or it never match it
Signed-off-by: Alexandre Derumier <aderum...@odiso.com>
---
 src/PVE/Firewall.pm | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 4cefc41..47a0f93 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -2550,8 +2550,7 @@ sub compile {
 # fixme: what log level should we use here?
 my $loglevel = get_option_log_level($hostfw_options, "log_level_out");
- my $accept = ruleset_chain_exist($ruleset, "PVEFW-IPS") ? "PVEFW-IPS" : "ACCEPT";
- ruleset_chain_add_conn_filters($ruleset, "PVEFW-FORWARD", $accept);
+ ruleset_chain_add_conn_filters($ruleset, "PVEFW-FORWARD", "ACCEPT");
 if ($cluster_conf->{ipset}->{blacklist}){
 ruleset_addlog($ruleset, "PVEFW-FORWARD", 0, "DROP: ", $loglevel, "-m set --match-set PVEFW-blacklist src");
@@ -2633,6 +2632,10 @@ sub compile {
 }
 }
+ if(ruleset_chain_exist($ruleset, "PVEFW-IPS")){
+ ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-j PVEFW-IPS");
+ }
+ return ($ruleset, $ipset_ruleset);
 }
--
1.7.10.4
_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
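Review bot: The hard-coded `"ACCEPT"` now passed to ruleset_chain_add_conn_filters in the first hunk no longer shows that PVEFW-FORWARD still has IPS handling, since the jump moved to the end of compile() in the second hunk. A one-line comment above the call, such as `# the PVEFW-IPS jump is inserted into PVEFW-FORWARD at the end of compile()`, would keep the two places connected for the next reader. compile() begins and ends outside this hunk, so any other caller-visible effect of dropping `$accept` cannot be checked from here.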
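Review bot: The `-j PVEFW-IPS` jump added in the second hunk relies on ruleset_insertrule placing the rule at the head of PVEFW-FORWARD, but neither that helper nor the contents of PVEFW-IPS are visible here. If the jump does land first, forwarded packets reach PVEFW-IPS before the connection filters and before the PVEFW-blacklist DROP set up in the first hunk. Should the rules in PVEFW-IPS end in a terminating target, a packet could leave PVEFW-FORWARD without being checked against the blacklist or the rules after it, so please confirm that the chain returns, or place the jump after the blacklist rule. A comment such as `# must be the first rule in PVEFW-FORWARD, otherwise the conn filters ACCEPT before it is reached` would record the ordering requirement. As a style point, the file's other conditionals are written `if (`, not `if(`.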