I don't understand the problem. Why does this produce different output than the original code?
> -----Original Message----- > From: pve-devel [mailto:pve-devel-boun...@pve.proxmox.com] On Behalf > Of Alexandre Derumier > Sent: Montag, 12. Mai 2014 15:19 > To: pve-devel@pve.proxmox.com > Subject: [pve-devel] [PATCH] insert PVEFW-IPS after vm rules generation v2 > > or it never match it > > Signed-off-by: Alexandre Derumier <aderum...@odiso.com> > --- > src/PVE/Firewall.pm | 7 +++++-- > 1 file changed, 5 insertions(+), 2 deletions(-) > > diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index > 4cefc41..41494c6 100644 > --- a/src/PVE/Firewall.pm > +++ b/src/PVE/Firewall.pm > @@ -2550,8 +2550,7 @@ sub compile { > # fixme: what log level should we use here? > my $loglevel = get_option_log_level($hostfw_options, "log_level_out"); > > - my $accept = ruleset_chain_exist($ruleset, "PVEFW-IPS") ? "PVEFW-IPS" : > "ACCEPT"; > - ruleset_chain_add_conn_filters($ruleset, "PVEFW-FORWARD", $accept); > + ruleset_chain_add_conn_filters($ruleset, "PVEFW-FORWARD", > + "ACCEPT"); > > if ($cluster_conf->{ipset}->{blacklist}){ > ruleset_addlog($ruleset, "PVEFW-FORWARD", 0, "DROP: ", $loglevel, > "-m set --match-set PVEFW-blacklist src"); @@ -2633,6 +2632,10 @@ sub > compile { > } > } > > + if(ruleset_chain_exist($ruleset, "PVEFW-IPS")){ > + ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack -- > ctstate RELATED,ESTABLISHED -j PVEFW-IPS"); > + } > + > return ($ruleset, $ipset_ruleset); > } > > -- > 1.7.10.4 > > _______________________________________________ > pve-devel mailing list > pve-devel@pve.proxmox.com > http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel _______________________________________________ pve-devel mailing list pve-devel@pve.proxmox.com http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
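Review bot: In the second hunk (the block added before `return ($ruleset, $ipset_ruleset);`), the IPS jump is reached only if ruleset_insertrule places it ahead of the RELATED,ESTABLISHED rule that the first hunk now adds to PVEFW-FORWARD with a fixed "ACCEPT"; if it lands after that rule, established traffic is accepted before it ever gets to PVEFW-IPS. Please add a short comment above the block stating that ordering requirement and why the ruleset_chain_exist check has to run after the VM rules are generated, since the commit message only says "or it never match it". Style: `if(ruleset_chain_exist(...)){` does not match the `if (` spacing used a few lines earlier in the same function.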