> this creates a new chain PVEFW-Accept

You use this chain unconditionally, so we slow down things when the IPS is not active (because of an additional jump to PVEFW-Accept).
Besides, I cannot see that this patch replaces all ACCEPT actions, for example:

---------------
sub ruleset_generate_vm_rules {
    ...
    if ($direction eq 'OUT') {
        ...
    } else {
        ruleset_generate_rule($ruleset, $chain, $rule, { REJECT => "PVEFW-reject" });
    }
}
----------------

So that generates normal ACCEPT?

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel