* [pve-devel] [PATCH firewall] set sysctls on every apply
@ 2021-05-26 14:51 Stoiko Ivanov
  2021-05-26 15:31 ` [pve-devel] applied: " Thomas Lamprecht
  0 siblings, 1 reply; 2+ messages in thread
From: Stoiko Ivanov @ 2021-05-26 14:51 UTC (permalink / raw)
  To: pve-devel

setting the sysctls needed on every run should not be too costly
(the original implementation used a `system` invocation, which was
far more expensive), and reduce the chances for side-effects.

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
tested quickly on a test-installation of mine

 src/PVE/Firewall.pm | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 50be187..fc5c077 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1818,11 +1818,9 @@ sub rules_audit_permissions {
 }
 
 # core functions
-my $bridge_firewall_enabled = 0;
 
 sub enable_bridge_firewall {
 
-    return if $bridge_firewall_enabled; # only once
 
     PVE::ProcFSTools::write_proc_entry("/proc/sys/net/bridge/bridge-nf-call-iptables", "1");
     PVE::ProcFSTools::write_proc_entry("/proc/sys/net/bridge/bridge-nf-call-ip6tables", "1");
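Review bot: With the `return if $bridge_firewall_enabled; # only once` guard gone, nothing at the top of enable_bridge_firewall says why the bridge-nf-call-iptables and bridge-nf-call-ip6tables entries are now rewritten on every call. A one-line comment above the first write_proc_entry call, stating that the values are deliberately reasserted on each apply, would keep a later cleanup from reintroducing the once-only shortcut. The deletions also leave two empty lines directly after `sub enable_bridge_firewall {` and one after `# core functions`; those can be dropped in the same patch.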
@@ -1830,7 +1828,6 @@ sub enable_bridge_firewall {
     # make sure syncookies are enabled (which is default on newer 3.X kernels anyways)
     PVE::ProcFSTools::write_proc_entry("/proc/sys/net/ipv4/tcp_syncookies", "1");
 
-    $bridge_firewall_enabled = 1;
 }
 
 sub iptables_restore_cmdlist {
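Review bot: The tcp_syncookies write above the removed `$bridge_firewall_enabled = 1;` now also runs on every call, so any other value set on the host is overwritten with "1" each time the sub runs, not just the first time. The existing comment only says the setting is the default on newer kernels; it should be updated to say that the firewall enforces it on each apply, so that an administrator who finds the value reset knows where it comes from. Removing the assignment also leaves an empty line immediately before the closing brace of the sub.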
-- 
2.20.1


* [pve-devel] applied:  [PATCH firewall] set sysctls on every apply
  2021-05-26 14:51 [pve-devel] [PATCH firewall] set sysctls on every apply Stoiko Ivanov
@ 2021-05-26 15:31 ` Thomas Lamprecht
  0 siblings, 0 replies; 2+ messages in thread
From: Thomas Lamprecht @ 2021-05-26 15:31 UTC (permalink / raw)
  To: Proxmox VE development discussion, Stoiko Ivanov

On 26.05.21 16:51, Stoiko Ivanov wrote:
> setting the sysctls needed on every run should not be too costly
> (the original implementation used a `system` invocation, which was
> far more expensive), and reduce the chances for side-effects.
> 
> Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
> ---
> tested quickly on a test-installation of mine
> 
>  src/PVE/Firewall.pm | 3 ---
>  1 file changed, 3 deletions(-)
> 
>

applied, thanks!