public inbox for pve-devel@lists.proxmox.com
* [pve-devel] [PATCH firewall] set sysctls on every apply
@ 2021-05-26 14:51 Stoiko Ivanov
  2021-05-26 15:31 ` [pve-devel] applied: " Thomas Lamprecht
  0 siblings, 1 reply; 2+ messages in thread
From: Stoiko Ivanov @ 2021-05-26 14:51 UTC (permalink / raw)
  To: pve-devel

setting the sysctls needed on every run should not be too costly
(the original implementation used a `system` invocation, which was
far more expensive), and reduce the chances for side-effects.

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
tested quickly on a test-installation of mine

 src/PVE/Firewall.pm | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 50be187..fc5c077 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1818,11 +1818,9 @@ sub rules_audit_permissions {
 }
 
 # core functions
-my $bridge_firewall_enabled = 0;
 
 sub enable_bridge_firewall {
 
-    return if $bridge_firewall_enabled; # only once
 
     PVE::ProcFSTools::write_proc_entry("/proc/sys/net/bridge/bridge-nf-call-iptables", "1");
     PVE::ProcFSTools::write_proc_entry("/proc/sys/net/bridge/bridge-nf-call-ip6tables", "1");
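Review bot: in enable_bridge_firewall, removing the `return if $bridge_firewall_enabled` guard leaves the sub body opening with two consecutive blank lines, and nothing in the code records that the unconditional writes are deliberate. Suggest collapsing the blank lines and adding a short comment above the first write_proc_entry call stating that the sysctls are re-applied on every call on purpose, so the "only once" cache is not reintroduced later. Since both bridge-nf-call-* writes now run on each call, it is also worth confirming how write_proc_entry behaves when a path is missing or the write fails; that is not visible in this hunk.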
@@ -1830,7 +1828,6 @@ sub enable_bridge_firewall {
     # make sure syncookies are enabled (which is default on newer 3.X kernels anyways)
     PVE::ProcFSTools::write_proc_entry("/proc/sys/net/ipv4/tcp_syncookies", "1");
 
-    $bridge_firewall_enabled = 1;
 }
 
 sub iptables_restore_cmdlist {
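Review bot: the write of "1" to /proc/sys/net/ipv4/tcp_syncookies now runs on every call instead of once, so any other value set on the host between calls is overwritten each time. The existing comment only says "make sure syncookies are enabled"; suggest extending it (or the commit message) to state that the value is enforced on each call, so an administrator who finds the setting reverted can trace it back to this sub.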
-- 
2.20.1






* [pve-devel] applied:  [PATCH firewall] set sysctls on every apply
  2021-05-26 14:51 [pve-devel] [PATCH firewall] set sysctls on every apply Stoiko Ivanov
@ 2021-05-26 15:31 ` Thomas Lamprecht
  0 siblings, 0 replies; 2+ messages in thread
From: Thomas Lamprecht @ 2021-05-26 15:31 UTC (permalink / raw)
  To: Proxmox VE development discussion, Stoiko Ivanov

On 26.05.21 16:51, Stoiko Ivanov wrote:
> setting the sysctls needed on every run should not be too costly
> (the original implementation used a `system` invocation, which was
> far more expensive), and reduce the chances for side-effects.
> 
> Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
> ---
> tested quickly on a test-installation of mine
> 
>  src/PVE/Firewall.pm | 3 ---
>  1 file changed, 3 deletions(-)
> 
>

applied, thanks!



