| author | Todd Willey <todd@ansolabs.com> | 2011-06-10 22:32:33 -0400 |
|---|---|---|
| committer | Todd Willey <todd@ansolabs.com> | 2011-06-10 22:32:33 -0400 |
| commit | 0bcb15317fede5c17c77c187e1cd9a68a0c8030c (patch) | |
| tree | 5c5670eb2063d02ca86828a364dd6220bd702cbb | |
| parent | 5c187a17216b76d730c3dcf983f905d2b5ce1bd9 (diff) | |
Reorder firewall rules so the common path is shorter.
| -rw-r--r-- | nova/virt/libvirt/firewall.py | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/nova/virt/libvirt/firewall.py b/nova/virt/libvirt/firewall.py
index 28cd9fe9c..331c73b47 100644
--- a/nova/virt/libvirt/firewall.py
+++ b/nova/virt/libvirt/firewall.py
@@ -590,14 +590,14 @@ class IptablesFirewallDriver(FirewallDriver):
 ipv4_rules += ['-m state --state ' 'INVALID -j DROP']
 ipv6_rules += ['-m state --state ' 'INVALID -j DROP']
 
- # Pass through provider-wide drops
- ipv4_rules += ['-j $provider']
- ipv6_rules += ['-j $provider']
-
 # Allow established connections
 ipv4_rules += ['-m state --state ESTABLISHED,RELATED -j ACCEPT']
 ipv6_rules += ['-m state --state ESTABLISHED,RELATED -j ACCEPT']
 
+ # Pass through provider-wide drops
+ ipv4_rules += ['-j $provider']
+ ipv6_rules += ['-j $provider']
+
 dhcp_servers = [network['gateway'] for (network, _m) in network_info]
 
 for dhcp_server in dhcp_servers: |
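Review bot: With the ESTABLISHED,RELATED accept now placed ahead of the `-j $provider` jump, provider-wide drops are only consulted for packets that conntrack does not already associate with a flow, so a newly added provider drop will not cut off connections that are already tracked, and RELATED traffic bypasses it too. The commit message describes this as a performance reordering only; if the narrower enforcement is intended, it should be stated at the jump, e.g. `# Provider drops apply to new connections only; tracked flows were accepted above`. If provider rules are expected to take effect immediately, the path that rewrites the provider chain would presumably also need to clear matching conntrack entries, which is not visible here. The enclosing method starts and ends outside this hunk.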
