From 0bcb15317fede5c17c77c187e1cd9a68a0c8030c Mon Sep 17 00:00:00 2001
From: Todd Willey <todd@ansolabs.com>
Date: Fri, 10 Jun 2011 22:32:33 -0400
Subject: Reorder firewall rules so the common path is shorter.

---
 nova/virt/libvirt/firewall.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

(limited to 'nova')

diff --git a/nova/virt/libvirt/firewall.py b/nova/virt/libvirt/firewall.py
index 28cd9fe9c..331c73b47 100644
--- a/nova/virt/libvirt/firewall.py
+++ b/nova/virt/libvirt/firewall.py
@@ -590,14 +590,14 @@ class IptablesFirewallDriver(FirewallDriver):
         ipv4_rules += ['-m state --state ' 'INVALID -j DROP']
         ipv6_rules += ['-m state --state ' 'INVALID -j DROP']
 
-        # Pass through provider-wide drops
-        ipv4_rules += ['-j $provider']
-        ipv6_rules += ['-j $provider']
-
         # Allow established connections
         ipv4_rules += ['-m state --state ESTABLISHED,RELATED -j ACCEPT']
         ipv6_rules += ['-m state --state ESTABLISHED,RELATED -j ACCEPT']
 
+        # Pass through provider-wide drops
+        ipv4_rules += ['-j $provider']
+        ipv6_rules += ['-j $provider']
+
         dhcp_servers = [network['gateway'] for (network, _m) in network_info]
 
         for dhcp_server in dhcp_servers:
-- 
cgit