summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGaurav Sinha <gaurav.sinha@vyatta.com>2012-06-22 15:00:41 -0700
committerGaurav Sinha <gaurav.sinha@vyatta.com>2012-06-22 15:00:41 -0700
commitfaacba00db46c29fc652217653f9fe0564c1ebac (patch)
tree247c38bd37cf30f5b500b5c850bf9a7f039bd209
parentdd1223e84a2589c9782e2fc3774bc124fcba61b0 (diff)
downloadvyatta-cfg-firewall-faacba00db46c29fc652217653f9fe0564c1ebac.tar.gz
vyatta-cfg-firewall-faacba00db46c29fc652217653f9fe0564c1ebac.zip
fixing 8173: moving CT_HELPER chain just before CTTIMEOUT
-rwxr-xr-xlib/Vyatta/IpTables/Mgr.pm4
1 files changed, 3 insertions, 1 deletions
diff --git a/lib/Vyatta/IpTables/Mgr.pm b/lib/Vyatta/IpTables/Mgr.pm
index 19c3c29..6723bc3 100755
--- a/lib/Vyatta/IpTables/Mgr.pm
+++ b/lib/Vyatta/IpTables/Mgr.pm
@@ -230,7 +230,9 @@ sub ipt_enable_conntrack {
# this index does not change now but maybe later we change it, so being defensive.
my $cttimeout_index = ipt_find_chain_rule($iptables_cmd, 'raw', $label, "VYATTA_CT_TIMEOUT");
if (defined($cttimeout_index)) {
- $cttimeout_index++;
+ # $cttimeout_index++; fixing 8173
+ # currently we have cttimeout at 1 index, it might change in future.
+ # helper chain should be before timeout chain
system("sudo $iptables_cmd -t raw -I $label $cttimeout_index -j VYATTA_CT_HELPER");
}
}