author | Gaurav Sinha <gaurav.sinha@vyatta.com> | 2012-06-22 15:00:41 -0700 |
---|---|---|
committer | Gaurav Sinha <gaurav.sinha@vyatta.com> | 2012-06-22 15:00:41 -0700 |
commit | faacba00db46c29fc652217653f9fe0564c1ebac (patch) | |
tree | 247c38bd37cf30f5b500b5c850bf9a7f039bd209 | |
parent | dd1223e84a2589c9782e2fc3774bc124fcba61b0 (diff) | |
download | vyatta-cfg-firewall-faacba00db46c29fc652217653f9fe0564c1ebac.tar.gz vyatta-cfg-firewall-faacba00db46c29fc652217653f9fe0564c1ebac.zip |
fixing 8173: moving CT_HELPER chain just before CTTIMEOUT
-rwxr-xr-x | lib/Vyatta/IpTables/Mgr.pm | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/lib/Vyatta/IpTables/Mgr.pm b/lib/Vyatta/IpTables/Mgr.pm
index 19c3c29..6723bc3 100755
--- a/lib/Vyatta/IpTables/Mgr.pm
+++ b/lib/Vyatta/IpTables/Mgr.pm
@@ -230,7 +230,9 @@ sub ipt_enable_conntrack {
 # this index does not change now but maybe later we change it, so being defensive.
 my $cttimeout_index = ipt_find_chain_rule($iptables_cmd, 'raw', $label, "VYATTA_CT_TIMEOUT");
 if (defined($cttimeout_index)) {
- $cttimeout_index++;
+ # $cttimeout_index++; fixing 8173
+ # currently we have cttimeout at 1 index, it might change in future.
+ # helper chain should be before timeout chain
 system("sudo $iptables_cmd -t raw -I $label $cttimeout_index -j VYATTA_CT_HELPER");
 }
 } |
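Review bot: The insert that this change re-targets still runs as an unchecked `system("sudo ...")` string, so if it fails, or if `ipt_find_chain_rule` returns undef and the `if` is skipped, the `VYATTA_CT_HELPER` jump is silently absent from the raw table and nothing is logged. Checking the result, e.g. `system(...) == 0 or warn "failed to insert VYATTA_CT_HELPER before VYATTA_CT_TIMEOUT in $label\n";`, would make an ordering failure visible. The list form of `system` would also keep `$label` and `$cttimeout_index` away from the shell, assuming `$iptables_cmd` is a single command word. The commented-out `# $cttimeout_index++; fixing 8173` is better deleted, leaving one comment such as `# insert at the CT_TIMEOUT index so VYATTA_CT_HELPER is evaluated first (bug 8173)`. `ipt_enable_conntrack` starts and ends outside the hunk, so any later check or fallback is not visible here.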