authorBob Gilligan <gilligan@vyatta.com>2009-05-08 13:36:18 -0700
committerBob Gilligan <gilligan@vyatta.com>2009-05-08 13:36:18 -0700
commit2cc639cacae969af4f36a7b587f86ac479ebe729 (patch)
tree5ee944c355a9a8a3d849bd94f42dbd06478b0055 /scripts/firewall/firewall.init.in
parente02bba9135b133ced2922258177e8f9cd0ae9f70 (diff)
downloadvyatta-cfg-firewall-2cc639cacae969af4f36a7b587f86ac479ebe729.tar.gz
vyatta-cfg-firewall-2cc639cacae969af4f36a7b587f86ac479ebe729.zip
Bugfix 4340: Enable net.netfilter.nf_conntrack_tcp_be_liberal by default.
The parameter in question loosens the "acceptability" check on TCP sequence and ACK numbers in the TCP conntrack module. This allows connection tracking to survive certain cases where packet loss would cause it to lose sync with the TCP endpoints.
Diffstat (limited to 'scripts/firewall/firewall.init.in')
-rw-r--r--scripts/firewall/firewall.init.in6
1 files changed, 6 insertions, 0 deletions
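--- a/scripts/firewall/firewall.init.in
+++ b/scripts/firewall/firewall.init.in
@@ -73,6 +73,12 @@ start () {
 iptables -t nat -N VYATTA_PRE_SNAT_HOOK
 iptables -t nat -A VYATTA_PRE_SNAT_HOOK -j RETURN
 iptables -t nat -A POSTROUTING -j VYATTA_PRE_SNAT_HOOK
+
+ # Loosen the acceptability rules for TCP sequence and ACK numbers in
+ # conntrack. This allows TCP connections through NAT to survive certain
+ # cases of packet loss where conntrack can not accurately track the
+ # connection state
+ sysctl -q -w net.netfilter.nf_conntrack_tcp_be_liberal=1
 }
 case "$ACTION" in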
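Review bot: The new sysctl on the last added line makes a security trade-off that neither the in-script comment nor the commit message records: with nf_conntrack_tcp_be_liberal=1, conntrack stops rejecting TCP segments whose sequence/ACK numbers fall outside the tracked window, so any rule that relies on conntrack state (ESTABLISHED/RELATED) will also pass out-of-window segments that match a tracked connection's addresses and ports. The comment should state this, e.g. `# Trade-off: out-of-window TCP segments are now accepted as part of the tracked connection, so state-based rules no longer enforce the sequence-number check.` Note also that `sysctl -q` hides a failure (for example if the key is absent because the conntrack module has not been loaded yet), so a silent no-op would leave the behaviour the commit message promises unimplemented; dropping `-q` or checking the exit status would make that visible. The setting is system-wide and persists after the script returns; nothing in this hunk reverts it. The enclosing start() function begins outside the hunk.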