summaryrefslogtreecommitdiff
path: root/templates
diff options
context:
space:
mode:
authorBob Gilligan <gilligan@vyatta.com>2008-06-05 16:20:10 -0700
committerBob Gilligan <gilligan@vyatta.com>2008-06-05 16:20:10 -0700
commit72513826f382a2fe4fa188c2477a01925478ac12 (patch)
treef162ec900184d16650ff5d8bdb1f87d72e0c2ff1 /templates
parentb5521426168a30da7ffd806703613f85c5fb31e3 (diff)
downloadvyatta-cfg-firewall-72513826f382a2fe4fa188c2477a01925478ac12.tar.gz
vyatta-cfg-firewall-72513826f382a2fe4fa188c2477a01925478ac12.zip
Bugfix: 2122
Add configuration parameter to set netfilter ip_conntrack_tcp_loose.
Diffstat (limited to 'templates')
-rw-r--r--templates/firewall/conntrack-tcp-loose/node.def54
1 files changed, 54 insertions, 0 deletions
diff --git a/templates/firewall/conntrack-tcp-loose/node.def b/templates/firewall/conntrack-tcp-loose/node.def
new file mode 100644
index 0000000..387afcb
--- /dev/null
+++ b/templates/firewall/conntrack-tcp-loose/node.def
@@ -0,0 +1,54 @@
+#
+# This parameter directs the netfilter TCP connection tracking modules
+# (nf_conntrack, and others) to either allow or disallow the tracking
+# of TCP connections which are "previously established". This
+# includes all cases where the three-way connection opening handshake
+# was not seen by this machine. That includes the case the connection
+# was opened before this machine booted. It also includes cases where
+# the packets comprising the three-way handshake were routed via some
+# other router.
+#
+# If this parameter is set to "enable", tracking such connections is
+# allowed. If disabled, such tracking is disabled.
+#
+
+type: txt
+
+help: Set tracking of previously established connections
+
+comp_help:Possible completions:
+ enable\tAllow tracking of previously established connections
+ disable\tDo not allow tracking of previously established connections
+
+default: "enable"
+
+syntax:expression: $VAR(@) in "enable", "disable"; "must be either enable or disable"
+
+update:
+ if [ ! -e /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose ]; then
+ sudo modprobe nf_conntrack_ipv4
+ fi
+ if [ "$VAR(@)" = "enable" ]; then
+ sudo sh -c "echo 1 > \
+ /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose"
+ elif [ "$VAR(@)" = "disable" ]; then
+ sudo sh -c "echo 0 > \
+ /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose"
+ else
+ echo "Invalid parameter: $VAR(@)"
+ exit 1
+ fi
+
+delete:
+ if [ ! -e /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose ]; then
+ sudo modprobe nf_conntrack_ipv4
+ fi
+ sudo sh -c "echo 1 > \
+ /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose"
+
+
+
+
+
+
+