author | Bob Gilligan <gilligan@vyatta.com> | 2008-06-05 16:20:10 -0700 |
---|---|---|
committer | Bob Gilligan <gilligan@vyatta.com> | 2008-06-05 16:20:10 -0700 |
commit | 72513826f382a2fe4fa188c2477a01925478ac12 (patch) | |
tree | f162ec900184d16650ff5d8bdb1f87d72e0c2ff1 /templates | |
parent | b5521426168a30da7ffd806703613f85c5fb31e3 (diff) | |
download | vyatta-cfg-firewall-72513826f382a2fe4fa188c2477a01925478ac12.tar.gz vyatta-cfg-firewall-72513826f382a2fe4fa188c2477a01925478ac12.zip |
Bugfix: 2122
Add configuration parameter to set netfilter ip_conntrack_tcp_loose.
Diffstat (limited to 'templates')
-rw-r--r-- | templates/firewall/conntrack-tcp-loose/node.def | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/templates/firewall/conntrack-tcp-loose/node.def b/templates/firewall/conntrack-tcp-loose/node.def new file mode 100644 index 0000000..387afcb --- /dev/null +++ b/templates/firewall/conntrack-tcp-loose/node.def @@ -0,0 +1,54 @@ +# +# This parameter directs the netfilter TCP connection tracking modules +# (nf_conntrack, and others) to either allow or disallow the tracking +# of TCP connections which are "previously established". This +# includes all cases where the three-way connection opening handshake +# was not seen by this machine. That includes the case the connection +# was opened before this machine booted. It also includes cases where +# the packets comprising the three-way handshake were routed via some +# other router. +# +# If this parameter is set to "enable", tracking such connections is +# allowed. If disabled, such tracking is disabled. +# + +type: txt + +help: Set tracking of previously established connections + +comp_help:Possible completions: + enable\tAllow tracking of previously established connections + disable\tDo not allow tracking of previously established connections + +default: "enable" + +syntax:expression: $VAR(@) in "enable", "disable"; "must be either enable or disable" + +update: + if [ ! -e /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose ]; then + sudo modprobe nf_conntrack_ipv4 + fi + if [ "$VAR(@)" = "enable" ]; then + sudo sh -c "echo 1 > \ + /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose" + elif [ "$VAR(@)" = "disable" ]; then + sudo sh -c "echo 0 > \ + /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose" + else + echo "Invalid parameter: $VAR(@)" + exit 1 + fi + +delete: + if [ ! -e /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose ]; then + sudo modprobe nf_conntrack_ipv4 + fi + sudo sh -c "echo 1 > \ + /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose" + + + + + + + |
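Review bot: The `update:` action never checks whether `sudo modprobe nf_conntrack_ipv4` succeeded, so when the module cannot be loaded the following `sudo sh -c "echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose"` fails with an unrelated "No such file or directory" error instead of a clear message; re-test `-e` on the sysctl path after the modprobe (or check modprobe's exit status) and `exit 1` with an explicit error before writing, and apply the same guard in `delete:`. Minor: the `else` branch that prints `Invalid parameter` is unreachable because `syntax:expression` already restricts the value to `enable` or `disable`, and since `delete:` silently restores the default of `1` it would be clearer to state in the node comment that this matches the kernel default and that `disable` is the stricter setting (mid-stream TCP flows with no observed handshake are no longer tracked and will be dropped by state-based rules).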