-rw-r--r--scripts/firewall/firewall.init.in6
1 files changed, 6 insertions, 0 deletions
diff --git a/scripts/firewall/firewall.init.in b/scripts/firewall/firewall.init.in
index f3b20b6..2c272d8 100644
--- a/scripts/firewall/firewall.init.in
+++ b/scripts/firewall/firewall.init.in
@@ -73,6 +73,12 @@ start () {
iptables -t nat -N VYATTA_PRE_SNAT_HOOK
iptables -t nat -A VYATTA_PRE_SNAT_HOOK -j RETURN
iptables -t nat -A POSTROUTING -j VYATTA_PRE_SNAT_HOOK
+
+ # Loosen the acceptability rules for TCP sequence and ACK numbers in
+ # conntrack. This allows TCP connections through NAT to survive certain
+ # cases of packet loss where conntrack can not accurately track the
+ # connection state
+ sysctl -q -w net.netfilter.nf_conntrack_tcp_be_liberal=1
}
case "$ACTION" in
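Review bot: The comment above the added `sysctl -q -w net.netfilter.nf_conntrack_tcp_be_liberal=1` states the benefit but not the cost. With this set, conntrack marks only out-of-window RST segments as INVALID, so rules that drop INVALID-state packets no longer filter other out-of-window TCP segments, and the setting is system-wide rather than limited to NAT flows. I would extend the comment with `# NOTE: conntrack then flags only out-of-window RSTs as INVALID, for all tracked TCP (not just NAT); rules that drop INVALID will not catch other out-of-window segments.` The write's exit status is also ignored, so appending `|| echo "firewall: could not set nf_conntrack_tcp_be_liberal" >&2` would make a failure visible. start() begins before this hunk, and whether the stop path restores the default is not visible here, so that is worth checking too.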