Diffstat (limited to 'scripts/firewall/firewall.init.in')
-rw-r--r--scripts/firewall/firewall.init.in7
1 files changed, 7 insertions, 0 deletions
diff --git a/scripts/firewall/firewall.init.in b/scripts/firewall/firewall.init.in
index 2759647..d38d052 100644
--- a/scripts/firewall/firewall.init.in
+++ b/scripts/firewall/firewall.init.in
@@ -48,6 +48,10 @@ start () {
for mod in ${modules[@]} ; do
modprobe --syslog $mod
done
+ # raw table ignore connection tracking chain
+ iptables -t raw -N VYATTA_CT_IGNORE
+ iptables -t raw -A VYATTA_CT_IGNORE -j RETURN
+
# conection tracking timeout chain
iptables -t raw -N VYATTA_CT_TIMEOUT
iptables -t raw -A VYATTA_CT_TIMEOUT -j RETURN
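Review bot: The new VYATTA_CT_IGNORE chain (lines 19–20) is created only in the IPv4 raw table with no ip6tables counterpart, so any NOTRACK-style rules later inserted into it will not apply to IPv6 flows; this mirrors the existing VYATTA_CT_TIMEOUT setup, so it may be intentional, but the comment should say so. The comment on line 18 should also warn about the security consequence of using this chain: traffic exempted from connection tracking also bypasses every stateful (`-m state`/`-m conntrack`) firewall rule and NAT, e.g. `# raw table chain for rules that exempt traffic from conntrack (NOTRACK); such flows also bypass stateful firewall and NAT rules. IPv4 only.` As with the adjacent `-N VYATTA_CT_TIMEOUT`, a second `start` without `stop` will fail on `-N` with "Chain already exists" and the error is not checked. The enclosing start() function begins before and ends after this hunk.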
@@ -146,6 +150,9 @@ start () {
iptables -t raw -I PREROUTING -j VYATTA_CT_TIMEOUT
iptables -t raw -I OUTPUT -j VYATTA_CT_TIMEOUT
+
+ iptables -t raw -I PREROUTING -j VYATTA_CT_IGNORE
+ iptables -t raw -I OUTPUT -j VYATTA_CT_IGNORE
# Loosen the acceptability rules for TCP sequence and ACK numbers in
# conntrack. This allows TCP connections through NAT to survive certain
# cases of packet loss where conntrack can not accurately track the