From efdcd39a9b06ac5e45583a4e5eb00ae8ae480337 Mon Sep 17 00:00:00 2001
From: Gaurav Sinha
Date: Wed, 22 Aug 2012 17:37:24 -0700
Subject: move CT_IGNORE chain up, first in raw table
---
 scripts/firewall/firewall.init.in | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'scripts')
diff --git a/scripts/firewall/firewall.init.in b/scripts/firewall/firewall.init.in
index 20ece8b..a7fb685 100644
--- a/scripts/firewall/firewall.init.in
+++ b/scripts/firewall/firewall.init.in
@@ -162,6 +162,9 @@ start () {
 iptables -t raw -I PREROUTING -j VYATTA_CT_TIMEOUT
 iptables -t raw -I OUTPUT -j VYATTA_CT_TIMEOUT
+
+ iptables -t raw -I PREROUTING -j VYATTA_CT_IGNORE
+ iptables -t raw -I OUTPUT -j VYATTA_CT_IGNORE
 # Loosen the acceptability rules for TCP sequence and ACK numbers in
 # conntrack. This allows TCP connections through NAT to survive certain
 # cases of packet loss where conntrack can not accurately track the
--
cgit v1.2.3
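Review bot: The "first in raw table" ordering that the subject describes is carried only by statement order, not by anything the new lines say: `-I` with no rule number prepends, so the two VYATTA_CT_IGNORE jumps end up at position 1 solely because they are issued after the VYATTA_CT_TIMEOUT jumps. A comment above the new lines would keep a later reordering from silently undoing that, e.g. `# -I prepends: keep these after the CT_TIMEOUT inserts so CT_IGNORE is evaluated first in raw PREROUTING/OUTPUT`. Because `-I` never checks for an existing rule, running start() a second time without a flush leaves duplicate jump rules in both chains; presumably the stop/flush path outside the hunk handles that, but it is worth confirming. The VYATTA_CT_IGNORE chain must already exist when these lines run (the jump fails otherwise), and its creation is not in the hunk; start () itself begins and ends outside the hunk.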