Disable tracking of loopback connections

diff --git a/cookbooks/networking/recipes/default.rb b/cookbooks/networking/recipes/default.rb
index 86792ea992faf616451f9fd2333f5b0ca28e4e26..51f3f4389aa1eb7dd4ec5f2078080e47131ac6e5 100644 (file)
--- a/cookbooks/networking/recipes/default.rb
+++ b/cookbooks/networking/recipes/default.rb
@@ -179,6 +179,14 @@ template "/etc/shorewall/hosts" do
   notifies :restart, "service[shorewall]"
 end
 
+template "/etc/shorewall/conntrack" do
+  source "shorewall-conntrack.erb"
+  owner "root"
+  group "root"
+  mode 0o644
+  notifies :restart, "service[shorewall]"
+end
+
 template "/etc/shorewall/policy" do
   source "shorewall-policy.erb"
   owner "root"
@@ -291,6 +299,14 @@ unless node.interfaces(:family => :inet6).empty?
     notifies :restart, "service[shorewall6]"
   end
 
+  template "/etc/shorewall6/conntrack" do
+    source "shorewall-conntrack.erb"
+    owner "root"
+    group "root"
+    mode 0o644
+    notifies :restart, "service[shorewall6]"
+  end
+
   template "/etc/shorewall6/policy" do
     source "shorewall-policy.erb"
     owner "root"

diff --git a/cookbooks/networking/templates/default/shorewall-conntrack.erb b/cookbooks/networking/templates/default/shorewall-conntrack.erb
new file mode 100644 (file)
index 0000000..4d5e726
--- /dev/null
+++ b/cookbooks/networking/templates/default/shorewall-conntrack.erb
@@ -0,0 +1,7 @@
+# DO NOT EDIT - This file is being maintained by Chef
+
+?FORMAT 3
+
+# ACTION       SOURCE  DEST    PROTO   DPORT   SPORT   USER    SWITCH
+NOTRACK:P      lo      -       -       -       -       -       -
+NOTRACK:O      -       lo      -       -       -       -       -