This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, master has been updated
       via  5c1af49c835921232a0312819025fb08dddae4b3 (commit)
      from  10148970eb431e8a1a99aaca67c531dc3b6f1492 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit 5c1af49c835921232a0312819025fb08dddae4b3
Author: Peter Müller <peter.mueller@ipfire.org>
Date:   Thu Feb 17 20:16:02 2022 +0000
firewall: Add proper logging prefix for conntrack INVALID hits
Fixes: #12778
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
 src/initscripts/system/firewall | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
Difference in files: diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index fc355cd5d..2f4b4e30e 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -119,9 +119,13 @@ iptables_init() { iptables -A FORWARD -p tcp -j BADTCP
# Connection tracking chains + iptables -N CTINVALID + iptables -A CTINVALID -m limit --limit 10/second -j LOG --log-prefix "DROP_CTINVALID " + iptables -A CTINVALID -j DROP -m comment --comment "DROP_CTINVALID" + iptables -N CONNTRACK iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED -j ACCEPT - iptables -A CONNTRACK -m conntrack --ctstate INVALID -j LOG_DROP + iptables -A CONNTRACK -m conntrack --ctstate INVALID -j CTINVALID iptables -A CONNTRACK -p icmp -m conntrack --ctstate RELATED -j ACCEPT
# Restore any connection marks
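Review bot: the `-m limit --limit 10/second` on the LOG rule in the new CTINVALID chain is one global token bucket, so a single peer emitting a stream of INVALID packets uses up the whole log budget and INVALID hits from every other source are dropped silently for as long as the flood lasts; if the point of the new DROP_CTINVALID prefix is to make these hits visible per source, `-m hashlimit --hashlimit-mode srcip --hashlimit-upto 10/second --hashlimit-name ctinvalid` would rate-limit per source address instead, and in either case the burst should be stated explicitly (`--limit-burst` or `--hashlimit-burst`) rather than left at the module default. Two smaller points in the same hunk: the DROP rule places `-m comment` after `-j DROP` while the LOG rule puts its match before the target, so `iptables -A CTINVALID -m comment --comment "DROP_CTINVALID" -j DROP` would keep the two lines consistent; and because `iptables -N CTINVALID` is added inside iptables_init(), please confirm the teardown path flushes and deletes CTINVALID together with the existing CONNTRACK chain, otherwise re-running the script fails on the already-existing chain.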