Alexandros Kosiaris has uploaded a new change for review.
https://gerrit.wikimedia.org/r/230052
Change subject: ferm: NOTRACK needs to be applied on raw table
......................................................................
ferm: NOTRACK needs to be applied on raw table
Fix bug where NOTRACK was applied on the filter table instead of the raw
table. Also NOTRACK in this context needs to be applied to the
PREROUTING chain and not the INPUT chain
Bug: T104996
Change-Id: I7077050dc517e6745e9bc36b9709fbee77c308b5
---
M modules/ferm/files/functions.conf
1 file changed, 5 insertions(+), 2 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/52/230052/1
diff --git a/modules/ferm/files/functions.conf
b/modules/ferm/files/functions.conf
index 214f6d4..1e7e2ae 100644
--- a/modules/ferm/files/functions.conf
+++ b/modules/ferm/files/functions.conf
@@ -13,7 +13,10 @@
# Exempt service from connection tracking (for high traffic services)
@def &NO_TRACK($proto, $port) = {
- domain (ip ip6) chain INPUT {
- proto $proto dport $port NOTRACK;
+ domain (ip ip6) {
+ table raw {
+ chain PREROUTING {
+ proto $proto dport $port NOTRACK;
+ }
}
}
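Review bot: The new `chain PREROUTING` block under `table raw` exempts only packets arriving at the host; replies the service generates locally pass through the raw table's OUTPUT chain and are still handed to conntrack, so a high-traffic service will keep creating tracking entries for its return traffic. If the aim is to keep the service out of the conntrack table entirely, consider adding a sibling `chain OUTPUT { proto $proto sport $port NOTRACK; }` inside the same `table raw` block. It would also help to extend the comment above `&NO_TRACK` to note that untracked packets do not match ESTABLISHED/RELATED state rules, so callers need an explicit accept rule for the port in the filter table.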
--
To view, visit https://gerrit.wikimedia.org/r/230052
Gerrit-MessageType: newchange
Gerrit-Change-Id: I7077050dc517e6745e9bc36b9709fbee77c308b5
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Alexandros Kosiaris <[email protected]>