rich: limit masquerading forward rule to new connections

firewalld · May 12, 2015 · 36ccd63 · 36ccd63
1 parent 54d7897
commit 36ccd63
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
@@ -889,7 +889,8 @@ def __rule(self, enable, zone, rule, mark_id):
                 # reverse source/destination !
                 self.__rule_source(rule.destination, command)
                 self.__rule_destination(rule.source, command)
-                command += [ "-j", "ACCEPT" ]
+                command += [ "-m", "conntrack", "--ctstate", "NEW",
+                             "-j", "ACCEPT" ]
                 rules.append((ipv, "filter", "%s_allow" % target, command))
 
             # FORWARD PORT