
merge in alternative way to fix connection drops during sync, drop th…

…e packets rather than resetting the connection so that it is handled a little better when there is a lot of traffic during a sync
1 parent 679a939 commit 04f79ad41ca6b4b3ace555dd6142ed7d0bd0096c @micolous committed Nov 2, 2012
Showing with 4 additions and 0 deletions.
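--- a/tollgate/backend/iptables.py
+++ b/tollgate/backend/iptables.py
@@ -183,6 +183,7 @@ def create_nat():
 iptables('-I','FORWARD','2','-j',BLACKLIST_RULE)
 # delete existing rejection rule
+ iptables('-D','FORWARD','-p','tcp','-m','state','--state','ESTABLISHED','-j','DROP')
 iptables('-D','FORWARD','-p','tcp','-j','REJECT','--reject-with','tcp-reset')
 iptables('-D','FORWARD','-j','REJECT','--reject-with',REJECT_MODE)
@@ -204,6 +205,9 @@ def create_nat():
 iptables('-A','FORWARD','-m','mark','--mark','0x1','-o',INTERN_IFACE,'-j','ACCEPT')
 # create new rejection rule
+ # just drop traffic that has an open connection, that way it is just packet
+ # loss when the firewall is resyncing
+ iptables('-A','FORWARD','-p','tcp','-m','state','--state','ESTABLISHED','-j','DROP')
 if REJECT_TCP_RESET:
 iptables('-A','FORWARD','-p','tcp','-j','REJECT','--reject-with','tcp-reset')
 iptables('-A','FORWARD','-j','REJECT','--reject-with',REJECT_MODE)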
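Review bot: The comment on the new DROP rule in the second hunk understates what it does: the rule is appended permanently and matches every TCP packet in the ESTABLISHED conntrack state that no earlier FORWARD rule accepted, not only traffic seen while the firewall is resyncing, so a host whose mark-based ACCEPT disappears mid-session now sees a silently stalled connection instead of an immediate RST, and the tcp-reset REJECT that follows only ever reaches non-ESTABLISHED TCP (SYNs, INVALID). I would replace the two comment lines with `# Drop (don't reset) TCP packets on already-tracked connections that no rule above accepted.` followed by `# Applies at all times, not just during a resync: revoked hosts stall rather than get a RST, and the tcp-reset REJECT below only sees non-ESTABLISHED TCP.` The matching `-D` in the first hunk will report a missing rule on the first run after this change; whether that aborts create_nat depends on how the iptables() helper treats a non-zero exit, which is not visible here. Note also that `-m state` is the legacy match; `-m conntrack --ctstate ESTABLISHED` is the current spelling and would keep this consistent if the rest of the file is ever modernised. create_nat begins and ends outside both hunks.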
