From 41c2343f7505734703385724f76379b4f494faf3 Mon Sep 17 00:00:00 2001
From: Ryan Cavicchioni
Date: Fri, 30 Aug 2019 00:33:49 +0000
Subject: [PATCH] Exclude loopback from conntrack

---
 roles/firewall/defaults/main.yaml     | 2 ++
 roles/firewall/templates/ip6tables.j2 | 8 ++++++++
 roles/firewall/templates/iptables.j2  | 8 ++++++++
 3 files changed, 18 insertions(+)

diff --git a/roles/firewall/defaults/main.yaml b/roles/firewall/defaults/main.yaml
index 77a4fb6..c935853 100644
--- a/roles/firewall/defaults/main.yaml
+++ b/roles/firewall/defaults/main.yaml
@@ -29,6 +29,8 @@ firewall_drop_icmp_flood: true
 firewall_limit_icmp_flood_seconds: 1
 firewall_limit_icmp_flood_hitcount: 6
 
+firewall_loopback_notrack: true
+
 firewall_limited_tcp_ports: {}
 firewall_allowed_tcp_ports: {}
 
diff --git a/roles/firewall/templates/ip6tables.j2 b/roles/firewall/templates/ip6tables.j2
index 501fc75..5a75dfc 100644
--- a/roles/firewall/templates/ip6tables.j2
+++ b/roles/firewall/templates/ip6tables.j2
@@ -92,7 +92,15 @@
 
 -A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "accept related/established inet6" -j ACCEPT
 -A INPUT -m comment --comment "default drop inet6" -j LOG_DROP
+COMMIT
 
+*raw
+:PREROUTING ACCEPT -
+:OUTPUT ACCEPT -
+{% if firewall_loopback_notrack %}
+-A PREROUTING -i lo -j NOTRACK
+-A OUTPUT -o lo -j NOTRACK
+{% endif %}
 COMMIT
 
 # vim: tw=0
diff --git a/roles/firewall/templates/iptables.j2 b/roles/firewall/templates/iptables.j2
index 3142019..4963d39 100644
--- a/roles/firewall/templates/iptables.j2
+++ b/roles/firewall/templates/iptables.j2
@@ -76,7 +76,15 @@
 
 -A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "accept related/established" -j ACCEPT
 -A INPUT -m comment --comment "default drop" -j LOG_DROP
+COMMIT
 
+*raw
+:PREROUTING ACCEPT -
+:OUTPUT ACCEPT -
+{% if firewall_loopback_notrack %}
+-A PREROUTING -i lo -j NOTRACK
+-A OUTPUT -o lo -j NOTRACK
+{% endif %}
 COMMIT
 
 # vim: tw=0
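Review bot: The new default `firewall_loopback_notrack: true` is undocumented, and because it changes whether loopback packets carry conntrack state at all, a comment at the declaration would save readers a trip into the templates; suggest `# Skip connection tracking for loopback traffic (emits NOTRACK rules in the raw table of both templates)`. It is also worth stating in that comment that the flag only guards the two rules, not the `*raw` table header, which both templates emit unconditionally, so setting it to false still produces an empty raw table.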
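Review bot: Untracked loopback packets will not match the `-m state --state RELATED,ESTABLISHED` accept at the top of this hunk (packets marked NOTRACK are seen as UNTRACKED by the state match, not as ESTABLISHED), so unless the INPUT chain already accepts `-i lo` before the `default drop inet6` rule — that part of the chain is above the hunk, so I cannot confirm it — enabling the new default sends loopback replies to LOG_DROP. The same bypass also skips any `*nat` handling for lo traffic if the template has a nat table, which is worth a line in the role documentation. Both new rules also omit the `-m comment --comment` tag that the two INPUT rules visible above carry; suggest `-A PREROUTING -i lo -m comment --comment "do not track loopback inet6" -j NOTRACK` and `-A OUTPUT -o lo -m comment --comment "do not track loopback inet6" -j NOTRACK`. The iptables.j2 hunk below has the same two points, with the non-inet6 comment wording used there.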