Exclude loopback from conntrack

roles/firewall/templates/ip6tables.j2

@@ -92,7 +92,15 @@
 -A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "accept related/established inet6" -j ACCEPT
 
 -A INPUT -m comment --comment "default drop inet6" -j LOG_DROP
+COMMIT
 
+*raw
+:PREROUTING ACCEPT -
+:OUTPUT ACCEPT -
+{% if firewall_loopback_notrack %}
+-A PREROUTING -i lo -j NOTRACK
+-A OUTPUT -o lo -j NOTRACK
+{% endif %}
 COMMIT
 
 # vim: tw=0

roles/firewall/templates/iptables.j2

@@ -76,7 +76,15 @@
 -A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "accept related/established" -j ACCEPT
 
 -A INPUT -m comment --comment "default drop" -j LOG_DROP
+COMMIT
 
+*raw
+:PREROUTING ACCEPT -
+:OUTPUT ACCEPT -
+{% if firewall_loopback_notrack %}
+-A PREROUTING -i lo -j NOTRACK
+-A OUTPUT -o lo -j NOTRACK
+{% endif %}
 COMMIT
 
 # vim: tw=0