Exclude loopback from conntrack

roles/firewall/defaults/main.yaml

@@ -29,6 +29,8 @@ firewall_drop_icmp_flood: true
 firewall_limit_icmp_flood_seconds: 1
 firewall_limit_icmp_flood_hitcount: 6
 
+firewall_loopback_notrack: true
+
 firewall_limited_tcp_ports: {}
 
 firewall_allowed_tcp_ports: {}

roles/firewall/templates/ip6tables.j2

@@ -92,7 +92,15 @@
 -A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "accept related/established inet6" -j ACCEPT
 
 -A INPUT -m comment --comment "default drop inet6" -j LOG_DROP
+COMMIT
 
+*raw
+:PREROUTING ACCEPT -
+:OUTPUT ACCEPT -
+{% if firewall_loopback_notrack %}
+-A PREROUTING -i lo -j NOTRACK
+-A OUTPUT -o lo -j NOTRACK
+{% endif %}
 COMMIT
 
 # vim: tw=0

roles/firewall/templates/iptables.j2

@@ -76,7 +76,15 @@
 -A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "accept related/established" -j ACCEPT
 
 -A INPUT -m comment --comment "default drop" -j LOG_DROP
+COMMIT
 
+*raw
+:PREROUTING ACCEPT -
+:OUTPUT ACCEPT -
+{% if firewall_loopback_notrack %}
+-A PREROUTING -i lo -j NOTRACK
+-A OUTPUT -o lo -j NOTRACK
+{% endif %}
 COMMIT
 
 # vim: tw=0