From 2faa4e11dd8c097f5bace4f67c5a4b1ff6ad18b8 Mon Sep 17 00:00:00 2001
From: Tobias Hachmer
Date: Thu, 14 Dec 2017 06:33:39 +0100
Subject: [PATCH] Role network-iptables-gateway: omit dropping invalid packets

---
 roles/network-iptables-gateway/templates/rules.v4.j2 | 3 ---
 roles/network-iptables-gateway/templates/rules.v6.j2 | 3 ---
 2 files changed, 6 deletions(-)

diff --git a/roles/network-iptables-gateway/templates/rules.v4.j2 b/roles/network-iptables-gateway/templates/rules.v4.j2
index 94cdc07..8191876 100644
--- a/roles/network-iptables-gateway/templates/rules.v4.j2
+++ b/roles/network-iptables-gateway/templates/rules.v4.j2
@@ -6,7 +6,6 @@
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 -A INPUT -d {{ ansible_default_ipv4.address | ipaddr('public') }}/32 -p gre -j ACCEPT
--A INPUT -m conntrack --ctstate INVALID -j DROP
 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 {% for mesh_forward in meshes %}
 {% for mesh_recursive in meshes recursive %}
@@ -15,10 +14,8 @@
 {% endif %}
 {% endfor %}
 {% endfor %}
--A FORWARD -m conntrack --ctstate INVALID -j DROP
 -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A OUTPUT -s {{ ansible_default_ipv4.address | ipaddr('public') }}/32 -p gre -j ACCEPT
--A OUTPUT -m conntrack --ctstate INVALID -j DROP
 -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 COMMIT
 *mangle
diff --git a/roles/network-iptables-gateway/templates/rules.v6.j2 b/roles/network-iptables-gateway/templates/rules.v6.j2
index 7c97f3f..14653d6 100644
--- a/roles/network-iptables-gateway/templates/rules.v6.j2
+++ b/roles/network-iptables-gateway/templates/rules.v6.j2
@@ -5,7 +5,6 @@
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
--A INPUT -m conntrack --ctstate INVALID -j DROP
 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 {% for mesh_forward in meshes %}
 {% for mesh_recursive in meshes recursive %}
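Review bot: Deleting `-A INPUT -m conntrack --ctstate INVALID -j DROP` while the chain policy stays `:INPUT ACCEPT [0:0]` means packets that conntrack cannot classify (out-of-window TCP segments, stray ACK/RST, malformed fragments) now fall through the remaining rules and are accepted by the default policy; the same applies to the FORWARD and OUTPUT deletions in the second hunk and to both hunks of rules.v6.j2. On a gateway the FORWARD case matters most: INVALID packets are not handled by conntrack-based NAT, so if this host also masquerades traffic (not visible in this diff) such packets can leave with their unrewritten internal source address. The commit message states no rationale; if the drops were removed because legitimate mesh traffic was being marked INVALID (e.g. asymmetric paths), a narrower fix such as `net.netfilter.nf_conntrack_tcp_be_liberal=1` or a scoped exception is preferable to removing the drops from all three chains. Whatever the decision, record it in the template, e.g. `{# INVALID-state drop intentionally omitted: <reason> #}`, so the next maintainer does not re-add or remove it blindly.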
@@ -14,9 +13,7 @@
 {% endif %}
 {% endfor %}
 {% endfor %}
--A FORWARD -m conntrack --ctstate INVALID -j DROP
 -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A OUTPUT -m conntrack --ctstate INVALID -j DROP
 -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 COMMIT
 *mangle