From d41d2fce811cc8a465d274fd29ace8c065f99703 Mon Sep 17 00:00:00 2001
From: Stephen Gran
Date: Mon, 21 Jan 2013 11:16:18 +0000
Subject: [PATCH] NOTRACK for bind traffic

Signed-off-by: Stephen Gran
---
 modules/named/manifests/init.pp | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/modules/named/manifests/init.pp b/modules/named/manifests/init.pp
index 28a666b5a..83647911b 100644
--- a/modules/named/manifests/init.pp
+++ b/modules/named/manifests/init.pp
@@ -16,6 +16,14 @@ class named {
     rule => '&TCP_UDP_SERVICE(53)'
   }
 
+  @ferm::rule { 'dsa-bind-notrack':
+    domain => '(ip ip6)',
+    description => 'NOTRACK for nameserver traffic',
+    table => 'raw',
+    chain => 'PREROUTING',
+    rule => 'proto (tcp udp) dport 53 jump NOTRACK'
+  }
+
   file { '/var/log/bind9':
     ensure => directory,
     owner => bind,
--
2.20.1
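Review bot: The new `dsa-bind-notrack` resource untracks only the inbound side of the exchange (raw PREROUTING, `dport 53`); the nameserver's replies still pass through raw OUTPUT tracked, so conntrack creates an entry for each reply anyway and the filter chains see that reply as NEW rather than as part of an ESTABLISHED flow. If the intent is to keep DNS out of the conntrack table entirely, a matching outbound rule is needed — a second `@ferm::rule` with `chain => 'OUTPUT'` and `rule => 'proto (tcp udp) sport 53 jump NOTRACK'` (resource name below is a constructed placeholder). Once queries are untracked, no `ESTABLISHED`/`RELATED` accept can match them, so the stateless `&TCP_UDP_SERVICE(53)` accept in the context lines above must stay in place for port 53 to remain reachable; it may be worth a comment on the new resource saying so, e.g. `# untracked traffic never matches state rules; relies on the stateless dport-53 accept above`. The resource is declared virtual (`@ferm::rule`), so it has no effect until realized somewhere not visible here; the enclosing `class named` begins and ends outside the hunk.
```puppet
  # … unchanged: dsa-bind-notrack resource (raw PREROUTING, dport 53) …
  @ferm::rule { 'dsa-bind-notrack-out':
    domain => '(ip ip6)',
    description => 'NOTRACK for nameserver replies',
    table => 'raw',
    chain => 'OUTPUT',
    rule => 'proto (tcp udp) sport 53 jump NOTRACK'
  }
```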