X-Git-Url: https://git.donarmstrong.com/?p=dsa-puppet.git;a=blobdiff_plain;f=modules%2Fferm%2Fmanifests%2Fper-host.pp;h=2401338063a1b6c26b47f87d3f37d556df8094e0;hp=8ba8e6a2ccace5c2a7b023292f65e83b6633582d;hb=823568d2e4cad6f5b1a1a2fad73316f516601f62;hpb=e06a04ba03c98a81384caa35220a319efb00f388
diff --git a/modules/ferm/manifests/per-host.pp b/modules/ferm/manifests/per-host.pp
index 8ba8e6a2..24013380 100644
--- a/modules/ferm/manifests/per-host.pp
+++ b/modules/ferm/manifests/per-host.pp
@@ -169,6 +169,37 @@ class ferm::per-host {
 @ferm::rule { 'dsa-conntrackd':
 rule => 'interface vlan2 daddr 225.0.0.50 jump ACCEPT',
 }
+ @ferm::rule { 'dsa-bind-notrack-in':
+ domain => 'ip',
+ description => 'NOTRACK for nameserver traffic',
+ table => 'raw',
+ chain => 'PREROUTING',
+ rule => 'proto (tcp udp) daddr 5.153.231.24 dport 53 jump NOTRACK' }
+
+ @ferm::rule { 'dsa-bind-notrack-out':
+ domain => 'ip',
+ description => 'NOTRACK for nameserver traffic',
+ table => 'raw',
+ chain => 'OUTPUT',
+ rule => 'proto (tcp udp) saddr 5.153.231.24 sport 53 jump NOTRACK' }
+
+ @ferm::rule { 'dsa-bind-notrack-in6':
+ domain => 'ip6',
+ description => 'NOTRACK for nameserver traffic',
+ table => 'raw',
+ chain => 'PREROUTING',
+ rule => 'proto (tcp udp) daddr 2001:41c8:1000:21::21:24 dport 53 jump NOTRACK' }
+
+ @ferm::rule { 'dsa-bind-notrack-out6':
+ domain => 'ip6',
+ description => 'NOTRACK for nameserver traffic',
+ table => 'raw',
+ chain => 'OUTPUT',
+ rule => 'proto (tcp udp) saddr 2001:41c8:1000:21::21:24 sport 53 jump NOTRACK' }
 }
 default: {}
 }
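Review bot: Every packet matched by the four new raw-table rules ('dsa-bind-notrack-in' through 'dsa-bind-notrack-out6') is exempted from connection tracking, so any filter-table rule that relies on conntrack state (an ESTABLISHED/RELATED accept in INPUT or OUTPUT) will no longer match nameserver traffic; INPUT has to accept all TCP and UDP packets to dport 53, not just new connections, and OUTPUT has to accept packets from sport 53 explicitly, or replies are dropped as soon as the chain policy is not ACCEPT. The hunk does not show the matching filter rules, so this may already be handled elsewhere in the class; if so, a comment such as `# raw-table NOTRACK: the filter rules for dport/sport 53 must not depend on ctstate` above 'dsa-bind-notrack-in' would make that coupling explicit. The two addresses are repeated in four rule strings; a pair of locals, `$ns_v4 = '5.153.231.24'` and `$ns_v6 = '2001:41c8:1000:21::21:24'`, interpolated into the `rule` values would keep them in one place. The new `rule` attributes also omit the trailing comma that the surrounding 'dsa-conntrackd' resource uses. The enclosing case branch that these resources sit in starts outside the hunk.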