From 823568d2e4cad6f5b1a1a2fad73316f516601f62 Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Sun, 1 Dec 2013 10:49:17 +0100
Subject: [PATCH] Attempt not to track DNS traffic
---
 modules/ferm/manifests/per-host.pp | 31 ++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
diff --git a/modules/ferm/manifests/per-host.pp b/modules/ferm/manifests/per-host.pp
index 8ba8e6a2..24013380 100644
--- a/modules/ferm/manifests/per-host.pp
+++ b/modules/ferm/manifests/per-host.pp
@@ -169,6 +169,37 @@ class ferm::per-host {
 @ferm::rule { 'dsa-conntrackd':
 rule => 'interface vlan2 daddr 225.0.0.50 jump ACCEPT',
 }
+ @ferm::rule { 'dsa-bind-notrack-in':
+ domain => 'ip',
+ description => 'NOTRACK for nameserver traffic',
+ table => 'raw',
+ chain => 'PREROUTING',
+ rule => 'proto (tcp udp) daddr 5.153.231.24 dport 53 jump NOTRACK'
+ }
+
+ @ferm::rule { 'dsa-bind-notrack-out':
+ domain => 'ip',
+ description => 'NOTRACK for nameserver traffic',
+ table => 'raw',
+ chain => 'OUTPUT',
+ rule => 'proto (tcp udp) saddr 5.153.231.24 sport 53 jump NOTRACK'
+ }
+
+ @ferm::rule { 'dsa-bind-notrack-in6':
+ domain => 'ip6',
+ description => 'NOTRACK for nameserver traffic',
+ table => 'raw',
+ chain => 'PREROUTING',
+ rule => 'proto (tcp udp) daddr 2001:41c8:1000:21::21:24 dport 53 jump NOTRACK'
+ }
+
+ @ferm::rule { 'dsa-bind-notrack-out6':
+ domain => 'ip6',
+ description => 'NOTRACK for nameserver traffic',
+ table => 'raw',
+ chain => 'OUTPUT',
+ rule => 'proto (tcp udp) saddr 2001:41c8:1000:21::21:24 sport 53 jump NOTRACK'
+ }
 }
 default: {}
 }
-- 
2.39.2
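Review bot: Packets that hit these raw-table NOTRACK rules never get a conntrack entry, so they will not match any `mod state state (ESTABLISHED RELATED)` accept in the filter table; the INPUT chain therefore needs an explicit accept for `proto (tcp udp) daddr 5.153.231.24 dport 53` (and the v6 address) and OUTPUT an explicit accept for the `sport 53` replies, or a `mod conntrack ctstate UNTRACKED` match, otherwise queries or answers are dropped by the default policy. Those filter rules are not visible in this hunk, so please confirm they exist or add them next to these four rules. For TCP this also means the filter must accept port-53 segments regardless of handshake state, which is the intended trade-off but deserves a comment such as `# untracked: filter rules for port 53 must not rely on conntrack state`. The two literal addresses are repeated across four rules; hoisting them into `$dns_v4`/`$dns_v6` (or using the host's address facts) would keep the ip/ip6 variants from drifting apart. The enclosing `case` arm and the `ferm::per-host` class continue outside the hunk.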