Alexandros Kosiaris has submitted this change and it was merged.

Change subject: Avoid connection tracking for DNS recursors
......................................................................
Avoid connection tracking for DNS recursors Connection tracking for DNS recursors could fill up the connection tracking tables causing unwanted packetloss. Avoid tracking DNS protocol on DNS recursor, thus avoiding a potential issue Change-Id: Iaa490bc97cee9e3d8a3fa9682fbfb5f6fec66045 --- M manifests/role/dns.pp 1 file changed, 9 insertions(+), 0 deletions(-) Approvals: Alexandros Kosiaris: Looks good to me, approved jenkins-bot: Verified diff --git a/manifests/role/dns.pp b/manifests/role/dns.pp index fcc529a..9ff709e 100644 --- a/manifests/role/dns.pp +++ b/manifests/role/dns.pp @@ -70,4 +70,13 @@ port => '53', } + ferm::rule { 'skip_dns_conntrack-out': + desc => 'Skip DNS outgoing connection tracking', + rule => 'proto udp sport 53 NOTRACK', + } + + ferm::rule { 'skip_dns_conntrack-in': + desc => 'Skip DNS incoming connection tracking', + rule => 'proto udp dport 53 NOTRACK', + } } -- To view, visit https://gerrit.wikimedia.org/r/134071 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: Iaa490bc97cee9e3d8a3fa9682fbfb5f6fec66045 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Alexandros Kosiaris <akosia...@wikimedia.org> Gerrit-Reviewer: Alexandros Kosiaris <akosia...@wikimedia.org> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
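Review bot: Both new ferm::rule resources, 'skip_dns_conntrack-out' and 'skip_dns_conntrack-in', set only desc and rule, and no table or chain is visible in the hunk, yet NOTRACK is only valid in the netfilter raw table (PREROUTING and OUTPUT chains). Suggest naming the table and chain explicitly on each resource if the define supports it, or adding a comment that says where these rules end up, so a reader can confirm they are not emitted into the filter table. Second, once UDP port 53 is untracked, those packets no longer match any state-based ESTABLISHED/RELATED accept, so replies from upstream servers to the recursor's own queries (`proto udp sport 53` arriving on an ephemeral port) need an explicit accept rule; this hunk adds none, so please confirm one exists elsewhere in the manifest, and that it is scoped tightly enough that "source port 53" alone does not become a way through the firewall. Minor: the desc strings could mention that only UDP is exempted, since `proto udp` leaves DNS over TCP tracked.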