From 7004c1298354b05ddbc37ced2e9a6d4927ec4111 Mon Sep 17 00:00:00 2001
From: Matthias Schiffer
Date: Fri, 13 Jun 2014 21:56:32 +0200
Subject: [PATCH] gluon-firewall: enable conntrack on WAN

Otherwise, the state match doesn't work, not allowing replies to outgoing packets to get in.
---
 .../files/lib/gluon/upgrade/firewall/invariant/011-wan-firewall | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gluon/gluon-firewall/files/lib/gluon/upgrade/firewall/invariant/011-wan-firewall b/gluon/gluon-firewall/files/lib/gluon/upgrade/firewall/invariant/011-wan-firewall
index b63f519..792e06a 100755
--- a/gluon/gluon-firewall/files/lib/gluon/upgrade/firewall/invariant/011-wan-firewall
+++ b/gluon/gluon-firewall/files/lib/gluon/upgrade/firewall/invariant/011-wan-firewall
@@ -9,6 +9,7 @@ local c = uci.cursor()
 local function reject_input_on_wan(zone)
 if zone.name == 'wan' then
 c:set('firewall', zone['.name'], 'input', 'REJECT')
+ c:set('firewall', zone['.name'], 'conntrack', '1')
 end
 return true
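Review bot: The added `c:set('firewall', zone['.name'], 'conntrack', '1')` line carries no comment tying it to the `input` `REJECT` policy set on the line above, so the dependency between the two options is recorded only in the commit message. A later cleanup that drops the option would leave the WAN zone rejecting replies to the node's own outgoing packets, which is the failure this commit describes. I would add a comment above the new line, for example `-- input REJECT relies on the state match; force conntrack so replies to outgoing packets are let in`. The end of `reject_input_on_wan` and the code that saves the cursor lie outside the hunk, so whether the new option is persisted cannot be checked from here.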