firewall: Make logging of conntrack INVALIDs configureable
[people/mfischer/ipfire-2.x.git] / src / initscripts / system / firewall
index 5fef07a00f4b49f9a1d0205928916d6668cc546f..14f93d9c776ecdb2a291f65418655ce7eb596353 100644 (file)
@@ -122,7 +122,9 @@ iptables_init() {
 
        # Connection tracking chains
        iptables -N CTINVALID
-       iptables -A CTINVALID  -m limit --limit 10/second -j LOG  --log-prefix "DROP_CTINVALID "
+       if [ "$LOGDROPCTINVALID" == "on" ]; then
+               iptables -A CTINVALID  -m limit --limit 10/second -j LOG  --log-prefix "DROP_CTINVALID "
+       fi
        iptables -A CTINVALID  -j DROP -m comment --comment "DROP_CTINVALID"
 
        iptables -N CONNTRACK
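Review bot: The new guard around the CTINVALID LOG rule treats an unset or empty `LOGDROPCTINVALID` the same as "off". If the settings file on an upgraded system does not yet carry this key (the hunk does not show where it is read or defaulted), logging that was unconditional before this change disappears without any notice, while the DROP rule still applies. Defaulting to the previous behaviour keeps that visibility: `if [ "${LOGDROPCTINVALID:-on}" = "on" ]; then`. That form also uses `=` rather than `==`, which inside `[ ]` is a bash extension and would fail if the script is ever run by a strictly POSIX `/bin/sh`. The body of `iptables_init` starts and ends outside this hunk.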