From a9ea01428e6e696072c708f2c09a531587fd51b5 Mon Sep 17 00:00:00 2001
From: Daniel Barlow
Date: Thu, 8 Feb 2024 17:20:39 +0000
Subject: [PATCH] firewall: don't drop in conntrack rule as there are other rules following that might want to accept
---
examples/demo-firewall.nix | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/examples/demo-firewall.nix b/examples/demo-firewall.nix
index 20fdb8d..b9994d4 100644
--- a/examples/demo-firewall.nix
+++ b/examples/demo-firewall.nix
@@ -199,11 +199,10 @@ in {
 hook = "input";
 rules = [
 "iifname lo accept"
- "ct state vmap { established : accept, related : accept, invalid : drop }"
 "iifname int jump input-ip4-lan"
 "iifname ppp0 jump input-ip4-wan"
 "oifname \"int\" iifname \"ppp0\" jump incoming-allowed-ip4"
- "log prefix \"denied input-ip4 \""
+ "ct state vmap established,related accept"
 ];
 };
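Review bot: The added rule `"ct state vmap established,related accept"` combines the `vmap` keyword with a plain verdict; in nft syntax `vmap` expects a map expression (`{ key : verdict, ... }`), so this line very likely fails to load — the intended form is `"ct state established,related accept"` (or `"ct state vmap { established : accept, related : accept }"`). The hunk also removes the `"log prefix \"denied input-ip4 \""` rule, which the commit message does not mention; if this chain's policy (defined outside the hunk) is drop, packets rejected by the input chain are no longer logged, which is a loss of visibility rather than part of the stated change. Moving the conntrack accept from the head of the chain to its tail means established/related packets now traverse the three `jump` targets before being accepted, so any drop verdict in those chains applies to reply traffic too; keeping the accept before the jumps, simply without the `invalid : drop` entry, achieves the commit's goal while preserving the fast path. The enclosing chain definition begins before line 199 and is not visible in the hunk.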