From f94e8a60845215d3a5a1ed68a2be196691c03a06 Mon Sep 17 00:00:00 2001
From: "r.kubiak"
Date: Wed, 7 Oct 2015 17:40:26 +0200
Subject: [PATCH] Added loopback rules, so that the REJECT target can transmit ICMP packets to the process.

Change-Id: Idb5494f72e380164ab1473d18ef1f41a83e03ebe
---
 conf/nether.rules | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/conf/nether.rules b/conf/nether.rules
index b342507..b7ce458 100644
--- a/conf/nether.rules
+++ b/conf/nether.rules
@@ -23,9 +23,8 @@
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [816152:74580343]
 :POSTROUTING ACCEPT [824147:75308906]
+-A OUTPUT -o lo -j ACCEPT
 -A OUTPUT -p tcp -m state --state NEW -j NFQUEUE --queue-num 0 --queue-bypass
-#-A OUTPUT -p udp -j NFQUEUE --queue-num 0 --queue-bypass
--A OUTPUT -p icmp -j NFQUEUE --queue-num 0 --queue-bypass
 COMMIT
 *filter
 :INPUT ACCEPT [927054:2081201095]
@@ -33,6 +32,7 @@ COMMIT
 :OUTPUT ACCEPT [805408:74228055]
 :NETHER-ALLOWLOG - [0:0]
 :NETHER-DENY - [0:0]
+-A OUTPUT -o lo -j ACCEPT
 -A OUTPUT -m mark --mark 0x3 -j NETHER-DENY
 -A OUTPUT -m mark --mark 0x4 -j NETHER-ALLOWLOG
 -A NETHER-ALLOWLOG -j AUDIT --type accept
-- 
2.7.4
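Review bot: Removing `-A OUTPUT -p icmp -j NFQUEUE --queue-num 0 --queue-bypass` in the first hunk stops queueing all outbound ICMP, not only the loopback replies the subject line describes; since the new `-A OUTPUT -o lo -j ACCEPT` is inserted above the NFQUEUE rules, loopback ICMP already skips the queue and the icmp rule could be kept so ICMP to non-loopback destinations is still inspected. The loopback ACCEPT is also protocol-agnostic: in the mangle hunk it exempts every packet leaving via lo from NFQUEUE marking, and the matching rule in the second hunk sits before the `--mark 0x3`/`--mark 0x4` dispatch, so loopback traffic appears to bypass NETHER-DENY and the AUDIT logging in NETHER-ALLOWLOG as well; if only REJECT's ICMP errors need to pass, `-A OUTPUT -o lo -p icmp -j ACCEPT` is the narrower rule. The file already carries `#` comment lines, so a one-line comment such as `# loopback: let REJECT's ICMP error reach the local socket instead of re-entering NFQUEUE` above each new rule would record why the exemption exists.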