projects / project / firewall4.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 7ae5e14) | patch
ruleset: drop ctstate invalid traffic for masq-enabled zones
authorJo-Philipp Wich <jo@mein.io>
Tue, 25 Oct 2022 19:03:00 +0000 (21:03 +0200)
committerJo-Philipp Wich <jo@mein.io>
Wed, 26 Oct 2022 13:45:16 +0000 (15:45 +0200)
commit119ee1a06d4a5e5fd01ec1a242d21d6f355d7ff6
tree50e85097e6dccea768513586d03b34f25344109ctree | snapshot
parent7ae5e14bbd7265cc67ec870c3bb0c8e197bb7ca9commit | diff
ruleset: drop ctstate invalid traffic for masq-enabled zones

For NAT enabled zones, stage rules to drop forwarded traffic with conntrack
state "invalid" and honor `masq_allow_invalid` option to inhibit those
rules.

This ports the corresponding firewall3 logic to firewall4.

Ref: https://forum.openwrt.org/t/x/140790
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
root/usr/share/firewall4/templates/ruleset.uc diff | blob | history
root/usr/share/firewall4/templates/zone-drop-invalid.uc [new file with mode: 0644] blob
tests/01_configuration/01_ruleset diff | blob | history
tests/02_zones/02_masq diff | blob | history
tests/02_zones/03_masq_src_dest_restrictions diff | blob | history
tests/02_zones/04_masq_allow_invalid [new file with mode: 0644] blob
OpenWrt nftables firewall