From: Jo-Philipp Wich Date: Fri, 29 Jan 2016 17:22:34 +0000 (+0100) Subject: defaults: emit ctstate INVALID drop rules by default X-Git-Url: http://git.openwrt.org/?p=project%2Ffirewall3.git;a=commitdiff_plain;h=8957be6c026858fe414aef69281d8aa06f7ea122 defaults: emit ctstate INVALID drop rules by default Enable the creation of state invalid catch rules by default to prevent unnatted traffic from leaking onto the wan. Fixes OpenWrt ticket #21738. Signed-off-by: Jo-Philipp Wich
---
diff --git a/defaults.c b/defaults.c
index 4936b38..e246949 100644
--- a/defaults.c
+++ b/defaults.c
@@ -93,6 +93,7 @@ fw3_load_defaults(struct fw3_state *state, struct uci_package *p)
 defs->tcp_syncookies = true;
 defs->tcp_window_scaling = true;
 defs->custom_chains = true;
+ defs->drop_invalid = true;
 uci_foreach_element(&p->sections, e) {
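Review bot: The added `defs->drop_invalid = true;` flips the default for every configuration that does not set the option, and nothing at the assignment records why or what it can break. Conntrack marks packets it cannot associate with a tracked flow as INVALID, so setups with asymmetric routing may lose legitimate traffic once these rules are emitted by default. That trade-off deserves a comment on the line, for example `/* on by default: keeps un-NATed packets from leaking to wan; may drop asymmetrically routed traffic */`. Presumably the `uci_foreach_element` loop that follows lets a config section override the value, but its body, like the start and end of `fw3_load_defaults`, lies outside the hunk, so that should be confirmed before the comment or the option's documentation promises an opt-out.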