aboutsummaryrefslogtreecommitdiffstats
path: root/package/firewall
diff options
context:
space:
mode:
authorJo-Philipp Wich <jow@openwrt.org>2009-01-16 18:09:19 +0000
committerJo-Philipp Wich <jow@openwrt.org>2009-01-16 18:09:19 +0000
commit053133c34344cfb4cac6ea587ca45eb124bd5dbc (patch)
tree993231a8fac9349ec77225332aaf7a1d5c71d523 /package/firewall
parentc2a20b44bd04070784a2e8f7fa23e815689a7304 (diff)
downloadmaster-187ad058-053133c34344cfb4cac6ea587ca45eb124bd5dbc.tar.gz
master-187ad058-053133c34344cfb4cac6ea587ca45eb124bd5dbc.tar.bz2
master-187ad058-053133c34344cfb4cac6ea587ca45eb124bd5dbc.zip
firewall: introduce drop_invalid option to allow disabling the invalid state match
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@14061 3c298f89-4303-0410-b956-a3cf2f4a3e73
Diffstat (limited to 'package/firewall')
-rwxr-xr-xpackage/firewall/files/uci_firewall.sh17
1 files changed, 10 insertions, 7 deletions
diff --git a/package/firewall/files/uci_firewall.sh b/package/firewall/files/uci_firewall.sh
index fd108993c8..f38bd6b9ae 100755
--- a/package/firewall/files/uci_firewall.sh
+++ b/package/firewall/files/uci_firewall.sh
@@ -159,16 +159,19 @@ fw_defaults() {
$IPTABLES -t mangle -X
$IPTABLES -t nat -X
$IPTABLES -X
-
- $IPTABLES -A INPUT -m state --state INVALID -j DROP
+
+ config_get_bool drop_invalid $1 drop_invalid 1
+
+ [ "$drop_invalid" -gt 0 ] && {
+ $IPTABLES -A INPUT -m state --state INVALID -j DROP
+ $IPTABLES -A OUTPUT -m state --state INVALID -j DROP
+ $IPTABLES -A FORWARD -m state --state INVALID -j DROP
+ }
+
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-
- $IPTABLES -A OUTPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-
- $IPTABLES -A FORWARD -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-
+
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT