authorJo-Philipp Wich <jo@mein.io>2017-01-13 18:19:43 +0100
committerJo-Philipp Wich <jo@mein.io>2017-01-13 18:25:50 +0100
commit37cb4cb437fd685f31926a4c326ba8afe329e4a6 (patch)
tree09387c3ef5c0864e4c2e60474fccfa1870dd8358
parent13698aafb52c45817ee7815da3405e620657c8d0 (diff)
downloadfirewall3-37cb4cb437fd685f31926a4c326ba8afe329e4a6.tar.gz
zones: do not check conntrack state in zone_*_dest_ACCEPT chains
Packets which are merely forwarded by the router and which are neither involved in any DNAT/SNAT nor originate locally, are considered INVALID from a conntrack point of view, causing them to get dropped in the zone_*_dest_ACCEPT chains, since those only allow streams with state NEW or UNTRACKED. Remove the ctstate restriction on dest accept chains to properly pass through unrelated 3rd party traffic. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
-rw-r--r--zones.c5
1 files changed, 0 insertions, 5 deletions
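--- a/zones.c
+++ b/zones.c
@@ -357,11 +357,6 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
 r = fw3_ipt_rule_create(handle, NULL, NULL, dev, NULL, sub);
 fw3_ipt_rule_target(r, jump_target(t));
 fw3_ipt_rule_extra(r, zone->extra_dest);
-
- if (t == FW3_FLAG_ACCEPT && !state->defaults.drop_invalid)
- fw3_ipt_rule_extra(r,
- "-m conntrack --ctstate NEW,UNTRACKED");
-
 fw3_ipt_rule_replace(r, "zone_%s_dest_%s", zone->name,
 fw3_flag_names[t]);
 }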