Changeset 28148


Timestamp:
2011-09-01T22:37:22+02:00 (5 years ago)
Author:
jow
Message:

[package] firewall: make ESTABLISHED,RELATED rules match before INVALID, use conntrack instead of state match (#10038)

Location:
trunk/package/firewall
Files:
2 edited

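--- a/trunk/package/firewall/Makefile
+++ b/trunk/package/firewall/Makefile
@@ -10,5 +10,5 @@
 
 PKG_VERSION:=2
-PKG_RELEASE:=34
+PKG_RELEASE:=35
 
 include $(INCLUDE_DIR)/package.mk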
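--- a/trunk/package/firewall/files/lib/core_init.sh
+++ b/trunk/package/firewall/files/lib/core_init.sh
@@ -1,3 +1,3 @@
-# Copyright (C) 2009-2010 OpenWrt.org
+# Copyright (C) 2009-2011 OpenWrt.org
 # Copyright (C) 2008 John Crispin <blogic@openwrt.org>
 
@@ -67,14 +67,14 @@
         fw_sysctl_interface all
 
+        fw add i f INPUT   ACCEPT { -m conntrack --ctstate RELATED,ESTABLISHED }
+        fw add i f OUTPUT  ACCEPT { -m conntrack --ctstate RELATED,ESTABLISHED }
+        fw add i f FORWARD ACCEPT { -m conntrack --ctstate RELATED,ESTABLISHED }
+
         [ $defaults_drop_invalid == 1 ] && {
-                fw add i f INPUT   DROP { -m state --state INVALID }
-                fw add i f OUTPUT  DROP { -m state --state INVALID }
-                fw add i f FORWARD DROP { -m state --state INVALID }
+                fw add i f INPUT   DROP { -m conntrack --ctstate INVALID }
+                fw add i f OUTPUT  DROP { -m conntrack --ctstate INVALID }
+                fw add i f FORWARD DROP { -m conntrack --ctstate INVALID }
                 FW_NOTRACK_DISABLED=1
         }
-
-        fw add i f INPUT   ACCEPT { -m state --state RELATED,ESTABLISHED }
-        fw add i f OUTPUT  ACCEPT { -m state --state RELATED,ESTABLISHED }
-        fw add i f FORWARD ACCEPT { -m state --state RELATED,ESTABLISHED }
 
         fw add i f INPUT  ACCEPT { -i lo }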
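Review bot: The six rules at new lines 69-71 and 74-76 now need the `conntrack` match rather than `state`, but the Makefile section of this changeset only bumps PKG_RELEASE, so nothing visible here guarantees the match is installed on the target. If it is missing, these `fw add` calls would presumably fail and the early ACCEPT for return traffic would not be installed, so please confirm that the package's dependency list (outside this view) provides the conntrack match for both the iptables userspace extension and the kernel module. I would also add a comment above the new ACCEPT rules, since the ordering is the point of the change, e.g. `# accept established/related flows first; ctstate values are mutually exclusive, so this only shortens the path for the common case`. The enclosing function starts and ends outside the hunk.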