config: drop input traffic by default
author Baptiste Jonglez <git@bitsofnetworks.org>
Wed, 2 Nov 2022 15:06:47 +0000 (16:06 +0100)
committer Baptiste Jonglez <git@bitsofnetworks.org>
Wed, 2 Nov 2022 15:24:20 +0000 (16:24 +0100)
commit 6443ec7805295de07f6051662065a16b4a194f19
tree 52e424623d5eb28e6e80a6f9b90a739bbb1d0a4f
parent 119ee1a06d4a5e5fd01ec1a242d21d6f355d7ff6
config: drop input traffic by default

This is necessary with firewall4 to avoid a hard-to-diagnose race
condition during boot, causing DNAT rules not to be taken into account
correctly.

The root cause is that, during boot, the ruleset is mostly empty, and
interface-related rules (including DNAT rules) are added incrementally.
If a packet hits the input chain before the DNAT rules are set up, it can
create buggy conntrack entries that will persist indefinitely.

This new default should be safe because firewall4 explicitly accepts
authorized traffic and rejects the rest.  Thus, in normal operations, the
default policy is not used.

Fixes: #10749
Ref: https://github.com/openwrt/openwrt/issues/10749
Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
root/etc/config/firewall
tests/01_configuration/01_ruleset
tests/mocks/uci/firewall.json
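As an added illustration (this page does not show the commit's diff, so the exact lines are an assumption, not the project's own change), here is what the `defaults` section of an OpenWrt `/etc/config/firewall` looks like with the former accept-by-default input policy beside the drop-by-default policy the commit subject describes. The option names are the standard UCI firewall ones; the before/after values are assumed:

```uci
# Assumed pre-change defaults (illustrative, not the page's diff).
# With input ACCEPT, a packet reaching the input chain during boot, before the
# per-zone accept and DNAT rules exist, is accepted and its conntrack entry
# gets confirmed into the table.
config defaults
	option input		ACCEPT
	option output		ACCEPT
	option forward		REJECT
	option synflood_protect	1

# Assumed post-change defaults (illustrative). With input DROP, such an early
# packet is dropped in the input hook, so its conntrack entry is never
# confirmed and cannot linger once the DNAT rules are in place. In normal
# operation fw4's explicit per-zone accept/reject rules match first and this
# policy is only the fallback.
config defaults
	option input		DROP
	option output		ACCEPT
	option forward		REJECT
	option synflood_protect	1
```

To check which policy is in effect on a running fw4 box, reload the firewall (`/etc/init.d/firewall reload`) and inspect the generated chain with `nft list chain inet fw4 input`; the chain header shows `policy drop` or `policy accept`. Per-zone `option input` settings in `config zone` stanzas are unaffected by this default and continue to decide what each zone accepts.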