firewall: config: drop input traffic by default
author: Baptiste Jonglez <git@bitsofnetworks.org>
Wed, 19 Oct 2022 14:49:03 +0000 (16:49 +0200)
committer: Baptiste Jonglez <git@bitsofnetworks.org>
Tue, 1 Nov 2022 22:25:39 +0000 (23:25 +0100)
commit: ef597b026bb0351ae909ae1fdaed12e76ddd41b7
tree: 30654d9138bbd241cd06a1ae460e7fd8f4454606
parent: 5b7c99bc4c4d437285605d2a7dbb17d65aa6453d
firewall: config: drop input traffic by default

This is necessary with firewall4 to avoid a hard-to-diagnose race
condition during boot, causing DNAT rules not to be taken into account
correctly.

The root cause is that, during boot, the ruleset is mostly empty, and
interface-related rules (including DNAT rules) are added incrementally.
If a packet hits the input chain before the DNAT rules are set up, it can
create buggy conntrack entries that will persist indefinitely.

This new default should be safe because firewall4 explicitly accepts
authorized traffic and rejects the rest. Thus, in normal operations, the
default policy is not used.

Fixes: #10749
Ref: https://github.com/openwrt/openwrt/issues/10749
Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
package/network/config/firewall/files/firewall.config
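The page lists the changed file but does not show the diff, so the check below is an added example written for this page, not code from the OpenWrt commit or project. It reads the default input policy out of a UCI-style firewall config, assuming the `config defaults` / `option input` layout that `firewall.config` uses, so an operator can confirm that the shipped default is no longer ACCEPT on a system built from this commit. The two sample files are constructed here; the value DROP in the "new" sample is taken from the commit subject, since the exact replacement line is not visible on this page.

```shell
#!/bin/sh
# Added example, not part of the OpenWrt commit. Parses the "config defaults"
# section of a UCI firewall config (the layout firewall.config ships) and
# reports whether the default input policy leaves unmatched packets open.
# Sample configs below are constructed for illustration.

# Print the value of "option input" in the first "config defaults" section
# of the file given as $1; print UNSET if the option is not present there.
default_input_policy() {
    awk '
        /^[ \t]*config[ \t]+defaults/ { in_defaults = 1; next }
        /^[ \t]*config[ \t]/          { in_defaults = 0 }
        in_defaults && $1 == "option" && $2 == "input" {
            gsub(/["'"'"']/, "", $3); print $3; found = 1; exit
        }
        END { if (!found) print "UNSET" }
    ' "$1"
}

# Return 0 when the default input policy is DROP or REJECT (packets that
# match no explicit rule are not accepted), 1 otherwise.
input_policy_is_closed() {
    case "$(default_input_policy "$1")" in
        DROP|REJECT) return 0 ;;
        *)           return 1 ;;
    esac
}

# Constructed samples: an ACCEPT default (the situation the commit fixes)
# and a DROP default. The zone section in the first file carries its own
# "option input" to show the parser only reads the defaults section.
OLD_CFG=$(mktemp)
NEW_CFG=$(mktemp)
trap 'rm -f "$OLD_CFG" "$NEW_CFG"' EXIT
cat >"$OLD_CFG" <<'EOF'
config defaults
    option syn_flood    1
    option input        ACCEPT
    option output       ACCEPT
    option forward      REJECT

config zone
    option name         lan
    option input        ACCEPT
EOF
cat >"$NEW_CFG" <<'EOF'
config defaults
    option syn_flood    1
    option input        DROP
    option output       ACCEPT
    option forward      REJECT
EOF

# Print one line per file saying whether its default input policy is closed.
report() {
    for f in "$OLD_CFG" "$NEW_CFG"; do
        if input_policy_is_closed "$f"; then
            echo "$f: default input policy $(default_input_policy "$f") (closed)"
        else
            echo "$f: default input policy $(default_input_policy "$f") (open, WARNING)"
        fi
    done
}
report
```

On a live OpenWrt box the same question can be asked of the active configuration with `uci get firewall.@defaults[0].input`; the awk parser above exists only so the check runs offline against a plain file.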