This is necessary with firewall4 to avoid a hard-to-diagnose race
condition during boot, causing DNAT rules not to be taken into account
correctly.
The root cause is that, during boot, the ruleset is mostly empty, and
interface-related rules (including DNAT rules) are added incrementally.
If a packet hits the input chain before the DNAT rules are setup, it can
create buggy conntrack entries that will persist indefinitely.
This new default should be safe because firewall4 explicitly accepts
authorized traffic and rejects the rest. Thus, in normal operations, the
default policy is not used.
Fixes: #10749
Ref: https://github.com/openwrt/openwrt/issues/10749
Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
config defaults
option syn_flood 1
- option input ACCEPT
+ option input REJECT
option output ACCEPT
option forward REJECT
# Uncomment this line to disable ipv6 rules
#
chain input {
- type filter hook input priority filter; policy accept;
+ type filter hook input priority filter; policy drop;
iifname "lo" accept comment "!fw4: Accept traffic from loopback"
tcp flags & (fin | syn | rst | ack) == syn jump syn_flood comment "!fw4: Rate limit TCP syn packets"
iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
+ jump handle_reject
}
chain forward {
"flow_offloading": "1",
"flow_offloading_hw": "1",
"forward": "REJECT",
- "input": "ACCEPT",
+ "input": "REJECT",
"output": "ACCEPT",
"syn_flood": "1",
"unknown_defaults_option": "foo"