openwrt/package/network/config
Baptiste Jonglez ef597b026b firewall: config: drop input traffic by default
This is necessary with firewall4 to avoid a hard-to-diagnose race
condition during boot, causing DNAT rules not to be taken into account
correctly.

The root cause is that, during boot, the ruleset is mostly empty, and
interface-related rules (including DNAT rules) are added incrementally.
If a packet hits the input chain before the DNAT rules are set up, it can
create buggy conntrack entries that will persist indefinitely.

This new default should be safe because firewall4 explicitly accepts
authorized traffic and rejects the rest.  Thus, in normal operations, the
default policy is not used.

Fixes: #10749
Ref: https://github.com/openwrt/openwrt/issues/10749
Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
2022-11-01 23:25:39 +01:00
firewall firewall: config: drop input traffic by default 2022-11-01 23:25:39 +01:00
firewall4 firewall4: update to latest Git HEAD 2022-10-18 09:50:05 +02:00
gre gre: use alternative way to check if kernel support is enabled 2021-03-13 20:58:55 +01:00
ipip ipip: add 'nohostroute' option 2022-01-19 20:57:59 +01:00
ltq-adsl-app ltq-[a|v]dsl-app: provide ltq-dsl-app 2022-09-17 17:39:23 +02:00
ltq-vdsl-vr9-app ltq-vdsl-vr9-app: extend ubus call to provide DSL statistics 2022-10-30 23:14:45 +01:00
netifd netifd: update to the latest version 2022-08-25 21:16:26 +02:00
qos-scripts qos-scripts: fix trailing whitespace in config files 2022-09-27 17:16:46 +02:00
qosify qosify: update to the latest version 2022-04-08 13:07:47 +02:00
soloscli soloscli: fix uci-defaults file 2020-06-11 01:49:24 +02:00
swconfig swconfig: parse "switch_vlan" before "switch_port" 2022-06-15 10:44:32 +02:00
vti vti: squash vtiv4 and vtiv6 packages into vti 2021-11-03 20:34:43 +01:00
vxlan vxlan: allow for dynamic source ip selection (FS#3426) 2020-12-31 11:53:21 +01:00
xfrm xfrm: simplify the check for necessary kernel support 2021-03-13 20:59:22 +01:00