openwrt/package/network/config/firewall/files
Baptiste Jonglez ef597b026b firewall: config: drop input traffic by default
This is necessary with firewall4 to avoid a hard-to-diagnose race
condition during boot, causing DNAT rules not to be taken into account
correctly.

The root cause is that, during boot, the ruleset is mostly empty, and
interface-related rules (including DNAT rules) are added incrementally.
If a packet hits the input chain before the DNAT rules are setup, it can
create buggy conntrack entries that will persist indefinitely.

This new default should be safe because firewall4 explicitly accepts
authorized traffic and rejects the rest.  Thus, in normal operations, the
default policy is not used.

Fixes: #10749
Ref: https://github.com/openwrt/openwrt/issues/10749
Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
2022-11-01 23:25:39 +01:00
..
firewall.config firewall: config: drop input traffic by default 2022-11-01 23:25:39 +01:00
firewall.hotplug firewall: don't reload if there were no address or data changes 2014-01-19 17:35:33 +00:00
firewall.init package/*: remove useless explicit set of function returncode 2014-08-25 06:35:50 +00:00
firewall.user firewall3: rename to firewall, move into base system menu, update to git head with compatibility fixes for AA 2013-06-04 12:21:52 +00:00