Before this change, the user defined include rules in the output and input
chain were not evaluated for the loopback interface. Traffic related to
the loopback interface was always accepted.

To ensure that the custom rules also apply to the loopback interface,
this commit moves the custom rule for the input and output chain before
the accept rule of the loopback interface.

User defined rules for the input and output chain are now always
evaluated for the entire traffic.

Signed-off-by: Florian Eckert <f...@dev.tdt.de>
---
 root/usr/share/firewall4/templates/ruleset.uc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/root/usr/share/firewall4/templates/ruleset.uc 
b/root/usr/share/firewall4/templates/ruleset.uc
index 7bd9309..639795e 100644
--- a/root/usr/share/firewall4/templates/ruleset.uc
+++ b/root/usr/share/firewall4/templates/ruleset.uc
@@ -97,9 +97,9 @@ table inet fw4 {
        chain input {
                type filter hook input priority filter; policy {{ 
fw4.input_policy(true) }};
 
+{% fw4.includes('chain-prepend', 'input') %}
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
 
-{% fw4.includes('chain-prepend', 'input') %}
                ct state established,related accept comment "!fw4: Allow 
inbound established and related flows"
 {% if (fw4.default_option("drop_invalid")): %}
                ct state invalid drop comment "!fw4: Drop flows with invalid 
conntrack state"
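Review bot: Moving `{% fw4.includes('chain-prepend', 'input') %}` ahead of `iifname "lo" accept` is a behaviour change for existing deployments, not just a fix: any user `chain-prepend` rule written without an interface match (for example a broad `drop` or `reject` on a port) will now also drop traffic arriving on `lo`, which can break daemons that talk to themselves over 127.0.0.1. The commit message should say so explicitly and point out that users who relied on the old behaviour can add an `iifname "lo" accept` as the first rule of their own include. Ordering relative to `ct state established,related accept` is unchanged by this hunk, so prepended rules keep seeing established flows as before.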
@@ -145,9 +145,9 @@ table inet fw4 {
        chain output {
                type filter hook output priority filter; policy {{ 
fw4.output_policy(true) }};
 
+{% fw4.includes('chain-prepend', 'output') %}
                oifname "lo" accept comment "!fw4: Accept traffic towards 
loopback"
 
-{% fw4.includes('chain-prepend', 'output') %}
                ct state established,related accept comment "!fw4: Allow 
outbound established and related flows"
 {% if (fw4.default_option("drop_invalid")): %}
                ct state invalid drop comment "!fw4: Drop flows with invalid 
conntrack state"
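Review bot: The output-chain hunk mirrors the input one, but the risk profile is slightly different and worth a sentence in the commit message: the `oifname "lo" accept` rule now sits behind the user include, so a prepended output rule that matches on destination address or port only will also apply to locally generated loopback traffic (local DNS forwarders and management services are the usual casualties). Consider documenting in the firewall4 include docs that `chain-prepend` rules for `input` and `output` are evaluated before the loopback accept, so that rule authors add an explicit `oifname "lo"`/`iifname "lo"` exemption where they need it.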
-- 
2.30.2


_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel