From cdeacccb567497c4bb2056f702ba7415bb00105a Mon Sep 17 00:00:00 2001
From: Florian Eckert
Date: Thu, 7 Sep 2023 08:51:54 +0200
Subject: [PATCH] ruleset: also run through the custom includes for the loopback interface

Before this change, the user defined include rules in the output and input chain were not evaluated for the loopback interface. Traffic related to this interface was always accepted. To ensure that the custom rules also apply to the loopback interface, move the custom rule in front of the input and output chain. These changes make it possible to evaluate rules for the loopack interface as well.
Signed-off-by: Florian Eckert
---
 root/usr/share/firewall4/templates/ruleset.uc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/root/usr/share/firewall4/templates/ruleset.uc b/root/usr/share/firewall4/templates/ruleset.uc
index 2bec4d9..5acfc70 100644
--- a/root/usr/share/firewall4/templates/ruleset.uc
+++ b/root/usr/share/firewall4/templates/ruleset.uc
@@ -112,9 +112,9 @@ table inet fw4 {
 chain input {
 type filter hook input priority filter; policy {{ fw4.input_policy(true) }};
+{% fw4.includes('chain-prepend', 'input') %}
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
-{% fw4.includes('chain-prepend', 'input') %}
 ct state vmap { established : accept, related : accept{% if (fw4.default_option("drop_invalid")): %}, invalid : drop{% endif %} } comment "!fw4: Handle inbound flows"
 {% if (fw4.default_option("synflood_protect") && fw4.default_option("synflood_rate")): %}
 tcp flags & (fin | syn | rst | ack) == syn jump syn_flood comment "!fw4: Rate limit TCP syn packets"
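Review bot: Existing `chain-prepend` include files were never evaluated against loopback traffic under the old ordering, so after the moved `{% fw4.includes('chain-prepend', 'input') %}` an unqualified user rule such as a port-based `drop` or `reject` in the include now also hits local services on `lo`, and nothing in the template records this ordering dependency. Suggest a template comment above the moved include, e.g. `{# user prepend rules run before the loopback accept; an include meant for external traffic only must itself match on iif/oif #}`, plus a matching note in the include documentation so operators can audit their includes before upgrading. An include that relies on the old behaviour can restore it by starting with its own `iif "lo" accept` line. The same change and the same comment apply to the output-chain hunk at `@@ -154,9 +154,9 @@` with `oif "lo"`. Both `chain input {` and `chain output {` blocks continue past the visible hunk lines.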
@@ -154,9 +154,9 @@ table inet fw4 {
 chain output {
 type filter hook output priority filter; policy {{ fw4.output_policy(true) }};
+{% fw4.includes('chain-prepend', 'output') %}
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
-{% fw4.includes('chain-prepend', 'output') %}
 ct state vmap { established : accept, related : accept{% if (fw4.default_option("drop_invalid")): %}, invalid : drop{% endif %} } comment "!fw4: Handle outbound flows"
 {% for (let rule in fw4.rules("output")): %}
 {%+ include("rule.uc", { fw4, zone: null, rule }) %}