12 changes: 9 additions & 3 deletions root/usr/share/firewall4/templates/ruleset.uc
@@ -115,7 +115,7 @@ table inet fw4 {
iif "lo" accept comment "!fw4: Accept traffic from loopback"

{% fw4.includes('chain-prepend', 'input') %}
ct state vmap { established : accept, related : accept{% if (fw4.default_option("drop_invalid")): %}, invalid : drop{% endif %} } comment "!fw4: Handle inbound flows"
ct state established,related accept comment "!fw4: Accept inbound flows"
{% if (fw4.default_option("synflood_protect") && fw4.default_option("synflood_rate")): %}
tcp flags & (fin | syn | rst | ack) == syn jump syn_flood comment "!fw4: Rate limit TCP syn packets"
{% endif %}
@@ -138,7 +138,7 @@ table inet fw4 {
meta l4proto { tcp, udp } flow offload @ft;
{% endif %}
{% fw4.includes('chain-prepend', 'forward') %}
ct state vmap { established : accept, related : accept{% if (fw4.default_option("drop_invalid")): %}, invalid : drop{% endif %} } comment "!fw4: Handle forwarded flows"
ct state established,related accept comment "!fw4: Accept forwarded flows"
{% for (let rule in fw4.rules("forward")): %}
{%+ include("rule.uc", { fw4, zone: (rule.src?.zone?.log_limit ? rule.src.zone : rule.dest?.zone), rule }) %}
{% endfor %}
@@ -157,7 +157,7 @@ table inet fw4 {
oif "lo" accept comment "!fw4: Accept traffic towards loopback"

{% fw4.includes('chain-prepend', 'output') %}
ct state vmap { established : accept, related : accept{% if (fw4.default_option("drop_invalid")): %}, invalid : drop{% endif %} } comment "!fw4: Handle outbound flows"
ct state established,related accept comment "!fw4: Accept outbound flows"
{% for (let rule in fw4.rules("output")): %}
{%+ include("rule.uc", { fw4, zone: null, rule }) %}
{% endfor %}
@@ -411,6 +411,9 @@ table inet fw4 {

chain mangle_prerouting {
type filter hook prerouting priority mangle; policy accept;
{% if (fw4.default_option("drop_invalid")): %}
ct state invalid counter drop comment "!fw4: Drop invalid ingress packets"
{% endif -%}
{% fw4.includes('chain-prepend', 'mangle_prerouting') %}
{% for (let rule in fw4.rules("mangle_prerouting")): %}
{%+ include("rule.uc", { fw4, zone: null, rule }) %}
@@ -445,6 +448,9 @@ table inet fw4 {

chain mangle_output {
type route hook output priority mangle; policy accept;
{% if (fw4.default_option("drop_invalid")): %}
ct state invalid counter drop comment "!fw4: Drop invalid egress packets"
{% endif -%}
{% fw4.includes('chain-prepend', 'mangle_output') %}
{% for (let rule in fw4.rules("mangle_output")): %}
{%+ include("rule.uc", { fw4, zone: null, rule }) %}
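Review bot: The new `ct state invalid counter drop` rules in mangle_prerouting and mangle_output sit ahead of the `chain-prepend` include and carry no loopback exemption, whereas the `invalid : drop` vmap entry that appears to be removed from input/output was only reached after `iif "lo" accept` / `oif "lo" accept` and after the `chain-prepend` include. With `drop_invalid` set, loopback packets that conntrack classifies as invalid are now dropped, and rules supplied through the prepend includes can no longer log or exempt invalid packets before the drop. If that widening is not intended, narrow the match, e.g. `iif != "lo" ct state invalid counter drop comment "!fw4: Drop invalid ingress packets"` (and `oif != "lo"` in mangle_output), or emit the rule after the include. None of the test sections on this page shows expected output with `drop_invalid` enabled, so the new branch looks unexercised by the visible fixtures. Both mangle chains continue outside the hunks.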
6 changes: 3 additions & 3 deletions tests/01_configuration/01_ruleset
@@ -112,7 +112,7 @@ table inet fw4 {

iif "lo" accept comment "!fw4: Accept traffic from loopback"

ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
ct state established,related accept comment "!fw4: Accept inbound flows"
tcp flags & (fin | syn | rst | ack) == syn jump syn_flood comment "!fw4: Rate limit TCP syn packets"
iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
@@ -123,7 +123,7 @@ table inet fw4 {
type filter hook forward priority filter; policy drop;

meta l4proto { tcp, udp } flow offload @ft;
ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
ct state established,related accept comment "!fw4: Accept forwarded flows"
iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
iifname "pppoe-wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
jump handle_reject
@@ -134,7 +134,7 @@ table inet fw4 {

oif "lo" accept comment "!fw4: Accept traffic towards loopback"

ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
ct state established,related accept comment "!fw4: Accept outbound flows"
meta l4proto tcp counter comment "!fw4: Test-Deprecated-Rule-Option"
oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
6 changes: 3 additions & 3 deletions tests/01_configuration/02_rule_order
@@ -93,15 +93,15 @@ table inet fw4 {

iif "lo" accept comment "!fw4: Accept traffic from loopback"

ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
ct state established,related accept comment "!fw4: Accept inbound flows"
iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
}

chain forward {
type filter hook forward priority filter; policy drop;

ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
ct state established,related accept comment "!fw4: Accept forwarded flows"
iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
iifname "pppoe-wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
}
@@ -111,7 +111,7 @@ table inet fw4 {

oif "lo" accept comment "!fw4: Accept traffic towards loopback"

ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
ct state established,related accept comment "!fw4: Accept outbound flows"
oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
}
6 changes: 3 additions & 3 deletions tests/02_zones/01_policies
@@ -95,7 +95,7 @@ table inet fw4 {

iif "lo" accept comment "!fw4: Accept traffic from loopback"

ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
ct state established,related accept comment "!fw4: Accept inbound flows"
iifname "zone1" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic"
iifname "zone2" jump input_test2 comment "!fw4: Handle test2 IPv4/IPv6 input traffic"
iifname "zone3" jump input_test3 comment "!fw4: Handle test3 IPv4/IPv6 input traffic"
@@ -104,7 +104,7 @@ table inet fw4 {
chain forward {
type filter hook forward priority filter; policy drop;

ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
ct state established,related accept comment "!fw4: Accept forwarded flows"
iifname "zone1" jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic"
iifname "zone2" jump forward_test2 comment "!fw4: Handle test2 IPv4/IPv6 forward traffic"
iifname "zone3" jump forward_test3 comment "!fw4: Handle test3 IPv4/IPv6 forward traffic"
@@ -115,7 +115,7 @@ table inet fw4 {

oif "lo" accept comment "!fw4: Accept traffic towards loopback"

ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
ct state established,related accept comment "!fw4: Accept outbound flows"
oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic"
oifname "zone2" jump output_test2 comment "!fw4: Handle test2 IPv4/IPv6 output traffic"
oifname "zone3" jump output_test3 comment "!fw4: Handle test3 IPv4/IPv6 output traffic"
6 changes: 3 additions & 3 deletions tests/02_zones/02_masq
@@ -99,7 +99,7 @@ table inet fw4 {

iif "lo" accept comment "!fw4: Accept traffic from loopback"

ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
ct state established,related accept comment "!fw4: Accept inbound flows"
iifname "zone1" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic"
iifname "zone2" jump input_test2 comment "!fw4: Handle test2 IPv4/IPv6 input traffic"
iifname "zone3" jump input_test3 comment "!fw4: Handle test3 IPv4/IPv6 input traffic"
@@ -108,7 +108,7 @@ table inet fw4 {
chain forward {
type filter hook forward priority filter; policy drop;

ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
ct state established,related accept comment "!fw4: Accept forwarded flows"
iifname "zone1" jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic"
iifname "zone2" jump forward_test2 comment "!fw4: Handle test2 IPv4/IPv6 forward traffic"
iifname "zone3" jump forward_test3 comment "!fw4: Handle test3 IPv4/IPv6 forward traffic"
@@ -119,7 +119,7 @@ table inet fw4 {

oif "lo" accept comment "!fw4: Accept traffic towards loopback"

ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
ct state established,related accept comment "!fw4: Accept outbound flows"
oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic"
oifname "zone2" jump output_test2 comment "!fw4: Handle test2 IPv4/IPv6 output traffic"
oifname "zone3" jump output_test3 comment "!fw4: Handle test3 IPv4/IPv6 output traffic"
6 changes: 3 additions & 3 deletions tests/02_zones/03_masq_src_dest_restrictions
@@ -122,15 +122,15 @@ table inet fw4 {

iif "lo" accept comment "!fw4: Accept traffic from loopback"

ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
ct state established,related accept comment "!fw4: Accept inbound flows"
iifname "zone1" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic"
iifname "zone2" jump input_test2 comment "!fw4: Handle test2 IPv4/IPv6 input traffic"
}

chain forward {
type filter hook forward priority filter; policy drop;

ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
ct state established,related accept comment "!fw4: Accept forwarded flows"
iifname "zone1" jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic"
iifname "zone2" jump forward_test2 comment "!fw4: Handle test2 IPv4/IPv6 forward traffic"
}
@@ -140,7 +140,7 @@ table inet fw4 {

oif "lo" accept comment "!fw4: Accept traffic towards loopback"

ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
ct state established,related accept comment "!fw4: Accept outbound flows"
oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic"
oifname "zone2" jump output_test2 comment "!fw4: Handle test2 IPv4/IPv6 output traffic"
}
6 changes: 3 additions & 3 deletions tests/02_zones/04_masq_allow_invalid
@@ -71,14 +71,14 @@ table inet fw4 {

iif "lo" accept comment "!fw4: Accept traffic from loopback"

ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
ct state established,related accept comment "!fw4: Accept inbound flows"
iifname "zone1" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic"
}

chain forward {
type filter hook forward priority filter; policy drop;

ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
ct state established,related accept comment "!fw4: Accept forwarded flows"
iifname "zone1" jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic"
}

@@ -87,7 +87,7 @@ table inet fw4 {

oif "lo" accept comment "!fw4: Accept traffic towards loopback"

ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
ct state established,related accept comment "!fw4: Accept outbound flows"
oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic"
}

6 changes: 3 additions & 3 deletions tests/02_zones/04_wildcard_devices
@@ -122,7 +122,7 @@ table inet fw4 {

iif "lo" accept comment "!fw4: Accept traffic from loopback"

ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
ct state established,related accept comment "!fw4: Accept inbound flows"
jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic"
iifname "/never/" jump input_test2 comment "!fw4: Handle test2 IPv4/IPv6 input traffic"
iifname "test*" jump input_test3 comment "!fw4: Handle test3 IPv4/IPv6 input traffic"
@@ -137,7 +137,7 @@ table inet fw4 {
chain forward {
type filter hook forward priority filter; policy drop;

ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
ct state established,related accept comment "!fw4: Accept forwarded flows"
jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic"
iifname "/never/" jump forward_test2 comment "!fw4: Handle test2 IPv4/IPv6 forward traffic"
iifname "test*" jump forward_test3 comment "!fw4: Handle test3 IPv4/IPv6 forward traffic"
@@ -154,7 +154,7 @@ table inet fw4 {

oif "lo" accept comment "!fw4: Accept traffic towards loopback"

ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
ct state established,related accept comment "!fw4: Accept outbound flows"
jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic"
oifname "/never/" jump output_test2 comment "!fw4: Handle test2 IPv4/IPv6 output traffic"
oifname "test*" jump output_test3 comment "!fw4: Handle test3 IPv4/IPv6 output traffic"
6 changes: 3 additions & 3 deletions tests/02_zones/05_subnet_mask_matches
@@ -81,7 +81,7 @@ table inet fw4 {

iif "lo" accept comment "!fw4: Accept traffic from loopback"

ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
ct state established,related accept comment "!fw4: Accept inbound flows"
meta nfproto ipv6 ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::2 jump input_test1 comment "!fw4: Handle test1 IPv6 input traffic"
meta nfproto ipv6 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 jump input_test2 comment "!fw4: Handle test2 IPv6 input traffic"
meta nfproto ipv6 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::2 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 jump input_test2 comment "!fw4: Handle test2 IPv6 input traffic"
@@ -91,7 +91,7 @@ table inet fw4 {
chain forward {
type filter hook forward priority filter; policy drop;

ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
ct state established,related accept comment "!fw4: Accept forwarded flows"
meta nfproto ipv6 ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::2 jump forward_test1 comment "!fw4: Handle test1 IPv6 forward traffic"
meta nfproto ipv6 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 jump forward_test2 comment "!fw4: Handle test2 IPv6 forward traffic"
meta nfproto ipv6 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::2 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 jump forward_test2 comment "!fw4: Handle test2 IPv6 forward traffic"
@@ -103,7 +103,7 @@ table inet fw4 {

oif "lo" accept comment "!fw4: Accept traffic towards loopback"

ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
ct state established,related accept comment "!fw4: Accept outbound flows"
meta nfproto ipv6 ip6 daddr & ::ffff == ::1 ip6 daddr & ::ffff != ::2 jump output_test1 comment "!fw4: Handle test1 IPv6 output traffic"
meta nfproto ipv6 ip6 daddr != { ::7, ::8 } ip6 daddr & ::ffff == ::1 ip6 daddr & ::ffff != ::5 ip6 daddr & ::ffff != ::6 jump output_test2 comment "!fw4: Handle test2 IPv6 output traffic"
meta nfproto ipv6 ip6 daddr != { ::7, ::8 } ip6 daddr & ::ffff == ::2 ip6 daddr & ::ffff != ::5 ip6 daddr & ::ffff != ::6 jump output_test2 comment "!fw4: Handle test2 IPv6 output traffic"
6 changes: 3 additions & 3 deletions tests/02_zones/06_family_selections
@@ -136,7 +136,7 @@ table inet fw4 {

iif "lo" accept comment "!fw4: Accept traffic from loopback"

ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
ct state established,related accept comment "!fw4: Accept inbound flows"
meta nfproto ipv4 ip saddr 10.0.0.0/8 jump input_test1 comment "!fw4: Handle test1 IPv4 input traffic"
meta nfproto ipv6 ip6 saddr 2001:db8:1234::/64 jump input_test2 comment "!fw4: Handle test2 IPv6 input traffic"
meta nfproto ipv6 ip6 saddr 2001:db8:1234::/64 jump input_test3 comment "!fw4: Handle test3 IPv6 input traffic"
@@ -148,7 +148,7 @@ table inet fw4 {
chain forward {
type filter hook forward priority filter; policy drop;

ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
ct state established,related accept comment "!fw4: Accept forwarded flows"
meta nfproto ipv4 ip saddr 10.0.0.0/8 jump forward_test1 comment "!fw4: Handle test1 IPv4 forward traffic"
meta nfproto ipv6 ip6 saddr 2001:db8:1234::/64 jump forward_test2 comment "!fw4: Handle test2 IPv6 forward traffic"
meta nfproto ipv6 ip6 saddr 2001:db8:1234::/64 jump forward_test3 comment "!fw4: Handle test3 IPv6 forward traffic"
@@ -162,7 +162,7 @@ table inet fw4 {

oif "lo" accept comment "!fw4: Accept traffic towards loopback"

ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
ct state established,related accept comment "!fw4: Accept outbound flows"
meta nfproto ipv4 ip daddr 10.0.0.0/8 jump output_test1 comment "!fw4: Handle test1 IPv4 output traffic"
meta nfproto ipv6 ip6 daddr 2001:db8:1234::/64 jump output_test2 comment "!fw4: Handle test2 IPv6 output traffic"
meta nfproto ipv6 ip6 daddr 2001:db8:1234::/64 jump output_test3 comment "!fw4: Handle test3 IPv6 output traffic"
6 changes: 3 additions & 3 deletions tests/02_zones/07_helpers
@@ -168,7 +168,7 @@ table inet fw4 {

iif "lo" accept comment "!fw4: Accept traffic from loopback"

ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
ct state established,related accept comment "!fw4: Accept inbound flows"
iifname "zone1" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic"
iifname "zone2" jump input_test2 comment "!fw4: Handle test2 IPv4/IPv6 input traffic"
iifname "zone3" jump input_test3 comment "!fw4: Handle test3 IPv4/IPv6 input traffic"
@@ -178,7 +178,7 @@ table inet fw4 {
chain forward {
type filter hook forward priority filter; policy drop;

ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
ct state established,related accept comment "!fw4: Accept forwarded flows"
iifname "zone1" jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic"
iifname "zone2" jump forward_test2 comment "!fw4: Handle test2 IPv4/IPv6 forward traffic"
iifname "zone3" jump forward_test3 comment "!fw4: Handle test3 IPv4/IPv6 forward traffic"
@@ -190,7 +190,7 @@ table inet fw4 {

oif "lo" accept comment "!fw4: Accept traffic towards loopback"

ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
ct state established,related accept comment "!fw4: Accept outbound flows"
oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic"
oifname "zone2" jump output_test2 comment "!fw4: Handle test2 IPv4/IPv6 output traffic"
oifname "zone3" jump output_test3 comment "!fw4: Handle test3 IPv4/IPv6 output traffic"
6 changes: 3 additions & 3 deletions tests/02_zones/08_log_limit
@@ -240,7 +240,7 @@ table inet fw4 {

iif "lo" accept comment "!fw4: Accept traffic from loopback"

ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
ct state established,related accept comment "!fw4: Accept inbound flows"
tcp dport 1007 counter log prefix "@rule[6]: " comment "!fw4: @rule[6]"
tcp dport 1008 counter comment "!fw4: @rule[7]"
tcp dport 1009 limit rate 5/minute log prefix "@rule[12]: "
@@ -254,7 +254,7 @@ table inet fw4 {
chain forward {
type filter hook forward priority filter; policy drop;

ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
ct state established,related accept comment "!fw4: Accept forwarded flows"
tcp dport 1005 limit name "lan.log_limit" log prefix "@rule[4]: "
tcp dport 1005 counter comment "!fw4: @rule[4]"
tcp dport 1006 counter comment "!fw4: @rule[5]"
@@ -269,7 +269,7 @@ table inet fw4 {

oif "lo" accept comment "!fw4: Accept traffic towards loopback"

ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
ct state established,related accept comment "!fw4: Accept outbound flows"
oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
meta nfproto ipv4 oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4 output traffic"
oifname "br-guest" jump output_guest comment "!fw4: Handle guest IPv4/IPv6 output traffic"