We currently only accept DNAT traffic if there is at least one DNAT rule configured in UCI. This leads to a problem for people who want to use UPnP and do not have any DNAT rules configured. In this case, the UPnP daemon sets up the DNAT rules, but the traffic is not allowed in the input or forward chain, so the DNAT rules do not work.
Solve this by unconditionally allowing packets with the dnat conntrack status. One could argue that this makes firewall4 less secure, but for a packet to have the dnat conntrack status, it must have already matched a DNAT rule. If there are no DNAT rules, no packets should ever have this status. Signed-off-by: Stijn Tintel <[email protected]> --- root/usr/share/firewall4/templates/ruleset.uc | 4 ---- 1 file changed, 4 deletions(-) diff --git a/root/usr/share/firewall4/templates/ruleset.uc b/root/usr/share/firewall4/templates/ruleset.uc index 9537ba2..f57836e 100644 --- a/root/usr/share/firewall4/templates/ruleset.uc +++ b/root/usr/share/firewall4/templates/ruleset.uc @@ -217,9 +217,7 @@ table inet fw4 { {% for (let rule in fw4.rules(`input_${zone.name}`)): %} {%+ include("rule.uc", { fw4, rule }) %} {% endfor %} -{% if (zone.dflags.dnat): %} ct status dnat accept comment "!fw4: Accept port redirections" -{% endif %} {% fw4.includes('chain-append', `input_${zone.name}`) %} jump {{ zone.input }}_from_{{ zone.name }} } @@ -238,9 +236,7 @@ table inet fw4 { {% for (let rule in fw4.rules(`forward_${zone.name}`)): %} {%+ include("rule.uc", { fw4, rule }) %} {% endfor %} -{% if (zone.dflags.dnat): %} ct status dnat accept comment "!fw4: Accept port forwards" -{% endif %} {% fw4.includes('chain-append', `forward_${zone.name}`) %} jump {{ zone.forward }}_to_{{ zone.name }} {% if (fw4.forward_policy() != "accept" && (zone.log & 1)): %} -- 2.39.2 _______________________________________________ openwrt-devel mailing list [email protected] https://lists.openwrt.org/mailman/listinfo/openwrt-devel
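Review bot: the input-chain hunk removes the `{% if (zone.dflags.dnat): %}` / `{% endif %}` guard around `ct status dnat accept`, and this template line was very likely the consumer of `zone.dflags.dnat`; if nothing else reads that flag, its computation should be dropped in the same series, or the commit message should say why it stays. The message should also spell out that the accept now precedes `jump {{ zone.input }}_from_{{ zone.name }}` for every zone, so a DNAT entry created outside UCI (miniupnpd, or any other process able to write a nat table) is accepted into the router itself regardless of the zone's input policy. That is the intended effect, but the security argument given ("it must have already matched a DNAT rule") then rests on every DNAT source on the box being trusted, which deserves a sentence.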
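Review bot: the forward-chain hunk makes the same change before `jump {{ zone.forward }}_to_{{ zone.name }}`, so a port forward established by any nat rule outside fw4 is now forwarded into the zone even when `zone.forward` is reject or drop and no UCI redirect exists. Users who relied on the absence of UCI redirects as a second gate (for example to neutralise a stale UPnP configuration) lose that behaviour, so please document it where the zone `dnat` flag semantics are described, and mention in the message that the generated ruleset was checked on a config without redirects to confirm the rule is now emitted for those zones.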
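The situation the commit message describes (DNAT entries present, but the fw4 zone chains lack the `ct status dnat accept` rule, so the redirected traffic never gets through) can be checked on a running router from the output of `nft list ruleset`. The audit script below is an added example, not part of this patch or of firewall4; it assumes fw4's chain naming as seen in the hunks (`input_<zone>`, `forward_<zone>`, and the closing `jump <policy>_from_<zone>` / `jump <policy>_to_<zone>`), and the `inet miniupnpd` table in the sample dump is a constructed stand-in for whatever table a UPnP daemon writes its DNAT rules to.

```python
"""Audit an `nft list ruleset` dump for fw4 zones that would reject DNAT'd traffic.

Added example (not firewall4 code). It finds every DNAT action in any table
(including ones fw4 did not generate, e.g. a UPnP daemon's table) and reports
fw4 zone input/forward chains that end in a reject/drop jump without a
preceding `ct status dnat accept` rule.
"""
from __future__ import annotations

import re

TABLE_RE = re.compile(r"^\s*table\s+(\S+)\s+(\S+)\s*\{")
CHAIN_RE = re.compile(r"^\s*chain\s+(\S+)\s*\{")
DNAT_ACTION_RE = re.compile(r"\bdnat (?:ip |ip6 )?to\b")   # a real DNAT rule
DNAT_ACCEPT_RE = re.compile(r"\bct status dnat accept\b")  # the fw4 accept rule
# fw4 closes each zone chain with `jump <policy>_from_<zone>` / `jump <policy>_to_<zone>`
POLICY_JUMP_RE = re.compile(r"^jump (accept|reject|drop)_(?:from|to)_\S+$")


def parse_chains(ruleset: str) -> dict[str, list[str]]:
    """Map 'family table/chain' -> rule lines, skipping chain type/policy headers."""
    chains: dict[str, list[str]] = {}
    table = chain = None
    for raw in ruleset.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := TABLE_RE.match(line):
            table = f"{m.group(1)} {m.group(2)}"
            continue
        if (m := CHAIN_RE.match(line)) and table:
            chain = f"{table}/{m.group(1)}"
            chains[chain] = []
            continue
        if line == "}":
            chain = None  # closes a chain (or a table; the next header resets it)
            continue
        if chain and not line.startswith("type "):
            chains[chain].append(line)
    return chains


def zone_policy(rules: list[str]) -> str | None:
    """Return accept/reject/drop from the trailing policy jump of a zone chain."""
    for rule in reversed(rules):
        if m := POLICY_JUMP_RE.match(rule):
            return m.group(1)
    return None


def audit(ruleset: str) -> list[str]:
    """List fw4 zone chains that would reject/drop DNAT'd packets."""
    chains = parse_chains(ruleset)
    dnat_rules = [f"{name}: {rule}" for name, rules in chains.items()
                  for rule in rules if DNAT_ACTION_RE.search(rule)]
    if not dnat_rules:
        return []  # nothing is DNAT'd, so no packet can carry the dnat status
    zones = sorted(name.rsplit("/input_", 1)[1] for name in chains
                   if name.startswith("inet fw4/input_"))
    findings = []
    for zone in zones:
        for hook in ("input", "forward"):
            key = f"inet fw4/{hook}_{zone}"
            rules = chains.get(key, [])
            policy = zone_policy(rules)
            if policy in ("reject", "drop") and \
                    not any(DNAT_ACCEPT_RE.search(r) for r in rules):
                findings.append(f"{key}: {len(dnat_rules)} DNAT rule(s) present but no "
                                f"'ct status dnat accept' before the {policy} jump")
    return findings


# Constructed sample dump: a wan zone without UCI redirects (so the old template
# emitted no accept rule) plus a DNAT rule installed by a UPnP daemon.
SAMPLE_RULESET = """\
table inet fw4 {
    chain input_wan {
        ct state established,related accept comment "!fw4: Allow inbound established and related flows"
        jump reject_from_wan
    }
    chain forward_wan {
        ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
        jump reject_to_wan
    }
    chain input_lan {
        jump accept_from_lan
    }
    chain forward_lan {
        jump accept_to_lan
    }
    chain dstnat_wan {
    }
}
table inet miniupnpd {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iif "eth0" tcp dport 51413 dnat to 192.168.1.20:51413 comment "constructed upnp rule"
    }
}
"""

# The same dump as the patched template would generate it: the accept rule is
# emitted for wan even though no UCI redirect exists.
FIXED_RULESET = SAMPLE_RULESET.replace(
    "jump reject_from_wan",
    'ct status dnat accept comment "!fw4: Accept port redirections"\n        jump reject_from_wan',
).replace(
    "jump reject_to_wan",
    'ct status dnat accept comment "!fw4: Accept port forwards"\n        jump reject_to_wan',
)

if __name__ == "__main__":
    for label, dump in (("old template", SAMPLE_RULESET), ("patched template", FIXED_RULESET)):
        print(f"{label}: {audit(dump) or ['no findings']}")
```

Run it against a real dump with `nft list ruleset | python3 audit_dnat.py` after replacing the `__main__` block with `print(audit(sys.stdin.read()))`; the two constructed dumps show the wan input and forward chains flagged before the change and clean after it.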
