ruleset: do not emit redundant drop invalid rules
The wan interface drop rule unnecessarily persists when invalid state
is dropped globally and the rule cannot catch anything at all, so remove
it as the effect is achieved by default and to global extent.

Fixes: 119ee1a ("ruleset: drop ctstate invalid traffic for masq-enabled zones")
Signed-off-by: Andris PE <[email protected]>
[fix S-o-b tag, fix commit author, reword commit subject and message]
Signed-off-by: Jo-Philipp Wich <[email protected]>
Andris PE authored and jow- committed Nov 3, 2023
1 parent de3483c commit 7392792
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion root/usr/share/firewall4/templates/ruleset.uc
Expand Up @@ -276,7 +276,7 @@ table inet fw4 {
{% if (zone.dflags[verdict]): %}
chain {{ verdict }}_to_{{ zone.name }} {
{% for (let rule in zone.match_rules): %}
{% if (verdict == "accept" && (zone.masq || zone.masq6) && !zone.masq_allow_invalid): %}
{% if (!fw4.default_option("drop_invalid") && verdict == "accept" && (zone.masq || zone.masq6) && !zone.masq_allow_invalid): %}
{%+ include("zone-drop-invalid.uc", { fw4, zone, rule }) %}
{% endif %}
{%+ include("zone-verdict.uc", { fw4, zone, rule, egress: true, verdict }) %}
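Review bot: the new `!fw4.default_option("drop_invalid")` guard is re-evaluated on every iteration of `{% for (let rule in zone.match_rules): %}` although it does not depend on `rule`; hoisting it, together with the `verdict == "accept" && (zone.masq || zone.masq6) && !zone.masq_allow_invalid` checks, into one boolean computed before the loop would keep the template condition readable and avoid repeating the option lookup per rule. It is also worth confirming that `default_option("drop_invalid")` is truthy exactly when invalid state is dropped globally, since the per-zone `zone-drop-invalid.uc` include is now skipped on that value alone.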