From: Jo-Philipp Wich Date: Fri, 13 Jan 2017 17:19:43 +0000 (+0100) Subject: zones: do not check conntrack state in zone_*_dest_ACCEPT chains X-Git-Url: http://git.archive.openwrt.org/?p=project%2Ffirewall3.git;a=commitdiff_plain;h=37cb4cb437fd685f31926a4c326ba8afe329e4a6 zones: do not check conntrack state in zone_*_dest_ACCEPT chains Packets which are merely forwarded by the router and which are neither involved in any DNAT/SNAT nor originate locally, are considered INVALID from a conntrack point of view, causing them to get dropped in the zone_*_dest_ACCEPT chains, since those only allow stream with state NEW or UNTRACKED. Remove the ctstate restriction on dest accept chains to properly pass- through unrelated 3rd party traffic. Signed-off-by: Jo-Philipp Wich --- diff --git a/zones.c b/zones.c index 8b4bbcd..520d00c 100644 --- a/zones.c +++ b/zones.c @@ -357,11 +357,6 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state, r = fw3_ipt_rule_create(handle, NULL, NULL, dev, NULL, sub); fw3_ipt_rule_target(r, jump_target(t)); fw3_ipt_rule_extra(r, zone->extra_dest); - - if (t == FW3_FLAG_ACCEPT && !state->defaults.drop_invalid) - fw3_ipt_rule_extra(r, - "-m conntrack --ctstate NEW,UNTRACKED"); - fw3_ipt_rule_replace(r, "zone_%s_dest_%s", zone->name, fw3_flag_names[t]); }
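Review bot: The removed block was the only place in print_interface_rule() that consulted state->defaults.drop_invalid, so after this hunk the zone_*_dest_ACCEPT rule matches every packet regardless of conntrack state, including INVALID, and whether INVALID traffic is still dropped now depends entirely on whatever other rule honours the drop_invalid default. The commit message should state that explicitly (the "pass-through unrelated 3rd party traffic" sentence reads as if only untracked forwarded packets are affected), and it would help to name the concrete forwarding setup in which conntrack marked the packets INVALID, since that is the case the change is meant to fix. A small point of style: the deletion leaves two consecutive blank lines collapsed into one between fw3_ipt_rule_extra(r, zone->extra_dest); and fw3_ipt_rule_replace(...), which matches the surrounding code, so no further cleanup needed there.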