defaults: emit ctstate INVALID drop rules by default

Enable the creation of state invalid catch rules by default to prevent
unnatted traffic from leaking onto the wan.

Fixes OpenWrt ticket #21738.

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

diff --git a/defaults.c b/defaults.c
index 4936b38..e246949 100644 (file)
--- a/defaults.c
+++ b/defaults.c
@@ -93,6 +93,7 @@ fw3_load_defaults(struct fw3_state *state, struct uci_package *p)
        defs->tcp_syncookies       = true;
        defs->tcp_window_scaling   = true;
        defs->custom_chains        = true;
+       defs->drop_invalid         = true;
 
        uci_foreach_element(&p->sections, e)
        {