Andrew
Can you check if this solves the problem: (just copy file downloaded as raw over one in /usr/share/... in the router, original file is in /rom/usr/share/... if something goes foul....
Tested on both fw3 and fw4. Test machine with lan mtu 64 to chop icmp embedded extra header @hauke @jow- this has to be pushed to fw3 and picked to...
Kind of does not change much... I linked it to shoot all at once.
@jow- @dave14305 hope all issues fixed?
Raised here first https://forum.openwrt.org/t/firewall-control-over-established-sessions/228684 ~~Request to fully document `nft table create` upstream https://bugzilla.netfilter.org/show_bug.cgi?id=1800 Alternative would be to create and add test chain which fails in absence of parent table~~
Changed to draft, got a better (performant) idea in the works, not needing the `echo f` kernel patch.
second 3rd of https://github.com/openwrt/firewall4/pull/22 Blocks guarding offload with ct state, ie last part of those. Careful rebasing on top of https://github.com/openwrt/firewall4/pull/56 - iif "lo" should follow established, related accept Ref:...
Ahh yes, loopback excluded to emulate fw3 workings, no harm in users running nmap -O against loopback (which is quite an efficient ct invalid generator on its own)
Please consider https://github.com/brada4/firewall4/commit/aec0dc5606ad84efb2b31dd7c0b797f6cc513828 superseding pr #22 completely.
@f00b4r0 tell me if I am wrong tyy