Andrew
Flush conntrack if fw4 is started with fw4 table absent. Approximates fw3 ct flush when no iptables rules are present. Prevents (deletes) eternal ghost states created at early boot. Also...
Drop ICMPv6 packets that are not explicitly allowed, like those falling outside conntrack due to a missing embedded state header, as in the referenced issue. Add older patch and omit singular echo reply...
### Describe the bug
When uncommon errors are encountered parsing sysctl.conf, the rest of the configuration is ignored.
### OpenWrt version
r28741-5ff7149a08
### OpenWrt release
24.10-SNAPSHOT
### OpenWrt target/subtarget
x86/64
###...
Correct rport null propagation, moving compensatory conditional to reflection snat rule only. Emit shorthand rules if user did not specify redirect target port. This saves 2 bytecodes in rule and...
Add missing includes around prerouting chain. Used by e.g. transparent proxies. Spotted by @reinerotto. Add another missing in raw_prerouting.
Add explicit l4proto match before _ifname to avoid burning cycles for other protocols, eliminating measurable (iperf3) udp re-ordering. Displayed back rules show pessimal combo even when the new one is loaded. Fixes:...
Link to the issue to not forget it https://github.com/openwrt/openwrt/issues/20047
ip4 part never served any purpose except confusing users, e.g. https://github.com/openwrt/firewall4/issues/53. Permit only IKE conformant to RFC; ip4 NAT traversal has a different port, and terminating on the router can be...
Check if the banner file specified actually exists. Dropbear refuses to start without the file present, e.g. when un-commenting the only commented line in the default uci file.
Do not accept unsolicited ICMP echo reply. It is implied by conntrack state from the request already. cf. https://github.com/openwrt/firewall4/pull/44. Also exemplified by ipv4 ping rule. Limit peer-to-peer ipsec to ipv6 only...