firewall: introduce drop_invalid option to allow disabling the invalid state match

git-svn-id: svn://svn.openwrt.org/openwrt/trunk@14061 3c298f89-4303-0410-b956-a3cf2f4a3e73
author: jow <jow@3c298f89-4303-0410-b956-a3cf2f4a3e73> 2009-01-16 18:09:19 +0000
committer: jow <jow@3c298f89-4303-0410-b956-a3cf2f4a3e73> 2009-01-16 18:09:19 +0000
commit: 9a3973d64e53d52287ee8ba12c2c0cb7eb8998e9 (patch)
tree: 993231a8fac9349ec77225332aaf7a1d5c71d523 /package/firewall/files/uci_firewall.sh
parent: a84679b42d25884d3905e705dcca8b9d3a5607cd (diff)
1 files changed, 10 insertions, 7 deletions
diff --git a/package/firewall/files/uci_firewall.sh b/package/firewall/files/uci_firewall.sh
index fd108993c..f38bd6b9a 100755
--- a/package/firewall/files/uci_firewall.sh
+++ b/package/firewall/files/uci_firewall.sh
@@ -159,16 +159,19 @@ fw_defaults() {
 	$IPTABLES -t mangle -X
 	$IPTABLES -t nat -X
 	$IPTABLES -X
-	
-	$IPTABLES -A INPUT -m state --state INVALID -j DROP
+
+	config_get_bool drop_invalid $1 drop_invalid 1
+
+	[ "$drop_invalid" -gt 0 ] && {
+		$IPTABLES -A INPUT -m state --state INVALID -j DROP
+		$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
+		$IPTABLES -A FORWARD -m state --state INVALID -j DROP
+	}
+
 	$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-		
-	$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
 	$IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-	
-	$IPTABLES -A FORWARD -m state --state INVALID -j DROP
 	$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-	
+
 	$IPTABLES -A INPUT -i lo -j ACCEPT
 	$IPTABLES -A OUTPUT -o lo -j ACCEPT
author	jow <jow@3c298f89-4303-0410-b956-a3cf2f4a3e73>	2009-01-16 18:09:19 +0000
committer	jow <jow@3c298f89-4303-0410-b956-a3cf2f4a3e73>	2009-01-16 18:09:19 +0000
commit	9a3973d64e53d52287ee8ba12c2c0cb7eb8998e9 (patch)
tree	993231a8fac9349ec77225332aaf7a1d5c71d523 /package/firewall/files/uci_firewall.sh
parent	a84679b42d25884d3905e705dcca8b9d3a5607cd (diff)