From 37cb4cb437fd685f31926a4c326ba8afe329e4a6 Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Fri, 13 Jan 2017 18:19:43 +0100
Subject: [PATCH] zones: do not check conntrack state in zone_*_dest_ACCEPT chains

Packets which are merely forwarded by the router and which are neither involved in any DNAT/SNAT nor originate locally, are considered INVALID from a conntrack point of view, causing them to get dropped in the zone_*_dest_ACCEPT chains, since those only allow stream with state NEW or UNTRACKED.

Remove the ctstate restriction on dest accept chains to properly pass- through unrelated 3rd party traffic.

Signed-off-by: Jo-Philipp Wich
---
 zones.c | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/zones.c b/zones.c
index 8b4bbcd..520d00c 100644
--- a/zones.c
+++ b/zones.c
@@ -357,11 +357,6 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
 r = fw3_ipt_rule_create(handle, NULL, NULL, dev, NULL, sub);
 fw3_ipt_rule_target(r, jump_target(t));
 fw3_ipt_rule_extra(r, zone->extra_dest);
-
- if (t == FW3_FLAG_ACCEPT && !state->defaults.drop_invalid)
- fw3_ipt_rule_extra(r,
- "-m conntrack --ctstate NEW,UNTRACKED");
-
 fw3_ipt_rule_replace(r, "zone_%s_dest_%s", zone->name,
 fw3_flag_names[t]);
 }
-- 
2.25.1
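Review bot: After this deletion the zone_*_dest_ACCEPT rule carries no conntrack match at all, so with `defaults.drop_invalid` unset, INVALID-state packets are now accepted by the dest chain as well — the commit message explains this is intended for forwarded third-party traffic, but nothing left in `print_interface_rule` records it, and a later reader will only see that `drop_invalid` no longer influences the dest chain. A one-line comment before the `fw3_ipt_rule_replace` call would preserve the rationale, e.g. `/* no ctstate match here on purpose: forwarded traffic without a local conntrack entry is INVALID and must still pass */`. If the matching src-side ACCEPT chain still applies a NEW,UNTRACKED match (not visible in this hunk), the resulting asymmetry deserves a note there too. print_interface_rule begins and ends outside the hunk.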