forwards: properly propagate conntrack flag
In the following topology:
config zone
option name A
config zone
option name B
config zone
option name C
option conntrack 1
config forwarding
option src A
option dest B
config forwarding
option src A
option dest C
... the conntrack flag needs to be propagated into both zones A and B as well.
Since A is connected with C, A will inherit C's conntrack requirement which
means that B will need to inherit the flag as well since it is connected to A.
The current code fails to apply the conntrack requirement flag recursively to
zones, leading to stray NOTRACK rules which break conntrack based traffic
policing.
Change the implementation to iteratively reapply the conntrack fixup logic
until no more zones had been changed in order to ensure that all directly and
indirectly connected zones receive the conntrack requirement flag.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
projects / oweals / firewall3.git / commit