On 10/03/2023 01:49, st...@linux-ipv6.be wrote:
> We currently only accept DNAT traffic if there is at least one DNAT rule
> configured in UCI. This leads to a problem for people wanting to use
> UPnP who do not have any DNAT rules configured. In this case, the UPnP
> daemon sets up the DNAT rules, but the traffic is not allowed in the
> input or forward chain, so the DNAT rules do not work.
>
> Solve this by unconditionally allowing packets with the dnat conntrack
> status. One could argue that this makes firewall4 less secure, but for a
> packet to have the dnat conntrack status, it must have already matched a
> DNAT rule. If there are no DNAT rules, no packets should ever have this
> status.
Please disregard: miniupnpd seems to add a forward rule, so this is no
longer needed.
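To illustrate the mechanism the quoted message relies on, here is a constructed nftables fragment (added here; it is not firewall4's generated ruleset, and the table name, chain names, addresses and port are assumptions). A packet can only carry the `dnat` conntrack status after it has matched a `dnat` rule in the prerouting chain, so an `ct status dnat accept` rule in the filter chains matches nothing unless some port forward actually exists:

```nft
# Constructed example ruleset, not firewall4 output.
table inet fw4_example {
    chain dstnat {
        type nat hook prerouting priority dstnat; policy accept;
        # Constructed port forward: external 8080/tcp -> internal host 192.0.2.10:80.
        # A UPnP daemon would insert a comparable rule at runtime.
        tcp dport 8080 dnat ip to 192.0.2.10:80
    }

    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        # Only packets that already matched a dnat rule above carry this status.
        ct status dnat accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # Same check for forwarded traffic: the first packet of a port-forwarded
        # connection is ct state new, but ct status dnat, so it is accepted here.
        ct status dnat accept
    }
}
```

To confirm the behaviour on a test box, load the fragment with `nft -f` and compare `nft list ruleset` before and after removing the `dnat` rule: with no rule in `dstnat`, no connection ever acquires the `dnat` status and the accept rules in `input` and `forward` show zero matches.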
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel