Users commonly create firewall rules that inspect packet content, such as matching an HTTP host. The current implementation offloads a connection immediately after it's established, bypassing user-defined rules. To respect these rules, only offload a connection after certain packets have passed through the slow path.
This change ensures that packet inspection rules are applied correctly before offloading, improving the accuracy and effectiveness of user-defined firewall rules.

Signed-off-by: Qingfang Deng <dqf...@gmail.com>

--- root/usr/share/firewall4/templates/ruleset.uc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/root/usr/share/firewall4/templates/ruleset.uc b/root/usr/share/firewall4/templates/ruleset.uc index 2bec4d9..f588ee5 100644 --- a/root/usr/share/firewall4/templates/ruleset.uc +++ b/root/usr/share/firewall4/templates/ruleset.uc @@ -135,7 +135,7 @@ table inet fw4 { type filter hook forward priority filter; policy {{ fw4.forward_policy(true) }}; {% if (length(flowtable_devices) > 0): %} - meta l4proto { tcp, udp } flow offload @ft; + meta l4proto { tcp, udp } ct packets ge 16 flow offload @ft; {% endif %} {% fw4.includes('chain-prepend', 'forward') %} ct state vmap { established : accept, related : accept{% if (fw4.default_option("drop_invalid")): %}, invalid : drop{% endif %} } comment "!fw4: Handle forwarded flows" -- 2.43.0

_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
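Review bot: the threshold in `+ meta l4proto { tcp, udp } ct packets ge 16 flow offload @ft;` is a magic number with no comment in the template and no way to tune it, while the commit message only says "certain packets". Please state why 16 was chosen and consider exposing it through the `fw4.default_option(...)` mechanism already used two lines below for `drop_invalid`, so administrators whose inspection rules need more or fewer packets before offload can adjust it. The commit message should also mention the behaviour change for short flows: any TCP or UDP connection that never reaches 16 packets now stays on the slow path for its whole lifetime instead of being offloaded.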