[FS#920] Final (default) rule in user defined zones wrong
LEDE Bugs
lede-bugs at lists.infradead.org
Fri Jul 21 00:59:54 PDT 2017
The following task has a new comment added:
FS#920 - Final (default) rule in user defined zones wrong
User who did this - Arjen de Korte (arjendekorte)
----------
I have the following in my configuration:
config zone
	option name 'dmz'
	option network 'dmz'
	option family 'any'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
My expectation was that the last line would cause all traffic in the 'dmz' zone that was not matched in other rules to be rejected. Apparently, I was wrong, because it doesn't. Instead it creates a rule that has a hit count of '0', despite traffic passing over that rule and being rejected by the global DROP instead. I find the behavior prior to the above-mentioned patch much more intuitive, but apparently (after three years have passed and nobody seems to have complained) I'm alone in that. So I have reverted that patch locally, which is just fine by me (I have plenty of local patches, so one additional one is not going to hurt me).
Although I still don't understand how a packet can end up in an iptables FORWARD chain with both input and output interfaces the same, I thank you for your time explaining the reasons why this was changed.
----------
More information can be found at the following URL:
https://bugs.lede-project.org/index.php?do=details&task_id=920#comment3037
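A check for the symptom described in the comment above, as an added example that is not part of the bug report or of the LEDE/OpenWrt firewall code: it parses `iptables -vnL --line-numbers` output (a constructed sample is embedded so it runs offline) and flags user zone forward chains whose final rule never matched although traffic entered the chain, reporting the rule's input/output interface match and how many packets fell through to the FORWARD chain policy. The chain names (`zone_dmz_forward`, `zone_dmz_dest_REJECT`, `forwarding_dmz_rule`), the interface `eth0.3` and all counters are assumptions made for the sample, not values taken from the report; compare against your own router's output.

```python
# Added example, not from the bug report or the LEDE/OpenWrt project.
# Parses `iptables -vnL --line-numbers` output and reports zone forward
# chains whose last (default) rule has a zero hit count while packets did
# enter the chain, i.e. the zone's default policy never fired.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on fw3-style chain names (assumption).
# zone_dmz_forward saw 37 packets, but its final rule (-i eth0.3 -o eth0.3)
# matched none of them; the FORWARD policy counter absorbed all 37.
SAMPLE = """\
Chain FORWARD (policy DROP 37 packets, 2220 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      512 41000 zone_lan_forward  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0
2       37  2220 zone_dmz_forward  all  --  eth0.3 *       0.0.0.0/0            0.0.0.0/0

Chain zone_dmz_forward (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       37  2220 forwarding_dmz_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0
2        0     0 zone_dmz_dest_REJECT  all  --  eth0.3 eth0.3  0.0.0.0/0            0.0.0.0/0
"""


@dataclass
class Rule:
    num: int
    pkts: int
    target: str
    in_if: str
    out_if: str


@dataclass
class Chain:
    name: str
    policy: Optional[str]      # None for user-defined chains
    policy_pkts: int           # packets that fell through to the policy
    rules: List[Rule] = field(default_factory=list)


_SUFFIX = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}
_CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+) (\d+) packets|\d+ references)")


def _count(tok: str) -> int:
    """iptables abbreviates large counters (12K, 3M) unless -x is given."""
    if tok[-1] in _SUFFIX:
        return int(float(tok[:-1]) * _SUFFIX[tok[-1]])
    return int(tok)


def parse_iptables(text: str) -> Dict[str, Chain]:
    """Parse `iptables -vnL --line-numbers` output into chains and rules.
    Assumes every rule line carries a target (true for fw3-generated rules)."""
    chains: Dict[str, Chain] = {}
    cur: Optional[Chain] = None
    for line in text.splitlines():
        m = _CHAIN_RE.match(line)
        if m:
            cur = Chain(m.group(1), m.group(2), int(m.group(3) or 0))
            chains[cur.name] = cur
            continue
        if cur is None or not line.strip() or line.startswith("num"):
            continue
        f = line.split()  # num pkts bytes target prot opt in out src dst
        cur.rules.append(Rule(int(f[0]), _count(f[1]), f[3], f[6], f[7]))
    return chains


def dead_final_rules(chains: Dict[str, Chain]) -> List[Tuple[str, Rule]]:
    """Zone forward chains that received packets (via jumps from FORWARD)
    but whose final rule never matched: the zone default did not apply."""
    found = []
    fwd = chains.get("FORWARD")
    for name, ch in chains.items():
        if not (name.startswith("zone_") and name.endswith("_forward")) or not ch.rules:
            continue
        entered = sum(r.pkts for r in fwd.rules if r.target == name) if fwd else 0
        last = ch.rules[-1]
        if entered > 0 and last.pkts == 0:
            found.append((name, last))
    return found


def report(text: str) -> List[str]:
    chains = parse_iptables(text)
    fwd = chains["FORWARD"]
    lines = []
    for name, last in dead_final_rules(chains):
        lines.append(
            f"{name}: final rule #{last.num} -> {last.target} "
            f"(in={last.in_if} out={last.out_if}) has 0 hits; "
            f"FORWARD policy {fwd.policy} absorbed {fwd.policy_pkts} packets"
        )
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

On a live router replace SAMPLE with the output of `iptables -vnL --line-numbers` (the counters, not the rule text, are what tell you whether the zone default ever fired). A reported rule whose input and output interface are the same is the case the comment describes: such a rule only matches packets routed back out the interface they came in on, so traffic between the zone and other zones falls through to the FORWARD policy instead of the zone's own REJECT.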