[PATCH firewall4] ruleset: unconditionally allow DNAT traffic

Stijn Tintel stijn at linux-ipv6.be
Thu Mar 9 16:33:18 PST 2023


On 10/03/2023 01:49, stijn at linux-ipv6.be wrote:
> We currently only accept DNAT traffic if there is at least one DNAT rule
> configured in UCI. This leads to a problem for people who want to use
> UPnP and do not have any DNAT rules configured. In this case, the UPnP
> daemon sets up the DNAT rules, but the traffic is not allowed in the
> input or forward chain, so the DNAT rules do not work.
>
> Solve this by unconditionally allowing packets with the dnat conntrack
> status. One could argue that this makes firewall4 less secure, but for a
> packet to have the dnat conntrack status, it must have already matched a
> DNAT rule. If there are no DNAT rules, no packets should ever have this
> status.

Please disregard: miniupnpd seems to add a forward rule, so this is no longer needed.
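To make concrete what the withdrawn patch description means by "unconditionally allowing packets with the dnat conntrack status", here is a minimal illustrative nftables ruleset. It is an added example, not firewall4's generated ruleset and not part of the patch; the table and chain names, interface names, the constructed redirect (port 8080 to 192.168.1.10:80) and the assumption that a daemon rather than UCI installed that redirect are all illustrative.

```nft
# Illustrative nftables ruleset (added example, not firewall4's own output).
# Table/chain names, interface names and the redirect below are assumptions.
table inet fw_example {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # A DNAT rule installed by a daemon (for example a UPnP daemon)
        # rather than via UCI. Only packets that match a rule like this
        # ever carry the "dnat" conntrack status.
        iifname "wan" tcp dport 8080 dnat ip to 192.168.1.10:80
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # Accept packets that a DNAT rule has already rewritten, whether or
        # not any DNAT rule was configured in UCI. Without this line the
        # daemon-installed redirect above is translated in prerouting but
        # then dropped here by the default policy.
        ct status dnat accept
        iifname "lan" oifname "wan" accept
    }
}
```

Load it with `nft -f <file>` and inspect with `nft list ruleset`. The security property the description relies on is visible in the ruleset itself: `ct status dnat` is only set by conntrack after a packet has matched a `dnat` rule in the nat prerouting hook, so with no such rule present the forward-chain line never matches anything and the default drop policy still applies.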



More information about the openwrt-devel mailing list