[PATCH] firewall4: ruleset: also evaluate the custom includes for the loopback interface

Florian Eckert fe at dev.tdt.de
Thu Sep 7 00:04:06 PDT 2023


Before this change, the user-defined include rules in the output and input
chain were not evaluated for the loopback interface. Traffic related to
the loopback interface was always accepted.

To ensure that the custom rules also apply to the loopback interface,
this commit moves the custom rule for the input and output chain before
the accept rule of the loopback interface.

User defined rules for the input and output chain are now always
evaluated for the entire traffic.

Signed-off-by: Florian Eckert <fe at dev.tdt.de>
---
 root/usr/share/firewall4/templates/ruleset.uc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/root/usr/share/firewall4/templates/ruleset.uc b/root/usr/share/firewall4/templates/ruleset.uc
index 7bd9309..639795e 100644
--- a/root/usr/share/firewall4/templates/ruleset.uc
+++ b/root/usr/share/firewall4/templates/ruleset.uc
@@ -97,9 +97,9 @@ table inet fw4 {
 	chain input {
 		type filter hook input priority filter; policy {{ fw4.input_policy(true) }};
 
+{% fw4.includes('chain-prepend', 'input') %}
 		iifname "lo" accept comment "!fw4: Accept traffic from loopback"
 
-{% fw4.includes('chain-prepend', 'input') %}
 		ct state established,related accept comment "!fw4: Allow inbound established and related flows"
 {% if (fw4.default_option("drop_invalid")): %}
 		ct state invalid drop comment "!fw4: Drop flows with invalid conntrack state"
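Review bot: moving the 'chain-prepend' include above the `iifname "lo" accept` rule is a behaviour change for existing users: a broad drop or reject rule in a user include that previously never saw loopback traffic will now also match local inter-process traffic (DNS forwarder, web UI, ubus clients), so the commit message should state explicitly that includes must now match on `iifname "lo"` themselves if they want to keep the old exemption, and any documentation describing where 'chain-prepend' includes land in the input chain should be updated to reflect the new position.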
@@ -145,9 +145,9 @@ table inet fw4 {
 	chain output {
 		type filter hook output priority filter; policy {{ fw4.output_policy(true) }};
 
+{% fw4.includes('chain-prepend', 'output') %}
 		oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
 
-{% fw4.includes('chain-prepend', 'output') %}
 		ct state established,related accept comment "!fw4: Allow outbound established and related flows"
 {% if (fw4.default_option("drop_invalid")): %}
 		ct state invalid drop comment "!fw4: Drop flows with invalid conntrack state"
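Review bot: same caveat as for the input chain applies here: an output include with a catch-all drop will now also block locally originated traffic towards `oifname "lo"`, which can silently break daemons that talk to each other over loopback; it would help to mention the `oifname "lo"` exemption that include authors now have to add themselves, and to keep the two hunks symmetric in the accompanying documentation so the input and output include positions are described the same way.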
-- 
2.30.2