firewall: fix forwarding local subnet traffic

Packets which are merely forwarded by the router and which are neither
involved in any DNAT/SNAT nor originate locally, are considered INVALID
from a conntrack point of view, causing them to get dropped in the
zone_*_dest_ACCEPT chains, since those only allow stream with state NEW
or UNTRACKED.

Remove the ctstate restriction on dest accept chains to properly pass-
through unrelated 3rd party traffic.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
This commit is contained in:
Jo-Philipp Wich 2017-01-13 18:31:08 +01:00
parent 9641ceea0c
commit 920170a27f

View file

@ -13,9 +13,9 @@ PKG_RELEASE:=1
PKG_SOURCE_PROTO:=git
PKG_SOURCE_URL=$(LEDE_GIT)/project/firewall3.git
PKG_SOURCE_DATE:=2016-11-29
PKG_SOURCE_VERSION:=13698aafb52c45817ee7815da3405e620657c8d0
PKG_MIRROR_HASH:=6ba6e96a588dd3afd7e9db7e9246c5cc6c560aa95385592960c6b71b5a9c6395
PKG_SOURCE_DATE:=2017-01-13
PKG_SOURCE_VERSION:=37cb4cb437fd685f31926a4c326ba8afe329e4a6
PKG_MIRROR_HASH:=7ee075f05977e5d9a78e661b537e6eb077c8f328ff2e71d1e2fbef44cca97355
PKG_MAINTAINER:=Jo-Philipp Wich <jo@mein.io>
PKG_LICENSE:=ISC