From 83c9ac173d105243ffe346165d17f5109f9d4fa7 Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich <jow@openwrt.org>
Date: Fri, 16 Jan 2009 18:09:19 +0000
Subject: [PATCH] firewall: introduce drop_invalid option to allow disabling
 the invalid state match

SVN-Revision: 14061
---
 package/firewall/files/uci_firewall.sh | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/package/firewall/files/uci_firewall.sh b/package/firewall/files/uci_firewall.sh
index fd108993c8..f38bd6b9ae 100755
--- a/package/firewall/files/uci_firewall.sh
+++ b/package/firewall/files/uci_firewall.sh
@@ -159,16 +159,19 @@ fw_defaults() {
 	$IPTABLES -t mangle -X
 	$IPTABLES -t nat -X
 	$IPTABLES -X
-	
-	$IPTABLES -A INPUT -m state --state INVALID -j DROP
+
+	config_get_bool drop_invalid $1 drop_invalid 1
+
+	[ "$drop_invalid" -gt 0 ] && {
+		$IPTABLES -A INPUT -m state --state INVALID -j DROP
+		$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
+		$IPTABLES -A FORWARD -m state --state INVALID -j DROP
+	}
+
 	$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-		
-	$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
 	$IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-	
-	$IPTABLES -A FORWARD -m state --state INVALID -j DROP
 	$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-	
+
 	$IPTABLES -A INPUT -i lo -j ACCEPT
 	$IPTABLES -A OUTPUT -o lo -j ACCEPT
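Review bot: The new `drop_invalid` block carries no comment on what turning the option off gives up: with `drop_invalid=0`, packets that conntrack classifies INVALID are no longer dropped in INPUT, OUTPUT or FORWARD and fall through to the RELATED,ESTABLISHED accepts and then to whatever follows in the chain, so a reader adjusting the option in the config cannot see the consequence from the code. Suggest a comment above the `config_get_bool` line, e.g. `# drop_invalid (default 1): drop conntrack-INVALID packets in all three chains before any accept rule; disabling this weakens stateful filtering`. Minor style point: the section name should be quoted as `config_get_bool drop_invalid "$1" drop_invalid 1`, matching how the other expansions in the hunk are quoted. The enclosing `fw_defaults()` starts before the hunk and its remaining rules continue past it.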
 
-- 
GitLab