fix potential rootfs owner/group mismatch (tgz root only, patch from #4562)

[openwrt.git] / package / firewall / files / uci_firewall.sh

diff --git a/package/firewall/files/uci_firewall.sh b/package/firewall/files/uci_firewall.sh
index fd10899..f6fa82b 100755 (executable)
--- a/package/firewall/files/uci_firewall.sh
+++ b/package/firewall/files/uci_firewall.sh
@@ -154,21 +154,22 @@ fw_defaults() {
        $IPTABLES -P FORWARD DROP
 
        $IPTABLES -F
-       $IPTABLES -t mangle -F
        $IPTABLES -t nat -F
-       $IPTABLES -t mangle -X
        $IPTABLES -t nat -X
        $IPTABLES -X
-       
-       $IPTABLES -A INPUT -m state --state INVALID -j DROP
+
+       config_get_bool drop_invalid $1 drop_invalid 1
+
+       [ "$drop_invalid" -gt 0 ] && {
+               $IPTABLES -A INPUT -m state --state INVALID -j DROP
+               $IPTABLES -A OUTPUT -m state --state INVALID -j DROP
+               $IPTABLES -A FORWARD -m state --state INVALID -j DROP
+       }
+
        $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-               
-       $IPTABLES -A OUTPUT -m state --state INVALID -j DROP
        $IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-       
-       $IPTABLES -A FORWARD -m state --state INVALID -j DROP
        $IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-       
+
        $IPTABLES -A INPUT -i lo -j ACCEPT
        $IPTABLES -A OUTPUT -o lo -j ACCEPT
 
@@ -416,9 +417,7 @@ fw_init() {
 
 fw_stop() {
        $IPTABLES -F
-       $IPTABLES -t mangle -F
        $IPTABLES -t nat -F
-       $IPTABLES -t mangle -X
        $IPTABLES -t nat -X
        $IPTABLES -X
        $IPTABLES -P INPUT ACCEPT