X-Git-Url: https://git.rohieb.name/openwrt.git/blobdiff_plain/312627976edac54eaa668cd0f9c1130c605c7818..3a5c4c82ffa0efb67cb43225003dc61773bfb3f5:/package/firewall/files/uci_firewall.sh?ds=inline
diff --git a/package/firewall/files/uci_firewall.sh b/package/firewall/files/uci_firewall.sh
index fd108993c..c19700359 100755
--- a/package/firewall/files/uci_firewall.sh
+++ b/package/firewall/files/uci_firewall.sh
@@ -154,21 +154,22 @@ fw_defaults() {
 	$IPTABLES -P FORWARD DROP
 	$IPTABLES -F
-	$IPTABLES -t mangle -F
 	$IPTABLES -t nat -F
-	$IPTABLES -t mangle -X
 	$IPTABLES -t nat -X
 	$IPTABLES -X
-
-	$IPTABLES -A INPUT -m state --state INVALID -j DROP
+
+	config_get_bool drop_invalid $1 drop_invalid 1
+
+	[ "$drop_invalid" -gt 0 ] && {
+		$IPTABLES -A INPUT -m state --state INVALID -j DROP
+		$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
+		$IPTABLES -A FORWARD -m state --state INVALID -j DROP
+	}
+
 	$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-
-	$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
 	$IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-
-	$IPTABLES -A FORWARD -m state --state INVALID -j DROP
 	$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-
+
 	$IPTABLES -A INPUT -i lo -j ACCEPT
 	$IPTABLES -A OUTPUT -o lo -j ACCEPT
@@ -400,12 +401,12 @@ fw_init() {
 	config_foreach fw_defaults defaults
 	echo "Loading zones"
 	config_foreach fw_zone zone
-	echo "Loading rules"
-	config_foreach fw_rule rule
 	echo "Loading forwarding"
 	config_foreach fw_forwarding forwarding
 	echo "Loading redirects"
 	config_foreach fw_redirect redirect
+	echo "Loading rules"
+	config_foreach fw_rule rule
 	echo "Loading includes"
 	config_foreach fw_include include
 	uci_set_state firewall core loaded 1
@@ -416,9 +417,7 @@ fw_init() {
 fw_stop() {
 	$IPTABLES -F
-	$IPTABLES -t mangle -F
 	$IPTABLES -t nat -F
-	$IPTABLES -t mangle -X
 	$IPTABLES -t nat -X
 	$IPTABLES -X
 	$IPTABLES -P INPUT ACCEPT
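Review bot: The new `drop_invalid` option is added without a comment saying what disabling it means: with the option set to 0 all three INVALID-state DROP rules are skipped, so conntrack-INVALID packets fall through to the RELATED,ESTABLISHED accepts and then to whatever zone and forwarding rules are appended later, instead of being discarded at the top of each chain. A comment above the `config_get_bool` line such as `# drop_invalid (default 1): drop conntrack INVALID packets in INPUT/OUTPUT/FORWARD before any zone rule sees them; 0 leaves them to the later rules and the chain policies` would make that trade-off visible to anyone editing the firewall config. The section argument in `config_get_bool drop_invalid $1 drop_invalid 1` should be quoted as `"$1"` for consistency with the quoted test on the following line, even though config_foreach is presumably passing a plain section id. fw_defaults begins before this hunk.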
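Review bot: Moving `config_foreach fw_rule rule` behind the forwarding and redirect passes changes the precedence of user rules, and nothing in the hunk records why. If fw_rule appends with `-A` (its body is outside this diff), a rule with a DROP or REJECT target now lands after the zone forwarding ACCEPTs and the redirect entries loaded before it and can be shadowed by them, so the new order should be checked against how fw_rule and fw_forwarding actually insert their entries. A one-line comment before the moved `echo "Loading rules"` such as `# rules are loaded after forwarding and redirect sections on purpose; keep this order in sync with where fw_rule inserts its entries` would document the intent. fw_init continues outside this hunk on both sides.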