@@ -97,9 +97,9 @@ table inet fw4 {
chain input {
type filter hook input priority filter; policy {{ fw4.input_policy(true) }};
+{% fw4.includes('chain-prepend', 'input') %}
iifname "lo" accept comment "!fw4: Accept traffic from loopback"
-{% fw4.includes('chain-prepend', 'input') %}
ct state established,related accept comment "!fw4: Allow inbound established and related flows"
{% if (fw4.default_option("drop_invalid")): %}
ct state invalid drop comment "!fw4: Drop flows with invalid conntrack state"
@@ -145,9 +145,9 @@ table inet fw4 {
chain output {
type filter hook output priority filter; policy {{ fw4.output_policy(true) }};
+{% fw4.includes('chain-prepend', 'output') %}
oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
-{% fw4.includes('chain-prepend', 'output') %}
ct state established,related accept comment "!fw4: Allow outbound established and related flows"
{% if (fw4.default_option("drop_invalid")): %}
ct state invalid drop comment "!fw4: Drop flows with invalid conntrack state"
Before this change, the user defined include rules in the output and input chain were not evaluated for the leepback interface. Traffic related to the loopback interface was always accepted. To ensure that the custom rules also apply to the loopback interface, this commit moves the custom rule for the input and output chain before the accept rule of the loopback interface. User defined rules for the input and output chain are now always evaluated for the entire traffic. Signed-off-by: Florian Eckert <fe@dev.tdt.de> --- root/usr/share/firewall4/templates/ruleset.uc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)