projects / project / firewall4.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
ruleset: do not emit redundant drop invalid rules
[project/firewall4.git] / root / usr / share / firewall4 / templates / ruleset.uc
diff --git a/root/usr/share/firewall4/templates/ruleset.uc b/root/usr/share/firewall4/templates/ruleset.uc
index 4210d64461f2861b6972b609a6e575111c26753f..bcfd0d5395d84b32f4182c65201e241b6d79d1ec 100644 (file)
--- a/root/usr/share/firewall4/templates/ruleset.uc
+++ b/root/usr/share/firewall4/templates/ruleset.uc
@@ -276,7 +276,7 @@ table inet fw4 {
 {%   if (zone.dflags[verdict]): %}
        chain {{ verdict }}_to_{{ zone.name }} {
 {%   for (let rule in zone.match_rules): %}
-{%     if (verdict == "accept" && (zone.masq || zone.masq6) && !zone.masq_allow_invalid): %}
+{%     if (!fw4.default_option("drop_invalid") && verdict == "accept" && (zone.masq || zone.masq6) && !zone.masq_allow_invalid): %}
                {%+ include("zone-drop-invalid.uc", { fw4, zone, rule }) %}
 {%     endif %}
                {%+ include("zone-verdict.uc", { fw4, zone, rule, egress: true, verdict }) %}
OpenWrt nftables firewall