fw4.uc: do not skip defaults with invalid option

Skipping a defaults section because it contains invalid options can be a
security risk. If the user configures a default policy to DROP or
REJECT, this should always be applied. The user is warned about the
invalid option anyway.

This makes firewall4 behave like firewall3 with regards to defaults.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>

diff --git a/root/usr/share/ucode/fw4.uc b/root/usr/share/ucode/fw4.uc
index 476982755b27d8e3a1740168b06596e41d3a3032..8057fac628581dec64010f9898d56c4f6273e981 100644 (file)
--- a/root/usr/share/ucode/fw4.uc
+++ b/root/usr/share/ucode/fw4.uc
@@ -1642,11 +1642,6 @@ return {
                        flow_offloading_hw: [ "bool", "0" ]
                });
 
-               if (defs === false) {
-                       this.warn_section(data, "skipped due to invalid options");
-                       return;
-               }
-
                if (defs.synflood_protect === null)
                        defs.synflood_protect = defs.syn_flood;