From: Jo-Philipp Wich
Date: Fri, 16 Jan 2009 18:11:27 +0000 (+0000)
Subject: merge r14061 to 8.09
X-Git-Url: http://git.cdn.openwrt.org/?a=commitdiff_plain;h=3112b67eb1689cfbc944d4b86a0570e755c1727a;p=openwrt%2Fsvn-archive%2Farchive.git
merge r14061 to 8.09
SVN-Revision: 14062
---
diff --git a/package/firewall/files/uci_firewall.sh b/package/firewall/files/uci_firewall.sh
index fd108993c8..f38bd6b9ae 100755
--- a/package/firewall/files/uci_firewall.sh
+++ b/package/firewall/files/uci_firewall.sh
@@ -159,16 +159,19 @@ fw_defaults() {
 $IPTABLES -t mangle -X
 $IPTABLES -t nat -X
 $IPTABLES -X
-
- $IPTABLES -A INPUT -m state --state INVALID -j DROP
+
+ config_get_bool drop_invalid $1 drop_invalid 1
+
+ [ "$drop_invalid" -gt 0 ] && {
+ $IPTABLES -A INPUT -m state --state INVALID -j DROP
+ $IPTABLES -A OUTPUT -m state --state INVALID -j DROP
+ $IPTABLES -A FORWARD -m state --state INVALID -j DROP
+ }
+
 $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-
- $IPTABLES -A OUTPUT -m state --state INVALID -j DROP
 $IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-
- $IPTABLES -A FORWARD -m state --state INVALID -j DROP
 $IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-
+
 $IPTABLES -A INPUT -i lo -j ACCEPT
 $IPTABLES -A OUTPUT -o lo -j ACCEPT
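Review bot: The new guard `[ "$drop_invalid" -gt 0 ] && {` fails open: if `drop_invalid` is ever empty or non-numeric, the numeric test errors out and the three INVALID drop rules are silently not installed. `config_get_bool` is defined outside this hunk and presumably normalises the value to 0/1, but inverting the test to `[ "$drop_invalid" = 0 ] || {` would make an explicit opt-out the only way to lose the rules. The option is also undocumented at the point of use; a comment above the `config_get_bool` line such as `# drop_invalid=0: conntrack-INVALID packets are no longer dropped here and continue to the later rules` would tell an operator what disabling it costs. `fw_defaults` starts and ends outside the hunk.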