From e7e7e57dc16c9d705cab4091844530b588f3e3c3 Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Wed, 23 Oct 2024 20:19:25 +0200
Subject: [PATCH] Firewall: Settings: Advanced / syncookies - make stateless loopback rule conditional as a temporary solution and add a clear note about the state requirement. closes https://github.com/opnsense/core/issues/8008
---
 src/etc/inc/filter.lib.inc | 7 ++++++-
 src/www/system_advanced_firewall.php | 4 ++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/etc/inc/filter.lib.inc b/src/etc/inc/filter.lib.inc
index 13f016319..da3b3ac70 100644
--- a/src/etc/inc/filter.lib.inc
+++ b/src/etc/inc/filter.lib.inc
@@ -524,7 +524,12 @@ function filter_core_rules_system($fw, $defaults)
         }
     }
     // loopback. dont log internal communications
-    $fw->registerFilterRule(5, array('interface' => 'lo0', 'log' => false, 'descr' => 'pass loopback', 'statetype' => 'none'), $defaults['pass']);
+    if (!empty($config['system']['syncookies'])) {
+        /* temporary work-around, syncookies require states to avoid dropping traffic */
+        $fw->registerFilterRule(5, array('interface' => 'lo0', 'log' => false, 'descr' => 'pass loopback'), $defaults['pass']);
+    } else {
+        $fw->registerFilterRule(5, array('interface' => 'lo0', 'log' => false, 'descr' => 'pass loopback', 'statetype' => 'none'), $defaults['pass']);
+    }
     // out from this Firewall
     $fw->registerFilterRule(
         5,
diff --git a/src/www/system_advanced_firewall.php b/src/www/system_advanced_firewall.php
index 8f49f01cb..8339debf8 100644
--- a/src/www/system_advanced_firewall.php
+++ b/src/www/system_advanced_firewall.php
@@ -786,6 +786,10 @@ include("head.inc");
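Review bot: The new `if (!empty($config['system']['syncookies']))` branch depends on `$config` being in scope inside `filter_core_rules_system()`, and nothing in the hunk shows a `global $config;` declaration; the function's opening lies outside the hunk, so this may already be there, but if it is not, `empty()` masks the undefined variable and the rule silently stays stateless even with syncookies enabled, which is exactly the traffic drop the work-around is meant to avoid. Confirm the declaration exists or add `global $config;` at the top of the function. As a point of style, the two `registerFilterRule` calls differ only in the `statetype` key, so the rule array could be built once and `statetype` attached only in the non-syncookies case; that also keeps the `/* temporary work-around ... */` comment next to the single line it explains.
```php
    // loopback. dont log internal communications
    $lo_rule = array('interface' => 'lo0', 'log' => false, 'descr' => 'pass loopback');
    if (empty($config['system']['syncookies'])) {
        /* temporary work-around, syncookies require states to avoid dropping traffic */
        $lo_rule['statetype'] = 'none';
    }
    $fw->registerFilterRule(5, $lo_rule, $defaults['pass']);
    // … unchanged: "out from this Firewall" rule …
```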