From 31c7550efcb8d1f6014202a257fc1b9e3ab5fc9e Mon Sep 17 00:00:00 2001
From: Stijn Tintel
Date: Thu, 25 Nov 2021 05:41:16 +0200
Subject: [PATCH] fw4.uc: do not skip defaults with invalid option

Skipping a defaults section because it contains invalid options can be a security risk. If the user configures a default policy to DROP or REJECT, this should always be applied. The user is warned about the invalid option anyway. This makes firewall4 behave like firewall3 with regards to defaults.

Signed-off-by: Stijn Tintel
Reviewed-by: Jo-Philipp Wich
---
 root/usr/share/ucode/fw4.uc | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/root/usr/share/ucode/fw4.uc b/root/usr/share/ucode/fw4.uc
index 4769827..8057fac 100644
--- a/root/usr/share/ucode/fw4.uc
+++ b/root/usr/share/ucode/fw4.uc
@@ -1642,11 +1642,6 @@ return {
 flow_offloading_hw: [ "bool", "0" ]
 });

- if (defs === false) {
- this.warn_section(data, "skipped due to invalid options");
- return;
- }
-
 if (defs.synflood_protect === null)
 defs.synflood_protect = defs.syn_flood;

-- 
2.30.2
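Review bot: The surviving `if (defs.synflood_protect === null)` now runs on whatever the options parser returned, and the removed guard shows that value could be `false`. If that return path still exists for a defaults section, the configured DROP/REJECT policy would again not be applied as the commit intends, because the property access would operate on a boolean instead of the parsed options. The parser and the rest of this function lie outside the hunk, so this is inferred; confirm that an invalid option now yields a warning plus the parsed object rather than `false`. A comment at this spot would record the intent, e.g. `// defaults are applied even if an option was invalid, so a configured DROP/REJECT policy is never silently lost`. A regression test with one invalid option alongside a restrictive policy would pin it.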