ruleset: do not emit redundant drop invalid rules

The wan interface drop rule unnecessarily persists when invalid state
is dropped globally and the rule cannot catch anything at all, so remove
it as the effect is achieved by default and to global extent.

Fixes: 119ee1a ("ruleset: drop ctstate invalid traffic for masq-enabled zones")
Signed-off-by: Andris PE <[email protected]>
[fix S-o-b tag, fix commit author, reword commit subject and message]
Signed-off-by: Jo-Philipp Wich <[email protected]>

diff --git a/root/usr/share/firewall4/templates/ruleset.uc b/root/usr/share/firewall4/templates/ruleset.uc
index 4210d64461f2861b6972b609a6e575111c26753f..bcfd0d5395d84b32f4182c65201e241b6d79d1ec 100644 (file)
--- a/root/usr/share/firewall4/templates/ruleset.uc
+++ b/root/usr/share/firewall4/templates/ruleset.uc
@@ -276,7 +276,7 @@ table inet fw4 {
 {%   if (zone.dflags[verdict]): %}
        chain {{ verdict }}_to_{{ zone.name }} {
 {%   for (let rule in zone.match_rules): %}
-{%     if (verdict == "accept" && (zone.masq || zone.masq6) && !zone.masq_allow_invalid): %}
+{%     if (!fw4.default_option("drop_invalid") && verdict == "accept" && (zone.masq || zone.masq6) && !zone.masq_allow_invalid): %}
                {%+ include("zone-drop-invalid.uc", { fw4, zone, rule }) %}
 {%     endif %}
                {%+ include("zone-verdict.uc", { fw4, zone, rule, egress: true, verdict }) %}