[PATCH firewall4] ruleset: unconditionally allow DNAT traffic

stijn at linux-ipv6.be
Thu Mar 9 15:49:06 PST 2023


We currently only accept DNAT traffic if there is at least one DNAT rule
configured in UCI. This leads to a problem for people who want to use
UPnP but do not have any DNAT rules configured. In this case, the UPnP
daemon sets up the DNAT rules, but the traffic is not allowed in the
input or forward chain, so the DNAT rules do not work.

Solve this by unconditionally allowing packets with the dnat conntrack
status. One could argue that this makes firewall4 less secure, but for a
packet to have the dnat conntrack status, it must have already matched a
DNAT rule. If there are no DNAT rules, no packets should ever have this
status.

Signed-off-by: Stijn Tintel <stijn at linux-ipv6.be>
---
 root/usr/share/firewall4/templates/ruleset.uc | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/root/usr/share/firewall4/templates/ruleset.uc b/root/usr/share/firewall4/templates/ruleset.uc
index 9537ba2..f57836e 100644
--- a/root/usr/share/firewall4/templates/ruleset.uc
+++ b/root/usr/share/firewall4/templates/ruleset.uc
@@ -217,9 +217,7 @@ table inet fw4 {
 {%  for (let rule in fw4.rules(`input_${zone.name}`)): %}
 		{%+ include("rule.uc", { fw4, rule }) %}
 {%  endfor %}
-{%  if (zone.dflags.dnat): %}
 		ct status dnat accept comment "!fw4: Accept port redirections"
-{%  endif %}
 {%  fw4.includes('chain-append', `input_${zone.name}`) %}
 		jump {{ zone.input }}_from_{{ zone.name }}
 	}
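Review bot: with the `zone.dflags.dnat` guard removed, `ct status dnat accept` is now emitted in every zone's input chain, so traffic addressed to the router itself is accepted for any DNAT entry present in the kernel, including entries installed outside UCI (the UPnP daemon case this targets, but equally any other process that adds a dstnat rule). The rationale in the commit message holds (dnat conntrack status requires a prior DNAT match), but the trust boundary moves from "redirects declared in UCI" to "whatever populated the dstnat chain"; consider stating that in the commit message, and perhaps in the rule comment `"!fw4: Accept port redirections"`, so operators know the accept is no longer tied to configured redirects.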
@@ -238,9 +236,7 @@ table inet fw4 {
 {%  for (let rule in fw4.rules(`forward_${zone.name}`)): %}
 		{%+ include("rule.uc", { fw4, rule }) %}
 {%  endfor %}
-{%  if (zone.dflags.dnat): %}
 		ct status dnat accept comment "!fw4: Accept port forwards"
-{%  endif %}
 {%  fw4.includes('chain-append', `forward_${zone.name}`) %}
 		jump {{ zone.forward }}_to_{{ zone.name }}
 {%  if (fw4.forward_policy() != "accept" && (zone.log & 1)): %}
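Review bot: the now-unconditional `ct status dnat accept` sits ahead of `jump {{ zone.forward }}_to_{{ zone.name }}` and of the log rule guarded by `fw4.forward_policy() != "accept" && (zone.log & 1)`, so forwarded DNAT flows are accepted before the zone forward policy and the per-zone logging are reached. That was already the case for zones with configured redirects, but it now applies to every zone, including ones whose DNAT entries come from an external daemon; a sentence in the commit message noting that such flows bypass forward logging would help anyone auditing log output later.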
-- 
2.39.2