Opened 4 years ago
Closed 4 years ago
#773 closed (fixed)
Incorrect generation of firewall rules when adding bridges
| Reported by: | cchrism | Owned by: | somebody |
|---|---|---|---|
| Keywords: | | Cc: | |
Description
I tested on the TNG builds (10/29 build), but after looking on the source it seems that this can occur on all builds.
The problem lies in /src/router/services/networking/firewall.c: in the nat_table function, the NVRAM variable wk_mode is compared with static or router; otherwise the filter_input, filter_output and filter_forward functions are called. The first bug (if I'm correct) is that wk_mode should be compared to static or gateway (instead of router).
Then the real problem lies in the filter_output function: at the end of the function add_bridges ("OUTPUT", 0) is called, which in the end generates a rule like -A OUTPUT -i br1 -j ACCEPT. This breaks iptables-restore and no rules are installed, basically leaving a plain router without any firewall, either inbound or outbound.
I marked priority as major due to security implications.
Change History (1)
comment:1 Changed 4 years ago by BrainSlayer
- Resolution set to fixed
- Status changed from new to closed

Wrong. This rule applies only if the firewall is disabled, and "gateway" is the only mode which is based on NAT.
The line you mentioned checks if it's off, router or static and simply blocks some critical services if remote management is not enabled. For sure ospf, olsrd etc. must be included here too, but that's all.
About filter_output:
I corrected it now to use -o if the OUTPUT chain is used.
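The defect described in the ticket and the fix in the closing comment come down to one rule: a rule in the OUTPUT chain may match only the outgoing interface (-o), so emitting -i there makes iptables-restore reject the whole ruleset and nothing is loaded. The following is an added illustration, not the dd-wrt firewall.c code: a small add_bridges-style generator that picks the flag by chain, plus a check modelled on what iptables-restore refuses, so a bad rule aborts generation instead of silently producing an unfiltered router. The chain names, bridge names and the function names used here are illustrative assumptions.

```c
/* Added example (not dd-wrt's firewall.c): choose the interface match
 * flag by chain so generated iptables rules load under iptables-restore.
 * Chain and bridge names below are illustrative. */
#include <stdio.h>
#include <string.h>

/* OUTPUT rules match the outgoing interface (-o); INPUT and FORWARD
 * rules match the incoming interface (-i). */
static const char *iface_flag(const char *chain)
{
    return strcmp(chain, "OUTPUT") == 0 ? "-o" : "-i";
}

/* Write "-A <chain> <flag> <bridge> -j ACCEPT" into buf.
 * Returns the rule length, or -1 if buf is too small. */
int bridge_accept_rule(const char *chain, const char *bridge,
                       char *buf, size_t n)
{
    int len = snprintf(buf, n, "-A %s %s %s -j ACCEPT",
                       chain, iface_flag(chain), bridge);
    if (len < 0 || (size_t)len >= n)
        return -1;
    return len;
}

/* Mimic the constraint iptables-restore enforces: -i is invalid in
 * OUTPUT and -o is invalid in INPUT. Returns 1 if the rule would load. */
int rule_loads(const char *rule)
{
    int in_output = strncmp(rule, "-A OUTPUT ", 10) == 0;
    int in_input  = strncmp(rule, "-A INPUT ", 9) == 0;
    if (in_output && strstr(rule, " -i "))
        return 0;
    if (in_input && strstr(rule, " -o "))
        return 0;
    return 1;
}

/* Emulate add_bridges: one ACCEPT rule per bridge in the given chain.
 * Returns the number of rules written, or -1 on the first rule that
 * would be rejected, so a broken ruleset is never handed to restore. */
int add_bridges(const char *chain, const char *const *bridges,
                int count, FILE *out)
{
    char rule[128];
    for (int i = 0; i < count; i++) {
        if (bridge_accept_rule(chain, bridges[i], rule, sizeof rule) < 0
            || !rule_loads(rule))
            return -1;
        fprintf(out, "%s\n", rule);
    }
    return count;
}

int main(void)
{
    /* constructed bridge list for the demonstration */
    const char *bridges[] = { "br0", "br1" };
    add_bridges("INPUT", bridges, 2, stdout);
    add_bridges("OUTPUT", bridges, 2, stdout);
    return 0;
}
```

Running the block prints -i rules for INPUT and -o rules for OUTPUT; the rule_loads check is the kind of guard worth keeping in the generator, since the failure mode in the ticket is fail-open: one malformed line and the device ends up with no firewall at all.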