From 72ecee553e191ae2cbad8b7d0c0809c4fd5bcb5c Mon Sep 17 00:00:00 2001
From: "David E. Myers" <dem@myersnet.net>
Date: Fri, 14 Feb 2020 08:54:07 -0500
Subject: [PATCH] Change ACCEPT to RETURN

---
 roles/common/templates/rules.v4.j2 | 2 +-
 roles/common/templates/rules.v6.j2 | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/roles/common/templates/rules.v4.j2 b/roles/common/templates/rules.v4.j2
index 022afdf..a4209f7 100644
--- a/roles/common/templates/rules.v4.j2
+++ b/roles/common/templates/rules.v4.j2
@@ -32,7 +32,7 @@ COMMIT
 {% if wireguard_enabled and wireguard_port|int == wireguard_port_avoid|int %}
 # Handle the special case of allowing access to WireGuard over an already used
 # port like 53
--A PREROUTING -s {{ subnets|join(',') }} -p udp --dport {{ wireguard_port_avoid }} -j ACCEPT
+-A PREROUTING -s {{ subnets|join(',') }} -p udp --dport {{ wireguard_port_avoid }} -j RETURN
 -A PREROUTING --in-interface {{ ansible_default_ipv4['interface'] }} -p udp --dport {{ wireguard_port_avoid }} -j REDIRECT --to-port {{ wireguard_port_actual }}
 {% endif %}
 # Allow traffic from the VPN network to the outside world, and replies
diff --git a/roles/common/templates/rules.v6.j2 b/roles/common/templates/rules.v6.j2
index 6968acf..3753d60 100644
--- a/roles/common/templates/rules.v6.j2
+++ b/roles/common/templates/rules.v6.j2
@@ -31,7 +31,7 @@ COMMIT
 {% if wireguard_enabled and wireguard_port|int == wireguard_port_avoid|int %}
 # Handle the special case of allowing access to WireGuard over an already used
 # port like 53
--A PREROUTING -s {{ subnets|join(',') }} -p udp --dport {{ wireguard_port_avoid }} -j ACCEPT
+-A PREROUTING -s {{ subnets|join(',') }} -p udp --dport {{ wireguard_port_avoid }} -j RETURN
 -A PREROUTING --in-interface {{ ansible_default_ipv6['interface'] }} -p udp --dport {{ wireguard_port_avoid }} -j REDIRECT --to-port {{ wireguard_port_actual }}
 {% endif %}
 # Allow traffic from the VPN network to the outside world, and replies