firewall4/tests/03_rules/02_enabled, branch masterOpenWrt nftables firewallhttps://git-03.infra.openwrt.org/project/firewall4/atom?h=master2023-11-03T13:11:06Zruleset: reduce ksoftirqd load by refering to looopback by numeric id2023-11-03T13:11:06ZAndris PE2023-09-19T15:23:59Zurn:sha1:a5553dae70439c7e4fa910490fcf12a1ffff5bd2
Reduce ksoftirq load by half using more efficient reference to loopback
which always has index equal to one.
Should help a lot with openwrt/openwrt#12914, openwrt/openwrt#12121 and
similar iperf3 cases clamping against 100% CPU usage.
Signed-off-by: Andris PE <neandris@gmail.com>
[fix S-o-b tag, fix commit author, rewrap commit message]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
ruleset: dispatch ct states using verdict map2023-11-03T13:09:43ZAndris PE2023-09-07T19:04:35Zurn:sha1:19a8caf614ec338513e58535ea02c6ee52988170
In case the dropping of invalid conntrack states is enabled, using a verdict
map allows us to use only one rule instead of two, lowering the initial rule
match overhead.
Signed-off-by: Andris PE <neandris@gmail.com>
[whitespace cleanup, rebase, extend commit subject and message]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Revert "ruleset: dispatch ct states using verdict map"2023-11-03T13:09:16ZJo-Philipp Wich2023-11-03T13:09:12Zurn:sha1:22c53921c11115e5437385719b6e73800a68cd33
This reverts commit 785798c8fd72ff3c4c8940922173290bb25bc18e.
Revert commit due to bad commit metadata.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
ruleset: dispatch ct states using verdict map2023-11-03T13:04:39ZUser User-User2023-09-07T19:04:35Zurn:sha1:785798c8fd72ff3c4c8940922173290bb25bc18e
In case the dropping of invalid conntrack states is enabled, using a verdict
map allows us to use only one rule instead of two, lowering the initial rule
match overhead.
Signed-off-by: Andris PE <neandris@gmail.com>
[whitespace cleanup, rebase, extend commit subject and message]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
ruleset: reorder declarations & output tweaks2022-06-14T14:27:26ZJo-Philipp Wich2022-06-14T14:23:50Zurn:sha1:11410b80eb9c442c4850cfc3034267f3f72a196c
- Omit "Set definitions" header if no sets are declared
- Always emit ${zone}_devices and ${zone}_subnets defines, even if empty
- Move CT helper definitions to the top
- Move ${zone}_helper chain definitions after ${zone}_forward chain defs
- Consistently use two line spacing for output sections
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
ruleset: fix conntrack helpers2022-06-14T14:26:07ZStijn Tintel2022-06-13T15:00:26Zurn:sha1:a063317d96c6c85e4c909eab017ef2813f93ff05
In nftables, helper assignments need to be performed after the conntrack
lookup has completed. Using the raw priority results in the assignment
being done before the conntrack lookup, which breaks conntrack helpers.
Fix this by moving the jumps helper rule chains to a new toplevel
`prerouting` and the existing `output` chain respectively.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
[new toplevel `prerouting` chain + reuse existing `output` chain]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
ruleset: correct mangle_output chain type2022-05-30T18:59:27ZJo-Philipp Wich2022-05-30T18:59:27Zurn:sha1:fb9a6b2ba85bb434e6634808fd4530ac2fb2c2c0
Use the `route` chain type for the `mangle_output` chain since rules in
this chain influence egress packet routing.
Fixes: #9955
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
ruleset: fix chain selection for mark and dscp targets2022-01-22T19:36:29ZJo-Philipp Wich2022-01-22T19:36:29Zurn:sha1:5f61dbfe219ac5f7ad7e5e04748357d0ebb3debc
Align the chain selection logic for mark and dscp targets with the one
implemented in firewall3 with commit https://git.openwrt.org/61db17e
Also add corresponding testcases to assert the correct selection logic.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
tests: expand testing2021-03-31T20:10:04ZJo-Philipp Wich2021-03-31T20:09:01Zurn:sha1:29fba840201287b9265888adba6298779b750af5
- Rewrite test framework
- Add initial rule test coverage
Signed-off-by: Jo-Philipp Wich <jo@mein.io>