OpenWrt nftables firewall https://git-03.infra.openwrt.org/project/firewall4/atom?h=master 2023-11-03T13:33:55Z 2023-11-03T13:33:55Z Andris PE 2023-06-21T10:06:24Z urn:sha1:698a53354fd280aae097efe08803c0c9a10c14c2 Reduce scope of MSS fixup to TCP SYN packets only and relocate the fixing of egress MSS to the mangle/postrouting chain in order to properly apply final known MTU size. Fixes: openwrt/openwrt#12112 Signed-off-by: Andris PE <neandris@gmail.com> [fix S-o-b tag, fix commit author, reword commit message] Signed-off-by: Jo-Philipp Wich <jo@mein.io> 2023-11-03T13:14:15Z Jo-Philipp Wich 2023-11-03T13:14:15Z urn:sha1:de3483c561a728d5234a0a3f49b5dde4527a0f3f Fix testcase failure introduced by a previous commit. Fixes: a5553da ("ruleset: reduce ksoftirqd load by refering to looopback by numeric id") Signed-off-by: Jo-Philipp Wich <jo@mein.io> 2023-11-03T13:11:06Z Andris PE 2023-09-19T15:23:59Z urn:sha1:a5553dae70439c7e4fa910490fcf12a1ffff5bd2 Reduce ksoftirq load by half using more efficient reference to loopback which always has index equal to one. Should help a lot with openwrt/openwrt#12914, openwrt/openwrt#12121 and similar iperf3 cases clamping against 100% CPU usage. Signed-off-by: Andris PE <neandris@gmail.com> [fix S-o-b tag, fix commit author, rewrap commit message] Signed-off-by: Jo-Philipp Wich <jo@mein.io> 2023-11-03T13:09:43Z Andris PE 2023-09-07T19:04:35Z urn:sha1:19a8caf614ec338513e58535ea02c6ee52988170 In case the dropping of invalid conntrack states is enabled, using a verdict map allows us to use only one rule instead of two, lowering the initial rule match overhead. Signed-off-by: Andris PE <neandris@gmail.com> [whitespace cleanup, rebase, extend commit subject and message] Signed-off-by: Jo-Philipp Wich <jo@mein.io> 2023-11-03T13:09:16Z Jo-Philipp Wich 2023-11-03T13:09:12Z urn:sha1:22c53921c11115e5437385719b6e73800a68cd33 This reverts commit 785798c8fd72ff3c4c8940922173290bb25bc18e. Revert commit due to bad commit metadata. Signed-off-by: Jo-Philipp Wich <jo@mein.io> 2023-11-03T13:04:39Z User User-User 2023-09-07T19:04:35Z urn:sha1:785798c8fd72ff3c4c8940922173290bb25bc18e In case the dropping of invalid conntrack states is enabled, using a verdict map allows us to use only one rule instead of two, lowering the initial rule match overhead. Signed-off-by: Andris PE <neandris@gmail.com> [whitespace cleanup, rebase, extend commit subject and message] Signed-off-by: Jo-Philipp Wich <jo@mein.io> 2023-11-03T12:37:19Z Luiz Angelo Daros de Luca 2023-08-01T19:51:58Z urn:sha1:187405075911d408fa48e97ce343e76a2a30ef12 Just like zone log_limit, now you can specify a different log limit to a single rule or redirect. Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com> [whitespace cleanup, properly format limit expressions] Signed-off-by: Jo-Philipp Wich <jo@mein.io> 2023-05-30T08:19:51Z Jo-Philipp Wich 2023-05-30T08:19:01Z urn:sha1:23a434d0d15d61db61bb065c89f266a326c78a88 A previous commit enabled flowtable counters without properly adjusting the testcase output. Fixes: 04a06bd ("fw4: enable flowtable counters") Signed-off-by: Jo-Philipp Wich <jo@mein.io> 2023-02-03T11:04:58Z Jo-Philipp Wich 2023-02-03T11:04:58Z urn:sha1:ce9a37829a765c62ce8d9da37caa9bbfb5bb58ec Signed-off-by: Jo-Philipp Wich <jo@mein.io> 2023-02-03T11:04:15Z Jo-Philipp Wich 2023-01-07T16:00:18Z urn:sha1:39e8c70957c795bf0c12f04299170ae86c6efdf8 The comment option for ipset definitions is incorrectly declared as bool and not actually used anywhere in the nftables output rendering. Solve this issue by changing it to the proper "string" type and expose the user configured comment as "comment" property in the generated nftables output. Also add some initial test coverage for ipset declarations to better spot such inconsistencies in the future. Ref: https://github.com/openwrt/luci/pull/6187#issuecomment-1374506633 Reported-by: Paul Dee <itsascambutmailmeanyway@gmail.com> Signed-off-by: Jo-Philipp Wich <jo@mein.io>