From ac8a7378c9a920f5af8da2c9019e26f8f6844ae9 Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Fri, 28 Jan 2022 09:51:12 +0100
Subject: [PATCH] ruleset: remove redundant syn check

The syn_flood chain entry is guarded by a TCP flags check in the calling chain, so the syn_flood chain doesn't need to check packet flags again, it only needs to count and potentially drop.

Signed-off-by: Jo-Philipp Wich
---
 root/usr/share/firewall4/templates/ruleset.uc | 7 +++----
 tests/01_configuration/01_ruleset | 2 +-
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/root/usr/share/firewall4/templates/ruleset.uc b/root/usr/share/firewall4/templates/ruleset.uc
index 75f0679..e9692d7 100644
--- a/root/usr/share/firewall4/templates/ruleset.uc
+++ b/root/usr/share/firewall4/templates/ruleset.uc
@@ -70,7 +70,7 @@ table inet fw4 {
 {% if (fw4.default_option("drop_invalid")): %}
 ct state invalid drop comment "!fw4: Drop flows with invalid conntrack state"
 {% endif %}
-{% if (fw4.default_option("synflood_protect")): %}
+{% if (fw4.default_option("synflood_protect") && fw4.default_option("synflood_rate")): %}
 tcp flags & (fin | syn | rst | ack) == syn jump syn_flood comment "!fw4: Rate limit TCP syn packets"
 {% endif %}
 {% for (let rule in fw4.rules("input")): %}
@@ -138,13 +138,12 @@ table inet fw4 {
 }} comment "!fw4: Reject any other traffic"
 }
-{% if (fw4.default_option("synflood_protect")):
+{% if (fw4.default_option("synflood_protect") && fw4.default_option("synflood_rate")):
 let r = fw4.default_option("synflood_rate");
 let b = fw4.default_option("synflood_burst");
 %}
 chain syn_flood {
- tcp flags & (fin | syn | rst | ack) == syn
- {%- if (r): %} limit rate {{ r.rate }}/{{ r.unit }}{% endif %}
+ limit rate {{ r.rate }}/{{ r.unit }}
 {%- if (b): %} burst {{ b }} packets{% endif %}
 return comment "!fw4: Accept SYN packets below rate-limit"
 drop comment "!fw4: Drop excess packets"
 }
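Review bot: With the new `&& fw4.default_option("synflood_rate")` condition on the jump rule, a configuration that sets `synflood_protect` but no rate now gets no SYN rate limiting at all, and nothing in the generated ruleset signals that the protection was silently dropped. Whether that can happen depends on whether `synflood_rate` has a built-in default, which is not visible in this hunk; if it does not, a warning at generation time would be the safer behaviour. The same compound condition is repeated verbatim in the second hunk of this file, so a template comment documenting the dependency once would help, e.g. `{# synflood_protect only takes effect together with synflood_rate; both the jump and the syn_flood chain are omitted otherwise #}`.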
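Review bot: Removing the `tcp flags & (fin | syn | rst | ack) == syn` match from `chain syn_flood` makes the chain correct only as long as its sole caller remains the flags-guarded jump added in the first hunk; any future unguarded `jump syn_flood` would rate-limit and drop arbitrary traffic, and the chain itself no longer defends against that. That coupling is worth stating next to the chain definition, e.g. `{# syn_flood has no flags check of its own: only jump here from a rule that already matched a pure SYN #}`. Dereferencing `r.rate` and `r.unit` unconditionally is consistent with the new guard, since the chain is not emitted when `synflood_rate` is unset.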
diff --git a/tests/01_configuration/01_ruleset b/tests/01_configuration/01_ruleset
index 1b006d8..7f4fcfd 100644
--- a/tests/01_configuration/01_ruleset
+++ b/tests/01_configuration/01_ruleset
@@ -93,7 +93,7 @@ table inet fw4 {
 }
 chain syn_flood {
- tcp flags & (fin | syn | rst | ack) == syn limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
+ limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
 drop comment "!fw4: Drop excess packets"
 }
--
2.30.2
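Review bot: The updated expectation only covers the case where both a rate and a burst are configured, while the template change introduces a new path (`synflood_protect` set, `synflood_rate` unset) in which neither the `jump syn_flood` rule nor the `syn_flood` chain should appear in the output. A second fixture asserting that absence would pin the new behaviour, which is otherwise only implied by the template condition; I cannot tell from this hunk whether such a case exists elsewhere in the test suite.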