<feed xmlns='http://www.w3.org/2005/Atom'>
<title>firewall4/tests/01_configuration/02_rule_order, branch master</title>
<subtitle>OpenWrt nftables firewall</subtitle>
<id>https://git.openwrt.org/project/firewall4/atom?h=master</id>
<link rel='self' href='https://git.openwrt.org/project/firewall4/atom?h=master'/>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/'/>
<updated>2023-11-03T13:11:06Z</updated>
<entry>
<title>ruleset: reduce ksoftirqd load by referring to loopback by numeric id</title>
<updated>2023-11-03T13:11:06Z</updated>
<author>
<name>Andris PE</name>
</author>
<published>2023-09-19T15:23:59Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=a5553dae70439c7e4fa910490fcf12a1ffff5bd2'/>
<id>urn:sha1:a5553dae70439c7e4fa910490fcf12a1ffff5bd2</id>
<content type='text'>
Reduce ksoftirq load by half using more efficient reference to loopback
which always has index equal to one.

Should help a lot with openwrt/openwrt#12914, openwrt/openwrt#12121 and
similar iperf3 cases clamping against 100% CPU usage.

Signed-off-by: Andris PE &lt;neandris@gmail.com&gt;
[fix S-o-b tag, fix commit author, rewrap commit message]
Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>ruleset: dispatch ct states using verdict map</title>
<updated>2023-11-03T13:09:43Z</updated>
<author>
<name>Andris PE</name>
</author>
<published>2023-09-07T19:04:35Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=19a8caf614ec338513e58535ea02c6ee52988170'/>
<id>urn:sha1:19a8caf614ec338513e58535ea02c6ee52988170</id>
<content type='text'>
In case the dropping of invalid conntrack states is enabled, using a verdict
map allows us to use only one rule instead of two, lowering the initial rule
match overhead.

Signed-off-by: Andris PE &lt;neandris@gmail.com&gt;
[whitespace cleanup, rebase, extend commit subject and message]
Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>Revert "ruleset: dispatch ct states using verdict map"</title>
<updated>2023-11-03T13:09:16Z</updated>
<author>
<name>Jo-Philipp Wich</name>
</author>
<published>2023-11-03T13:09:12Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=22c53921c11115e5437385719b6e73800a68cd33'/>
<id>urn:sha1:22c53921c11115e5437385719b6e73800a68cd33</id>
<content type='text'>
This reverts commit 785798c8fd72ff3c4c8940922173290bb25bc18e.

Revert commit due to bad commit metadata.

Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>ruleset: dispatch ct states using verdict map</title>
<updated>2023-11-03T13:04:39Z</updated>
<author>
<name>User User-User</name>
</author>
<published>2023-09-07T19:04:35Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=785798c8fd72ff3c4c8940922173290bb25bc18e'/>
<id>urn:sha1:785798c8fd72ff3c4c8940922173290bb25bc18e</id>
<content type='text'>
In case the dropping of invalid conntrack states is enabled, using a verdict
map allows us to use only one rule instead of two, lowering the initial rule
match overhead.

Signed-off-by: Andris PE &lt;neandris@gmail.com&gt;
[whitespace cleanup, rebase, extend commit subject and message]
Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>tests: fix testcases</title>
<updated>2022-10-03T12:29:41Z</updated>
<author>
<name>Jo-Philipp Wich</name>
</author>
<published>2022-10-03T12:26:02Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=b0a6bff4ee4410cd554811fa0ca3b28fce908473'/>
<id>urn:sha1:b0a6bff4ee4410cd554811fa0ca3b28fce908473</id>
<content type='text'>
Align expected output with the current implementation.

Fixes: a540f6d ("fw4: fix cosmetic issue with per-ruleset and per-table include paths")
Fixes: 145e159 ("fw4: recognize `option log` and `option counter` in `config nat` sections")
Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>fw4: support automatic includes</title>
<updated>2022-08-12T12:35:58Z</updated>
<author>
<name>Jo-Philipp Wich</name>
</author>
<published>2022-08-11T11:48:14Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=a4484d4612931800583a7219271b63224491244c'/>
<id>urn:sha1:a4484d4612931800583a7219271b63224491244c</id>
<content type='text'>
Introduce a new directory tree /usr/share/nftables.d/ which may contain
partial nftables files being included into the rendered ruleset.

The include position is derived from the file path:

 - Files in .../nftables.d/table-pre/ and .../nftables.d/table-post/ are
   included before and after the `table inet fw4 { ... }` declaration
   respectively

 - Files in .../nftables.d/ruleset-pre/ and .../nftables.d/ruleset-post/
   are included before the first chain and after the last chain
   declaration within the fw4 table respectively

 - Files in .../nftables.d/chain-pre/${chain}/ and .../chain-post/${chain}/
   are included before the first and after the last rule within the mentioned
   chain of the fw4 table respectively

Automatic includes can be disabled by setting the `auto_includes` option to
`0` in the global defaults section.

Also adjust testcases accordingly.

Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>ruleset: reorder declarations &amp; output tweaks</title>
<updated>2022-06-14T14:27:26Z</updated>
<author>
<name>Jo-Philipp Wich</name>
</author>
<published>2022-06-14T14:23:50Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=11410b80eb9c442c4850cfc3034267f3f72a196c'/>
<id>urn:sha1:11410b80eb9c442c4850cfc3034267f3f72a196c</id>
<content type='text'>
 - Omit "Set definitions" header if no sets are declared
 - Always emit ${zone}_devices and ${zone}_subnets defines, even if empty
 - Move CT helper definitions to the top
 - Move ${zone}_helper chain definitions after ${zone}_forward chain defs
 - Consistently use two line spacing for output sections

Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>ruleset: fix conntrack helpers</title>
<updated>2022-06-14T14:26:07Z</updated>
<author>
<name>Stijn Tintel</name>
</author>
<published>2022-06-13T15:00:26Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=a063317d96c6c85e4c909eab017ef2813f93ff05'/>
<id>urn:sha1:a063317d96c6c85e4c909eab017ef2813f93ff05</id>
<content type='text'>
In nftables, helper assignments need to be performed after the conntrack
lookup has completed. Using the raw priority results in the assignment
being done before the conntrack lookup, which breaks conntrack helpers.

Fix this by moving the jumps to the helper rule chains to a new toplevel
`prerouting` chain and the existing `output` chain respectively.

Signed-off-by: Stijn Tintel &lt;stijn@linux-ipv6.be&gt;
[new toplevel `prerouting` chain + reuse existing `output` chain]
Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>ruleset: correct mangle_output chain type</title>
<updated>2022-05-30T18:59:27Z</updated>
<author>
<name>Jo-Philipp Wich</name>
</author>
<published>2022-05-30T18:59:27Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=fb9a6b2ba85bb434e6634808fd4530ac2fb2c2c0'/>
<id>urn:sha1:fb9a6b2ba85bb434e6634808fd4530ac2fb2c2c0</id>
<content type='text'>
Use the `route` chain type for the `mangle_output` chain since rules in
this chain influence egress packet routing.

Fixes: #9955
Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>tests: change mocked wan interface type to PPPoE</title>
<updated>2022-02-12T19:36:46Z</updated>
<author>
<name>Jo-Philipp Wich</name>
</author>
<published>2022-02-12T12:16:24Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=281b1bcd99f4a65410ae0559da4f6f130a31d4a8'/>
<id>urn:sha1:281b1bcd99f4a65410ae0559da4f6f130a31d4a8</id>
<content type='text'>
Change the WAN interface type in the mock data to PPPoE. PPPoE interfaces
are special because their L3 device differs from the L2 one which becomes
important later for resolving hw offloaded flowtable devices.

Adjust the test cases accordingly.

Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
</feed>
