OpenWrt nftables firewall https://git.openwrt.org/project/firewall4/atom?h=master 2023-11-03T13:33:55Z 2023-11-03T13:33:55Z Andris PE 2023-06-21T10:06:24Z urn:sha1:698a53354fd280aae097efe08803c0c9a10c14c2 Reduce scope of MSS fixup to TCP SYN packets only and relocate the fixing of egress MSS to the mangle/postrouting chain in order to properly apply final known MTU size. Fixes: openwrt/openwrt#12112 Signed-off-by: Andris PE <neandris@gmail.com> [fix S-o-b tag, fix commit author, reword commit message] Signed-off-by: Jo-Philipp Wich <jo@mein.io> 2023-11-03T13:11:06Z Andris PE 2023-09-19T15:23:59Z urn:sha1:a5553dae70439c7e4fa910490fcf12a1ffff5bd2 Reduce ksoftirq load by half using more efficient reference to loopback which always has index equal to one. Should help a lot with openwrt/openwrt#12914, openwrt/openwrt#12121 and similar iperf3 cases clamping against 100% CPU usage. Signed-off-by: Andris PE <neandris@gmail.com> [fix S-o-b tag, fix commit author, rewrap commit message] Signed-off-by: Jo-Philipp Wich <jo@mein.io> 2023-11-03T13:09:43Z Andris PE 2023-09-07T19:04:35Z urn:sha1:19a8caf614ec338513e58535ea02c6ee52988170 In case the dropping of invalid conntrack states is enabled, using a verdict map allows us to use only one rule instead of two, lowering the initial rule match overhead. Signed-off-by: Andris PE <neandris@gmail.com> [whitespace cleanup, rebase, extend commit subject and message] Signed-off-by: Jo-Philipp Wich <jo@mein.io> 2023-11-03T13:09:16Z Jo-Philipp Wich 2023-11-03T13:09:12Z urn:sha1:22c53921c11115e5437385719b6e73800a68cd33 This reverts commit 785798c8fd72ff3c4c8940922173290bb25bc18e. Revert commit due to bad commit metadata. Signed-off-by: Jo-Philipp Wich <jo@mein.io> 2023-11-03T13:04:39Z User User-User 2023-09-07T19:04:35Z urn:sha1:785798c8fd72ff3c4c8940922173290bb25bc18e In case the dropping of invalid conntrack states is enabled, using a verdict map allows us to use only one rule instead of two, lowering the initial rule match overhead. Signed-off-by: Andris PE <neandris@gmail.com> [whitespace cleanup, rebase, extend commit subject and message] Signed-off-by: Jo-Philipp Wich <jo@mein.io> 2023-05-30T08:19:51Z Jo-Philipp Wich 2023-05-30T08:19:01Z urn:sha1:23a434d0d15d61db61bb065c89f266a326c78a88 A previous commit enabled flowtable counters without properly adjusting the testcase output. Fixes: 04a06bd ("fw4: enable flowtable counters") Signed-off-by: Jo-Philipp Wich <jo@mein.io> 2022-11-02T15:24:20Z Baptiste Jonglez 2022-11-02T15:06:47Z urn:sha1:6443ec7805295de07f6051662065a16b4a194f19 This is necessary with firewall4 to avoid a hard-to-diagnose race condition during boot, causing DNAT rules not to be taken into account correctly. The root cause is that, during boot, the ruleset is mostly empty, and interface-related rules (including DNAT rules) are added incrementally. If a packet hits the input chain before the DNAT rules are setup, it can create buggy conntrack entries that will persist indefinitely. This new default should be safe because firewall4 explicitly accepts authorized traffic and rejects the rest. Thus, in normal operations, the default policy is not used. Fixes: #10749 Ref: https://github.com/openwrt/openwrt/issues/10749 Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org> 2022-10-26T13:45:16Z Jo-Philipp Wich 2022-10-25T19:03:00Z urn:sha1:119ee1a06d4a5e5fd01ec1a242d21d6f355d7ff6 For NAT enabled zones, stage rules to drop forwarded traffic with conntrack state "invalid" and honor `masq_allow_invalid` option to inhibit those rules. This ports the corresponding firewall3 logic to firewall4. Ref: https://forum.openwrt.org/t/x/140790 Signed-off-by: Jo-Philipp Wich <jo@mein.io> 2022-10-03T12:29:41Z Jo-Philipp Wich 2022-10-03T12:26:02Z urn:sha1:b0a6bff4ee4410cd554811fa0ca3b28fce908473 Align expected output with the current implementation. Fixes: a540f6d ("fw4: fix cosmetic issue with per-ruleset and per-table include paths") Fixes: 145e159 ("fw4: recognize `option log` and `option counter` in `config nat` sections") Signed-off-by: Jo-Philipp Wich <jo@mein.io> 2022-08-12T12:35:58Z Jo-Philipp Wich 2022-08-11T11:48:14Z urn:sha1:a4484d4612931800583a7219271b63224491244c Introduce a new directory tree /usr/share/nftables.d/ which may contain partial nftables files being included into the rendered ruleset. The include position is derived from the file path; - Files in .../nftables.d/table-pre/ and .../nftables.d/table-post/ are included before and after the `table inet fw4 { ... }` declaration respectively - Files in .../nftables.d/ruleset-pre/ and .../nftables.d/ruleset-post/ are included before the first chain and after the last chain declaration within the fw4 table respectively - Files in .../nftables.d/chain-pre/${chain}/ and .../chain-post/${chain}/ are included before the first and after the last rule within the mentioned chain of the fw4 table respectively Automatic includes can be disabled by setting the `auto_includes` option to `0` in the global defaults section. Also adjust testcases accordingly. Signed-off-by: Jo-Philipp Wich <jo@mein.io>