<feed xmlns='http://www.w3.org/2005/Atom'>
<title>firewall4/tests/02_zones/05_subnet_mask_matches, branch master</title>
<subtitle>OpenWrt nftables firewall</subtitle>
<id>https://git.openwrt.org/project/firewall4/atom?h=master</id>
<link rel='self' href='https://git.openwrt.org/project/firewall4/atom?h=master'/>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/'/>
<updated>2023-11-03T13:11:06Z</updated>
<entry>
<title>ruleset: reduce ksoftirqd load by referring to loopback by numeric id</title>
<updated>2023-11-03T13:11:06Z</updated>
<author>
<name>Andris PE</name>
</author>
<published>2023-09-19T15:23:59Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=a5553dae70439c7e4fa910490fcf12a1ffff5bd2'/>
<id>urn:sha1:a5553dae70439c7e4fa910490fcf12a1ffff5bd2</id>
<content type='text'>
Reduce ksoftirq load by half using more efficient reference to loopback
which always has index equal to one.

Should help a lot with openwrt/openwrt#12914, openwrt/openwrt#12121 and
similar iperf3 cases clamping against 100% CPU usage.

Signed-off-by: Andris PE &lt;neandris@gmail.com&gt;
[fix S-o-b tag, fix commit author, rewrap commit message]
Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>ruleset: dispatch ct states using verdict map</title>
<updated>2023-11-03T13:09:43Z</updated>
<author>
<name>Andris PE</name>
</author>
<published>2023-09-07T19:04:35Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=19a8caf614ec338513e58535ea02c6ee52988170'/>
<id>urn:sha1:19a8caf614ec338513e58535ea02c6ee52988170</id>
<content type='text'>
In case the dropping of invalid conntrack states is enabled, using a verdict
map allows us to use only one rule instead of two, lowering the initial rule
match overhead.

Signed-off-by: Andris PE &lt;neandris@gmail.com&gt;
[whitespace cleanup, rebase, extend commit subject and message]
Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>Revert "ruleset: dispatch ct states using verdict map"</title>
<updated>2023-11-03T13:09:16Z</updated>
<author>
<name>Jo-Philipp Wich</name>
</author>
<published>2023-11-03T13:09:12Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=22c53921c11115e5437385719b6e73800a68cd33'/>
<id>urn:sha1:22c53921c11115e5437385719b6e73800a68cd33</id>
<content type='text'>
This reverts commit 785798c8fd72ff3c4c8940922173290bb25bc18e.

Revert commit due to bad commit metadata.

Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>ruleset: dispatch ct states using verdict map</title>
<updated>2023-11-03T13:04:39Z</updated>
<author>
<name>User User-User</name>
</author>
<published>2023-09-07T19:04:35Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=785798c8fd72ff3c4c8940922173290bb25bc18e'/>
<id>urn:sha1:785798c8fd72ff3c4c8940922173290bb25bc18e</id>
<content type='text'>
In case the dropping of invalid conntrack states is enabled, using a verdict
map allows us to use only one rule instead of two, lowering the initial rule
match overhead.

Signed-off-by: Andris PE &lt;neandris@gmail.com&gt;
[whitespace cleanup, rebase, extend commit subject and message]
Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>ruleset: reorder declarations &amp; output tweaks</title>
<updated>2022-06-14T14:27:26Z</updated>
<author>
<name>Jo-Philipp Wich</name>
</author>
<published>2022-06-14T14:23:50Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=11410b80eb9c442c4850cfc3034267f3f72a196c'/>
<id>urn:sha1:11410b80eb9c442c4850cfc3034267f3f72a196c</id>
<content type='text'>
 - Omit "Set definitions" header if no sets are declared
 - Always emit ${zone}_devices and ${zone}_subnets defines, even if empty
 - Move CT helper definitions to the top
 - Move ${zone}_helper chain definitions after ${zone}_forward chain defs
 - Consistently use two line spacing for output sections

Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>ruleset: reuse zone-jump.uc template for notrack and helper chain jumps</title>
<updated>2022-06-14T14:27:26Z</updated>
<author>
<name>Jo-Philipp Wich</name>
</author>
<published>2022-06-14T12:59:58Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=e1cb763b65262eef5958d19fe922380aa1e96570'/>
<id>urn:sha1:e1cb763b65262eef5958d19fe922380aa1e96570</id>
<content type='text'>
Avoid some code-duplication by reusing the zone-jump.uc partial template
to emit the helper_* chain jump rules.

Also add some test coverage for notrack rules.

Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>ruleset: fix conntrack helpers</title>
<updated>2022-06-14T14:26:07Z</updated>
<author>
<name>Stijn Tintel</name>
</author>
<published>2022-06-13T15:00:26Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=a063317d96c6c85e4c909eab017ef2813f93ff05'/>
<id>urn:sha1:a063317d96c6c85e4c909eab017ef2813f93ff05</id>
<content type='text'>
In nftables, helper assignments need to be performed after the conntrack
lookup has completed. Using the raw priority results in the assignment
being done before the conntrack lookup, which breaks conntrack helpers.

Fix this by moving the jumps to helper rule chains to a new toplevel
`prerouting` and the existing `output` chain respectively.

Signed-off-by: Stijn Tintel &lt;stijn@linux-ipv6.be&gt;
[new toplevel `prerouting` chain + reuse existing `output` chain]
Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>ruleset: correct mangle_output chain type</title>
<updated>2022-05-30T18:59:27Z</updated>
<author>
<name>Jo-Philipp Wich</name>
</author>
<published>2022-05-30T18:59:27Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=fb9a6b2ba85bb434e6634808fd4530ac2fb2c2c0'/>
<id>urn:sha1:fb9a6b2ba85bb434e6634808fd4530ac2fb2c2c0</id>
<content type='text'>
Use the `route` chain type for the `mangle_output` chain since rules in
this chain influence egress packet routing.

Fixes: #9955
Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>ruleset: support non-contiguous address masks</title>
<updated>2022-01-27T15:22:15Z</updated>
<author>
<name>Jo-Philipp Wich</name>
</author>
<published>2022-01-26T11:05:39Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=e60bb4b47ff9aad6806afc0468f4217a344a7cf0'/>
<id>urn:sha1:e60bb4b47ff9aad6806afc0468f4217a344a7cf0</id>
<content type='text'>
Support non-contiguous address masks (such as `::1234/::ffff`) for zone
subnet and rule src_ip / dest_ip options and translate them into appropriate
bitwise &amp; expressions internally.

Add appropriate logic to calculate permutations of inverted, non-inverted,
contiguous and non-contiguous address matches since bitwise calculation
expressions can not appear within sets which means that any non-inverted,
non-contiguous mask addresses must be put into separate rules while the
remaining addresses (if any) may be grouped into a common set.

Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
</feed>
