firewall4/tests/02_zones, branch master

tests: adjust zone log limit testcases

2023-11-03T13:14:15Z

Fix testcase failure introduced by a previous commit. Fixes: a5553da ("ruleset: reduce ksoftirqd load by refering to looopback by numeric id") Signed-off-by: Jo-Philipp Wich

ruleset: reduce ksoftirqd load by refering to looopback by numeric id

2023-11-03T13:11:06Z

Reduce ksoftirq load by half using more efficient reference to loopback which always has index equal to one. Should help a lot with openwrt/openwrt#12914, openwrt/openwrt#12121 and similar iperf3 cases clamping against 100% CPU usage. Signed-off-by: Andris PE [fix S-o-b tag, fix commit author, rewrap commit message] Signed-off-by: Jo-Philipp Wich

ruleset: dispatch ct states using verdict map

2023-11-03T13:09:43Z

In case the dropping of invalid conntrack states is enabled, using a verdict map allows us to use only one rule instead of two, lowering the initial rule match overhead. Signed-off-by: Andris PE [whitespace cleanup, rebase, extend commit subject and message] Signed-off-by: Jo-Philipp Wich

Revert "ruleset: dispatch ct states using verdict map"

2023-11-03T13:09:16Z

This reverts commit 785798c8fd72ff3c4c8940922173290bb25bc18e. Revert commit due to bad commit metadata. Signed-off-by: Jo-Philipp Wich

ruleset: dispatch ct states using verdict map

2023-11-03T13:04:39Z

fw4: add log_limit to rules and redirects

2023-11-03T12:37:19Z

Just like zone log_limit, now you can specify a different log limit to a single rule or redirect. Signed-off-by: Luiz Angelo Daros de Luca [whitespace cleanup, properly format limit expressions] Signed-off-by: Jo-Philipp Wich

ruleset: drop ctstate invalid traffic for masq-enabled zones

2022-10-26T13:45:16Z

For NAT enabled zones, stage rules to drop forwarded traffic with conntrack state "invalid" and honor `masq_allow_invalid` option to inhibit those rules. This ports the corresponding firewall3 logic to firewall4. Ref: https://forum.openwrt.org/t/x/140790 Signed-off-by: Jo-Philipp Wich

fw4: don't inherit zone family from ct helpers

2022-08-01T10:39:49Z

It's perfectly valid to use a conntrack helper that only supports a single address family in a zone where both IPv4 and IPv6 are used. Restricting a zone to a certain family due to limitations of the associated conntrack helpers may result in unexpected behaviour, which in turn may have unintended security implications. Don't inherit zone family from conntrack helper restrictions to avoid this and add test coverage. Signed-off-by: Stijn Tintel Acked-by: Jo-Philipp Wich

ruleset: reorder declarations & output tweaks

2022-06-14T14:27:26Z

- Omit "Set definitions" header if no sets are declared - Always emit ${zone}_devices and ${zone}_subnets defines, even if empty - Move CT helper definitions to the top - Move ${zone}_helper chain definitions after ${zone}_forward chain defs - Consistently use two line spacing for output sections Signed-off-by: Jo-Philipp Wich

ruleset: reuse zone-jump.uc template for notrack and helper chain jumps

2022-06-14T14:27:26Z

Avoid some code-duplication by reusing the zone-jump.uc partial template to emit the helper_* chain jump rules. Also add some test coverage for notrack rules. Signed-off-by: Jo-Philipp Wich