<feed xmlns='http://www.w3.org/2005/Atom'>
<title>firewall4/tests/03_rules, branch master</title>
<subtitle>OpenWrt nftables firewall</subtitle>
<id>https://git.openwrt.org/project/firewall4/atom?h=master</id>
<link rel='self' href='https://git.openwrt.org/project/firewall4/atom?h=master'/>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/'/>
<updated>2023-11-03T13:11:06Z</updated>
<entry>
<title>ruleset: reduce ksoftirqd load by referring to loopback by numeric id</title>
<updated>2023-11-03T13:11:06Z</updated>
<author>
<name>Andris PE</name>
</author>
<published>2023-09-19T15:23:59Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=a5553dae70439c7e4fa910490fcf12a1ffff5bd2'/>
<id>urn:sha1:a5553dae70439c7e4fa910490fcf12a1ffff5bd2</id>
<content type='text'>
Reduce ksoftirq load by half using more efficient reference to loopback
which always has index equal to one.

Should help a lot with openwrt/openwrt#12914, openwrt/openwrt#12121 and
similar iperf3 cases clamping against 100% CPU usage.

Signed-off-by: Andris PE &lt;neandris@gmail.com&gt;
[fix S-o-b tag, fix commit author, rewrap commit message]
Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>ruleset: dispatch ct states using verdict map</title>
<updated>2023-11-03T13:09:43Z</updated>
<author>
<name>Andris PE</name>
</author>
<published>2023-09-07T19:04:35Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=19a8caf614ec338513e58535ea02c6ee52988170'/>
<id>urn:sha1:19a8caf614ec338513e58535ea02c6ee52988170</id>
<content type='text'>
In case the dropping of invalid conntrack states is enabled, using a verdict
map allows us to use only one rule instead of two, lowering the initial rule
match overhead.

Signed-off-by: Andris PE &lt;neandris@gmail.com&gt;
[whitespace cleanup, rebase, extend commit subject and message]
Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>Revert "ruleset: dispatch ct states using verdict map"</title>
<updated>2023-11-03T13:09:16Z</updated>
<author>
<name>Jo-Philipp Wich</name>
</author>
<published>2023-11-03T13:09:12Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=22c53921c11115e5437385719b6e73800a68cd33'/>
<id>urn:sha1:22c53921c11115e5437385719b6e73800a68cd33</id>
<content type='text'>
This reverts commit 785798c8fd72ff3c4c8940922173290bb25bc18e.

Revert commit due to bad commit metadata.

Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>ruleset: dispatch ct states using verdict map</title>
<updated>2023-11-03T13:04:39Z</updated>
<author>
<name>User User-User</name>
</author>
<published>2023-09-07T19:04:35Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=785798c8fd72ff3c4c8940922173290bb25bc18e'/>
<id>urn:sha1:785798c8fd72ff3c4c8940922173290bb25bc18e</id>
<content type='text'>
In case the dropping of invalid conntrack states is enabled, using a verdict
map allows us to use only one rule instead of two, lowering the initial rule
match overhead.

Signed-off-by: Andris PE &lt;neandris@gmail.com&gt;
[whitespace cleanup, rebase, extend commit subject and message]
Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>ruleset: fix emitting set_mark/set_xmark rules with masks</title>
<updated>2022-10-14T15:01:44Z</updated>
<author>
<name>Jo-Philipp Wich</name>
</author>
<published>2022-10-14T15:01:44Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=756f1e21ed77f2c0b3fc2c8128c808704f2cf61b'/>
<id>urn:sha1:756f1e21ed77f2c0b3fc2c8128c808704f2cf61b</id>
<content type='text'>
Fix a bad variable access when emitting set_mark/set_xmark rules with
masks and add test coverage for the various mark target variants.

Fixes: #10965
Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>fw4: fix formatting of default log prefix</title>
<updated>2022-10-05T21:33:59Z</updated>
<author>
<name>Jo-Philipp Wich</name>
</author>
<published>2022-10-05T21:33:59Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=43d8ef516747aaede640d292b0326a66186809a8'/>
<id>urn:sha1:43d8ef516747aaede640d292b0326a66186809a8</id>
<content type='text'>
When using the explicit or implicit rule name as default log prefix, ensure
that it is followed by a colon and a space to yield properly formatted firewall
log messages.

Also align the processing logic of `option log` in `config nat` sections with
that in `config rule` and `config redirect`.

Ref: https://forum.openwrt.org/t/x/137182/8
Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>tests: fix testcases</title>
<updated>2022-10-03T12:29:41Z</updated>
<author>
<name>Jo-Philipp Wich</name>
</author>
<published>2022-10-03T12:26:02Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=b0a6bff4ee4410cd554811fa0ca3b28fce908473'/>
<id>urn:sha1:b0a6bff4ee4410cd554811fa0ca3b28fce908473</id>
<content type='text'>
Align expected output with the current implementation.

Fixes: a540f6d ("fw4: fix cosmetic issue with per-ruleset and per-table include paths")
Fixes: 145e159 ("fw4: recognize `option log` and `option counter` in `config nat` sections")
Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>ruleset: reorder declarations &amp; output tweaks</title>
<updated>2022-06-14T14:27:26Z</updated>
<author>
<name>Jo-Philipp Wich</name>
</author>
<published>2022-06-14T14:23:50Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=11410b80eb9c442c4850cfc3034267f3f72a196c'/>
<id>urn:sha1:11410b80eb9c442c4850cfc3034267f3f72a196c</id>
<content type='text'>
 - Omit "Set definitions" header if no sets are declared
 - Always emit ${zone}_devices and ${zone}_subnets defines, even if empty
 - Move CT helper definitions to the top
 - Move ${zone}_helper chain definitions after ${zone}_forward chain defs
 - Consistently use two line spacing for output sections

Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>ruleset: reuse zone-jump.uc template for notrack and helper chain jumps</title>
<updated>2022-06-14T14:27:26Z</updated>
<author>
<name>Jo-Philipp Wich</name>
</author>
<published>2022-06-14T12:59:58Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=e1cb763b65262eef5958d19fe922380aa1e96570'/>
<id>urn:sha1:e1cb763b65262eef5958d19fe922380aa1e96570</id>
<content type='text'>
Avoid some code-duplication by reusing the zone-jump.uc partial template
to emit the helper_* chain jump rules.

Also add some test coverage for notrack rules.

Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>ruleset: fix conntrack helpers</title>
<updated>2022-06-14T14:26:07Z</updated>
<author>
<name>Stijn Tintel</name>
</author>
<published>2022-06-13T15:00:26Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=a063317d96c6c85e4c909eab017ef2813f93ff05'/>
<id>urn:sha1:a063317d96c6c85e4c909eab017ef2813f93ff05</id>
<content type='text'>
In nftables, helper assignments need to be performed after the conntrack
lookup has completed. Using the raw priority results in the assignment
being done before the conntrack lookup, which breaks conntrack helpers.

Fix this by moving the jumps to the helper rule chains to a new toplevel
`prerouting` chain and the existing `output` chain respectively.

Signed-off-by: Stijn Tintel &lt;stijn@linux-ipv6.be&gt;
[new toplevel `prerouting` chain + reuse existing `output` chain]
Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
</feed>
