Reorder early state dispatch for quicker outcome #22

Open
wants to merge 8 commits into
base: master
31 changes: 22 additions & 9 deletions root/usr/share/firewall4/templates/ruleset.uc
Expand Up @@ -112,10 +112,9 @@ table inet fw4 {
chain input {
type filter hook input priority filter; policy {{ fw4.input_policy(true) }};

iif "lo" accept comment "!fw4: Accept traffic from loopback"

{% fw4.includes('chain-prepend', 'input') %}
ct state vmap { established : accept, related : accept{% if (fw4.default_option("drop_invalid")): %}, invalid : drop{% endif %} } comment "!fw4: Handle inbound flows"
ct state established,related accept comment "!fw4: Accept inbound flows"
iif "lo" accept comment "!fw4: Accept traffic from loopback"
{% if (fw4.default_option("synflood_protect") && fw4.default_option("synflood_rate")): %}
tcp flags & (fin | syn | rst | ack) == syn jump syn_flood comment "!fw4: Rate limit TCP syn packets"
{% endif %}
Expand All @@ -134,11 +133,12 @@ table inet fw4 {
chain forward {
type filter hook forward priority filter; policy {{ fw4.forward_policy(true) }};

{% fw4.includes('chain-prepend', 'forward') %}
{% if (length(flowtable_devices) > 0): %}
meta l4proto { tcp, udp } flow offload @ft;
ct state established,related goto handle_offload comment "!fw4: Handle forwarded flows"
{% else %}
ct state established,related accept comment "!fw4: Accept forwarded flows"
{% endif %}
{% fw4.includes('chain-prepend', 'forward') %}
ct state vmap { established : accept, related : accept{% if (fw4.default_option("drop_invalid")): %}, invalid : drop{% endif %} } comment "!fw4: Handle forwarded flows"
{% for (let rule in fw4.rules("forward")): %}
{%+ include("rule.uc", { fw4, zone: (rule.src?.zone?.log_limit ? rule.src.zone : rule.dest?.zone), rule }) %}
{% endfor %}
Expand All @@ -154,10 +154,13 @@ table inet fw4 {
chain output {
type filter hook output priority filter; policy {{ fw4.output_policy(true) }};

oif "lo" accept comment "!fw4: Accept traffic towards loopback"

{% fw4.includes('chain-prepend', 'output') %}
ct state vmap { established : accept, related : accept{% if (fw4.default_option("drop_invalid")): %}, invalid : drop{% endif %} } comment "!fw4: Handle outbound flows"
{% if (fw4.default_option("drop_invalid")): %}
ct state vmap { established : accept, related : accept, invalid : drop } comment "!fw4: Handle outbound flows"
{% else %}
ct state established,related accept comment "!fw4: Accept outbound flows"
{% endif %}
oif "lo" accept comment "!fw4: Accept traffic towards loopback"
{% for (let rule in fw4.rules("output")): %}
{%+ include("rule.uc", { fw4, zone: null, rule }) %}
{% endfor %}
Expand All @@ -181,6 +184,9 @@ table inet fw4 {

chain prerouting {
type filter hook prerouting priority filter; policy accept;
{% if (fw4.default_option("drop_invalid")): %}
ct state invalid drop comment "!fw4: Drop packets in invalid flow state"
{% endif %}
{% for (let zone in fw4.zones()): %}
{% if (zone.dflags.helper): %}
{% for (let rule in zone.match_rules): %}
Expand All @@ -207,6 +213,13 @@ table inet fw4 {
}} comment "!fw4: Reject any other traffic"
}

{% if (length(flowtable_devices) > 0): %}
chain handle_offload {
flow add @ft accept
accept
}

{% endif %}
{% if (fw4.default_option("synflood_protect") && fw4.default_option("synflood_rate")):
let r = fw4.default_option("synflood_rate");
let b = fw4.default_option("synflood_burst");
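Review bot: Moving the invalid-state drop into `chain prerouting` (hunk `@@ -181,6 +184,9 @@`) changes where `drop_invalid` takes effect, not just how fast: it now fires ahead of the input and forward `chain-prepend` includes and ahead of `iif "lo" accept`, so an include that deliberately accepted invalid-state packets no longer gets a chance, and loopback traffic is no longer exempt in either direction because the output chain now evaluates its vmap before `oif "lo" accept`. If that is intended it should be stated in the template; I would add above the new prerouting rule `{# drop_invalid is enforced here for input and forward, before chain-prepend includes and the loopback accept; output keeps its own vmap because locally generated packets do not traverse prerouting #}`. None of the updated fixtures set `drop_invalid`, so the prerouting rule and the output-chain `invalid : drop` branch are untested by this PR; a fixture with that option enabled would pin the new behaviour. The prerouting chain continues past the end of the hunk.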
14 changes: 8 additions & 6 deletions tests/01_configuration/01_ruleset
Expand Up @@ -110,9 +110,8 @@ table inet fw4 {
chain input {
type filter hook input priority filter; policy drop;

ct state established,related accept comment "!fw4: Accept inbound flows"
iif "lo" accept comment "!fw4: Accept traffic from loopback"

ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
tcp flags & (fin | syn | rst | ack) == syn jump syn_flood comment "!fw4: Rate limit TCP syn packets"
iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
Expand All @@ -122,8 +121,7 @@ table inet fw4 {
chain forward {
type filter hook forward priority filter; policy drop;

meta l4proto { tcp, udp } flow offload @ft;
ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
ct state established,related goto handle_offload comment "!fw4: Handle forwarded flows"
iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
iifname "pppoe-wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
jump handle_reject
Expand All @@ -132,9 +130,8 @@ table inet fw4 {
chain output {
type filter hook output priority filter; policy accept;

ct state established,related accept comment "!fw4: Accept outbound flows"
oif "lo" accept comment "!fw4: Accept traffic towards loopback"

ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
meta l4proto tcp counter comment "!fw4: Test-Deprecated-Rule-Option"
oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
Expand All @@ -150,6 +147,11 @@ table inet fw4 {
reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
}

chain handle_offload {
flow add @ft accept
accept
}

chain syn_flood {
limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
drop comment "!fw4: Drop excess packets"
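Review bot: The offload path now dispatches every established/related flow to `handle_offload` (`ct state established,related goto handle_offload`), and that chain runs `flow add @ft accept` without the `meta l4proto { tcp, udp }` qualifier the old rule carried. The flow offload expression should break out of the rule for protocols it cannot offload and let the trailing `accept` take over, but the fixture is then relying on that fall-through rather than stating the intent; keeping the qualifier, `meta l4proto { tcp, udp } flow add @ft accept`, makes the expected ruleset self-explanatory. Worth confirming against a live flowtable that ICMP and other non-TCP/UDP established flows are still accepted here.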
8 changes: 3 additions & 5 deletions tests/01_configuration/02_rule_order
Expand Up @@ -91,27 +91,25 @@ table inet fw4 {
chain input {
type filter hook input priority filter; policy drop;

ct state established,related accept comment "!fw4: Accept inbound flows"
iif "lo" accept comment "!fw4: Accept traffic from loopback"

ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
}

chain forward {
type filter hook forward priority filter; policy drop;

ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
ct state established,related accept comment "!fw4: Accept forwarded flows"
iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
iifname "pppoe-wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
}

chain output {
type filter hook output priority filter; policy drop;

ct state established,related accept comment "!fw4: Accept outbound flows"
oif "lo" accept comment "!fw4: Accept traffic towards loopback"

ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
}
8 changes: 3 additions & 5 deletions tests/02_zones/01_policies
Expand Up @@ -93,9 +93,8 @@ table inet fw4 {
chain input {
type filter hook input priority filter; policy drop;

ct state established,related accept comment "!fw4: Accept inbound flows"
iif "lo" accept comment "!fw4: Accept traffic from loopback"

ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
iifname "zone1" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic"
iifname "zone2" jump input_test2 comment "!fw4: Handle test2 IPv4/IPv6 input traffic"
iifname "zone3" jump input_test3 comment "!fw4: Handle test3 IPv4/IPv6 input traffic"
Expand All @@ -104,7 +103,7 @@ table inet fw4 {
chain forward {
type filter hook forward priority filter; policy drop;

ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
ct state established,related accept comment "!fw4: Accept forwarded flows"
iifname "zone1" jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic"
iifname "zone2" jump forward_test2 comment "!fw4: Handle test2 IPv4/IPv6 forward traffic"
iifname "zone3" jump forward_test3 comment "!fw4: Handle test3 IPv4/IPv6 forward traffic"
Expand All @@ -113,9 +112,8 @@ table inet fw4 {
chain output {
type filter hook output priority filter; policy drop;

ct state established,related accept comment "!fw4: Accept outbound flows"
oif "lo" accept comment "!fw4: Accept traffic towards loopback"

ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic"
oifname "zone2" jump output_test2 comment "!fw4: Handle test2 IPv4/IPv6 output traffic"
oifname "zone3" jump output_test3 comment "!fw4: Handle test3 IPv4/IPv6 output traffic"
8 changes: 3 additions & 5 deletions tests/02_zones/02_masq
Expand Up @@ -97,9 +97,8 @@ table inet fw4 {
chain input {
type filter hook input priority filter; policy drop;

ct state established,related accept comment "!fw4: Accept inbound flows"
iif "lo" accept comment "!fw4: Accept traffic from loopback"

ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
iifname "zone1" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic"
iifname "zone2" jump input_test2 comment "!fw4: Handle test2 IPv4/IPv6 input traffic"
iifname "zone3" jump input_test3 comment "!fw4: Handle test3 IPv4/IPv6 input traffic"
Expand All @@ -108,7 +107,7 @@ table inet fw4 {
chain forward {
type filter hook forward priority filter; policy drop;

ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
ct state established,related accept comment "!fw4: Accept forwarded flows"
iifname "zone1" jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic"
iifname "zone2" jump forward_test2 comment "!fw4: Handle test2 IPv4/IPv6 forward traffic"
iifname "zone3" jump forward_test3 comment "!fw4: Handle test3 IPv4/IPv6 forward traffic"
Expand All @@ -117,9 +116,8 @@ table inet fw4 {
chain output {
type filter hook output priority filter; policy drop;

ct state established,related accept comment "!fw4: Accept outbound flows"
oif "lo" accept comment "!fw4: Accept traffic towards loopback"

ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic"
oifname "zone2" jump output_test2 comment "!fw4: Handle test2 IPv4/IPv6 output traffic"
oifname "zone3" jump output_test3 comment "!fw4: Handle test3 IPv4/IPv6 output traffic"
8 changes: 3 additions & 5 deletions tests/02_zones/03_masq_src_dest_restrictions
Expand Up @@ -120,27 +120,25 @@ table inet fw4 {
chain input {
type filter hook input priority filter; policy drop;

ct state established,related accept comment "!fw4: Accept inbound flows"
iif "lo" accept comment "!fw4: Accept traffic from loopback"

ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
iifname "zone1" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic"
iifname "zone2" jump input_test2 comment "!fw4: Handle test2 IPv4/IPv6 input traffic"
}

chain forward {
type filter hook forward priority filter; policy drop;

ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
ct state established,related accept comment "!fw4: Accept forwarded flows"
iifname "zone1" jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic"
iifname "zone2" jump forward_test2 comment "!fw4: Handle test2 IPv4/IPv6 forward traffic"
}

chain output {
type filter hook output priority filter; policy drop;

ct state established,related accept comment "!fw4: Accept outbound flows"
oif "lo" accept comment "!fw4: Accept traffic towards loopback"

ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic"
oifname "zone2" jump output_test2 comment "!fw4: Handle test2 IPv4/IPv6 output traffic"
}
8 changes: 3 additions & 5 deletions tests/02_zones/04_masq_allow_invalid
Expand Up @@ -69,25 +69,23 @@ table inet fw4 {
chain input {
type filter hook input priority filter; policy drop;

ct state established,related accept comment "!fw4: Accept inbound flows"
iif "lo" accept comment "!fw4: Accept traffic from loopback"

ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
iifname "zone1" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic"
}

chain forward {
type filter hook forward priority filter; policy drop;

ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
ct state established,related accept comment "!fw4: Accept forwarded flows"
iifname "zone1" jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic"
}

chain output {
type filter hook output priority filter; policy drop;

ct state established,related accept comment "!fw4: Accept outbound flows"
oif "lo" accept comment "!fw4: Accept traffic towards loopback"

ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic"
}

8 changes: 3 additions & 5 deletions tests/02_zones/04_wildcard_devices
Expand Up @@ -120,9 +120,8 @@ table inet fw4 {
chain input {
type filter hook input priority filter; policy drop;

ct state established,related accept comment "!fw4: Accept inbound flows"
iif "lo" accept comment "!fw4: Accept traffic from loopback"

ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic"
iifname "/never/" jump input_test2 comment "!fw4: Handle test2 IPv4/IPv6 input traffic"
iifname "test*" jump input_test3 comment "!fw4: Handle test3 IPv4/IPv6 input traffic"
Expand All @@ -137,7 +136,7 @@ table inet fw4 {
chain forward {
type filter hook forward priority filter; policy drop;

ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
ct state established,related accept comment "!fw4: Accept forwarded flows"
jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic"
iifname "/never/" jump forward_test2 comment "!fw4: Handle test2 IPv4/IPv6 forward traffic"
iifname "test*" jump forward_test3 comment "!fw4: Handle test3 IPv4/IPv6 forward traffic"
Expand All @@ -152,9 +151,8 @@ table inet fw4 {
chain output {
type filter hook output priority filter; policy drop;

ct state established,related accept comment "!fw4: Accept outbound flows"
oif "lo" accept comment "!fw4: Accept traffic towards loopback"

ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic"
oifname "/never/" jump output_test2 comment "!fw4: Handle test2 IPv4/IPv6 output traffic"
oifname "test*" jump output_test3 comment "!fw4: Handle test3 IPv4/IPv6 output traffic"
8 changes: 3 additions & 5 deletions tests/02_zones/05_subnet_mask_matches
Expand Up @@ -79,9 +79,8 @@ table inet fw4 {
chain input {
type filter hook input priority filter; policy drop;

ct state established,related accept comment "!fw4: Accept inbound flows"
iif "lo" accept comment "!fw4: Accept traffic from loopback"

ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
meta nfproto ipv6 ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::2 jump input_test1 comment "!fw4: Handle test1 IPv6 input traffic"
meta nfproto ipv6 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 jump input_test2 comment "!fw4: Handle test2 IPv6 input traffic"
meta nfproto ipv6 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::2 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 jump input_test2 comment "!fw4: Handle test2 IPv6 input traffic"
Expand All @@ -91,7 +90,7 @@ table inet fw4 {
chain forward {
type filter hook forward priority filter; policy drop;

ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
ct state established,related accept comment "!fw4: Accept forwarded flows"
meta nfproto ipv6 ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::2 jump forward_test1 comment "!fw4: Handle test1 IPv6 forward traffic"
meta nfproto ipv6 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 jump forward_test2 comment "!fw4: Handle test2 IPv6 forward traffic"
meta nfproto ipv6 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::2 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 jump forward_test2 comment "!fw4: Handle test2 IPv6 forward traffic"
Expand All @@ -101,9 +100,8 @@ table inet fw4 {
chain output {
type filter hook output priority filter; policy drop;

ct state established,related accept comment "!fw4: Accept outbound flows"
oif "lo" accept comment "!fw4: Accept traffic towards loopback"

ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
meta nfproto ipv6 ip6 daddr & ::ffff == ::1 ip6 daddr & ::ffff != ::2 jump output_test1 comment "!fw4: Handle test1 IPv6 output traffic"
meta nfproto ipv6 ip6 daddr != { ::7, ::8 } ip6 daddr & ::ffff == ::1 ip6 daddr & ::ffff != ::5 ip6 daddr & ::ffff != ::6 jump output_test2 comment "!fw4: Handle test2 IPv6 output traffic"
meta nfproto ipv6 ip6 daddr != { ::7, ::8 } ip6 daddr & ::ffff == ::2 ip6 daddr & ::ffff != ::5 ip6 daddr & ::ffff != ::6 jump output_test2 comment "!fw4: Handle test2 IPv6 output traffic"
8 changes: 3 additions & 5 deletions tests/02_zones/06_family_selections
Expand Up @@ -134,9 +134,8 @@ table inet fw4 {
chain input {
type filter hook input priority filter; policy drop;

ct state established,related accept comment "!fw4: Accept inbound flows"
iif "lo" accept comment "!fw4: Accept traffic from loopback"

ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
meta nfproto ipv4 ip saddr 10.0.0.0/8 jump input_test1 comment "!fw4: Handle test1 IPv4 input traffic"
meta nfproto ipv6 ip6 saddr 2001:db8:1234::/64 jump input_test2 comment "!fw4: Handle test2 IPv6 input traffic"
meta nfproto ipv6 ip6 saddr 2001:db8:1234::/64 jump input_test3 comment "!fw4: Handle test3 IPv6 input traffic"
Expand All @@ -148,7 +147,7 @@ table inet fw4 {
chain forward {
type filter hook forward priority filter; policy drop;

ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
ct state established,related accept comment "!fw4: Accept forwarded flows"
meta nfproto ipv4 ip saddr 10.0.0.0/8 jump forward_test1 comment "!fw4: Handle test1 IPv4 forward traffic"
meta nfproto ipv6 ip6 saddr 2001:db8:1234::/64 jump forward_test2 comment "!fw4: Handle test2 IPv6 forward traffic"
meta nfproto ipv6 ip6 saddr 2001:db8:1234::/64 jump forward_test3 comment "!fw4: Handle test3 IPv6 forward traffic"
Expand All @@ -160,9 +159,8 @@ table inet fw4 {
chain output {
type filter hook output priority filter; policy drop;

ct state established,related accept comment "!fw4: Accept outbound flows"
oif "lo" accept comment "!fw4: Accept traffic towards loopback"

ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
meta nfproto ipv4 ip daddr 10.0.0.0/8 jump output_test1 comment "!fw4: Handle test1 IPv4 output traffic"
meta nfproto ipv6 ip6 daddr 2001:db8:1234::/64 jump output_test2 comment "!fw4: Handle test2 IPv6 output traffic"
meta nfproto ipv6 ip6 daddr 2001:db8:1234::/64 jump output_test3 comment "!fw4: Handle test3 IPv6 output traffic"