Modify

Opened 6 years ago

Last modified 4 years ago

#10038 reopened enhancement

Fix Firewall package for better rule ordering

Reported by: Olipro <olipro@…> Owned by: developers
Priority: normal Milestone: Barrier Breaker 14.07
Component: packages Version: Trunk
Keywords: firewall Cc:

Description

Really simple changes here; replace -m state in favour of -m conntrack (and thus --ctstate instead of --state) since the conntrack match is preferred even if state isn't strictly deprecated.

Additionally, swap around the addition of the INVALID and RELATED,ESTABLISHED rules; by far the most commonly hit rule is going to be R,E connections, thus checking if the connection is INVALID should be performed after the R,E check to minimise processing time - you may argue that the time is insignificant, but considering the fact that the cost of switching those lines of code around takes 20 seconds of cut&pasting, I'd say it's worth it.

This only requires a very simple change to core_init.sh - I can produce a patch of the modified file if someone *really* wants me to.

Attachments (0)

Change History (4)

comment:1 Changed 6 years ago by jow

  • Resolution set to fixed
  • Status changed from new to closed

Fixed in r28148.

comment:2 Changed 6 years ago by Olipro <olipro@…>

  • Resolution fixed deleted
  • Status changed from closed to reopened

In the interests of a little more optimisation; since there are already unconditional rules in the filter table for the loopback interface, conntrack resources can be saved by setting the NOTRACK target on loopback packets in the PREROUTING and OUTPUT chains of the raw table.

e.g:
ip(6)tables -t raw -A PREROUTING -i lo -j NOTRACK
ip(6)tables -t raw -A OUTPUT -o lo -j NOTRACK

comment:3 Changed 6 years ago by anonymous

On a similar note (sorry for hijacking the ticket :)), the jump to MSSFIX chain is before ESTABLISHED,RELATED, but the later real MSSFIX rule has -p tcp --tcp-flags SYN,RST SYN limitations. I don't know how costly this is, but the jump and the check in MSSFIX can be avoided by setting the same limitations:

[ $zone_mtu_fix == 1 ] && {

fw add $mode f FORWARD ${chain}_MSSFIX \

{ -p tcp --tcp-flags SYN,RST SYN }

}

comment:4 Changed 4 years ago by jow

  • Milestone changed from Attitude Adjustment 12.09 to Barrier Breaker 14.07

Milestone Attitude Adjustment 12.09 deleted

Add Comment

Modify Ticket

Action
as reopened .
Author


E-mail address and user name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.