FS#3005 - iptables ruleset order improvement option #7767
Comments
jow-: This will change the behavior of the
veld_muis: It will no longer see packets that apply to established states. Those are accepted already; they won't make a state. Is (not) dropping packets mid-connection your concern?
veld_muis: There is an (unused) RAW table for stuff in single-packet context.
veld_muis: Note that the same applies to the input/output chains.
jow-: Traffic count rules come to mind.
veld_muis: Actually, forwarding is an IP (Layer 3) thing, so TCP/UDP states should not even apply there; they go sort of well with NAT. States are kind of fun: track states, lots of them, but in the end nothing more than counting state vs. new state above unnecessary processing happens behind the scenes.
veld_muis: They count on the interface first; probably one needs to sum all rules already instead of ripping the number off exactly the second one for a proper result?
veld_muis: Relevant part from Ubuntu UFW, before any user hook enters (they can prepend a rule the same as OpenWrt). They have by a magnitude more memory bandwidth to copy packets and CPU power to stroll state trees.
veld_muis: The ultimate request is to sort rules in a logical order in the 6 places (in/out/fw, ip4/ip6) where they exit the fw3 generator. There is no way around it to put sense into the existing configuration except for a user script prepending a complete override for the whole generated ruleset. It should not work that badly out of the box. Other things catching the eye:
veld_muis: Looking at what LuCI extensions can be installed, most hook into the NAT table, connmark and stuff, so it is indifferent whether forward keeps state on top of leak blocks. noddos prepends a filter forward rule: no interference. The raw table is an extra module, probably not worth integrating out of fear of breaking something; I will happily jump to snapshot if it goes better for my simple setup.
veld_muis:
Supply the following if possible:
TP-Link Archer C7 v5
19.07.2, just default packages
The current iptables ordering is badly pessimal (this repeats 3x, so 3 states get set for each connection, but that's for other news).
The following does the same job but does significantly less processing for the typical case of in-state packets.
Not willing to generalize, but my wifi and the wire behind it could not reach the 100Mbps subscription in any way before the change; after the change it is a steady 100Mbps both ways.
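To make the processing argument in the issue body concrete, here is an added example that is not part of the issue, of fw3 or of OpenWrt: a Python model of first-match iptables chain traversal over a constructed, hypothetical ruleset. The chain names (forwarding_rule, zone_lan_forward, zone_wan_forward, zone_wan_dest_ACCEPT), the lan/wan interface names and the traffic mix are all assumptions. It counts rule evaluations per packet with the ESTABLISHED,RELATED accept placed after the user hook and zone dispatch versus at the top of FORWARD, and also counts how many packets the user hook chain still sees, which is the objection jow- raises about traffic-counting rules.

```python
"""Added example (not the fw3 ruleset): a model of iptables first-match
chain traversal.  Counts rule evaluations per packet under two orderings
of a constructed FORWARD chain, and how many packets a user hook chain
still sees.  All chain and interface names are hypothetical."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Packet:
    ctstate: str   # conntrack state: NEW, ESTABLISHED, RELATED or INVALID
    iif: str       # input interface
    oif: str       # output interface


@dataclass
class Rule:
    match: Callable[[Packet], bool]
    target: str      # ACCEPT / DROP / REJECT / RETURN, or a user chain to jump to
    label: str = ""  # optional counter name, bumped on every match


Chains = Dict[str, List[Rule]]
TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def walk(chains: Chains, chain: str, pkt: Packet, stats: Dict[str, int]) -> Optional[str]:
    """First-match traversal of `chain`.  Returns a terminal verdict, or None
    when the chain falls through (RETURN or end of chain)."""
    for rule in chains[chain]:
        stats["evaluated"] += 1          # every rule looked at costs one evaluation
        if not rule.match(pkt):
            continue
        if rule.label:
            stats[rule.label] = stats.get(rule.label, 0) + 1
        if rule.target in TERMINAL:
            return rule.target
        if rule.target == "RETURN":
            return None
        verdict = walk(chains, rule.target, pkt, stats)  # jump into a user chain
        if verdict is not None:
            return verdict                # user chain decided; else continue here
    return None


def in_state(p): return p.ctstate in ("ESTABLISHED", "RELATED")
def invalid(p): return p.ctstate == "INVALID"
def any_pkt(p): return True


def zone_chains() -> Chains:
    """Hypothetical per-zone chains in the style of a zone-based generator;
    each zone chain re-checks conntrack state on its own."""
    return {
        # user hook chain: a traffic-counting rule that matches everything
        "forwarding_rule": [Rule(any_pkt, "RETURN", label="user_hook_seen")],
        "zone_lan_forward": [
            Rule(invalid, "DROP"),
            Rule(in_state, "ACCEPT"),
            Rule(lambda p: p.oif == "wan", "zone_wan_dest_ACCEPT"),
        ],
        "zone_wan_dest_ACCEPT": [
            Rule(invalid, "DROP"),
            Rule(lambda p: p.oif == "wan", "ACCEPT"),
        ],
        "zone_wan_forward": [
            Rule(invalid, "DROP"),
            Rule(in_state, "ACCEPT"),
            Rule(any_pkt, "REJECT"),
        ],
    }


def original_order() -> Chains:
    """State accept sits after the user hook and the per-zone dispatch."""
    c = zone_chains()
    c["FORWARD"] = [
        Rule(any_pkt, "forwarding_rule"),
        Rule(lambda p: p.iif == "lan", "zone_lan_forward"),
        Rule(lambda p: p.iif == "wan", "zone_wan_forward"),
        Rule(in_state, "ACCEPT"),
    ]
    return c


def reordered() -> Chains:
    """Same chains, but one state accept moved to the top of FORWARD."""
    c = zone_chains()
    c["FORWARD"] = [
        Rule(in_state, "ACCEPT"),
        Rule(any_pkt, "forwarding_rule"),
        Rule(lambda p: p.iif == "lan", "zone_lan_forward"),
        Rule(lambda p: p.iif == "wan", "zone_wan_forward"),
    ]
    return c


def sample_traffic(flows: int = 10, per_direction: int = 50) -> List[Packet]:
    """Constructed traffic: one NEW packet per flow, in-state packets both
    ways, plus a single INVALID packet arriving from the WAN side."""
    pkts: List[Packet] = []
    for _ in range(flows):
        pkts.append(Packet("NEW", "lan", "wan"))
        pkts += [Packet("ESTABLISHED", "lan", "wan")] * per_direction
        pkts += [Packet("ESTABLISHED", "wan", "lan")] * per_direction
    pkts.append(Packet("INVALID", "wan", "lan"))
    return pkts


def simulate(chains: Chains, packets: List[Packet]) -> Dict[str, int]:
    stats = {"evaluated": 0, "user_hook_seen": 0, "ACCEPT": 0, "DROP": 0, "REJECT": 0}
    for p in packets:
        verdict = walk(chains, "FORWARD", p, stats) or "DROP"  # chain policy DROP
        stats[verdict] += 1
    return stats
```

Running `simulate(original_order(), sample_traffic())` and `simulate(reordered(), sample_traffic())` on the constructed mix (10 flows, 100 in-state packets each, one INVALID packet) gives 5585 rule evaluations for the original ordering against 1096 for the reordered one, with identical verdicts. The cost is visible in the other counter: the user hook chain sees all 1011 packets in the original ordering but only the 11 NEW and INVALID packets after the move, so any counting or logging rule placed in that hook silently stops accounting for established traffic. The model is not the fw3 ruleset; its numbers only illustrate the direction of the effect.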