Andrew
locate offload at the end of slowpath ... use builtin tcpudp filter in place of extra filter ... and directly yield to offload-add kworker drop invalid asap and avoid further...
Do not emit helper jump if no helper modules are present saving per-every-packet bytecode before ct: ``` inet fw4 prerouting [ meta load iifname => reg 1 ] [ cmp...
Dropping packets with no clear forward destination is nicer than rejecting them. Especially when some providers punish users for spoofing caused by their noisy infra. Fixes: https://github.com/openwrt/openwrt/issues/13340 Signed-Off-By: Andris PE
Status/firewall may need to parse `notrack` - similar to `accept` and `goto` similar to `jump` but ends after called chain.
Anchor grep regex to avoid wrongly matching unrelated inet fw4whatever style table names Signed-Off-By: Andris PE
Make synflood inteject as found in default setup quicker by using ct state attribute and avoiding packet data examination. Bytecode before: ``` // block A implicit [ meta load l4proto...
Just derived from another accidental side effect of reducing scope of soft offloads in https://github.com/openwrt/firewall4/commit/e00958884416f59b273595f941d198de63acc1dd 2-3x throughput or 2-3x less cpu cycles for same data moved in and out of...
echo-request is stateful, thus once accepted in either of 2 rules you have unlimited rate from/to same host, echo reply is unreachable. @jow-
ICMPv6 echo-reply is already handled by conntrack after first echo-request. Signed-off-by: Andris PE
Use conntrack flow packet counter to limit mss fixup filter to the very start of connection flows where adjustable syn/syn can possibly appear. Two initial packets + > sysctl net.ipv4.tcp_syn_retries...