Andrew

Results 42 issues of Andrew

Always remove table and service state to have consistent cleaned up system state on exit even if user intentionally dropped our table. Removes dependency on grep as a consequence. Ref:...

In present code ip4 tcp bulk priority is neutralized in connection ageing code, let's make it right. See https://github.com/hudra0/qosmate/pull/17/files for more optimized version. Signed-off-by: Andris PE

Use more efficient (smaller) nftables conntrack id in place of iptables-translate 4-tuple. Consequentially avoid extracting large piles of data from packet payload. Unify ipv4 and ipv6 meters as now they...

- mark sysctl-based fw3 options UNSUPPORTED, emitting warning - remove notion of unsupported option from default config file No change in ruleset logic. Signed-off-by: Andris PE

Add example rules to enable nftrace and elaborate filter example to avoid overrunning user's terminal using defaults. Helps detecting subtle deviations in filtering, e.g. https://github.com/openwrt/openwrt/issues/18387#issuecomment-2781442911 Signed-off-by: Andris PE

Relocate loopback rules after include Supersedes: https://github.com/openwrt/firewall4/pull/55 and after conntrack dispatch Part-supersedes: https://github.com/openwrt/firewall4/pull/22 Signed-off-by: Andris PE

We cannot fix invalid (checksum, out of state, short) packets by replying to them with a valid packet. Let's keep grief to bare minimum. Part-fixes: https://github.com/openwrt/openwrt/issues/13340 (the "new" valid packets would have...

Do not emit unnecessary l4proto filter for helpers. No bytecode or readback changed. There is something better waiting on top of this cleanup Signed-off-by: Andris PE

Use earliest hook after conntrack (-200) to drop invalid packets As a consequence they are not processed by conntrack at all once identified Add diagnostic counters, hopefully hinting users in...

Non-server DHCPx responses indicated by non-standard sport are already discarded by client, reflect that in firewall rule avoiding unnecessary ct state buildup wasting ct resources Signed-off-by: Andris PE