ruleset: make synflood lighter using ct state
Make the synflood interject, as found in the default setup, quicker by using the ct state attribute and avoiding packet data examination.
Bytecode before:
// block A implicit
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
// block B V1
[ payload load 1b @ transport header + 13 => reg 1 ]
[ bitwise reg 1 = ( reg 1 & 0x00000017 ) ^ 0x00000000 ]
[ cmp eq reg 1 0x00000002 ]
// verdict
[ immediate reg 0 jump -> syn_flood ]
After:
// block B V2
[ ct load state => reg 1 ]
[ bitwise reg 1 = ( reg 1 & 0x00000008 ) ^ 0x00000000 ]
[ cmp neq reg 1 0x00000000 ]
// block A explicit
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000006 ]
// verdict
[ immediate reg 0 jump -> syn_flood ]
Signed-off-by: Andris PE [email protected]
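An added example, not part of the commit above or of the firewall4 code, that decodes the mask/value pairs of the two bytecode blocks into their nft rule form and evaluates both predicates over constructed packets (the sample packets and the ct state assigned to each are assumed inputs, not captured traffic):

```python
# Bit values are the TCP header flag bits and the nft ct state bits
# ("ct state" matches the bitmask conntrack assigned before the rule ran).
TCP_FLAGS = {0x01: "fin", 0x02: "syn", 0x04: "rst", 0x08: "psh", 0x10: "ack", 0x20: "urg"}
CT_STATES = {0x01: "invalid", 0x02: "established", 0x04: "related", 0x08: "new", 0x40: "untracked"}
IPPROTO_TCP = 6

def names(bits, table):
    """Render a bitmask as nft-style flag names, e.g. 0x17 -> 'fin|syn|rst|ack'."""
    return "|".join(name for bit, name in sorted(table.items()) if bits & bit)

def decode_before(mask=0x17, value=0x02):
    """'block B V1': byte 13 of the TCP header (flags), masked and compared."""
    return f"tcp flags & ({names(mask, TCP_FLAGS)}) == {names(value, TCP_FLAGS)}"

def decode_after(mask=0x08):
    """'block B V2': ct state masked, compared against non-zero."""
    return f"ct state {names(mask, CT_STATES)}"

def match_before(pkt):
    # block A (implicit l4proto == tcp), then block B V1 on the payload byte
    return pkt["l4proto"] == IPPROTO_TCP and (pkt["tcp_flags"] & 0x17) == 0x02

def match_after(pkt):
    # block B V2 (ct state new) first, then the now explicit block A
    return (pkt["ct_state"] & 0x08) != 0 and pkt["l4proto"] == IPPROTO_TCP

# Constructed samples: ct_state is whatever conntrack assigned to the packet.
SAMPLES = {
    "fresh syn":             {"l4proto": 6,  "tcp_flags": 0x02, "ct_state": 0x08},
    "syn, ct invalid":       {"l4proto": 6,  "tcp_flags": 0x02, "ct_state": 0x01},
    "syn-ack, loose pickup": {"l4proto": 6,  "tcp_flags": 0x12, "ct_state": 0x08},
    "udp first packet":      {"l4proto": 17, "tcp_flags": 0x00, "ct_state": 0x08},
}

def compare():
    """(before, after) verdict per sample: where the two predicates diverge."""
    return {name: (match_before(p), match_after(p)) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    print(decode_before())
    print(decode_after())
    for name, verdict in compare().items():
        print(f"{name:24s} before={verdict[0]!s:5s} after={verdict[1]}")
```

The two predicates agree only on a plain SYN with a fresh conntrack entry; the payload match is stateless, while the ct state match follows conntrack's view of the flow (e.g. a SYN-ACK picked up without an existing entry counts as new).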
Reordering the conditions presumes ct state is cache-hot at that point; it can also be the other way round. Either way it falls within measurable timer resolution compared to payload loading.
EDIT: hi @jow-
Got a hint in the forums that another (initially empty) chain of similar power is useful in the forward chain. Will work that out, including adding an example to the nftables.d/README on prepending something to existing chains.
The default net.netfilter.nf_conntrack_tcp_loose=1 permits opening connection state with 2x synack and bypassing the intended protection. An update following the setting comes next.
Small rework due: also take care of forwarded traffic.
.. not