
ruleset: avoid no-op port translation in dnat

Open brada4 opened this issue 4 months ago • 2 comments

Correct rport null propagation, moving the compensatory conditional to the reflection snat rule only. Emit shorthand rules if the user did not specify a redirect target port. This saves 2 bytecodes in the rule and the kernel does not do a no-op port rewrite. Also tweak tests to cover the changed rules.

V2: add test case from the wiki https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns#dns_redirection
V3: omit unchanged dport in config example

brada4, Oct 17 '25 11:10

# old
meta nfproto ipv4 tcp dport 53 counter dnat 192.0.2.0:53
# new
meta nfproto ipv4 tcp dport 53 counter dnat 192.0.2.0

It could be even shorter, with no place for a counter, by abusing nft nat's builtin nfproto filter.

tcp dport 53 dnat ip 192.0.2.0

brada4, Oct 17 '25 11:10

Can also zap the remote port if equal and optimize the user's rule.

brada4, Oct 17 '25 11:10
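The two points raised above (emit the dnat target without a port when the user gave none, and drop the port when it equals the matched dport) come down to one decision when the rule text is rendered. The following is an added example and not firewall4's own code: firewall4 renders its ruleset from ucode templates, and this plain JavaScript only mirrors the target-port decision so the old and new rule strings can be compared side by side. The section field names follow the UCI redirect options (proto, src_dport, dest_ip, dest_port); the helper names, the `compact` option and the IPv6 bracket handling are assumptions for the example.

```javascript
// Added example, not firewall4 code. Models how a redirect section turns into
// nft dnat rule text, omitting a redundant target port so the kernel performs
// no no-op port rewrite and the rule carries less bytecode.

// Treat unset, null and empty-string ports as "no target port given".
function normalizePort(port) {
  if (port === undefined || port === null) return null;
  const s = String(port).trim();
  return s === '' ? null : s;
}

// Build the dnat target. The port is appended only when it differs from the
// port already matched by `dport`; when it is unset or equal, the address
// alone is enough and the kernel does not touch the port.
function dnatTarget(destIp, matchedPort, targetPort) {
  const tp = normalizePort(targetPort);
  const mp = normalizePort(matchedPort);
  if (tp === null || tp === mp) return destIp;
  // Assumption: an IPv6 address carrying a port is bracketed in nft syntax.
  return destIp.includes(':') ? `[${destIp}]:${tp}` : `${destIp}:${tp}`;
}

// Render one nft rule per protocol in the section. `compact` produces the
// shorter variant from the discussion: no explicit nfproto match and no
// counter, relying on the family keyword of the dnat statement instead.
function redirectRules(section, { compact = false } = {}) {
  const protos = String(section.proto || 'tcp udp').split(/\s+/).filter(Boolean);
  const family = section.dest_ip.includes(':') ? 'ip6' : 'ip';
  const nfproto = family === 'ip' ? 'ipv4' : 'ipv6';
  const target = dnatTarget(section.dest_ip, section.src_dport, section.dest_port);
  return protos.map((proto) => {
    const match = `${proto} dport ${section.src_dport}`;
    return compact
      ? `${match} dnat ${family} ${target}`
      : `meta nfproto ${nfproto} ${match} counter dnat ${target}`;
  });
}

// The pre-change behaviour, kept for comparison (IPv4 only, as on the page):
// always append a target port, falling back to the matched port when none
// was configured, which is the no-op rewrite the change removes.
function legacyRedirectRules(section) {
  const protos = String(section.proto || 'tcp udp').split(/\s+/).filter(Boolean);
  const port = normalizePort(section.dest_port) ?? normalizePort(section.src_dport);
  return protos.map((proto) =>
    `meta nfproto ipv4 ${proto} dport ${section.src_dport} counter dnat ${section.dest_ip}:${port}`);
}

// Constructed sample: a DNS interception redirect with dest_port equal to
// src_dport, i.e. the case the change optimises away.
const dnsRedirect = { proto: 'tcp udp', src_dport: '53', dest_ip: '192.0.2.0', dest_port: '53' };

console.log('# old\n' + legacyRedirectRules(dnsRedirect).join('\n'));
console.log('# new\n' + redirectRules(dnsRedirect).join('\n'));
console.log('# compact\n' + redirectRules(dnsRedirect, { compact: true }).join('\n'));
```

Running the block prints the `dnat 192.0.2.0:53` form, the `dnat 192.0.2.0` form and the `dnat ip 192.0.2.0` form for both tcp and udp; a target port that differs from the matched one (for example dest_port 5353) is still emitted, so the optimisation only removes the redundant rewrite.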