fw4/nftables - performance seriously degraded after upgrade to 22.03.5 (from 21.03)
Luiz Angelo Daros de Luca
luizluca at gmail.com
Fri May 26 11:09:16 PDT 2023
Hello,

After I upgraded to 22.03.5 (from 21.03.x), I noticed that the performance was seriously degraded.

The reason was that fw4/nftables was not handling a large number of rejections the same way as fw3/iptables. If I disable the log, the router is back to normal. I don't know if fw3 was implicitly limiting the amount of logs (it now generates almost double the number of lines) or the logs are just more expensive, but it introduces a way to DoS a router with logs enabled (much worse than with fw3/iptables).

Is there a workaround for that other than disabling logs? log_limit does not seem to be supported by fw4:
https://git.openwrt.org/?p=project/firewall4.git;a=blob;f=root/usr/share/ucode/fw4.uc;h=06ef932c8a501bbc057669629d3b8ebeabde4aa7;hb=HEAD#l1997
Although the wiki firewall doc still mentions log_limit.

Would it be too complex to implement a log limit for fw4?

Regards,
---
Luiz Angelo Daros de Luca
luizluca at gmail.com
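As an added illustration of the rate-limited logging the post asks about (this is example nftables syntax written for this page, not fw4's generated ruleset and not anything from the thread), here is a minimal filter chain with the unbounded log rule commented out next to a variant gated by nftables' `limit` expression. The table and chain names, the log prefix string and the 10-per-minute figure are assumptions chosen for the example.

```nft
# Added example, not fw4 output: a standalone inet table showing the two
# logging variants for rejected input traffic. Names and numbers are assumed.
table inet log_limit_demo {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iif "lo" accept

        # Unbounded variant: every rejected packet emits a log line, so any
        # remote sender can drive the router's CPU and logging cost at will.
        # log prefix "reject input: "

        # Rate-limited variant: the limit expression lets the log statement
        # fire only for packets that fit the token bucket (10 per minute,
        # initial burst of 5); everything else is still rejected by the
        # rule below, just without a log entry.
        limit rate 10/minute burst 5 packets log prefix "reject input: "

        reject with icmpx type admin-prohibited
    }
}
```

`nft -c -f <file>` checks the syntax without loading it, and `nft -f <file>` loads it on a test box. On an OpenWrt 22.03 router fw4 regenerates its own table from /etc/config/firewall, so a hand-written table like this sits beside fw4's rules rather than replacing them; a limit on the log statements inside fw4's own chains would have to be emitted by fw4 itself, which is exactly the feature the post asks about.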