fw4/nftables - performance seriously degraded after upgrade to 22.03.5 (from 21.03)

Luiz Angelo Daros de Luca luizluca at gmail.com
Fri May 26 11:09:16 PDT 2023


After I upgraded to 22.03.5 (from 21.03.x), I noticed that the
performance was seriously degraded.
The reason was that fw4/nftables was not handling a large number of
rejections the same way as fw3/iptables. If I disable the log, the
router is back to normal. I don't know if fw3 was implicitly limiting
the amount of logs (it now generates almost double the number of
lines) or the logs are just more expensive, but it introduces a way to
DoS a router with logs enabled (much worse than with fw3/iptables).

Is there a workaround for that other than disabling logs? log_limit
does not seem to be supported by fw4:


Although the wiki firewall doc still mentions log_limit.

Would it be too complex to implement a log limit for fw4?



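For readers looking for the nftables-level shape of the workaround being asked for, here is an added example (not from the post above, and not fw4's own generated ruleset): a standalone table in which the `log` statement carries its own `limit rate`, so that a flood of rejected packets is still rejected but is only logged at a bounded rate. The table and chain names, the port, and the rate values are illustrative assumptions; how to splice such a chain into the ruleset fw4 generates is not shown here.

```shell
#!/bin/sh
# Added example, not taken from the mailing-list post or from fw4 itself.
# Shows an nftables chain where logging is rate-limited independently of
# the reject, so rejected packets cannot flood the kernel log.
# Table/chain names, the port and the default rate are assumptions.

# Print a standalone nftables ruleset.
# $1 = log rate (nft syntax, e.g. 10/second), $2 = burst in packets.
render_ruleset() {
    rate="${1:-10/second}"
    burst="${2:-20}"
    cat <<EOF
table inet loglimit_demo {
    chain limited_reject {
        # "limit" stops this rule matching once the rate is exceeded, so
        # only packets under the limit reach "log". Everything else falls
        # through to the next rule and is rejected without a log line;
        # "counter" shows how many packets took that path.
        limit rate ${rate} burst ${burst} packets log prefix "reject: " level warn
        counter reject with icmpx type port-unreachable
    }
    chain input {
        type filter hook input priority filter; policy accept;
        # Illustrative target: new TCP connections to port 9 (discard).
        ct state new tcp dport 9 jump limited_reject
    }
}
EOF
}

# Syntax-check the ruleset with nft when it is installed (no rules are
# loaded). If nft is absent the check is skipped and 0 is returned.
validate_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        render_ruleset "$@" | nft -c -f -
    else
        echo "nft not installed; skipping syntax check" >&2
        return 0
    fi
}

# Usage: render_ruleset 5/minute 10 | nft -f -   (as root, to load it)
#        validate_ruleset                        (check only)
```

The point of the ordering is that `limit` is evaluated before `log` in the same rule: packets over the rate simply do not match that rule, and the second rule rejects them unlogged. The `counter` on the reject rule lets you see on the router how much traffic was rejected without being logged, which is the figure to compare against the log volume when deciding on a rate.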