[PATCH firewall4] ruleset: offload a connection only after certain packets

Qingfang Deng dqfext at gmail.com
Mon Nov 4 23:58:28 PST 2024


Users commonly create firewall rules that inspect packet content, such
as matching an HTTP host. The current implementation offloads a
connection immediately after it's established, bypassing user-defined
rules. To respect these rules, only offload a connection after certain
packets have passed through the slow path.

This change ensures that packet inspection rules are applied correctly
before offloading, improving the accuracy and effectiveness of user-
defined firewall rules.

Signed-off-by: Qingfang Deng <dqfext at gmail.com>
---
 root/usr/share/firewall4/templates/ruleset.uc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/root/usr/share/firewall4/templates/ruleset.uc b/root/usr/share/firewall4/templates/ruleset.uc
index 2bec4d9..f588ee5 100644
--- a/root/usr/share/firewall4/templates/ruleset.uc
+++ b/root/usr/share/firewall4/templates/ruleset.uc
@@ -135,7 +135,7 @@ table inet fw4 {
 		type filter hook forward priority filter; policy {{ fw4.forward_policy(true) }};
 
 {% if (length(flowtable_devices) > 0): %}
-		meta l4proto { tcp, udp } flow offload @ft;
+		meta l4proto { tcp, udp } ct packets ge 16 flow offload @ft;
 {% endif %}
 {% fw4.includes('chain-prepend', 'forward') %}
 		ct state vmap { established : accept, related : accept{% if (fw4.default_option("drop_invalid")): %}, invalid : drop{% endif %} } comment "!fw4: Handle forwarded flows"
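Review bot: the threshold in `ct packets ge 16` is a hard-coded magic number with no justification in the template or the commit message; please either add a rule comment explaining the choice (the template already uses the `comment "!fw4: ..."` form on the `ct state vmap` line below it) or expose it as an fw4 default option so deployments can tune how many packets take the slow path before a flow is offloaded. It is also worth stating explicitly that connections which never reach the threshold (short-lived UDP exchanges, for example) will now never be offloaded, and whether the count is meant as the connection total or per direction (`ct original packets` would make the latter explicit), since this line is the only place that behaviour is decided.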
-- 
2.43.0



