[PATCH firewall4] ruleset: offload a connection only after certain packets
Qingfang Deng
dqfext at gmail.com
Mon Nov 4 23:58:28 PST 2024
Users commonly create firewall rules that inspect packet content, such
as matching an HTTP host. The current implementation offloads a
connection immediately after it's established, bypassing user-defined
rules. To respect these rules, only offload a connection after certain
packets have passed through the slow path.
This change ensures that packet inspection rules are applied correctly
before offloading, improving the accuracy and effectiveness of user-defined firewall rules.
Signed-off-by: Qingfang Deng <dqfext at gmail.com>
---
root/usr/share/firewall4/templates/ruleset.uc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/root/usr/share/firewall4/templates/ruleset.uc b/root/usr/share/firewall4/templates/ruleset.uc
index 2bec4d9..f588ee5 100644
--- a/root/usr/share/firewall4/templates/ruleset.uc
+++ b/root/usr/share/firewall4/templates/ruleset.uc
@@ -135,7 +135,7 @@ table inet fw4 {
type filter hook forward priority filter; policy {{ fw4.forward_policy(true) }};
{% if (length(flowtable_devices) > 0): %}
- meta l4proto { tcp, udp } flow offload @ft;
+ meta l4proto { tcp, udp } ct packets ge 16 flow offload @ft;
{% endif %}
{% fw4.includes('chain-prepend', 'forward') %}
ct state vmap { established : accept, related : accept{% if (fw4.default_option("drop_invalid")): %}, invalid : drop{% endif %} } comment "!fw4: Handle forwarded flows"
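Review bot: the threshold in `ct packets ge 16` is a bare magic number with no comment in the template and no way for users to tune it, so a rule that needs, say, the first few hundred packets of a long-lived flow to stay in the slow path has no knob to turn; consider exposing it as a `defaults` option with 16 as the default (the other rules in this chain read their settings through `fw4.default_option(...)`), or at least give the rule a `comment "!fw4: ..."` like the `ct state vmap` rule below it so `nft list ruleset` explains why the count is there. The commit message should also say why 16 was chosen and confirm whether `ct packets` here is meant to count both directions of the connection or only the original direction, since that determines how many client packets actually traverse the inspection rules before the flow is offloaded.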
--
2.43.0