Re: [Thread split] nftables rule optimization - dropping invalid in ingress?

After spending some time looking for more info and based on this:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/netfilter/nf_conntrack_proto_tcp.c?h=v5.8#n700

I think I figured it out:

tcp flags & (fin|syn|rst|ack|urg) != {
    syn,
    syn|urg,
    syn|ack,
    rst,
    rst|ack,
    fin|ack,
    fin|ack|urg,
    ack,
    ack|urg
} drop comment "TCP invalid"

This checks the listed values against the mask "fin|syn|rst|ack|urg".
The same values and mask are used in the conntrack code, i.e. it drops
invalid TCP packets.

According to my own tests, this works in the ingress hook, i.e. early
drop.

The only question that remains is performance measurement and
comparison, as mentioned.

Please let me know what you think.
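The check the rule above performs, worked through in Python as an added example (it is not the poster's code and not the kernel's): the mask and the nine accepted combinations are taken from the rule and from the tcp_valid_flags[] table in nf_conntrack_proto_tcp.c, and the function applies them to the flag byte at offset 13 of a raw TCP header. The sample headers are constructed here, with arbitrary port numbers, only to show which well-known scan patterns the rule drops and that PSH, ECE and CWR are masked out and so never make a segment invalid on their own.

```python
import struct

# TCP flag bits in the header byte at offset 13 (RFC 793 / RFC 3168 for ECE, CWR).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80

# Mask and accepted combinations as in the nft rule and the kernel's
# tcp_valid_flags[] table. PSH, ECE and CWR are outside the mask.
VALID_MASK = FIN | SYN | RST | ACK | URG  # 0x37
VALID_COMBINATIONS = frozenset({
    SYN, SYN | URG, SYN | ACK,
    RST, RST | ACK,
    FIN | ACK, FIN | ACK | URG,
    ACK, ACK | URG,
})


def flags_invalid(flags: int) -> bool:
    """True when the flag byte would be rejected by the rule (and by conntrack)."""
    return (flags & VALID_MASK) not in VALID_COMBINATIONS


def tcp_flags(tcp_header: bytes) -> int:
    """Extract the flag byte from a raw TCP header (at least the 20 fixed bytes)."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    return tcp_header[13]


def build_tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Constructed 20-byte TCP header without options, used only as sample input."""
    seq, ack_seq = 0x11223344, 0
    data_offset = 5 << 4          # 5 x 32-bit words, no options
    window, checksum, urg_ptr = 65535, 0, 0
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack_seq,
                       data_offset, flags, window, checksum, urg_ptr)


def flag_names(flags: int) -> str:
    """Human-readable rendering of a flag byte, e.g. 'SYN|ACK'."""
    names = (("FIN", FIN), ("SYN", SYN), ("RST", RST), ("PSH", PSH),
             ("ACK", ACK), ("URG", URG), ("ECE", ECE), ("CWR", CWR))
    return "|".join(n for n, bit in names if flags & bit) or "none"


def classify(samples: dict) -> dict:
    """Map each labelled sample header to the verdict 'drop' or 'accept'."""
    return {label: ("drop" if flags_invalid(tcp_flags(hdr)) else "accept")
            for label, hdr in samples.items()}


# Constructed samples (ports are arbitrary). The first five are ordinary traffic,
# the rest are flag combinations a normal stack never emits.
SAMPLES = {
    "syn":                 build_tcp_header(40000, 443, SYN),
    "syn-ack":             build_tcp_header(443, 40000, SYN | ACK),
    "ack-psh (data)":      build_tcp_header(40000, 443, ACK | PSH),
    "syn with ecn setup":  build_tcp_header(40000, 443, SYN | ECE | CWR),
    "fin-ack":             build_tcp_header(40000, 443, FIN | ACK),
    "null scan":           build_tcp_header(40000, 443, 0),
    "xmas scan":           build_tcp_header(40000, 443, FIN | PSH | URG),
    "fin scan":            build_tcp_header(40000, 443, FIN),
    "syn-fin":             build_tcp_header(40000, 443, SYN | FIN),
    "syn-rst":             build_tcp_header(40000, 443, SYN | RST),
}

if __name__ == "__main__":
    for label, verdict in classify(SAMPLES).items():
        print(f"{label:20s} {flag_names(tcp_flags(SAMPLES[label])):14s} -> {verdict}")
```

Because the comparison is done on the masked value, a SYN carrying ECE|CWR for ECN negotiation and an ACK|PSH data segment both pass, while NULL, XMAS, FIN-only and SYN|FIN segments are dropped before conntrack ever sees them, which is the point of putting the rule in the ingress hook.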



