On Sat, 20 Apr 2024, at 7:37 PM, William N. wrote:
> After spending some time looking for more info and based on this:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/netfilter/nf_conntrack_proto_tcp.c?h=v5.8#n700
>
> I think I figured it out:
>
> tcp flags & (fin|syn|rst|ack|urg) != {
>     syn,
>     syn|urg,
>     syn|ack,
>     rst,
>     rst|ack,
>     fin|ack,
>     fin|ack|urg,
>     ack,
>     ack|urg
> } drop comment "TCP invalid"
>
> This checks the listed values against the mask "fin|syn|rst|ack|urg".
> The same values and mask are used in the conntrack code, i.e. it drops
> invalid TCP packets.
>
> According to my own tests, this works in the ingress hook, i.e. early
> drop.
>
> The only question that remains is performance measurement and
> comparison, as mentioned.
>
> Please let me know what you think.

The rule looks good. Borrowing from the conntrack code was a bright idea.

If using the ingress hook in this way is to make any measurable difference to your load average at all, my expectation would be for it to be observable in the event that you are subjected to a concentrated flood of invalid TCP packets. You could use hping3 to conduct a series of stress tests.

-- 
Kerin Millar
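The mask-and-set check performed by the quoted nftables rule, as an added worked example that is not part of this thread or of the netfilter project: a small Python script that reads the flags byte of a raw TCP header and applies the same mask (fin|syn|rst|ack|urg) and the same nine allowed combinations. The flag bit values are the standard TCP header bits; the headers fed to it are constructed in the script for illustration, and the helper names are this example's own.

```python
import struct

# TCP flag bits as laid out in byte 13 of the TCP header (standard values).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Mask used by the quoted rule: PSH (and the ECN bits) are deliberately
# ignored, so "ack|psh" is judged the same as a bare "ack".
MASK = FIN | SYN | RST | ACK | URG

# The nine masked combinations the rule accepts; anything else is dropped.
VALID_FLAG_SETS = frozenset({
    SYN,
    SYN | URG,
    SYN | ACK,
    RST,
    RST | ACK,
    FIN | ACK,
    FIN | ACK | URG,
    ACK,
    ACK | URG,
})


def tcp_flags_valid(flags: int) -> bool:
    """Mirror 'tcp flags & (fin|syn|rst|ack|urg) != { ... } drop':
    True means the packet would pass, False means it would be dropped."""
    return (flags & MASK) in VALID_FLAG_SETS


def flags_from_tcp_header(header: bytes) -> int:
    """Return the flags byte of a raw TCP header (at least 20 bytes)."""
    if len(header) < 20:
        raise ValueError("TCP header too short")
    return header[13]


def build_tcp_header(flags: int, sport: int = 12345, dport: int = 80) -> bytes:
    """Construct a minimal 20-byte TCP header carrying the given flags.
    Sample data for this example only; checksum and urgent pointer are zero."""
    data_offset = 5 << 4  # header length of 5 x 32-bit words, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags, 65535, 0, 0)


def classify(header: bytes) -> str:
    """Apply the rule to a raw header: 'accept' or 'drop'."""
    return "accept" if tcp_flags_valid(flags_from_tcp_header(header)) else "drop"


def describe(flags: int) -> str:
    """Render a flags byte in the nftables 'a|b|c' spelling."""
    names = [(FIN, "fin"), (SYN, "syn"), (RST, "rst"),
             (PSH, "psh"), (ACK, "ack"), (URG, "urg")]
    return "|".join(name for bit, name in names if flags & bit) or "none"


if __name__ == "__main__":
    # Constructed samples: normal handshake/teardown segments alongside
    # combinations that no conforming TCP stack emits (null, syn|fin, syn|rst).
    samples = [SYN, SYN | ACK, ACK | PSH, FIN | ACK, 0,
               SYN | FIN, FIN | PSH | URG, SYN | RST, ACK | URG | PSH]
    for f in samples:
        print(f"{describe(f):14s} -> {classify(build_tcp_header(f))}")
```

Because PSH is outside the mask, "ack|psh" passes as "ack" while "fin|psh|urg" is masked to "fin|urg", which is not in the set and is dropped; a null segment (no flags at all) is likewise dropped.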