Re: [Thread split] nftables rule optimization - dropping invalid in ingress?


On Saturday, April 20th, 2024 at 11:37, William N. <netfilter@xxxxxxxxxx> wrote:

> After spending some time looking for more info and based on this:
> 
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/netfilter/nf_conntrack_proto_tcp.c?h=v5.8#n700
> 
> I think I figured it out:
> 
> tcp flags & (fin|syn|rst|ack|urg) != {
> syn,
> syn|urg,
> syn|ack,
> rst,
> rst|ack,
> fin|ack,
> fin|ack|urg,
> ack,
> ack|urg
> } drop comment "TCP invalid"
> 
> This checks the listed values against the mask "fin|syn|rst|ack|urg".
> The same values and mask are used in the conntrack code, i.e. it drops
> invalid TCP packets.
> 
> According to my own tests, this works in the ingress hook, i.e. early
> drop.
> 
> The only question that remains is performance measurement and
> comparison, as mentioned.
> 
> Please let me know what you think.

I'd be very interested in seeing some statistics on how many actual
invalid packets you see on a live link.  Stick some counters in there
and collect dropped versus passed packets...

My naive guess would be there is only a tiny percentage of rejected
packets.

Eric
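As an added example that is not part of this thread, the following Python models the quoted rule's test in userspace: the TCP flag bits are masked with fin|syn|rst|ack|urg and the result is checked against the same nine combinations the rule lists, which is the check conntrack's TCP tracker applies. A constructed batch of flag combinations (not captured traffic) is then tallied into the dropped-versus-passed count Eric asks for. The bit values are the standard TCP header flag bits; the sample set and the function names are this example's own.

```python
# Added example: userspace model of the nftables rule
#   tcp flags & (fin|syn|rst|ack|urg) != { ... } drop
# Not code from the thread; the sample flag values below are constructed.

# Standard TCP header flag bits (RFC 793 flags plus ECE/CWR from RFC 3168).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80

# The rule masks with fin|syn|rst|ack|urg, so PSH, ECE and CWR never influence
# the decision: a PSH|ACK segment is judged purely as ACK.
MASK = FIN | SYN | RST | ACK | URG

# The nine combinations the rule (and conntrack's TCP tracker) accept.
VALID = frozenset({
    SYN, SYN | URG, SYN | ACK,
    RST, RST | ACK,
    FIN | ACK, FIN | ACK | URG,
    ACK, ACK | URG,
})


def is_invalid(flags: int) -> bool:
    """True when the quoted rule would drop a segment with these flag bits."""
    return (flags & MASK) not in VALID


def flag_names(flags: int) -> str:
    """Human-readable rendering such as 'syn|ack' for counters or logs."""
    names = [("fin", FIN), ("syn", SYN), ("rst", RST), ("psh", PSH),
             ("ack", ACK), ("urg", URG), ("ece", ECE), ("cwr", CWR)]
    return "|".join(n for n, bit in names if flags & bit) or "none"


def tally(samples):
    """Count dropped vs passed segments, the statistic Eric asks for."""
    counts = {"dropped": 0, "passed": 0}
    for flags in samples:
        counts["dropped" if is_invalid(flags) else "passed"] += 1
    return counts


# Constructed sample: a normal handshake/data/teardown sequence plus an
# ECN-setup SYN, followed by five combinations that never occur legitimately.
SAMPLES = [
    SYN, SYN | ACK, ACK, PSH | ACK, FIN | ACK, ACK,   # ordinary traffic
    SYN | ECE | CWR,                                   # ECN-setup SYN: masked to SYN
    0,                                                 # null: no flags at all
    FIN | SYN | RST | PSH | ACK | URG,                 # "xmas": everything set
    SYN | FIN,                                         # connect and close at once
    FIN,                                               # FIN without ACK
    RST | FIN,                                         # reset combined with FIN
]

if __name__ == "__main__":
    for f in SAMPLES:
        print(f"{flag_names(f):24} -> {'drop' if is_invalid(f) else 'pass'}")
    print(tally(SAMPLES))
```

On a live box the equivalent measurement is a `counter` statement on the drop rule beside a second counting rule for the segments that pass; the model above mainly makes the masking visible: anything carrying PSH, ECE or CWR is judged as if those bits were absent, so an ECN-setup SYN and a PSH|ACK both pass, while null, xmas and SYN|FIN segments are dropped.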
