Skip to content

ruleset: make synflood lighter using ct state#31

Open
brada4 wants to merge 3 commits intoopenwrt:masterfrom
brada4:synmeta
Open

ruleset: make synflood lighter using ct state#31
brada4 wants to merge 3 commits intoopenwrt:masterfrom
brada4:synmeta

Conversation

@brada4
Copy link

@brada4 brada4 commented May 29, 2024

Make synflood inteject as found in default setup quicker by using ct state attribute and avoiding packet data examination.

Bytecode before:

// block A implicit
  [ meta load l4proto => reg 1 ]
  [ cmp eq reg 1 0x00000006 ]
// block B V1
  [ payload load 1b @ transport header + 13 => reg 1 ]
  [ bitwise reg 1 = ( reg 1 & 0x00000017 ) ^ 0x00000000 ]
  [ cmp eq reg 1 0x00000002 ]
// verdict
  [ immediate reg 0 jump -> syn_flood ]

After:

// block B V2
  [ ct load state => reg 1 ]
  [ bitwise reg 1 = ( reg 1 & 0x00000008 ) ^ 0x00000000 ]
  [ cmp neq reg 1 0x00000000 ]
// block A explicit
  [ meta load l4proto => reg 1 ]
  [ cmp eq reg 1 0x00000006 ]
// verdict
  [ immediate reg 0 jump -> syn_flood ]

Signed-Off-By: Andris PE neandris@gmail.com

@brada4
ruleset: make synflood lighter using ct meta
38a6069 
Make synflood inteject as found in default setup quicker by using ct state attribute and avoiding packet data examination.

Bytecode before:
```
// block A implicit
  [ meta load l4proto => reg 1 ]
  [ cmp eq reg 1 0x00000006 ]
// block B V1
  [ payload load 1b @ transport header + 13 => reg 1 ]
  [ bitwise reg 1 = ( reg 1 & 0x00000017 ) ^ 0x00000000 ]
  [ cmp eq reg 1 0x00000002 ]
// verdict
  [ immediate reg 0 jump -> syn_flood ]
```
After:
```
// block B V2
  [ ct load state => reg 1 ]
  [ bitwise reg 1 = ( reg 1 & 0x00000008 ) ^ 0x00000000 ]
  [ cmp neq reg 1 0x00000000 ]
// block A explicit
  [ meta load l4proto => reg 1 ]
  [ cmp eq reg 1 0x00000006 ]
// verdict
  [ immediate reg 0 jump -> syn_flood ]
```
@brada4
Copy link
Author

brada4 commented May 29, 2024
edited
Loading

Reordering conditions presumes ct state is cache-hot at the point, can be vice-versa. Either way falls under measurable timer resolution compared to payload loading.

EDIT: hi @jow-

brada4 added 2 commits June 1, 2024 18:49
@brada4
Relocate rule to drop unneeded packets asap
aeb6cac 
Somewhat similar to PR22 to discard packets as soon as it is known they
need to be discarded.
Proto first not viable in this place
@brada4
Revert "Relocate rule to drop unneeded packets asap"
c3f104f 
quite dumb to add extra checks before mainstream state plays

This reverts commit aeb6cac.
@brada4 brada4 changed the title ruleset: make synflood lighter using ct state [WIP]ruleset: make synflood lighter using ct state Aug 30, 2024
@brada4
Copy link
Author

brada4 commented Aug 30, 2024
edited
Loading

Got hint in forums another (starting empty) chain of similar power is useful in forward chain.
Will work that out incl adding to nftabled.d/README example on prepending something to existing chains.

@brada4 brada4 changed the title [WIP]ruleset: make synflood lighter using ct state ruleset: make synflood lighter using ct state Jan 22, 2025
@brada4
Copy link
Author

brada4 commented Jan 22, 2025

default net.netfilter.nf_conntrack_tcp_loose=1 permits opening connection state with 2x synack and bypass intended protection. Update follows the setting.

@brada4 brada4 marked this pull request as draft June 19, 2025 11:31
@brada4
Copy link
Author

brada4 commented Jun 19, 2025

small rework due - also take care of forwarded traffic.

@brada4
Copy link
Author

brada4 commented Oct 17, 2025

.. not

@brada4 brada4 marked this pull request as ready for review October 17, 2025 12:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@brada4