Hi all,

On Wed, Aug 28, 2019 at 7:37 PM Kristian Evensen <kristian.even...@gmail.com> wrote:
>
> firewall3 currently creates one rule for each interface that is a member of a
> zone. On, for example, devices with multiple interfaces, the current firewall3
> behavior quickly leads to a lot of rules. In order to reduce the number of
> rules, this patch replaces the per-interface rules with ipset matches (if ipset
> is available). Since 2011, ipset has supported the set type "hash:net,iface".
> By adding (and matching on) pairs consisting of the v4/v6 any-address and an
> interface name, we get the same behavior as the current interface-rules.
>
> After applying this patch (and assuming ipset is available), the following
> actions are performed when a zone is created:
>
> * We create (allocate) an ipset of type "hash:net,iface" for each zone. The
>   name follows the following format: zone_<zone name>_<4/6>_set.
> * If creating a set fails, then we ignore the zone. This is something we can
>   change, but my reason for this behavior is to have consistent firewall rules.
>   I.e., zone-rules either match on ipset or interface names, and not a mix.
> * Each set is populated with pairs consisting of the IPv4/IPv6 any-address and
>   an interface name, for example "0.0.0.0/0, eth0.2".
> * Instead of one rule per device, a single rule is created matching on the
>   ipset.
> * The check used to select the OUTPUT/PREROUTING-chain when adding rules to the
>   raw-table has been moved to print_interface_rules_{default,set}. The
>   motivation behind this move was to avoid changing print_interface_rule() too
>   much. As far as I can see (and have tested), the logic for selecting
>   chain/creating the rules is the same as before.
>
> Because the change introduced by this patch is quite intrusive and I am sure
> there will be comments/disagreements/suggestions, I have sent this patch as an
> RFC.
>
> One thing that I am aware of and will fix before the final submission is
> to add support for printing ipsets. Right now "fw3 print" prints per-interface
> rules.
I have had the chance to run this patch in production for a while, and thought I should share my experiences. All in all, switching to ipsets seems to work well and, with one exception, I have not found any configurations or configuration steps that break. Also, in some of my setups, the number of iptables rules is greatly reduced. While I haven't measured any performance improvements, fewer rules make the rule set easier to work with. The need to reload the firewall on ifup is also removed (it is sufficient to update the set), which removes an annoying gap or interruption in traffic on some of the devices I am running.

What (currently) breaks is wildcard interface names: ipset currently has no wildcard support. I have submitted a patch upstream adding support for wildcard naming, and have received positive feedback but no final decision.

BR,
Kristian

_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
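The set-per-zone scheme described in the quoted RFC, as an added example that is not firewall3's own code: a small POSIX shell generator that prints the old one-rule-per-interface form next to the ipset-based equivalent (one "hash:net,iface" set per zone and family, any-address/interface pairs, a single "-m set" rule). The zone name, the target chain "zone_<zone>_input" and the interface names are constructed placeholders; the script only emits commands, and applying them needs root plus the ipset and iptables binaries.

```shell
#!/bin/sh
# Constructed example: generate the commands that replace per-interface
# zone rules with one hash:net,iface match, using the RFC's naming scheme.

# Set name per zone and family: zone_<zone name>_<4|6>_set
zone_set_name() {
    printf 'zone_%s_%s_set\n' "$1" "$2"
}

# Old style: one "-i <iface>" rule per zone member interface.
# $1 = zone name, $2 = chain, rest = interfaces
per_iface_rules() {
    zone=$1; chain=$2; shift 2
    for dev in "$@"; do
        printf 'iptables -A %s -i %s -j zone_%s_input\n' "$chain" "$dev" "$zone"
    done
}

# New style: create the set, add (any-address, iface) pairs, one match rule.
# $1 = zone name, $2 = family (4 or 6), $3 = chain, rest = interfaces
ipset_zone_rules() {
    zone=$1; fam=$2; chain=$3; shift 3
    set_name=$(zone_set_name "$zone" "$fam")
    if [ "$fam" = 6 ]; then
        any='::/0'; ipt=ip6tables; ipsetfam=inet6
    else
        any='0.0.0.0/0'; ipt=iptables; ipsetfam=inet
    fi
    # -exist keeps create/add idempotent across firewall reloads
    printf 'ipset create %s hash:net,iface family %s -exist\n' "$set_name" "$ipsetfam"
    for dev in "$@"; do
        # one entry per member: any-address plus interface, e.g. "0.0.0.0/0,eth0.2"
        printf 'ipset add %s %s,%s -exist\n' "$set_name" "$any" "$dev"
    done
    # src,src: first flag matches the source address, second the incoming interface
    printf '%s -A %s -m set --match-set %s src,src -j zone_%s_input\n' \
        "$ipt" "$chain" "$set_name" "$zone"
}

# Example run with three constructed member interfaces:
per_iface_rules lan INPUT eth0.1 eth0.2 eth0.3
ipset_zone_rules lan 4 INPUT eth0.1 eth0.2 eth0.3
```

Adding a fourth interface later is one "ipset add" line instead of a rule insertion and firewall reload, which is the gap the reply above refers to.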