openwrt / firewall4

[MIRROR] OpenWrt nftables firewall
https://git.openwrt.org/?p=project/firewall4.git;

Reorder early state dispatch for quicker outcome #22

Open brada4 opened 9 months ago

brada4 commented 9 months ago

locate offload at the end of slowpath ... use builtin tcpudp filter in place of extra filter ... and directly yield to offload-add kworker

drop invalid asap and avoid further activity on useless packets ... which accidentally simplifies main state dispatch ... so make use of optimized output chain dispatch alternatives depending on global setting

Thanks-to: @CallMeR for tcpudp filter avoidance idea
Thanks-to: forum user kvic for detailed review and suggestions
Discussed: https://github.com/openwrt/firewall4/pull/20
Part-reverts: https://github.com/openwrt/firewall4/commit/19a8caf614ec338513e58535ea02c6ee52988170

Signed-Off-By: Andris PE neandris@gmail.com
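The ordering described above (invalid dropped first, one ct-state vmap dispatch, offload handed over at the end of the slow path using nft's own l4proto match instead of a separate protocol filter), as an added illustration that is not firewall4's generated ruleset; the table, chain, flowtable and interface names are assumed:

```nft
# Added example, not firewall4's own output. Names below are assumptions.
table inet example {
    flowtable ft {
        hook ingress priority 0
        devices = { eth0, eth1 }   # assumed WAN/LAN interfaces
    }

    chain handle_offload {
        # Only TCP/UDP flows can be offloaded; the builtin l4proto set match
        # replaces a separate "is this tcp or udp" filter rule.
        meta l4proto { tcp, udp } flow add @ft
        counter accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # 1. Discard invalid (untracked / bad checksum) packets before any
        #    further rule, NAT or ALG helper spends work on them.
        ct state invalid counter drop

        # 2. Single vmap dispatch: established/related traffic jumps straight
        #    to the offload chain, which is now the last slow-path step for
        #    that packet, so the flow reaches the flowtable immediately.
        ct state vmap { established : jump handle_offload,
                        related     : jump handle_offload }

        # 3. Only new connections remain; zone policy rules follow here
        #    (assumed lan -> wan allow as a stand-in for the real policy).
        iifname "eth1" oifname "eth0" ct state new counter accept
    }
}
```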

brada4 commented 9 months ago

@jow- diff is identical to #20, share if any (non-revolutionary) changes can improve it. Diff visualisation misses logic change:

old: filter.forward: if offload, add flow; dispatch states

new: filter.forward: if offload, dispatch states diverting to offload chain; else dispatch states

brada4 commented 9 months ago

Dropping invalid packets over localhost would be swapping iif lo and ct state in output along with removing iif != in new prerouting. I don't feel either way, so I maintained behaviour exactly.

brada4 commented 6 months ago

@jow- this alters semantics for improved safety discarding invalid (out of state and bad checksum) packets before nat alg helpers.

brada4 commented 5 months ago

@jow- made it vmap, netfilter's own examples now have vmaps everywhere....

brada4 commented 4 months ago

@jow- hi, got nice pro feedback at https://forum.openwrt.org/t/first-rule-in-chain-input-output-for-firewall4/204723 and implemented best parts: 1 cosmetic, 2 improves NAT performance by a dozen hairs

brada4 commented 4 months ago

Also discovered that this adds easy flowtable exception via /e/n.d/ for more fifo-ish behaviour (still to dig up test case)

jow- commented 4 months ago

Should this PR drop commit https://github.com/openwrt/firewall4/pull/22/commits/a625924e002c50206509e85f32084707c18f22cb since it is partially reverted in https://github.com/openwrt/firewall4/pull/22/commits/5dc4d82932ae0c7a9416f0969dc695b60250be2c ?

brada4 commented 4 months ago

No, it should stay like this, short and simple. 1k evaluations on a pc totals to about the same 7.abit ms for either, but vmap version has broader deviation not explainable by any significant cpu consumption or absent in case network load.

brada4 commented 4 months ago

Yes, default configuration is revert (2 rules swapped though)