
BCP38: don't slow down established connections (#2838)

Enabling BCP38 causes an iptables rule to be inserted before this rule:
ACCEPT     all  --  anywhere             anywhere             ID:66773300 ctstate RELATED,ESTABLISHED

This makes all forwarded packets go through the BCP38 ipset match, which slows
down download speed from 440 Mbit/s to 340 Mbit/s.

Only apply BCP38 match rules if state is NEW.

Bump package version.

Signed-off-by: Török Edwin <edwin@skylable.com>
lilik-openwrt-22.03
Török Edwin 9 years ago
committed by Toke Høiland-Jørgensen
parent
commit
0b2b462ae0
2 changed files with 7 additions and 7 deletions
  1. +1
    -1
      net/bcp38/Makefile
  2. +6
    -6
      net/bcp38/files/run.sh

+ 1
- 1
net/bcp38/Makefile

@ -6,7 +6,7 @@
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=bcp38 PKG_NAME:=bcp38
PKG_VERSION:=4
PKG_VERSION:=5
PKG_RELEASE:=1 PKG_RELEASE:=1
PKG_LICENCE:=GPL-3.0+ PKG_LICENCE:=GPL-3.0+


+ 6
- 6
net/bcp38/files/run.sh

@ -72,9 +72,9 @@ setup_iptables()
iptables -N "$IPTABLES_CHAIN" 2>/dev/null iptables -N "$IPTABLES_CHAIN" 2>/dev/null
iptables -F "$IPTABLES_CHAIN" 2>/dev/null iptables -F "$IPTABLES_CHAIN" 2>/dev/null
iptables -I output_rule -j "$IPTABLES_CHAIN"
iptables -I input_rule -j "$IPTABLES_CHAIN"
iptables -I forwarding_rule -j "$IPTABLES_CHAIN"
iptables -I output_rule -m state --state NEW -j "$IPTABLES_CHAIN"
iptables -I input_rule -m state --state NEW -j "$IPTABLES_CHAIN"
iptables -I forwarding_rule -m state --state NEW -j "$IPTABLES_CHAIN"
# always accept DHCP traffic # always accept DHCP traffic
iptables -A "$IPTABLES_CHAIN" -p udp --dport 67:68 --sport 67:68 -j RETURN iptables -A "$IPTABLES_CHAIN" -p udp --dport 67:68 --sport 67:68 -j RETURN
@ -90,9 +90,9 @@ destroy_ipset()
destroy_iptables() destroy_iptables()
{ {
iptables -D output_rule -j "$IPTABLES_CHAIN" 2>/dev/null
iptables -D input_rule -j "$IPTABLES_CHAIN" 2>/dev/null
iptables -D forwarding_rule -j "$IPTABLES_CHAIN" 2>/dev/null
iptables -D output_rule -m state --state NEW -j "$IPTABLES_CHAIN" 2>/dev/null
iptables -D input_rule -m state --state NEW -j "$IPTABLES_CHAIN" 2>/dev/null
iptables -D forwarding_rule -m state --state NEW -j "$IPTABLES_CHAIN" 2>/dev/null
iptables -F "$IPTABLES_CHAIN" 2>/dev/null iptables -F "$IPTABLES_CHAIN" 2>/dev/null
iptables -X "$IPTABLES_CHAIN" 2>/dev/null iptables -X "$IPTABLES_CHAIN" 2>/dev/null
} }
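Review bot: Restricting the three jumps in setup_iptables to `-m state --state NEW` means packets that conntrack classifies as INVALID or UNTRACKED no longer reach the BCP38 chain at all, whereas before this change every packet did. Whether such packets are dropped elsewhere is not visible here (it depends on the firewall's own invalid-packet handling), so the anti-spoofing match should skip only the states the fast path is meant for, e.g. `iptables -I forwarding_rule -m conntrack ! --ctstate RELATED,ESTABLISHED -j "$IPTABLES_CHAIN"`, with the same match on `input_rule` and `output_rule`. The `-D` lines in destroy_iptables must carry the identical match or the rules will not be removed, and because their errors go to `2>/dev/null` a mismatch would be silent. setup_iptables starts before and continues past the first hunk.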

