BCP38: don't slow down established connections (#2838)

Enabling BCP38 causes an iptables rule to be inserted before this rule: ACCEPT all -- anywhere anywhere ID:66773300 ctstate RELATED,ESTABLISHED This makes all forwarded packets go through the BCP38 ipset match, which slows down download speed from 440 Mbit/s to 340 Mbit/s. Only apply BCP38 match rules if state is NEW. Bump package version. Signed-off-by: Török Edwin <edwin@skylable.com>
2026-04-30 15:38:40 +01:00 · 2016-06-12 16:09:05 +03:00
parent 9093379603
commit 0b2b462ae0
2 changed files with 7 additions and 7 deletions
@@ -72,9 +72,9 @@ setup_iptables()
 	iptables -N "$IPTABLES_CHAIN" 2>/dev/null
 	iptables -F "$IPTABLES_CHAIN" 2>/dev/null

-	iptables -I output_rule -j "$IPTABLES_CHAIN"
-	iptables -I input_rule -j "$IPTABLES_CHAIN"
-	iptables -I forwarding_rule -j "$IPTABLES_CHAIN"
+	iptables -I output_rule -m state --state NEW -j "$IPTABLES_CHAIN"
+	iptables -I input_rule -m state --state NEW -j "$IPTABLES_CHAIN"
+	iptables -I forwarding_rule -m state --state NEW -j "$IPTABLES_CHAIN"

 	# always accept DHCP traffic
 	iptables -A "$IPTABLES_CHAIN" -p udp --dport 67:68 --sport 67:68 -j RETURN
@@ -90,9 +90,9 @@ destroy_ipset()

 destroy_iptables()
 {
-	iptables -D output_rule -j "$IPTABLES_CHAIN" 2>/dev/null
-	iptables -D input_rule -j "$IPTABLES_CHAIN" 2>/dev/null
-	iptables -D forwarding_rule -j "$IPTABLES_CHAIN" 2>/dev/null
+	iptables -D output_rule -m state --state NEW -j "$IPTABLES_CHAIN" 2>/dev/null
+	iptables -D input_rule -m state --state NEW -j "$IPTABLES_CHAIN" 2>/dev/null
+	iptables -D forwarding_rule -m state --state NEW -j "$IPTABLES_CHAIN" 2>/dev/null
 	iptables -F "$IPTABLES_CHAIN" 2>/dev/null
 	iptables -X "$IPTABLES_CHAIN" 2>/dev/null
 }