OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of Flole »
  • Show Posts »
  • Messages
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Messages - Flole

Pages: [1]
1
Development and Code Review / Re: "Improve" rule reloading
« on: November 15, 2019, 11:49:22 pm »
You could with iptables use dynamic add and remove commands, I've done that before.

For your example you would have the rule creation engine do the splitting of those rules when generating the anchor files, so when it does the ipv6 anchor it goes through all rules and looks for every ipv6 or "ipv4 and ipv6" rule and then writes it as a ipv6 only rule in the anchor. Same for IPv4. As traffic can't be both this would work and as the order within the anchors is correct, which anchor comes first doesn't really matter then. However, once you want to split it even further it gets more complicated.

2
Development and Code Review / Re: "Improve" rule reloading
« on: November 15, 2019, 08:37:06 pm »
It would not change the order of the rules, traffic can either be ipv4 or ipv6, so those rules can be split in 2 rules without changing the order effectively. Then you can split v4 and v6 again without affecting the order.

I know that iptables and nftables can do such a thing, but for pf I haven't found a way (yet).

3
Development and Code Review / "Improve" rule reloading
« on: November 15, 2019, 07:11:58 pm »
Hello everyone,

I'm crossposting this here now after on the pfsense forum there wasn't much discussion about it and I have been thinking about switching to opnsense for a while now and this would definitely make me switch. Please forgive me if there is already "improved" rule reloading in effect.

I'm currently a pfsense user and I am having some issues due to filter reloads causing temporary packet loss on routed UDP. That made me think about a different approach in how pfsense/opnsense handles rules that might be able to solve/reduce this:

Would it be possible to use anchors for IPv4/IPv6 so reloading the entire filter is not necessary, if an IPv6 Gateway goes down, IPv4 will not be affected by that. Of course this doesn't solve this entirely but it should make things better. Maybe it would be possible to go even further and use per-interface anchors to make the amounts of rules that need reloading even smaller.

What do you guys think? Would this work? Would this be a valid approach? Would this help and would this be wanted?

Pages: [1]
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2