
[RFC] iptables: Add default net filters #2322

Merged 1 commit, Jan 3, 2018

Conversation

Ray-future (Contributor)

Default: Only allow private subnets
Don't overwrite rules from docker or connman wifi tether

An example of how to turn it on/off through the LE Settings addon is available here:
Ray-future/service.libreelec.settings@d3e19e7
I can PR that too if we decide this gets accepted. Filters are disabled by default and need to be enabled through the LE Settings addon.

Docker is restarted when the rules are reloaded or flushed; otherwise it would break network connectivity in Docker. The same applies to wifi tethering.

I have been using these rules in my community builds for a few months (enabled by default) without hearing any complaints about broken networks. I've just reworked the scripts a little bit the last few days so it will require some testing before it can be merged.

@chewitt (Member) left a comment

LGTM .. let's get it in and start working on GUI bits

@Ray-future force-pushed the iptables branch 3 times, most recently from e612d46 to 73bd263 on December 15, 2017 14:25

@stefansaraev (Contributor)

You should never force-load the conntrack modules by using the nat table or the conntrack match. This hurts, unless it's completely optional.

@Ray-future (Contributor, Author)

Care to elaborate why it hurts so much?

@stefansaraev (Contributor)

First: conntrack degrades network performance and may result in higher delays and lower throughput.

Second: as every outgoing packet would be tracked, and the conntrack table has a limited size, as soon as you start something that makes a lot of outgoing connections (Transmission comes to mind first), you may get "conntrack table full" errors and packets will be dropped.

Increasing the conntrack table size is of course an option, but there is no one-value-fits-all configuration. It needs RAM, and if not well tuned, low-memory devices will misbehave sooner or later.

@Ray-future (Contributor, Author)

@stefansaraev
OK. I'm not hard set on conntrack; however, your concerns seem very unlikely imho. At least I've never hit such a scenario, and I've been using conntrack for some years with my servers and clients at work.
However, I'm not a BitTorrent user, so I haven't tested your scenario. The idea is to make those rules optional anyway. I don't want to enable them by default.

Nevertheless, I'm very happy about your feedback on the rule sets. I get that there are hundreds of philosophies about what to use and what not to use as filters. I will drop conntrack.
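A stateless version of the ruleset discussed in this thread (only private subnets, no conntrack match and no nat table, Docker's and connman's own rules left alone), as an added example that is not the PR's script. The chain name LE-INPUT, the admitted reply ports and the `! --syn` shortcut are assumptions; without conntrack, ACK-only probes from public addresses do reach the stack, but no unsolicited connection can be established.

```shell
#!/bin/sh
# Added example (not the PR's code): a "private subnets only" INPUT policy
# kept in a dedicated chain in the filter table, so Docker's and connman's
# rules in INPUT/FORWARD and in the nat table are never flushed.

CHAIN="LE-INPUT"   # assumed name for the dedicated chain

# Emit an iptables-restore ruleset.  It touches only the filter table and
# uses no conntrack/ctstate match, so nf_conntrack is never loaded.
le_rules() {
    cat <<EOF
*filter
:${CHAIN} - [0:0]
-A ${CHAIN} -i lo -j ACCEPT
# RFC 1918 ranges plus link-local (DHCP, mDNS, zeroconf)
-A ${CHAIN} -s 10.0.0.0/8 -j ACCEPT
-A ${CHAIN} -s 172.16.0.0/12 -j ACCEPT
-A ${CHAIN} -s 192.168.0.0/16 -j ACCEPT
-A ${CHAIN} -s 169.254.0.0/16 -j ACCEPT
# Stateless stand-in for ESTABLISHED: replies to connections we opened are
# TCP segments without a lone SYN; DNS/NTP answers come from these ports.
-A ${CHAIN} -p tcp ! --syn -j ACCEPT
-A ${CHAIN} -p udp --sport 53 -j ACCEPT
-A ${CHAIN} -p udp --sport 123 -j ACCEPT
-A ${CHAIN} -p icmp -j ACCEPT
-A ${CHAIN} -j DROP
COMMIT
EOF
}

# Guard: fail if the generated ruleset would pull in conntrack or touch nat.
le_check() {
    le_rules | grep -Eiq -- '(conntrack|ctstate|--state|\*nat)' && return 1
    return 0
}

# Apply: --noflush keeps existing Docker/connman rules; the jump from the
# built-in INPUT chain is added only if it is not already present.
le_apply() {
    le_rules | iptables-restore --noflush || return 1
    iptables -C INPUT -j "${CHAIN}" 2>/dev/null || iptables -I INPUT -j "${CHAIN}"
}

# Disable: remove only the jump and our chain; everything else stays intact.
le_flush() {
    iptables -D INPUT -j "${CHAIN}" 2>/dev/null
    iptables -F "${CHAIN}" 2>/dev/null && iptables -X "${CHAIN}"
}
```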

Default: Only allow private subnets
Don't overwrite rules from docker or connman
Option to turn on/off through LE Settings addon