<zorun>
jow: the report is fairly long, but after lots of debugging I think I have identified the root cause (it's more complex than I first thought)
<zorun>
btw, it's related to this "slow" fw4 ruleset generation I reported last time: it's not the cause of the bug, but it makes the race condition window larger
dangole_ is now known as dangole
<Borromini>
Habbie: some stuff works with the fullmac driver afaik :)
slh has quit [Ping timeout: 480 seconds]
<jow>
zorun: can you try setting the global input policy to "drop", that should completely solve your problem
slh64 has quit [Ping timeout: 480 seconds]
slh64 has joined #openwrt-devel
slh has joined #openwrt-devel
<jow>
zorun: we might even consider making it the default
<f00b4r0>
jow: security-wise, it should be imho.
bluew has joined #openwrt-devel
<jow>
f00b4r0: leaning towards it as well. Need to figure out the justification for doing it like that in the first place
<jow>
I think it was to reduce the softbrick probability on bad configs
<jow>
but since nft ruleset loading is atomic it might not be needed anymore
<jow>
there's also two further optimization approaches:
<f00b4r0>
I see. I always set INPUT DROP policy on all my owrt setups, never figured why it wasn't the default. Now I understand :)
<jow>
- event coalescing (gather several ifup's within a, say, 250ms timeframe, then issue reload once)
<jow>
- render ruleset into temporary file and use that for both checking and applying (only relevant for restart though)
<jow>
my hunch is that drop-by-default will completely solve zorun's issues related to stale conntrack
<jow>
it might be a simple fix then
<f00b4r0>
although it's not really a fix, more like a workaround :)
<Habbie>
Borromini, ack, we'll see :)
<jow>
f00b4r0: other fix might be selective conntrack flushing on every ifup, but that might not be intended