Opened 3 years ago
Last modified 3 years ago
#1534 new
upnp entries go on top of FORWARD chain.....
| Reported by: | frater | Owned by: | |
|---|---|---|---|
| Keywords: | | Cc: | |
Description
uPnP entries insert themselves at the top of the FORWARD chain. That's understandable, because you need to make sure it doesn't come after a deny, but this also means each and every packet is checked. Those uPnP entries are typically made by p2p programs and exactly these programs put an extra burden on your router.
Can't you create a separate chain for uPnP entries and call that chain just after the "ESTABLISHED RELATED"? Once the connection is established and related the packets go through that entry and normal traffic will pass fewer rules.
```
-A FORWARD -j lan2wan
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -j upnp
```
Change History (2)
comment:1 Changed 3 years ago by frater
comment:2 Changed 3 years ago by mixmasta
I finally like something you've said on here frater!

It would also make it much easier to control. Deleting all uPnP rules can be done by flushing that chain. Stopping uPnP is as easy as leaving out '-A FORWARD -j upnp'. The entries can even stay.
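
The rule-count argument in this ticket can be checked with a small first-match model of a chain walk. This is an added example, not code from the ticket or the firmware; the packet fields, the `vlan1` interface name, the 20 constructed port mappings and the empty `lan2wan` chain are assumptions.

```python
# Simplified model of iptables first-match traversal (added example).
# A rule is (match, target). Target is "ACCEPT", the name of a user chain
# to jump into, or "CONTINUE" for a non-terminating target such as TCPMSS.

def walk(chains, chain, pkt, count=0):
    """Return (verdict, rules_checked) for pkt traversing `chain`."""
    for match, target in chains[chain]:
        count += 1
        if not match(pkt):
            continue
        if target == "ACCEPT":
            return "ACCEPT", count
        if target in chains:  # jump; fall back to the caller if nothing matched
            verdict, count = walk(chains, target, pkt, count)
            if verdict:
                return verdict, count
    return None, count        # fell off the end: chain policy would apply

def upnp_rules(n):
    # Constructed port mappings: one ACCEPT rule per forwarded port.
    return [(lambda p, port=50000 + i: p["dport"] == port, "ACCEPT")
            for i in range(n)]

any_pkt = lambda p: True
established = lambda p: p["state"] in ("RELATED", "ESTABLISHED")
syn = lambda p: p["syn"]
bridge = lambda p: p["in"] == "br0" and p["out"] == "br0"

# The four fixed FORWARD rules from the ticket, in the order shown there.
BASE = [(any_pkt, "lan2wan"), (established, "ACCEPT"),
        (syn, "CONTINUE"), (bridge, "ACCEPT")]

def layout_top(n):    # current behaviour: uPnP rules inserted at the top of FORWARD
    return {"FORWARD": upnp_rules(n) + BASE, "lan2wan": []}

def layout_chain(n):  # proposal: dedicated upnp chain, jumped to last
    return {"FORWARD": BASE + [(any_pkt, "upnp")], "lan2wan": [], "upnp": upnp_rules(n)}

def cost(layout, n, pkt):
    return walk(layout(n), "FORWARD", pkt)

# Constructed sample packets.
EST = {"state": "ESTABLISHED", "syn": False, "in": "br0", "out": "vlan1", "dport": 443}
NEW = {"state": "NEW", "syn": True, "in": "vlan1", "out": "br0", "dport": 50005}

if __name__ == "__main__":
    for name, layout in (("top", layout_top), ("chain", layout_chain)):
        print(name, "established:", cost(layout, 20, EST), "new:", cost(layout, 20, NEW))
    print("chain flushed, new:", cost(layout_chain, 0, NEW))
```

In this model an established packet costs 22 rule checks with 20 mappings at the top of FORWARD and 2 with the dedicated chain, while a new connection to a mapped port is still accepted; with the `upnp` chain flushed, that new connection falls through to the chain policy.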