ruleset: avoid port translating local sockets

[brada4]

avoid allocating extra outgoing ports for local connections

Eliminate unnecesary port translation for locally originated connections

• firstly 2 ports are used for any connection, including single DNS packet
• if you run asterix or dht outgoing connections get randomized and keep ephemeral ports for long after they were relevant. i.e outgoing UDP port is unnecesarily held for 3mins, especially right after priming up dht when it pokes around the nets 1000 pipes at a time.
• once original incoming ct state expires udp based vpns get port-translated and have no chance to ever be kept alive from remote site, and eg normal site2site IKE needs to wait for timeouts to expire to get back to normal

fixes: openwrt/openwrt#22765

[brada4]

Alternate implementations would not be faster or depend on modules, esp when both meta integer fields are unconditionally populated before conntrack....

iif 0 return
  [ meta load iif => reg 1 ]
  [ cmp eq reg 1 0x00000000 ]
  [ immediate reg 0 return ]
meta skuid >= 0 return7
  [ meta load skuid => reg 1 ]
  [ byteorder reg 1 = hton(reg 1, 4, 4) ]
  [ cmp gte reg 1 0x00000000 ]
  [ immediate reg 0 return ]

EDIT: upd for v2 patch

[stintel]

Neither the change in this PR, nor the proposed unconditional fib saddr type != local in openwrt/openwrt#22765 are acceptable as-is, since both change default behavior.

This PR also puts iif 0 return in the top-level srcnat chain before zone dispatch. That means locally generated packets skip the entire per-zone srcnat_<zone> chain, not just the automatically generated zone masquerade rule. In particular, per-zone config nat SNAT/masquerade rules and chain-append includes would no longer run for local-origin traffic.

I agree that excluding locally originated traffic from automatic zone masquerading is cleaner, but changing long-standing fw3/fw4 default behavior should not be done lightly, especially in stable releases.

A safer approach would be to add an explicit zone option, e.g. masq_local, defaulting to the current behavior for compatibility. Users who need the new behavior can set option masq_local '0', and we can later decide whether new default configs should opt out after a full test cycle.

[stintel]

I propose the following change instead: d1fadb5.

I intentionally left out the meta pkttype multicast return part. Avoiding masquerade for locally originated packets and skipping multicast traffic are two separate behavioral changes with different rationale and risk. They should be discussed and justified independently, and if needed, handled in separate commits.

The masq_local change only addresses the local-origin masquerade case while preserving existing behavior by default and keeping the per-zone srcnat_<zone> chains reachable.

[brada4]

Masquerade fallback to other port is to save local sockets from random impostor from LAN taking over their data. Was never a race between local sockets themselves to start with.
This major fuckup "long-standing default behavior" should be inverted asap, both users happy with double outgoing port consumption can have their parameter.

[stintel]

I’m not claiming the current behaviour is ideal. I’m saying it is not something we should silently change in stable releases.

This goes back to the initial firewall3 import from 2013-02-17, so it has effectively been OpenWrt firewall behaviour for 13 years. fw4 inherited the same model from its initial commit in 2021.

The masq_local option gives users affected by this a way to opt out now, without changing behaviour for everyone else. Once this has had some exposure in master, we can discuss changing the default for future releases.

[brada4]

Well, come back after you make site to site 500:500 ipv4 ike working using OpenWrt.
No it does not go back that far. It is unnoticed kernel change down the road.

[brada4]

Breadcrumb: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/339

explicitly protecting local connections from forwarded connections, not from themselves, happened around last days of fw3 .....

[brada4]

Maybe a global setting to enable broken legacy behaviour.