Cannot disable connection tracking

mozuzu · August 17, 2017, 11:50am

I noticed there is a note in LEDE Documentation which says that disabling firewall's connection tracking can speed up routing and save memory. So I tried to disable it but that didn't work. Could someone tell me how to do it?

Thanks in advance.

What I did

I followed the guide and tried disabling it by specifying 'option conntrack 0' in /etc/config/firewall.

# cat /etc/config/firewall
[...]

config zone
    option name             awlan
    list   network          'awlan'
    option conntrack        0
    option input            REJECT
    option output           ACCEPT
    option forward          REJECT

[...]

And then, I proceeded to reload the configuration but it says the option conntrack is unknown.

# /etc/init.d/firewall reload
Warning: Option @zone[0].conntrack is unknown

[...]

As expected, there seems to be no firewall rules regarding connection tracking.

# iptables -t raw -L -vn
Chain PREROUTING (policy ACCEPT 1587 packets, 251K bytes)
 pkts bytes target     prot opt in     out     source               destination
 
Chain OUTPUT (policy ACCEPT 1422 packets, 326K bytes)
 pkts bytes target     prot opt in     out     source               destination

Hardware and Software

I don't know if this clarifies the issue, but I tried LEDE 17.01.2 on WZR-300HP (Buffalo) and WZR-HP-G450H (Buffalo) and both of which didn't work.

DjiPi · August 17, 2017, 11:49pm

AFAIK, that's because with firewall3 it's not supported anymore. Further reading:
Wiki note: https://lede-project.org/docs/user-guide/firewall_configuration#notes_on_connection_tracking
And commit note introducing this change: https://github.com/lede-project/source/commit/2daab45cae3cfc09bae96f4326a3963a7504e86d

Furthermore, if you are using masquerading, you seems to require this feature anyway...

mozuzu · August 18, 2017, 5:19am

Thank you for the clear answer!

It turns out I missed the note on the page you've posted even though it is very obvious. I'm stupid...

This is now obsolete since fw3 version 2016-11-29 ...

Since disabling connection tracking seems unnecessary now according to the commit message, I decided to keep it turned on.

As for masquerading, I'm using my routers like VLAN switches so I don't need to use masquerading for now.

Thanks again for answering my question!