Message ID | 20241105075828.627-1-dqfext@gmail.com |
---|---|
State | New |
Headers | From: Qingfang Deng <dqfext@gmail.com>; To: openwrt-devel@lists.openwrt.org; Date: Tue, 5 Nov 2024 15:58:28 +0800; Subject: [PATCH firewall4] ruleset: offload a connection only after certain packets |
Series | [firewall4] ruleset: offload a connection only after certain packets |
diff --git a/root/usr/share/firewall4/templates/ruleset.uc b/root/usr/share/firewall4/templates/ruleset.uc index 2bec4d9..f588ee5 100644 --- a/root/usr/share/firewall4/templates/ruleset.uc +++ b/root/usr/share/firewall4/templates/ruleset.uc @@ -135,7 +135,7 @@ table inet fw4 { type filter hook forward priority filter; policy {{ fw4.forward_policy(true) }}; {% if (length(flowtable_devices) > 0): %} - meta l4proto { tcp, udp } flow offload @ft; + meta l4proto { tcp, udp } ct packets ge 16 flow offload @ft; {% endif %} {% fw4.includes('chain-prepend', 'forward') %} ct state vmap { established : accept, related : accept{% if (fw4.default_option("drop_invalid")): %}, invalid : drop{% endif %} } comment "!fw4: Handle forwarded flows"
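Review bot: the threshold in `+ meta l4proto { tcp, udp } ct packets ge 16 flow offload @ft;` is a magic number with no comment in the template and no justification in the commit message, which only says "certain packets"; please state in the commit message why 16 is enough for the inspection rules it is meant to protect (an HTTP host match only needs the first few data packets, but other content rules may need more) and consider exposing the count as an fw4 option instead of hard-coding it in ruleset.uc, so users with deeper inspection rules can raise it without patching the template. Note also that `ct packets` with no `original`/`reply` qualifier counts both directions combined, so on a symmetric flow roughly 8 packets each way reach the user-defined rules before the connection is offloaded; if the intent is 16 packets in one direction, the rule needs the direction keyword.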
Users commonly create firewall rules that inspect packet content, such as matching an HTTP host. The current implementation offloads a connection immediately after it's established, bypassing user-defined rules. To respect these rules, only offload a connection after certain packets have passed through the slow path.

This change ensures that packet inspection rules are applied correctly before offloading, improving the accuracy and effectiveness of user-defined firewall rules.

Signed-off-by: Qingfang Deng <dqfext@gmail.com>
---
root/usr/share/firewall4/templates/ruleset.uc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)