From f909c17aca4d48598d5eaee0df81bf64967902f0 Mon Sep 17 00:00:00 2001 From: Yuxiang Zhu Date: Sat, 26 Aug 2023 05:28:11 +0000 Subject: T4502: firewall: Add software flow offload using flowtable The following commands will enable nftables flowtable offload on interfaces eth0 eth1: ``` set firewall global-options flow-offload software interface set firewall global-options flow-offload hardware interface ``` Generated nftables rules: ``` table inet vyos_offload { flowtable VYOS_FLOWTABLE_software { hook ingress priority filter - 1; devices = { eth0, eth1, eth2, eth3 }; counter } chain VYOS_OFFLOAD_software { type filter hook forward priority filter - 1; policy accept; ct state { established, related } meta l4proto { tcp, udp } flow add @VYOS_FLOWTABLE_software } } ``` Use this option to count packets and bytes for each offloaded flow: ``` set system conntrack flow-accounting ``` To verify a connection is offloaded, run ``` cat /proc/net/nf_conntrack|grep OFFLOAD ``` This PR follows firewalld's implementation: https://github.com/firewalld/firewalld/blob/e748b97787d685d0ca93f58e8d4292e87d3f0da6/src/firewall/core/nftables.py#L590 A good introduction to nftables flowtable: https://thermalcircle.de/doku.php?id=blog:linux:flowtables_1_a_netfilter_nftables_fastpath --- .../include/firewall/flow-offload.xml.i | 47 ++++++++++++++++++++++ .../include/firewall/global-options.xml.i | 1 + interface-definitions/system-conntrack.xml.in | 6 +++ 3 files changed, 54 insertions(+) create mode 100644 interface-definitions/include/firewall/flow-offload.xml.i (limited to 'interface-definitions') diff --git a/interface-definitions/include/firewall/flow-offload.xml.i b/interface-definitions/include/firewall/flow-offload.xml.i new file mode 100644 index 000000000..706836362 --- /dev/null +++ b/interface-definitions/include/firewall/flow-offload.xml.i @@ -0,0 +1,47 @@ + + + + Configurable flow offload options + + + + + Disable flow offload + + + + + + Software offload + + + + + Interfaces to enable + + + + + + + + + + + Hardware offload + + + + + Interfaces to enable + + + + + + + + + + + diff --git a/interface-definitions/include/firewall/global-options.xml.i b/interface-definitions/include/firewall/global-options.xml.i index e655cd6ac..03c07e657 100644 --- a/interface-definitions/include/firewall/global-options.xml.i +++ b/interface-definitions/include/firewall/global-options.xml.i @@ -271,6 +271,7 @@ disable + #include diff --git a/interface-definitions/system-conntrack.xml.in b/interface-definitions/system-conntrack.xml.in index 3abf9bbf0..78d19090c 100644 --- a/interface-definitions/system-conntrack.xml.in +++ b/interface-definitions/system-conntrack.xml.in @@ -9,6 +9,12 @@ 218 + + + Enable connection tracking flow accounting + + + Size of connection tracking expect table -- cgit v1.2.3