diff options
| author | Viacheslav Hletenko <v.gletenko@vyos.io> | 2023-09-14 17:18:33 +0300 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-09-14 17:18:33 +0300 |
| commit | c355b07c21b6cac7405a6e575947a181fd2236f5 (patch) | |
| tree | b3176c4593566708add72657191991a2744f7d14 /data/templates/firewall/nftables.j2 | |
| parent | fc5b2871c548698cd3d484c69675454b28c8f843 (diff) | |
| parent | f909c17aca4d48598d5eaee0df81bf64967902f0 (diff) | |
| download | vyos-1x-c355b07c21b6cac7405a6e575947a181fd2236f5.tar.gz vyos-1x-c355b07c21b6cac7405a6e575947a181fd2236f5.zip | |
Merge pull request #2062 from vfreex/simple-fastpath-support
T4502: firewall: Add software flow offload using flowtable
Diffstat (limited to 'data/templates/firewall/nftables.j2')
| -rw-r--r-- | data/templates/firewall/nftables.j2 | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2 index 87630940b..1b764c9da 100644 --- a/data/templates/firewall/nftables.j2 +++ b/data/templates/firewall/nftables.j2 @@ -2,6 +2,7 @@ {% import 'firewall/nftables-defines.j2' as group_tmpl %} {% import 'firewall/nftables-bridge.j2' as bridge_tmpl %} +{% import 'firewall/nftables-offload.j2' as offload %} flush chain raw FW_CONNTRACK flush chain ip6 raw FW_CONNTRACK @@ -271,3 +272,26 @@ table bridge vyos_filter { {{ group_tmpl.groups(group, False, False) }} } {% endif %} +{{ group_tmpl.groups(group, True) }} +} + +table inet vyos_offload +delete table inet vyos_offload +table inet vyos_offload { +{% if flowtable_enabled %} +{% if global_options.flow_offload.hardware.interface is vyos_defined %} + {{- offload.render_flowtable('VYOS_FLOWTABLE_hardware', global_options.flow_offload.hardware.interface | list, priority='filter - 2', hardware_offload=true) }} + chain VYOS_OFFLOAD_hardware { + type filter hook forward priority filter - 2; policy accept; + ct state { established, related } meta l4proto { tcp, udp } flow add @VYOS_FLOWTABLE_hardware + } +{% endif %} +{% if global_options.flow_offload.software.interface is vyos_defined %} + {{- offload.render_flowtable('VYOS_FLOWTABLE_software', global_options.flow_offload.software.interface | list, priority='filter - 1') }} + chain VYOS_OFFLOAD_software { + type filter hook forward priority filter - 1; policy accept; + ct state { established, related } meta l4proto { tcp, udp } flow add @VYOS_FLOWTABLE_software + } +{% endif %} +{% endif %} +} |