summaryrefslogtreecommitdiff
path: root/data/templates/firewall
diff options
context:
space:
mode:
authorYuxiang Zhu <vfreex@gmail.com>2023-08-26 05:28:11 +0000
committerYuxiang Zhu <vfreex@gmail.com>2023-09-09 08:16:04 +0000
commitf909c17aca4d48598d5eaee0df81bf64967902f0 (patch)
tree8641df807e45f9257f1603c0f467d5ec226c9618 /data/templates/firewall
parentf494325bfde2ba9ff708fa00a7582a5fb6182486 (diff)
downloadvyos-1x-f909c17aca4d48598d5eaee0df81bf64967902f0.tar.gz
vyos-1x-f909c17aca4d48598d5eaee0df81bf64967902f0.zip
T4502: firewall: Add software flow offload using flowtable
The following commands will enable nftables flowtable offload on interfaces eth0 eth1: ``` set firewall global-options flow-offload software interface <name> set firewall global-options flow-offload hardware interface <name> ``` Generated nftables rules: ``` table inet vyos_offload { flowtable VYOS_FLOWTABLE_software { hook ingress priority filter - 1; devices = { eth0, eth1, eth2, eth3 }; counter } chain VYOS_OFFLOAD_software { type filter hook forward priority filter - 1; policy accept; ct state { established, related } meta l4proto { tcp, udp } flow add @VYOS_FLOWTABLE_software } } ``` Use this option to count packets and bytes for each offloaded flow: ``` set system conntrack flow-accounting ``` To verify a connection is offloaded, run ``` cat /proc/net/nf_conntrack|grep OFFLOAD ``` This PR follows firewalld's implementation: https://github.com/firewalld/firewalld/blob/e748b97787d685d0ca93f58e8d4292e87d3f0da6/src/firewall/core/nftables.py#L590 A good introduction to nftables flowtable: https://thermalcircle.de/doku.php?id=blog:linux:flowtables_1_a_netfilter_nftables_fastpath
Diffstat (limited to 'data/templates/firewall')
-rw-r--r--data/templates/firewall/nftables-offload.j211
-rw-r--r--data/templates/firewall/nftables.j224
2 files changed, 35 insertions, 0 deletions
diff --git a/data/templates/firewall/nftables-offload.j2 b/data/templates/firewall/nftables-offload.j2
new file mode 100644
index 000000000..6afcd79f7
--- /dev/null
+++ b/data/templates/firewall/nftables-offload.j2
@@ -0,0 +1,11 @@
+{% macro render_flowtable(name, devices, priority='filter', hardware_offload=false, with_counter=true) %}
+flowtable {{ name }} {
+ hook ingress priority {{ priority }}; devices = { {{ devices | join(', ') }} };
+{% if hardware_offload %}
+ flags offload;
+{% endif %}
+{% if with_counter %}
+ counter
+{% endif %}
+}
+{% endmacro %}
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2
index 87630940b..1b764c9da 100644
--- a/data/templates/firewall/nftables.j2
+++ b/data/templates/firewall/nftables.j2
@@ -2,6 +2,7 @@
{% import 'firewall/nftables-defines.j2' as group_tmpl %}
{% import 'firewall/nftables-bridge.j2' as bridge_tmpl %}
+{% import 'firewall/nftables-offload.j2' as offload %}
flush chain raw FW_CONNTRACK
flush chain ip6 raw FW_CONNTRACK
@@ -271,3 +272,26 @@ table bridge vyos_filter {
{{ group_tmpl.groups(group, False, False) }}
}
{% endif %}
+{{ group_tmpl.groups(group, True) }}
+}
+
+table inet vyos_offload
+delete table inet vyos_offload
+table inet vyos_offload {
+{% if flowtable_enabled %}
+{% if global_options.flow_offload.hardware.interface is vyos_defined %}
+ {{- offload.render_flowtable('VYOS_FLOWTABLE_hardware', global_options.flow_offload.hardware.interface | list, priority='filter - 2', hardware_offload=true) }}
+ chain VYOS_OFFLOAD_hardware {
+ type filter hook forward priority filter - 2; policy accept;
+ ct state { established, related } meta l4proto { tcp, udp } flow add @VYOS_FLOWTABLE_hardware
+ }
+{% endif %}
+{% if global_options.flow_offload.software.interface is vyos_defined %}
+ {{- offload.render_flowtable('VYOS_FLOWTABLE_software', global_options.flow_offload.software.interface | list, priority='filter - 1') }}
+ chain VYOS_OFFLOAD_software {
+ type filter hook forward priority filter - 1; policy accept;
+ ct state { established, related } meta l4proto { tcp, udp } flow add @VYOS_FLOWTABLE_software
+ }
+{% endif %}
+{% endif %}
+}