author | Nicolas Fort <nicolasfort1988@gmail.com> | 2023-11-21 17:36:20 +0000 |
committer | Nicolas Fort <nicolasfort1988@gmail.com> | 2023-11-21 17:36:20 +0000 |
commit | 4e8839b6d78c7629cd2c1daee0438472c96365a4 (patch) | |
tree | 1d70d79a5f3d1c2b31f962afdb7e908af5548d27 /data/templates/firewall | |
parent | 916adfaf0774df0731522bf3cbd886d794735c50 (diff) | |
T5419: firewall: backport firewall flowtable to Sagitta.
Diffstat (limited to 'data/templates/firewall')
-rw-r--r-- | data/templates/firewall/nftables-offload.j2 | 9 | ||||
-rw-r--r-- | data/templates/firewall/nftables.j2 | 13 |
2 files changed, 22 insertions, 0 deletions
diff --git a/data/templates/firewall/nftables-offload.j2 b/data/templates/firewall/nftables-offload.j2
new file mode 100644
index 000000000..087fd141c
--- /dev/null
+++ b/data/templates/firewall/nftables-offload.j2
@@ -0,0 +1,9 @@
+{% macro flowtable(name, config) %}
+ flowtable VYOS_FLOWTABLE_{{ name }} {
+ hook ingress priority 0; devices = { {{ config.interface | join(', ') }} };
+{% if config.offload is vyos_defined('hardware') %}
+ flags offload;
+{% endif %}
+ counter
+ }
+{% endmacro %}
\ No newline at end of file
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2
index 9fcacf677..91c4d0788 100644
--- a/data/templates/firewall/nftables.j2
+++ b/data/templates/firewall/nftables.j2
@@ -2,6 +2,7 @@
 {% import 'firewall/nftables-defines.j2' as group_tmpl %}
 {% import 'firewall/nftables-bridge.j2' as bridge_tmpl %}
+{% import 'firewall/nftables-offload.j2' as offload_tmpl %}
 {% import 'firewall/nftables-zone.j2' as zone_tmpl %}
 flush chain raw FW_CONNTRACK
@@ -38,6 +39,12 @@ delete table ip vyos_filter
 {% endif %}
 table ip vyos_filter {
 {% if ipv4 is vyos_defined %}
+{% if flowtable is vyos_defined %}
+{% for name, flowtable_conf in flowtable.items() %}
+{{ offload_tmpl.flowtable(name, flowtable_conf) }}
+{% endfor %}
+{% endif %}
+
 {% set ns = namespace(sets=[]) %}
 {% if ipv4.forward is vyos_defined %}
 {% for prior, conf in ipv4.forward.items() %}
@@ -160,6 +167,12 @@ delete table ip6 vyos_filter
 {% endif %}
 table ip6 vyos_filter {
 {% if ipv6 is vyos_defined %}
+{% if flowtable is vyos_defined %}
+{% for name, flowtable_conf in flowtable.items() %}
+{{ offload_tmpl.flowtable(name, flowtable_conf) }}
+{% endfor %}
+{% endif %}
+
 {% set ns = namespace(sets=[]) %}
 {% if ipv6.forward is vyos_defined %}
 {% for prior, conf in ipv6.forward.items() %}
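Review bot: `devices = { {{ config.interface | join(', ') }} };` in the new flowtable macro renders to the syntactically invalid `devices = {  };` when `config.interface` is empty or undefined, and nft then rejects the whole ruleset load rather than just this flowtable; unless the verify step already requires at least one interface, guard the macro body with `{% if config.interface is vyos_defined %}` or reject the config earlier. The `flags offload;` branch has the same blast radius: on a NIC whose driver lacks hardware flow offload support, nft refuses the flowtable at load time, so the `hardware` setting should be validated or at least documented as affecting the entire firewall load, and nft likewise requires every listed device to exist when the ruleset is applied (presumably relevant for interfaces that come up late, such as tunnels). The macro also carries no comment; a header like `{# Declares VYOS_FLOWTABLE_<name>; flows are only fast-pathed once a rule sends them here with 'flow add' #}` would make clear that declaring the table alone bypasses nothing.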
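Review bot: The five added lines from `{% if flowtable is vyos_defined %}` through `{% endif %}` in `table ip vyos_filter` are repeated verbatim in the following hunk for `table ip6 vyos_filter`; if the block is ever edited for one family and not the other, the IPv4 and IPv6 fast paths silently diverge, so I would hoist the loop into a second macro in nftables-offload.j2 (e.g. `offload_tmpl.flowtables(flowtable)`) and call it from both places. Note also that the block sits inside `{% if ipv4 is vyos_defined %}` (and `ipv6` in the next hunk), so a configured flowtable is only declared in a family that has firewall configuration — presumably intended, since the rules that reference it live under that family, but a one-line comment such as `{# flowtables are declared per family; rules reference them via flow add #}` would save the next reader the inference. The enclosing `table ip vyos_filter {` block continues outside the hunk.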