diff options
author | Daniil Baturin <daniil@vyos.io> | 2023-11-22 00:09:33 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-11-22 00:09:33 +0000 |
commit | c87edc8f1f61dda36ece893dc523fa73e69307df (patch) | |
tree | 9048cc2d1cfcc6cfc76e3154bd9bf427dc69264c /data/templates | |
parent | d1750790419d9db3e4d71974005190752c7928e0 (diff) | |
parent | 4e8839b6d78c7629cd2c1daee0438472c96365a4 (diff) | |
download | vyos-1x-c87edc8f1f61dda36ece893dc523fa73e69307df.tar.gz vyos-1x-c87edc8f1f61dda36ece893dc523fa73e69307df.zip |
Merge pull request #2517 from nicolas-fort/T5419-FT-Sagitta
T5419: firewall: backport firewall flowtable to Sagitta.
Diffstat (limited to 'data/templates')
-rw-r--r-- | data/templates/firewall/nftables-offload.j2 | 9 | ||||
-rw-r--r-- | data/templates/firewall/nftables.j2 | 13 |
2 files changed, 22 insertions, 0 deletions
diff --git a/data/templates/firewall/nftables-offload.j2 b/data/templates/firewall/nftables-offload.j2 new file mode 100644 index 000000000..087fd141c --- /dev/null +++ b/data/templates/firewall/nftables-offload.j2 @@ -0,0 +1,9 @@ +{% macro flowtable(name, config) %} + flowtable VYOS_FLOWTABLE_{{ name }} { + hook ingress priority 0; devices = { {{ config.interface | join(', ') }} }; +{% if config.offload is vyos_defined('hardware') %} + flags offload; +{% endif %} + counter + } +{% endmacro %}
\ No newline at end of file diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2 index 9fcacf677..91c4d0788 100644 --- a/data/templates/firewall/nftables.j2 +++ b/data/templates/firewall/nftables.j2 @@ -2,6 +2,7 @@ {% import 'firewall/nftables-defines.j2' as group_tmpl %} {% import 'firewall/nftables-bridge.j2' as bridge_tmpl %} +{% import 'firewall/nftables-offload.j2' as offload_tmpl %} {% import 'firewall/nftables-zone.j2' as zone_tmpl %} flush chain raw FW_CONNTRACK @@ -38,6 +39,12 @@ delete table ip vyos_filter {% endif %} table ip vyos_filter { {% if ipv4 is vyos_defined %} +{% if flowtable is vyos_defined %} +{% for name, flowtable_conf in flowtable.items() %} +{{ offload_tmpl.flowtable(name, flowtable_conf) }} +{% endfor %} +{% endif %} + {% set ns = namespace(sets=[]) %} {% if ipv4.forward is vyos_defined %} {% for prior, conf in ipv4.forward.items() %} @@ -160,6 +167,12 @@ delete table ip6 vyos_filter {% endif %} table ip6 vyos_filter { {% if ipv6 is vyos_defined %} +{% if flowtable is vyos_defined %} +{% for name, flowtable_conf in flowtable.items() %} +{{ offload_tmpl.flowtable(name, flowtable_conf) }} +{% endfor %} +{% endif %} + {% set ns = namespace(sets=[]) %} {% if ipv6.forward is vyos_defined %} {% for prior, conf in ipv6.forward.items() %} |