Age | Commit message | Author
---|---|---
2023-09-16 | conntrack: T5571: Refactor conntrack to be independent conf script from firewall, nat, nat66 | sarthurdev
2023-09-14 | Merge pull request #2062 from vfreex/simple-fastpath-support (body: T4502: firewall: Add software flow offload using flowtable) | Viacheslav Hletenko
2023-09-10 | T4309: Fix conntrack template group | Viacheslav Hletenko
2023-09-09 | T4502: firewall: Add software flow offload using flowtable (full commit message below) | Yuxiang Zhu
2023-09-04 | conntrack: T4309: T4903: Refactor `system conntrack ignore` rule generation, add IPv6 support and firewall groups | sarthurdev
2022-05-01 | conntrack: T4353: fix Jinja2 linting errors | Christian Poessinger
2022-04-13 | conntrack: T4333: migrate to new vyos_defined Jinja2 test | Christian Poessinger
2022-04-03 | conntrack: T4333: migrate to new vyos_defined Jinja2 test | Christian Poessinger
2022-01-10 | conntrack: T3579: prepare for "conntrack timeout custom rule" CLI commands | Christian Poessinger
2022-01-10 | conntrack: T3579: use "notrack" over "return" in nft statements | Christian Poessinger
2022-01-10 | conntrack: T3579: migrate "conntrack ignore" tree to vyos-1x and nftables | Christian Poessinger
2021-05-27 | conntrack: T3579: initial implementation with XML and Python | Christian Poessinger

Full commit message for T4502 (2023-09-09, Yuxiang Zhu):

The following commands will enable nftables flowtable offload on interfaces eth0 eth1:

```
set firewall global-options flow-offload software interface <name>
set firewall global-options flow-offload hardware interface <name>
```

Generated nftables rules:

```
table inet vyos_offload {
    flowtable VYOS_FLOWTABLE_software {
        hook ingress priority filter - 1; devices = { eth0, eth1, eth2, eth3 }; counter
    }
    chain VYOS_OFFLOAD_software {
        type filter hook forward priority filter - 1; policy accept;
        ct state { established, related } meta l4proto { tcp, udp } flow add @VYOS_FLOWTABLE_software
    }
}
```

Use this option to count packets and bytes for each offloaded flow:

```
set system conntrack flow-accounting
```

To verify a connection is offloaded, run

```
cat /proc/net/nf_conntrack | grep OFFLOAD
```

This PR follows firewalld's implementation: https://github.com/firewalld/firewalld/blob/e748b97787d685d0ca93f58e8d4292e87d3f0da6/src/firewall/core/nftables.py#L590

A good introduction to nftables flowtable: https://thermalcircle.de/doku.php?id=blog:linux:flowtables_1_a_netfilter_nftables_fastpath