From f909c17aca4d48598d5eaee0df81bf64967902f0 Mon Sep 17 00:00:00 2001 From: Yuxiang Zhu Date: Sat, 26 Aug 2023 05:28:11 +0000 Subject: T4502: firewall: Add software flow offload using flowtable The following commands will enable nftables flowtable offload on interfaces eth0 eth1: ``` set firewall global-options flow-offload software interface set firewall global-options flow-offload hardware interface ``` Generated nftables rules: ``` table inet vyos_offload { flowtable VYOS_FLOWTABLE_software { hook ingress priority filter - 1; devices = { eth0, eth1, eth2, eth3 }; counter } chain VYOS_OFFLOAD_software { type filter hook forward priority filter - 1; policy accept; ct state { established, related } meta l4proto { tcp, udp } flow add @VYOS_FLOWTABLE_software } } ``` Use this option to count packets and bytes for each offloaded flow: ``` set system conntrack flow-accounting ``` To verify a connection is offloaded, run ``` cat /proc/net/nf_conntrack|grep OFFLOAD ``` This PR follows firewalld's implementation: https://github.com/firewalld/firewalld/blob/e748b97787d685d0ca93f58e8d4292e87d3f0da6/src/firewall/core/nftables.py#L590 A good introduction to nftables flowtable: https://thermalcircle.de/doku.php?id=blog:linux:flowtables_1_a_netfilter_nftables_fastpath --- data/templates/conntrack/sysctl.conf.j2 | 1 + data/templates/firewall/nftables-offload.j2 | 11 +++++++++++ data/templates/firewall/nftables.j2 | 24 ++++++++++++++++++++++++ 3 files changed, 36 insertions(+) create mode 100644 data/templates/firewall/nftables-offload.j2 (limited to 'data/templates') diff --git a/data/templates/conntrack/sysctl.conf.j2 b/data/templates/conntrack/sysctl.conf.j2 index 075402c04..3d6fc43f2 100644 --- a/data/templates/conntrack/sysctl.conf.j2 +++ b/data/templates/conntrack/sysctl.conf.j2 @@ -24,3 +24,4 @@ net.netfilter.nf_conntrack_tcp_timeout_time_wait = {{ timeout.tcp.time_wait }} net.netfilter.nf_conntrack_udp_timeout = {{ timeout.udp.other }} net.netfilter.nf_conntrack_udp_timeout_stream = {{ timeout.udp.stream }} +net.netfilter.nf_conntrack_acct = {{ '1' if flow_accounting is vyos_defined else '0' }} diff --git a/data/templates/firewall/nftables-offload.j2 b/data/templates/firewall/nftables-offload.j2 new file mode 100644 index 000000000..6afcd79f7 --- /dev/null +++ b/data/templates/firewall/nftables-offload.j2 @@ -0,0 +1,11 @@ +{% macro render_flowtable(name, devices, priority='filter', hardware_offload=false, with_counter=true) %} +flowtable {{ name }} { + hook ingress priority {{ priority }}; devices = { {{ devices | join(', ') }} }; +{% if hardware_offload %} + flags offload; +{% endif %} +{% if with_counter %} + counter +{% endif %} +} +{% endmacro %} diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2 index 87630940b..1b764c9da 100644 --- a/data/templates/firewall/nftables.j2 +++ b/data/templates/firewall/nftables.j2 @@ -2,6 +2,7 @@ {% import 'firewall/nftables-defines.j2' as group_tmpl %} {% import 'firewall/nftables-bridge.j2' as bridge_tmpl %} +{% import 'firewall/nftables-offload.j2' as offload %} flush chain raw FW_CONNTRACK flush chain ip6 raw FW_CONNTRACK @@ -271,3 +272,26 @@ table bridge vyos_filter { {{ group_tmpl.groups(group, False, False) }} } {% endif %} +{{ group_tmpl.groups(group, True) }} +} + +table inet vyos_offload +delete table inet vyos_offload +table inet vyos_offload { +{% if flowtable_enabled %} +{% if global_options.flow_offload.hardware.interface is vyos_defined %} + {{- offload.render_flowtable('VYOS_FLOWTABLE_hardware', global_options.flow_offload.hardware.interface | list, priority='filter - 2', hardware_offload=true) }} + chain VYOS_OFFLOAD_hardware { + type filter hook forward priority filter - 2; policy accept; + ct state { established, related } meta l4proto { tcp, udp } flow add @VYOS_FLOWTABLE_hardware + } +{% endif %} +{% if global_options.flow_offload.software.interface is vyos_defined %} + {{- offload.render_flowtable('VYOS_FLOWTABLE_software', global_options.flow_offload.software.interface | list, priority='filter - 1') }} + chain VYOS_OFFLOAD_software { + type filter hook forward priority filter - 1; policy accept; + ct state { established, related } meta l4proto { tcp, udp } flow add @VYOS_FLOWTABLE_software + } +{% endif %} +{% endif %} +} -- cgit v1.2.3