From 382c6fc6ffe76d7ce418018f69902572701215a3 Mon Sep 17 00:00:00 2001
From: l0crian1
Date: Wed, 16 Apr 2025 12:31:34 -0400
Subject: firewall: T7358: add offload option to global state policy
Since the jump to the global state chain is inserted before all rules, it wasn't possible to use offload with the global state policies This commit adds a new chain for offloaded traffic in the forward chain and jumps to that chain. Please enter the commit message for your changes. Lines starting
---
 data/templates/firewall/nftables.j2 | 40 ++++++++++++++++++++++++++++++++++++--
 1 file changed, 38 insertions(+), 2 deletions(-)
(limited to 'data')
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2
index 67473da8e..4f2783e6f 100755
--- a/data/templates/firewall/nftables.j2
+++ b/data/templates/firewall/nftables.j2
@@ -47,7 +47,7 @@ table ip vyos_filter {
 chain VYOS_FORWARD_{{ prior }} {
 type filter hook forward priority {{ prior }}; policy accept;
 {% if global_options.state_policy is vyos_defined %}
- jump VYOS_STATE_POLICY
+ jump VYOS_STATE_POLICY_FORWARD
 {% endif %}
 {% if conf.rule is vyos_defined %}
 {% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
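Review bot: The forward hook now jumps to `VYOS_STATE_POLICY_FORWARD` under `{% if global_options.state_policy is vyos_defined %}`, so that chain must be rendered under exactly the same condition; in this commit the chain definition at @@ -181 is guarded by `global_options.state_policy.offload is vyos_defined` instead, which leaves the jump pointing at an undefined chain whenever a state policy is configured without offload (the two follow-up commits on this page remove that outer guard). Nothing at the jump site says why forward no longer shares VYOS_STATE_POLICY with the other hooks; a template comment such as `{# forward has its own state-policy chain so the flowtable offload rule can run before the per-rule chains #}` above the jump would record that. The IPv6 jump at @@ -200 has the same shape and deserves the same comment.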
@@ -181,6 +181,24 @@ table ip vyos_filter {
 return
 }
 {% endif %}
+
+{% if global_options.state_policy.offload is vyos_defined %}
+ chain VYOS_STATE_POLICY_FORWARD {
+{% if global_options.state_policy.offload is vyos_defined %}
+ counter flow add @VYOS_FLOWTABLE_{{ global_options.state_policy.offload.offload_target }}
+{% endif %}
+{% if global_options.state_policy.established is vyos_defined %}
+ {{ global_options.state_policy.established | nft_state_policy('established') }}
+{% endif %}
+{% if global_options.state_policy.invalid is vyos_defined %}
+ {{ global_options.state_policy.invalid | nft_state_policy('invalid') }}
+{% endif %}
+{% if global_options.state_policy.related is vyos_defined %}
+ {{ global_options.state_policy.related | nft_state_policy('related') }}
+{% endif %}
+ return
+ }
+{% endif %}
 }
 
 {% if first_install is not vyos_defined %}
@@ -200,7 +218,7 @@ table ip6 vyos_filter {
 chain VYOS_IPV6_FORWARD_{{ prior }} {
 type filter hook forward priority {{ prior }}; policy accept;
 {% if global_options.state_policy is vyos_defined %}
- jump VYOS_STATE_POLICY6
+ jump VYOS_STATE_POLICY6_FORWARD
 {% endif %}
 {% if conf.rule is vyos_defined %}
 {% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
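Review bot: The `counter flow add @VYOS_FLOWTABLE_...` rule is the first statement of the new chain and carries no match, so every packet reaching the forward hook evaluates it before the established/invalid/related policies and before any per-rule chain after the jump. As far as I know the kernel's flow offload only picks up conntrack-tracked TCP/UDP connections, so invalid packets should not be offloaded, but once a connection is offloaded its later packets bypass the remainder of the forward chain entirely, including the `invalid` policy and the rules that follow; that is the intended trade-off of offload, yet it is invisible to the next person editing this template. A comment above the rule, e.g. `{# packets of an offloaded flow skip all later forward rules; only tracked TCP/UDP connections are accepted by flow add #}`, would make the ordering deliberate. The inner `{% if global_options.state_policy.offload is vyos_defined %}` merely repeats the outer guard in this commit. The IPv6 twin at @@ -332 has the same shape.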
@@ -332,6 +350,24 @@ table ip6 vyos_filter {
 return
 }
 {% endif %}
+
+{% if global_options.state_policy.offload is vyos_defined %}
+ chain VYOS_STATE_POLICY6_FORWARD {
+{% if global_options.state_policy.offload is vyos_defined %}
+ counter flow add @VYOS_FLOWTABLE_{{ global_options.state_policy.offload.offload_target }}
+{% endif %}
+{% if global_options.state_policy.established is vyos_defined %}
+ {{ global_options.state_policy.established | nft_state_policy('established') }}
+{% endif %}
+{% if global_options.state_policy.invalid is vyos_defined %}
+ {{ global_options.state_policy.invalid | nft_state_policy('invalid') }}
+{% endif %}
+{% if global_options.state_policy.related is vyos_defined %}
+ {{ global_options.state_policy.related | nft_state_policy('related') }}
+{% endif %}
+ return
+ }
+{% endif %}
 }
 
 ## Bridge Firewall
-- cgit v1.2.3
From 76c4fcbad8698f277b2b5ed859edb068359af463 Mon Sep 17 00:00:00 2001
From: l0crian1
Date: Fri, 18 Apr 2025 10:16:59 -0400
Subject: firewall: T7358: add offload option to global state policy
- Fixed CI smoketest failures
---
 data/templates/firewall/nftables.j2 | 6 ------
 1 file changed, 6 deletions(-)
(limited to 'data')
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2
index 4f2783e6f..e07c9a652 100755
--- a/data/templates/firewall/nftables.j2
+++ b/data/templates/firewall/nftables.j2
@@ -180,9 +180,7 @@ table ip vyos_filter {
 {% endif %}
 return
 }
-{% endif %}
 
-{% if global_options.state_policy.offload is vyos_defined %}
 chain VYOS_STATE_POLICY_FORWARD {
 {% if global_options.state_policy.offload is vyos_defined %}
 counter flow add @VYOS_FLOWTABLE_{{ global_options.state_policy.offload.offload_target }}
@@ -199,7 +197,6 @@ table ip vyos_filter {
 return
 }
 {% endif %}
-}
 
 {% if first_install is not vyos_defined %}
 delete table ip6 vyos_filter
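Review bot: This chain body is a line-for-line copy of VYOS_STATE_POLICY_FORWARD from @@ -181 apart from the chain name, and both copy the established/invalid/related triplet of the existing state-policy chains, so the same guarded `{{ ... | nft_state_policy(...) }}` block now exists in four places that have to be kept in step by hand. A Jinja `{% macro state_policy_rules() %}` holding the three guarded lines, called from each chain, would keep the IPv4/IPv6 and forward/non-forward variants identical. The `@VYOS_FLOWTABLE_{{ ... offload_target }}` reference sits inside `table ip6 vyos_filter`, and whether a flowtable of that name is rendered in the ip6 table as well as the ip table is not visible here; if it only exists in one family the ruleset fails to load, so that is worth confirming.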
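Review bot: With the outer `{% if global_options.state_policy.offload is vyos_defined %}` gone, VYOS_STATE_POLICY_FORWARD is now rendered under whatever guard encloses the preceding chain, whose opening `{% if %}` starts outside this hunk; presumably that is `{% if global_options.state_policy is vyos_defined %}`, which is the condition under which VYOS_FORWARD_* jumps to the chain, so the two should now agree. The `{% endif %}` deleted here was the one closing that guard, so the chain's validity now depends on the `{% endif %}` after its own `return`/`}` at @@ -199 being the only remaining closer; a one-line template comment on that `{% endif %}` naming the guard it closes would keep the next edit from unbalancing it again. The IPv6 twin at @@ -349 has the same structure.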
@@ -349,9 +346,7 @@ table ip6 vyos_filter {
 {% endif %}
 return
 }
-{% endif %}
 
-{% if global_options.state_policy.offload is vyos_defined %}
 chain VYOS_STATE_POLICY6_FORWARD {
 {% if global_options.state_policy.offload is vyos_defined %}
 counter flow add @VYOS_FLOWTABLE_{{ global_options.state_policy.offload.offload_target }}
@@ -368,7 +363,6 @@ table ip6 vyos_filter {
 return
 }
 {% endif %}
-}
 
 ## Bridge Firewall
 {% if first_install is not vyos_defined %}
-- cgit v1.2.3
From 12ba00ecdd2927207106f709a3ba2b23448a5997 Mon Sep 17 00:00:00 2001
From: l0crian1
Date: Fri, 18 Apr 2025 10:26:18 -0400
Subject: firewall: T7358: add offload option to global state policy
- fixed CI smoketest failures (again)
---
 data/templates/firewall/nftables.j2 | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'data')
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2
index e07c9a652..a78119a80 100755
--- a/data/templates/firewall/nftables.j2
+++ b/data/templates/firewall/nftables.j2
@@ -197,6 +197,7 @@ table ip vyos_filter {
 return
 }
 {% endif %}
+}
 
 {% if first_install is not vyos_defined %}
 delete table ip6 vyos_filter
@@ -363,6 +364,7 @@ table ip6 vyos_filter {
 return
 }
 {% endif %}
+}
 
 ## Bridge Firewall
 {% if first_install is not vyos_defined %}
-- cgit v1.2.3