T4502: firewall: Add software fastpath with nftables flowtable

The following commands will enable nftables flowtable offload on interfaces `eth0` `eth1`: ``` set firewall fastpath interface eth0 set firewall fastpath interface eth1 commit ``` Generated nftables rules: ``` flowtable VYOS_FASTPATH { hook ingress priority filter devices = { eth0, eth1, eth2, pppoe0 } } chain VYOS_FW_FORWARD { type filter hook forward priority filter; policy accept; ct state { established, related } meta l4proto { tcp, udp } flow add @VYOS_FASTPATH } ``` To verify a connection is offloaded, run ``` cat /proc/net/nf_conntrack|grep OFFLOAD ipv6 10 tcp 6 src=* dst=* sport=32826 dport=5201 src=* dst=* sport=5201 dport=32826 [OFFLOAD] mark=0 zone=0 use=3 ```
vyos · Jul 1, 2023 · acd53c0 · acd53c0
1 parent badb234
commit acd53c0
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 2 deletions.
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2
@@ -7,8 +7,16 @@
 delete table ip vyos_filter
 {% endif %}
 table ip vyos_filter {
+{% if fastpath.interface is vyos_defined %}
+    flowtable VYOS_FASTPATH {
+        hook ingress priority 0; devices = { {{ fastpath.interface | join(', ') }} };
+    }
+{% endif %}
     chain VYOS_FW_FORWARD {
         type filter hook forward priority 0; policy accept;
+{% if fastpath.interface is vyos_defined %}
+        ct state { established, related } meta l4proto { tcp, udp } flow add @VYOS_FASTPATH
+{% endif %}
 {% if state_policy is vyos_defined %}
         jump VYOS_STATE_POLICY
 {% endif %}
@@ -116,8 +124,16 @@ table ip vyos_filter {
 delete table ip6 vyos_filter
 {% endif %}
 table ip6 vyos_filter {
+{% if fastpath.interface is vyos_defined %}
+    flowtable VYOS_FASTPATH6 {
+        hook ingress priority 0; devices = { {{ fastpath.interface | join(', ') }} };
+    }
+{% endif %}
     chain VYOS_FW6_FORWARD {
         type filter hook forward priority 0; policy accept;
+{% if fastpath.interface is vyos_defined %}
+        ct state { established, related } meta l4proto { tcp, udp } flow add @VYOS_FASTPATH6
+{% endif %}
 {% if state_policy is vyos_defined %}
         jump VYOS_STATE_POLICY6
 {% endif %}

diff --git a/data/vyos-firewall-init.conf b/data/vyos-firewall-init.conf
@@ -20,7 +20,7 @@ table raw {
     }
 
     chain PREROUTING {
-        type filter hook prerouting priority -200; policy accept;
+        type filter hook prerouting priority -300; policy accept;
         counter jump VYOS_CT_IGNORE
         counter jump VYOS_CT_TIMEOUT
         counter jump VYOS_CT_PREROUTING_HOOK
@@ -29,7 +29,7 @@ table raw {
     }
 
     chain OUTPUT {
-        type filter hook output priority -200; policy accept;
+        type filter hook output priority -300; policy accept;
         counter jump VYOS_CT_IGNORE
         counter jump VYOS_CT_TIMEOUT
         counter jump VYOS_CT_OUTPUT_HOOK

diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in
@@ -66,6 +66,22 @@
         </properties>
         <defaultValue>disable</defaultValue>
       </leafNode>
+      <node name="fastpath">
+        <properties>
+          <help>Software fastpath with nftables flowtable</help>
+        </properties>
+        <children>
+          <leafNode name="interface">
+            <properties>
+              <help>Interfaces to enable</help>
+              <completionHelp>
+                <script>${vyos_completion_dir}/list_interfaces --type ethernet</script>
+              </completionHelp>
+              <multi/>
+            </properties>
+          </leafNode>
+        </children>
+      </node>
       <node name="group">
         <properties>
           <help>Firewall group</help>