T4502: firewall: Add software flow offload using flowtable #2062
Conversation
vyosbot
requested review from
a team,
dmbaturin,
sarthurdev,
zdc,
jestabro,
sever-sever and
c-po
and removed request for
a team
vfreex
force-pushed
the
simple-fastpath-support
branch
from
41e6dc7
to
acd53c0
Compare
| <properties> | ||
| <help>Interfaces to enable</help> | ||
| <completionHelp> | ||
| <script>${vyos_completion_dir}/list_interfaces --type ethernet</script> |
There was a problem hiding this comment.
Why Ethernet only?
It could be tunnel, wireguard or PPPoE, etc.
There was a problem hiding this comment.
I was lazy at when writing this PR XD.
The reason is that when adding a virtual interface (e.g. a bridge, pppoe interface or vlan vif) to a flowtable, it actually adds the underlying physical interface. Therefore all ingress traffic from that physical interface will be offloaded.
e.g. if you add eth0.3 and eth1 to a flowtable, forwarding traffic between eth0.4 and eth1 will be offloaded as well.
So limiting it to ethernet could be less confusing for end-users.
|
There's a bigger change for firewall refactoring. #2016 Once we move forward with it, we plan to introduce flowtables and other features. |
|
Ack. Thanks for the info. |
|
@nicolas-fort Any ETA for when that refactoring might occur? Both https://vyos.dev/T4502 and https://vyos.dev/T5419 shows that implementing flowtable should be a fairly easy task (adding flowtable object which defines which interfaces it will operate on and then adding a line to the chains of IPv4 and IPv6 for it to utilize flowtable as a first option). Preferly this setting would be set through "set interface ethernet ethX". @sever-sever It seems that this feature acts on physical hardware only so setting it on tunnels either have not effect or is incorrect. As mentioned when setting it on example eth1 then everything that flows through eth1 will be accelerated. Im still trying to find out any drawbacks but right now it seems that enabling the software flowtable should be safe for all users (even if this offloading option probably should be disabled by default anyway at least in the first rolling releases) while enabling hardware flowtable depends on which NIC's and drivers you are using (only a few seems to properly support this as of today). |
|
This pull request has conflicts, please resolve those before we can evaluate the pull request. |
|
Now that firewall refactor was merged, I suggest working on this feature again. It should create proper rule, and corresponding flowtable. |
|
As I understand there are no inbound/outbound interfaces |
Agree.. This is an example in order to re-use current cli.. |
|
Given the description at: https://firewalld.org/2023/05/nftables-flowtable I would suggest to either make it global, something like: or per interface: I would prefer to have it named "offload nftables" or "offload nftables_flowtable" rather than just "offload nft" which might be too short. |
I would prefer don’t use nftables at all for name of this feature. |
|
Better CLI nodes would be:
So this blends in the current CLI options for offloading in ethernet (but at the cost of adding a dependency call to the firewall script - which is something we try to avoid at all cost) - So I'd stick with the global option only and not make it more complex then necessary. |
|
The ones proposed works fine for me :-) Then regarding if it should be global or not... "Normally" I think it would make things easier with just Where: is default or if not set. Because "normally" you want this to be enabled and since it acts on physical interfaces you would either have it enabled for all interfaces or for no interfaces. It would match the other globals such as: Because technically one might want to enabled broadcast-pings on just eth2 and no other interface. So having the flowtable setting as a global-option would match that design. But with that being said there might show up situations where one nic (due to different vendor/model and because of that the driver) for whatever reason is not to happy with flowtable and must have it disabled for whatever reason. For that case then: Would be prefered. Because I assume VyOS wouldnt like to have it configurable at two places? Something like: would mean that interface 1-8 have offloading enabled EXCEPT interface eth2 and eth3. On the other hand having the offloading per interface (even if it would be handy) instead as a global-option can lead to increased amount of support cases where the user for example enabled Perhaps the global-option could have an exclude list which normally is empty? |
|
I would prefer to have it's own configuration as a new section insde firewall. Allow some matcher, such as protocol (tcp, udp) and ports. Then generate one flowtable per rule. |
@nicolas-fort I don't think we need any rules here. @c-po Which interface will it configure without explicitly setting them? |
|
@nicolas-fort Personally I would vote for the simplicity of: That is its globally enabled but the admin have the ability to for whatever reason exclude one or more interfaces from the flowtable optimization. The admin shouldnt need to care for adding this per rule or per flow etc since it should operate on the interface itself as described in: https://firewalld.org/2023/05/nftables-flowtable |
@Apachez- in your example and link setting interfaces are required so without setting interfaces it won’t work at all |
|
But VyOS already know which interfaces exists (part of generating that interface list in conf-mode). So use that list (perhaps also match so the interface isnt shutdown/disabled) to define flowtable for all interfaces (if Whats needed is: 1: where the devices are the interfaces to have this enabled. 2: Add this as 2nd line in FORWARD (and probably INPUT aswell?) chain: 3: Done! :-) To begin with this ( Or am I missing something here? |
|
I’m against global option until it’s doesn’t support natively in nft. |
|
It looks good but I have some doubts:
Maybe it's a good start merging this PR, because benefits from flowtables are more than welcome and needed.. But we should consider and think on how to cover hardware offload too. So far, I had no clear ideas on how to implement it. |
https://docs.vyos.io/en/latest/configuration/interfaces/ethernet.html#offloading
Where default is (to follow the designpattern of offloading for interfaces which are default disabled): 2.1 When it comes to adding support for hw-offloading this must be tested how things work out if you enable hw-offloading for an interface which doesnt support HW_OFFLOAD. I mean so the admin doesnt enable hw-offloading and after reboot lost access to the VyOS device. A check for HW_OFFLOAD flag during commit would be prefered and issue a log warning that a particular interface might not support the asked feature (in case admin have selected a non-supporting interface for hw-offloading through flowtable). 2.2 When it comes to naming I like systems which are self-explanatory as in you dont have to spend hours of reading manual and training to do basic configuration. That is one suggestion would be to in future updates separate flowtable into software-flowtable and hardware-flowtable. Checks might be needed if software and hardware offloading can be runned at the same time for a particular interface. Where default is (again to match the design pattern of offloading for interfaces): |
|
@nicolas-fort nicolas-fort
I was following other people's suggestion for the CLI structure. I guess it means we can add another offload approach in the future (e.g. hardware offload). Maybe it is better to be called
I don't have a hardware supporting hardware offload, but I saw OpenWRT demonstrated how they do hardware offload on mt7621 SoC: The Linux Kernel Documentation says "You can create as many flowtables as you want in case you need to perform resource partitioning." and "If your network device provides hardware offload support, you can turn it on by means of the 'offload' flag in your flowtable definition, e.g.", but I didn't see a clear description about the behavior if we mix interfaces. So more information or testing is needed. |
I like the idea of having I am not sure if the implication of Also for |
|
@vfreex In my case the below would yield the same result (as in no flowtable is configured in nft): But if the above would be an issue in the VyOS config engine then "none" can be removed from available options for "flowtable interfaces". The "any" option for "flowtable interface" would be really nice if that could be implemented in short future. Mainly for the case where (again must be verified with testing) you can just blindly enable both software- and hardware-flowtable for all interfaces and those who doesnt support hw but supports sw will utilize that sw-acceleration and those who support neither will work just as if they werent part of that interface list (and those who support both will well have both hw- and sw-acceleration - again must be tested so it isnt that an ingress interface can only be hw OR sw accelerated). Flowtable acts on ingress physical interface (so ethX in VyOS case) but since 5.13 also supports bridges. What happens in this case is that the kernel will resolve which physical interfaces are part of lets say br0 and apply the flowtable for the ingress of these interfaces according to https://docs.kernel.org/networking/nf_flowtable.html |
vfreex
changed the title
vfreex
force-pushed
the
simple-fastpath-support
branch
from
a0d9c45
to
1f50ab5
Compare
|
Thanks for the review. I've updated this PR as follows:
Note I don't really have a hardware that supports hardware offload. This setup totally comes from my understanding of the documentation. When I tried to add an unsupported interface for hardware offload, I got
|
|
@Apachez- I couldn't add an interface that doesn't support hardware offload to hardware-flowtable. I got the following error: This is the nftables config that I wanted to apply: Not sure if I did something wrong or it worked as expected. Based on my assumption that hardware flowtable can only contain interfaces that support hardware offload, I split this to 2 separate flowtables: One for software, another for hardware. I also removed the restriction to allow any interface to be added to flowtable. So nftables will complain if the interface is not supported. |
|
I wonder if we should instead follow the new CLI of the refactor when defining and applying flowtables? Example: This way you can create as many sw/hw offloaded flowtables as needed and the CLI is consistent with the refactor. (e.g. |
|
@sarthurdev As discussed earlier, using rules to configure flowtable could be an overkill for now. Personally I prefer to keep it simple at least for now. |
I would prefer explicitly defining the table and rules in CLI. That way you can see in the firewall config, the flowtable definition and the rules that reference it and know how it should operate - instead of the creation and rules being done for you behind the scenes. |
+1 |
The following commands will enable nftables flowtable offload on interfaces eth0 eth1:
```
set firewall global-options flow-offload software interface <name>
set firewall global-options flow-offload hardware interface <name>
```
Generated nftables rules:
```
table inet vyos_offload {
flowtable VYOS_FLOWTABLE_software {
hook ingress priority filter - 1; devices = { eth0, eth1, eth2, eth3 };
counter
}
chain VYOS_OFFLOAD_software {
type filter hook forward priority filter - 1; policy accept;
ct state { established, related } meta l4proto { tcp, udp } flow add @VYOS_FLOWTABLE_software
}
}
```
Use this option to count packets and bytes for each offloaded flow:
```
set system conntrack flow-accounting
```
To verify a connection is offloaded, run
```
cat /proc/net/nf_conntrack|grep OFFLOAD
```
This PR follows firewalld's implementation: https://github.com/firewalld/firewalld/blob/e748b97787d685d0ca93f58e8d4292e87d3f0da6/src/firewall/core/nftables.py#L590
A good introduction to nftables flowtable: https://thermalcircle.de/doku.php?id=blog:linux:flowtables_1_a_netfilter_nftables_fastpath
vfreex
force-pushed
the
simple-fastpath-support
branch
from
1f50ab5
to
f909c17
Compare
|
PR rebased |
|
no plans to merge this? |
|
Yeah, any ETA for merge? Both software and hardware flowtables is a welcomed addition in terms of added performance. |
@vfreex I built the iso with this PR but getting a strange error... also appears in the smoke test https://github.com/vyos/vyos-rolling-nightly-builds/actions/runs/6192281781/job/16812090664 |
|
So that means that there is one "}" too many in the rendered config by /usr/share/vyos/templates/firewall/nftables.j2: I think the error is at line 275-276: vyos-1x/data/templates/firewall/nftables.j2 Lines 275 to 276 in 249f391 For "Bridge Firewall" the table is deleted "delete table bridge vyos_filter". And then only created if "{% if bridge is vyos_defined %}". But then comes these two lines out of nowhere: Possible for you to comment out line 275 and 276 in /usr/share/vyos/templates/firewall/nftables.j2 at your installation and try to run the commit again? You might need to either reboot the box or restart vyos-configd before doing so: Also before doing so try to take a backup copy of /run/nftables.conf after that failed commit and then another backup after commit when you have done the above modification. If possible please upload both to this thread. |
|
@Apachez- thank you very much, it appears to be working now |
When rebasing vyos#2062, some additional lines are mistakenly included. vyos@45cfd56 has removed the extra `}`, but the `{{ group_tmpl.groups(group, True) }}` line needs to be removed as well.
|
Note to peoeple using CLI in this PR, next rolling image has changed flowtable CLI without automated migration (Due to being so close together, and not between release versions). Recommended to delete flowtable node prior updating to a newer rolling image. |
Change Summary
The following commands will enable nftables flowtable offload on interfaces eth0 eth1:
Generated nftables rules:
Use this option to count packets and bytes for each offloaded flow:
To verify a connection is offloaded, run
This PR follows firewalld's implementation: https://github.com/firewalld/firewalld/blob/e748b97787d685d0ca93f58e8d4292e87d3f0da6/src/firewall/core/nftables.py#L590
A good introduction to nftables flowtable: https://thermalcircle.de/doku.php?id=blog:linux:flowtables_1_a_netfilter_nftables_fastpath
Types of changes
Related Task(s)
Component(s) name
Proposed changes
How to test
Checklist: