
T4502: firewall: Add software flow offload using flowtable #2062

Merged: 1 commit, Sep 14, 2023

Commits on Sep 9, 2023

  1. T4502: firewall: Add software flow offload using flowtable

    The following commands will enable nftables flowtable offload on interfaces eth0 and eth1:
    
    ```
    set firewall global-options flow-offload software interface <name>
    set firewall global-options flow-offload hardware interface <name>
    ```
    
    Generated nftables rules:
    
    ```
    table inet vyos_offload {
        flowtable VYOS_FLOWTABLE_software {
            hook ingress priority filter - 1; devices = { eth0, eth1, eth2, eth3 };
            counter
        }
    
        chain VYOS_OFFLOAD_software {
            type filter hook forward priority filter - 1; policy accept;
            ct state { established, related } meta l4proto { tcp, udp } flow add @VYOS_FLOWTABLE_software
        }
    }
    ```
    
    Use this option to count packets and bytes for each offloaded flow:
    
    ```
    set system conntrack flow-accounting
    ```
    
    To verify a connection is offloaded, run
    
    ```
    cat /proc/net/nf_conntrack|grep OFFLOAD
    ```
    
    This PR follows firewalld's implementation: https://github.com/firewalld/firewalld/blob/e748b97787d685d0ca93f58e8d4292e87d3f0da6/src/firewall/core/nftables.py#L590
    
    A good introduction to nftables flowtable: https://thermalcircle.de/doku.php?id=blog:linux:flowtables_1_a_netfilter_nftables_fastpath
    vfreex committed Sep 9, 2023
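An added example, not part of this PR or of VyOS: a small Python parser for the /proc/net/nf_conntrack lines the commit message says to grep for OFFLOAD. It distinguishes software offload ([OFFLOAD]) from hardware offload ([HW_OFFLOAD]) and sums the per-flow packet and byte counters that appear once flow-accounting is enabled. The sample lines are constructed, not captured from a real system.

```python
import re
from collections import Counter

# Constructed sample of /proc/net/nf_conntrack output (not a real capture).
# The kernel prints [HW_OFFLOAD], [OFFLOAD] or [ASSURED] after the reply tuple.
SAMPLE = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=198.51.100.7 sport=51234 dport=443 packets=12 bytes=1540 src=198.51.100.7 dst=203.0.113.5 sport=443 dport=51234 packets=10 bytes=8120 [OFFLOAD] mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=192.168.1.11 dst=198.51.100.53 sport=40000 dport=53 packets=1 bytes=72 src=198.51.100.53 dst=203.0.113.5 sport=53 dport=40000 packets=1 bytes=88 [OFFLOAD] mark=0 zone=0 use=2
ipv4     2 tcp      6 118 SYN_SENT src=192.168.1.12 dst=198.51.100.9 sport=50000 dport=80 packets=1 bytes=60 [UNREPLIED] src=198.51.100.9 dst=203.0.113.5 sport=80 dport=50000 packets=0 bytes=0 mark=0 zone=0 use=2
ipv4     2 icmp     1 29 src=192.168.1.13 dst=198.51.100.1 type=8 code=0 id=7 packets=1 bytes=84 src=198.51.100.1 dst=192.168.1.13 type=0 code=0 id=7 packets=1 bytes=84 mark=0 zone=0 use=2
"""

_KV = re.compile(r"^([a-z_]+)=(\S+)$")

def parse_conntrack_line(line):
    """Split one nf_conntrack line into l4proto, state, orig/reply tuples and flags."""
    tok = line.split()  # l3proto, l3num, l4proto, l4num, timeout, [state], key=value..., [FLAGS]
    entry = {"l4proto": tok[2], "state": None, "orig": {}, "reply": {}, "flags": []}
    tuples, idx = [entry["orig"], entry["reply"]], 0
    for t in tok[5:]:
        if t.startswith("[") and t.endswith("]"):
            entry["flags"].append(t[1:-1])
        elif not (m := _KV.match(t)):  # bare word before the tuples is the TCP/SCTP state
            entry["state"] = t
        else:
            key, value = m.groups()
            if key == "src" and tuples[0]:  # the second src= begins the reply tuple
                idx = 1
            if key not in ("mark", "zone", "use", "secctx"):  # per-entry, not per-tuple
                tuples[idx][key] = int(value) if value.isdigit() else value
    return entry

def offload_kind(entry):
    """'hardware' / 'software' when a flowtable handles the flow, else None (slow path)."""
    if "HW_OFFLOAD" in entry["flags"]:
        return "hardware"
    return "software" if "OFFLOAD" in entry["flags"] else None

def summarize_offload(text):
    """Count offloaded vs. slow-path flows; byte totals need conntrack flow-accounting."""
    summary = {"offloaded": 0, "not_offloaded": 0, "by_proto": Counter(), "bytes": 0}
    for line in text.splitlines():
        entry = parse_conntrack_line(line)
        kind = offload_kind(entry)
        if kind is None:
            summary["not_offloaded"] += 1
            continue
        summary["offloaded"] += 1
        summary["by_proto"][(entry["l4proto"], kind)] += 1
        summary["bytes"] += entry["orig"].get("bytes", 0) + entry["reply"].get("bytes", 0)
    return summary
```

On a live system, pass the contents of /proc/net/nf_conntrack instead of SAMPLE; note that a plain `grep OFFLOAD` also matches [HW_OFFLOAD], so the two kinds are told apart here by flag rather than by substring.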
    Commit f909c17