treewide: support flow offloading
[project/firewall4.git] / root / usr / share / firewall4 / templates / ruleset.uc
index e67fd7eca861f820e19272351a6546ea6c17eccc..9c69aec2351b7640a8f0f023b71d44e6c1d483dd 100644 (file)
@@ -2,6 +2,18 @@ table inet fw4
 flush table inet fw4
 
 table inet fw4 {
+{%- if (fw4.default_option("flow_offloading") && length(devices) > 0): %}
+       #
+       # Flowtable
+       #
+
+       flowtable ft {
+               hook ingress priority 0;
+               devices = {{ fw4.set(devices, true) }};
+       }
+
+{% endif %}
+
        #
        # Set definitions
        #
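Review bot: The guard `fw4.default_option("flow_offloading") && length(devices) > 0` is spelled out here and again in the forward-chain hunk, and the two copies must stay identical. If the `flow offload @ft` rules were ever rendered without this `flowtable ft` block, the ruleset would reference an undefined flowtable and would presumably fail to load. Evaluating it once near the top of the template, for example `{% let flowtable_enabled = fw4.default_option("flow_offloading") && length(devices) > 0; %}`, and testing `flowtable_enabled` in both places removes that coupling. Where `devices` is built is not visible in this hunk, so it is worth confirming that the list only holds interfaces meant to be offloaded and that `fw4.set(devices, true)` quotes the names.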
@@ -70,6 +82,10 @@ table inet fw4 {
        chain forward {
                type filter hook forward priority filter; policy {{ fw4.forward_policy(true) }};
 
+{% if (fw4.default_option("flow_offloading") && length(devices) > 0): %}
+               ip protocol { tcp , udp } flow offload @ft;
+               ip6 nexthdr { tcp , udp } flow offload @ft;
+{% endif %}
                ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
 {% if (fw4.default_option("drop_invalid")): %}
                ct state invalid drop comment "!fw4: Drop flows with invalid conntrack state"
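Review bot: `ip6 nexthdr { tcp , udp }` matches only the Next Header field of the fixed IPv6 header, so IPv6 flows whose packets carry extension headers never match the second added rule. A single `meta l4proto { tcp, udp } flow offload @ft;` would cover both families and replace both lines. The rules also sit ahead of the `drop_invalid` check and everything else in the chain, and once a flow is in the flowtable its later packets are forwarded from the ingress hook without traversing `forward` again. That deserves a comment above the rules, such as `# Offloaded flows bypass this chain for subsequent packets; rules and counters below will not see them`. The forward chain continues past the end of this hunk, so whether any per-zone opt-out exists cannot be judged from here.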