| author | Jo-Philipp Wich | 2022-02-12 19:32:38 +0000 |
|---|---|---|
| committer | Jo-Philipp Wich | 2022-02-12 19:41:40 +0000 |
| commit | 53caa1a762125a71389a486aa913e4fbdf3650cf (patch) | |
| tree | c1d84a92cafba6f26b9a0347f860c221ce6525e6 | |
| parent | 9fe58f51e1e12eadac82d04a34fb024b012bc912 (diff) | |
fw4: resolve zone layer 2 devices for hw flow offloading
Some interface protocols like PPPoE use a layer 3 device that is different
from the layer 2 one and which cannot be resolved to a lower device through
sysfs, so additionally track related layer 2 devices and resolve those when
constructing a hardware flow offloading table.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
| -rw-r--r-- | root/usr/share/ucode/fw4.uc | 12 | ||||
| -rw-r--r-- | tests/01_configuration/01_ruleset | 7 |
2 files changed, 12 insertions, 7 deletions
diff --git a/root/usr/share/ucode/fw4.uc b/root/usr/share/ucode/fw4.uc
index 243e27c..7172a86 100644
--- a/root/usr/share/ucode/fw4.uc
+++ b/root/usr/share/ucode/fw4.uc
@@ -453,7 +453,7 @@ return {
 }
 for (let zone in this.zones())
- for (let device in zone.match_devices)
+ for (let device in zone.related_physdevs)
 push(devices, ...resolve_lower_devices(devstatus, device));
 devices = uniq(devices);
@@ -463,9 +463,9 @@ return {
 this.warn('Hardware flow offloading unavailable, falling back to software offloading');
 this.state.defaults.flow_offloading_hw = false;
- }
- devices = [];
+ devices = [];
+ }
 for (let zone in this.zones())
 for (let device in zone.match_devices)
@@ -536,6 +536,7 @@ return {
 let net = {
 up: ifc.up,
 device: ifc.l3_device,
+ physdev: ifc.device,
 zone: ifc.data?.zone
 };
@@ -1883,6 +1884,7 @@ return {
 zone.auto_helper = false;
 let match_devices = [];
+ let related_physdevs = [];
 let related_subnets = [];
 let related_ubus_networks = [];
 let match_subnets, masq_src_subnets, masq_dest_subnets;
@@ -1903,6 +1905,9 @@ return {
 });
 }
+ if (net.physdev && !e.invert)
+ push(related_physdevs, net.physdev);
+ push(related_subnets, ...(net.ipaddrs || []));
 }
 }
@@ -2036,6 +2041,7 @@ return {
 zone.match_subnets = map(filter(related_subnets, s => !s.invert && s.bits != -1), this.cidr);
 zone.related_subnets = related_subnets;
+ zone.related_physdevs = related_physdevs;
 if (zone.masq || zone.masq6)
 zone.dflags.snat = true;
diff --git a/tests/01_configuration/01_ruleset b/tests/01_configuration/01_ruleset
index f19daf5..913bfb3 100644
--- a/tests/01_configuration/01_ruleset
+++ b/tests/01_configuration/01_ruleset
@@ -26,7 +26,7 @@ table inet fw4 {
 flowtable ft {
 hook ingress priority 0;
- devices = { "eth0" };
+ devices = { "eth0", "eth1" };
 flags offload;
 }
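Review bot: The hardware-offload candidate loop in the first hunk now walks `zone.related_physdevs` only, and the later hunks show that list being filled solely from interface entries (`net.physdev`), so a device a zone names directly rather than through a network — if `match_devices` carries such entries, which only the code outside these hunks can confirm — no longer reaches the hardware flowtable probe even though the software fallback loop in the second hunk still includes it. If that narrowing is intended, a comment on the loop would spare the next reader the search: `// only netifd-backed layer 2 devices are probed for hw offload; directly listed zone devices stay on the sw path`. If it is not, the directly-listed entries need to be pushed alongside the physdevs before `uniq(devices)`. The enclosing function starts before the first hunk and ends after the second.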
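Review bot: The new `physdev` field in the `net` record sits directly under `device` with nothing explaining how they differ, and the names alone do not convey that `device` is the layer 3 device (`ifc.l3_device`, e.g. pppoe-wan) while `physdev` is the ubus `device` the hardware flowtable must be built from. A trailing comment on the added line would fix that: `physdev: ifc.device, // layer 2 device (NIC/bridge under the l3 one); 'device' above is the layer 3 device`. The function building this record starts and ends outside the hunk.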
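Review bot: The guard `if (net.physdev && !e.invert)` drops negated network entries silently while the `related_subnets` push immediately below keeps them, and the asymmetry is only resolved much later by the `!s.invert` filter in the `match_subnets` hunk, so a reader is likely to read it as an oversight. A comment such as `// a negated network cannot yield a flowtable device; subnets keep their invert flag and are filtered later` would record the intent. Both `e` and `net` are bound by loops that begin before this hunk, so whether `net.up` is also consulted for `match_devices` cannot be checked here; if it is, the physdev push should presumably mirror it.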
@@ -299,9 +299,8 @@ table inet fw4 {
 [call] ctx.call object <network.device> method <status> args <null>
 [call] fs.opendir path </sys/class/net/br-lan>
 [call] fs.opendir path </sys/class/net/eth0>
-[call] fs.opendir path </sys/class/net/pppoe-wan>
-[call] fs.opendir path </sys/class/net/pppoe-wan>
-[call] system command </usr/sbin/nft -c 'add table inet fw4-hw-offload-test; add flowtable inet fw4-hw-offload-test ft { hook ingress priority 0; devices = { "eth0" }; flags offload; }' 2>/dev/null> timeout <null>
+[call] fs.opendir path </sys/class/net/eth1>
+[call] system command </usr/sbin/nft -c 'add table inet fw4-hw-offload-test; add flowtable inet fw4-hw-offload-test ft { hook ingress priority 0; devices = { "eth0", "eth1" }; flags offload; }' 2>/dev/null> timeout <null>
 [call] fs.popen cmdline </usr/sbin/nft --terse --json list flowtables inet> mode <r>
 [call] fs.open path </sys/class/net/br-lan/flags> mode <r>
 [call] fs.open path </sys/class/net/br-lan/flags> mode <r> |