| author | Stijn Tintel | 2021-10-14 18:42:46 +0000 |
|---|---|---|
| committer | Stijn Tintel | 2022-01-06 12:49:03 +0000 |
| commit | 85b74f35e4a7aa6b98c5a339a990be1fc2e338e2 (patch) | |
| tree | 9c49be3ccd47a0fb90f3329684050904bd002572 | |
| parent | 9ebc2f4f10ab14a6f3b6df3069ce3410a4af66bc (diff) | |
| download | firewall4-85b74f35e4a7aa6b98c5a339a990be1fc2e338e2.tar.gz | |
treewide: support flow offloading
Flow offloading does not work unless the devices are specified. Pass
interfaces used by enabled firewall zones to the ruleset renderer.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
| -rw-r--r-- | root/usr/share/firewall4/main.uc | 6 | ||||
| -rw-r--r-- | root/usr/share/firewall4/templates/ruleset.uc | 16 | ||||
| -rw-r--r-- | root/usr/share/ucode/fw4.uc | 2 |
3 files changed, 22 insertions, 2 deletions
diff --git a/root/usr/share/firewall4/main.uc b/root/usr/share/firewall4/main.uc
index 6012bd1..141ba01 100644
--- a/root/usr/share/firewall4/main.uc
+++ b/root/usr/share/firewall4/main.uc
@@ -95,9 +95,13 @@ function reload_sets() {
 }
 
 function render_ruleset(use_statefile) {
+	let devices = {};
+
 	fw4.load(use_statefile);
 
-	include("templates/ruleset.uc", { fw4, type, exists, length, include });
+	map(fw4.zones(), zone => push(devices, ...zone.match_devices));
+
+	include("templates/ruleset.uc", { fw4, type, exists, length, include, devices: sort(devices) });
 }
 
 function lookup_network(net) {
diff --git a/root/usr/share/firewall4/templates/ruleset.uc b/root/usr/share/firewall4/templates/ruleset.uc
index e67fd7e..9c69aec 100644
--- a/root/usr/share/firewall4/templates/ruleset.uc
+++ b/root/usr/share/firewall4/templates/ruleset.uc
@@ -2,6 +2,18 @@ table inet fw4
 flush table inet fw4
 
 table inet fw4 {
+{%- if (fw4.default_option("flow_offloading") && length(devices) > 0): %}
+	#
+	# Flowtable
+	#
+
+	flowtable ft {
+		hook ingress priority 0;
+		devices = {{ fw4.set(devices, true) }};
+	}
+
+{% endif %}
+
 	#
 	# Set definitions
 	#
@@ -70,6 +82,10 @@ table inet fw4 {
 	chain forward {
 		type filter hook forward priority filter; policy {{ fw4.forward_policy(true) }};
 
+{% if (fw4.default_option("flow_offloading") && length(devices) > 0): %}
+		ip protocol { tcp , udp } flow offload @ft;
+		ip6 nexthdr { tcp , udp } flow offload @ft;
+{% endif %}
 		ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
 {% if (fw4.default_option("drop_invalid")): %}
 		ct state invalid drop comment "!fw4: Drop flows with invalid conntrack state"
diff --git a/root/usr/share/ucode/fw4.uc b/root/usr/share/ucode/fw4.uc
index 7472509..3469b50 100644
--- a/root/usr/share/ucode/fw4.uc
+++ b/root/usr/share/ucode/fw4.uc
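Review bot: `let devices = {};` initialises an object, but every following use treats it as an array: `push(devices, ...zone.match_devices)` and `sort(devices)` are ucode's array builtins, and as far as I know push() on a non-array value is a no-op that returns null, so `devices` stays empty, `length(devices) > 0` in the template is never true and the flowtable is never rendered at all. The line should read `let devices = [];`. Two smaller points in the same hunk: map() is used purely for its side effect, where `for (let zone in fw4.zones()) push(devices, ...zone.match_devices);` says what is meant, and a device bound to more than one zone is pushed once per zone, so the list should be deduplicated (uniq() if the ucode build provides it) before it is rendered into the flowtable device set.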
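Review bot: The flowtable device list is built from every device of every enabled zone with no check that the interface actually exists, and as far as I know nft rejects a flowtable that names an interface which is not present at load time (and wildcard names, if match_devices can carry them). Because the whole ruleset is applied as one transaction, that single error aborts the load: the previous ruleset, if any, stays in place, and on a first load the system is left without firewall rules. Suggest filtering the list against the interfaces that exist before it reaches the template, or at least stating the assumption above `flowtable ft {`, e.g. `# every listed device must exist when the ruleset is loaded; one missing device fails the whole load`. The enclosing `table inet fw4 {` block continues past the hunk.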
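Review bot: The guard `{% if (fw4.default_option("flow_offloading") && length(devices) > 0): %}` repeats the condition that creates `flowtable ft` earlier in the same template; if the two ever diverge, the `flow offload @ft` rules reference an undefined flowtable and the ruleset fails to load. Evaluate it once near the top of the template, e.g. `{% let use_ft = fw4.default_option("flow_offloading") && length(devices) > 0; %}`, and test `use_ft` in both places. Separately, the rules carry no `ct state established` match; the kernel only offloads confirmed, non-new flows, so this is not wrong, but an explicit `ct state established ip protocol { tcp , udp } flow offload @ft;` makes the intent visible and documents that new connections still traverse the rest of the chain. Both `chain forward` and the enclosing table continue outside the hunk.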
@@ -1638,7 +1638,7 @@ return {
 			auto_helper: [ "bool", "1" ],
 			custom_chains: [ "bool", null, UNSUPPORTED ],
 			disable_ipv6: [ "bool", null, UNSUPPORTED ],
-			flow_offloading: [ "bool", null, UNSUPPORTED ],
+			flow_offloading: [ "bool", "0" ],
 			flow_offloading_hw: [ "bool", null, UNSUPPORTED ]
 		});
 
|