
Firewall flowtable should allow ethernet only interfaces
Closed, Invalid | Public | Enhancement

Description

The firewall flowtable should allow ethX-only interfaces.
It does not need to be set to PPP/BOND/VLAN/WG/etc., as it will work anyway if this interface is part of the forwarding over eth.

set firewall flowtable OFFLOAD interface ethX

Need to consider/recheck VLANs, as they are at least mentioned in the code: https://elixir.bootlin.com/linux/v6.6.28/source/include/net/netfilter/nf_flow_table.h#L26

Details

Difficulty level
Unknown (require assessment)
Version
1.5
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Feature (new functionality)

Event Timeline

Viacheslav created this task.
Viacheslav created this object in space S1 VyOS Public.
Viacheslav changed the subtype of this task from "Task" to "Enhancement".
n.fort changed the task status from Open to In progress. Mon, May 6, 3:28 PM

By looking at this and the documentation, I do not see any proof that flowtables support any encapsulation except VLAN and PPPoE.

This means that to accelerate a virtual interface (like a tunnel), this interface needs to be attached to a flowtable; it is not enough to attach a parent Ethernet interface.

Example of using flowtables on master interfaces, and communication between a local host that is on a VLAN (VLAN eth2.22 and host 10.22.22.222) and a remote host that is reachable through a GRE tunnel (tunnel established using interface eth0):

vyos@ft:~$ show config commands | grep "prot\|firewall\|tun"
set firewall flowtable FT-VLAN interface 'eth2'
set firewall flowtable FT-VLAN interface 'eth0'
set firewall ipv4 forward filter rule 10 action 'offload'
set firewall ipv4 forward filter rule 10 offload-target 'FT-VLAN'
set interfaces tunnel tun0 address '172.16.20.1/30'
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 remote '192.0.2.2'
set interfaces tunnel tun0 source-address '198.51.100.2'
set protocols static route 0.0.0.0/0 next-hop 198.51.100.1
set protocols static route 10.55.55.0/24 next-hop 172.16.20.2
vyos@ft:~$ 
vyos@ft:~$ 
vyos@ft:~$ show int
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address       MAC                VRF        MTU  S/L    Description
-----------  ---------------  -----------------  -------  -----  -----  -------------
eth0         198.51.100.2/30  50:00:00:01:00:00  default   1500  u/u
eth1         -                50:00:00:01:00:01  default   1500  u/u
eth1.11      10.11.11.1/24    50:00:00:01:00:01  default   1500  u/u
eth2         -                50:00:00:01:00:02  default   1500  u/u
eth2.22      10.22.22.1/24    50:00:00:01:00:02  default   1500  u/u
eth3         -                50:00:00:01:00:03  default   1500  u/u
lo           127.0.0.1/8      00:00:00:00:00:00  default  65536  u/u
             ::1/128
tun0         172.16.20.1/30   n/a                default   1476  u/u
vyos@ft:~$ sudo conntrack -L | grep OFFLOAD
conntrack v1.4.6 (conntrack-tools): tcp      6 src=10.22.22.222 dst=10.55.55.55 sport=49960 dport=22 src=10.55.55.55 dst=10.22.22.222 sport=22 dport=49960 [OFFLOAD] mark=0 use=2
4 flow entries have been shown.
vyos@ft:~$

And a similar example, using the same interfaces and host, but with a WireGuard site-to-site tunnel instead of a GRE tunnel:

vyos@ft# run show config comm | grep "firewall\|wireguard\|protocol"
set firewall flowtable FT-VLAN interface 'eth2'
set firewall flowtable FT-VLAN interface 'eth0'
set firewall ipv4 forward filter rule 10 action 'offload'
set firewall ipv4 forward filter rule 10 offload-target 'FT-VLAN'
set interfaces wireguard wg0 address '10.99.99.1/30'
set interfaces wireguard wg0 peer RIGHT address '192.0.2.2'
set interfaces wireguard wg0 peer RIGHT allowed-ips '10.55.55.0/24'
set interfaces wireguard wg0 peer RIGHT port '3344'
set interfaces wireguard wg0 peer RIGHT public-key '3YynH17y8sdvr6E0+NcVKP9U+O3x82DYv2wDkei6gWg='
set interfaces wireguard wg0 port '3344'
set interfaces wireguard wg0 private-key 'iP1GXZ/JeW6PVbikHYuWVa448YwT5/CsI3HdFZGfP38='
set protocols static route 0.0.0.0/0 next-hop 198.51.100.1
set protocols static route 10.55.55.0/24 interface wg0
set protocols static route 10.55.55.0/24 next-hop 172.16.20.2 disable
[edit]
vyos@ft# 
[edit]
vyos@ft# 
[edit]
vyos@ft# sudo conntrack -L | grep OFFLOAD
conntrack v1.4.6 (conntrack-tools): tcp      6 src=10.22.22.222 dst=10.55.55.55 sport=47724 dport=22 src=10.55.55.55 dst=10.22.22.222 sport=22 dport=47724 [OFFLOAD] mark=0 use=2
4 flow entries have been shown.
[edit]
vyos@ft# run show int
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address       MAC                VRF        MTU  S/L    Description
-----------  ---------------  -----------------  -------  -----  -----  -------------
eth0         198.51.100.2/30  50:00:00:01:00:00  default   1500  u/u
eth1         -                50:00:00:01:00:01  default   1500  u/u
eth1.11      10.11.11.1/24    50:00:00:01:00:01  default   1500  u/u
eth2         -                50:00:00:01:00:02  default   1500  u/u
eth2.22      10.22.22.1/24    50:00:00:01:00:02  default   1500  u/u
eth3         -                50:00:00:01:00:03  default   1500  u/u
lo           127.0.0.1/8      00:00:00:00:00:00  default  65536  u/u
             ::1/128
tun0         172.16.20.1/30   n/a                default   1476  A/D
wg0          10.99.99.1/30    n/a                default   1420  u/u
[edit]
vyos@ft#

Further tests in the lab show that non-Ethernet interfaces need to be added to the flowtable in order to offload traffic as expected. An example is the WireGuard interface: in order to offload traffic, it is necessary to add interface wgX to the flowtable.
Otherwise, it won't work as expected.
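As an added example (not VyOS project code, and not from either commenter), a small Python linter for the pitfall this task and the comment above describe: it reads a `show configuration commands` dump, lists the members of each firewall flowtable, and reports tunnel/WireGuard interfaces that are defined but not attached, printing the missing `set` commands. The assumption that only tunnel and WireGuard interface types need their own flowtable entry (VLAN and PPPoE ride on the parent) follows the lab findings in the comment; the sample config is constructed from the WireGuard example, with keys omitted.

```python
# Added example, not VyOS project code: lint a "show configuration commands"
# dump for tunnel/WireGuard interfaces missing from a flowtable. Per the comment
# above, VLAN sub-interfaces are covered by their parent Ethernet port, but other
# virtual interfaces must be flowtable members themselves to get offloaded.
import re

FLOWTABLE_RE = re.compile(r"^set firewall flowtable (\S+) interface '?([^']+)'?$")
# Assumption: these interface types need an explicit flowtable entry.
IFACE_RE = re.compile(r"^set interfaces (tunnel|wireguard) (\S+)\b")

# Constructed sample: the WireGuard lab config from the comment, keys omitted.
SAMPLE_CONFIG = [
    "set firewall flowtable FT-VLAN interface 'eth2'",
    "set firewall flowtable FT-VLAN interface 'eth0'",
    "set firewall ipv4 forward filter rule 10 action 'offload'",
    "set firewall ipv4 forward filter rule 10 offload-target 'FT-VLAN'",
    "set interfaces wireguard wg0 address '10.99.99.1/30'",
    "set interfaces wireguard wg0 peer RIGHT allowed-ips '10.55.55.0/24'",
    "set protocols static route 10.55.55.0/24 interface wg0",
]

def parse_flowtables(lines):
    """Map flowtable name -> set of member interface names."""
    tables = {}
    for line in lines:
        m = FLOWTABLE_RE.match(line.strip())
        if m:
            tables.setdefault(m.group(1), set()).add(m.group(2))
    return tables

def virtual_interfaces(lines):
    """Return {ifname: type} for tunnel/WireGuard interfaces in the config."""
    found = {}
    for line in lines:
        m = IFACE_RE.match(line.strip())
        if m:
            found[m.group(2)] = m.group(1)
    return found

def missing_members(lines):
    """Return {flowtable: [set commands]} for every virtual interface that is
    defined in the config but not attached to that flowtable."""
    tables = parse_flowtables(lines)
    vifs = virtual_interfaces(lines)
    report = {}
    for name, members in tables.items():
        for ifname in sorted(vifs):
            if ifname not in members:
                cmd = f"set firewall flowtable {name} interface '{ifname}'"
                report.setdefault(name, []).append(cmd)
    return report

if __name__ == "__main__":
    for table, cmds in missing_members(SAMPLE_CONFIG).items():
        print(f"{table}: flows via these interfaces will not be offloaded:")
        print("\n".join("  " + c for c in cmds))
```

Running it on the sample reports that wg0 is not a member of FT-VLAN, which matches the lab observation that the WireGuard interface must be added before its traffic shows up as [OFFLOAD] in conntrack.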