Summary
Using nftables flow tables does not currently work when using global state policies. This is because the jump to the state-policy chain is added before all other rules in the forward chain, so the offload rule is never reached:
chain VYOS_FORWARD_filter {
    type filter hook forward priority filter; policy accept;
    jump VYOS_STATE_POLICY
    counter packets 0 bytes 0 flow add @VYOS_FLOWTABLE_FT1 comment "ipv4-FWD-filter-5"
}

chain VYOS_STATE_POLICY {
    ct state established counter packets 843 bytes 96163 accept
    ct state invalid counter packets 0 bytes 0 drop
    ct state related counter packets 87 bytes 15528 accept
    return
}
It should be possible to have an offload rule above the jump rule to allow for the fast path to get used.
Use case
The rule could be added to global states as well, with something like:
set firewall global-options state-policy offload offload-target <some flowtable>
This would populate the VYOS_STATE_POLICY chain with:
chain VYOS_STATE_POLICY {
    counter flow add @VYOS_FLOWTABLE_FT1
    ct state established counter packets 843 bytes 96163 accept
    ct state invalid counter packets 0 bytes 0 drop
    ct state related counter packets 87 bytes 15528 accept
    return
}
This would likely require two chains, VYOS_STATE_POLICY and VYOS_STATE_POLICY_OFFLOAD, since offload is only valid in forward chains.
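The ordering problem described above can be checked mechanically from an `nft list table` dump. The following script is an added example, not VyOS code: it parses chain bodies, expands `jump` rules in evaluation order, and reports whether a `flow add @...` rule is evaluated before the first rule contributed by the state-policy chain (whose `ct state established ... accept` is a terminal verdict that ends evaluation in the base chain before any later offload rule). The two chain dumps embedded in it are constructed samples modelled on the report: the current layout, and the proposed layout with a separate VYOS_STATE_POLICY_OFFLOAD chain jumped to first.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the report: the jump precedes the offload rule.
BROKEN_LISTING = """\
chain VYOS_FORWARD_filter {
    type filter hook forward priority filter; policy accept;
    jump VYOS_STATE_POLICY
    counter packets 0 bytes 0 flow add @VYOS_FLOWTABLE_FT1 comment "ipv4-FWD-filter-5"
}
chain VYOS_STATE_POLICY {
    ct state established counter packets 843 bytes 96163 accept
    ct state invalid counter packets 0 bytes 0 drop
    ct state related counter packets 87 bytes 15528 accept
    return
}
"""

# Constructed sample of the proposed layout (chain name VYOS_STATE_POLICY_OFFLOAD
# is taken from the report; its exact contents are an assumption).
PROPOSED_LISTING = """\
chain VYOS_FORWARD_filter {
    type filter hook forward priority filter; policy accept;
    jump VYOS_STATE_POLICY_OFFLOAD
    jump VYOS_STATE_POLICY
}
chain VYOS_STATE_POLICY_OFFLOAD {
    counter flow add @VYOS_FLOWTABLE_FT1
}
chain VYOS_STATE_POLICY {
    ct state established counter packets 843 bytes 96163 accept
    ct state invalid counter packets 0 bytes 0 drop
    ct state related counter packets 87 bytes 15528 accept
    return
}
"""

CHAIN_RE = re.compile(r"chain\s+(\S+)\s*\{(.*?)\}", re.S)
JUMP_RE = re.compile(r"^(?:counter packets \d+ bytes \d+\s+)?jump\s+(\S+)$")


def parse_chains(listing: str) -> Dict[str, List[str]]:
    """Split a chain dump into {chain name: [rule, ...]} in evaluation order.
    Base-chain header lines (type/hook/policy) are dropped, leaving only rules."""
    chains: Dict[str, List[str]] = {}
    for match in CHAIN_RE.finditer(listing):
        name, body = match.group(1), match.group(2)
        rules = []
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("type ") or line.startswith("policy "):
                continue
            rules.append(line)
        chains[name] = rules
    return chains


def flatten(chains: Dict[str, List[str]], chain: str, depth: int = 0) -> List[Tuple[str, str]]:
    """Expand `jump X` rules inline, returning (origin chain, rule) pairs in the
    order the kernel evaluates them. Depth guard protects against jump loops."""
    if depth > 16:
        raise RecursionError("jump nesting too deep")
    flat: List[Tuple[str, str]] = []
    for rule in chains.get(chain, []):
        jump = JUMP_RE.match(rule)
        if jump:
            flat.extend(flatten(chains, jump.group(1), depth + 1))
        else:
            flat.append((chain, rule))
    return flat


def offload_rule_is_reachable(listing: str,
                              forward: str = "VYOS_FORWARD_filter",
                              state_chain: str = "VYOS_STATE_POLICY") -> bool:
    """True when a `flow add @...` rule is evaluated before any rule from the
    state-policy chain; False when the state policy's terminal `accept` would
    end evaluation first, or when no offload rule exists at all."""
    flat = flatten(parse_chains(listing), forward)
    offload_idx: Optional[int] = next((i for i, (_, r) in enumerate(flat) if "flow add @" in r), None)
    state_idx: Optional[int] = next((i for i, (c, _) in enumerate(flat) if c == state_chain), None)
    if offload_idx is None:
        return False
    if state_idx is None:
        return True
    return offload_idx < state_idx


if __name__ == "__main__":
    for label, listing in (("current", BROKEN_LISTING), ("proposed", PROPOSED_LISTING)):
        ok = offload_rule_is_reachable(listing)
        print(f"{label}: offload rule {'reachable' if ok else 'shadowed by state policy'}")
```

On a live system the same check can be run over the output of `nft list table ip vyos_filter` (table name assumed; substitute the one in use), which makes it a quick regression test for the ordering once the offload chain is introduced.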