T4502: firewall: Add software flow offload using flowtable
The following commands will enable nftables flowtable offload on interfaces eth0 eth1:
set firewall global-options flow-offload software interface <name> set firewall global-options flow-offload hardware interface <name>
Generated nftables rules:
table inet vyos_offload {
flowtable VYOS_FLOWTABLE_software {
hook ingress priority filter - 1; devices = { eth0, eth1, eth2, eth3 };
counter
}
chain VYOS_OFFLOAD_software {
type filter hook forward priority filter - 1; policy accept;
ct state { established, related } meta l4proto { tcp, udp } flow add @VYOS_FLOWTABLE_software
}
}Use this option to count packets and bytes for each offloaded flow:
set system conntrack flow-accounting
To verify a connection is offloaded, run
cat /proc/net/nf_conntrack|grep OFFLOAD
This PR follows firewalld's implementation: https://github.com/firewalld/firewalld/blob/e748b97787d685d0ca93f58e8d4292e87d3f0da6/src/firewall/core/nftables.py#L590
A good introduction to nftables flowtable: https://thermalcircle.de/doku.php?id=blog:linux:flowtables_1_a_netfilter_nftables_fastpath