From c1a295a500f0d113bacc5455af6444eb18cb482f Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Tue, 13 Mar 2018 15:45:38 +0100
Subject: [PATCH] defaults: add support for xt_FLOWOFFLOAD rule
Introduce a new defaults section option "flow_offloading" which, when enabled, causes fw3 to emit a -j FLOWOFFLOAD rule in the forwarding chain.
Signed-off-by: Jo-Philipp Wich
---
 defaults.c | 31 +++++++++++++++++++++++++++++++
 options.h | 1 +
 2 files changed, 32 insertions(+)
diff --git a/defaults.c b/defaults.c
index 7b2d9e6..bf2b51f 100644
--- a/defaults.c
+++ b/defaults.c
@@ -57,6 +57,7 @@ const struct fw3_option fw3_flag_opts[] = {
 FW3_OPT("auto_helper", bool, defaults, auto_helper),
 FW3_OPT("custom_chains", bool, defaults, custom_chains),
 FW3_OPT("disable_ipv6", bool, defaults, disable_ipv6),
+ FW3_OPT("flow_offloading", bool, defaults, flow_offloading),
 FW3_OPT("__flags_v4", int, defaults, flags[0]),
 FW3_OPT("__flags_v6", int, defaults, flags[1]),
@@ -80,6 +81,26 @@ check_policy(struct uci_element *e, enum fw3_flag *pol, const char *name)
 }
 }
+static void
+check_offloading(struct uci_element *e, bool *offloading)
+{
+ FILE *f;
+
+ if (!*offloading)
+ return;
+
+ f = fopen("/sys/module/xt_FLOWOFFLOAD/refcnt", "r");
+
+ if (f)
+ {
+ fclose(f);
+ return;
+ }
+
+ warn_elem(e, "enables offloading but missing kernel support, disabling");
+ *offloading = false;
+}
+
 void
 fw3_load_defaults(struct fw3_state *state, struct uci_package *p)
 {
@@ -115,6 +136,8 @@ fw3_load_defaults(struct fw3_state *state, struct uci_package *p)
 check_policy(e, &defs->policy_input, "input");
 check_policy(e, &defs->policy_output, "output");
 check_policy(e, &defs->policy_forward, "forward");
+
+ check_offloading(e, &defs->flow_offloading);
 }
 }
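Review bot: The probe in check_offloading tests whether xt_FLOWOFFLOAD is currently loaded as a module, not whether the kernel supports the target: `/sys/module/<name>/refcnt` is, as far as I know, created only for loadable modules, so a kernel with the target built in, or one where iptables would autoload the module on first use, ends up with offloading disabled and a warning that blames "missing kernel support". The message should describe what was actually checked, e.g. `warn_elem(e, "enables offloading but xt_FLOWOFFLOAD is not loaded, disabling");`, and the limitation deserves a comment above the fopen such as `/* Detects only an already-loaded xt_FLOWOFFLOAD module; a built-in or not-yet-autoloaded target is reported as unsupported. */`. Since nothing is read from the stream, `access("/sys/module/xt_FLOWOFFLOAD/refcnt", F_OK) == 0` would express the existence test more directly than fopen/fclose, though the current pair is harmless.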
@@ -207,6 +230,14 @@ fw3_print_default_head_rules(struct fw3_ipt_handle *handle,
 }
 }
+ if (defs->flow_offloading)
+ {
+ r = fw3_ipt_rule_new(handle);
+ fw3_ipt_rule_extra(r, "-m conntrack --ctstate RELATED,ESTABLISHED");
+ fw3_ipt_rule_target(r, "FLOWOFFLOAD");
+ fw3_ipt_rule_append(r, "FORWARD");
+ }
+
 for (i = 0; i < ARRAY_SIZE(chains); i += 2)
 {
 r = fw3_ipt_rule_new(handle);
diff --git a/options.h b/options.h
index 5b2a769..dcce644 100644
--- a/options.h
+++ b/options.h
@@ -289,6 +290,7 @@ struct fw3_defaults
 bool custom_chains;
 bool auto_helper;
+ bool flow_offloading;
 bool disable_ipv6;
--
2.25.1
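Review bot: The new FLOWOFFLOAD rule is appended to FORWARD for every RELATED,ESTABLISHED packet ahead of the per-chain rules the following loop emits, and nothing in the hunk records the consequence: once a flow is handed to the flow table its later packets, if I understand the offload path correctly, no longer traverse FORWARD at all, so only the initial packet is checked against the user's custom forwarding chain and against any rule that needs per-packet evaluation (rate limits, time matches). That is the intended trade-off of offloading, but it should be stated above the block: `/* Offload established flows before the zone chains: later packets of an offloaded flow bypass the rest of FORWARD, only the initial packet is policy-checked. */`. The xt_FLOWOFFLOAD target, as I recall it, ignores NEW and RELATED conntrack states itself, so `--ctstate ESTABLISHED` alone would describe the effective match more honestly; confirm against the shipped target before changing the string. The rule is emitted for whichever handle calls this function (IPv4 and IPv6 alike) while check_offloading only probes for the module, so a family-specific limitation would go unnoticed; fw3_print_default_head_rules begins outside the hunk.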