diff options
| author | Jo-Philipp Wich <jo@mein.io> | 2018-03-13 15:45:38 +0100 |
|---|---|---|
| committer | Jo-Philipp Wich <jo@mein.io> | 2018-03-13 15:45:38 +0100 |
| commit | c1a295a500f0d113bacc5455af6444eb18cb482f (patch) | |
| tree | 27c574976c83535e39b39770f3cde90da3f2cf3c | |
| parent | 41c2ab5e5cf62a4c04707145c65d37e27d82d63f (diff) | |
| download | firewall3-c1a295a500f0d113bacc5455af6444eb18cb482f.tar.gz | |
defaults: add support for xt_FLOWOFFLOAD rule
Introduce a new defaults section option "flow_offloading" which,
when enabled, causes fw3 to emit a -j FLOWOFFLOAD rule in the
forwarding chain.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
| -rw-r--r-- | defaults.c | 31 | ||||
| -rw-r--r-- | options.h | 1 |
2 files changed, 32 insertions, 0 deletions
@@ -57,6 +57,7 @@ const struct fw3_option fw3_flag_opts[] = { FW3_OPT("auto_helper", bool, defaults, auto_helper), FW3_OPT("custom_chains", bool, defaults, custom_chains), FW3_OPT("disable_ipv6", bool, defaults, disable_ipv6), + FW3_OPT("flow_offloading", bool, defaults, flow_offloading), FW3_OPT("__flags_v4", int, defaults, flags[0]), FW3_OPT("__flags_v6", int, defaults, flags[1]), @@ -80,6 +81,26 @@ check_policy(struct uci_element *e, enum fw3_flag *pol, const char *name) } } +static void +check_offloading(struct uci_element *e, bool *offloading) +{ + FILE *f; + + if (!*offloading) + return; + + f = fopen("/sys/module/xt_FLOWOFFLOAD/refcnt", "r"); + + if (f) + { + fclose(f); + return; + } + + warn_elem(e, "enables offloading but missing kernel support, disabling"); + *offloading = false; +} + void fw3_load_defaults(struct fw3_state *state, struct uci_package *p) { @@ -115,6 +136,8 @@ fw3_load_defaults(struct fw3_state *state, struct uci_package *p) check_policy(e, &defs->policy_input, "input"); check_policy(e, &defs->policy_output, "output"); check_policy(e, &defs->policy_forward, "forward"); + + check_offloading(e, &defs->flow_offloading); } } @@ -207,6 +230,14 @@ fw3_print_default_head_rules(struct fw3_ipt_handle *handle, } } + if (defs->flow_offloading) + { + r = fw3_ipt_rule_new(handle); + fw3_ipt_rule_extra(r, "-m conntrack --ctstate RELATED,ESTABLISHED"); + fw3_ipt_rule_target(r, "FLOWOFFLOAD"); + fw3_ipt_rule_append(r, "FORWARD"); + } + for (i = 0; i < ARRAY_SIZE(chains); i += 2) { r = fw3_ipt_rule_new(handle); @@ -289,6 +289,7 @@ struct fw3_defaults bool custom_chains; bool auto_helper; + bool flow_offloading; bool disable_ipv6; |