defaults: add support for xt_FLOWOFFLOAD rule

Introduce a new defaults section option "flow_offloading" which,
when enabled, causes fw3 to emit a -j FLOWOFFLOAD rule in the
forwarding chain.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>

diff --git a/defaults.c b/defaults.c
index 7b2d9e6f357f2aecdbbc12904882c7651d8b9173..bf2b51f91da1c0c7cf4c1a32ae954baa844907e7 100644 (file)
--- a/defaults.c
+++ b/defaults.c
@@ -57,6 +57,7 @@ const struct fw3_option fw3_flag_opts[] = {
        FW3_OPT("auto_helper",         bool,     defaults, auto_helper),
        FW3_OPT("custom_chains",       bool,     defaults, custom_chains),
        FW3_OPT("disable_ipv6",        bool,     defaults, disable_ipv6),
+       FW3_OPT("flow_offloading",     bool,     defaults, flow_offloading),
 
        FW3_OPT("__flags_v4",          int,      defaults, flags[0]),
        FW3_OPT("__flags_v6",          int,      defaults, flags[1]),
@@ -80,6 +81,26 @@ check_policy(struct uci_element *e, enum fw3_flag *pol, const char *name)
        }
 }
 
+static void
+check_offloading(struct uci_element *e, bool *offloading)
+{
+       FILE *f;
+
+       if (!*offloading)
+               return;
+
+       f = fopen("/sys/module/xt_FLOWOFFLOAD/refcnt", "r");
+
+       if (f)
+       {
+               fclose(f);
+               return;
+       }
+
+       warn_elem(e, "enables offloading but missing kernel support, disabling");
+       *offloading = false;
+}
+
 void
 fw3_load_defaults(struct fw3_state *state, struct uci_package *p)
 {
@@ -115,6 +136,8 @@ fw3_load_defaults(struct fw3_state *state, struct uci_package *p)
                check_policy(e, &defs->policy_input, "input");
                check_policy(e, &defs->policy_output, "output");
                check_policy(e, &defs->policy_forward, "forward");
+
+               check_offloading(e, &defs->flow_offloading);
        }
 }
 
@@ -207,6 +230,14 @@ fw3_print_default_head_rules(struct fw3_ipt_handle *handle,
                        }
                }
 
+               if (defs->flow_offloading)
+               {
+                       r = fw3_ipt_rule_new(handle);
+                       fw3_ipt_rule_extra(r, "-m conntrack --ctstate RELATED,ESTABLISHED");
+                       fw3_ipt_rule_target(r, "FLOWOFFLOAD");
+                       fw3_ipt_rule_append(r, "FORWARD");
+               }
+
                for (i = 0; i < ARRAY_SIZE(chains); i += 2)
                {
                        r = fw3_ipt_rule_new(handle);

diff --git a/options.h b/options.h
index 5b2a7693c020566a0d23e7f4a25f7b1e8f58b647..dcce64425b96ab715f2e829c59ff83f28e366e13 100644 (file)
--- a/options.h
+++ b/options.h
@@ -289,6 +289,7 @@ struct fw3_defaults
 
        bool custom_chains;
        bool auto_helper;
+       bool flow_offloading;
 
        bool disable_ipv6;