From: Jo-Philipp Wich Date: Mon, 7 Feb 2022 22:27:37 +0000 (+0100) Subject: fw4: gracefully handle unsupported hardware offloading X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=a0518b6d0273ad3267e65953e52989a1589fefab;p=project%2Ffirewall4.git fw4: gracefully handle unsupported hardware offloading Try to create a hardware-offloaded flowtable using `nft -c` and fall back to software offloading in case the test command fails. Signed-off-by: Jo-Philipp Wich
---
diff --git a/root/usr/share/ucode/fw4.uc b/root/usr/share/ucode/fw4.uc
index eeef02e..9d2a0b4 100644
--- a/root/usr/share/ucode/fw4.uc
+++ b/root/usr/share/ucode/fw4.uc
@@ -404,6 +404,20 @@ function nft_json_command(...args) {
 return info || [];
 }

+function nft_try_hw_offload(devices) {
+ let nft_test =
+ 'add table inet fw4-hw-offload-test; ' +
+ 'add flowtable inet fw4-hw-offload-test ft { ' +
+ 'hook ingress priority 0; ' +
+ 'devices = { "' + join('", "', devices) + '" }; ' +
+ 'flags offload; ' +
+ '}';
+
+ let rc = system(sprintf("/usr/sbin/nft -c '%s' 2>/dev/null", replace(nft_test, "'", "'\\''")));
+
+ return (rc == 0);
+}
+

 return {
 read_kernel_version: function() {
@@ -434,11 +448,25 @@ return {
 devstatus = bus.call("network.device", "status") || {};
 bus.disconnect();
 }
+
+ for (let zone in this.zones())
+ for (let device in zone.match_devices)
+ push(devices, ...resolve_lower_devices(devstatus, device));
+
+ devices = uniq(devices);
+
+ if (nft_try_hw_offload(devices))
+ return devices;
+
+ this.warn('Hardware flow offloading unavailable, falling back to software offloading');
+ this.state.defaults.flow_offloading_hw = false;
 }

- for (let zone in fw4.zones())
+ devices = [];
+
+ for (let zone in this.zones())
 for (let device in zone.match_devices)
- push(devices, ...resolve_lower_devices(devstatus, device));
+ push(devices, ...resolve_lower_devices(null, device));

 return uniq(devices);
 },
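Review bot: In `nft_try_hw_offload` the device names are escaped for the shell (`replace(nft_test, "'", "'\\''")`) but not for nft: each name is pasted between double quotes in `devices = { "..." }`, so a name containing `"` changes the ruleset text that `nft -c` parses. Because `-c` only checks, the visible effect is a failed or misleading probe rather than an applied rule, but the names come from zone configuration and ubus device status (second hunk), so I would reject such input before building the string, e.g. `if (!length(devices) || length(filter(devices, d => index(d, '"') >= 0))) return false;`. The same guard covers an empty list, which currently renders `devices = { "" }` and would presumably be reported as missing hardware support. A one-line comment stating that `-c` is check-only, that the test table is never created, and that stderr is discarded on purpose would also help the next reader.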
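Review bot: The fallback branch sets `this.state.defaults.flow_offloading_hw = false` from inside a method that otherwise only collects device names, so whether the rest of ruleset generation sees hardware offloading enabled depends on this method having run first; that ordering dependency deserves a comment above the assignment, such as `// nft -c rejected the hw flowtable; downgrade to software offloading for everything rendered after this point`. The warning also reports every non-zero exit as unsupported hardware, while `nft_try_hw_offload` discards stderr, so a missing nft binary or a malformed device name looks the same in the log; wording like `'Hardware flow offloading check failed, falling back to software offloading'` would be more accurate. The two zone/device loops now differ only in the first argument to `resolve_lower_devices` and could share one small helper. The enclosing method starts before this hunk, so the condition guarding the first branch is not visible here.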