From 85b74f35e4a7aa6b98c5a339a990be1fc2e338e2 Mon Sep 17 00:00:00 2001
From: Stijn Tintel
Date: Thu, 14 Oct 2021 20:42:46 +0200
Subject: [PATCH] treewide: support flow offloading

Flow offloading doesn't work if the devices aren't specified. Pass interfaces used by enabled firewall zones to the ruleset renderer.

Signed-off-by: Stijn Tintel
Reviewed-by: Jo-Philipp Wich
---
 root/usr/share/firewall4/main.uc | 6 +++++-
 root/usr/share/firewall4/templates/ruleset.uc | 16 ++++++++++++++++
 root/usr/share/ucode/fw4.uc | 2 +-
 3 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/root/usr/share/firewall4/main.uc b/root/usr/share/firewall4/main.uc
index 6012bd1..141ba01 100644
--- a/root/usr/share/firewall4/main.uc
+++ b/root/usr/share/firewall4/main.uc
@@ -95,9 +95,13 @@ function reload_sets() {
 }
 function render_ruleset(use_statefile) {
+ let devices = {};
+
 fw4.load(use_statefile);
- include("templates/ruleset.uc", { fw4, type, exists, length, include });
+ map(fw4.zones(), zone => push(devices, ...zone.match_devices));
+
+ include("templates/ruleset.uc", { fw4, type, exists, length, include, devices: sort(devices) });
 }
 function lookup_network(net) {
diff --git a/root/usr/share/firewall4/templates/ruleset.uc b/root/usr/share/firewall4/templates/ruleset.uc
index e67fd7e..9c69aec 100644
--- a/root/usr/share/firewall4/templates/ruleset.uc
+++ b/root/usr/share/firewall4/templates/ruleset.uc
@@ -2,6 +2,18 @@ table inet fw4
 flush table inet fw4
 table inet fw4 {
+{%- if (fw4.default_option("flow_offloading") && length(devices) > 0): %}
+ #
+ # Flowtable
+ #
+
+ flowtable ft {
+ hook ingress priority 0;
+ devices = {{ fw4.set(devices, true) }};
+ }
+
+{% endif %}
+
 #
 # Set definitions
 #
@@ -70,6 +82,10 @@ table inet fw4 {
 chain forward {
 type filter hook forward priority filter; policy {{ fw4.forward_policy(true) }};
+{% if (fw4.default_option("flow_offloading") && length(devices) > 0): %}
+ ip protocol { tcp , udp } flow offload @ft;
+ ip6 nexthdr { tcp , udp } flow offload @ft;
+{% endif %}
 ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
 {% if (fw4.default_option("drop_invalid")): %}
 ct state invalid drop comment "!fw4: Drop flows with invalid conntrack state"
diff --git a/root/usr/share/ucode/fw4.uc b/root/usr/share/ucode/fw4.uc
index 7472509..3469b50 100644
--- a/root/usr/share/ucode/fw4.uc
+++ b/root/usr/share/ucode/fw4.uc
@@ -1638,7 +1638,7 @@ return {
 auto_helper: [ "bool", "1" ],
 custom_chains: [ "bool", null, UNSUPPORTED ],
 disable_ipv6: [ "bool", null, UNSUPPORTED ],
- flow_offloading: [ "bool", null, UNSUPPORTED ],
+ flow_offloading: [ "bool", "0" ],
 flow_offloading_hw: [ "bool", null, UNSUPPORTED ]
 });
--
2.30.2
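Review bot: `let devices = {};` initialises the accumulator as an object, while the added `push(devices, ...zone.match_devices)` line a few lines below appends to it as an array; if ucode's `push()` ignores a non-array target, as I believe it does, no device is ever collected, `length(devices)` in the template stays 0 and the flowtable is silently never rendered. Initialising with `let devices = [];` matches both `push()` and the `sort(devices)` handed to the template. A device that appears in several zones is also pushed once per zone and would show up repeatedly in the flowtable definition, which `devices: sort(uniq(devices))` avoids. `render_ruleset` is visible in full; `reload_sets` ends and `lookup_network` begins outside the hunk.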
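Review bot: The condition `fw4.default_option("flow_offloading") && length(devices) > 0` guarding the flowtable here is repeated verbatim in the forward-chain hunk of this file; if the two copies ever diverge, the forward chain references `@ft` with no flowtable defined and `nft -f` rejects the whole ruleset, leaving the box without firewall rules rather than without offloading. Evaluating it once (a single boolean passed in from main.uc alongside `devices`, or a `{% let offload = ... %}` at the top of the template) and testing that in both places removes the risk. The device names are emitted straight from zone configuration, and I believe nft refuses a flowtable naming an interface that does not exist at load time, which would again fail the entire ruleset for e.g. a not-yet-up WAN device — worth verifying and filtering for before this lands. The `table inet fw4 {` block continues outside the hunk.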
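Review bot: `ip6 nexthdr { tcp , udp }` in the second added rule only matches when TCP/UDP is the header immediately following the IPv6 header, so any IPv6 flow carrying extension headers is never offloaded and keeps taking the slow path. In an `inet` table a single `meta l4proto { tcp, udp } flow offload @ft;` covers both address families and resolves the transport protocol past extension headers, replacing both added rules with one. The rule sits ahead of the `ct state established,related accept` line, which is fine since only established flows are offloaded, but a one-line comment saying so would help the next reader. `chain forward` continues outside the hunk.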
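Review bot: `flow_offloading` now becomes a supported option with default `"0"` while `flow_offloading_hw` on the next line stays `UNSUPPORTED`, and the flowtable added in templates/ruleset.uc carries no `flags offload`, so a configuration with `option flow_offloading_hw '1'` ends up with software offloading only, whatever the UNSUPPORTED marker reports. A comment on that entry would spare the next reader a search, e.g. `/* not honoured yet: the rendered flowtable sets no "flags offload" */`. The enclosing `return {` object begins outside the hunk.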