}
function render_ruleset(use_statefile) {
+ let devices = {};
+
fw4.load(use_statefile);
- include("templates/ruleset.uc", { fw4, type, exists, length, include });
+ map(fw4.zones(), zone => push(devices, ...zone.match_devices));
+
+ include("templates/ruleset.uc", { fw4, type, exists, length, include, devices: sort(devices) });
}
function lookup_network(net) {
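Review bot: `devices` is initialised as an object (`let devices = {};`) but is then filled with `push()`, which in ucode operates on arrays only, so as far as I can tell the list stays empty and the template's `length(devices) > 0` guard never holds. Initialise it as `let devices = [];`. Using `map()` only for its side effect also builds a throwaway array; `for (let zone in fw4.zones()) push(devices, ...zone.match_devices);` reads more plainly. A device matched by more than one zone would be pushed twice, so the list probably wants de-duplicating before `sort()`.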
flush table inet fw4
table inet fw4 {
+{%- if (fw4.default_option("flow_offloading") && length(devices) > 0): %}
+ #
+ # Flowtable
+ #
+
+ flowtable ft {
+ hook ingress priority 0;
+ devices = {{ fw4.set(devices, true) }};
+ }
+
+{% endif %}
+
#
# Set definitions
#
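Review bot: The line `devices = {{ fw4.set(devices, true) }};` receives every entry of `zone.match_devices` unfiltered. If an entry names an interface that is absent when the ruleset is loaded, or is a wildcard pattern, nft will most likely reject the flowtable and with it the whole `table inet fw4` transaction, which would leave the firewall rules unapplied. Consider reducing the list in `render_ruleset` to interfaces that currently exist before handing it to the template, and say so in a comment above `flowtable ft`. The guard `fw4.default_option("flow_offloading") && length(devices) > 0` is repeated verbatim in the forward chain; computing it once and passing a boolean into the template would keep the two sites in sync.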
chain forward {
type filter hook forward priority filter; policy {{ fw4.forward_policy(true) }};
+{% if (fw4.default_option("flow_offloading") && length(devices) > 0): %}
+ ip protocol { tcp , udp } flow offload @ft;
+ ip6 nexthdr { tcp , udp } flow offload @ft;
+{% endif %}
ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
{% if (fw4.default_option("drop_invalid")): %}
ct state invalid drop comment "!fw4: Drop flows with invalid conntrack state"
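Review bot: `ip6 nexthdr { tcp , udp }` inspects only the Next Header field of the fixed IPv6 header, so TCP or UDP carried behind extension headers is not matched and those flows are never offloaded. A single `meta l4proto { tcp, udp } flow offload @ft comment "!fw4: Offload TCP and UDP flows"` would cover both families and carry the `!fw4:` comment tag that the neighbouring rules have. The template should also note in a comment that packets of an offloaded flow are handled at the ingress hook and no longer traverse this chain, so the rules below, including the invalid-state drop, and their counters stop seeing them. The forward chain continues outside this hunk.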
auto_helper: [ "bool", "1" ],
custom_chains: [ "bool", null, UNSUPPORTED ],
disable_ipv6: [ "bool", null, UNSUPPORTED ],
- flow_offloading: [ "bool", null, UNSUPPORTED ],
+ flow_offloading: [ "bool", "0" ],
flow_offloading_hw: [ "bool", null, UNSUPPORTED ]
});