How to use flowtables in Vyos 1.4 (with zone-based firewall)

I am currently setting up my firewall to migrate from OPNSense to VyOS, because my internet speeds are going to increase to 8Gbps and VyOS is faster. It’s really great what you guys are doing and the progress that is being made.

To increase the forwarding speed flowtables is great. And I am glad that it got backported to 1.4. But what is the correct way to implement it? This is my current configuration and the configuration that I have for flowtables with VyOS 1.4-rolling-202311301716:
set firewall flowtable FLOW-DMZ interface 'eth2'
set firewall flowtable FLOW-DMZ offload 'software'
set firewall flowtable FLOW-GUEST interface 'eth3'
set firewall flowtable FLOW-GUEST offload 'software'
set firewall flowtable FLOW-IOT interface 'eth4'
set firewall flowtable FLOW-IOT offload 'software'
set firewall flowtable FLOW-LAN interface 'eth1'
set firewall flowtable FLOW-LAN offload 'software'
set firewall flowtable FLOW-WAN interface 'eth0'
set firewall flowtable FLOW-WAN offload 'software'
set firewall flowtable FLOW-WIREGUARD interface 'wg01'

I want to use flowtables on all my interfaces, but how can I check if it’s enabled? Since the command set system conntrack flow-accounting is not working on 1.4.

And is it enough to enable it on all my interfaces, or is it needed to enable it in the firewall rules as well? Because currently I don’t see the option to use flowtables with the zone-based firewall.

Hi.
I wasn’t able to test it with zones, but I think adding offload rules to forward rules might be enough:

# For ipv4
set firewall ipv4 forward filter rule 10 action offload
set firewall ipv4 forward filter rule 10 offload-target FLOW-XXX

And generating only one flowtable with all interfaces needed seems simpler.
Once it’s configured you can check offload entries in conntrack table:

sudo conntrack -L
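As an added example (not from the thread or from VyOS itself), a small POSIX shell helper that sorts `conntrack -L` output by whether an entry carries the [OFFLOAD] flag, which is the quickest way to see which flows the flowtable has actually taken over and which are still going through the slow path. The sample output is constructed; only the first line follows the format quoted later in this thread.

```shell
#!/bin/sh
# Added example: summarise conntrack entries by flowtable offload status.
# Reads `conntrack -L` style output from stdin; nothing here touches the live
# conntrack table unless you pipe it in yourself.

# Print one summary line: how many entries are offloaded and how many are not.
offload_summary() {
    awk '
        /\[OFFLOAD\]/ { off++; next }
        NF > 0        { noff++ }
        END { printf "offloaded=%d not_offloaded=%d\n", off+0, noff+0 }
    '
}

# List protocol plus the original-direction 4-tuple of every entry that is NOT
# offloaded. Field positions differ between offloaded and normal entries (the
# timeout and state columns come and go), so match the tokens by name instead
# of by column number.
not_offloaded() {
    awk '
        !/\[OFFLOAD\]/ && NF > 0 {
            n = 0; out = $1
            for (i = 2; i <= NF && n < 4; i++)
                if ($i ~ /^(src|dst|sport|dport)=/) { out = out " " $i; n++ }
            print out
        }
    '
}

# Constructed sample conntrack output: one offloaded UDP flow, one TCP flow and
# one DNS flow that were not picked up by the flowtable.
SAMPLE='udp      17 src=192.168.50.50 dst=193.123.56.220 sport=53141 dport=123 src=193.123.56.220 dst=192.168.1.113 sport=123 dport=53141 [OFFLOAD] mark=0 use=2
tcp      6 431999 ESTABLISHED src=192.168.50.20 dst=203.0.113.10 sport=50000 dport=443 src=203.0.113.10 dst=192.168.1.113 sport=443 dport=50000 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.50.50 dst=192.168.1.1 sport=40000 dport=53 src=192.168.1.1 dst=192.168.50.50 sport=53 dport=40000 mark=0 use=1'

# On a VyOS box replace the sample with: sudo conntrack -L 2>/dev/null | offload_summary
printf '%s\n' "$SAMPLE" | offload_summary
printf '%s\n' "$SAMPLE" | not_offloaded
```

A flow that never shows [OFFLOAD] usually means its ingress or egress interface is missing from the flowtable's interface list, or it never matched the rule with `action offload`.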

Hi,
Thanks for your answer. I was not aware that it was possible to add multiple interfaces to one flowtable. It’s much cleaner indeed.

set firewall flowtable FLOW-ALL interface 'eth0'
set firewall flowtable FLOW-ALL interface 'eth2'
set firewall flowtable FLOW-ALL interface 'eth3'
set firewall flowtable FLOW-ALL interface 'eth4'
set firewall flowtable FLOW-ALL offload 'software'

I added the rules and it seems to be working fine. I see the offload mark in conntrack:

udp      17 src=192.168.50.50 dst=193.123.56.220 sport=53141 dport=123 src=193.123.56.220 dst=192.168.1.113 sport=123 dport=53141 [OFFLOAD] mark=0 use=2

Are there any plans to add this to zone-based firewall config as well? Or in general just enable it globally without the need for a firewall rule.

On further investigation it looks like when you enable the forward filter, an implicit accept is added to the firewall. I can’t add a drop rule to the forwarding chain after the offload, because things will break. The rules on the zone-based firewall will not get hit anymore, because of the implicit accept.

dec  4 16:19:33 vyos kernel: [ 3162.844117] [ipv4-FWD-filter-default-A]IN=wg01 OUT=eth1 MAC= SRC=10.10.0.2 DST=192.168.50.50 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=52964 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=174
set firewall ipv4 forward filter default-action drop

That would set it globally but you may be better off creating the offload rule within each custom chain you made for zones instead of the forward filter itself.

I used that command, but my zone firewall rules did not work anymore after that (all that relate to forwarding). The best option would be, like you said, an offload rule in the chain, but currently that option is not available on the CLI, or just a global setting to enable flowtables.

Looks like according to ⚓ T4502 Consider implementing (NAT/other) flow table offload it is still a WIP. I don’t know enough of the nitty gritty of nftables, but I don’t see why offload actions couldn’t be applied to custom chains. Since zones were originally going to be dropped entirely until the reversal of that decision, it’s not unreasonable to presume it was missed as an option. I’d suggest creating an account at https://vyos.dev and updating that task regarding functionality missing from custom chains.

What about defining offload in a custom chain, for example:

# if WAN_to_DMZ is used in the firewall for traffic that goes from zone WAN to zone DMZ
set firewall ipv4 name WAN_to_DMZ rule XX action offload
set firewall ipv4 name WAN_to_DMZ rule XX offload target FLOW-XXX

Most probably, you will need to offload the other way round too (DMZ_to_WAN).

@deallerbeste and myself can both confirm offload isn’t a valid action in custom chains.


[edit]
vy1@vyos# edit firewall ipv4 name CONN_FILTER rule 10
[edit firewall ipv4 name CONN_FILTER rule 10]
vy1@vyos# set action
Possible completions:
   accept               Accept matching entries
   continue             Continue parsing next rule
   jump                 Jump to another chain
   reject               Reject matching entries
   return               Return from the current chain and continue at the next rule of the last chain
   drop                 Drop matching entries
   queue                Enqueue packet to userspace
   synproxy             Synproxy connections

[edit firewall ipv4 name CONN_FILTER rule 10]
vy1@vyos# set action offload

  Invalid value
  Value validation failed
  Set failed

Feel free to submit a feature request in vyos.dev

I updated ⚓ T4502 Consider implementing (NAT/other) flow table offload since that appears to be the main feature request for flow tables and is still currently open.


Thanks. I was waiting for approval.
Another (or additional) option would be to make it a global option.


I have created a PR that adds support for this.


Pull request for 1.4 backport, since it would be great to have included in 1.4 (since the zone based firewall and flowtables won’t work together without it): firewall: T4502: add offload to firewall table actions (backport #2638) by GurliGebis · Pull Request #2641 · vyos/vyos-1x · GitHub


Thanks for the PR :grinning:

In the meantime: I have a NIC that supports hardware offloads (eth0), but it’s not working in combination with software offload. Any ideas what I am doing wrong this time? Every time I get the following error message, but I already added this to the configuration:

#Hardware:

set interfaces ethernet eth0 offload hw-tc-offload
set firewall flowtable FLOW-HW interface 'eth0'
set firewall flowtable FLOW-HW offload 'hardware'

#Software
set firewall flowtable FLOW-SW interface 'eth2'
set firewall flowtable FLOW-SW interface 'eth3'
set firewall flowtable FLOW-SW interface 'eth4'
set firewall flowtable FLOW-SW offload 'software'

Error message after commit:

vyos@fw# commit

Interface "eth0" requires "offload hw-tc-offload"

[[firewall]] failed

When I enable this with ethtool and commit after that, I get the following error:

sudo ethtool -K eth0 hw-tc-offload on

Failed to apply firewall: /run/nftables.conf:28:15-36: Error: Could not process rule: Operation not supported
    flowtable VYOS_FLOWTABLE_FLOW-HW {
              ^^^^^^^^^^^^^^^^^^^^^^
/run/nftables.conf:280:15-36: Error: Could not process rule: Operation not supported
    flowtable VYOS_FLOWTABLE_FLOW-HW {
              ^^^^^^^^^^^^^^^^^^^^^^

nftables.conf

delete table ip vyos_filter
table ip vyos_filter {
    flowtable VYOS_FLOWTABLE_FLOW-HW {
        hook ingress priority 0; devices = { eth0 };
        flags offload;
        counter
    }

    flowtable VYOS_FLOWTABLE_FLOW-SW {
        hook ingress priority 0; devices = { eth2, eth3, eth4 };
        counter
    }

It does not seem possible to run software and hardware flowtables together.

Does it work if you remove the software flowtable? (like only set up hardware for eth0)
If not, it sounds more like your NIC doesn’t support hw flowtables.

Does it work if you only define one flowtable using hardware offload?
I wasn’t able to make it run using hardware offload in my lab. Not even using direct nft commands, even though all requirements are supposed to be satisfied.

@n.fort: no :expressionless:

danhusan@myv.c1# sudo ethtool -K eth0 hw-tc-offload on
[edit]
danhusan@myv.c1# set interfaces ethernet eth0 offload hw-tc-offload
[edit]
danhusan@myv.c1# set firewall flowtable FLOW-HW interface 'eth0'
[edit]
danhusan@myv.c1# set firewall flowtable FLOW-HW offload 'hardware'
[edit]
danhusan@myv.c1# commit

Failed to apply firewall: /run/nftables.conf:28:15-36: Error: Could not process rule: Operation not supported
    flowtable VYOS_FLOWTABLE_FLOW-HW {
              ^^^^^^^^^^^^^^^^^^^^^^
/run/nftables.conf:114:15-36: Error: Could not process rule: Operation not supported
    flowtable VYOS_FLOWTABLE_FLOW-HW {
              ^^^^^^^^^^^^^^^^^^^^^^

[[firewall]] failed
Commit failed