From e2d9b215659a9131e9a03f9ebd74c8af6a9e37fd Mon Sep 17 00:00:00 2001
From: GurliGebis <GurliGebis@users.noreply.github.com>
Date: Fri, 15 Dec 2023 07:09:53 +0100
Subject: [PATCH] firewall: T4502: add ofload to firewall table actions

---
 .../include/firewall/action.xml.i             |  8 +++--
 .../include/firewall/ipv4-custom-name.xml.i   |  1 +
 .../include/firewall/ipv6-custom-name.xml.i   |  1 +
 smoketest/scripts/cli/test_firewall.py        | 36 +++++++++++++++++++
 4 files changed, 44 insertions(+), 2 deletions(-)

diff --git a/interface-definitions/include/firewall/action.xml.i b/interface-definitions/include/firewall/action.xml.i
index 954e4f23eb..e1f0c6cb6e 100644
--- a/interface-definitions/include/firewall/action.xml.i
+++ b/interface-definitions/include/firewall/action.xml.i
@@ -3,7 +3,7 @@
   <properties>
     <help>Rule action</help>
     <completionHelp>
-      <list>accept continue jump reject return drop queue synproxy</list>
+      <list>accept continue jump reject return drop queue offload synproxy</list>
     </completionHelp>
     <valueHelp>
       <format>accept</format>
@@ -33,12 +33,16 @@
       <format>queue</format>
       <description>Enqueue packet to userspace</description>
     </valueHelp>
+    <valueHelp>
+      <format>offload</format>
+      <description>Offload packet via flowtable</description>
+    </valueHelp>
     <valueHelp>
       <format>synproxy</format>
       <description>Synproxy connections</description>
     </valueHelp>
     <constraint>
-      <regex>(accept|continue|jump|reject|return|drop|queue|synproxy)</regex>
+      <regex>(accept|continue|jump|reject|return|drop|queue|offload|synproxy)</regex>
     </constraint>
   </properties>
 </leafNode>
diff --git a/interface-definitions/include/firewall/ipv4-custom-name.xml.i b/interface-definitions/include/firewall/ipv4-custom-name.xml.i
index 9d6ecfaf29..c6420fe1f3 100644
--- a/interface-definitions/include/firewall/ipv4-custom-name.xml.i
+++ b/interface-definitions/include/firewall/ipv4-custom-name.xml.i
@@ -33,6 +33,7 @@
       <children>
         #include <include/firewall/common-rule-ipv4.xml.i>
         #include <include/firewall/inbound-interface.xml.i>
+        #include <include/firewall/offload-target.xml.i>
         #include <include/firewall/outbound-interface.xml.i>
       </children>
     </tagNode>
diff --git a/interface-definitions/include/firewall/ipv6-custom-name.xml.i b/interface-definitions/include/firewall/ipv6-custom-name.xml.i
index 81610babfe..2cc45a60cb 100644
--- a/interface-definitions/include/firewall/ipv6-custom-name.xml.i
+++ b/interface-definitions/include/firewall/ipv6-custom-name.xml.i
@@ -33,6 +33,7 @@
       <children>
         #include <include/firewall/common-rule-ipv6.xml.i>
         #include <include/firewall/inbound-interface.xml.i>
+        #include <include/firewall/offload-target.xml.i>
         #include <include/firewall/outbound-interface.xml.i>
       </children>
     </tagNode>
diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py
index 066ed707b2..5cfddb2697 100755
--- a/smoketest/scripts/cli/test_firewall.py
+++ b/smoketest/scripts/cli/test_firewall.py
@@ -753,5 +753,41 @@ def test_flow_offload(self):
         self.verify_nftables_chain([['accept']], 'ip vyos_conntrack', 'FW_CONNTRACK')
         self.verify_nftables_chain([['accept']], 'ip6 vyos_conntrack', 'FW_CONNTRACK')
 
+    def test_zone_flow_offload(self):
+        self.cli_set(['firewall', 'flowtable', 'smoketest', 'interface', 'eth0'])
+        self.cli_set(['firewall', 'flowtable', 'smoketest', 'offload', 'hardware'])
+
+        # QEMU virtual NIC does not support hw-tc-offload
+        with self.assertRaises(ConfigSessionError):
+            self.cli_commit()
+
+        self.cli_set(['firewall', 'flowtable', 'smoketest', 'offload', 'software'])
+
+        self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '1', 'action', 'offload'])
+        self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '1', 'offload-target', 'smoketest'])
+
+        self.cli_set(['firewall', 'ipv6', 'name', 'smoketest', 'rule', '1', 'action', 'offload'])
+        self.cli_set(['firewall', 'ipv6', 'name', 'smoketest', 'rule', '1', 'offload-target', 'smoketest'])
+
+        self.cli_commit()
+
+        nftables_search = [
+            ['chain NAME_smoketest'],
+            ['flow add @VYOS_FLOWTABLE_smoketest']
+        ]
+
+        self.verify_nftables(nftables_search, 'ip vyos_filter')
+
+        nftables_search = [
+            ['chain NAME6_smoketest'],
+            ['flow add @VYOS_FLOWTABLE_smoketest']
+        ]
+
+        self.verify_nftables(nftables_search, 'ip6 vyos_filter')
+
+        # Check conntrack
+        self.verify_nftables_chain([['accept']], 'ip vyos_conntrack', 'FW_CONNTRACK')
+        self.verify_nftables_chain([['accept']], 'ip6 vyos_conntrack', 'FW_CONNTRACK')
+
 if __name__ == '__main__':
     unittest.main(verbosity=2)