I'm using flowtable for udp voip packets:

    table ip filter {
        flowtable f {
            hook ingress priority 0
            devices = { external, internal };
        }
        .........
        chain FORWARD {
            ...........
            udp dport { iax, 10000-65000 } flow offload @f
            ..........

I'm having some issues with this, which sent me to read the docs more closely.

https://www.kernel.org/doc/Documentation/networking/nf_flowtable.txt

gives a similar example:

    table inet x {
        flowtable f {
            hook ingress priority 0
            devices = { eth0, eth1 };
        }
        chain y {
            type filter hook forward priority 0; policy accept;
            ip protocol tcp flow offload @f
            ............

and then says:

    The 'flow offload' action from the forward chain 'y' adds an entry to
    the flowtable for the TCP syn-ack packet coming in the reply direction.

Key words: "in the reply direction"!

Why in only one direction? I would have thought it would be both directions. (In fact, I would have thought all TCP packets, not just syn-ack packets, would go through the flowtable bypass, which doesn't seem like a good idea.)

If only one direction, is the direction specified by the order of the interfaces in the flowtable definition? eth0 -> eth1? So for both directions, you need 2 flowtables?

I'd like the voip udp packets to use the flowtable in both directions.

sean