From 71d2fb884451eea25411c7e589c02f9eff02adc3 Mon Sep 17 00:00:00 2001
From: Demi Marie Obenour
Date: Sun, 12 Mar 2023 17:28:48 -0400
Subject: [PATCH] Use flowtables to accelerate forwarding

This accelerates IP forwarding and NAT using flowtables.
---
 network/vif-route-qubes | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/network/vif-route-qubes b/network/vif-route-qubes
index 12565089..8126f7ff 100755
--- a/network/vif-route-qubes
+++ b/network/vif-route-qubes
@@ -116,6 +116,31 @@ case "$command" in
 nftables_cmd=add
 cmdprefix=''
 ipv6_disabled=$(cat "/proc/sys/net/ipv6/conf/$vif/disable_ipv6" || echo 1)
+ interfaces=''
+ separator=''
+
+ for i in /proc/sys/net/ipv4/conf/*; do
+ i=${i:24}
+ case $i in (all|default|*[!A-Za-z0-9._]*) continue;; esac
+ interfaces+="$separator$i"
+ separator=', '
+ done
+ if [[ -n "$separator" ]]; then
+ nft "
+add table inet qubes-nat-accel
+delete table inet qubes-nat-accel
+table inet qubes-nat-accel {
+ flowtable qubes-accel {
+ hook ingress priority filter
+ devices = { $interfaces }
+ }
+ chain qubes-accel {
+ type filter hook forward priority filter; policy accept;
+ flow add @qubes-accel
+ counter
+ }
+}"
+ fi
 ;;
 offline)
 do_without_error ifdown "${vif}"
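Review bot: The `flow add @qubes-accel` rule in the new `qubes-accel` chain offloads every forwarded flow unconditionally, and once a flow sits in the flowtable its later packets are handled at the ingress hook instead of traversing the forward hook, so filtering rules in other tables (not visible in this hunk) would no longer be evaluated for that connection, including rules changed after the offload. The chain is registered at `priority filter`, so its order relative to any firewall chain at the same priority is not something this hunk controls; consider running it later, e.g. `type filter hook forward priority filter + 1; policy accept;`, and adding a comment above the `nft` call such as `# Offloaded flows bypass the forward hook; a firewall update must also drop the affected conntrack entries.` The `case` allowlist is what keeps an interface name from being parsed as nft syntax inside the double-quoted ruleset, and it deserves a comment so it is not loosened later: `# names outside [A-Za-z0-9._] are skipped, not escaped; they stay on the normal forwarding path`. The exit status of `nft` is not checked in the lines shown, so a failed load (for instance an interface disappearing between the loop and the call) would go unnoticed unless the script runs under `set -e`, which this hunk does not show. The enclosing `case "$command"` arm starts above the hunk and the `offline)` arm continues below it.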