Re: Fwd: correct nft v1.1.0 usage for flowtable h/w offload? `flags offload` &/or `devices=`

[Pablo Neira Ayuso <pablo@netfilter.org>]

Hi,

Driver does not support this.

Not many drivers support this by the time I am writing this.

This infrastructure is attracting margial attention from driver
developers / hardware vendors.

It is frustrating.

Sorry.

On Thu, Aug 15, 2024 at 12:38:01PM -0400, pgnd wrote:
> ('radio silence' on netfilter@ ML ... trying here)
> 
> i'm setting up nftables flowtable for h/w offload, per
> 
> 	https://wiki.nftables.org/wiki-nftables/index.php/Flowtables
> 	https://docs.kernel.org/networking/nf_flowtable.html#hardware-offload
> 	https://thermalcircle.de/doku.php?id=blog:linux:flowtables_1_a_netfilter_nftables_fastpath
> &
> 	a slew of older posts @ ML ...
> 
> 
> on
> 
> 	/usr/local/sbin/nft -V
> 		nftables v1.1.0 (Commodore Bullmoose)
> 		  cli:          editline
> 		  json:         yes
> 		  minigmp:      no
> 		  libxtables:   no
> 
> 	uname -rm
> 		6.10.3-200.fc40.x86_64 x86_64
> 
> 
> with
> 
> 	lspci | grep -i eth
> 		02:00.0 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)
> 		03:00.0 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)
> 
> 	ethtool -k enp3s0 | grep -i offload.*on
> 		tcp-segmentation-offload: on
> 		generic-segmentation-offload: on
> 		generic-receive-offload: on
> 		rx-vlan-offload: on
> 		tx-vlan-offload: on
> 		hw-tc-offload: on
> 
> 	(which, iiuc, is sufficient?)
> 
> a test config
> 
> 	cat test.nft
> 		#!/usr/local/sbin/nft -f
> 
> 		table inet filter {
> 
> 			flowtable f {
> 				hook ingress priority 0;
> 				devices = { enp2s0, enp3s0 };
> 			}
> 
> 			chain input {
> 				type filter hook input priority 0;
> 				policy accept;
> 			}
> 
> 			chain forward {
> 				type filter hook forward priority 1;
> 				policy drop;
> 
> 				ct state invalid drop;
> 
> 				tcp dport { 80, 443 } ct state established flow offload @f;
> 
> 				ct state { established, related } accept;
> 				accept;
> 			}
> 		}
> 
> fails conf check,
> 
> 	nft -c -f ./test.nft
> 		./test.nft:8:12-12: Error: Could not process rule: Operation not supported
> 		        flowtable f {
> 		                  ^
> 
> otoh, per example @
> 
> 	https://docs.kernel.org/networking/nf_flowtable.html#hardware-offload
> 
> edit
> 
> 	flowtable f {
> 		hook ingress priority 0;
> -		devices = { enp2s0, enp3s0 };
> +		flags offload;
> 	}
> 
> passes conf check. and after load
> 
> 	nft list flowtables
> 		table inet filter {
> 		        flowtable f {
> 		                hook ingress priority filter
> 		                flags offload
> 		        }
> 		}
> 
> what's the correct/current usage for flowtable declaration in hardware offload use case?
> as documented @ wiki, or kernel docs?
> _seems_ it's kernel docs ...
> 
> 
> reading @,
> 
> 	https://netfilter.org/projects/nftables/files/changes-nftables-1.1.0.txt
> 
> i don't find (yet) the change re `flags offload` usage.
> 
> what commit introduced it?
> 
> 
>