* correct nft v1.1.0 usage for flowtable h/w offload? `flags offload` &/or `devices=`
@ 2024-08-11 14:43 pgnd
2024-08-15 16:38 ` Fwd: " pgnd
0 siblings, 1 reply; 8+ messages in thread
From: pgnd @ 2024-08-11 14:43 UTC (permalink / raw)
To: netfilter
i'm setting up nftables flowtable for h/w offload, per
https://wiki.nftables.org/wiki-nftables/index.php/Flowtables
https://docs.kernel.org/networking/nf_flowtable.html#hardware-offload
https://thermalcircle.de/doku.php?id=blog:linux:flowtables_1_a_netfilter_nftables_fastpath
&
a slew of older posts @ ML ...
on
/usr/local/sbin/nft -V
nftables v1.1.0 (Commodore Bullmoose)
cli: editline
json: yes
minigmp: no
libxtables: no
uname -rm
6.10.3-200.fc40.x86_64 x86_64
with
lspci | grep -i eth
02:00.0 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)
03:00.0 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)
ethtool -k enp3s0 | grep -i offload.*on
tcp-segmentation-offload: on
generic-segmentation-offload: on
generic-receive-offload: on
rx-vlan-offload: on
tx-vlan-offload: on
hw-tc-offload: on
(which, iiuc, is sufficient?)
a test config
cat test.nft
#!/usr/local/sbin/nft -f

table inet filter {

    flowtable f {
        hook ingress priority 0;
        devices = { enp2s0, enp3s0 };
    }

    chain input {
        type filter hook input priority 0;
        policy accept;
    }

    chain forward {
        type filter hook forward priority 1;
        policy drop;

        ct state invalid drop;

        tcp dport { 80, 443 } ct state established flow offload @f;

        ct state { established, related } accept;
        accept;
    }
}
fails conf check,
nft -c -f ./test.nft
./test.nft:8:12-12: Error: Could not process rule: Operation not supported
flowtable f {
^
otoh, per example @
https://docs.kernel.org/networking/nf_flowtable.html#hardware-offload
edit
flowtable f {
hook ingress priority 0;
- devices = { enp2s0, enp3s0 };
+ flags offload;
}
passes conf check. and after load
nft list flowtables
table inet filter {
flowtable f {
hook ingress priority filter
flags offload
}
}
what's the correct/current usage for flowtable declaration in hardware offload use case?
as documented @ wiki, or kernel docs?
_seems_ it's kernel docs ...
reading @,
https://netfilter.org/projects/nftables/files/changes-nftables-1.1.0.txt
i don't find (yet) the change re `flags offload` usage.
what commit introduced it?
* Fwd: correct nft v1.1.0 usage for flowtable h/w offload? `flags offload` &/or `devices=`
2024-08-11 14:43 correct nft v1.1.0 usage for flowtable h/w offload? `flags offload` &/or `devices=` pgnd
@ 2024-08-15 16:38 ` pgnd
2024-08-19 17:14 ` Pablo Neira Ayuso
0 siblings, 1 reply; 8+ messages in thread
From: pgnd @ 2024-08-15 16:38 UTC (permalink / raw)
To: netfilter-devel
('radio silence' on netfilter@ ML ... trying here)
i'm setting up nftables flowtable for h/w offload, per
https://wiki.nftables.org/wiki-nftables/index.php/Flowtables
https://docs.kernel.org/networking/nf_flowtable.html#hardware-offload
https://thermalcircle.de/doku.php?id=blog:linux:flowtables_1_a_netfilter_nftables_fastpath
&
a slew of older posts @ ML ...
on
/usr/local/sbin/nft -V
nftables v1.1.0 (Commodore Bullmoose)
cli: editline
json: yes
minigmp: no
libxtables: no
uname -rm
6.10.3-200.fc40.x86_64 x86_64
with
lspci | grep -i eth
02:00.0 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)
03:00.0 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)
ethtool -k enp3s0 | grep -i offload.*on
tcp-segmentation-offload: on
generic-segmentation-offload: on
generic-receive-offload: on
rx-vlan-offload: on
tx-vlan-offload: on
hw-tc-offload: on
(which, iiuc, is sufficient?)
a test config
cat test.nft
#!/usr/local/sbin/nft -f

table inet filter {

    flowtable f {
        hook ingress priority 0;
        devices = { enp2s0, enp3s0 };
    }

    chain input {
        type filter hook input priority 0;
        policy accept;
    }

    chain forward {
        type filter hook forward priority 1;
        policy drop;

        ct state invalid drop;

        tcp dport { 80, 443 } ct state established flow offload @f;

        ct state { established, related } accept;
        accept;
    }
}
fails conf check,
nft -c -f ./test.nft
./test.nft:8:12-12: Error: Could not process rule: Operation not supported
flowtable f {
^
otoh, per example @
https://docs.kernel.org/networking/nf_flowtable.html#hardware-offload
edit
flowtable f {
hook ingress priority 0;
- devices = { enp2s0, enp3s0 };
+ flags offload;
}
passes conf check. and after load
nft list flowtables
table inet filter {
flowtable f {
hook ingress priority filter
flags offload
}
}
what's the correct/current usage for flowtable declaration in hardware offload use case?
as documented @ wiki, or kernel docs?
_seems_ it's kernel docs ...
reading @,
https://netfilter.org/projects/nftables/files/changes-nftables-1.1.0.txt
i don't find (yet) the change re `flags offload` usage.
what commit introduced it?
* Re: Fwd: correct nft v1.1.0 usage for flowtable h/w offload? `flags offload` &/or `devices=`
2024-08-15 16:38 ` Fwd: " pgnd
@ 2024-08-19 17:14 ` Pablo Neira Ayuso
2024-08-19 18:22 ` pgnd
0 siblings, 1 reply; 8+ messages in thread
From: Pablo Neira Ayuso @ 2024-08-19 17:14 UTC (permalink / raw)
To: pgnd; +Cc: netfilter-devel
Hi,
Driver does not support this.
Not many drivers support this by the time I am writing this.
This infrastructure is attracting marginal attention from driver
developers / hardware vendors.
It is frustrating.
Sorry.
On Thu, Aug 15, 2024 at 12:38:01PM -0400, pgnd wrote:
> ('radio silence' on netfilter@ ML ... trying here)
>
> i'm setting up nftables flowtable for h/w offload, per
>
> https://wiki.nftables.org/wiki-nftables/index.php/Flowtables
> https://docs.kernel.org/networking/nf_flowtable.html#hardware-offload
> https://thermalcircle.de/doku.php?id=blog:linux:flowtables_1_a_netfilter_nftables_fastpath
> &
> a slew of older posts @ ML ...
>
>
> on
>
> /usr/local/sbin/nft -V
> nftables v1.1.0 (Commodore Bullmoose)
> cli: editline
> json: yes
> minigmp: no
> libxtables: no
>
> uname -rm
> 6.10.3-200.fc40.x86_64 x86_64
>
>
> with
>
> lspci | grep -i eth
> 02:00.0 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)
> 03:00.0 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)
>
> ethtool -k enp3s0 | grep -i offload.*on
> tcp-segmentation-offload: on
> generic-segmentation-offload: on
> generic-receive-offload: on
> rx-vlan-offload: on
> tx-vlan-offload: on
> hw-tc-offload: on
>
> (which, iiuc, is sufficient?)
>
> a test config
>
> cat test.nft
> #!/usr/local/sbin/nft -f
>
> table inet filter {
>
>     flowtable f {
>         hook ingress priority 0;
>         devices = { enp2s0, enp3s0 };
>     }
>
>     chain input {
>         type filter hook input priority 0;
>         policy accept;
>     }
>
>     chain forward {
>         type filter hook forward priority 1;
>         policy drop;
>
>         ct state invalid drop;
>
>         tcp dport { 80, 443 } ct state established flow offload @f;
>
>         ct state { established, related } accept;
>         accept;
>     }
> }
>
> fails conf check,
>
> nft -c -f ./test.nft
> ./test.nft:8:12-12: Error: Could not process rule: Operation not supported
> flowtable f {
> ^
>
> otoh, per example @
>
> https://docs.kernel.org/networking/nf_flowtable.html#hardware-offload
>
> edit
>
> flowtable f {
> hook ingress priority 0;
> - devices = { enp2s0, enp3s0 };
> + flags offload;
> }
>
> passes conf check. and after load
>
> nft list flowtables
> table inet filter {
> flowtable f {
> hook ingress priority filter
> flags offload
> }
> }
>
> what's the correct/current usage for flowtable declaration in hardware offload use case?
> as documented @ wiki, or kernel docs?
> _seems_ it's kernel docs ...
>
>
> reading @,
>
> https://netfilter.org/projects/nftables/files/changes-nftables-1.1.0.txt
>
> i don't find (yet) the change re `flags offload` usage.
>
> what commit introduced it?
>
>
>
* Re: Fwd: correct nft v1.1.0 usage for flowtable h/w offload? `flags offload` &/or `devices=`
2024-08-19 17:14 ` Pablo Neira Ayuso
@ 2024-08-19 18:22 ` pgnd
2024-08-19 18:33 ` Pablo Neira Ayuso
0 siblings, 1 reply; 8+ messages in thread
From: pgnd @ 2024-08-19 18:22 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel
hi,
> Driver does not support this.
what's missing that tells you that from looking?
i _thought_, incorrectly, that this was sufficient
>> ethtool -k enp3s0 | grep -i offload.*on
>> tcp-segmentation-offload: on
>> generic-segmentation-offload: on
>> generic-receive-offload: on
>> rx-vlan-offload: on
>> tx-vlan-offload: on
>> hw-tc-offload: on
on the intel I350 cards.
what specific parameter needs to be enabled for the h/w offloading?
is `ethtool` the right tool to be checking with?
* Re: Fwd: correct nft v1.1.0 usage for flowtable h/w offload? `flags offload` &/or `devices=`
2024-08-19 18:22 ` pgnd
@ 2024-08-19 18:33 ` Pablo Neira Ayuso
2024-08-19 19:04 ` pgnd
0 siblings, 1 reply; 8+ messages in thread
From: Pablo Neira Ayuso @ 2024-08-19 18:33 UTC (permalink / raw)
To: pgnd; +Cc: netfilter-devel
On Mon, Aug 19, 2024 at 02:22:55PM -0400, pgnd wrote:
> hi,
>
> > Driver does not support this.
>
> what's missing that tells you that from looking?
>
> i _thought_, incorrectly, that this was sufficient
driver needs to implement TC_SETUP_FT
> > > ethtool -k enp3s0 | grep -i offload.*on
> > > tcp-segmentation-offload: on
> > > generic-segmentation-offload: on
> > > generic-receive-offload: on
> > > rx-vlan-offload: on
> > > tx-vlan-offload: on
> > > hw-tc-offload: on
>
> on the intel I350 cards.
>
> what specific parameter needs to be enabled for the h/w offloading?
>
> is `ethtool` the right tool to be checking with?
hw-tc-offload support is necessary, but not sufficient.
* Re: Fwd: correct nft v1.1.0 usage for flowtable h/w offload? `flags offload` &/or `devices=`
2024-08-19 18:33 ` Pablo Neira Ayuso
@ 2024-08-19 19:04 ` pgnd
2024-08-19 19:18 ` Pablo Neira Ayuso
0 siblings, 1 reply; 8+ messages in thread
From: pgnd @ 2024-08-19 19:04 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel
> driver needs to implement TC_SETUP_FT
> hw-tc-offload support is necessary, but not sufficient.
ah, thx o/
https://lore.kernel.org/netdev/20191111232956.24898-1-pablo@netfilter.org/T/
* Re: Fwd: correct nft v1.1.0 usage for flowtable h/w offload? `flags offload` &/or `devices=`
2024-08-19 19:04 ` pgnd
@ 2024-08-19 19:18 ` Pablo Neira Ayuso
2024-08-19 19:19 ` Pablo Neira Ayuso
0 siblings, 1 reply; 8+ messages in thread
From: Pablo Neira Ayuso @ 2024-08-19 19:18 UTC (permalink / raw)
To: pgnd; +Cc: netfilter-devel
On Mon, Aug 19, 2024 at 03:04:07PM -0400, pgnd wrote:
> > driver needs to implement TC_SETUP_FT
> > hw-tc-offload support is necessary, but not sufficient.
>
>
> ah, thx o/
>
> https://lore.kernel.org/netdev/20191111232956.24898-1-pablo@netfilter.org/T/
yes, unfortunately it only supports for net/sched/sch_ct that I am
aware, it never made it to support netfilter's flowtable.
* Re: Fwd: correct nft v1.1.0 usage for flowtable h/w offload? `flags offload` &/or `devices=`
2024-08-19 19:18 ` Pablo Neira Ayuso
@ 2024-08-19 19:19 ` Pablo Neira Ayuso
0 siblings, 0 replies; 8+ messages in thread
From: Pablo Neira Ayuso @ 2024-08-19 19:19 UTC (permalink / raw)
To: pgnd; +Cc: netfilter-devel
On Mon, Aug 19, 2024 at 09:18:54PM +0200, Pablo Neira Ayuso wrote:
> On Mon, Aug 19, 2024 at 03:04:07PM -0400, pgnd wrote:
> > > driver needs to implement TC_SETUP_FT
> > > hw-tc-offload support is necessary, but not sufficient.
> >
> >
> > ah, thx o/
> >
> > https://lore.kernel.org/netdev/20191111232956.24898-1-pablo@netfilter.org/T/
>
> yes, unfortunately it only supports for net/sched/sch_ct that I am
^^^^^^^^^^^^^^^^
net/sched/act_ct.c
> aware, it never made it to support netfilter's flowtable.
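Added example (not part of any message in this thread, and not nftables or kernel code): a shell check for the two conditions named in the replies above, `hw-tc-offload` being on in `ethtool -k` output and the driver source referencing `TC_SETUP_FT`. The function names, the verdict strings, and the two caller-supplied paths (a saved `ethtool -k` output file and a driver source directory) are assumptions made for this example.

```shell
#!/bin/sh
# Added example: two-stage check for flowtable hardware offload prerequisites.
#   $1  file holding saved `ethtool -k <dev>` output   (caller-supplied)
#   $2  directory holding that NIC driver's source     (caller-supplied)

# Print the state of the hw-tc-offload feature: on, off, or absent.
# A trailing "[fixed]" marker is ignored; only the on/off word is reported.
tc_offload_state() {
    awk '$1 == "hw-tc-offload:" { print $2; found = 1; exit }
         END { if (!found) print "absent" }' "$1"
}

# Succeed when any .c/.h file under the directory mentions TC_SETUP_FT,
# the setup type the driver has to handle for flowtable offload.
driver_handles_ft() {
    find "$1" -type f \( -name '*.c' -o -name '*.h' \) \
        -exec grep -lw 'TC_SETUP_FT' {} + 2>/dev/null | grep -q .
}

# Combine both checks into one verdict (strings are made up for this example):
#   no-tc-offload       hw-tc-offload is off or not listed
#   tc-offload-only     feature flag is on, driver never references TC_SETUP_FT
#   tc-setup-ft-present feature flag is on and the driver references TC_SETUP_FT
ft_offload_verdict() {
    state=$(tc_offload_state "$1")
    if [ "$state" != "on" ]; then
        echo "no-tc-offload"
    elif driver_handles_ft "$2"; then
        echo "tc-setup-ft-present"
    else
        echo "tc-offload-only"
    fi
}

# Stand-alone use: ./check.sh ethtool-k.txt /path/to/driver/source
if [ "$#" -eq 2 ]; then
    ft_offload_verdict "$1" "$2"
fi
```

A `tc-offload-only` verdict corresponds to the situation in this thread: the feature flag reads `on`, yet the flowtable declaration is rejected with "Operation not supported".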