* [nftables] packet (filtering) flow NIC vs. PPPoE?
@ 2020-09-28 21:35 ѽ҉ᶬḳ℠
2020-09-29 11:23 ` ѽ҉ᶬḳ℠
2020-09-29 15:06 ` Pablo Neira Ayuso
0 siblings, 2 replies; 4+ messages in thread
From: ѽ҉ᶬḳ℠ @ 2020-09-28 21:35 UTC (permalink / raw)
To: netfilter@vger.kernel.org
Whilst testing NFTables's flow offload on a node with a PPPoE subscriber
line it turned out that the flow offload happens with the NIC netdev and
not (as I expected) the virtual PPPoE netdev.
Just for reference this being the NFT config (eth2 being the NIC)
flowtable fte {
hook ingress priority -100
devices = { eth2 }
counter
}
ip protocol { 6, 17 } flow add @fte;
ip6 nexthdr { 6, 17 } flow add @fte;
Why would the packet filtering have to take place on the PPPoE netdev
but the flowatable happens with the NIC instead?
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: [nftables] packet (filtering) flow NIC vs. PPPoE?
2020-09-28 21:35 [nftables] packet (filtering) flow NIC vs. PPPoE? ѽ҉ᶬḳ℠
@ 2020-09-29 11:23 ` ѽ҉ᶬḳ℠
2020-09-29 15:06 ` Pablo Neira Ayuso
1 sibling, 0 replies; 4+ messages in thread
From: ѽ҉ᶬḳ℠ @ 2020-09-29 11:23 UTC (permalink / raw)
To: netfilter@vger.kernel.org
On 28/09/2020 23:35, ѽ҉ᶬḳ℠ wrote:
> Whilst testing NFTables's flow offload on a node with a PPPoE
> subscriber line it turned out that the flow offload happens with the
> NIC netdev and not (as I expected) the virtual PPPoE netdev.
>
> Just for reference this being the NFT config (eth2 being the NIC)
>
> flowtable fte {
> hook ingress priority -100
> devices = { eth2 }
> counter
> }
>
> ip protocol { 6, 17 } flow add @fte;
> ip6 nexthdr { 6, 17 } flow add @fte;
>
>
> Why would the packet filtering have to take place on the PPPoE netdev
> but the flowatable happens with the NIC instead?
>
Is this perhaps due to:
nft_flow_offload -> NDO hook
utilising the NIC's hardware flow tables? If so how is the NIC's
flow-table capability transparent to the user, querying the NIC with
ethtool for 'flow' does not produce anything.
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: [nftables] packet (filtering) flow NIC vs. PPPoE?
2020-09-28 21:35 [nftables] packet (filtering) flow NIC vs. PPPoE? ѽ҉ᶬḳ℠
2020-09-29 11:23 ` ѽ҉ᶬḳ℠
@ 2020-09-29 15:06 ` Pablo Neira Ayuso
2020-09-29 16:08 ` ѽ҉ᶬḳ℠
1 sibling, 1 reply; 4+ messages in thread
From: Pablo Neira Ayuso @ 2020-09-29 15:06 UTC (permalink / raw)
To: ѽ҉ᶬḳ℠; +Cc: netfilter@vger.kernel.org
On Mon, Sep 28, 2020 at 09:35:00PM +0000, ѽ҉ᶬḳ℠ wrote:
> Whilst testing NFTables's flow offload on a node with a PPPoE subscriber
> line it turned out that the flow offload happens with the NIC netdev and not
> (as I expected) the virtual PPPoE netdev.
>
> Just for reference this being the NFT config (eth2 being the NIC)
>
> flowtable fte {
> hook ingress priority -100
> devices = { eth2 }
> counter
> }
Could you describe your testbed?
> ip protocol { 6, 17 } flow add @fte;
> ip6 nexthdr { 6, 17 } flow add @fte;
You can consolidate this rule with:
meta l4proto { tcp, udp } flow add @fte;
You might also want to use the existing protocol definitions, instead
of numeric protocols to make your ruleset more readable.
> Why would the packet filtering have to take place on the PPPoE netdev but
> the flowatable happens with the NIC instead?
What would you like to achieve with the flowtable?
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: [nftables] packet (filtering) flow NIC vs. PPPoE?
2020-09-29 15:06 ` Pablo Neira Ayuso
@ 2020-09-29 16:08 ` ѽ҉ᶬḳ℠
0 siblings, 0 replies; 4+ messages in thread
From: ѽ҉ᶬḳ℠ @ 2020-09-29 16:08 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter@vger.kernel.org
On 29/09/2020 17:06, Pablo Neira Ayuso wrote:
> On Mon, Sep 28, 2020 at 09:35:00PM +0000, ѽ҉ᶬḳ℠ wrote:
>> Whilst testing NFTables's flow offload on a node with a PPPoE subscriber
>> line it turned out that the flow offload happens with the NIC netdev and not
>> (as I expected) the virtual PPPoE netdev.
>>
>> Just for reference this being the NFT config (eth2 being the NIC)
>>
>> flowtable fte {
>> hook ingress priority -100
>> devices = { eth2 }
>> counter
>> }
> Could you describe your testbed?
The node being a router that may or may not (travelling) be on a xDSL
PPPoE subscriber line, which needs a bit of working around since nft
fails to init if the PPPoE netdev is in the config (netdev famility a/o
flowtable) but absent from the OS. For that purpose the workflow being:
* nft main conf file sans PPPoE (netdev famility a/o flowtable) when
booting the node
* loading a supplementary nft conf file in the event of PPPoE being up
with just PPPoE stanza for netdev and flowtable
Then monitored the logs about the flow offload and seen only entries for
flow offloads with the NIC but not PPPoE.
I suppose supplementing the main conf file is not such a good idea. Now
I copied the main conf file and added the PPPoE parts and getting that
file loaded in the event of PPPoE being up. Since then the logs showing
the offload with PPPoE working.
>
>> ip protocol { 6, 17 } flow add @fte;
>> ip6 nexthdr { 6, 17 } flow add @fte;
> You can consolidate this rule with:
>
> meta l4proto { tcp, udp } flow add @fte;
Thank you for the hint.
>
> You might also want to use the existing protocol definitions, instead
> of numeric protocols to make your ruleset more readable.
>
>> Why would the packet filtering have to take place on the PPPoE netdev but
>> the flowatable happens with the NIC instead?
> What would you like to achieve with the flowtable?
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2020-09-29 16:08 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-09-28 21:35 [nftables] packet (filtering) flow NIC vs. PPPoE? ѽ҉ᶬḳ℠
2020-09-29 11:23 ` ѽ҉ᶬḳ℠
2020-09-29 15:06 ` Pablo Neira Ayuso
2020-09-29 16:08 ` ѽ҉ᶬḳ℠
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox