From: Pablo Neira Ayuso <pablo@netfilter.org>
To: tech <tech@format-tv.net>
Cc: netfilter@vger.kernel.org
Subject: Re: Traffic drops when using flow offload for nftables based NAT
Date: Tue, 16 Mar 2021 23:36:56 +0100 [thread overview]
Message-ID: <20210316223656.GA981@salvia> (raw)
In-Reply-To: <4986dab7b8162afc20ee5d21e42cca80@format-tv.net>
On Thu, Mar 11, 2021 at 12:17:18PM +0200, tech wrote:
> Hi,
> I'm trying to augment my nft based NAT server with the flow offload feature.
> Prerequisites:
> # uname -a
> Linux nat40g 5.4.0-66-generic #74-Ubuntu SMP Wed Jan 27 22:54:38 UTC 2021
What kernel version are you using specifically as of kernel.org?
> x86_64 x86_64 x86_64 GNU/Linux
> ethtool -G enp1s0f0 tx 8192
> ethtool -G enp1s0f0 rx 8192
> ethtool -K enp1s0f0 hw-tc-offload on
>
> Ethernet controller: Mellanox Technologies MT27700 Family [ConnectX-4]
>
> # cat /opt/nftables.conf
> flush ruleset
>
> table ip filter {
>     chain input {
>         type filter hook input priority 0; policy accept;
>         ct state established accept
>         iif "vlan4" counter drop
>         iif "vlan5" counter drop
>     }
>
>     flowtable fastnat {
>         hook ingress priority 0
>         devices = { vlan4, vlan5 }
>     }
>
>     chain forward {
>         type filter hook forward priority 0; policy accept;
>         ip protocol { tcp , udp } flow offload @fastnat;
>     }
> }
>
>
> table ip nat {
>     chain post {
>         type nat hook postrouting priority 100; policy accept;
>         ip saddr 10.0.0.0/8 oif "vlan5" snat to 19.2.5.1-19.2.5.125 persistent
>     }
>
>     chain pre {
>         type nat hook prerouting priority -100; policy accept;
>     }
> }
>
> All good when there is up to 12G overall traffic volume, but when my traffic
> overall volume exceeds 12+G I experience input drops.
Probably you are missing this fix?
commit 8d6bca156e47d68551750a384b3ff49384c67be3
Author: Sven Auhagen <sven.auhagen@voleatech.de>
Date: Tue Feb 2 18:01:16 2021 +0100
netfilter: flowtable: fix tcp and udp header checksum update
> If I comment out this portion of configuration:
>     flowtable fastnat {
>         hook ingress priority 0
>         devices = { vlan4, vlan5 }
>     }
>
>     chain forward {
>         type filter hook forward priority 0; policy accept;
>         ip protocol { tcp , udp } flow offload @fastnat;
>     }
> The result: no drops up to 21.5G, and they occur when CPU utilization is up to 85%.
> P.S. If someone is interested I can share images.
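As an added diagnostic, not from this thread and not part of netfilter's own tooling: before chasing a kernel fix it is worth confirming that the flowtable is taking flows at all. The script below reads conntrack -L output and, per L4 protocol, separates entries the flowtable owns (flagged [OFFLOAD]) from entries still on the slow path, and lists established tcp/udp flows that never reached the flowtable. It assumes the [OFFLOAD]/[ASSURED] flag layout that conntrack -L prints; the sample lines embedded in it are constructed for illustration, not captured from the poster's machine.

```shell
#!/bin/sh
# Added example (not from the thread or the netfilter project): a small
# diagnostic for "is my flowtable actually taking flows?". It reads
# `conntrack -L` output and splits entries per L4 protocol into those the
# flowtable owns ([OFFLOAD]) and those still on the slow path.
# Real use:  conntrack -L 2>/dev/null | offload_summary

offload_summary() {
    awk '
        { proto = $1 }
        /\[OFFLOAD\]/ { off[proto]++; next }
        { sw[proto]++ }
        END {
            for (p in off) seen[p] = 1
            for (p in sw)  seen[p] = 1
            for (p in seen)
                printf "%s offloaded=%d software=%d\n", p, off[p] + 0, sw[p] + 0
        }
    ' | sort
}

# Established tcp/udp entries that never made it into the flowtable. With a
# forward rule like "ip protocol { tcp, udp } flow offload @fastnat" the
# flow should move to [OFFLOAD] once the forward chain has seen it; entries
# that stay [ASSURED] without [OFFLOAD] are worth a closer look.
stuck_in_software() {
    awk '($1 == "tcp" || $1 == "udp") && /\[ASSURED\]/ && !/\[OFFLOAD\]/'
}

# Constructed sample in conntrack -L format (assumed layout; not captured
# from the poster's box). Offloaded entries carry [OFFLOAD] and no timeout.
SAMPLE_CONNTRACK='tcp      6 src=10.1.2.3 dst=93.184.216.34 sport=45000 dport=443 src=93.184.216.34 dst=19.2.5.7 sport=443 dport=45000 [OFFLOAD] mark=0 use=2
udp      17 src=10.1.2.3 dst=1.1.1.1 sport=5353 dport=53 src=1.1.1.1 dst=19.2.5.7 sport=53 dport=5353 [OFFLOAD] mark=0 use=2
tcp      6 431999 ESTABLISHED src=10.1.2.4 dst=93.184.216.34 sport=45001 dport=443 src=93.184.216.34 dst=19.2.5.8 sport=443 dport=45001 [ASSURED] mark=0 use=1
icmp     1 29 src=10.1.2.3 dst=8.8.8.8 type=8 code=0 id=1 src=8.8.8.8 dst=19.2.5.7 type=0 code=0 id=1 mark=0 use=1'

# Helpers over the sample so the result can be checked without root.
offloaded_count() {
    printf '%s\n' "$SAMPLE_CONNTRACK" | offload_summary \
        | awk -v p="$1" '$1 == p { sub("offloaded=", "", $2); print $2 }'
}

stuck_count() {
    printf '%s\n' "$SAMPLE_CONNTRACK" | stuck_in_software | grep -c .
}

# Stand-alone run over the sample: one summary line per protocol.
printf '%s\n' "$SAMPLE_CONNTRACK" | offload_summary
```

On a box like the poster's, icmp staying in software is expected, since the forward rule only hands tcp and udp to the flowtable; a steady population of tcp/udp flows in the stuck list, on the other hand, points at the flowtable never seeing them (wrong hook devices, wrong direction) rather than at a bug in the offload data path itself.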
Thread overview: 3+ messages
2021-03-11 10:17 Traffic drops when using flow offload for nftables based NAT tech
2021-03-16 22:36 ` Pablo Neira Ayuso [this message]
2021-03-19 14:04 ` tech