* correct nft v1.1.0 usage for flowtable h/w offload? `flags offload` &/or `devices=`
@ 2024-08-11 14:43 pgnd
From: pgnd @ 2024-08-11 14:43 UTC (permalink / raw)
To: netfilter

i'm setting up nftables flowtable for h/w offload, per

    https://wiki.nftables.org/wiki-nftables/index.php/Flowtables
    https://docs.kernel.org/networking/nf_flowtable.html#hardware-offload
    https://thermalcircle.de/doku.php?id=blog:linux:flowtables_1_a_netfilter_nftables_fastpath

&

a slew of older posts @ ML ...

on

    /usr/local/sbin/nft -V
        nftables v1.1.0 (Commodore Bullmoose)
          cli: editline
          json: yes
          minigmp: no
          libxtables: no

    uname -rm
        6.10.3-200.fc40.x86_64 x86_64

with

    lspci | grep -i eth
        02:00.0 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)
        03:00.0 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)

    ethtool -k enp3s0 | grep -i offload.*on
        tcp-segmentation-offload: on
        generic-segmentation-offload: on
        generic-receive-offload: on
        rx-vlan-offload: on
        tx-vlan-offload: on
        hw-tc-offload: on

(which, iiuc, is sufficient?)

a test config

    cat test.nft
        #!/usr/local/sbin/nft -f
        table inet filter {
            flowtable f {
                hook ingress priority 0;
                devices = { enp2s0, enp3s0 };
            }
            chain input {
                type filter hook input priority 0;
                policy accept;
            }
            chain forward {
                type filter hook forward priority 1;
                policy drop;
                ct state invalid drop;
                tcp dport { 80, 443 } ct state established flow offload @f;
                ct state { established, related } accept;
                accept;
            }
        }

fails conf check,

    nft -c -f ./test.nft
        ./test.nft:8:12-12: Error: Could not process rule: Operation not supported
        flowtable f {
        ^

otoh, per example @

    https://docs.kernel.org/networking/nf_flowtable.html#hardware-offload

edit

flowtable f {
hook ingress priority 0;
- devices = { enp2s0, enp3s0 };
+ flags offload;
}
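
Review bot: the `-`/`+` pair changes two things at once, dropping `devices = { enp2s0, enp3s0 };` and adding `flags offload;`, so the passing `nft -c` run does not show which of the two cleared the "Operation not supported" error. The flowtable listed after load also has no `devices` line, only `flags offload`. Suggest testing the changes separately: keep the `devices` line, add `flags offload;` beside it, and rerun the check.
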
passes conf check. and after load

    nft list flowtables
        table inet filter {
            flowtable f {
                hook ingress priority filter
                flags offload
            }
        }

what's the correct/current usage for flowtable declaration in hardware offload use case?
as documented @ wiki, or kernel docs?
_seems_ it's kernel docs ...

reading @,

    https://netfilter.org/projects/nftables/files/changes-nftables-1.1.0.txt

i don't find (yet) the change re `flags offload` usage.
what commit introduced it?