nft for bridge.

From: ratheesh kannoth @ 2025-08-18 12:05 UTC
To: Netfilter mailing list
Hi,

inet offload is working fine for me.
++++++++++++++++++++++++
/etc/nftables/inet.nft
table inet x {
	flowtable f {
		hook ingress priority 0
		devices = { eth0, sdp1-0 }
		flags offload;
	}

	chain forward {
		type filter hook forward priority 0; policy accept;
		ct state { established, related } flow add @f
	}
}
++++++++++++++++++
But bridge nft fails. Could you help with the correct configuration? I
have already enabled the config below:
CONFIG_NF_TABLES_BRIDGE=y
CONFIG_NF_CONNTRACK_BRIDGE=y
/etc/nftables/ibridge-raw.nft
--------------
table bridge x {
	flowtable f {
		hook ingress priority 0
		devices = { br0 }
		flags offload;
	}

	chain forward {
		type filter hook forward priority 0; policy accept;
		ct state { established, related } flow add @f
	}
}
~# nft -f /etc/nftables/ipv4-raw.nft
/etc/nftables/ipv4-raw.nft:7:16-16: Error: Could not process rule: No
such file or directory
flowtable f {
^
/etc/nftables/ipv4-raw.nft:15:43-53: Error: Could not process rule: No
such file or directory
ct state { established, related } flow add @f
^^^^^^^^^^^
Re: nft for bridge.

From: Pablo Neira Ayuso @ 2025-08-18 14:20 UTC
To: ratheesh kannoth; +Cc: Netfilter mailing list

On Mon, Aug 18, 2025 at 05:35:49PM +0530, ratheesh kannoth wrote:
> Hi,
>
> inet offload is working fine for me.
> ++++++++++++++++++++++++
> /etc/nftables/inet.nft
>
> table inet x {
>
> 	flowtable f {
> 		hook ingress priority 0
> 		devices = { eth0, sdp1-0 }
> 		flags offload;
> 	}
>
> 	chain forward {
> 		type filter hook forward priority 0; policy accept;
> 		ct state { established, related } flow add @f
> 	}
> }
> ++++++++++++++++++
> But bridge nft fails. Could you help with the correct configuration? I
> have already enabled the config below:
> CONFIG_NF_TABLES_BRIDGE=y
> CONFIG_NF_CONNTRACK_BRIDGE=y
>
>
> /etc/nftables/ibridge-raw.nft
> --------------
> table bridge x {
>
> 	flowtable f {
> 		hook ingress priority 0
> 		devices = { br0 }
> 		flags offload;
> 	}
>
> 	chain forward {
> 		type filter hook forward priority 0; policy accept;
> 		ct state { established, related } flow add @f
> 	}
> }
> ~# nft -f /etc/nftables/ipv4-raw.nft
> /etc/nftables/ipv4-raw.nft:7:16-16: Error: Could not process rule: No
> such file or directory
> flowtable f {
>             ^
> /etc/nftables/ipv4-raw.nft:15:43-53: Error: Could not process rule: No
> such file or directory
> ct state { established, related } flow add @f
>                                   ^^^^^^^^^^^

No flowtable support for the bridge family yet, sorry.
Re: nft for bridge.

From: ratheesh kannoth @ 2025-10-05 7:03 UTC
To: Pablo Neira Ayuso; +Cc: Netfilter mailing list

On Mon, Aug 18, 2025 at 7:50 PM Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> No flowtable support for the bridge family yet, sorry.

Thanks. For a routed flow, in the Openvswitch case it pushes the original
and reply direction with the same cookie. But in the nft case, it pushes the
original direction tuple twice. Is this expected? Or is this issue fixed in
the latest kernel or nft?

My nft version: nftables v1.1.5 (Commodore Bullmoose #6)
My kernel: kernel 6.6

ADD cookie=18446462603462596360 (00:00:00:00:00:00, 192.168.11.200:30443) to (00:00:00:00:00:00, 192.168.9.100:35091) IPv4 TCP
ADD cookie=18446462603462596360 (00:00:00:00:00:00, 192.168.11.200:30443) to (00:00:00:00:00:00, 192.168.9.100:35091) IPv4 TCP
Re: nft for bridge.

From: Florian Westphal @ 2025-10-05 11:45 UTC
To: ratheesh kannoth; +Cc: Pablo Neira Ayuso, Netfilter mailing list

ratheesh kannoth <ratheesh.ksz@gmail.com> wrote:
> On Mon, Aug 18, 2025 at 7:50 PM Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > No flowtable support for the bridge family yet, sorry.
> Thanks. For a routed flow, in the Openvswitch case it pushes the original
> and reply direction with the same cookie. But in the nft case, it pushes the
> original direction tuple twice. Is this expected? Or is this issue fixed in
> the latest kernel or nft?

You will need to figure that out yourself. Most of us are volunteers.

> My nft version: nftables v1.1.5 (Commodore Bullmoose #6)
> My kernel: kernel 6.6
>
> ADD cookie=18446462603462596360 (00:00:00:00:00:00, 192.168.11.200:30443) to (00:00:00:00:00:00, 192.168.9.100:35091) IPv4 TCP
> ADD cookie=18446462603462596360 (00:00:00:00:00:00, 192.168.11.200:30443) to (00:00:00:00:00:00, 192.168.9.100:35091) IPv4 TCP

I don't even know where these messages come from.
Re: nft for bridge.

From: ratheesh kannoth @ 2025-10-05 12:26 UTC
To: Florian Westphal, Pablo Neira Ayuso; +Cc: Netfilter mailing list

On Sun, Oct 5, 2025 at 5:15 PM Florian Westphal <fw@strlen.de> wrote:
> You will need to figure that out yourself. Most of us are volunteers.
Ok.

> > My nft version: nftables v1.1.5 (Commodore Bullmoose #6)
> > My kernel: kernel 6.6
> >
> > ADD cookie=18446462603462596360 (00:00:00:00:00:00, 192.168.11.200:30443) to (00:00:00:00:00:00, 192.168.9.100:35091) IPv4 TCP
> > ADD cookie=18446462603462596360 (00:00:00:00:00:00, 192.168.11.200:30443) to (00:00:00:00:00:00, 192.168.9.100:35091) IPv4 TCP
>
> I don't even know where these messages come from.
Sorry. This is a debug print added in my function xxxx() to print
flow tuple information.

.ndo_setup_tc()
 |
 |
 case TC_SETUP_FT:
     return flow_block_cb_setup_simple(type_data, &my_cb_list,
                                       my_setup_ft_block_ingress_cb,
                                       priv, priv, true);
 |
 |
 |
 my_setup_ft_block_ingress_cb() {
     struct flow_cls_offload *cls = type_data;

     switch (cls->command) {
     case FLOW_CLS_REPLACE:
         return xxxx(nic, cls);
     }
 }
 |
 |
 |
 xxxx() {
     // parsing flow here
     if (flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_ETH_ADDRS)) {
         struct flow_match_eth_addrs match;

         // debug prints are here to print MAC address
         flow_rule_match_eth_addrs(rule, &match);
     }
     if (flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_IPV4_ADDRS)) {
         struct flow_match_ipv4_addrs match;

         // debug prints are here to print IP address.
         flow_rule_match_ipv4_addrs(rule, &match);
     }
 }
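The question earlier in this thread (the original-direction tuple arriving twice with the same cookie) and the TC_SETUP_FT callback sketched above both come down to what a driver should expect from one offloaded connection: two FLOW_CLS_REPLACE requests, one per direction, each carrying its own cookie. The following is an added user-space model of that contract, written for this page; it is not kernel code and not the poster's driver. The struct and enum names (`flow`, `cls_offload`, `drv`, `DIR_ORIGINAL`/`DIR_REPLY`) and the `IP4` macro are simplified stand-ins chosen here. It derives the reply tuple from the original, emits the two requests, and shows a callback that counts a repeated cookie or a repeated tuple instead of installing it twice, which is the bookkeeping that separates a duplicate coming from the core from one produced by the driver's own handling.

```c
/* Added example (user-space model, not kernel code): a flowtable pushes one
 * connection to a driver as two FLOW_CLS_REPLACE commands, one per direction,
 * and a driver's TC_SETUP_FT callback can spot a duplicate push. Struct and
 * enum names are simplified stand-ins for flow_offload / flow_cls_offload. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define IP4(a, b, c, d) \
    ((uint32_t)(a) << 24 | (uint32_t)(b) << 16 | (uint32_t)(c) << 8 | (uint32_t)(d))

enum flow_dir { DIR_ORIGINAL = 0, DIR_REPLY = 1 };
enum cls_cmd { CLS_REPLACE, CLS_DESTROY };

struct tuple {
    uint32_t src_ip, dst_ip;      /* host byte order, for readability */
    uint16_t src_port, dst_port;
    uint8_t proto;                /* 6 = TCP */
};

/* One tuple per direction, like the kernel's flow_offload.tuplehash[] */
struct flow {
    struct tuple tuplehash[2];
};

struct cls_offload {
    enum cls_cmd cmd;
    unsigned long cookie;
    struct tuple match;
};

static bool tuple_eq(const struct tuple *a, const struct tuple *b)
{
    return a->src_ip == b->src_ip && a->dst_ip == b->dst_ip &&
           a->src_port == b->src_port && a->dst_port == b->dst_port &&
           a->proto == b->proto;
}

/* Derive both directions from the original 5-tuple: the reply direction is
 * the original with addresses and ports swapped. */
void flow_init(struct flow *f, const struct tuple *orig)
{
    f->tuplehash[DIR_ORIGINAL] = *orig;
    f->tuplehash[DIR_REPLY] = (struct tuple){
        .src_ip = orig->dst_ip,     .dst_ip = orig->src_ip,
        .src_port = orig->dst_port, .dst_port = orig->src_port,
        .proto = orig->proto,
    };
}

/* What the flowtable core hands the driver: one REPLACE per direction. The
 * cookie here is the address of that direction's tuple (the same choice the
 * kernel's flow table offload makes), so the two halves of one flow carry
 * different cookies and distinct, mirrored matches. */
int flow_offload_push(const struct flow *f, struct cls_offload out[2])
{
    for (int dir = DIR_ORIGINAL; dir <= DIR_REPLY; dir++) {
        out[dir].cmd = CLS_REPLACE;
        out[dir].cookie = (unsigned long)&f->tuplehash[dir];
        out[dir].match = f->tuplehash[dir];
    }
    return 2;
}

/* Driver side: installed entries plus counters for the two anomalies a real
 * callback should log rather than silently install. */
#define MAX_ENTRIES 16
struct drv {
    struct cls_offload ent[MAX_ENTRIES];
    int n;
    int dup_cookie;   /* REPLACE for a cookie that is already live */
    int dup_tuple;    /* REPLACE with a match already installed under another cookie */
};

/* Model of FLOW_CLS_REPLACE / FLOW_CLS_DESTROY handling in a TC_SETUP_FT block
 * callback. Returns 0 on success, -1 when the request is rejected. */
int drv_ft_cb(struct drv *d, const struct cls_offload *cls)
{
    for (int i = 0; i < d->n; i++) {
        if (d->ent[i].cookie == cls->cookie) {
            if (cls->cmd == CLS_DESTROY) {
                d->ent[i] = d->ent[--d->n];     /* remove, keep the array dense */
                return 0;
            }
            d->dup_cookie++;
            return -1;
        }
        if (cls->cmd == CLS_REPLACE && tuple_eq(&d->ent[i].match, &cls->match)) {
            d->dup_tuple++;
            return -1;
        }
    }
    if (cls->cmd == CLS_DESTROY || d->n == MAX_ENTRIES)
        return -1;                              /* unknown cookie, or table full */
    d->ent[d->n++] = *cls;
    return 0;
}

/* Constructed sample flow using the addresses from the thread's debug output.
 * Returns the number of entries the driver holds afterwards (expected: 2). */
int demo(void)
{
    struct tuple orig = { IP4(192, 168, 11, 200), IP4(192, 168, 9, 100), 30443, 35091, 6 };
    struct flow f;
    struct cls_offload cls[2];
    struct drv d = { .n = 0 };

    flow_init(&f, &orig);
    flow_offload_push(&f, cls);
    for (int i = 0; i < 2; i++)
        drv_ft_cb(&d, &cls[i]);
    /* A second push of the original direction, as in the log above, is
     * rejected and counted instead of being installed twice. */
    drv_ft_cb(&d, &cls[DIR_ORIGINAL]);
    return d.n;
}

int main(void)
{
    printf("installed entries: %d\n", demo());
    return 0;
}
```

In a real driver the equivalent of `dup_cookie` and `dup_tuple` would be a counter or a rate-limited log line in the FLOW_CLS_REPLACE path; if the second ADD in the thread's output increments `dup_cookie`, the repeat is arriving from the core with an identical cookie, and if it increments `dup_tuple` the driver is seeing two different cookies for the same match.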
Re: nft for bridge.

From: Pablo Neira Ayuso @ 2025-10-06 10:03 UTC
To: ratheesh kannoth; +Cc: Florian Westphal, Netfilter mailing list

On Sun, Oct 05, 2025 at 05:56:06PM +0530, ratheesh kannoth wrote:
> On Sun, Oct 5, 2025 at 5:15 PM Florian Westphal <fw@strlen.de> wrote:
> > You will need to figure that out yourself. Most of us are volunteers.
> Ok.
>
> > > My nft version: nftables v1.1.5 (Commodore Bullmoose #6)
> > > My kernel: kernel 6.6
> > >
> > > ADD cookie=18446462603462596360 (00:00:00:00:00:00, 192.168.11.200:30443) to (00:00:00:00:00:00, 192.168.9.100:35091) IPv4 TCP
> > > ADD cookie=18446462603462596360 (00:00:00:00:00:00, 192.168.11.200:30443) to (00:00:00:00:00:00, 192.168.9.100:35091) IPv4 TCP
> >
> > I don't even know where these messages come from.
> Sorry. This is a debug print added in my function xxxx() to print
> flow tuple information.
>
> .ndo_setup_tc()

This is a hardware offload trace. What are you trying to do there?

>  |
>  |
>  case TC_SETUP_FT:
>      return flow_block_cb_setup_simple(type_data, &my_cb_list,
>                                        my_setup_ft_block_ingress_cb,
>                                        priv, priv, true);
>  |
>  |
>  |
>  my_setup_ft_block_ingress_cb() {
>      struct flow_cls_offload *cls = type_data;
>
>      switch (cls->command) {
>      case FLOW_CLS_REPLACE:
>          return xxxx(nic, cls);
>      }
>  }
>  |
>  |
>  |
>  xxxx() {
>      // parsing flow here
>      if (flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_ETH_ADDRS)) {
>          struct flow_match_eth_addrs match;
>
>          // debug prints are here to print MAC address
>          flow_rule_match_eth_addrs(rule, &match);
>      }
>      if (flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_IPV4_ADDRS)) {
>          struct flow_match_ipv4_addrs match;
>
>          // debug prints are here to print IP address.
>          flow_rule_match_ipv4_addrs(rule, &match);
>      }
>  }