On 6/28/2019 2:06 PM, Florian Westphal wrote:
> wenxu <wenxu@xxxxxxxxx> wrote:
>> ns21 iperf to 10.0.0.8 with dport 22 in ns22
>> first time with OFFLOAD enable
>>
>> nft add flowtable bridge firewall fb2 { hook ingress priority 0 \; devices = { veth21, veth22 } \; }
>> nft add chain bridge firewall ftb-all {type filter hook forward priority 0 \; policy accept \; }
>> nft add rule bridge firewall ftb-all counter ct zone 2 ip protocol tcp flow offload @fb2
>>
>> # iperf -c 10.0.0.8 -p 22 -t 60 -i2
> [..]
>> [ 3] 0.0-60.0 sec 353 GBytes 50.5 Gbits/sec
>>
>> The second time on any offload:
>> # iperf -c 10.0.0.8 -p 22 -t 60 -i2
>> [ 3] 0.0-60.0 sec 271 GBytes 38.8 Gbits/sec
> Wow, this is pretty impressive. Do you have numbers without
> offload and no connection tracking?

There is no other connection on the bridge in zone 2

>
> Is this with CONFIG_RETPOLINE=y (just curious)?

Yes, it is enabled.