On 20/05/2020 15:33, Pablo Neira Ayuso wrote: > #1 Drivers calling flow_action_hw_stats_check() fall within the > second branch (check_allow_bit is set on). > > } else if (check_allow_bit && <------ HERE > > These drivers are not honoring the _DONT_CARE bit, > __flow_action_hw_stats_check() with check_allow_bit set on does not > honor the _DONT_CARE bit. I don't understand. There isn't a _DONT_CARE bit; _DONT_CARE isa bitmask of *all* the bits: BIT(FLOW_ACTION_HW_STATS_NUM_BITS) - 1. So if allow_bit < FLOW_ACTION_HW_STATS_NUM_BITS, then BIT(allow_bit) & FLOW_ACTION_HW_STATS_DONT_CARE is nonzero, and thus the function returns true. > #2 Your patch needs to update Netfilter to set hw_stats to > FLOW_ACTION_HW_STATS_DONT_CARE explicitly. Ahh, naïvely I had assumed that you would have done that in the patch that added _DONT_CARE; I should have checked that. Will fix that for the next version. Thank you for being specific. And you'll be pleased to know that I've managed to bodge a working nft binary onto my test system, so hopefully I'll be able to test with netfilter offload. Am I right in thinking that an ingress chain on the netdev table is the thing I want? -ed
