Re: [PATCH nf-next 00/19] netfilter: nftables: dscp modification offload

Hi Florian, Pablo,

CC'ing Pablo because of the non-applicability of ingress chain
solution to our customers.

On Wed, May 3, 2023 at 9:46 PM Florian Westphal <fw@xxxxxxxxx> wrote:
>
> Boris Sukholitko <boris.sukholitko@xxxxxxxxxxxx> wrote:
[... snip to non working offload ...]

> > table inet filter {
> >         flowtable f1 {
> >                 hook ingress priority filter
> >                 devices = { veth0, veth1 }
> >         }
> >
> >         chain forward {
> >                 type filter hook forward priority filter; policy accept;
> >                 ip dscp set cs3 offload
> >                 ip protocol { tcp, udp, gre } flow add @f1
> >                 ct state established,related accept
> >         }
> > }

[...]

>
> I wish you would have reported this before you started to work on
> this, because this is not a bug, this is expected behaviour.
>
> Once you offload, the ruleset is bypassed, this is by design.

From the rules UI perspective it seems possible to accelerate
forward chain handling with the statements such as dscp modification there.

Isn't it better to modify the packets according to the bypassed
ruleset thus making the behaviour more consistent?

> Let's not make the software offload more complex than it already is.

Could you please tell which parts of software offload are too complex?
It's not too bad from what I've seen :)

This patch series adds 56 lines of code in the new nf_conntrack.ext.c
file. 20 of them (nf_flow_offload_apply_payload) are used in
the software fast path. Is it too high of a price?

>
> If you want to apply dscp payload modification, do not use flowtable
> offload or hook those parts at netdev:ingress, it will be called before the
> software offload pipeline.
>

The problem is that our customers need to apply dscp modification in
more complex scenarios, e.g. after NAT.
Therefore I am not sure that ingress chain is enough for them.

Thanks,
Boris.
