Hi,

Driver does not support this.

Not many drivers support this by the time I am writing this. This infrastructure is attracting marginal attention from driver developers / hardware vendors. It is frustrating.

Sorry.

On Thu, Aug 15, 2024 at 12:38:01PM -0400, pgnd wrote:
> ('radio silence' on netfilter@ ML ... trying here)
>
> i'm setting up nftables flowtable for h/w offload, per
>
> 	https://wiki.nftables.org/wiki-nftables/index.php/Flowtables
> 	https://docs.kernel.org/networking/nf_flowtable.html#hardware-offload
> 	https://thermalcircle.de/doku.php?id=blog:linux:flowtables_1_a_netfilter_nftables_fastpath
> 	&
> 	a slew of older posts @ ML ...
>
> on
>
> 	/usr/local/sbin/nft -V
> 		nftables v1.1.0 (Commodore Bullmoose)
> 		  cli:          editline
> 		  json:         yes
> 		  minigmp:      no
> 		  libxtables:   no
>
> 	uname -rm
> 		6.10.3-200.fc40.x86_64 x86_64
>
> with
>
> 	lspci | grep -i eth
> 		02:00.0 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)
> 		03:00.0 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)
>
> 	ethtool -k enp3s0 | grep -i offload.*on
> 		tcp-segmentation-offload: on
> 		generic-segmentation-offload: on
> 		generic-receive-offload: on
> 		rx-vlan-offload: on
> 		tx-vlan-offload: on
> 		hw-tc-offload: on
>
> 	(which, iiuc, is sufficient?)
>
> a test config
>
> 	cat test.nft
> 		#!/usr/local/sbin/nft -f
>
> 		table inet filter {
>
> 			flowtable f {
> 				hook ingress priority 0;
> 				devices = { enp2s0, enp3s0 };
> 			}
>
> 			chain input {
> 				type filter hook input priority 0;
> 				policy accept;
> 			}
>
> 			chain forward {
> 				type filter hook forward priority 1;
> 				policy drop;
>
> 				ct state invalid drop;
>
> 				tcp dport { 80, 443 } ct state established flow offload @f;
>
> 				ct state { established, related } accept;
> 				accept;
> 			}
> 		}
>
> fails conf check,
>
> 	nft -c -f ./test.nft
> 		./test.nft:8:12-12: Error: Could not process rule: Operation not supported
> 		        flowtable f {
> 		                  ^
>
> otoh, per example @
>
> 	https://docs.kernel.org/networking/nf_flowtable.html#hardware-offload
>
> edit
>
> 		flowtable f {
> 			hook ingress priority 0;
> -			devices = { enp2s0, enp3s0 };
> +			flags offload;
> 		}
>
> passes conf check. and after load
>
> 	nft list flowtables
> 		table inet filter {
> 		        flowtable f {
> 		                hook ingress priority filter
> 		                flags offload
> 		        }
> 		}
>
> what's the correct/current usage for flowtable declaration in hardware offload use case?
> as documented @ wiki, or kernel docs?
> _seems_ it's kernel docs ...
>
> reading @,
>
> 	https://netfilter.org/projects/nftables/files/changes-nftables-1.1.0.txt
>
> i don't find (yet) the change re `flags offload` usage.
>
> what commit introduced it?
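
Review bot: the `+ flags offload;` line in the quoted flowtable edit replaces `devices = { enp2s0, enp3s0 };` instead of being added next to it, so the declaration that passes `nft -c` names no interface, as the quoted `nft list flowtables` output confirms. The passing check is therefore not the same test as the failing one; keep the `devices` line and add `flags offload;` alongside it to compare like with like.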