[nftables 0.9.2 | kernel 4.19.93] flowtable throws error on deployment (not on check however)

ѽ҉ᶬḳ℠ <vtol@xxxxxxx> · Wed, 18 Mar 2020 16:46:08 +0000



Trying to get flowtables to work but hitting a bit of a snag. Whilst nft
-cf /path/to/conf (strangely) does not produce any error on deployment
nft -f /path/to/conf it throws this error however:

Error: Could not process rule: Not supported
ip protocol tcp flow offload @ft
^^^^^^^^^^^^^^^^^^^^^^^^^^^^

table inet filter {
        flowtable f {
                hook ingress priority filter
                devices = { pppoe-wan, lan0, lan1, lan2, lan3, lan4,
br-lan }
        }

        chain input {
                type filter hook input priority filter; policy drop;
                ip protocol tcp flow offload @f
                ct state established,related accept
                ct state invalid drop
        }
}

_________

kernel conf

CONFIG_NFT_FLOW_OFFLOAD=m
CONFIG_NF_FLOW_TABLE_INET=m
CONFIG_NF_FLOW_TABLE=m
CONFIG_NF_FLOW_TABLE_HW=m
CONFIG_NETFILTER_XT_TARGET_FLOWOFFLOAD=m
CONFIG_NF_FLOW_TABLE_IPV4=m
CONFIG_NF_FLOW_TABLE_IPV6=m
CONFIG_NET_CLS_FLOW=m
CONFIG_NET_CLS_FLOWER=m
CONFIG_NET_FLOW_LIMIT=y

_________

lsmod | grep flow

cls_flow               20480  0
nf_conntrack           81920 44
nf_nat_pptp,nf_conntrack_pptp,xt_state,xt_nat,xt_helper,xt_conntrack,xt_connmark,xt_connlimit,xt_connbytes,xt_REDIRECT,xt_CT,nft_redir_ipv6,nft_redir_ipv4,nft_redir,nft_nat,nft_masq_ipv6,nft_masq_ipv4,nft_masq,nft_flow_offload,nft_ct,nf_nat_tftp,nf_nat_snmp_basic,nf_nat_sip,nf_nat_irc,nf_nat_ipv6,nf_nat_ipv4,nf_nat_h323,nf_nat_ftp,nf_nat_amanda,nf_nat,nf_flow_table,nf_conntrack_tftp,nf_conntrack_snmp,nf_conntrack_sip,nf_conntrack_proto_gre,nf_conntrack_netlink,nf_conntrack_irc,nf_conntrack_h323,nf_conntrack_ftp,nf_conntrack_broadcast,nf_conntrack_amanda,nf_conncount,sch_cake,nf_conntrack_rtcache
nf_flow_table          24576  6
nf_flow_table_ipv6,nf_flow_table_ipv4,nf_flow_table_inet,xt_FLOWOFFLOAD,nft_flow_offload,nf_flow_table_hw
nf_flow_table_hw       16384  1
nf_flow_table_inet     16384  0
nf_flow_table_ipv4     16384  0
nf_flow_table_ipv6     16384  0
nf_tables              98304 32
nft_fib_inet,nf_flow_table_ipv6,nf_flow_table_ipv4,nf_flow_table_inet,nft_reject_ipv6,nft_reject_ipv4,nft_reject_inet,nft_reject_bridge,nft_reject,nft_redir_ipv6,nft_redir_ipv4,nft_redir,nft_quota,nft_numgen,nft_nat,nft_masq_ipv6,nft_masq_ipv4,nft_masq,nft_log,nft_limit,nft_fwd_netdev,nft_flow_offload,nft_fib_ipv6,nft_fib_ipv4,nft_fib,nft_dup_netdev,nft_ct,nft_counter,nft_chain_route_ipv6,nft_chain_route_ipv4,nft_chain_nat_ipv6,nft_chain_nat_ipv4
nft_flow_offload       16384  0