Re: [nftables 0.9.2 | kernel 4.19.93] flowtable throws error on deployment (not on check however)

On Wed, Mar 18, 2020 at 04:46:08PM +0000, ѽ҉ᶬḳ℠ wrote:
> Trying to get flowtables to work but hitting a bit of a snag. Whilst nft
> -cf /path/to/conf (strangely) does not produce any error on deployment
> nft -f /path/to/conf it throws this error however:
> 
> Error: Could not process rule: Not supported
> ip protocol tcp flow offload @ft
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 
> table inet filter {
>         flowtable f {
>                 hook ingress priority filter
>                 devices = { pppoe-wan, lan0, lan1, lan2, lan3, lan4, br-lan }
>         }
> 
>         chain input {
>                 type filter hook input priority filter; policy drop;

You can only use the flowtable to accelerate the forwarding path.
Please use the forward hook, i.e.:

          chain forward {
                 type filter hook forward priority filter; policy drop;


