On 28/09/2020 23:35, ѽ҉ᶬḳ℠ wrote:
Whilst testing NFTables's flow offload on a node with a PPPoE
subscriber line it turned out that the flow offload happens with the
NIC netdev and not (as I expected) the virtual PPPoE netdev.
Just for reference this being the NFT config (eth2 being the NIC)
    flowtable fte {
        hook ingress priority -100
        devices = { eth2 }
        counter
    }
    ip protocol { 6, 17 } flow add @fte;
    ip6 nexthdr { 6, 17 } flow add @fte;
Why would the packet filtering have to take place on the PPPoE netdev
but the flowtable happens with the NIC instead?
Is this perhaps due to:
nft_flow_offload -> NDO hook
utilising the NIC's hardware flow tables? If so, how is the NIC's
flow-table capability transparent to the user? Querying the NIC with
ethtool for 'flow' does not produce anything.