On Mon, Sep 28, 2020 at 09:35:00PM +0000, ѽ҉ᶬḳ℠ wrote:
> Whilst testing NFTables's flow offload on a node with a PPPoE subscriber
> line it turned out that the flow offload happens with the NIC netdev and not
> (as I expected) the virtual PPPoE netdev.
>
> Just for reference this being the NFT config (eth2 being the NIC)
>
> flowtable fte {
>     hook ingress priority -100
>     devices = { eth2 }
>     counter
> }

Could you describe your testbed?

> ip protocol { 6, 17 } flow add @fte;
> ip6 nexthdr { 6, 17 } flow add @fte;

You can consolidate this rule with:

    meta l4proto { tcp, udp } flow add @fte;

You might also want to use the existing protocol definitions, instead of
numeric protocols to make your ruleset more readable.

> Why would the packet filtering have to take place on the PPPoE netdev but
> the flowtable happens with the NIC instead?

What would you like to achieve with the flowtable?