[BPI-R3] hardware offloading with flowtables

Hi,

I am trying to get the hw offloading to work using flowtables from nftables. Here is the relevant part of my configuration:

table ip filter {
  # enable flow offloading for better throughput
  flowtable f {
    hook ingress priority 0;
    devices = { wan, br-lan };
  }
  chain input {
    type filter hook input priority 0; policy drop;
    # enable flow offloading for better throughput
    ip protocol { tcp, udp } flow offload @f
    iifname { "br-lan" } accept comment "Allow local network to access the router"
    ...

However, this configuration fails to be applied with the following error:

       > ruleset.conf:5:15-15: Error: Could not process rule: No such file or directory
       >     flowtable f {
       >               ^
       > ruleset.conf:13:28-42: Error: Could not process rule: No such file or directory
       >   ip protocol { tcp, udp } flow offload @f
       >                            ^^^^^^^^^^^^^^^

System info:

Linux surfer 6.4.0 #1-NixOS SMP Sun Jun 25 23:29:58 UTC 2023 aarch64 GNU/Linux
$ lsmod
Module                  Size  Used by
nft_flow_offload       12288  0
nf_flow_table          36864  1 nft_flow_offload
nft_masq               12288  1
nft_ct                 16384  4
nft_chain_nat          12288  2
nf_nat                 49152  2 nft_masq,nft_chain_nat
nf_conntrack          118784  5 nf_nat,nft_flow_offload,nft_ct,nft_masq,nf_flow_table
nf_defrag_ipv6         24576  1 nf_conntrack
nf_defrag_ipv4         12288  1 nf_conntrack
nf_tables             229376  79 nft_flow_offload,nft_ct,nft_masq,nft_chain_nat
libcrc32c              12288  1 nf_tables
nfnetlink              20480  1 nf_tables
crct10dif_ce           12288  1
sch_fq_codel           16384  17
tun                    57344  0
tap                    28672  0
macvlan                28672  0
fuse                  139264  1
mt7915e               159744  0
mt76_connac_lib        65536  1 mt7915e
mt76                   86016  2 mt7915e,mt76_connac_lib
mac80211              561152  3 mt76,mt7915e,mt76_connac_lib
libarc4                12288  1 mac80211
cfg80211              405504  4 mt76,mt7915e,mac80211,mt76_connac_lib

Any idea what could be the reason? Did anyone manage to get this working on either OpenWrt or another Linux distro?

I guess you are missing the inet/ip flowtable options

Shows the module is already loaded.

I’m also quite curious about how to set up offloading… Still have to try.

I found this:

Talking about the interfaces in the bridge, adding the interfaces instead of the bridge…

Edit:

Read here: https://elixir.bootlin.com/linux/v6.4.1/source/Documentation/networking/nf_flowtable.rst#L161

Also checkout the offload flag https://elixir.bootlin.com/linux/v6.4.1/source/Documentation/networking/nf_flowtable.rst#L186

I mean these:

CONFIG_NF_FLOW_TABLE_INET=m
CONFIG_NF_FLOW_TABLE_IPV4=m
CONFIG_NF_FLOW_TABLE_IPV6=m

Only marked the first line to have all options listed

And yes, hw offloading works only on hw interfaces; offloading on a bridge will not work

I see now, that one was marked, you meant all of them. I will check if I have them enabled.

Turns out that these 2 do not exist anymore.

Seems it was replaced by NF_FLOW_TABLE_INET around 5.17

So the question is: can the config be applied with NF_FLOW_TABLE_INET added? AFAIR it can be applied with “wrong” interfaces like bridges, but it simply does not do any hw offloading

Here it says that you need to add the bridge ports.

https://elixir.bootlin.com/linux/v6.4.1/source/Documentation/networking/nf_flowtable.rst#L161

Edit:

Although in the first post, it is added to a

table ip filter {}

But I believe it should be like in the documentation:

table inet x {}

It depends on how you want to define your firewall… inet is ipv4+ipv6 and so statements have to be compatible with both protocols… you can also define an ip(v4) and ipv6 firewall separately (like I have)
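A ruleset that puts the points raised in this thread together (an added example, not from any of the posters): the flowtable lives in a `table inet`, is bound to the physical bridge member ports instead of `br-lan`, carries the `flags offload` option from the linked kernel documentation, and the flow rule sits in the forward chain, which is where the flowtable picks up connections. The port names lan1..lan4 are assumed; the BPI-R3 members of br-lan may differ.

```nft
table inet filter {
  flowtable f {
    hook ingress priority 0;
    # Physical ports only: the bridge device itself is not usable for hw
    # offload, so list the bridge members (see `bridge link show`).
    # lan1..lan4 are assumed names, not taken from the thread.
    devices = { wan, lan1, lan2, lan3, lan4 };
    # Request hardware offload from the port drivers. Needs a kernel with
    # CONFIG_NF_FLOW_TABLE_INET; without this flag the flowtable is only a
    # software fast path.
    flags offload;
  }

  chain forward {
    type filter hook forward priority filter; policy drop;
    # In an inet table use meta l4proto so the rule matches both IPv4 and
    # IPv6 ("ip protocol" would only match IPv4). The kernel only moves
    # established tcp/udp connections into the flowtable.
    meta l4proto { tcp, udp } flow add @f
    ct state established,related accept
    iifname "br-lan" oifname "wan" accept comment "Allow LAN to reach WAN"
  }

  chain input {
    type filter hook input priority filter; policy drop;
    ct state established,related accept
    iifname "br-lan" accept comment "Allow local network to access the router"
  }
}
```

`nft -c -f ruleset.conf` checks the file without applying it; with the flowtable options missing from the kernel it fails in the same way as the first post.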

Hi, thank you both for the answers. I didn’t have time to test it yet as I discovered that there are more modules that have to be enabled in my kernel. I will test that and report with my findings.