Flowtable corrupts large TCP packets on BananaPi BPI-R4-PRO-8X

Dears,

Hardware: BananaPi BPI-R4-PRO-8X
SoC: MediaTek MT7988A (Filogic 880), 4x ARM Cortex-A73
OpenWrt: 24.10-SNAPSHOT, kernel 6.6.93, target mediatek/filogic

Symptoms

  • SSH connections to remote hosts fail consistently via router, work fine with direct ISP connection:
> ssh [email protected]
Connection reset by 1.1.1.1 port 22
  • Websites load slowly, stall, or partially load
  • Short HTTP requests work fine; large/long-lived TCP connections break

Root cause

The board ships with /etc/flowtable.conf, a board-specific nftables config that enables hardware-accelerated packet forwarding via the MT7988A flowtable engine:

table inet filter {
    flowtable f {
        hook ingress priority filter + 1;
        devices = { eth0,eth1,eth2,lan0,lan3,mxl_lan0,mxl_lan1,mxl_lan2,mxl_lan3,mxl_lan5 };
        flags offload;
        counter;
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
        meta l4proto { tcp, udp } flow add @f;
    }
}

The flowtable silently truncates large TCP segments in transit. Verified via tcpdump:

# Client sent 1672-byte SSH key exchange packet:
client → server  seq 23:1695  length 1672  [P.]

# Server acknowledged only 1471 bytes — 224 bytes missing:
server → client  ack 1471  length 1120  [P.]

# Client sent next chunk (unaware of gap):
client → server  seq 1695:2903  length 1208  [P.]

# Server received out-of-sequence data → RST:
server → client  RST

224 bytes (bytes 1471–1694) never reached the server despite MTU being 1500 on all hops (tracepath confirmed pmtu 1500 end-to-end).

Both hardware and software offload modes are affected. Removing only flags offload (software flowtable) does not fix the truncation — ruling out the hardware DMA engine specifically and pointing to a bug in the flowtable fastpath itself.

Fix

Remove /etc/flowtable.conf and optionally flush the runtime table without rebooting:

# Permanent fix (survives reboot):
mv /etc/flowtable.conf /etc/flowtable.conf.bak

# Apply immediately without reboot:
nft delete table inet filter 2>/dev/null

Impact of the fix

Slightly reduced forwarding throughput — every packet goes through the full netfilter stack instead of the fastpath. On MT7988A (4x Cortex-A73) this is negligible for 1Gbps routing. Only noticeable if simultaneously saturating multiple 2.5G/10G ports.
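
The tcpdump reasoning in the post above (an ACK that stops part-way through a sent segment, followed by an RST) can be checked mechanically over a text capture. This Python sketch is an added example, not part of the original thread; the function name, the addresses and the capture lines are constructed, with sequence numbers modelled on the post.

```python
import re

# Matches tcpdump's default text output for TCP; seq and ack are optional fields.
LINE = re.compile(
    r"IP6? (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]+)\]"
    r"(?:, seq (?P<start>\d+)(?::(?P<end>\d+))?)?(?:, ack (?P<ack>\d+))?"
)

# Constructed capture: documentation addresses, sequence numbers modelled on the post.
SAMPLE = """\
IP 192.0.2.10.40000 > 198.51.100.5.22: Flags [P.], seq 23:1695, ack 22, win 502, length 1672
IP 198.51.100.5.22 > 192.0.2.10.40000: Flags [P.], seq 22:1142, ack 1471, win 501, length 1120
IP 192.0.2.10.40000 > 198.51.100.5.22: Flags [P.], seq 1695:2903, ack 1142, win 501, length 1208
IP 198.51.100.5.22 > 192.0.2.10.40000: Flags [R], seq 1142, win 0, length 0
"""


def truncated_segments(capture):
    """Find segments on reset flows whose tail the peer never acknowledged."""
    segments, acked, reset = {}, {}, set()
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        fwd, rev = (m["src"], m["dst"]), (m["dst"], m["src"])
        if m["end"]:  # data segment: remember the byte range it carried
            segments.setdefault(fwd, []).append((int(m["start"]), int(m["end"])))
        if m["ack"]:  # an ACK reports progress of the opposite direction
            acked[rev] = max(acked.get(rev, 0), int(m["ack"]))
        if "R" in m["flags"]:  # the RST rejects data sent in the opposite direction
            reset.add(rev)
    findings = []
    for flow in sorted(reset):
        ack = acked.get(flow, 0)
        for start, end in segments.get(flow, []):
            if start < ack < end:  # the peer's ACK stopped part-way through this segment
                findings.append({"flow": flow, "segment": (start, end),
                                 "acked_to": ack, "missing_bytes": end - ack})
    return findings


if __name__ == "__main__":
    for f in truncated_segments(SAMPLE):
        print("%s -> %s: segment %d:%d acked only to %d, %d bytes missing"
              % (*f["flow"], *f["segment"], f["acked_to"], f["missing_bytes"]))
```

An ACK inside a captured segment also occurs when the capturing host uses segmentation offload, so a finding here is a prompt to capture on the far side of the router as well.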

This is because perhaps your “fix” has disabled HW offload.

I haven’t looked closely at nor used 24.x. I didn’t recall seeing “/etc/flowtable.conf” in master-snapshot before the 25.x fork, nor in 25.x. Perhaps a 24.x thing? I would expect firewall/offload to be configured in “/etc/config/firewall”.

For R4 (non Pro), HW offload works well in 25.x release.

1672 bytes looks too much for the MTU, wonder why there is an ack.

24.x from bpi may use the older tagging protocol and different vlan stack. So can you test with lower mtu (e.g. 1490) on the dsa user port?