@dangowrt can you tell me how i can setup wed with nftables? Or is bridger a hard requirement? I do not plan to bridge wifi devices atm
maybe you can point us to the changes and build-code for bridger
Now you made me think. I thought that I don't need bridger but I am not sure anymore.
Flow offloading happens in situations where flows are actually being tracked, ie. when using NAT/routing. To use WED on a dumb access point requires the bridger package which does a bit of BPF magic to get bridged streams tracked (and hence offloaded).
In my case I have a bridge that includes (lan0-3 and wlan0-1) but I also have some routing configured between that bridge and the WAN interface.
Do I need the bridger in this case to benefit from WED?
How about offloading wlan to lan? That is not routed or through nat. Even there is a nat configured, but it is for wan.
So need to remove wlan from the bridge and forward traffic, in order to get hw-offloading to/from wlan started?
I need wlan in the bridge for 802.11r roaming...
No, or at least not for traffic between WAN and Wi-Fi interfaces. Traffic between LAN and Wi-Fi won't be offloaded without bridger.
Thanks, for now that will be enough for me.
Do you know how I can enable flow table for wlan interface using nftables? If I try to add a wlan interface to my existing flowtable I am getting the following error:
Error: Could not process rule: Operation not supported
Do you mean that wed is not usable with non openwrt linux userspace? Bridger seems to be only compatible with openwrt.
Why it is not similar to wan/lan/ppp offloading?
Did you set the wed_enable=Y module parameter for the mt7915e module?
It very much is. And that's why it depends on connection tracking and flows, just like any PPE forwarding offload function. However, if you just put two interfaces into a bridge on Linux there is no connection tracking on layer-3 whatsoever, thus PPE cannot bind to anything and no offloading will happen.
bridger is a small tool which installs eBPF programs on tc layer on the relevant bridge member interfaces which enables connection tracking on them, hence allowing for bridged flows to be offloaded.
i do not want to bridge wifi and lan...
but i cannot get it working too
root@bpi-r3:~# cat /etc/nftables.conf
#!/usr/sbin/nft -f
define iflan="lanbr0"
define ifinternal={$iflan,"wlan0","wlan1"}
flush ruleset
table inet filter {
    flowtable f {
        hook ingress priority filter
        devices = { lan0, lan1, lan2, lan3, wan }
        #devices = { lan0, lan1, lan2, lan3, wan, wlan0, wlan1 }
        flags offload
    }
    chain input {
        type filter hook input priority filter;policy drop;
        limit rate 5/second icmp type {echo-request, echo-reply} accept comment "limit icmp to 5/s"
        iifname "lo" accept comment "accept loopback"
        iifname $ifinternal accept comment "allow traffic from internal interfaces"
        reject
    }
    chain forward {
        type filter hook forward priority filter;policy drop;
        ct state invalid counter drop comment "early drop of invalid packets"
        ct state established flow offload @f counter
        ct state {established,related} accept comment "allow connections initiated"
    }
    chain output {
        type filter hook output priority filter;
    }
}
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan" masquerade
    }
}
if i enable the line with wlan devices (of course disable the other one) nftables cannot start...i don't get any specific error, only this:
root@bpi-r3:~# nft -f /etc/nftables.conf
/etc/nftables.conf:9:19-19: Error: Could not process rule: Operation not supported
flowtable f {
^
/etc/nftables.conf:25:24-38: Error: Could not process rule: No such file or directory
ct state established flow offload @f counter
^^^^^^^^^^^^^^^
root@bpi-r3:~# cat /sys/module/mt7915e/parameters/wed_enable
Y
root@bpi-r3:~# cat /sys/kernel/debug/mtk_ppe/bind
cat: /sys/kernel/debug/mtk_ppe/bind: No such file or directory
root@bpi-r3:~#
edit: noticed i'm currently running 6.1.50 on that device...i guess need to switch to later kernel...also with 6.5.0 i have same error...
of course i have debugfs mounted...i see entries like wed0 and wed1 there, but no bind
root@bpi-r3:~# ls /sys/kernel/debug/
bdi dynamic_debug mmc0 pwm suspend_stats
block extfrag mtd ras swiotlb
clear_warn_once f2fs opp regmap tracing
clk fault_around_bytes phy regulator ubi
debug_enabled gpio pinctrl sched ubifs
device_component hid pm_genpd sfp-1 usb
devices_deferred ieee80211 ppe0 sfp-2 wakeup_sources
dma_pools iio ppe1 slab wed0
dmaengine memblock psci sleep_time wed1
root@bpi-r3:~# ls /sys/kernel/debug/wed0/
regidx regval rxinfo txinfo
root@bpi-r3:~# ls /sys/kernel/debug/wed1/
regidx regval rxinfo txinfo
see no mtk_ppe (searched for ppe) in menuconfig...
No I did not. I will set it and report back.
In the meantime, can some one explain to me the difference between:
$ cat /sys/module/mt7915e/parameters/wed_enable
N
and
$ zgrep 'WED' /proc/config.gz
CONFIG_NET_MEDIATEK_SOC_WED=y
Why one returns Y and the other returns N?
config.gz says your kernel has the wed driver builtin...the other tells options passed to the wifi driver module
root@bpi-r3:~# cat /etc/modprobe.d/wed.conf
options mt7915e wed_enable=Y
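The three checks done by hand in this thread (kernel config option, mt7915e module parameter, PPE bind table in debugfs) can be collected into one status line. This is an added example, not part of the original posts; the `wed_status` function and the `WED_ROOT` path prefix are hypothetical names used so the script can also be pointed at a copied tree.

```shell
#!/bin/sh
# Added example: summarise the WED/PPE state that the thread checks by hand.
# The optional argument is a path prefix (assumption, for offline use);
# leave it empty to inspect the running system.
wed_status() {
    root="${1:-}"
    cfg="$root/proc/config.gz"
    param="$root/sys/module/mt7915e/parameters/wed_enable"
    dbg="$root/sys/kernel/debug"

    # 1. Kernel build option: is the WED driver compiled into the kernel?
    if [ -r "$cfg" ] && gzip -dc "$cfg" 2>/dev/null |
            grep -q '^CONFIG_NET_MEDIATEK_SOC_WED=y'; then
        kernel=builtin
    else
        kernel=missing
    fi

    # 2. Module parameter: was mt7915e loaded with wed_enable=Y?
    if [ -r "$param" ] && [ "$(cat "$param")" = "Y" ]; then
        module=on
    else
        module=off
    fi

    # 3. PPE bind table: try both debugfs paths quoted in the thread.
    #    debugfs files report size 0, so read the content instead of using -s.
    bind=absent
    for f in "$dbg/mtk_ppe/bind" "$dbg/ppe0/bind"; do
        [ -e "$f" ] || continue
        if [ -n "$(cat "$f" 2>/dev/null)" ]; then bind=flows; else bind=empty; fi
        break
    done

    echo "kernel=$kernel module=$module bind=$bind"
}

wed_status "${WED_ROOT:-}"
```

`bind=absent` corresponds to the missing debugfs entry reported above, and `bind=empty` to an entry that exists but lists no offloaded flows.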
Thanks @frank-w
I enabled the option for kernel module. I can now see
$ cat /sys/module/mt7915e/parameters/wed_enable
Y
However if I try to add a wlan interface to flowtable it fails with the same error as before:
nftables-rules[2565]: /nix/store/ivczmcr22329bbqrvc4cfhf256f7qp2q-nftables-rules:8:14-14: Error: Could not process rule: Operation not supported
nftables-rules[2565]: flowtable f {
nftables-rules[2565]: ^
nftables-rules[2565]: /nix/store/ivczmcr22329bbqrvc4cfhf256f7qp2q-nftables-rules:25:55-69: Error: Could not process rule: No such file or directory
nftables-rules[2565]: ip protocol { tcp, udp } ct state { established } flow offload @f comment "Offload tcp/udp established traffic"
nftables-rules[2565]:
$ uname -a
Linux surfer 6.4.11 #1-NixOS SMP Wed Aug 16 16:32:31 UTC 2023 aarch64 GNU/Linux
Since kernel 5.3 brought the module nf_conntrack_bridge to have conntrack available at the bridge layer, allowing stateful firewalling
If we need the flow to be tracked can nftables conntrack be setup on a bridge as well? Perhaps something like so:
table bridge filter {
chain input {
type filter hook input priority -200; policy accept;
}
chain forward {
type filter hook forward priority -200; policy accept;
}
chain output {
type filter hook output priority -200; policy accept;
}
}
And then adding the fast-path in these rules?
Guess you are not using 802.11r fast transition
I'm still trying to see if we can use wed and bridge, since I really like using 802.11r. It is the first reason I changed to using bananapi routers in the first place. (mwlwifi did not support it at that time and development had halted.)
Not yet...i try to get wed working first without bridges (except the lanbr0) and leaving wlan0/1 as independent interfaces for now...but need to check if flow offload also works when lanports bridged...and if the pppoe offload also works.
Setting up a basic system for replacing my r2 in near futureā¦
But i guess with the option you found we can also use acceleration within bridges.
@frank-w Were you able to get the WED working?
@dangowrt any idea why it complains about operation not supported in my case? WED and beamforming on BPI-R3 - #117 by ghostbuster91
Not yet, i contacted lorenzo to get a hint how to get it working with mainline linux
lorenzo pointed me to this commit i applied on top of my 6.5-main tree:
e2486c27c56f (HEAD -> 6.5-main, origin/6.5-main) wifi: mt76: mt7915 add tc offloading support
after this is added, the nftables rules with wlan0/1 can be applied and i have the debugfs entry (but still empty)...need to complete my wifi-setup for further testing
cat /sys/kernel/debug/ppe0/bind
edit: had to fix some bugs in my setup and now traffic itself works, but debugfs is still empty...i see packets increasing on the forwarding-rule for offload, but nothing shown in "ppe0-bind"
ct state established flow add @f counter packets 1206 bytes 318372
my current nftables:
note: wireless-next (maybe 6.6-rcX) seems to have broken firmware-load and renamed wmac driver (CONFIG_MT7986_WMAC => CONFIG_MT798X_WMAC)
firmware-load is fixed with this: try to fix wed firmware issue #2 · frank-w/BPI-Router-Linux@9a5789f · GitHub
but it looks like ppe does not kick in for wifi-devices...
I assume that nothing has changed since your last message. Do you know if there is any upstream issue for this that we could track?
No nothing changed...made some debug with lorenzo but he was busy in last time and he had the mmc-issue in uboot multiple times...openwrt was working but not vanilla kernel