* nftables offload doesn't seem to work
@ 2020-03-01 23:11 Patrick McLean
  2020-03-01 23:15 ` Patrick McLean
  0 siblings, 1 reply; 3+ messages in thread
From: Patrick McLean @ 2020-03-01 23:11 UTC (permalink / raw)
  To: netfilter

Hi,

I am trying to test the nftables offload support, as described in
https://lwn.net/Articles/810663/

When I try to load the rules, or check a rules file, nft errors out, it
appears that it does not understand "flags offload;":

# nft --check --file test.nft
test.nft:6:51-55: Error: syntax error, unexpected flags
                type filter hook ingress device if0 priority 0; flags offload;

Here is the contents of the file I am trying to load:

table netdev filter_test {
    chain ingress {
        type filter hook ingress device eth0 priority 0; flags offload;

        192.168.0.10 tcp dport 22 drop
    }
}

I am using the 5.4.22 kernel with nftables 0.9.3, the hardware is mlx5:

# ethtool --driver eth0
driver: mlx5_core
version: 5.0-0
firmware-version: 16.23.1020 (MT_0000000012)
expansion-rom-version:
bus-info: 0000:61:00.0
supports-statistics: yes
supports-test: yes
supports-eeprom-access: no
supports-register-dump: no
supports-priv-flags: yes

lspci reports it as:
61:00.0 Ethernet controller: Mellanox Technologies MT27800 Family [ConnectX-5]


* Re: nftables offload doesn't seem to work
  2020-03-01 23:11 nftables offload doesn't seem to work Patrick McLean
@ 2020-03-01 23:15 ` Patrick McLean
  2020-03-03 13:36   ` Pablo Neira Ayuso
  0 siblings, 1 reply; 3+ messages in thread
From: Patrick McLean @ 2020-03-01 23:15 UTC (permalink / raw)
  To: netfilter

On Sun, 1 Mar 2020 15:11:48 -0800
Patrick McLean <chutzpah@gentoo.org> wrote:

> Hi,
> 
> I am trying to test the nftables offload support, as described in
> https://lwn.net/Articles/810663/
> 
> When I try to load the rules, or check a rules file, nft errors out, it
> appears that it does not understand "flags offload;":
> 
> # nft --check --file test.nft
> test.nft:6:51-55: Error: syntax error, unexpected flags
>                 type filter hook ingress device if0 priority 0; flags offload;
> 
> Here is the contents of the file I am trying to load:
> 
> table netdev filter_test {
>     chain ingress {
>         type filter hook ingress device eth0 priority 0; flags offload;
> 
>         192.168.0.10 tcp dport 22 drop
Oops, copy/paste error, this line is:
ip daddr 192.168.0.10 tcp dport 22 drop
>     }
> }
> 
> I am using the 5.4.22 kernel with nftables 0.9.3, the hardware is mlx5:
> 
> # ethtool --driver eth0
> driver: mlx5_core
> version: 5.0-0
> firmware-version: 16.23.1020 (MT_0000000012)
> expansion-rom-version:
> bus-info: 0000:61:00.0
> supports-statistics: yes
> supports-test: yes
> supports-eeprom-access: no
> supports-register-dump: no
> supports-priv-flags: yes
> 
> lspci reports it as:
> 61:00.0 Ethernet controller: Mellanox Technologies MT27800 Family [ConnectX-5]



* Re: nftables offload doesn't seem to work
  2020-03-01 23:15 ` Patrick McLean
@ 2020-03-03 13:36   ` Pablo Neira Ayuso
  0 siblings, 0 replies; 3+ messages in thread
From: Pablo Neira Ayuso @ 2020-03-03 13:36 UTC (permalink / raw)
  To: Patrick McLean; +Cc: netfilter

On Sun, Mar 01, 2020 at 03:15:04PM -0800, Patrick McLean wrote:
> On Sun, 1 Mar 2020 15:11:48 -0800
> Patrick McLean <chutzpah@gentoo.org> wrote:
> 
> > Hi,
> > 
> > I am trying to test the nftables offload support, as described in
> > https://lwn.net/Articles/810663/
> > 
> > When I try to load the rules, or check a rules file, nft errors out, it
> > appears that it does not understand "flags offload;":
> > 
> > # nft --check --file test.nft
> > test.nft:6:51-55: Error: syntax error, unexpected flags
> >                 type filter hook ingress device if0 priority 0; flags offload;
> > 
> > Here is the contents of the file I am trying to load:
> > 
> > table netdev filter_test {
> >     chain ingress {
> >         type filter hook ingress device eth0 priority 0; flags offload;
> > 
> >         192.168.0.10 tcp dport 22 drop
> Oops, copy/paste error, this line is:
> ip daddr 192.168.0.10 tcp dport 22 drop
> >     }
> > }
> > 
> > I am using the 5.4.22 kernel with nftables 0.9.3

You have to use a nftables snapshot from git.netfilter.org.

Please, remember to invoke ethtool first:

        ethtool -K eth0 hw-tc-offload on

I'm planning to explore a way to make this transparent to the user, so
the offload flag implicitly turns on this toggle, so users do not have
to invoke ethtool and the 'flags offload' becomes sufficient to turn
on hardware offload.

Please, note that basechain priorities are restricted to 1 to
USHRT_MAX.

        type filter hook ingress device eth0 priority 1; flags offload;
                                                      ^

Such basechain priority limitation might be removed in the future,
however, that will require cooperation from network driver
maintainers.
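
A pre-flight check for two of the requirements named in the reply above (basechain priority within 1 to USHRT_MAX, and hw-tc-offload switched on), as an added example that is not part of the original thread. The function names are hypothetical, and the lint assumes `flags offload` sits on the same line as `priority`, as in the ruleset posted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): lint a ruleset before loading it with
# "flags offload". Function names are hypothetical.

# List every "flags offload" basechain line whose priority is not a plain
# number in 1..65535 (USHRT_MAX). Reads the file given as $1, or stdin.
# Returns 1 if any offending line was found. Named priorities are flagged
# too, because only numeric values are evaluated here.
lint_offload_priority() {
    awk '
        BEGIN { bad = 0 }
        /flags[ \t]+offload/ {
            prio = ""
            n = split($0, w, /[ \t;]+/)
            for (i = 1; i < n; i++)
                if (w[i] == "priority") prio = w[i + 1]
            if (prio !~ /^[0-9]+$/ || prio + 0 < 1 || prio + 0 > 65535) {
                printf "line %d: priority \"%s\" not in 1..65535\n", NR, prio
                bad = 1
            }
        }
        END { exit bad }
    ' "$@"
}

# Read `ethtool -k DEV` output on stdin and succeed only when the
# hw-tc-offload feature is reported as "on".
hw_tc_offload_on() {
    awk -F': *' '
        $1 ~ /^[ \t]*hw-tc-offload$/ { state = $2 }
        END { exit !(state ~ /^on/) }
    '
}

# Demo on the two chain definitions quoted in the thread (priority 0, then 1).
lint_offload_priority <<'EOF' || echo "fix the priorities listed above"
        type filter hook ingress device eth0 priority 0; flags offload;
        type filter hook ingress device eth0 priority 1; flags offload;
EOF

# On the real host (eth0 as in the thread), enable the toggle only if needed:
#   ethtool -k eth0 | hw_tc_offload_on || ethtool -K eth0 hw-tc-offload on
```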
