[FS#4239] flow_offloading_hw doesn't work with nftables (mt7621)

OpenWrt Bugs openwrt-bugs at lists.openwrt.org
Wed Jan 26 00:09:54 PST 2022


The following task has a new comment added:

FS#4239 - flow_offloading_hw doesn't work with nftables (mt7621)
User who did this - amaumene (amaumene)

I've redone my performance test and I can confirm that while the CPU usage is lower with soft offloading, speed is lower as well.
My results are (download only):

  * no offload: 785 Mbits/sec
Average:     CPU    %usr   %nice    %sys %iowait    %irq   %soft  %steal  %guest  %gnice   %idle
Average:     all    0.00    0.00    0.07    0.00    0.00   30.46    0.00    0.00    0.00   69.47
  * soft offload: 730 Mbits/sec
Average:     CPU    %usr   %nice    %sys %iowait    %irq   %soft  %steal  %guest  %gnice   %idle
Average:     all    0.01    0.00    0.18    0.00    0.00   34.13    0.00    0.00    0.00   65.69
  * hw offload: 797 Mbits/sec
Average:     CPU    %usr   %nice    %sys %iowait    %irq   %soft  %steal  %guest  %gnice   %idle
Average:     all    0.00    0.00    0.01    0.00    0.00    0.12    0.00    0.00    0.00   99.87

To enable hw offload manually:

  - enable soft offload in /etc/config/firewall (option flow_offloading '1')
  - restart firewall (/etc/init.d/firewall restart)
  - start our new rules with a flush (echo "flush ruleset" > /tmp/nftables)
  - dump all the current rules (nft -s list ruleset >> /tmp/nftables)
  - edit /tmp/nftables, replacing bridges with actual phy and adding "flags offload;" to flowtable:
 table inet fw4 {
 	flowtable ft {
 		hook ingress priority filter
-		devices = { br-lan, br-wan }
+		devices = { wan, sfp, lan2, lan3, lan4, lan5 }
+		flags offload;
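
Review bot: the added `devices` line hardcodes the port names of the reporter's board (wan, sfp, lan2, lan3, lan4, lan5), so it cannot be copied as-is to another device; build the list from the physical members of the br-lan and br-wan bridges it replaces. A port left out of the list is not attached to the flowtable, so check the list against the bridge membership before applying.
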
  - apply modified rules (nft -f /tmp/nftables)
  - verify (cat /proc/net/nf_conntrack | grep HW_OFF)

Documentation (https://www.kernel.org/doc/html/latest/networking/nf_flowtable.html) says:
Since Linux kernel 5.13, you can add bridge ports to the flowtable. The flowtable infrastructure discovers the topology behind the bridge device. This allows the flowtable to define a fastpath bypass between the bridge ports (represented as eth1 and eth2 in the example figure below) and the gateway device (represented as eth0) in your switch/router.

My understanding is we are missing a patch from upstream to support this, which means currently we need to give the physical devices and not the bridge.
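
The manual steps in the comment above, as an added shell sketch (not part of the original report and not OpenWrt's own firewall code). The function names and the sample dump are constructed for illustration; the flowtable is assumed to contain a `devices` line as in the report, and the rewritten file is validated with `nft -c` before it replaces the live ruleset.

```shell
#!/bin/sh
# Added example. rewrite_flowtable DEVICES reads an `nft -s list ruleset`
# dump on stdin and prints it with the flowtable's device list replaced by
# DEVICES and "flags offload;" added. Rules outside the flowtable that match
# on the bridge names are left untouched.
rewrite_flowtable() {
    awk -v devs="$1" '
        /^[ \t]*flowtable[ \t]/ { in_ft = 1 }
        in_ft && /^[ \t]*devices[ \t]*=/ {
            indent = $0; sub(/devices.*/, "", indent)   # keep original indent
            print indent "devices = { " devs " }"
            print indent "flags offload;"
            next
        }
        in_ft && /^[ \t]*flags[ \t]/ { next }   # already re-emitted above
        in_ft && /^[ \t]*}/ { in_ft = 0 }
        { print }
    '
}

# Constructed sample dump, shaped like the fw4 excerpt in the report.
sample_ruleset() {
    cat <<'EOF'
table inet fw4 {
    flowtable ft {
        hook ingress priority filter
        devices = { br-lan, br-wan }
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        iifname "br-lan" accept
    }
}
EOF
}

# apply_offload DEVICES: dump, rewrite, dry-run, load, then count offloaded
# conntrack entries. Call it by hand on the router; nothing runs on load.
apply_offload() {
    tmp=/tmp/nftables
    { echo "flush ruleset"; nft -s list ruleset | rewrite_flowtable "$1"; } > "$tmp"
    nft -c -f "$tmp" || { echo "check failed, live ruleset unchanged" >&2; return 1; }
    nft -f "$tmp" && grep -c HW_OFF /proc/net/nf_conntrack
}
```

A ruleset loaded this way lives only in the kernel: the next `/etc/init.d/firewall restart` regenerates it from /etc/config/firewall and the manual flowtable edit has to be reapplied.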
