netfilter buglog - Oct 2024 - [Bug 1776] New: No hw offload for flowtables with intel x710

https://bugzilla.netfilter.org/show_bug.cgi?id=1776

            Bug ID: 1776
           Summary: No hw offload for flowtables with intel x710
           Product: nftables
           Version: unspecified
          Hardware: All
                OS: other
            Status: NEW
          Severity: normal
          Priority: P5
         Component: kernel
          Assignee: pablo at netfilter.org
          Reporter: aljutor at gmail.com

Hi.

I would like to report an issue,
For some reason I am unable to use hw offload in flowtables with intel x710.


I have VyOS 1.5-rolling-202410010007 in a Proxmox VM, with Intel X710 SFP+
controller.
nftables v1.0.9 (Old Doc Yak #3)
kernel 6.6.52-vyos

Configuration:
Port 1 is in direct pass through to the VM it serves as WAN port 
Port 2 is splitted in several VF, and one of them is passed to the VyOS, others
are used by the host system and other VM.

vyos at vyos:~$ lspci | grep -E -i --color 'network|ethernet'
01:00.0 Ethernet controller: Intel Corporation Ethernet Controller X710 for
10GbE SFP+ (rev 02)
02:00.0 Ethernet controller: Intel Corporation Ethernet Virtual Function 700
Series (rev 02)

ethtool reports that both nics supports hw offload

vyos at vyos:~$ ethtool -k eth0 | grep hw-tc-offload
hw-tc-offload: on
vyos at vyos:~$ ethtool -k eth1 | grep hw-tc-offload
hw-tc-offload: on

Also, eth1 contains vlan with pppoe session in it schema: 

Interface Description
--------  ------------
eth0      LAN
eth1      XGSPON Module
eth1.20   PPPoE VLAN
pppoe0    PPPoE ISP



Software based offloading works fine, I can see offload in conntrack -L

Also flowtable  in vyos_filter table looks like this (hw offload disabled):
flowtable VYOS_FLOWTABLE_forward-table {
        hook ingress priority filter
        devices = { eth0, eth1 }
        counter
}


But I am unable to enable hardware offloading:

vyos at vyos# set firewall flowtable forward-table offload hardware
[edit]
vyos at vyos# commit
[ firewall ]
Fail to apply firewall Error found on: firewall ipv4 forward filter rule
5         Error message: Could not process rule: Operation not supported
Error found on: firewall ipv6 forward filter rule 5         Error
message: Could not process rule: No such file or directory
[[firewall]] failed
Commit failed
[edit]
vyos at vyos#


There is bug already opened at VyOS bug tracker with some additional info
https://vyos.dev/T6526 but looks like it's a problem with nftables

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20241014/5c17faa7/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1776

aljutor at gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|kernel                      |nft

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20241014/65f36fe6/attachment.html>