Page MenuHomeVyOS Platform
Create Task
Maniphest T4502

Consider implementing (NAT/other) flow table offload
Open, Requires assessmentPublicFEATURE REQUEST
Actions

Description

SNAT, Use alternative forwarding path via nftables flowtable (fastpath bypass)

                                       userspace process
                                        ^              |
                                        |              |
                                   _____|____     ____\/___
                                  /          \   /         \
                                  |   input   |  |  output  |
                                  \__________/   \_________/
                                       ^               |
                                       |               |
    _________      __________      ---------     _____\/_____
   /         \    /          \     |Routing |   /            \
-->  ingress  ---> prerouting ---> |decision|   | postrouting |--> neigh_xmit
   \_________/    \__________/     ----------   \____________/          ^
     |      ^                          |               ^                |
 flowtable  |                     ____\/___            |                |
     |      |                    /         \           |                |
  __\/___   |                    | forward |------------                |
  |-----|   |                    \_________/                            |
  |-----|   |                 'flow offload' rule                       |
  |-----|   |                   adds entry to                           |
  |_____|   |                     flowtable                             |
     |      |                                                           |
    / \     |                                                           |
   /hit\_no_|                                                           |
   \ ? /                                                                |
    \ /                                                                 |
     |__yes_________________fastpath bypass ____________________________|

Example configuration:

table inet x {
        flowtable f {
                hook ingress priority 0; devices = { eth0, eth1 };
        }
        chain y {
                type filter hook forward priority 0; policy accept;
                ip protocol tcp flow offload @f
                counter packets 0 bytes 0
        }
}

Example NAT

[email protected]:~$ cat nat.nft 
flush ruleset

table ip filter {
	flowtable fastnat {
		hook ingress priority filter
		devices = { eth0, eth1 }
	}

	chain forward {
		type filter hook forward priority filter; policy accept;
		ip protocol { tcp, udp } flow add @fastnat
	}
}
table ip nat {
	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
		ip saddr 192.0.2.0/24 oif "eth0" snat to 192.168.122.14 persistent
	}

	chain PREROUTING {
		type nat hook prerouting priority dstnat; policy accept;
	}
}

https://www.kernel.org/doc/html/v5.10/networking/nf_flowtable.html
https://lwn.net/Articles/738214/
https://blog.fearcat.in/a?ID=01600-b829de09-5dee-4117-afb5-28b005e630a2

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Unspecified (please specify)

Event Timeline

Viacheslav created this task.Jul 1 2022, 2:27 PM
Viacheslav renamed this task from Consider implementing NAT flow table offload to Consider implementing (NAT/other) flow table offload.Jul 2 2022, 1:23 PM
pasik added a subscriber: pasik.Jul 3 2022, 8:34 AM
hard awarded a token.Aug 10 2022, 8:33 PM
hard added a subscriber: hard.
Viacheslav updated the task description. (Show Details)Aug 30 2022, 7:36 AM
Viacheslav updated the task description. (Show Details)Aug 30 2022, 11:46 AM
n.fort added a subscriber: n.fort.Aug 30 2022, 12:52 PM

From kernel 5.13, hardware offload is supported (if nic supports it).
Info: https://www.kernel.org/doc/html/v5.13/networking/nf_flowtable.html#hardware-offload

If possible, it would be great to be able to compare performance:
No flowtable vs soft flowtables offload vs hw flowtable offload

Viacheslav added a comment.Aug 30 2022, 1:34 PM

Required version for offload hardware flag nftables 0.9.9
The current version we use 0.9.8-3.1

hard added a comment.Nov 2 2022, 9:10 AM

on nightly build nftables v1.0.5 and kernel 5.15.76

we can start thinking about how to integrate the parameters into the config structure
list of required parameters are:

  • devices in flowtable
  • offloaded ip protocol in forwarding chain
  • hardware offload flag as n.fort suggests
mpueschel added a subscriber: mpueschel.Nov 2 2022, 9:20 AM
hard added a comment.EditedNov 7 2022, 9:51 AM

i see it like that

nat {
  flowtable NAME {
    hw-offload
    member {
        interface eth1
        interface eth2
      }
    protocols {
      tcp
      udp
      }
    }
}

any suggestions? @Viacheslav @n.fort

hard added a comment.Nov 11 2022, 9:27 AM

or maybe better add this subsection in firewall section?

Viacheslav added a subscriber: sdev.Nov 13 2022, 4:37 PM
ServerForge added a subscriber: ServerForge.Feb 12 2023, 4:00 AM