Fails to enable flowtable offload with zone-based-firewall at VyOS 1.5 rolling 2026.03.09-0026

Hi, VyOS community,

I’m a newbie, and I’m trying to configure a flowtable with zone-based firewall.
My questions are

  • Is this a configuration issue on my side?
  • Could this be a bug related to flowtable + zone-based firewall?
  • Are there additional checks or requirements for using action offload?

Version info is below:

vyos@vyos:~$ show version 
Version:          VyOS 2026.03.09-0026-rolling
Release train:    current
Release flavor:   generic

Built by:         autobuild@vyos.net
Built on:         Mon 09 Mar 2026 00:27 UTC
Build UUID:       834eecd2-208b-4429-9371-eb3d2b2a473a
Build commit ID:  fbdce6466748fd

Architecture:     x86_64
Boot via:         installed image
System type:      bare metal
Secure Boot:      disabled

Hardware vendor:  Dell Inc.
Hardware model:   OptiPlex 3070
Hardware S/N:     *******
Hardware UUID:    ********-****-****-****-************

Copyright:        VyOS maintainers and contributors

lspci

vyos@vyos:~$ lspci
00:00.0 Host bridge: Intel Corporation 8th Gen Core Processor Host Bridge/DRAM Registers (rev 07)
00:01.0 PCI bridge: Intel Corporation 6th-10th Gen Core Processor PCIe Controller (x16) (rev 07)
00:02.0 VGA compatible controller: Intel Corporation CoffeeLake-S GT2 [UHD Graphics 630]
00:08.0 System peripheral: Intel Corporation Xeon E3-1200 v5/v6 / E3-1500 v5 / 6th/7th/8th Gen Core Processor Gaussian Mixture Model
00:12.0 Signal processing controller: Intel Corporation Cannon Lake PCH Thermal Controller (rev 10)
00:14.0 USB controller: Intel Corporation Cannon Lake PCH USB 3.1 xHCI Host Controller (rev 10)
00:14.2 RAM memory: Intel Corporation Cannon Lake PCH Shared SRAM (rev 10)
00:16.0 Communication controller: Intel Corporation Cannon Lake PCH HECI Controller (rev 10)
00:17.0 SATA controller: Intel Corporation Cannon Lake PCH SATA AHCI Controller (rev 10)
00:1c.0 PCI bridge: Intel Corporation Cannon Lake PCH PCI Express Root Port #5 (rev f0)
00:1f.0 ISA bridge: Intel Corporation H370 Chipset LPC/eSPI Controller (rev 10)
00:1f.3 Audio device: Intel Corporation Cannon Lake PCH cAVS (rev 10)
00:1f.4 SMBus: Intel Corporation Cannon Lake PCH SMBus Controller (rev 10)
00:1f.5 Serial bus controller: Intel Corporation Cannon Lake PCH SPI Controller (rev 10)
01:00.0 Ethernet controller: Mellanox Technologies MT27710 Family [ConnectX-4 Lx]
01:00.1 Ethernet controller: Mellanox Technologies MT27710 Family [ConnectX-4 Lx]
02:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 15)
vyos@vyos:~$ 

Below are the steps I followed in my configuration:

  1. Configure the flowtable.
    set firewall flowtable FT interface 'eth0'
    set firewall flowtable FT interface 'eth1'
    set firewall flowtable FT interface 'pppoe0'
    set firewall flowtable FT offload 'software'

  2. Define the zone-based firewall rules.
    *At this stage, I mistakenly assumed that the offload rule should use action accept.
    set firewall ipv4 name Any-WAN-v4 default-action 'accept'
    set firewall ipv4 name Any-WAN-v4 rule 10 action 'accept'
    set firewall ipv4 name Any-WAN-v4 rule 10 offload-target 'FT'
    set firewall ipv4 name Any-WAN-v4 rule 10 state 'established'
    set firewall ipv4 name Any-WAN-v4 rule 10 state 'related'
    set firewall ipv4 name Any-WAN-v4 rule 20 action 'accept'
    set firewall ipv4 name Any-WAN-v4 rule 20 state 'established'
    set firewall ipv4 name Any-WAN-v4 rule 20 state 'related'
    set firewall ipv4 name Any-WAN-v4 rule 30 action 'drop'
    set firewall ipv4 name Any-WAN-v4 rule 30 state 'invalid'
    (Similar rules are defined for other IPv4/IPv6 chains.)

  3. Apply the zone-based firewall rules.
    set firewall zone private default-action 'drop'
    set firewall zone private from vyos firewall ipv6-name 'VYOS-Any-v6'
    set firewall zone private from vyos firewall name 'VYOS-Private-v4'
    set firewall zone private from wan firewall ipv6-name 'WAN-Any-v6'
    set firewall zone private from wan firewall name 'WAN-Any-v4'
    set firewall zone private member interface 'eth1'
    set firewall zone server-local default-action 'drop'
    set firewall zone server-local from vyos firewall ipv6-name 'VYOS-Any-v6'
    set firewall zone server-local from wan firewall ipv6-name 'WAN-Any-v6'
    set firewall zone server-local from wan firewall name 'WAN-Any-v4'
    set firewall zone server-local member interface 'eth1.10'
    set firewall zone vyos default-action 'drop'
    set firewall zone vyos from private firewall ipv6-name 'Private-Any-v6'
    set firewall zone vyos from private firewall name 'Private-Any-v4'
    set firewall zone vyos from wan firewall ipv6-name 'WAN-VYOS-v6'
    set firewall zone vyos from wan firewall name 'WAN-Any-v4'
    set firewall zone vyos local-zone
    set firewall zone wan default-action 'drop'
    set firewall zone wan from private firewall ipv6-name 'Any-WAN-v6'
    set firewall zone wan from private firewall name 'Any-WAN-v4'
    set firewall zone wan from server-local firewall ipv6-name 'Any-WAN-v6'
    set firewall zone wan from server-local firewall name 'Any-WAN-v4'
    set firewall zone wan from vyos firewall ipv6-name 'Any-WAN-v6'
    set firewall zone wan from vyos firewall name 'Any-WAN-v4'
    set firewall zone wan member interface 'pppoe0'
    set firewall zone wan member interface 'eth0'

At this point, I attempted to change rule number 10 in each zone-based firewall rule from accept to offload.

vyos@vyos:~$ configure 
[edit]
vyos@vyos# set firewall ipv4 name Any-WAN-v4 rule 10 action 'offload'
[edit]
vyos@vyos# set firewall ipv4 name Any-WAN-v4 rule 10 offload-target 'FT'

  Configuration path: [firewall ipv4 name Any-WAN-v4 rule 10 offload-target FT] already exists

However, the commit fails.
Also, the error message differs between the first commit attempt after boot and subsequent commit attempts.

First commit attempt:

[edit]
vyos@vyos# commit
[ firewall ]
Failed to apply firewall: /run/nftables.conf:139:9-64: Error: Could not
process rule: Operation not supported         oifname { "pppoe0","eth0"
} counter jump NAME_Any-WAN-v4
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/run/nftables.conf:140:17-35: Error: Could not process rule: Operation
not supported         oifname { "pppoe0","eth0" } counter return
^^^^^^^^^^^^^^^^^^^ /run/nftables.conf:140:9-50: Error: Could not
process rule: Operation not supported         oifname { "pppoe0","eth0"
} counter return         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/run/nftables.conf:141:9-20: Error: Could not process rule: Operation
not supported         counter drop comment "zone_vyos default-action
drop"         ^^^^^^^^^^^^ /run/nftables.conf:144:17-35: Error: Could
not process rule: Operation not supported         iifname {
"pppoe0","eth0" } counter return                 ^^^^^^^^^^^^^^^^^^^
/run/nftables.conf:144:9-50: Error: Could not process rule: Operation
not supported         iifname { "pppoe0","eth0" } counter return
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ /run/nftables.conf:145:9-55:
Error: Could not process rule: Operation not supported         iifname {
"eth1" } counter jump NAME_Any-WAN-v4
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/run/nftables.conf:146:9-41: Error: Could not process rule: Operation
not supported         iifname { "eth1" } counter return
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ /run/nftables.conf:147:9-58: Error:
Could not process rule: Operation not supported         iifname {
"eth1.10" } counter jump NAME_Any-WAN-v4
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/run/nftables.conf:148:9-44: Error: Could not process rule: Operation
not supported         iifname { "eth1.10" } counter return
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ /run/nftables.conf:149:9-20: Error:
Could not process rule: Operation not supported         counter drop
comment "zone_wan default-action drop"         ^^^^^^^^^^^^
[[firewall]] failed
Commit failed
[edit]
vyos@vyos#

Second and later attempts:

[edit]
vyos@vyos# commit
[ firewall ]
Traceback (most recent call last):
  File "/usr/libexec/vyos/services/vyos-configd", line 157, in run_script
    script.apply(c)
  File "/usr/libexec/vyos/conf_mode/firewall.py", line 697, in apply
    parse_firewall_error(output.decode())
  File "/usr/libexec/vyos/conf_mode/firewall.py", line 685, in parse_firewall_error
    error_output.append(f'Error found on: firewall {family} {chain} {parsed_entries[2]} rule {parsed_entries[3]}')
                                                             ^^^^^
UnboundLocalError: cannot access local variable 'chain' where it is not associated with a value

[[firewall]] failed
Commit failed
[edit]
vyos@vyos#

I also tried deleting and recreating the firewall rules, but the behavior is the same.
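For the `nft` errors above, here is a parser that maps each error back to the chain enclosing it in the ruleset file. This is an added example, not VyOS's own firewall.py (whose parse_firewall_error() the traceback shows failing with an unbound `chain`): it reads nft's three-line error format (location, offending source line, caret line), indexes the ruleset by table and chain, and groups the errors by table, chain and message, so a rule that sits in no user-named chain (a zone default-action rule, for instance) is still attributed rather than aborting the report. The ruleset in `SAMPLE_RULESET`, its table and chain names, and the error sample are constructed for this example and are not what VyOS generates.

```python
"""Attribute `nft -f` errors to the chain that encloses them.

Added example, not VyOS code. It reads the three-line error format nft
prints (location, offending source line, caret line), looks each line number
up in the ruleset file, and groups the errors by table, chain and message.
A rule that sits in no user-named chain still gets attributed (to the
enclosing chain, or to "<no chain>") instead of aborting the report.
"""
import re
from collections import defaultdict

# Constructed stand-in for /run/nftables.conf. Table and chain names are
# assumptions for this example, not the names VyOS generates.
SAMPLE_RULESET = """\
table ip vyos_filter {
    flowtable VYOS_FLOWTABLE_FT {
        hook ingress priority 0
        devices = { eth0, eth1 }
    }
    chain NAME_Any-WAN-v4 {
        ct state { established, related } counter flow add @VYOS_FLOWTABLE_FT
        ct state { established, related } counter accept
        ct state invalid counter drop
        counter accept
    }
    chain VZONE_vyos {
        oifname { "pppoe0","eth0" } counter jump NAME_Any-WAN-v4
        oifname { "pppoe0","eth0" } counter return
        counter drop comment "zone_vyos default-action drop"
    }
}
"""

# Constructed nft output in the format quoted in the thread, pointing at
# lines 13-15 of SAMPLE_RULESET.
SAMPLE_NFT_ERRORS = """\
/run/nftables.conf:13:9-64: Error: Could not process rule: Operation not supported
        oifname { "pppoe0","eth0" } counter jump NAME_Any-WAN-v4
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/run/nftables.conf:14:9-50: Error: Could not process rule: Operation not supported
        oifname { "pppoe0","eth0" } counter return
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/run/nftables.conf:15:9-20: Error: Could not process rule: Operation not supported
        counter drop comment "zone_vyos default-action drop"
        ^^^^^^^^^^^^
"""

LOC_RE = re.compile(r"^(?P<file>[^:]+):(?P<line>\d+):(?P<col>\d+)-(?P<end>\d+): Error: (?P<msg>.*)$")
TABLE_RE = re.compile(r"^table\s+(\S+)\s+(\S+)\s*\{")
CHAIN_RE = re.compile(r"^chain\s+(\S+)\s*\{")


def parse_nft_errors(text: str) -> list:
    """Return one dict per error. The source and caret lines are optional so
    that truncated or reflowed output still yields the location and message."""
    errors, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m = LOC_RE.match(lines[i])
        if not m:
            i += 1
            continue
        err = {"file": m["file"], "line": int(m["line"]), "col": int(m["col"]),
               "end": int(m["end"]), "message": m["msg"], "source": None}
        if i + 1 < len(lines) and not LOC_RE.match(lines[i + 1]):
            err["source"] = lines[i + 1].strip()
            i += 1
            if i + 1 < len(lines) and set(lines[i + 1].strip()) == {"^"}:
                i += 1
        errors.append(err)
        i += 1
    return errors


def index_chains(ruleset: str) -> dict:
    """Map each 1-based ruleset line to (table, chain); chain is None outside
    any chain (table header, flowtable block, ...). Scopes are tracked by
    brace, so a brace inside a quoted comment would confuse this example."""
    owner, stack = {}, []   # stack: ("table"|"chain"|"other", name), innermost last
    for n, raw in enumerate(ruleset.splitlines(), 1):
        line = raw.strip()
        table = next((name for kind, name in stack if kind == "table"), None)
        chain = next((name for kind, name in stack if kind == "chain"), None)
        t, c = TABLE_RE.match(line), CHAIN_RE.match(line)
        if t:
            table = f"{t[1]} {t[2]}"
        if c:
            chain = c[1]
        owner[n] = (table, chain)
        first = True   # only the first "{" on a header line opens the named scope
        for ch in line:
            if ch == "{":
                kind = "table" if first and t else "chain" if first and c else "other"
                stack.append((kind, {"table": table, "chain": chain}.get(kind)))
                first = False
            elif ch == "}" and stack:
                stack.pop()
    return owner


def attribute_errors(nft_output: str, ruleset: str) -> dict:
    """Group errors as {(table, chain, message): [error, ...]}."""
    owner, report = index_chains(ruleset), defaultdict(list)
    for err in parse_nft_errors(nft_output):
        table, chain = owner.get(err["line"], (None, None))
        report[(table, chain or "<no chain>", err["message"])].append(err)
    return dict(report)


if __name__ == "__main__":
    for (table, chain, msg), errs in attribute_errors(SAMPLE_NFT_ERRORS, SAMPLE_RULESET).items():
        print(f"{table} / {chain}: {len(errs)}x {msg}")
        for e in errs:
            print(f"    line {e['line']}: {e['source']}")
```

On a real box the two sample strings would be replaced by the captured `nft -f` output and the contents of the file it names; the grouped view makes it obvious at a glance whether every failing rule sits in the same chain, which is the first thing to know before opening a bug.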

Same error if you try the latest stream edition?

Thank you for your reply.

And yes, I have confirmed that these errors reproduce on VyOS Stream 2026.03.

  1. Download the latest stream edition and switch to it.
vyos@vyos:~$ add system image https://community-downloads.vyos.dev/stream/2026.03/vyos-2026.03-generic-amd64.iso
The file is 536.000 MiB.
[##############################################################################################################################################################################################################################] 100%
Validating signature
Signature is valid
Validating image compatibility
Validating image checksums
What would you like to name this image? (Default: 2026.03) VyOS-Stream-2026.03
Would you like to set the new image as the default one for boot? [Y/n] Y
An active configuration was found. Would you like to copy it to the new image? [Y/n] Y
Copying configuration directory
Would you like to copy SSH host keys? [Y/n] Y
Copying SSH host keys
Copying system image files
Cleaning up
Unmounting target filesystems
Removing temporary files
vyos@vyos:~$ 
vyos@vyos:~$ reboot
Are you sure you want to reboot this system (vyos)? [y/N] y

Broadcast message from root@vyos on pts/1 (Sun 2026-03-22 11:02:59 JST):

The system will reboot now!

Welcome to VyOS!

   ┌── ┐
   . VyOS 2026.03
   └ ──┘  circinus

 * Documentation:  https://docs.vyos.io/en/latest
 * Project news:   https://blog.vyos.io
 * Bug reports:    https://vyos.dev

You can change this banner using "set system login banner post-login" command.

VyOS is a free software distribution that includes multiple components,
you can check individual component licenses under /usr/share/doc/*/copyright

---
WARNING: This is a technology preview for future LTS release and may contain
         unaddressed issues. Consider carefully before using it in production.


vyos@vyos:~$
  2. Configure the flowtable rule.
vyos@vyos:~$ configure 
[edit]
vyos@vyos# 
[edit]
vyos@vyos# set firewall ipv4 name Any-WAN-v4 rule 10 action 'offload'
[edit]
vyos@vyos# set firewall ipv4 name Any-WAN-v4 rule 10 offload-target 'FT'

  Configuration path: [firewall ipv4 name Any-WAN-v4 rule 10 offload-target FT] already exists
  3. First commit attempt.
[edit]
vyos@vyos# commit
[ firewall ]
Failed to apply firewall: /run/nftables.conf:137:9-64: Error: Could not
process rule: Operation not supported         oifname { "pppoe0","eth0"
} counter jump NAME_Any-WAN-v4
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/run/nftables.conf:138:17-35: Error: Could not process rule: Operation
not supported         oifname { "pppoe0","eth0" } counter return
^^^^^^^^^^^^^^^^^^^ /run/nftables.conf:138:9-50: Error: Could not
process rule: Operation not supported         oifname { "pppoe0","eth0"
} counter return         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/run/nftables.conf:139:9-20: Error: Could not process rule: Operation
not supported         counter drop comment "zone_vyos default-action
drop"         ^^^^^^^^^^^^ /run/nftables.conf:142:17-35: Error: Could
not process rule: Operation not supported         iifname {
"pppoe0","eth0" } counter return                 ^^^^^^^^^^^^^^^^^^^
/run/nftables.conf:142:9-50: Error: Could not process rule: Operation
not supported         iifname { "pppoe0","eth0" } counter return
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ /run/nftables.conf:143:9-55:
Error: Could not process rule: Operation not supported         iifname {
"eth1" } counter jump NAME_Any-WAN-v4
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/run/nftables.conf:144:9-41: Error: Could not process rule: Operation
not supported         iifname { "eth1" } counter return
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ /run/nftables.conf:145:9-58: Error:
Could not process rule: Operation not supported         iifname {
"eth1.10" } counter jump NAME_Any-WAN-v4
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/run/nftables.conf:146:9-44: Error: Could not process rule: Operation
not supported         iifname { "eth1.10" } counter return
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ /run/nftables.conf:147:9-20: Error:
Could not process rule: Operation not supported         counter drop
comment "zone_wan default-action drop"         ^^^^^^^^^^^^
[[firewall]] failed
Commit failed
  4. Second and third commit attempts.
[edit]
vyos@vyos# commit
[ firewall ]
Traceback (most recent call last):
  File "/usr/libexec/vyos/services/vyos-configd", line 157, in run_script
    script.apply(c)
  File "/usr/libexec/vyos//conf_mode/firewall.py", line 640, in apply
    parse_firewall_error(output.decode())
  File "/usr/libexec/vyos//conf_mode/firewall.py", line 628, in parse_firewall_error
    error_output.append(f'Error found on: firewall {family} {chain} {parsed_entries[2]} rule {parsed_entries[3]}')
                                                             ^^^^^
UnboundLocalError: cannot access local variable 'chain' where it is not associated with a value

[[firewall]] failed
Commit failed
[edit]
vyos@vyos# commit
[ firewall ]
Traceback (most recent call last):
  File "/usr/libexec/vyos/services/vyos-configd", line 157, in run_script
    script.apply(c)
  File "/usr/libexec/vyos//conf_mode/firewall.py", line 640, in apply
    parse_firewall_error(output.decode())
  File "/usr/libexec/vyos//conf_mode/firewall.py", line 628, in parse_firewall_error
    error_output.append(f'Error found on: firewall {family} {chain} {parsed_entries[2]} rule {parsed_entries[3]}')
                                                             ^^^^^
UnboundLocalError: cannot access local variable 'chain' where it is not associated with a value

[[firewall]] failed
Commit failed
[edit]
vyos@vyos# 

I’m not sure whether what I did is correct; I submitted a task at vyos.dev.

You do not need to add pppoe0 to your flowtable.

Source.

Regardless, I see a PR has been created for it, so good work! But yeah, in the future you don’t need it.

tjh, thank you for giving me advice about the flowtable.
I was just about to ask whether I should add the pppoe interface to the flowtable or not.

instead the real device is sufficient for the flowtable to track your flows.

So I don’t need to add non-real interfaces like tunnel, virtual-ethernet, or dummy to the flowtable either?

The documentation is less clear on that, sadly.
It’s my understanding that no, you don’t, it’s only to be enabled on the physical interface(s) you want offload on. But my advice is to test it and see.

May I ask a similar question, but not about a zone-based firewall setting?

Here is the base info:

ouzy@VyOS-Router# sudo lspci
00:00.0 Host bridge: Intel Corporation 8th Gen Core Processor Host Bridge/DRAM Registers (rev 07)
00:01.0 PCI bridge: Intel Corporation 6th-10th Gen Core Processor PCIe Controller (x16) (rev 07)
00:02.0 VGA compatible controller: Intel Corporation CoffeeLake-S GT2 [UHD Graphics 630]
00:08.0 System peripheral: Intel Corporation Xeon E3-1200 v5/v6 / E3-1500 v5 / 6th/7th/8th Gen Core Processor Gaussian Mixture Model
00:12.0 Signal processing controller: Intel Corporation Cannon Lake PCH Thermal Controller (rev 10)
00:14.0 USB controller: Intel Corporation Cannon Lake PCH USB 3.1 xHCI Host Controller (rev 10)
00:14.2 RAM memory: Intel Corporation Cannon Lake PCH Shared SRAM (rev 10)
00:15.0 Serial bus controller: Intel Corporation Cannon Lake PCH Serial IO I2C Controller #0 (rev 10)
00:15.1 Serial bus controller: Intel Corporation Cannon Lake PCH Serial IO I2C Controller #1 (rev 10)
00:16.0 Communication controller: Intel Corporation Cannon Lake PCH HECI Controller (rev 10)
00:16.3 Serial controller: Intel Corporation Cannon Lake PCH Active Management Technology - SOL (rev 10)
00:17.0 SATA controller: Intel Corporation Cannon Lake PCH SATA AHCI Controller (rev 10)
00:1b.0 PCI bridge: Intel Corporation Cannon Lake PCH PCI Express Root Port #17 (rev f0)
00:1c.0 PCI bridge: Intel Corporation Cannon Lake PCH PCI Express Root Port #1 (rev f0)
00:1c.1 PCI bridge: Intel Corporation Cannon Lake PCH PCI Express Root Port #2 (rev f0)
00:1d.0 PCI bridge: Intel Corporation Cannon Lake PCH PCI Express Root Port #9 (rev f0)
00:1d.4 PCI bridge: Intel Corporation Cannon Lake PCH PCI Express Root Port #13 (rev f0)
00:1e.0 Communication controller: Intel Corporation Cannon Lake PCH Serial IO UART Host Controller (rev 10)
00:1f.0 ISA bridge: Intel Corporation Cannon Point-LP LPC Controller (rev 10)
00:1f.4 SMBus: Intel Corporation Cannon Lake PCH SMBus Controller (rev 10)
00:1f.5 Serial bus controller: Intel Corporation Cannon Lake PCH SPI Controller (rev 10)
00:1f.6 Ethernet controller: Intel Corporation Ethernet Connection (7) I219-LM (rev 10)
01:00.0 Ethernet controller: Intel Corporation Ethernet Controller X710 for 10GbE SFP+ (rev 02)
01:00.1 Ethernet controller: Intel Corporation Ethernet Controller X710 for 10GbE SFP+ (rev 02)
01:00.2 Ethernet controller: Intel Corporation Ethernet Controller X710 for 10GbE SFP+ (rev 02)
01:00.3 Ethernet controller: Intel Corporation Ethernet Controller X710 for 10GbE SFP+ (rev 02)
04:00.0 Ethernet controller: Intel Corporation I210 Gigabit Network Connection (rev 03)
05:00.0 Non-Volatile memory controller: KIOXIA Corporation NVMe SSD Controller BG5 (DRAM-less)


ouzy@VyOS-Router# ethtool -k eth2 | grep hw-tc-offload
hw-tc-offload: on
[edit]
ouzy@VyOS-Router# ethtool -k eth3 | grep hw-tc-offload
hw-tc-offload: on


ouzy@VyOS-Router# run show version
Version:          VyOS 1.5.0
Release train:    circinus
Release flavor:   generic

Built by:         VyOS Inc.
Built on:         Mon 30 Mar 2026 18:57 UTC
Build UUID:       ca4fe7cc-97f3-4c13-9882-75fb09302044
Build commit ID:  cb47cdb72c6d08

Architecture:     x86_64
Boot via:         installed image
System type:      bare metal

set firewall flowtable FT-WAN-LAN description 'Flowtable for WAN(PPPoE) and LAN'
set firewall flowtable FT-WAN-LAN interface 'eth2'      # WAN(PPPoE) via X710-DA4
set firewall flowtable FT-WAN-LAN interface 'eth3'      # LAN via X710-DA4
set firewall flowtable FT-WAN-LAN offload 'software'
set firewall ipv4 forward filter rule 10 action 'offload'
set firewall ipv4 forward filter rule 10 offload-target 'FT-WAN-LAN'
set firewall ipv4 forward filter rule 10 state 'established'
set firewall ipv4 forward filter rule 10 state 'related'

The question is: when I tried to change from software to hardware, an error was shown.

ouzy@VyOS-Router# compare
[firewall flowtable FT-WAN-LAN]
- offload "software"
+ offload "hardware"

[edit]
ouzy@VyOS-Router# commit
[ firewall ]
Fail to apply firewall Error found on: firewall ipv4 forward filter rule
10         Error message: Could not process rule: Operation not
supported
[[firewall]] failed
Commit failed

May I know why, and is there a fix?

Thanks~~~

Does your hardware support hardware flowtable offloading? Intel NICs don’t, as far as I know. MediaTek supports it for a number of their networking focused SoCs and Mellanox does so as well. Besides those, I can’t immediately think of any other brands that do.

Thanks for asking.
Here is the data. I’m assuming the X710 is supported; am I correct?

sudo ethtool -k eth2 | grep hw-tc-offload
hw-tc-offload: on

Intel X710 doesn’t support hardware flowtable offloading, no. You’ll have to stick to the software version that works on all NICs.

Thanks for the heads-up~
Do you know why ethtool can turn hw-tc-offload on, but it is actually NOT supported?

Because hw-tc-offload is a separate thing from nftables flowtable offloading, as far as I’m aware.

Enabling that option (which can be done with the VyOS CLI) is a requirement for nftables flowtable hardware offloading, but it’s not the same thing.

Noted. So can I say there is a sort of compatibility issue, in that nftables flowtable offloading does not support the X710, but Mellanox would be much better?

Intel simply didn’t implement it. Mellanox did, but I haven’t seen people successfully use it on their Mellanox NICs, even though at least some of them supposedly support it. You can find the thread discussing its use on Mellanox NICs on the ServeTheHome forum.

I’ve mostly seen it implemented in network focused SoCs, not for NICs. For instance, my MediaTek MT7988A based BananaPi BPI-R4 that I’m running VyOS on can use it just fine.

Did you try the software offloading? Even that saves a lot of CPU cycles, so that might be more than enough, depending on your needs.

Thanks for the additional information.
Yeah, I’m using the software flowtable, given that there is not much throughput. And I did notice [OFFLOAD] via sudo conntrack -L | grep OFFLOAD

udp      17 src=192.168.1.6 dst=109.x.y.z sport=6881 dport=64830 src=109.x.y.z dst=113.x.y.z sport=64830 dport=6881 [OFFLOAD] mark=0 use=2
tcp      6 src=192.168.1.15 dst=45..x.y.z sport=53528 dport=11133 src=45.x.y.z dst=113.x.y.z sport=11133 dport=53528 [OFFLOAD] mark=0 use=2
tcp      6 src=192.168.1.15 dst=45..x.y.z sport=47766 dport=11101 src=45.x.y.z dst=113.x.y.z sport=11101 dport=47766 [OFFLOAD] mark=0 use=2
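A way to check from `conntrack -L` output which flows the flowtable has actually taken over, as an added example that is not code from this thread or from VyOS: it parses the list format quoted above (offloaded entries carry `[OFFLOAD]` and, as in the lines above, no timeout or state columns) and, for each flow without the flag, states whether that is expected (ICMP, flows that start or end on the router itself, flows not yet established) or a gap worth looking into. The sample entries, the router addresses in `ROUTER_ADDRS` and all function names are constructed for this example.

```python
"""Audit `conntrack -L` output for flowtable offload coverage.

Added example, not code from this thread or from VyOS. It parses the
conntrack-tools list format quoted above (one flow per line, `[OFFLOAD]` on
flows the flowtable has taken over) and, for each flow without the flag,
says whether that is expected or a gap worth investigating.
"""
import re
import sys
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample in `sudo conntrack -L` format using RFC 5737 documentation
# addresses. Offloaded entries omit the timeout/state columns, as in the lines
# quoted in the thread; the other entries carry them.
SAMPLE_CONNTRACK = """\
udp      17 src=192.168.1.6 dst=203.0.113.10 sport=6881 dport=64830 src=203.0.113.10 dst=198.51.100.7 sport=64830 dport=6881 [OFFLOAD] mark=0 use=2
tcp      6 src=192.168.1.15 dst=203.0.113.20 sport=53528 dport=11133 src=203.0.113.20 dst=198.51.100.7 sport=11133 dport=53528 [OFFLOAD] mark=0 use=2
tcp      6 431999 ESTABLISHED src=192.168.1.15 dst=203.0.113.21 sport=47766 dport=443 src=203.0.113.21 dst=198.51.100.7 sport=443 dport=47766 [ASSURED] mark=0 use=1
tcp      6 118 SYN_SENT src=192.168.1.22 dst=203.0.113.30 sport=40000 dport=80 [UNREPLIED] src=203.0.113.30 dst=198.51.100.7 sport=80 dport=40000 mark=0 use=1
udp      17 28 src=192.168.1.9 dst=192.168.1.1 sport=51000 dport=53 src=192.168.1.1 dst=192.168.1.9 sport=53 dport=51000 mark=0 use=1
icmp     1 29 src=192.168.1.9 dst=203.0.113.5 type=8 code=0 id=1 src=203.0.113.5 dst=198.51.100.7 type=0 code=0 id=1 mark=0 use=1
"""

# Constructed: the router's own LAN address and its WAN address (the NAT
# source). Flows that start or end here take the input/output path, which a
# flowtable never covers; only forwarded flows can be offloaded.
ROUTER_ADDRS = frozenset({"192.168.1.1", "198.51.100.7"})

TUPLE_KEYS = {"src", "dst", "sport", "dport", "type", "code", "id"}
KV_RE = re.compile(r"(\w+)=(\S+)")
FLAG_RE = re.compile(r"\[([A-Z_]+)\]")
STATE_RE = re.compile(r"[A-Z_]+")


@dataclass
class Flow:
    proto: str
    state: Optional[str]   # TCP state column; absent on offloaded entries
    orig: dict             # original-direction tuple
    reply: dict            # reply-direction tuple
    flags: frozenset

    @property
    def offloaded(self) -> bool:
        return "OFFLOAD" in self.flags

    @property
    def established(self) -> bool:
        """Would `ct state established` match this flow?"""
        if self.offloaded:
            return True
        if self.proto == "tcp":
            return self.state == "ESTABLISHED"
        # UDP/ICMP have no handshake: the entry counts as established once a
        # reply has been seen, i.e. once it is no longer UNREPLIED.
        return "UNREPLIED" not in self.flags


def parse_line(line: str) -> Optional[Flow]:
    tokens = line.split()
    if len(tokens) < 2:
        return None
    flags = frozenset(FLAG_RE.findall(line))
    # The TCP state is the only bare upper-case token; flags are bracketed.
    state = next((t for t in tokens[2:] if STATE_RE.fullmatch(t)), None)
    orig: dict = {}
    reply: dict = {}
    for key, value in KV_RE.findall(line):
        if key in TUPLE_KEYS:
            # First occurrence of a tuple key is the original direction,
            # the second one is the reply direction.
            (reply if key in orig else orig)[key] = value
    return Flow(tokens[0], state, orig, reply, flags)


def parse_conntrack(text: str) -> list:
    return [f for f in map(parse_line, text.splitlines()) if f is not None]


def offload_counts(flows) -> Counter:
    """Count entries per (protocol, offloaded?)."""
    return Counter((f.proto, f.offloaded) for f in flows)


def explain_missing(flows, router_addrs=ROUTER_ADDRS) -> list:
    """For each flow without [OFFLOAD], return (src, dst, proto, reason).
    Reasons starting with 'GAP' are the ones worth investigating."""
    findings = []
    for f in flows:
        if f.offloaded:
            continue
        src, dst = f.orig.get("src"), f.orig.get("dst")
        if f.proto not in ("tcp", "udp"):
            reason = "skip: flowtables only handle TCP and UDP"
        elif src in router_addrs or dst in router_addrs:
            reason = "skip: starts or ends on the router, so it is not a forwarded flow"
        elif not f.established:
            reason = "skip: not established yet; the offload rule matches established/related"
        else:
            reason = ("GAP: forwarded, established flow without [OFFLOAD]; check that the "
                      "interfaces it enters and leaves through are both flowtable members")
        findings.append((src, dst, f.proto, reason))
    return findings


def gaps(text: str, router_addrs=ROUTER_ADDRS) -> list:
    return [x for x in explain_missing(parse_conntrack(text), router_addrs)
            if x[3].startswith("GAP")]


if __name__ == "__main__":
    # Pipe real output in with: sudo conntrack -L 2>/dev/null | python3 audit.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CONNTRACK
    flows = parse_conntrack(text)
    for (proto, off), n in sorted(offload_counts(flows).items()):
        print(f"{proto:5s} {'offloaded' if off else 'not offloaded':14s} {n}")
    for src, dst, proto, reason in explain_missing(flows):
        print(f"{proto:5s} {src} -> {dst}: {reason}")
```

The router addresses have to be filled in for the box being checked; with them in place, the only lines reported as GAP are forwarded TCP/UDP flows that the offload rule should have caught, which narrows the search to the flowtable's device list and the rule order.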

Yeah, the software offloading will show up in conntrack like that. :slight_smile:

It looks like your ISP is using PPPoE, based on your comment. That can seriously hurt performance when done in software. Hopefully accel-ppp minimizes the performance impact though. :slight_smile: