Software/Hardware fastpath with nftables flowtable

Apachez · July 30, 2023, 12:03am

I have created a feature request regarding software and hardware fastpath with nftables flowtable:

Its based on the added capability of Firewalld as described in their blogpost over at:

So far their results looks promising with +58.5% increase in throughput for the usecase shown in the blogpost (from 12.47Gbps to 19.77Gbps with 2048 concurrent connections).

I wonder if anyone in this forum perhaps already have tested out flowtables (software and/or hardware) in nftables and can share their experience?

Any particular drawbacks by enabling it?

For more information:

https://wiki.nftables.org/wiki-nftables/index.php/Flowtables

https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks

https://docs.kernel.org/networking/nf_flowtable.html

Viacheslav · July 30, 2023, 7:13am

Duplicate task ⚓ T4502 Consider implementing (NAT/other) flow table offload

Apachez · July 30, 2023, 8:40am

As I mentioned in ⚓ T4502 Consider implementing (NAT/other) flow table offload :

As mentioned in ⚓ T5419 Software/Hardware fastpath with nftables flowtable the offloading should not only apply for NAT.

Also it would be prefered if there were option to select between flowtable_software and flowtable_hardware per inferface (or whatever proper naming there might be).

Suggestion is that this setting should be placed in the “set interface ethernet ethX” section instead such as:

set interface ethernet ethX offload_firewall <value>

Where accepted values are “none” (default), “flowtable_software” or “flowtable_hardware”).

Viacheslav · July 30, 2023, 5:17pm

Sure it is not only for nat