Netfilter "Flow offload" / HW NAT


#223

Please help me set up firewall rules for passing VPN traffic from client computers with software flow offload.
My router is a Linksys EA3500.


#224

Yes, I have the same problem, but if you have time you can try the Shorewall multi-WAN way and see if it's better.


#225

Hi @zhuoyang,
I encountered the same issue.
Has this random reboot problem been solved?

[ 1727.771750] Unhandled kernel unaligned access[#1]:
[ 1727.781300] CPU: 3 PID: 70 Comm: kworker/3:1 Not tainted 4.14.105 #0
[ 1727.794041] Workqueue: events_long nf_ct_kill_acct [nf_conntrack]
[ 1727.794061] task: 8fd80c80 task.stack: 8fd08000
[ 1727.794066] $ 0   : 00000000 00000001 00000000 00022ba7
[ 1727.794083] $ 4   : 8e6025d8 00000000 3c8a8035 00000001
[ 1727.794098] $ 8   : 00000000 00007c00 00000192 0021c0de
[ 1727.794113] $12   : 00000000 00000000 3b9aca00 00000000
[ 1727.794127] $16   : 8e6025d8 8e494700 8e494700 fffffff0
[ 1727.794145] $20   : 00000000 00000604 80580000 00000003
[ 1727.794165] $24   : 27739c00 8e4c06bc
[ 1727.794186] $28   : 8fd08000 8fd09db8 8e4d0000 8e600650
[ 1727.794210] Hi    : 0000001d
[ 1727.794215] Lo    : 74955000
[ 1727.794242] epc   : 8e600658 nf_ct_nat_ext_add+0x218/0x928 [nf_nat]
[ 1727.794261] ra    : 8e600650 nf_ct_nat_ext_add+0x210/0x928 [nf_nat]
[ 1727.794266] Status: 11007c03 KERNEL EXL IE
[ 1727.794283] Cause : 40800014 (ExcCode 05)
[ 1727.794287] BadVA : 00022ba7
[ 1727.794291] PrId  : 0001992f (MIPS 1004Kc)
[ 1727.794294] Modules linked in: pppoe ppp_async pppox ppp_generic nf_conntrack_ipv6 mt76x2e mt76x2_common mt76x02_lib mt76 mac80211 iptable_nat ipt_REJECT ipt_MASQUERADE cfg80211 xt_time xt_tcpudp xt_tcpmss xt_statistic xt_state xt_socket xt_recent xt_nat xt_multiport xt_mark xt_mac xt_limit xt_length xt_iprange xt_hl xt_helper xt_ecn xt_dscp xt_conntrack xt_connmark xt_connlimit xt_connbytes xt_comment xt_TPROXY xt_TCPMSS xt_REDIRECT xt_LOG xt_HL xt_FLOWOFFLOAD xt_DSCP xt_CT xt_CLASSIFY slhc nf_socket_ipv6 nf_socket_ipv4 nf_reject_ipv4 nf_nat_redirect nf_nat_masquerade_ipv4 nf_conntrack_ipv4 nf_nat_ipv4 nf_nat nf_log_ipv4 nf_flow_table_hw nf_flow_table nf_defrag_ipv6 nf_defrag_ipv4 nf_conntrack_rtcache nf_conntrack_netlink nf_conntrack libcrc32c iptable_raw iptable_mangle iptable_filter ipt_ECN ip6table_raw
[ 1727.794503]  ip_tables crc_ccitt compat fuse tcp_bbr sch_tbf sch_ingress sch_htb sch_hfsc em_u32 cls_u32 cls_tcindex cls_route cls_matchall cls_fw cls_flow cls_basic act_skbedit act_mirred ledtrig_usbport xt_set ip_set_list_set ip_set_hash_netportnet ip_set_hash_netport ip_set_hash_netnet ip_set_hash_netiface ip_set_hash_net ip_set_hash_mac ip_set_hash_ipportnet ip_set_hash_ipportip ip_set_hash_ipport ip_set_hash_ipmark ip_set_hash_ip ip_set_bitmap_port ip_set_bitmap_ipmac ip_set_bitmap_ip ip_set nfnetlink nf_log_ipv6 nf_log_common ip6table_mangle ip6table_filter ip6_tables ip6t_REJECT x_tables nf_reject_ipv6 ifb vfat fat nls_utf8 nls_iso8859_1 nls_cp437 mmc_block mtk_sd mmc_core leds_gpio xhci_plat_hcd xhci_pci xhci_mtk xhci_hcd ahci libahci libata sd_mod scsi_mod gpio_button_hotplug ext4 mbcache
[ 1727.794745]  jbd2 usbcore nls_base usb_common crc32c_generic
[ 1727.794778] Process kworker/3:1 (pid: 70, threadinfo=8fd08000, task=8fd80c80, tls=00000000)
[ 1727.794783] Stack : fffffff0 00000000 00000604 80580000 8e494700 8e4cfdc8 8e4cfdd8 8e4caeb8
[ 1727.794819]         8fc2b300 00000000 05600003 8e494700 8e494700 8e494710 00000007 8e4c066c
[ 1727.794856]         8f6cd924 8fd36100 8123fa00 00000001 8e494700 8e4c1c48 8123e380 8008ad90
[ 1727.794882]         8fd80fa0 80470000 8f6cd94c 8059ce20 8e4d0000 8e4d0000 00000020 00000000
[ 1727.794905]         8e4cfd64 8e4ccad4 81242700 00000000 8e4cfd64 8fd36100 8123fa00 81242900
[ 1727.794939]         ...
[ 1727.794963] Call Trace:
[ 1727.794983] [<8e600658>] nf_ct_nat_ext_add+0x218/0x928 [nf_nat]
[ 1727.795049] Code: 02002025  8e23007c  8e220078 <ac620000> 10400002  00000000  ac430004  24020200  ae22007c
[ 1727.795090]
[ 1727.795199] ---[ end trace 46ae1a2b6c1a5eb2 ]---
[ 1727.806443] Kernel panic - not syncing: Fatal exception in interrupt
[ 1728.445305] Rebooting in 3 seconds..

#226

Did you already go to the build options and select "strip unneeded functions"?


#227

Because mwan3 uses policy routing (--set-mark).
Flow offload realizes a very simple packet path; it breaks the full kernel stack.


#229

I switched to Padavan firmware, which has HW offload without any problem.