Nft flowtable 22.03.4

nonny · June 8, 2023, 1:08pm

Im confused by conflicting documentation on the web....

Currently the flowtable firewall rule inserted in the forwarding chain is:
'meta l4proto { tcp, udp } flow add @ft'

Surely that should be:
'meta l4proto { tcp, udp } flow offload @ft'

?

frollic · June 8, 2023, 1:10pm

the web is big, could you be more specific ?

dave14305 · June 8, 2023, 1:22pm

Looks right to me.

github.com

openwrt/firewall4/blob/4fbf6d75a4a9e523d1848a28d8a3ea095e870195/root/usr/share/firewall4/templates/ruleset.uc#L121-L123


      
          {% if (length(flowtable_devices) > 0): %}
          		meta l4proto { tcp, udp } flow offload @ft;
          {% endif %}

Compare fw4 -q print with nft list ruleset. Maybe nft is substituting the token on list output.

nonny · June 8, 2023, 1:58pm

Dave you are bang on.

nftables v1.0.2 (Lester Gooch)
'nft list ruleset' yields 'add' after explicitly setting 'offload' in the rule.

I had read somewhere on the nftables wiki that 'add' was for manually adding flows rather than automatically which rely on a conntrack'ed reply being sent. There are discrepancies between different document versions, not sure if early documentation was incorrect or the nftables api was unstable with earlier versions which confused me....either way it is now clear what is occurring.

Thanks for your prompt response.

dave14305 · June 8, 2023, 8:46pm

This commit seems to indicate the official syntax changed from offload to add in 2019.

http://git.netfilter.org/nftables/commit/?id=4795a994e2810c63d8da19b5f75854db470e4a6c

system · June 18, 2023, 8:46pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.