Software flow offloading for containerized OpenWrt

Hi all,
first off, I thought this section was more appropriate for this kind of thread, if not I apologize in advance for that, move it as you wish.

I'm trying OpenWrt inside an lxc container on an x86_64 box. I notice there is no Software flow offloading option among the firewall settings and (giving a quick look at the LuCI code) I guess it must be because the host kernel doesn't have the flow offload capabilities, which I imagine are an OpenWrt custom patch to the kernel.

Now, out of curiosity, how could I add support for SFO to the stock linux kernel shipped by the host distro? Is SFO support mainlined? Should I build a module for it and/or a custom (patched?) kernel? Is there a solution that doesn't imply much management effort in this respect?

Thanks.

That is the problem with containerization (compared to full system virtualization) and OpenWrt, the host kernel must provide everything expected by your OpenWrt container (and also with a roughly matching default configuration in terms of sysctls and more). On top of that, the host is still on the hook to handle the network separation and to forward the necessary interfaces, which kind of duplicates what OpenWrt is supposed to do in the first place (this works in a tightly managed enterprise environment, at home it's more of a burden).

Flow-offloading is supported by the mainline kernel, however there exclusively in combination with nftables - while OpenWrt's fw3 relies on iptables (as frontend to nftables) at this point. The patches necessary to make flow-offloading work on top of iptables are specific to OpenWrt, as they have been rejected in mainline (which focuses on nftables and doesn't want to add new features to legacy code). Work on an nftables based replacement for fw3 is progressing in the form of a mostly drop-in replacement via fw4, but it's still early days for that (not part of openwrt-21.02, not really in use in master either at this point, but planned for limelight soon and to send off fw3 into retirement).

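As an added illustration (not code from this thread, from OpenWrt or from fw4), this is the shape of an nftables ruleset that uses the mainline flowtable support the reply above refers to: established TCP/UDP flows forwarded between the two interfaces are handed to the software fast path. The interface names eth0 (WAN) and eth1 (LAN) are assumed placeholders.

```nft
# Added example, not an fw4 ruleset. eth0 = WAN, eth1 = LAN (assumed names).
table inet offload_demo {
    # A flowtable attached at ingress on both forwarding interfaces.
    # Without "flags offload" this is software flow offloading only,
    # which is what the stock kernel provides via nftables.
    flowtable ft {
        hook ingress priority 0;
        devices = { eth0, eth1 };
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Only already-established TCP/UDP connections are added to the
        # flowtable; the initial handshake still traverses the full ruleset,
        # so the accept rules below keep deciding what may be opened.
        ct state established meta l4proto { tcp, udp } flow add @ft

        ct state established,related accept
        iifname "eth1" oifname "eth0" accept
    }
}
```

Load it with `nft -f <file>` and confirm the kernel honours it with `nft list flowtables`; if the host kernel lacks nf_flow_table support, the flowtable definition itself is rejected, which is the same missing capability the container sees.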

Thanks @slh for the in-depth explanation.

How is a home network more of a burden for a containerized image?

Anyway, I think it's not worth the effort of trying any hacking, if even feasible. Better wait for a future support, at least in my case.
Also because I have noticed no perceivable difference in CPU load during high-traffic situations (and idle ofc.), either with SFO (running the stock OpenWrt image from USB) or without SFO (running as container), and with SQM enabled. The load is pretty much identical in both setups (i.e. shaping a 100/20 with 70% CPU on dslreports with the maximum number of streams, which in the end is way more than my typical network usage).

just curious, but is the code online anywhere?

https://git.openwrt.org/?p=project/firewall4.git;a=summary
