Re: [PATCH net-next RFC] netfilter: flowtable: add CT metadata action for nft flowtables
From: Pablo Neira Ayuso
Date: Wed Sep 24 2025 - 18:51:33 EST
On Wed, Sep 17, 2025 at 08:33:49PM +0300, Elad Yifee wrote:
> On Wed, Sep 17, 2025 at 11:18 AM Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > Just to make sure we are on the same page: Software plane has to match
> > the capabilities of the hardware offload plan, new features must work
> > first in the software plane, then extend the hardware offload plane to
> > support it.
>
> Thanks - I see what you meant now.
>
> This isn’t a new feature that needs to be implemented in software
> first. We’re not introducing new user semantics, matches, or actions
> in nft/TC, and there are no datapath changes (including the flowtable
> software offload fast path). The change only surfaces existing CT
> state (mark/labels/dir) as FLOW_ACTION_CT_METADATA at the hardware
> offload boundary so drivers can use it for per-flow QoS, or simply
> ignore it.
>
> When a flow stays in software, behavior remains exactly as today,
> software QoS continues to use existing tools (nft/TC setting
> skb->priority/mark, qdiscs, etc.). There’s no SW-HW mismatch
> introduced here.

You have to show me there is no mismatch.

This is exposing the current ct mark/label to your hardware. The
flowtable infrastructure (the software representation) makes no use of
this information from the flowtable datapath. Can you explain how you
plan to use this?

Thanks.
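The disagreement above is about whether a driver consuming the conntrack mark at the offload boundary can classify differently from the software path that uses the same mark. The following user-space model is an added illustration for this thread; it is not the patch, the kernel, or any driver's code. The struct only mirrors the mark/labels/orig_dir fields carried by FLOW_ACTION_CT_METADATA; the class mask, the band table, the "correct" and "divergent" driver mappings, and the sample mark space are constructed assumptions.

```c
/* Added example, not the patch's or the kernel's code: a user-space model of
 * the software-plane / hardware-offload consistency question raised in the
 * thread. The struct mirrors the mark/labels/orig_dir fields carried by
 * FLOW_ACTION_CT_METADATA; everything else here is constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the CT metadata an offload driver would receive. */
struct ct_metadata_model {
    uint32_t mark;
    uint32_t labels[4];
    bool orig_dir;
};

/* Constructed policy: the low 8 bits of the ct mark select a QoS class;
 * known classes map to bands, unknown classes fall back to band 0. */
#define CLASS_MASK 0xffU

static uint32_t band_for_class(uint32_t cls)
{
    static const uint32_t table[] = { 0, 3, 2, 1 }; /* class -> band */
    return cls < sizeof table / sizeof table[0] ? table[cls] : 0;
}

/* Software plane: nft copies the ct mark into skb->mark, the qdisc
 * classifies on the masked mark. */
static uint32_t sw_band(uint32_t skb_mark)
{
    return band_for_class(skb_mark & CLASS_MASK);
}

/* A driver that honours the same mask and table as the software plane. */
static uint32_t hw_band_ok(const struct ct_metadata_model *md)
{
    return band_for_class(md->mark & CLASS_MASK);
}

/* A divergent driver that ignores the mask: marks with upper bits set
 * (for example a second policy field) are classified differently from
 * the software plane. */
static uint32_t hw_band_divergent(const struct ct_metadata_model *md)
{
    return band_for_class(md->mark);
}

typedef uint32_t (*hw_fn)(const struct ct_metadata_model *);

/* Walk a sample mark space and return the first ct mark on which the two
 * planes disagree, or UINT32_MAX when the driver matches everywhere. */
static uint32_t first_mismatch(hw_fn drv)
{
    for (uint32_t mark = 0; mark < 0x10000U; mark++) {
        struct ct_metadata_model md = {
            .mark = mark, .labels = { 0 }, .orig_dir = true,
        };
        if (sw_band(mark) != drv(&md))
            return mark;
    }
    return UINT32_MAX;
}

int main(void)
{
    printf("mask-aware driver:  first mismatch = 0x%x\n",
           first_mismatch(hw_band_ok));
    printf("divergent driver:   first mismatch = 0x%x\n",
           first_mismatch(hw_band_divergent));
    return 0;
}
```

The point of the check is the one Pablo asks for: the mark value the software plane acts on and the mark value the driver acts on are the same bits, so any difference in how they are interpreted (here, a missing mask) shows up as a classification mismatch for some connection state, and that is the evidence a reviewer would want to see before accepting that exposing the metadata is harmless.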