Re: [PATCH] netfilter: flowtable: resolve LAG slave for direct HW offload

[Pablo Neira Ayuso]

On Tue, May 26, 2026 at 01:33:09AM +0900, Jihong Min wrote:
> Sorry for the noise.
> 
> While preparing the git-send-email command, I noticed that the subject
> prefix was not set correctly. This should have been sent with the
> nf-next prefix.
> 
> I also noticed that the Assisted-by trailer was missing. Most of the
> patch was written by me, but I did get help from GPT-5.5 for some of
> the RCU and lifetime details, so the patch should have included:
> 
> Assisted-by: Codex:gpt-5.5
> 
> Also, this change was tested on a Lumen W1700K2 with a Linux 6.18
> OpenWrt-based image, where it enabled flow offload in a bonding setup.
> I have also applied the same diff on top of nf-next and completed a
> compile test there. I checked that the relevant infrastructure for
> bonding flow offload support is identical between the tested tree and
> nf-next.

Can you make this work with fill_forward_path in the bonding device?

> I will be more careful in the next submission and will correct this
> there.
> 
> Best regards,
> Jihong
> 
> On 5/26/26 01:24, Jihong Min wrote:
> > FLOW_OFFLOAD_XMIT_DIRECT path discovery can stop at a LAG master because
> > the real egress port is selected later through ndo_get_xmit_slave().
> > Hardware flow offload drivers that program per-port redirects need the
> > selected lower device, while software forwarding must still transmit
> > through the LAG master.
> > 
> > Keep the route tuple software egress ifindex on the LAG master and carry
> > a separate hardware redirect ifindex. When the direct egress device is a
> > LAG master, resolve the selected slave with netdev_get_xmit_slave(),
> > verify that it belongs to the flowtable, and store it as the hardware
> > redirect device.
> > 
> > Signed-off-by: Jihong Min <hurryman2212@xxxxxxxxx>
> > ---
> >  include/net/netfilter/nf_flow_table.h |  1 +
> >  net/netfilter/nf_flow_table_core.c    |  1 +
> >  net/netfilter/nf_flow_table_offload.c |  2 +-
> >  net/netfilter/nf_flow_table_path.c    | 34 ++++++++++++++++++++++++++-
> >  4 files changed, 36 insertions(+), 2 deletions(-)
> > 
> > diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h
> > index 7b23b245a5a8..ada9db7e5c38 100644
> > --- a/include/net/netfilter/nf_flow_table.h
> > +++ b/include/net/netfilter/nf_flow_table.h
> > @@ -163,6 +163,7 @@ struct flow_offload_tuple {
> >  		};
> >  		struct {
> >  			u32		ifidx;
> > +			u32		hw_ifidx;
> >  			u8		h_source[ETH_ALEN];
> >  			u8		h_dest[ETH_ALEN];
> >  		} out;
> > diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c
> > index 785d8c244a77..bc329420f882 100644
> > --- a/net/netfilter/nf_flow_table_core.c
> > +++ b/net/netfilter/nf_flow_table_core.c
> > @@ -132,6 +132,7 @@ static int flow_offload_fill_route(struct flow_offload *flow,
> >  		memcpy(flow_tuple->out.h_source, route->tuple[dir].out.h_source,
> >  		       ETH_ALEN);
> >  		flow_tuple->out.ifidx = route->tuple[dir].out.ifindex;
> > +		flow_tuple->out.hw_ifidx = route->tuple[dir].out.hw_ifindex;
> >  		dst_release(dst);
> >  		break;
> >  	case FLOW_OFFLOAD_XMIT_XFRM:
> > diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c
> > index 002ec15d988b..7c46baa1546d 100644
> > --- a/net/netfilter/nf_flow_table_offload.c
> > +++ b/net/netfilter/nf_flow_table_offload.c
> > @@ -596,7 +596,7 @@ static int flow_offload_redirect(struct net *net,
> >  	switch (this_tuple->xmit_type) {
> >  	case FLOW_OFFLOAD_XMIT_DIRECT:
> >  		this_tuple = &flow->tuplehash[dir].tuple;
> > -		ifindex = this_tuple->out.ifidx;
> > +		ifindex = this_tuple->out.hw_ifidx;
> >  		break;
> >  	case FLOW_OFFLOAD_XMIT_NEIGH:
> >  		other_tuple = &flow->tuplehash[!dir].tuple;
> > diff --git a/net/netfilter/nf_flow_table_path.c b/net/netfilter/nf_flow_table_path.c
> > index 9e88ea6a2eef..10f38ca27a6f 100644
> > --- a/net/netfilter/nf_flow_table_path.c
> > +++ b/net/netfilter/nf_flow_table_path.c
> > @@ -5,6 +5,7 @@
> >  #include <linux/etherdevice.h>
> >  #include <linux/netlink.h>
> >  #include <linux/netfilter.h>
> > +#include <linux/netdevice.h>
> >  #include <linux/spinlock.h>
> >  #include <linux/netfilter/nf_conntrack_common.h>
> >  #include <linux/netfilter/nf_tables.h>
> > @@ -76,6 +77,7 @@ static int nft_dev_fill_forward_path(const struct nf_flow_route *route,
> >  struct nft_forward_info {
> >  	const struct net_device *indev;
> >  	const struct net_device *outdev;
> > +	const struct net_device *hw_outdev;
> >  	struct id {
> >  		__u16	id;
> >  		__be16	proto;
> > @@ -179,6 +181,7 @@ static void nft_dev_path_info(const struct net_device_path_stack *stack,
> >  		}
> >  	}
> >  	info->outdev = info->indev;
> > +	info->hw_outdev = info->indev;
> >  
> >  	if (nf_flowtable_hw_offload(flowtable) &&
> >  	    nft_is_valid_ether_device(info->indev))
> > @@ -250,6 +253,7 @@ static void nft_dev_forward_path(const struct nft_pktinfo *pkt,
> >  	struct net_device_path_stack stack;
> >  	struct nft_forward_info info = {};
> >  	unsigned char ha[ETH_ALEN];
> > +	struct net_device *lag_slave = NULL;
> >  	int i;
> >  
> >  	if (nft_dev_fill_forward_path(route, dst, ct, dir, ha, &stack) >= 0)
> > @@ -258,9 +262,34 @@ static void nft_dev_forward_path(const struct nft_pktinfo *pkt,
> >  	if (info.outdev)
> >  		route->tuple[dir].out.ifindex = info.outdev->ifindex;
> >  
> > -	if (!info.indev || !nft_flowtable_find_dev(info.indev, ft))
> > +	if (!info.indev)
> >  		return;
> >  
> > +	if (info.xmit_type == FLOW_OFFLOAD_XMIT_DIRECT &&
> > +	    netif_is_lag_master(info.hw_outdev)) {
> > +		rcu_read_lock();
> > +		lag_slave = netdev_get_xmit_slave((struct net_device *)info.hw_outdev,
> > +						  pkt->skb, false);
> > +		if (lag_slave)
> > +			dev_hold(lag_slave);
> > +		rcu_read_unlock();
> > +
> > +		if (!lag_slave)
> > +			return;
> > +
> > +		if (!nft_is_valid_ether_device(lag_slave)) {
> > +			dev_put(lag_slave);
> > +			return;
> > +		}
> > +
> > +		info.hw_outdev = lag_slave;
> > +	}
> > +
> > +	if (!nft_flowtable_find_dev(info.hw_outdev, ft)) {
> > +		dev_put(lag_slave);
> > +		return;
> > +	}
> > +
> >  	route->tuple[!dir].in.ifindex = info.indev->ifindex;
> >  	for (i = 0; i < info.num_encaps; i++) {
> >  		route->tuple[!dir].in.encap[i].id = info.encap[i].id;
> > @@ -281,9 +310,12 @@ static void nft_dev_forward_path(const struct nft_pktinfo *pkt,
> >  	if (info.xmit_type == FLOW_OFFLOAD_XMIT_DIRECT) {
> >  		memcpy(route->tuple[dir].out.h_source, info.h_source, ETH_ALEN);
> >  		memcpy(route->tuple[dir].out.h_dest, info.h_dest, ETH_ALEN);
> > +		route->tuple[dir].out.hw_ifindex = info.hw_outdev->ifindex;
> >  		route->tuple[dir].xmit_type = info.xmit_type;
> >  	}
> >  	route->tuple[dir].out.needs_gso_segment = info.needs_gso_segment;
> > +
> > +	dev_put(lag_slave);
> >  }
> >  
> >  int nft_flow_route(const struct nft_pktinfo *pkt, const struct nf_conn *ct,
>