include/net/netfilter/nf_flow_table.h | 1 + net/netfilter/nf_flow_table_core.c | 1 + net/netfilter/nf_flow_table_offload.c | 2 +- net/netfilter/nf_flow_table_path.c | 34 ++++++++++++++++++++++++++- 4 files changed, 36 insertions(+), 2 deletions(-)
FLOW_OFFLOAD_XMIT_DIRECT path discovery can stop at a LAG master because
the real egress port is selected later through ndo_get_xmit_slave().
Hardware flow offload drivers that program per-port redirects need the
selected lower device, while software forwarding must still transmit
through the LAG master.
Keep the route tuple software egress ifindex on the LAG master and carry
a separate hardware redirect ifindex. When the direct egress device is a
LAG master, resolve the selected slave with netdev_get_xmit_slave(),
verify that it belongs to the flowtable, and store it as the hardware
redirect device.
Signed-off-by: Jihong Min <hurryman2212@gmail.com>
---
include/net/netfilter/nf_flow_table.h | 1 +
net/netfilter/nf_flow_table_core.c | 1 +
net/netfilter/nf_flow_table_offload.c | 2 +-
net/netfilter/nf_flow_table_path.c | 34 ++++++++++++++++++++++++++-
4 files changed, 36 insertions(+), 2 deletions(-)
diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h
index 7b23b245a5a8..ada9db7e5c38 100644
--- a/include/net/netfilter/nf_flow_table.h
+++ b/include/net/netfilter/nf_flow_table.h
@@ -163,6 +163,7 @@ struct flow_offload_tuple {
};
struct {
u32 ifidx;
+ u32 hw_ifidx;
u8 h_source[ETH_ALEN];
u8 h_dest[ETH_ALEN];
} out;
diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c
index 785d8c244a77..bc329420f882 100644
--- a/net/netfilter/nf_flow_table_core.c
+++ b/net/netfilter/nf_flow_table_core.c
@@ -132,6 +132,7 @@ static int flow_offload_fill_route(struct flow_offload *flow,
memcpy(flow_tuple->out.h_source, route->tuple[dir].out.h_source,
ETH_ALEN);
flow_tuple->out.ifidx = route->tuple[dir].out.ifindex;
+ flow_tuple->out.hw_ifidx = route->tuple[dir].out.hw_ifindex;
dst_release(dst);
break;
case FLOW_OFFLOAD_XMIT_XFRM:
diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c
index 002ec15d988b..7c46baa1546d 100644
--- a/net/netfilter/nf_flow_table_offload.c
+++ b/net/netfilter/nf_flow_table_offload.c
@@ -596,7 +596,7 @@ static int flow_offload_redirect(struct net *net,
switch (this_tuple->xmit_type) {
case FLOW_OFFLOAD_XMIT_DIRECT:
this_tuple = &flow->tuplehash[dir].tuple;
- ifindex = this_tuple->out.ifidx;
+ ifindex = this_tuple->out.hw_ifidx;
break;
case FLOW_OFFLOAD_XMIT_NEIGH:
other_tuple = &flow->tuplehash[!dir].tuple;
diff --git a/net/netfilter/nf_flow_table_path.c b/net/netfilter/nf_flow_table_path.c
index 9e88ea6a2eef..10f38ca27a6f 100644
--- a/net/netfilter/nf_flow_table_path.c
+++ b/net/netfilter/nf_flow_table_path.c
@@ -5,6 +5,7 @@
#include <linux/etherdevice.h>
#include <linux/netlink.h>
#include <linux/netfilter.h>
+#include <linux/netdevice.h>
#include <linux/spinlock.h>
#include <linux/netfilter/nf_conntrack_common.h>
#include <linux/netfilter/nf_tables.h>
@@ -76,6 +77,7 @@ static int nft_dev_fill_forward_path(const struct nf_flow_route *route,
struct nft_forward_info {
const struct net_device *indev;
const struct net_device *outdev;
+ const struct net_device *hw_outdev;
struct id {
__u16 id;
__be16 proto;
@@ -179,6 +181,7 @@ static void nft_dev_path_info(const struct net_device_path_stack *stack,
}
}
info->outdev = info->indev;
+ info->hw_outdev = info->indev;
if (nf_flowtable_hw_offload(flowtable) &&
nft_is_valid_ether_device(info->indev))
@@ -250,6 +253,7 @@ static void nft_dev_forward_path(const struct nft_pktinfo *pkt,
struct net_device_path_stack stack;
struct nft_forward_info info = {};
unsigned char ha[ETH_ALEN];
+ struct net_device *lag_slave = NULL;
int i;
if (nft_dev_fill_forward_path(route, dst, ct, dir, ha, &stack) >= 0)
@@ -258,9 +262,34 @@ static void nft_dev_forward_path(const struct nft_pktinfo *pkt,
if (info.outdev)
route->tuple[dir].out.ifindex = info.outdev->ifindex;
- if (!info.indev || !nft_flowtable_find_dev(info.indev, ft))
+ if (!info.indev)
return;
+ if (info.xmit_type == FLOW_OFFLOAD_XMIT_DIRECT &&
+ netif_is_lag_master(info.hw_outdev)) {
+ rcu_read_lock();
+ lag_slave = netdev_get_xmit_slave((struct net_device *)info.hw_outdev,
+ pkt->skb, false);
+ if (lag_slave)
+ dev_hold(lag_slave);
+ rcu_read_unlock();
+
+ if (!lag_slave)
+ return;
+
+ if (!nft_is_valid_ether_device(lag_slave)) {
+ dev_put(lag_slave);
+ return;
+ }
+
+ info.hw_outdev = lag_slave;
+ }
+
+ if (!nft_flowtable_find_dev(info.hw_outdev, ft)) {
+ dev_put(lag_slave);
+ return;
+ }
+
route->tuple[!dir].in.ifindex = info.indev->ifindex;
for (i = 0; i < info.num_encaps; i++) {
route->tuple[!dir].in.encap[i].id = info.encap[i].id;
@@ -281,9 +310,12 @@ static void nft_dev_forward_path(const struct nft_pktinfo *pkt,
if (info.xmit_type == FLOW_OFFLOAD_XMIT_DIRECT) {
memcpy(route->tuple[dir].out.h_source, info.h_source, ETH_ALEN);
memcpy(route->tuple[dir].out.h_dest, info.h_dest, ETH_ALEN);
+ route->tuple[dir].out.hw_ifindex = info.hw_outdev->ifindex;
route->tuple[dir].xmit_type = info.xmit_type;
}
route->tuple[dir].out.needs_gso_segment = info.needs_gso_segment;
+
+ dev_put(lag_slave);
}
int nft_flow_route(const struct nft_pktinfo *pkt, const struct nf_conn *ct,Sorry for the noise.
While preparing the git-send-email command, I noticed that the subject
prefix was not set correctly. This should have been sent with the
nf-next prefix.
I also noticed that the Assisted-by trailer was missing. Most of the
patch was written by me, but I did get help from GPT-5.5 for some of
the RCU and lifetime details, so the patch should have included:
Assisted-by: Codex:gpt-5.5
Also, this change was tested on a Lumen W1700K2 with a Linux 6.18
OpenWrt-based image, where it enabled flow offload in a bonding setup.
I have also applied the same diff on top of nf-next and completed a
compile test there. I checked that the relevant infrastructure for
bonding flow offload support is identical between the tested tree and
nf-next.
I will be more careful in the next submission and will correct this
there.
Best regards,
Jihong
On 5/26/26 01:24, Jihong Min wrote:
> FLOW_OFFLOAD_XMIT_DIRECT path discovery can stop at a LAG master because
> the real egress port is selected later through ndo_get_xmit_slave().
> Hardware flow offload drivers that program per-port redirects need the
> selected lower device, while software forwarding must still transmit
> through the LAG master.
>
> Keep the route tuple software egress ifindex on the LAG master and carry
> a separate hardware redirect ifindex. When the direct egress device is a
> LAG master, resolve the selected slave with netdev_get_xmit_slave(),
> verify that it belongs to the flowtable, and store it as the hardware
> redirect device.
>
> Signed-off-by: Jihong Min <hurryman2212@gmail.com>
> ---
> include/net/netfilter/nf_flow_table.h | 1 +
> net/netfilter/nf_flow_table_core.c | 1 +
> net/netfilter/nf_flow_table_offload.c | 2 +-
> net/netfilter/nf_flow_table_path.c | 34 ++++++++++++++++++++++++++-
> 4 files changed, 36 insertions(+), 2 deletions(-)
>
> diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h
> index 7b23b245a5a8..ada9db7e5c38 100644
> --- a/include/net/netfilter/nf_flow_table.h
> +++ b/include/net/netfilter/nf_flow_table.h
> @@ -163,6 +163,7 @@ struct flow_offload_tuple {
> };
> struct {
> u32 ifidx;
> + u32 hw_ifidx;
> u8 h_source[ETH_ALEN];
> u8 h_dest[ETH_ALEN];
> } out;
> diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c
> index 785d8c244a77..bc329420f882 100644
> --- a/net/netfilter/nf_flow_table_core.c
> +++ b/net/netfilter/nf_flow_table_core.c
> @@ -132,6 +132,7 @@ static int flow_offload_fill_route(struct flow_offload *flow,
> memcpy(flow_tuple->out.h_source, route->tuple[dir].out.h_source,
> ETH_ALEN);
> flow_tuple->out.ifidx = route->tuple[dir].out.ifindex;
> + flow_tuple->out.hw_ifidx = route->tuple[dir].out.hw_ifindex;
> dst_release(dst);
> break;
> case FLOW_OFFLOAD_XMIT_XFRM:
> diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c
> index 002ec15d988b..7c46baa1546d 100644
> --- a/net/netfilter/nf_flow_table_offload.c
> +++ b/net/netfilter/nf_flow_table_offload.c
> @@ -596,7 +596,7 @@ static int flow_offload_redirect(struct net *net,
> switch (this_tuple->xmit_type) {
> case FLOW_OFFLOAD_XMIT_DIRECT:
> this_tuple = &flow->tuplehash[dir].tuple;
> - ifindex = this_tuple->out.ifidx;
> + ifindex = this_tuple->out.hw_ifidx;
> break;
> case FLOW_OFFLOAD_XMIT_NEIGH:
> other_tuple = &flow->tuplehash[!dir].tuple;
> diff --git a/net/netfilter/nf_flow_table_path.c b/net/netfilter/nf_flow_table_path.c
> index 9e88ea6a2eef..10f38ca27a6f 100644
> --- a/net/netfilter/nf_flow_table_path.c
> +++ b/net/netfilter/nf_flow_table_path.c
> @@ -5,6 +5,7 @@
> #include <linux/etherdevice.h>
> #include <linux/netlink.h>
> #include <linux/netfilter.h>
> +#include <linux/netdevice.h>
> #include <linux/spinlock.h>
> #include <linux/netfilter/nf_conntrack_common.h>
> #include <linux/netfilter/nf_tables.h>
> @@ -76,6 +77,7 @@ static int nft_dev_fill_forward_path(const struct nf_flow_route *route,
> struct nft_forward_info {
> const struct net_device *indev;
> const struct net_device *outdev;
> + const struct net_device *hw_outdev;
> struct id {
> __u16 id;
> __be16 proto;
> @@ -179,6 +181,7 @@ static void nft_dev_path_info(const struct net_device_path_stack *stack,
> }
> }
> info->outdev = info->indev;
> + info->hw_outdev = info->indev;
>
> if (nf_flowtable_hw_offload(flowtable) &&
> nft_is_valid_ether_device(info->indev))
> @@ -250,6 +253,7 @@ static void nft_dev_forward_path(const struct nft_pktinfo *pkt,
> struct net_device_path_stack stack;
> struct nft_forward_info info = {};
> unsigned char ha[ETH_ALEN];
> + struct net_device *lag_slave = NULL;
> int i;
>
> if (nft_dev_fill_forward_path(route, dst, ct, dir, ha, &stack) >= 0)
> @@ -258,9 +262,34 @@ static void nft_dev_forward_path(const struct nft_pktinfo *pkt,
> if (info.outdev)
> route->tuple[dir].out.ifindex = info.outdev->ifindex;
>
> - if (!info.indev || !nft_flowtable_find_dev(info.indev, ft))
> + if (!info.indev)
> return;
>
> + if (info.xmit_type == FLOW_OFFLOAD_XMIT_DIRECT &&
> + netif_is_lag_master(info.hw_outdev)) {
> + rcu_read_lock();
> + lag_slave = netdev_get_xmit_slave((struct net_device *)info.hw_outdev,
> + pkt->skb, false);
> + if (lag_slave)
> + dev_hold(lag_slave);
> + rcu_read_unlock();
> +
> + if (!lag_slave)
> + return;
> +
> + if (!nft_is_valid_ether_device(lag_slave)) {
> + dev_put(lag_slave);
> + return;
> + }
> +
> + info.hw_outdev = lag_slave;
> + }
> +
> + if (!nft_flowtable_find_dev(info.hw_outdev, ft)) {
> + dev_put(lag_slave);
> + return;
> + }
> +
> route->tuple[!dir].in.ifindex = info.indev->ifindex;
> for (i = 0; i < info.num_encaps; i++) {
> route->tuple[!dir].in.encap[i].id = info.encap[i].id;
> @@ -281,9 +310,12 @@ static void nft_dev_forward_path(const struct nft_pktinfo *pkt,
> if (info.xmit_type == FLOW_OFFLOAD_XMIT_DIRECT) {
> memcpy(route->tuple[dir].out.h_source, info.h_source, ETH_ALEN);
> memcpy(route->tuple[dir].out.h_dest, info.h_dest, ETH_ALEN);
> + route->tuple[dir].out.hw_ifindex = info.hw_outdev->ifindex;
> route->tuple[dir].xmit_type = info.xmit_type;
> }
> route->tuple[dir].out.needs_gso_segment = info.needs_gso_segment;
> +
> + dev_put(lag_slave);
> }
>
> int nft_flow_route(const struct nft_pktinfo *pkt, const struct nf_conn *ct,
On Tue, May 26, 2026 at 01:33:09AM +0900, Jihong Min wrote:
> Sorry for the noise.
>
> While preparing the git-send-email command, I noticed that the subject
> prefix was not set correctly. This should have been sent with the
> nf-next prefix.
>
> I also noticed that the Assisted-by trailer was missing. Most of the
> patch was written by me, but I did get help from GPT-5.5 for some of
> the RCU and lifetime details, so the patch should have included:
>
> Assisted-by: Codex:gpt-5.5
>
> Also, this change was tested on a Lumen W1700K2 with a Linux 6.18
> OpenWrt-based image, where it enabled flow offload in a bonding setup.
> I have also applied the same diff on top of nf-next and completed a
> compile test there. I checked that the relevant infrastructure for
> bonding flow offload support is identical between the tested tree and
> nf-next.
Can you make this work with fill_forward_path in the bonding device?
> I will be more careful in the next submission and will correct this
> there.
>
> Best regards,
> Jihong
>
> On 5/26/26 01:24, Jihong Min wrote:
> > FLOW_OFFLOAD_XMIT_DIRECT path discovery can stop at a LAG master because
> > the real egress port is selected later through ndo_get_xmit_slave().
> > Hardware flow offload drivers that program per-port redirects need the
> > selected lower device, while software forwarding must still transmit
> > through the LAG master.
> >
> > Keep the route tuple software egress ifindex on the LAG master and carry
> > a separate hardware redirect ifindex. When the direct egress device is a
> > LAG master, resolve the selected slave with netdev_get_xmit_slave(),
> > verify that it belongs to the flowtable, and store it as the hardware
> > redirect device.
> >
> > Signed-off-by: Jihong Min <hurryman2212@gmail.com>
> > ---
> > include/net/netfilter/nf_flow_table.h | 1 +
> > net/netfilter/nf_flow_table_core.c | 1 +
> > net/netfilter/nf_flow_table_offload.c | 2 +-
> > net/netfilter/nf_flow_table_path.c | 34 ++++++++++++++++++++++++++-
> > 4 files changed, 36 insertions(+), 2 deletions(-)
> >
> > diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h
> > index 7b23b245a5a8..ada9db7e5c38 100644
> > --- a/include/net/netfilter/nf_flow_table.h
> > +++ b/include/net/netfilter/nf_flow_table.h
> > @@ -163,6 +163,7 @@ struct flow_offload_tuple {
> > };
> > struct {
> > u32 ifidx;
> > + u32 hw_ifidx;
> > u8 h_source[ETH_ALEN];
> > u8 h_dest[ETH_ALEN];
> > } out;
> > diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c
> > index 785d8c244a77..bc329420f882 100644
> > --- a/net/netfilter/nf_flow_table_core.c
> > +++ b/net/netfilter/nf_flow_table_core.c
> > @@ -132,6 +132,7 @@ static int flow_offload_fill_route(struct flow_offload *flow,
> > memcpy(flow_tuple->out.h_source, route->tuple[dir].out.h_source,
> > ETH_ALEN);
> > flow_tuple->out.ifidx = route->tuple[dir].out.ifindex;
> > + flow_tuple->out.hw_ifidx = route->tuple[dir].out.hw_ifindex;
> > dst_release(dst);
> > break;
> > case FLOW_OFFLOAD_XMIT_XFRM:
> > diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c
> > index 002ec15d988b..7c46baa1546d 100644
> > --- a/net/netfilter/nf_flow_table_offload.c
> > +++ b/net/netfilter/nf_flow_table_offload.c
> > @@ -596,7 +596,7 @@ static int flow_offload_redirect(struct net *net,
> > switch (this_tuple->xmit_type) {
> > case FLOW_OFFLOAD_XMIT_DIRECT:
> > this_tuple = &flow->tuplehash[dir].tuple;
> > - ifindex = this_tuple->out.ifidx;
> > + ifindex = this_tuple->out.hw_ifidx;
> > break;
> > case FLOW_OFFLOAD_XMIT_NEIGH:
> > other_tuple = &flow->tuplehash[!dir].tuple;
> > diff --git a/net/netfilter/nf_flow_table_path.c b/net/netfilter/nf_flow_table_path.c
> > index 9e88ea6a2eef..10f38ca27a6f 100644
> > --- a/net/netfilter/nf_flow_table_path.c
> > +++ b/net/netfilter/nf_flow_table_path.c
> > @@ -5,6 +5,7 @@
> > #include <linux/etherdevice.h>
> > #include <linux/netlink.h>
> > #include <linux/netfilter.h>
> > +#include <linux/netdevice.h>
> > #include <linux/spinlock.h>
> > #include <linux/netfilter/nf_conntrack_common.h>
> > #include <linux/netfilter/nf_tables.h>
> > @@ -76,6 +77,7 @@ static int nft_dev_fill_forward_path(const struct nf_flow_route *route,
> > struct nft_forward_info {
> > const struct net_device *indev;
> > const struct net_device *outdev;
> > + const struct net_device *hw_outdev;
> > struct id {
> > __u16 id;
> > __be16 proto;
> > @@ -179,6 +181,7 @@ static void nft_dev_path_info(const struct net_device_path_stack *stack,
> > }
> > }
> > info->outdev = info->indev;
> > + info->hw_outdev = info->indev;
> >
> > if (nf_flowtable_hw_offload(flowtable) &&
> > nft_is_valid_ether_device(info->indev))
> > @@ -250,6 +253,7 @@ static void nft_dev_forward_path(const struct nft_pktinfo *pkt,
> > struct net_device_path_stack stack;
> > struct nft_forward_info info = {};
> > unsigned char ha[ETH_ALEN];
> > + struct net_device *lag_slave = NULL;
> > int i;
> >
> > if (nft_dev_fill_forward_path(route, dst, ct, dir, ha, &stack) >= 0)
> > @@ -258,9 +262,34 @@ static void nft_dev_forward_path(const struct nft_pktinfo *pkt,
> > if (info.outdev)
> > route->tuple[dir].out.ifindex = info.outdev->ifindex;
> >
> > - if (!info.indev || !nft_flowtable_find_dev(info.indev, ft))
> > + if (!info.indev)
> > return;
> >
> > + if (info.xmit_type == FLOW_OFFLOAD_XMIT_DIRECT &&
> > + netif_is_lag_master(info.hw_outdev)) {
> > + rcu_read_lock();
> > + lag_slave = netdev_get_xmit_slave((struct net_device *)info.hw_outdev,
> > + pkt->skb, false);
> > + if (lag_slave)
> > + dev_hold(lag_slave);
> > + rcu_read_unlock();
> > +
> > + if (!lag_slave)
> > + return;
> > +
> > + if (!nft_is_valid_ether_device(lag_slave)) {
> > + dev_put(lag_slave);
> > + return;
> > + }
> > +
> > + info.hw_outdev = lag_slave;
> > + }
> > +
> > + if (!nft_flowtable_find_dev(info.hw_outdev, ft)) {
> > + dev_put(lag_slave);
> > + return;
> > + }
> > +
> > route->tuple[!dir].in.ifindex = info.indev->ifindex;
> > for (i = 0; i < info.num_encaps; i++) {
> > route->tuple[!dir].in.encap[i].id = info.encap[i].id;
> > @@ -281,9 +310,12 @@ static void nft_dev_forward_path(const struct nft_pktinfo *pkt,
> > if (info.xmit_type == FLOW_OFFLOAD_XMIT_DIRECT) {
> > memcpy(route->tuple[dir].out.h_source, info.h_source, ETH_ALEN);
> > memcpy(route->tuple[dir].out.h_dest, info.h_dest, ETH_ALEN);
> > + route->tuple[dir].out.hw_ifindex = info.hw_outdev->ifindex;
> > route->tuple[dir].xmit_type = info.xmit_type;
> > }
> > route->tuple[dir].out.needs_gso_segment = info.needs_gso_segment;
> > +
> > + dev_put(lag_slave);
> > }
> >
> > int nft_flow_route(const struct nft_pktinfo *pkt, const struct nf_conn *ct,
>
On 5/26/26 02:25, Pablo Neira Ayuso wrote:
> On Tue, May 26, 2026 at 01:33:09AM +0900, Jihong Min wrote:
>> Sorry for the noise.
>>
>> While preparing the git-send-email command, I noticed that the subject
>> prefix was not set correctly. This should have been sent with the
>> nf-next prefix.
>>
>> I also noticed that the Assisted-by trailer was missing. Most of the
>> patch was written by me, but I did get help from GPT-5.5 for some of
>> the RCU and lifetime details, so the patch should have included:
>>
>> Assisted-by: Codex:gpt-5.5
>>
>> Also, this change was tested on a Lumen W1700K2 with a Linux 6.18
>> OpenWrt-based image, where it enabled flow offload in a bonding setup.
>> I have also applied the same diff on top of nf-next and completed a
>> compile test there. I checked that the relevant infrastructure for
>> bonding flow offload support is identical between the tested tree and
>> nf-next.
>
> Can you make this work with fill_forward_path in the bonding device?
>
Hi Pablo,
Sure, I will do that.
The scope became a bit wider than I initially expected, since this now
needs the generic forward path extension, bonding support, and the
netfilter flowtable change to fit together cleanly.
I will send the next submission against net-next, with netdev as the
main target list.
Sincerely,
Jihong Min
>> I will be more careful in the next submission and will correct this
>> there.
>>
>> Best regards,
>> Jihong
>>
>> On 5/26/26 01:24, Jihong Min wrote:
>>> FLOW_OFFLOAD_XMIT_DIRECT path discovery can stop at a LAG master because
>>> the real egress port is selected later through ndo_get_xmit_slave().
>>> Hardware flow offload drivers that program per-port redirects need the
>>> selected lower device, while software forwarding must still transmit
>>> through the LAG master.
>>>
>>> Keep the route tuple software egress ifindex on the LAG master and carry
>>> a separate hardware redirect ifindex. When the direct egress device is a
>>> LAG master, resolve the selected slave with netdev_get_xmit_slave(),
>>> verify that it belongs to the flowtable, and store it as the hardware
>>> redirect device.
>>>
>>> Signed-off-by: Jihong Min <hurryman2212@gmail.com>
>>> ---
>>> include/net/netfilter/nf_flow_table.h | 1 +
>>> net/netfilter/nf_flow_table_core.c | 1 +
>>> net/netfilter/nf_flow_table_offload.c | 2 +-
>>> net/netfilter/nf_flow_table_path.c | 34 ++++++++++++++++++++++++++-
>>> 4 files changed, 36 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h
>>> index 7b23b245a5a8..ada9db7e5c38 100644
>>> --- a/include/net/netfilter/nf_flow_table.h
>>> +++ b/include/net/netfilter/nf_flow_table.h
>>> @@ -163,6 +163,7 @@ struct flow_offload_tuple {
>>> };
>>> struct {
>>> u32 ifidx;
>>> + u32 hw_ifidx;
>>> u8 h_source[ETH_ALEN];
>>> u8 h_dest[ETH_ALEN];
>>> } out;
>>> diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c
>>> index 785d8c244a77..bc329420f882 100644
>>> --- a/net/netfilter/nf_flow_table_core.c
>>> +++ b/net/netfilter/nf_flow_table_core.c
>>> @@ -132,6 +132,7 @@ static int flow_offload_fill_route(struct flow_offload *flow,
>>> memcpy(flow_tuple->out.h_source, route->tuple[dir].out.h_source,
>>> ETH_ALEN);
>>> flow_tuple->out.ifidx = route->tuple[dir].out.ifindex;
>>> + flow_tuple->out.hw_ifidx = route->tuple[dir].out.hw_ifindex;
>>> dst_release(dst);
>>> break;
>>> case FLOW_OFFLOAD_XMIT_XFRM:
>>> diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c
>>> index 002ec15d988b..7c46baa1546d 100644
>>> --- a/net/netfilter/nf_flow_table_offload.c
>>> +++ b/net/netfilter/nf_flow_table_offload.c
>>> @@ -596,7 +596,7 @@ static int flow_offload_redirect(struct net *net,
>>> switch (this_tuple->xmit_type) {
>>> case FLOW_OFFLOAD_XMIT_DIRECT:
>>> this_tuple = &flow->tuplehash[dir].tuple;
>>> - ifindex = this_tuple->out.ifidx;
>>> + ifindex = this_tuple->out.hw_ifidx;
>>> break;
>>> case FLOW_OFFLOAD_XMIT_NEIGH:
>>> other_tuple = &flow->tuplehash[!dir].tuple;
>>> diff --git a/net/netfilter/nf_flow_table_path.c b/net/netfilter/nf_flow_table_path.c
>>> index 9e88ea6a2eef..10f38ca27a6f 100644
>>> --- a/net/netfilter/nf_flow_table_path.c
>>> +++ b/net/netfilter/nf_flow_table_path.c
>>> @@ -5,6 +5,7 @@
>>> #include <linux/etherdevice.h>
>>> #include <linux/netlink.h>
>>> #include <linux/netfilter.h>
>>> +#include <linux/netdevice.h>
>>> #include <linux/spinlock.h>
>>> #include <linux/netfilter/nf_conntrack_common.h>
>>> #include <linux/netfilter/nf_tables.h>
>>> @@ -76,6 +77,7 @@ static int nft_dev_fill_forward_path(const struct nf_flow_route *route,
>>> struct nft_forward_info {
>>> const struct net_device *indev;
>>> const struct net_device *outdev;
>>> + const struct net_device *hw_outdev;
>>> struct id {
>>> __u16 id;
>>> __be16 proto;
>>> @@ -179,6 +181,7 @@ static void nft_dev_path_info(const struct net_device_path_stack *stack,
>>> }
>>> }
>>> info->outdev = info->indev;
>>> + info->hw_outdev = info->indev;
>>>
>>> if (nf_flowtable_hw_offload(flowtable) &&
>>> nft_is_valid_ether_device(info->indev))
>>> @@ -250,6 +253,7 @@ static void nft_dev_forward_path(const struct nft_pktinfo *pkt,
>>> struct net_device_path_stack stack;
>>> struct nft_forward_info info = {};
>>> unsigned char ha[ETH_ALEN];
>>> + struct net_device *lag_slave = NULL;
>>> int i;
>>>
>>> if (nft_dev_fill_forward_path(route, dst, ct, dir, ha, &stack) >= 0)
>>> @@ -258,9 +262,34 @@ static void nft_dev_forward_path(const struct nft_pktinfo *pkt,
>>> if (info.outdev)
>>> route->tuple[dir].out.ifindex = info.outdev->ifindex;
>>>
>>> - if (!info.indev || !nft_flowtable_find_dev(info.indev, ft))
>>> + if (!info.indev)
>>> return;
>>>
>>> + if (info.xmit_type == FLOW_OFFLOAD_XMIT_DIRECT &&
>>> + netif_is_lag_master(info.hw_outdev)) {
>>> + rcu_read_lock();
>>> + lag_slave = netdev_get_xmit_slave((struct net_device *)info.hw_outdev,
>>> + pkt->skb, false);
>>> + if (lag_slave)
>>> + dev_hold(lag_slave);
>>> + rcu_read_unlock();
>>> +
>>> + if (!lag_slave)
>>> + return;
>>> +
>>> + if (!nft_is_valid_ether_device(lag_slave)) {
>>> + dev_put(lag_slave);
>>> + return;
>>> + }
>>> +
>>> + info.hw_outdev = lag_slave;
>>> + }
>>> +
>>> + if (!nft_flowtable_find_dev(info.hw_outdev, ft)) {
>>> + dev_put(lag_slave);
>>> + return;
>>> + }
>>> +
>>> route->tuple[!dir].in.ifindex = info.indev->ifindex;
>>> for (i = 0; i < info.num_encaps; i++) {
>>> route->tuple[!dir].in.encap[i].id = info.encap[i].id;
>>> @@ -281,9 +310,12 @@ static void nft_dev_forward_path(const struct nft_pktinfo *pkt,
>>> if (info.xmit_type == FLOW_OFFLOAD_XMIT_DIRECT) {
>>> memcpy(route->tuple[dir].out.h_source, info.h_source, ETH_ALEN);
>>> memcpy(route->tuple[dir].out.h_dest, info.h_dest, ETH_ALEN);
>>> + route->tuple[dir].out.hw_ifindex = info.hw_outdev->ifindex;
>>> route->tuple[dir].xmit_type = info.xmit_type;
>>> }
>>> route->tuple[dir].out.needs_gso_segment = info.needs_gso_segment;
>>> +
>>> + dev_put(lag_slave);
>>> }
>>>
>>> int nft_flow_route(const struct nft_pktinfo *pkt, const struct nf_conn *ct,
>>
© 2016 - 2026 Red Hat, Inc.