Bug 204507

Summary: Flow offload does not work
Product: Networking Reporter: mike-n
Component: Netfilter/IptablesAssignee: networking_netfilter-iptables (networking_netfilter-iptables)
Status: NEW ---    
Severity: normal CC: nucleo, oldium.pro, pablo
Priority: P1    
Hardware: All   
OS: Linux   
URL: https://forum.openwrt.org/t/flow-offloading-1-is-broken-on-latest-snapshot-4-19-issue/
Kernel Version: 4.19 Subsystem:
Regression: Yes Bisected commit-id:
Attachments: patch for xt_OFFLOAD

Description mike-n 2019-08-05 18:48:35 UTC 
When using linux on my Archer C7 v2, the flow control doesn't work. I'm using OpenWRT, and after discussion on their forums I decided to file a bug here.

Here's the discussion at the openwrt forums: https://forum.openwrt.org/t/flow-offloading-1-is-broken-on-latest-snapshot-4-19-issue/

In short, with 4.19 kernel flow offload doesn't work, and it seems it's caused by this patch: https://lkml.org/lkml/2019/2/12/1545

As one of the forum members mentioned:
> simple swap of ft->iifidx with ft->oifidx and vice versa restores flow
> offload to a working state
Comment 1 mike-n 2019-08-05 18:49:23 UTC 
It seems to be a regression by the way, cause it works with 4.14, which I am on now.
Comment 2 Pablo Neira Ayuso 2019-08-06 13:30:54 UTC 
Created attachment 284217 [details]
patch for xt_OFFLOAD

Could you apply this patch to target_linux_generic_hack-4.19_650-netfilter-add-xt_OFFLOAD-target.patch ?

patch -p0 target_linux_generic_hack-4.19_650-netfilter-add-xt_OFFLOAD-target.patch < x.patch
Comment 3 mike-n 2019-08-06 13:41:38 UTC 
On it
Comment 4 mike-n 2019-08-07 02:14:48 UTC 
With this patch, when flow offload is enabled TCP completely stops working. Websites do not open. I was able to connect to router itself though, and disable flow offload  - after which websites loaded (google chrome).

Nothing unusual in dmesg.

https://github.com/MOZGIII/archer-c7-v2-builder/tree/linux-4.19-offload-patch - I used this to build the image.
And here are built files of the image: https://github.com/MOZGIII/archer-c7-v2-builds/tree/manual-4.19-2019-08-07-1

Any ideas?
Comment 5 Pablo Neira Ayuso 2019-08-08 09:50:38 UTC 
Is your iptables rule added to PREROUTING? If so, did you try from the FORWARD chain?
Comment 6 Pablo Neira Ayuso 2019-08-08 11:47:27 UTC 
meanwhile, could you also point me to the URI that contains the iptables patch to add libxt_FLOWOFFLOAD for userspace that I can download from the openwrt website?

That would allow me to test my patches here. Thanks.
Comment 7 mike-n 2019-08-08 13:11:18 UTC 
I think this is the one: https://git.openwrt.org/?p=openwrt/openwrt.git;a=blob;f=package/network/utils/iptables/patches/800-flowoffload_target.patch;h=2f79ee835a6fd5e17fa93339ab946030ab100015;hb=HEAD

I have very little understanding of the inner workings of openwrt so far, but it looks like what you're looking for.