[PATCH 0/5] netfilter: nf_flow_table_path: L2 bridge offload
Daniel Pawlik
pawlik.dan at gmail.com
Mon Jun 29 05:32:48 PDT 2026
This series adds L2 bridge offload support to nft_flow_offload, allowing
bridged IPv4/IPv6 flows to be accelerated by the flowtable fast path
without requiring L3 routing.
Background
----------
Hardware flow offload engines (e.g. MediaTek PPE) can accelerate bridged
traffic but require that nft_flow_offload detect and handle bridged flows
differently from routed ones: no routing table lookup, MAC addresses from
the Ethernet header, and VLAN context pre-populated from the bridge port.
Patches
-------
1/5 net: export __dev_fill_forward_path
Refactors dev_fill_forward_path() to expose __dev_fill_forward_path()
which accepts a caller-supplied net_device_path_ctx, needed to
pre-populate VLAN state before the forward path walk.
2/5 net: bridge: add flow offload helpers
Adds br_fdb_has_forwarding_entry_rcu(), br_vlan_get_offload_info_rcu()
and br_vlan_is_enabled_rcu() to expose bridge state to nft_flow_offload
without requiring inclusion of net/bridge/br_private.h.
3/5 netfilter: nf_flow_table_path: add L2 bridge offload
Core of the series. Adds nft_flow_offload_is_bridging() detection,
nft_flow_route_bridging() which avoids nf_route() (fails for
bridged-only subnets), MAC/VLAN pre-population for bridged flows,
and a dst leak fix (allocation references in dsts[] were never
released after nft_default_forward_path() transferred ownership).
nft_flow_route() becomes a thin dispatcher.
4/5 netfilter: nf_flow_table_path: handle DEV_PATH_MTK_WDMA in path info
Fixes zero-source-MAC in PPE entries when a bridged flow traverses
MT7996/MT7915 WiFi WDMA hardware.
5/5 netfilter: nf_flow_table_path: add VLAN passthrough support
Records VLAN encap info for passthrough-mode bridge ports so hardware
offload entries include the correct VLAN tag.
Rebase note
-----------
Originally developed against OpenWrt pending-6.18 patches by Ryan Chen
<rchen14b at gmail.com> and Bo-Cun Chen <bc-bocun.chen at mediatek.com>.
Rebased to current upstream: path discovery infrastructure moved to
nf_flow_table_path.c in commit 93d7a7ed0734 ("netfilter: flowtable: move
path discovery infrastructure to its own file"), so all netfilter changes
now land in that file rather than nft_flow_offload.c.
How to enable bridge offload
-----------------------------
1. Load kmod-br-netfilter so that bridged IP traffic traverses the
netfilter forward chain.
2. Enable netfilter hooks on the bridge:
echo 1 > /sys/class/net/<br>/bridge/nf_call_iptables
echo 1 > /sys/class/net/<br>/bridge/nf_call_ip6tables
3. Register bridge member interfaces in the nft flowtable:
table inet filter {
flowtable f {
hook ingress priority filter
devices = { eth0, wlan0 }
}
chain forward {
type filter hook forward priority filter
meta l4proto { tcp, udp } flow add @f
}
}
Daniel Pawlik (1):
net: bridge: add flow offload helpers
Ryan Chen (4):
net: export __dev_fill_forward_path
netfilter: nf_flow_table_path: add L2 bridge offload
netfilter: nf_flow_table_path: handle DEV_PATH_MTK_WDMA in path info
netfilter: nf_flow_table_path: add VLAN passthrough support
include/linux/if_bridge.h | 23 ++++
include/linux/netdevice.h | 2 +
net/bridge/br_fdb.c | 32 +++++
net/bridge/br_vlan.c | 45 +++++++
net/core/dev.c | 32 +++--
net/netfilter/nf_flow_table_path.c | 201 +++++++++++++++++++++++++++--
6 files changed, 312 insertions(+), 23 deletions(-)
--
2.54.0
More information about the Linux-mediatek
mailing list