On Sat, 11 Apr 2020 at 12:48, Etienne Champetier <champetier.etie...@gmail.com> wrote:
>
> Hello OpenWrt hackers,
>
> I'm playing around with OpenWrt master on a MikroTik RB750Gr3 and
> would like to do hardware accelerated stateful bridge firewalling. My
> end goal is to learn and make PhanTap
> (https://github.com/nccgroup/phantap) work at line rate.
>
> MT7621 supports flow offload, so the high level idea would be to:
> - create a linux bridge with 2 ports (say lan4/lan5)
> - disable normal switch offload (do not forward just based on mac
> dest) and have the packets go through netfilter
> - have netfilter create/install flow offload rules for most
> connections like we do for the routing case.
> - enjoy
>
> My questions are:
> - will the hardware let me do that (any restrictions on the flow
> offload rules or ...) ?
> - is it already possible with OpenWrt master (I was not able to have a
> bridge without offload yet) ?
> - any pointer to ongoing work in that area (while writing this email I
> just found NF_CONNTRACK_BRIDGE)
I spent part of the day randomly patching out some part of the kernel, example:

--- a/drivers/net/dsa/mt7530.c
+++ b/drivers/net/dsa/mt7530.c
@@ -1658,15 +1658,15 @@ static const struct dsa_switch_ops mt753
 .port_enable = mt7530_port_enable,
 .port_disable = mt7530_port_disable,
 .port_stp_state_set = mt7530_stp_state_set,
- .port_bridge_join = mt7530_port_bridge_join,
- .port_bridge_leave = mt7530_port_bridge_leave,
- .port_fdb_add = mt7530_port_fdb_add,
- .port_fdb_del = mt7530_port_fdb_del,
+ //.port_bridge_join = mt7530_port_bridge_join,
+ //.port_bridge_leave = mt7530_port_bridge_leave,
+ //.port_fdb_add = mt7530_port_fdb_add,
+ //.port_fdb_del = mt7530_port_fdb_del,
 .port_fdb_dump = mt7530_port_fdb_dump,
- .port_vlan_filtering = mt7530_port_vlan_filtering,
- .port_vlan_prepare = mt7530_port_vlan_prepare,
- .port_vlan_add = mt7530_port_vlan_add,
- .port_vlan_del = mt7530_port_vlan_del,
+ //.port_vlan_filtering = mt7530_port_vlan_filtering,
+ //.port_vlan_prepare = mt7530_port_vlan_prepare,
+ //.port_vlan_add = mt7530_port_vlan_add,
+ //.port_vlan_del = mt7530_port_vlan_del,
 .port_mirror_add = mt7530_port_mirror_add,
 .port_mirror_del = mt7530_port_mirror_del,
 .phylink_validate = mt7530_phylink_validate,

I was only able to break unicast traffic :(
L2 broadcast works fine but I don't see unicast responses if the dst MAC is not the one of the switch.
As a first step I just want all traffic of lanX to go to the software bridge, but no luck so far.

>
> Thanks
> Etienne

_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
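Review bot: detaching .port_bridge_join/.port_bridge_leave and .port_fdb_add/.port_fdb_del in this hunk does not change what the switch has already been programmed to do; it only stops the DSA core from telling the driver about bridge membership and FDB changes, so the forwarding state that port_enable and any earlier bridge join left in the hardware (the per-port forwarding matrix and the switch's own address learning) stays in effect, which is consistent with unicast still being decided by the switch while broadcast reaches the CPU. If the goal is to push every frame of a port up to the CPU, the change belongs in what these handlers program rather than in removing them, and the .port_vlan_* removals do not contribute to that goal at all. As a style point, disabled lines should be deleted rather than left behind `//`, and dropping the references turns mt7530_port_bridge_join and the other now-unreferenced static functions into unused-function warnings at build time.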
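As an added illustration of the software half of the plan in the quoted message (a Linux bridge over two ports, with stateful filtering done by netfilter), and not code from this thread or from OpenWrt: the script below builds the bridge, loads the bridge conntrack support that NF_CONNTRACK_BRIDGE provides, and installs an nftables ruleset in the bridge family that admits new connections from one side only and replies from the other. It assumes a kernel built with NF_CONNTRACK_BRIDGE, an nft binary with bridge-family ct support, and ports named lan4/lan5 as in the question; the bridge and table names are my own. It says nothing about hardware offload, which the thread leaves open: with this ruleset every forwarded frame is inspected in software.

```shell
#!/bin/sh
# Added example, not from the thread: stateful bridge firewall in software.
# Assumes a kernel with NF_CONNTRACK_BRIDGE, nftables with bridge-family ct
# support, and the port names from the question. Hardware offload is not
# addressed here.
set -e

BRIDGE="${BRIDGE:-br-tap}"   # assumed bridge name
INSIDE="${INSIDE:-lan4}"     # side allowed to open new connections
OUTSIDE="${OUTSIDE:-lan5}"   # side that may only answer existing ones
TABLE="tapfw"                # assumed nftables table name

# Emit the ruleset as text so it can be reviewed, or dry-run with
# `nft -c -f`, before anything touches the running kernel.
gen_ruleset() {
    cat <<EOF
table bridge $TABLE {
    chain forward {
        type filter hook forward priority 0; policy drop;
        # conntrack runs on bridged frames once nf_conntrack_bridge is loaded
        ct state invalid drop
        ct state established,related accept
        iifname "$INSIDE" ct state new accept
        counter drop
    }
}
EOF
}

# Parse-only check of the generated ruleset; needs nft but not root.
check_ruleset() {
    gen_ruleset | nft -c -f -
}

# Create the bridge, enslave both ports and load the ruleset (root).
apply() {
    modprobe nf_conntrack_bridge
    ip link add name "$BRIDGE" type bridge
    ip link set "$INSIDE" master "$BRIDGE"
    ip link set "$OUTSIDE" master "$BRIDGE"
    ip link set "$INSIDE" up
    ip link set "$OUTSIDE" up
    ip link set "$BRIDGE" up
    # Replace any previous copy of the table atomically.
    nft delete table bridge "$TABLE" 2>/dev/null || true
    gen_ruleset | nft -f -
}

# Only act on the system when explicitly asked: `sh script.sh apply`.
if [ "${1:-}" = "apply" ]; then
    apply
fi
```

Run it with `apply` as the only argument once the port names match the board; run `check_ruleset` first on any host that has nft to confirm the ruleset parses. Because the rules are attached to the bridge forward hook, a frame that the switch forwards in hardware never reaches them, which is exactly why the question about disabling switch offload matters.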