nftables flowtable support#9458
Open
caseydavenport wants to merge 3 commits intoprojectcalico:masterfrom
Open
Conversation
marvin-tigera
added
release-note-required
caseydavenport
force-pushed
the
casey-flowtables
branch
from
b633dff to
bc2e9ac
Compare
|
This PR is stale because it has been open for 60 days with no activity. |
|
This PR is stale because it has been open for 60 days with no activity. |
caseydavenport
force-pushed
the
casey-flowtables
branch
from
bc2e9ac to
5a94ed0
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
Proof-of-concept implementation to explore nftables flowtable offload in Felix, aiming to speed up established connections by offloading them from parts of the Linux networking stack.
Changes:
- Add a new generic
FlowOffload()action and nftables fragment rendering forflow offload @<flowtable>. - Add prototype wiring to update an nftables flowtable’s device list from the dataplane.
- Prototype nftables VMAP-based workload dispatch chain rendering.
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 10 comments.
Show a summary per file
| File | Description |
|---|---|
felix/rules/static.go |
Adds a FORWARD-chain rule intended to offload established flows to a flowtable (nftables-only). |
felix/rules/dispatch.go |
Switches workload dispatch chain rendering toward an nftables VMAP approach (prototype). |
felix/nftables/table.go |
Introduces an interface/device handler to program a knftables.Flowtable based on interface updates. |
felix/nftables/actions.go |
Implements nftables FlowOffloadAction rendering (flow offload @...). |
felix/iptables/actions.go |
Adds an iptables FlowOffload() stub implementation to satisfy the action factory interface. |
felix/generictables/actions.go |
Extends ActionFactory with FlowOffload(table string). |
felix/dataplane/linux/int_dataplane.go |
Wires an InterfaceHandler from the nftables root table into the endpoint manager. |
felix/dataplane/linux/endpoint_mgr.go |
Updates nftables dispatch maps and (prototype) pushes an interface list into the flowtable handler. |
caseydavenport
changed the title
- Fix compile errors: r.NFTables -> r.nft, add missing test parameter - Revert WorkloadDispatchChains to use existing vmap dispatch (correct map names, works for both iptables and nftables) - Replace hardcoded interface names with dynamic overlay device detection from encapsulation config (VXLAN, IPIP, WireGuard) and workload interface tracking from endpoint manager - Move flowtable programming into Apply() transaction instead of running a separate transaction with log.Fatal on failure - Scope flowtable offload rule to only Calico-accepted traffic by checking the accept mark bit, and move it to the forward append rules - Remove unused chainExists method Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
caseydavenport
force-pushed
the
casey-flowtables
branch
from
4aeb569 to
05294ab
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
This is a proof-of-concept PR for implementing nftables flowtable support in Calico. flowtables allow bypassing of large parts of the Linux networking stack for established connections, which should theoretically substantially improve the performance especially for longer lived connections.
Some key things to consider here:
Related issues/PRs
Kube-proxy implementation: kubernetes/kubernetes#128392
Todos
Release Note
Reminder for the reviewer
Make sure that this PR has the correct labels and milestone set.
Every PR needs one
docs-*label.docs-pr-required: This change requires a change to the documentation that has not been completed yet.docs-completed: This change has all necessary documentation completed.docs-not-required: This change has no user-facing impact and requires no docs.Every PR needs one
release-note-*label.release-note-required: This PR has user-facing changes. Most PRs should have this label.release-note-not-required: This PR has no user-facing changes.Other optional labels:
cherry-pick-candidate: This PR should be cherry-picked to an earlier release. For bug fixes only.needs-operator-pr: This PR is related to install and requires a corresponding change to the operator.