Andrew
In its maximal case soft offload puts slightly modified packets in front of qdisc-s; there is a chance a non-offloaded packet stays behind too long.
You can spread load to all cores to make lockup less likely, or get into driver programming and turn the watchdog fail into a non-fatal log record.
Exactly that
```
!!!!
Sun Jul 16 20:31:12 2023 kern.debug kernel: [328426.487591] dev_watchdog+0x330/0x33c
Sun Jul 16 20:31:12 2023 kern.debug kernel: [328426.491326] call_timer_fn.constprop.0+0x20/0x80
```
The watchdog at, say, 10kHz tracks qdisc-ed, i.e. not offloaded, packets reaching the wire while offload pushes packets into the netcard queue (ethtool -g/-G), preempting that from happening. That queue is...
@jow- diff is identical to #20, share if any (non-revolutionary) changes can improve it. Diff visualisation misses logic change: old: filter.forward if offload add flow dispatch states new: filter.forward...
Dropping invalid packets over localhost would be swapping iif lo and ct state in output along with removing iif != in new prerouting. I don't feel either way, so I maintained...
@jow- this alters semantics for improved safety discarding invalid (out of state and bad checksum) packets before nat alg helpers.
@jow- made it vmap, netfilter's own examples now have vmaps everywhere....
- drop invalid early
- change comments (not meant to obfuscate change)
- use whole output lines in place...
@jow- hi, got nice pro feedback at https://forum.openwrt.org/t/first-rule-in-chain-input-output-for-firewall4/204723 and implemented best parts, 1 cosmetic 2 improves NAT performance by dozen hairs
Also discovered that this adds easy flowtable exception via /e/n.d/ for more fifo-ish behaviour (still to dig up test case)