129 lines
3.8 KiB
Diff
129 lines
3.8 KiB
Diff
|
From: Pablo Neira Ayuso <pablo@netfilter.org>
|
||
|
Date: Tue, 23 Jan 2018 12:58:30 +0100
|
||
|
Subject: [PATCH] doc: nft: document flowtable
|
||
|
|
||
|
Document the new flowtable objects available since Linux kernel 4.16-rc.
|
||
|
|
||
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||
|
---
|
||
|
|
||
|
--- a/doc/nft.xml
|
||
|
+++ b/doc/nft.xml
|
||
|
@@ -1166,6 +1166,91 @@ filter input iif $int_ifs accept
|
||
|
</refsect1>
|
||
|
|
||
|
<refsect1>
|
||
|
+ <title>Flowtables</title>
|
||
|
+ <para>
|
||
|
+ <cmdsynopsis>
|
||
|
+ <group choice="req">
|
||
|
+ <arg>add</arg>
|
||
|
+ <arg>create</arg>
|
||
|
+ </group>
|
||
|
+ <command>flowtable</command>
|
||
|
+ <arg choice="opt"><replaceable>family</replaceable></arg>
|
||
|
+ <arg choice="plain"><replaceable>table</replaceable></arg>
|
||
|
+ <arg choice="plain"><replaceable>flowtable</replaceable></arg>
|
||
|
+ <arg choice="req">
|
||
|
+ hook <replaceable>hook</replaceable>
|
||
|
+ priority <replaceable>priority</replaceable> ;
|
||
|
+ devices = { <replaceable>device</replaceable>[,...] } ;
|
||
|
+ </arg>
|
||
|
+ </cmdsynopsis>
|
||
|
+ <cmdsynopsis>
|
||
|
+ <group choice="req">
|
||
|
+ <arg>delete</arg>
|
||
|
+ <arg>list</arg>
|
||
|
+ </group>
|
||
|
+ <command>flowtable</command>
|
||
|
+ <arg choice="opt"><replaceable>family</replaceable></arg>
|
||
|
+ <replaceable>table</replaceable>
|
||
|
+ <replaceable>flowtable</replaceable>
|
||
|
+ </cmdsynopsis>
|
||
|
+ </para>
|
||
|
+
|
||
|
+ <para>
|
||
|
+ Flowtables allow you to accelerate packet forwarding in software.
|
||
|
+ Flowtables entries are represented through a tuple that is composed of the
|
||
|
+ input interface, source and destination address, source and destination
|
||
|
+ port; and layer 3/4 protocols. Each entry also caches the destination
|
||
|
+ interface and the gateway address - to update the destination link-layer
|
||
|
+ address - to forward packets. The ttl and hoplimit fields are also
|
||
|
+ decremented. Hence, flowtables provides an alternative path that allow
|
||
|
+ packets to bypass the classic forwarding path. Flowtables reside in the
|
||
|
+ ingress hook, that is located before the prerouting hook. You can select
|
||
|
+ what flows you want to offload through the <literal>flow offload</literal>
|
||
|
+ expression from the <literal>forward</literal> chain. Flowtables are
|
||
|
+ identified by their address family and their name. The address family
|
||
|
+ must be one of
|
||
|
+
|
||
|
+ <simplelist type="inline">
|
||
|
+ <member><literal>ip</literal></member>
|
||
|
+ <member><literal>ip6</literal></member>
|
||
|
+ <member><literal>inet</literal></member>
|
||
|
+ </simplelist>.
|
||
|
+
|
||
|
+ The <literal>inet</literal> address family is a dummy family which is used to create
|
||
|
+ hybrid IPv4/IPv6 tables.
|
||
|
+
|
||
|
+ When no address family is specified, <literal>ip</literal> is used by default.
|
||
|
+ </para>
|
||
|
+
|
||
|
+ <variablelist>
|
||
|
+ <varlistentry>
|
||
|
+ <term><option>add</option></term>
|
||
|
+ <listitem>
|
||
|
+ <para>
|
||
|
+ Add a new flowtable for the given family with the given name.
|
||
|
+ </para>
|
||
|
+ </listitem>
|
||
|
+ </varlistentry>
|
||
|
+ <varlistentry>
|
||
|
+ <term><option>delete</option></term>
|
||
|
+ <listitem>
|
||
|
+ <para>
|
||
|
+ Delete the specified flowtable.
|
||
|
+ </para>
|
||
|
+ </listitem>
|
||
|
+ </varlistentry>
|
||
|
+ <varlistentry>
|
||
|
+ <term><option>list</option></term>
|
||
|
+ <listitem>
|
||
|
+ <para>
|
||
|
+ List all flowtables.
|
||
|
+ </para>
|
||
|
+ </listitem>
|
||
|
+ </varlistentry>
|
||
|
+ </variablelist>
|
||
|
+ </refsect1>
|
||
|
+
|
||
|
+ <refsect1>
|
||
|
<title>Stateful objects</title>
|
||
|
<para>
|
||
|
<cmdsynopsis>
|
||
|
@@ -4923,6 +5008,24 @@ add rule nat prerouting tcp dport 22 red
|
||
|
</example>
|
||
|
</para>
|
||
|
</refsect2>
|
||
|
+
|
||
|
+ <refsect2>
|
||
|
+ <title>Flow offload statement</title>
|
||
|
+ <para>
|
||
|
+ A flow offload statement allows us to select what flows
|
||
|
+ you want to accelerate forwarding through layer 3 network
|
||
|
+ stack bypass. You have to specify the flowtable name where
|
||
|
+ you want to offload this flow.
|
||
|
+ </para>
|
||
|
+ <para>
|
||
|
+ <cmdsynopsis>
|
||
|
+ <command>flow offload</command>
|
||
|
+ <literal>@flowtable</literal>
|
||
|
+ </cmdsynopsis>
|
||
|
+ </para>
|
||
|
+
|
||
|
+ </refsect2>
|
||
|
+
|
||
|
<refsect2>
|
||
|
<title>Queue statement</title>
|
||
|
<para>
|