From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Tue, 23 Jan 2018 12:58:30 +0100
Subject: [PATCH] doc: nft: document flowtable

Document the new flowtable objects available since Linux kernel 4.16-rc.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 @@ -1166,6 +1166,91 @@ filter input iif $int_ifs accept
16 + <title>Flowtables</title>
19 + <group choice="req">
23 + <command>flowtable</command>
24 + <arg choice="opt"><replaceable>family</replaceable></arg>
25 + <arg choice="plain"><replaceable>table</replaceable></arg>
26 + <arg choice="plain"><replaceable>flowtable</replaceable></arg>
28 + hook <replaceable>hook</replaceable>
29 + priority <replaceable>priority</replaceable> ;
30 + devices = { <replaceable>device</replaceable>[,...] } ;
34 + <group choice="req">
38 + <command>flowtable</command>
39 + <arg choice="opt"><replaceable>family</replaceable></arg>
40 + <replaceable>table</replaceable>
41 + <replaceable>flowtable</replaceable>
46 + Flowtables allow you to accelerate packet forwarding in software.
47 + Flowtables entries are represented through a tuple that is composed of the
48 + input interface, source and destination address, source and destination
49 + port; and layer 3/4 protocols. Each entry also caches the destination
50 + interface and the gateway address - to update the destination link-layer
51 + address - to forward packets. The ttl and hoplimit fields are also
52 + decremented. Hence, flowtables provides an alternative path that allow
53 + packets to bypass the classic forwarding path. Flowtables reside in the
54 + ingress hook, that is located before the prerouting hook. You can select
55 + what flows you want to offload through the <literal>flow offload</literal>
56 + expression from the <literal>forward</literal> chain. Flowtables are
57 + identified by their address family and their name. The address family
60 + <simplelist type="inline">
61 + <member><literal>ip</literal></member>
62 + <member><literal>ip6</literal></member>
63 + <member><literal>inet</literal></member>
66 + The <literal>inet</literal> address family is a dummy family which is used to create
67 + hybrid IPv4/IPv6 tables.
69 + When no address family is specified, <literal>ip</literal> is used by default.
74 + <term><option>add</option></term>
77 + Add a new flowtable for the given family with the given name.
82 + <term><option>delete</option></term>
85 + Delete the specified flowtable.
90 + <term><option>list</option></term>
93 + List all flowtables.
101 <title>Stateful objects</title>
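Review bot: The description paragraph states that flowtables give packets "an alternative path" that lets them "bypass the classic forwarding path", but it does not spell out the consequence for a ruleset: once a flow is offloaded from the ingress hook, its later packets are no longer evaluated by the rules in the forward chain. Please add a sentence saying so, since readers who filter or account in forward need to know which packets those rules stop seeing. In the same hunk the synopsis takes "hook <replaceable>hook</replaceable>" and "priority <replaceable>priority</replaceable>", yet the text never says which hook values are accepted (ingress is only mentioned in passing) or what the priority is ordered against; a short note on both would help. Minor wording: "Flowtables entries" should read "Flowtable entries", and "flowtables provides an alternative path that allow" should read "flowtables provide an alternative path that allows".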
104 @@ -4923,6 +5008,24 @@ add rule nat prerouting tcp dport 22 red
110 + <title>Flow offload statement</title>
112 + A flow offload statement allows us to select what flows
113 + you want to accelerate forwarding through layer 3 network
114 + stack bypass. You have to specify the flowtable name where
115 + you want to offload this flow.
119 + <command>flow offload</command>
120 + <literal>@flowtable</literal>
127 <title>Queue statement</title>
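Review bot: The "Flow offload statement" paragraph has no usage example and does not say where the statement may be used, although the Flowtables section added earlier says flows are selected "from the <literal>forward</literal> chain". Please repeat that restriction here and add a short example that declares a flowtable and references it with "flow offload @flowtable" from a forward chain rule, in the same style as the example the preceding section ends with. The first sentence also switches person ("allows us to select what flows you want to accelerate"); something like "selects the flows whose forwarding you want to accelerate through layer 3 network stack bypass" reads more cleanly.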