[oweals/openwrt.git] / package / network / utils / nftables / patches / 205-doc-nft-document-flowtable.patch
1 From: Pablo Neira Ayuso <pablo@netfilter.org>
2 Date: Tue, 23 Jan 2018 12:58:30 +0100
3 Subject: [PATCH] doc: nft: document flowtable
4
5 Document the new flowtable objects available since Linux kernel 4.16-rc.
6
7 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
8 ---
9
10 --- a/doc/nft.xml
11 +++ b/doc/nft.xml
12 @@ -1166,6 +1166,91 @@ filter input iif $int_ifs accept
13         </refsect1>
14  
15         <refsect1>
16 +               <title>Flowtables</title>
17 +               <para>
18 +                       <cmdsynopsis>
19 +                               <group choice="req">
20 +                                       <arg>add</arg>
21 +                                       <arg>create</arg>
22 +                               </group>
23 +                               <command>flowtable</command>
24 +                               <arg choice="opt"><replaceable>family</replaceable></arg>
25 +                               <arg choice="plain"><replaceable>table</replaceable></arg>
26 +                               <arg choice="plain"><replaceable>flowtable</replaceable></arg>
27 +                               <arg choice="req">
28 +                                       hook <replaceable>hook</replaceable>
29 +                                       priority <replaceable>priority</replaceable> ;
30 +                                       devices = { <replaceable>device</replaceable>[,...] } ;
31 +                               </arg>
32 +                       </cmdsynopsis>
33 +                       <cmdsynopsis>
34 +                               <group choice="req">
35 +                                       <arg>delete</arg>
36 +                                       <arg>list</arg>
37 +                               </group>
38 +                               <command>flowtable</command>
39 +                               <arg choice="opt"><replaceable>family</replaceable></arg>
40 +                               <replaceable>table</replaceable>
41 +                               <replaceable>flowtable</replaceable>
42 +                       </cmdsynopsis>
43 +               </para>
44 +
45 +               <para>
46 +                       Flowtables allow you to accelerate packet forwarding in software.
47 +                       Flowtables entries are represented through a tuple that is composed of the
48 +                       input interface, source and destination address, source and destination
49 +                       port; and layer 3/4 protocols. Each entry also caches the destination
50 +                       interface and the gateway address - to update the destination link-layer
51 +                       address - to forward packets. The ttl and hoplimit fields are also
52 +                       decremented. Hence, flowtables provides an alternative path that allow
53 +                       packets to bypass the classic forwarding path. Flowtables reside in the
54 +                       ingress hook, that is located before the prerouting hook. You can select
55 +                       what flows you want to offload through the <literal>flow offload</literal>
56 +                       expression from the <literal>forward</literal> chain. Flowtables are
57 +                       identified by their address family and their name. The address family
58 +                       must be one of
59 +
60 +                       <simplelist type="inline">
61 +                               <member><literal>ip</literal></member>
62 +                               <member><literal>ip6</literal></member>
63 +                               <member><literal>inet</literal></member>
64 +                       </simplelist>.
65 +
66 +                       The <literal>inet</literal> address family is a dummy family which is used to create
67 +                       hybrid IPv4/IPv6 tables.
68 +
69 +                       When no address family is specified, <literal>ip</literal> is used by default.
70 +               </para>
71 +
72 +               <variablelist>
73 +                       <varlistentry>
74 +                               <term><option>add</option></term>
75 +                               <listitem>
76 +                                       <para>
77 +                                               Add a new flowtable for the given family with the given name.
78 +                                       </para>
79 +                               </listitem>
80 +                       </varlistentry>
81 +                       <varlistentry>
82 +                               <term><option>delete</option></term>
83 +                               <listitem>
84 +                                       <para>
85 +                                               Delete the specified flowtable.
86 +                                       </para>
87 +                               </listitem>
88 +                       </varlistentry>
89 +                       <varlistentry>
90 +                               <term><option>list</option></term>
91 +                               <listitem>
92 +                                       <para>
93 +                                               List all flowtables.
94 +                                       </para>
95 +                               </listitem>
96 +                       </varlistentry>
97 +               </variablelist>
98 +       </refsect1>
99 +
100 +       <refsect1>
101                 <title>Stateful objects</title>
102                 <para>
103                         <cmdsynopsis>
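Review bot: the variablelist that closes the new Flowtables section does not match the two synopses above it. `create` is offered in the first synopsis but has no entry, and the `list` entry reads "List all flowtables." although the synopsis shows delete/list taking a table and a flowtable name. Add a `create` entry and reword `list` to match the synopsis, or mark the name as optional there if that is what is meant. The required `hook`, `priority` and `devices` arguments are never described either; the prose says flowtables reside in the ingress hook, so say which hook values are accepted. The paragraph also states that offloaded packets bypass the classic forwarding path but not what that means for rules in the forward chain once a flow has been offloaded; one sentence on that would help readers who filter there. Wording nits in the same paragraph: "Flowtables entries", "flowtables provides an alternative path that allow", and the semicolon in "port; and layer 3/4 protocols".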
104 @@ -4923,6 +5008,24 @@ add rule nat prerouting tcp dport 22 red
105                                 </example>
106                         </para>
107                 </refsect2>
108 +
109 +               <refsect2>
110 +                       <title>Flow offload statement</title>
111 +                       <para>
112 +                               A flow offload statement allows us to select what flows
113 +                               you want to accelerate forwarding through layer 3 network
114 +                               stack bypass. You have to specify the flowtable name where
115 +                               you want to offload this flow.
116 +                       </para>
117 +                       <para>
118 +                               <cmdsynopsis>
119 +                                       <command>flow offload</command>
120 +                                       <literal>@flowtable</literal>
121 +                               </cmdsynopsis>
122 +                       </para>
123 +
124 +               </refsect2>
125 +
126                 <refsect2>
127                         <title>Queue statement</title>
128                         <para>
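Review bot: in the flow offload synopsis the flowtable name is marked up as `<literal>@flowtable</literal>`, which reads as fixed text. The Flowtables section added by this same patch uses `<replaceable>flowtable</replaceable>` for that name, so `@<replaceable>flowtable</replaceable>` would be consistent. The description also switches person mid-sentence ("allows us to select what flows you want to accelerate"); pick one. The preceding section closes with an `</example>` while this one has none; a short example showing the statement in a forward chain rule, together with the flowtable it refers to, would let the section stand on its own. There is a stray blank line before `</refsect2>` as well.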