Document the new flowtable objects available since Linux kernel 4.16-rc.
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
doc/nft.xml | 103 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 103 insertions(+)
diff --git a/doc/nft.xml b/doc/nft.xml
index 9e979af3c280..1b901c17b5a0 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -1160,6 +1160,91 @@ filter input iif $int_ifs accept
</refsect1>
<refsect1>
+ <title>Flowtables</title>
+ <para>
+ <cmdsynopsis>
+ <group choice="req">
+ <arg>add</arg>
+ <arg>create</arg>
+ </group>
+ <command>flowtable</command>
+ <arg choice="opt"><replaceable>family</replaceable></arg>
+ <arg choice="plain"><replaceable>table</replaceable></arg>
+ <arg choice="plain"><replaceable>flowtable</replaceable></arg>
+ <arg choice="req">
+ hook <replaceable>hook</replaceable>
+ priority <replaceable>priority</replaceable> ;
+ devices = { <replaceable>device</replaceable>[,...] } ;
+ </arg>
+ </cmdsynopsis>
+ <cmdsynopsis>
+ <group choice="req">
+ <arg>delete</arg>
+ <arg>list</arg>
+ </group>
+ <command>flowtable</command>
+ <arg choice="opt"><replaceable>family</replaceable></arg>
+ <replaceable>table</replaceable>
+ <replaceable>flowtable</replaceable>
+ </cmdsynopsis>
+ </para>
+
+ <para>
+ Flowtables allow you to accelerate packet forwarding in software.
+ Flowtables entries are represented through a tuple that is composed of the
+ input interface, source and destination address, source and destination
+ port; and layer 3/4 protocols. Each entry also caches the destination
+ interface and the gateway address - to update the destination link-layer
+ address - to forward packets. The ttl and hoplimit fields are also
+ decremented. Hence, flowtables provides an alternative path that allow
+ packets to bypass the classic forwarding path. Flowtables reside in the
+ ingress hook, that is located before the prerouting hook. You can select
+ what flows you want to offload through the <literal>flow offload</literal>
+ expression from the <literal>forward</literal> chain. Flowtables are
+ identified by their address family and their name. The address family
+ must be one of
+
+ <simplelist type="inline">
+ <member><literal>ip</literal></member>
+ <member><literal>ip6</literal></member>
+ <member><literal>inet</literal></member>
+ </simplelist>.
+
+ The <literal>inet</literal> address family is a dummy family which is used to create
+ hybrid IPv4/IPv6 tables.
+
+ When no address family is specified, <literal>ip</literal> is used by default.
+ </para>
+
+ <variablelist>
+ <varlistentry>
+ <term><option>add</option></term>
+ <listitem>
+ <para>
+ Add a new flowtable for the given family with the given name.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><option>delete</option></term>
+ <listitem>
+ <para>
+ Delete the specified flowtable.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><option>list</option></term>
+ <listitem>
+ <para>
+ List all flowtables.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
<title>Stateful objects</title>
<para>
<cmdsynopsis>
@@ -4917,6 +5002,24 @@ add rule nat prerouting tcp dport 22 redirect to :2222
</example>
</para>
</refsect2>
+
+ <refsect2>
+ <title>Flow offload statement</title>
+ <para>
+ A flow offload statement allows us to select what flows
+ you want to accelerate forwarding through layer 3 network
+ stack bypass. You have to specify the flowtable name where
+ you want to offload this flow.
+ </para>
+ <para>
+ <cmdsynopsis>
+ <command>flow offload</command>
+ <literal>@flowtable</literal>
+ </cmdsynopsis>
+ </para>
+
+ </refsect2>
+
<refsect2>
<title>Queue statement</title>
<para>
--
2.11.0
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
