T4502: documentation for flow offload
vfreex committed Sep 14, 2023
1 parent 9688bca commit 226212e
Showing 2 changed files with 68 additions and 10 deletions.
68 changes: 61 additions & 7 deletions docs/configuration/firewall/general.rst
Expand Up @@ -130,6 +130,50 @@ Some firewall settings are global and have an affect on the whole system.

* ``net.ipv4.icmp_echo_ignore_broadcasts``

.. cfgcmd:: set firewall global-options flow-offload disable

This setting disables flow offload even though software or hardware flow offload is enabled on interfaces.

.. cfgcmd:: set firewall global-options flow-offload software interface <interface-name>

This setting enables software flow offload on the specified interface.

By default, without flow offload, packets take through the kernel network stack when being forwarded (aka the slowpath).
If software flow offload is enabled on both of the input and output interfaces,
once the first packet of a flow (packets belonging to a TCP or UDP connection) successfully
goes through the slowpath, from the second packet on, the flow will be offloaded in software
through the Netfilter flowtable infrastructure in the kernel.
This makes packets of that flow bypass most of the steps of the classic forwarding path,
which thereby accelerates packet forwarding.

Interfaces are required for both traffic directions. After a flow is offloaded,
packets from the reply direction are accepted and offloaded as well.

If a virtual interface, such as bridge, vlan, or pppoe internace, is enabled,
all flows going through that underlying physical interface will be offloaded as well.

Note that enabling flow offload also enables the Netfilter connection tracking (conntrack) subsystem.
You can use :cfgcmd:`set system conntrack flow-accounting` to count packets and bytes for each offloaded flow.


.. cfgcmd:: set firewall global-options flow-offload hardware interface <interface-name>

This setting enables hardware flow offload on the specified interface.
You can only enable interfaces with hardware offload support.

By default, without flow offload, packets take through the kernel network stack when being forwarded (aka the slowpath).
If hardware flow offload is enabled on both of the input and output interfaces,
once the first packet of a flow (packets belonging to a TCP or UDP connection) successfully
goes through the slowpath, from the second packet on, the flow will be offloaded in hardware.
This makes packets of that flow bypass most of the steps of the classic forwarding path,
which thereby accelerates packet forwarding.

Interfaces are required for both traffic directions. After a flow is offloaded,
packets from the reply direction are accepted and offloaded as well.

Note that enabling flow offload also enables the Netfilter connection tracking (conntrack) subsystem.
You can use :cfgcmd:`set system conntrack flow-accounting` to count packets and bytes for each offloaded flow.

.. cfgcmd:: set firewall global-options ip-src-route [enable | disable]
.. cfgcmd:: set firewall global-options ipv6-src-route [enable | disable]

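Review bot: the description of what offloading skips is too vague for a firewall document. The added text says offloaded packets "bypass most of the steps of the classic forwarding path"; a reader writing firewall rules needs to know which steps, in particular whether the ipv4/ipv6 forward filter rules documented later on this page still see the packets of a flow once it has been offloaded, and what happens to flows that are already offloaded when the rule set changes. Please state that explicitly, and since the three explanatory paragraphs under the software and hardware entries are identical apart from the word "software"/"hardware", factor them into one shared paragraph instead of duplicating them. Smaller points in the same hunk: "packets take through the kernel network stack" should read "packets go through the kernel network stack"; "both of the input and output interfaces" should be "both the input and output interfaces"; "pppoe internace" is a typo for "pppoe interface"; the sentence "If a virtual interface, such as bridge, vlan, or pppoe internace, is enabled, all flows going through that underlying physical interface will be offloaded as well" should say whether offload is being enabled on the virtual interface or on the physical one; and the hardware entry says "You can only enable interfaces with hardware offload support" without saying what happens on commit when the interface lacks it. Several added lines are also far longer than the surrounding file (the "By default, without flow offload, ..." line runs to about 123 columns); rewrap them to match.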
Expand Down Expand Up @@ -381,7 +425,7 @@ The action can be :

Also, **default-action** is an action that takes place whenever a packet does
not match any rule in it's chain. For base chains, possible options for
**default-action** are **accept** or **drop**.
**default-action** are **accept** or **drop**.

.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter default-action
[accept | drop]
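Review bot: the only change in this hunk is invisible in the rendered view (the line "**default-action** are **accept** or **drop**." appears unchanged), so it is presumably a trailing-whitespace fix; while touching this paragraph, "not match any rule in it's chain" should read "not match any rule in its chain".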
Expand Down Expand Up @@ -415,7 +459,7 @@ Firewall Logs
=============

Logging can be enable for every single firewall rule. If enabled, other
log options can be defined.
log options can be defined.

.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> log
[disable | enable]
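Review bot: same invisible whitespace-only change on "log options can be defined."; the context line "Logging can be enable for every single firewall rule" should read "Logging can be enabled for every firewall rule".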
Expand Down Expand Up @@ -627,7 +671,7 @@ There are a lot of matching criteria against which the package can be tested.
portion of systems IPv6 address is static (for example, with SLAAC or
`tokenised IPv6 addresses
<https://datatracker.ietf.org/doc/id/draft-chown-6man-tokenised-ipv6-identifiers-02.txt>`_)

This functions for both individual addresses and address groups.

.. code-block:: none
Expand Down Expand Up @@ -1277,7 +1321,7 @@ Rule-set overview

.. code-block:: none
vyos@vyos:~$ show firewall
vyos@vyos:~$ show firewall
Rulesets Information
---------------------------------
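Review bot: this hunk and the three that follow each change only a "vyos@vyos:~$ show firewall ..." line whose old and new versions render identically, i.e. whitespace-only cleanups inside code-block examples. They are unrelated to the flow-offload documentation; consider splitting them into a separate cleanup commit so the T4502 change stays easy to review, or at least mention the whitespace cleanup in the commit message.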
Expand Down Expand Up @@ -1340,7 +1384,7 @@ Rule-set overview

.. code-block:: none
vyos@vyos:~$ show firewall summary
vyos@vyos:~$ show firewall summary
Ruleset Summary
IPv6 Ruleset:
Expand Down Expand Up @@ -1398,7 +1442,7 @@ Rule-set overview

.. code-block:: none
vyos@vyos:~$ show firewall ipv4 input filter
vyos@vyos:~$ show firewall ipv4 input filter
Ruleset Information
---------------------------------
Expand All @@ -1425,7 +1469,7 @@ Rule-set overview

.. code-block:: none
vyos@vyos:~$ show firewall group LAN
vyos@vyos:~$ show firewall group LAN
Firewall Groups
Name Type References Members
Expand Down Expand Up @@ -1498,6 +1542,16 @@ Example Partial Config
}
}
Example flow offload config
===========================

The following commands enable software flow offload on interfaces `eth0` and `eth1`:

.. code-block:: none
set firewall global-options flow-offload software interface eth0
set firewall global-options flow-offload software interface eth1
Update geoip database
=====================

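Review bot: the example should tie back to the rule stated in the first hunk that interfaces are required for both traffic directions: say that eth0 and eth1 are the interfaces the forwarded traffic enters and leaves through, so a flow is only offloaded once both are configured. It would also help to show "set system conntrack flow-accounting" alongside the two interface commands, since the new text points readers to it for per-flow packet and byte counters, and to note that enabling flow offload turns on conntrack. The hardware variant and "flow-offload disable" get no example at all; one line each would make the section complete.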
10 changes: 7 additions & 3 deletions docs/configuration/system/conntrack.rst
Expand Up @@ -25,6 +25,10 @@ Configure
“connection tracking helper” modules such as FTP.
The default size of the expect table is 2048 entries.

.. cfgcmd:: set system conntrack flow-accounting

Enable connection tracking flow accounting.

.. cfgcmd:: set system conntrack hash-size <1-50000000>
:defaultvalue:

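Review bot: the new entry "Enable connection tracking flow accounting." is too thin to act on. general.rst in this same commit says the option counts packets and bytes for each offloaded flow; repeat that here, say whether the counters cover all conntrack entries or only offloaded flows, and point the reader to the operational command that displays them.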
Expand Down Expand Up @@ -118,12 +122,12 @@ create a rule defining the packet and flow selector.
<port name> Named port (any name in /etc/services, e.g., http)
<1-65535> Numbered port
<start>-<end> Numbered port range (e.g., 1001-1005)
Multiple destination ports can be specified as a comma-separated list.
The whole list can also be "negated" using '!'. For example:
`!22,telnet,http,123,1001-1005``



.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol icmp <1-21474836>
.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol other <1-21474836>
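Review bot: the inline literal on the changed line "`!22,telnet,http,123,1001-1005``" is unbalanced, opening with one backtick and closing with two, so it will not render as intended; use "``!22,telnet,http,123,1001-1005``".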
Expand Down Expand Up @@ -184,4 +188,4 @@ create a rule defining the packet and flow selector.
.. cfgcmd:: set system conntrack log udp new
.. cfgcmd:: set system conntrack log udp update

Log the connection tracking events per protocol.
Log the connection tracking events per protocol.
