xref: /linux/Documentation/networking/nf_flowtable.rst

4 Netfilter's flowtable infrastructure
7 This documentation describes the Netfilter flowtable infrastructure which allows
8 you to define a fastpath through the flowtable datapath. This infrastructure
9 also provides hardware offload support. The flowtable supports for the layer 3
17 flowtable through your ruleset. The flowtable infrastructure provides a rule
18 action that allows you to specify when to add a flow to the flowtable.
20 A packet that finds a matching entry in the flowtable (ie. flowtable hit) is
24 there is no matching entry in the flowtable (ie. flowtable miss), the packet
27 The flowtable uses a resizable hashtable. Lookups are based on the following
32 The 'flow add' action allows you to populate the flowtable, the user selectively
33 specifies what flows are placed into the flowtable. Hence, packets follow the
37 The flowtable datapath is represented in Fig.1, which describes the classic IP
38 forwarding path including the Netfilter hooks and the flowtable fastpath bypass.
56    flowtable  |                     ____\/___            |                |
62     |_____|   |                     flowtable                             |
70 	       Fig.1 Netfilter hooks and flowtable interactions
72 The flowtable entry also stores the NAT configuration, so all packets are
76 transport header is missing, in this case, flowtable lookups are not possible.
84 Enabling the flowtable bypass is relatively easy, you only need to create a
85 flowtable and add one rule to your forward chain::
88 		flowtable f {
98 This example adds the flowtable 'f' to the ingress hook of the eth0 and eth1
100 perform resource partitioning. The flowtable priority defines the order in which
102 nftables ingress chain (make sure the flowtable priority is smaller than the
103 nftables ingress chain hence the flowtable runs before in the pipeline).
106 flowtable for the TCP syn-ack packet coming in the reply direction. Once the
123 Since Linux kernel 5.13, the flowtable infrastructure discovers the real
124 netdevice behind VLAN and PPPoE netdevices. The flowtable software datapath
126 VLAN ID / PPPoE session ID which are used for the flowtable lookups. The
127 flowtable datapath also deals with layer 2 decapsulation.
129 You do not need to add the PPPoE and the VLAN devices to your flowtable,
130 instead the real device is sufficient for the flowtable to track your flows.
135 Since Linux kernel 5.13, you can add bridge ports to the flowtable. The
136 flowtable infrastructure discovers the topology behind the bridge device. This
137 allows the flowtable to define a fastpath bypass between the bridge ports
157 The flowtable infrastructure also supports for bridge VLAN filtering actions
161 If you would like that your flowtable defines a fastpath between your bridge
163 represented by the real netdevice) to your flowtable definition.
168 The flowtable can synchronize packet and byte counters with the existing
169 connection tracking entry by specifying the counter statement in your flowtable
175 		flowtable f {
187 means of the 'offload' flag in your flowtable definition, e.g.
192 		flowtable f {
199 packets might still run over the flowtable software path until the workqueue has
205 which refers to the software flowtable fastpath and [HW_OFFLOAD] which refers
208 The flowtable hardware offload infrastructure also supports for the DSA
214 The flowtable behaves like a cache. The flowtable entries might get stale if
220 - You run the flowtable in software mode and you combine bridge and IP

Last Index update Sat Jun 03 09:59:21 CST 2023