Usage
In this section, it is assumed that Virtual Accelerator has been properly installed and configured. See Getting Started for more details.
# modprobe nf_conntrack_netlink
Example
# echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
# ip link set eth1 up
# ip link set eth2 up
# ip ad ad 2.0.0.1/24 dev eth1
# ip ad ad 2.1.0.1/24 dev eth2
# ip route add 100.2.2.1/32 via 2.0.0.5
# ip route add 110.2.2.1/32 via 2.1.0.5
# iptables -A FORWARD -s 100.2.2.1 -j DROP
# iptables -vL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any any 100.2.2.1 anywhere
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Filtering management
Enabling filtering in the fast path
Not enabled by default. It is automatically set to on when Netfilter rules are configured while the cache manager is running.
Synopsis
nf4-set on|off
- on or off
Enable or disable Netfilter.
Example
<fp-0> nf4-set on
IPv4 netfilter is on
Displaying a Netfilter table
Synopsis
nf4-rules filter|mangle|raw|nat [nonzero]
- filter or mangle or raw or nat
Display the filter table, the mangle table, the raw table or the NAT table.
- nonzero
Display only rules with non-zero statistics.
Example
<fp-0> nf4-rules filter
Chain INPUT (policy ACCEPT 0 packets 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any any 100.2.2.1 anywhere
Chain OUTPUT (policy ACCEPT 0 packets 0 bytes)
pkts bytes target prot opt in out source destination
Displaying the hook priority table or hooks in nf_conf
Synopsis
nf4-hook nf_conf|priority
- nf_conf
Display all hooks present in the nf_conf structure.
- priority
Display the hook priority table.
Example
<fp-0> nf4-hook priority
FP_NF_IP_PRE_ROUTING:
raw ct mangle nat
FP_NF_IP_LOCAL_IN:
mangle filter nat
FP_NF_IP_FORWARD:
mangle filter
FP_NF_IP_LOCAL_OUT:
raw ct mangle nat filter
FP_NF_IP_POST_ROUTING:
mangle nat
Enabling or disabling hooks in nf_conf
Synopsis
nf4-hook-set TABLE|all_tables HOOK|all_hooks on|off
- TABLE or all_tables
The table the hook belongs to. all_tables means all hooks in all tables.
- HOOK or all_hooks
The hook to enable or disable. all_hooks means all hooks within the table selected just before.
- on or off
Enable or disable the hook.
Example
<fp-0> nf4-hook-set all_tables all_hooks on
Set filter local_in: on
Set filter forward: on
Set filter local_out: on
Set mangle pre_routing: on
Set mangle local_in: on
Set mangle forward: on
Set mangle local_out: on
Set mangle post_routing: on
Set raw pre_routing: on
Set raw local_out: on
set ct pre_routing: on
set ct local_out: on
Set nat pre_routing: on
Set nat local_in: on
Set nat local_out: on
Set nat post_routing: on
Displaying the Netfilter cache
Display the status of the Netfilter cache in the fast path.
Synopsis
nf4-cache [<num>]
- <num>
Maximum number of cache lines to display.
Example
<fp-0> nf4-cache
nf-cache is on
Max cached rules per entry is 8
9: 110.2.2.1 -> 100.2.2.1 tos 0 frag_flags 0x2 TCP sport 6050 dport 6050 flags A---- vr 0 indev eth2-vr0 outdev eth1-vr0 table 0 hook 2 direct-accept
#1: target STANDARD, verdict: FP_NF_ACCEPT
10: 110.2.2.1 -> 100.2.2.1 tos 0 frag_flags 0x2 TCP sport 6050 dport 6050 flags AP--- vr 0 indev eth2-vr0 outdev eth1-vr0 table 0 hook 2 direct-accept
#1: target STANDARD, verdict: FP_NF_ACCEPT
11: 100.2.2.1 -> 110.2.2.1 tos 0 frag_flags 0x2 TCP sport 6050 dport 6050 flags A---- vr 0 indev eth1-vr0 outdev eth2-vr0 table 0 hook 2 direct-accept
#1: target STANDARD, verdict: FP_NF_ACCEPT
12: 100.2.2.1 -> 110.2.2.1 tos 0 frag_flags 0x2 TCP sport 6050 dport 6050 flags AP--- vr 0 indev eth1-vr0 outdev eth2-vr0 table 0 hook 2 direct-accept
#1: target STANDARD, verdict: FP_NF_ACCEPT
Enabling, disabling or invalidating the Netfilter cache
Synopsis
nf4-cache-set [on|off|invalidate|drop (on|off)]
- on or off
Enable or disable Netfilter cache.
- invalidate
Invalidate Netfilter cache.
- ‘drop on’ or ‘drop off’
Enable or disable the Netfilter drop cache. This feature is available when the cache is enabled.
Example
<fp-0> nf4-cache-set on
nf-cache is on
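Because the cache stores verdicts per flow, an operator who has just changed a rule usually wants to know which cached verdicts still exist for the address concerned before deciding whether to run nf4-cache-set invalidate. The script below is an added example, not part of the Virtual Accelerator documentation: it post-processes the text output of nf4-cache (the sample embedded in it is constructed to match the layout of the manual's example) and lists, for one source address, every cached rule line with its verdict. Feed it a captured nf4-cache dump on stdin to use it on a real system.

```shell
#!/bin/sh
# Added example; this script is not part of the Virtual Accelerator documentation.
# It post-processes the text output of "nf4-cache" so an operator can see, after
# changing Netfilter rules, which cached verdicts still exist for a given source
# address and decide whether "nf4-cache-set invalidate" is needed.

# Constructed sample of nf4-cache output, laid out like the manual's example.
SAMPLE_CACHE='nf-cache is on
Max cached rules per entry is 8
9: 110.2.2.1 -> 100.2.2.1 tos 0 frag_flags 0x2 TCP sport 6050 dport 6050 flags A---- vr 0 indev eth2-vr0 outdev eth1-vr0 table 0 hook 2 direct-accept
#1: target STANDARD, verdict: FP_NF_ACCEPT
11: 100.2.2.1 -> 110.2.2.1 tos 0 frag_flags 0x2 TCP sport 6050 dport 6050 flags A---- vr 0 indev eth1-vr0 outdev eth2-vr0 table 0 hook 2 direct-accept
#1: target STANDARD, verdict: FP_NF_ACCEPT
12: 100.2.2.1 -> 110.2.2.1 tos 0 frag_flags 0x2 TCP sport 6050 dport 6050 flags AP--- vr 0 indev eth1-vr0 outdev eth2-vr0 table 0 hook 2 direct-accept
#1: target STANDARD, verdict: FP_NF_ACCEPT'

# cached_verdicts_for_src SRC
#   Reads nf4-cache output on stdin and prints one line per cached rule of every
#   entry whose source address is SRC: "<index> <src>-><dst> hook <n> <verdict>".
cached_verdicts_for_src() {
  awk -v src="$1" '
    # Entry header: "<index>: <src> -> <dst> ... hook <n> ..."
    /^[0-9]+:/ {
      idx = $1; sub(/:$/, "", idx)
      s = $2; d = $4; hook = ""
      for (i = 1; i <= NF; i++) if ($i == "hook") hook = $(i + 1)
      next
    }
    # Cached rule line of the current entry: "#<k>: target ..., verdict: <verdict>"
    /^#[0-9]+:/ && s == src {
      print idx, s "->" d, "hook", hook, $NF
    }
  '
}

# count_cached_for_src SRC -> number of cached rule lines for SRC in the sample
count_cached_for_src() {
  printf '%s\n' "$SAMPLE_CACHE" | cached_verdicts_for_src "$1" | awk 'END { print NR }'
}

# Stand-alone usage: list the cached verdicts for the source that the manual's
# FORWARD rule drops (100.2.2.1). Each line shows a verdict the fast path will
# keep applying from the cache until the entry is refreshed or invalidated.
printf '%s\n' "$SAMPLE_CACHE" | cached_verdicts_for_src 100.2.2.1
```

The parser keys on the two line shapes visible in the manual's output: an entry header starting with a numeric index and one or more "#k:" rule lines that follow it, so an entry with several cached rules (up to the "Max cached rules per entry" value) yields one output line per rule.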
Displaying the Netfilter conntrack table
Synopsis
nfct4 [<number of entries>] [summary]
- <number of entries>
Maximum number of conntrack to display at once.
- summary
Shorten displayed data to one line per conntrack.
Example
# iptables -F
# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT DROP
# iptables -A FORWARD -i eth1 -o eth2 -p tcp --dport 6050 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -i eth2 -o eth1 -p tcp --sport 6050 -m state --state NEW,ESTABLISHED -j ACCEPT
# fp-cli
<fp-0> nfct4
Number of flows: 1/1024
Flow: #0
Proto: 6
Original: src: 100.2.2.1:6050 -> dst: 110.2.2.1:6050
Reply: src: 110.2.2.1:6050 -> dst: 100.2.2.1:6050
VRF-ID: 0 Zone: 0 Mark: 0x0
Flag: 0x11, hitflag: 0x01,
snat: no, dnat: no,
assured: yes, seen_reply: no,
unreplied: no, expected: no,
update: yes, end: no
Stats:
Original: pkt: 24, bytes: 7392
Reply: pkt: 13, bytes: 6820
<fp-0> nfct4 1 summary
Number of flows: 1/1024
index proto original reply stats flags
#00000000 00006 100.2.2.1:6050 -> 110.2.2.1:6050 | 110.2.2.1:6050 -> 100.2.2.1:6050 [ 100 pkt| 30800 B| 51 pkt| 28252 B] VR0 Zone0 [ASSURED] [END]
Configuring the conntrack refresh policy
Synopsis
nfct4-hitflags-set <period in seconds> <max scanned> <max sent>
- <period in seconds>
Period in seconds of connection track checking.
- <max scanned>
Maximum number of conntracks to scan on a given period of time.
- <max sent>
Maximum number of refresh messages to send over a given period of time.
Example
<fp-0> nfct4-hitflags-set 5 1000 1000
Displaying ip sets
Synopsis
nf-ipset
Example
<fp-0> nf-ipset
List of nf ipsets for vrfid 0:
Ipset #0:
Name: list1
Type: hash:net
Family: AF_INET
NumEntries: 2
Members:
20.100.0.0/16
10.100.0.0/24
Ipset #1:
Name: list2
Type: hash:ip
Family: AF_INET
NumEntries: 2
Members:
20.200.0.2/32
10.200.0.1/32
Ipset #2:
Name: list3
Type: hash:net
Family: AF_INET6
NumEntries: 1
Members:
fd00:0100:0000:0000:0000:0000:0000:0000/64
Ipset #3:
Name: list4
Type: hash:ip
Family: AF_INET6
NumEntries: 1
Members:
fd00:0200:0000:0000:0000:0000:0000:0001/128
Ipset #4:
Name: list5
Type: hash:mac
Family: AF_UNSPEC
NumEntries: 1
Members:
de:ed:01:ff:ca:f4
Displaying hashlimit hashtables content
Synopsis
nf4-dump-hashtable [name]
Parameters
- No parameter
Display all existing hashtable contents
- name
Display the content of hashtable named <name>
Example
<fp-0> nf4-dump-hashtable
table#0 : ping
0 10.100.0.1:0->0.0.0.0:0 7711262310400 348432718233600 69686543646720
0 10.200.0.1:0->0.0.0.0:0 504919752704 348432718233600 69686543646720
Managing nfacct statistics
Synopsis
nfacct <get|reset> <name> [aggregated]
Parameters
- get
Retrieve accounting statistics from fastpath
- reset
Reset accounting statistics only in the fast-path
- name
Name of the target accounting object.
- aggregated
(optional) Sum the kernel nfacct counters with the fast path ones. Only available for 'get'.
Example
<fp-0> nfacct get acct1
nfacct name: acct1
{ pkts = 00000000000000000002, bytes = 00000000000000000056 } = acct1;
Providing options
Some capabilities can be tuned for this module.
Example
FP_OPTIONS="--mod-opt=filter:--max-ct=512"
- --max-rules
Maximum number of IPv4 Netfilter rules.
At least 18 IPv4 Netfilter rules (in the filter, mangle, raw and nat tables) are created per VR.
- Default value
3072
- Memory footprint per IPv4 Netfilter rule
35 KB
- Range
0 .. 40K
- --max-ct
Maximum number of IPv4 Netfilter conntracks
- Default value
1024
- Memory footprint per IPv4 Netfilter conntrack
100 B
- Range
0 .. 1M
- --max-ipsets
Maximum number of ipsets per VRF
- Default value
64
- Memory footprint
Memory footprint (in bytes) for ipset follows the formula:
(8420 + 28 * max-ipset-entries) * max-ipsets * max-vr
See --max-vr for the default value of max-vr.
- Range
0 .. 1000
- --max-ipset-entries
Maximum number of entries per ipset
- Default value
2048
- Memory footprint
See --max-ipsets
- Range
0 .. 10000
- --max-large-ipsets
Maximum number of large ipsets per VRF. When set to a positive value, a large ipset is used each time an ipset's entry count exceeds --max-ipset-entries.
- Default value
0
- Memory footprint
Memory footprint (in bytes) for ipset follows the formula:
(8420 + 28 * max-large-ipset-entries) * max-large-ipsets * max-vr
See --max-vr for the default value of max-vr.
- Range
0 .. 10
- --max-large-ipset-entries
Maximum number of entries per large ipset
- Default value
0
- Memory footprint
- Range
0 .. 100000
- --ct-hash-order
Size order of the IPv4 conntrack hash table. The value is automatically updated if --max-ct is changed.
- Default value
16
- Range
16 .. 20
- --cache-order
Size order of IPv4 Netfilter flows stored in cache.
- Default value
14
- Memory footprint per IPv4 Netfilter flow
128 B
- Range
1 .. 31
- --cache-hash-order
Size order of the IPv4 Netfilter cache hash table. If this value is not specified, it defaults to the --cache-order value for better performance.
- Default value
14
- Memory footprint per IPv4 Netfilter rule
16 B
- Range
1 .. 31
- --max-nfacct-entries
Maximum number of nfacct supported objects
- Default value
- Range
1 .. 1024
Note
See the Fast Path Capabilities documentation for the impact of the available memory on the default value of configurable capabilities.
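The per-object footprints and the ipset formula above are enough to estimate how much memory a given set of --mod-opt values will reserve, and to check that --max-rules leaves room for the 18 rules created per VR. The following script is an added example and is not part of the Virtual Accelerator documentation. It assumes two things this page does not state: max-vr is passed in as a parameter because its default is documented under --max-vr elsewhere, and the cache "order" values are interpreted as powers of two (2^order cached flows and 2^order hash slots), which is the usual meaning of a size order.

```shell
#!/bin/sh
# Added example; not part of the Virtual Accelerator documentation.
# Estimates the memory the filter module reserves from its --mod-opt values,
# using the per-object footprints and the ipset formula stated in the manual.
# Assumptions (not stated on the page): max-vr is a parameter (its default is
# documented under --max-vr), and --cache-order / --cache-hash-order are
# treated as powers of two (2^order flows / hash slots).

RULE_BYTES=$((35 * 1024))   # 35 KB per IPv4 Netfilter rule
CT_BYTES=100                # 100 B per IPv4 conntrack
CACHE_FLOW_BYTES=128        # 128 B per cached flow
CACHE_HASH_BYTES=16         # 16 B per cache hash table slot
MIN_RULES_PER_VR=18         # rules created per VR in the filter/mangle/raw/nat tables

# ipset_footprint MAX_IPSET_ENTRIES MAX_IPSETS MAX_VR
#   Manual's formula: (8420 + 28 * max-ipset-entries) * max-ipsets * max-vr
ipset_footprint() {
  echo $(( (8420 + 28 * $1) * $2 * $3 ))
}

# rules_ok MAX_RULES MAX_VR
#   True when --max-rules leaves room for the 18 rules created per VR before
#   any user rule is added.
rules_ok() {
  [ "$1" -ge $(( MIN_RULES_PER_VR * $2 )) ]
}

# filter_module_footprint MAX_VR
#   Total bytes for the options below. Each option defaults to the value
#   documented in the manual and can be overridden through the environment,
#   e.g. MAX_CT=512 to model --mod-opt=filter:--max-ct=512.
filter_module_footprint() {
  fmf_rules=$(( ${MAX_RULES:-3072} * RULE_BYTES ))
  fmf_ct=$(( ${MAX_CT:-1024} * CT_BYTES ))
  fmf_ipsets=$(ipset_footprint "${MAX_IPSET_ENTRIES:-2048}" "${MAX_IPSETS:-64}" "$1")
  fmf_large=$(ipset_footprint "${MAX_LARGE_IPSET_ENTRIES:-0}" "${MAX_LARGE_IPSETS:-0}" "$1")
  fmf_cache=$(( (1 << ${CACHE_ORDER:-14}) * CACHE_FLOW_BYTES ))
  fmf_hash=$(( (1 << ${CACHE_HASH_ORDER:-${CACHE_ORDER:-14}}) * CACHE_HASH_BYTES ))
  echo $(( fmf_rules + fmf_ct + fmf_ipsets + fmf_large + fmf_cache + fmf_hash ))
}

# Stand-alone usage: the documented defaults with one VR, then the manual's
# --max-ct=512 example (set in a subshell so the override does not leak).
echo "defaults, 1 VR:   $(filter_module_footprint 1) bytes"
echo "max-ct=512, 1 VR: $( MAX_CT=512; filter_module_footprint 1 ) bytes"
rules_ok 3072 1 && echo "max-rules=3072 leaves room for 18 rules per VR with 1 VR"
```

With the defaults and a single VR the estimate is dominated by --max-rules (3072 rules at 35 KB each), which is the value to revisit first when the available memory is tight; the ipset term grows linearly with both --max-ipsets and --max-ipset-entries, so raising either on a multi-VR system multiplies quickly.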