Usage

In this section, it is assumed that Virtual Accelerator has been properly installed and configured. See Getting Started for more details.

# modprobe nf_conntrack_netlink

Example

# echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
# ip link set eth1 up
# ip link set eth2 up
# ip addr add 3ffe:2:100::1/64 dev eth1
# ip addr add 3ffe:2:110::1/64 dev eth2
# ip route add 3ffe:110:2:2::1/128 via 3ffe:2:11::5
# ip route add 3ffe:100:2:2::1/128 via 3ffe:2:10::5
# ip6tables -F
# ip6tables -P INPUT ACCEPT
# ip6tables -P FORWARD ACCEPT
# ip6tables -P OUTPUT ACCEPT
# ip6tables -A FORWARD -p icmpv6 -s 3ffe:110:2:2::1 -j DROP
# ip6tables -A FORWARD -p icmpv6 -s 3ffe:100:2:2::1 -j DROP
# ip6tables -vL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source            destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source            destination
    0     0 DROP       ipv6-icmp    any    any     3ffe:110:2:2::1   anywhere
    0     0 DROP       ipv6-icmp    any    any     3ffe:100:2:2::1   anywhere

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source            destination
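The rules above are installed with ip6tables in the kernel, but accelerated traffic is only filtered by the copy the fast path holds (nf6-rules filter). The script below, an added example that is not part of the Virtual Accelerator documentation, normalises both listings and reports any chain policy or rule the fast path is missing. The two captures are copied from this page; the fp-cli invocation in the comment is an assumption, since the page only shows the <fp-0> prompt.

```shell
#!/bin/sh
# Added example (not from the Virtual Accelerator documentation): check that
# the rules ip6tables installed in the kernel are the rules the fast path is
# enforcing. Both captures below are copied from the listings on this page;
# on a live system replace them with the real command output, e.g.
#   KERNEL_RULES=$(ip6tables -vL)      FP_RULES=$(fp-cli nf6-rules filter)
# (the fp-cli invocation is an assumption; the page only shows the <fp-0> prompt).

KERNEL_RULES=$(cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source            destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source            destination
    0     0 DROP       ipv6-icmp    any    any     3ffe:110:2:2::1   anywhere
    0     0 DROP       ipv6-icmp    any    any     3ffe:100:2:2::1   anywhere

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source            destination
EOF
)

FP_RULES=$(cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets 0 bytes)
    pkts      bytes target    prot opt  in     out    source              destination

Chain FORWARD (policy ACCEPT 0 packets 0 bytes)
    pkts      bytes target    prot opt  in     out    source              destination
       0          0 DROP      ipv6-icmp      any    any    3ffe:110:2:2::1   anywhere
       0          0 DROP      ipv6-icmp      any    any    3ffe:100:2:2::1   anywhere

Chain OUTPUT (policy ACCEPT 0 packets 0 bytes)
    pkts      bytes target    prot opt  in     out    source              destination
EOF
)

# Reduce a listing to one canonical line per chain policy and per rule,
# dropping the packet/byte counters and column padding that legitimately
# differ between the kernel and the fast path.
normalize_rules() {
    awk '
        /^Chain /    { chain = $2; print "chain", chain, "policy", $4; next }
        $1 == "pkts" { next }
        NF >= 3 && $1 ~ /^[0-9]+$/ {
            line = chain
            for (i = 3; i <= NF; i++) line = line " " $i
            print line
        }
    '
}

# Succeed only when both listings describe the same chains, policies and rules.
nf_rules_match() {
    [ "$(printf '%s\n' "$1" | normalize_rules)" = "$(printf '%s\n' "$2" | normalize_rules)" ]
}

# Print the canonical lines of the first listing that the second one lacks:
# a kernel rule missing from the fast path is not applied to accelerated traffic.
rules_missing_from() {
    have=$(printf '%s\n' "$2" | normalize_rules)
    printf '%s\n' "$1" | normalize_rules | while IFS= read -r line; do
        printf '%s\n' "$have" | grep -qxF -- "$line" || printf '%s\n' "$line"
    done
}

if nf_rules_match "$KERNEL_RULES" "$FP_RULES"; then
    echo "fast path filter table matches the kernel ruleset"
else
    echo "MISMATCH: kernel rules not present in the fast path:"
    rules_missing_from "$KERNEL_RULES" "$FP_RULES"
fi
```

Run it after every ruleset change, together with nf6 (the fast path filter must report "on"); a rule that exists in the kernel but not in the fast path table is the case to alert on.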

Filtering management

Displaying Netfilter status

Synopsis

nf6

Example

<fp-0> nf6
IPv6 netfilter is off

Enabling or disabling Netfilter in the fast path

Enables or disables IPv6 filtering in the fast path. It is off by default and is set to on automatically when Netfilter rules are configured while the cache manager is running.

Synopsis

nf6-set on|off

Parameters

on or off

Enable or disable Netfilter.

Example

<fp-0> nf6-set on
IPv6 netfilter is on

Displaying a Netfilter table

Synopsis

nf6-rules filter|mangle|raw [nonzero]

Parameters

filter or mangle or raw

Display the filter table, the mangle table or the raw table.

nonzero

Display only rules with non-zero statistics.

Example

<fp-0> nf6-rules filter
Chain INPUT (policy ACCEPT 0 packets 0 bytes)
    pkts      bytes target    prot opt  in     out    source              destination

Chain FORWARD (policy ACCEPT 0 packets 0 bytes)
    pkts      bytes target    prot opt  in     out    source              destination
       0          0 DROP      ipv6-icmp      any    any    3ffe:110:2:2::1   anywhere
       0          0 DROP      ipv6-icmp      any    any    3ffe:100:2:2::1   anywhere

Chain OUTPUT (policy ACCEPT 0 packets 0 bytes)
    pkts      bytes target    prot opt  in     out    source              destination

Displaying the hook priority table or hooks in nf_conf

Synopsis

nf6-hook nf_conf|priority

Parameters

nf_conf

Display all hooks present in the nf_conf structure.

priority

Display the hook priority table.

Example

<fp-0> nf6-hook priority
FP_NF_IP_PRE_ROUTING:
        raw ct mangle
FP_NF_IP_LOCAL_IN:
        mangle filter
FP_NF_IP_FORWARD:
        mangle filter
FP_NF_IP_LOCAL_OUT:
        raw ct mangle filter
FP_NF_IP_POST_ROUTING:
        mangle

Enabling or disabling hooks in nf_conf

Synopsis

nf6-hook-set TABLE|all_tables HOOK|all_hooks on|off

Parameters

TABLE or all_tables

The table the hook belongs to. all_tables means all hooks in all tables.

HOOK or all_hooks

The hook to enable or disable. all_hooks means every hook of the table selected by the previous argument.

on or off

Enable or disable the hook.

Example

<fp-0> nf6-hook-set all_tables all_hooks on
set filter local_in: on
set filter forward: on
set filter local_out: on
set mangle pre_routing: on
set mangle local_in: on
set mangle forward: on
set mangle local_out: on
set mangle post_routing: on
set raw pre_routing: on
set raw local_out: on
set ct pre_routing: on
set ct local_out: on

Displaying the Netfilter cache

Display the status of the Netfilter cache in the fast path.

Synopsis

nf6-cache [<num>]

Parameters

<num>

Maximum number of cache lines to display.

Example

<fp-0> nf6-cache
nf6-cache is on
Max cached rules per entry is 11
2: 3ffe:100:2:2::1 -> 3ffe:110:2:2::1 tcclass 0x0 TCP sport 6050 dport 6050 flags AP--- vr 0 indev eth1-vr0 outdev eth2-vr0 table 0 hook 2 direct-accept
     #1: target STANDARD, verdict: FP_NF_ACCEPT
3: 3ffe:110:2:2::1 -> 3ffe:100:2:2::1 tcclass 0x0 TCP sport 6050 dport 6050 flags AP--- vr 0 indev eth2-vr0 outdev eth1-vr0 table 0 hook 2 direct-accept
     #1: target STANDARD, verdict: FP_NF_ACCEPT

Enabling, disabling or invalidating Netfilter cache

Synopsis

nf6-cache-set [on|off|invalidate|drop (on|off)]

Parameters

on or off

Enable or disable Netfilter cache.

invalidate

Invalidate Netfilter cache.

‘drop on’ or ‘drop off’

Enable or disable the Netfilter drop cache. This feature is available when the cache is enabled.

Example

<fp-0> nf6-cache-set on
nf6-cache is on

Displaying the Netfilter conntrack table

Synopsis

nfct6 [<number of entries>] [summary]

Parameters

<number of entries>

Maximum number of conntrack entries to display simultaneously.

summary

Shorten displayed data to one line per conntrack.

Example

<fp-0> nfct6
Number of flows: 1/1024
Flow: #0
     Proto: 6
     Original: src: 3ffe:0100:0002:0002:0000:0000:0000:0001:6050
               dst: 3ffe:0110:0002:0002:0000:0000:0000:0001:6050
     Reply:    src: 3ffe:0110:0002:0002:0000:0000:0000:0001:6050
               dst: 3ffe:0100:0002:0002:0000:0000:0000:0001:6050
     VRF-ID: 0       Zone: 0    Mark: 0x0
     Flag: 0x11, hitflag: 0x01,
                 assured: yes, seen_reply: no,
                 unreplied: no, expected: no,
                 update: yes, end: no
     Stats:
             Original: pkt: 99, bytes: 32216
             Reply:    pkt: 49, bytes: 28616
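The "Number of flows: 1/1024" header reports table usage against the --max-ct capacity, and the assured / seen_reply / unreplied flags distinguish an established flow from a half-open one. The script below, an added example that is not part of the Virtual Accelerator documentation, turns an nfct6 listing into one line per flow, lists the flows still waiting for a reply, and computes table usage. Flow #0 is copied from this page; flow #1 and the "2/1024" header are constructed so that the half-open case is exercised, and the fp-cli invocation in the comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the Virtual Accelerator documentation): summarise an
# nfct6 listing, flag flows that never saw a reply, and report how full the
# conntrack table is. Flow #0 below is copied from this page; flow #1 and the
# "2/1024" header are constructed sample data. On a live system use the real
# output instead:  NFCT6_OUTPUT=$(fp-cli nfct6)
# (the fp-cli invocation is an assumption; the page only shows the <fp-0> prompt).

NFCT6_OUTPUT=$(cat <<'EOF'
Number of flows: 2/1024
Flow: #0
     Proto: 6
     Original: src: 3ffe:0100:0002:0002:0000:0000:0000:0001:6050
               dst: 3ffe:0110:0002:0002:0000:0000:0000:0001:6050
     Reply:    src: 3ffe:0110:0002:0002:0000:0000:0000:0001:6050
               dst: 3ffe:0100:0002:0002:0000:0000:0000:0001:6050
     VRF-ID: 0       Zone: 0    Mark: 0x0
     Flag: 0x11, hitflag: 0x01,
                 assured: yes, seen_reply: no,
                 unreplied: no, expected: no,
                 update: yes, end: no
     Stats:
             Original: pkt: 99, bytes: 32216
             Reply:    pkt: 49, bytes: 28616
Flow: #1
     Proto: 6
     Original: src: 3ffe:0100:0002:0002:0000:0000:0000:0009:40000
               dst: 3ffe:0110:0002:0002:0000:0000:0000:0001:22
     Reply:    src: 3ffe:0110:0002:0002:0000:0000:0000:0001:22
               dst: 3ffe:0100:0002:0002:0000:0000:0000:0009:40000
     VRF-ID: 0       Zone: 0    Mark: 0x0
     Flag: 0x00, hitflag: 0x00,
                 assured: no, seen_reply: no,
                 unreplied: yes, expected: no,
                 update: no, end: no
     Stats:
             Original: pkt: 1, bytes: 80
             Reply:    pkt: 0, bytes: 0
EOF
)

# One line per flow: id, protocol number, original src -> dst, and the three
# state flags that separate an established flow from a half-open one.
ct_flow_summary() {
    printf '%s\n' "$1" | awk '
        /^Flow: #/                { id = substr($2, 2) }
        $1 == "Proto:"            { proto = $2 }
        $1 == "Original:"         { src = $3 }
        $1 == "dst:" && dst == "" { dst = $2 }
        $1 == "assured:"          { assured = $2; sub(/,$/, "", assured); seen = $4; sub(/,$/, "", seen) }
        $1 == "unreplied:"        { unrep = $2; sub(/,$/, "", unrep)
                                    print id, "proto=" proto, src, "->", dst, "assured=" assured, "seen_reply=" seen, "unreplied=" unrep
                                    dst = "" }
    '
}

# Ids of flows still waiting for their first reply packet: many of these at
# once means entries are being consumed without ever becoming assured.
ct_unreplied_ids() {
    printf '%s\n' "$1" | awk '
        /^Flow: #/ { id = substr($2, 2) }
        $1 == "unreplied:" && $2 ~ /^yes/ { print id }
    '
}

# Integer percentage of the conntrack table in use, from "Number of flows: used/max".
ct_usage_percent() {
    printf '%s\n' "$1" | awk -F '[ /]' '/^Number of flows:/ { print int($4 * 100 / $5); exit }'
}

# Succeed when usage reaches the threshold (default 80%), so the check can
# raise an alert before the table fills up.
ct_near_limit() {
    [ "$(ct_usage_percent "$1")" -ge "${2:-80}" ]
}

ct_flow_summary "$NFCT6_OUTPUT"
echo "unreplied flows: $(ct_unreplied_ids "$NFCT6_OUTPUT" | tr '\n' ' ')"
echo "conntrack table usage: $(ct_usage_percent "$NFCT6_OUTPUT")%"
```

The usage threshold is the value to tie to the --max-ct option described later on this page: if the table regularly approaches it, either the limit is too small for the traffic or unreplied flows are accumulating faster than they expire.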

Configuring the conntrack refresh policy

Synopsis

nfct6-hitflags-set <period in seconds> <max scanned> <max sent>

Parameters

<period in seconds>

Period, in seconds, between two conntrack checks.

<max scanned>

Maximum number of conntracks scanned per period.

<max sent>

Maximum number of refresh messages sent per period.

Example

<fp-0> nfct6-hitflags-set 7 500 500

Displaying hashlimit hashtables content

Synopsis

nf6-dump-hashtable [name]

Parameters

No parameter

Display the contents of all existing hashtables.

name

Display the contents of the hashtable named <name>.

Example

<fp-0> nf6-dump-hashtable
table#0 : ping
         9 fd00:0100:0000:0000:0000:0000:0000:0001:0->0000:0000:0000:0000:0000:0000:0000:0000:0 6171792834560 348432718233600 69686543646720
         9 fd00:0200:0000:0000:0000:0000:0000:0001:0->0000:0000:0000:0000:0000:0000:0000:0000:0 1160680046592 348432718233600 69686543646720

Providing options

Some capabilities can be tuned for this module.

Example

FP_OPTIONS="--mod-opt=filter6:--max-ct=512"

--max-rules

Maximum number of IPv6 Netfilter rules.

At least 13 IPv6 Netfilter rules (in the filter, mangle and raw tables) are created per VR.

Default value

2048

Memory footprint per IPv6 Netfilter rule

35 KB

Range

0 .. 40K

--max-ct

Maximum number of IPv6 Netfilter conntracks

Default value

1024

Memory footprint per IPv6 Netfilter conntrack

100 B

Range

0 .. 1M

--ct-hash-order

Size order of IPv6 conntrack hash table. Value automatically updated if --max-ct is changed.

Default value

16

Range

16 .. 20

--cache-order

Size order of IPv6 Netfilter flows stored in cache.

Default value

14

Memory footprint per IPv6 Netfilter flow

128 B

Range

1 .. 31

--cache-hash-order

Size order of the IPv6 Netfilter cache hash table. If this value is not specified, it defaults to the --cache-order value for better performance.

Default value

14

Memory footprint per IPv6 Netfilter rule

16 B

Range

1 .. 31
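The per-entry footprints and ranges above are what a capacity plan needs before the values go into FP_OPTIONS. The script below, an added example that is not part of the Virtual Accelerator documentation, estimates the memory the filter6 module will take for a given set of option values and checks each value against its documented range and the per-VR rule minimum. It takes "KB" as 1024 bytes and the limits "40K" and "1M" as 40*1024 and 1024*1024; both are assumptions, as is the rounding of the total to KiB.

```shell
#!/bin/sh
# Added example (not from the Virtual Accelerator documentation): estimate the
# memory the filter6 module reserves for a set of --mod-opt values and check
# them against the documented ranges. Per-entry sizes come from this page;
# "KB" is taken as 1024 bytes and the limits "40K" and "1M" as 40*1024 and
# 1024*1024 (assumptions).

RULE_BYTES=$((35 * 1024))   # per IPv6 Netfilter rule
CT_BYTES=100                # per IPv6 Netfilter conntrack
FLOW_BYTES=128              # per cached flow, 2^cache-order entries
CACHE_HASH_BYTES=16         # per cache hash table entry, 2^cache-hash-order entries
MIN_RULES_PER_VR=13         # rules created automatically for every VR

# Usage: filter6_footprint_kib MAX_RULES MAX_CT CACHE_ORDER [CACHE_HASH_ORDER]
# Prints the estimate in KiB. The cache hash order defaults to the cache order,
# as the module does when --cache-hash-order is not given.
filter6_footprint_kib() {
    f_hash_order=${4:-$3}
    f_bytes=$(( $1 * RULE_BYTES + $2 * CT_BYTES ))
    f_bytes=$(( f_bytes + (1 << $3) * FLOW_BYTES + (1 << f_hash_order) * CACHE_HASH_BYTES ))
    echo $(( f_bytes / 1024 ))
}

# in_range VALUE MIN MAX
in_range() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Usage: filter6_check_options MAX_RULES MAX_CT CT_HASH_ORDER CACHE_ORDER CACHE_HASH_ORDER [VR_COUNT]
# Returns 0 when every value is inside its documented range and MAX_RULES
# covers the per-VR minimum; otherwise prints each problem and returns 1.
filter6_check_options() {
    c_vrs=${6:-1}
    c_rc=0
    in_range "$1" 0 $((40 * 1024))   || { echo "--max-rules=$1 outside 0..40K"; c_rc=1; }
    in_range "$2" 0 $((1024 * 1024)) || { echo "--max-ct=$2 outside 0..1M"; c_rc=1; }
    in_range "$3" 16 20 || { echo "--ct-hash-order=$3 outside 16..20"; c_rc=1; }
    in_range "$4" 1 31  || { echo "--cache-order=$4 outside 1..31"; c_rc=1; }
    in_range "$5" 1 31  || { echo "--cache-hash-order=$5 outside 1..31"; c_rc=1; }
    [ "$1" -ge $((MIN_RULES_PER_VR * c_vrs)) ] \
        || { echo "--max-rules=$1 is below the $MIN_RULES_PER_VR rules per VR needed for $c_vrs VR(s)"; c_rc=1; }
    return $c_rc
}

# The page's example, FP_OPTIONS="--mod-opt=filter6:--max-ct=512", with every
# other option left at its documented default (2048, 16, 14, 14) and one VR.
filter6_check_options 2048 512 16 14 14 1 \
    && echo "options OK, estimated footprint: $(filter6_footprint_kib 2048 512 14) KiB"
```

With all defaults the estimate is about 74084 KiB, almost all of it the 35 KB per rule, which is why --max-rules is the value to size first; the conntrack hash table size that --ct-hash-order controls is not included because the page gives no per-bucket footprint for it.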

Note

See the Fast Path Capabilities documentation for the impact of the available memory on the default value of configurable capabilities.