diff options
| author | Nicolas Fort <nicolasfort1988@gmail.com> | 2023-11-08 13:21:51 -0300 |
|---|---|---|
| committer | Nicolas Fort <nicolasfort1988@gmail.com> | 2023-11-08 13:51:47 -0300 |
| commit | b6c3c7f40a5d4399244e97d9e575db78389e660c (patch) | |
| tree | a51fff1e098c071cec56c0e09560c0fa3ef7cd69 /docs/configuration/firewall/flowtables.rst | |
| parent | ece28ce8097f4835ff2e6fb55bc6ca13f0d1ffc0 (diff) | |
| download | vyos-documentation-b6c3c7f40a5d4399244e97d9e575db78389e660c.tar.gz vyos-documentation-b6c3c7f40a5d4399244e97d9e575db78389e660c.zip | |
Firewall Update: improve documentation and split file for better experience while reading. Add brief notes regarding Flowtables and Bridge firewall, leaving a note that those documents are still under development. New explanation for Netfilter based firewall, which includes new diagrams.
Diffstat (limited to 'docs/configuration/firewall/flowtables.rst')
| -rw-r--r-- | docs/configuration/firewall/flowtables.rst | 52 |
1 files changed, 52 insertions, 0 deletions
diff --git a/docs/configuration/firewall/flowtables.rst b/docs/configuration/firewall/flowtables.rst new file mode 100644 index 00000000..cd813298 --- /dev/null +++ b/docs/configuration/firewall/flowtables.rst @@ -0,0 +1,52 @@ +:lastproofread: 2023-11-08 + +.. _firewall-flowtables-configuration: + +################################ +Flowtables Firewal Configuration +################################ + +.. note:: **Documentation under development** + +******** +Overview +******** + +In this section there's useful information of all firewall configuration that +can be done regarding flowtables + +.. cfgcmd:: set firewall flowtables ... + +From main structure defined in :doc:`Firewall Overview</configuration/firewall/index>` +in this section you can find detailed information only for the next part +of the general structure: + +.. code-block:: none + + - set firewall + * flowtable + - custom_flow_table + + ... + + +Flowtables allows you to define a fastpath through the flowtable datapath. +The flowtable supports for the layer 3 IPv4 and IPv6 and the layer 4 TCP +and UDP protocols. + +.. figure:: /_static/images/firewall-flowtable-packet-flow.png + +Once the first packet of the flow successfully goes through the IP forwarding +path (black circles path), from the second packet on, you might decide to +offload the flow to the flowtable through your ruleset. The flowtable +infrastructure provides a rule action that allows you to specify when to add +a flow to the flowtable (On forward filtering, red circle number 6) + +A packet that finds a matching entry in the flowtable (flowtable hit) is +transmitted to the output netdevice, hence, packets bypass the classic IP +forwarding path and uses the **Fast Path** (orange circles path). The visible +effect is that you do not see these packets from any of the Netfilter +hooks coming after ingress. In case that there is no matching entry in the +flowtable (flowtable miss), the packet follows the classic IP forwarding path. + +.. note:: **Flowtable Reference:** + https://docs.kernel.org/networking/nf_flowtable.html
\ No newline at end of file |