Diffstat (limited to 'docs/configuration')
-rw-r--r-- docs/configuration/interfaces/ethernet.rst 28
-rw-r--r-- docs/configuration/service/https.rst 37
-rw-r--r-- docs/configuration/trafficpolicy/index.rst 69
3 files changed, 126 insertions, 8 deletions
diff --git a/docs/configuration/interfaces/ethernet.rst b/docs/configuration/interfaces/ethernet.rst
index bbf52112..a1151fd4 100644
--- a/docs/configuration/interfaces/ethernet.rst
+++ b/docs/configuration/interfaces/ethernet.rst
@@ -61,6 +61,22 @@ Offloading
Enable different types of hardware offloading on the given NIC.
+ :abbr:`LRO (Large Receive Offload)` is a technique designed to boost the
+ efficiency of how your computer's network interface card (NIC) processes
+ incoming network traffic. Typically, network data arrives in smaller chunks
+ called packets. Processing each packet individually consumes CPU (central
+ processing unit) resources. Lots of small packets can lead to a performance
+ bottleneck. Instead of handing the CPU each packet as it comes in, LRO
+ instructs the NIC to combine multiple incoming packets into a single, larger
+ packet. This larger packet is then passed to the CPU for processing.
+
+ .. note:: Under some circumstances, LRO is known to modify the packet headers
+ of forwarded traffic, which breaks the end-to-end principle of computer
+ networking. LRO is also only able to offload TCP segments encapsulated in
+ IPv4 packets. Due to these limitations, it is recommended to use GRO
+ (Generic Receive Offload) where possible. More information on the
+ limitations of LRO can be found here: https://lwn.net/Articles/358910/
+
:abbr:`GSO (Generic Segmentation Offload)` is a pure software offload that is
meant to deal with cases where device drivers cannot perform the offloads
described above. What occurs in GSO is that a given skbuff will have its data
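Review bot: The added note says LRO can modify the packet headers of forwarded traffic, yet the recommendation stops at "use GRO where possible"; for interfaces that forward traffic the text should say outright whether LRO is expected to stay disabled. The bare URL at the end of the note would also read better as a named link target, in the `.. _name: url` style that trafficpolicy/index.rst uses, and the opening paragraph can drop "your computer's" and the expansion of CPU to match the tone of the GSO paragraph that follows.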
@@ -87,13 +103,13 @@ Offloading
placing the packet on the desired CPU's backlog queue and waking up the CPU
for processing. RPS has some advantages over RSS:
- - it can be used with any NIC,
- - software filters can easily be added to hash over new protocols,
- - it does not increase hardware device interrupt rate (although it does
- introduce inter-processor interrupts (IPIs)).
+ - it can be used with any NIC
+ - software filters can easily be added to hash over new protocols
+ - it does not increase hardware device interrupt rate, although it does
+ introduce inter-processor interrupts (IPIs)
- .. note:: In order to use TSO/LRO with VMXNET3 adaters one must also enable
- the SG offloading option.
+ .. note:: In order to use TSO/LRO with VMXNET3 adapters, the SG offloading
+ option must also be enabled.
Authentication (EAPoL)
----------------------
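Review bot: In the reworded VMXNET3 note, "the SG offloading option" is not expanded or tied to a command anywhere in this hunk, so a reader cannot tell which setting to enable; unless it is defined earlier in the file, spell out SG the way the `:abbr:` entries do for LRO and GSO and name the option. The punctuation clean-up in the RPS list is fine.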
diff --git a/docs/configuration/service/https.rst b/docs/configuration/service/https.rst
index 973c5355..af397456 100644
--- a/docs/configuration/service/https.rst
+++ b/docs/configuration/service/https.rst
@@ -53,7 +53,11 @@ Configuration
.. cfgcmd:: set service https vrf <name>
- Start Webserver in given VRF.
+ Start Webserver in given VRF.
+
+.. cfgcmd:: set service https request-body-size-limit <size>
+
+ Set the maximum request body size in megabytes. Default is 1MB.
API
===
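Review bot: On `set service https request-body-size-limit <size>`, the description gives the unit and the default but not the accepted range or the expected form of `<size>`; document both, since this value bounds how much data a client can make the web server accept in one request and an operator needs to know how far it can be raised. "Default is 1MB" would read more cleanly as "Default is 1 MB". The change to the "Start Webserver in given VRF." line is whitespace only; check that its indentation now matches the other cfgcmd bodies in the file.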
@@ -70,7 +74,36 @@ API
.. cfgcmd:: set service https api strict
- Enforce strict path checking
+ Enforce strict path checking.
+
+.. cfgcmd:: set service https api cors allow-origin <origin>
+
+ Allow cross-origin requests from `<origin>`.
+
+GraphQL
+=======
+
+.. cfgcmd:: set service https api graphql introspection
+
+ Enable GraphQL Schema introspection.
+
+.. note:: Do not leave introspection enabled in production, it is a security risk.
+
+.. cfgcmd:: set service https api graphql authentication type <key | token>
+
+ Set the authentication type for GraphQL, default option is key. Available options are:
+
+ * ``key`` use API keys configured in ``service https api keys``
+
+ * ``token`` use JWT tokens.
+
+.. cfgcmd:: set service https api graphql authentication expiration
+
+ Set the lifetime for JWT tokens in seconds. Default is 3600 seconds.
+
+.. cfgcmd:: set service https api graphql authentication secret-length
+
+ Set the byte length of the JWT secret. Default is 32.
*********************
Example Configuration
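Review bot: The `authentication expiration` and `authentication secret-length` commands are documented without a value placeholder, unlike `type <key | token>` just above them, and no accepted range is given; add `<seconds>` and `<bytes>` (or the names the CLI uses) and state the minimum allowed secret length so a reader cannot configure a weak JWT secret unknowingly. For `cors allow-origin <origin>`, say what form `<origin>` takes (scheme, host, port), whether the node can be set more than once, and whether a wildcard is accepted. The introspection note should be indented under its cfgcmd and should say why it is a risk (the schema becomes readable to anyone who can send a query) instead of the comma-spliced "it is a security risk". "JWT tokens" is redundant; "JWTs" or "JWT" is enough.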
diff --git a/docs/configuration/trafficpolicy/index.rst b/docs/configuration/trafficpolicy/index.rst
index 3463592f..ed63b21f 100644
--- a/docs/configuration/trafficpolicy/index.rst
+++ b/docs/configuration/trafficpolicy/index.rst
@@ -1145,6 +1145,74 @@ A simple example of Shaper using priorities.
set qos policy shaper MY-HTB default priority '7'
set qos policy shaper MY-HTB default queue-type 'fair-queue'
+.. _CAKE:
+
+CAKE
+------
+
+| **Queueing discipline:** Deficit mode.
+| **Applies to:** Outbound traffic.
+
+`Common Applications Kept Enhanced`_ (CAKE) is a comprehensive queue management
+system, implemented as a queue discipline (qdisc) for the Linux kernel. It is
+designed to replace and improve upon the complex hierarchy of simple qdiscs
+presently required to effectively tackle the bufferbloat problem at the network
+edge.
+
+.. cfgcmd:: set qos policy cake <text> bandwidth <value>
+
+ Set the shaper bandwidth, either as an explicit bitrate or a percentage
+ of the interface bandwidth.
+
+.. cfgcmd:: set qos policy cake <text> description
+
+ Set a description for the shaper.
+
+.. cfgcmd:: set qos policy cake <text> flow-isolation blind
+
+ Disables flow isolation, all traffic passes through a single queue.
+
+.. cfgcmd:: set qos policy cake <text> flow-isolation dst-host
+
+ Flows are defined only by destination address.
+
+.. cfgcmd:: set qos policy cake <text> flow-isolation dual-dst-host
+
+ Flows are defined by the 5-tuple. Fairness is applied first over destination
+ addresses, then over individual flows.
+
+.. cfgcmd:: set qos policy cake <text> flow-isolation dual-src-host
+
+ Flows are defined by the 5-tuple. Fairness is applied first over source
+ addresses, then over individual flows.
+
+.. cfgcmd:: set qos policy cake <text> flow-isolation flow
+
+ Flows are defined by the entire 5-tuple (source IP address, source port,
+ destination IP address, destination port, transport protocol).
+
+.. cfgcmd:: set qos policy cake <text> flow-isolation host
+
+ Flows are defined by source-destination host pairs.
+
+.. cfgcmd:: set qos policy cake <text> flow-isolation nat
+
+ Perform NAT lookup before applying flow-isolation rules.
+
+.. cfgcmd:: set qos policy cake <text> flow-isolation src-host
+
+ Flows are defined only by source address.
+
+.. cfgcmd:: set qos policy cake <text> flow-isolation triple-isolate
+
+ **(Default)** Flows are defined by the 5-tuple, fairness is applied over source and
+ destination addresses and also over individual flows.
+
+.. cfgcmd:: set qos policy cake <text> rtt
+
+ Defines the round-trip time used for active queue management (AQM) in
+ milliseconds. The default value is 100.
+
Applying a traffic policy
=========================
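Review bot: `flow-isolation nat` is listed alphabetically among the isolation modes, but its description ("Perform NAT lookup before applying flow-isolation rules") reads as a modifier applied on top of a mode; state whether it can be combined with the other `flow-isolation` values and move it after them. The `dual-dst-host` and `dual-src-host` entries refer to "the 5-tuple" before the `flow` entry defines it, so define the term once in the introduction or at its first use. `description` and `rtt` are missing value placeholders, `bandwidth <value>` gives no example of an accepted bitrate or percentage, the `blind` and `triple-isolate` descriptions contain comma splices, and the `------` underline is longer than the "CAKE" title.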
@@ -1220,5 +1288,6 @@ That is how it is possible to do the so-called "ingress shaping".
.. _tocken bucket: https://en.wikipedia.org/wiki/Token_bucket
.. _HFSC: https://en.wikipedia.org/wiki/Hierarchical_fair-service_curve
.. _Intermediate Functional Block: https://www.linuxfoundation.org/collaborate/workgroups/networking/ifb
+.. _Common Applications Kept Enhanced: https://www.bufferbloat.net/projects/codel/wiki/Cake/
.. start_vyoslinter