| -rw-r--r-- | docs/configuration/interfaces/ethernet.rst | 28 |
| -rw-r--r-- | docs/configuration/service/https.rst | 37 |
| -rw-r--r-- | docs/configuration/trafficpolicy/index.rst | 69 |
3 files changed, 126 insertions, 8 deletions
| diff --git a/docs/configuration/interfaces/ethernet.rst b/docs/configuration/interfaces/ethernet.rst index bbf52112..a1151fd4 100644 --- a/docs/configuration/interfaces/ethernet.rst +++ b/docs/configuration/interfaces/ethernet.rst @@ -61,6 +61,22 @@ Offloading    Enable different types of hardware offloading on the given NIC. +  :abbr:`LRO (Large Receive Offload)` is a technique designed to boost the +  efficiency of how your computer's network interface card (NIC) processes +  incoming network traffic. Typically, network data arrives in smaller chunks +  called packets. Processing each packet individually consumes CPU (central +  processing unit) resources. Lots of small packets can lead to a performance +  bottleneck. Instead of handing the CPU each packet as it comes in, LRO +  instructs the NIC to combine multiple incoming packets into a single, larger +  packet. This larger packet is then passed to the CPU for processing. + +  .. note:: Under some circumstances, LRO is known to modify the packet headers +     of forwarded traffic, which breaks the end-to-end principle of computer +     networking. LRO is also only able to offload TCP segments encapsulated in +     IPv4 packets. Due to these limitations, it is recommended to use GRO +     (Generic Receive Offload) where possible. More information on the +     limitations of LRO can be found here: https://lwn.net/Articles/358910/ +    :abbr:`GSO (Generic Segmentation Offload)` is a pure software offload that is    meant to deal with cases where device drivers cannot perform the offloads    described above. What occurs in GSO is that a given skbuff will have its data 
@@ -87,13 +103,13 @@ Offloading    placing the packet on the desired CPU's backlog queue and waking up the CPU    for processing. RPS has some advantages over RSS: -  - it can be used with any NIC, -  - software filters can easily be added to hash over new protocols, -  - it does not increase hardware device interrupt rate (although it does -    introduce inter-processor interrupts (IPIs)). +  - it can be used with any NIC +  - software filters can easily be added to hash over new protocols +  - it does not increase hardware device interrupt rate, although it does +    introduce inter-processor interrupts (IPIs) -  .. note:: In order to use TSO/LRO with VMXNET3 adaters one must also enable -     the SG offloading option. +  .. note:: In order to use TSO/LRO with VMXNET3 adapters, the SG offloading +     option must also be enabled.  Authentication (EAPoL)  ---------------------- diff --git a/docs/configuration/service/https.rst b/docs/configuration/service/https.rst index 973c5355..af397456 100644 --- a/docs/configuration/service/https.rst +++ b/docs/configuration/service/https.rst @@ -53,7 +53,11 @@ Configuration  .. cfgcmd:: set service https vrf <name> -   Start Webserver in given  VRF. +   Start Webserver in given VRF. + +.. cfgcmd:: set service https request-body-size-limit <size> + +   Set the maximum request body size in megabytes. Default is 1MB.  API  === 
@@ -70,7 +74,36 @@ API  .. cfgcmd:: set service https api strict -   Enforce strict path checking +   Enforce strict path checking. + +.. cfgcmd:: set service https api cors allow-origin <origin> + +   Allow cross-origin requests from `<origin>`. + +GraphQL +======= + +.. cfgcmd:: set service https api graphql introspection + +   Enable GraphQL Schema introspection. + +.. note:: Do not leave introspection enabled in production, it is a security risk. + +.. cfgcmd:: set service https api graphql authentication type <key | token> + +   Set the authentication type for GraphQL, default option is key. Available options are: + +   * ``key`` use API keys configured in ``service https api keys`` + +   * ``token`` use JWT tokens. + +.. cfgcmd:: set service https api graphql authentication expiration + +   Set the lifetime for JWT tokens in seconds. Default is 3600 seconds. + +.. cfgcmd:: set service https api graphql authentication secret-length + +   Set the byte length of the JWT secret. Default is 32.  *********************  Example Configuration diff --git a/docs/configuration/trafficpolicy/index.rst b/docs/configuration/trafficpolicy/index.rst index 3463592f..ed63b21f 100644 --- a/docs/configuration/trafficpolicy/index.rst +++ b/docs/configuration/trafficpolicy/index.rst 
@@ -1145,6 +1145,74 @@ A simple example of Shaper using priorities.     set qos policy shaper MY-HTB default priority '7'     set qos policy shaper MY-HTB default queue-type 'fair-queue' +.. _CAKE: + +CAKE +------ + +| **Queueing discipline:** Deficit mode. +| **Applies to:** Outbound traffic. + +`Common Applications Kept Enhanced`_ (CAKE) is a comprehensive queue management +system, implemented as a queue discipline (qdisc) for the Linux kernel. It is +designed to replace and improve upon the complex hierarchy of simple qdiscs +presently required to effectively tackle the bufferbloat problem at the network +edge. + +.. cfgcmd:: set qos policy cake <text> bandwidth <value> + +   Set the shaper bandwidth, either as an explicit bitrate or a percentage +   of the interface bandwidth. + +.. cfgcmd:: set qos policy cake <text> description + +   Set a description for the shaper. + +.. cfgcmd:: set qos policy cake <text> flow-isolation blind + +   Disables flow isolation, all traffic passes through a single queue. + +.. cfgcmd:: set qos policy cake <text> flow-isolation dst-host + +   Flows are defined only by destination address. + +.. cfgcmd:: set qos policy cake <text> flow-isolation dual-dst-host + +   Flows are defined by the 5-tuple. Fairness is applied first over destination +   addresses, then over individual flows. + +.. cfgcmd:: set qos policy cake <text> flow-isolation dual-src-host + +   Flows are defined by the 5-tuple. Fairness is applied first over source +   addresses, then over individual flows. + +.. cfgcmd:: set qos policy cake <text> flow-isolation flow + +   Flows are defined by the entire 5-tuple (source IP address, source port, +   destination IP address, destination port, transport protocol). + +.. cfgcmd:: set qos policy cake <text> flow-isolation host + +   Flows are defined by source-destination host pairs. + +.. cfgcmd:: set qos policy cake <text> flow-isolation nat + +   Perform NAT lookup before applying flow-isolation rules. + +.. 
cfgcmd:: set qos policy cake <text> flow-isolation src-host + +   Flows are defined only by source address. + +.. cfgcmd:: set qos policy cake <text> flow-isolation triple-isolate + +   **(Default)** Flows are defined by the 5-tuple, fairness is applied over source and +   destination addresses and also over individual flows. + +.. cfgcmd:: set qos policy cake <text> rtt + +   Defines the round-trip time used for active queue management (AQM) in +   milliseconds. The default value is 100. +  Applying a traffic policy  ========================= @@ -1220,5 +1288,6 @@ That is how it is possible to do the so-called "ingress shaping".  .. _tocken bucket: https://en.wikipedia.org/wiki/Token_bucket  .. _HFSC: https://en.wikipedia.org/wiki/Hierarchical_fair-service_curve  .. _Intermediate Functional Block: https://www.linuxfoundation.org/collaborate/workgroups/networking/ifb +.. _Common Applications Kept Enhanced: https://www.bufferbloat.net/projects/codel/wiki/Cake/  .. start_vyoslinter | 
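Review bot: In docs/configuration/interfaces/ethernet.rst (hunk @@ -61,6 +61,22 @@), the new note hedges with "Under some circumstances" and then only recommends GRO "where possible", which leaves the reader of a router manual without a concrete rule. Since the problem it describes is header modification of forwarded traffic, the note should say outright that LRO is unsuitable on interfaces that forward traffic. GRO is also written out inline as "GRO (Generic Receive Offload)" while LRO and GSO use the :abbr: role; use :abbr: here too, and turn the bare lwn.net URL into a named link target like the ones at the end of trafficpolicy/index.rst.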
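Review bot: In docs/configuration/service/https.rst (hunk @@ -53,7 +53,11 @@), the request-body-size-limit entry gives the unit and the default but not the accepted range for <size> or what a client sees when a request exceeds the limit. Operators will use this setting as a resource limit and API users need to size their requests against it, so add the valid range and the resulting behaviour. "1MB" should also be written "1 MB" or "1 megabyte" to match the sentence before it.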
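Review bot: In docs/configuration/service/https.rst (hunk @@ -70,7 +74,36 @@), the `authentication expiration` and `authentication secret-length` commands are declared without a value placeholder, although the descriptions say they take a number of seconds and a number of bytes and the other new commands use `<origin>` and `<size>`; add placeholders such as `<seconds>` and `<bytes>`. secret-length states a default of 32 but no minimum, so a reader cannot tell whether a shorter secret is accepted; document the lower bound. The introspection note calls it "a security risk" without saying what is exposed; say that it discloses the GraphQL schema to clients, and fix the comma splice. The `token` option does not explain how a client obtains a JWT, and allow-origin does not say whether a wildcard or more than one origin is accepted.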
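Review bot: In docs/configuration/trafficpolicy/index.rst (hunk @@ -1145,6 +1145,74 @@), `flow-isolation nat` is listed alongside the isolation modes but is described as a lookup performed "before applying flow-isolation rules", which reads as a modifier rather than a mode; state whether it is combined with a mode such as triple-isolate or replaces it. `bandwidth <value>` says "explicit bitrate or a percentage" without giving the accepted syntax or units, and `description` is missing its value placeholder. The entries for dual-dst-host and dual-src-host refer to "the 5-tuple" before the `flow` entry spells it out; define it at first use. The CAKE heading underline is six dashes under a four-character title; match the title length.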
