Diffstat (limited to 'docs/configuration')
| -rw-r--r-- | docs/configuration/interfaces/ethernet.rst | 28 | ||||
| -rw-r--r-- | docs/configuration/trafficpolicy/index.rst | 69 | ||||
| -rw-r--r-- | docs/configuration/vpn/ipsec.rst | 3 | 
3 files changed, 93 insertions, 7 deletions
| diff --git a/docs/configuration/interfaces/ethernet.rst b/docs/configuration/interfaces/ethernet.rst index bbf52112..a1151fd4 100644 --- a/docs/configuration/interfaces/ethernet.rst +++ b/docs/configuration/interfaces/ethernet.rst @@ -61,6 +61,22 @@ Offloading    Enable different types of hardware offloading on the given NIC. +  :abbr:`LRO (Large Receive Offload)` is a technique designed to boost the +  efficiency of how your computer's network interface card (NIC) processes +  incoming network traffic. Typically, network data arrives in smaller chunks +  called packets. Processing each packet individually consumes CPU (central +  processing unit) resources. Lots of small packets can lead to a performance +  bottleneck. Instead of handing the CPU each packet as it comes in, LRO +  instructs the NIC to combine multiple incoming packets into a single, larger +  packet. This larger packet is then passed to the CPU for processing. + +  .. note:: Under some circumstances, LRO is known to modify the packet headers +     of forwarded traffic, which breaks the end-to-end principle of computer +     networking. LRO is also only able to offload TCP segments encapsulated in +     IPv4 packets. Due to these limitations, it is recommended to use GRO +     (Generic Receive Offload) where possible. More information on the +     limitations of LRO can be found here: https://lwn.net/Articles/358910/ +    :abbr:`GSO (Generic Segmentation Offload)` is a pure software offload that is    meant to deal with cases where device drivers cannot perform the offloads    described above. What occurs in GSO is that a given skbuff will have its data 
@@ -87,13 +103,13 @@ Offloading    placing the packet on the desired CPU's backlog queue and waking up the CPU    for processing. RPS has some advantages over RSS: -  - it can be used with any NIC, -  - software filters can easily be added to hash over new protocols, -  - it does not increase hardware device interrupt rate (although it does -    introduce inter-processor interrupts (IPIs)). +  - it can be used with any NIC +  - software filters can easily be added to hash over new protocols +  - it does not increase hardware device interrupt rate, although it does +    introduce inter-processor interrupts (IPIs) -  .. note:: In order to use TSO/LRO with VMXNET3 adaters one must also enable -     the SG offloading option. +  .. note:: In order to use TSO/LRO with VMXNET3 adapters, the SG offloading +     option must also be enabled.  Authentication (EAPoL)  ---------------------- diff --git a/docs/configuration/trafficpolicy/index.rst b/docs/configuration/trafficpolicy/index.rst index 93f69f80..d435267d 100644 --- a/docs/configuration/trafficpolicy/index.rst +++ b/docs/configuration/trafficpolicy/index.rst 
@@ -1145,6 +1145,74 @@ A simple example of Shaper using priorities.     set qos policy shaper MY-HTB default priority '7'     set qos policy shaper MY-HTB default queue-type 'fair-queue' +.. _CAKE: + +CAKE +------ + +| **Queueing discipline:** Deficit mode. +| **Applies to:** Outbound traffic. + +`Common Applications Kept Enhanced`_ (CAKE) is a comprehensive queue management +system, implemented as a queue discipline (qdisc) for the Linux kernel. It is +designed to replace and improve upon the complex hierarchy of simple qdiscs +presently required to effectively tackle the bufferbloat problem at the network +edge. + +.. cfgcmd:: set qos policy cake <text> bandwidth <value> + +   Set the shaper bandwidth, either as an explicit bitrate or a percentage +   of the interface bandwidth. + +.. cfgcmd:: set qos policy cake <text> description + +   Set a description for the shaper. + +.. cfgcmd:: set qos policy cake <text> flow-isolation blind + +   Disables flow isolation, all traffic passes through a single queue. + +.. cfgcmd:: set qos policy cake <text> flow-isolation dst-host + +   Flows are defined only by destination address. + +.. cfgcmd:: set qos policy cake <text> flow-isolation dual-dst-host + +   Flows are defined by the 5-tuple. Fairness is applied first over destination +   addresses, then over individual flows. + +.. cfgcmd:: set qos policy cake <text> flow-isolation dual-src-host + +   Flows are defined by the 5-tuple. Fairness is applied first over source +   addresses, then over individual flows. + +.. cfgcmd:: set qos policy cake <text> flow-isolation flow + +   Flows are defined by the entire 5-tuple (source IP address, source port, +   destination IP address, destination port, transport protocol). + +.. cfgcmd:: set qos policy cake <text> flow-isolation host + +   Flows are defined by source-destination host pairs. + +.. cfgcmd:: set qos policy cake <text> flow-isolation nat + +   Perform NAT lookup before applying flow-isolation rules. + +.. 
cfgcmd:: set qos policy cake <text> flow-isolation src-host + +   Flows are defined only by source address. + +.. cfgcmd:: set qos policy cake <text> flow-isolation triple-isolate + +   **(Default)** Flows are defined by the 5-tuple, fairness is applied over source and +   destination addresses and also over individual flows. + +.. cfgcmd:: set qos policy cake <text> rtt + +   Defines the round-trip time used for active queue management (AQM) in +   milliseconds. The default value is 100. +  Applying a traffic policy  ========================= @@ -1218,5 +1286,6 @@ That is how it is possible to do the so-called "ingress shaping".  .. _tocken bucket: https://en.wikipedia.org/wiki/Token_bucket  .. _HFSC: https://en.wikipedia.org/wiki/Hierarchical_fair-service_curve  .. _Intermediate Functional Block: https://www.linuxfoundation.org/collaborate/workgroups/networking/ifb +.. _Common Applications Kept Enhanced: https://www.bufferbloat.net/projects/codel/wiki/Cake/  .. start_vyoslinter diff --git a/docs/configuration/vpn/ipsec.rst b/docs/configuration/vpn/ipsec.rst index 172b3c64..d33ae37e 100644 --- a/docs/configuration/vpn/ipsec.rst +++ b/docs/configuration/vpn/ipsec.rst @@ -32,6 +32,7 @@ for the cipher and hash. Adjust this as necessary.  **************************************  IKE (Internet Key Exchange) Attributes  ************************************** +  IKE performs mutual authentication between two parties and establishes  an IKE security association (SA) that includes shared secret information  that can be used to efficiently establish SAs for Encapsulating Security @@ -226,7 +227,7 @@ On the RIGHT, setup by analogy and swap local and remote addresses.  Source tunnel from dummy interface -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +==================================  The scheme above doesn't work when one of the routers has a dynamic external  address though. The classic workaround for this is to setup an address on a | 
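Review bot: in the first hunk of docs/configuration/interfaces/ethernet.rst, the new LRO note writes GRO as plain text, "GRO (Generic Receive Offload)", while LRO and GSO in the same hunk use the :abbr: role; use :abbr:`GRO (Generic Receive Offload)` so the offload names are marked up consistently. The note says LRO can modify the headers of forwarded traffic but only recommends GRO "where possible"; consider stating directly that LRO should stay disabled on interfaces that forward traffic. The trailing "can be found here: https://lwn.net/Articles/358910/" would read better as a named link, the way the trafficpolicy file in this patch defines its reference targets. The opening sentence also speaks of "your computer's network interface card", which does not match the neutral wording of the surrounding GSO and RPS text.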
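Review bot: in the CAKE hunk of docs/configuration/trafficpolicy/index.rst, the cfgcmd lines "set qos policy cake <text> description" and "set qos policy cake <text> rtt" end without a value placeholder, unlike "bandwidth <value>" just above them; add the placeholder so a reader can see that an argument is expected. The bandwidth entry says "either as an explicit bitrate or a percentage" but does not show the accepted format or units, so a short example of each form would help. The first line of the triple-isolate description runs to 86 columns while the rest of the hunk wraps at 80, and the "------" underline is longer than the four-character "CAKE" title.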
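Review bot: in the last hunk of docs/configuration/vpn/ipsec.rst, the underline of "Source tunnel from dummy interface" changes from "^" to "=", which moves the section to a different heading level, and nothing in the visible diff explains why. The section opens with "The scheme above doesn't work when one of the routers has a dynamic external address though", so it depends on the example before it; please confirm that the new level still nests it under that example, or keep the original underline.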
