From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Tue, 23 Jan 2018 12:58:30 +0100
Subject: [PATCH] doc: nft: document flowtable

Document the new flowtable objects available since Linux kernel 4.16-rc.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---

--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -1166,6 +1166,91 @@ filter input iif $int_ifs accept
 	</refsect1>
 
 	<refsect1>
+		<title>Flowtables</title>
+		<para>
+			<cmdsynopsis>
+				<group choice="req">
+					<arg>add</arg>
+					<arg>create</arg>
+				</group>
+				<command>flowtable</command>
+				<arg choice="opt"><replaceable>family</replaceable></arg>
+				<arg choice="plain"><replaceable>table</replaceable></arg>
+				<arg choice="plain"><replaceable>flowtable</replaceable></arg>
+				<arg choice="req">
+					hook <replaceable>hook</replaceable>
+					priority <replaceable>priority</replaceable> ;
+					devices = { <replaceable>device</replaceable>[,...] } ;
+				</arg>
+			</cmdsynopsis>
+			<cmdsynopsis>
+				<group choice="req">
+					<arg>delete</arg>
+					<arg>list</arg>
+				</group>
+				<command>flowtable</command>
+				<arg choice="opt"><replaceable>family</replaceable></arg>
+				<replaceable>table</replaceable>
+				<replaceable>flowtable</replaceable>
+			</cmdsynopsis>
+		</para>
+
+		<para>
+			Flowtables allow you to accelerate packet forwarding in software.
+			Flowtables entries are represented through a tuple that is composed of the
+			input interface, source and destination address, source and destination
+			port; and layer 3/4 protocols. Each entry also caches the destination
+			interface and the gateway address - to update the destination link-layer
+			address - to forward packets. The ttl and hoplimit fields are also
+			decremented. Hence, flowtables provides an alternative path that allow
+			packets to bypass the classic forwarding path. Flowtables reside in the
+			ingress hook, that is located before the prerouting hook. You can select
+			what flows you want to offload through the <literal>flow offload</literal>
+			expression from the <literal>forward</literal> chain. Flowtables are
+			identified by their address family and their name. The address family
+			must be one of
+
+			<simplelist type="inline">
+				<member><literal>ip</literal></member>
+				<member><literal>ip6</literal></member>
+				<member><literal>inet</literal></member>
+			</simplelist>.
+
+			The <literal>inet</literal> address family is a dummy family which is used to create
+			hybrid IPv4/IPv6 tables.
+
+			When no address family is specified, <literal>ip</literal> is used by default.
+		</para>
+
+		<variablelist>
+			<varlistentry>
+				<term><option>add</option></term>
+				<listitem>
+					<para>
+						Add a new flowtable for the given family with the given name.
+					</para>
+				</listitem>
+			</varlistentry>
+			<varlistentry>
+				<term><option>delete</option></term>
+				<listitem>
+					<para>
+						Delete the specified flowtable.
+					</para>
+				</listitem>
+			</varlistentry>
+			<varlistentry>
+				<term><option>list</option></term>
+				<listitem>
+					<para>
+						List all flowtables.
+					</para>
+				</listitem>
+			</varlistentry>
+		</variablelist>
+	</refsect1>
+
+	<refsect1>
 		<title>Stateful objects</title>
 		<para>
 			<cmdsynopsis>
@@ -4923,6 +5008,24 @@ add rule nat prerouting tcp dport 22 red
 				</example>
 			</para>
 		</refsect2>
+
+		<refsect2>
+			<title>Flow offload statement</title>
+			<para>
+				A flow offload statement allows us to select what flows
+				you want to accelerate forwarding through layer 3 network
+				stack bypass. You have to specify the flowtable name where
+				you want to offload this flow.
+			</para>
+			<para>
+				<cmdsynopsis>
+					<command>flow offload</command>
+					<literal>@flowtable</literal>
+				</cmdsynopsis>
+			</para>
+
+		</refsect2>
+
 		<refsect2>
 			<title>Queue statement</title>
 			<para>