nftables: update to 0.8.2, backport flowtable support

Signed-off-by: Felix Fietkau <nbd@nbd.name>

1 files changed, 128 insertions, 0 deletions

diff --git a/package/network/utils/nftables/patches/205-doc-nft-document-flowtable.patch b/package/network/utils/nftables/patches/205-doc-nft-document-flowtable.patch
new file mode 100644
index 0000000..dd6faa5
--- /dev/null
+++ b/package/network/utils/nftables/patches/205-doc-nft-document-flowtable.patch
@@ -0,0 +1,128 @@
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Tue, 23 Jan 2018 12:58:30 +0100
+Subject: [PATCH] doc: nft: document flowtable
+
+Document the new flowtable objects available since Linux kernel 4.16-rc.
+
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+
+--- a/doc/nft.xml
++++ b/doc/nft.xml
+@@ -1166,6 +1166,91 @@ filter input iif $int_ifs accept
+ 	</refsect1>
+ 
+ 	<refsect1>
++		<title>Flowtables</title>
++		<para>
++			<cmdsynopsis>
++				<group choice="req">
++					<arg>add</arg>
++					<arg>create</arg>
++				</group>
++				<command>flowtable</command>
++				<arg choice="opt"><replaceable>family</replaceable></arg>
++				<arg choice="plain"><replaceable>table</replaceable></arg>
++				<arg choice="plain"><replaceable>flowtable</replaceable></arg>
++				<arg choice="req">
++					hook <replaceable>hook</replaceable>
++					priority <replaceable>priority</replaceable> ;
++					devices = { <replaceable>device</replaceable>[,...] } ;
++				</arg>
++			</cmdsynopsis>
++			<cmdsynopsis>
++				<group choice="req">
++					<arg>delete</arg>
++					<arg>list</arg>
++				</group>
++				<command>flowtable</command>
++				<arg choice="opt"><replaceable>family</replaceable></arg>
++				<replaceable>table</replaceable>
++				<replaceable>flowtable</replaceable>
++			</cmdsynopsis>
++		</para>
++
++		<para>
++			Flowtables allow you to accelerate packet forwarding in software.
++			Flowtables entries are represented through a tuple that is composed of the
++			input interface, source and destination address, source and destination
++			port; and layer 3/4 protocols. Each entry also caches the destination
++			interface and the gateway address - to update the destination link-layer
++			address - to forward packets. The ttl and hoplimit fields are also
++			decremented. Hence, flowtables provides an alternative path that allow
++			packets to bypass the classic forwarding path. Flowtables reside in the
++			ingress hook, that is located before the prerouting hook. You can select
++			what flows you want to offload through the <literal>flow offload</literal>
++			expression from the <literal>forward</literal> chain. Flowtables are
++			identified by their address family and their name. The address family
++			must be one of
++
++			<simplelist type="inline">
++				<member><literal>ip</literal></member>
++				<member><literal>ip6</literal></member>
++				<member><literal>inet</literal></member>
++			</simplelist>.
++
++			The <literal>inet</literal> address family is a dummy family which is used to create
++			hybrid IPv4/IPv6 tables.
++
++			When no address family is specified, <literal>ip</literal> is used by default.
++		</para>
++
++		<variablelist>
++			<varlistentry>
++				<term><option>add</option></term>
++				<listitem>
++					<para>
++						Add a new flowtable for the given family with the given name.
++					</para>
++				</listitem>
++			</varlistentry>
++			<varlistentry>
++				<term><option>delete</option></term>
++				<listitem>
++					<para>
++						Delete the specified flowtable.
++					</para>
++				</listitem>
++			</varlistentry>
++			<varlistentry>
++				<term><option>list</option></term>
++				<listitem>
++					<para>
++						List all flowtables.
++					</para>
++				</listitem>
++			</varlistentry>
++		</variablelist>
++	</refsect1>
++
++	<refsect1>
+ 		<title>Stateful objects</title>
+ 		<para>
+ 			<cmdsynopsis>
+@@ -4923,6 +5008,24 @@ add rule nat prerouting tcp dport 22 red
+ 				</example>
+ 			</para>
+ 		</refsect2>
++
++		<refsect2>
++			<title>Flow offload statement</title>
++			<para>
++				A flow offload statement allows us to select what flows
++				you want to accelerate forwarding through layer 3 network
++				stack bypass. You have to specify the flowtable name where
++				you want to offload this flow.
++			</para>
++			<para>
++				<cmdsynopsis>
++					<command>flow offload</command>
++					<literal>@flowtable</literal>
++				</cmdsynopsis>
++			</para>
++
++		</refsect2>
++
+ 		<refsect2>
+ 			<title>Queue statement</title>
+ 			<para>