How it Works

Onload User Guide (UG1586)

Document ID: UG1586
Release Date: 2023-07-31
Revision: 1.2 English

Before Onload accelerates a socket it first checks the Onload firewall module. If the firewall module indicates the acceleration of the socket would violate a firewall rule, the acceleration request is denied and the socket is handed off to the kernel. Network traffic sent or received on the socket is not accelerated.

Onload firewall rules are parsed in ascending numerical order. The first rule that matches the newly created socket determines whether the socket is accelerated or decelerated; once a rule matches, no further rules are parsed.

If the Onload firewall rules are an exact copy of the kernel iptables, with no additional rules added by the Onload user, then a socket handed off to the kernel because of an iptables rule violation will be unable to receive data through either path: the accelerated path refuses it because of the Onload rule, and the kernel path refuses it because of the identical iptables rule.

Changing rules using onload_iptables will not interrupt existing network connections.

Note: Onload firewall rules will not persist over network driver restarts.

Note: The onload_iptables “IP rules” only block hardware IP filters from being inserted, and onload_iptables “MAC rules” only block hardware MAC filters from being inserted. Therefore, if a rule is inserted to block a MAC address, Onload may still accept traffic from the specified host by inserting an appropriate IP hardware filter.
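The decision logic described above, as an added illustrative model that is not Onload's own code: rules are walked in ascending numerical order, the first match in each rule family wins, and IP rules only govern IP hardware filters while MAC rules only govern MAC hardware filters, so a MAC-only block leaves the IP filter insertable. The rule fields, the CIDR/MAC match syntax and the treatment of "no matching rule" as "no violation" are assumptions for this example, not onload_iptables syntax.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    number: int   # rules are evaluated in ascending numerical order
    kind: str     # "ip" or "mac": the two rule families the guide distinguishes
    match: str    # CIDR prefix for "ip" rules, MAC address for "mac" rules (assumed syntax)
    action: str   # "accelerate" or "decelerate"


@dataclass(frozen=True)
class NewSocket:
    remote_ip: str
    remote_mac: str


def first_match(rules, sock, kind) -> Optional[Rule]:
    """Lowest-numbered rule of one family that matches the socket, or None.
    Only that family is consulted: IP rules govern IP hardware filters and
    MAC rules govern MAC hardware filters."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.kind != kind:
            continue
        if kind == "ip" and ipaddress.ip_address(sock.remote_ip) in ipaddress.ip_network(rule.match):
            return rule
        if kind == "mac" and sock.remote_mac.lower() == rule.match.lower():
            return rule
    return None


def insertable_filters(rules, sock) -> frozenset:
    """Hardware filter kinds Onload may still insert for this socket.
    Assumption: a family with no matching rule violates nothing, so its filter stays allowed."""
    allowed = set()
    for kind in ("ip", "mac"):
        rule = first_match(rules, sock, kind)
        if rule is None or rule.action == "accelerate":
            allowed.add(kind)
    return frozenset(allowed)


def accelerated(rules, sock) -> bool:
    """The socket is handed to the kernel only when neither filter kind may be inserted."""
    return bool(insertable_filters(rules, sock))


# Constructed rule set: rule 5 accelerates one /24, rule 20 decelerates the
# enclosing /8 (rule 5 wins for hosts in the /24), rule 30 blocks a single MAC.
RULES = [
    Rule(20, "ip", "10.0.0.0/8", "decelerate"),
    Rule(5, "ip", "10.1.2.0/24", "accelerate"),
    Rule(30, "mac", "00:0f:53:11:22:33", "decelerate"),
]
```

Blocking a host by MAC alone leaves the IP filter insertable; to actually hand its traffic to the kernel, a matching IP rule is needed as well.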