onload_iptables

Onload User Guide (UG1586)

Document ID
UG1586
Release Date
2023-07-31
Revision
1.2 English

The Linux netfilter iptables feature filters traffic according to user-configurable rules, with the aim of controlling access to network devices and blocking unauthorized or malicious traffic. Packets delivered to an application over the Onload accelerated path never pass through the OS kernel, so the kernel firewall (iptables) neither sees nor filters them.

The onload_iptables feature allows the user to configure rules that determine which hardware filters Onload is permitted to insert on the adapter, and therefore which connections and sockets may bypass the kernel and, with it, iptables.

The onload_iptables command can convert a snapshot copy of the kernel iptables rules into Onload firewall rules.

Note: Any changes to kernel iptables subsequent to the snapshot will not be reflected in the Onload firewall.

These Onload firewall rules determine whether a socket created by an Onloaded process is retained by Onload or handed off to the kernel network stack, where iptables applies to it as usual. In addition, user-defined filter rules can be added to the Onload firewall on a per-interface basis. The Onload firewall applies to the receive filter path only; it does not apply to traffic transmitted by an accelerated socket.
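The decision described above, as an added illustration that is not the onload_iptables script or the Onload firewall itself: a small Python model that takes an iptables-save style snapshot (constructed sample input), keeps only the INPUT chain (the receive path), and answers whether a socket may be retained by Onload, that is, whether a hardware filter for it would only ever steal packets the kernel's INPUT chain would have ACCEPTed. The model understands only the -p, -i, -s and --dport matches; any other match (for example -m conntrack) marks the rule inexpressible and forces a hand-off to the kernel. That conservative treatment, the listening-socket handling, and all function names are this example's assumptions, not documented Onload behaviour.

```python
"""Model: an iptables INPUT-chain snapshot gating kernel bypass (illustrative)."""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional

# Constructed iptables-save style snapshot (sample input, not from a real host).
SNAPSHOT = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -s 10.0.0.0/8 -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 5000 -j DROP
-A INPUT -p udp -m udp --dport 5000:5999 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 8080 -j DROP
COMMIT
"""


@dataclass
class Rule:
    proto: Optional[str] = None
    iface: Optional[str] = None
    src: Optional[ipaddress.IPv4Network] = None
    dport: tuple = (0, 65535)
    target: str = "ACCEPT"
    expressible: bool = True  # False if the rule uses a match this model lacks


def parse_snapshot(text):
    """Return (INPUT policy, [Rule, ...]). Only INPUT is read: the Onload
    firewall is receive-path only, so OUTPUT/FORWARD never matter here."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":INPUT "):
            policy = line.split()[1]
        if not line.startswith("-A INPUT "):
            continue
        toks = shlex.split(line)[2:]
        r, i = Rule(), 0
        while i < len(toks):  # iptables-save emits "flag value" pairs
            t, arg = toks[i], toks[i + 1] if i + 1 < len(toks) else None
            if t == "-p":
                r.proto = arg
            elif t == "-i":
                r.iface = arg
            elif t == "-s":
                r.src = ipaddress.ip_network(arg, strict=False)
            elif t == "--dport":
                lo, _, hi = arg.partition(":")
                r.dport = (int(lo), int(hi or lo))
            elif t == "-j":
                r.target = arg
            elif t == "-m" and arg in ("tcp", "udp"):
                pass  # implied by -p; adds no criteria
            else:  # -m conntrack, --ctstate, -d, --sport, ...: not modelled
                r.expressible = False
            i += 2
        rules.append(r)
    return policy, rules


def _matches(r, iface, proto, src, dport):
    """All modelled criteria match; src=None is a wildcard remote address."""
    return ((r.iface is None or r.iface == iface)
            and (r.proto is None or r.proto == proto)
            and (r.src is None or src is None or ipaddress.ip_address(src) in r.src)
            and r.dport[0] <= dport <= r.dport[1])


def packet_verdict(policy, rules, iface, proto, src, dport):
    """Kernel-style first-match verdict for one concrete inbound packet;
    'HANDOFF' when the first matching rule is one this model cannot express."""
    for r in rules:
        if _matches(r, iface, proto, src, dport):
            return r.target if r.expressible else "HANDOFF"
    return policy


def may_accelerate(policy, rules, iface, proto, dport, src=None):
    """May Onload insert a hardware filter for this socket?

    With a concrete src (a connected flow) the packet verdict decides.  With
    src=None (a listening socket, whose filter would match every remote
    address) every source must be ACCEPTed: a source-restricted ACCEPT only
    covers part of that space, so the walk continues; a source-restricted
    DROP/REJECT or an inexpressible rule means some traffic would escape
    iptables, so the socket stays with the kernel (conservative)."""
    if src is not None:
        return packet_verdict(policy, rules, iface, proto, src, dport) == "ACCEPT"
    for r in rules:
        if not _matches(r, iface, proto, None, dport):
            continue
        if not r.expressible:
            return False
        if r.src is None:
            return r.target == "ACCEPT"
        if r.target != "ACCEPT":
            return False
    return policy == "ACCEPT"


if __name__ == "__main__":
    pol, rls = parse_snapshot(SNAPSHOT)
    for sock in (("eth2", "tcp", 22), ("eth2", "tcp", 8080), ("eth2", "udp", 5000)):
        print(sock, "onload" if may_accelerate(pol, rls, *sock) else "kernel")
```

Note that the model, like onload_iptables, works from a snapshot: if the INPUT chain is changed after parse_snapshot() has run, the decisions it returns are stale until the snapshot is converted again. The UDP 5000 case also shows why rule order matters: the earlier DROP shadows the later 5000:5999 ACCEPT, so that port is handed to the kernel while 5500 is not.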