@@ -6,9 +6,10 @@
4. [Pass Action Example Usage](#pass-action-example-usage)
5. [Trap Action Example Usage](#trap-action-example-usage)
6. [Multi-table/Multi-chain Support](#multi-tablemulti-chain-support)
- 7. [Mirred Action Example Usage](#mirred-action-example-usage)
- 8. [Shared Blocks Support](#shared-blocks-support)
- 9. [More Examples](#more-examples)
+ 7. [Chain Templates Support](#chain-templates-support)
+ 8. [Mirred Action Example Usage](#mirred-action-example-usage)
+ 9. [Shared Blocks Support](#shared-blocks-support)
+ 10. [More Examples](#more-examples)
2. [Further Resources](#further-resources)
TC Flower
@@ -151,6 +152,80 @@ to use the action `goto chain`:
$ tc filter add dev enp3s0np1 parent ffff: protocol ip pref 10 flower skip_sw dst_ip 192.168.101.1 action goto chain 100
```
+If a chain does not exist before a filter is added, it is implicitly created.
+Similarly, after the last filter is removed, implicitly created chain
+is destroyed. However, it is possible to explicitly create and destroy chains.
+
+To create `chain 11`, run the following command:
+
+```
+$ tc chain add dev enp3s0np1 ingress chain 11
+```
+
+To list existing chains, run:
+
+```
+$ tc chain show dev enp3s0np1 ingress
+chain parent ffff: chain 11
+```
+
+And you can destroy the chain by running following command:
+
+```
+$ tc chain del dev enp3s0np1 ingress chain 11
+```
+
+**Note:** The above command will will delete both implicitly and explicitly
+created chains along with any possible existing filters.
+
+#### Chain Templates Support
+
+For filter insertions to chains, the `mlxsw` driver needs to hold
+a magic ball. With the first inserted rule into hardware it needs to guess
+all the fields that are going to be used for the matching in the chain.
+If later on this guess proves to be wrong and user adds a filter with
+different fields to match, there is a problem. `mlxsw` resolves it now
+with couple of predefined patterns. Those try to cover as many match
+fields as possible. This approach is far from optimal, both
+performance-wise and scale-wise. Also, the insertion of certain
+filters might fail, depending on the insertion order.
+
+Most of the time, when user inserts filters in chain, he knows
+how the filters are going to look like in advance - what type and
+option will they have. For example, it is possible that the user
+knows that only filters of type flower matching on destination
+IP are required. The user can specify a template that would cover
+all the filters which are going to be inserted in the chain.
+
+The template is passed along during the chain creation like this:
+
+```
+$ tc chain add dev enp3s0np1 ingress proto ip chain 11 flower dst_ip 0.0.0.0/16
+```
+
+The template is then shown in an output of chain list:
+
+```
+$ tc chain show dev enp3s0np1 ingress
+chain parent ffff: flower chain 11
+ eth_type ipv4
+ dst_ip 0.0.0.0/16
+```
+
+Addition of filters that fit the template will be successful:
+
+```
+$ tc filter add dev enp3s0np1 ingress proto ip chain 11 flower dst_ip 10.0.0.1/8 action drop
+```
+
+Addition of filters that does not fit the template will fail:
+
+```
+$ tc filter add dev enp3s0np1 ingress proto ip chain 11 flower dst_ip 10.0.0.1/24 action drop
+Error: cls_flower: Mask does not fit the template.
+We have an error talking to the kernel, -1
+```
+
#### Mirred Action Example Usage
```
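Review bot: The two filter examples at the end of the Chain Templates Support section never say what "fit the template" means. With the template `dst_ip 0.0.0.0/16`, the `dst_ip 10.0.0.1/8` filter is accepted and the `dst_ip 10.0.0.1/24` filter is rejected with `Mask does not fit the template`, so the reader has to infer the rule from the outcome. Please add a sentence stating the condition on a filter's mask relative to the template's mask, and say whether a filter that matches on a field absent from the template is rejected as well. Smaller points in the same hunk: "will will delete" in the Note is doubled, "by running following command" is missing "the", "filters that does not fit" should be "do not fit", "hold a magic ball" probably wants to be "crystal ball", and "he knows" could be "they know". Since the Note says `tc chain del` removes the chain together with any filters in it, it would help to state there that drop or trap filters installed in that chain stop being enforced once the command runs.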
@@ -71,7 +71,7 @@ from the underlying hardware.
| [4.15](4.15-Release-notes) | IPv4 multicast router, IPv4 non-equal-cost multi-path, multi-path hash policy, RED queueing discipline |
| [4.16](4.16-Release-notes) | IPv6 non-equal-cost multi-path, PRIO scheduler, flow based mirroring |
| [4.17](4.17-Release-notes) | RED as a child of PRIO, IPv6 multicast router, ERSPAN |
-| 4.19 | Virtual Router Redundancy Protocol (VRRP) |
+| 4.19 | Virtual Router Redundancy Protocol (VRRP), TC chain templates |
#### Known Issues
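Review bot: The 4.19 row is the only one visible in this table without a release-notes link (compare `[4.17](4.17-Release-notes)`), and the new "TC chain templates" entry does not point at the Chain Templates Support section added elsewhere in this patch. Consider linking the feature name to that section so readers can find the `tc chain add ... flower` usage, and linking the version number once a 4.19 release notes page exists.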