Re: AF_PACKET fanout not working on MPLS traffic

[Martijn van Oosterhout <kleptog@svana.org>]

[-- Attachment #1: Type: text/plain, Size: 2243 bytes --]

Hoi Willem,

On Mon, Jan 14, 2019 at 03:03:42PM -0500, Willem de Bruijn wrote:
> On Mon, Jan 14, 2019 at 2:12 PM Martijn van Oosterhout wrote:
> > I see a two ways this could be fixed.
> >
> > Option 1: include FLOW_DISSECTOR_KEY_MPLS in
> > flow_keys_dissector_symmetric but that seems a big assumption, we don't
> > do that for VLANs for example.
> 
> This sounds fine to me. Though it will require extra work to make
> __skb_get_has_symmetric actually use the entropy. And in practice it's
> not clear that this will result in much entropy.

Ok, I guess this really depends on the kind of traffic. You'd have to
assume that flows in both directions get the same labels, which may or
may not be true. (The assumption here is that you want flows to stay
together, otherwise you may as well use round-robin).

> > And there is actually another problem: MPLS provides no information
> > about the next header because it assumes the endpoints in the network
> > recognise the MPLS headers. Which means you'd have to make a guess
> > about what the next layer should be.
> 
> This is the real issue. I don't think this can be done in general
> purpose code. The new BPF flow dissector, however, does allow you to
> deploy a custom dissector in environments where the inner protocol is
> known.
> 
>   https://lwn.net/Articles/764200/

Thanks for the reference! Is this code considered mature enough for
production?

Also, since this is new, I can't find much info on how to use it. But
if I understand correctly you create a flow dissector in BPF which
extracts the various parts.  There is one such dissector per namespace,
it replaces the internal one completely.  You attach it using
bpftool[1], which loads the program and confiigures where the BPF
program will store various keys.  We can then make a BPF program which
works for our traffic, load it and then the hashing code from AF_PACKET
will start using it instead of the builtin dissector.

Does that sound right?

[1]: https://patchwork.kernel.org/patch/10673201/

Thanks in advance,
-- 
Martijn van Oosterhout   <kleptog@svana.org>   http://svana.org/kleptog/
> The combine: one man, one day, wheat for half a million loaves of bread.

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 811 bytes --]