From: Jake Owen <jake.owen@superloop.com>
To: netfilter-devel@vger.kernel.org
Subject: nfqueue hashing on TCP/UDP port
Date: Tue, 15 Jun 2021 10:42:58 +1000 [thread overview]
Message-ID: <CAD353mmiYns6u5tb3XQz3Rfh_23EMES-4FX1d4pJrQwBd3NvGQ@mail.gmail.com> (raw)
Hello!
tl;dr Is there a technical reason why nfqueue balance as implemented
does not use TCP/UDP ports as well as source/destination IP addresses?
We've been having trouble with the queue hashing algorithm used by
iptable's `--queue-balance` for traffic generated on-box (e.g. by a
squid proxy) where a large percentage of traffic would be TCP, source
IP of the proxy, and one google/microsoft/apple destination IP. This
is made worse if the random seed causes two or more of these high
traffic services to hash to the same queue. We are working on
preserving the original client IP as the source IP to provide
sufficient randomness to balance accurately, but in the meantime have
wondered if balancing by port was not implemented because it was
deemed unnecessary, or because of some technical reason which escapes
me.
I've been able to write a kernel patch which hashes based on protocol,
IP and port for the CentOS 7 kernel we have in production which
_appears_ to be stable. Is there an existing test harness I can use to
validate this implementation? I'm willing to propose a solution for
the latest 5.x kernel if other people think that this is a valid
solution/use case.
Kind Regards,
Jake Owen
next reply other threads:[~2021-06-15 0:44 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-15 0:42 Jake Owen [this message]
2021-06-15 13:06 ` nfqueue hashing on TCP/UDP port Florian Westphal
2021-06-15 22:58 ` Jake Owen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAD353mmiYns6u5tb3XQz3Rfh_23EMES-4FX1d4pJrQwBd3NvGQ@mail.gmail.com \
--to=jake.owen@superloop.com \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).