Pretty close to putting the module into real use.
tasks
- make a different name (at the moment the kernel complains that the module cannot be loaded because ng_netflow is already there when the original ng_netflow is loaded) (UPD: Fixed. After figuring out for 2 nights what was wrong, I just replaced every occurrence of the word "netflow" with the new name "netfl2". Just changing the self name wasn't enough; instead, it looks like the symbol name of a proc or func is used by the kernel to reference the node type. OK, this is a good reason to switch to another name right now, so the new name will be 'state'.)
- configure it to process traffic the way the current traffic shapers do:
now they are implemented on linux:
-A FORWARD -p tcp -d XXXXXXXXX/19 --sport 1024:65535 -m length --length 500: -m hashlimit --hashlimit-mode dstip --hashlimit-above 15/sec --hashlimit-burst 80 --hashlimit-name P2P -j TOS --set-tos 2 - inbound to the client
In human words: all traffic destined to XXXXX from higher source ports, with a packet size of 500 and above, exceeding 15 simultaneous connections, gets marked as TOS 2.
So this introduces a kind of problem: there is no connection tracking info yet, so we don't know the number of connections (yet).
The other problem is that only certain users should get this filter, but it's not desirable to install that many BPF programs: with a planned load of up to 6000 customers, forcing every packet through 6000 BPF programs is not an option.
So, what can be done:
1. User switch - an ng_user node which holds an IP table and switches traffic between two hooks (match, notmatch) depending on the presence of the IP in the table.
The user switch might also solve the problem of transparent proxying (and other per-user services), as IP forwarding doesn't work on L2 and there is no L3 traffic processing in our architecture. (DONE)
2. Do the user-switching inside the netflow module itself. The benefit is that a single search in the flow cache does the job; the disadvantages are loss of flexibility and a mixture of two modules, and ... yes, it's against KISS.
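To make both ideas concrete, here is an added userland model (not code from the module or from the original post) of the user switch from option 1 and of the quoted hashlimit rule. The client table is an open-addressing hash set, so deciding match/notmatch is one probe sequence regardless of how many customers are loaded; the rate limiter is a per-destination token bucket with the rule's parameters (15 packets/sec, burst 80), which is how hashlimit-above behaves on Linux. The match order follows the iptables rule (proto, sport, length, then hashlimit), so small packets never consume tokens. Table sizes, struct names, the hash mixer and the traffic in run_demo() are all constructed for the example.

```c
/* Added example (not the ng_netflow/netgraph module's code): userland model of the
 * user switch and of the Linux hashlimit rule. IPv4 addresses are host-order integers;
 * table layouts and names are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define USER_BUCKETS 8192   /* power of two; room for ~6000 customers at moderate load */
#define LIM_BUCKETS  1024   /* per-destination rate-limit state */
#define RATE_PPS     15.0   /* --hashlimit-above 15/sec */
#define BURST        80.0   /* --hashlimit-burst 80 */

struct user_table { uint32_t slot[USER_BUCKETS]; };          /* 0 = empty slot */
struct limiter { struct { uint32_t ip; double tokens, last; } b[LIM_BUCKETS]; };
struct pkt { uint32_t src, dst; uint16_t sport, dport, len; uint8_t proto; double t; };

static uint32_t ip_hash(uint32_t ip, uint32_t mask) {
    ip ^= ip >> 16; ip *= 0x45d9f3bU; ip ^= ip >> 16;        /* small integer mixer */
    return ip & mask;
}

/* Insert a client address; linear probing. 0.0.0.0 is not storable (0 marks "empty"). */
bool user_add(struct user_table *t, uint32_t ip) {
    uint32_t h = ip_hash(ip, USER_BUCKETS - 1);
    for (uint32_t i = 0; i < USER_BUCKETS; i++, h = (h + 1) & (USER_BUCKETS - 1))
        if (t->slot[h] == 0 || t->slot[h] == ip) { t->slot[h] = ip; return true; }
    return false;                                            /* table full */
}

/* The "user switch": one probe sequence decides match vs notmatch, whatever the user count. */
bool user_match(const struct user_table *t, uint32_t ip) {
    uint32_t h = ip_hash(ip, USER_BUCKETS - 1);
    for (uint32_t i = 0; i < USER_BUCKETS; i++, h = (h + 1) & (USER_BUCKETS - 1)) {
        if (t->slot[h] == 0) return false;
        if (t->slot[h] == ip) return true;
    }
    return false;
}

/* Token bucket per destination, as hashlimit-mode dstip with hashlimit-above behaves:
 * a packet is "above" the limit when its destination has no token left. */
bool hashlimit_above(struct limiter *l, uint32_t dst, double now) {
    uint32_t h = ip_hash(dst, LIM_BUCKETS - 1);
    for (uint32_t i = 0; i < LIM_BUCKETS; i++, h = (h + 1) & (LIM_BUCKETS - 1)) {
        if (l->b[h].ip == 0) {                               /* first packet for this dst */
            l->b[h].ip = dst; l->b[h].tokens = BURST; l->b[h].last = now;
        }
        if (l->b[h].ip != dst) continue;
        double refill = l->b[h].tokens + (now - l->b[h].last) * RATE_PPS;
        l->b[h].tokens = refill > BURST ? BURST : refill;
        l->b[h].last = now;
        if (l->b[h].tokens >= 1.0) { l->b[h].tokens -= 1.0; return false; }
        return true;
    }
    return true;                                             /* state table full: treat as above */
}

/* Returns the TOS value the rule would set: 2 on match, 0 means "leave the packet alone".
 * The user table stands in for "-d XXXXXXXXX/19"; cheap checks run before the limiter. */
int classify(struct user_table *users, struct limiter *lim, const struct pkt *p) {
    if (!user_match(users, p->dst)) return 0;                /* notmatch hook: untouched */
    if (p->proto != 6 || p->sport < 1024 || p->len < 500) return 0;
    return hashlimit_above(lim, p->dst, p->t) ? 2 : 0;
}

struct demo_result { int burst_marked, refill_marked, nonuser_marked, small_marked; };

/* Constructed traffic: client 10.0.0.7 is in the table, 10.0.0.8 is not. */
struct demo_result run_demo(void) {
    static struct user_table users;
    static struct limiter lim;
    struct demo_result r = {0, 0, 0, 0};
    struct pkt p = { .src = 0xc0a80101, .dst = 0x0a000007, .sport = 40000, .dport = 51413,
                     .len = 600, .proto = 6, .t = 0.0 };
    memset(&users, 0, sizeof users);
    memset(&lim, 0, sizeof lim);
    user_add(&users, 0x0a000007);
    /* 90 large packets in the same instant: 80 fit the burst, 10 get TOS 2 */
    for (int i = 0; i < 90; i++) r.burst_marked += classify(&users, &lim, &p) == 2;
    /* one second later 15 tokens have been refilled: of 20 packets, 5 are marked */
    p.t = 1.0;
    for (int i = 0; i < 20; i++) r.refill_marked += classify(&users, &lim, &p) == 2;
    /* the same flood to a destination outside the user table is never touched */
    p.dst = 0x0a000008;
    for (int i = 0; i < 90; i++) r.nonuser_marked += classify(&users, &lim, &p) == 2;
    /* small packets to the client fail -m length and never consume tokens */
    p.dst = 0x0a000007; p.len = 400;
    for (int i = 0; i < 90; i++) r.small_marked += classify(&users, &lim, &p) == 2;
    return r;
}

int main(void) {
    struct demo_result r = run_demo();
    printf("burst: %d marked, after refill: %d, non-user: %d, small: %d\n",
           r.burst_marked, r.refill_marked, r.nonuser_marked, r.small_marked);
    return 0;
}
```

The classify() path is where option 1 and option 2 differ: here the user lookup and the per-destination state are two separate tables, which is what the ng_user approach keeps apart, whereas option 2 would fold the user bit into the flow-cache entry so one lookup serves both.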