From: David Ahern <dsahern@gmail.com>
To: Lorenz Bauer <lmb@cloudflare.com>
Cc: bpf <bpf@vger.kernel.org>, Networking <netdev@vger.kernel.org>,
	Martynas Pumputis <m@lambda.lt>,
	kernel-team <kernel-team@cloudflare.com>
Subject: Re: "Forwarding" from TC classifier
Date: Thu, 14 May 2020 12:54:49 -0600
Message-ID: <5cca7bce-0052-d854-5ead-b09d43cb9eb9@gmail.com>
In-Reply-To: <CACAyw9-95He2yq0qoxuWFy3wqQt1kAtAQcRw2UTrqse2hUq1tA@mail.gmail.com>

On 5/14/20 9:41 AM, Lorenz Bauer wrote:
> On Wed, 13 May 2020 at 18:48, David Ahern <dsahern@gmail.com> wrote:
>>
>> On 5/13/20 10:40 AM, Lorenz Bauer wrote:
>>> We've recently open sourced a key component of our L4 load balancer:
>>> cls_redirect [1].
>>> In the commit description, I call out the following caveat:
>>>
>>>     cls_redirect relies on receiving encapsulated packets directly from a
>>>     router. This is because we don't have access to the neighbour tables
>>>     from BPF, yet.
>>
>> Can you explain more about this limitation? Why does access to neighbor
>> tables solve the problem?
> 
> We want to forward the packet to another machine, based on an IP address
> stored in our custom encapsulation header.
> If we always receive packets from a router we can plug in the new IP, swap
> the MAC and send the packet back to the router. Inefficient, but it means we
> don't have to deal with MAC addresses ourselves.

Ok, so swapping source and destination addresses in the IP header, doing
a fib lookup and redirecting to an interface based on the lookup. That
does require a neighbor entry for the dest address. Access to the
neighbor table does not directly solve that problem - if it is not there
for the fib lookup, it won't be there for the straight neigh lookup.

You could let the first packet go up the stack to create and resolve the
neighbor entry. At that point follow-on packets will take the fast path.

Alternatively, you can create static entries in the table for known
forwarding addresses or have a process on the server initiate neighbor
resolution for non-forwarding addresses.

>>
>> Usually, 'output' is for locally generated traffic headed out. XDP
>> programs run on ingress are from an Rx perspective and do the lookup
>> from the perspective of 'is this forwarded or locally delivered'.
> 
> What if the XDP encapsulates the packet? At this point I know that I
> want to forward it elsewhere. Would that use LOOKUP_OUTPUT?

Yes, if you want the lookup to respond as if it is a locally sent packet
versus a forwarded packet.
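
The fallback described in the message above (let the first packet go up the stack so the neighbour entry gets created and resolved, then take the fast path) written as a TC ingress program. This is an added example, not code from the thread or from cls_redirect; the names `fwd` and `fib_verdict` are made up here, and it assumes an IPv4 packet whose destination address has already been set to the forwarding target.

```c
/* Added example (not from the thread): TC ingress forwarder using bpf_fib_lookup(). */
#include <linux/bpf.h>
#include <linux/if_ether.h>
#include <linux/ip.h>
#include <linux/pkt_cls.h>
#include <asm/byteorder.h>

/* Helper declarations in the usual BPF style; callable only once loaded as BPF. */
static long (*const fib_lookup)(void *ctx, struct bpf_fib_lookup *p, int len,
				__u32 flags) = (void *)BPF_FUNC_fib_lookup;
static long (*const redirect)(__u32 ifindex, __u64 flags) = (void *)BPF_FUNC_redirect;
char _license[] __attribute__((section("license"), used)) = "GPL";

/* Map a bpf_fib_lookup() result to a TC verdict (hypothetical helper name). */
static int fib_verdict(long rc)
{
	if (rc == BPF_FIB_LKUP_RET_SUCCESS)
		return TC_ACT_REDIRECT;	/* route and neighbour entry both resolved */
	if (rc == BPF_FIB_LKUP_RET_BLACKHOLE || rc == BPF_FIB_LKUP_RET_UNREACHABLE ||
	    rc == BPF_FIB_LKUP_RET_PROHIBIT)
		return TC_ACT_SHOT;	/* the FIB itself says drop */
	return TC_ACT_OK;		/* e.g. NO_NEIGH: the stack resolves it */
}

__attribute__((section("tc"), used))
int fwd(struct __sk_buff *skb)
{
	void *data = (void *)(long)skb->data, *end = (void *)(long)skb->data_end;
	struct ethhdr *eth = data;
	struct iphdr *ip = (void *)(eth + 1);
	struct bpf_fib_lookup p = {};

	if ((void *)(ip + 1) > end || eth->h_proto != __constant_htons(ETH_P_IP))
		return TC_ACT_OK;
	p.family = 2;			/* AF_INET */
	p.tos = ip->tos;
	p.l4_protocol = ip->protocol;
	p.tot_len = __be16_to_cpu(ip->tot_len);
	p.ipv4_src = ip->saddr;
	p.ipv4_dst = ip->daddr;		/* assumed: already the forwarding target */
	p.ifindex = skb->ingress_ifindex;

	int v = fib_verdict(fib_lookup(skb, &p, sizeof(p), 0)); /* 0: forwarding view */
	if (v != TC_ACT_REDIRECT)
		return v;		/* slow path (stack) or drop */
	__builtin_memcpy(eth->h_dest, p.dmac, ETH_ALEN);
	__builtin_memcpy(eth->h_source, p.smac, ETH_ALEN);
	return redirect(p.ifindex, 0);	/* fast path out of the egress device */
}
```

Passing `BPF_FIB_LOOKUP_OUTPUT` instead of `0` as the flags argument makes the lookup answer as for a locally sent packet, which is the case raised at the end of the message.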
