Hi All
I'm trying to scale a security inspection device. The rate limiting
step is a single threaded process that analyses and extracts data from
network flows.
As a short-term goal, I would like to scale this by load-balancing
from the physical capture interface to internal dummy or tap
interfaces and then have multiple versions of the single threaded
process running using those as input.
Each instance of the single threaded process requires complete network
flows (i.e. matching tuple). I don't care about the traffic after it
will hit the dummy interfaces - it's then dropped so I don't need to
worry about return paths or anything related.
After some reading, I think that flow based hashing and tc-mirred
redirect action might be the solution I am looking for.
So, I've got this far:
# Set up the interfaces
PHYS="eth1"
INT_COUNT=4 # Derived from number of CPU cores
# Create some dummy interfaces
for i in {1..$INT_COUNT}
do ip link add dummy$i type dummy
ip link set dummy$i up
done
# Create the qdisc
tc qdisc add dev $PHY ingress
# Filter based on flow tuple. Classes are created automatically due to divisor
tc filter add dev $PHYS parent ffff: handle 1 \
flow hash keys src,dst,proto,proto-src,proto-dst \
divisor $INT_COUNT
# Now somehow apply the redirect action to the created classes
# for each of the dummy interfaces
for i in {1..$INT_COUNT}
do tc filter add dev $PHYS parent ffff: protocol ip u32 match u32 0 0 \
action mirred egress redirect dev dummy$i
done
It's that last part I cannot seem to understand.
The classes are created automatically with the divisor statement in
the filtering, As divisor is using modulo of the hash I should get
classes that I can reference. How can I say "class "N", go to dummyN"?
I've done a lot of reading on this but I think there's some key part
that I'm not understanding. I'm thinking I need flowid in the action
but am not sure.
Any tips or suggestions on this would be greatly appreciated.
Thanks and a Happy New Year to all.
