Regarding flowtables and conntrack

Dear maintainers,

I am using flowtables and conntrack in my testing environment and could not figure out some things by reading the man page. Could you kindly provide some assistance with the following questions?

1) How can one resize the flowtable and is it recommended to use some specific values for example anything with power of 2?
2) What would happen if the flowtable were to get full? Would the rule that inserts a new entry just skip, and the packet would follow the traditional forwarding path?
3) Should I be using one big enough flowtable or use multiple smaller ones? I am expecting around 200k active connections.
4) I have resized the maximum conntrack size by using the sysctl variable. Should the hashsize of the conntrack module also be increased, and what is the recommended ratio here? Is using a 1:1 ratio going to cause any specific issues other than using more RAM?

I am currently using a rule to add flow entries before accepting packets with a normal CT ESTABLISHED rule, like this:
add rule ip filter FORWARD ct state established iif $wan-if oif $lan-if counter flow offload @fastpath comment "LAN <-> INTERNET FASTPATH TEST"
add rule ip filter FORWARD ct state vmap @ct_map comment "ANY <-> ANY, ESTABLISHED, RELATED"
[.. other accept-rules]
add rule ip filter FORWARD log group 31 counter drop comment "POLICY DROP FORWARD"

5) For testing purposes I am matching on conntrack first before adding the flow to the flowtable. If I understood correctly, this is not really needed and I should probably remove that match and just add the flow. Is this the way it should be used?

And the flowtable itself looks like this:
add flowtable ip filter fastpath { hook ingress priority filter ; devices = { enp6s0f0, enp6s0f1 }; }

The GNU/Linux distribution is the latest Debian testing with kernel 5.2.0-2-amd64 #1 SMP Debian 5.2.9-2 (2019-08-21) x86_64 GNU/Linux.
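For readers arriving at this thread, here is a complete, loadable ruleset that puts the pieces from the post together: the flowtable, the offload rule, and named counters that make it possible to see how much traffic still takes the slow path. This is an added example, not the poster's configuration and not an answer from the netfilter maintainers. The interface names enp6s0f0 and enp6s0f1 and the nfnetlink log group 31 are taken from the post; the table name, the counter names, the chain policy and the assumption that enp6s0f1 is the LAN side are mine. The only non-obvious constraint it encodes is that the kernel's flow offload expression itself only picks up flows that conntrack already considers established, so the offload rule is placed before the generic established/related accept and cannot short-circuit the evaluation of a connection's first packet.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original post. Interface names and the log
# group come from the post; table, chain, counter names and the LAN/WAN
# direction are assumptions.

flush ruleset

table ip filter {
    # Flowtable attached to the ingress hook of both NICs.
    flowtable fastpath {
        hook ingress priority filter;
        devices = { enp6s0f0, enp6s0f1 };
    }

    # Named counters: compare "offloaded" against "slowpath" over time to
    # see what share of established traffic is still hitting the ruleset.
    counter offloaded { }
    counter slowpath { }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Candidates for the fast path: established TCP/UDP flows only.
        # Every new connection still passes the full policy below first,
        # because conntrack does not mark it established until then.
        ct state established ip protocol { tcp, udp } counter name "offloaded" flow offload @fastpath

        # Anything established/related that was not (or not yet) offloaded.
        ct state established,related counter name "slowpath" accept
        ct state invalid drop

        # Assumed policy: hosts on the LAN side may open connections to the WAN.
        iifname "enp6s0f1" oifname "enp6s0f0" ct state new accept

        log group 31 counter drop comment "POLICY DROP FORWARD"
    }
}
```

Load it with `nft -f <file>` and inspect the state with `nft list flowtables` and `nft list counters`; the packet count on "slowpath" should stay small relative to "offloaded" once long-lived connections are running through the flowtable.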