Your proposals

From NFWS 2019
Revision as of 11:52, 12 July 2019 by Admin (talk | contribs) (BZ session)

Place your proposals here

XFRM integration with netfilter

  • Who: Florian
  • Duration: 15 minutes
  1. flow table infra
    • Could even be made configurable via ruleset (i.e. trigger encrypt/decrypt from flowtable).
  2. policy lookups/assignments with nft obj infra.
    • (lwt)?

Steffen and Daniel talked about XFRM for XDP at netconf and I think it's going to be quite hard given XFRM/crypto reliance on skb (async crypto..), so I think we should investigate alternatives. At this time, secpath means we can't offload and will push skb via normal forwarding path. Let's discuss:
  1. rx path: handle ipsec decryption in ingress hook.
  2. tx path: handle encryption in ingress hook.

This would require caching the secpath to use in the flowtable, so we need a faster way to invalidate it in case there are changes. (flow cache suffered from expensive health checks).

TPROXY infra

  • Who: Florian
  • Duration: ?

Basically the cloudflare use cases.

  1. Where to optimize core infra (listener with no reference on sk)
  2. Is nft tproxy good enough (have not checked yet, at least ip/port pairs are coming from registers, so might integrate better. Jakub provided some iptables rules/scenarios they use, I'd like to investigate this more wrt. what we have in nft).

See https://lore.kernel.org/netdev/87sgs6ey43.fsf@cloudflare.com/