airvantage / sbulb Goto Github PK

This idea is either to use ipv4 or ipv6 for real and virtual server but not both at same time
Meaning that you can have a virtual v4 ip and real server v6 ips or vice&versa.

When systemd launches a daemon (such as ulb.py) it does not wait to see if there was an error after the process was launched. Thus, even the bpf code compilation failed, systemd will start the dependents services as if everything was ok.

To solve this issue, ulb.py simply needs to call /bin/systemd-notify --ready to signal it is ready to accept connections.

The idea is to use DTLS connection ID to be able to load-balance traffic.

This idea is more detailed here.

The load balancer store the associations in a LRU map.
For each association an entry foreing peer+port => real server is created.

The number of entries allowed for this LRU map must be configurable.

Hello, in your code, only the checksum of the udp modification target ip is recalculated. If I change the source ip:port of this packet, and also modify the destination ip:port, how can I compute the checksum efficiently? My current implementation is to use a for loop to calculate the checksum on the packet, but it feels very inefficient.

See #18 (comment) for more details.

Remove unused code, cleaning warning, add some documentation, fix TODO ...
(#1 is related to this issue)

The idea would be to :

1. give a file in parameter.
2. watch for file modification
3. update configuration accordingly.

The targeted setting is mainly all about real server, to be able to handle real server redeployment.

The RFC 791 says :

The Options provide for control functions needed or useful in some
situations but unnecessary for the most common communications. The
options include provisions for timestamps, security, and special
routing.

Here is the iana list of IP options.

My guess is that we don't need to support that.
Katran does not support that too.

Move repository to https://github.com/AirVantage organization.

Maybe before we need to choose and open-source license before...

For now this is now clear which license we can use with bpf and maybe bcc already choose a license for us ...

• see §Licensing issues in https://lwn.net/Articles/603983
• iovisor/bcc#1804

Currently the algorithm to dispatch traffic is very simple.
It's just a simple circular rotation :

1. For 1st association we take the 1st real server,
2. Then 2nd association we take the 2nd real server,
3. After the last real server we go back to the beginning.

To do that we need a state : the last(or next) real server used.

The idea of "doing a random pick" was raised. This way we could remove the state.
We could investigate this.

Maybe we can use : bpf_get_prandom_u32 helper function.

This issue aims to centralize all possible amelioration about current logging facilities (#22):

• use the python logging facilities instead of print
• logging level should also impact python output (not only bpf one)
• currently in log we only show MAC/IP, maybe it would make more sense to show MAC/IP:port
  when possible.
• add support of syslog, maybe using sysloghandler
• bpf log could show if packet is DROP, PASS, TX.
• use macro for bpf logging instead of if to improve performance ? we should first find a way to measure performance !

To make sbulb more reactive to configuration changes, we should listen to a signal (typically HUP) that would trigger configuration reloading.

RFC 791 says:

Fragmentation of an internet datagram is necessary when it
originates in a local net that allows a large packet size and must
traverse a local net that limits packets to a smaller size to reach
its destination.

My guess is that we don't need to support that.
Katran does not support that too.

i have this issue even though i have installed bcc in ubuntu
Traceback (most recent call last):
File "/usr/lib/python3.6/runpy.py", line 183, in _run_module_as_main
mod_name, mod_spec, code = _get_module_details(mod_name, _Error)
File "/usr/lib/python3.6/runpy.py", line 142, in _get_module_details
return _get_module_details(pkg_main_name, error)
File "/usr/lib/python3.6/runpy.py", line 109, in _get_module_details
import(pkg_name)
File "/home/alla/Bureau/loadbalancer/sbulb/sbulb/init.py", line 2, in
from bcc import BPF
ImportError: cannot import name 'BPF'

Logs will just be print on standard output.
4 levels logs : NONE / ERROR / DEBUG / TRACE

NONE : nothing printed
ERROR : for unexpected state
DEBUG : ERROR + all packet unmodified packet.
TRACE : DEBUG + all modified packet.

(can not be changed without restart)

It seems this could be possible to create python unit tests for bpf/XDP thanks to bpf: program testing framework

Here some example based on bcc/scapy.

Linux Observability with BPF: Advanced Programming for Performance Analysis and Networking book (by David Calavera, Lorenzo Fontana) contains also some hints.

To facilitate refactoring, maybe it could make sense to use type hints to allow us to static type checking.

see :

• https://docs.python.org/3/library/typing.html
• http://mypy-lang.org/
• https://realpython.com/python-type-checking
• https://medium.com/@ageitgey/learn-how-to-use-static-type-checking-in-python-3-6-in-10-minutes-12c86d72677b

From README.md:

For egress traffic :

• we search if we have an clientip:port/realserverip association.
• if yes, we drop the packet (as this server is not associated to this clientip:port)
• if no, we create a new association using the source IP address(real server IP address) and replacing source address(source NAT) by the virtual server ip address.

My feeling is, that the drop in the second cause trouble. Doesn't that depend on the server sending it? If it's the "associated one", then the packet should pass as in the third.

The IP header contains a TTL field (see RFC 791):

This field indicates the maximum time the datagram is allowed to
remain in the internet system. If this field contains the value
zero, then the datagram must be destroyed. This field is modified
in internet header processing. The time is measured in units of
seconds, but since every module that processes a datagram must
decrease the TTL by at least one even if it process the datagram in
less than a second, the TTL must be thought of only as an upper
bound on the time a datagram may exist. The intention is to cause
undeliverable datagrams to be discarded, and to bound the maximum
datagram lifetime.

The wikipedia explanation is maybe better :

The time-to-live value can be thought of as an upper bound on the time that an IP datagram can exist in an Internet system. The TTL field is set by the sender of the datagram, and reduced by every router on the route to its destination. If the TTL field reaches zero before the datagram arrives at its destination, then the datagram is discarded and an Internet Control Message Protocol (ICMP) error datagram (11 - Time Exceeded) is sent back to the sender. The purpose of the TTL field is to avoid a situation in which an undeliverable datagram keeps circulating on an Internet system, and such a system eventually becoming swamped by such "immortals".

We can consider sbulb as a router, so If we want to be a good internet citizen we should update TTL field and discard packet if needed. This part should be easy to implement.

About sending an ICMP packet, I don't know if this is easy maybe we can just let the Linux kernel do that ? (return XDP_PASS)

For now this is now clear which license we can use with bpf and maybe bcc already choose a license for us ...

• see §Licensing issues in https://lwn.net/Articles/603983
• iovisor/bcc#1804

For egress traffic, if we find an association we must ensure that real server is still alive.

Currently we recalculate all the IP checksum, we could be better using : https://tools.ietf.org/html/rfc1624 like we do for UDP checksum update.