[Cake] triple flow isolation

Thu Jan 14 11:05:12 EST 2016

> On 14 Jan, 2016, at 17:48, moeller0 <moeller0 at gmx.de> wrote:
> 
> I am still curious about the non-NAT fairness by internal IP addresses only performance, as far as I understand that is the main request/use case people seem to have.

Non-NAT should work fine, once I’ve fixed the algorithm.  That’s a major part of what I intended triple-isolation to do.  It still won’t isolate a given host from it’s *own* swarm traffic, unless you also apply Diffserv, but it should prevent one host from monopolising the link with a swarm.

NAT is a problem for Cake instances operating on the “outside” of the boundary, in both directions; they see only the public IP address of the local network, and the addresses of the remote hosts.  The only real solution is probably to integrate connection tracking with the flow dissector (or to hurry along the migration to IPv6).  That’s beyond my area of expertise in the kernel.

 - Jonathan Morton