[Cake] customizing Cake's isolation with ipsets, tc-flow and eBPF

Toke Høiland-Jørgensen toke at toke.dk
Sun Jun 6 15:59:14 EDT 2021


Pete Heist <pete at heistp.net> writes:

> I've always wanted a way to customize Cake's host and flow isolation in
> a way that would be usable e.g. for small ISPs, and this is what I came
> up with:
>
> https://github.com/heistp/cake-custom-isolation
>
> ipsets are used to set the skb priority or mark, then tc-flow or a
> simple eBPF classifier is used in a child filter of cake to get the
> major and minor class IDs set, which override the host and flow hashes.

Very cool! Awesome to see the customisation options being used for
something neat like this! :)

> To show it in action, the cakeiso.sh script sets up a netns environment
> and runs competition between two "subscribers" and three flows, two TCP
> flows and one unresponsive UDP flow. Several configurations are run to
> show what is and isn't possible.
>
> If anyone knows of a simpler way than eBPF to get both the major and
> minor class ID set from ipsets, I'd like to hear it, but the included
> classifiers are at least very simple one-liners...

Well, you could go the other way? Instead of ipset, just do the
classification in eBPF and use a BPF map to store the IP addresses.
There's even an LPM map type, so you can use arbitrary prefix lengths
for each class (or not, and just use a hashmap)...

-Toke
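
A userspace C model of the longest-prefix-match lookup suggested above, added here as an illustration; it is not code from this thread or from the cake-custom-isolation repository, and it is not a loadable eBPF program. The subscriber prefixes, class numbers and the names classify, subscribers and lpm_entry are constructed for the example; packing major:minor into one 32-bit class ID follows the usual tc convention.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))

/* One table row: the role a BPF LPM map entry would play (assumed layout). */
struct lpm_entry {
    uint32_t prefix; /* IPv4 network, host byte order */
    uint8_t  len;    /* prefix length, 0..32 */
    uint16_t major;  /* major class ID: overrides the host hash */
    uint16_t minor;  /* minor class ID: overrides the flow hash */
};

/* Constructed sample data: overlapping prefixes on purpose. */
static const struct lpm_entry subscribers[] = {
    { IP4(10, 7, 0, 0),  16, 1, 1 },
    { IP4(10, 7, 1, 0),  24, 2, 1 },
    { IP4(10, 7, 1, 42), 32, 2, 2 },
};

/* Shifting a 32-bit value by 32 is undefined in C, so /0 is special-cased. */
static uint32_t mask_of(uint8_t len)
{
    return len == 0 ? 0 : 0xFFFFFFFFu << (32 - len);
}

/* Return major:minor packed as a tc class ID, or 0 when no prefix matches. */
uint32_t classify(uint32_t addr)
{
    const struct lpm_entry *best = NULL;
    size_t n = sizeof(subscribers) / sizeof(subscribers[0]);

    for (size_t i = 0; i < n; i++) {
        const struct lpm_entry *e = &subscribers[i];
        if (e->len > 32)
            continue; /* ignore malformed rows */
        if ((addr & mask_of(e->len)) != (e->prefix & mask_of(e->len)))
            continue;
        if (!best || e->len > best->len)
            best = e; /* the longest matching prefix wins */
    }
    return best ? ((uint32_t)best->major << 16) | best->minor : 0;
}

int main(void)
{
    printf("%08x\n", (unsigned)classify(IP4(10, 7, 1, 9)));
    return 0;
}
```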

