Usage
The linux-fp-sync service:
- configures the exception path,
- starts the fast path statistics feature,
- starts the cache manager.
Starting Linux - Fast Path Synchronization
To start Linux - Fast Path Synchronization:
# systemctl start linux-fp-sync.service
Stopping Linux - Fast Path Synchronization
To stop Linux - Fast Path Synchronization:
# systemctl stop linux-fp-sync.service
Restarting Linux - Fast Path Synchronization
To restart Linux - Fast Path Synchronization:
# systemctl restart linux-fp-sync.service
Displaying the Linux - Fast Path Synchronization status
To display the current status of running Linux - Fast Path Synchronization threads:
# systemctl status linux-fp-sync.service
Starting the cache manager
The cache manager daemon:
- listens to network changes in Linux, and
- forwards network changes to the fast path manager daemon via the FPC API.
To start or restart cmgrd with Virtual Accelerator, use the synchronization service; the cmgr.sh script must NOT be called manually.
Providing options
The cmgr.sh script reads the /etc/cmgr.env default configuration file before actually starting the cache manager.
You can edit this file to customize the cache manager configuration.
If a variable specified in the configuration file already exists in the environment, the value from the environment is used.
Note
To have configuration file variables supersede global environment variables, specify them in the configuration file according to the following syntax:
HA=true
instead of:
: ${HA:=true}
You can set the most common options via a dedicated variable such as DEBUG.
To set common options, use the CMGR_OPTIONS variable and specify them using the appropriate option delimiter (-b for socket buffer size, -I for the cache manager identification number, etc.).
Parameters to disable the synchronization per feature
Default is to synchronize all features supported by the fast path.
Runtime parameters can be set in CMGR_OPTIONS to disable some of them.
- --disable-sync-vxlan
This will disable the synchronization of Linux VXLAN.
- --disable-sync-bridge
This will disable the synchronization of Linux bridge.
- --disable-sync-ebtables
This will disable the synchronization of Linux netfilter ebtables rules.
- --disable-sync-gre
This will disable the synchronization of Linux GRE.
- --disable-sync-vlan
This will disable the synchronization of Linux VLAN.
- --disable-sync-macvlan
This will disable the synchronization of Linux macvlan.
- --disable-sync-lag
This will disable the synchronization of Linux Bonding.
- --disable-sync-tunnel
This will disable the synchronization of Linux tunnels.
- --disable-sync-ipsec
This will disable the synchronization of Linux XFRM IPsec, including Linux VTI.
- --disable-sync-svti
This will disable the synchronization of Linux VTI.
- --disable-sync-nat
This will disable the synchronization of Linux netfilter NAT rules.
- --disable-sync-netfilter
This will disable the synchronization of Linux netfilter IPv4 / IPv6 rules, including NAT and conntrack.
- --disable-sync-bpf
This will disable the synchronization of Linux BPF.
- --disable-sync-mcast
This will disable the synchronization of Linux IPv4 and IPv6 multicast.
- --disable-sync-ipv6
This will disable the synchronization of Linux IPv6 routing.
- --disable-sync-conntrack
This will disable the synchronization of Linux conntrack.
Alternatively, it is possible to specify the list of features to synchronize in a single option:
- -S, --sync-mask <mask>
Specify the list of features to synchronize.
Feature            Flag
VXLAN              0x00000001
bridge             0x00000002
VLAN               0x00000004
MACVLAN            0x00000008
LAG                0x00000010
ebtables           0x00000020
GRE/GREtap         0x00000040
tunnel             0x00000080
IPsec              0x00000100
SVTI               0x00000200
filter/audit       0x00000400
conntrack          0x00000800
NAT                0x00001000
BPF (tap)          0x00002000
tap pattern only   0x00004000
multicast routes   0x00008000
IPv6               0x00010000
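The flag table can be used to audit a running cache manager against an intended baseline. The script below is an added example, not 6WIND code: it rebuilds the mask from "daemonctl cmgrd show sync-features" output and lists the features a baseline mask expects but the daemon does not report as enabled. The function names, the baseline 0x1d00 and the shortened sample status are constructed for illustration, and the pairing of status names with table rows is an assumption.

```shell
# Flag values are taken from the --sync-mask table on this page. Pairing the
# names printed by "show sync-features" with table rows (netfilter=filter/audit,
# bpf=BPF (tap), multicast=multicast routes) is an assumption of this example.
FEATURES="vxlan bridge vlan macvlan lag ebtables gre tunnel ipsec svti netfilter conntrack nat bpf multicast ipv6"

feature_flag() {
    case "$1" in
        vxlan)     echo 0x00000001 ;; bridge)    echo 0x00000002 ;;
        vlan)      echo 0x00000004 ;; macvlan)   echo 0x00000008 ;;
        lag)       echo 0x00000010 ;; ebtables)  echo 0x00000020 ;;
        gre)       echo 0x00000040 ;; tunnel)    echo 0x00000080 ;;
        ipsec)     echo 0x00000100 ;; svti)      echo 0x00000200 ;;
        netfilter) echo 0x00000400 ;; conntrack) echo 0x00000800 ;;
        nat)       echo 0x00001000 ;; bpf)       echo 0x00002000 ;;
        multicast) echo 0x00008000 ;; ipv6)      echo 0x00010000 ;;
        *) return 1 ;;
    esac
}

# Read status text on stdin; print the OR of the flags of all enabled features.
mask_from_status() {
    mask=0
    while read -r name state rest; do
        [ "$state" = enabled ] || continue           # skips headers and disabled rows
        flag=$(feature_flag "$name") || continue     # name not in the table
        mask=$(( $mask | $flag ))
    done
    printf '0x%08x\n' "$mask"
}

# Print the features set in the expected mask ($1) but not in the observed one ($2).
missing_features() {
    out=""
    for f in $FEATURES; do
        flag=$(feature_flag "$f")
        if [ $(( $1 & $flag )) -ne 0 ] && [ $(( $2 & $flag )) -eq 0 ]; then out="$out $f"; fi
    done
    echo "${out# }"
}

# Constructed sample in the format of the status output shown on this page.
SAMPLE_STATUS='Features Status (enabled/disabled)
ipsec enabled
netfilter enabled
conntrack disabled
nat enabled'

observed=$(printf '%s\n' "$SAMPLE_STATUS" | mask_from_status)
echo "observed=$observed missing=$(missing_features 0x1d00 "$observed")"
```

On a live system, pipe the real command output into mask_from_status instead of the sample.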
Parameters to enable feature options
Some features support options, disabled by default. The following options can be enabled:
- -A, --sync-bpf-all
This is an option of the BPF (tap) feature.
Default is to synchronize BPF only for the applications: tcpdump, ethereal, wireshark, tshark, nmap.
The option -A forces the BPF synchronization for any application.
Alternately, you can set
: ${BPF_OPT:=true}
in the configuration file.
- -R, --sync-ipsec-replay
This is an option of the IPsec feature.
It enables the synchronization of IPsec replay information (SA input and output sequence numbers) from Linux to fast path. This option is used for IPsec HA.
Alternately, you can set
: ${HA_IPSEC:=true}
in the configuration file. This option may be dynamically enabled or disabled without restarting the cache manager. See Configuring HA IPsec dynamically.
Parameters for debug purpose
The following parameters are useful for debugging:
- -d <mask>
Debug mask value.
Alternately, you can set
: ${DEBUG:=<mask>}
in the configuration file.
- -F
Foreground.
- -b <val>
Custom value of the socket buffer size, default is 2M.
- -l <val>
Custom value of the netlink socket buffer size, default is 64M.
- -h
Display the full list of options.
- -o
Display compilation options and exit.
- -I <val>
Specify a number to identify a cache manager instance (only when the control plane manages more than one fast path). The value is called the instance id of the cache manager instance.
If a value is specified, syslog logs cmgrd<val>, and the console is at /tmp/.cmgrd<val>.
Dumping or changing current configuration
You can dump statistics such as netlink received messages and debug the queuing mechanism in a console.
Accessing the console
The cache manager console is reachable using the 6WIND daemonctl tool:
# daemonctl cmgrd <daemon_command>
The following example uses daemonctl to display available commands:
# daemonctl cmgrd help
help - Show help
? - Show help
quit - Quit the shell
show - show statistics
ipsec - ipsec commands
# daemonctl cmgrd show
pid - show pid
netlink - show netlink packets
queue - show queued msg
conf - show conf variables
modules - show registered modules
interfaces - show registered interfaces
sync-features - show synchronized feartures
Dumping statistics and configuration
# daemonctl cmgrd show netlink
Dump netlink socket statistics:
netlink socket name packets received
netlink-route-listen-0 16
RTM_NEWLINK 1
RTM_NEWADDR 2
RTM_NEWROUTE 9
RTM_DELROUTE 4
netlink-route-cmd-0 47
RTM_NEWLINK 8
RTM_NEWADDR 3
RTM_NEWROUTE 15
RTM_NEWNEIGH 2
RTM_[80] 19
netlink-xfrm-listen-0 0
netlink-xfrm-cmd-0 0
netlink-netfilter-conntrack-lis 3
IPCTNL_MSG_CT_NEW 3
netlink-audit-listen-0 34
AUDIT_[2] 1
AUDIT_[1300] 11
AUDIT_[1320] 11
AUDIT_NETFILTER_CFG 11
# daemonctl cmgrd show queue
Queue information
- sent: 98
- directly: 5
- in-queue: 0
- highest in-queue: 89
- has blocked: 0
- partially sent: 0
- errors: 0
- ev armed: 0
command_show_queue: address=0x1318920
current=0x7f7e5aba4000
chk_count=1
chk_total_count=1
obj_count=0
obj_total_count=191
obj_malloc_count=0
obj_ignored_free=0
next_free=0x7f7e5aba400c
# daemonctl cmgrd show modules
xfrm-migrate
# daemonctl cmgrd show interfaces
Interfaces list:
br0 vrfid 0 (ifindex: 15, ifuid: 0x42e9f282)
type: 6, subtype: 5, flags: 0x60, mtu: 1500
master_ifuid: 0x0,
in_l_bond: no
eth1 vrfid 0 (ifindex: 11, ifuid: 0x33117022)
type: 6, subtype: 0, flags: 0x60, mtu: 1500
master_ifuid: 0x82f2e942,
in_l_bond: no
fpn0 vrfid 0 (ifindex: 10, ifuid: 0x64247322)
type: 6, subtype: 0, flags: 0x63, mtu: 1500
master_ifuid: 0x0,
in_l_bond: no
eth0 vrfid 0 (ifindex: 2, ifuid: 0x61a1e72)
type: 6, subtype: 0, flags: 0x63, mtu: 1500
master_ifuid: 0x0,
in_l_bond: no
lo vrfid 0 (ifindex: 1, ifuid: 0x754c6fa8)
type: 24, subtype: 0, flags: 0x63, mtu: 65536
master_ifuid: 0x0,
in_l_bond: no
Bridge interfaces list:
eth1 vrfid 0 (ifindex: 11, ifuid: 0x33117022)
type: 249, subtype: 0, master_ifuid: 0x82f2e942
# daemonctl cmgrd show sync-features
Cache manager uses FPM configuration
Features Status (enabled/disabled)
vxlan enabled
bridge enabled
gre enabled
vlan enabled
macvlan enabled
lag enabled
ebtables enabled
tunnel enabled
ipsec enabled
svti enabled
netfilter enabled
conntrack enabled
nat enabled
bpf disabled
multicast enabled
ipv6 enabled
Configuring HA IPsec dynamically
The synchronization of IPsec HA related information (IPsec SA sequence numbers) may be enabled or disabled dynamically without restarting the cache manager.
To display the current IPsec HA status, use the following command:
# daemonctl cmgrd ipsec ha show
IPsec High Availability disabled
To enable the support of IPsec HA:
# daemonctl cmgrd ipsec ha enable
To disable the support of IPsec HA:
# daemonctl cmgrd ipsec ha disable