Usage
The linux-fp-sync.sh script starts:
- the fast path manager,
- the fast path statistics feature,
- the hit flags synchronization feature,
- the cache manager.
You can also launch the cache manager manually.
Starting Linux - Fast Path Synchronization
Adapt the Linux - Fast Path Synchronization default configuration file (/etc/linux-fp-sync.env) to your needs.
Start Linux - Fast Path Synchronization:
# linux-fp-sync.sh start
Note
To use a custom configuration file, use the CONF_FILE_linux_fp_sync environment variable. For instance:
# CONF_FILE_linux_fp_sync=/path/to/conf/conf_file linux-fp-sync.sh start
Stopping Linux - Fast Path Synchronization
To stop Linux - Fast Path Synchronization:
# linux-fp-sync.sh stop
Restarting Linux - Fast Path Synchronization
To restart Linux - Fast Path Synchronization:
# linux-fp-sync.sh restart
Displaying the Linux - Fast Path Synchronization status
To display the current status of running Linux - Fast Path Synchronization threads:
# linux-fp-sync.sh status
To display the current status of running Linux - Fast Path Synchronization threads and of the current installation (inserted .ko, for example):
# linux-fp-sync.sh status complete
Starting the cache manager manually
The cache manager daemon:
- listens to network changes in Linux, and,
- forwards network changes to the fast path manager daemon via the FPC API.
To start the cache manager, enter:
# cmgr.sh start
Providing options
The cmgr.sh script reads the /etc/cmgr.env default configuration file before actually starting the cache manager.
You can edit this file to customize the cache manager configuration.
Note
To use a custom configuration file, use the CONF_FILE_cmgr environment variable. For instance:
# CONF_FILE_cmgr=/path/to/conf/conf_file cmgr.sh start
If a variable specified in the configuration file already exists in the environment (for instance, by calling HA=true cmgr.sh start), the value from the environment is used.
Note
To have configuration file variables supersede global environment variables, specify them in the configuration file according to the following syntax:
HA=true
instead of:
: ${HA:=true}
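The precedence rule above can be checked against a configuration file before the daemon is started. The following shell functions are an added example, not part of the 6WIND scripts: the sample files are constructed, and the names write_samples, effective_value and overridden_vars are chosen here. Note that ':=' also treats an empty environment value as unset.

```shell
# Added example. Sample files are constructed; HA and DEBUG are the
# variable names used on this page, the file names are made up.

# write_samples DIR -> creates one file per syntax described above
write_samples() {
    printf '%s\n' ': ${HA:=true}' ': ${DEBUG:=0}' > "$1/default-style.env"
    printf '%s\n' 'HA=true' 'DEBUG=0' > "$1/forced-style.env"
}

# effective_value FILE VAR -> value VAR holds once FILE has been sourced
# on top of the caller's environment (runs in a subshell, FILE is executed)
effective_value() (
    . "$1"
    eval "printf '%s\n' \"\${$2-}\""
)

# overridden_vars FILE -> names of variables that FILE sets with the
# ': ${VAR:=value}' syntax and that are already non-empty in the
# environment, meaning the value written in FILE will be ignored
overridden_vars() {
    out=''
    for var in $(sed -n 's/^[[:space:]]*:[[:space:]]*\${\([A-Za-z_][A-Za-z0-9_]*\):=.*/\1/p' "$1"); do
        # var only contains identifier characters (enforced by the sed pattern)
        eval "cur=\${$var-}"
        [ -z "$cur" ] || out="${out:+$out }$var"
    done
    echo "$out"
}
```

Running overridden_vars on the configuration file from the account that starts cmgr.sh shows which settings the inherited environment silently replaces.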
You can set the most common options via a dedicated variable such as DEBUG.
To set common options, use the CMGR_OPTIONS variable and specify them using the appropriate option delimiter (-b for socket buffer size, -I for the cache manager identification number, etc.).
Parameters to disable the synchronization per feature
Default is to synchronize all features supported by the fast path.
Runtime parameters can be set in CMGR_OPTIONS to disable some of them.
- --disable-sync-vxlan
  This will disable the synchronization of Linux VXLAN.
- --disable-sync-bridge
  This will disable the synchronization of Linux bridge.
- --disable-sync-ebtables
  This will disable the synchronization of Linux netfilter ebtables rules.
- --disable-sync-gre
  This will disable the synchronization of Linux GRE.
- --disable-sync-vlan
  This will disable the synchronization of Linux VLAN.
- --disable-sync-macvlan
  This will disable the synchronization of Linux macvlan.
- --disable-sync-lag
  This will disable the synchronization of Linux Bonding.
- --disable-sync-tunnel
  This will disable the synchronization of Linux tunnels.
- --disable-sync-ipsec
  This will disable the synchronization of Linux XFRM IPsec, including Linux VTI.
- --disable-sync-svti
  This will disable the synchronization of Linux VTI.
- --disable-sync-nat
  This will disable the synchronization of Linux netfilter NAT rules.
- --disable-sync-netfilter
  This will disable the synchronization of Linux netfilter IPv4 / IPv6 rules, including NAT and conntrack.
- --disable-sync-bpf
  This will disable the synchronization of Linux BPF.
- --disable-sync-mcast
  This will disable the synchronization of Linux IPv4 and IPv6 multicast.
- --disable-sync-ipv6
  This will disable the synchronization of Linux IPv6 routing.
- --disable-sync-conntrack
  This will disable the synchronization of Linux conntrack.
Alternatively, it is possible to specify the list of features to synchronize in a single option:
- -S, --sync-mask <mask>
  Specify the list of features to synchronize.

  Feature            Flag
  VXLAN              0x00000001
  bridge             0x00000002
  VLAN               0x00000004
  MACVLAN            0x00000008
  LAG                0x00000010
  ebtables           0x00000020
  GRE/GREtap         0x00000040
  tunnel             0x00000080
  IPsec              0x00000100
  SVTI               0x00000200
  filter/audit       0x00000400
  conntrack          0x00000800
  NAT                0x00001000
  BPF (tap)          0x00002000
  tap pattern only   0x00004000
  multicast routes   0x00008000
  IPv6               0x00010000
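A worked example of composing and auditing a --sync-mask value from the flag table above. It is added here and is not taken from the 6WIND scripts: the lowercase feature names and the function names are labels chosen for this example, while the flag values are those of the table.

```shell
# Added example. Names before ':' are labels chosen here; the flag values
# are copied from the --sync-mask table above.
FEATURE_FLAGS='vxlan:0x00000001 bridge:0x00000002 vlan:0x00000004 macvlan:0x00000008
lag:0x00000010 ebtables:0x00000020 gre:0x00000040 tunnel:0x00000080
ipsec:0x00000100 svti:0x00000200 filter:0x00000400 conntrack:0x00000800
nat:0x00001000 bpf:0x00002000 tap-pattern:0x00004000 mcast:0x00008000
ipv6:0x00010000'

# flag_of NAME -> prints the flag of NAME, returns 1 for an unknown name
flag_of() {
    for entry in $FEATURE_FLAGS; do
        [ "${entry%%:*}" = "$1" ] && { echo "${entry#*:}"; return 0; }
    done
    return 1
}

# mask_from_features NAME... -> prints the OR of the flags as 0x%08x
mask_from_features() {
    mask=0
    for name in "$@"; do
        flag=$(flag_of "$name") || { echo "unknown feature: $name" >&2; return 1; }
        mask=$(( $mask | $flag ))
    done
    printf '0x%08x\n' "$mask"
}

# features_in_mask MASK -> prints the names of the features set in MASK
features_in_mask() {
    out=''
    for entry in $FEATURE_FLAGS; do
        if [ $(( $1 & ${entry#*:} )) -ne 0 ]; then
            out="${out:+$out }${entry%%:*}"
        fi
    done
    echo "$out"
}

# missing_features MASK NAME... -> prints the required names absent from MASK
missing_features() {
    m=$1; shift
    out=''
    for name in "$@"; do
        flag=$(flag_of "$name") || return 1
        [ $(( $m & $flag )) -ne 0 ] || out="${out:+$out }$name"
    done
    echo "$out"
}
```

For instance, missing_features applied to a proposed mask with the names filter, conntrack, nat and ipsec lists which of those features the mask would leave unsynchronized.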
Parameters to enable feature options
Some features support options, disabled by default. The following options can be enabled:
- -A, --sync-bpf-all
  This is an option of the BPF (tap) feature.
  Default is to synchronize BPF only for the applications: tcpdump, ethereal, wireshark, tshark, nmap.
  The option -A forces the BPF synchronization for any application.
  Alternately, you can set
  : ${BPF_OPT:=true}
  in the configuration file.
- -R, --sync-ipsec-replay
  This is an option of the IPsec feature.
  It enables the synchronization of IPsec replay information (SA input and output sequence numbers) from Linux to fast path. This option is used for IPsec HA.
  Alternately, you can set
  : ${HA_IPSEC:=true}
  in the configuration file.
  This option may be dynamically enabled or disabled without restarting the cache manager. See Configuring HA IPsec dynamically.
Parameters for debug purpose
The following parameters are useful for debugging:
- -d <mask>
  Debug mask value.
  Alternately, you can set
  : ${DEBUG:=<mask>}
  in the configuration file.
- -F
  Foreground.
- -b <val>
  Custom value of the socket buffer size, default is 2M.
- -l <val>
  Custom value of the netlink socket buffer size, default is 64M.
- -h
  Display the full list of options.
- -o
  Display compilation options and exit.
- -I <val>
  Specify a number to identify a cache manager instance (only when the control plane manages more than one fast path). The value is called the instance id of the cache manager instance.
  If a value is specified, syslog logs cmgrd<val>, and the console is at /tmp/.cmgrd<val>.
Dumping or changing current configuration
You can dump statistics such as netlink received messages and debug the queuing mechanism in a console.
Accessing the console
The cache manager console is reachable using the 6WIND daemonctl tool:
# daemonctl cmgrd <daemon_command>
The following example uses daemonctl to display available commands:
# daemonctl cmgrd help
help - Show help
? - Show help
quit - Quit the shell
show - show statistics
ipsec - ipsec commands
# daemonctl cmgrd show
pid - show pid
netlink - show netlink packets
queue - show queued msg
conf - show conf variables
modules - show registered modules
interfaces - show registered interfaces
sync-features - show synchronized feartures
Dumping statistics and configuration
# daemonctl cmgrd show netlink
Dump netlink socket statistics:
netlink socket name packets received
netlink-route-listen-0 16
RTM_NEWLINK 1
RTM_NEWADDR 2
RTM_NEWROUTE 9
RTM_DELROUTE 4
netlink-route-cmd-0 47
RTM_NEWLINK 8
RTM_NEWADDR 3
RTM_NEWROUTE 15
RTM_NEWNEIGH 2
RTM_[80] 19
netlink-xfrm-listen-0 0
netlink-xfrm-cmd-0 0
netlink-vnb-listen-0 3
VNB_C_DUMP 2
VNB_C_NEW 1
netlink-netfilter-conntrack-lis 3
IPCTNL_MSG_CT_NEW 3
netlink-audit-listen-0 34
AUDIT_[2] 1
AUDIT_[1300] 11
AUDIT_[1320] 11
AUDIT_NETFILTER_CFG 11
# daemonctl cmgrd show queue
Queue information
- sent: 98
- directly: 5
- in-queue: 0
- highest in-queue: 89
- has blocked: 0
- partially sent: 0
- errors: 0
- ev armed: 0
command_show_queue: address=0x1318920
current=0x7f7e5aba4000
chk_count=1
chk_total_count=1
obj_count=0
obj_total_count=191
obj_malloc_count=0
obj_ignored_free=0
next_free=0x7f7e5aba400c
# daemonctl cmgrd show modules
xfrm-migrate
vnb
# daemonctl cmgrd show interfaces
Interfaces list:
br0 vrfid 0 (ifindex: 15, ifuid: 0x42e9f282)
type: 6, subtype: 5, flags: 0x60, mtu: 1500
master_ifuid: 0x0, vnb_nodeid: 0x8
in_l_bond: no, blade_id: 254
eth1 vrfid 0 (ifindex: 11, ifuid: 0x33117022)
type: 6, subtype: 0, flags: 0x60, mtu: 1500
master_ifuid: 0x82f2e942, vnb_nodeid: 0x4
in_l_bond: no, blade_id: 254
fpn0 vrfid 0 (ifindex: 10, ifuid: 0x64247322)
type: 6, subtype: 0, flags: 0x63, mtu: 1500
master_ifuid: 0x0, vnb_nodeid: 0x3
in_l_bond: no, blade_id: 254
eth0 vrfid 0 (ifindex: 2, ifuid: 0x61a1e72)
type: 6, subtype: 0, flags: 0x63, mtu: 1500
master_ifuid: 0x0, vnb_nodeid: 0x2
in_l_bond: no, blade_id: 254
lo vrfid 0 (ifindex: 1, ifuid: 0x754c6fa8)
type: 24, subtype: 0, flags: 0x63, mtu: 65536
master_ifuid: 0x0, vnb_nodeid: 0x0
in_l_bond: no, blade_id: 254
Bridge interfaces list:
eth1 vrfid 0 (ifindex: 11, ifuid: 0x33117022)
type: 249, subtype: 0, master_ifuid: 0x82f2e942
# daemonctl cmgrd show sync-features
Cache manager uses FPM configuration
Features Status (enabled/disabled)
vxlan enabled
bridge enabled
gre enabled
vlan enabled
macvlan enabled
lag enabled
ebtables enabled
tunnel enabled
ipsec enabled
svti enabled
netfilter enabled
conntrack enabled
nat enabled
bpf disabled
multicast enabled
ipv6 enabled
Configuring HA IPsec dynamically
The synchronization of IPsec HA related information (IPsec SA sequence numbers) may be enabled or disabled dynamically without restarting the cache manager.
To display the current IPsec HA status, use the following command:
# daemonctl cmgrd ipsec ha show
IPsec High Availability disabled
To enable the support of IPsec HA:
# daemonctl cmgrd ipsec ha enable
To disable the support of IPsec HA:
# daemonctl cmgrd ipsec ha disable