
Add port configuration for applications behind KNI

Open cjdoucette opened this issue 4 years ago • 2 comments

Gatekeeper currently supports some Linux applications and services through the KNI:

  • ARP and ND, since Gatekeeper intercepts ARP/ND requests from the KNI and replies using the Gatekeeper L2 resolution cache
  • ICMP Ping (IPv4 and IPv6), since Gatekeeper passes ping replies to the KNI
  • BGP, since Gatekeeper passes BGP packets to the KNI

To support other tools and applications, we can add an option to the CPS block that allows the user to specify TCP and UDP ports. Packets that arrive at Gatekeeper on these ports should be passed to the KNI so that Linux applications can receive them. These ports should also have ntuple filters or ACL filters configured for them so that they can be steered to the CPS block.

This is basically a generalization of the way that BGP packets are handled.

cjdoucette, Mar 29 '21 14:03

An alternative solution would be to have filters for the IP addresses of Gatekeeper and forward to the KNI interfaces whatever Gatekeeper doesn't need.

AltraMayor, Jul 28 '21 15:07

Pull request #514 forwards all local TCP traffic to the KNI interfaces. The same cannot be done for UDP at this time because our current filter subsystem doesn't match the longest filter, so filtering all UDP packets conflicts with the filter of the GGU block.

AltraMayor, Jul 29 '21 19:07
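The UDP conflict described in the last comment, shown as an added example with a simplified classifier model (this is not Gatekeeper's code). Assumptions: the filter layout, the table-order tie-break used when no longest-match rule exists, and the GGU port number are all constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum block { BLK_NONE, BLK_KNI, BLK_GGU };
enum { PROTO_TCP = 6, PROTO_UDP = 17, ANY_PORT = 0 };
#define GGU_PORT_EXAMPLE 41000 /* constructed placeholder, not a real setting */

/* Hypothetical filter: protocol plus destination port (ANY_PORT = wildcard). */
struct filter { uint8_t proto; uint16_t dport; enum block dst; };

/* Constructed table: catch-all TCP and UDP to the KNI, plus GGU's UDP port. */
static const struct filter table[] = {
	{ PROTO_TCP, ANY_PORT, BLK_KNI },
	{ PROTO_UDP, ANY_PORT, BLK_KNI },
	{ PROTO_UDP, GGU_PORT_EXAMPLE, BLK_GGU },
};
#define TABLE_N (sizeof(table) / sizeof(table[0]))

static int matches(const struct filter *f, uint8_t proto, uint16_t dport)
{
	return f->proto == proto && (f->dport == ANY_PORT || f->dport == dport);
}

/* Assumed behaviour without longest match: first matching filter wins. */
enum block classify_first_match(const struct filter *t, size_t n,
				uint8_t proto, uint16_t dport)
{
	for (size_t i = 0; i < n; i++)
		if (matches(&t[i], proto, dport))
			return t[i].dst;
	return BLK_NONE;
}

/* Most-specific match: an exact-port filter beats a wildcard filter. */
enum block classify_most_specific(const struct filter *t, size_t n,
				  uint8_t proto, uint16_t dport)
{
	enum block best = BLK_NONE;
	int best_exact = -1;
	for (size_t i = 0; i < n; i++) {
		int exact = t[i].dport != ANY_PORT;
		if (matches(&t[i], proto, dport) && exact > best_exact) {
			best = t[i].dst;
			best_exact = exact;
		}
	}
	return best;
}

int main(void)
{
	printf("GGU packet, first match: %d, most specific: %d\n",
	       classify_first_match(table, TABLE_N, PROTO_UDP, GGU_PORT_EXAMPLE),
	       classify_most_specific(table, TABLE_N, PROTO_UDP, GGU_PORT_EXAMPLE));
	return 0;
}
```

In this model the catch-all TCP filter is safe because no other block has a TCP filter to shadow, while the catch-all UDP filter diverts the GGU packet to the KNI unless specificity is taken into account.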