This talk shows how to implement application-based routing on a common Linux distribution. We use nDPI to perform the DPI step that classifies each packet by application, use the Linux kernel's built-in packet mark (fwmark) to carry that classification from user space into kernel space, and then let the policy routing system use the mark to send the packet to a different destination or out a different interface.
5. SD-WAN
Create a virtual-overlay to abstract underlying private/public WAN connections
LTE
MPLS
Wifi
Fiber
Route WAN traffic along the best route
Latency
QoS
6. SD-WAN
Managed by a centralized controller
Remotely program edge devices and reduce provisioning times.
Minimizing the need to manually configure network devices
Security
IPSec
Firewall
43. LINUX ROUTING TABLE
echo 201 hwchiu.test >> /etc/iproute2/rt_tables
Use ip rule to manipulate the lookup order of tables.
ip rule add fwmark 10 table 201
ip rule add from 140.113.235.234 fwmark 25 table 202
ip rule show
44. LINUX ROUTING TABLE
Use ip route add to add the routing rule into table.
ip route add default via 10.0.2.2 dev enp0s3 table 201
48. PERFORMANCE
All packets with the same L3/L4 tuple belong to the same connection (mostly).
We don't need to inspect every packet to know its application.
Just pass the packets of still-unknown connections to the nDPI engine.
49. PERFORMANCE
Use CONNMARK to set the mark on the connection tracking entry.
Save the mark carried by the packet's sk_buff into the conntrack entry:
iptables -t mangle -j CONNMARK --save-mark
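As an added example (not code from the talk), the following POSIX shell script emits the commands that tie slides 43-44 and 48-49 together: one routing table and rule per application mark, plus the CONNMARK restore/save pair that keeps already-classified flows away from the DPI engine. The mark, table id and name, gateway, interface and queue number are placeholders, and NFQUEUE is assumed as the hand-off of unclassified packets to the user-space nDPI process, since the slides name no mechanism.

```shell
#!/bin/sh
# Added example, not from the slides: generate the policy-routing and
# connmark rules for one application class (an nDPI category that the
# user-space engine maps to a fwmark value).
# Assumptions: mark, table id/name, gateway, interface and queue number are
# placeholders; NFQUEUE is assumed as the path that hands unclassified
# packets to the user-space nDPI process (the slides name no mechanism).
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them (as root).
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# setup_app_route MARK TABLE_ID TABLE_NAME GATEWAY IFACE   (slides 43-44)
setup_app_route() {
    mark="$1"; table="$2"; name="$3"; gw="$4"; dev="$5"
    # Register the named table once (skip if the id is already present)
    run sh -c "grep -q '^$table ' /etc/iproute2/rt_tables || echo '$table $name' >> /etc/iproute2/rt_tables"
    # Packets carrying this fwmark are looked up in the dedicated table
    run ip rule add fwmark "$mark" table "$table"
    # That table's only entry: a default route out of the chosen WAN link
    run ip route add default via "$gw" dev "$dev" table "$table"
}

# setup_connmark_pipeline QUEUE_NUM   (slides 48-49, forwarded traffic)
setup_connmark_pipeline() {
    queue="$1"
    # Before routing: copy the conntrack entry's saved mark onto the packet
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    # Still 0 => flow not classified yet: only these reach the nDPI engine,
    # which sets the fwmark in its verdict (NFQUEUE is a terminating target,
    # so later rules of this chain are not evaluated for queued packets)
    run iptables -t mangle -A PREROUTING -m mark --mark 0 -j NFQUEUE --queue-num "$queue"
    # After routing: persist the packet's mark into the conntrack entry so the
    # rest of the connection is marked by --restore-mark without any DPI
    run iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
}

# Stand-alone run with the slides' sample values (printed, not executed)
setup_app_route 10 201 hwchiu.test 10.0.2.2 enp0s3
setup_connmark_pipeline 0
```

Run with `DRY_RUN=0` on a router with nDPI listening on the chosen queue; the `from <src>` variant on slide 43 can be added the same way by passing an extra selector to `ip rule add`.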