Tuesday January 20, 2009
Crossbow flows are one of the new features introduced by Project Crossbow. The important
aspects of flows are 1) how a packet is classified into a flow, 2) what
happens once it has been classified, and 3) how you can keep track of the
flows' traffic.
Flow classification is straightforward: it follows from the attributes
given when the flow is created with flowadm(1M).
# flowadm add-flow -l <link> -a <attribute> -p <property> <flowname>

# flowadm add-flow -l vnic1 -a local_ip=10.1.1.1 flow1
# flowadm add-flow -l vnic1 -a local_ip=10.1.1.2 flow2
# flowadm add-flow -l vnic1 -a local_ip=10.1.1.3 flow3

# flowadm add-flow -l vnic2 -a remote_ip=192.168.0.4 flow4
# flowadm add-flow -l vnic2 -a remote_ip=192.168.0.5 flow5
# flowadm add-flow -l vnic2 -a remote_ip=192.168.0.6 flow6

# flowadm add-flow -l e1000g0 -a transport=tcp flowtcp
# flowadm add-flow -l e1000g0 -a transport=udp flowudp
# flowadm add-flow -l e1000g0 -a transport=sctp flowsctp

# flowadm add-flow -l nxge3 -a transport=tcp flowtcp
# flowadm add-flow -l nxge3 -a transport=tcp,port=80 flowhttp
# flowadm add-flow -l nxge3 -a transport=tcp,port=23 flowtelnet

# flowadm add-flow -l bge1 -a dsfield=0x3/0xff flowds3
# flowadm add-flow -l bge1 -a dsfield=0x4/0xff flowds4
# flowadm add-flow -l bge1 -a dsfield=0x5/0xff flowds5

Invalid Flows

# flowadm add-flow -l vnic1 -a local_ip=10.1.1.1 flow1
# flowadm add-flow -l vnic1 -a local_ip=10.1.1.2 flow1
(flows must have unique names)

# flowadm add-flow -l etherstub1 -a local_ip=10.1.1.1 flow1
(flows can't be created on etherstubs)

# flowadm add-flow -l vnic1 -a local_ip=10.1.1.1,remote_ip=192.168.0.4 flow1
(cannot have more than 1 type of attribute for one flow)

# flowadm add-flow -l vnic1 -a local_ip=10.1.1.1 flow1
# flowadm add-flow -l vnic2 -a remote_ip=192.168.0.4 flow4
(cannot have different types of attributes on different flows on one link)

( Jan 20 2009, 04:18:07 PM PST )
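The four restrictions in the post above can be checked against a planned set of flows before any flowadm command is run. The script below is an added example, not part of the original post or of Crossbow; the input format, the function names and the grouping of transport with transport,port as one attribute type (inferred from the nxge3 examples) are assumptions.

```sh
# attr_type: classify a flow's attribute list. Assumption taken from the page's
# examples: transport=X and transport=X,port=N are one type; local_ip and
# remote_ip are different types.
attr_type() {
    keys=$(printf '%s\n' "$1" | tr ',' '\n' | sed 's/=.*//' | sort -u | tr '\n' ' ')
    case "$keys" in
        "local_ip ")  echo local_ip ;;
        "remote_ip ") echo remote_ip ;;
        "transport "|"port transport ") echo transport ;;
        "dsfield ")   echo dsfield ;;
        *)            echo mixed ;;
    esac
}

# check_flows "<etherstub names>": read "<link> <attributes> <flowname>" lines
# on stdin and print one verdict per planned flow.
check_flows() {
    stubs=" $1 " names=" " linktypes=" "
    while read -r link attrs name; do
        kind=$(attr_type "$attrs")
        case "$stubs" in *" $link "*)
            echo "REJECT $name: $link is an etherstub"; continue ;;
        esac
        case "$names" in *" $name "*)
            echo "REJECT $name: flow name already in use"; continue ;;
        esac
        if [ "$kind" = mixed ]; then
            echo "REJECT $name: more than one attribute type"; continue
        fi
        case "$linktypes" in
            *" $link:$kind "*) ;;   # link already carries this type
            *" $link:"*)
                echo "REJECT $name: $link has flows of another type"; continue ;;
            *) linktypes="$linktypes$link:$kind " ;;
        esac
        names="$names$name "
        echo "OK $name"
    done
}

# Constructed plan; etherstub1 is the only etherstub in this sample.
check_flows "etherstub1" <<'EOF'
vnic1 local_ip=10.1.1.1 flow1
vnic1 local_ip=10.1.1.2 flow1
etherstub1 local_ip=10.1.1.1 flow2
vnic1 local_ip=10.1.1.3,remote_ip=192.168.0.4 flow3
vnic1 remote_ip=192.168.0.4 flow4
nxge3 transport=tcp,port=80 flowhttp
EOF
```

A rejected flow is not recorded, so its name and attribute type stay available to later lines in the plan.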
Packet Filtering @ Sun
I've been at Sun for about 8 years now and nearly all of them have been working on packet filtering. That's got to be a record of some sort. From SunScreen SPF to Solaris IP Filter, stealth to pfil, standalone product to part of the OS, it's been an interesting ride.
Most recently, I worked with Darren Reed and others to integrate his excellent firewall package, IP Filter, into Solaris 10. In the following weeks, I hope to shed some light on the changes we made (and why) as well as how it compares to SunScreen.
( Jun 06 2005, 03:14:06 PM PDT )