
Improve netifyd network configuration #929

Closed
6 tasks done
gsanchietti opened this issue Nov 20, 2024 · 3 comments
Labels
verified All test cases were verified successfully

Comments

@gsanchietti
Member

gsanchietti commented Nov 20, 2024

In accordance with Netifyd guidelines, modify the Netifyd configuration file, to limit the number of interfaces to inspect.

Actually every local interface (physical or logical) is added to the netifyd internal_if parameter.
Keeping both physical and VLAN interfaces introduces redundancy and has a few negative impacts:

  • Wasted memory and CPU: A new thread is created for each interface, consuming more memory and CPU time to process duplicated flows.
  • Flow duplication: Since the VLAN ID is part of the flow hashing algorithm, the same flow appears differently on both physical and VLAN interfaces, leading to duplicates in memory. This could result in inaccurate or unexpected flow processing. Best practice suggests listening only on the physical interface.

The following interfaces must always be added to the netifyd configuration:

  • Physical Interfaces: Yes
  • VLAN: No, just the underlying physical device
  • Bond: Direct bond interface
  • Bridge: Direct bridge interface

Currently also VPN and hotspot interfaces are added to the netifyd configuration, but there are mixed feelings about having them in the netifyd configuration.

  • somebody doesn't like to have them because it means more CPU load to analyze flows
  • some others would like to have them so that we can see and record VPN traffic in the monitoring (e.g. a rw host is using NethSecurity as its gateway and it is doing a lot of traffic; we wouldn't see it at all if VPN interfaces are not managed).

Proposed changes:

  • keep current logic as default for VPN and Hotspot
  • add an option to exclude some devices, the option could be a list with glob matching, like: eth1, tun*, wg*.
  • do not expose the option inside the UI, but just document how to configure it
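The selection rules above (physical, bond and bridge added directly, VLANs collapsed onto their parent device, a glob exclusion list, and no duplicates) as an added Python example; this is not NethSecurity's own code, and the device record shape and type strings are assumptions modelled loosely on UCI network devices:

```python
from fnmatch import fnmatch

# Constructed sample of device definitions (assumption: one dict per device with
# "name", "type" and, for VLANs, the parent device in "ifname").
SAMPLE_DEVICES = [
    {"name": "eth0", "type": "physical"},
    {"name": "eth0.10", "type": "8021q", "ifname": "eth0"},   # VLAN on eth0
    {"name": "eth0.20", "type": "8021q", "ifname": "eth0"},   # second VLAN on eth0
    {"name": "br-lan", "type": "bridge"},
    {"name": "bond0", "type": "bonding"},
    {"name": "tunrw1", "type": "tun"},                        # OpenVPN roadwarrior
    {"name": "wg1", "type": "wireguard"},
]

VLAN_TYPES = {"8021q", "8021ad"}


def select_capture_devices(devices, exclude_globs=()):
    """Return the ordered, de-duplicated list of devices netifyd should listen on.

    Physical, bond and bridge devices are taken as-is; a VLAN is replaced by its
    underlying device so the same flow is not hashed twice (once per VLAN ID);
    names matching an exclusion glob such as 'tun*' or 'wg*' are dropped.
    Exclusions are matched against the resolved capture device name.
    """
    selected, seen = [], set()
    for dev in devices:
        if dev["type"] in VLAN_TYPES:
            name = dev.get("ifname")
            if not name:
                continue  # VLAN without a known parent: nothing to capture on
        else:
            name = dev["name"]
        if any(fnmatch(name, pattern) for pattern in exclude_globs):
            continue
        if name not in seen:  # uniqueness, first occurrence wins
            seen.add(name)
            selected.append(name)
    return selected


def netifyd_args(internal, external):
    """Build the argv netifyd is started with, mirroring the ps output format."""
    args = ["/usr/sbin/netifyd", "-R"]
    for name in internal:
        args += ["-I", name]
    for name in external:
        args += ["-E", name]
    return args


if __name__ == "__main__":
    print(" ".join(netifyd_args(select_capture_devices(SAMPLE_DEVICES, ["tun*", "wg*"]), ["eth1"])))
```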
@gsanchietti gsanchietti converted this from a draft issue Nov 20, 2024
@gsanchietti gsanchietti added this to the NethSecurity 8.5 milestone Nov 20, 2024
gsanchietti added a commit that referenced this issue Dec 3, 2024
Enhance interface filtering and ensure uniqueness in netifyd configuration

#929
@gsanchietti gsanchietti moved this from ToDo 🕐 to In Progress 🛠 in NethSecurity Dec 4, 2024
gsanchietti added a commit that referenced this issue Dec 5, 2024
Update exclusion logic and documentation for Netifyd

#929
@gsanchietti
Member Author

Testing image: 23.05.5-ns.1.3.0-92-g7ef1d292

@gsanchietti gsanchietti added the testing Packages are available from testing repositories label Dec 5, 2024
@gsanchietti gsanchietti assigned gsanchietti and unassigned stephdl Dec 5, 2024
@nethbot nethbot moved this from In Progress 🛠 to Testing in NethSecurity Dec 5, 2024
@gsanchietti
Member Author

Before adding the exclusion:

# uci show netifyd
netifyd.@netifyd[0]=netifyd
netifyd.@netifyd[0].enabled='1'
netifyd.@netifyd[0].autoconfig='0'
netifyd.@netifyd[0].exclude='tun*'
netifyd.@netifyd[0].internal_if='br-lan' 'eth0' 'tunrw1'
netifyd.@netifyd[0].external_if='eth1'

From ps command:

root     13954  0.1  1.1  15548 11936 ?        Sl   13:02   0:00 /usr/sbin/netifyd -R -I br-lan -I eth0 -I tunrw1 -E eth1

After added exclusion for tun*:

# uci show netifyd
netifyd.@netifyd[0]=netifyd
netifyd.@netifyd[0].enabled='1'
netifyd.@netifyd[0].autoconfig='0'
netifyd.@netifyd[0].ns_exclude='tun*'
netifyd.@netifyd[0].internal_if='eth0' 'br-lan'
netifyd.@netifyd[0].external_if='eth1'

From ps command:

root     14216  0.0  1.5  27456 16112 ?        Sl   13:04   0:00 /usr/sbin/netifyd -R -I eth0 -I br-lan -E eth1

@gsanchietti gsanchietti added verified All test cases were verified successfully and removed testing Packages are available from testing repositories labels Dec 5, 2024
@gsanchietti gsanchietti removed their assignment Dec 5, 2024
@nethbot nethbot moved this from Testing to Verified in NethSecurity Dec 5, 2024
@stephdl stephdl self-assigned this Dec 5, 2024
@gsanchietti
Member Author

Released on 23.05.5-ns.1.4.0

@github-project-automation github-project-automation bot moved this from Verified to Done ✅ in NethSecurity Dec 18, 2024