Advanced dynamic routing with external program

Question

I need to build a system in which i am able to route packets based on a number of parameters, such as port/protocol etc, which are somehow "normal", but also on other aspects, such as queue length, and other external factors. My router is composed of 2 internal interfaces (802.11) and two external interfaces (one ADSL, one LTE). So I would like to examine each packet through an external program, and decide on what interface it should be routed.

I took a look at iproute2, but I didn't found any method to pass each packet to an external program, or somehow dynamically choose the route for each packet.

So the question: what is the best way to do this? Are there already tools that go in this direction, or should i rely on something made by myself, and passing the packet through linux standard tools?

Answer 1

Netfilter (iptables) has queue module to send frames to a userspace program. Libraries for different languages (c, python, perl, etc...) are available to examine packets. After processing a frame you will return an ACCEPT or DROP verdict, the original or modified frame, and an option to set a mark.

My guess that you can use the mark to handle this packet differently in the rest of the netfilter chain and change a routing mark to choose a specific routing table.

This would be a more elegant solution than very low level device handling but may be a performance issue depending on the choice of your userspace implementation.

I have used this in another project to modify incoming DHCP frames from a broken client but never used the mark.

Answer 2

Userspace routing can be achieved by pointing a default route at a tun device, and having a userspace program examine each received packet. It's an inefficient and brittle approach, but it has been made to work — there was an AODVv2 implementation that worked that way, due to Henning Rogge.

The other option, of course, is to implement your routing protocol within the kernel — most implementations of AODV/DYMO/AODVv2 work that way.

Before embarking on this kind of task, I would recommend considering carefully whether you need to make routing decisions for each individual packet; if possible, a better approach is to manipulate the routing tables dynamically while leaving the actual forwarding to the kernel. An example of what can be achieved using this approach is given in this draft paper. (Disclaimer: I'm a co-author.)

Answer 3

What kind of hardware are you using? It sounds like you might be working on an embedded device, in which case you should probably go with the netfilter option. But if you have more resources at your disposal, you should consider using OVS (http://openvswitch.org/), which is the de-facto open source standard for software defined networking.

Software defined networking has the concept of "data plane" vs. "control plane." Packets travel between physical/virtual switches in the data plane. In the control plane, your software sends instructions to switches for how to forward packets through the data plane.

You can set up OVS in a container and treat it as a ToR (top of router) switch for your system. Route all incoming packets to OVS, and let it decide what to do with them. Your software sends openflow instructions to the switch.

Here are some resources to get you started:

• Blog about containers/ovs, from a chief LXC contributor:
  • http://blog.scottlowe.org/2013/11/26/lxc-open-vswitch-and-gre-tunnels/
• Tutorial for pox, a python API for openflow programming:
  • http://sdnhub.org/tutorials/pox/
• Tutorial for setting up a test lab using mininet and simple openflow rules:
  • https://github.com/mininet/openflow-tutorial/wiki

Good luck!