RouterOS FastTrack

Last updated: 2016-04-14

 

 


Linux Fasttrack

 

Fast path allows packets to be forwarded without additional processing in the Linux kernel.

Traffic that belongs to a fast-tracked connection travels in FastPath,

  which means that it will not be visible to the router's other L3 facilities
  (firewall, queues, IPsec, IP accounting, VRF assignment, etc.).

More than 5x performance improvement compared to regular slow-path conntrack/NAT.

Any packet processing can be broken into:

  • CP (Control path)
  • DP (Data path)

There are different types of fastpath implementations in the industry today.

    * ASIC-based fastpath implementations.

    * Network-processor-based fastpath implementation

    * Control plane and data plane with some cores running CP and
      some cores running Bare Metal DP or executive fastpath.

    * Linux-network-driver-based fastpath for devices that use Linux SMP.

In a typical network-processing application, there can be thousands of flows. All flows are created equal.

After the initial setup/verification, most of these flows require simple and deterministic processing.

By recognizing and caching such flows and processing such packets in a separate highly optimized context,

these flows can be put on a fasttrack.

 


RouterOS Fasttrack

 

* ipv4 fasttrack fastpath - accelerates connection tracking and nat for marked connections (automatically)

* currently limited to TCP/UDP only;

* more than 5x performance improvement compared to regular slow path conntrack/nat

* added "fasttrack-connection" firewall action in filter/mangle tables for marking connections as fasttrack;

* added fastpath support for bridge interfaces - packets received and transmitted on bridge interface can go fastpath;

# At the top of the Firewall Filter

# Use firewall action "fasttrack-connection" to mark connections for FastTrack.

/ip firewall filter

add chain=forward action=fasttrack-connection connection-state=established,related \
    comment="fasttrack established/related"

add chain=forward action=accept connection-state=established,related \
    comment="accept established/related"

add chain=forward action=drop connection-state=invalid

Note:

[Rule 1]

established/related connections go to "fasttrack"

 - All packets that go FastTrack

   will not be visible in the firewall, and you will not be able to limit them in queue global.

[Rule 2]

To maintain connection tracking entries, some random packets will still be sent to the slow path.

 - Not all packets in a connection can be FastTracked, even though the connection is marked for FastTrack.
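
An added example (not part of the original page and not MikroTik code): a small Python audit of a RouterOS /export that checks the two notes above. The sample export, the made-up simple queue, the finding codes and the function names are assumptions of this example; continuation lines are assumed to end in a backslash, as in the rules above.

```python
import re

# Constructed sample: this page's filter rules in /export form, plus one
# made-up simple queue so the audit has something to report.
SAMPLE_EXPORT = r'''/ip firewall filter
add chain=forward action=fasttrack-connection connection-state=established,related \
    comment="fasttrack established/related"
add chain=forward action=accept connection-state=established,related \
    comment="accept established/related"
add chain=forward action=drop connection-state=invalid
/queue simple
add name=office target=192.168.88.0/24 max-limit=10M/10M
'''

# Menus whose processing a fast-tracked packet never reaches (per the page).
BYPASSED = {'/queue simple': 'bypasses-queues', '/queue tree': 'bypasses-queues',
            '/ip ipsec policy': 'bypasses-ipsec'}

def parse_export(text):
    """Return {menu: [{param: value}, ...]} for the 'add' lines of an export."""
    text = re.sub(r'\\\r?\n[ \t]*', '', text)  # join backslash-continued lines
    menus, menu = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith('/'):
            menu = line
            menus.setdefault(menu, [])
        elif line.startswith('add ') and menu:
            pairs = re.findall(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)', line)
            menus[menu].append({k: v.strip('"') for k, v in pairs})
    return menus

def audit_fasttrack(text):
    """Return sorted (filter rule index, finding code) pairs."""
    menus = parse_export(text)
    rules = menus.get('/ip firewall filter', [])
    findings = set()
    for i, rule in enumerate(rules):
        if rule.get('action') != 'fasttrack-connection':
            continue
        # Packets of a fast-tracked connection that still take the slow path
        # need a later accept with the same chain and connection-state.
        if not any(r.get('action') == 'accept'
                   and r.get('chain') == rule.get('chain')
                   and r.get('connection-state') == rule.get('connection-state')
                   for r in rules[i + 1:]):
            findings.add((i, 'no-slowpath-accept'))
        # A rule with no matcher beyond connection-state fast-tracks everything.
        if not set(rule) - {'chain', 'action', 'connection-state', 'comment'}:
            findings.update((i, c) for m, c in BYPASSED.items() if menus.get(m))
    return sorted(findings)
```

On the sample, the only finding is that the unscoped fasttrack rule at index 0 takes traffic past the configured simple queue.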

 


Linux Implementation

 

application-specific fastpath (ASF)

All the packets entering the system are forwarded from an Ethernet driver to ASF module.

* accelerates packet processing for the most commonly used functions:

  • IPv4 forwarding
  • NAT
  • firewall
  • IPsec
  • QoS

 


 

 

 

 
