Henry Du Blog

Reading Notes: Netfilter and iptables Netfilter is firewalling subsystem in the Linux kernel as a modular[1]. For example, some fields are included in the sk_buf data structure only if the kernel is compiled with support for Netfilter feature. struct sk_buff is defined in linux/include/skbuff.h. There is a well defined document on the top of the file. It include the netfilter common header file #if IS_ENABLED(CONFIG_NF_CONNTRACK) #include <linux/netfilter/nf_conntrack_common.h>#endif Firewalling, essentially, hooks into certain places in the network stack code that packets always pass through when the packets or the kernel meet certain conditions.

Golang Inversion of Control IoC Introduction Inversion of Control (IoC) is a programming design pattern which follows Dependency Inversion principle (DIP). It achieves decoupling the control logic and business logic. For instance, we normally will add control logic in the business logic, because it is very common in terms of human beings thinking logic. For example, we may add toggle-switch object when implement light bulb. We may also implement customized toggle-switch when making another electric device.

Golang Decorator Pattern Decorator pattern is the one of twenty-three well-known design patter from Gang of Four design patterns. It is categorized in structural design pattern, along with Adapter pattern, Proxy pattern etc. The decorator pattern allows behavior to be added to an individual object, dynamically, without affecting the behavior of other objects from the same class. It tries to resolve the problem that single responsibility, following the Single Responsibility Principle, should be added to or removed from an object dynamically at run-time.

Cross-host Container Networks - VXLAN mode VXLAN We have reviewed the UDP mode of cross-host container networks. We realized that there will be a performance issue because the IP packets have to be processed by the user space application. VXLAN allows us to handle the encapsulation/decapsulation in Linux kernel space. Virtual Extensible LAN a.k.a VXLAN (RFC7348) is supported by Linux kernel. It is able to encapsulate the IP packets by another layer and construct the overlay networks like the UDP tunnel does.

Cross-host Container Networks - UDP mode In the previous article, we walked through containers network in one Linux host. However, by default Docker configuration, one container is unable to communicate with the other container in different host. In order to solve cross-host container communication problem, there are many solutions. We will go through some of them one by one. First and very famous one is Flannel CNI. Flannel CNI Flannel CNI project is the one of the projects developed by CoreOS.