firezone/scripts/router
Thomas Eizinger 9cd25d70d8 ci: prevent packet reordering by router containers (#10328)
By default, RPS (Receive Packet Steering) is disabled on Linux, which
means the CPU handling the interrupt for an incoming packet also handles
the packet. Under high load, this can cause packet reordering in your
test setup where at least two routers are in the path between Client and
Gateway.

To ensure our test suite is deterministic, we enable RPS and set it to
1, meaning CPU 1 will always handle all packets.

Local testing has shown that this fixes the "packet counter too old"
warnings on the Gateway; instead, all packets arrive entirely in
order.

Source:
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/performance_tuning_guide/network-rps
2025-09-11 06:54:05 +00:00
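The RPS pinning the commit message describes, written out as a small shell helper. This is an added example, not the CI script the commit changes: the rps_cpus sysfs file of each RX queue takes a hexadecimal CPU bitmask (bit N selects CPU N), so the helper computes the mask for a CPU number and writes it to every RX queue of the named interfaces. The interface names follow the README's internal/internet convention; the CPU number is a parameter.

```shell
#!/bin/sh
# Added example, not the firezone CI script itself: pin Receive Packet
# Steering (RPS) for every RX queue of the given interfaces to a single CPU.
# Interface names follow the README's "internal"/"internet" convention;
# the CPU number is a parameter.
set -eu

# /sys/class/net/<if>/queues/rx-N/rps_cpus takes a hexadecimal CPU bitmask:
# bit N selects CPU N, so CPU 0 is mask "1", CPU 1 is mask "2", CPU 4 is "10".
rps_mask_for_cpu() {
  printf '%x\n' "$((1 << $1))"
}

# List the rps_cpus files of all RX queues of an interface (empty if the
# interface does not exist or the kernel lacks RPS).
rps_queue_files() {
  for f in /sys/class/net/"$1"/queues/rx-*/rps_cpus; do
    [ -e "$f" ] && printf '%s\n' "$f"
  done
  return 0
}

# Steer all receive processing of an interface onto one CPU.
enable_rps() {
  iface="$1"; cpu="$2"
  mask="$(rps_mask_for_cpu "$cpu")"
  rps_queue_files "$iface" | while read -r f; do
    echo "$mask" > "$f"
  done
}

# Usage: sh rps.sh 1 internal internet   (requires root inside the container)
if [ "$#" -ge 2 ]; then
  cpu="$1"; shift
  for iface in "$@"; do
    enable_rps "$iface" "$cpu"
  done
fi
```

Writing to rps_cpus needs root (or CAP_NET_ADMIN plus a writable sysfs) inside the container, and the setting is per queue, so a multi-queue interface must have every rx-N entry written, which is why the helper iterates rather than touching rx-0 only.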

Router

This container acts as a simple router, like those found on the public Internet. By default, no inbound traffic is allowed, except for:

  • responses to connections that were initiated from the internal side
  • explicitly configured port forwards

The router uses nftables to enforce these rules.

We also make several assumptions about the docker-compose setup we run in:

  • The network interface facing the container behind the router must be called internal
  • The network interface facing the public side must be called internet
  • IPv4 and IPv6 must be available on both interfaces
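The policy above, written out as an nftables ruleset in a shell wrapper. This is an added example and not the project's own router script: it assumes the README's interface names internal and internet, and the forwarded port (TCP 8080 on the internet side to port 80 on 10.0.0.2 and fd00::2) as well as the masquerade rule are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the firezone project's own router script: an nftables
# ruleset implementing the policy described in the README. The interface
# names "internal" and "internet" come from the README; the forwarded port
# (TCP 8080 on the internet side to port 80 on 10.0.0.2 / fd00::2) is a
# constructed illustration, as is the optional masquerade rule.
set -eu

INTERNAL_IF="${INTERNAL_IF:-internal}"
INTERNET_IF="${INTERNET_IF:-internet}"
FORWARD_PORT="${FORWARD_PORT:-8080}"
TARGET_V4="${TARGET_V4:-10.0.0.2}"
TARGET_V6="${TARGET_V6:-fd00::2}"
TARGET_PORT="${TARGET_PORT:-80}"

# Print the ruleset. A single "inet" table covers IPv4 and IPv6 at once,
# which is what the dual-stack assumption on both interfaces requires.
router_ruleset() {
  cat <<EOF
flush ruleset

table inet router {
  chain input {
    type filter hook input priority filter; policy drop;
    iifname "lo" accept
    ct state invalid drop
    ct state established,related accept
    # Without ICMPv6 the router cannot do neighbour discovery and IPv6
    # forwarding silently breaks; ICMP is kept for the same reason on v4.
    meta l4proto { icmp, ipv6-icmp } accept
  }

  chain forward {
    type filter hook forward priority filter; policy drop;
    ct state invalid drop
    # Replies to connections that were initiated from the internal side.
    ct state established,related accept
    # New connections may only originate on the internal side ...
    iifname "$INTERNAL_IF" oifname "$INTERNET_IF" accept
    # ... or arrive through an explicit port forward (DNAT in prerouting).
    iifname "$INTERNET_IF" oifname "$INTERNAL_IF" ct status dnat accept
  }

  chain prerouting {
    type nat hook prerouting priority dstnat; policy accept;
    iifname "$INTERNET_IF" meta nfproto ipv4 tcp dport $FORWARD_PORT dnat ip to $TARGET_V4:$TARGET_PORT
    iifname "$INTERNET_IF" meta nfproto ipv6 tcp dport $FORWARD_PORT dnat ip6 to [$TARGET_V6]:$TARGET_PORT
  }

  chain postrouting {
    type nat hook postrouting priority srcnat; policy accept;
    # Constructed assumption: hide internal addresses behind the router.
    # Drop this chain if the router should forward without NAT.
    oifname "$INTERNET_IF" masquerade
  }
}
EOF
}

# Load the ruleset atomically and turn on forwarding for both families.
apply_ruleset() {
  sysctl -q -w net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1
  router_ruleset | nft -f -
}

case "${1:-}" in
  apply) apply_ruleset ;;
  *) router_ruleset ;;
esac
```

Without arguments the script prints the ruleset for review; with apply it enables forwarding and loads it through nft -f -, which replaces the whole ruleset in one transaction so there is never a window with a half-applied policy. The forward chain is the part that enforces the README's two exceptions: established/related covers replies to connections opened from inside, and ct status dnat admits only packets that matched an explicit port forward in prerouting. The ICMPv6 accept in the input chain is the caveat most often missed: dropping neighbour discovery on the router itself breaks IPv6 on both interfaces even though the forward chain looks correct.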