
Is it feasible to use mysql for policy storage

Open ShawnLeung87 opened this issue 1 year ago • 3 comments

If you want to use mysql to store the corresponding policy records, after each update of mysql, use update_gt_lua_states to refresh policy.lua. Is it possible to load a new strategy?

ShawnLeung87 avatar Jul 07 '22 06:07 ShawnLeung87

It is feasible, but without an understanding of what you want to build, I can't be specific. My comments below are a big picture of what I see in this problem space.

If you make a policy to query a database for each flow being established or renewed, you'll have two potential problems: reliability and speed. If the database is not available for any reason, you'd bring the protected network down. Even if reliability is addressed, the speed problem would still be there. A Grantor server using LPM tables typically makes a policy decision in microseconds. A database query would easily bring this time to milliseconds. That is, one would need more Grantor servers and/or to work their code out to better deal with the high waiting time on queries.

A way to circumvent both these problems is to patch Drib, so it can synchronize with your database, and let it do the updating of your Grantor servers. This way, if the database is offline, your Grantor servers would rely on the freshest information that they have. And the policy decisions would still be in microseconds. This solution is analogous to what is typically done with authoritative DNS servers in production.

AltraMayor avatar Jul 07 '22 15:07 AltraMayor

My idea is that the program automatically adds, deletes, modifies and checks policy.lua, and adds or deletes the corresponding policy. Is it feasible? My scenario is to flexibly read the corresponding bpf group parameter for the destination address.

ShawnLeung87 avatar Jul 12 '22 12:07 ShawnLeung87

Yes, it's feasible.

AltraMayor avatar Jul 12 '22 13:07 AltraMayor
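The design sketched in the thread (a synchroniser that pulls policy rows from the database, turns them into a prefix table the policy can consult in microseconds, and keeps serving the last good snapshot when the database is down) can be prototyped in a few dozen lines. The example below is added here and is not code from Gatekeeper or Drib. It assumes a table `policy(prefix, bpf_group)` where `bpf_group` is a hypothetical column name for the per-destination parameter from the second question, uses an in-memory SQLite database as a stand-in for MySQL with constructed rows, and renders a Lua table literal rather than calling `update_gt_lua_states`, which is Gatekeeper's own mechanism and not reproduced here.

```python
import ipaddress
import sqlite3
from typing import Callable, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Entry = Tuple[Network, int]

# Constructed sample rows standing in for the MySQL policy table.
# 'bpf_group' is a hypothetical column for the per-destination parameter.
SAMPLE_ROWS = [
    ("10.0.0.0/8", 1),
    ("10.20.0.0/16", 3),    # more specific than 10.0.0.0/8; LPM must prefer it
    ("192.0.2.0/24", 2),
    ("2001:db8::/32", 4),
]


def make_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for the MySQL database in the question."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE policy (prefix TEXT PRIMARY KEY, bpf_group INTEGER NOT NULL)")
    conn.executemany("INSERT INTO policy VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def unavailable_db() -> sqlite3.Connection:
    """Connector that simulates a database outage."""
    raise sqlite3.OperationalError("database unreachable")


class PolicySync:
    """Drib-like synchroniser: the database is read out of band, never per flow.

    refresh() replaces the snapshot only with a complete, validated batch;
    any failure (outage or malformed row) leaves the previous snapshot in
    service, which is the fail-safe behaviour described in the thread.
    """

    def __init__(self, connect: Callable[[], sqlite3.Connection]):
        self._connect = connect
        self.snapshot: List[Entry] = []   # last known good policy, longest prefix first
        self.generation = 0               # bumps on every successful refresh

    def refresh(self) -> bool:
        try:
            rows = self._connect().execute(
                "SELECT prefix, bpf_group FROM policy").fetchall()
        except sqlite3.Error:
            return False                  # outage: keep serving the old snapshot
        parsed: List[Entry] = []
        try:
            for prefix, group in rows:
                # strict=True rejects prefixes with host bits set, e.g. 10.1.0.0/8
                parsed.append((ipaddress.ip_network(prefix, strict=True), int(group)))
        except ValueError:
            return False                  # one bad row rejects the whole batch
        parsed.sort(key=lambda e: e[0].prefixlen, reverse=True)
        self.snapshot = parsed
        self.generation += 1
        return True

    def lookup(self, dst: str) -> Optional[int]:
        """Longest-prefix match, the decision a Grantor makes from its local table."""
        addr = ipaddress.ip_address(dst)
        for net, group in self.snapshot:  # sorted longest prefix first
            if addr in net:               # False across IPv4/IPv6 versions
                return group
        return None

    def render_lua(self) -> str:
        """Emit the snapshot as a Lua table literal a policy file could load."""
        lines = ["return {"]
        for net, group in self.snapshot:
            lines.append(
                f'  {{ prefix = "{net.network_address}", len = {net.prefixlen}, '
                f"bpf_group = {group} }},")
        lines.append("}")
        return "\n".join(lines)


if __name__ == "__main__":
    conn = make_sample_db()
    sync = PolicySync(lambda: conn)
    sync.refresh()
    print(sync.render_lua())
    print("10.20.5.5 ->", sync.lookup("10.20.5.5"))
    sync._connect = unavailable_db        # simulate the database going away
    print("refresh during outage:", sync.refresh(), "still serving:", sync.lookup("10.20.5.5"))
```

In production the refresh would run on a timer in the synchroniser, and the rendered table would be pushed to the Grantor servers with whatever reload mechanism the deployment uses; the policy itself never touches the database on the data path.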