§ 7.1 – 7.16 Linux Network Stack — Sockets to BGP

1. First packet: NIC fires hard IRQ → IRQ handler disables NIC RX interrupt + calls napi_schedule()
2. Softirq net_rx_action() runs on the same CPU, calls napi.poll(quota)
3. Driver processes up to quota descriptors per poll — builds one sk_buff per packet
4. If work < quota → ring drained → call napi_complete_done() → re-enable NIC interrupt → back to interrupt-driven
5. If work == quota → ring may still have more → softirq re-schedules poll (no interrupt re-arm)

1. Create root htb qdisc on eth0: tc qdisc add dev eth0 root handle 1: htb default 10
2. Add per-VM class: tc class add dev eth0 parent 1: classid 1:1 htb rate 400mbit ceil 1000mbit
3. Attach leaf qdisc (fq_codel for AQM): tc qdisc add dev eth0 parent 1:1 handle 10: fq_codel
4. Attach filter to steer VM packets to the class: tc filter add dev eth0 ... match ip src 10.0.0.5 classid 1:1

1. First packet hits POSTROUTING hook; nf_nat module sees no existing entry
2. nf_nat_get_unique_tuple() picks an ephemeral port (1024–65535) not already used by another conn
3. Kernel rewrites skb src IP + src port; updates IP/TCP checksums
4. Stores original ↔ NATted tuple pair in nf_conn
5. Reply arrives with dst = NATted port; conntrack lookup finds the entry; reverse rewrite restores original dst

When a route becomes unreachable, RIP routers may advertise stale hop counts back to each other, incrementing forever until max (16 = infinity). Mitigations: split horizon (never advertise a route back out the interface it was learned on), poison reverse (advertise with metric 16 back on that interface — faster convergence), and triggered updates (send immediately on topology change rather than waiting 30 s).

During VM live migration, the destination hypervisor needs to attract traffic for the migrated VM's IP without waiting for ARP to age out on every ToR switch. The hypervisor runs a BIRD BGP daemon that announces the VM's /32 host route to the ToR via iBGP/eBGP. The ToR installs a more-specific /32 that overrides the /24 subnet route, redirecting traffic immediately. After migration completes, the source hypervisor withdraws its announcement.

head/end bound the allocated buffer (never move). data points to the start of current packet data; tail to the end. Headroom (head→data) is reserved for TX header prepending via skb_push(). skb_shared_info lives at end for scatter-gather fragments and GSO metadata.

NAPI switches from per-packet hard IRQs to a polling model under load. The first packet triggers a hard IRQ; the handler disables NIC RX interrupts and schedules a softirq poll. The poll processes up to budget packets per call. When the ring drains, the NIC interrupt is re-armed. This amortizes interrupt overhead: at 14 Mpps, per-packet IRQs would consume 100% CPU in interrupt context.

write()/sendmsg() → tcp_sendmsg() (segments, adds TCP header) → ip_queue_xmit() (IP header + route lookup) → dev_queue_xmit() (enqueue to qdisc) → qdisc dequeues → ndo_start_xmit() (driver fills TX ring descriptor) → NIC DMA reads descriptor + payload → TX complete interrupt frees skb.

skb_clone() creates a new sk_buff header pointing to the same data buffer (users++ on shared_info). Zero cost but cloned skb data is read-only. skb_copy() allocates a completely new buffer and copies all data — required before in-place modification (e.g., NAT IP rewrite). pskb_copy() copies the linear area but shares frags[].

HTB builds a class hierarchy. Each leaf class has a rate (guaranteed) and ceil (burst). The dequeue path walks the hierarchy, selects the class with the earliest eligible packet by virtual time (deficit round-robin at each level). A class below rate borrows tokens from its parent up to ceil when the parent has surplus. This ensures minimum guaranteed bandwidth while allowing burst into idle capacity.

ip_rcv_finish() calls ip_route_input_noref() which performs a FIB lookup. If the destination matches a local address the dst.input is set to ip_local_deliver(). If IP forwarding is enabled and the route is to a remote host, dst.input is ip_forward(). ip_forward() decrements TTL, checks MTU (fragments if needed), then calls ip_output() to re-enter the TX path.

LPM (Longest Prefix Match) returns the routing entry whose prefix is the most specific match for a given destination IP. Linux uses an LC-trie (level-compressed trie) called fib_trie. Internal tnodes index into child arrays using multi-bit slices of the address; leaves hold fib_alias entries. Compression reduces the average lookup depth from 32 to 4–6 steps even with 800K BGP routes.

NUD (Neighbour Unreachability Detection) tracks MAC→IP cache validity: INCOMPLETE (waiting for reply) → REACHABLE (confirmed) → STALE (timer expired) → DELAY (wait for upper-layer confirmation) → PROBE (send unicast ARP) → FAILED (drop). Gratuitous ARP is an ARP request where sender IP = target IP — it announces IP ownership, updates neighbour caches on peers, and detects IP conflicts. Used heavily for VIP failover in virtual switches.

Client: tcp_v4_connect() sends SYN, state→SYN_SENT. Server: tcp_v4_rcv()→tcp_rcv_state_process() receives SYN in LISTEN, allocates request_sock, sends SYN-ACK, state→SYN_RECEIVED. Client receives SYN-ACK, sends ACK, state→ESTABLISHED. Server: receives ACK, calls tcp_v4_syn_recv_sock()→tcp_create_openreq_child(), state→ESTABLISHED, wakes accept().

SYN cookies encode all connection state (src/dst IP, ports, MSS index, timestamp) in the initial sequence number. The server sends SYN-ACK without allocating any backlog entry. When the client's ACK arrives, the server decodes ack_num-1 and verifies the hash — if valid, creates the socket. This eliminates the SYN backlog as an attack surface. Tradeoff: TCP options like SACK and window scaling may not be negotiated, slightly reducing throughput.

Slow start: begin with cwnd=1 MSS, double cwnd each RTT (exponential growth) until cwnd reaches ssthresh, then switch to congestion avoidance (+1 MSS/RTT, linear). Fast retransmit: 3 duplicate ACKs indicate a lost segment without waiting for RTO; retransmit immediately, set ssthresh=cwnd/2, cwnd=ssthresh (fast recovery). RTO timeout is more severe: ssthresh=cwnd/2 and cwnd=1, restarting slow start.

Forwarded path: PREROUTING (conntrack, DNAT) → routing decision → FORWARD (firewall rules) → POSTROUTING (SNAT/masquerade). For locally destined packets: PREROUTING → INPUT → local socket. For locally generated packets: OUTPUT → routing → POSTROUTING. nftables and iptables both register callbacks at these same NF_INET_* hook points.

nf_nat_get_unique_tuple() tries the original port first; if it is already used by another conntrack entry (same dst IP:port), it iterates through the configured port range (1024–65535 by default) hashing through the range until it finds one where no nf_conn with the same (proto, nat_ip, nat_port, dst_ip, dst_port) exists. The result is stored in nf_conn so every subsequent packet in the same flow reuses it.

Every frame received on a bridge port triggers br_fdb_update() which looks up (or creates) an FDB entry keyed on src MAC, records the ingress port, and resets the ageing timer (default 300 s). For forwarding, br_forward() does an FDB lookup on dst MAC — if found, unicast; if not (unknown unicast, broadcast, or multicast), br_flood() copies the skb to all ports except the ingress. STP marks ports as forwarding/blocking to prevent loops.

VXLAN (RFC 7348) wraps an inner Ethernet frame in an 8-byte VXLAN header (flags + 24-bit VNI) then UDP + IP. UDP is used because: (1) the UDP src port is set to a hash of the inner 5-tuple, enabling ECMP load balancing across LAG/ECMP paths that hash on UDP ports — GRE lacks a src port and cannot ECMP. (2) UDP checksum can be disabled (inner layers handle their own). VTEP overhead is 50 bytes, reducing inner MTU from 1500 to 1450 bytes.

SLAAC (RFC 4862): (1) Host sends Router Solicitation to ff02::2. (2) Router replies with RA containing prefix (e.g., 2001:db8:1::/64) + valid/preferred lifetimes. (3) Host generates interface ID using EUI-64 from MAC (flip U/L bit, insert FF:FE) or stable privacy extension (RFC 8981). (4) Combine: prefix + IID = full /128 address. (5) DAD: send NS to solicited-node multicast address; wait 1 RTT; if no NA reply, the address is unique and assigned.

Reverse Path Forwarding check: when a multicast packet arrives on interface I from source S, the kernel performs a unicast route lookup for S. If the route to S would exit via a different interface than I, the packet is dropped. This prevents routing loops: in a loop, a multicast packet could bounce between routers indefinitely; RPF ensures the packet arrived from the correct upstream (towards the source tree). Implemented in ipmr.c for IPv4, ip6mr.c for IPv6.

IGMPv2: hosts report group membership (join *,G — any source) and send Leave Group messages, triggering Last Member Query before removing state. IGMPv3 (RFC 3376) adds Source-Specific Multicast (SSM): hosts specify which sources they want to receive from (INCLUDE mode) or exclude (EXCLUDE mode). This allows the network to build source-rooted shortest-path trees (S,G) instead of shared RP trees, eliminating the Rendezvous Point bottleneck and enabling the kernel to drop traffic from unwanted sources at the router before it reaches the receiver.

When a VM boots and broadcasts a DHCP DISCOVER, the vSwitch intercepts it on the VM's virtual port before forwarding. It looks up the VM's MAC (or port ID) in a config database pre-populated by the VPC control plane with the assigned IP, mask, gateway, DNS, and lease time. The vSwitch synthesizes a DHCP OFFER and sends it directly to the VM without involving a real DHCP server. This gives the hypervisor full control of addressing (critical for VPC isolation), eliminates the single-point-of-failure DHCP server, and allows infinite lease times so VMs never try to renew.

RIP: distance-vector, hop-count metric (max 15), 30-second full-table broadcast, slow convergence, count-to-infinity risk. Only suitable for small flat networks. OSPF: link-state, Dijkstra SPF, fast convergence (sub-second with BFD), area hierarchy scales to large enterprise. The preferred IGP. BGP: path-vector, AS_PATH prevents loops, policy-driven via LOCAL_PREF/MED/COMMUNITY, carries the full Internet table (800K+ routes). Used between ISPs, within large DCs (BGP-only fabric), and for advertising VM host routes during live migration via BIRD/FRR.

Down → Init (Hello received, neighbor's Router-ID not yet in our Hello) → 2-Way (our Router-ID appears in neighbor's Hello — basic bidirectional) → ExStart (master/slave negotiated via DBD, higher Router-ID becomes master) → Exchange (exchange full DBD summaries) → Loading (request missing LSAs via LSR, receive LSU) → Full (databases synchronized — neighbor is now an SPF input). On multi-access Ethernet, only DR/BDR reach Full with all routers; DROthers stay in 2-Way with each other.

1. Highest WEIGHT (Cisco-local, not advertised). 2. Highest LOCAL_PREF (intra-AS policy — which exit AS to prefer). 3. Locally originated (network/aggregate > iBGP learned). 4. Shortest AS_PATH (fewer AS hops). 5. Lowest ORIGIN (IGP < EGP < Incomplete). 6. Lowest MED (only compared among routes from same neighbor AS). 7. eBGP over iBGP. 8. Lowest IGP metric to NEXT_HOP. 9. Oldest eBGP route (stability). 10. Lowest BGP Router-ID (deterministic tiebreak). The winning route is installed in RIB and, if changed, triggers UPDATE messages to peers.

The destination hypervisor configures BIRD with a static /32 route for the migrating VM's IP pointing to the local vSwitch. BIRD's BGP session to the ToR switch advertises this /32 via iBGP or eBGP (depending on fabric design). The ToR's longest-prefix-match selects /32 over the existing /24 subnet route, redirecting all traffic to the new hypervisor immediately — without waiting for gratuitous ARP to propagate or neighbor caches to expire. When migration completes, the source hypervisor's BIRD withdraws its /32, and the /24 handles the now-unified traffic.