
Removal of EAMT entries too slow; Need a faster removal using file handle #381

Open
raj-R-Reddy opened this issue Jun 15, 2022 · 7 comments
Labels
Support User needs help

Comments

@raj-R-Reddy

The removal of EAMT entries is taking too long when done in linear mode.
Is there a quick way to use a file handle for removal of some EAMT entries selectively out of several mappings?

It would be even better if we can have the EAMT removed if there is no traffic for a configured amount of time on that entry.

@ydahhrk
Member

ydahhrk commented Jun 15, 2022

> Is there a quick way to use a file handle for removal of some EAMT entries selectively out of several mappings?

Yes; make a file including only the entries you want (in addition to other relevant configuration), then apply it.

> It would be even better if we can have the EAMT removed if there is no traffic for a configured amount of time on that entry.

So you want a stateful setup? You sure you wouldn't be better off using Stateful NAT64?

@raj-R-Reddy
Author

Thank you for the quick response.
Well, here is the scenario:
I have a multihomed Linux router with over 1000 users behind it, with private IP addresses, accessing the internet using NAT. Now, to reach IPv6 destinations, I have set up Jool and altered the DNS to serve fake IPv4 IPs for IPv6 destinations while setting up the EAMT entries on the fly. So, in this scenario I want to remove the EAMT entries after a certain period.

The DNS on the other hand maintains a database (SQLite) of these mappings and also maintains the last request time for respective IPv6 IPs. Now, I want to remove those entries where the request hasn't come for a long time or over TTL period.

So, flushing and re-adding entries using a file would be a bad idea since the existing traffic gets interrupted.
I would truly appreciate it if you could suggest anything else.

@ydahhrk
Member

ydahhrk commented Jun 15, 2022

> So, flushing and re-adding entries using a file would be a bad idea since the existing traffic gets interrupted.

There will be no traffic interruption. Not even for a nanosecond.

file handle is called "atomic configuration" because it's specifically designed to be an all-or-nothing operation. And it does so by building a completely separate translator (with its own EAM table) before committing it. If it didn't do this, it wouldn't be atomic. If Jool modified the running translator, but some modification failed, then rolling back the already applied changes would be extremely difficult (and possibly even unreliable). So this is what it does:

  1. Build new (offline) translator using file config (old translator is still running)
  2. Validate new translator (old translator is still running)
  3. Replace old translator with new translator using a simple and atomic pointer assignment (now, old translator keeps handling its already owned packets, but new translator handles any new packets)
  4. Once all packets held by the old translator have been sent, delete old translator

One nanosecond the old instance is being used, next nanosecond the next instance is being used. Each translator has its own EAM table.

@ydahhrk
Member

ydahhrk commented Jun 15, 2022

Forgot to mention: The above applies if you use a file handle to replace an instance.

i.e., don't run instance remove beforehand.

@raj-R-Reddy
Author

Well, I have built the new translator using the file config just as you mentioned, and it went really well.
However, initially I had the global configuration line defining pool6 in it, with which my DNS stopped accepting requests. If I add the global configuration the very first time it is fine, but after that, if the global pool6 line is present, this weird thing happens. Even upon restarting the DNS service it isn't accepting requests. To make it work I had to unload the jool_siit module and probe it again.
But in any case my purpose is solved by not including the global config in the file. I just thought you would want to know about this behavior.

@ydahhrk
Member

ydahhrk commented Jun 28, 2022

> I add the global configuration the very first time it is fine but after that if the global pool6 line is present this weird thing is happening.

Don't know why.

> But in any case my purpose is solved by not including the global config in the file.

You sure this is doing what you want? Deleting the global block induces default global configuration, not "retain old global configuration." In other words, no global means no pool6. (Remember: It's a completely new instance.)

If you're willing to debug it, can you enable debug and post what it prints before and after it stops working?
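Added example, not part of the thread and not Jool project code: one way to generate the replacement file discussed above from the DNS server's SQLite database, keeping only mappings requested within the TTL and restating the global block so the new instance does not fall back to defaults. The table and column names, the instance name `default`, the `netfilter` framework, and the sample addresses and pool6 value are assumptions made for illustration.

```python
import ipaddress
import json
import sqlite3

def make_sample_db():
    """Constructed stand-in for the DNS server's SQLite mapping database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE mappings (ipv6 TEXT, ipv4 TEXT, last_request INTEGER)")
    db.executemany("INSERT INTO mappings VALUES (?, ?, ?)", [
        ("2001:db8::10", "198.51.100.10", 9_900),   # requested recently
        ("2001:db8::11", "198.51.100.11", 5_000),   # idle past the TTL
        ("2001:db8::12", "198.51.100.12", 9_500),   # requested recently
    ])
    return db

def build_config(db, now, ttl, global_settings, instance="default"):
    """Build a full replacement config holding only mappings seen within ttl."""
    rows = db.execute(
        "SELECT ipv6, ipv4 FROM mappings WHERE last_request >= ? ORDER BY ipv4",
        (now - ttl,))
    eamt = []
    for ipv6, ipv4 in rows:
        # Validate every row up front: the file is applied all-or-nothing, so
        # one malformed entry would cause the whole update to be rejected.
        v6 = ipaddress.IPv6Address(ipv6)
        v4 = ipaddress.IPv4Address(ipv4)
        eamt.append({"ipv6 prefix": f"{v6}/128", "ipv4 prefix": f"{v4}/32"})
    return {
        "instance": instance,
        "framework": "netfilter",
        # The new instance inherits nothing from the old one: any setting
        # left out of "global" (pool6 included) reverts to its default.
        "global": dict(global_settings),
        "eamt": eamt,
    }

if __name__ == "__main__":
    cfg = build_config(make_sample_db(), now=10_000, ttl=600,
                       global_settings={"pool6": "64:ff9b::/96"})
    # Save the output to a file and apply it with the file handle command,
    # without removing the running instance first.
    print(json.dumps(cfg, indent=2))
```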

@raj-R-Reddy
Author

Well, I am not worried about pool6 not being present in jool_siit global at this point, since I am not expecting outside hosts to connect to the IPv4 clients inside.
But the problem can be easily reproduced by changing pool6 using jool_siit global update. Right after running it, the DNS server (unbound) stops receiving requests, and it does that until the jool_siit module is unloaded. I haven't really tested yet whether or not other applications are receiving new connections. I believe the module is blocking somewhere in netfilter while passing the packet to the application.

@ydahhrk ydahhrk added the Support User needs help label Jan 25, 2023