[dpdk-dev] ip_pipeline firewall customization

Dumitrescu, Cristian cristian.dumitrescu at intel.com
Thu Mar 9 11:06:46 CET 2017


Hi Shyam,

> -----Original Message-----
> From: dev [mailto:dev-bounces at dpdk.org] On Behalf Of Shyam Shrivastav
> Sent: Wednesday, March 8, 2017 3:55 PM
> To: dev at dpdk.org
> Cc: Shyam Shrivastav <shrivastav.shyam at gmail.com>
> Subject: [dpdk-dev] ip_pipeline firewall customization
> 
> Hi All
> 
> I am using ip_pipeline firewall as base for our project, need
> comments/suggestions/corrections regarding the following
> 
> 1) We can not configure firewall rule to drop packets, as portid is
> mandatory in command. I am planning to allow this for our requirement with
> following code changes
>       a) Allow "port" as optional parameter (pipeline_firewall.c), pass -1
> as port id if "port" is not specified to app_pipeline_firewall_add_rule and
> change that parameter to int32_t.
>       b) Make required changes in pipeline_firewall_msg_req_add_handler if
> portid is -1, that is table entry action to be .action =
> RTE_PIPELINE_ACTION_DROP.
> 

You don't really need to do this for implementing a drop action. You can simply create a SINK output port (which basically drops all the packets directed to it) and set this as the output port for all rules that drop packets.

See ip_pipeline/config/firewall.cfg as example.

> 2) I am registering a f_action_hit function for firewall table to perform
> certain translations if action is pass (RTE_PIPELINE_ACTION_PORT).

What type of actions are you performing? If generic enough, it would be interesting to add them to this pipeline, so I encourage you to contribute with ideas and code patches.

> Configured a rule like following
> 
> pipeline>p 1 firewall add priority 1 ipv4 0.0.0.0 0 0.0.0.0 0 0 65535 0
> 65535 0 0 port 0
> 
> which should be hit only by ipv4 packets. However even ARP packets are hit
> by this ACL and my routine is called. If I configure a specific src or dst
> ip then everything works fine and arp packets are not hit, for example
> following rule hits only ipv4 icmp packets
> 
> pipeline>  p 1 firewall add priority 1 ipv4 0.0.0.0 0 45.35.70.12 32 0
> 65535 0 65535 1 0xf port 0
> 
> Is this a bug or am I missing something?
> 

You can make sure no ARP packets are received by the firewall pipeline by simply filtering all the ARP packets to a separate RXQ of the NIC port, which can be further handled by a separate function.

See ip_pipeline/config/network_layers.cfg as example:
[LINK0]
arp_q = 4

> 
> Thanks
> Shyam

Regards,
Cristian
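A config fragment in the ip_pipeline .cfg format that applies both suggestions above (a SINK output port for drop rules, and a separate NIC RX queue for ARP); this is an added illustration, not part of the thread, and the section layout, queue indices, the PASS-THROUGH consumer pipeline and the CLI lines in the trailing comment are assumptions modelled on the shipped firewall.cfg and network_layers.cfg.

```ini
; Added example (not from the thread). Assumed layout modelled on
; ip_pipeline/config/firewall.cfg and network_layers.cfg.

[PIPELINE0]
type = MASTER
core = 0

; Firewall pipeline: output port indices are positional in pktq_out,
; so here 0 -> TXQ0.0, 1 -> TXQ1.0 and 2 -> SINK0. A rule whose action
; is "port 2" therefore drops the packet without any code change.
[PIPELINE1]
type = FIREWALL
core = 1
pktq_in = RXQ0.0 RXQ1.0
pktq_out = TXQ0.0 TXQ1.0 SINK0
n_rules = 4096
pkt_type = ipv4

; Steer ARP on link 0 to its own RX queue so the firewall pipeline
; (which only reads RXQ0.0) never sees ARP frames. Assumed: the queue
; must be consumed by some pipeline, so a PASS-THROUGH pipeline reads it.
[LINK0]
arp_q = 4

[PIPELINE2]
type = PASS-THROUGH
core = 2
pktq_in = RXQ0.4
pktq_out = SINK1

; CLI lines (assumed, same syntax as the rules quoted in the thread):
;   catch-all IPv4 rule that drops by sending to the SINK port index
;   p 1 firewall add priority 1 ipv4 0.0.0.0 0 0.0.0.0 0 0 65535 0 65535 0 0 port 2
;   allow a single destination host by forwarding to TXQ0.0 instead
;   p 1 firewall add priority 2 ipv4 0.0.0.0 0 45.35.70.12 32 0 65535 0 65535 0 0 port 0
```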