[dpdk-dev] ip_pipeline firewall customization
shrivastav.shyam at gmail.com
Fri Mar 10 06:30:13 CET 2017
Please find my comments inline
> [Jasvinder] - You need to set the right proto field and accordingly the
> mask in the above rule. You can keep src/dst ip addresses intact. The proto
> field defines the protocol used in the data portion of the IP datagram and
> can be found here
> <https://en.wikipedia.org/wiki/List_of_IP_protocol_numbers>. E.g. in
> case your packet is a TCP packet then the firewall rule should be as below and you
> will see ARP packets filtered out.
> p 1 firewall add priority 1 ipv4 0.0.0.0 0 0.0.0.0 0 0 65535 0 65535 6 0x6 port 0
[Shyam] Yes, it works; I already saw that. The simple reason is that it would be
rare for an ARP packet to have exactly the same value at that offset (9, which
contains the MAC address). Still, in my view ARP packets must be filtered out
and must never hit the firewall/ACL table.
> Yes, dropping of packets can be achieved by creating a sink port. However,
> we need further processing to be done for a packet hitting a pass rule, and the
> best way for this processing is the f_action_hit table handler. In this
> routine we can distinguish between drop/pass actions as
> rte_pipeline_table_entry is passed to it, which also contains the port id, but
> there is no generic way to distinguish between a normal or sink port.
> I think it would be a value addition to allow this action in the firewall
> pipeline; please let me know your thoughts. As for our project, it looks like
> we have to include this.
> [Jasvinder] - If I understand your context correctly, you want to
> distinguish the Sink port from other normal out ports in the action handler.
> You can do that by keeping the sink port last among the pipeline output ports and
> then in the action handler you can compare the port id (highest value) to see
> whether the port id is the sink port or not.
[Shyam] That doesn't seem to be generic at all. The requirement is to be able
to configure and distinguish between pass and drop rules, so that the required
translations can be done for pass rules. Support for the drop action exists in
the underlying table/ACL code; we just need to change the firewall part.
We should not do this based on port number, in my view ...
Thanks and rgds
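The rule line and the offset-9 behaviour discussed in the thread above, as an added example that is not part of the original message and not DPDK's own code: a small Python model that parses the `firewall add ... ipv4` rule format and applies the proto/mask match to constructed TCP and ARP payloads. It assumes the ACL reads its key at fixed IPv4 header offsets regardless of the actual EtherType, which is what the thread's observation about ARP packets implies; the packet bytes and MAC addresses are constructed.

```python
import ipaddress
import struct

# Rule line from the thread: src net, dst net, sport range, dport range, proto, proto mask, out port.
RULE = "p 1 firewall add priority 1 ipv4 0.0.0.0 0 0.0.0.0 0 0 65535 0 65535 6 0x6 port 0"

def parse_firewall_rule(line):
    """Parse an ip_pipeline-style 'firewall add ... ipv4' CLI line into match fields."""
    t = line.split()
    if t[2:4] != ["firewall", "add"] or t[6] != "ipv4" or t[17] != "port":
        raise ValueError("not an ipv4 firewall add rule")
    return {
        "priority": int(t[5]),
        "src": ipaddress.ip_network(f"{t[7]}/{t[8]}", strict=False),
        "dst": ipaddress.ip_network(f"{t[9]}/{t[10]}", strict=False),
        "sport": (int(t[11]), int(t[12])),
        "dport": (int(t[13]), int(t[14])),
        "proto": int(t[15], 0),       # value to compare (base 0 accepts "6" or "0x6")
        "proto_mask": int(t[16], 0),  # bitwise mask: 0x6 compares only bits 1-2, 0xff the whole byte
        "port": int(t[18]),
    }

def rule_matches(rule, payload):
    """Match the rule against the bytes after the Ethernet header, read at fixed IPv4
    offsets (proto at 9, src at 12, dst at 16, L4 ports at 20). Assumption: the ACL is
    keyed on the IP header, so a non-IP payload such as ARP is read the same way."""
    proto = payload[9]
    src = ipaddress.ip_address(payload[12:16])
    dst = ipaddress.ip_address(payload[16:20])
    sport, dport = struct.unpack("!HH", payload[20:24])
    return ((proto & rule["proto_mask"]) == (rule["proto"] & rule["proto_mask"])
            and src in rule["src"] and dst in rule["dst"]
            and rule["sport"][0] <= sport <= rule["sport"][1]
            and rule["dport"][0] <= dport <= rule["dport"][1])

# Constructed sample payloads (Ethernet header already stripped).
IPV4_TCP = (bytes.fromhex("4500003c1c4640004006b1e6")          # ver/ihl .. ttl=64, proto=6 (TCP)
            + bytes([10, 0, 0, 1]) + bytes([10, 0, 0, 2]) + struct.pack("!HH", 40000, 80))

def arp_request(sender_mac):
    """Constructed ARP request body; offset 9 lands on the second byte of the sender MAC."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + sender_mac + bytes([10, 0, 0, 1])
            + bytes(6) + bytes([10, 0, 0, 2]))

ARP_TYPICAL = arp_request(bytes.fromhex("020000000001"))    # byte 9 = 0x00 -> misses the TCP rule
ARP_COLLIDING = arp_request(bytes.fromhex("020600000001"))  # byte 9 = 0x06 -> hits the TCP rule

if __name__ == "__main__":
    rule = parse_firewall_rule(RULE)
    for name, p in [("tcp", IPV4_TCP), ("arp", ARP_TYPICAL), ("arp-colliding", ARP_COLLIDING)]:
        print(name, "hit" if rule_matches(rule, p) else "miss")
```

The colliding case is the rare one the thread mentions: a MAC byte that happens to equal the protocol number under the mask reaches the ACL as if it were TCP, which is why filtering non-IP traffic before the firewall table is the safer design.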