DPDK usage discussions
From: "Singh, Jasvinder" <jasvinder.singh@intel.com>
To: Matheus Salgueiro Castanho <ms5sh@virginia.edu>,
	"users@dpdk.org" <users@dpdk.org>
Subject: Re: [dpdk-users] Troube with firewall configuration in ip_pipeline
Date: Fri, 18 Mar 2016 10:03:50 +0000
Message-ID: <54CBAA185211B4429112C315DA58FF6DDD7966@IRSMSX103.ger.corp.intel.com>
In-Reply-To: <CAJPsTrUKP7ZdZdeQvMyDD=A58o53ABvgdF=-o_3K6KHELqE0iQ@mail.gmail.com>

Hi Matheus,

> -----Original Message-----
> From: users [mailto:users-bounces@dpdk.org] On Behalf Of Matheus
> Salgueiro Castanho
> Sent: Thursday, March 17, 2016 3:40 PM
> To: users@dpdk.org
> Subject: [dpdk-users] Troube with firewall configuration in ip_pipeline
> 
> Hello everyone,
> 
> I sent this to the wrong email address first, so I hope this one gets through.
> 
> I've been trying to run a simple firewall with the ip_pipeline example
> application but without success so far.
> 
> After some initial setup issues, I was able to successfully run the firewall and
> add specific rules to it. But the problem is, if I have understood the
> parameters correctly, my rules don't seem to have any effect on accepting or
> rejecting packets through the firewall.
> 
> On my current tests, I have 2 different hosts (10.0.0.1 and 10.10.0.1),
> connected to a central host that runs the firewall. This central host should be
> responsible for blocking/accepting packets between these two hosts, but I
> don't seem to get any packets through. I configure two links for the
> ip_pipeline application (config file below) and I check the connections (and
> they work) before starting the application. This is the config file I'm using:
> 
> [PIPELINE0]
> type = MASTER
> core = 0
> 
> [PIPELINE1]
> type = FIREWALL
> core = 1
> pktq_in = RXQ0.0 RXQ1.0
> pktq_out = TXQ0.0 TXQ1.0
> 
> When the application is running, I add these two rules:
> 
> p 1 firewall add ipv4 1 10.0.0.0 24 10.10.0.0 24 0 65535 0 65535 0 0 1
> p 1 firewall add ipv4 2 10.10.0.0 24 10.0.0.0 24 0 65535 0 65535 0 0 0
> 
> The first, as far as I understood the parameters, should accept packets
> coming from 10.0.0.0/24 and bound to 10.10.0.0/24, for any TCP port (0-
> 65535), both for destination and source, for any protocol (protocol mask = 0)
> and forward them to link 1, which is connected to the host 10.10.0.1.
> 
> The second is similar to the first, but on the other direction 10.10.0.0/24  ->
> 10.0.0.0/24.
> 
> When I try pinging a host from the other, I can see the packets being
> received by the application (command "link ls" shows # of RX packets
> increasing gradually) but none of them gets transmitted to the specified link.
> The only situation in which I can get packets to the other side, is when I allow
> all traffic through the "p 1 firewall add default <link>"
> command.
>
> I wondered if the packets were being modified somewhere, so I looked for
> the place in the code where the packets were actually being matched against
> the rules so I could print them and check. While looking through the code, I
> saw that the dpdk ACL data structure was being used to implement the rules,
> and after reading the DPDK Programmer's Guide chapter regarding the acl
> library (Chapter 22), I saw that the function rte_acl_classify should be called
> to match the packets against the rules, but I couldn't find this function being
> called anywhere in the code or in the libraries being used by the application.
> 
> So my question is: Am I missing anything in my configuration in order to
> successfully run the firewall? Did I interpret the rule parameters correctly?
> Or, although I think this is less likely, is the firewall failing to match the
> packets against the rules?
> 

I ran the firewall pipeline with your rule set and found packets flowing through the pipe.

Please check whether your packets are being produced with the right ip_header fields.

Thanks,
Jasvinder
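
Added example, not part of the original thread and not DPDK code: an offline check of raw IPv4 header bytes against the two rules quoted above, reporting which header fields keep a packet from matching. It assumes the field order as the original post reads it (priority, source/depth, destination/depth, source port range, destination port range, protocol, protocol mask, output port), treats ports as 0 for anything other than a first-fragment TCP/UDP packet, and uses constructed sample headers.

```python
import ipaddress
import struct
from collections import namedtuple

Rule = namedtuple("Rule", "prio src dst sport dport proto proto_mask out_port")
Hdr = namedtuple("Hdr", "src dst proto sport dport")

# The two rules quoted in the thread.
RULES = ["p 1 firewall add ipv4 1 10.0.0.0 24 10.10.0.0 24 0 65535 0 65535 0 0 1",
         "p 1 firewall add ipv4 2 10.10.0.0 24 10.0.0.0 24 0 65535 0 65535 0 0 0"]
# Constructed sample: 20-byte IPv4 header, ICMP, 10.0.0.1 -> 10.10.0.1, checksum zeroed.
PING = bytes.fromhex("4500005400004000400100000a0000010a0a0001")
# Constructed sample: the same header sent from 192.168.0.1 instead.
OTHER = bytes.fromhex("450000540000400040010000c0a800010a0a0001")

def parse_rule(line):
    """Parse a rule using the field order described in the post (an assumption)."""
    t = line.split()
    if len(t) != 17 or t[0] != "p" or t[2:5] != ["firewall", "add", "ipv4"]:
        raise ValueError("unexpected rule syntax: %r" % line)
    n = [int(x) for x in t[10:17]]
    return Rule(int(t[5]), ipaddress.ip_network(t[6] + "/" + t[7]),
                ipaddress.ip_network(t[8] + "/" + t[9]),
                (n[0], n[1]), (n[2], n[3]), n[4], n[5], n[6])

def parse_ipv4(buf):
    """Extract the 5-tuple from raw bytes that start at the IPv4 header."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        raise ValueError("bad header length")
    frag_off = struct.unpack("!H", buf[6:8])[0] & 0x1FFF
    sport = dport = 0  # sketch assumption: ports read as 0 unless TCP/UDP first fragment
    if buf[9] in (6, 17) and frag_off == 0 and len(buf) >= ihl + 4:
        sport, dport = struct.unpack("!HH", buf[ihl:ihl + 4])
    return Hdr(ipaddress.ip_address(bytes(buf[12:16])),
               ipaddress.ip_address(bytes(buf[16:20])), buf[9], sport, dport)

def mismatches(rule, h):
    """Return the names of the header fields that keep h from matching rule."""
    checks = [("src", h.src in rule.src), ("dst", h.dst in rule.dst),
              ("sport", rule.sport[0] <= h.sport <= rule.sport[1]),
              ("dport", rule.dport[0] <= h.dport <= rule.dport[1]),
              ("proto", (h.proto & rule.proto_mask) == (rule.proto & rule.proto_mask))]
    return [name for name, ok in checks if not ok]

if __name__ == "__main__":
    for line in RULES:
        r = parse_rule(line)
        print(r.prio, mismatches(r, parse_ipv4(PING)), mismatches(r, parse_ipv4(OTHER)))
```

An empty list means every field of the header falls inside the rule; a captured header can be substituted for the constructed samples.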
