DPDK usage discussions
* [dpdk-users] Request for a valid ip_pipeline example to configure firewall
@ 2016-07-15 14:58 Tao Wang
  2016-07-15 16:01 ` Singh, Jasvinder
  0 siblings, 1 reply; 4+ messages in thread
From: Tao Wang @ 2016-07-15 14:58 UTC (permalink / raw)
  To: users

Dear all,

I am using the dpdk-16.04 in a qemu-kvm based CentOS7 VM.

I am running the ip_pipeline example. However, I can not get firewall
configured rightly according to the config files posted at
http://dpdk.org/browse/dpdk/tree/examples/ip_pipeline/config.

But there are some problems,

1) CLI command "p 1 firewall add priority 1 ipv4 0.0.0.0 0 100.0.0.0 10 0
65535 0 65535 6 0xF port 0" returns "bad argument"

2) CLI command "p 1 firewall add default 4 #SINK0" returns "command failed"

So how to configure it rightly? What's the right semantics of the CLI
command for firewall?

Wish for your reply.

Best,
Tao


* Re: [dpdk-users] Request for a valid ip_pipeline example to configure firewall
  2016-07-15 14:58 [dpdk-users] Request for a valid ip_pipeline example to configure firewall Tao Wang
@ 2016-07-15 16:01 ` Singh, Jasvinder
  2016-07-16  5:58   ` Tao Wang
  0 siblings, 1 reply; 4+ messages in thread
From: Singh, Jasvinder @ 2016-07-15 16:01 UTC (permalink / raw)
  To: Tao Wang, users

Hi Tao,

> -----Original Message-----
> From: users [mailto:users-bounces@dpdk.org] On Behalf Of Tao Wang
> Sent: Friday, July 15, 2016 3:59 PM
> To: users@dpdk.org
> Subject: [dpdk-users] Request for a valid ip_pipeline example to configure
> firewall
> 
> Dear all,
> 
> I am using the dpdk-16.04 in a qemu-kvm based CentOS7 VM.
> 
> I am running the ip_pipeline example. However, I can not get firewall
> configured rightly according to the config files posted at
> http://dpdk.org/browse/dpdk/tree/examples/ip_pipeline/config.
> 
> But there are some problems,
> 
> 1) CLI command "p 1 firewall add priority 1 ipv4 0.0.0.0 0 100.0.0.0 10 0
> 65535 0 65535 6 0xF port 0" returns "bad argument"

If you are working on 16.04, the command format for adding a firewall rule is as below:

p <pipeline_id> firewall add ipv4 <priority> <src ip> <src ip mask> <dst ip> <dst ip mask> <src_port_from> <src_port_to> <dst_port_from> <dst_port_to> <protocol> <protocol_mask> <port id>

The reason why your command is failing is because in 16.07 we have changed the command format for adding rule to firewall pipeline.

> 2) CLI command "p 1 firewall add default 4 #SINK0" returns "command failed"

I guess you have configured 4 ports (port id 0-3), so if this is the case, use the right port id.
> 
> So how to configure it rightly? What's the right semantics of the CLI command
> for firewall?

To learn the command format, please follow the code - ip_pipeline/pipeline/pipeline_firewall.c 


> Wish for your reply.
> 
> Best,
> Tao


Jasvinder


* Re: [dpdk-users] Request for a valid ip_pipeline example to configure firewall
  2016-07-15 16:01 ` Singh, Jasvinder
@ 2016-07-16  5:58   ` Tao Wang
  2016-07-17  7:53     ` Singh, Jasvinder
  0 siblings, 1 reply; 4+ messages in thread
From: Tao Wang @ 2016-07-16  5:58 UTC (permalink / raw)
  To: Singh, Jasvinder; +Cc: users

Hi, Jasvinder,

Thanks for your concern.

On Sat, Jul 16, 2016 at 12:01 AM, Singh, Jasvinder <
jasvinder.singh@intel.com> wrote:

> Hi Tao,
>
> > -----Original Message-----
> > From: users [mailto:users-bounces@dpdk.org] On Behalf Of Tao Wang
> > Sent: Friday, July 15, 2016 3:59 PM
> > To: users@dpdk.org
> > Subject: [dpdk-users] Request for a valid ip_pipeline example to configure
> > firewall
> >
> > Dear all,
> >
> > I am using the dpdk-16.04 in a qemu-kvm based CentOS7 VM.
> >
> > I am running the ip_pipeline example. However, I can not get firewall
> > configured rightly according to the config files posted at
> > http://dpdk.org/browse/dpdk/tree/examples/ip_pipeline/config.
> >
> > But there are some problems,
> >
> > 1) CLI command "p 1 firewall add priority 1 ipv4 0.0.0.0 0 100.0.0.0 10 0
> > 65535 0 65535 6 0xF port 0" returns "bad argument"
>
> If you are working on 16.04, the command format for adding firewall rule
> is as below;
>
> p <pipeline_id> firewall add ipv4 <priority> <src ip> <src ip mask> <dst ip> <dst ip mask> <src_port_from> <src_port_to> <dst_port_from> <dst_port_to> <protocol> <protocol_mask> <port id>
>
> The reason why your command is failing is because in 16.07 we have changed
> the command format for adding rule to firewall pipeline.

I added a CLI command "p 1 firewall add ipv4 2 192.168.10.171 32
192.168.10.172 32 0 65535 0 65535 6 0xF 0" to the firewall. Does it mean
that the firewall blocks the ipv4 traffic from 192.168.10.171/32 to
192.168.10.172/32?

Also, another question is how can we set the default firewall to pass
through all the traffic? I run "p 1 firewall ls" CLI command, it shows that
the default operation of the firewall is to drop all the traffic.

Moreover, I do not know how to verify my configuration. Like the pipeline
firewall I have created above, on the 192.168.10.171 host, I just ping the
192.168.10.172 host. And I run "p 1 firewall stats port in 0" or "p 1
firewall stats port 0", it just returns

"Pipeline 1 - stats for input port 0:
Pkts in: 0
Pkts dropped by AH: 0
Pkts dropped by other: 0"

and

"Pipeline 1 - stats for output port 0:
Pkts in: 0
Pkts dropped by AH: 0
Pkts dropped by other: 0"

BTW, the topology is as below,

-------------------                              -------------------
|                 |                              |                 |
| 192.168.10.171  |------pipeline firewall------| 192.168.10.171  |
|                 |                              |                 |
-------------------                              -------------------
Also, if I change the pipeline firewall application to the pipeline l2fwd
application, the forwarding function works correctly, but the statistics
are also "0".

Wish for your reply :-).

> 2) CLI command "p 1 firewall add default 4 #SINK0" returns "command
> failed"
>
> I guess you have configured 4 ports (port id 0-3), so if this is the
> case, use the right port id.
> >
> > So how to configure it rightly? What's the right semantics of the CLI command
> > for firewall?
>
> To learn the command format, please follow the code -
> ip_pipeline/pipeline/pipeline_firewall.c
>
>
> > Wish for your reply.
> >
> > Best,
> > Tao
>
>
> Jasvinder
>

Best,
Tao


* Re: [dpdk-users] Request for a valid ip_pipeline example to configure firewall
  2016-07-16  5:58   ` Tao Wang
@ 2016-07-17  7:53     ` Singh, Jasvinder
  0 siblings, 0 replies; 4+ messages in thread
From: Singh, Jasvinder @ 2016-07-17  7:53 UTC (permalink / raw)
  To: Tao Wang; +Cc: users

From: Tao Wang [mailto:tao.wang0221@gmail.com]
Sent: Saturday, July 16, 2016 6:58 AM
To: Singh, Jasvinder <jasvinder.singh@intel.com>
Cc: users@dpdk.org
Subject: Re: [dpdk-users] Request for a valid ip_pipeline example to configure firewall

Hi, Jasvinder,

Thanks for your concern.

On Sat, Jul 16, 2016 at 12:01 AM, Singh, Jasvinder <jasvinder.singh@intel.com> wrote:
Hi Tao,

> -----Original Message-----
> From: users [mailto:users-bounces@dpdk.org] On Behalf Of Tao Wang
> Sent: Friday, July 15, 2016 3:59 PM
> To: users@dpdk.org
> Subject: [dpdk-users] Request for a valid ip_pipeline example to configure
> firewall
>
> Dear all,
>
> I am using the dpdk-16.04 in a qemu-kvm based CentOS7 VM.
>
> I am running the ip_pipeline example. However, I can not get firewall
> configured rightly according to the config files posted at
> http://dpdk.org/browse/dpdk/tree/examples/ip_pipeline/config.
>
> But there are some problems,
>
> 1) CLI command "p 1 firewall add priority 1 ipv4 0.0.0.0 0 100.0.0.0 10 0
> 65535 0 65535 6 0xF port 0" returns "bad argument"

If you are working on 16.04, the command format for adding a firewall rule is as below:

p <pipeline_id> firewall add ipv4 <priority> <src ip> <src ip mask> <dst ip> <dst ip mask> <src_port_from> <src_port_to> <dst_port_from> <dst_port_to> <protocol> <protocol_mask> <port id>

The reason why your command is failing is because in 16.07 we have changed the command format for adding rule to firewall pipeline.

I added a CLI command "p 1 firewall add ipv4 2 192.168.10.171 32 192.168.10.172 32 0 65535 0 65535 6 0xF 0" to the firewall. Does it mean that the firewall blocks the ipv4 traffic from 192.168.10.171/32 to 192.168.10.172/32?

[Jasvinder] Firewall with above rule will allow all the packets matching above fields to pass through it. You should be able to see packets with above src ip, dst ip, tcp ports (src, dst) addresses coming out of the pipeline. Check your traffic settings in case you don’t see that.


Also, another question is how can we set the default firewall to pass through all the traffic? I run "p 1 firewall ls" CLI command, it shows that the default operation of the firewall is to drop all the traffic.

[Jasvinder] For changing the default action, you can use the following command:

p <pipeline id> firewall add default <port id>

In this case, packets not matching any of the firewall rules will be sent out to the set port id.

Moreover, I do not know how to verify my configuration. Like the pipeline firewall I have created above, on the 192.168.10.171 host, I just ping the 192.168.10.172 host. And I run "p 1 firewall stats port in 0" or "p 1 firewall stats port 0", it just returns

"Pipeline 1 - stats for input port 0:
          Pkts in: 0
          Pkts dropped by AH: 0
          Pkts dropped by other: 0"

and

"Pipeline 1 - stats for output port 0:
          Pkts in: 0
          Pkts dropped by AH: 0
          Pkts dropped by other: 0"

BTW, the topology is as below,

-------------------                              -------------------
|                 |                              |                 |
| 192.168.10.171  |------pipeline firewall------| 192.168.10.171  |
|                 |                              |                 |
-------------------                              -------------------

[Jasvinder] To see stats, you need to enable three flags (shown below) in dpdk/config/common_base:

CONFIG_RTE_PIPELINE_STATS_COLLECT=y
CONFIG_RTE_TABLE_STATS_COLLECT=y
CONFIG_RTE_PORT_STATS_COLLECT=y



Also, if I change the pipeline firewall application to the pipeline l2fwd application, the forwarding function works correctly, but the statistics are also "0".

[Jasvinder] – please enable stats collection flag as suggested above.

Wish for your reply :-).

> 2) CLI command "p 1 firewall add default 4 #SINK0" returns "command failed"

I guess you have configured 4 ports (port id 0-3), so if this is the case, use the right port id.
>
> So how to configure it rightly? What's the right semantics of the CLI command
> for firewall?

To learn the command format, please follow the code - ip_pipeline/pipeline/pipeline_firewall.c


> Wish for your reply.
>
> Best,
> Tao

Jasvinder

Best,
Tao
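
Added example, not part of the thread and not DPDK's own code: a pre-flight check in C for the two 16.04 command forms quoted above, which rejects the 16.07-style "add priority ..." form and an output port id outside the configured range. Assumptions: masks are prefix lengths (0 to 32), protocol and protocol mask are 8-bit values, text after the default port id is ignored, and the caller supplies the number of configured ports.

```c
#include <arpa/inet.h>
#include <stdio.h>

/* Fields in the thread's order; all names are this example's, not DPDK's. */
struct fw_rule {
    unsigned pipeline, priority, src_depth, dst_depth;
    unsigned sp0, sp1, dp0, dp1, port_id;
    int proto, proto_mask;              /* read with %i so "0xF" parses */
    struct in_addr src, dst;
};

/* 0 accepted; -1 wrong shape (e.g. the 16.07 "add priority ..." form);
 * -2 bad IPv4 address; -3 value out of range; -4 port id not configured. */
int fw_parse_1604(const char *cmd, unsigned n_ports, struct fw_rule *r)
{
    char src[16], dst[16], extra;
    int n = sscanf(cmd,
        "p %u firewall add ipv4 %u %15s %u %15s %u %u %u %u %u %i %i %u %c",
        &r->pipeline, &r->priority, src, &r->src_depth, dst, &r->dst_depth,
        &r->sp0, &r->sp1, &r->dp0, &r->dp1, &r->proto, &r->proto_mask,
        &r->port_id, &extra);
    if (n != 13)                        /* too few fields or trailing tokens */
        return -1;
    if (inet_pton(AF_INET, src, &r->src) != 1 ||
        inet_pton(AF_INET, dst, &r->dst) != 1)
        return -2;
    /* Assumed ranges: masks are prefix lengths, protocol fields are 8-bit. */
    if (r->src_depth > 32 || r->dst_depth > 32 || r->sp0 > r->sp1 ||
        r->sp1 > 65535 || r->dp0 > r->dp1 || r->dp1 > 65535 ||
        (unsigned)r->proto > 255 || (unsigned)r->proto_mask > 255)
        return -3;
    return r->port_id < n_ports ? 0 : -4;
}

/* "p <pipeline id> firewall add default <port id>": same port-id bound. */
int fw_check_default(const char *cmd, unsigned n_ports)
{
    unsigned pipeline, port_id;
    if (sscanf(cmd, "p %u firewall add default %u", &pipeline, &port_id) != 2)
        return -1;
    return port_id < n_ports ? 0 : -4;
}

int main(void)
{
    struct fw_rule r;
    printf("%d %d\n", fw_parse_1604("p 1 firewall add ipv4 2 192.168.10.171 "
           "32 192.168.10.172 32 0 65535 0 65535 6 0xF 0", 4, &r),
           fw_check_default("p 1 firewall add default 4 #SINK0", 4));
}
```
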
