From: Matheus Salgueiro Castanho <ms5sh@virginia.edu>
To: users@dpdk.org
Subject: [dpdk-users] Trouble with firewall configuration in ip_pipeline
Date: Thu, 17 Mar 2016 12:39:54 -0300
Message-ID: <CAJPsTrUKP7ZdZdeQvMyDD=A58o53ABvgdF=-o_3K6KHELqE0iQ@mail.gmail.com>
Hello everyone,

I sent this to the wrong email address first, so I hope this one gets
through.

I've been trying to run a simple firewall with the ip_pipeline example
application but without success so far.

After some initial setup issues, I was able to successfully run the
firewall and add specific rules to it. But the problem is, if I have
understood the parameters correctly, my rules don't seem to have any effect
on accepting or rejecting packets through the firewall.

In my current tests, I have 2 different hosts (10.0.0.1 and 10.10.0.1),
connected to a central host that runs the firewall. This central host
should be responsible for blocking/accepting packets between these two
hosts, but I don't seem to get any packets through. I configure two links
for the ip_pipeline application (config file below) and I check the
connections (and they work) before starting the application. This is the
config file I'm using:

[PIPELINE0]
type = MASTER
core = 0

[PIPELINE1]
type = FIREWALL
core = 1
pktq_in = RXQ0.0 RXQ1.0
pktq_out = TXQ0.0 TXQ1.0

When the application is running, I add these two rules:

p 1 firewall add ipv4 1 10.0.0.0 24 10.10.0.0 24 0 65535 0 65535 0 0 1
p 1 firewall add ipv4 2 10.10.0.0 24 10.0.0.0 24 0 65535 0 65535 0 0 0

The first, as far as I understood the parameters, should accept packets
coming from 10.0.0.0/24 and bound to 10.10.0.0/24, for any TCP port
(0-65535), both for destination and source, for any protocol (protocol mask
= 0) and forward them to link 1, which is connected to the host 10.10.0.1.
The second is similar to the first, but in the other direction: 10.10.0.0/24
-> 10.0.0.0/24.

When I try pinging a host from the other, I can see the packets being
received by the application (command "link ls" shows # of RX packets
increasing gradually) but none of them gets transmitted to the specified
link. The only situation in which I can get packets to the other side is
when I allow all traffic through the "p 1 firewall add default <link>"
command.

I wondered if the packets were being modified somewhere, so I looked for
the place in the code where the packets were actually being matched against
the rules so I could print them and check. While looking through the code,
I saw that the DPDK ACL data structure was being used to implement the
rules, and after reading the DPDK Programmer's Guide chapter regarding the
ACL library (Chapter 22), I saw that the function rte_acl_classify should
be called to match the packets against the rules, but I couldn't find this
function being called anywhere in the code or in the libraries being used
by the application.

So my question is: Am I missing anything in my configuration in order to
successfully run the firewall? Did I interpret the rule parameters
correctly? Or, although I think this is less likely, is the firewall
failing to match the packets against the rules?

I've been working on this for a few days and I can't seem to understand
what's wrong.

I appreciate your kind help.

Thank you.

--
Matheus Salgueiro Castanho
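The following is an added example, not part of Matheus's mail and not DPDK's own code. It models the rule semantics he describes: each `p <pipeline> firewall add ipv4 ...` line is parsed into a rule with source/destination prefixes, inclusive source/destination port ranges, a protocol value plus mask, and an output port, and a packet is forwarded to the port of the highest-priority matching rule (this mirrors the rte_acl convention that a larger priority value wins, which is an assumption here, as is the ip_pipeline CLI field order). Unmatched packets are dropped unless a default port has been set, which is the behaviour the mail observes with `firewall add default <link>`. The two 16-bit words after the IPv4 header are treated as the port fields regardless of protocol, so an ICMP echo (type/code word and checksum word) still falls inside 0-65535; the packets are constructed for the illustration.

```python
"""Toy model of ip_pipeline firewall rule matching (added illustration, not DPDK code).

Assumed CLI layout (matches the rules quoted in the mail):
  p <pipeline> firewall add ipv4 <priority> <sip> <sdepth> <dip> <ddepth>
      <sport0> <sport1> <dport0> <dport1> <proto> <protomask> <portid>
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    priority: int
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: range          # inclusive CLI bounds stored as range(lo, hi + 1)
    dport: range
    proto: int
    proto_mask: int       # 0 means "any protocol" (proto & 0 == proto & 0)
    port_id: int          # output link the matching packet is sent to


@dataclass(frozen=True)
class Packet:
    """Only the header fields the firewall's ACL table looks at (constructed)."""
    src: str
    dst: str
    proto: int
    sport: int            # first 16-bit word after the IPv4 header
    dport: int            # second 16-bit word after the IPv4 header


def parse_rule(cmd: str) -> Rule:
    """Turn one 'p N firewall add ipv4 ...' CLI line into a Rule."""
    t = cmd.split()
    if len(t) != 17 or t[0] != "p" or t[2:5] != ["firewall", "add", "ipv4"]:
        raise ValueError(f"not a 'firewall add ipv4' command: {cmd!r}")
    a = t[5:]
    return Rule(
        priority=int(a[0]),
        src=ipaddress.ip_network(f"{a[1]}/{a[2]}", strict=False),
        dst=ipaddress.ip_network(f"{a[3]}/{a[4]}", strict=False),
        sport=range(int(a[5]), int(a[6]) + 1),
        dport=range(int(a[7]), int(a[8]) + 1),
        proto=int(a[9]),
        proto_mask=int(a[10]),
        port_id=int(a[11]),
    )


def matches(rule: Rule, pkt: Packet) -> bool:
    """All five ACL fields must match; the protocol is compared under its mask."""
    return (
        ipaddress.ip_address(pkt.src) in rule.src
        and ipaddress.ip_address(pkt.dst) in rule.dst
        and pkt.sport in rule.sport
        and pkt.dport in rule.dport
        and (pkt.proto & rule.proto_mask) == (rule.proto & rule.proto_mask)
    )


def forward_port(rules: List[Rule], pkt: Packet,
                 default_port: Optional[int] = None) -> Optional[int]:
    """Output port for pkt: best-priority hit, else the default, else None (drop)."""
    hits = [r for r in rules if matches(r, pkt)]
    if not hits:
        return default_port
    return max(hits, key=lambda r: r.priority).port_id


# The two rules from the mail, verbatim.
RULES = [
    parse_rule("p 1 firewall add ipv4 1 10.0.0.0 24 10.10.0.0 24 0 65535 0 65535 0 0 1"),
    parse_rule("p 1 firewall add ipv4 2 10.10.0.0 24 10.0.0.0 24 0 65535 0 65535 0 0 0"),
]

# Constructed packets: ICMP echo request/reply between the two hosts, plus an outsider.
ECHO_REQUEST = Packet("10.0.0.1", "10.10.0.1", proto=1, sport=0x0800, dport=0x4D5A)
ECHO_REPLY = Packet("10.10.0.1", "10.0.0.1", proto=1, sport=0x0000, dport=0x555A)
STRANGER = Packet("192.168.1.5", "10.10.0.1", proto=6, sport=40000, dport=22)

if __name__ == "__main__":
    for name, pkt in [("echo request", ECHO_REQUEST),
                      ("echo reply", ECHO_REPLY),
                      ("stranger", STRANGER)]:
        print(f"{name:13s} -> port {forward_port(RULES, pkt)}")
    print(f"stranger with default 1 -> port {forward_port(RULES, STRANGER, 1)}")
```

Running it shows the echo request leaving on port 1 and the reply on port 0, i.e. the rules as quoted do describe the intended two-way path; the outsider is dropped until a default port is configured. That is the expected-behaviour baseline to compare against the RX/TX counters from "link ls".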
Thread overview: 2+ messages
2016-03-17 15:39 Matheus Salgueiro Castanho [this message]
2016-03-18 10:03 ` Singh, Jasvinder