Date: Thu, 17 Mar 2016 12:39:54 -0300
From: Matheus Salgueiro Castanho
To: users@dpdk.org
Subject: [dpdk-users] Trouble with firewall configuration in ip_pipeline

Hello everyone,

I sent this to the wrong email address first, so I hope this one gets through.

I've been trying to run a simple firewall with the ip_pipeline example application, but without success so far. After some initial setup issues, I was able to successfully run the firewall and add specific rules to it. But the problem is, if I have understood the parameters correctly, my rules don't seem to have any effect on accepting or rejecting packets through the firewall.

On my current tests, I have 2 different hosts (10.0.0.1 and 10.10.0.1) connected to a central host that runs the firewall. This central host should be responsible for blocking/accepting packets between these two hosts, but I don't seem to get any packets through. I configure two links for the ip_pipeline application (config file below) and I check the connections (and they work) before starting the application.
This is the config file I'm using:

[PIPELINE0]
type = MASTER
core = 0

[PIPELINE1]
type = FIREWALL
core = 1
pktq_in = RXQ0.0 RXQ1.0
pktq_out = TXQ0.0 TXQ1.0

When the application is running, I add these two rules:

p 1 firewall add ipv4 1 10.0.0.0 24 10.10.0.0 24 0 65535 0 65535 0 0 1
p 1 firewall add ipv4 2 10.10.0.0 24 10.0.0.0 24 0 65535 0 65535 0 0 0

The first, as far as I understood the parameters, should accept packets coming from 10.0.0.0/24 and bound to 10.10.0.0/24, for any TCP port (0-65535), both for destination and source, for any protocol (protocol mask = 0), and forward them to link 1, which is connected to the host 10.10.0.1. The second is similar to the first, but in the other direction: 10.10.0.0/24 -> 10.0.0.0/24.

When I try pinging one host from the other, I can see the packets being received by the application (the command "link ls" shows the number of RX packets increasing gradually), but none of them gets transmitted to the specified link. The only situation in which I can get packets to the other side is when I allow all traffic through the "p 1 firewall add default" command.

I wondered if the packets were being modified somewhere, so I looked for the place in the code where the packets were actually being matched against the rules so I could print them and check. While looking through the code, I saw that the DPDK ACL data structure was being used to implement the rules, and after reading the DPDK Programmer's Guide chapter regarding the ACL library (Chapter 22), I saw that the function rte_acl_classify should be called to match the packets against the rules, but I couldn't find this function being called anywhere in the code or in the libraries being used by the application.

So my question is: Am I missing anything in my configuration in order to successfully run the firewall? Did I interpret the rule parameters correctly? Or, although I think this is less likely, is the firewall failing to match the packets against the rules?
I've been working on this for a few days and I can't seem to understand what's wrong. I appreciate your kind help.

Thank you.

--
Matheus Salgueiro Castanho
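An added example, not code from this mail or from DPDK's ip_pipeline: a small Python model of the rule syntax as the mail reads it (src prefix, dst prefix, inclusive port ranges, protocol plus mask, output link), used to check which output link the two rules would assign to the ping traffic described. The positional layout is copied from the two commands above; the priority tie-break (highest value wins) and ICMP ports modelled as 0 are assumptions of this model, not taken from the ip_pipeline source.

```python
import ipaddress
from dataclasses import dataclass

# Constructed input: the two rules exactly as typed in the mail.
RULES_CLI = [
    "p 1 firewall add ipv4 1 10.0.0.0 24 10.10.0.0 24 0 65535 0 65535 0 0 1",
    "p 1 firewall add ipv4 2 10.10.0.0 24 10.0.0.0 24 0 65535 0 65535 0 0 0",
]

@dataclass(frozen=True)
class Rule:
    priority: int
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: tuple          # inclusive (low, high) source port range
    dport: tuple          # inclusive (low, high) destination port range
    proto: int
    proto_mask: int       # 0 means "any protocol", as the mail reads it
    port_id: int          # output link the packet is forwarded to

def parse_rule(cmd: str) -> Rule:
    """Parse one 'p <pipeline> firewall add ipv4 ...' line (layout as in the mail)."""
    f = cmd.split()
    if len(f) != 17 or (f[0], f[2], f[3], f[4]) != ("p", "firewall", "add", "ipv4"):
        raise ValueError(f"unexpected rule syntax: {cmd!r}")
    prio, sip, sdep, dip, ddep, sp0, sp1, dp0, dp1, proto, pmask, port = f[5:]
    return Rule(int(prio),
                ipaddress.ip_network(f"{sip}/{sdep}", strict=False),
                ipaddress.ip_network(f"{dip}/{ddep}", strict=False),
                (int(sp0), int(sp1)), (int(dp0), int(dp1)),
                int(proto), int(pmask), int(port))

def matches(rule: Rule, pkt: tuple) -> bool:
    """pkt = (src_ip, dst_ip, sport, dport, proto); ICMP has no ports, modelled as 0 (assumption)."""
    sip, dip, sport, dport, proto = pkt
    return (ipaddress.ip_address(sip) in rule.src
            and ipaddress.ip_address(dip) in rule.dst
            and rule.sport[0] <= sport <= rule.sport[1]
            and rule.dport[0] <= dport <= rule.dport[1]
            and (proto & rule.proto_mask) == (rule.proto & rule.proto_mask))

def classify(rules, pkt, default_port=None):
    """Output link for pkt, or default_port when no rule matches (assumed: highest priority wins)."""
    hits = [r for r in rules if matches(r, pkt)]
    return max(hits, key=lambda r: r.priority).port_id if hits else default_port

RULES = [parse_rule(c) for c in RULES_CLI]
PING_A_TO_B = ("10.0.0.1", "10.10.0.1", 0, 0, 1)    # ICMP echo, host A -> host B (constructed)
PING_B_TO_A = ("10.10.0.1", "10.0.0.1", 0, 0, 1)
```

Under this reading of the parameters the ping in each direction hits exactly one rule and is forwarded to link 1 or link 0 respectively, while a packet from an unlisted subnet hits nothing and is only passed when a default rule is set.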