From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from mail-qk0-f179.google.com (mail-qk0-f179.google.com [209.85.220.179])
	by dpdk.org (Postfix) with ESMTP id A7E272C01
	for ; Fri, 10 Mar 2017 06:30:14 +0100 (CET)
Received: by mail-qk0-f179.google.com with SMTP id v125so149913242qkh.2
	for ; Thu, 09 Mar 2017 21:30:14 -0800 (PST)
X-Received: by 10.200.42.213 with SMTP id c21mr19872828qta.257.1489123813583;
	Thu, 09 Mar 2017 21:30:13 -0800 (PST)
MIME-Version: 1.0
Received: by 10.12.156.15 with HTTP; Thu, 9 Mar 2017 21:30:13 -0800 (PST)
In-Reply-To: <54CBAA185211B4429112C315DA58FF6D31B0555C@IRSMSX101.ger.corp.intel.com>
References: <3EB4FA525960D640B5BDFFD6A3D891265275CF7A@IRSMSX108.ger.corp.intel.com>
 <54CBAA185211B4429112C315DA58FF6D31B0555C@IRSMSX101.ger.corp.intel.com>
From: Shyam Shrivastav
Date: Fri, 10 Mar 2017 11:00:13 +0530
Message-ID:
To: "Singh, Jasvinder"
Cc: "Dumitrescu, Cristian", "dev@dpdk.org"
Content-Type: text/plain; charset=UTF-8
X-Content-Filtered-By: Mailman/MimeDel 2.1.15
Subject: Re: [dpdk-dev] ip_pipeline firewall customization
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DPDK patches and discussions
X-List-Received-Date: Fri, 10 Mar 2017 05:30:15 -0000

Hi Singh

Please find my comments inline

>
> [Jasvinder] - You need to set the right proto field and accordingly the
> mask in the above rule. You can keep src/dst ip addresses intact. Proto
> field defines the protocol used in the data portion of the IP datagram and
> can be found here. For e.g. in case your packet is a TCP packet then the
> firewall rule should be as below and you will see arp packets filtered out.
>
> p 1 firewall add priority 1 ipv4 0.0.0.0 0 0.0.0.0 0 0 65535 0 65535 6 0x6 port 0
>

[Shyam] Yes it works, I already saw that; the simple reason is that it would
be rare for an ARP packet to have exactly the same value at that offset (9,
which contains the MAC address). Still, in my view ARP packets must be
filtered out and must never hit the firewall/ACL table.

>
> > Yes dropping of packets can be achieved by creating a sink port. However
> > we need further processing to be done for a packet hitting a pass rule, and
> > best way for this processing is f_action_hit table handler. In this
> > routine we can distinguish between drop/pass actions as
> > rte_pipeline_table_entry is passed to it, which also contains portid but
> > no generic way to distinguish between normal or sink port.
> > I think it would be value addition to allow this action in firewall
> > pipeline, please let me know your thoughts. As for our project looks like
> > we have to include this.
>
> [Jasvinder] - If I understand your context correctly, you want to
> distinguish Sink port from other normal out ports in the action handler.
> You can do that by keeping sink port last among the pipeline output ports and
> then in action handler you can compare the port id (highest value) to see
> whether the port id is sink port or not.
>

[Shyam] That doesn't seem to be generic at all. Requirement is to be able to
configure and distinguish between pass and drop rules, so that required
translations can be done for pass rules. Support for drop action exists in
the underlying table/acl code, we just need to change the firewall part. We
should not do this based on port number in my view ....

Thanks and rgds
Shyam
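
Added example (not part of the original message and not DPDK code): plain C showing why a proto match at IPv4 header offset 9 can hit an ARP frame, where that offset falls inside the sender MAC address, and an EtherType guard that keeps non-IPv4 frames out of the ACL lookup. The function names, the untagged-Ethernet assumption and both sample frames are constructed for illustration; the rule's trailing `6 0x6` is taken as protocol value and mask.

```c
#include <stddef.h>
#include <stdint.h>

#define ETH_HDR_LEN    14       /* untagged Ethernet II header (assumption) */
#define ETHERTYPE_IPV4 0x0800
#define IPV4_PROTO_OFF 9        /* protocol byte inside the IPv4 header */
#define IPV4_MIN_HDR   20

/* Unguarded match: compares the byte at L3 offset 9 with no EtherType check. */
static int naive_proto_match(const uint8_t *f, size_t len, uint8_t val, uint8_t mask)
{
    if (len <= ETH_HDR_LEN + IPV4_PROTO_OFF)
        return 0;
    return (f[ETH_HDR_LEN + IPV4_PROTO_OFF] & mask) == (val & mask);
}

/* Pre-ACL guard (hypothetical helper): only well-formed IPv4 frames pass. */
static int is_ipv4_for_acl(const uint8_t *f, size_t len)
{
    if (len < ETH_HDR_LEN + IPV4_MIN_HDR)
        return 0;
    uint16_t ethertype = (uint16_t)((f[12] << 8) | f[13]);
    if (ethertype != ETHERTYPE_IPV4)
        return 0;
    uint8_t ver_ihl = f[ETH_HDR_LEN];
    return (ver_ihl >> 4) == 4 && (ver_ihl & 0x0f) >= 5;
}

/* Guarded match: the proto comparison runs only on IPv4 frames. */
static int guarded_proto_match(const uint8_t *f, size_t len, uint8_t val, uint8_t mask)
{
    return is_ipv4_for_acl(f, len) && naive_proto_match(f, len, val, mask);
}

/* Constructed ARP request; sender MAC 02:06:00:00:00:01 puts 0x06 at L3 offset 9. */
static const uint8_t sample_arp[42] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0x06,0x00,0x00,0x00,0x01, 0x08,0x06,
    0x00,0x01, 0x08,0x00, 0x06, 0x04, 0x00,0x01,
    0x02,0x06,0x00,0x00,0x00,0x01, 192,168,0,1,
    0x00,0x00,0x00,0x00,0x00,0x00, 192,168,0,2
};

/* Constructed IPv4/TCP frame, headers only (protocol byte = 6). */
static const uint8_t sample_tcp[34] = {
    0x02,0x00,0x00,0x00,0x00,0x02, 0x02,0x06,0x00,0x00,0x00,0x01, 0x08,0x00,
    0x45,0x00,0x00,0x14, 0,0,0,0, 64, 6, 0,0, 192,168,0,1, 192,168,0,2
};
```

On the constructed ARP frame the unguarded match succeeds for value 6 and mask 0x6, while the guarded match rejects it and still accepts the TCP frame.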