DPDK usage discussions
From: "Singh, Jasvinder" <jasvinder.singh@intel.com>
To: Tao Wang <tao.wang0221@gmail.com>
Cc: "users@dpdk.org" <users@dpdk.org>
Subject: Re: [dpdk-users] Request for a valid ip_pipeline example to configure firewall
Date: Sun, 17 Jul 2016 07:53:05 +0000
Message-ID: <54CBAA185211B4429112C315DA58FF6DE7DA7F@IRSMSX103.ger.corp.intel.com>
In-Reply-To: <CAK0ntGjN3sKks2BuyFruzC7xuUaiBRtrMsO3ouLvhCCqORwQDQ@mail.gmail.com>

From: Tao Wang [mailto:tao.wang0221@gmail.com]
Sent: Saturday, July 16, 2016 6:58 AM
To: Singh, Jasvinder <jasvinder.singh@intel.com>
Cc: users@dpdk.org
Subject: Re: [dpdk-users] Request for a valid ip_pipeline example to configure firewall

Hi, Jasvinder,

Thanks for your concern.

On Sat, Jul 16, 2016 at 12:01 AM, Singh, Jasvinder <jasvinder.singh@intel.com> wrote:
Hi Tao,

> -----Original Message-----
> From: users [mailto:users-bounces@dpdk.org] On Behalf Of Tao Wang
> Sent: Friday, July 15, 2016 3:59 PM
> To: users@dpdk.org
> Subject: [dpdk-users] Request for a valid ip_pipeline example to configure
> firewall
>
> Dear all,
>
> I am using the dpdp-16.04 in a qemu-kvm based CentOS7 VM.
>
> I am running the ip_pipeline example. However, I can not get firewall
> configured rightly according to the config files posted at
> http://dpdk.org/browse/dpdk/tree/examples/ip_pipeline/config.
>
> But there are some problems,
>
> 1) CLI command "p 1 firewall add priority 1 ipv4 0.0.0.0 0 100.0.0.0 10 0
> 65535 0 65535 6 0xF port 0" returns "bad argument"

If you are working on 16.04, the command format for adding firewall rule is as below;

p <pipeline_id> firewall add ipv4 <priority> <src ip> <src ip mask> <dst ip> <dst ip mask> <src_port_from> <src_port_to> <dst_port_from> <dst_port_to> <protocol> <protocol_mask> <port id>

The reason why your command is failing is because in 16.07 we have changed the command format for adding rule to firewall pipeline.
I added the CLI command "p 1 firewall add ipv4 2 192.168.10.171 32 192.168.10.172 32 0 65535 0 65535 6 0xF 0" to the firewall. Does it mean that the firewall blocks the IPv4 traffic from 192.168.10.171/32 to 192.168.10.172/32?

[Jasvinder] A firewall with the above rule will allow all packets matching the above fields to pass through it. You should be able to see packets with the above src IP, dst IP and TCP ports (src, dst) coming out of the pipeline. Check your traffic settings if you don't see that.


Also, another question is how can we set the default firewall to pass through all the traffic? I run "p 1 firewall ls" CLI command, it shows that the default operation of the firewall is to drop all the traffic.

[Jasvinder] For changing the default action, you can use the following command:

p <pipeline id> firewall add default <port id>

In this case, packets not matching any of the firewall rules will be sent out to the given port id.

Moreover, I do not know how to verify my configuration. Take the pipeline firewall I created above: on the 192.168.10.171 host, I just ping the 192.168.10.172 host. When I run "p 1 firewall stats port in 0" or "p 1 firewall stats port 0", it just returns

"Pipeline 1 - stats for input port 0:
          Pkts in: 0
          Pkts dropped by AH: 0
          Pkts dropped by other: 0"

and

"Pipeline 1 - stats for output port 0:
          Pkts in: 0
          Pkts dropped by AH: 0
          Pkts dropped by other: 0"

BTW, the topology is as below,

-------------------------                                   -------------------------
|                       |                                   |                       |
|    192.168.10.171     |------- pipeline firewall ---------|    192.168.10.172     |
|                       |                                   |                       |
-------------------------                                   -------------------------

[Jasvinder] To see stats, you need to enable three flags (shown below) in dpdk/config/common_base:

CONFIG_RTE_PIPELINE_STATS_COLLECT=y
CONFIG_RTE_TABLE_STATS_COLLECT=y
CONFIG_RTE_PORT_STATS_COLLECT=y



Also, if I change the pipeline firewall application to the pipeline l2fwd application, the forwarding function works correctly, but the statistics are also "0".

[Jasvinder] Please enable the stats collection flags as suggested above.

Wish for your reply :-).

> 2) CLI command "p 1 firewall add default 4 #SINK0" returns "command failed"

I guess you have configured 4 ports (port id 0-3); if this is the case, use the right port id.
>
> So how to configure it rightly? What's the right semantics of the CLI command
> for firewall?

To learn the command format, please follow the code in ip_pipeline/pipeline/pipeline_firewall.c


> Wish for your reply.
>
> Best,
> Tao

Jasvinder

Best,
Tao
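The following is an added example, not code from the thread or from DPDK: a small Python model of the firewall-pipeline semantics discussed above (the 16.04 "firewall add ipv4" rule syntax, the "add default <port id>" action, and port-id validation), so the behaviour of the posted commands can be checked without a DPDK build. It assumes rte_acl-style matching (every field must match and the highest numeric priority wins among matching rules), that the protocol field is compared as value & mask, and that text after "#" on a CLI line is a comment; none of those details are stated in the thread. The lookup shows why a ping from 192.168.10.171 would not be passed by the TCP rule alone: ICMP (protocol 1) does not match protocol 6, so it falls through to the default action, which is drop until a default port is set.

```python
"""Toy model of the ip_pipeline firewall semantics discussed in the thread.

Added example, not DPDK's own code.  Assumptions (not stated by the thread):
matching follows rte_acl conventions (every field must match; among matching
rules the highest numeric priority wins); the protocol field is compared as
(value & mask); text after '#' on a CLI line is a comment; the CLI syntax is
the 16.04 one quoted in the reply.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    priority: int
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: tuple            # (from, to), inclusive
    dport: tuple            # (from, to), inclusive
    proto: int
    proto_mask: int
    port_id: int            # output port used when the rule matches

    def matches(self, sip: str, dip: str, sport: int, dport: int, proto: int) -> bool:
        return (ipaddress.IPv4Address(sip) in self.src
                and ipaddress.IPv4Address(dip) in self.dst
                and self.sport[0] <= sport <= self.sport[1]
                and self.dport[0] <= dport <= self.dport[1]
                and (proto & self.proto_mask) == (self.proto & self.proto_mask))


class Firewall:
    """One firewall pipeline: a rule list plus a default action."""

    def __init__(self, n_ports: int):
        self.n_ports = n_ports          # valid output port ids are 0 .. n_ports-1
        self.rules = []
        self.default_port: Optional[int] = None   # None = drop (what "firewall ls" showed)

    def cli(self, line: str) -> str:
        """Apply one CLI line; returns the status string a CLI would print."""
        tok = line.split("#", 1)[0].split()      # assumption: '#' starts a comment
        # p <pipeline> firewall add ipv4 <prio> <sip> <smask> <dip> <dmask>
        #   <sp_from> <sp_to> <dp_from> <dp_to> <proto> <proto_mask> <port_id>
        if len(tok) == 17 and tok[2:5] == ["firewall", "add", "ipv4"]:
            try:
                port_id = int(tok[16])
                if not 0 <= port_id < self.n_ports:
                    return "command failed"
                self.rules.append(Rule(
                    priority=int(tok[5]),
                    src=ipaddress.IPv4Network(f"{tok[6]}/{tok[7]}", strict=False),
                    dst=ipaddress.IPv4Network(f"{tok[8]}/{tok[9]}", strict=False),
                    sport=(int(tok[10]), int(tok[11])),
                    dport=(int(tok[12]), int(tok[13])),
                    proto=int(tok[14], 0),
                    proto_mask=int(tok[15], 0),     # accepts "0xF" as well as "15"
                    port_id=port_id))
            except ValueError:
                return "bad argument"
            return "ok"
        # p <pipeline> firewall add default <port_id>
        if len(tok) == 6 and tok[2:5] == ["firewall", "add", "default"]:
            try:
                port_id = int(tok[5])
            except ValueError:
                return "bad argument"
            if not 0 <= port_id < self.n_ports:
                return "command failed"
            self.default_port = port_id
            return "ok"
        return "bad argument"

    def lookup(self, sip: str, dip: str, sport: int, dport: int, proto: int) -> Optional[int]:
        """Output port for a packet, or None if the packet is dropped."""
        best = None
        for r in self.rules:
            if r.matches(sip, dip, sport, dport, proto) and (best is None or r.priority > best.priority):
                best = r
        return best.port_id if best is not None else self.default_port


if __name__ == "__main__":
    fw = Firewall(n_ports=4)
    print(fw.cli("p 1 firewall add ipv4 2 192.168.10.171 32 192.168.10.172 32 0 65535 0 65535 6 0xF 0"))
    print(fw.lookup("192.168.10.171", "192.168.10.172", 40000, 22, 6))   # TCP: rule hit, port 0
    print(fw.lookup("192.168.10.171", "192.168.10.172", 0, 0, 1))        # ICMP: no rule, dropped
    print(fw.cli("p 1 firewall add default 1"))
    print(fw.lookup("192.168.10.171", "192.168.10.172", 0, 0, 1))        # ICMP now goes to port 1
```

The model reproduces the two failures reported in the thread: the "add priority 1 ipv4 ..." form is rejected as a bad argument because the 16.04 syntax has no "priority" keyword, and "add default 4" fails on a pipeline with ports 0-3 because the port id is out of range. For the ICMP lookup the port values are set to 0 as a placeholder, since ICMP carries no L4 ports; in the real pipeline whatever bytes sit at those offsets are compared, which makes no difference here because the protocol field already fails to match.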


Thread overview: 4+ messages
2016-07-15 14:58 Tao Wang
2016-07-15 16:01 ` Singh, Jasvinder
2016-07-16  5:58   ` Tao Wang
2016-07-17  7:53     ` Singh, Jasvinder [this message]
