DPDK usage discussions
From: Tao Wang <tao.wang0221@gmail.com>
To: "Singh, Jasvinder" <jasvinder.singh@intel.com>
Cc: "users@dpdk.org" <users@dpdk.org>
Subject: Re: [dpdk-users] Request for a valid ip_pipeline example to configure firewall
Date: Sat, 16 Jul 2016 13:58:25 +0800
Message-ID: <CAK0ntGjN3sKks2BuyFruzC7xuUaiBRtrMsO3ouLvhCCqORwQDQ@mail.gmail.com>
In-Reply-To: <54CBAA185211B4429112C315DA58FF6DE7C444@IRSMSX103.ger.corp.intel.com>

Hi, Jasvinder,

Thanks for your concern.

On Sat, Jul 16, 2016 at 12:01 AM, Singh, Jasvinder <
jasvinder.singh@intel.com> wrote:

> Hi Tao,
>
> > -----Original Message-----
> > From: users [mailto:users-bounces@dpdk.org] On Behalf Of Tao Wang
> > Sent: Friday, July 15, 2016 3:59 PM
> > To: users@dpdk.org
> > Subject: [dpdk-users] Request for a valid ip_pipeline example to
> > configure firewall
> >
> > Dear all,
> >
> > I am using the dpdk-16.04 in a qemu-kvm based CentOS7 VM.
> >
> > I am running the ip_pipeline example. However, I can not get firewall
> > configured rightly according to the config files posted at
> > http://dpdk.org/browse/dpdk/tree/examples/ip_pipeline/config.
> >
> > But there are some problems,
> >
> > 1) CLI command "p 1 firewall add priority 1 ipv4 0.0.0.0 0 100.0.0.0 10 0
> > 65535 0 65535 6 0xF port 0" returns "bad argument"
>
> If you are working on 16.04, the command format for adding firewall rule
> is as below;
>
> p <pipeline_id> firewall add ipv4 <priority> <src ip> <src ip mask>
> <dst ip> <dst ip mask> <src_port_from> <src_port_to> <dst_port_from>
> <dst_port_to> <protocol> <protocol_mask> <port id>
>
> The reason why your command is failing is because in 16.07 we have changed
> the command format for adding rule to firewall pipeline.
>

I add a CLI command "p 1 firewall add ipv4 2 192.168.10.171 32
192.168.10.172 32 0 65535 0 65535 6 0xF 0" to the firewall. Does it mean
that the firewall blocks the IPv4 traffic from 192.168.10.171/32 to
192.168.10.172/32?

Also, another question is how can we set the default firewall to pass
through all the traffic? I run "p 1 firewall ls" CLI command, it shows that
the default operation of the firewall is to drop all the traffic.

Moreover, I do not know how to verify my configuration. Like the pipeline
firewall I have created above, on the 192.168.10.171 host, I just ping the
192.168.10.172 host. And I run "p 1 firewall stats port in 0" or "p 1
firewall stats port 0", it just returns

"Pipeline 1 - stats for input port 0:
Pkts in: 0
Pkts dropped by AH: 0
Pkts dropped by other: 0"

and

"Pipeline 1 - stats for output port 0:
Pkts in: 0
Pkts dropped by AH: 0
Pkts dropped by other: 0"

BTW, the topology is as below,

-------------------                              -------------------
|                 |                              |                 |
| 192.168.10.171  |------pipeline firewall------| 192.168.10.171  |
|                 |                              |                 |
-------------------                              -------------------

Also, if I change the pipeline firewall application to the pipeline l2fwd
application, the forwarding function works correctly, but the statistics
are also "0".

Wish for your reply :-).

> > 2) CLI command "p 1 firewall add default 4 #SINK0" returns "command
> > failed"
>
> I guess you have configured 4 ports (port id 0-3), so if this is the
> case, use right port id.
> >
> > So how to configure it rightly? What's the right semantics of the CLI
> > command for firewall?
>
> To learn the command format, please follow the code -
> ip_pipeline/pipeline/pipeline_firewall.c
>
>
> > Wish for your reply.
> >
> > Best,
> > Tao
>
>
> Jasvinder
>

Best,
Tao
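
Added example, not part of the original message and not DPDK code: a parser for the 16.04 rule layout quoted in the thread, plus a 5-tuple match check run against the rule from the message. The function names are hypothetical, and the match semantics (prefix match on addresses, inclusive port ranges, masked compare on the protocol byte) are an assumption, not something the thread states.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    priority: int
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: tuple
    dport: tuple
    proto: int
    proto_mask: int
    port_id: int

def parse_rule(line):
    """Parse 'p <id> firewall add ipv4 ...' in the 16.04 layout quoted in the thread."""
    tok = line.split()
    if len(tok) != 17 or tok[0] != "p" or tok[2:5] != ["firewall", "add", "ipv4"]:
        raise ValueError("bad argument: expected 12 fields after 'ipv4'")
    src = ipaddress.IPv4Network(f"{tok[6]}/{tok[7]}", strict=False)
    dst = ipaddress.IPv4Network(f"{tok[8]}/{tok[9]}", strict=False)
    sp0, sp1, dp0, dp1, proto, pmask, port = (int(t, 0) for t in tok[10:])
    for lo, hi in ((sp0, sp1), (dp0, dp1)):
        if not 0 <= lo <= hi <= 65535:
            raise ValueError("bad port range")
    if not (0 <= proto <= 255 and 0 <= pmask <= 255):
        raise ValueError("bad protocol or mask")
    return Rule(int(tok[5]), src, dst, (sp0, sp1), (dp0, dp1), proto, pmask, port)

def matches(rule, src, dst, sport, dport, proto):
    """Assumed semantics: prefix match, inclusive port ranges, masked protocol compare."""
    return (ipaddress.IPv4Address(src) in rule.src
            and ipaddress.IPv4Address(dst) in rule.dst
            and rule.sport[0] <= sport <= rule.sport[1]
            and rule.dport[0] <= dport <= rule.dport[1]
            and (proto & rule.proto_mask) == (rule.proto & rule.proto_mask))

# Rule text taken from the message above.
RULE = parse_rule("p 1 firewall add ipv4 2 192.168.10.171 32 192.168.10.172 32 "
                  "0 65535 0 65535 6 0xF 0")

if __name__ == "__main__":
    # Constructed sample packets: (src, dst, sport, dport, IP protocol number)
    for pkt in [("192.168.10.171", "192.168.10.172", 40000, 80, 6),  # TCP
                ("192.168.10.171", "192.168.10.172", 0, 0, 1),       # ICMP echo (ping)
                ("192.168.10.171", "192.168.10.172", 0, 0, 22)]:     # 22 & 0xF == 6
        print(pkt, "->", "match" if matches(RULE, *pkt) else "no match")
```

Under these assumptions, a ping (IP protocol 1) between the two hosts does not hit this rule, and a 0xF protocol mask compares only the low four bits, so protocol numbers other than 6 can match as well.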
