From: Tao Wang <tao.wang0221@gmail.com>
To: "Singh, Jasvinder" <jasvinder.singh@intel.com>
Cc: "users@dpdk.org" <users@dpdk.org>
Subject: Re: [dpdk-users] Request for a valid ip_pipeline example to configure firewall
Date: Sat, 16 Jul 2016 13:58:25 +0800 [thread overview]
Message-ID: <CAK0ntGjN3sKks2BuyFruzC7xuUaiBRtrMsO3ouLvhCCqORwQDQ@mail.gmail.com> (raw)
In-Reply-To: <54CBAA185211B4429112C315DA58FF6DE7C444@IRSMSX103.ger.corp.intel.com>
Hi, Jasvinder,
Thanks for your concern.
On Sat, Jul 16, 2016 at 12:01 AM, Singh, Jasvinder <
jasvinder.singh@intel.com> wrote:
> Hi Tao,
>
> > -----Original Message-----
> > From: users [mailto:users-bounces@dpdk.org] On Behalf Of Tao Wang
> > Sent: Friday, July 15, 2016 3:59 PM
> > To: users@dpdk.org
> > Subject: [dpdk-users] Request for a valid ip_pipeline example to
> configure
> > firewall
> >
> > Dear all,
> >
> > I am using the dpdp-16.04 in a qemu-kvm based CentOS7 VM.
> >
> > I am running the ip_pipeline example. However, I can not get firewall
> > configured rightly according to the config files posted at
> > http://dpdk.org/browse/dpdk/tree/examples/ip_pipeline/config.
> >
> > But there are some problems,
> >
> > 1) CLI command "p 1 firewall add priority 1 ipv4 0.0.0.0 0 100.0.0.0 10 0
> > 65535 0 65535 6 0xF port 0" returns "bad argument"
>
> If you are working on 16.04, the command format for adding firewall rule
> is as below;
>
> p <pipeline_id> firewall add ipv4 <priority> <src ip><src ip mask><dst
> ip><ds tip
> mask><src_port_from><src_port_to><dst_port_from><dst_port_to><protocol><protocol_mask><port
> id>
>
> The reason why your command is failing is because in 16.07 we have changed
> the command format for adding rule to firewall pipeline.
>
> I add an CLI command "p 1 firewall add ipv4 2 192.168.10.171 32
192.168.10.172 32 0 65535 0 65535 6 0xF 0" to the firewall. Does it mean
that the firewall block the ipv4 traffic from 192.168.10.171/32 to
192.168.10.172/32?
Also, another question is how can we set the default firewall to pass
through all the traffic? I run "p 1 firewall ls" CLI command, it shows that
the default operation of the firewall is to drop all the traffic.
Moreover, I do not know how to verify my configuration. Like the pipeline
firewall I have created above, on the 192.168.10.171 host, I just ping the
192.168.10.172 host. And I run "p 1 firewall stats port in 0" or "p 1
firewall stats port 0", it just returns
"Pipeline 1 - stats for input port 0:
Pkts in: 0
Pkts dropped by AH: 0
Pkts dropped by other: 0"
and
"Pipeline 1 - stats for output port 0:
Pkts in: 0
Pkts dropped by AH: 0
Pkts dropped by other: 0"
BTW, the topology is as below,
-------------------------
---------------------------
| | |
|
| 192.168.10.171 |------pipeline firewall------| 192.168.10.171 |
| | |
|
--------------------------
---------------------------
Also, if I change the pipeline firewall application to the pipeline l2fwd
application, the forwarding function works correctly, but the statistics
are also "0".
Wish for your reply :-).
> 2) CLI command "p 1 firewall add default 4 #SINK0" returns "command
> failed"
>
> I guess you have configured 4 ports (port id 0 -3), so if this is the
> case, use right port id.
> >
> > So how to configure it rightly? What's the right semantics of the CLI
> command
> > for firewall?
>
> To learn the command format, please follow the code -
> ip_pipeline/pipeline/pipeline_firewall.c
>
>
> > Wish for your reply.
> >
> > Best,
> > Tao
>
>
> Jasvinder
>
Best,
Tao
next prev parent reply other threads:[~2016-07-16 5:58 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-07-15 14:58 Tao Wang
2016-07-15 16:01 ` Singh, Jasvinder
2016-07-16 5:58 ` Tao Wang [this message]
2016-07-17 7:53 ` Singh, Jasvinder
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAK0ntGjN3sKks2BuyFruzC7xuUaiBRtrMsO3ouLvhCCqORwQDQ@mail.gmail.com \
--to=tao.wang0221@gmail.com \
--cc=jasvinder.singh@intel.com \
--cc=users@dpdk.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).