From: Tao Wang
Date: Sat, 16 Jul 2016 13:58:25 +0800
To: "Singh, Jasvinder"
Cc: "users@dpdk.org"
Subject: Re: [dpdk-users] Request for a valid ip_pipeline example to configure firewall

Hi, Jasvinder,

Thanks for your concern.

On Sat, Jul 16, 2016 at 12:01 AM, Singh, Jasvinder <jasvinder.singh@intel.com> wrote:

> Hi Tao,
>
> > -----Original Message-----
> > From: users [mailto:users-bounces@dpdk.org] On Behalf Of Tao Wang
> > Sent: Friday, July 15, 2016 3:59 PM
> > To: users@dpdk.org
> > Subject: [dpdk-users] Request for a valid ip_pipeline example to configure firewall
> >
> > Dear all,
> >
> > I am using the dpdk-16.04 in a qemu-kvm based CentOS7 VM.
> >
> > I am running the ip_pipeline example. However, I cannot get firewall
> > configured rightly according to the config files posted at
> > http://dpdk.org/browse/dpdk/tree/examples/ip_pipeline/config.
> >
> > But there are some problems,
> >
> > 1) CLI command "p 1 firewall add priority 1 ipv4 0.0.0.0 0 100.0.0.0 10 0 65535 0 65535 6 0xF port 0" returns "bad argument"
>
> If you are working on 16.04, the command format for adding firewall rule
> is as below;
>
> p firewall add ipv4 ip> mask> id>
>
> The reason why your command is failing is because in 16.07 we have changed
> the command format for adding rule to firewall pipeline.
>

I add a CLI command "p 1 firewall add ipv4 2 192.168.10.171 32 192.168.10.172 32 0 65535 0 65535 6 0xF 0" to the firewall. Does it mean that the firewall blocks the ipv4 traffic from 192.168.10.171/32 to 192.168.10.172/32?

Also, another question is how can we set the default firewall to pass through all the traffic? I run the "p 1 firewall ls" CLI command, and it shows that the default operation of the firewall is to drop all the traffic.

Moreover, I do not know how to verify my configuration. Like the pipeline firewall I have created above, on the 192.168.10.171 host, I just ping the 192.168.10.172 host. And I run "p 1 firewall stats port in 0" or "p 1 firewall stats port 0", it just returns

"Pipeline 1 - stats for input port 0:
 Pkts in: 0
 Pkts dropped by AH: 0
 Pkts dropped by other: 0"

and

"Pipeline 1 - stats for output port 0:
 Pkts in: 0
 Pkts dropped by AH: 0
 Pkts dropped by other: 0"

BTW, the topology is as below,

-------------------------                             ---------------------------
|                       |                             |                         |
|    192.168.10.171     |------pipeline firewall------|     192.168.10.171      |
|                       |                             |                         |
-------------------------                             ---------------------------

Also, if I change the pipeline firewall application to the pipeline l2fwd application, the forwarding function works correctly, but the statistics are also "0".

Wish for your reply :-).

> > 2) CLI command "p 1 firewall add default 4 #SINK0" returns "command failed"
>
> I guess you have configured 4 ports (port id 0 -3), so if this is the
> case, use right port id.
>
> > So how to configure it rightly? What's the right semantics of the CLI command
> > for firewall?
>
> To learn the command format, please follow the code -
> ip_pipeline/pipeline/pipeline_firewall.c
>
> > Wish for your reply.
> >
> > Best,
> > Tao
> >
> Jasvinder
>

Best,
Tao