[dpdk-users] Request for a valid ip_pipeline example to configure firewall

Singh, Jasvinder jasvinder.singh at intel.com
Sun Jul 17 09:53:05 CEST 2016


From: Tao Wang [mailto:tao.wang0221 at gmail.com]
Sent: Saturday, July 16, 2016 6:58 AM
To: Singh, Jasvinder <jasvinder.singh at intel.com>
Cc: users at dpdk.org
Subject: Re: [dpdk-users] Request for a valid ip_pipeline example to configure firewall

Hi, Jasvinder,

Thanks for your concern.

On Sat, Jul 16, 2016 at 12:01 AM, Singh, Jasvinder <jasvinder.singh at intel.com> wrote:
Hi Tao,

> -----Original Message-----
> From: users [mailto:users-bounces at dpdk.org] On Behalf Of Tao Wang
> Sent: Friday, July 15, 2016 3:59 PM
> To: users at dpdk.org
> Subject: [dpdk-users] Request for a valid ip_pipeline example to configure
> firewall
>
> Dear all,
>
> I am using the dpdp-16.04 in a qemu-kvm based CentOS7 VM.
>
> I am running the ip_pipeline example. However, I can not get firewall
> configured rightly according to the config files posted at
> http://dpdk.org/browse/dpdk/tree/examples/ip_pipeline/config.
>
> But there are some problems,
>
> 1) CLI command "p 1 firewall add priority 1 ipv4 0.0.0.0 0 100.0.0.0 10 0
> 65535 0 65535 6 0xF port 0" returns "bad argument"

If you are working on 16.04, the command format for adding a firewall rule is as below:

p <pipeline_id> firewall add ipv4 <priority> <src ip> <src ip mask> <dst ip> <dst ip mask> <src_port_from> <src_port_to> <dst_port_from> <dst_port_to> <protocol> <protocol_mask> <port id>

The reason why your command is failing is that in 16.07 we have changed the command format for adding a rule to the firewall pipeline.
I added the CLI command "p 1 firewall add ipv4 2 192.168.10.171 32 192.168.10.172 32 0 65535 0 65535 6 0xF 0" to the firewall. Does it mean that the firewall blocks the IPv4 traffic from 192.168.10.171/32 to 192.168.10.172/32?

[Jasvinder]  A firewall with the above rule will allow all packets matching the above fields to pass through it. You should be able to see packets with the above src IP, dst IP and TCP ports (src, dst) coming out of the pipeline. Check your traffic settings if you don't see that.


Also, another question is how we can set the default firewall action to pass through all the traffic. When I run the "p 1 firewall ls" CLI command, it shows that the default operation of the firewall is to drop all the traffic.

[Jasvinder]  For changing the default action, you can use the following command:

p <pipeline id> firewall add default <port id>

In this case, packets not matching any of the firewall rules will be sent out to the given port id.

Moreover, I do not know how to verify my configuration. For the pipeline firewall I have created above, on the 192.168.10.171 host I just ping the 192.168.10.172 host. When I run "p 1 firewall stats port in 0" or "p 1 firewall stats port 0", it just returns

"Pipeline 1 - stats for input port 0:
          Pkts in: 0
          Pkts dropped by AH: 0
          Pkts dropped by other: 0"

and

"Pipeline 1 - stats for output port 0:
          Pkts in: 0
          Pkts dropped by AH: 0
          Pkts dropped by other: 0"

BTW, the topology is as below:

-------------------                             -------------------
|                 |                             |                 |
| 192.168.10.171  |------pipeline firewall------| 192.168.10.171  |
|                 |                             |                 |
-------------------                             -------------------

[Jasvinder]   To see stats, you need to enable three flags (shown below) in dpdk/config/common_base:

CONFIG_RTE_PIPELINE_STATS_COLLECT=y
CONFIG_RTE_TABLE_STATS_COLLECT=y
CONFIG_RTE_PORT_STATS_COLLECT=y



Also, if I change the pipeline firewall application to the pipeline l2fwd application, the forwarding function works correctly, but the statistics are also "0".

[Jasvinder]  Please enable the stats collection flags as suggested above.

Wish for your reply :-).

> 2) CLI command "p 1 firewall add default 4 #SINK0" returns "command failed"

I guess you have configured 4 ports (port id 0-3); if this is the case, use the right port id.
>
> So how to configure it rightly? What's the right semantics of the CLI command
> for firewall?

To learn the command format, please follow the code in ip_pipeline/pipeline/pipeline_firewall.c


> Wish for your reply.
>
> Best,
> Tao

Jasvinder

Best,
Tao
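The rule format, the default action and the port-id check discussed in this thread, as an added Python model that is not DPDK code and not from either poster: it parses the 16.04 "p <pipeline> firewall add ipv4 ..." rule into fields, rejects the "priority ... port" form with the same "bad argument" Tao saw, rejects an out-of-range output port with "command failed", and classifies a packet 5-tuple against the rules with a drop default. The names FirewallPipeline, parse_firewall_add and rule_matches are this example's own; treating the protocol mask as a bitwise AND over the protocol byte and letting the lower priority value win among overlapping rules are assumptions of the model, not verified DPDK behaviour. The sample packets are constructed; they also show that an ICMP echo (protocol 1) does not match a rule written for protocol 6, so a ping produces no matching packets while the default action is still drop.

```python
"""Model of the DPDK 16.04 ip_pipeline firewall rule CLI (added example, not DPDK code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class FirewallRule:
    priority: int
    src: ipaddress.IPv4Network        # <src ip>/<src ip mask>
    dst: ipaddress.IPv4Network        # <dst ip>/<dst ip mask>
    src_ports: Tuple[int, int]        # inclusive <src_port_from>..<src_port_to>
    dst_ports: Tuple[int, int]        # inclusive <dst_port_from>..<dst_port_to>
    proto: int
    proto_mask: int                   # assumption: applied as a bitwise AND
    port_id: int                      # output port for matching packets


def _port_range(lo: str, hi: str) -> Tuple[int, int]:
    a, b = int(lo), int(hi)
    if not (0 <= a <= b <= 65535):
        raise ValueError("bad argument")
    return a, b


def parse_firewall_add(cmd: str, n_ports: int) -> FirewallRule:
    """Parse 'p <id> firewall add ipv4 <prio> <sip> <smask> <dip> <dmask>
    <sp0> <sp1> <dp0> <dp1> <proto> <proto_mask> <port>' (17 tokens)."""
    tok = cmd.split()
    if len(tok) != 17 or tok[0] != "p" or tok[2:5] != ["firewall", "add", "ipv4"]:
        raise ValueError("bad argument")      # the 16.07 'priority ... port' form lands here
    try:
        src = ipaddress.IPv4Network(f"{tok[6]}/{int(tok[7])}", strict=False)
        dst = ipaddress.IPv4Network(f"{tok[8]}/{int(tok[9])}", strict=False)
        proto, proto_mask = int(tok[14]), int(tok[15], 16)   # mask written as 0xF
        port_id = int(tok[16])
        src_ports, dst_ports = _port_range(tok[10], tok[11]), _port_range(tok[12], tok[13])
    except ValueError as exc:
        raise ValueError("bad argument") from exc
    if not (0 <= proto <= 255 and 0 <= proto_mask <= 255):
        raise ValueError("bad argument")
    if not 0 <= port_id < n_ports:
        raise ValueError("command failed")    # port id outside the configured ports
    return FirewallRule(int(tok[5]), src, dst, src_ports, dst_ports, proto, proto_mask, port_id)


def rule_matches(rule: FirewallRule, sip: str, dip: str, sport: int, dport: int, proto: int) -> bool:
    return (ipaddress.IPv4Address(sip) in rule.src
            and ipaddress.IPv4Address(dip) in rule.dst
            and rule.src_ports[0] <= sport <= rule.src_ports[1]
            and rule.dst_ports[0] <= dport <= rule.dst_ports[1]
            and (proto & rule.proto_mask) == (rule.proto & rule.proto_mask))


class FirewallPipeline:
    """Hypothetical in-memory stand-in for one ip_pipeline firewall pipeline."""

    def __init__(self, n_ports: int) -> None:
        self.n_ports = n_ports
        self.rules: List[FirewallRule] = []
        self.default_port: Optional[int] = None   # None models the initial 'drop' default

    def run(self, cmd: str) -> None:
        tok = cmd.split()
        if len(tok) == 6 and tok[2:5] == ["firewall", "add", "default"]:
            port = int(tok[5])
            if not 0 <= port < self.n_ports:
                raise ValueError("command failed")
            self.default_port = port
            return
        self.rules.append(parse_firewall_add(cmd, self.n_ports))

    def classify(self, sip: str, dip: str, sport: int, dport: int, proto: int) -> Optional[int]:
        """Return the output port for the packet, or None if it is dropped."""
        hits = [r for r in self.rules if rule_matches(r, sip, dip, sport, dport, proto)]
        if not hits:
            return self.default_port
        return min(hits, key=lambda r: r.priority).port_id   # assumption: lower value wins


if __name__ == "__main__":
    fw = FirewallPipeline(n_ports=4)
    fw.run("p 1 firewall add ipv4 2 192.168.10.171 32 192.168.10.172 32 0 65535 0 65535 6 0xF 0")
    # constructed packets: a TCP segment matches, an ICMP echo (proto 1) does not
    print(fw.classify("192.168.10.171", "192.168.10.172", 40000, 80, 6))
    print(fw.classify("192.168.10.171", "192.168.10.172", 0, 0, 1))
    fw.run("p 1 firewall add default 1")
    print(fw.classify("192.168.10.171", "192.168.10.172", 0, 0, 1))
```

Running the block prints 0, None and 1: the TCP packet is forwarded by the rule, the ping is dropped under the initial default, and after the default action is set to port 1 the ping leaves on that port.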

