Hi Shyam,

> -----Original Message-----
> From: dev [mailto:dev-boun...@dpdk.org] On Behalf Of Shyam Shrivastav
> Sent: Wednesday, March 8, 2017 3:55 PM
> To: dev@dpdk.org
> Cc: Shyam Shrivastav <shrivastav.sh...@gmail.com>
> Subject: [dpdk-dev] ip_pipeline firewall customization
>
> Hi All
>
> I am using ip_pipeline firewall as base for our project, need
> comments/suggestions/corrections regarding the following
>
> 1) We cannot configure a firewall rule to drop packets, as portid is
> mandatory in the command. I am planning to allow this for our requirement with
> the following code changes
> a) Allow "port" as optional parameter (pipeline_firewall.c), pass -1
> as port id if "port" is not specified to app_pipeline_firewall_add_rule and
> change that parameter to int32_t.
> b) Make required changes in pipeline_firewall_msg_req_add_handler if
> portid is -1, that is table entry action to be .action =
> RTE_PIPELINE_ACTION_DROP.
>

You don't really need to do this for implementing a drop action. You can simply create a SINK output port (which basically drops all the packets directed to it) and set this as the output port for all rules that drop packets. See ip_pipeline/config/firewall.cfg as example.

> 2) I am registering a f_action_hit function for firewall table to perform
> certain translations if action is pass (RTE_PIPELINE_ACTION_PORT).

What type of actions are you performing? If generic enough, it would be interesting to add them to this pipeline, so I encourage you to contribute with ideas and code patches.

> Configured a rule like the following
>
> pipeline> p 1 firewall add priority 1 ipv4 0.0.0.0 0 0.0.0.0 0 0 65535 0
> 65535 0 0 port 0
>
> which should be hit only by ipv4 packets. However even ARP packets are hit
> by this ACL and my routine is called. If I configure a specific src or dst
> ip then everything works fine and arp packets are not hit, for example the
> following rule hits only ipv4 icmp packets
>
> pipeline> p 1 firewall add priority 1 ipv4 0.0.0.0 0 45.35.70.12 32 0
> 65535 0 65535 1 0xf port 0
>
> Is this a bug or am I missing something?
>

You can make sure no ARP packets are received by the firewall pipeline by simply filtering all the ARP packets to a separate RXQ of the NIC port, which can be further handled by a separate function. See ip_pipeline/config/network_layers.cfg as example:

[LINK0]
arp_q = 4

> Thanks
> Shyam

Regards,
Cristian
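Added illustration of the two suggestions in the reply (dropping through a SINK output port and steering ARP to its own RX queue), written as an ip_pipeline configuration fragment; it is not a file from the DPDK tree, and the core numbers, queue index 4 and the extra PASS-THROUGH pipeline are assumptions for this example.

```ini
; Added example, not DPDK's own firewall.cfg or network_layers.cfg.
; Core numbers, the ARP queue index and the ARP pipeline are assumed.

[PIPELINE0]
type = MASTER
core = 0

[LINK0]
; ARP frames are steered to RXQ0.4 (assumed index) instead of RXQ0.0,
; so the firewall's ipv4 rules never see them.
arp_q = 4

[PIPELINE1]
type = FIREWALL
core = 1
pktq_in = RXQ0.0 RXQ1.0
; The "port N" value of a firewall rule is the position in this list:
; 0 = TXQ0.0, 1 = TXQ1.0, 2 = SINK0. SINK0 discards everything sent to it,
; so a rule with "port 2" is a drop rule without any code change, e.g.
;   p 1 firewall add priority 1 ipv4 0.0.0.0 0 0.0.0.0 0 0 65535 0 65535 0 0 port 2
pktq_out = TXQ0.0 TXQ1.0 SINK0
n_rules = 4096
pkt_type = ipv4

[PIPELINE2]
; Placeholder consumer for the ARP queue (assumed): a real deployment
; would hand these packets to its own ARP handling instead of SINK1.
type = PASS-THROUGH
core = 1
pktq_in = RXQ0.4
pktq_out = SINK1
```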