- From: mc36
- Subject: Re: [rare-dev] new feature is approaching: stateful firewall....
- Date: Wed, 9 Feb 2022 06:37:45 +0100
hi,
here are some more fixes to the acl export and the poc for bmv2...
https://github.com/mc36/freeRouter/commit/c6c22bada52209759197736aaceed80ffe063878
after a quick check on the tofino code, it uses slightly different pre-tm
processing logic to gain stages, which needs reworking to be able to punt
from outacl (inacl is feasible with < 10 loc), but i badly want to have
something, so for now i abandon the multi-tbps firewall idea for a while
and i'll concentrate on the dpdk and the bmv2 stuff (i'll check back on it
later when i clearly see what needs to be changed in the bmv2 stuff) and
will progress to export the session table and use the freshly introduced
punt knob of ace to get the new ones... after a quick feasibility check, it
should be easy-peasy, but we'll see... :)
regards,
cs
On 2/8/22 11:45, mc36 wrote:
hi,
yesterday i had a nice chat with a guy and he asked the right questions and
then he allowed me to use him as a rubber-duck debugger,
so i got the idea: what if we introduce a new ace mode called 'punt' (while
keeping the existing deny/permit)...
then we'll have reflexive acls, and this punt functionality could later be
used (if programmed automatically) to do inspection...
then we can delay the programming of the inspect rules until we have seen the
tls.sni to do domain based filtering, if needed...
here is the proof-of-concept on dpdk, plus the export capability to
freerouter:
https://github.com/mc36/freeRouter/commit/8399d4e0c629b792f7e27f07945786ee6a4b90d5
and the fixes needed to pass the testcase for racl:
https://github.com/mc36/freeRouter/commit/71131ac28dff19289d8edbaebe3085e62175a2db
it's racl so it'll go to tcam (and be linearly searched in dpdk) but the
concept seems to work,
and the inspect sessions will be all exact matches, that is, they'll consume
sram (and binary search in dpdk) like the nat rules...
next steps will be the bmv2 and tofino codebase to have the 'punt'
functionality, then i'll proceed with the inspection....
until that, try to imagine the wedge as a stateful firewall... :))
regards,
cs
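The 'punt' ACE mode and the exact-match session table sketched in both messages above, as an added simulation (my own illustration, not freeRouter's, DPDK's or the P4 code's logic): a small Python model where the ACL is walked linearly (the TCAM/racl analogue) with permit/deny/punt actions, and a punted packet makes the control plane install exact 5-tuple entries for both directions of the flow (the SRAM/binary-search analogue), so the reverse traffic of an inside-initiated connection is admitted while unsolicited inbound packets still fall through to deny. The ACL entries, the packets and the choice to forward the punted packet itself after installing the session are all constructed assumptions for the demo.

```python
"""Reflexive ACL via a 'punt' action: added illustration, not project code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# (src, dst, proto, sport, dport): the exact-match key of the session table
FiveTuple = Tuple[str, str, str, int, int]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

    def key(self) -> FiveTuple:
        return (self.src, self.dst, self.proto, self.sport, self.dport)

    def reverse_key(self) -> FiveTuple:
        # the return direction of the same flow
        return (self.dst, self.src, self.proto, self.dport, self.sport)


@dataclass
class Ace:
    """One access-list entry: 'permit', 'deny', or the new 'punt' mode."""
    action: str
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


class ReflexiveFirewall:
    def __init__(self, acl: List[Ace]):
        self.acl = acl                      # linearly searched, like racl in tcam
        self.sessions: Dict[FiveTuple, str] = {}   # exact match, like nat rules
        self.stats = {"session": 0, "permit": 0, "deny": 0, "punt": 0}

    def _acl_lookup(self, p: Packet) -> str:
        for ace in self.acl:                # first match wins
            if ace.matches(p):
                return ace.action
        return "deny"                       # implicit deny at the end

    def _punt(self, p: Packet) -> None:
        # control plane: program exact entries for both directions of the flow
        self.sessions[p.key()] = "forward"
        self.sessions[p.reverse_key()] = "reverse"

    def process(self, p: Packet) -> str:
        # session table is consulted before the acl, so established flows
        # (including the reverse direction) never reach the linear search
        if p.key() in self.sessions:
            self.stats["session"] += 1
            return "session"
        action = self._acl_lookup(p)
        self.stats[action] += 1
        if action == "punt":
            self._punt(p)   # assumption: the punted packet itself is then let through
        return action

    def export_sessions(self) -> List[str]:
        # human-readable dump, in the spirit of "export the session table"
        return sorted(f"{k[2]} {k[0]}:{k[3]} -> {k[1]}:{k[4]} ({d})"
                      for k, d in self.sessions.items())


def demo() -> List[str]:
    """Constructed traffic: one inside-initiated TCP flow plus an unsolicited inbound SYN."""
    fw = ReflexiveFirewall([
        Ace("punt", src="10.0.0.0/8", proto="tcp"),   # inside -> anywhere: punt, learn session
        # everything else hits the implicit deny
    ])
    packets = [
        Packet("10.0.0.5", "203.0.113.7", "tcp", 40000, 443),    # outbound SYN
        Packet("203.0.113.7", "10.0.0.5", "tcp", 443, 40000),    # SYN/ACK back
        Packet("10.0.0.5", "203.0.113.7", "tcp", 40000, 443),    # outbound ACK
        Packet("198.51.100.9", "10.0.0.5", "tcp", 1234, 22),     # unsolicited inbound
    ]
    return [fw.process(p) for p in packets]


if __name__ == "__main__":
    print(demo())   # ['punt', 'session', 'session', 'deny']
```

Only the first packet of the flow pays for the linear ACL walk; once the control plane has punted it and installed the pair of exact entries, both directions are served from the session table, which is the property that makes the 'punt' mode a reflexive ACL.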