rare-users - Re: [RARE-users] new feature is approaching: stateful firewall....

Subject: RARE user and assistance email list

  • From: Frédéric LOUI <>
  • To:
  • Cc: "" <>, "" <>
  • Subject: Re: [RARE-users] new feature is approaching: stateful firewall....
  • Date: Tue, 8 Feb 2022 11:57:31 +0100

Nice !

> try to imagine the wedge as a stateful firewall
Starting to chase into Palo Alto realm …

At the price of 100GE FW port processing (does it even exist?) I presume
that WEDGE can be an interesting candidate.
Granted the fact that P4 FW profile can provide enough resources.


> On 8 Feb 2022, at 11:45, mc36 <> wrote:
>
> hi,
> yesterday i had a nice chat with a guy and he asked the right questions and
> then he allowed me to use him as a rubber-duck-debugger,
> so i got the idea, what if we introduce a new ace mode called 'punt' (while
> keeping the existing deny/permit)...
> then we'll have reflexive acls, but this punt functionality, later could be
> used (if programmed automatically) to do inspection...
> then, we can delay the programming of the inspect rules until we saw the
> tls.sni to do domain based filtering, if needed...
> here is the proof-of-concept on dpdk, plus the export capability to
> freerouter:
> https://github.com/mc36/freeRouter/commit/8399d4e0c629b792f7e27f07945786ee6a4b90d5
> and the fixes needed to pass the testcase for racl:
> https://github.com/mc36/freeRouter/commit/71131ac28dff19289d8edbaebe3085e62175a2db
> it's racl so it'll go to tcam (and linearly searched in dpdk) but the
> concept seems to work,
> and the inspect sessions will be all-exact matches, that is, they'll
> consume sram (and binary search in dpdk) like the nat rules...
> next steps will be the bmv2 and tofino codebase to have the 'punt'
> functionality, then i'll proceed with the inspection....
> until that, try to imagine the wedge as a stateful firewall... :))
> regards,
> cs
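
The punt flow described in the quoted message, as an added example that is not part of the original thread and is not freeRouter code: an ordered ACL with permit/deny/punt entries is searched linearly (as TCAM-style rules are in dpdk), and a punt hit hands the packet to a control-plane step that installs exact-match sessions for both directions. All names are hypothetical, the addresses are constructed, and it is an assumption of this sketch that a punted packet is always accepted.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

Pkt = namedtuple("Pkt", "proto src sport dst dport")
Ace = namedtuple("Ace", "action proto src_net dst_net dport")  # dport None = any

def reverse(p):
    """5-tuple of the return direction of flow p."""
    return Pkt(p.proto, p.dst, p.dport, p.src, p.sport)

class Dataplane:
    def __init__(self, acl):
        self.acl = acl          # ordered ACEs, first match wins (TCAM-like)
        self.sessions = set()   # exact 5-tuples (SRAM-like, hashed lookup)
        self.punted = []        # packets that reached the control plane

    def acl_lookup(self, p):
        for ace in self.acl:    # linear search, as for racl in dpdk
            if (ace.proto == p.proto
                    and ip_address(p.src) in ip_network(ace.src_net)
                    and ip_address(p.dst) in ip_network(ace.dst_net)
                    and ace.dport in (None, p.dport)):
                return ace.action
        return "deny"           # implicit deny at the end of the list

    def forward(self, p):
        if p in self.sessions:  # established flow: exact match, ACL not consulted
            return "permit"
        action = self.acl_lookup(p)
        if action == "punt":
            # Assumption: the control plane accepts the flow and programs
            # exact-match entries for both directions.
            self.punted.append(p)
            self.sessions.update({p, reverse(p)})
            return "permit"
        return action

def demo():
    # Constructed policy: inside hosts may open TCP/443, everything else is denied.
    acl = [Ace("punt", "tcp", "10.0.0.0/8", "0.0.0.0/0", 443),
           Ace("deny", "tcp", "0.0.0.0/0", "0.0.0.0/0", None)]
    dp = Dataplane(acl)
    out = Pkt("tcp", "10.1.1.5", 40000, "192.0.2.10", 443)
    unsolicited = Pkt("tcp", "192.0.2.10", 443, "10.1.1.5", 40001)
    verdicts = [dp.forward(unsolicited), dp.forward(out),
                dp.forward(reverse(out)), dp.forward(out),
                dp.forward(unsolicited)]
    return verdicts, len(dp.punted)
```

Only the first packet of the flow is punted; the reply and later packets hit the session table, while return traffic on a different port pair still falls through to the deny entry.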



