RARE user and assistance email list

[mc36 <>]

hi,
it was a bigger change to have everything in place but fortunately the 
forwarder part
only got a very small amount, and at an already protected place so if not 
activated,
this feature does not consume cpu... :)
https://github.com/mc36/freeRouter/commit/09cecfd74af9298adc6cbefafc70b30d380b7a5f
next steps will be to cover it with tests and then bmv2 and finally tofino 
dataplanes....
regards,
cs


On 2/9/22 06:37, mc36 wrote:
> hi,
> here are some more fixes to the acl export and the poc for bmv2...
> https://github.com/mc36/freeRouter/commit/c6c22bada52209759197736aaceed80ffe063878
> after a quick check on the tofino code, it uses a bit different pre-tm 
> processing
> logic to gain stages which needs reworking to be able to punt from outacl
> (inacl is feasible with < 10 loc), but i badly want to have something,
> so for now, i abandon the multi-tbps firewall idea for a while and i'll
> concentrate on the dpdk and the bmv2 stuff (i'll check back for it later
> when i clearly see what need to be changed in the bmv2 stuff) and will
> progress to export the session table and use the freshly introduced punt
> knob of ace to get the new ones... after a quick feasibility check, it
> should be easy-peasy, but we'll see... :)
> regards,
> cs
>
>
> On 2/8/22 11:45, mc36 wrote:
> > hi,
> > yesterday i had a nice chat with a guy and he asked the right questions and 
> > then he allowed to use him as rubber-duck-debugger,
> > so i got the idea, what if we introduce a new ace mode called 'punt' (while 
> > keeping the existing deny/permit)...
> > then we'll have reflexive acls, but this punt functionality, later could be 
> > used (if programmed automatically) to do inspection...
> > then, we can delay the programming of the inspect rules until we saw the 
> > tlc.sni to do domain based filtering, if needed...
> > here is the proof-of-concept on dpdk, plus the export capability to 
> > freerouter:
> > https://github.com/mc36/freeRouter/commit/8399d4e0c629b792f7e27f07945786ee6a4b90d5
> > and the fixes needed to pass the testcase for racl:
> > https://github.com/mc36/freeRouter/commit/71131ac28dff19289d8edbaebe3085e62175a2db
> > it's racl so it'll go to tcam (and linearly searched in dpdk) but the concept 
> > seems to work,
> > and the inspect sessions will be all-exact matches, that is, they'll consume 
> > sram (and binary search in dpdk) like the nat rules...
> > next steps will be the bmv2 and tofino codebase to have the 'punt' 
> > functionality, then i'll proceed with the inspection....
> > until that, try to imagine the wedge as a stateful firewall... :))
> > regards,
> > cs