Re: [RARE-users] [rare-dev] new feature is approaching: stateful firewall....


  • From: Frédéric LOUI <>
  • Subject: Re: [RARE-users] [rare-dev] new feature is approaching: stateful firewall....
  • Date: Thu, 10 Feb 2022 10:54:30 +0100

Please adjust the capa & sub-capability list if any :)

If you are also reworking the global ig_ctl.p4 and subsequent messages, feel free
to add a safeguard in order to prevent useless entry programming in case of an
unsupported feature.

Features should be automatically added to the object without explicit property
creation:
https://bitbucket.software.geant.org/projects/RARE/repos/rare/browse/bfrt_python/rare/bf_forwarder/__init__.py#268

Thanks & good luck!
Excited about these FW features :)

I'd gladly imagine a T32D with one pipe handling the routing function and another
pipe handling the FW function, all within a Nix profile!


> On 10 Feb 2022 at 10:21, mc36 <> wrote:
>
> hi,
> with this smaller change,
> https://github.com/mc36/freeRouter/commit/dddffab433a17491802daf818308b7fbc8ea0e30
> the bmv2 p4 dataplane got the firewall feature, and just passed all the tests
> (including the new ones for inspection). tofino will be a bigger piece of hack
> because i'll have to rework the whole ig_ctrl a bit...
> regards,
> cs
>
>
> On 2/9/22 20:44, mc36 wrote:
>> hi,
>> it was a bigger change to have everything in place, but fortunately the
>> forwarder part only got a very small amount, and at an already protected
>> place, so if not activated, this feature does not consume cpu... :)
>> https://github.com/mc36/freeRouter/commit/09cecfd74af9298adc6cbefafc70b30d380b7a5f
>> next steps will be to cover it with tests and then the bmv2 and finally
>> tofino dataplanes....
>> regards,
>> cs
>> On 2/9/22 06:37, mc36 wrote:
>>> hi,
>>> here are some more fixes to the acl export and the poc for bmv2...
>>> https://github.com/mc36/freeRouter/commit/c6c22bada52209759197736aaceed80ffe063878
>>> after a quick check on the tofino code, it uses a bit different pre-tm
>>> processing logic to gain stages, which needs reworking to be able to punt
>>> from outacl (inacl is feasible with < 10 loc), but i badly want to have
>>> something, so for now i abandon the multi-tbps firewall idea for a while
>>> and i'll concentrate on the dpdk and the bmv2 stuff (i'll check back for it
>>> later when i clearly see what needs to be changed in the bmv2 stuff) and
>>> will progress to export the session table and use the freshly introduced
>>> punt knob of ace to get the new ones... after a quick feasibility check,
>>> it should be easy-peasy, but we'll see... :)
>>> regards,
>>> cs
>>>
>>>
>>> On 2/8/22 11:45, mc36 wrote:
>>>> hi,
>>>> yesterday i had a nice chat with a guy and he asked the right questions
>>>> and then he allowed me to use him as a rubber-duck debugger,
>>>> so i got the idea: what if we introduce a new ace mode called 'punt'
>>>> (while keeping the existing deny/permit)...
>>>> then we'll have reflexive acls, but this punt functionality could later
>>>> be used (if programmed automatically) to do inspection...
>>>> then we can delay the programming of the inspect rules until we have seen
>>>> the tls.sni to do domain based filtering, if needed...
>>>> here is the proof-of-concept on dpdk, plus the export capability to
>>>> freerouter:
>>>> https://github.com/mc36/freeRouter/commit/8399d4e0c629b792f7e27f07945786ee6a4b90d5
>>>> and the fixes needed to pass the testcase for racl:
>>>> https://github.com/mc36/freeRouter/commit/71131ac28dff19289d8edbaebe3085e62175a2db
>>>> it's racl so it'll go to tcam (and be linearly searched in dpdk) but the
>>>> concept seems to work,
>>>> and the inspect sessions will be all exact matches, that is, they'll
>>>> consume sram (and binary search in dpdk) like the nat rules...
>>>> next steps will be the bmv2 and tofino codebases to have the 'punt'
>>>> functionality, then i'll proceed with the inspection....
>>>> until then, try to imagine the wedge as a stateful firewall... :))
>>>> regards,
>>>> cs
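The 'punt' ace mode and reflexive session idea mc36 sketches in the quoted messages, as an added Python toy model (not freeRouter's code; the class names, the 5-tuple simplification and the 192.0.2.x / 198.51.100.x addresses are all constructed). A punt hit on the first packet installs the flow and its reverse twin as exact-match session entries, which are consulted before the linearly searched acl, so return traffic is admitted without a permit ace for it.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Flow:
    """5-tuple key; frozen so it can be an exact-match table key."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)

@dataclass
class Ace:
    """One access-list entry; None fields are wildcards (racl-style, searched linearly)."""
    action: str  # "permit", "deny" or the new "punt"
    proto: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        return all(v is None or v == getattr(f, k)
                   for k, v in (("proto", self.proto), ("src", self.src),
                                ("dst", self.dst), ("dport", self.dport)))

class StatefulAcl:
    def __init__(self, aces: List[Ace]):
        self.aces = aces
        # exact-match session table (forward and reflexive reverse flows)
        self.sessions: Dict[Flow, str] = {}

    def process(self, f: Flow) -> str:
        # 1. established sessions are checked first; all exact matches
        if f in self.sessions:
            return "session"
        # 2. otherwise fall through the ordered acl; implicit deny at the end
        for ace in self.aces:
            if ace.matches(f):
                if ace.action == "punt":
                    # punt: first packet goes to the control plane, which
                    # programs the flow and its reflexive twin as exact entries
                    self.sessions[f] = "permit"
                    self.sessions[f.reverse()] = "permit"
                return ace.action
        return "deny"
```

Unsolicited inbound packets fall through to the implicit deny, while the reverse direction of a punted flow is admitted from the session table; inspection would hook in where the punted packet is handed to the control plane.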
