l3_forward_access_ctrl.rst revision 97f17497
1..  BSD LICENSE
2    Copyright(c) 2010-2014 Intel Corporation. All rights reserved.
3    All rights reserved.
4
5    Redistribution and use in source and binary forms, with or without
6    modification, are permitted provided that the following conditions
7    are met:
8
9    * Redistributions of source code must retain the above copyright
10    notice, this list of conditions and the following disclaimer.
11    * Redistributions in binary form must reproduce the above copyright
12    notice, this list of conditions and the following disclaimer in
13    the documentation and/or other materials provided with the
14    distribution.
15    * Neither the name of Intel Corporation nor the names of its
16    contributors may be used to endorse or promote products derived
17    from this software without specific prior written permission.
18
19    THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
20    "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
21    LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
22    A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
23    OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
24    SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
25    LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
26    DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
27    THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
28    (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
29    OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30
31L3 Forwarding with Access Control Sample Application
32====================================================
33
34The L3 Forwarding with Access Control application is a simple example of packet processing using the DPDK.
35The application performs a security check on received packets.
36Packets that are in the Access Control List (ACL), which is loaded during initialization, are dropped.
37Others are forwarded to the correct port.
38
39Overview
40--------
41
42The application demonstrates the use of the ACL library in the DPDK to implement access control
43and packet L3 forwarding.
44The application loads two types of rules at initialization:
45
46*   Route information rules, which are used for L3 forwarding
47
48*   Access Control List (ACL) rules that blacklist (or block) packets with a specific characteristic
49
50When packets are received from a port,
51the application extracts the necessary information from the TCP/IP header of the received packet and
52performs a lookup in the rule database to figure out whether the packets should be dropped (in the ACL range)
53or forwarded to desired ports.
54The initialization and run-time paths are similar to those of the :doc:`l3_forward`.
55However, there are significant differences in the two applications.
56For example, the original L3 forwarding application uses either LPM or
57an exact match algorithm to perform forwarding port lookup,
58while this application uses the ACL library to perform both ACL and route entry lookup.
59The following sections provide more detail.
60
61Classification for both IPv4 and IPv6 packets is supported in this application.
62The application also assumes that all the packets it processes are TCP/UDP packets and
63always extracts source/destination port information from the packets.
64
65Tuple Packet Syntax
66~~~~~~~~~~~~~~~~~~~
67
68The application implements packet classification for the IPv4/IPv6 5-tuple syntax specifically.
69The 5-tuple syntax consist of a source IP address, a destination IP address,
70a source port, a destination port and a protocol identifier.
71The fields in the 5-tuple syntax have the following formats:
72
73*   **Source IP address and destination IP address**
74    : Each is either a 32-bit field (for IPv4), or a set of 4 32-bit fields (for IPv6) represented by a value and a mask length.
75    For example, an IPv4 range of 192.168.1.0 to 192.168.1.255 could be represented by a value = [192, 168, 1, 0] and a mask length = 24.
76
77*   **Source port and destination port**
78    : Each is a 16-bit field, represented by a lower start and a higher end.
79    For example, a range of ports 0 to 8192 could be represented by lower = 0 and higher = 8192.
80
81*   **Protocol identifier**
82    : An 8-bit field, represented by a value and a mask, that covers a range of values.
83    To verify that a value is in the range, use the following expression: "(VAL & mask) == value"
84
85The trick in how to represent a range with a mask and value is as follows.
86A range can be enumerated in binary numbers with some bits that are never changed and some bits that are dynamically changed.
87Set those bits that dynamically changed in mask and value with 0.
88Set those bits that never changed in the mask with 1, in value with number expected.
89For example, a range of 6 to 7 is enumerated as 0b110 and 0b111.
90Bit 1-7 are bits never changed and bit 0 is the bit dynamically changed.
91Therefore, set bit 0 in mask and value with 0, set bits 1-7 in mask with 1, and bits 1-7 in value with number 0b11.
92So, mask is 0xfe, value is 0x6.
93
94.. note::
95
96    The library assumes that each field in the rule is in LSB or Little Endian order when creating the database.
97    It internally converts them to MSB or Big Endian order.
98    When performing a lookup, the library assumes the input is in MSB or Big Endian order.
99
100Access Rule Syntax
101~~~~~~~~~~~~~~~~~~
102
103In this sample application, each rule is a combination of the following:
104
105*   5-tuple field: This field has a format described in Section.
106
107*   priority field: A weight to measure the priority of the rules.
108    The rule with the higher priority will ALWAYS be returned if the specific input has multiple matches in the rule database.
109    Rules with lower priority will NEVER be returned in any cases.
110
111*   userdata field: A user-defined field that could be any value.
112    It can be the forwarding port number if the rule is a route table entry or it can be a pointer to a mapping address
113    if the rule is used for address mapping in the NAT application.
114    The key point is that it is a useful reserved field for user convenience.
115
116ACL and Route Rules
117~~~~~~~~~~~~~~~~~~~
118
119The application needs to acquire ACL and route rules before it runs.
120Route rules are mandatory, while ACL rules are optional.
121To simplify the complexity of the priority field for each rule, all ACL and route entries are assumed to be in the same file.
122To read data from the specified file successfully, the application assumes the following:
123
124*   Each rule occupies a single line.
125
126*   Only the following four rule line types are valid in this application:
127
128*   ACL rule line, which starts with a leading character '@'
129
130*   Route rule line, which starts with a leading character 'R'
131
132*   Comment line, which starts with a leading character '#'
133
134*   Empty line, which consists of a space, form-feed ('\f'), newline ('\n'),
135    carriage return ('\r'), horizontal tab ('\t'), or vertical tab ('\v').
136
137Other lines types are considered invalid.
138
139*   Rules are organized in descending order of priority,
140    which means rules at the head of the file always have a higher priority than those further down in the file.
141
142*   A typical IPv4 ACL rule line should have a format as shown below:
143
144
145.. _figure_ipv4_acl_rule:
146
147.. figure:: img/ipv4_acl_rule.*
148
149   A typical IPv4 ACL rule
150
151
152IPv4 addresses are specified in CIDR format as specified in RFC 4632.
153They consist of the dot notation for the address and a prefix length separated by '/'.
154For example, 192.168.0.34/32, where the address is 192.168.0.34 and the prefix length is 32.
155
156Ports are specified as a range of 16-bit numbers in the format MIN:MAX,
157where MIN and MAX are the inclusive minimum and maximum values of the range.
158The range 0:65535 represents all possible ports in a range.
159When MIN and MAX are the same value, a single port is represented, for example, 20:20.
160
161The protocol identifier is an 8-bit value and a mask separated by '/'.
162For example: 6/0xfe matches protocol values 6 and 7.
163
164*   Route rules start with a leading character 'R' and have the same format as ACL rules except an extra field at the tail
165    that indicates the forwarding port number.
166
167Rules File Example
168~~~~~~~~~~~~~~~~~~
169
170.. _figure_example_rules:
171
172.. figure:: img/example_rules.*
173
174   Rules example
175
176
177Each rule is explained as follows:
178
179*   Rule 1 (the first line) tells the application to drop those packets with source IP address = [1.2.3.*],
180    destination IP address = [192.168.0.36], protocol = [6]/[7]
181
182*   Rule 2 (the second line) is similar to Rule 1, except the source IP address is ignored.
183    It tells the application to forward packets with destination IP address = [192.168.0.36],
184    protocol = [6]/[7], destined to port 1.
185
186*   Rule 3 (the third line) tells the application to forward all packets to port 0.
187    This is something like a default route entry.
188
189As described earlier, the application assume rules are listed in descending order of priority,
190therefore Rule 1 has the highest priority, then Rule 2, and finally,
191Rule 3 has the lowest priority.
192
193Consider the arrival of the following three packets:
194
195*   Packet 1 has source IP address = [1.2.3.4], destination IP address = [192.168.0.36], and protocol = [6]
196
197*   Packet 2 has source IP address = [1.2.4.4], destination IP address = [192.168.0.36], and protocol = [6]
198
199*   Packet 3 has source IP address = [1.2.3.4], destination IP address = [192.168.0.36], and protocol = [8]
200
201Observe that:
202
203*   Packet 1 matches all of the rules
204
205*   Packet 2 matches Rule 2 and Rule 3
206
207*   Packet 3 only matches Rule 3
208
209For priority reasons, Packet 1 matches Rule 1 and is dropped.
210Packet 2 matches Rule 2 and is forwarded to port 1.
211Packet 3 matches Rule 3 and is forwarded to port 0.
212
213For more details on the rule file format,
214please refer to rule_ipv4.db and rule_ipv6.db files (inside <RTE_SDK>/examples/l3fwd-acl/).
215
216Application Phases
217~~~~~~~~~~~~~~~~~~
218
219Once the application starts, it transitions through three phases:
220
221*   **Initialization Phase**
222    - Perform the following tasks:
223
224*   Parse command parameters. Check the validity of rule file(s) name(s), number of logical cores, receive and transmit queues.
225    Bind ports, queues and logical cores. Check ACL search options, and so on.
226
227*   Call Environmental Abstraction Layer (EAL) and Poll Mode Driver (PMD) functions to initialize the environment and detect possible NICs.
228    The EAL creates several threads and sets affinity to a specific hardware thread CPU based on the configuration specified
229    by the command line arguments.
230
231*   Read the rule files and format the rules into the representation that the ACL library can recognize.
232    Call the ACL library function to add the rules into the database and compile them as a trie of pattern sets.
233    Note that application maintains a separate AC contexts for IPv4 and IPv6 rules.
234
235*   **Runtime Phase**
236    - Process the incoming packets from a port. Packets are processed in three steps:
237
238    *   Retrieval: Gets a packet from the receive queue. Each logical core may process several queues for different ports.
239        This depends on the configuration specified by command line arguments.
240
241    *   Lookup: Checks that the packet type is supported (IPv4/IPv6) and performs a 5-tuple lookup over corresponding AC context.
242        If an ACL rule is matched, the packets will be dropped and return back to step 1.
243        If a route rule is matched, it indicates the packet is not in the ACL list and should be forwarded.
244        If there is no matches for the packet, then the packet is dropped.
245
246    *   Forwarding: Forwards the packet to the corresponding port.
247
248*   **Final Phase** - Perform the following tasks:
249
250    Calls the EAL, PMD driver and ACL library to free resource, then quits.
251
252Compiling the Application
253-------------------------
254
255To compile the application:
256
257#.  Go to the sample application directory:
258
259    ..  code-block:: console
260
261        export RTE_SDK=/path/to/rte_sdk
262        cd ${RTE_SDK}/examples/l3fwd-acl
263
264#.  Set the target (a default target is used if not specified). For example:
265
266    ..  code-block:: console
267
268        export RTE_TARGET=x86_64-native-linuxapp-gcc
269
270    See the *DPDK IPL Getting Started Guide* for possible RTE_TARGET values.
271
272#.  Build the application:
273
274    ..  code-block:: console
275
276        make
277
278Running the Application
279-----------------------
280
281The application has a number of command line options:
282
283..  code-block:: console
284
285    ./build/l3fwd-acl [EAL options] -- -p PORTMASK [-P] --config(port,queue,lcore)[,(port,queue,lcore)] --rule_ipv4 FILENAME rule_ipv6 FILENAME [--scalar] [--enable-jumbo [--max-pkt-len PKTLEN]] [--no-numa]
286
287
288where,
289
290*   -p PORTMASK: Hexadecimal bitmask of ports to configure
291
292*   -P: Sets all ports to promiscuous mode so that packets are accepted regardless of the packet's Ethernet MAC destination address.
293    Without this option, only packets with the Ethernet MAC destination address set to the Ethernet address of the port are accepted.
294
295*   --config (port,queue,lcore)[,(port,queue,lcore)]: determines which queues from which ports are mapped to which cores
296
297*   --rule_ipv4 FILENAME: Specifies the IPv4 ACL and route rules file
298
299*   --rule_ipv6 FILENAME: Specifies the IPv6 ACL and route rules file
300
301*   --scalar: Use a scalar function to perform rule lookup
302
303*   --enable-jumbo: optional, enables jumbo frames
304
305*   --max-pkt-len: optional, maximum packet length in decimal (64-9600)
306
307*   --no-numa: optional, disables numa awareness
308
309As an example, consider a dual processor socket platform where cores 0, 2, 4, 6, 8 and 10 appear on socket 0,
310while cores 1, 3, 5, 7, 9 and 11 appear on socket 1.
311Let's say that the user wants to use memory from both NUMA nodes,
312the platform has only two ports and the user wants to use two cores from each processor socket to do the packet processing.
313
314To enable L3 forwarding between two ports, using two cores from each processor,
315while also taking advantage of local memory access by optimizing around NUMA,
316the user must enable two queues from each port,
317pin to the appropriate cores and allocate memory from the appropriate NUMA node.
318This is achieved using the following command:
319
320..  code-block:: console
321
322    ./build/l3fwd-acl -c f -n 4 -- -p 0x3 --config="(0,0,0),(0,1,2),(1,0,1),(1,1,3)" --rule_ipv4="./rule_ipv4.db" -- rule_ipv6="./rule_ipv6.db" --scalar
323
324In this command:
325
326*   The -c option enables cores 0, 1, 2, 3
327
328*   The -p option enables ports 0 and 1
329
330*   The --config option enables two queues on each port and maps each (port,queue) pair to a specific core.
331    Logic to enable multiple RX queues using RSS and to allocate memory from the correct NUMA nodes is included in the application
332    and is done transparently.
333    The following table shows the mapping in this example:
334
335    +----------+------------+-----------+------------------------------------------------+
336    | **Port** | **Queue**  | **lcore** |            **Description**                     |
337    |          |            |           |                                                |
338    +==========+============+===========+================================================+
339    | 0        | 0          | 0         | Map queue 0 from port 0 to lcore 0.            |
340    |          |            |           |                                                |
341    +----------+------------+-----------+------------------------------------------------+
342    | 0        | 1          | 2         | Map queue 1 from port 0 to lcore 2.            |
343    |          |            |           |                                                |
344    +----------+------------+-----------+------------------------------------------------+
345    | 1        | 0          | 1         | Map queue 0 from port 1 to lcore 1.            |
346    |          |            |           |                                                |
347    +----------+------------+-----------+------------------------------------------------+
348    | 1        | 1          | 3         | Map queue 1 from port 1 to lcore 3.            |
349    |          |            |           |                                                |
350    +----------+------------+-----------+------------------------------------------------+
351
352*   The --rule_ipv4 option specifies the reading of IPv4 rules sets from the ./ rule_ipv4.db file.
353
354*   The --rule_ipv6 option specifies the reading of IPv6 rules sets from the ./ rule_ipv6.db file.
355
356*   The --scalar option specifies the performing of rule lookup with a scalar function.
357
358Explanation
359-----------
360
361The following sections provide some explanation of the sample application code.
362The aspects of port, device and CPU configuration are similar to those of the :doc:`l3_forward`.
363The following sections describe aspects that are specific to L3 forwarding with access control.
364
365Parse Rules from File
366~~~~~~~~~~~~~~~~~~~~~
367
368As described earlier, both ACL and route rules are assumed to be saved in the same file.
369The application parses the rules from the file and adds them to the database by calling the ACL library function.
370It ignores empty and comment lines, and parses and validates the rules it reads.
371If errors are detected, the application exits with messages to identify the errors encountered.
372
373The application needs to consider the userdata and priority fields.
374The ACL rules save the index to the specific rules in the userdata field,
375while route rules save the forwarding port number.
376In order to differentiate the two types of rules, ACL rules add a signature in the userdata field.
377As for the priority field, the application assumes rules are organized in descending order of priority.
378Therefore, the code only decreases the priority number with each rule it parses.
379
380Setting Up the ACL Context
381~~~~~~~~~~~~~~~~~~~~~~~~~~
382
383For each supported AC rule format (IPv4 5-tuple, IPv6 6-tuple) application creates a separate context handler
384from the ACL library for each CPU socket on the board and adds parsed rules into that context.
385
386Note, that for each supported rule type,
387application needs to calculate the expected offset of the fields from the start of the packet.
388That's why only packets with fixed IPv4/ IPv6 header are supported.
389That allows to perform ACL classify straight over incoming packet buffer -
390no extra protocol field retrieval need to be performed.
391
392Subsequently, the application checks whether NUMA is enabled.
393If it is, the application records the socket IDs of the CPU cores involved in the task.
394
395Finally, the application creates contexts handler from the ACL library,
396adds rules parsed from the file into the database and build an ACL trie.
397It is important to note that the application creates an independent copy of each database for each socket CPU
398involved in the task to reduce the time for remote memory access.
399