Best option to process packet ACL

Ze Claudio Pastore zclaudio at bsd.com.br
Thu Apr 28 21:21:07 UTC 2016


2016-04-28 14:46 GMT-03:00 Jim Thompson <jim at netgate.com>:

>
> If your application is already using DPDK then:
>
> 1) it’s not “mostly bypassing the kernel”, it *is* bypassing the kernel.
>
> 2) ACLs are already a thing in DPDK:
> http://dpdk.org/doc/guides/prog_guide/packet_classif_access_ctrl.html
>
> 200Kpps is not a lot of load for even ‘pf’ on slow hardware.
>
> > On Apr 28, 2016, at 12:35 PM, Alan Somers <asomers at freebsd.org> wrote:
> >
> > Even if your application is not a traditional firewall, using pf or ipfw
> > would save much development time compared to writing your own packet
> > filter.  They can be configured to do things like redirect packets to
> > different ports.  You can use that to offload packet filtering from your
> > application to the firewall, and open multiple sockets in your
> > application to receive prefiltered packets.
> >
> > Of course, pf/ipfw can't be used in combination with DPDK, as you
> > discovered.  Doesn't DPDK provide access to each queue of a multiqueue
> > NIC?  If so, you can create multiple filtering threads, and associate
> > each thread to a single queue of your NIC.
> >
> > Good luck, you've got a lot of work ahead of you.
>

OK, again, it's not an L3/L4 ACL. I am looking into L3/L4 information, but
on a request basis, not per packet; depending on other previous criteria I
will then split the processing. I am running a proxy, so I am not looking to
replace my ACL needs with something else, only want to discuss how to better
process it. I have previous information from L7 affinity, headers, request,
which helps me split some load; now I happen to need to filter it. It's not
a firewall, it's much like a squid-based ACL need where you look for L3
info at a different moment. ipfw/pf won't do it for me; an ordinary firewall
fits somewhere else in the topology, not in this application.

Back on focus, I need to understand how to better split this load among
IDLE CPUs.
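As an added illustration of the per-worker split discussed in this thread (this is not code from the thread or from any of its participants, nor DPDK's or pf's API): a request-level L3/L4 ACL evaluated first-match with a default deny, plus a 4-tuple flow hash that assigns each request to one worker slot, so that in a real deployment each worker can sit pinned to one CPU or one NIC queue and keep its flow state lock-free. The rule set, the sample requests, the worker count and every helper name here are constructed for the example.

```c
/* Added example: request-level L3/L4 ACL sharded across worker slots by a
 * flow hash. All rules, addresses and requests below are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum action { ACL_DENY = 0, ACL_ALLOW = 1 };

struct acl_rule {
    uint32_t net;      /* IPv4 network, host byte order */
    uint8_t  plen;     /* prefix length; 0 matches any source */
    uint16_t port_lo;  /* inclusive destination-port range */
    uint16_t port_hi;
    enum action act;
};

struct request { uint32_t src, dst; uint16_t sport, dport; };

/* Constructed rule set, consulted in order (first match wins). */
#define DEMO_NRULES 3
static const struct acl_rule demo_rules[DEMO_NRULES] = {
    { 0x0A000000u,  8, 22, 22,    ACL_DENY  },  /* 10.0.0.0/8 to port 22: deny   */
    { 0x0A000000u,  8,  0, 65535, ACL_ALLOW },  /* 10.0.0.0/8 anything else: ok  */
    { 0xC0A80100u, 24, 80, 443,   ACL_ALLOW },  /* 192.168.1.0/24 to 80-443: ok  */
};

/* Constructed sample requests, as a proxy sees them after L7 parsing. */
#define DEMO_NREQS 5
static const struct request demo_reqs[DEMO_NREQS] = {
    { 0x0A000105u, 0xC0A80001u, 40001, 22   },  /* 10.0.1.5 -> :22, rule 0 denies   */
    { 0x0A000105u, 0xC0A80001u, 40002, 8080 },  /* 10.0.1.5 -> :8080, rule 1 allows */
    { 0xC0A80142u, 0xC0A80001u, 40003, 443  },  /* 192.168.1.66 -> :443, rule 2     */
    { 0xC0A80142u, 0xC0A80001u, 40004, 25   },  /* :25 outside 80-443, default deny */
    { 0xC0A80242u, 0xC0A80001u, 40005, 80   },  /* 192.168.2.66, no rule, deny      */
};

static int prefix_match(uint32_t addr, uint32_t net, uint8_t plen) {
    if (plen == 0) return 1;
    uint32_t mask = plen >= 32 ? 0xffffffffu : ~((1u << (32 - plen)) - 1u);
    return (addr & mask) == (net & mask);
}

/* First matching rule decides; anything unmatched is denied. */
enum action acl_lookup(const struct acl_rule *rules, size_t n,
                       uint32_t src, uint16_t dport) {
    for (size_t i = 0; i < n; i++)
        if (prefix_match(src, rules[i].net, rules[i].plen) &&
            dport >= rules[i].port_lo && dport <= rules[i].port_hi)
            return rules[i].act;
    return ACL_DENY;
}

/* FNV-1a over the 4-tuple: one flow always lands on the same worker, so
 * per-flow state is owned by exactly one CPU and needs no locking. */
unsigned flow_worker(uint32_t src, uint16_t sport, uint32_t dst, uint16_t dport,
                     unsigned nworkers) {
    uint8_t key[12];
    memcpy(key, &src, 4);      memcpy(key + 4, &dst, 4);
    memcpy(key + 8, &sport, 2); memcpy(key + 10, &dport, 2);
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < sizeof key; i++) { h ^= key[i]; h *= 16777619u; }
    return h % nworkers;
}

/* Push every sample request through the ACL on its hashed worker slot.
 * Returns how many were allowed; per_worker[i] receives the count of
 * requests that worker i would have handled. */
unsigned run_demo(unsigned nworkers, unsigned *per_worker) {
    unsigned allowed = 0;
    for (unsigned w = 0; w < nworkers; w++) per_worker[w] = 0;
    for (size_t i = 0; i < DEMO_NREQS; i++) {
        const struct request *r = &demo_reqs[i];
        unsigned w = flow_worker(r->src, r->sport, r->dst, r->dport, nworkers);
        per_worker[w]++;
        if (acl_lookup(demo_rules, DEMO_NRULES, r->src, r->dport) == ACL_ALLOW)
            allowed++;
    }
    return allowed;
}

int main(void) {
    unsigned per_worker[4];
    unsigned allowed = run_demo(4, per_worker);
    printf("allowed %u of %d requests\n", allowed, DEMO_NREQS);
    for (unsigned w = 0; w < 4; w++)
        printf("worker %u handled %u request(s)\n", w, per_worker[w]);
    return 0;
}
```

In a real proxy the worker index would select a queue that is pinned to a CPU (or, with a multiqueue NIC, is the queue RSS already chose), and the ACL lookup would run on that worker rather than on the thread that parsed the request; the hash keeps the two decisions consistent.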

