Best option to process packet ACL
Julian Elischer
julian at freebsd.org
Thu May 5 06:27:33 UTC 2016
On 29/04/2016 5:21 AM, Ze Claudio Pastore wrote:
> 2016-04-28 14:46 GMT-03:00 Jim Thompson <jim at netgate.com>:
>
>> If your application is already using DPDK then:
>>
>> 1) it’s not “mostly bypassing the kernel”, it *is* bypassing the kernel.
>>
>> 2) ACLs are already a thing in DPDK:
>> http://dpdk.org/doc/guides/prog_guide/packet_classif_access_ctrl.html
>>
>> 200Kpps is not a lot of load for even ‘pf’ on slow hardware.
>>
>>> On Apr 28, 2016, at 12:35 PM, Alan Somers <asomers at freebsd.org> wrote:
>>>
>>> Even if your application is not a traditional firewall, using pf or ipfw
>>> would save much development time compared to writing your own packet
>>> filter. They can be configured to do things like redirect packets to
>>> different ports. You can use that to offload packet filtering from your
>>> application to the firewall, and open multiple sockets in your
>> application
>>> to receive prefiltered packets.
>>>
>>> Of course, pf/ipfw can't be used in combination with DPDK, as you
>>> discovered. Doesn't DPDK provide access to each queue of a multiqueue
>>> NIC? If so, you can create multiple filtering threads, and associate
>> each
>>> thread to a single queue of your NIC.
>>>
>>> Good luck, you've got a lot of work ahead of you.
> OK, again, it's not a L3/L4 ACL. I am looking into L3/L4 information but on
> a request basis, not per packet; depending on other previous criteria I will
> then split the processing. I am running a proxy, so I am not looking to
> replace my ACL needs by something else, I only want to discuss how to better
> process it. I have previous information from L7 affinity, headers, request,
> which helps me split some load; now I happen to need to filter it. It's not
> a firewall, it's much like a squid-based ACL need where you look for L3
> info at a different moment. ipfw/pf won't do it for me; an ordinary firewall
> fits somewhere else in the topology, not in this application.
OK, so you have a bunch of options.
If DPDK works for you, have you looked at netmap?
If you are only interested in examining the first packet and then
passing everything to a proxy, then use ipfw fwd with a stateful rule.
Use a table with that rule if you have a number of filtering criteria.
Use multiple tables and multiple fwd destinations.
Since we don't know what the criteria are, or how many rules, it's hard to say.
You could feed everything into a netgraph module attached to your
interface and write special purpose code.
>
> back on focus, I need to understand how to better split this load among
> IDLE CPUs
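The ipfw "fwd with a stateful rule, one table per criterion, multiple fwd destinations" approach suggested in the reply above, written out as an added example that is not from the thread: a small sh script that generates the ruleset, so that only the first packet (the SYN) of each client flow is looked up in a table and every later packet of that flow is handled by check-state. The interface name (em0), the proxy ports (3128, 3129) and the client prefixes are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): generate an ipfw ruleset that
# classifies only the first packet of each flow against address tables
# and forwards each client group to its own local proxy port.
# Interface, ports and prefixes are constructed placeholders.

IFACE="${IFACE:-em0}"   # assumed ingress interface
RULE=200                # rule number counter for the fwd rules

# emit_group TABLE PORT PREFIX...: one table per criterion and one fwd
# rule per table, so adding a criterion is a single extra call.
emit_group() {
    table="$1"; port="$2"; shift 2
    for prefix in "$@"; do
        echo "table $table add $prefix"
    done
    # 'setup' limits the match to SYNs; 'keep-state' records the flow so
    # later packets are handled by check-state without a table lookup.
    echo "add $RULE fwd 127.0.0.1,$port tcp from table($table) to any 80,443 in via $IFACE setup keep-state"
    RULE=$((RULE + 10))
}

# Emit the whole ruleset; on FreeBSD, feed it to 'ipfw -q /dev/stdin'.
gen_rules() {
    RULE=200
    # Established flows short-circuit here; only the first packet goes on.
    echo "add 100 check-state"
    emit_group 1 3128 10.1.0.0/16 192.0.2.0/24
    emit_group 2 3129 10.2.0.0/16 198.51.100.0/24
    # Clients in no table fall through to the rest of the ruleset.
}

# Number of generated commands, used as a cheap sanity check.
count_rules() { gen_rules | wc -l | tr -d ' '; }
```

The generated commands assume the tables are empty (flush them before reapplying); adding a third criterion is one more emit_group line.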