Date: Fri, 6 May 2016 20:49:21 -0300 From: Ze Claudio Pastore <zclaudio@bsd.com.br> To: Julian Elischer <julian@freebsd.org> Cc: Alan Somers <asomers@freebsd.org>, "freebsd-hackers@freebsd.org" <freebsd-hackers@freebsd.org> Subject: Re: Best option to process packet ACL Message-ID: <CAEGk6G7E8%2BbUPwV9oA=L6FsqYCGTfjM70YYy7TcpEOd8PzByTA@mail.gmail.com> In-Reply-To: <c7dabddd-7989-780e-7107-a7b8cfbf5639@freebsd.org> References: <CAEGk6G4aMU_qxDMb3tBqyLNmUNqd3%2BRjDRZ29wMx7pK_w=kkJg@mail.gmail.com> <CAOtMX2h8tRtGeTLageLWiiXAi-Ap4Q8jqWFD2uiCtF1uCzSmOA@mail.gmail.com> <CAEGk6G6uy0n8VEY1qtH8x%2B%2Bh7523YYyWLwNwrMq4O36s33o0-g@mail.gmail.com> <CAOtMX2iKF2aaWF_PQESewMUFW4q=s3KC%2BJCEX7eakN3GKJ%2BEog@mail.gmail.com> <D638A558-15C0-4834-868C-D0912F225444@netgate.com> <CAEGk6G5vRK-OGV5xXVC%2BLKcC1aZJfS6d-QL_eB-CVSXoPOvEpg@mail.gmail.com> <c7dabddd-7989-780e-7107-a7b8cfbf5639@freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
2016-05-05 3:27 GMT-03:00 Julian Elischer <julian@freebsd.org>: > On 29/04/2016 5:21 AM, Ze Claudio Pastore wrote: > >> 2016-04-28 14:46 GMT-03:00 Jim Thompson <jim@netgate.com>: >> >> If your application is already using DPDK then: >>> >>> 1) it=E2=80=99s not =E2=80=9Cmostly bypassing the kernel=E2=80=9D, it *= is* bypassing the kernel. >>> >>> 2) ACLs are already a thing in DPDK: >>> http://dpdk.org/doc/guides/prog_guide/packet_classif_access_ctrl.html >>> >>> 200Kpps is not a lot of load for even =E2=80=98pf=E2=80=99 on slow hard= ware. >>> >>> On Apr 28, 2016, at 12:35 PM, Alan Somers <asomers@freebsd.org> wrote: >>>> >>>> Even if your application is not a traditional firewall, using pf or ip= fw >>>> would save much development time compared to writing your own packet >>>> filter. They can be configured to do things like redirect packets to >>>> different ports. You can use that to offload packet filtering from yo= ur >>>> application to the firewall, and open multiple sockets in your >>>> >>> application >>> >>>> to receive prefiltered packets. >>>> >>>> Of course, pf/ipfw can't be used in combination with DPDK, as you >>>> discovered. Doesn't DPDK provide access to each queue of a multiqueue >>>> NIC? If so, you can create multiple filtering threads, and associate >>>> >>> each >>> >>>> thread to a single queue of your NIC. >>>> >>>> Good luck, you've got a lot of work ahead of you. >>>> >>> ok, again, it's not a L3/L4 ACL, I am looking into L3/L4 information bu= t >> on >> a request basis not per packet, depending on other previous criteria I >> will >> them split the processing, I am running a proxy so I am not looking to >> replace my ACL needs by something else, only want to discuss how to bett= er >> process it, I have previous information from L7 affinity, headers, reque= st >> which helps me split some load, now I happen to need to filter it, it's >> not >> a firewall, it's much like a squid based ACL need where you look for L3 >> info on a different moment, ipfw/pf won't do it for me, ordinary firewal= l >> fits somethwere else in the topology not in this application. >> > ok so you have a bunch of options. > If DPDK works for you, have you looked at netmap? > > If you are only interested in examining the first packet and then passing > everything to a proxy, then use ipfw fwd, with a stateful rule. > use a table with that rule if you have a number of filtering criteria. > use multiple table and multiple fwd destinations. > since we don't know what criteria, for how many rules it's hard to say.. > > > you could feed everything into a netgraph module attached to your > interface and write special purpose code. hello mr elischer I was generally looking to discuss the best generic approach to test the acl match criterias taking best benefit on more CPUs as I mentioned I am looking for tipical L3 information but on a L7 payload, per request before I apply other application based criterias like headers, x-forwarded-for, etc, I know it looks like I need a firewall but it's in a different moment, a different application, that's why I'm interested on a discussion on how to best match ACL criterias and how to share the load among cpus denis suggested some stuff I am trying and measuring the performance benefits vs workload added, i'm still working on some numbers i'll share later i already have a typical networking firewall with ipfw in front of the environment, in a different box, but know i really need to match acls based on application needs not simple/plain network needs anymore, pretty much like a squid L3 based acl, but squid does not bring multithreaded suggestions for acl, I found several discussions on how people use external acl hooks to benefit performance so no good code examples there too i think if we keep the conversation in the usual firewall subject, my question would be what if I wanted ipfw to be multithreaded, how to do this? is the current approach the best one? does ipfw/pf/iptables works like mr denis mentioned it looks like, based on interrupt on multithreaded network drivers? say, like, if I run a monothreaded network NIC like rl(4) or vr(4) no matter if I have 1 or 36 CPUs, kernel based firewall will only benefit from 1, that's correct? what if I wanted to make it multithreaded, would I thread batches of rules? thread per packet? thread per match criteria? thread somehow else? not to thread? thread by other criteria? that is the discussion i tried to promote :)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAEGk6G7E8%2BbUPwV9oA=L6FsqYCGTfjM70YYy7TcpEOd8PzByTA>