Date:      Wed, 25 Jul 2012 20:41:04 +0200
From:      Luigi Rizzo <rizzo@iet.unipi.it>
To:        net@freebsd.org
Cc:        ipfw@freebsd.org
Subject:   PREVIEW - netmap-enabled ipfw
Message-ID:  <20120725184104.GA35621@onelab2.iet.unipi.it>

First and foremost: this is just a preview, only usable for testing now,
but very very close to working.

	http://info.iet.unipi.it/~luigi/netmap/20120725-ipfw-user.tgz

At the above URL you can find a userspace version of ipfw that reads
packets from a netmap-compatible port (i.e. a netmap-supported interface,
or a port on a VALE bridge), and processes them through ipfw.
It builds and runs on both Linux and FreeBSD, and uses the ipfw sources
from today's HEAD.

Right now the output is thrown away, but very shortly the code will
also send it to an output port.

The way it works is very simple (see also the picture below,
drawn with http://www.asciiflow.com/ )

The formerly-kernel-side part of the firewall now runs in a userspace
process (kipfw) and is controlled by a slightly modified ipfw that
routes the sockopt commands over TCP to localhost:5555 (hardwired).
kipfw stores rules persistently, and also reads from a netmap port.

The configuration below shows how to use pkt-gen to test the performance
of the system: you need to load the VALE-enabled netmap module,
then in one terminal run "kipfw vale-test",
in another terminal use the ipfw that you just built to
add/delete/show stuff, and you can use netmap's pkt-gen to
generate traffic.

                                                  +------------+
                                                  |            |
    +----------+          +----------------+      |            |
    |          | tcp/5555 |                |      |  pkt-gen   |
    | ipfw     +--------->|   kipfw        |      |            |
    |          |          |                |      |            |
    +----------+          +----------------+      +-----+------+
                                    ^                   |
                                    |                   |
                                    |                   |
                                    |                   v
                            +-------+--------------------------+
                            |                                  |
                            |         VALE bridge              |
                            |                                  |
                            +----------------------------------+

A quick test with a simple ruleset (4 rules, see below) shows a processing
speed of 9-10Mpps on one core. I think there is still room for a little
bit of improvement. Especially, we can now test the performance
impact of changes to the firewall code without the need for
complex hardware setups.


	> ipfw/ipfw show
	connected to 127.0.0.1:5555
	00100 30628621 1408916566 count ip from any to any dst-ip 10.1.0.1
	00100        0          0 count ip from any to any dst-ip 10.1.0.2
	00100        0          0 count ip from any to any dst-ip 10.1.0.3
	65535 30628621 1408916566 allow ip from any to any

cheers
luigi
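Added example, not part of Luigi's mail or of the ipfw/netmap code: a small Python parser for the `ipfw show` listing above that checks the counter snapshot from a pkt-gen run. Since `count` is non-terminal, every packet a `count` rule sees also reaches the final `allow` rule, so the final rule's packet counter must be at least as large as any `count` rule's; the mean IP length per rule (bytes/pkts) is derived as well. The sample text is copied from the mail.

```python
import re

# Constructed sample: the 'ipfw show' listing from the mail, including the
# "connected to" banner the modified ipfw prints when it reaches kipfw.
SAMPLE = """\
connected to 127.0.0.1:5555
00100 30628621 1408916566 count ip from any to any dst-ip 10.1.0.1
00100        0          0 count ip from any to any dst-ip 10.1.0.2
00100        0          0 count ip from any to any dst-ip 10.1.0.3
65535 30628621 1408916566 allow ip from any to any
"""

# rule number, packet counter, byte counter, action, rest of the rule body
RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.*)$")


def parse_ipfw_show(text):
    """Return one dict per rule line; non-rule lines (banners) are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append({
                "num": int(m.group(1)),
                "pkts": int(m.group(2)),
                "bytes": int(m.group(3)),
                "action": m.group(4),
                "body": m.group(5),
            })
    return rules


def check_counters(rules):
    """Return (problems, avg_len). problems lists count rules whose packet
    counter exceeds the final rule's (impossible for a non-terminal action);
    avg_len maps rule index to mean IP length in bytes, or None if no packets."""
    final = rules[-1]
    problems = []
    for i, r in enumerate(rules[:-1]):
        if r["action"] == "count" and r["pkts"] > final["pkts"]:
            problems.append((i, r["pkts"], final["pkts"]))
    avg_len = {
        i: (r["bytes"] / r["pkts"] if r["pkts"] else None)
        for i, r in enumerate(rules)
    }
    return problems, avg_len


if __name__ == "__main__":
    print(check_counters(parse_ipfw_show(SAMPLE)))
```

With the sample above the mean IP length comes out as exactly 46 bytes, i.e. minimum-size 60-byte frames minus the 14-byte Ethernet header.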
