1.. SPDX-License-Identifier: BSD-3-Clause 2 Copyright(c) 2010-2014 Intel Corporation. 3 4L3 Forwarding with Access Control Sample Application 5==================================================== 6 7The L3 Forwarding with Access Control application is a simple example of packet processing using the DPDK. 8The application performs a security check on received packets. 9Packets that are in the Access Control List (ACL), which is loaded during initialization, are dropped. 10Others are forwarded to the correct port. 11 12Overview 13-------- 14 15The application demonstrates the use of the ACL library in the DPDK to implement access control 16and packet L3 forwarding. 17The application loads two types of rules at initialization: 18 19* Route information rules, which are used for L3 forwarding 20 21* Access Control List (ACL) rules that block packets with a specific characteristic 22 23When packets are received from a port, 24the application extracts the necessary information from the TCP/IP header of the received packet and 25performs a lookup in the rule database to figure out whether the packets should be dropped (in the ACL range) 26or forwarded to desired ports. 27The initialization and run-time paths are similar to those of the :doc:`l3_forward`. 28However, there are significant differences in the two applications. 29For example, the original L3 forwarding application uses either LPM or 30an exact match algorithm to perform forwarding port lookup, 31while this application uses the ACL library to perform both ACL and route entry lookup. 32The following sections provide more detail. 33 34Classification for both IPv4 and IPv6 packets is supported in this application. 35The application also assumes that all the packets it processes are TCP/UDP packets and 36always extracts source/destination port information from the packets. 37 38Tuple Packet Syntax 39~~~~~~~~~~~~~~~~~~~ 40 41The application implements packet classification for the IPv4/IPv6 5-tuple syntax specifically. 42The 5-tuple syntax consist of a source IP address, a destination IP address, 43a source port, a destination port and a protocol identifier. 44The fields in the 5-tuple syntax have the following formats: 45 46* **Source IP address and destination IP address** 47 : Each is either a 32-bit field (for IPv4), or a set of 4 32-bit fields (for IPv6) represented by a value and a mask length. 48 For example, an IPv4 range of 192.168.1.0 to 192.168.1.255 could be represented by a value = [192, 168, 1, 0] and a mask length = 24. 49 50* **Source port and destination port** 51 : Each is a 16-bit field, represented by a lower start and a higher end. 52 For example, a range of ports 0 to 8192 could be represented by lower = 0 and higher = 8192. 53 54* **Protocol identifier** 55 : An 8-bit field, represented by a value and a mask, that covers a range of values. 56 To verify that a value is in the range, use the following expression: "(VAL & mask) == value" 57 58The trick in how to represent a range with a mask and value is as follows. 59A range can be enumerated in binary numbers with some bits that are never changed and some bits that are dynamically changed. 60Set those bits that dynamically changed in mask and value with 0. 61Set those bits that never changed in the mask with 1, in value with number expected. 62For example, a range of 6 to 7 is enumerated as 0b110 and 0b111. 63Bit 1-7 are bits never changed and bit 0 is the bit dynamically changed. 64Therefore, set bit 0 in mask and value with 0, set bits 1-7 in mask with 1, and bits 1-7 in value with number 0b11. 65So, mask is 0xfe, value is 0x6. 66 67.. note:: 68 69 The library assumes that each field in the rule is in LSB or Little Endian order when creating the database. 70 It internally converts them to MSB or Big Endian order. 71 When performing a lookup, the library assumes the input is in MSB or Big Endian order. 72 73Access Rule Syntax 74~~~~~~~~~~~~~~~~~~ 75 76In this sample application, each rule is a combination of the following: 77 78* 5-tuple field: This field has a format described in Section. 79 80* priority field: A weight to measure the priority of the rules. 81 The rule with the higher priority will ALWAYS be returned if the specific input has multiple matches in the rule database. 82 Rules with lower priority will NEVER be returned in any cases. 83 84* userdata field: A user-defined field that could be any value. 85 It can be the forwarding port number if the rule is a route table entry or it can be a pointer to a mapping address 86 if the rule is used for address mapping in the NAT application. 87 The key point is that it is a useful reserved field for user convenience. 88 89ACL and Route Rules 90~~~~~~~~~~~~~~~~~~~ 91 92The application needs to acquire ACL and route rules before it runs. 93Route rules are mandatory, while ACL rules are optional. 94To simplify the complexity of the priority field for each rule, all ACL and route entries are assumed to be in the same file. 95To read data from the specified file successfully, the application assumes the following: 96 97* Each rule occupies a single line. 98 99* Only the following four rule line types are valid in this application: 100 101* ACL rule line, which starts with a leading character '@' 102 103* Route rule line, which starts with a leading character 'R' 104 105* Comment line, which starts with a leading character '#' 106 107* Empty line, which consists of a space, form-feed ('\f'), newline ('\n'), 108 carriage return ('\r'), horizontal tab ('\t'), or vertical tab ('\v'). 109 110Other lines types are considered invalid. 111 112* Rules are organized in descending order of priority, 113 which means rules at the head of the file always have a higher priority than those further down in the file. 114 115* A typical IPv4 ACL rule line should have a format as shown below: 116 117 118.. _figure_ipv4_acl_rule: 119 120.. figure:: img/ipv4_acl_rule.* 121 122 A typical IPv4 ACL rule 123 124 125IPv4 addresses are specified in CIDR format as specified in RFC 4632. 126They consist of the dot notation for the address and a prefix length separated by '/'. 127For example, 192.168.0.34/32, where the address is 192.168.0.34 and the prefix length is 32. 128 129Ports are specified as a range of 16-bit numbers in the format MIN:MAX, 130where MIN and MAX are the inclusive minimum and maximum values of the range. 131The range 0:65535 represents all possible ports in a range. 132When MIN and MAX are the same value, a single port is represented, for example, 20:20. 133 134The protocol identifier is an 8-bit value and a mask separated by '/'. 135For example: 6/0xfe matches protocol values 6 and 7. 136 137* Route rules start with a leading character 'R' and have the same format as ACL rules except an extra field at the tail 138 that indicates the forwarding port number. 139 140Rules File Example 141~~~~~~~~~~~~~~~~~~ 142 143.. _figure_example_rules: 144 145.. figure:: img/example_rules.* 146 147 Rules example 148 149 150Each rule is explained as follows: 151 152* Rule 1 (the first line) tells the application to drop those packets with source IP address = [1.2.3.*], 153 destination IP address = [192.168.0.36], protocol = [6]/[7] 154 155* Rule 2 (the second line) is similar to Rule 1, except the source IP address is ignored. 156 It tells the application to forward packets with destination IP address = [192.168.0.36], 157 protocol = [6]/[7], destined to port 1. 158 159* Rule 3 (the third line) tells the application to forward all packets to port 0. 160 This is something like a default route entry. 161 162As described earlier, the application assume rules are listed in descending order of priority, 163therefore Rule 1 has the highest priority, then Rule 2, and finally, 164Rule 3 has the lowest priority. 165 166Consider the arrival of the following three packets: 167 168* Packet 1 has source IP address = [1.2.3.4], destination IP address = [192.168.0.36], and protocol = [6] 169 170* Packet 2 has source IP address = [1.2.4.4], destination IP address = [192.168.0.36], and protocol = [6] 171 172* Packet 3 has source IP address = [1.2.3.4], destination IP address = [192.168.0.36], and protocol = [8] 173 174Observe that: 175 176* Packet 1 matches all of the rules 177 178* Packet 2 matches Rule 2 and Rule 3 179 180* Packet 3 only matches Rule 3 181 182For priority reasons, Packet 1 matches Rule 1 and is dropped. 183Packet 2 matches Rule 2 and is forwarded to port 1. 184Packet 3 matches Rule 3 and is forwarded to port 0. 185 186For more details on the rule file format, 187please refer to rule_ipv4.db and rule_ipv6.db files (inside dpdk/examples/l3fwd-acl/). 188 189Application Phases 190~~~~~~~~~~~~~~~~~~ 191 192Once the application starts, it transitions through three phases: 193 194* **Initialization Phase** 195 - Perform the following tasks: 196 197* Parse command parameters. Check the validity of rule file(s) name(s), number of logical cores, receive and transmit queues. 198 Bind ports, queues and logical cores. Check ACL search options, and so on. 199 200* Call Environmental Abstraction Layer (EAL) and Poll Mode Driver (PMD) functions to initialize the environment and detect possible NICs. 201 The EAL creates several threads and sets affinity to a specific hardware thread CPU based on the configuration specified 202 by the command line arguments. 203 204* Read the rule files and format the rules into the representation that the ACL library can recognize. 205 Call the ACL library function to add the rules into the database and compile them as a trie of pattern sets. 206 Note that application maintains a separate AC contexts for IPv4 and IPv6 rules. 207 208* **Runtime Phase** 209 - Process the incoming packets from a port. Packets are processed in three steps: 210 211 * Retrieval: Gets a packet from the receive queue. Each logical core may process several queues for different ports. 212 This depends on the configuration specified by command line arguments. 213 214 * Lookup: Checks that the packet type is supported (IPv4/IPv6) and performs a 5-tuple lookup over corresponding AC context. 215 If an ACL rule is matched, the packets will be dropped and return back to step 1. 216 If a route rule is matched, it indicates the packet is not in the ACL list and should be forwarded. 217 If there is no matches for the packet, then the packet is dropped. 218 219 * Forwarding: Forwards the packet to the corresponding port. 220 221* **Final Phase** - Perform the following tasks: 222 223 Calls the EAL, PMD driver and ACL library to free resource, then quits. 224 225Compiling the Application 226------------------------- 227 228To compile the sample application see :doc:`compiling`. 229 230The application is located in the ``l3fwd-acl`` sub-directory. 231 232Running the Application 233----------------------- 234 235The application has a number of command line options: 236 237.. code-block:: console 238 239 ./<build_dir>/examples/dpdk-l3fwd-acl [EAL options] -- -p PORTMASK [-P] --config(port,queue,lcore)[,(port,queue,lcore)] --rule_ipv4 FILENAME --rule_ipv6 FILENAME [--alg=<val>] [--enable-jumbo [--max-pkt-len PKTLEN]] [--no-numa] [--eth-dest=X,MM:MM:MM:MM:MM:MM] 240 241 242where, 243 244* -p PORTMASK: Hexadecimal bitmask of ports to configure 245 246* -P: Sets all ports to promiscuous mode so that packets are accepted regardless of the packet's Ethernet MAC destination address. 247 Without this option, only packets with the Ethernet MAC destination address set to the Ethernet address of the port are accepted. 248 249* --config (port,queue,lcore)[,(port,queue,lcore)]: determines which queues from which ports are mapped to which cores 250 251* --rule_ipv4 FILENAME: Specifies the IPv4 ACL and route rules file 252 253* --rule_ipv6 FILENAME: Specifies the IPv6 ACL and route rules file 254 255* --alg=<val>: optional, ACL classify method to use, one of: 256 ``scalar|sse|avx2|neon|altivec|avx512x16|avx512x32`` 257 258* --enable-jumbo: optional, enables jumbo frames 259 260* --max-pkt-len: optional, maximum packet length in decimal (64-9600) 261 262* --no-numa: optional, disables numa awareness 263 264* --eth-dest=X,MM:MM:MM:MM:MM:MM: optional, ethernet destination for port X 265 266For example, consider a dual processor socket platform with 8 physical cores, where cores 0-7 and 16-23 appear on socket 0, 267while cores 8-15 and 24-31 appear on socket 1. 268 269To enable L3 forwarding between two ports, assuming that both ports are in the same socket, using two cores, cores 1 and 2, 270(which are in the same socket too), use the following command: 271 272.. code-block:: console 273 274 ./<build_dir>/examples/dpdk-l3fwd-acl -l 1,2 -n 4 -- -p 0x3 --config="(0,0,1),(1,0,2)" --rule_ipv4="rule_ipv4.db" --rule_ipv6="rule_ipv6.db" --alg=scalar 275 276In this command: 277 278* The -l option enables cores 1, 2 279 280* The -p option enables ports 0 and 1 281 282* The --config option enables one queue on each port and maps each (port,queue) pair to a specific core. 283 The following table shows the mapping in this example: 284 285 +----------+------------+-----------+-------------------------------------+ 286 | **Port** | **Queue** | **lcore** | **Description** | 287 | | | | | 288 +==========+============+===========+=====================================+ 289 | 0 | 0 | 1 | Map queue 0 from port 0 to lcore 1. | 290 | | | | | 291 +----------+------------+-----------+-------------------------------------+ 292 | 1 | 0 | 2 | Map queue 0 from port 1 to lcore 2. | 293 | | | | | 294 +----------+------------+-----------+-------------------------------------+ 295 296* The --rule_ipv4 option specifies the reading of IPv4 rules sets from the rule_ipv4.db file. 297 298* The --rule_ipv6 option specifies the reading of IPv6 rules sets from the rule_ipv6.db file. 299 300* The --alg=scalar option specifies the performing of rule lookup with a scalar function. 301 302Explanation 303----------- 304 305The following sections provide some explanation of the sample application code. 306The aspects of port, device and CPU configuration are similar to those of the :doc:`l3_forward`. 307The following sections describe aspects that are specific to L3 forwarding with access control. 308 309Parse Rules from File 310~~~~~~~~~~~~~~~~~~~~~ 311 312As described earlier, both ACL and route rules are assumed to be saved in the same file. 313The application parses the rules from the file and adds them to the database by calling the ACL library function. 314It ignores empty and comment lines, and parses and validates the rules it reads. 315If errors are detected, the application exits with messages to identify the errors encountered. 316 317The application needs to consider the userdata and priority fields. 318The ACL rules save the index to the specific rules in the userdata field, 319while route rules save the forwarding port number. 320In order to differentiate the two types of rules, ACL rules add a signature in the userdata field. 321As for the priority field, the application assumes rules are organized in descending order of priority. 322Therefore, the code only decreases the priority number with each rule it parses. 323 324Setting Up the ACL Context 325~~~~~~~~~~~~~~~~~~~~~~~~~~ 326 327For each supported AC rule format (IPv4 5-tuple, IPv6 6-tuple) application creates a separate context handler 328from the ACL library for each CPU socket on the board and adds parsed rules into that context. 329 330Note, that for each supported rule type, 331application needs to calculate the expected offset of the fields from the start of the packet. 332That's why only packets with fixed IPv4/ IPv6 header are supported. 333That allows to perform ACL classify straight over incoming packet buffer - 334no extra protocol field retrieval need to be performed. 335 336Subsequently, the application checks whether NUMA is enabled. 337If it is, the application records the socket IDs of the CPU cores involved in the task. 338 339Finally, the application creates contexts handler from the ACL library, 340adds rules parsed from the file into the database and build an ACL trie. 341It is important to note that the application creates an independent copy of each database for each socket CPU 342involved in the task to reduce the time for remote memory access. 343