Add a Firewall NF which uses the DPDK LPM Library (#80)

The firewall NF drops or forwards packets based on rules provided in the json file. This is achieved using DPDK's LPM (longest prefix matching) library. Default behavior is to drop a packet unless the packet matches a rule. The NF also has a debug mode to print decisions for every packet and an inverse match mode where default behavior is to forward a packet if it is not found in the table. Commit log: * Syncing with current * Updates for ubuntu 18 * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Updates * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update onvm_config_common.c * Update onvm_config_common.c * Updates * Update onvm_config_common.c * Updates * updates * Update onvm_config_common.c * Update onvm_config_common.c * Update firewall.c * Update firewall.c * test * Update firewall.c * test * Update firewall.c * Update firewall.c * test * Update firewall.c * Update firewall.c * Update onvm_config_common.c * updates * Update firewall.c * Update firewall.c * Update rules.json * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * test * updates * updates * Update go.sh * Updates * Revert "Updates" This reverts commit 120b624. * Update firewall.c * updates * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * updates * Update onvm_config_common.c * Update onvm_config_common.c * Update firewall.c * Delete rules.json * Update firewall.c * Update firewall.c * Update firewall.c * Update README.md * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update onvm_nflib.c * Update onvm_nflib.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update firewall.c * Update onvm_nf.c * modifying go script, removing unnecessary code * Update firewall.c * Update firewall.c * Update firewall.c * Style fixes * more style fixes * More style fixes * Moving rules file, logic for if running from examples directory * Moving rules.json file * Delete rules.json from examples direc * Nuking custom go.sh script * Update README.md adding -f to the readme * Adding pkt total, drop, accepted stats * fixing readme * documentation and style fixes * bug fix: logic of dropping/accepting packets * bug fix: logic of dropping/accepting packets * style: change to 8 space indents * Multiple run support * style updates * added not ipv4 field * specify directory to rules.json file instead of specific name * IP's are now entered in proper format in rules.json * printing IP's in debug mode * Style fixes * Style fixes * Style fixes/double free/corruption error * Style fixes/double free/corruption error * style * Revert "style" This reverts commit b2753a6. * Style fixes * Style fixes/whitespace * spacing fix * spacing fix * Space fix * Double free/corruption fix * Fixed depth issue * Style fixes * Read me updates * Parsing ip as cpu * Compatibility with onvm_pkt_parse_ip PR merge * Small fix in load_balancer * Remove unused fw accept tag * Creating function for char to ip * Adding a function to parse string to ip * Style nit * Style nit * Style nits and TODO * TODO * ip_disp to ip_string * Restoring lpm struct (accidentally deleted) * Restoring lpm status macro * Style fixes, naming, etc * Style fixes, naming * Style fixes * Style nit
sdnfv · May 23, 2019 · a003a40 · a003a40
1 parent 20941c6
commit a003a40
Show file tree

Hide file tree

Showing 14 changed files with 584 additions and 2 deletions.
diff --git a/examples/Makefile b/examples/Makefile
@@ -40,7 +40,7 @@ $(error "Please define RTE_SDK environment variable")
 endif
 
 # To add new examples, append the directory name to this variable
-examples = bridge basic_monitor simple_forward speed_tester flow_table test_flow_dir aes_encrypt aes_decrypt flow_tracker load_balancer arp_response nf_router scaling_example load_generator payload_scan
+examples = bridge basic_monitor simple_forward speed_tester flow_table test_flow_dir aes_encrypt aes_decrypt flow_tracker load_balancer arp_response nf_router scaling_example load_generator payload_scan firewall
 
 ifeq ($(NDPI_HOME),)
 $(warning "Skipping ndpi_stats NF as NDPI_HOME is not set")

diff --git a/examples/firewall/.gitignore b/examples/firewall/.gitignore
@@ -0,0 +1,2 @@
+firewall/
+build/
diff --git a/examples/firewall/Makefile b/examples/firewall/Makefile
@@ -0,0 +1,62 @@
+#                    openNetVM
+#      https://github.com/sdnfv/openNetVM
+#
+# BSD LICENSE
+#
+# Copyright(c)
+#          2015-2016 George Washington University
+#          2015-2016 University of California Riverside
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in
+# the documentation and/or other materials provided with the
+# distribution.
+# The name of the author may not be used to endorse or promote
+# products derived from this software without specific prior
+# written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+ifeq ($(RTE_SDK),)
+$(error "Please define RTE_SDK environment variable")
+endif
+
+RTE_TARGET ?= $(RTE_TARGET)
+
+# Default target, can be overriden by command line or environment
+include $(RTE_SDK)/mk/rte.vars.mk
+
+# binary name
+APP = firewall
+
+# all source are stored in SRCS-y
+SRCS-y := firewall.c
+
+# OpenNetVM path
+ONVM= $(SRCDIR)/../../onvm
+
+CFLAGS += -O3 $(USER_FLAGS)
+
+CFLAGS += -I$(ONVM)/onvm_nflib
+CFLAGS += -I$(ONVM)/lib
+LDFLAGS += $(ONVM)/onvm_nflib/$(RTE_TARGET)/libonvm.a
+LDFLAGS += $(ONVM)/lib/$(RTE_TARGET)/lib/libonvmhelper.a -lm
+
+include $(RTE_SDK)/mk/rte.extapp.mk
diff --git a/examples/firewall/README.md b/examples/firewall/README.md
@@ -0,0 +1,31 @@
+Firewall
+==
+The Firewall NF drops/forwards packets based on LPM rules specified in the  rules.json file.
+A user would enter a rule in the following format:
+
+````
+"ruleName": {
+		"ip": "127.1.1.0",
+		"depth": 32,
+		"action": 0
+	}
+````
+Compilation and Execution
+--
+```
+cd examples
+make
+cd firewall
+./go.sh SERVICE_ID -d DESTINATION_ID -f RULES_FILE
+
+OR 
+
+./go.sh -F CONFIG_FILE -- -- -d DST -f RULES_FILE [-p PRINT_DELAY] [-b debug mode]
+```
+
+App Specific Arguments
+--
+  - `-b`: specifies debug mode. Prints individual packet source ip addresses.
+  - `-f <rules_file>`: rules used for LPM lookup.
+  - `-p <print_delay`: number of packets between each print, e.g. -p 1 prints every packets.
+