Adding a Firewall NF #80
@dennisafa Fix Makefile conflict. @nks5295 Did you have any specific tests in mind? As this is just an example, like most of our NFs, the testing was pretty minimal. If not, I'll just run a few quick tests and merge.
There are a few issues I need to take care of since the latest merge. I will fix ASAP @koolzz
I've tested with speed_tester and pcaps. Things work as expected so I'm approving!
I've added a few naming nits/code style things. Once you fix those we're good to merge.
Looks good overall, but a couple simple fixes to adhere to our naming conventions.
@onvm do your thing
CI Message: Your results will arrive shortly
CI Message
Run successful see results:
✔️ PR submitted to develop branch
✔️ Speed tester performance check passed
❌ Linter Failed (please fix style errors)
[Results from nimbnode30]
- Median TX pps for Speed Tester: 35231909
- Performance rating - 100.66% (compared to 35000000 average)
Linter Output
examples/firewall/firewall.c:47: "unistd.h" already included at examples/firewall/firewall.c:42 [build/include] [4]
examples/firewall/firewall.c:114: Lines should be <= 120 characters long [whitespace/line_length] [5]
examples/firewall/firewall.c:137: Almost always, snprintf is better than strcpy [runtime/printf] [4]
examples/firewall/firewall.c:142: Lines should very rarely be longer than 150 characters [whitespace/line_length] [4]
examples/firewall/firewall.c:265: Almost always, snprintf is better than strcpy [runtime/printf] [4]
Total errors found: 5
onvm/onvm_nflib/onvm_pkt_helper.c:378: Lines should be <= 120 characters long [whitespace/line_length] [5]
onvm/onvm_nflib/onvm_pkt_helper.c:378: Never use sprintf. Use snprintf instead. [runtime/printf] [5]
Total errors found: 2
@dennisafa almost good to merge, pls fix the linter suggestions from CI + the ones I've pointed out.
@onvm dance your dance
CI Message: Your results will arrive shortly
CI Message
Run successful see results:
✔️ PR submitted to develop branch
✔️ Speed tester performance check passed
✔️ Linter passed
[Results from nimbnode30]
- Median TX pps for Speed Tester: 35246316
- Performance rating - 100.70% (compared to 35000000 average)
@onvm one more time
CI Message: Your results will arrive shortly
CI Message
Run successful see results:
✔️ PR submitted to develop branch
✔️ Speed tester performance check passed
✔️ Linter passed
[Results from nimbnode30]
- Median TX pps for Speed Tester: 35241691
- Performance rating - 100.69% (compared to 35000000 average)
Continuing @AaronCoplan's work of adding a firewall NF. This adds LPM rules JSON parsing functionality and debug mode.
Summary:
This NF drops packets based on rules that follow LPM (longest prefix matching) protocol. Default behavior is to drop unless the packet matches a rule.
Usage:
Merging notes:
TODO before merging :
Test Plan:
Run from examples directory with ./start_nf.sh firewall 1 -d 1 -f rules.json for normal mode, or ./start_nf.sh firewall 1 -d 1 -b -f rules.json for debug mode (this will print when packets are dropped/forwarded)
You could also run from within the firewall directory.
Used pcap files to verify that packets that do not follow LPM rules are dropped. Verify that packets that match rules are forwarded.
Review:
Sanity checks, assigned to @koolzz @kevindweb
Code style, assigned to @koolzz @kevindweb
Code design, assigned to @koolzz @kevindweb
Performance, assigned to @koolzz @kevindweb
Documentation, assigned to @koolzz @kevindweb
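
The default-drop, longest-prefix-match behaviour described in the PR summary, as an added example that is not code from this PR or from openNetVM. The rule struct, the per-rule action field and the sample rules are assumptions made for illustration, and a linear scan stands in for whatever LPM table the NF uses.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical rule layout for this example; not the NF's own struct. */
enum fw_action { FW_DROP = 0, FW_FORWARD = 1 };

struct fw_rule {
    uint32_t prefix;        /* IPv4 network, host byte order */
    uint8_t depth;          /* prefix length in bits, 0..32 */
    enum fw_action action;  /* per-rule verdict (assumed for this example) */
};

/* Constructed sample rules, most general prefix first. */
static const struct fw_rule sample_rules[] = {
    { 0x0A000000u, 8,  FW_FORWARD },  /* 10.0.0.0/8  */
    { 0x0A010000u, 16, FW_DROP },     /* 10.1.0.0/16 */
    { 0x0A010200u, 24, FW_FORWARD },  /* 10.1.2.0/24 */
};
static const size_t sample_rule_count = sizeof(sample_rules) / sizeof(sample_rules[0]);

static uint32_t depth_to_mask(uint8_t depth) {
    /* A 32-bit shift by 32 is undefined in C, so /0 is handled explicitly. */
    return depth == 0 ? 0u : (uint32_t)(0xFFFFFFFFu << (32 - depth));
}

/* Return the action of the longest matching prefix; drop when nothing matches. */
enum fw_action fw_lookup(const struct fw_rule *rules, size_t n, uint32_t ip) {
    int best_depth = -1;
    enum fw_action verdict = FW_DROP;  /* default deny */
    for (size_t i = 0; i < n; i++) {
        if (rules[i].depth > 32)
            continue;  /* ignore malformed rules rather than widen the match */
        uint32_t mask = depth_to_mask(rules[i].depth);
        if ((ip & mask) == (rules[i].prefix & mask) && rules[i].depth > best_depth) {
            best_depth = rules[i].depth;
            verdict = rules[i].action;
        }
    }
    return verdict;
}

int main(void) {
    uint32_t ips[] = { 0x0A010205u, 0x0A010305u, 0x0A020001u, 0xC0A80101u };
    for (size_t i = 0; i < sizeof(ips) / sizeof(ips[0]); i++)
        printf("%08x -> %s\n", (unsigned)ips[i],
               fw_lookup(sample_rules, sample_rule_count, ips[i]) == FW_FORWARD ? "forward" : "drop");
    return 0;
}
```

The four addresses in `main` exercise the cases a pcap-based test of such a firewall should cover: a /24 allow nested inside a /16 drop, the /16 drop itself, the broad /8 allow, and an address with no matching rule.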