; BSD LICENSE ; ; Copyright(c) 2016 Intel Corporation. All rights reserved. ; All rights reserved. ; ; Redistribution and use in source and binary forms, with or without ; modification, are permitted provided that the following conditions ; are met: ; ; * Redistributions of source code must retain the above copyright ; notice, this list of conditions and the following disclaimer. ; * Redistributions in binary form must reproduce the above copyright ; notice, this list of conditions and the following disclaimer in ; the documentation and/or other materials provided with the ; distribution. ; * Neither the name of Intel Corporation nor the names of its ; contributors may be used to endorse or promote products derived ; from this software without specific prior written permission. ; ; THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ; "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT ; LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR ; A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT ; OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ; SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT ; LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, ; DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY ; THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT ; (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE ; OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ; The diagram below shows how additional protocol components can be plugged into ; the IP layer implemented by the ip_pipeline application. Pick your favorite ; open source components for dynamic ARP, ICMP, UDP or TCP termination, etc and ; connect them through SWQs to the IP infrastructure. ; ; The input packets with local destination are sent to the UDP/TCP applications ; while the input packets with remote destination are routed back to the ; network. Additional features can easily be added to this setup: ; * IP Reassembly: add SWQs with IP reassembly enabled (typically required for ; the input traffic with local destination); ; * IP Fragmentation: add SWQs with IP fragmentation enabled (typically ; required to enforce the MTU for the routed output traffic); ; * Traffic Metering: add Flow Action pipeline instances (e.g. for metering the ; TCP connections or ICMP input traffic); ; * Traffic Management: add TMs for the required output LINKs; ; * Protocol encapsulations (QinQ, MPLS) for the output packets: part of the ; routing pipeline configuration. ; ; _________ _________ ; | | | | ; | UDP | | TCP | ; | App | | App | ; |_________| |_________| ; ^ | ^ | ; __|___V__ __|___V__ ; | | SWQ0 (UDP TX) | | SWQ1 (TCP TX) ; | UDP |-------+ | TCP |------------+ ; | | | | | | ; |_________| | |_________| | ; ^ | ^ | ; | SWQ2 | | SWQ3 | ; | (UDP RX) | | (TCP RX) | ; ____|____ | ____|____ | ; | | | | | | ; RXQ<0..3>.1 ------>|Firewall +--->| | +------>| Flow +--->| | ; (UDP local dest) | (P2) | SINK0 | | | (P3) | SINK1 | ; |_________| (Deny)| | |_________| (RST) | ; RXQ<0..3>.2 -------------------------|-----+ | ; (TCP local dest) | | ; | +------------------------------+ ; | | ; _V_____V_ ; | | ; | Routing | TXQ<0..3>.0 ; RXQ<0..3>.0 ---------------------->| & ARP +-----------------------------> ; (IP remote dest) | (P1) | ; |_________| ; | ^ | ; SWQ4 +-------------+ | | SWQ5 (ARP miss) ; (Route miss) | | +------------+ ; | +-------------+ | ; ___V__|__ SWQ6 ____V____ ; | | (ICMP TX) | | TXQ<0..3>.1 ; RXQ<0..3>.3 ------>| ICMP | +------>| Dyn ARP +-------------> ; (IP local dest) | | | | | ; |_________| | |_________| ; RXQ<0..3>.4 -------------------------------+ ; (ARP) ; ; This configuration file implements the diagram presented below, where the ; dynamic ARP, ICMP, UDP and TCP components have been stubbed out and replaced ; with loop-back and packet drop devices. ; ; _________ _________ ; | | SWQ0 (UDP TX) | | SWQ1 (TCP TX) ; |Loobpack |-------+ |Loopback |------------+ ; | (P4) | | | (P5) | | ; |_________| | |_________| | ; ^ | ^ | ; | SWQ2 | | SWQ3 | ; | (UDP RX) | | (TCP RX) | ; ____|____ | ____|____ | ; | | | | | | ; RXQ<0..3>.1 ------>|Firewall +--->| | +------>| Flow +--->| | ; (UDP local dest) | (P2) | SINK0 | | | (P3) | SINK1 | ; |_________| (Deny)| | |_________| (RST) | ; RXQ<0..3>.2 -------------------------|-----+ | ; (TCP local dest) | | ; | +------------------------------+ ; | | ; _V_____V_ ; | | ; | Routing | TXQ<0..3>.0 ; RXQ<0..3>.0 ---------------------->| & ARP +-----------------------------> ; (IP remote dest) | (P1) | ; |_________| ; | | ; SINK2 |<---+ +--->| SINK3 ; (Route miss) (ARP miss) ; ; _________ _________ ; | | | | ; RXQ<0..3>.3 ------>| Drop +--->| SINK<4..7> +------>| Drop +--->| SINK<8..11> ; (IP local dest) | (P6) | (IP local dest) | | (P7) | (ARP) ; |_________| | |_________| ; RXQ<0..3>.4 ------------------------------------+ ; (ARP) ; ; ; Input packet: Ethernet/IPv4 or Ethernet/ARP ; Output packet: Ethernet/IPv4 or Ethernet/ARP ; ; Packet buffer layout (for input IPv4 packets): ; # Field Name Offset (Bytes) Size (Bytes) ; 0 Mbuf 0 128 ; 1 Headroom 128 128 ; 2 Ethernet header 256 14 ; 3 IPv4 header 270 20 ; 4 ICMP/UDP/TCP header 290 8/8/20 [EAL] log_level = 0 [LINK0] udp_local_q = 1 tcp_local_q = 2 ip_local_q = 3 arp_q = 4 [LINK1] udp_local_q = 1 tcp_local_q = 2 ip_local_q = 3 arp_q = 4 [LINK2] udp_local_q = 1 tcp_local_q = 2 ip_local_q = 3 arp_q = 4 [LINK3] udp_local_q = 1 tcp_local_q = 2 ip_local_q = 3 arp_q = 4 [PIPELINE0] type = MASTER core = 0 [PIPELINE1] type = ROUTING core = 1 pktq_in = RXQ0.0 RXQ1.0 RXQ2.0 RXQ3.0 SWQ0 SWQ1 pktq_out = TXQ0.0 TXQ1.0 TXQ2.0 TXQ3.0 SINK2 SINK3 port_local_dest = 4 ; SINK2 (Drop) n_arp_entries = 1000 ip_hdr_offset = 270 arp_key_offset = 128 [PIPELINE2] type = FIREWALL core = 1 pktq_in = RXQ0.1 RXQ1.1 RXQ2.1 RXQ3.1 pktq_out = SWQ2 SINK0 n_rules = 4096 [PIPELINE3] type = FLOW_CLASSIFICATION core = 1 pktq_in = RXQ0.2 RXQ1.2 RXQ2.2 RXQ3.2 pktq_out = SWQ3 SINK1 n_flows = 65536 key_size = 16 ; IPv4 5-tuple key size key_offset = 278 ; IPv4 5-tuple key offset key_mask = 00FF0000FFFFFFFFFFFFFFFFFFFFFFFF ; IPv4 5-tuple key mask flowid_offset = 128 ; Flow ID effectively acts as TCP socket ID [PIPELINE4] type = PASS-THROUGH ; Loop-back (UDP place-holder) core = 1 pktq_in = SWQ2 pktq_out = SWQ0 swap = 282 286 ; IPSRC <-> IPDST swap = 290 292 ; PORTSRC <-> PORTDST [PIPELINE5] type = PASS-THROUGH ; Loop-back (TCP place-holder) core = 1 pktq_in = SWQ3 pktq_out = SWQ1 swap = 282 286 ; IPSRC <-> IPDST swap = 290 292 ; PORTSRC <-> PORTDST [PIPELINE6] type = PASS-THROUGH ; Drop (ICMP place-holder) core = 1 pktq_in = RXQ0.3 RXQ1.3 RXQ2.3 RXQ3.3 pktq_out = SINK4 SINK5 SINK6 SINK7 [PIPELINE7] type = PASS-THROUGH ; Drop (Dynamic ARP place-holder) core = 1 pktq_in = RXQ0.4 RXQ1.4 RXQ2.4 RXQ3.4 pktq_out = SINK8 SINK9 SINK10 SINK11