vACL samplevnf
1. vACL - Release Notes
1.1. Introduction
This is a beta release of the Sample Virtual ACL VNF. The vACL application can be run independently (refer to INSTALL.rst).
1.2. User Guide
Refer to README.rst for further details on vACL: HLD, features supported and test plan. For build configuration and execution prerequisites, refer to INSTALL.rst.
1.3. Features for this release
The vACL VNF currently supports the following functionality:
- CLI based run-time rule configuration (Add, Delete, List, Display, Clear, Modify)
- IPv4 and IPv6 standard 5-tuple packet selector support
- Multithread support
- Multiple physical port support
- Hardware and software load balancing
- L2L3 stack support for ARP/ICMP handling:
  - ARP (request, response, gratuitous)
  - ICMP (terminal echo, echo response, passthrough)
  - ICMPv6 and ND (Neighbor Discovery)
1.4. System requirements - OS and kernel version
This is supported on Ubuntu 14.04 and 16.04 with a kernel version lower than 4.5.
- VNFs on bare metal:
  - OS: Ubuntu 14.04 or 16.04 LTS, kernel < 4.5. Download/install the image ubuntu-16.04.1-server-amd64.iso from http://releases.ubuntu.com/16.04/
- VNFs on a standalone hypervisor:
  - Host OS: Ubuntu 14.04 or 16.04 LTS. Download/install the image ubuntu-16.04.1-server-amd64.iso from http://releases.ubuntu.com/16.04/
  - OVS (DPDK) - 2.5
  - kernel: < 4.5
  - Hypervisor - KVM
  - VM OS - Ubuntu 16.04/Ubuntu 14.04
1.5. Known Bugs and limitations
- The hardware load balancer feature is supported on Fortville NIC ACL version 4.53 and below.
- Hardware checksum offload is not supported for IPv6 traffic.
- vACL on SR-IOV is tested up to 4 threads.
1.6. Future Work
The following are possible enhancements:
- Performance optimization on different platforms
1.7. References
The following links provide additional information for different versions of DPDK:
2. vACL - Readme
2.1. Introduction
This application implements an Access Control List (ACL). An ACL is typically used for rule-based policy enforcement. It restricts access to a destination IP address/port based on various header fields, such as source IP address/port, destination IP address/port and protocol. It is built on top of DPDK and uses the packet framework infrastructure.
2.1.1. About DPDK
The DPDK IP Pipeline Framework provides a set of libraries to build a pipeline application. In this document, vACL is explained in detail with its own building blocks.
This document assumes the reader possesses knowledge of DPDK concepts and the packet framework. For more details, read the DPDK Getting Started Guide, DPDK Programmer's Guide and DPDK Sample Applications Guide.
2.2. Scope
This application provides a standalone, DPDK based, high performance vACL Virtual Network Function implementation.
2.3. Features
The vACL VNF currently supports the following functionality:
- CLI based run-time rule configuration (Add, Delete, List, Display, Clear, Modify)
- IPv4 and IPv6 standard 5-tuple packet selector support
- Multithread support
- Multiple physical port support
- Hardware and software load balancing
- L2L3 stack support for ARP/ICMP handling:
  - ARP (request, response, gratuitous)
  - ICMP (terminal echo, echo response, passthrough)
  - ICMPv6 and ND (Neighbor Discovery)
2.4. High Level Design
The ACL filter performs bulk filtering of incoming packets based on the rules in the current ruleset, discarding any packets not permitted by the rules. The mechanisms needed for building the rule database and performing lookups are provided by the DPDK ACL API: http://dpdk.org/doc/api/rte__acl_8h.html
The input FIFO contains all the incoming packets for ACL filtering. Packets are dequeued from the FIFO in bulk for processing by the ACL and then enqueued to the output FIFO. The input and output FIFOs are implemented using DPDK ring buffers.
The DPDK ACL example (http://dpdk.org/doc/guides/sample_app_ug/l3_forward_access_ctrl.html#figure-ipv4-acl-rule) contains a suitable syntax and parser for ACL rules.
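As an added example (not samplevnf or DPDK code), the following C code parses rules written in the l3fwd-acl text syntax referenced above and applies them to IPv4 5-tuples with the filter semantics this design describes: the first matching rule permits the packet and anything unmatched is dropped. Treating rule order as priority is an assumption made here, not something the page states about vACL's own rule loading.

```c
/* Added example (not samplevnf or DPDK code): rules in the l3fwd-acl text
 * syntax, checked against IPv4 5-tuples with first-match permit, implicit drop. */
#include <stdint.h>
#include <stdio.h>
#include <arpa/inet.h>
struct acl_rule {
    uint32_t src, dst, src_mask, dst_mask;   /* host byte order */
    uint16_t sp_lo, sp_hi, dp_lo, dp_hi;     /* inclusive port ranges */
    uint8_t proto, proto_mask;
};
/* Prefix length (0..32) to a host-order netmask without a 32-bit shift. */
static uint32_t prefix_mask(unsigned len) {
    return len == 0 ? 0 : 0xffffffffu << (32 - len);
}
/* Parse "@src/len dst/len sp_lo:sp_hi dp_lo:dp_hi proto/mask".
 * Returns 1 on success, 0 on a malformed line, which is rejected outright
 * rather than being loaded as an over-broad permit. */
int parse_acl_rule(const char *line, struct acl_rule *r) {
    char s[32], d[32];
    unsigned sl, dl, splo, sphi, dplo, dphi, proto, pmask;
    struct in_addr a;
    if (sscanf(line, "@%31[0-9.]/%u %31[0-9.]/%u %u:%u %u:%u %u/%x",
               s, &sl, d, &dl, &splo, &sphi, &dplo, &dphi, &proto, &pmask) != 10)
        return 0;
    if (sl > 32 || dl > 32 || sphi > 65535 || dphi > 65535 || splo > sphi ||
        dplo > dphi || proto > 255 || pmask > 255)
        return 0;
    if (inet_pton(AF_INET, s, &a) != 1) return 0;
    r->src = ntohl(a.s_addr);
    if (inet_pton(AF_INET, d, &a) != 1) return 0;
    r->dst = ntohl(a.s_addr);
    r->src_mask = prefix_mask(sl); r->dst_mask = prefix_mask(dl);
    r->sp_lo = splo; r->sp_hi = sphi; r->dp_lo = dplo; r->dp_hi = dphi;
    r->proto = proto; r->proto_mask = pmask;
    return 1;
}
/* Index of the first rule permitting the 5-tuple, or -1 to drop the packet. */
int acl_lookup(const struct acl_rule *rules, int n, uint32_t src, uint32_t dst,
               uint16_t sport, uint16_t dport, uint8_t proto) {
    for (int i = 0; i < n; i++) {
        const struct acl_rule *r = &rules[i];
        if ((src & r->src_mask) == (r->src & r->src_mask) &&
            (dst & r->dst_mask) == (r->dst & r->dst_mask) &&
            sport >= r->sp_lo && sport <= r->sp_hi && dport >= r->dp_lo &&
            dport <= r->dp_hi && (proto & r->proto_mask) == (r->proto & r->proto_mask))
            return i;
    }
    return -1;
}
```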
2.5. Components of vACL
In vACL, each component is constructed using packet framework pipelines. It includes the Rx and Tx driver, master pipeline, load balancer pipeline and vACL worker pipeline components. A pipeline in the framework is a collection of input ports, table(s), output ports and actions (functions).
2.5.1. Receive and Transmit Driver
Packets are received in bulk and handed to the load balancer (LB) thread. Transmit takes packets from the worker threads via a dedicated ring and sends them to the hardware queue.
2.5.2. Master Pipeline
The Master component is part of all the IP Pipeline applications. This component does not process any packets and should be configured on core 0, leaving the other cores for processing traffic. This component is responsible for:
1. Initializing each component of the pipeline application in different threads
2. Providing a CLI shell for user control/debug
3. Propagating commands from the user to the corresponding components
2.5.3. ARPICMP Pipeline
This pipeline processes the ARP/ICMP packets.
2.5.4. TXRX Pipelines
The TXRX and RXTX pipelines are pass-through pipelines that forward both ingress and egress traffic to the load balancer. They are required when the software load balancer is used.
2.5.5. Load Balancer Pipeline
The vACL supports both hardware and software load balancing of traffic across multiple VNF threads. Hardware load balancing requires support from the hardware, such as Flow Director, for steering packets to the application through hardware queues.
The software load balancer is also supported if hardware load balancing cannot be used for any reason. The TXRX pipelines together with the LOADB pipeline provide software load balancing by distributing the flows to multiple vACL worker threads. The load balancer (HW or SW) distributes traffic based on the 5-tuple (src addr, src port, dest addr, dest port and protocol), applying XOR logic to distribute across the active worker threads, thereby maintaining an affinity of flows to worker threads.
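As an added example (not samplevnf code), the following C code models the flow-to-worker distribution described above: the 5-tuple is folded with XOR and reduced to a worker index, so every packet of a flow, in either direction, reaches the same worker thread. The exact fold used by samplevnf's load balancer is not given on this page; the one below is an assumption.

```c
/* Added example (not samplevnf code): XOR-based 5-tuple distribution of
 * flows across active worker threads. The exact fold samplevnf uses is
 * not documented on this page; this fold is an assumption. */
#include <stdint.h>

struct five_tuple {
    uint32_t src, dst;     /* IPv4 addresses, host byte order */
    uint16_t sport, dport;
    uint8_t proto;
};

/* Fold the 5-tuple with XOR. Because XOR is commutative, swapping
 * src/dst and sport/dport gives the same value, so both directions of a
 * connection are pinned to the same worker thread. */
static uint32_t tuple_xor(const struct five_tuple *t) {
    return t->src ^ t->dst ^ (uint32_t)(t->sport ^ t->dport) ^ t->proto;
}

/* Worker index for a flow among n_workers active threads (n_workers > 0).
 * The high half is mixed into the low half before the modulo so that
 * flows differing only in high address bits still spread out. */
unsigned select_worker(const struct five_tuple *t, unsigned n_workers) {
    uint32_t h = tuple_xor(t);
    h ^= h >> 16;
    return n_workers ? h % n_workers : 0;
}

/* Distribute a batch of flows and report how many land on each worker;
 * counts must have room for n_workers entries. Returns the batch size. */
unsigned count_per_worker(const struct five_tuple *flows, unsigned n_flows,
                          unsigned n_workers, unsigned *counts) {
    for (unsigned w = 0; w < n_workers; w++) counts[w] = 0;
    for (unsigned i = 0; i < n_flows; i++)
        counts[select_worker(&flows[i], n_workers)]++;
    return n_flows;
}
```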
2.5.6. vACL Pipeline
The vACL performs the rule-based packet filtering.
2.5.6.1. vACL Topology
IXIA(Port 0)-->(Port 0)VNF(Port 1)-->(Port 1) IXIA
operation:
Egress --> The packets sent out from IXIA (port 0) will be sent through the ACL to IXIA (port 1).
Ingress --> The packets sent out from IXIA (port 1) will be sent through the ACL to IXIA (port 0).
2.5.6.2. vACL Topology (L4REPLAY)
IXIA(Port 0)-->(Port 0)VNF(Port 1)-->(Port 0)L4REPLAY
operation:
Egress --> The packets sent out from IXIA will pass through vACL to L3FWD/L4REPLAY.
Ingress --> L4REPLAY, upon reception of packets (private to public network), will immediately replay the traffic back to the IXIA interface (pub --> priv).
2.5.6.3. How to run L4Replay
After the installation of samplevnf, go to <samplevnf/VNFs/L4Replay> and run:
./build/L4replay -c core_mask -n no_of_channels(let it be 2) -- -p PORT_MASK --config="(port,queue,lcore)"
eg: ./build/L4replay -c 0xf -n 4 -- -p 0x3 --config="(0,0,1)"
2.6. Installation, Compile and Execution
Please refer to <samplevnf>/docs/vACL/INSTALL.rst for installation, configuration, compilation and execution.
3. vACL - Installation Guide
3.1. vACL Compilation
After downloading (or doing a git clone) into a directory (samplevnf):
3.1.1. Dependencies
- DPDK supported versions ($DPDK_RTE_VER = 16.04, 16.11, 17.02 or 17.05): downloaded and installed via vnf_build.sh or manually from http://fast.dpdk.org/rel/
- libpcap-dev
- libzmq
- libcurl
3.1.2. Environment variables
Apply all the additional patches in 'patches/dpdk_custom_patch/', build DPDK and set:
export RTE_SDK=<dpdk directory>
export RTE_TARGET=x86_64-native-linuxapp-gcc
This is done by the vnf_build.sh script.
3.2. Auto Build
Run $ ./tools/vnf_build.sh in the samplevnf root folder.
Follow the steps on the screen from option [1] -> [9] and select option [8] to build the VNFs. It will automatically download the selected DPDK version and any required patches, set up everything and build the vACL VNF.
The following are the setup options:
----------------------------------------------------------
Step 1: Environment setup.
----------------------------------------------------------
[1] Check OS and network connection
[2] Select DPDK RTE version
----------------------------------------------------------
Step 2: Download and Install
----------------------------------------------------------
[3] Agree to download
[4] Download packages
[5] Download DPDK zip
[6] Build and Install DPDK
[7] Setup hugepages
----------------------------------------------------------
Step 3: Build VNFs
----------------------------------------------------------
[8] Build all VNFs (vACL, vCGNAPT, vFW, UDP_Replay)
[9] Exit Script
A vACL executable will be created at the following location: samplevnf/VNFs/vACL/build/vACL
3.3. Manual Build
Download the supported DPDK version from dpdk.org.
Unzip dpdk-$DPDK_RTE_VER.zip and apply the DPDK patches only in the case of 16.04 (not required for other DPDK versions):
cd dpdk
- patch -p1 < $VNF_CORE/patches/dpdk_custom_patch/i40e-fix-link-management.patch
- patch -p1 < $VNF_CORE/patches/dpdk_custom_patch/i40e-fix-Rx-hang-when-disable-LLDP.patch
- patch -p1 < $VNF_CORE/patches/dpdk_custom_patch/i40e-fix-link-status-change-interrupt.patch
- patch -p1 < $VNF_CORE/patches/dpdk_custom_patch/i40e-fix-VF-bonded-device-link-down.patch
- patch -p1 < $VNF_CORE/patches/dpdk_custom_patch/disable-acl-debug-logs.patch
- patch -p1 < $VNF_CORE/patches/dpdk_custom_patch/set-log-level-to-info.patch
Build DPDK:
- make config T=x86_64-native-linuxapp-gcc O=x86_64-native-linuxapp-gcc
- cd x86_64-native-linuxapp-gcc
- make
Setup huge pages
- For 1G/2M hugepage sizes, for example 1G pages, the size must be specified explicitly and can also optionally be set as the default hugepage size for the system. For example, to reserve 8G of hugepage memory in the form of eight 1G pages, the following options should be passed to the kernel: default_hugepagesz=1G hugepagesz=1G hugepages=8 hugepagesz=2M hugepages=2048
- Edit the /etc/default/grub configuration file and append "default_hugepagesz=1G hugepagesz=1G hugepages=8 hugepagesz=2M hugepages=2048" to the GRUB_CMDLINE_LINUX entry.
Setup environment variables
export RTE_SDK=<samplevnf>/dpdk
export RTE_TARGET=x86_64-native-linuxapp-gcc
export VNF_CORE=<samplevnf>
or use ./tools/setenv.sh
Build the vACL VNF
- cd <samplevnf>/VNFs/vACL
- make clean
- make
The vACL executable will be created at the following location:
- <samplevnf>/VNFs/vACL/build/vACL
3.4. Run
3.4.1. Setup Port to run VNF
For DPDK version 16.04:
1. cd <samplevnf>/dpdk
2. ./tools/dpdk_nic_bind.py --status <--- List the network devices
3. ./tools/dpdk_nic_bind.py -b igb_uio <PCI Port 0> <PCI Port 1>
More details: http://dpdk.org/doc/guides-16.04/linux_gsg/build_dpdk.html#binding-and-unbinding-network-ports-to-from-the-kernel-modules
For DPDK version 16.11:
1. cd <samplevnf>/dpdk
2. ./tools/dpdk-devbind.py --status <--- List the network devices
3. ./tools/dpdk-devbind.py -b igb_uio <PCI Port 0> <PCI Port 1>
More details: http://dpdk.org/doc/guides-16.11/linux_gsg/build_dpdk.html#binding-and-unbinding-network-ports-to-from-the-kernel-modules
For DPDK versions 17.xx:
1. cd <samplevnf>/dpdk
2. ./usertools/dpdk-devbind.py --status <--- List the network devices
3. ./usertools/dpdk-devbind.py -b igb_uio <PCI Port 0> <PCI Port 1>
More details: http://dpdk.org/doc/guides-17.05/linux_gsg/build_dpdk.html#binding-and-unbinding-network-ports-to-from-the-kernel-modules
Make the necessary changes to the config files to run the vACL VNF, e.g.:
ports_mac_list = 00:00:00:30:21:00 00:00:00:30:21:00
3.4.2. ACL run commands
Update the configuration according to the system configuration.
./build/vACL -p <port mask> -f <config> -s <script>                  (software load balancer)
./build/vACL -p <port mask> -f <config> -s <script> --hwlb <num_WT>  (hardware load balancer)
3.4.2.1. Run IPv4
Software LoadB:
cd <samplevnf>/VNFs/vACL/
./build/vACL -p 0x3 -f ./config/IPv4_swlb_acl_1LB_1t.cfg -s ./config/IPv4_swlb_acl.tc
Hardware LoadB:
cd <samplevnf>/VNFs/vACL/
./build/vACL -p 0x3 -f ./config/IPv4_hwlb_acl_1LB_1t.cfg -s ./config/IPv4_hwlb_acl.tc --hwlb 1
3.4.2.2. Run IPv6
Software LoadB:
cd <samplevnf>/VNFs/vACL/
./build/vACL -p 0x3 -f ./config/IPv6_swlb_acl_1LB_1t.cfg -s ./config/IPv6_swlb_acl.tc
Hardware LoadB:
cd <samplevnf>/VNFs/vACL/
./build/vACL -p 0x3 -f ./config/IPv6_hwlb_acl_1LB_1t.cfg -s ./config/IPv6_hwlb_acl.tc --hwlb 1
3.4.2.3. vACL execution on BM & SRIOV
To run the VNF, execute the following:
samplevnf/VNFs/vACL# ./build/vACL -p 0x3 -f ./config/IPv4_swlb_acl_1LB_1t.cfg -s ./config/IPv4_swlb_acl.tc
Command line params:
-p PORTMASK: hexadecimal bitmask of ports to configure
-f CONFIG FILE: vACL configuration file
-s SCRIPT FILE: vACL script file
3.4.2.4. vACL execution on OVS
To run the VNF, execute the following:
samplevnf/VNFs/vACL# ./build/vACL -p 0x3 -f ./config/IPv4_swlb_acl_1LB_1t.cfg -s ./config/IPv4_swlb_acl.tc --disable-hw-csum
Command line params:
-p PORTMASK: hexadecimal bitmask of ports to configure
-f CONFIG FILE: vACL configuration file
-s SCRIPT FILE: vACL script file
--disable-hw-csum: disable TCP/UDP hardware checksum