HighPerformancePacketClassifier
-- Main.GianniAntichi - 22 Mar 2011
This Classifier is a 5-tuple deterministic classifier delta-FA based, a compressed version of DFAs. It could process packets at wire speed and it is on-the-fly reconfigurable.
- Status :
- Version :
- Authors :
Software: Gianni Antichi
- NetFPGA source :
- Wire-speed 5-tuple Classifier
- Up to ~100000 rules
- On-the-fly reconfigurable
First of all you may want to download Michela Becchi's regex-tool (http://regex.wustl.edu) to generate a DFA from regular expressions and Domenico Ficara's deltaFA tool (http://wwwtlc.iet.unipi.it/NP/software/) to create the deltaFA data structure starting from the DFA.
After that download the bitfile on NetFPGA. The classification rules, expressed as regex, are defined in "rule.re" file. In this file insert one regex per line and insert next to the regex the associated rule. The physical output port from a given rule is obtained in this way:
physical_output_port = flow_rule % 4;
The field order is : Proto/SrcIP/DestIP/SrcPort/DestPort. After that, launch the "ClassifierConfig.sh" bash script and the Classifier is ready to work. During the normal operation of the Classifier you can change classification rules simply changing "rule.re" file and re-launching the bash script.
REMEMBER: put the Classifier directory in "$NF2_ROOT/projects".
REMEMBER: put the regex-tool in /projects/Classifier_NetFPGA/sw/DFA_UTILS/regex and the deltafa tool in /projects/Classifier_NetFPGA/sw/DFA_UTILS/deltaFA
^.\xC0\xA8\x01\x00\xC0\xA8\x03\x00.... 3
in this case we forward the flow with PROTOCOL = * , IP.SRC = 192.168.1.0, IP.DST = 192.168.3.0, PORT.SRC = *, PORT.DST = * to physical port 3
^.\xC0\xA8\x01\x02\xC0\xA8\x02\x02\x00\x08.. 4
in this case we forward the flow with PROTOCOL = * , IP.SRC = 192.168.1.2, IP.DST = 192.168.2.2, PORT.SRC = 8, PORT.DST = * to physical port 0
The software plane allows to create the data structure starting from the "rule.re" file and store it in the NetFPGA SRAM in order to guarantee the correct funcionality of the Classifier.
The bash script calls six simple programs in order to do that.
These programs order the rules in order to guarantee the Longest Prefix Match (LPM), create the DFA associated to the regexes declared in "rule.re", create the deltaFA and store the data structure in the SRAM of the NetFPGA.
A complete description is available in the paper cited below in the references.
However, in a nutshell, a deltaFA is a representation of a DFA that tries to store only the differences between a state and its next states. This remarkably reduces the amount of memory needed and requires a single memory access per state-traversal only (however some states may require another access).
Sources for the project can be downloaded from netfpga.HighPerformanceClassifier.2_1.tar.gz
(Note - this section is written by a netFPGA and centOS newbie)
1. Obtain the netfpga 2.0 package. The .rpm files are available at http://netfpga.org/yum/el5/RPMS/i386/ . I've installed the netfpga-kernel-2.0.0-beta, netfpga-utils-2.0.0-beta, and netfpga-base-2.0.0-beta package. Packages can be installed with "rpm -i package_name".
2. Create NF2 directory:
/usr/local/NF2/lib/scripts/user_account_setup/user_account_setup.pl
Note, that for newer packages the default installation paths is /root/netfpga, whereas for the 2.0 version the path is /root/NF2.
3. Insert the netfpga card in your computer. Also insert two additional Ethernet interface cards. Connect the SATA cable as described in Run_Selftest.
4. Turn on your machine and check the Ethernet interfaces. "ifconfig -a" should list eth0, eth1, eth2. If your interfaces are named differently you might want to rename them. To do so, adapt the /etc/modprobe.conf file and make sure you have the correct files in /etc/sysconfig/network-scripts/ifcfg-ethX. If you had to make a change, reboot your machine and verify that you now have the correct interfaces.
5. I had to update the files /usr/local/sbin/cpci_reprogram.pl and /usr/local/sbin/loadregs.sh . in the cpci_reprogram.pl file change the line
if ($words[5] eq $NF2_device_id)into
if ($line=~ /.*\s$NF2_device_id$/)And in the loadregs.sh file I had to add the following code at line 44.
if[ "$REG" = "" ] ; then continue fiNote: those changes were obtained by comparing the files with the corresponding files from the 2.1 netfpga package.
7. Perform the self-test as described in NetFPGA.OneGig.Guide#Run_Selftest
If the self test is working you can skip the regression tests and try the reference_nic as described here: Refernence NIC Walkthrough . If everything works your installation should be fine.
8. Connect the Ethernet cables as follows: eth1 -> nf2c0, eth2 -> nf2c1, as shown here: Connect Ethernet test cables
9. Obtain the Classifier code, and the regex and deltaFA tool as described above. Copy them to the corresponding directories (starting with /root/NF2/projects), and compile them by typing "make" in these directories
10. reset the board:
/usr/local/sbin/cpci_reprogram.pl --all
11. download the bitfile:
nf_download /root/NF2/projects/5tuple_classifier/synth/nf2_top_par.bit
12. adapt the /root/NF2/projects/5tuple_classifier/sw/rule.re file with the following content (syntax as described above: "." correspond to "don't cares", "4" correspnds to nf2c0, "1" corresponds to nf2c1, the rest is hexadecimal encoding of source and destination IP address):
^.\xC0\xA8\x01\x02\xC0\xA8\x01\x01.... 4 ^.\xC1\xA8\x01\x02\xC0\xA8\x01\x01.... 1
13. Execute the Config script:
./ClassifierConfig.sh
the output should be similar to:
7)Saving deltaFA to rule.delta... done 8)State and statistics table deallocation ... done ---DELTA-FA-file created--- <---Regex Mapper---> ---RULES MAPPED--- SRAM-configuration file created Found net device: nf2c0 Start to store the nodes in SRAM Found net device: nf2c0 Write: Reg 0x02000000 (33554432): 0x00000000 (0) INITIALIZATION COMPLETE!!! Starting Classifier.... STARTED!!! Now Classifier is Watching you!
if you get a segmentation fault "./ClassifierConfig.sh: line 13:" you have to change the mapping.c file. Add the following two lines on line 69:
fgets(riga_in, 2048, f_in1); fgets(riga_in, 2048, f_in1);
compile the project again with "make" and execute the ClassifierConfig.sh script again. Now the netfpga board should be setup correctly.
14. In order to test the setup a traffic generator is needed. You might want to use the "brute" traffic generator that can be downloaded from: http://netgroup.iet.unipi.it/software/brute You will have to adapt the example/brute-conf file with the following content:
cbr msec=100000; saddr=193.168.1.2; daddr=192.168.1.1; rate=100; len=64; sport=8; dport=9;
All the other lines should be commented out ("#" at the beginning of a line) . The traffic generator is started as follows:
./brute -f ../example/brute-conf -i eth1 -s 01:02:03:04:05:06 -d 00:25:4b:bd:68:ba
where
-f the config file that specifies the packets -i the interface where to send packets out -s the source MAC address (does not need to be the actual address of the interface) -d the destination MAC address (does not need to be the actual address of the target interface)
15. Check the statistics. compile the stats tool in /root/NF2/projects/5tuple_classifier/sw/statistics with "make" and execute it:
/root/NF2/projects/5tuple_classifier/sw/statistics/stat
You should see which interface has received how many packets.
Number of Packets Forwarded on Port 0: 0 Number of Packets Forwarded on Port 1: 10000 Number of Packets Forwarded on Port 2: 0 Number of Packets Forwarded on Port 3: 0
The deltaFA tool implements the procedures described in:
- Domenico Ficara, Stefano Giordano, Gregorio Procissi, Fabio Vitucci, Gianni Antichi and Andrea Di Pietro.
The classifier is described in:
- Gianni Antichi, Andrea Di Pietro, Domenico Ficara, Stefano Giordano, Gregorio Procissi and Fabio Vitucci.
We used a little part of the code of the regex-tool by Michela Becchi: http://regex.wustl.edu For more details about our works: http://wwwtlc.iet.unipi.it/NP If you'd like to comment, plan to modify or simply use our Classifier, please let me know by e-mail. Gianni Antichi antichi.gianni<at>gmail.com