pcn-firewall: implement datapath optimizations #147
Merged
acloudiator (Contributor) requested changes, Jun 10, 2019:
Docker-build check is failing
pcn-firewall: introduce datapath pipeline early break

this commit introduces the support for some firewall filtering pipeline modules to early break the pipeline if no rule is matched. the idea is that during the execution of the pipeline some modules are implemented in a way in which the cost of checking if the resulting bitvector is all zero is almost negligible. this support speeds up the execution since it is no longer needed to go through all the pipeline modules if this condition is matched.
Signed-off-by: Matteo Bertrone <m.bertrone@gmail.com>

pcn-firewall: dynamic pipeline reordering

this commit introduces support for pipeline reordering. in case some filtering pipeline blocks can early break the pipeline, those modules are injected before others.
Signed-off-by: Matteo Bertrone <m.bertrone@gmail.com>
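The two commits above describe a bitvector-based pipeline where a module whose all-zero test is cheap can stop the classification early, and where such modules are moved in front of the others. The following is an added example in plain C, not pcn-firewall's eBPF datapath: the rule set, the packets, and the per-module `can_early_break` flag are constructed here by hand (in the real datapath that property comes from how each module is implemented), and the module, rule and packet layouts are this example's own.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed rule set in priority order (rule 0 wins). WILD means "any". */
#define NRULES 4
#define WILD   0xFFFFFFFFu

struct rule { uint32_t saddr, dport, proto; };
struct pkt  { uint32_t saddr, dport, proto; };

static const struct rule rules[NRULES] = {
    { 0x0A000001u, WILD, 6    },   /* 0: src 10.0.0.1, any port, TCP */
    { WILD,        22,   6    },   /* 1: any src, port 22, TCP       */
    { WILD,        53,   17   },   /* 2: any src, port 53, UDP       */
    { 0x0A000002u, 80,   WILD },   /* 3: src 10.0.0.2, port 80, any  */
};

typedef uint64_t bitvec_t;           /* bit i set = rule i is still a candidate */
enum field { F_SADDR, F_DPORT, F_PROTO };

/* One pipeline module. Whether the all-zero test is cheap enough to run after it
 * is a per-module property; in this example it is simply assumed and set by hand. */
struct module { enum field f; bool can_early_break; };

static uint32_t rule_field(const struct rule *r, enum field f)
{ return f == F_SADDR ? r->saddr : f == F_DPORT ? r->dport : r->proto; }

static uint32_t pkt_field(const struct pkt *p, enum field f)
{ return f == F_SADDR ? p->saddr : f == F_DPORT ? p->dport : p->proto; }

/* Module output: bitvector of the rules whose field matches (wildcards always do). */
static bitvec_t module_match(enum field f, const struct pkt *p)
{
    bitvec_t bv = 0;
    for (int i = 0; i < NRULES; i++) {
        uint32_t rv = rule_field(&rules[i], f);
        if (rv == WILD || rv == pkt_field(p, f))
            bv |= (bitvec_t)1 << i;
    }
    return bv;
}

/* Dynamic reordering: stable partition that moves the modules able to break the
 * pipeline in front of the others, so a miss is detected as early as possible. */
static void reorder_pipeline(struct module *mods, size_t n)
{
    size_t front = 0;
    for (size_t i = 0; i < n; i++) {
        if (!mods[i].can_early_break)
            continue;
        struct module tmp = mods[i];
        for (size_t j = i; j > front; j--)
            mods[j] = mods[j - 1];
        mods[front++] = tmp;
    }
}

/* Run the pipeline: index of the first matching rule, or -1 if none matches.
 * *visited reports how many modules actually executed. */
static int classify(const struct pkt *p, const struct module *mods, size_t n, int *visited)
{
    bitvec_t bv = ((bitvec_t)1 << NRULES) - 1;      /* every rule is a candidate */
    *visited = 0;
    for (size_t i = 0; i < n; i++) {
        bv &= module_match(mods[i].f, p);
        (*visited)++;
        if (mods[i].can_early_break && bv == 0)
            return -1;             /* early break: the remaining modules are skipped */
    }
    return bv ? __builtin_ctzll(bv) : -1;  /* lowest set bit = highest-priority rule */
}

/* Pipeline as configured, before reordering: the cheap-to-check modules come last. */
static struct module pipeline[3] = { { F_SADDR, false }, { F_PROTO, true }, { F_DPORT, true } };

/* Reorder once (idempotent, so repeating it per call is harmless) and classify. */
static int run(uint32_t saddr, uint32_t dport, uint32_t proto, int *visited)
{
    struct pkt p = { saddr, dport, proto };
    reorder_pipeline(pipeline, 3);
    return classify(&p, pipeline, 3, visited);
}

int main(void)
{
    int visited;
    int r = run(0x0A000003u, 443, 17, &visited);   /* matches no rule */
    printf("10.0.0.3 -> :443/udp: rule %d after %d of 3 modules\n", r, visited);
    return 0;
}
```

After reordering the pipeline runs proto, then dport, then saddr; a UDP packet to port 443 has an empty candidate set after the second module and never reaches the source-address module, while a packet that does match still visits all three modules and gets the lowest set bit, i.e. the first rule in priority order.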
pcn-firewall: update connection tracking module

this commit introduces the same connection tracking module used by pcn-iptables.
Main features:
- avoid double lookup by ordering hashmap keys
- avoid calling bpf_ktime_get_ns() by introducing a customized timestamp written by control plane
Signed-off-by: Matteo Bertrone <m.bertrone@gmail.com>
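The two features named in the connection-tracking commit, shown as an added example in plain C rather than the pcn-iptables eBPF module: the flow key stores its two endpoints in a canonical order, so a packet and its reply build the same key and a single lookup finds the entry (instead of looking up the forward key and then the reverse key), and the entry timestamp is read from a variable the control plane refreshes rather than from a per-packet clock call. The key layout, the toy probing table, the state values and the `control_plane_tick` helper are this example's assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Flow key with the two endpoints in canonical order: packets in both directions
 * of a connection build the same key. The direction flag keeps what the ordering
 * discards. (Constructed layout, not the project's struct.) */
struct ct_key { uint32_t addr_lo, addr_hi; uint16_t port_lo, port_hi; uint8_t proto; };
enum ct_dir   { DIR_FORWARD, DIR_REVERSE };            /* lo->hi or hi->lo */
enum ct_state { ST_NONE = 0, ST_NEW, ST_ESTABLISHED };  /* assumed toy state machine */

static struct ct_key ct_key_make(uint32_t saddr, uint16_t sport, uint32_t daddr,
                                 uint16_t dport, uint8_t proto, enum ct_dir *dir)
{
    bool src_is_lo = (saddr < daddr) || (saddr == daddr && sport <= dport);
    struct ct_key k = { src_is_lo ? saddr : daddr, src_is_lo ? daddr : saddr,
                        src_is_lo ? sport : dport, src_is_lo ? dport : sport, proto };
    *dir = src_is_lo ? DIR_FORWARD : DIR_REVERSE;
    return k;
}

/* "Now" written by the control plane (e.g. once per second): the data path reads
 * this variable instead of calling bpf_ktime_get_ns() for every packet. */
static uint64_t cp_now_sec;
static void control_plane_tick(uint64_t now_sec) { cp_now_sec = now_sec; }

/* Stand-in for the BPF hash map: fixed-size table with linear probing. */
#define CT_SLOTS 64
struct ct_entry { struct ct_key key; enum ct_state state; enum ct_dir orig_dir;
                  uint64_t last_seen; bool used; };
static struct ct_entry ct_table[CT_SLOTS];
static int ct_lookups;                                 /* lookups done for the last packet */

static uint32_t ct_hash(const struct ct_key *k)
{
    uint32_t h = 2166136261u, w[5] = { k->addr_lo, k->addr_hi, k->port_lo, k->port_hi, k->proto };
    for (int i = 0; i < 5; i++) h = (h ^ w[i]) * 16777619u;   /* FNV-1a over the fields */
    return h;
}

static bool ct_key_eq(const struct ct_key *a, const struct ct_key *b)
{
    return a->addr_lo == b->addr_lo && a->addr_hi == b->addr_hi && a->port_lo == b->port_lo &&
           a->port_hi == b->port_hi && a->proto == b->proto;
}

/* Single lookup-or-insert: thanks to the ordered key there is no second probe
 * with the reversed tuple. */
static struct ct_entry *ct_lookup_or_create(const struct ct_key *k, enum ct_dir dir)
{
    ct_lookups++;
    for (uint32_t i = 0, h = ct_hash(k); i < CT_SLOTS; i++) {
        struct ct_entry *e = &ct_table[(h + i) % CT_SLOTS];
        if (!e->used) { e->used = true; e->key = *k; e->state = ST_NONE; e->orig_dir = dir; return e; }
        if (ct_key_eq(&e->key, k)) return e;
    }
    return NULL;                                       /* table full */
}

/* Per-packet conntrack step: one lookup, state advanced by packet direction. */
static enum ct_state ct_process(uint32_t saddr, uint16_t sport, uint32_t daddr,
                                uint16_t dport, uint8_t proto)
{
    enum ct_dir dir;
    struct ct_key k = ct_key_make(saddr, sport, daddr, dport, proto, &dir);
    ct_lookups = 0;
    struct ct_entry *e = ct_lookup_or_create(&k, dir);
    if (!e) return ST_NONE;
    if (e->state == ST_NONE) e->state = ST_NEW;                                    /* first packet */
    else if (e->state == ST_NEW && dir != e->orig_dir) e->state = ST_ESTABLISHED;  /* reply seen */
    e->last_seen = cp_now_sec;                         /* timestamp without a clock call */
    return e->state;
}

static int ct_entries(void)
{
    int n = 0;
    for (int i = 0; i < CT_SLOTS; i++) n += ct_table[i].used;
    return n;
}

static uint64_t ct_last_seen(uint32_t a, uint16_t ap, uint32_t b, uint16_t bp, uint8_t proto)
{
    enum ct_dir dir;
    struct ct_key k = ct_key_make(a, ap, b, bp, proto, &dir);
    struct ct_entry *e = ct_lookup_or_create(&k, dir);
    return e ? e->last_seen : 0;
}

int main(void)
{
    control_plane_tick(100);
    int s1 = ct_process(0x0A000001u, 40000, 0x0A000002u, 22, 6);   /* client -> server */
    int s2 = ct_process(0x0A000002u, 22, 0x0A000001u, 40000, 6);   /* server -> client */
    printf("states %d then %d, entries %d, lookups on reply %d\n", s1, s2, ct_entries(), ct_lookups);
    return 0;
}
```

The reply packet reaches the same entry with one lookup and moves it to ESTABLISHED; the granularity of `last_seen` is whatever interval the control plane chooses for its tick, which is the trade-off for not calling the clock per packet.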
c5fcece to cd585d7
pcn-firewall: add HORUS optimization

HORUS - Homogeneous RUleset analySis
Horus optimization allows to:
a) offload a group of contiguous rules matching on the same field
b) match the group of offloaded rules with complexity O(1) - single hashmap lookup
c) dynamically adapt to different groups of rules, matching each combination of ipsrc/dst, portsrc/dst, tcpflags
d) dynamically check when the optimization is possible according to the current ruleset. It means checking orthogonality of rules before the offloaded group with respect to the group itself.
each packet received by the program is looked up in the HORUS HASHMAP.
hit:
- DROP action: drop the packet;
- ACCEPT action: goto CTLABELING and CTTABLEUPDATE without going through the pipeline
miss:
- GOTO all pipeline steps
Signed-off-by: Matteo Bertrone <m.bertrone@gmail.com>
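The HORUS commit above describes three things: the control-plane check that a contiguous group of rules is homogeneous (all exact on the same fields) and that every rule before the group is orthogonal to it, the loading of that group into a hash map, and the data-path hit/miss decision that either drops, skips the pipeline on accept, or falls through to the full pipeline. The block below is an added plain-C illustration of that logic, not the pcn-firewall implementation: the rule layout (three fields instead of the full ipsrc/dst, portsrc/dst, tcpflags set), the probing table standing in for the BPF hash map, the `outcome` codes and the two constructed rule sets are all this example's assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define WILD 0xFFFFFFFFu                               /* "any" for a rule field */
enum action  { ACT_ACCEPT, ACT_DROP };
enum outcome { HORUS_MISS_RUN_PIPELINE, HORUS_DROP, HORUS_ACCEPT_SKIP_PIPELINE };
struct rule  { uint32_t saddr, daddr, dport; enum action act; };

/* Orthogonal: no packet can match both, because some field is exact in both and differs. */
static bool orthogonal(const struct rule *a, const struct rule *b)
{
    return (a->saddr != WILD && b->saddr != WILD && a->saddr != b->saddr) ||
           (a->daddr != WILD && b->daddr != WILD && a->daddr != b->daddr) ||
           (a->dport != WILD && b->dport != WILD && a->dport != b->dport);
}

/* Homogeneous: the two rules match exactly on the same set of fields. */
static bool same_pattern(const struct rule *a, const struct rule *b)
{
    return (a->saddr == WILD) == (b->saddr == WILD) && (a->daddr == WILD) == (b->daddr == WILD) &&
           (a->dport == WILD) == (b->dport == WILD);
}

/* Stand-in for the HORUS hash map: linear probing; the key is the rule tuple with
 * wildcard fields left as WILD, and packets are keyed the same way. */
#define SLOTS 64
struct slot { struct rule r; bool used; };
static struct slot table[SLOTS];
static struct rule pattern;                            /* fields the offloaded group matches on */
static bool horus_active;

static struct slot *find(uint32_t saddr, uint32_t daddr, uint32_t dport)
{
    uint32_t h = 2166136261u;                          /* FNV-1a over the three key fields */
    h = (h ^ saddr) * 16777619u; h = (h ^ daddr) * 16777619u; h = (h ^ dport) * 16777619u;
    for (uint32_t i = 0; i < SLOTS; i++) {
        struct slot *s = &table[(h + i) % SLOTS];
        if (!s->used || (s->r.saddr == saddr && s->r.daddr == daddr && s->r.dport == dport))
            return s;
    }
    return NULL;
}

/* Control plane: validate the group rules[start, start+len) and load it into the
 * table. Returns false, with the table left empty, if the offload is not legal. */
static bool horus_build(const struct rule *rules, size_t start, size_t len)
{
    for (size_t i = 0; i < SLOTS; i++) table[i].used = false;
    horus_active = false;
    if (len == 0) return false;
    pattern = rules[start];
    for (size_t j = start; j < start + len; j++) {
        if (!same_pattern(&pattern, &rules[j])) return false;
        for (size_t i = 0; i < start; i++)             /* an earlier rule must never shadow the group */
            if (!orthogonal(&rules[i], &rules[j])) return false;
    }
    for (size_t j = start; j < start + len; j++) {
        struct slot *s = find(rules[j].saddr, rules[j].daddr, rules[j].dport);
        if (!s) return false;
        if (!s->used) { s->used = true; s->r = rules[j]; } /* first duplicate wins: priority kept */
    }
    return horus_active = true;
}

/* Data path: one lookup before the full pipeline. */
static enum outcome horus_classify(uint32_t saddr, uint32_t daddr, uint32_t dport)
{
    if (!horus_active) return HORUS_MISS_RUN_PIPELINE;
    struct slot *s = find(pattern.saddr == WILD ? WILD : saddr, pattern.daddr == WILD ? WILD : daddr,
                          pattern.dport == WILD ? WILD : dport);
    if (!s || !s->used) return HORUS_MISS_RUN_PIPELINE;
    return s->r.act == ACT_DROP ? HORUS_DROP : HORUS_ACCEPT_SKIP_PIPELINE;
}

/* Constructed rule sets. In good_rules rule 0 is orthogonal to the group (rules 1-3);
 * in bad_rules rule 0 overlaps the group (dport 22 with any daddr), so no offload. */
static const struct rule good_rules[5] = {
    { WILD, 0x0A000009u, WILD, ACT_DROP   },
    { WILD, 0x0A000001u, 22,   ACT_ACCEPT },
    { WILD, 0x0A000001u, 80,   ACT_ACCEPT },
    { WILD, 0x0A000001u, 23,   ACT_DROP   },
    { WILD, WILD,        WILD, ACT_DROP   },
};
static const struct rule bad_rules[4] = {
    { WILD, WILD,        22,   ACT_DROP   },
    { WILD, 0x0A000001u, 22,   ACT_ACCEPT },
    { WILD, 0x0A000001u, 80,   ACT_ACCEPT },
    { WILD, WILD,        WILD, ACT_DROP   },
};

int main(void)
{
    printf("good group offloaded: %d\n", horus_build(good_rules, 1, 3));
    printf("-> 10.0.0.1:22 outcome %d, :443 outcome %d\n",
           horus_classify(0xC0A80001u, 0x0A000001u, 22), horus_classify(0xC0A80001u, 0x0A000001u, 443));
    printf("bad group offloaded: %d\n", horus_build(bad_rules, 1, 2));
    return 0;
}
```

The orthogonality test is what keeps the shortcut semantically equal to the linear ruleset: in `bad_rules` a packet to 10.0.0.1:22 must be dropped by rule 0, so handing the group to the hash map would have wrongly accepted it, and the build refuses. Two simplifications to be aware of: `WILD` doubles as the hash-key placeholder, so a real implementation would carry an explicit field mask rather than reserving 0xFFFFFFFF, and orthogonality is decided field by field for exact matches only, which is sufficient for exact-match groups but would need widening for prefix or range rules.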
cd585d7 to 24c9c19
Contributor: @acloudiator Can you please merge this? The problem (Docker build was failing) has gone now.
acloudiator approved these changes, Jun 17, 2019
Contributor: @frisso Can you please be the second reviewer for this, so that this can be merged?
frisso approved these changes, Jun 18, 2019