# DPDK Packet Filtering Application

# 1. System Overview

In this project, we are developing a packet filter system designed to control and secure the flow of network traffic between an internal network and an external network. The core purpose of this system is to ensure that devices inside the internal network can freely initiate outbound connections to the external network, while preventing any unsolicited or unauthorized inbound traffic originating from external sources. This architecture enhances organizational security by reducing attack surfaces and blocking potentially harmful external actors from reaching internal resources.

## Primary Users

- **Network administrators** – configure and manage filtering rules.  
- **Internal network users or devices** – rely on the filter to safely communicate with the outside world.

## Core System Functions

- Outbound packet forwarding  
- Inbound packet blocking  
- Connection state tracking  
- Rule enforcement based on predefined security policies
	

<figure style="text-align: center;">
  <img src="./figs/topology.png" width="800" style="display: block; margin: 0 auto;">
</figure>

# 2. Threat Modeling

## Attack Tree (AT)

<figure style="text-align: center;">
  <img src="./threat-model/Firewall_evasion_attack-1.png" width="2000" style="display: block; margin: 0 auto;">
</figure>

## Attack-Defense Tree (ADT)

<figure style="text-align: center;">
  <img src="./threat-model/Firewall_evasion_attack_defence-1.png" width="2000" style="display: block; margin: 0 auto;">
</figure>

## Data Flow Diagram (DFD) and STRIDE [: full report](./threat-model/full-report.pdf)

<figure style="text-align: center;">
  <img src="./threat-model/stride.png" width="2000" style="display: block; margin: 0 auto;">
</figure>

# 3. Project Setup

## Step 1:  Configuring the environment

Before running this notebook, you will need to configure your environment using the [Configure Environment](../../../configure_and_validate.ipynb) notebook. Please stop here, open and run that notebook, then return to this notebook.

If you are using the FABRIC JupyterHub many of the environment variables will be automatically configured for you.  You will still need to set your bastion username, upload your bastion private key, and set the path to where you put your bastion private key. Your bastion username and private key should already be in your possession.  

If you are using the FABRIC API outside of the JupyterHub you will need to configure all of the environment variables. Defaults below will be correct in many situations but you will need to confirm your configuration.  If you have questions about this configuration, please contact the FABRIC admins using the [FABRIC User Forum](https://learn.fabric-testbed.net/forums/) 

More information about accessing your experiments through the FABRIC bastion hosts can be found [here](https://learn.fabric-testbed.net/knowledge-base/logging-into-fabric-vms/).

## Step 2: Import the FABlib library

In [3]:
from fabrictestbed_extensions.fablib.fablib import FablibManager as fablib_manager
fablib = fablib_manager()

User: choueiri@email.sc.edu bastion key is valid!
Configuration is valid


## Step 3: Create the experiment slice

The following creates three nodes with basic compute and networking capabilities. You build a slice by creating a new slice and adding resources to the slice. After you build the slice, you must submit a request for the slice to be instantiated.   

### Step 3.1: Create a slice
The code below creates a new slice

In [3]:
slice = fablib.new_slice(name="itec760Project")

### Step 3.2: Define the sites
The code below requests three random sites from FABRIC based on the condition that the following resources are available:

<ul>
    <li> 1 SmartNIC</li>
    <li> 8 CPU cores</li>
    <li> 8GB RAM </li>
    <li> 20GB disc size
</ul>

In [4]:
sites= fablib.get_random_sites(count=3, filter_function=lambda x: x['nic_connectx_6_available'] > 1 and x['cores_available'] > 16 and x['ram_available'] > 16 and x['disk_available'] > 200)

print (f'The selected sites are {sites[0]}, {sites[1]} and {sites[2]}')

The selected sites are SRI, CLEM and PSC


### Step 3.3: Creating the nodes
The code below creates three nodes: server1, server2 and server3. The servers use the following:
<ul>
    <li> 16 CPU cores</li>
    <li> 16GB RAM </li>
    <li> 200GB disc size </li>
    <li> Image: Ubuntu 20.04
</ul>

server1 will be created in site1, server2 will be created in site2 and server3 will be created in site3

<img src="./figs/03_creating_nodes.png" width="550"><br>

In [5]:
server1 = slice.add_node(name="server1", 
                      site=sites[0], 
                      cores=16, 
                      ram=16, 
                      disk=200, 
                      image='default_ubuntu_20')

server2 = slice.add_node(name="server2", 
                      site=sites[1], 
                      cores=16, 
                      ram=16, 
                      disk=200, 
                      image='default_ubuntu_20')
server3 = slice.add_node(name="server3", 
                      site=sites[2], 
                      cores=16, 
                      ram=16, 
                      disk=200, 
                      image='default_ubuntu_20')

### Step 3.4: Adding the interfaces to the servers
The code below adds a Network Interface Card (NIC) to each server.

<img src="./figs/04_adding_nics.png" width="550"><br>

In [6]:
server1_iface = server1.add_component(model='NIC_ConnectX_6', name='nic').get_interfaces()[0]
server2_1_iface = server2.add_component(model='NIC_ConnectX_6', name='nic2').get_interfaces()[0]
server2_3_iface = server2.get_component(name='nic2').get_interfaces()[1]
server3_iface = server3.add_component(model='NIC_ConnectX_6', name='nic3').get_interfaces()[0]

### Step 3.5: Connecting server1 and server2
Create a network between server1 and server2 connecting them together and a network between server2 and server3 connecting them together.

<img src="./figs/05_connecting_nodes.png" width="550"><br>

In [7]:
net1 = slice.add_l2network(name='net1', interfaces=[server1_iface, server2_1_iface])
net2 = slice.add_l2network(name='net2', interfaces=[server2_3_iface, server3_iface])

### Step 3.6: Submitting the slice
The code below submits the slice. 
By default, the submit function will block until the node is ready and will display the progress of your slice being built.

In [8]:
slice.submit();


Retry: 11, Time: 273 sec


0,1
ID,77208544-ae53-4ece-95d2-e6c2d251843f
Name,itec760Project
Lease Expiration (UTC),2025-11-07 16:29:08 +0000
Lease Start (UTC),2025-11-06 16:29:08 +0000
Project ID,7bd49888-1cce-4020-82e3-625d8b27f79f
State,StableOK
Email,CHOUEIRI@email.sc.edu
UserId,78504735-b34f-42a8-be20-8e71d6acf13e


ID,Name,Cores,RAM,Disk,Image,Image Type,Host,Site,Username,Management IP,State,Error,SSH Command,Public SSH Key File,Private SSH Key File
b7bf4752-0a19-4a8d-a04b-69f8163508f6,server1,16,16,500,default_ubuntu_20,qcow2,sri-w2.fabric-testbed.net,SRI,ubuntu,192.5.67.182,Active,,ssh -i /home/fabric/work/fabric_config/slice_key -F /home/fabric/work/fabric_config/ssh_config ubuntu@192.5.67.182,/home/fabric/work/fabric_config/slice_key.pub,/home/fabric/work/fabric_config/slice_key
c5d4ea9c-2ee5-4813-9d27-c2cfa21773f3,server2,16,16,500,default_ubuntu_20,qcow2,clem-w2.fabric-testbed.net,CLEM,ubuntu,2620:103:a006:12:f816:3eff:fe94:95f6,Active,,ssh -i /home/fabric/work/fabric_config/slice_key -F /home/fabric/work/fabric_config/ssh_config ubuntu@2620:103:a006:12:f816:3eff:fe94:95f6,/home/fabric/work/fabric_config/slice_key.pub,/home/fabric/work/fabric_config/slice_key
718d34e8-7cac-4d60-94de-9b9108f1786e,server3,16,16,500,default_ubuntu_20,qcow2,psc-w2.fabric-testbed.net,PSC,ubuntu,2001:5e8:ff00:ffff:f816:3eff:fe31:e0d9,Active,,ssh -i /home/fabric/work/fabric_config/slice_key -F /home/fabric/work/fabric_config/ssh_config ubuntu@2001:5e8:ff00:ffff:f816:3eff:fe31:e0d9,/home/fabric/work/fabric_config/slice_key.pub,/home/fabric/work/fabric_config/slice_key


ID,Name,Layer,Type,Site,Subnet,Gateway,State,Error
6f92ab05-a2fe-44d2-95da-d78c2c88dbac,net1,L2,L2STS,,,,Active,
d54add6f-0541-4301-9218-3a3ec71fca6f,net2,L2,L2STS,,,,Active,


Name,Short Name,Node,Network,Bandwidth,Mode,VLAN,MAC,Physical Device,Device,IP Address,Numa Node,Switch Port
server1-nic-p2,p2,server1,,100,config,,10:70:FD:E5:CD:79,enp8s0,enp8s0,,6,
server1-nic-p1,p1,server1,net1,100,config,,10:70:FD:E5:CD:78,enp7s0,enp7s0,fe80::1270:fdff:fee5:cd78,6,HundredGigE0/0/0/4
server2-nic2-p1,p1,server2,net1,100,config,,08:C0:EB:4E:B3:B2,enp7s0,enp7s0,fe80::ac0:ebff:fe4e:b3b2,1,HundredGigE0/0/0/0
server2-nic2-p2,p2,server2,net2,100,config,,08:C0:EB:4E:B3:B3,enp8s0,enp8s0,fe80::ac0:ebff:fe4e:b3b3,1,HundredGigE0/0/0/2
server3-nic3-p2,p2,server3,,100,config,,10:70:FD:E5:9A:B1,enp8s0,enp8s0,,1,
server3-nic3-p1,p1,server3,net2,100,config,,10:70:FD:E5:9A:B0,enp7s0,enp7s0,fe80::1270:fdff:fee5:9ab0,1,HundredGigE0/0/0/0



Time to print interfaces 283 seconds


## Step 4: Installing the required packages
In this step, we will install the required packages to run the lab. Specifically, we will install the Mellanox drivers, DPDK library, the P4 compiler (p4c), and all needed dependencies.

### Step 4.1 Appending list of servers
All servers are appended to a list to execute commands in parallel

In [6]:
slice = fablib.get_slice(name="itec760Project")

servers = []

servers.append(slice.get_node(name="server1"))     
servers.append(slice.get_node(name="server2"))
servers.append(slice.get_node(name="server3"))

server1 = servers[0]
server2 = servers[1]
server3 = servers[2]

### Step 4.2 NAT64 setup
The code below checks if an IPv6 address is available to set up NAT64. We will upload the script [scripts/nat64.sh](./scripts/nat64.sh) to the all servers and execute it

In [10]:
from ipaddress import ip_address, IPv6Address

threads = []

for server in servers:
    if type(ip_address(server.get_management_ip())) is IPv6Address:
        server.upload_file('scripts/nat64.sh', 'nat64.sh')
        threads.append(server.execute_thread(f'chmod +x nat64.sh && ./nat64.sh'))

for thread in threads:
    thread.result()

### Step 4.3 Installing dependencies
The code below installs packages that are prerequisites to the upcoming installations and needed to run the lab experiments

In [11]:
threads = []

for server in servers:
    threads.append(server.execute_thread('''
        sudo apt-get update;
        sudo apt-get install -y build-essential python3-pip python3-pyelftools libnuma-dev pkg-config net-tools hping3;
        sudo pip3 install meson ninja
    '''))

for thread in threads:
    thread.result()

### Step 4.4 Installing Mellanox drivers
Since ConnectX-6 NICs are used in this lab, it is essential to install the supporting drivers. The code below downloads and installs Mellanox drivers on all servers while enabling DPDK

In [12]:
threads = []

for server in servers:
    threads.append(server.execute_thread('''
        wget https://content.mellanox.com/ofed/MLNX_OFED-23.07-0.5.0.0/MLNX_OFED_LINUX-23.07-0.5.0.0-ubuntu20.04-x86_64.tgz; 
        tar xvfz MLNX_OFED_LINUX-23.07-0.5.0.0-ubuntu20.04-x86_64.tgz; 
        cd MLNX_OFED_LINUX-23.07-0.5.0.0-ubuntu20.04-x86_64; 
        echo "y" | sudo ./mlnxofedinstall --upstream-libs --dpdk --basic --without-fw-update --enable-sriov --hypervisor
    '''))
    
for thread in threads:
    thread.result()

### Step 4.5 Installing DPDK
The code below downloads, builds, and installs DPDK on all servers

In [13]:
threads = []

for server in servers:
    threads.append(server.execute_thread('''
        git clone --branch v24.07-rc4 https://github.com/DPDK/dpdk.git; 
        cd dpdk;
        sudo meson build;
        cd build;
        sudo ninja;
        sudo ninja install; 
        sudo ldconfig
    '''))

for thread in threads:
    thread.result()

### Step 4.6 Installing Pktgen
In this lab, we will send from server1 packets at a high rate to server2 using a DPDK-based packet generation tool called pktgen [<a href="#References">5</a>]. The code below downloads and installs Pktgen-DPDK on all servers

In [14]:
threads = []

for server in servers:
    threads.append(server.execute_thread('''
        sudo git clone --branch pktgen-24.07.1 https://github.com/pktgen/Pktgen-DPDK; 
        sudo sed -i \"s/deps += \\[dependency('numa', required: true)\\]/deps += \\[dependency('numa', required: false)\\]/\" /home/ubuntu/Pktgen-DPDK/app/meson.build;
        sudo apt-get install -y cmake libpcap-dev libbsd-dev;
        cd Pktgen-DPDK &&  sudo meson build && sudo ninja -C build && cd build/ && sudo meson install
    '''))

for thread in threads:
    thread.result()

### Step 4.7 Build pipeline library
The code below builds the DPDK pipeline library in server 2 (on which the pipeline will be running) to put all its functions into effect 

In [15]:
stdout, stderr = server2.execute(f'cd dpdk/examples/pipeline && sudo make', quiet=True)

### Step 4.8 Install p4c
The code below downloads and installs the p4c compiler needed to compile the p4 code into a DPDK pipeline. In this lab, p4c is built from a version where the architecture has been modified.

In [16]:
stdout, stderr = server2.execute('git clone https://github.com/CILab-USC/p4c.git', quiet = True)
stdout, stderr = server2.execute('sudo apt-get install -y cmake g++ git automake libtool libgc-dev bison flex libfl-dev libboost-dev libboost-iostreams-dev libboost-graph-dev llvm pkg-config python3 python3-pip tcpdump', quiet = True)
stdout, stderr = server2.execute('cd p4c && pip3 install --user -r requirements.txt && mkdir build && cd build && cmake .. && make -j4  && sudo make install', quiet = True)

### Step 4.9 Reboot
After installing the ConnectX Mellanox divers, it is essential to reboot the servers to complete the installation process or to ensure that updates are applied correctly

In [17]:
for server in servers:
    server.os_reboot()

## Step 5: Configuring Network
In this step, we will assign IPv4 addresses to the interfaces of the servers and hardcode the MAC addresses. We will also configure forwarding and routing.

### Step 5.1: Get interfaces names
In this step we will get the interface names so that we can assign IP addresses to them. Map the printed interface names to those seen in this figure:

<img src="./figs/07_getting_interfaces.png" width="550"><br>

In [18]:
node1_iface = server1.get_interface(network_name='net1') 
server1_iface_name = node1_iface.get_device_name()+'np0'
print(f'server1_iface: {server1_iface_name}')

node2_iface1 = server2.get_interface(network_name='net1') 
server2_iface1_name = node2_iface1.get_device_name()+'np0'
print(f'server2_iface1: {server2_iface1_name}')

node2_iface2 = server2.get_interface(network_name='net2') 
server2_iface2_name = node2_iface2.get_device_name()+'np1'
print(f'server2_iface2: {server2_iface2_name}')

node3_iface = server3.get_interface(network_name='net2') 
server3_iface_name = node3_iface.get_device_name()+'np0'
print(f'server3_iface: {server3_iface_name}')

server1_iface: enp7s0np0
server2_iface1: enp7s0np0
server2_iface2: enp8s0np1
server3_iface: enp7s0np0


### Step 5.2: Turning all interfaces up
In this step, we will use the ip link command to turn the interfaces up

<img src="./figs/08_interfaces_up.png" width="550"><br>

In [19]:
stdout, stderr = server1.execute(f'sudo ip link set dev {server1_iface_name} up', quiet=True)
stdout, stderr = server2.execute(f'sudo ip link set dev {server2_iface1_name} up', quiet=True)
stdout, stderr = server2.execute(f'sudo ip link set dev {server2_iface2_name} up', quiet=True)
stdout, stderr = server3.execute(f'sudo ip link set dev {server3_iface_name} up', quiet=True)

### Step 5.3: Hardcode MAC addresses
For simplicity, we will use the following MAC addresses for the interfaces:
<ul>
    <li> server1_iface_MAC = '00:00:00:00:00:01' (shown as 00:01 in the figure below) </li>
    <li>server2_iface1_MAC = '00:00:00:00:00:21' (shown as 00:21 in the figure below)</li>
    <li>server2_iface2_MAC = '00:00:00:00:00:22' (shown as 00:22 in the figure below)</li>
    <li>server3_iface_MAC = '00:00:00:00:00:03' (shown as 00:03 in the figure below)</li>
</ul>

<img src="./figs/09_mac_addresses.png" width="550"><br>

In [20]:
server1_iface_MAC = '00:00:00:00:00:01'
server2_iface1_MAC = '00:00:00:00:00:21'
server2_iface2_MAC = '00:00:00:00:00:22'
server3_iface_MAC = '00:00:00:00:00:03'

### Step 5.4 Configuring the IP and MAC addresses on server1_iface and server2_iface1

We will use the network 192.168.10.0/24 between server1 and server2. We will assign the IP address 192.168.10.1 to server1's interface and 192.168.10.2 to its neighboring interface on server2.

<img src="./figs/10_IPs_1_2.png" width="550"><br>

In [21]:
server1_server2_subnet = "192.168.10.0/24"
server1_ip = '192.168.10.1/24'
server2_1_ip = '192.168.10.2/24'

stdout, stderr = server1.execute(f'sudo ifconfig {server1_iface_name} {server1_ip}')
stdout, stderr = server2.execute(f'sudo ifconfig {server2_iface1_name} {server2_1_ip}')

stdout, stderr = server1.execute(f'sudo ifconfig {server1_iface_name} hw ether {server1_iface_MAC}')
stdout, stderr = server2.execute(f'sudo ifconfig {server2_iface1_name} hw ether {server2_iface1_MAC}')

### Step 5.5 Configuring the IP and MAC addresses on server2_iface2 and server3_iface

We will use the network 192.168.20.0/24 between server2 and server3. We will assign the IP address 192.168.20.1 to server3's interface and 192.168.20.2 to its neighboring interface on server2.

<img src="./figs/11_IPs_2_3.png" width="550"><br>

In [22]:
server2_server3_subnet = "192.168.20.0/24"
server2_2_ip = '192.168.20.2/24'
server3_ip = '192.168.20.1/24'

stdout, stderr = server2.execute(f'sudo ifconfig {server2_iface2_name} {server2_2_ip}')
stdout, stderr = server3.execute(f'sudo ifconfig {server3_iface_name} {server3_ip}')

stdout, stderr = server2.execute(f'sudo ifconfig {server2_iface2_name} hw ether {server2_iface2_MAC}')
stdout, stderr = server3.execute(f'sudo ifconfig {server3_iface_name} hw ether {server3_iface_MAC}')

### Step 5.6: Enable forwarding on server2

The command "sudo sysctl -w net.ipv4.ip_forward=1" is used to enable IP forwarding on a Linux system.

IP forwarding is a feature that allows a system to act as a router by forwarding network packets from one network interface to another. By default, IP forwarding is usually disabled on Linux systems for security reasons. 

The command will be executed on the server2.

In [23]:
stdout, stderr = server2.execute(f'sudo sysctl -w net.ipv4.ip_forward=1', quiet=True)

### Step 5.7: Configure ARP and static routing

In this step, we will configure static ARP entries and static routing on server1, server2, and server3.

In [24]:
ip1 = server1_ip.split('/')[0]
ip2_1 = server2_1_ip.split('/')[0]
ip2_2 = server2_2_ip.split('/')[0]
ip3 = server3_ip.split('/')[0]
subnet1 = "192.168.10.0/24"
subnet2 = "192.168.20.0/24"

stdout, stderr = server1.execute(f'sudo arp -s {ip2_1} {server2_iface1_MAC}')
stdout, stderr = server1.execute(f'sudo ip route add {subnet2} via {ip2_1}')

stdout, stderr = server2.execute(f'sudo arp -s {ip1} {server1_iface_MAC}')
stdout, stderr = server2.execute(f'sudo arp -s {ip3} {server3_iface_MAC}')

stdout, stderr = server3.execute(f'sudo arp -s {ip2_2} {server2_iface2_MAC}')
stdout, stderr = server3.execute(f'sudo ip route add {subnet1} via {ip2_2}')

### Step 5.8: Mellanox devices

In this step, we will inspect and start all Mellanox devices.

In [25]:
stdout, stderr = server1.execute(f'sudo ibdev2netdev')
stdout, stderr = server1.execute(f'sudo mst status', quiet=True)
stdout, stderr = server1.execute(f'sudo mst start', quiet=True)
stdout, stderr = server1.execute(f'sudo mst status', quiet=True)

stdout, stderr = server2.execute(f'sudo ibdev2netdev')
stdout, stderr = server2.execute(f'sudo mst status', quiet=True)
stdout, stderr = server2.execute(f'sudo mst start', quiet=True)
stdout, stderr = server2.execute(f'sudo mst status', quiet=True)

stdout, stderr = server3.execute(f'sudo ibdev2netdev')
stdout, stderr = server3.execute(f'sudo mst status', quiet=True)
stdout, stderr = server3.execute(f'sudo mst start', quiet=True)
stdout, stderr = server3.execute(f'sudo mst status', quiet=True)

mlx5_0 port 1 ==> enp7s0np0 (Up)
mlx5_1 port 1 ==> enp8s0np1 (Down)
mlx5_0 port 1 ==> enp7s0np0 (Up)
mlx5_1 port 1 ==> enp8s0np1 (Up)
mlx5_0 port 1 ==> enp7s0np0 (Up)
mlx5_1 port 1 ==> enp8s0np1 (Down)


In the output above, you can see that there are two interfaces that are turned down. This is because each server has a Connect-X6 NIC attached, which is a dual-port NIC, and only one port in the NICs of server1 and server3 is used in this topology. 

# 4. Structured Design

## 1. Decomposition and Modularization

### Bad design

All in one huge code: packet inspection, stats, port initialization, forwarding, CLI parsing sharing globals

    // bad: huge monolithic file with unrelated responsibilities
    static uint16_t block_port = 80;
    static struct stats st;
    
    int init_port(uint16_t port) { /* long function */ }
    int inspect_packet(struct rte_mbuf *m, uint16_t in_port) { /* long function */ }
    
    int main(int argc, char **argv) {
        init_port(0);
        init_port(1);
        while (1) inspect_packet(...);
    }

### Good design

Clear separation into modules, each with one responsability

    fw/
      include/fw_ctx.h
      include/fw_inspect.h
      include/fw_stats.h
      include/fw_packet.h
      src/fw_inspect.c
      src/fw_stats.c
      src/fw_packet.c
      src/main.c

### Justification
Breaking the system into modules ensures that each component handles a specific job, improving maintainability, readability, testability, and reuse.

## 2. Coupling and Cohesion

### Bad design
Modules depend directly on global variables, and each function performs unrelated tasks:

    extern uint16_t block_port;
    extern struct stats st;
    
    int init_port(uint16_t port) {
        if (block_port == 80) st.total++;  /* cross-module abuse */
    }

### Good design
Use a fw_ctx structure to hold shared state. Each module interacts only with the context through well-defined APIs.

    struct fw_ctx {
        struct fw_config cfg;
        struct fw_stats *stats;
        struct fw_net_ops *net;
    };
    
    fw_inspect_packet(&ctx, mbuf, in_port);

### Justification
Loose coupling ensures modules operate independently. High cohesion ensures each module focuses on one purpose. This leads to cleaner interfaces and stronger modular control.

## 3. Abstraction

### Bad design
Raw pointer arithmetic is spread across multiple modules:

    uint8_t *p = (uint8_t *)eth + sizeof(*eth);
    struct rte_ipv4_hdr *ip = (struct rte_ipv4_hdr*)p;
    uint8_t ihl = (ip->version_ihl & 0x0f) * 4;
    struct rte_tcp_hdr *tcp = (struct rte_tcp_hdr*)((uint8_t*)ip + ihl);

### Good design
A packet abstraction hides all parsing logic:

    struct packet_view {
        struct rte_mbuf *mbuf;
        struct rte_ether_hdr *eth;
        struct rte_ipv4_hdr *ip;
        struct rte_tcp_hdr *tcp;
        int is_ipv4;
        int is_tcp;
    };
    
    packet_view_init(&pv, m);

### Justification
Abstraction reduces complexity by hiding low-level details. It avoids duplicated parsing logic and keeps high-level code clean and easier to maintain.

## 4. Separation of Interface and Implementation

### Bad design
Headers contain full implementations, exposing internals:

    /* bad: implementation in header */
    static inline void stat_inc(uint64_t *field) {
        *field += 1;
    }

### Good design
Public headers provide only function declarations and opaque types:

    /* fw_stats.h */
    struct fw_stats;
    void fw_stats_inc_total(struct fw_stats *s, uint64_t v);

    Implementation stays in .c files:
    /* fw_stats.c */
    struct fw_stats { uint64_t total; ... }; 

### Justification
Separating interface from implementation allows internal changes without breaking external code. This enhances maintainability and supports modularity.

## 5. Encapsulation and Information Hiding

### Bad design
Modules access and modify internal data directly:

    extern uint16_t block_port;
    extern struct stats st;
    int init_port(uint16_t port) {
        if (block_port == 80) st.total++;  /* cross-module abuse */
    }

### Good design
Encapsulated statistics module provides accessor functions:

    fw_stats_inc_total(ctx->stats, 1);
    fw_stats_inc_dropped_malformed(ctx->stats, 1);
    
    struct fw_stats {
        uint64_t total;
        uint64_t dropped_malformed;
        rte_spinlock_t lock;
    };

### Justification
Encapsulation prevents accidental misuse of internal data and ensures invariants are preserved. It also allows future changes without affecting other modules.

## 6. Sufficiency, Completeness, and Primitiveness

### Bad design
One function tries to parse, inspect, forward, log, drop, and free packets:

    int inspect_and_forward(struct rte_mbuf *m, uint16_t port) {
        parse();
        if (bad) free();
        forward();
        update_stats();
    }

### Good design
Small, primitive, complete operations:

    /* primitive: inspection only */
    int fw_inspect_packet(struct fw_ctx *ctx, struct rte_mbuf *m, uint16_t in_port);
    
    /* primitive: forwarding only */
    int fw_forward_burst(...);

Example of use:

    if (fw_inspect_packet(&ctx, m, in_port) == 0)
        keep_for_forwarding();
    else
        rte_pktmbuf_free(m);

### Justification

Each operation is minimal (primitive), and together they are sufficient and complete for building the full firewall behavior. This ensures clarity, reduces bugs, and provides a clean foundation for extension.

## Scripts

include/</br>
├─ [fw_ctx.h](./include/fw_ctx.h)</br>
├─ [fw_inspect.h](,/include/fw_inspect.h)</br>
├─ [fw_packet.h](./include/fw_packet.h)</br>
└─ [fw_stats.h](./include/fw_stats.h)</br>

src/</br>
├─ [fw_inspect.c](./src/fw_inspect.c)</br>
├─ [fw_packet.c](./src/fw_packet.c)</br>
├─ [fw_stats.c](./src/fw_stats.c)</br>
└─ [main.c](./src/main.c)</br>


# 5. Secure Programming

## Identified Weaknesses and CWSS Submetric Values

Each weakness is scored using CWSS submetrics (TI, AP, AL, IC, FC, RP, RL, AV, AS, IN, SC, BI, DI, EX, EC, P).  
Each submetric includes **category** and **numeric value** used in computation. Aggregation weights and the final CWSS formula are documented in the Appendix.

---

### Weakness 1 — Missing Authentication (CWE-306)  
The system allows configuration (e.g., `block_port`) without authentication.

**Base Finding**
- Technical Impact (TI): **High** — 80  
- Acquired Privilege (AP): **Medium** — 50  
- Acquired Privilege Layer (AL): **Application** — 60  
- Internal Control Effectiveness (IC): **Low** — 60  
- Finding Confidence (FC): **High** — 70

**Attack Surface**
- Required Privilege (RP): **Low** — 80  
- Required Privilege Layer (RL): **Application** — 70  
- Access Vector (AV): **Local CLI (reachable)** — 90  
- Authentication Strength (AS): **None** — 90  
- Level of Interaction (IN): **None** — 100  
- Deployment Scope (SC): **Wide** — 70

**Environmental**
- Business Impact (BI): **High** — 70  
- Likelihood of Discovery (DI): **High** — 70  
- Likelihood of Exploit (EX): **Medium** — 60  
- External Control Effectiveness (EC): **Medium** — 60  
- Prevalence (P): **High** — 80

**Aggregated Scores**
- Base Finding: **65.5**  
- Attack Surface: **77.5**  
- Environmental: **67.5**

**Final CWSS:** **34.3**

**Mitigation (brief):** Require authenticated management; restrict configuration to authenticated admin channels or protected config files with strict ACLs.

---

### Weakness 2 — Improper Packet Validation (CWE-20)  
Minimal validation of IPv4/TCP headers; no checksum checks. (See `ipv4_hdr()` and `tcp_hdr()` in the DPDK demo.) :contentReference[oaicite:1]{index=1}

**Base Finding**
- TI: **Critical** — 100  
- AP: **Low** — 20  
- AL: **Network Boundary** — 70  
- IC: **Low** — 40  
- FC: **High** — 80

**Attack Surface**
- RP: **None** — 100  
- RL: **Network** — 90  
- AV: **Network (external port)** — 100  
- AS: **None** — 100  
- IN: **None** — 100  
- SC: **Wide** — 90

**Environmental**
- BI: **High** — 80  
- DI: **High** — 80  
- EX: **High** — 80  
- EC: **Low** — 40  
- P: **High** — 80

**Aggregated Scores**
- Base Finding: **80.0**  
- Attack Surface: **95.0**  
- Environmental: **77.0**

**Final CWSS:** **58.6**

**Mitigation (brief):** Harden parsing: validate header lengths, verify IPv4/TCP checksums, use safe parsing primitives, fuzz-testing, and reject malformed packets.

---

### Weakness 3 — Resource Exhaustion / DoS (CWE-400)  
High traffic can exhaust queues/mbufs; no rate limiting or DoS mitigation (runtime stats show `tx_failures`). :contentReference[oaicite:2]{index=2}

**Base Finding**
- TI: **High** — 90  
- AP: **None** — 0  
- AL: **System Resources** — 80  
- IC: **Low** — 30  
- FC: **High** — 80

**Attack Surface**
- RP: **None** — 100  
- RL: **Network** — 90  
- AV: **Network** — 100  
- AS: **None** — 100  
- IN: **None** — 100  
- SC: **Wide** — 90

**Environmental**
- BI: **Critical** — 90  
- DI: **High** — 80  
- EX: **High** — 90  
- EC: **Low** — 30  
- P: **High** — 80

**Aggregated Scores**
- Base Finding: **59.5**  
- Attack Surface: **95.0**  
- Environmental: **78.0**

**Final CWSS:** **44.1**

**Mitigation (brief):** Implement rate-limiting, mbuf pool limits, monitoring/backpressure, upstream filtering, and SYN-flood protections.

---

### Weakness 4 — Weak Logging / No Tamper Protection (CWE-532)  
Logs printed to stdout; not persisted or tamper-resistant. :contentReference[oaicite:3]{index=3}

**Base Finding**
- TI: **Medium** — 40  
- AP: **None** — 0  
- AL: **Application** — 50  
- IC: **Low** — 40  
- FC: **High** — 80

**Attack Surface**
- RP: **Low** — 60  
- RL: **Application** — 60  
- AV: **Local** — 50  
- AS: **Weak** — 70  
- IN: **Low** — 40  
- SC: **Limited** — 50

**Environmental**
- BI: **Medium** — 50  
- DI: **Medium** — 50  
- EX: **Low** — 40  
- EC: **Medium** — 50  
- P: **Medium** — 50

**Aggregated Scores**
- Base Finding: **41.5**  
- Attack Surface: **54.5**  
- Environmental: **49.0**

**Final CWSS:** **11.1**

**Mitigation (brief):** Persist logs to secured append-only storage, use TLS syslog/remote logging, protect logs with ACLs, and enable integrity checks.

---

### Weakness 5 — Hardcoded Trust Boundary (CWE-284)  
Firewall demo assumes inside port 0 and outside port 1; misconfiguration or physical port swap invalidates trust model. :contentReference[oaicite:4]{index=4}

**Base Finding**
- TI: **High** — 80  
- AP: **Medium** — 50  
- AL: **Network Boundary** — 70  
- IC: **Low** — 40  
- FC: **High** — 80

**Attack Surface**
- RP: **Low** — 70  
- RL: **Network / Admin** — 70  
- AV: **Configuration / DevOps** — 60  
- AS: **Weak** — 70  
- IN: **Low** — 40  
- SC: **Limited** — 60

**Environmental**
- BI: **High** — 80  
- DI: **Medium** — 60  
- EX: **Medium** — 60  
- EC: **Medium** — 50  
- P: **Medium** — 50

**Aggregated Scores**
- Base Finding: **62.5**  
- Attack Surface: **63.5**  
- Environmental: **66.0**

**Final CWSS:** **26.2**

**Mitigation (brief):** Make interface roles configurable and validated at startup, add operational checks/warnings, and document deployment assumptions.

---

## Ranked Weakness Summary

| Rank | Weakness (CWE) | BaseFinding | AttackSurface | Environmental | CWSS |
|------|----------------|------------:|--------------:|--------------:|-----:|
| 1 | Improper Packet Validation (CWE-20) | 80.0 | 95.0 | 77.0 | **58.6** |
| 2 | Resource Exhaustion (CWE-400) | 59.5 | 95.0 | 78.0 | **44.1** |
| 3 | Missing Authentication (CWE-306) | 65.5 | 77.5 | 67.5 | **34.3** |
| 4 | Hardcoded Trust Boundary (CWE-284) | 62.5 | 63.5 | 66.0 | **26.2** |
| 5 | Weak Logging (CWE-532) | 41.5 | 54.5 | 49.0 | **11.1** |

---

## Reflection

- **Initial intuition** prioritized packet validation and authentication.  
- **CWSS results** surface availability (DoS) and network-exposed parsing issues as top risks (Improper Packet Validation and Resource Exhaustion).  
- **Conclusion:** Structured CWSS scoring shifted emphasis toward externally-exploitable availability and parsing weaknesses that have the largest attack surface and business impact.

---

## Appendix A — Aggregation & Calculation Details

**Submetric → numeric mapping (used):**
- none = 0, very_low = 10, low = 30, medium = 50, high = 80, critical = 100  
- Direct numeric values may be used where shown.

**Aggregation weights:**
- Base Finding = 0.35·TI + 0.25·AP + 0.15·AL + 0.15·IC + 0.10·FC  
- Attack Surface = 0.25·RP + 0.15·RL + 0.20·AV + 0.15·AS + 0.10·IN + 0.15·SC  
- Environmental = 0.40·BI + 0.15·DI + 0.15·EX + 0.20·EC + 0.10·P

**Final CWSS:**
BaseFindingSubscore * AttackSurfaceSubscore * EnvironmentSubscore

In [2]:
#!/usr/bin/env python3
"""
cwss_from_submetrics.py

Compute BaseFinding, AttackSurface, Environmental, and final CWSS
from explicit CWSS submetrics (TI, AP, AL, IC, FC, RP, RL, AV, AS, IN, SC, BI, DI, EX, EC, P).

Mapping and weights used in the accompanying Markdown report.

Author: generated by ChatGPT (GPT-5 Thinking mini)
"""

from dataclasses import dataclass, asdict
from typing import Dict, Any, List
import math

# --- mapping categories to numeric scores (0..100) ---
CATEGORY_TO_NUM = {
    "none": 0,
    "very_low": 10,
    "low": 30,
    "medium": 50,
    "high": 80,
    "critical": 100
}

# For convenience, we allow direct numeric values too.

def to_num(v):
    if isinstance(v, (int, float)):
        return float(v)
    if not isinstance(v, str):
        raise ValueError("Unsupported submetric value type")
    key = v.strip().lower()
    if key in CATEGORY_TO_NUM:
        return float(CATEGORY_TO_NUM[key])
    # allow direct numeric string
    try:
        return float(key)
    except:
        raise ValueError(f"Unknown category '{v}'")

# --- aggregation weights ---
WEIGHTS = {
    "base": {"TI": 0.35, "AP": 0.25, "AL": 0.15, "IC": 0.15, "FC": 0.10},
    "attack": {"RP": 0.25, "RL": 0.15, "AV": 0.20, "AS": 0.15, "IN": 0.10, "SC": 0.15},
    "env": {"BI": 0.40, "DI": 0.15, "EX": 0.15, "EC": 0.20, "P": 0.10}
}

@dataclass
class Submetrics:
    # Base Finding
    TI: Any
    AP: Any
    AL: Any
    IC: Any
    FC: Any
    # Attack Surface
    RP: Any
    RL: Any
    AV: Any
    AS: Any
    IN: Any
    SC: Any
    # Environmental
    BI: Any
    DI: Any
    EX: Any
    EC: Any
    P: Any

    def to_numeric(self) -> Dict[str, float]:
        return {k: to_num(v) for k, v in asdict(self).items()}

def aggregate_group(values: Dict[str, float], weights: Dict[str, float]) -> float:
    s = 0.0
    for k, w in weights.items():
        s += values[k] * w
    return s

def compute_cwss(sub: Submetrics) -> Dict[str, float]:
    nums = sub.to_numeric()
    base = aggregate_group(nums, WEIGHTS["base"])
    attack = aggregate_group(nums, WEIGHTS["attack"])
    env = aggregate_group(nums, WEIGHTS["env"])
    # final CWSS (simplified)
    cwss = (base * attack * env) / 10000.0
    # round for presentation
    return {"BaseFinding": round(base, 2), "AttackSurface": round(attack, 2),
            "Environmental": round(env, 2), "CWSS": round(cwss, 2)}

# --- Example definitions: these correspond to the five weaknesses analyzed above ---
EXAMPLES = {
    "Missing Authentication (CWE-306)": Submetrics(
        TI="high", AP="medium", AL="medium", IC=60, FC="high",
        RP=80, RL=70, AV=90, AS=90, IN="none", SC=70,
        BI=70, DI=70, EX=60, EC=60, P=80
    ),

    "Improper Packet Validation (CWE-20)": Submetrics(
        TI="critical", AP="low", AL=70, IC=40, FC="high",
        RP="none", RL=90, AV="critical", AS="none", IN="none", SC=90,
        BI=80, DI=80, EX=80, EC=40, P=80
    ),

    "Resource Exhaustion (CWE-400)": Submetrics(
        TI=90, AP="none", AL=80, IC=30, FC="high",
        RP="none", RL=90, AV="critical", AS="none", IN="none", SC=90,
        BI=90, DI=80, EX=90, EC=30, P=80
    ),

    "Weak Logging (CWE-532)": Submetrics(
        TI=40, AP="none", AL=50, IC=40, FC="high",
        RP=60, RL=60, AV=50, AS=70, IN=40, SC=50,
        BI=50, DI=50, EX=40, EC=50, P=50
    ),

    "Hardcoded Trust Boundary (CWE-284)": Submetrics(
        TI=80, AP=50, AL=70, IC=40, FC="high",
        RP=70, RL=70, AV=60, AS=70, IN=40, SC=60,
        BI=80, DI=60, EX=60, EC=50, P=50
    )
}

def main():
    print("\nCWSS calculations (submetric → aggregates → final CWSS)\n")
    results = []
    for name, sub in EXAMPLES.items():
        out = compute_cwss(sub)
        results.append((name, out))
        print(f"== {name} ==")
        print(f" BaseFinding = {out['BaseFinding']}")
        print(f" AttackSurface = {out['AttackSurface']}")
        print(f" Environmental = {out['Environmental']}")
        print(f" CWSS = {out['CWSS']}\n")
    # rank
    ranked = sorted(results, key=lambda x: x[1]['CWSS'], reverse=True)
    print("Ranked by CWSS:\n")
    for i,(name,out) in enumerate(ranked, start=1):
        print(f"{i}. {name:45} CWSS={out['CWSS']}, Base={out['BaseFinding']}, AS={out['AttackSurface']}, Env={out['Environmental']}")

if __name__ == "__main__":
    main()



CWSS calculations (submetric → aggregates → final CWSS)

== Missing Authentication (CWE-306) ==
 BaseFinding = 65.0
 AttackSurface = 72.5
 Environmental = 67.5
 CWSS = 31.81

== Improper Packet Validation (CWE-20) ==
 BaseFinding = 67.0
 AttackSurface = 47.0
 Environmental = 72.0
 CWSS = 22.67

== Resource Exhaustion (CWE-400) ==
 BaseFinding = 56.0
 AttackSurface = 47.0
 Environmental = 75.5
 CWSS = 19.87

== Weak Logging (CWE-532) ==
 BaseFinding = 35.5
 AttackSurface = 56.0
 Environmental = 48.5
 CWSS = 9.64

== Hardcoded Trust Boundary (CWE-284) ==
 BaseFinding = 65.0
 AttackSurface = 63.5
 Environmental = 65.0
 CWSS = 26.83

Ranked by CWSS:

1. Missing Authentication (CWE-306)              CWSS=31.81, Base=65.0, AS=72.5, Env=67.5
2. Hardcoded Trust Boundary (CWE-284)            CWSS=26.83, Base=65.0, AS=63.5, Env=65.0
3. Improper Packet Validation (CWE-20)           CWSS=22.67, Base=67.0, AS=47.0, Env=72.0
4. Resource Exhaustion (CWE-400)                 CWSS=19.87, Base=56.0, AS

# 6. Testing

In [18]:
server2.upload_file('scripts/firewall/fw_buggy.c','firewall/fw_buggy.c')
server2.upload_file('scripts/firewall/fw_corrected.c','firewall/fw_corrected.c')

<SFTPAttributes: [ size=4775 uid=1000 gid=1000 mode=0o100664 atime=1763947553 mtime=1763947669 ]>

## Firewall Buggy Code: [fw_buggy.c](./scripts/firewall/fw_buggy.c)

In [20]:
stdout, stderr = server2.execute('cd firewall && splint fw_buggy.c')

fw_buggy.c: (in function allocate_packet_buffer)
fw_buggy.c:39:29: Operands of > have incompatible types (size_t, unsigned int):
                     num_packets > 100U
  To allow arbitrary integral types to match any integral type, use
  +matchanyintegral.
fw_buggy.c:49:46: Function malloc expects arg 1 to be size_t gets unsigned int:
                     1500U
fw_buggy.c:53:22: Unallocated storage packets[].data passed as out parameter:
                     packets[j].data
  An rvalue is used that may not be initialized to a value on some execution
[31mSplint 3.1.2 --- 20 Feb 2018

[0mfw_buggy.c:58:9: Assignment of unsigned int to size_t:
                    packets[i].length = 1500U
fw_buggy.c:64:12: Returned storage *packets contains 5 undefined fields:
                     length, data, src_port, dst_port, protocol
  Storage derivable from a parameter, return value or global is not defined.
  Use /*@out@*/ to denote passed or returned storage which need not be defined.
fw_buggy.

## Error Explanation
1. Operands of > have incompatible types
Comparing a size_t variable with an integer literal like 100 can trigger warnings because the literal is an int (or unsigned int) while the variable is size_t. Use a size_t constant or an explicit cast so both operands share the same type.
2. malloc expects size_t, got unsigned int
Passing literals like 1500U to malloc() causes a type mismatch. Define size constants as size_t and pass those values to allocation functions.
3. Unallocated / uninitialized packets[].data passed as an out parameter
Returning or passing structures whose fields may be undefined raises Splint warnings. Ensure fields are zeroed or explicitly initialized before use or return.
4. Returned storage contains undefined fields
When returning allocated arrays of structs, initialize every field (or use calloc) so Splint — and readers — can be sure no fields are left undefined.
5. Memory leak: test_pkt.data not freed on all paths
Allocations inside test or error paths must be freed on every exit path. Either avoid unnecessary allocations for short-lived test data or ensure a single cleanup path that frees all resources.
All these where fixed in the corrected code.

## Firewall Corrected Code: [fw_corrected.c](./scripts/firewall/fw_corrected.c)

In [21]:
stdout, stderr = server2.execute('cd firewall && splint fw_corrected.c')

[31mSplint 3.1.2 --- 20 Feb 2018

[0m

# 7. Running the Application

In [1]:
from fabrictestbed_extensions.fablib.fablib import FablibManager as fablib_manager
fablib = fablib_manager()

slice = fablib.get_slice(name="itec760Project")

servers = []

servers.append(slice.get_node(name="server1"))     
servers.append(slice.get_node(name="server2"))
servers.append(slice.get_node(name="server3"))

server1 = servers[0]
server2 = servers[1]
server3 = servers[2]

User: choueiri@email.sc.edu bastion key is valid!
Configuration is valid


In [7]:
stdout, stderr = server2.execute('mkdir firewall')

In [14]:
server2.upload_file('scripts/firewall/Makefile','firewall/Makefile')
server2.upload_file('scripts/firewall/fw.c','firewall/fw.c')

<SFTPAttributes: [ size=8636 uid=1000 gid=1000 mode=0o100664 atime=1763938113 mtime=1763939904 ]>

In [6]:
threads = []

for server in servers:
    threads.append(server.execute_thread(f' sudo sh -c  "echo 1024 > /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages"'))

for thread in threads:
    thread.result()

Hugepage reservation is done by setting the number of hugepages required to the ```nr_hugepages``` file in the kernel corresponding to a specific page size (in Kilobytes).

The ```echo``` command is used to print a value which in this case is ```1024``` representing the number of hugepages. The ```>``` symbol is a redirection operator that redirects the output of the previous command (echo 1024) to the file specified in the following path: ```/sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages```

In [15]:
stdout, stderr = server2.execute('cd firewall && make')

cc -O3 -include rte_config.h -march=native -mrtm -I/usr/local/include -I/usr/include/libnl3 -DALLOW_EXPERIMENTAL_API fw.c -o build/fw-shared  -L/usr/local/lib/x86_64-linux-gnu -Wl,--as-needed -lrte_node -lrte_graph -lrte_pipeline -lrte_table -lrte_pdump -lrte_port -lrte_fib -lrte_pdcp -lrte_ipsec -lrte_vhost -lrte_stack -lrte_security -lrte_sched -lrte_reorder -lrte_rib -lrte_mldev -lrte_regexdev -lrte_rawdev -lrte_power -lrte_pcapng -lrte_member -lrte_lpm -lrte_latencystats -lrte_jobstats -lrte_ip_frag -lrte_gso -lrte_gro -lrte_gpudev -lrte_dispatcher -lrte_eventdev -lrte_efd -lrte_dmadev -lrte_distributor -lrte_cryptodev -lrte_compressdev -lrte_cfgfile -lrte_bpf -lrte_bitratestats -lrte_bbdev -lrte_acl -lrte_timer -lrte_hash -lrte_metrics -lrte_cmdline -lrte_pci -lrte_ethdev -lrte_meter -lrte_net -lrte_mbuf -lrte_mempool -lrte_rcu -lrte_ring -lrte_eal -lrte_telemetry -lrte_argparse -lrte_kvargs -lrte_log
ln -sf fw-shared build/fw


In [8]:
server2.get_ssh_command()

'ssh -i /home/fabric/work/fabric_config/slice_key -F /home/fabric/work/fabric_config/ssh_config ubuntu@2620:103:a006:12:f816:3eff:fe94:95f6'

In [19]:
# cd firewall
# sudo ./build/fw 80 -l 0 -n 4 -a 0000:08:00.0 -- -p 0x1
# sudo ./build/fw 80 -l 0 -n 4 -a 0000:07:00.0 -a 0000:08:00.0

In [9]:
server3.get_ssh_command()

'ssh -i /home/fabric/work/fabric_config/slice_key -F /home/fabric/work/fabric_config/ssh_config ubuntu@2001:5e8:ff00:ffff:f816:3eff:fe31:e0d9'

In [20]:
stdout, stderr = server3.execute('lspci | grep ConnectX | awk \'{print $1}\'| head -n 1')

07:00.0


Run the following commands in the terminal to run pktgen:

    sudo pktgen -l 0,1 -n 4 -a 07:00.0 -- -P -m "1.0"

•	```-l```: List of cores to run on.<br>
•	```-n```: Number of memory channels.<br>
•	```-a```: The ID of allowed interfaces (the command shows an example where interface 07:00.0 is used).<br>
•	```-P```: Enable promiscuous mode on all ports.<br>
•	```-m```: Matrix for mapping ports to logical cores.<be>

In [10]:
server1.get_ssh_command()

'ssh -i /home/fabric/work/fabric_config/slice_key -F /home/fabric/work/fabric_config/ssh_config ubuntu@192.5.67.182'

In [11]:
stdout, stderr = server1.execute('lspci | grep ConnectX | awk \'{print $1}\'| head -n 1')

07:00.0


Run the following commands in the terminal to run pktgen:

    sudo pktgen -l 0,1 -n 4 -a 07:00.0 -- -P -m "1.0"

•	```-l```: List of cores to run on.<br>
•	```-n```: Number of memory channels.<br>
•	```-a```: The ID of allowed interfaces (the command shows an example where interface 07:00.0 is used).<br>
•	```-P```: Enable promiscuous mode on all ports.<br>
•	```-m```: Matrix for mapping ports to logical cores.<be>

# 8. Demo

<img src="./figs/demo_fw.gif" width="1500">