GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → open-nfpsw → p4c_firewall

open-nfpsw / p4c_firewall

Licence: other
No description, website, or topics provided.

Programming Languages

python
139335 projects - #7 most used programming language
c
50402 projects - #5 most used programming language
P4
22 projects
shell
77523 projects

P4/C Firewall - Two Different Approaches

This repository contains two different approaches taken to implement a Statefull Firewall on Netronome SmartNICs using P4 and Micro-C. The Statefull Firewall makes use of Network Address Translation (NAT) to protect private IP's from untrusted external networks. All packets comming from an untrusted network are dropped unless a request was made from a private host to a host on the external network after which a connection is established and traffic is allowed between the two hosts.

Getting Started

To get started quickly using the P4/C Firewall, use the State Table approach. For more background and comparison between different implementations or if you would like to do your own comparison, read further.

Background

The first approach was to keep state by dynamically adding P4 rules as new connections are established. The dynamic rules allow traffic through as incomming packets hit the dynamically added rules allowing the packets to be forwarded. A default rule is in place to handle packets where dynamic rules were not added yet, sending the packets to a python controller which will then add the new rules before sending the packet back to the SmartNIC to be forwarded. Timeouts involves keeping track of the frequency at which the added rules are hit and clearing inactive rules periodically.

The second approach was to keep state by implementing a hashtable table in Micro-C to store the state of each flow. All P4 rules are static and the P4 program can forward or drop packets based on the state of that specific flow after doing a lookup in the state table. This eliminates the need to first send a packet to a controller, waiting for rules to be added before the packet can be sent back to be matched again before it is forwarded. A controller is only used for initial configuration and for timeouts.

Pros & Cons

In our experience the pros of the state table approach greatly outweighs the dynamic rule approach.

Dynamic Rules

Pros:
- Easier to implement using only P4 Code
Cons:
- New packets are sent to the host first reducing performance
- Controller gets congested when a large number new flows are introduced
- Large number of rules to sync to Programmer Studio when debugging

State Table

Pros:
- State updated quickly using primitive actions
- Only static P4 rules
- Higher throughput
Cons:
- More advanced c progamming to impliment the primitive actions (compared to simplicity of using P4 alone)
- Number of flows limited by memory available for hash table and bucket size
Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].