Date: Thu, 28 Apr 2016 18:21:05 -0300 From: Ze Claudio Pastore <zclaudio@bsd.com.br> To: Alan Somers <asomers@freebsd.org> Cc: "freebsd-hackers@freebsd.org" <freebsd-hackers@freebsd.org> Subject: Re: Best option to process packet ACL Message-ID: <CAEGk6G5vRK-OGV5xXVC%2BLKcC1aZJfS6d-QL_eB-CVSXoPOvEpg@mail.gmail.com> In-Reply-To: <D638A558-15C0-4834-868C-D0912F225444@netgate.com> References: <CAEGk6G4aMU_qxDMb3tBqyLNmUNqd3%2BRjDRZ29wMx7pK_w=kkJg@mail.gmail.com> <CAOtMX2h8tRtGeTLageLWiiXAi-Ap4Q8jqWFD2uiCtF1uCzSmOA@mail.gmail.com> <CAEGk6G6uy0n8VEY1qtH8x%2B%2Bh7523YYyWLwNwrMq4O36s33o0-g@mail.gmail.com> <CAOtMX2iKF2aaWF_PQESewMUFW4q=s3KC%2BJCEX7eakN3GKJ%2BEog@mail.gmail.com> <D638A558-15C0-4834-868C-D0912F225444@netgate.com>
2016-04-28 14:46 GMT-03:00 Jim Thompson <jim@netgate.com>:
>
> If your application is already using DPDK then:
>
> 1) it’s not “mostly bypassing the kernel”, it *is* bypassing the kernel.
>
> 2) ACLs are already a thing in DPDK:
> http://dpdk.org/doc/guides/prog_guide/packet_classif_access_ctrl.html
>
> 200Kpps is not a lot of load for even ‘pf’ on slow hardware.
>
> > On Apr 28, 2016, at 12:35 PM, Alan Somers <asomers@freebsd.org> wrote:
> >
> > Even if your application is not a traditional firewall, using pf or ipfw
> > would save much development time compared to writing your own packet
> > filter. They can be configured to do things like redirect packets to
> > different ports. You can use that to offload packet filtering from your
> > application to the firewall, and open multiple sockets in your application
> > to receive prefiltered packets.
> >
> > Of course, pf/ipfw can't be used in combination with DPDK, as you
> > discovered. Doesn't DPDK provide access to each queue of a multiqueue
> > NIC? If so, you can create multiple filtering threads, and associate each
> > thread to a single queue of your NIC.
> >
> > Good luck, you've got a lot of work ahead of you.

OK, again, it's not an L3/L4 ACL. I am looking at L3/L4 information, but on a request basis, not per packet; depending on other, previous criteria I will then split the processing. I am running a proxy, so I am not looking to replace my ACL needs with something else, I only want to discuss how to better process it. I have previous information from L7 affinity, headers and the request, which helps me split some load; now I happen to need to filter it. It's not a firewall, it's much like a squid-based ACL need where you look at L3 info at a different moment. ipfw/pf won't do it for me; an ordinary firewall fits somewhere else in the topology, not in this application.

Back on focus: I need to understand how to better split this load among IDLE CPUs.
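An added illustration, not code from this thread or from the poster's proxy: one way to spread request-level L3 ACL checks over idle CPUs in C with pthreads. The client address of each request is hashed onto a fixed set of worker shards, and each worker runs the CIDR lookup over its own queue, so nothing is shared on the lookup path. The rule table, the client addresses, NWORKERS and the IPv4-only parser are all constructed for the example; pinning each worker to a CPU (cpuset_setaffinity(2) on FreeBSD) is left out. An address that fails to parse is treated as matching no allow rule, so the check fails closed.

```c
/* Added example, not code from the thread or the poster's proxy: request-level
 * L3 ACL lookups sharded across worker threads, each worker owning its own
 * queue so the lookup path needs no lock. Rule table, client addresses and
 * NWORKERS are constructed for illustration (IPv4 only); CPU pinning omitted. */
#include <arpa/inet.h>
#include <pthread.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define NWORKERS 4
#define NREQ 8

struct acl_rule { uint32_t net, mask; int allow; };
/* One worker's queue and results: filled before start, read back after join. */
struct shard { uint32_t ips[NREQ]; int verdicts[NREQ]; size_t n; };

static struct acl_rule rules[3];
static size_t nrules;

/* Parse "a.b.c.d/len" into a host-order network/mask pair; -1 on bad input. */
static int acl_rule_init(struct acl_rule *r, const char *cidr, int allow) {
    struct in_addr in; char addr[INET_ADDRSTRLEN];
    const char *slash = strchr(cidr, '/');
    if (!slash || (size_t)(slash - cidr) >= sizeof addr)
        return -1;
    memcpy(addr, cidr, (size_t)(slash - cidr));
    addr[slash - cidr] = '\0';
    long plen = strtol(slash + 1, NULL, 10);
    if (plen < 0 || plen > 32 || inet_pton(AF_INET, addr, &in) != 1)
        return -1;
    r->mask = plen == 0 ? 0 : 0xffffffffu << (32 - plen);
    r->net = ntohl(in.s_addr) & r->mask;
    r->allow = allow;
    return 0;
}

/* Constructed rule set: first match wins, default deny. */
static void build_rules(void) {
    nrules = 0;
    acl_rule_init(&rules[nrules++], "10.0.0.0/8", 1);
    acl_rule_init(&rules[nrules++], "192.168.1.0/24", 0);
    acl_rule_init(&rules[nrules++], "192.168.0.0/16", 1);
}
static int acl_lookup(uint32_t ip) {
    for (size_t i = 0; i < nrules; i++)
        if ((ip & rules[i].mask) == rules[i].net)
            return rules[i].allow;
    return 0;
}
/* Unparsable text yields 0, which matches no allow rule: fail closed. */
static uint32_t ip_from_str(const char *s) {
    struct in_addr in;
    return inet_pton(AF_INET, s, &in) == 1 ? ntohl(in.s_addr) : 0;
}
/* Verdict for one client address, 1 = allow, 0 = deny. */
int acl_check(const char *client) {
    if (nrules == 0)
        build_rules();
    return acl_lookup(ip_from_str(client));
}

/* Shard selection: hash the client address so the same client always lands
 * on the same worker and any per-client state stays local to that CPU. */
unsigned pick_worker(uint32_t ip, unsigned nworkers) {
    ip ^= ip >> 16;
    return (ip * 0x45d9f3bu) % nworkers;
}

static void *worker(void *arg) {
    struct shard *s = arg;
    for (size_t i = 0; i < s->n; i++)
        s->verdicts[i] = acl_lookup(s->ips[i]);
    return NULL;
}

/* Dispatch the constructed requests onto NWORKERS shards, run the lookups in
 * parallel and return how many requests were allowed. */
int run_acl_shards(void) {
    static const char *clients[NREQ] = {
        "10.1.2.3", "10.255.0.1", "192.168.1.77", "192.168.2.5",
        "172.16.0.9", "8.8.8.8", "192.168.100.1", "10.0.0.1" };
    struct shard shards[NWORKERS] = {0};
    pthread_t tid[NWORKERS];
    int allowed = 0;
    if (nrules == 0)
        build_rules();
    for (size_t i = 0; i < NREQ; i++) {
        uint32_t ip = ip_from_str(clients[i]);
        struct shard *s = &shards[pick_worker(ip, NWORKERS)];
        s->ips[s->n++] = ip;   /* each shard holds NREQ slots, so this cannot overflow */
    }
    for (unsigned w = 0; w < NWORKERS; w++)
        pthread_create(&tid[w], NULL, worker, &shards[w]);
    for (unsigned w = 0; w < NWORKERS; w++) {
        pthread_join(tid[w], NULL);
        for (size_t i = 0; i < shards[w].n; i++)
            allowed += shards[w].verdicts[i];
    }
    return allowed;
}
```

With the constructed rules, five of the eight sample clients are allowed (the 192.168.1.0/24 deny shadows the broader 192.168.0.0/16 allow because the lookup is first-match). In a real proxy the shards would be long-lived queues fed from the accept path rather than filled once, and the hash keeps a given client on one worker so any per-client state it already tracks (L7 affinity, headers) need not be shared between CPUs.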
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAEGk6G5vRK-OGV5xXVC%2BLKcC1aZJfS6d-QL_eB-CVSXoPOvEpg>