This commit aims to introduce batch operation in firewall, to optimize network usage under certain
situations. For example, it would be both time and resource consuming performing 1000 requests to add/remove
rules, which was still required in the previous "transaction" mode. So I decided to introduce an endpoint which can accept a list of operations to be performed.
Moreover, I have also changed the default action policy, previously set to DROP. I set it to FORWARD, to avoid a
remote client which interacts with Polycube being completely cut off from the system, since the DROP policy would
block ALL the incoming traffic.
Signed-off-by: Simone Magnani <[email protected]>
Documentation/services/pcn-firewall/firewall.rst
Lines changed: 29 additions & 5 deletions
@@ -43,17 +43,40 @@ Rule insertion
43
43
44
44
Rule insertion is guaranteed to be *atomic*: during the computation of the new datapath, the old rule set is used until the new rule set is ready, and only at that moment the new policies will be applied.
45
45
46
-
Rule insertion is an expensive operation. For this reason, there are two modes that can be used based on the needs:
46
+
Rule insertion is an expensive operation. For this reason, we have thought about different endpoints to optimize expensive operations:
47
47
48
-
- ``Interactive mode:`` this is the default mode. It makes the commands to modify policies synchronous, so that they return only when the modification is reflected in the datapath. This is the slowest mode, as it requires to recompute the datapath for each command, but it has the advantage that a command returns only when the operation is completed.
49
-
- ``Transaction mode:`` in this mode commands on the policies are chained and asynchronously applied to the datapath altogether when the user asks it. The performance gain is sensible when commands have to be issued together (e.g. a set of rules), as it requires only one interaction with the datapath at the end. To switch in the transaction mode, it is necessary to issue the command ``polycubectl firewall fwname set interactive=false``. In this way, rules can be inserted normally, but to apply them the command ``polycubectl firewall fwname chain INGRESS apply-rules`` has to be issued. Notice: this command is specific for the chain, and updates the specified chain only.
48
+
- ``/insert``, ``/delete``, ``/append`` and ``PUT`` on ``rule/<id>`` (update): these endpoints are used to perform a single operation on a rule. As soon as the rule-set is updated, it is compiled and all the modifications are immediately inserted in the datapath.
49
+
- ``/batch``: as suggested by the name, this endpoint is used to perform multiple operation on a single HTTP request. Instead of compiling the new rule-set as soon as a single operation is fulfilled, it waits for all the actions described in the request to be executed. Finally, a single compilation is performed and the datapath is updated once.
50
50
51
+
Concerning the batch endpoint, it accepts a JSON list of rules like:
As you can see, every element of the ``rules`` array MUST contain an operation (insert, append, update, delete) plus a rule/id which is the actual target.
67
+
All the listed operation are performed sequentially, meaning that the user must sent the operation already ordered as he wants. Pay attention when sending some DELETE with other INSERT, you have to take in mind that during such operations IDs may vary (increase or decrease).
68
+
69
+
This features is also available from the ``polycubectl`` command line. It is strongly suggested to create a JSON file containing the batch of rules and then type:
Using the redirection diamond you are able to insert the file content in the body of the HTTP POST request generated from the command.
51
74
52
75
Default action
53
76
^^^^^^^^^^^^^^
54
77
55
-
The default action if no rule is matched is drop. This can be changed for each chain independently by issuing the command
56
-
``polycubectl firewall fwname chain INGRESS set default=FORWARD`` or ``polycubectl firewall fwname chain EGRESS set default=FORWARD``.
78
+
The default action if no rule is matched is forward. This can be changed for each chain independently by issuing the command
79
+
``polycubectl firewall fwname chain INGRESS set default=DROP`` or ``polycubectl firewall fwname chain EGRESS set default=DROP``.
57
80
58
81
Statistics
59
82
^^^^^^^^^^
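Review bot: the sentence "Concerning the batch endpoint, it accepts a JSON list of rules like:" and the later "then type:" are both followed by nothing visible in this hunk, so the reader never sees the body shape or the polycubectl invocation; show at least one element with ``operation`` and ``id`` and the exact command with the redirection the next sentence refers to. The warning "during such operations IDs may vary (increase or decrease)" needs to be made precise: state whether each ``id`` is resolved against the rule set as it stands right before that operation runs, or against the snapshot taken before the batch started, otherwise a mixed DELETE/INSERT batch cannot be written correctly. Grammar in the added lines: "All the listed operation are performed sequentially, meaning that the user must sent the operation already ordered as he wants" should read "All the listed operations are performed sequentially, so the client must send them in the intended order", and "This features is also available" should be "This feature is also available". Since this hunk drops the whole transaction-mode paragraph, add a line telling existing users that ``set interactive=false`` and ``chain INGRESS apply-rules`` no longer exist and that ``/batch`` replaces them.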
@@ -65,6 +88,7 @@ Examples
65
88
66
89
The `examples source folder <https://github.com/polycube-network/polycube/tree/master/src/services/pcn-firewall/examples/>`_ contains some simple scripts to show how to configure the service.
67
90
91
+
Also under the test directory, there are plenty of scripts that test the firewall using both single and batch rule insertion/deletion.
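Review bot: "Also under the test directory" gives no path, unlike the examples sentence above it, which links to the folder; link the test directory the same way so readers can find the batch insertion/deletion scripts that are the only reference usage of the new endpoint.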
src/services/pcn-firewall/datamodel/firewall.yang
Lines changed: 23 additions & 17 deletions
@@ -22,7 +22,7 @@ module firewall {
22
22
enum LOG;
23
23
enum FORWARD;
24
24
}
25
-
defaultDROP;
25
+
defaultFORWARD;
26
26
}
27
27
28
28
typedef conntrackstatus {
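Review bot: changing the typedef default from DROP to FORWARD makes the firewall fail open: a freshly created instance with no rules now forwards all traffic, and any existing deployment that relied on the implicit deny-by-default silently loses it on upgrade, with no error to notice. The commit message motivates this with the remote-management case, which would be better solved by keeping DROP and having the setup path add an explicit allow rule for the management traffic; if FORWARD is kept, the description of the leaf that uses this typedef should state the new default, and the change should be flagged as behaviour-breaking in the changelog.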
@@ -34,6 +34,14 @@ module firewall {
34
34
}
35
35
}
36
36
37
+
typedef operation {
38
+
typeenumeration {
39
+
enum INSERT;
40
+
enum APPEND;
41
+
enum DELETE;
42
+
enum UPDATE;
43
+
}
44
+
}
37
45
38
46
grouping rule-fields {
39
47
leaf src {
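Review bot: ``typedef operation`` has no ``description`` statement, while the other nodes in this module document their values (e.g. the conntrack leaf's "Connection status (NEW, ESTABLISHED, RELATED, INVALID)"); add one saying what each of INSERT, APPEND, DELETE and UPDATE does and which of them require a meaningful ``id``. The documentation hunk spells the values lowercase ("insert, append, update, delete") whereas the enum is uppercase; state which form the endpoint accepts.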
@@ -81,7 +89,6 @@ module firewall {
81
89
description"Connection status (NEW, ESTABLISHED, RELATED, INVALID)";
82
90
}
83
91
84
-
85
92
leaf action {
86
93
type action;
87
94
polycube-base:init-only-config;
@@ -113,12 +120,6 @@ module firewall {
113
120
description"If Connection Tracking is enabled, all packets belonging to ESTABLISHED connections will be forwarded automatically. Default is ON.";
114
121
}
115
122
116
-
leaf interactive {
117
-
typeboolean;
118
-
description"Interactive mode applies new rules immediately; if 'false', the command 'apply-rules' has to be used to apply all the rules at once. Default is TRUE.";
119
-
defaulttrue;
120
-
}
121
-
122
123
list session-table {
123
124
key"src dst l4proto sport dport";
124
125
configfalse;
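Review bot: removing ``leaf interactive`` is a backward-incompatible API change; every client or script that follows the previous documentation and issues ``set interactive=false`` will now get a datamodel error, and the matching ``apply-rules`` action disappears in a later hunk. Either keep the leaf for one release as a deprecated no-op whose description points at ``batch``, or call the removal out explicitly in the commit message and release notes.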
@@ -250,18 +251,23 @@ module firewall {
250
251
}
251
252
}
252
253
253
-
action reset-counters {
254
-
description"Reset the counters to 0 for the chain.";
255
-
output {
256
-
leaf result {
257
-
typeboolean;
258
-
description"True if the operation is successful";
254
+
action batch {
255
+
input {
256
+
list rules {
257
+
key"id";
258
+
leaf id {
259
+
typeuint32;
260
+
}
261
+
leaf operation {
262
+
type operation;
263
+
}
264
+
uses"firewall:rule-fields";
259
265
}
260
266
}
261
267
}
262
268
263
-
action apply-rules {
264
-
description"Applies the rules when in batch mode (interactive==false)";
269
+
action reset-counters {
270
+
description"Reset the counters to 0 for the chain.";
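Review bot: ``list rules`` inside ``action batch`` is keyed by ``id`` but carries no ``ordered-by user``, so by YANG default the order of entries is system-defined, which contradicts the documentation's promise that operations run sequentially in the order sent; add ``ordered-by user`` and make sure the generated code preserves it. Keying on ``id`` also means a batch cannot contain two operations on the same id (for example DELETE of rule 3 followed by an INSERT at 3), and an APPEND, which needs no position, must still carry a unique dummy id to satisfy the key; consider an explicit sequence number as the key and ``id`` as a plain leaf. ``leaf operation`` should be ``mandatory true``, since the docs say every element MUST contain an operation.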
src/services/pcn-firewall/examples/README.md
Lines changed: 2 additions & 1 deletion
@@ -4,6 +4,7 @@ The example folder contains a set of simple scripts to understand how the firewa
4
4
## Prerequisites
5
5
All scripts assume that polycubed has been already launched, and that there is a standard cube running with two ports belonging to two namespaces already created and configured. Moreover, a firewall instance should be running and attached to one of the standard cube's port.
6
6
To set up all the needed components, please execute the script [setup_env.sh](./setup_env.sh).
7
+
Moreover, these examples contain a set of rules to allow some traffic, while denying the rest of it. To make this happen, since the default policy is FORWARD, the setup script automatically patches the default rule to DROP.
7
8
8
9
## Examples:
9
10
-[Ping](./allow_ping.sh): Connects the firewall to one of the standard cube's port, and allows only the ICMP echo requests/responses. In order to test that the configuration succeeded, you can launch the script [test_ping.sh](./test_ping.sh).
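Review bot: "patches the default rule to DROP" mislabels the default: it is a per-chain default action, not a rule (the docs set it with ``chain INGRESS set default=DROP`` and ``chain EGRESS set default=DROP`` separately), so say "default action" and confirm the script sets it on both chains. The change to ``setup_env.sh`` itself is not among the files shown here; it must land with this commit, otherwise the examples run against a fail-open firewall and the "denying the rest of it" claim is false.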
@@ -14,7 +15,7 @@ To set up all the needed components, please execute the script [setup_env.sh](./
14
15
-[Transactions](./use_transactions.sh): This example is like the Ping one, as the rule set is the same, but it shows how to use transactions instead of the interactive mode. This mode is strongly suggested when more than one rule has to be inserted, like in the example. **For each chain**, after the rules have been inserted, the command `polycubectl firewall fw chain INGRESS apply-rules` (*for the ingress chain*) is issued to apply the rule set, requiring a single interaction with the datapath.
15
16
-[Host Mode](./host_mode.sh): This example shows how to use the firewall in the host mode, intercepting the traffic **from the outside to the host**. At the moment it is not possible to intercept traffic in the other direction. This example considers the physical interface connected to the internet.
16
17
17
-
Please note that some example does not volountarly delete used resources like firewall or network namespace, since a user can play with multiple rules (e.g. allow IP and TCP). Thus, the behaviour of some tests may change depending on the allowed scripts run.
18
+
Please note that some example does not voluntarily delete used resources like firewall or network namespace, since a user can play with multiple rules (e.g. allow IP and TCP). Thus, the behaviour of some tests may change depending on the allowed scripts run.
18
19
19
20
To cleanup the entire environment or only the firewall's rules, refer to the following sections.
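Review bot: the unchanged context line for ``[Transactions](./use_transactions.sh)`` still tells users to run ``polycubectl firewall fw chain INGRESS apply-rules``, an action this commit deletes from the datamodel, so following the README as written now fails; rewrite that entry around the ``batch`` endpoint (and update or remove the script it links) rather than only fixing "volountarly" in the line below it.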