summaryrefslogtreecommitdiffstats
path: root/docs/vFW/README.rst
diff options
context:
space:
mode:
authorAnand B Jyoti <anand.b.jyoti@intel.com>2017-07-04 10:26:39 +0530
committerDeepak S <deepak.s@linux.intel.com>2017-07-14 06:23:48 +0000
commit29bfcbc9b8c1d9b1ebe62e3170524f0c53467110 (patch)
treed341463204cbf96d3703e7bfaa1c14fc5c6f2691 /docs/vFW/README.rst
parent82416b375a275837689cddfd1782d82996fecaca (diff)
docs: Update install and release docs for DPDK migration support
JIRA: SAMPLEVNF-48 Updating INSTALL.rst and RELEASE_NOTES.rst for DPDK migration support. The additional files are created to make it as per the opnfv document standard to generate the html files. Change-Id: I4b0af4c3afeef91fc806285b02c0ce47d61ebfbd Signed-off-by: Anand B Jyoti <anand.b.jyoti@intel.com>
Diffstat (limited to 'docs/vFW/README.rst')
-rw-r--r--docs/vFW/README.rst78
1 files changed, 47 insertions, 31 deletions
diff --git a/docs/vFW/README.rst b/docs/vFW/README.rst
index 45e8a17d..cc3c2b40 100644
--- a/docs/vFW/README.rst
+++ b/docs/vFW/README.rst
@@ -4,11 +4,11 @@
.. (c) opnfv, national center of scientific research "demokritos" and others.
========================================================
-Virtual Firewall - vFW
+vFW - Readme
========================================================
-1. Introduction
-==============
+Introduction
+===============
The virtual firewall (vFW) is an application implements Firewall. vFW is used
as a barrier between secure internal and an un-secure external network. The
firewall performs Dynamic Packet Filtering. This involves keeping track of the
@@ -19,6 +19,7 @@ be performed by Connection Tracking component, similar to that supported in
linux. The firewall also supports Access Controlled List(ACL) for rule based
policy enforcement. Firewall is built on top of DPDK and uses the packet library.
+----------
About DPDK
----------
The DPDK IP Pipeline Framework provides a set of libraries to build a pipeline
@@ -29,12 +30,12 @@ This document assumes the reader possesses the knowledge of DPDK concepts and
packet framework. For more details, read DPDK Getting Started Guide, DPDK
Programmers Guide, DPDK Sample Applications Guide.
-2. Scope
+Scope
==========
This application provides a standalone DPDK based high performance vFW Virtual
Network Function implementation.
-3. Features
+Features
===========
The vFW VNF currently supports the following functionality:
• Basic packet filtering (malformed packets, IP fragments)
@@ -52,7 +53,7 @@ The vFW VNF currently supports the following functionality:
• ICMP (terminal echo, echo response, passthrough)
• ICMPv6 and ND (Neighbor Discovery)
-4. High Level Design
+High Level Design
====================
The Firewall performs basic filtering for malformed packets and dynamic packet
filtering incoming packets using the connection tracker library.
@@ -77,41 +78,46 @@ across multiple worker threads. The hardware loadbalancing require ethernet
flow director support from hardware (eg. Fortville x710 NIC card).
The Input and Output FIFOs will be implemented using DPDK Ring Buffers.
-===================
-5. Components of vFW
-===================
+Components of vFW
+====================
+
In vFW, each component is constructed using packet framework pipelines.
It includes Rx and Tx Driver, Master pipeline, load balancer pipeline and
vfw worker pipeline components. A Pipeline framework is a collection of input
ports, table(s),output ports and actions (functions).
+---------------------------
Receive and Transmit Driver
-******************************
+---------------------------
Packets will be received in bulk and provided to LoadBalancer(LB) thread.
Transimit takes packets from worker threads in a dedicated ring and sent to
hardware queue.
+---------------------------
Master Pipeline
-******************************
+---------------------------
The Master component is part of all the IP Pipeline applications. This component
does not process any packets and should configure with Core 0, to allow
other cores for processing of the traffic. This component is responsible for
- 1. Initializing each component of the Pipeline application in different threads
- 2. Providing CLI shell for the user control/debug
- 3. Propagating the commands from user to the corresponding components
+1. Initializing each component of the Pipeline application in different threads
+2. Providing CLI shell for the user control/debug
+3. Propagating the commands from user to the corresponding components
+------------------
ARPICMP Pipeline
-******************************
+------------------
This pipeline processes the APRICMP packets.
+---------------
TXRX Pipelines
-******************************
+---------------
The TXTX and RXRX pipelines are pass through pipelines to forward both ingress
and egress traffic to Loadbalancer. This is required when the Software
Loadbalancer is used.
+----------------------
Load Balancer Pipeline
-******************************
+----------------------
The vFW support both hardware and software balancing for load balancing of
traffic across multiple VNF threads. The Hardware load balancing require support
from hardware like Flow Director for steering of packets to application through
@@ -126,8 +132,9 @@ port, dest addr, dest port and protocol) applying an XOR logic distributing to
active worker threads, thereby maintaining an affinity of flows to worker
threads.
+---------------
vFW Pipeline
-******************************
+---------------
The vFW performs the basic packet filtering and will drop the invalid and
malformed packets.The Dynamic packet filtering done using the connection tracker
library. The packets are processed in bulk and Hash table is used to maintain
@@ -135,32 +142,41 @@ the connection details.
Every TCP/UDP packets are passed through connection tracker library for valid
connection. The ACL library integrated to firewall provide rule based filtering.
-vFW Topology:
------------------------
+vFW Topology
+------------------------
+
::
+
IXIA(Port 0)-->(Port 0)VNF(Port 1)-->(Port 1) IXIA
operation:
- Egress --> The packets sent out from ixia(port 0) will be Firewalled to ixia(port 1).
- Igress --> The packets sent out from ixia(port 1) will be Firewalled to ixia(port 0).
+ Egress --> The packets sent out from ixia(port 0) will be Firewalled to ixia(port 1).
+ Igress --> The packets sent out from ixia(port 1) will be Firewalled to ixia(port 0).
-vFW Topology (L4REPLAY):
------------------------------------
+vFW Topology (L4REPLAY)
+------------------------------------
+
::
+
IXIA(Port 0)-->(Port 0)VNF(Port 1)-->(Port 0)L4REPLAY
operation:
- Egress --> The packets sent out from ixia will pass through vFW to L3FWD/L4REPLAY.
- Ingress --> The L4REPLAY upon reception of packets (Private to Public Network),
- will immediately replay back the traffic to IXIA interface. (Pub -->Priv).
+ Egress --> The packets sent out from ixia will pass through vFW to L3FWD/L4REPLAY.
+ Ingress --> The L4REPLAY upon reception of packets (Private to Public Network),
+ will immediately replay back the traffic to IXIA interface. (Pub -->Priv).
-How to run L4Replay:
--------------------
+How to run L4Replay
+--------------------
+After the installation of samplevnf
+
::
- 1. After the installation of samplevnf:
- go to <samplevnf/VNFs/L4Replay>
- 2. ./buid/L4replay -c core_mask -n no_of_channels(let it be as 2) -- -p PORT_MASK --config="(port,queue,lcore)"
+
+ go to <samplevnf/VNFs/L4Replay>
+ ./buid/L4replay -c core_mask -n no_of_channels(let it be as 2) -- -p PORT_MASK --config="(port,queue,lcore)"
eg: ./L4replay -c 0xf -n 4 -- -p 0x3 --config="(0,0,1)"
-6. Installation, Compile and Execution
------------------------------------------------------------------
+Installation, Compile and Execution
+====================================
Plase refer to <samplevnf>/docs/vFW/INSTALL.rst for installation, configuration,
compilation and execution.