author | Anand B Jyoti <anand.b.jyoti@intel.com> | 2017-07-04 10:26:39 +0530 |
---|---|---|
committer | Deepak S <deepak.s@linux.intel.com> | 2017-07-14 06:23:48 +0000 |
commit | 29bfcbc9b8c1d9b1ebe62e3170524f0c53467110 (patch) | |
tree | d341463204cbf96d3703e7bfaa1c14fc5c6f2691 /docs/vFW/README.rst | |
parent | 82416b375a275837689cddfd1782d82996fecaca (diff) |
docs: Update install and release docs for DPDK migration support
JIRA: SAMPLEVNF-48
Updating INSTALL.rst and RELEASE_NOTES.rst for DPDK migration
support. The additional files are created to make it as per the
opnfv document standard to generate the html files.
Change-Id: I4b0af4c3afeef91fc806285b02c0ce47d61ebfbd
Signed-off-by: Anand B Jyoti <anand.b.jyoti@intel.com>
Diffstat (limited to 'docs/vFW/README.rst')
-rw-r--r-- | docs/vFW/README.rst | 78 |
1 files changed, 47 insertions, 31 deletions
diff --git a/docs/vFW/README.rst b/docs/vFW/README.rst index 45e8a17d..cc3c2b40 100644 --- a/docs/vFW/README.rst +++ b/docs/vFW/README.rst @@ -4,11 +4,11 @@ .. (c) opnfv, national center of scientific research "demokritos" and others. ======================================================== -Virtual Firewall - vFW +vFW - Readme ======================================================== -1. Introduction -============== +Introduction +=============== The virtual firewall (vFW) is an application implements Firewall. vFW is used as a barrier between secure internal and an un-secure external network. The firewall performs Dynamic Packet Filtering. This involves keeping track of the @@ -19,6 +19,7 @@ be performed by Connection Tracking component, similar to that supported in linux. The firewall also supports Access Controlled List(ACL) for rule based policy enforcement. Firewall is built on top of DPDK and uses the packet library. +---------- About DPDK ---------- The DPDK IP Pipeline Framework provides a set of libraries to build a pipeline @@ -29,12 +30,12 @@ This document assumes the reader possesses the knowledge of DPDK concepts and packet framework. For more details, read DPDK Getting Started Guide, DPDK Programmers Guide, DPDK Sample Applications Guide. -2. Scope +Scope ========== This application provides a standalone DPDK based high performance vFW Virtual Network Function implementation. -3. Features +Features =========== The vFW VNF currently supports the following functionality: • Basic packet filtering (malformed packets, IP fragments) @@ -52,7 +53,7 @@ The vFW VNF currently supports the following functionality: • ICMP (terminal echo, echo response, passthrough) • ICMPv6 and ND (Neighbor Discovery) -4. High Level Design +High Level Design ==================== The Firewall performs basic filtering for malformed packets and dynamic packet filtering incoming packets using the connection tracker library. 
@@ -77,41 +78,46 @@ across multiple worker threads. The hardware loadbalancing require ethernet flow director support from hardware (eg. Fortville x710 NIC card). The Input and Output FIFOs will be implemented using DPDK Ring Buffers. -=================== -5. Components of vFW -=================== +Components of vFW +==================== + In vFW, each component is constructed using packet framework pipelines. It includes Rx and Tx Driver, Master pipeline, load balancer pipeline and vfw worker pipeline components. A Pipeline framework is a collection of input ports, table(s),output ports and actions (functions). +--------------------------- Receive and Transmit Driver -****************************** +--------------------------- Packets will be received in bulk and provided to LoadBalancer(LB) thread. Transimit takes packets from worker threads in a dedicated ring and sent to hardware queue. +--------------------------- Master Pipeline -****************************** +--------------------------- The Master component is part of all the IP Pipeline applications. This component does not process any packets and should configure with Core 0, to allow other cores for processing of the traffic. This component is responsible for - 1. Initializing each component of the Pipeline application in different threads - 2. Providing CLI shell for the user control/debug - 3. Propagating the commands from user to the corresponding components +1. Initializing each component of the Pipeline application in different threads +2. Providing CLI shell for the user control/debug +3. Propagating the commands from user to the corresponding components +------------------ ARPICMP Pipeline -****************************** +------------------ This pipeline processes the APRICMP packets. +--------------- TXRX Pipelines -****************************** +--------------- The TXTX and RXRX pipelines are pass through pipelines to forward both ingress and egress traffic to Loadbalancer. 
This is required when the Software Loadbalancer is used. +---------------------- Load Balancer Pipeline -****************************** +---------------------- The vFW support both hardware and software balancing for load balancing of traffic across multiple VNF threads. The Hardware load balancing require support from hardware like Flow Director for steering of packets to application through @@ -126,8 +132,9 @@ port, dest addr, dest port and protocol) applying an XOR logic distributing to active worker threads, thereby maintaining an affinity of flows to worker threads. +--------------- vFW Pipeline -****************************** +--------------- The vFW performs the basic packet filtering and will drop the invalid and malformed packets.The Dynamic packet filtering done using the connection tracker library. The packets are processed in bulk and Hash table is used to maintain 
@@ -135,32 +142,41 @@ the connection details. Every TCP/UDP packets are passed through connection tracker library for valid connection. The ACL library integrated to firewall provide rule based filtering. -vFW Topology: ------------------------ +vFW Topology +------------------------ + :: + IXIA(Port 0)-->(Port 0)VNF(Port 1)-->(Port 1) IXIA operation: - Egress --> The packets sent out from ixia(port 0) will be Firewalled to ixia(port 1). - Igress --> The packets sent out from ixia(port 1) will be Firewalled to ixia(port 0). + Egress --> The packets sent out from ixia(port 0) will be Firewalled to ixia(port 1). + Igress --> The packets sent out from ixia(port 1) will be Firewalled to ixia(port 0). -vFW Topology (L4REPLAY): ------------------------------------ +vFW Topology (L4REPLAY) +------------------------------------ + :: + IXIA(Port 0)-->(Port 0)VNF(Port 1)-->(Port 0)L4REPLAY operation: - Egress --> The packets sent out from ixia will pass through vFW to L3FWD/L4REPLAY. - Ingress --> The L4REPLAY upon reception of packets (Private to Public Network), - will immediately replay back the traffic to IXIA interface. (Pub -->Priv). + Egress --> The packets sent out from ixia will pass through vFW to L3FWD/L4REPLAY. + Ingress --> The L4REPLAY upon reception of packets (Private to Public Network), + will immediately replay back the traffic to IXIA interface. (Pub -->Priv). -How to run L4Replay: -------------------- +How to run L4Replay +-------------------- +After the installation of samplevnf + :: - 1. After the installation of samplevnf: - go to <samplevnf/VNFs/L4Replay> - 2. ./buid/L4replay -c core_mask -n no_of_channels(let it be as 2) -- -p PORT_MASK --config="(port,queue,lcore)" + + go to <samplevnf/VNFs/L4Replay> + ./buid/L4replay -c core_mask -n no_of_channels(let it be as 2) -- -p PORT_MASK --config="(port,queue,lcore)" eg: ./L4replay -c 0xf -n 4 -- -p 0x3 --config="(0,0,1)" -6. 
Installation, Compile and Execution ------------------------------------------------------------------ +Installation, Compile and Execution +==================================== Plase refer to <samplevnf>/docs/vFW/INSTALL.rst for installation, configuration, compilation and execution. |
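
Review bot: In the `@@ -19,6 +19,7 @@` hunk, the overline added above "About DPDK" starts an overline-plus-underline dash style that the later hunks also apply to "Receive and Transmit Driver" through "vFW Pipeline", but the last hunk leaves "vFW Topology", "vFW Topology (L4REPLAY)" and "How to run L4Replay" with underline-only dashes. docutils treats the two adornments as different section levels, so those three headings will render nested under "vFW Pipeline" instead of beside it. If they are meant to be siblings, give them the same overline; if the nesting is intended, say so in the commit message.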
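
Review bot: In the `@@ -77,41 +78,46 @@` hunk, the text directly under the re-styled headings still carries misspellings that will now ship in the generated HTML: "Transimit" under "Receive and Transmit Driver", "APRICMP" under the "ARPICMP Pipeline" heading, and "TXTX and RXRX pipelines" under "TXRX Pipelines". Since the patch already touches every one of these sections, please correct the body text in the same change so the heading and its description use the same component name.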
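
Review bot: In the `@@ -135,32 +142,41 @@` hunk, the re-added command line `./buid/L4replay -c core_mask ...` keeps what looks like a misspelling of `build`, and the `eg:` line below it runs `./L4replay` with no directory at all, so a reader copying either line from the new literal block may not find the binary. Please make the two lines use the same path, and replace "go to <samplevnf/VNFs/L4Replay>" with an actual `cd` command now that it sits inside a literal block. The usage text also says `no_of_channels(let it be as 2)` while the example passes `-n 4`; pick one. Minor: "Igress" in the first topology block should match "Ingress" in the L4REPLAY block, and "Plase refer" in the final paragraph should read "Please refer".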