See this PDF.
Implementing a Firewall using dpdk and CUDA
| line rate | 100 Mbit/s | 500 Mbit/s | 1 Gbit/s | 5 Gbit/s | 10 Gbit/s | 20 Gbit/s | 40 Gbit/s |
|---|---|---|---|---|---|---|---|
| status\* | reached | reached | reached | reached | reached | pending | pending |

\* tested using iperf3 and two Mellanox ConnectX-3 NICs (40GigE)
| packet rate | with tap forward | without tap forward |
|---|---|---|
| measured\*\* | ~2.8 Mpps | ~12.5 Mpps |

\*\* tested using pktgen-dpdk against the asynchronous execution model (async branch), with two Mellanox ConnectX-3 NICs (40GigE)
- working bitvector search using CUDA
- make use of the dpdk table api
- simple 5-tuple rule syntax with DROP/ACCEPT actions
- l2 polling on the trunk port and l2 forward to the corresponding tap iface if the lookup succeeds and the highest-priority matching rule has an ACCEPT action (no match or a DROP rule means the packet is not forwarded)
- simple l2 forward of incoming packets from the tap to the trunk port
- switch from tap to kni
- add better stats collection to the firewall
- improve speed of the bitvector search
- misc. refactoring
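How the 5-tuple lookup listed above works, as an added example in plain C (this is not the project's CUDA kernel or its dpdk table code): the classic bit-vector algorithm. At rule-load time each field's value space is cut into elementary intervals at the rule boundaries (`lo` and `hi+1` of every rule), and each interval stores the bitvector of rules that cover it. A lookup then does one binary search per field, ANDs the five vectors, and the lowest set bit is the highest-priority matching rule; no set bit means no rule matched, which this example treats as DROP. The rule shape taken by `add_rule`, the sample rule set and the 64-rule limit (one `uint64_t` word) are assumptions made for this example, not the project's rule file syntax.

```c
#include <stdint.h>
#include <stdlib.h>

#define NFIELDS    5                  /* src ip, dst ip, proto, src port, dst port */
#define MAX_RULES  64                 /* one uint64_t bitvector word; widen for larger rule sets */
#define MAX_BOUNDS (2 * MAX_RULES + 1)
enum action { DROP = 0, ACCEPT = 1 };

/* Inclusive range per field; the rule's index is its priority, index 0 wins. */
struct rule { uint32_t lo[NFIELDS], hi[NFIELDS]; enum action act; };

/* One field: elementary intervals [start[i], start[i+1]) and, per interval, the rules covering it. */
struct field_index {
    int n;
    uint64_t start[MAX_BOUNDS];       /* 64-bit so hi+1 cannot overflow for hi = UINT32_MAX */
    uint64_t bv[MAX_BOUNDS];          /* bit r set <=> rule r matches every value in the interval */
};
struct classifier { int nrules; struct rule rules[MAX_RULES]; struct field_index idx[NFIELDS]; };

static int cmp_u64(const void *a, const void *b) {
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Preprocessing: every rule's lo and hi+1 on field f is a boundary; between two consecutive
 * boundaries the set of matching rules is constant, so it is computed once into a bitvector. */
static void build_field(struct classifier *c, int f) {
    struct field_index *ix = &c->idx[f];
    uint64_t b[MAX_BOUNDS];
    int nb = 0, i, r;
    b[nb++] = 0;
    for (r = 0; r < c->nrules; r++) { b[nb++] = c->rules[r].lo[f]; b[nb++] = (uint64_t)c->rules[r].hi[f] + 1; }
    qsort(b, nb, sizeof b[0], cmp_u64);
    ix->n = 0;
    for (i = 0; i < nb; i++) {
        if (i && b[i] == b[i - 1]) continue;                /* skip duplicate boundaries */
        ix->start[ix->n] = b[i];
        ix->bv[ix->n] = 0;
        for (r = 0; r < c->nrules; r++)
            if (c->rules[r].lo[f] <= b[i] && b[i] <= c->rules[r].hi[f]) ix->bv[ix->n] |= (uint64_t)1 << r;
        ix->n++;
    }
}
void classifier_build(struct classifier *c) { for (int f = 0; f < NFIELDS; f++) build_field(c, f); }

/* Per-field lookup: binary search for the largest start[i] <= v, return that interval's bitvector. */
static uint64_t field_lookup(const struct field_index *ix, uint32_t v) {
    int lo = 0, hi = ix->n - 1;
    while (lo < hi) {
        int mid = (lo + hi + 1) / 2;
        if (ix->start[mid] <= v) lo = mid; else hi = mid - 1;
    }
    return ix->bv[lo];
}

/* Highest-priority rule matching all five fields, or -1. ANDing the five per-field vectors leaves
 * exactly the rules that match the whole tuple; the lowest set bit is the winner. */
int classifier_match(const struct classifier *c, const uint32_t key[NFIELDS]) {
    uint64_t acc = ~(uint64_t)0;
    for (int f = 0; f < NFIELDS && acc; f++) acc &= field_lookup(&c->idx[f], key[f]);
    if (!acc) return -1;
    int r = 0;
    while (!(acc & ((uint64_t)1 << r))) r++;
    return r;
}

uint32_t ip4(int a, int b, int c, int d) { return ((uint32_t)a << 24) | (b << 16) | (c << 8) | d; }

/* Constructed rule shape for this example (not the project's rule file syntax):
 * src/plen, dst/plen, proto, dst port range, any src port; plen 0 means any address. */
static void add_rule(struct classifier *c, uint32_t src, int sl, uint32_t dst, int dl,
                     uint32_t proto, uint32_t dp_lo, uint32_t dp_hi, enum action act) {
    struct rule *r = &c->rules[c->nrules++];
    uint32_t net[2] = { src, dst }; int plen[2] = { sl, dl };
    for (int f = 0; f < 2; f++) {
        uint32_t mask = plen[f] == 0 ? 0 : ~(uint32_t)0 << (32 - plen[f]);
        r->lo[f] = net[f] & mask; r->hi[f] = net[f] | ~mask;
    }
    r->lo[2] = r->hi[2] = proto;
    r->lo[3] = 0; r->hi[3] = 65535; r->lo[4] = dp_lo; r->hi[4] = dp_hi;
    r->act = act;
}

/* Sample rule set (constructed), highest priority first. Rule 0 shadows rule 1 for port 23. */
static const struct classifier *sample(void) {
    static struct classifier c; static int built;
    if (!built) {
        add_rule(&c, 0, 0, ip4(10,0,0,0), 24, 6, 23, 23, DROP);                     /* 0: no telnet into 10.0.0.0/24 */
        add_rule(&c, ip4(192,168,1,0), 24, ip4(10,0,0,0), 24, 6, 0, 65535, ACCEPT); /* 1: TCP from the LAN */
        add_rule(&c, 0, 0, ip4(10,0,0,53), 32, 17, 53, 53, ACCEPT);                 /* 2: DNS to the resolver */
        classifier_build(&c);
        built = 1;
    }
    return &c;
}

/* Winning rule index for a 5-tuple against the sample set, or -1 if nothing matches. */
int sample_match(uint32_t src, uint32_t dst, uint32_t proto, uint32_t sport, uint32_t dport) {
    uint32_t key[NFIELDS] = { src, dst, proto, sport, dport };
    return classifier_match(sample(), key);
}

/* Default deny: 1 only if the winning rule says ACCEPT; no match at all means the packet is dropped. */
int sample_accepts(uint32_t src, uint32_t dst, uint32_t proto, uint32_t sport, uint32_t dport) {
    int r = sample_match(src, dst, proto, sport, dport);
    return r >= 0 && sample()->rules[r].act == ACCEPT;
}
```

The preprocessing is quadratic in the rule count but happens once; the per-packet work is five binary searches plus five word-wide ANDs, which is what makes the scheme a good fit for a GPU, where the vectors are wider than one word and the AND is done in parallel across words and packets. Note that a packet matching nothing is dropped, so ordering mistakes in the rule file fail closed rather than open, and that a more specific DROP rule only wins if it is listed before the broader ACCEPT rule it shadows.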
- use `isolcpus` to isolate at least two adjacent logical cores
- force device-managed flow steering, e.g. for Mellanox ConnectX-3: `mlx4_core.log_num_mgm_entry_size=-1`
- example (regenerate the grub config and reboot afterwards):
```
GRUB_CMDLINE_LINUX_DEFAULT="quiet isolcpus=2,3 mlx4_core.log_num_mgm_entry_size=-1"
```
- build dpdk (>=21.08), then build the firewall:
```
make all
```
- run (the example below uses cores 0-1; pass the cores you isolated with `isolcpus` to `-l`, i.e. `-l2-3` for the GRUB line above; `fw0` is the tap iface that accepted packets are forwarded to):
```
sudo ./firewall -l0-1 --vdev=net_tap0,iface=fw0 rules.txt
ip a add <some ip 1> dev fw0
```
- on the second host, on the iface connected to the trunk port:
```
ip a add <some ip 2> dev <some connected iface>
```
- now test, e.g. with ping or iperf3 between the two addresses