Stateful Flow Table - SFT 2020 DPDK Userspace Summit
Stateful Flow Table – SFT
ANDREY VESNOVATY
ORI KAM
3. Agenda
• SFT Intro
• Connection tracking
• What is SFT?
• Basic concept
• Operations
• Why SFT?
• API
• SFT lib
• SFT PMD
• RTE flow
• SFT example
4. SFT Intro
• Connection tracking library
Keeps track of the state of network connections:
• TCP streams
• UDP datagrams
• ICMP messages
• Flow context
SW framework for applications that need to maintain context across the different packets of a connection
5. SFT Intro (cont.)
• NG Firewalls
• IPS/IDS
• WAF
• VSwitch
• Gateways
• L4 load balancers / ADCs
All share the same feature path!!
6. SFT Intro - Application pipeline
[Diagram: Ingress -> Conn Track -> Inspect -> Business Logic -> Forward/Drop. The Conn Track stage is where SFT sits; RTE flow covers the ingress and forward/drop ends, the application the stages in between.]
7. Connection Tracking – Definitions
• Initiator
The first packet of the connection arrives from the initiator
• Initiate (reverse flow)
The response side of the connection
• Bidirectional flows
Tracking flow by endpoints (L3/L5 addressing)
8. Connection Tracking – Identifying flows (cont)
• 5-tuple
(Src IP, Src port, IP Proto, Dest IP, Dest port)
• Reverse 5-tuple
There are network configurations where the reverse 5-tuple is not the mirror of the initiator's 5-tuple (NAT)
9. Connection Tracking – Identifying flows (cont)
• Is a 5-tuple enough to identify a flow?
• VLAN – partitioning
• VxLAN - tunneling
There are more cases of complicated network configuration where the "inner" 5-tuple may collide
• Zone
Differentiator for flows having the same 5-tuple
• VLAN - VLAN ID
• VxLAN – VNI
• 6-tuple
(zone, 5-tuple)
10. Connection Tracking – States
• New
• No previous record
• Will be Established if transport proto validation passed
• Established
• Existing record
• Transport proto validation passed
• Tracked – tracking status
• Related – relates to existing record
• Invalid – proto validation failed
11. SFT - Definition
• Stateful – connection tracking and more
• CT state
• Multiple application defined contexts
• Flow aging
• Flow
Same contexts maintained for both flow directions
• Table
• Cross flow references
• Resource management
• Global view
12. SFT in application pipeline
[Diagram: Ingress -> SFT -> Inspect -> Business Logic -> Forward/Drop. The SFT stage holds the CT state and the application contexts (App CTXs); RTE flow covers the ingress and forward/drop ends, the application the stages in between.]
13. SFT First In Flow packet (FIF)
[Diagram in RTE flow / SFT / App lanes: Ingress -> SFT lookup -> FIF? -> FIF validation -> New SFT flow (or Drop when validation fails) -> Update CT state -> PKT process.]
14. SFT First In Flow packet
• Flow table lookup miss
Prepare for new flow creation
• Validation
• Basic transport proto validation check
• App validation
• Anti DDOS
• Complete flow creation
• Allocation & initialization
• Prepare application defined contexts
15. SFT Handle existing flow packet
[Same diagram as slide 13, with the lookup-hit path highlighted: Ingress -> SFT lookup -> not FIF -> Update CT state -> PKT process.]
16. SFT - Handle existing flow packet
• Flow table lookup hit
• Acquire flow context
• Handle OOO
• Connection tracking state
Analyze received packet
17. SFT Aging
• Flow max aging
The time period since the last packet of the flow arrived; once it is exceeded, the flow is considered aged
• SFT Overflow
• HW resources
• App memory allocated for SFT
• SFT Overflow handling
• Provide more resources, or deallocate the resources of aged flows
• Dynamically update max aging for selected flows
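Added example, not SFT library code, modelling the aging and overflow policy of this slide in plain C: a per-flow max aging, a sweep that releases flows idle for longer than that, and overflow handling that lowers the max aging of selected flows (those that never reached Established) so the next sweep reclaims them first. Table size, watermark and timeout values are constructed for the demo.

```c
#include <stdint.h>
#include <stdbool.h>

/* Added example, not SFT library code: a software model of the aging policy on
 * this slide. Every flow records when its last packet arrived and its own max
 * aging; a sweep releases flows idle for longer than that, and when the table
 * nears its resource limit (overflow) the max aging of flows that never reached
 * Established is lowered so the next sweep reclaims them first. Watermark and
 * timeout values below are constructed for the demo, not taken from the RFC. */

#define TABLE_SIZE 8
#define OVERFLOW_WATERMARK 6   /* occupancy at which overflow handling kicks in */
#define DEFAULT_MAX_AGING 30   /* seconds */
#define OVERFLOW_MAX_AGING 5   /* seconds, applied to selected flows under overflow */

enum ct_state { CT_NEW, CT_ESTABLISHED };

struct flow {
    bool used;
    uint32_t fid;
    enum ct_state state;
    uint32_t last_seen;    /* time of the last packet, seconds */
    uint32_t max_aging;    /* idle time after which the flow is considered aged */
};

struct sft { struct flow f[TABLE_SIZE]; unsigned in_use; };

static int sft_add(struct sft *s, uint32_t fid, enum ct_state st, uint32_t now)
{
    for (int i = 0; i < TABLE_SIZE; i++) {
        if (s->f[i].used) continue;
        s->f[i] = (struct flow){ true, fid, st, now, DEFAULT_MAX_AGING };
        s->in_use++;
        return 0;
    }
    return -1;   /* HW resources / app memory for the SFT are exhausted */
}

/* Called for every packet of an existing flow: refreshes the idle timer. */
static void sft_touch(struct sft *s, uint32_t fid, uint32_t now)
{
    for (int i = 0; i < TABLE_SIZE; i++)
        if (s->f[i].used && s->f[i].fid == fid) s->f[i].last_seen = now;
}

/* Aging sweep: a flow is aged once now - last_seen exceeds its max_aging.
 * Returns the number of flows released. */
static unsigned sft_age(struct sft *s, uint32_t now)
{
    unsigned freed = 0;
    for (int i = 0; i < TABLE_SIZE; i++) {
        if (!s->f[i].used || now - s->f[i].last_seen <= s->f[i].max_aging) continue;
        s->f[i].used = false;
        s->in_use--;
        freed++;
    }
    return freed;
}

/* Overflow handling: above the watermark, shorten the max aging of flows that never
 * reached Established; they are the cheapest to give up. Returns how many changed. */
static unsigned sft_handle_overflow(struct sft *s)
{
    unsigned adjusted = 0;
    if (s->in_use < OVERFLOW_WATERMARK) return 0;
    for (int i = 0; i < TABLE_SIZE; i++) {
        if (!s->f[i].used || s->f[i].state == CT_ESTABLISHED) continue;
        if (s->f[i].max_aging > OVERFLOW_MAX_AGING) {
            s->f[i].max_aging = OVERFLOW_MAX_AGING;
            adjusted++;
        }
    }
    return adjusted;
}

/* Constructed scenario: six flows created at t=0, two Established and four stuck in
 * New. At t=10 a plain sweep frees nothing (30 s timeout); after overflow handling
 * the same sweep reclaims the four New flows and the Established ones survive.
 * Returns 0 when every step behaves as described. */
static int demo_overflow(void)
{
    struct sft s = {0};
    for (uint32_t fid = 1; fid <= 6; fid++)
        sft_add(&s, fid, fid <= 2 ? CT_ESTABLISHED : CT_NEW, 0);
    sft_touch(&s, 1, 3);                           /* flow 1 keeps receiving traffic */
    if (sft_age(&s, 10) != 0) return -1;           /* nothing idle for more than 30 s */
    if (sft_handle_overflow(&s) != 4) return -2;   /* the four New flows get 5 s */
    if (sft_age(&s, 10) != 4 || s.in_use != 2) return -3;
    if (sft_age(&s, 31) != 1 || s.in_use != 1) return -4;   /* flow 2 ages, flow 1 (idle 28 s) stays */
    return 0;
}
```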
18. SFT offloading
[Diagram: Ingress -> SFT lookup -> Inspect -> Business Logic -> Forward/Drop, split into an HW part (the SFT lookup) and an SW part (the rest). Full offload is based on the CT state.]
19. SFT – Why?
• Lookup acceleration
• HW assisted aging
• Full offload of Established connections
• Multiple applications need same logic
• Identify flow by 6-tuple
• Handle OOO
• CT state
• Multiple application defined contexts
• Flow aging
20. SFT – Why? (cont.)
• NG Firewalls
• IPS/IDS
• WAF
• VSwitch
• Gateways
• L4 load balancers / ADCs
All share the same feature path!!
21. SFT Main SW Modules
[Diagram of the main SW modules: App, rte_flow, SFT Lib and SFT PMD. The App uses rte_flow and the SFT Lib; the SFT Lib calls into the SFT PMD.]
22. SFT API
• Signature
int rte_sft_process_mbuf(struct rte_mbuf *mbuf_in, struct rte_mbuf **mbuf_out, struct rte_sft_flow_status *status, struct rte_sft_error *error);
• Description
The main SFT function. It is called for each mbuf and returns the SFT status for this packet. It also implements the ordering and fragmentation logic. Using this function assumes that the zone was set on the mbuf using rte_flow. It calls the decode function in the PMD.
23. SFT API - cont
• Signature
int rte_sft_process_mbuf_with_zone(struct rte_mbuf *mbuf_in, uint32_t zone, struct rte_mbuf **mbuf_out, struct rte_sft_flow_status *status, struct rte_sft_error *error);
• Description
Just like rte_sft_process_mbuf, with the small difference that the zone comes from the application and was not set in the packet.
24. SFT API - cont
• Signature
int rte_sft_flow_activate(uint32_t fid, const struct rte_sft_7tuple *reverse_tuple, const struct rte_flow_item_sft *ctx, uint8_t ct_enable, uint8_t dev_id, uint8_t port_id, struct rte_sft_flow_status *status, struct rte_sft_error *error);
• Description
Commits the connection to the HW and binds the reverse flow.
25. SFT API - cont
• Signature
int rte_sft_flow_create(const struct rte_sft_7tuple *tuple, const struct rte_sft_7tuple *reverse_tuple, const struct rte_flow_item_sft *ctx, uint8_t ct_enable, struct rte_sft_flow_status *status, struct rte_sft_error *error);
• Description
Offloads a flow to the SFT without receiving the first packet.
26. SFT API - cont
• Signature
int rte_sft_flow_set_ctx(uint32_t fid, const struct rte_flow_item_sft *ctx, struct rte_sft_error *error);
• Description
Sets the state and user context for the given connection.
27. SFT Main SW Modules – rte flow
[Same module diagram as slide 21, with rte_flow highlighted.]
28. RTE flow API changes
• New RTE flow action: RTE_FLOW_ACTION_TYPE_SFT
Sets the requested zone and sends the packet to the SFT HW component.
This action is not a terminating action and should normally be followed by a jump action.
Example:
flow create 0 ingress group 0 pattern eth / end actions sft / jump group 2 / end
• New RTE flow item: RTE_FLOW_ITEM_TYPE_SFT
Enables matching on the state defined by the app and on user data.
Example:
flow create 0 ingress group 2 pattern sft.state = invalid / queue index 1 / end
29. SFT Main SW Modules – PMD
[Same module diagram as slide 21, with the SFT PMD highlighted.]
30. SFT PMD
• The SFT PMD is part of the ethdev PMD
• It supplies the following functionality:
• Offload the SFT rule to the HW.
• Restore the state of the packet.
31. SFT PMD API
• Signature
typedef struct rte_sft_entry *(*sft_entry_create_t)(struct rte_eth_dev *dev, const struct rte_sft_5tuple *tuple, const struct rte_sft_5tuple *nat_tuple, const uint32_t aging, const struct rte_flow_item_sft *ctx, const uint32_t fid, uint16_t *queue_index, struct rte_sft_error *error);
• Description
This function creates an entry in the HW that matches the requested 5-tuple. If the 5-tuple is matched, the packet is marked with the fid. If a NAT tuple is supplied, the packet header is modified accordingly. If aging is greater than 0, aging is done on this connection. The PMD should keep whatever information it requires in order to restore the state when getting packets from the application.
32. SFT PMD API
• Signature
typedef int (*sft_entry_destroy_t)(struct rte_eth_dev *dev, struct rte_sft_entry *entry, struct rte_sft_error *error);
• Description
Destroys the SFT entry.
33. SFT PMD API
• Signature
typedef struct rte_flow_item_sft *(*sft_entry_mbuf_decode_ctx_t)(struct rte_eth_dev *dev, const struct rte_mbuf *mbuf, struct rte_sft_error *error);
• Description
Returns the SFT state that was set for the packet. The state should be extracted from the mbuf.
34. Example security
• System description
A simple gateway application that receives UDP traffic on a given port and forwards it after a security check.
The application should offload the traffic after the connection is established.
In this example we only show a one-way connection.
35. Example flow
[Flowchart. HW: "5 tuple match && state = established?" Yes -> send traffic to the hairpin queue (no SW involvement). No -> SW: "Security check passed?" No -> add packet to the security client; Yes -> change SFT state to Established and send the queued packets to the wire.]
36. Example packet flow – first packet
[Diagram with HW and SW lanes (SFT PMD, SFT Lib, App logic): Ingress -> SFT HW -> "5 tuple + established?" No -> App. Annotations: Sft.state = undefined; Process_packet() // get state; activate(state = investigate).]
37. Example packet flow – second packet to packet N
[Same diagram as slide 36. Annotations: Sft.state = investigate; Process_packet().]
38. Example packet flow – packet N
[Same diagram as slide 36. Annotations: Sft.state = investigate; Process_packet(); set_ctx(state = established).]
39. Example packet flow – packet N+1
[Same diagram as slide 36, now taking the "5 tuple + established?" Yes -> Continue process branch in HW. Annotation on the slide: Sft.state = investigate.]
40. Example code
flow_create group 0 ingress pattern eth / end actions sft / jump group 1;
flow_create group 1 ingress pattern sft.state = established / queue index 1 // hairpin queue
flow_create group 1 ingress pattern sft.state = investigate / queue index 0 // normal queue
flow_create group 1 ingress pattern sft.state = undefined / queue index 0 // normal queue
41-42. Example code
while (1) {
    rx_burst();
    for each packet {
        rte_sft_process_mbuf(mbuf, status);   /* restore fid and state for this packet */
        if (status.state == undefined) {      /* first time the app sees the packet */
            check_ddos(mbuf);
            rte_sft_flow_activate(status.fid, state = investigate);
            rte_sft_flow_set_client_obj(status.fid);
            security_res = security_process(mbuf, client_obj);
        }
        if (status.state == investigate) {
            rte_sft_flow_get_client_obj();
            security_res = security_process(mbuf, client_obj);
        }
        if (security_res == established) {
            rte_sft_flow_set_ctx(status.fid, state = established);   /* matched by the group 1 hairpin rule */
            clear_packets();   /* send the queued packets to the wire */
        }
    }
}
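The example application of slides 34 to 42, as an added host-only model in C (not the deck's pseudocode and not the RFC API): the hardware stage is a table lookup on 5-tuple and state, the application drives the undefined -> investigate -> established transitions, and packets are held in the client object until the security check passes. The mock_* names, the security policy and the counters are assumptions of this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
/* Added example, not the deck's code nor the DPDK SFT RFC: a host-only model of the
 * gateway on slides 34-42. The "HW" stage is a lookup on (5-tuple, state); only flows
 * in the Established state take the hairpin path and bypass the application. Names
 * such as mock_process_mbuf, security_process and the policy constants are constructed. */
#define MAX_FLOWS 16
#define MAX_QUEUED 8
#define NEEDED_PACKETS 3      /* constructed policy: 3 clean datagrams before offload */
#define MAX_UDP_PAYLOAD 512   /* constructed policy: larger payloads fail the check */
enum sft_state { ST_UNDEFINED, ST_INVESTIGATE, ST_ESTABLISHED };
enum verdict { V_PENDING, V_ESTABLISHED, V_FAIL };
struct tuple5 { uint32_t src_ip, dst_ip; uint16_t src_port, dst_port; uint8_t proto; };
struct pkt { struct tuple5 t; uint16_t payload_len; };
struct client_obj { unsigned seen, nqueued; struct pkt queued[MAX_QUEUED]; };  /* app context */
struct sft_flow { bool used; struct tuple5 t; enum sft_state state; struct client_obj client; };
struct sft_status { uint32_t fid; enum sft_state state; };

static struct sft_flow flows[MAX_FLOWS];
static unsigned hw_forwarded, wire_sent, dropped;   /* counters for the demo */

static bool tuple_eq(const struct tuple5 *a, const struct tuple5 *b)
{
    return a->src_ip == b->src_ip && a->dst_ip == b->dst_ip && a->proto == b->proto &&
           a->src_port == b->src_port && a->dst_port == b->dst_port;
}

static int find_flow(const struct tuple5 *t)
{
    for (int i = 0; i < MAX_FLOWS; i++)
        if (flows[i].used && tuple_eq(&flows[i].t, t)) return i;
    return -1;
}

/* Stands in for rte_sft_process_mbuf(): restore fid and state, allocating a record
 * in state undefined on a lookup miss. */
static int mock_process_mbuf(const struct pkt *p, struct sft_status *st)
{
    int i = find_flow(&p->t);
    if (i < 0) {
        for (i = 0; i < MAX_FLOWS && flows[i].used; i++) {}
        if (i == MAX_FLOWS) return -1;
        flows[i] = (struct sft_flow){ .used = true, .t = p->t, .state = ST_UNDEFINED };
    }
    st->fid = (uint32_t)i;
    st->state = flows[i].state;
    return 0;
}

/* Security check: hold the packet, pass once NEEDED_PACKETS clean datagrams were
 * seen, fail on an oversized one. */
static enum verdict security_process(const struct pkt *p, struct client_obj *c)
{
    if (p->payload_len > MAX_UDP_PAYLOAD) return V_FAIL;
    if (c->nqueued < MAX_QUEUED) c->queued[c->nqueued++] = *p;
    c->seen++;
    return c->seen >= NEEDED_PACKETS ? V_ESTABLISHED : V_PENDING;
}

/* One packet through the slide-40 rules and the slide-41/42 loop body. */
static void handle_packet(const struct pkt *p)
{
    int i = find_flow(&p->t);
    if (i >= 0 && flows[i].state == ST_ESTABLISHED) { hw_forwarded++; return; }  /* HW hairpin */
    struct sft_status st; enum verdict v = V_PENDING;
    if (mock_process_mbuf(p, &st) < 0) { dropped++; return; }   /* table full */
    struct sft_flow *f = &flows[st.fid];
    if (st.state == ST_UNDEFINED) {                /* first time the app sees this flow */
        f->state = ST_INVESTIGATE;                 /* rte_sft_flow_activate(fid, investigate) */
        memset(&f->client, 0, sizeof f->client);   /* rte_sft_flow_set_client_obj(fid) */
        v = security_process(p, &f->client);
    } else if (st.state == ST_INVESTIGATE) {
        v = security_process(p, &f->client);       /* client obj via rte_sft_flow_get_client_obj */
    }
    if (v == V_ESTABLISHED) {
        f->state = ST_ESTABLISHED;                 /* rte_sft_flow_set_ctx(fid, established) */
        wire_sent += f->client.nqueued;            /* clear_packets(): queued packets go to the wire */
        f->client.nqueued = 0;
    } else if (v == V_FAIL) {
        f->used = false;                           /* constructed: tear the flow down, drop the packet */
        dropped++;
    }
}

/* Constructed scenario: five datagrams of one UDP flow. Packets 1-3 reach the app and are
 * held, packet 3 flushes all three to the wire, packets 4-5 are forwarded by "HW".
 * Returns wire_sent*100 + hw_forwarded*10 + dropped. */
static unsigned demo_one_way_udp(void)
{
    memset(flows, 0, sizeof flows);
    hw_forwarded = wire_sent = dropped = 0;
    struct pkt p = { { 0x0A000005, 0x0A000009, 40000, 5353, 17 }, 100 };
    for (int n = 0; n < 5; n++) handle_packet(&p);
    return wire_sent * 100 + hw_forwarded * 10 + dropped;
}
```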
43. Call for action
• RFC was submitted.
• Working very hard to get it into 20.11
• RFC patches can be found at:
• https://patches.dpdk.org/cover/77084/
• Contacts:
• Ori Kam: orika@nvidia.com
• Andrey Vesnovaty: andreyv@nvidia.com


Editor's Notes

  • #22: As we can see, the SFT directly controls the SFT PMD and receives the packets through rte_flow via the application. In the following slides we will have a quick look at the main APIs of each of those components. Please remember that this is just at RFC level, so much of the API is expected to change. We will start with the SFT lib API.
  • #23: The main SFT function. This function should be called for each mbuf; it returns the state of the connection that this buffer is part of.
  • #24: Same as the previous function, but in this case the zone is received from the application and not from inside the mbuf.
  • #25: This is the function used to create the connection. It has two main functions: bind the reverse tuple to the connection created by the initiator packet, and offload the connection to the SFT HW. This offload results in much faster lookup, but it doesn't mean that the flow is fully offloaded yet. The full offload is only controlled by the application using rte_flow.
  • #26: Enables manual insertion of connections into the SFT (no previous packet was received). This can be used for pre-allocated connections, or for example in the case of FTP to create the shadow connection (based on the FTP control flow).
  • #27: This function is used to change the state of a connection.
  • #28: The RTE flow API changes.
  • #29: The sft action sends the traffic to the SFT HW. It should be followed by a terminating action that will be executed after the SFT HW. Show example.
  • #34: This function decodes the connection state and fid for the given mbuf.
  • #36: In this slide we can see the application flow. A packet arrives at the HW and is matched against the 5-tuple and the connection state. The reason we also match on the 5-tuple is that, depending on the 5-tuple, we can add different actions, for example count / apply different encap and so on. In case of a miss the packet goes to the application, which runs the SFT and the security check. The security check can take any number of packets. When completed, the stored packets are sent to the wire and the state is changed to established, which means that no more packets of this connection will be seen by the app. The green boxes encapsulate both rte flow and SFT.
  • #37: First packet arrives, the state is invalid. The application calls process_packet in the SFT lib, which calls the SFT PMD to restore the state and connection id. Based on this the application activates the connection with an investigate state.
  • #38: Second packet arrives, the state is investigate. The application calls process_packet in the SFT lib, which calls the SFT PMD to restore the state and connection id. The investigate state is returned. Based on this the application activates the connection with an investigate state.
  • #39: Packet N arrives, the state is investigate. The application calls process_packet in the SFT lib, which calls the SFT PMD to restore the state and connection id. Based on the app logic the app changes the state to established. Based on this the application activates the connection with an investigate state.
  • #40: All the traffic is offloaded; there is no more app involvement.