NVIDIA DOCA Firewall Application Guide
This document provides an example of a firewall implementation on top of the NVIDIA® BlueField® DPU.
A firewall application is a network security application that leverages the DPU's hardware capability to monitor incoming and outgoing network traffic and allow or block packets based on a set of preconfigured rules.
The firewall application is based on DOCA Flow gRPC, used for remote programming of the DPU's hardware.
The firewall can operate in two modes:
- Static mode – the user supplies the firewall application with a JSON file of 5-tuple rules describing the packets to be dropped. Packets that do not match any of the 5-tuples are forwarded by a hairpin pipe.
- Interactive mode – the user adds rules from the command line in real time, so different firewall rules can be applied while the application runs.
The firewall application is designed to run on the host and to use DOCA Flow gRPC client to send instructions to a server that runs on the BlueField DPU instance. The DPU intercepts ingress traffic from the wire and either drops it or forwards it to the egress port using a hairpin. The decision is made using traffic classification.
The firewall runs on top of DOCA Flow gRPC to classify packets.
3.1. Static Mode
- The firewall application builds 4 pipes for each port: one control pipe, two drop pipes, and a hairpin pipe.
- The drop pipes match only 5-tuple traffic with specific source and destination IPs and source and destination ports.
- One of the drop pipes matches TCP traffic and the other matches UDP.
- The hairpin pipe matches every packet (no misses).
- The control pipe serves as the root pipe and has two entries: the first entry forwards TCP traffic to the TCP drop pipe, and the second entry forwards UDP traffic to the UDP drop pipe.
- The hairpin pipe serves as the forwarding-miss target of the drop pipes. Therefore, every received packet is checked first against the drop pipes. If there is a match, the packet is dropped; otherwise, it misses to the hairpin pipe, where it is matched and forwarded to the egress port.
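The following is an added example (not part of the DOCA application) that models the static-mode pipe hierarchy just described in plain Python so the classification order can be traced: the control pipe steers by L4 type, the drop pipes hold one exact-match entry per 5-tuple rule, and a drop-pipe miss lands in the hairpin pipe. The pipe names, the 5-tuple rules and the "no_match" result for non-TCP/UDP traffic (a case the guide does not describe) are assumptions of the model.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple, Union

@dataclass(frozen=True)
class FiveTuple:
    l4: str        # "tcp" or "udp" (the guide's drop pipes only handle these two)
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int

@dataclass
class Pipe:
    """One pipe: ordered (match predicate, target) entries plus an optional fwd_miss pipe.
    A target is another Pipe or a terminal action string ("drop" / "hairpin")."""
    name: str
    entries: List[Tuple[Callable[[FiveTuple], bool], Union["Pipe", str]]] = field(default_factory=list)
    fwd_miss: Optional["Pipe"] = None

    def process(self, pkt: FiveTuple, trace: List[str]) -> str:
        trace.append(self.name)
        for match, target in self.entries:
            if match(pkt):
                return target.process(pkt, trace) if isinstance(target, Pipe) else target
        if self.fwd_miss is None:   # assumption: the guide does not describe a control-pipe miss
            return "no_match"
        return self.fwd_miss.process(pkt, trace)

def build_port_pipes(rules: List[FiveTuple]) -> Pipe:
    """Build one port's four pipes as the static-mode section lays them out (names are ours)."""
    hairpin = Pipe("hairpin", entries=[(lambda p: True, "hairpin")])   # matches every packet
    tcp_drop = Pipe("tcp_drop", fwd_miss=hairpin)                      # drop-pipe miss -> hairpin
    udp_drop = Pipe("udp_drop", fwd_miss=hairpin)
    for rule in rules:   # each 5-tuple from the JSON file becomes one exact-match drop entry
        (tcp_drop if rule.l4 == "tcp" else udp_drop).entries.append((lambda p, r=rule: p == r, "drop"))
    # Root control pipe: entry 1 steers TCP to the TCP drop pipe, entry 2 steers UDP to the UDP one.
    return Pipe("control", entries=[(lambda p: p.l4 == "tcp", tcp_drop),
                                    (lambda p: p.l4 == "udp", udp_drop)])

def classify(root: Pipe, pkt: FiveTuple) -> Tuple[str, List[str]]:
    """Return the verdict and the pipes traversed, in order."""
    trace: List[str] = []
    return root.process(pkt, trace), trace

# Constructed sample rules: addresses from the guide's entry example plus RFC 5737 test addresses.
RULES = [FiveTuple("udp", "10.1.20.208", "10.1.3.216", 5000, 53),
         FiveTuple("tcp", "192.0.2.10", "192.0.2.20", 40000, 443)]
ROOT = build_port_pipes(RULES)
```

Changing a single port in a rule's 5-tuple is enough to move a packet from the drop verdict to the hairpin path, which is the behaviour the static-mode section describes.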
3.2. Interactive Mode
Running in interactive mode initializes 2 ports, and the user then configures the pipes and entries.
- When adding a pipe or an entry, the relevant structs must be created with separate commands beforehand.
- Optional parameters must be specified by the user on the command line; otherwise, NULL is used.
- After a pipe or an entry is created successfully, its ID is printed for future use.
Available commands:
- create [struct] [field=value,…]
- Struct options: pipe_match, entry_match, match_mask, actions, monitor, fwd, fwd_miss
- Match struct fields:

| Field | Field Options |
|---|---|
| flags | |
| out_src_mac | |
| out_dst_mac | |
| out_eth_type | |
| out_vlan_id | |
| out_src_ip_type | ipv4, ipv6 |
| out_src_ip_addr | |
| out_dst_ip_type | ipv4, ipv6 |
| out_dst_ip_addr | |
| out_l4_type | tcp, udp, gre |
| out_tcp_flags | FIN, SYN, RST, PSH, ACK, URG, ECE, CWR |
| out_src_port | |
| out_dst_port | |
| tun_type | |
| vxlan-tun_id | |
| gre_key | |
| gtp_teid | |
| in_src_mac | |
| in_dst_mac | |
| in_eth_type | |
| in_vlan_id | |
| in_src_ip_type | ipv4, ipv6 |
| in_src_ip_addr | |
| in_dst_ip_type | ipv4, ipv6 |
| in_dst_ip_addr | |
| in_l4_type | tcp, udp |
| in_tcp_flags | FIN, SYN, RST, PSH, ACK, URG, ECE, CWR |
| in_src_port | |
| in_dst_port | |

- Actions struct fields:

| Field | Field Options |
|---|---|
| decap | true, false |
| mod_src_mac | |
| mod_dst_mac | |
| mod_src_ip_type | ipv4, ipv6 |
| mod_src_ip_addr | |
| mod_dst_ip_type | ipv4, ipv6 |
| mod_dst_ip_addr | |
| mod_src_port | |
| mod_dst_port | |
| dec_ttl | true, false |
| has_encap | true, false |
| encap_src_mac | |
| encap_dst_mac | |
| encap_src_ip_type | ipv4, ipv6 |
| encap_src_ip_addr | |
| encap_dst_ip_type | ipv4, ipv6 |
| encap_dst_ip_addr | |
| encap_tup_type | vxlan, gtpu, gre |
| encap_vxlan-tun_id | |
| encap_gre_key | |
| encap_gtp_teid | |

- FWD struct fields:

| Field | Field Options |
|---|---|
| type | rss, port, pipe, drop |
| rss_flags | |
| rss_queues | |
| num_of_queues | |
| rss_mark | |
| port_id | |
| next_pipe_id | |

- Monitor struct fields:
  - flags
  - id
  - cir
  - cbs
  - aging
The following is an example for creating a pipe and adding an entry:
create pipe_match out_l4_type=udp,out_src_ip_type=ipv4,out_src_ip_addr=0xffffffff,out_dst_ip_type=ipv4,out_dst_ip_addr=0xffffffff
create fwd type=drop
create fwd_miss type=pipe,next_pipe_id=1
create pipe port_id=0,name=drop,root_enable=1,fwd=1,fwd_miss=1
create pipe succeed with pipe id: 2
create entry_match out_src_ip_type=ipv4,out_src_ip_addr=10.1.20.208,out_dst_ip_type=ipv4,out_dst_ip_addr=10.1.3.216
add entry pipe_id=2,pipe_queue=0
add entry succeed with entry id: 0
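As an added example (not part of the DOCA application), the following Python validator parses the interactive-mode "create [struct] [field=value,…]" syntax shown above and rejects unknown structs, unknown fields and option values the struct tables do not list, so a typo in a rule is caught before the command is sent to the DPU. The schema is our transcription of a subset of the tables (outer-header match fields, fwd, and the pipe fields used in the example); "pipe" is taken from the example command rather than from the struct options list.

```python
from typing import Dict, List, Optional, Set, Tuple

IP_TYPES = {"ipv4", "ipv6"}
TCP_FLAGS = {"FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"}
# struct -> {field: allowed option values, or None for a free-form value}; a subset of the tables above.
SCHEMA: Dict[str, Dict[str, Optional[Set[str]]]] = {
    "pipe_match": {
        "out_src_ip_type": IP_TYPES, "out_src_ip_addr": None,
        "out_dst_ip_type": IP_TYPES, "out_dst_ip_addr": None,
        "out_l4_type": {"tcp", "udp", "gre"}, "out_tcp_flags": TCP_FLAGS,
        "out_src_port": None, "out_dst_port": None,
    },
    "fwd": {"type": {"rss", "port", "pipe", "drop"}, "rss_flags": None, "rss_queues": None,
            "num_of_queues": None, "rss_mark": None, "port_id": None, "next_pipe_id": None},
    "pipe": {"port_id": None, "name": None, "root_enable": None, "fwd": None, "fwd_miss": None},
}
SCHEMA["entry_match"] = SCHEMA["match_mask"] = SCHEMA["pipe_match"]   # same match fields
SCHEMA["fwd_miss"] = SCHEMA["fwd"]

def parse_create(line: str) -> Tuple[str, Dict[str, str]]:
    """Parse 'create <struct> field=value,...'; raise ValueError for anything the tables do not allow."""
    parts = line.strip().split(maxsplit=2)
    if len(parts) < 2 or parts[0] != "create":
        raise ValueError(f"not a create command: {line!r}")
    struct = parts[1]
    if struct not in SCHEMA:
        raise ValueError(f"unknown struct {struct!r}")
    fields: Dict[str, str] = {}
    for kv in (parts[2].split(",") if len(parts) == 3 else []):
        key, sep, value = kv.partition("=")
        if not sep or not value:
            raise ValueError(f"malformed field {kv!r}")
        if key not in SCHEMA[struct]:
            raise ValueError(f"{key!r} is not a {struct} field")
        allowed = SCHEMA[struct][key]
        if allowed is not None and value not in allowed:
            raise ValueError(f"{key}={value!r} not one of {sorted(allowed)}")
        fields[key] = value
    return struct, fields

def validate_script(lines: List[str]) -> Tuple[bool, str]:
    """Check every 'create' line of a script before any of it is sent to the DPU."""
    for n, line in enumerate(lines, 1):
        if line.startswith("create "):
            try:
                parse_create(line)
            except ValueError as err:
                return False, f"line {n}: {err}"
    return True, ""
```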
This application leverages the DOCA Flow library.
- Refer to the following documents:
- NVIDIA DOCA Installation Guide for Linux for details on how to install BlueField-related software.
- NVIDIA DOCA Troubleshooting Guide for any issue you may encounter with the installation, compilation, or execution of DOCA applications.
- NVIDIA DOCA Applications Overview for additional compilation instructions and development tips regarding the DOCA applications.
- The firewall example binary is located under /opt/mellanox/doca/applications/firewall/bin/doca_firewall.
  Note:
  Before building the application, make sure that gRPC support is enabled. Set the enable_grpc_support flag in /opt/mellanox/doca/applications/meson_options.txt to true.
- To build all the applications together, run:
  cd /opt/mellanox/doca/applications/
  meson build
  ninja -C build
- To build only the firewall application:
  Note:
  - Edit the following flags in /opt/mellanox/doca/applications/meson_options.txt:
    - Set enable_all_applications to false
    - Set enable_firewall to true
  - Run the build commands from the previous step (cd /opt/mellanox/doca/applications/, meson build, ninja -C build).
  doca_firewall will be created under ./build/firewall/src/.
Application usage:
Usage: doca_firewall [DOCA Flags] [Program Flags]
DOCA Flags:
  -h, --help                        Print a help synopsis
  -v, --version                     Print program version information
  -l, --log-level                   Set the log level for the program <CRITICAL=20, ERROR=30, WARNING=40, INFO=50, DEBUG=60>
  --grpc-address ip_address[:port]  Set the IP address for the grpc server
Program Flags:
  -m, --mode                        Set running mode {static, interactive}
  -r, --firewall-rules <path>       Path to the JSON file with 5-tuple rules when running with static mode
Note:
For additional information on the app use -h:
/opt/mellanox/doca/applications/firewall/bin/doca_firewall -h
- Running the application on the host:
- For instructions on running the DOCA Flow gRPC server on the BlueField, refer to NVIDIA DOCA gRPC Infrastructure User Guide.
- CLI example for running the app in interactive mode:
/opt/mellanox/doca/applications/firewall/bin/doca_firewall --grpc-address 192.168.101.2 -l 50 -m interactive
- CLI example for running the app in static mode:
/opt/mellanox/doca/applications/firewall/bin/doca_firewall --grpc-address 192.168.101.2 -l 50 -m static -r firewall_rules.json
- To run doca_firewall using a JSON file:
  doca_firewall --json [json_file]
  For example:
  cd /opt/mellanox/doca/applications/firewall/bin
  ./doca_firewall --json firewall_params.json
Refer to NVIDIA DOCA Arg Parser User Guide for more information.
| Flag Type | Short Flag | Long Flag/JSON Key | Description | JSON Content |
|---|---|---|---|---|
| General Flags | l | log-level | Set the log level for the application: CRITICAL=20, ERROR=30, WARNING=40, INFO=50, DEBUG=60 | |
| | v | version | Print program version information | N/A |
| | h | help | Print a help synopsis | N/A |
| | - | grpc-address | Set the IP address for the gRPC server | |
| Program Flags | m | mode | Set running mode {static, interactive}. Note: This flag is mandatory. | |
| | r | firewall-rules | Path to JSON rules file | |
