Design
This feature enhances the FSM using multiple Netfilter nfqueues in router mode. De-multiplexing the traffic helps prioritize specific traffic types, such as DNS.
Controller Involvement
Step 1: Configure the FSM so that it is aware of the multiple queues.
Step 2: Instruct the core_dpi_dispatch plugin to tap traffic through multiple nfqueues. It is configured as follows:
$ ovsh -j s Flow_Service_Manager_Config -w handler==core_dpi_dispatch
[
  {
    "if_name": "br-home.dpi",
    "_version": [ "uuid", "XXXXX9f7-d05f-4bf3-8431-fd4b04d145bd" ],
    "other_config": [
      "map",
      [
        [ "excluded_devices", "${all_gateways}" ],
        [ "tap_type", "fsm_tap_nfqueues" ],
        [ "queue_num", "M-N" ]
      ]
    ],
    "type": "dpi_dispatcher",
    "plugin": "",
    "_uuid": [ "uuid", "XXXXX6ad-b3de-4f8f-bc5c-35f92f949e3d" ],
    "pkt_capt_filter": "",
    "handler": "core_dpi_dispatch"
  }
]
In the schema above, the other_config key "queue_num" holds the nfqueue range "M-N", where:
M(0) → first queue number (lower queue number)
N(1) → last queue number (higher queue number)
If queue_num is not specified as part of other_config, a single queue with queue number 0 is created.
DNS traffic queue number → 1
Rest of the traffic queue number → 0 (the same as for single queue implementation)
Step 3: Configure the OVSDB Netfilter entries.
Four extra iptables rules are added to support multiple NFQUEUEs; they redirect DNS traffic to queue 1.

iptables -t mangle -I FORWARD -p udp --dport 53 -m connmark --mark 0x1 -j NFQUEUE --queue-num 1 --queue-bypass
iptables -t mangle -I FORWARD -p udp --sport 53 -m connmark --mark 0x1 -j NFQUEUE --queue-num 1 --queue-bypass
iptables -t mangle -I INPUT -p udp --dport 53 -m connmark --mark 0x1 -j NFQUEUE --queue-num 1 --queue-bypass
iptables -t mangle -I OUTPUT -p udp --dport 53 -m connmark --mark 0x1 -j NFQUEUE --queue-num 1 --queue-bypass

Equivalent Netfilter rules:

ovsh i Netfilter name:="dev_dpi.nfqueue_dns_out" priority:=0 protocol:="ipv4" rule:="-p udp --dport 53 -m connmark --mark 0x1 --queue-num 1 --queue-bypass" status:="enabled" table:="mangle" target:="NFQUEUE" chain:="DPI_NFQUEUE" enable:="true"
ovsh i Netfilter name:="dev_dpi.nfqueue_dns_in" priority:=0 protocol:="ipv4" rule:="-p udp --sport 53 -m connmark --mark 0x1 --queue-num 1 --queue-bypass" status:="enabled" table:="mangle" target:="NFQUEUE" chain:="DPI_NFQUEUE" enable:="true"
The OpenFlow rules and iptables rules of the single-NFQUEUE implementation remain unaltered; the additional rules above add support for multiple nfqueues.
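As an added example (not OpenSync project code), the following Python script ties Steps 2 and 3 together: it loads the ovsh row shown in Step 2, reads "queue_num" from other_config and derives the nfqueue range (including the single-queue default when the key is absent), renders the four Step 3 iptables rules from a small table, models which queue those rules steer a packet to, and checks that the DNS queue lies inside the configured range. The sample row (with "M-N" filled in as "0-1"), the function names, and the treatment of unmarked or non-DNS traffic as queue 0 are assumptions; the XXXXX uuids are the page's own placeholders.

```python
"""Added example, not OpenSync project code: parse the core_dpi_dispatch
other_config from the ovsh row in Step 2, derive the nfqueue range from
"queue_num", and model which queue the Step 3 mangle-table rules steer a
packet to."""
import json

# Constructed sample: the ovsh -j output shown in Step 2 with "M-N" filled in
# as "0-1"; the XXXXX... uuids are the page's own placeholders.
FSM_CONFIG_JSON = """[{"if_name": "br-home.dpi",
  "_version": ["uuid", "XXXXX9f7-d05f-4bf3-8431-fd4b04d145bd"],
  "other_config": ["map", [["excluded_devices", "${all_gateways}"],
                           ["tap_type", "fsm_tap_nfqueues"],
                           ["queue_num", "0-1"]]],
  "type": "dpi_dispatcher", "plugin": "",
  "_uuid": ["uuid", "XXXXX6ad-b3de-4f8f-bc5c-35f92f949e3d"],
  "pkt_capt_filter": "", "handler": "core_dpi_dispatch"}]"""

DNS_QUEUE = 1      # queue number used by the DNS rules (--queue-num 1)
DEFAULT_QUEUE = 0  # rest of the traffic, as in the single-queue implementation

# The four mangle-table DNS rules from Step 3 as (chain, port match) pairs.
DNS_RULES = (("FORWARD", "--dport"), ("FORWARD", "--sport"),
             ("INPUT", "--dport"), ("OUTPUT", "--dport"))


def other_config_map(row):
    """Convert the OVSDB ["map", [[key, value], ...]] column into a dict."""
    kind, pairs = row["other_config"]
    if kind != "map":
        raise ValueError("other_config is not an OVSDB map")
    return dict(pairs)


def parse_queue_range(other_config):
    """Return (first, last) from the "queue_num" value "M-N".
    A missing queue_num means a single queue with number 0."""
    value = other_config.get("queue_num")
    if value is None:
        return (0, 0)
    try:
        first_s, last_s = value.split("-", 1)
        first, last = int(first_s), int(last_s)
    except ValueError:
        raise ValueError(f"queue_num must look like M-N, got {value!r}") from None
    if first < 0 or last < first:
        raise ValueError(f"queue_num range is out of order: {value!r}")
    return (first, last)


def queue_range_from_ovsh(ovsh_json):
    """Read the queue range from the ovsh -j output of the dispatcher row."""
    rows = json.loads(ovsh_json)
    dispatcher = next(r for r in rows if r["handler"] == "core_dpi_dispatch")
    return parse_queue_range(other_config_map(dispatcher))


def dns_rule_iptables(chain, port_match):
    """Render one of the Step 3 iptables rules from its (chain, port match) pair."""
    return (f"iptables -t mangle -I {chain} -p udp {port_match} 53 "
            f"-m connmark --mark 0x1 -j NFQUEUE --queue-num {DNS_QUEUE} --queue-bypass")


def queue_for_packet(chain, proto, sport, dport, connmark):
    """Model the rule set: a UDP/53 packet on a 0x1-marked connection that matches
    one of the DNS rules for its chain goes to queue 1. Everything else is assumed
    to be tapped by the unchanged single-queue rules, i.e. queue 0."""
    for rule_chain, port_match in DNS_RULES:
        if rule_chain != chain or proto != "udp" or connmark != 0x1:
            continue
        port = dport if port_match == "--dport" else sport
        if port == 53:
            return DNS_QUEUE
    return DEFAULT_QUEUE


def dns_queue_is_served(queue_range):
    """True when queue 1 lies inside the configured range, i.e. the FSM will bind
    a listener to it. With --queue-bypass, packets sent to a queue that has no
    listener are accepted unchanged instead of being dropped."""
    first, last = queue_range
    return first <= DNS_QUEUE <= last


if __name__ == "__main__":
    rng = queue_range_from_ovsh(FSM_CONFIG_JSON)
    print("configured nfqueue range:", rng, "DNS queue served:", dns_queue_is_served(rng))
    for chain, port_match in DNS_RULES:
        print(dns_rule_iptables(chain, port_match))
    print("FORWARD udp sport 53 ->", queue_for_packet("FORWARD", "udp", 53, 40000, 0x1))
    print("INPUT   udp sport 53 ->", queue_for_packet("INPUT", "udp", 53, 40000, 0x1))
```

The range check is the part worth keeping on a gateway: the DNS rules carry --queue-bypass, so if queue_num is left at the single-queue default and no listener is bound to queue 1, the kernel accepts those DNS packets as if the target were ACCEPT, and they cross the gateway without DPI rather than being dropped. The chain-aware model also makes visible that, with exactly the rules listed above, UDP replies from source port 53 reach queue 1 only on FORWARD; INPUT and OUTPUT carry --dport 53 rules only, so such replies remain on queue 0.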
Published Content
https://www.opensync.io/s/EDE-021-030-501_FSM_Plugins.pdf
https://www.opensync.io/s/ERE-021-061-701_FSM_Plugin_Requirements.pdf