FSM: Inline Protection NFQUEUE Enhancement

Design

This feature enhances the FSM by using multiple Netfilter nfqueues in router mode. De-multiplexing the traffic across several queues lets specific traffic types, such as DNS, be prioritized.

Controller Involvement

Step 1: Configuring the FSM to make it aware of the existence of multiple queues.

Step 2: The core_dpi_dispatch plugin needs to be instructed to use multiple nfqueues to tap traffic. It can be configured as:

$ ovsh -j s Flow_Service_Manager_Config -w handler==core_dpi_dispatch
[
    {
        "if_name": "br-home.dpi",
        "_version": [
            "uuid",
            "XXXXX9f7-d05f-4bf3-8431-fd4b04d145bd"
        ],
        "other_config": [
            "map",
            [
                [
                    "excluded_devices",
                    "${all_gateways}"
                ],
                [
                    "tap_type",
                    "fsm_tap_nfqueues"
                ],
                [
                    "queue_num",
                    "M-N"
                ]
            ]
        ],
        "type": "dpi_dispatcher",
        "plugin": "",
        "_uuid": [
            "uuid",
            "XXXXX6ad-b3de-4f8f-bc5c-35f92f949e3d"
        ],
        "pkt_capt_filter": "",
        "handler": "core_dpi_dispatch"
    }
]

In the above schema, the other_config "queue_num" parameter configures multiple nfqueues as a range "M-N", where:

  • M(0) → first queue number (lower queue number)

  • N(1) → last queue number (higher queue number)

If queue_num is not specified as part of other_config, a single queue with queue number 0 is created.

With multiple queues configured, traffic is assigned to the queues as follows:

  • DNS traffic queue number → 1

  • Rest of the traffic queue number → 0 (the same as for the single queue implementation)

Step 3: Configure the OVSDB Netfilter entries.
These are the four extra iptables rules to be added to support multiple NFQUEUEs. Here DNS traffic is redirected to queue 1.

iptables -t mangle -I FORWARD -p udp --dport 53 -m connmark --mark 0x1 -j NFQUEUE --queue-num 1 --queue-bypass
iptables -t mangle -I FORWARD -p udp --sport 53 -m connmark --mark 0x1 -j NFQUEUE --queue-num 1 --queue-bypass
iptables -t mangle -I INPUT -p udp --dport 53 -m connmark --mark 0x1 -j NFQUEUE --queue-num 1 --queue-bypass
iptables -t mangle -I OUTPUT -p udp --dport 53 -m connmark --mark 0x1 -j NFQUEUE --queue-num 1 --queue-bypass

Equivalent Netfilter rules:

ovsh i Netfilter name:="dev_dpi.nfqueue_dns_out" priority:=0 protocol:="ipv4" rule:="-p udp --dport 53 -m connmark --mark 0x1 --queue-num 1 --queue-bypass" status:="enabled" table:="mangle" target:="NFQUEUE" chain:="DPI_NFQUEUE" enable:="true"
ovsh i Netfilter name:="dev_dpi.nfqueue_dns_in" priority:=0 protocol:="ipv4" rule:="-p udp --sport 53 -m connmark --mark 0x1 --queue-num 1 --queue-bypass" status:="enabled" table:="mangle" target:="NFQUEUE" chain:="DPI_NFQUEUE" enable:="true"

OpenFlow rules and iptables rules for the single NFQUEUE implementation remain unaltered. These additional rules enable support for multiple nfqueues.
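As an added example, not part of the original design note or of the OpenSync code base, the check below parses the queue_num range out of a Flow_Service_Manager_Config record (in the OVSDB JSON form shown above) and verifies mangle-table NFQUEUE rules against it: every rule must target a queue inside the configured range and carry --queue-bypass. The record and the iptables-save style rule lines are constructed samples; the catch-all rule to queue 0 and the bad rule to queue 2 are assumptions used to exercise the check.

```python
import json
import re

# Constructed sample: the relevant part of an `ovsh -j s Flow_Service_Manager_Config` record.
SAMPLE_RECORD = json.loads('{"handler": "core_dpi_dispatch", "if_name": "br-home.dpi", '
    '"other_config": ["map", [["tap_type", "fsm_tap_nfqueues"], ["queue_num", "0-1"]]]}')

# Constructed sample mangle-table rules (iptables-save form): the DNS rules from the note,
# an assumed catch-all rule to queue 0, and one deliberately bad rule (queue 2, no bypass).
SAMPLE_RULES = """
-A FORWARD -p udp -m udp --dport 53 -m connmark --mark 0x1 -j NFQUEUE --queue-num 1 --queue-bypass
-A FORWARD -p udp -m udp --sport 53 -m connmark --mark 0x1 -j NFQUEUE --queue-num 1 --queue-bypass
-A FORWARD -m connmark --mark 0x1 -j NFQUEUE --queue-num 0 --queue-bypass
-A INPUT -p udp -m udp --dport 53 -m connmark --mark 0x1 -j NFQUEUE --queue-num 2
"""

def other_config(record):
    """Flatten the OVSDB ["map", [[k, v], ...]] value into a plain dict."""
    kind, pairs = record.get("other_config", ["map", []])
    return dict(pairs) if kind == "map" else {}

def queue_range(record):
    """Queue numbers the FSM config declares: {0} if queue_num is absent, else M..N inclusive."""
    value = other_config(record).get("queue_num")
    if value is None:
        return {0}
    m = re.fullmatch(r"(\d+)-(\d+)", value.strip())
    if not m:
        raise ValueError(f"queue_num must be 'M-N', got {value!r}")
    lo, hi = int(m.group(1)), int(m.group(2))
    if lo > hi:
        raise ValueError(f"queue_num range {value!r} has M > N")
    return set(range(lo, hi + 1))

NFQ_RE = re.compile(r"-j NFQUEUE --queue-num (\d+)(?P<rest>.*)$")

def check_rules(record, rules_text):
    """List problems in the NFQUEUE rules: a queue outside the configured range, or a rule
    without --queue-bypass (packets are dropped whenever no FSM process is bound to the queue)."""
    queues = queue_range(record)
    problems = []
    for line in rules_text.strip().splitlines():
        m = NFQ_RE.search(line)
        if not m:
            continue  # not an NFQUEUE rule
        qnum = int(m.group(1))
        if qnum not in queues:
            problems.append(f"queue {qnum} outside configured range {sorted(queues)}: {line}")
        if "--queue-bypass" not in m.group("rest"):
            problems.append(f"missing --queue-bypass: {line}")
    return problems
```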

Published Content

https://www.opensync.io/s/EDE-021-030-501_FSM_Plugins.pdf

https://www.opensync.io/s/ERE-021-061-701_FSM_Plugin_Requirements.pdf