FSM: Inline Protection NFQUEUE Enhancement

Design

This feature enhances the FSM by using multiple Netfilter nfqueues in router mode. De-multiplexing the tapped traffic across queues makes it possible to prioritize specific traffic types, such as DNS.

Controller Involvement

Step 1: Configure the FSM so that it is aware of the existence of multiple queues.

Step 2: Instruct the core_dpi_dispatch plugin to use multiple nfqueues to tap traffic. It can be configured as follows:

$ ovsh -j s Flow_Service_Manager_Config -w handler==core_dpi_dispatch
[
    {
        "if_name": "br-home.dpi",
        "_version": [
            "uuid",
            "XXXXX9f7-d05f-4bf3-8431-fd4b04d145bd"
        ],
        "other_config": [
            "map",
            [
                [
                    "excluded_devices",
                    "${all_gateways}"
                ],
                [
                    "tap_type",
                    "fsm_tap_nfqueues"
                ],
                [
                    "queue_num",
                    "M-N"
                ]
            ]
        ],
        "type": "dpi_dispatcher",
        "plugin": "",
        "_uuid": [
            "uuid",
            "XXXXX6ad-b3de-4f8f-bc5c-35f92f949e3d"
        ],
        "pkt_capt_filter": "",
        "handler": "core_dpi_dispatch"
    }
]

In the above schema, the other_config "queue_num" parameter configures the range of nfqueues, where:

  • M (0) → first queue number (lower queue number)

  • N (1) → last queue number (higher queue number)

If queue_num is not specified in other_config, a single queue with queue number 0 is created. With multiple queues configured, traffic is de-multiplexed as follows:

  • DNS traffic → queue number 1

  • Rest of the traffic → queue number 0 (the same as for the single queue implementation)

Step 3: Configure the OVSDB Netfilter entries.
These are the four extra iptables rules to be added to support multiple NFQUEUEs. Here DNS traffic is redirected to queue 1.

iptables -t mangle -I FORWARD -p udp --dport 53 -m connmark --mark 0x1 -j NFQUEUE --queue-num 1 --queue-bypass
iptables -t mangle -I FORWARD -p udp --sport 53 -m connmark --mark 0x1 -j NFQUEUE --queue-num 1 --queue-bypass
iptables -t mangle -I INPUT -p udp --dport 53 -m connmark --mark 0x1 -j NFQUEUE --queue-num 1 --queue-bypass
iptables -t mangle -I OUTPUT -p udp --dport 53 -m connmark --mark 0x1 -j NFQUEUE --queue-num 1 --queue-bypass

Equivalent Netfilter rules:

ovsh i Netfilter name:="dev_dpi.nfqueue_dns_out" priority:=0 protocol:="ipv4" rule:="-p udp --dport 53 -m connmark --mark 0x1 --queue-num 1 --queue-bypass" status:="enabled" table:="mangle" target:="NFQUEUE" chain:="DPI_NFQUEUE" enable:="true"
ovsh i Netfilter name:="dev_dpi.nfqueue_dns_in" priority:=0 protocol:="ipv4" rule:="-p udp --sport 53 -m connmark --mark 0x1 --queue-num 1 --queue-bypass" status:="enabled" table:="mangle" target:="NFQUEUE" chain:="DPI_NFQUEUE" enable:="true"

OpenFlow rules and iptables rules for the single NFQUEUE implementation remain unaltered. These additional rules configure support for multiple nfqueues.
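As an added consistency check (example code written for this page, not OpenSync's own), the script below reads a core_dpi_dispatch row in the JSON shape shown in Step 2, derives the queue numbers FSM will bind from queue_num, and verifies that a DNS Netfilter rule points at one of those queues; the sample row, the placeholder UUID and the helper names are constructed. It also reports --queue-bypass, which per the iptables NFQUEUE target makes the rule behave like ACCEPT when no userspace listener is bound to the queue.

```python
"""Added example (not OpenSync code): check the nfqueue numbering of a
core_dpi_dispatch row against the DNS Netfilter rules. The sample row,
the placeholder UUID and the helper names are constructed."""
import json
import re

# Constructed sample in the shape of `ovsh -j s Flow_Service_Manager_Config`
SAMPLE_ROWS = json.loads("""[{
  "if_name": "br-home.dpi", "handler": "core_dpi_dispatch", "type": "dpi_dispatcher",
  "_uuid": ["uuid", "00000000-0000-0000-0000-000000000000"],
  "other_config": ["map", [["excluded_devices", "${all_gateways}"],
                           ["tap_type", "fsm_tap_nfqueues"],
                           ["queue_num", "0-1"]]]
}]""")

def other_config(row):
    """Flatten an OVSDB map column (["map", [[k, v], ...]]) into a dict."""
    kind, pairs = row["other_config"]
    if kind != "map":
        raise ValueError("other_config is not an OVSDB map")
    return dict(pairs)

def queue_numbers(row):
    """Queue numbers FSM binds for this row: 'M-N' -> [M..N]; absent -> [0]."""
    value = other_config(row).get("queue_num")
    if value is None:
        return [0]
    m = re.fullmatch(r"(\d+)-(\d+)", value)
    if not m:
        raise ValueError(f"queue_num must look like 'M-N', got {value!r}")
    first, last = int(m.group(1)), int(m.group(2))
    if first > last:
        raise ValueError("queue_num: M (first queue) must not exceed N (last queue)")
    return list(range(first, last + 1))

def check_nfqueue_rule(rule, queues):
    """Findings for one Netfilter 'rule' string; an empty list means it is consistent."""
    findings = []
    m = re.search(r"--queue-num\s+(\d+)", rule)
    if m is None:
        findings.append("error: rule has no --queue-num")
    elif int(m.group(1)) not in queues:
        findings.append(f"error: queue {m.group(1)} is not bound by FSM (bound: {queues})")
    if "--queue-bypass" in rule:
        # NFQUEUE with --queue-bypass acts as ACCEPT when nothing listens on the
        # queue, so an FSM outage lets the matched traffic through un-inspected.
        findings.append("info: --queue-bypass fails open if no listener is bound")
    return findings

if __name__ == "__main__":
    bound = queue_numbers(SAMPLE_ROWS[0])
    dns_rule = "-p udp --dport 53 -m connmark --mark 0x1 --queue-num 1 --queue-bypass"
    print(bound, check_nfqueue_rule(dns_rule, bound))
```

Run it against the real `ovsh -j s` output and each Netfilter row's rule column; a row whose queue is outside the bound range is traffic that FSM will never see.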

Published Content

https://www.opensync.io/s/EDE-021-030-501_FSM_Plugins.pdf

https://www.opensync.io/s/ERE-021-061-701_FSM_Plugin_Requirements.pdf
