Re: [Ntop-misc] pfring filtering fails or not clear
Hello, Amir! I suggest you switch to hardware NIC level filtering rules from ethtool interface directly: https://github.com/FastVPSEestiOu/fastnetmon/wiki/Traffic-filtration-using-NIC-capabilities-on-wire-speed-(10GE,-14Mpps) Because it works on wire speed and has zero cost for cpu resources. On Sunday, April 5, 2015, Amir Kaduri akadur...@gmail.com wrote: Hi, I think I've made some progress: AFAIU, the packets that I see despite the rule that supposed to filter them, are packets the receive during the time interval from rule-set to rule-apply by pfring. I'll appreciate getting some answers about the following: 1. If I use the pfring_purge_idle_hash_rules(..) API, is there any way to know which rules-ids are set and which are vacant? This is because I have to follow the rules-ids when setting them, but when I purge them, I don't know which of them were removed. 2. Does this API also purges HW rules? 3. According to the documentation, I know that HW rules have a limit of 32,000. What is the limit for hash rules? IS this limit includes the 32,000 of the HW, or additional to it? 4. I have a valid rule, but whenever I call pfring_get_hash_filtering_rule_stats(..), it fails.Any idea why? - I've add the stats code to the pfcount_82599 tester - In /var/log/messages I see the following message that is probably originated from ring_setsockopt(): kernel: [PF_RING] Found rule but pluginId 0 is not registered Thanks, Amir On Thu, Apr 2, 2015 at 5:06 PM, Amir Kaduri akadur...@gmail.com javascript:_e(%7B%7D,'cvml','akadur...@gmail.com'); wrote: Hi Alfredo, Thanks for referring to my question. I hope the following answers: [root@CT10K10G]# cat /etc/pf_ring/pfring.conf min_num_slots=1024 transparent_mode=2 enable_frag_coherence=1 enable_ip_defrag=1 [root@CT10K10G]# cat /proc/net/pf_ring/info PF_RING Version : 6.0.1 ($Revision: exported$) Total rings : 0 Standard (non DNA) Options Ring slots : 1024 Slot version : 15 Capture TX : Yes [RX+TX] IP Defragment: Yes Socket Mode : Standard Transparent mode : No [mode 2] Total plugins: 0 Cluster Fragment Queue : 0 Cluster Fragment Discard : 0 Thanks, Amir On Thu, Apr 2, 2015 at 4:10 PM, Alfredo Cardigliano cardigli...@ntop.org javascript:_e(%7B%7D,'cvml','cardigli...@ntop.org'); wrote: Hi Amir how did you load pf_ring.ko? Can I see the command line? Please also try using latest code from svn, this helps us debugging the issue. Br Alfredo On 01 Apr 2015, at 18:22, Amir Kaduri akadur...@gmail.com javascript:_e(%7B%7D,'cvml','akadur...@gmail.com'); wrote: Hello, I’m using PF_RING-6.0.1. I’m trying to develop an application that runs some algorithm consisting on rules. I made some tests using the “pfcount” tester, and unfortunately, I don’t understand the behavior: I’m running the following command line: “./pfcount -i eth3 -u 2 -v 1 -r –m” which AFAIU, adds a wildcard filter for each incoming packet. If I get it correctly, once a rule was added, I should not expect other packets of the same session to receive, and this is not what I’m getting. For example: --- [root@CT10K10G examples]# ./pfcount -i eth3 -u 2 -v 1 -r -m Adding wildcard filtering rules Using PF_RING v.6.0.1 Capturing from eth3 [00:E0:ED:FE:18:19][ifIndex: 11] # Device RX channels: 6 # Polling threads:1 Dumping statistics on /proc/net/pf_ring/stats/11993-eth3.1074 18:52:35.956295950 [RX][if_index=11][00:08:E3:FF:FC:C8 - 00:01:02:03:04:05] [vlan 70] [direction 1] [IPv4][10.61.10.9:52311 - 10.70.150.108:60189] [l3_proto=TCP][hash=344283189][tos=0][tcp_seq_num=596843063] [caplen=128][len=1522][parsed_header_len=0][eth_offset=-14][l3_offset=18][l4_offset=38][payload_offset=58] Rule 0 added successfully... 18:52:35.956301616 [RX][if_index=11][00:08:E3:FF:FC:C8 - 00:01:02:03:04:05] [vlan 70] [direction 1] [IPv4][10.61.10.9:52311 - 10.70.150.108:60189] [l3_proto=TCP][hash=344283189][tos=0][tcp_seq_num=596844523] [caplen=128][len=650][parsed_header_len=0][eth_offset=-14][l3_offset=18][l4_offset=38][payload_offset=58] Rule 1 added successfully... 18:52:35.956303262 [RX][if_index=11][00:08:E3:FF:FC:C8 - 00:01:02:03:04:05] [vlan 70] [direction 1] [IPv4][10.61.10.9:52311 - 10.70.150.108:60189] [l3_proto=TCP][hash=344283189][tos=0][tcp_seq_num=596845111] [caplen=128][len=1086][parsed_header_len=0][eth_offset=-14][l3_offset=18][l4_offset=38][payload_offset=58] Rule 2 added successfully... : --- How come, that once rule #0 was added for [10.61.10.9:52311 - 10.70.150.108:60189], I still see such packets in the next lines? Shouldn’t they be filtered by the rule that just as added? (BTW, when I use the command “./pfcount -i eth3 -u 1 -v 1 -r
Re: [Ntop-misc] pfring filtering fails or not clear
Hi, I think I've made some progress: AFAIU, the packets that I see despite the rule that supposed to filter them, are packets the receive during the time interval from rule-set to rule-apply by pfring. I'll appreciate getting some answers about the following: 1. If I use the pfring_purge_idle_hash_rules(..) API, is there any way to know which rules-ids are set and which are vacant? This is because I have to follow the rules-ids when setting them, but when I purge them, I don't know which of them were removed. 2. Does this API also purges HW rules? 3. According to the documentation, I know that HW rules have a limit of 32,000. What is the limit for hash rules? IS this limit includes the 32,000 of the HW, or additional to it? 4. I have a valid rule, but whenever I call pfring_get_hash_filtering_rule_stats(..), it fails.Any idea why? - I've add the stats code to the pfcount_82599 tester - In /var/log/messages I see the following message that is probably originated from ring_setsockopt(): kernel: [PF_RING] Found rule but pluginId 0 is not registered Thanks, Amir On Thu, Apr 2, 2015 at 5:06 PM, Amir Kaduri akadur...@gmail.com wrote: Hi Alfredo, Thanks for referring to my question. I hope the following answers: [root@CT10K10G]# cat /etc/pf_ring/pfring.conf min_num_slots=1024 transparent_mode=2 enable_frag_coherence=1 enable_ip_defrag=1 [root@CT10K10G]# cat /proc/net/pf_ring/info PF_RING Version : 6.0.1 ($Revision: exported$) Total rings : 0 Standard (non DNA) Options Ring slots : 1024 Slot version : 15 Capture TX : Yes [RX+TX] IP Defragment: Yes Socket Mode : Standard Transparent mode : No [mode 2] Total plugins: 0 Cluster Fragment Queue : 0 Cluster Fragment Discard : 0 Thanks, Amir On Thu, Apr 2, 2015 at 4:10 PM, Alfredo Cardigliano cardigli...@ntop.org wrote: Hi Amir how did you load pf_ring.ko? Can I see the command line? Please also try using latest code from svn, this helps us debugging the issue. Br Alfredo On 01 Apr 2015, at 18:22, Amir Kaduri akadur...@gmail.com wrote: Hello, I’m using PF_RING-6.0.1. I’m trying to develop an application that runs some algorithm consisting on rules. I made some tests using the “pfcount” tester, and unfortunately, I don’t understand the behavior: I’m running the following command line: “./pfcount -i eth3 -u 2 -v 1 -r –m” which AFAIU, adds a wildcard filter for each incoming packet. If I get it correctly, once a rule was added, I should not expect other packets of the same session to receive, and this is not what I’m getting. For example: --- [root@CT10K10G examples]# ./pfcount -i eth3 -u 2 -v 1 -r -m Adding wildcard filtering rules Using PF_RING v.6.0.1 Capturing from eth3 [00:E0:ED:FE:18:19][ifIndex: 11] # Device RX channels: 6 # Polling threads:1 Dumping statistics on /proc/net/pf_ring/stats/11993-eth3.1074 18:52:35.956295950 [RX][if_index=11][00:08:E3:FF:FC:C8 - 00:01:02:03:04:05] [vlan 70] [direction 1] [IPv4][10.61.10.9:52311 - 10.70.150.108:60189] [l3_proto=TCP][hash=344283189][tos=0][tcp_seq_num=596843063] [caplen=128][len=1522][parsed_header_len=0][eth_offset=-14][l3_offset=18][l4_offset=38][payload_offset=58] Rule 0 added successfully... 18:52:35.956301616 [RX][if_index=11][00:08:E3:FF:FC:C8 - 00:01:02:03:04:05] [vlan 70] [direction 1] [IPv4][10.61.10.9:52311 - 10.70.150.108:60189] [l3_proto=TCP][hash=344283189][tos=0][tcp_seq_num=596844523] [caplen=128][len=650][parsed_header_len=0][eth_offset=-14][l3_offset=18][l4_offset=38][payload_offset=58] Rule 1 added successfully... 18:52:35.956303262 [RX][if_index=11][00:08:E3:FF:FC:C8 - 00:01:02:03:04:05] [vlan 70] [direction 1] [IPv4][10.61.10.9:52311 - 10.70.150.108:60189] [l3_proto=TCP][hash=344283189][tos=0][tcp_seq_num=596845111] [caplen=128][len=1086][parsed_header_len=0][eth_offset=-14][l3_offset=18][l4_offset=38][payload_offset=58] Rule 2 added successfully... : --- How come, that once rule #0 was added for [10.61.10.9:52311 - 10.70.150.108:60189], I still see such packets in the next lines? Shouldn’t they be filtered by the rule that just as added? (BTW, when I use the command “./pfcount -i eth3 -u 1 -v 1 -r –m” (i.e. –u is 1 rather than 2), the tester uses hash filters, and in this case, I get errors: 18:53:19.052549112 [RX][if_index=11][00:08:E3:FF:FC:C8 - 00:01:02:03:04:05] [vlan 70] [direction 1] [IPv4][10.61.10.9:52311 - 10.70.150.108:60189] [l3_proto=TCP][hash=344283189][tos=0][tcp_seq_num=596847159] [caplen=128][len=1490][parsed_header_len=0][eth_offset=-14][l3_offset=18][l4_offset=38][payload_offset=58] pfring_add_hash_filtering_rule(1) failed) Any help will be appreciated. Thanks, Amir
