├── README.md
├── common-scripts
├── disable_conntrack.sh
└── set_irq_affinity
├── micro-benchmarks
├── bpf-iptables-overhead
│ ├── bpf-iptables-overhead-tcp
│ │ ├── awk-scripts
│ │ │ ├── print_avg_multi.awk
│ │ │ ├── print_max_multi.awk
│ │ │ └── print_min_multi.awk
│ │ ├── rulesets
│ │ │ ├── helpers.bash
│ │ │ └── rules_0.sh
│ │ └── run-tests_weighttp.sh
│ └── bpf-iptables-overhead-udp
│ │ ├── bpf-iptables-overhead.lua
│ │ ├── config_dut_routing.sh
│ │ ├── rulesets
│ │ ├── helpers.bash
│ │ ├── nftables-rules
│ │ │ └── nftables_0.sh
│ │ └── rules_0.sh
│ │ └── run-tests-multi-forward.sh
└── xdp-vs-tc-ingress
│ └── README
├── realistic-scenarios
├── ddos-mitigator
│ ├── README.md
│ ├── config_dut_routing.sh
│ ├── ddos-mitigator.lua
│ ├── rulesets
│ │ ├── helpers.bash
│ │ ├── ipset-rules
│ │ │ └── ipset_rulset.sh
│ │ ├── nftables-rules
│ │ │ ├── nftables_ddos.sh
│ │ │ └── rules_nft_map.sh
│ │ └── rules_ddos.sh
│ ├── run-tests.sh
│ ├── sum_iptables_output.awk
│ ├── sum_nftables_output.awk
│ ├── sum_pcn_iptables_output.awk
│ ├── sysctl.conf.dut
│ └── sysctl.conf.generator
└── enterprise-public-servers
│ ├── README.md
│ ├── config_dut_routing.sh
│ ├── enterprise-public2.lua
│ ├── rulesets
│ ├── helpers.bash
│ ├── nftables-rules
│ │ ├── nftables_100.sh
│ │ ├── nftables_1000.sh
│ │ ├── nftables_50.sh
│ │ ├── nftables_500.sh
│ │ └── nftables_5000.sh
│ ├── rules_100.sh
│ ├── rules_1000.sh
│ ├── rules_50.sh
│ ├── rules_500.sh
│ └── rules_5000.sh
│ ├── run-tests.sh
│ ├── sum_iptables_output.awk
│ ├── sum_nftables_output.awk
│ └── sum_pcn_iptables_output.awk
└── system-benchmarking
├── conntrack-performance
├── README.md
├── rulesets
│ ├── conntrack_rules.sh
│ └── helpers.bash
├── run-tests_weighttp.sh
├── sysctl.conf.dut
└── sysctl.conf.generator
├── rule-complexity
├── README.md
├── config_dut_routing.sh
├── rule-complexity.lua
├── rulesets
│ ├── helpers.bash
│ ├── nftables-rules
│ │ ├── nftables_all.sh
│ │ ├── nftables_ipsrc.sh
│ │ ├── nftables_ipsrc_ipdst.sh
│ │ ├── nftables_ipsrc_ipdst_proto.sh
│ │ └── nftables_ipsrc_ipdst_proto_portsrc.sh
│ ├── rules_all.sh
│ ├── rules_ipsrc.sh
│ ├── rules_ipsrc_ipdst.sh
│ ├── rules_ipsrc_ipdst_proto.sh
│ └── rules_ipsrc_ipdst_proto_portsrc.sh
└── run-tests.sh
└── ruleset-size
├── README.md
├── config_dut_routing.sh
├── ruleset-size.lua
├── rulesets
├── helpers.bash
├── nftables-rules
│ ├── nftables_100.sh
│ ├── nftables_1000.sh
│ ├── nftables_50.sh
│ ├── nftables_500.sh
│ └── nftables_5000.sh
├── rules_100.sh
├── rules_1000.sh
├── rules_50.sh
├── rules_500.sh
└── rules_5000.sh
├── run-tests-multi.sh
└── run-tests-single.sh
/README.md:
--------------------------------------------------------------------------------
1 | # Securing Linux with a Faster and Scalable Iptables
2 |
3 | This repository contains the datasets and the scripts used for the evaluation section of the paper "Securing Linux with a Faster and Scalable Iptables", which has been submitted to the SIGCOMM Computer Communication Review.
4 |
5 |
6 |
7 | ## Test environment
8 |
9 | ### Setup
10 |
11 | Our testbed includes a first server used as DUT running the firewall under test and a second used as packet generator (and possibly receiver).
12 | The DUT encompasses an Intel Xeon Gold 5120 14-cores CPU @2.20GHz (hyper-threading disabled) with support for Intel's Data Direct I/O (DDIO), 19.25 MB of L3 cache and two 32GB RAM modules.
13 | The packet generator is equipped with an Intel Xeon CPU E3-1245 v5 4-cores CPU @3.50GHz (8 cores with hyper-threading), 8MB of L3 cache and two 16GB RAM modules.
14 |
15 | Both servers run Ubuntu 18.04.1 LTS, with the packet generator using kernel 4.15.0-36 and the DUT running kernel 4.19.0.
16 | Each server has a dual-port Intel XL710 40Gbps NIC, each port directly connected to the corresponding one of the other server.
17 |
18 | To correctly replicate the results described in the paper, you should use a similar setup since the scripts have been created with that setup in mind.
19 |
20 | **Important**: All the tests assume that passwordless sudo is enabled on the DUT, so that the scripts running on the packet generator can set all the environment variables and launch the bpf-iptables commands.
21 |
22 |
23 |
24 | ### Testing tools
25 |
26 | ##### Pktgen-DPDK
27 |
28 | For UDP tests, we used **pktgen-dpdk** to generate traffic. We used a customized version, which supports generating packets randomly distributed in a given range.
29 |
30 | Our version can be downloaded from [this](https://github.com/sebymiano/pktgen-dpdk) URL and installed with the following commands:
31 |
32 | ```bash
33 | # Dependency: DPDK v18.08 installed on the system
34 | # Install Pktgen-DPDK
35 | $ mkdir -p $HOME/dev
36 | $ cd $HOME/dev && git clone https://github.com/sebymiano/pktgen-dpdk
37 | $ cd pktgen-dpdk && make -j4
38 |
39 | ```
40 |
41 | Note: it is important to install pktgen-dpdk under the directory `$HOME/dev` since this is the default path used in the test scripts.
42 |
43 |
--------------------------------------------------------------------------------
/common-scripts/disable_conntrack.sh:
--------------------------------------------------------------------------------
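#!/bin/bash
#
# Flush every iptables table and unload the netfilter / conntrack / nftables
# kernel modules, so that a test can run without connection tracking.
#
# Usage: disable_conntrack.sh        (relies on passwordless sudo)
#
# Note: flushing filter/nat/mangle/raw/security removes every rule on the
# host; this is meant for the isolated test machine only.

set -x

# Tables are flushed before the modules are removed (presumably so the table
# modules are no longer busy when rmmod runs).
for table in nat filter mangle raw security; do
  sudo iptables -F -t "$table"
done

# Unload order as in the original script: dependants first, providers last
# (e.g. nf_conntrack before nf_defrag_ipv4, ip_tables before x_tables).
# Keep this order when adding modules.
modules=(
  iptable_nat
  ipt_MASQUERADE
  openvswitch
  nf_nat_ipv6
  nf_nat_ipv4
  nf_nat
  nf_conncount
  xt_conntrack
  nf_conntrack_netlink
  nf_conntrack
  iptable_filter
  ip6table_filter
  ebtable_filter
  iptable_mangle
  iptable_security
  iptable_raw
  ip_tables
  nf_defrag_ipv6
  nf_defrag_ipv4
  ebtables
  xt_tcpudp
  xt_CHECKSUM
  ip6_tables
  ipt_REJECT
  x_tables
  ip_set_hash_ipport
  ip_set
  nf_reject_ipv4
  nf_tables
  bpfilter
)

for mod in "${modules[@]}"; do
  # Skip modules that are not loaded instead of spawning rmmod just to fail.
  if ! grep -q "^${mod} " /proc/modules; then
    continue
  fi
  # Keep going on failure, but say which module is still in use.
  sudo rmmod "$mod" || printf 'warning: could not unload %s\n' "$mod" >&2
done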
41 |
--------------------------------------------------------------------------------
/common-scripts/set_irq_affinity:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | #
3 | # Copyright (c) 2014, Intel Corporation
4 | #
5 | # Redistribution and use in source and binary forms, with or without
6 | # modification, are permitted provided that the following conditions are met:
7 | #
8 | # * Redistributions of source code must retain the above copyright notice,
9 | # this list of conditions and the following disclaimer.
10 | # * Redistributions in binary form must reproduce the above copyright
11 | # notice, this list of conditions and the following disclaimer in the
12 | # documentation and/or other materials provided with the distribution.
13 | # * Neither the name of Intel Corporation nor the names of its contributors
14 | # may be used to endorse or promote products derived from this software
15 | # without specific prior written permission.
16 | #
17 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
18 | # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 | # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
20 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
21 | # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 | # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
23 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
24 | # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
25 | # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
26 | # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27 | #
28 | # Affinitize interrupts to cores
29 | #
30 | # typical usage is (as root):
31 | # set_irq_affinity -x local eth1
32 | #
33 | # to get help:
34 | # set_irq_affinity
35 |
usage()
{
  # Print the command-line synopsis (with a blank line around it) and
  # leave with status 1.
  cat <<EOF

Usage: $0 [-x|-X] {all|local|remote|one|custom} [ethX] <[ethY]>
 options: -x Configure XPS as well as smp_affinity
 options: -X Disable XPS but set smp_affinity
 options: {remote|one} can be followed by a specific node number
 Ex: $0 local eth0
 Ex: $0 remote 1 eth0
 Ex: $0 custom eth0 eth1
 Ex: $0 0-7,16-23 eth0

EOF
  exit 1
}
50 |
usageX()
{
  # -x and -X are mutually exclusive: report it and stop with status 1.
  printf '%s\n' "options -x and -X cannot both be specified, pick one"
  exit 1
}
56 |
# ---- option parsing ---------------------------------------------------------
# Leading flags: -x configures XPS as well (XPS_ENA=1), -X clears XPS while
# still setting smp_affinity (XPS_DIS=2).  The two are mutually exclusive.
if [[ "$1" == "-x" ]]; then
  XPS_ENA=1
  shift
fi

if [[ "$1" == "-X" ]]; then
  [[ -n "$XPS_ENA" ]] && usageX
  XPS_DIS=2
  shift
fi

# "-X -x" order is a conflict too.
[[ "$1" == "-x" ]] && usageX

[[ -n "$XPS_ENA" && -n "$XPS_DIS" ]] && usageX

# From here on XPS_ENA carries the mode: empty (leave XPS alone), 1 or 2.
[[ -z "$XPS_ENA" ]] && XPS_ENA=$XPS_DIS

num='^[0-9]+$'
# Vars
AFF=$1
shift

case "$AFF" in
  remote)
    # optional node number right after "remote"
    if [[ $1 =~ $num ]]; then
      rnode=$1
      shift
    fi
    ;;
  one)
    # optional number right after "one" (kept in cnt)
    if [[ $1 =~ $num ]]; then
      cnt=$1
      shift
    fi
    ;;
  all|local|custom) ;;
  [0-9]*) ;;
  -h|--help) usage ;;
  "") usage ;;
  *)
    # Backwards compat mode: the first word is already an interface name
    IFACES=$AFF
    AFF=all
    ;;
esac

# every remaining argument is an interface; collect them space separated
while (( $# > 0 )); do
  IFACES+=" $1"
  shift
done

# for now the user must specify interfaces
if [[ -z "$IFACES" ]]; then
  usage
  exit 1
fi
110 |
111 | # support functions
112 |
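#######################################
# Build the cpumask selecting a single core, in the comma separated hex
# format that /proc/irq/*/smp_affinity takes (32-bit words, most
# significant first).
# Arguments: $1 - core number (0-based)
# Outputs:   the mask on stdout, e.g. "20" for core 5, "1,00000000" for core 32
#######################################
core_affinity_mask()
{
  local vec=$1
  local words=0 fill="" bit k
  if (( vec >= 32 )); then
    # one all-zero word for every full 32-bit group below the selected core
    words=$(( vec / 32 ))
    for (( k = 1; k <= words; k++ )); do
      fill+=",00000000"
    done
    vec=$(( vec - 32 * words ))
  fi
  bit=$(( 1 << vec ))
  printf '%X%s\n' "$bit" "$fill"
}

#######################################
# Pin one interrupt vector to one core and, depending on XPS_ENA, write the
# same mask (1) or an all-zero mask (2) to the matching tx queue's xps_cpus.
# Globals:   core, IRQ, IFACE, n (read; set by setaff), XPS_ENA (read),
#            MASK (written, kept as a global as before)
# Arguments: none - state is passed through the globals above, as setaff does
# Outputs:   one "IFACE CORE MASK -> FILE" line per file written
#######################################
set_affinity()
{
  MASK=$(core_affinity_mask "$core")
  # tx queue index is n-1: setaff counts vectors from 1
  local txq="/sys/class/net/$IFACE/queues/tx-$((n-1))/xps_cpus"

  printf '%s' "$MASK" > "/proc/irq/$IRQ/smp_affinity"
  printf '%s %d %s -> /proc/irq/%s/smp_affinity\n' "$IFACE" "$core" "$MASK" "$IRQ"
  case "$XPS_ENA" in
    1)
      printf '%s %d %s -> %s\n' "$IFACE" "$core" "$MASK" "$txq"
      printf '%s' "$MASK" > "$txq"
      ;;
    2)
      # XPS explicitly disabled: clear the queue's cpu mask
      MASK=0
      printf '%s %d %s -> %s\n' "$IFACE" "$core" "$MASK" "$txq"
      printf '%s' "$MASK" > "$txq"
      ;;
    *)
      ;;
  esac
}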
149 |
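#######################################
# Expand a core list written with commas and dashes ("0-3,8,10-12") into a
# space separated list of core numbers ("0 1 2 3 8 10 11 12").
# Arguments: $@ - one or more range specifications
# Outputs:   the expanded list on stdout, one line
#
# Numeric ranges are expanded arithmetically instead of with
# `eval echo {a..b}`: the argument comes straight from the command line and
# eval would execute anything embedded in it.  A descending range ("7-4")
# counts down, like brace expansion did; tokens that are not "N-M" are
# passed through unchanged.
#######################################
parse_range () {
  local spec="${*//,/ }"
  local -a list=()
  local token lo hi k
  for token in $spec; do
    if [[ $token =~ ^([0-9]+)-([0-9]+)$ ]]; then
      # 10# forces decimal so that a leading zero is not read as octal
      lo=$(( 10#${BASH_REMATCH[1]} ))
      hi=$(( 10#${BASH_REMATCH[2]} ))
      if (( lo <= hi )); then
        for (( k = lo; k <= hi; k++ )); do list+=("$k"); done
      else
        for (( k = lo; k >= hi; k-- )); do list+=("$k"); done
      fi
    else
      list+=("$token")
    fi
  done
  echo "${list[*]}"
}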
163 |
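#######################################
# Spread the interrupt vectors of one interface round-robin over CORES.
# Globals:   IFACE (read); CORES (read, rewritten in expanded form);
#            ncores, core, IRQ, n (written; core/IRQ/n are read by set_affinity)
# Arguments: none
# Outputs:   a table of "IFACE CORE MASK -> FILE" lines
# Returns:   1 when no interrupt for IFACE is found, 0 otherwise
#######################################
setaff()
{
  CORES=$(parse_range $CORES)
  # word-splitting CORES into an array is intended (space separated list)
  local -a core_list=($CORES)
  ncores=${#core_list[@]}
  local irqs msi_dir f

  # this script only supports interrupt vectors in pairs,
  # modification would be required to support a single Tx or Rx queue
  # per interrupt vector
  local queues="${IFACE}-.*TxRx"

  irqs=$(grep "$queues" /proc/interrupts | cut -f1 -d:)
  [[ -z "$irqs" ]] && irqs=$(grep "$IFACE" /proc/interrupts | cut -f1 -d:)
  if [[ -z "$irqs" ]]; then
    # Last resort: the device's MSI vectors.  The glob yields sorted order
    # rather than `ls -U` directory order, which only changes the
    # round-robin pairing, not the set of vectors.
    msi_dir="/sys/class/net/$IFACE/device/msi_irqs"
    irqs=$(for f in "$msi_dir"/*; do
             [[ -e "$f" ]] || continue
             grep "${f##*/}:.*TxRx" /proc/interrupts | grep -v fdir | cut -f 1 -d :
           done)
  fi
  if [[ -z "$irqs" ]]; then
    echo "Error: Could not find interrupts for $IFACE" >&2
    return 1
  fi

  echo "IFACE CORE MASK -> FILE"
  echo "======================="
  n=1
  for IRQ in $irqs; do
    # wrap around: vectors beyond ncores start again at the first core
    (( n > ncores )) && n=1
    core=${core_list[n-1]}
    set_affinity
    (( n++ ))
  done
}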
199 |
200 | # now the actual useful bits of code
201 |
202 | # these next 2 lines would allow script to auto-determine interfaces
203 | #[ -z "$IFACES" ] && IFACES=$(ls /sys/class/net)
204 | #[ -z "$IFACES" ] && echo "Error: No interfaces up" && exit 1
205 |
206 | # echo IFACES is $IFACES
207 |
208 | CORES=$(max+0.0)
7 | max = $2;
8 | }
9 | }
10 | END {
11 | printf("%.f\n", max);
12 | }
13 |
--------------------------------------------------------------------------------
/micro-benchmarks/bpf-iptables-overhead/bpf-iptables-overhead-tcp/awk-scripts/print_min_multi.awk:
--------------------------------------------------------------------------------
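# Print the smallest value found in column 2 of the selected summary lines
# (9, 17, 25, 33, 41 -- one per test run in the input layout this script
# expects) as an integer.
#
# The minimum is seeded from the first selected value instead of from a
# fixed sentinel, so inputs larger than any guessed upper bound are handled;
# when no selected line exists the old sentinel is printed, as before.
BEGIN {
  seen = 0;
}
{
  if (NR==9 || NR==17 || NR==25 || NR==33 || NR==41) {
    if (!seen || ($2 + 0.0) < min) {
      min = $2 + 0.0;
      seen = 1;
    }
  }
}
END {
  if (!seen)
    min = 10000000.0;
  printf("%.f\n", min);
}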
13 |
--------------------------------------------------------------------------------
/micro-benchmarks/bpf-iptables-overhead/bpf-iptables-overhead-tcp/rulesets/helpers.bash:
--------------------------------------------------------------------------------
# Every test starts from a fresh polycubed instance when this is true.
declare RELAUNCH_POLYCUBED=true
# Command used to start the daemon (logging switched off).
# TODO: confirm "-l off" really disables all logging
declare polycubed="sudo polycubed -l off"
4 |
# Initialise the pcn-iptables service on the running polycubed (the -xdp
# variant of the init command).  The older init script is kept for reference:
#   $HOME/polycube/services/pcn-iptables/iptables-compatibility/iptables-init.sh
function initialize_pcn_iptables {
  local init_cmd=pcn-iptables-init-xdp
  "$init_cmd"
}
9 |
# Probe the polycubed REST server through polycubectl.
# Outputs: 0 on stdout when it answers, otherwise polycubectl's exit status
function polycubed_is_responding {
  polycubectl ? > /dev/null
  echo "$?"
}
16 |
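# Relaunch polycubed if the daemon is not running.
# Globals:   polycubed (read) - launch command, word-split on purpose
# Outputs:   progress messages on stdout
function polycubed_relaunch_if_not_running {
  # pgrep -x matches the process name exactly, so unlike "ps | grep" it is
  # not fooled by the grep process itself or by similarly named commands.
  if ! pgrep -x polycubed > /dev/null; then
    echo "polycubed not running ..."
    echo "relaunching polycubed ..."
    $polycubed >> /dev/null 2>&1 &
  fi
}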
26 |
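# Launch polycubed (or make sure it is running) and block until its REST
# server answers.  There is no timeout, as before: a daemon that never comes
# up blocks the test run.
# Globals:   RELAUNCH_POLYCUBED, polycubed (read); polycubed_alive (written)
# Outputs:   progress messages on stdout, including the seconds waited
function launch_and_wait_polycubed_is_responding {
  if $RELAUNCH_POLYCUBED; then
    echo "starting polycubed ..."
    $polycubed >> /dev/null 2>&1 &
  else
    # exact process-name match; "ps | grep" could match unrelated processes
    polycubed_alive=$(pgrep -x polycubed)
    if [ -z "$polycubed_alive" ]; then
      echo "polycubed not running ..."
      echo "relaunching polycubed ..."
      $polycubed >> /dev/null 2>&1 &
    fi
  fi

  # poll once per second, relaunching the daemon if it died meanwhile
  local waited=0 status
  while : ; do
    sleep 1
    waited=$((waited + 1))
    status=$(polycubed_is_responding)
    if [ "$status" = "0" ]; then
      break
    fi
    polycubed_relaunch_if_not_running
  done

  if $RELAUNCH_POLYCUBED; then
    echo "starting polycubed in $waited seconds"
  elif [ -z "$polycubed_alive" ]; then
    echo "relaunching polycubed in $waited seconds"
  fi
}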
64 |
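# Kill polycubed and wait until the process is completely gone (its services
# are unloaded on the way out).
# Outputs:   progress messages on stdout, including the seconds waited
function polycubed_kill_and_wait {
  echo "killing polycubed ..."
  sudo pkill polycubed >> /dev/null

  # poll once per second until no process named polycubed is left
  local waited=0
  while : ; do
    sleep 1
    waited=$((waited + 1))
    if ! pgrep -x polycubed > /dev/null; then
      break
    fi
  done
  echo "killing polycubed in $waited seconds"
}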
87 |
# Make the polycube tooling reachable, start polycubed and initialise
# pcn-iptables on top of it.
function launch_pcn_iptables {
  local go_bin=/home/polycube/go/bin
  local pcn_scripts=/home/polycube/polycube/services/pcn-iptables/scripts
  export PATH="$PATH:$go_bin:$pcn_scripts"
  launch_and_wait_polycubed_is_responding
  initialize_pcn_iptables
}
94 |
--------------------------------------------------------------------------------
/micro-benchmarks/bpf-iptables-overhead/bpf-iptables-overhead-tcp/rulesets/rules_0.sh:
--------------------------------------------------------------------------------
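source "${BASH_SOURCE%/*}/helpers.bash"
# Zero-rule baseline for the bpf-iptables overhead TCP test: the selected
# firewall ends up with an empty chain whose policy is ACCEPT.
#
# usage:
#   rules_0.sh [iptables|pcn-iptables|nftables] [CHAIN] [REMOTE_IP] [REMOTE_PORT]
# Omitted positional arguments keep the defaults below.

# set -x
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"

NFTABLES_DIR=nftables-rules
IPTABLES="sudo iptables"
CHAIN="INPUT"
REMOTE_IP=10.10.10.2
REMOTE_PORT=80

echo ""
echo "usage:"
echo "$0 [iptables|pcn-iptables|nftables] [FORWARD] [10.10.10.1] [$REMOTE_PORT]"
echo ""

# keep the defaults when an argument is missing instead of blanking the variable
CHAIN=${2:-$CHAIN}
REMOTE_IP=${3:-$REMOTE_IP}
REMOTE_PORT=${4:-$REMOTE_PORT}

case "$1" in
  pcn-iptables)
    echo "Using pcn-iptables"
    IPTABLES="pcn-iptables"
    launch_pcn_iptables
    ;;
  nftables)
    echo "Using nftables"
    IPTABLES="sudo nft"
    ;;
  *)
    echo "Using iptables"
    IPTABLES="sudo iptables"
    ;;
esac

# $IPTABLES is word-split on purpose: it holds "sudo <tool>".
case "$1" in
  nftables)
    # create table and chain, add one rule, then flush the table: the chain
    # stays in place but holds no rules
    $IPTABLES add table ip filter
    $IPTABLES add chain ip filter "$CHAIN" { type filter hook input priority 0 \; }
    $IPTABLES add rule ip filter "$CHAIN" ct state established counter accept
    $IPTABLES flush table ip filter
    ;;
  pcn-iptables)
    $IPTABLES -F "$CHAIN"
    $IPTABLES -P "$CHAIN" ACCEPT
    ;;
  *)
    $IPTABLES -F "$CHAIN"
    $IPTABLES -P "$CHAIN" ACCEPT
    # an ESTABLISHED rule is added and immediately flushed (presumably to get
    # the conntrack match loaded while leaving the chain empty -- confirm)
    $IPTABLES -A "$CHAIN" -m conntrack --ctstate ESTABLISHED -j ACCEPT
    $IPTABLES -F "$CHAIN"
    ;;
esac

exit 0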
53 |
--------------------------------------------------------------------------------
/micro-benchmarks/bpf-iptables-overhead/bpf-iptables-overhead-tcp/run-tests_weighttp.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
3 | # This test requires an nginx server on the remote DUT. We suggest to set the following
4 | # parameters on both the remote and local server in order to prevent the consumption
5 | # of ephemeral ports.
6 | # For this test we use wrk (https://github.com/wg/wrk), a HTTP benchmarking tool
7 | #
8 | # To make this script work correctly you need to increase the limit of file descriptor
9 | # opened by a single process, so we can stress the conntrack table.
10 | # You can execute the following commands to do this:
11 | # The modification below takes effect after a reboot (once a user is logged in):
12 | # sudo nano /etc/security/limits.conf
13 | # * soft nofile 200000
14 | # * hard nofile 200000
15 | #
16 | # If you are logged as 'root' in a terminal, type (instant effect):
17 | # ulimit -HSn 200000
18 | #
19 | # sudo nano /etc/sysctl.conf
20 | # net.core.netdev_max_backlog = 400000
21 | # net.ipv4.ip_local_port_range = 1024 65535
22 | # net.ipv4.tcp_max_syn_backlog = 12000
23 | # net.ipv4.tcp_wmem = 30000000 30000000 30000000
24 | # net.ipv4.tcp_tw_reuse = 1
25 | #
26 | # To apply the configuration, type:
27 | # sudo sysctl -p /etc/sysctl.conf
28 |
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
NOW=$(date +"%m-%d-%Y-%T")   # run timestamp (not referenced further down)

# ---- Remote side: the DUT ---------------------------------------------------
REMOTE_DUT=IPADDRESS          # placeholder: replace with the DUT's address
REMOTE_FOLDER="~/bpf-iptables-tests/micro-benchmarks/bpf-iptables-overhead/bpf-iptables-overhead-tcp"
INGRESS_REMOTE_IFACE_NAME="enp101s0f0"
REMOTE_SERVER_ADDR=10.10.10.1
REMOTE_SERVER_PORT=80
REMOTE_SERVER_FILE=static_file # 100Byte file places in the server
SET_IRQ_SCRIPT="~/bpf-iptables-tests/common-scripts/set_irq_affinity"

polycubed="sudo polycubed"
polycubectl="$GOPATH/bin/polycubectl"

# ---- Local side: the packet generator / HTTP client -------------------------
POLYCUBE_VERSION="none"
INGRESS_LOCAL_IFACE_NAME="enp1s0f0"
LOCAL_CLIENT_ADDR=10.10.10.2
IPTABLES="pcn-iptables"       # overridden by -i (iptables) / -n (nftables)
LOCAL_NAME=cube1
LOCAL_DUT=IPADDRESS

# ---- Test parameters: number of concurrent clients, from/to/step -----------
TEST_DURATION=30s
TEST_START_RANGE=1000
TEST_END_RANGE=1000
TEST_STEP=1000
56 |
# Print the command-line help text to stdout.
function show_help() {
  cat <<EOF
$(basename "$0") [-h] [-r #runs] [-o output_file] [-d duration][-i|-n]
Run tests of pcn-iptables for the FORWARD chain with a different number of rules

where:
-h show this help text
-r number of runs for the test
-o path to file where the results are placed
-d duration of the test, e.g. 2s, 2m, 2h
-i use iptables
-n use nftables
EOF
}
71 |
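# Kill polycubed and wait until the process is completely gone (its services
# are unloaded on the way out).  Also shipped to the DUT by cleanup_environment.
# Outputs:   progress messages on stdout, including the seconds waited
function polycubed_kill_and_wait {
  echo "killing polycubed ..."
  sudo pkill polycubed > /dev/null 2>&1

  # poll once per second until no process named polycubed is left;
  # pgrep -x matches the name exactly, unlike "ps | grep"
  local waited=0
  while : ; do
    sleep 1
    waited=$((waited + 1))
    if ! pgrep -x polycubed > /dev/null; then
      break
    fi
  done
  echo "killing polycubed in $waited seconds"
}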
94 |
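# Check reachability of the DUT's test address with a single ICMP echo.
# Arguments: $1 - address to ping (optional; defaults to REMOTE_SERVER_ADDR,
#                 or to 10.10.10.1 when that is unset, which is the address
#                 the function always pinged before)
# Outputs:   "success" or "failed" on stdout
function check_ping {
  local target=${1:-${REMOTE_SERVER_ADDR:-10.10.10.1}}
  local result='failed'
  if ping -c 1 "$target" > /dev/null 2>&1; then
    result='success'
  fi
  echo "$result"
}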
106 |
# Bring up the client interface locally and prepare the DUT: restart docker,
# start the bpf-iptables container, restart nginx and address the ingress port.
# Globals:   INGRESS_LOCAL_IFACE_NAME, LOCAL_CLIENT_ADDR, REMOTE_DUT,
#            INGRESS_REMOTE_IFACE_NAME, REMOTE_SERVER_ADDR (read)
#            CONTAINER_ID (written)
function setup_environment {
  local remote="polycube@$REMOTE_DUT"
  sudo ifconfig $INGRESS_LOCAL_IFACE_NAME $LOCAL_CLIENT_ADDR/24 up
  ssh "$remote" "sudo service docker restart"
  # --privileged plus --network host: the container has full control of the
  # DUT's network stack and kernel modules (the test relies on that).
  CONTAINER_ID=$(ssh "$remote" "sudo docker run -id --name bpf-iptables --rm --privileged --network host -v /lib/modules:/lib/modules:ro -v /usr/src:/usr/src:ro -v /etc/localtime:/etc/localtime:ro netgrouppolito/bpf-iptables:latest bash")
  # unquoted heredoc on purpose: the variables expand locally before the
  # script is sent to the DUT
  ssh "$remote" << EOF
set -x
sudo service nginx restart
sudo ifconfig $INGRESS_REMOTE_IFACE_NAME $REMOTE_SERVER_ADDR/24 up
sudo sysctl -p /etc/sysctl.conf
EOF
}
118 |
# Ask the DUT to load the zero-rule baseline for the selected firewall.
# docker exec -d returns immediately; the caller sleeps before measuring.
# Globals:   REMOTE_DUT, REMOTE_FOLDER, IPTABLES, LOCAL_CLIENT_ADDR,
#            REMOTE_SERVER_PORT (read)
function load_rules {
  local rules_cmd="$REMOTE_FOLDER/rulesets/rules_0.sh $IPTABLES INPUT $LOCAL_CLIENT_ADDR $REMOTE_SERVER_PORT"
  ssh polycube@"$REMOTE_DUT" << EOF
set -x
sudo docker exec -d bpf-iptables bash -c "$rules_cmd"
EOF
}
125 |
# Tear down the DUT side: stop polycubed, flush INPUT, remove the container
# and drop the nftables filter table.  The definition of
# polycubed_kill_and_wait is shipped inline so the remote shell can call it.
# Globals:   REMOTE_DUT, CONTAINER_ID (read)
function cleanup_environment {
  local kill_fn
  kill_fn=$(declare -f polycubed_kill_and_wait)
  ssh polycube@"$REMOTE_DUT" << EOF
$kill_fn
polycubed_kill_and_wait
sudo iptables -F INPUT
sudo docker stop ${CONTAINER_ID} &> /dev/null
sudo docker rm -f bpf-iptables &> /dev/null
sudo nft flush table ip filter &> /dev/null
sudo nft delete table ip filter &> /dev/null
EOF
}
137 |
# Block until the DUT accepts ssh connections, then settle for 5 more seconds.
# Globals:   REMOTE_DUT (read); result (written: last ssh exit status)
function wait_for_remote_machine {
  # try, wait 5 s, retry for as long as the connection attempt fails
  until ssh -q polycube@"$REMOTE_DUT" exit; do
    result=$?
    sleep 5
  done
  result=0
  sleep 5
}
148 |
# Reboot the DUT over ssh (the remote command is traced with set -x).
# Globals:   REMOTE_DUT (read)
function reboot_remote_dut {
  ssh polycube@"$REMOTE_DUT" 'set -x; sudo reboot'
}
155 |
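# Report whether a conntrack module is loaded on the DUT.
# Globals:   REMOTE_DUT (read)
# Outputs:   "enabled" or "disabled" on stdout
#
# The previous test was `[ -z "$enabled"]` (no space before `]`), which `[`
# rejects as a syntax error, so the function always answered "enabled".
function check_conntrack {
  local enabled
  enabled=$(ssh polycube@"$REMOTE_DUT" "lsmod | grep conntrack")
  local result='disabled'
  if [ -n "$enabled" ]; then
    result='enabled'
  fi
  echo "$result"
}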
167 |
# Unload the conntrack / iptables modules on the DUT.  The module list is a
# subset of common-scripts/disable_conntrack.sh, in the same order.
# Globals:   REMOTE_DUT, REMOTE_CONNTRACK_SCRIPT_FOLDER (read)
# NOTE(review): REMOTE_CONNTRACK_SCRIPT_FOLDER is not defined anywhere in
# this file; unless the caller exports it the first remote command is
# "sudo /disable.sh".
function disable_conntrack {
  local remote="polycube@$REMOTE_DUT"
  ssh "$remote" << EOF
set -x
sudo $REMOTE_CONNTRACK_SCRIPT_FOLDER/disable.sh
sudo rmmod iptable_nat
sudo rmmod ipt_MASQUERADE
sudo rmmod nf_nat_ipv4
sudo rmmod nf_nat
sudo rmmod xt_conntrack
sudo rmmod nf_conntrack_netlink
sudo rmmod nf_conntrack
sudo rmmod iptable_filter
sudo rmmod ip_tables
sudo rmmod nf_defrag_ipv6
sudo rmmod nf_defrag_ipv4
sudo rmmod x_tables
EOF
}
186 |
# Unload the nftables modules on the DUT (expression modules first, then the
# core nf_tables module).
# Globals:   REMOTE_DUT (read)
function disable_nft {
  local remote="polycube@$REMOTE_DUT"
  ssh "$remote" << EOF
set -x
sudo rmmod nft_counter
sudo rmmod nft_ct
sudo rmmod nf_tables
EOF
}
195 |
# Best-effort teardown used from the main flow.  Note that `set +o errexit`
# here changes the whole script's setting, not only this function's.
function cleanup {
  set +o errexit
  cleanup_environment
}
200 |
# Fill the global array test_range with the values 1..9 x 10^k that lie
# between $1 and $2 (a log-spaced sweep).  Not used by the main flow below,
# which calls calculate_range2 instead.
# Arguments: $1 - lower bound (must be > 0: bc's l() is the natural log)
#            $2 - upper bound
# Globals:   test_range (written; index = 10*exponent + mantissa)
# Requires:  bc
function calculate_range {
  #set +x
  # log10 of both bounds as ln(x)/ln(10), two decimals
  local var1=$( echo "scale=2; l($1)/l(10)" | bc -l )
  local var2=$( echo "scale=2; l($2)/l(10)" | bc -l )
  let exp=mod=result=exp2=0
  # scale to tenths of a decade; the upper bound gets one extra step
  var1=$( echo "scale=2; $var1*10" | bc )
  var2=$( echo "scale=2; $var2*10 + 1.0" | bc )
  # truncate to integers (${var%.*} drops the fractional part)
  var1=$(( ${var1%.*} + 0 ))
  var2=$(( ${var2%.*} + 0 ))

  if [ $var1 -eq 0 ]; then
    var1=1;
  fi

  for x in `seq ${var1} ${var2}`; do
    # x = 10*exp + mod  ->  value = mod * 10^exp
    exp=$((x/10))
    exp=$(( ${exp%.*} + 0 ))
    mod=$(($x%10))
    # mod == 0 would yield the value 0, so it is skipped
    if [ $mod -eq 0 ]; then
      continue
    fi
    exp2=$((10**exp))
    result=$((mod*exp2))
    test_range[$x]=$result
  done
}
227 |
# Fill the global array test_range (1-based) with start, start+step, ..., end.
# Arguments: $1 - first value, $2 - last value, $3 - increment (handed to seq)
# Globals:   test_range (written)
function calculate_range2 {
  local start=$1 end=$2 step=$3
  local idx=1
  local value
  while IFS= read -r value; do
    test_range[idx]=$value
    (( idx++ ))
  done < <(seq "$start" "$step" "$end")
}
239 |
# Pin the DUT's ingress NIC interrupts, running set_irq_affinity inside the
# container.
# Arguments: $1 - range of cores to use, or 'all' in case all cores are used
# Globals:   REMOTE_DUT, SET_IRQ_SCRIPT, INGRESS_REMOTE_IFACE_NAME (read)
function set_irq_affinity {
  local cores=$1
  ssh polycube@"$REMOTE_DUT" << EOF
set -x
sudo docker exec bpf-iptables bash -c "$SET_IRQ_SCRIPT $cores $INGRESS_REMOTE_IFACE_NAME"
EOF
}
248 |
#set -e

# ---- command line -----------------------------------------------------------
# -r and -o are mandatory (checked right after the loop); -i / -n replace the
# default pcn-iptables by iptables / nftables.
# NOTE(review): -d only sets TEST_DURATION, which nothing below reads
# (weighttp is run with a fixed request count, not a duration).
while getopts :r:o:d:inh option; do
  case "${option}" in
    h|\?)
      show_help
      exit 0
      ;;
    r) NUMBER_RUNS=${OPTARG}
      ;;
    o) OUT_FILE=${OPTARG}
      ;;
    d) TEST_DURATION=${OPTARG}
      ;;
    i) IPTABLES="iptables"
      ;;
    n) IPTABLES="nftables"
      ;;
    :)
      echo "Option -$OPTARG requires an argument." >&2
      show_help
      exit 0
      ;;
  esac
done

# NOTE(review): the usage errors here and above exit with status 0, so a
# caller cannot tell a refused invocation from a completed run.
if [ -z ${NUMBER_RUNS+x} ]; then
  echo "You should specify the number of runs with the -r option" >&2;
  show_help
  exit 0
fi

if [ -z ${OUT_FILE+x} ]; then
  echo "You should specify the output file with the -o option" >&2;
  show_help
  exit 0
fi

set -x

set -e
# NOTE(review): cleanup runs `set +e` in its body, which switches errexit off
# for the whole script, so the `set -e` just above is effectively undone here.
cleanup

# The results file starts with the version of the firewall under test
# (this truncates any previous content of $OUT_FILE.txt).
if [ ${IPTABLES} == "pcn-iptables" ]; then
  ssh polycube@$REMOTE_DUT "$polycubed --version" > $DIR/"$OUT_FILE.txt"
elif [ ${IPTABLES} == "iptables" ]; then
  ssh polycube@$REMOTE_DUT "sudo iptables --version" > $DIR/"$OUT_FILE.txt"
else
  ssh polycube@$REMOTE_DUT "sudo nft --version" > $DIR/"$OUT_FILE.txt"
fi

# test_range holds the concurrent-client counts to sweep (1-based array)
test_range=()
calculate_range2 $TEST_START_RANGE $TEST_END_RANGE $TEST_STEP

set -x
for run in `seq 1 $NUMBER_RUNS`; do
  echo "Run Number: $run" >> $DIR/"$OUT_FILE.txt"
  ssh polycube@$REMOTE_DUT "uname -r" >> $DIR/"$OUT_FILE.txt"
  echo "" >> $DIR/"$OUT_FILE.txt"

  cleanup_environment

  echo "#####################################################" >> $DIR/"$OUT_FILE.txt"
  echo "# Execute the first test with interrupts set to all #" >> $DIR/"$OUT_FILE.txt"
  echo "#####################################################" >> $DIR/"$OUT_FILE.txt"

  # |& sends stderr through tee as well (bash 4)
  echo "Number of clients, Requests per second" |& tee -a $DIR/"$OUT_FILE.txt"
  for range_value in "${test_range[@]}"; do
    setup_environment
    # NOTE(review): set_irq_affinity "all" is called again right before
    # weighttp below; this first call looks redundant.
    set_irq_affinity "all"

    result_ping=$(check_ping)
    if [ ${result_ping} == "failed" ]; then
      echo "Ping failed. Test aborted..."
      exit 1
    fi

    # rules are loaded detached on the DUT; give them time to settle
    load_rules
    #if [ $IPTABLES == "pcn-iptables" ]; then
    # disable_nft
    # disable_conntrack
    #fi

    sleep 5

    # one weighttp thread per client, capped at 8
    if [ $range_value -lt 8 ]; then
      THREAD_COUNT=$range_value
    else
      THREAD_COUNT=8
    fi

    if [ $range_value -eq 0 ]; then
      range_value=1
      THREAD_COUNT=1
    fi

    if [ $range_value -gt $TEST_END_RANGE ]; then
      echo "Done! Closing..."
      break
    fi

    set_irq_affinity "all"
    # 100000 requests with $range_value concurrent clients; the figure reported
    # below is column 10 of the third-to-last output line -- assumes weighttp's
    # summary layout, TODO confirm.
    # NOTE(review): the capture file has a fixed, predictable name under /tmp;
    # mktemp would avoid clashes with other users of the machine.
    weighttp -n 100000 -c $range_value -t $THREAD_COUNT http://$REMOTE_SERVER_ADDR:$REMOTE_SERVER_PORT/$REMOTE_SERVER_FILE &> /tmp/weighttp_output.txt
    num_lines=$(awk 'END{print NR}' /tmp/weighttp_output.txt)
    num_lines=$(( $num_lines-3 ))
    conn_sec=$(awk 'NR=='$num_lines'{print $10}' /tmp/weighttp_output.txt)
    echo "$range_value, $conn_sec" |& tee -a $DIR/"$OUT_FILE.txt"

    # tear down and let the DUT settle before the next client count
    cleanup_environment
    sleep 120
  done

  sleep 15
done
ssh polycube@$REMOTE_DUT "sudo service docker restart"

exit 0
366 |
--------------------------------------------------------------------------------
/micro-benchmarks/bpf-iptables-overhead/bpf-iptables-overhead-udp/config_dut_routing.sh:
--------------------------------------------------------------------------------
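#!/bin/sh
#
# DUT routing setup for the bpf-iptables overhead (UDP) test: address the two
# NIC ports, enable IPv4 forwarding and keep static ARP entries for the
# addresses 192.168.0.1-11 / 192.168.1.1-11 (presumably the generator's
# addresses, so the DUT never has to resolve them during a run -- confirm
# the MACs below for your setup).  The entries are re-added every 10 s;
# the script runs until killed.

sudo ifconfig enp101s0f0 192.168.0.254/24 up
sudo ifconfig enp101s0f1 192.168.1.254/24 up

sudo ifconfig enp101s0f0 up
sudo ifconfig enp101s0f1 up

sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"

# add_static_arp PREFIX MAC: pin PREFIX.1 .. PREFIX.11 to MAC
add_static_arp() {
  i=1
  while [ "$i" -le 11 ]; do
    sudo arp -s "$1.$i" "$2"
    i=$((i + 1))
  done
}

while true; do
  add_static_arp 192.168.0 3c:fd:fe:af:ec:48
  add_static_arp 192.168.1 3c:fd:fe:af:ec:49

  sleep 10
done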
--------------------------------------------------------------------------------
/micro-benchmarks/bpf-iptables-overhead/bpf-iptables-overhead-udp/rulesets/helpers.bash:
--------------------------------------------------------------------------------
# Every test starts from a fresh polycubed instance when this is true.
declare RELAUNCH_POLYCUBED=true
# Command used to start the daemon (logging switched off).
# TODO: confirm "-l off" really disables all logging
declare polycubed="sudo polycubed -l off"
4 |
# Initialise the bpf-iptables service on the running polycubed (the -xdp
# variant of the init command).  The older init script is kept for reference:
#   $HOME/polycube/services/pcn-iptables/iptables-compatibility/iptables-init.sh
function initialize_pcn_iptables {
  local init_cmd=bpf-iptables-init-xdp
  "$init_cmd"
}
9 |
# Probe the polycubed REST server through polycubectl.
# Outputs: 0 on stdout when it answers, otherwise polycubectl's exit status
function polycubed_is_responding {
  polycubectl ? > /dev/null
  echo "$?"
}
16 |
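# Relaunch polycubed if the daemon is not running.
# Globals:   polycubed (read) - launch command, word-split on purpose
# Outputs:   progress messages on stdout
function polycubed_relaunch_if_not_running {
  # pgrep -x matches the process name exactly, so unlike "ps | grep" it is
  # not fooled by the grep process itself or by similarly named commands.
  if ! pgrep -x polycubed > /dev/null; then
    echo "polycubed not running ..."
    echo "relaunching polycubed ..."
    $polycubed >> /dev/null 2>&1 &
  fi
}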
26 |
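# Launch polycubed (or make sure it is running) and block until its REST
# server answers.  There is no timeout, as before: a daemon that never comes
# up blocks the test run.
# Globals:   RELAUNCH_POLYCUBED, polycubed (read); polycubed_alive (written)
# Outputs:   progress messages on stdout, including the seconds waited
function launch_and_wait_polycubed_is_responding {
  if $RELAUNCH_POLYCUBED; then
    echo "starting polycubed ..."
    $polycubed >> /dev/null 2>&1 &
  else
    # exact process-name match; "ps | grep" could match unrelated processes
    polycubed_alive=$(pgrep -x polycubed)
    if [ -z "$polycubed_alive" ]; then
      echo "polycubed not running ..."
      echo "relaunching polycubed ..."
      $polycubed >> /dev/null 2>&1 &
    fi
  fi

  # poll once per second, relaunching the daemon if it died meanwhile
  local waited=0 status
  while : ; do
    sleep 1
    waited=$((waited + 1))
    status=$(polycubed_is_responding)
    if [ "$status" = "0" ]; then
      break
    fi
    polycubed_relaunch_if_not_running
  done

  if $RELAUNCH_POLYCUBED; then
    echo "starting polycubed in $waited seconds"
  elif [ -z "$polycubed_alive" ]; then
    echo "relaunching polycubed in $waited seconds"
  fi
}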
64 |
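# Kill polycubed and wait until the process is completely gone (its services
# are unloaded on the way out).
# Outputs:   progress messages on stdout, including the seconds waited
function polycubed_kill_and_wait {
  echo "killing polycubed ..."
  sudo pkill polycubed >> /dev/null

  # poll once per second until no process named polycubed is left
  local waited=0
  while : ; do
    sleep 1
    waited=$((waited + 1))
    if ! pgrep -x polycubed > /dev/null; then
      break
    fi
  done
  echo "killing polycubed in $waited seconds"
}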
87 |
# Put the polycube tools on PATH, bring polycubed up and initialise
# pcn-iptables.
function launch_pcn_iptables {
  local go_bin=/home/polycube/go/bin
  local pcn_scripts=/home/polycube/polycube/services/pcn-iptables/scripts
  export PATH="$PATH:$go_bin:$pcn_scripts"
  launch_and_wait_polycubed_is_responding
  initialize_pcn_iptables
}
94 |
--------------------------------------------------------------------------------
/micro-benchmarks/bpf-iptables-overhead/bpf-iptables-overhead-udp/rulesets/nftables-rules/nftables_0.sh:
--------------------------------------------------------------------------------
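#!/bin/bash
# Baseline (0 rules) nftables rule-set: a single counting accept rule on the
# chain named by $CHAIN (exported by the calling rules_*.sh script).
# Globals:   CHAIN (read) - hook chain name, e.g. FORWARD
# Returns:   exits non-zero when CHAIN is unset or empty, so a missing variable
#            cannot silently turn into a malformed nft command line.
: "${CHAIN:?CHAIN must be set (e.g. FORWARD)}"

nft add table ip filter
nft add chain filter "$CHAIN" \{ type filter hook forward priority 0\; policy accept\; \}
nft add rule ip filter "$CHAIN" counter accept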
6 |
--------------------------------------------------------------------------------
/micro-benchmarks/bpf-iptables-overhead/bpf-iptables-overhead-udp/rulesets/rules_0.sh:
--------------------------------------------------------------------------------
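source "${BASH_SOURCE%/*}/helpers.bash"
# usage:
# rules_xxx.sh [iptables|pcn-iptables|nftables] [FORWARD]
#
# Installs the "0 rules" baseline of the bpf-iptables overhead test on the
# selected backend. The chain is fixed to FORWARD; the second argument is only
# accepted for symmetry with the other rules_*.sh scripts.

# set -x
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"

NFTABLES_DIR=nftables-rules
# Holds a whole command line (e.g. "sudo iptables"), hence expanded unquoted.
IPTABLES="sudo iptables"
CHAIN="FORWARD"

echo ""
echo "usage:"
echo "$0 [iptables|pcn-iptables|nftables] [FORWARD]"
echo ""

if [ "$1" == "pcn-iptables" ]; then
  echo "Using bpf-iptables"
  IPTABLES="bpf-iptables"
  launch_pcn_iptables
elif [ "$1" == "nftables" ]; then
  echo "Using nftables"
  IPTABLES="nft"
else
  echo "Using iptables"
  IPTABLES="sudo iptables"
fi

if [ "$1" == "nftables" ]; then
  echo "Loading nftables rules"
  export CHAIN
  # This is the 0-rule script, so load nftables_0.sh (the only script in
  # nftables-rules/); the old target nftables_50.sh does not exist there.
  # exec replaces this shell, nothing after it runs.
  exec "$DIR/$NFTABLES_DIR/nftables_0.sh"
  exit 0
elif [ "$1" == "pcn-iptables" ]; then
  polycubectl pcn-iptables set interactive=false
else
  # The ESTABLISHED rule is added and flushed right away (presumably a leftover
  # from the larger rule-sets); the chain is left empty with its policy only.
  # shellcheck disable=SC2086
  $IPTABLES -A $CHAIN -m conntrack --ctstate ESTABLISHED -j ACCEPT
  # shellcheck disable=SC2086
  $IPTABLES -F $CHAIN
fi

# shellcheck disable=SC2086
$IPTABLES -P $CHAIN ACCEPT

if [ "$1" == "pcn-iptables" ]; then
  polycubectl pcn-iptables chain $CHAIN apply-rules
fi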
47 |
--------------------------------------------------------------------------------
/micro-benchmarks/bpf-iptables-overhead/bpf-iptables-overhead-udp/run-tests-multi-forward.sh:
--------------------------------------------------------------------------------
#!/bin/bash

DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
NOW=$(date +"%m-%d-%Y-%T")

# Remote configurations (DUT) -- adapt to your environment.
REMOTE_DUT=IPADDRESS
# The leading "~" is kept literal on purpose (no expansion in quotes) so that it
# is presumably expanded on the DUT side, where these paths are used.
REMOTE_FOLDER='~/bpf-iptables-tests/micro-benchmarks/bpf-iptables-overhead/bpf-iptables-overhead-udp'
SET_IRQ_SCRIPT='~/bpf-iptables-tests/common-scripts/set_irq_affinity'
DST_MAC_IF0='3cfd:feaf:ec30'
DST_MAC_IF1='3cfd:feaf:ec31'
INGRESS_IFACE_NAME='enp101s0f0'

polycubed='sudo polycubed'
polycubectl="$GOPATH/bin/polycubectl"

# Local configurations (Pkt generator)
FORWARD_TEST_LOG="forward_test.$NOW.log"
PKTGEN_FOLDER="$HOME/dev/pktgen-dpdk"
POLYCUBE_VERSION='none'
IPTABLES='pcn-iptables'
LOCAL_NAME=cube1
LOCAL_DUT=IPADDRESS
START_RATE=50.0

# Rule-set sizes to run; the overhead test only uses the empty rule-set.
declare -a ruleset_values=('0')
27 |
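#######################################
# Specific Test (srcip) Configuration #
#######################################
# Set the packet-range globals (START_/END_ SRC_IP, DST_IP, SPORT, DPORT and
# NUM_IP_SRC/NUM_IP_DST) for the named test case.
# Arguments: $1 - test name; only "0" (the empty rule-set) is supported
# Returns:   exits 1 with a message for an unknown (or empty) test case
function generate_test_configuration() {
  local test_name=${1:-}
  case "$test_name" in
    0)
      START_SRC_IP=192.168.0.2
      END_SRC_IP=192.168.0.11
      NUM_IP_SRC=10
      START_DST_IP=192.168.1.2
      END_DST_IP=192.168.1.11
      NUM_IP_DST=10
      START_SPORT=10100
      END_SPORT=10109
      START_DPORT=8080
      END_DPORT=8089
      ;;
    *)
      # An empty argument used to turn the unquoted "[ $test_name == 0 ]" into
      # a syntax error; it now lands here like any other unknown case.
      echo "Test case not supported"
      exit 1
      ;;
  esac
}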
49 |
50 |
# Print the command-line usage of this script on stdout.
function show_help() {
  local script_name
  script_name=$(basename "$0")
  cat <<EOF
${script_name} [-h] [-r #runs] [-o output_file] [-i|-n]
Run tests of pcn-iptables for the FORWARD chain with a different number of rules

where:
-h show this help text
-r number of runs for the test
-o path to file where the results are placed
-i use iptables
-n use nftables
EOF
}
64 |
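# Kill polycubed and wait until the process has completely gone (all services
# unloaded). NOTE: cleanup_environment ships this function to the DUT with
# "typeset -f", so it must stay self-contained (no other helpers of this file).
# Outputs:   progress messages, including the seconds waited, on stdout
function polycubed_kill_and_wait {
  local i=0
  echo "killing polycubed ..."
  # -x: signal only a process named exactly "polycubed".
  sudo pkill -x polycubed > /dev/null 2>&1
  while : ; do
    sleep 1
    i=$((i+1))
    if ! pgrep -x polycubed >/dev/null 2>&1; then
      echo "killing polycubed in $i seconds"
      break
    fi
  done
}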
87 |
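# Prepare the DUT for one test: restart docker, start the bpf-iptables
# container and, inside it, the routing helper and the rule-set loader.
# Globals:   REMOTE_DUT, REMOTE_FOLDER, IPTABLES (read)
#            CONTAINER_ID (written) - id of the started container, read by
#            cleanup_environment
# Arguments: $1 - rule-set size; selects rulesets/rules_<size>.sh on the DUT
# Note:      the container runs --privileged with host networking and the
#            host's /lib/modules and /usr/src mounted read-only (presumably
#            required to build/load the BPF programs); the DUT is therefore a
#            dedicated benchmark host, not a shared one.
function setup_environment {
  local size=$1
  ssh "polycube@$REMOTE_DUT" "sudo service docker restart"
  CONTAINER_ID=$(ssh "polycube@$REMOTE_DUT" "sudo docker run -id --name bpf-iptables --rm --privileged --network host -v /lib/modules:/lib/modules:ro -v /usr/src:/usr/src:ro -v /etc/localtime:/etc/localtime:ro netgrouppolito/bpf-iptables:latest bash")
  # Unquoted heredoc: $REMOTE_FOLDER, $size and $IPTABLES are expanded here,
  # before the commands are sent to the DUT.
  ssh "polycube@$REMOTE_DUT" << EOF
set -x
sudo docker exec -d bpf-iptables bash -c "exec -a config_dut $REMOTE_FOLDER/config_dut_routing.sh > ~/log 2>&1 &"
sudo docker exec -d bpf-iptables bash -c "$REMOTE_FOLDER/rulesets/rules_$size.sh $IPTABLES FORWARD"
EOF
}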
98 |
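# Tear down the DUT state left by setup_environment: stop polycubed, flush the
# FORWARD chain, stop the routing helper and the container, and drop the
# nftables filter table. Failures of the individual steps are ignored on
# purpose: not every backend leaves every kind of state behind.
# Globals:   REMOTE_DUT (read), CONTAINER_ID (read, may be unset)
# Note:      the unquoted heredoc expands $(typeset -f ...) and ${CONTAINER_ID}
#            locally, so polycubed_kill_and_wait is copied verbatim to the DUT
#            and must stay self-contained. Redirections use the POSIX form so
#            the remote login shell need not be bash.
function cleanup_environment {
  ssh "polycube@$REMOTE_DUT" << EOF
$(typeset -f polycubed_kill_and_wait)
polycubed_kill_and_wait
sudo iptables -F FORWARD
sudo docker exec bpf-iptables bash -c "sudo pkill config_dut"
sudo docker stop ${CONTAINER_ID:-} > /dev/null 2>&1
sudo docker rm -f bpf-iptables > /dev/null 2>&1
sudo nft flush table ip filter > /dev/null 2>&1
sudo nft delete table ip filter > /dev/null 2>&1
EOF
}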
111 |
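# Block until the DUT accepts ssh connections (used after reboot_remote_dut).
# Globals:   REMOTE_DUT (read)
# Note:      always sleeps 5 s after the last (successful) attempt, exactly as
#            before, so the host has settled when the caller continues.
function wait_for_remote_machine {
  # ConnectTimeout keeps one attempt from hanging for the whole TCP timeout
  # while the host is still down.
  until ssh -q -o ConnectTimeout=10 "polycube@$REMOTE_DUT" exit; do
    sleep 5
  done
  sleep 5
}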
122 |
# Reboot the DUT; follow with wait_for_remote_machine to wait for it to return.
# Globals:   REMOTE_DUT (read)
function reboot_remote_dut {
  # Quoted delimiter: the remote commands contain nothing to expand locally.
  ssh "polycube@$REMOTE_DUT" <<'EOF'
set -x
sudo reboot
EOF
}
129 |
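# Report whether a conntrack kernel module is loaded on the DUT.
# Globals:   REMOTE_DUT (read)
# Outputs:   "enabled" or "disabled" on stdout
function check_conntrack {
  local loaded result
  loaded=$(ssh "polycube@$REMOTE_DUT" "lsmod | grep conntrack")
  # The test used to read [ -z "$enabled"] (no space before the bracket), a
  # syntax error that made the function always report "enabled".
  if [ -z "$loaded" ]; then
    result='disabled'
  else
    result='enabled'
  fi
  echo "$result"
}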
141 |
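# Disable connection tracking on the DUT: run the disable script, then unload
# the listed netfilter/ipset modules.
# Globals:   REMOTE_DUT, REMOTE_CONNTRACK_SCRIPT_FOLDER (read)
# Returns:   1 without touching the DUT when REMOTE_CONNTRACK_SCRIPT_FOLDER is
#            unset or empty. The variable is not defined anywhere in this
#            script (presumably the common-scripts folder is meant); an empty
#            value used to run "sudo /disable.sh" on the DUT.
function disable_conntrack {
  if [ -z "${REMOTE_CONNTRACK_SCRIPT_FOLDER:-}" ]; then
    printf '%s\n' "disable_conntrack: REMOTE_CONNTRACK_SCRIPT_FOLDER is not set" >&2
    return 1
  fi
  ssh "polycube@$REMOTE_DUT" << EOF
sudo $REMOTE_CONNTRACK_SCRIPT_FOLDER/disable.sh
sudo rmmod iptable_nat
sudo rmmod ipt_MASQUERADE
sudo rmmod nf_nat_ipv4
sudo rmmod nf_nat
sudo rmmod xt_conntrack
sudo rmmod nf_conntrack_netlink
sudo rmmod nf_conntrack
sudo rmmod iptable_filter
sudo rmmod ip_tables
sudo rmmod nf_defrag_ipv6
sudo rmmod nf_defrag_ipv4
sudo rmmod x_tables
sudo rmmod ip_set_hash_ipport
sudo rmmod ip_set
EOF
}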
161 |
# Unload the nftables kernel modules on the DUT.
# Globals:   REMOTE_DUT (read)
function disable_nft {
  # Quoted delimiter: nothing in the remote commands needs local expansion.
  ssh "polycube@$REMOTE_DUT" <<'EOF'
sudo rmmod nft_counter
sudo rmmod nft_ct
sudo rmmod nf_tables
EOF
}
169 |
# Best-effort teardown: switch errexit off so a failing step cannot abort the
# run, then clean the DUT.
cleanup() {
  set +e
  cleanup_environment
}
174 |
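# Pin the interrupts of the DUT's ingress NIC.
# Globals:   REMOTE_DUT, SET_IRQ_SCRIPT, INGRESS_IFACE_NAME (read)
# Arguments: $1 - range of cores to use, or "all" for every core
function set_irq_affinity {
  local cores=$1
  # Unquoted heredoc: the variables are expanded locally before the command
  # line is sent to the DUT.
  ssh "polycube@$REMOTE_DUT" << EOF
set -x
sudo docker exec bpf-iptables bash -c "$SET_IRQ_SCRIPT $cores $INGRESS_IFACE_NAME"
EOF
}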
183 |
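# Write ${PKTGEN_FOLDER}/config.lua, the configuration read by the pktgen Lua
# test script (the old comment mentioned swagger-codegen, which is unrelated).
# Globals:   PKTGEN_FOLDER, NOW, DST_MAC_IF0, DST_MAC_IF1, NUMBER_RUNS,
#            START_/END_ SRC_IP, DST_IP, SPORT, DPORT, START_RATE (read)
# Arguments: $1 - value written as simple_test (0 or 1)
# Returns:   1 with a diagnostic when PKTGEN_FOLDER is unset or not a directory
function generate_pktgen_config_file {
  local simple_test=$1
  if [ ! -d "${PKTGEN_FOLDER:-}" ]; then
    printf '%s\n' "generate_pktgen_config_file: PKTGEN_FOLDER is not a directory: ${PKTGEN_FOLDER:-}" >&2
    return 1
  fi
  # Unquoted heredoc: every ${...} below is expanded locally.
  cat > "${PKTGEN_FOLDER}/config.lua" << EOF
-- config.lua
-- Automatically generated at ${NOW}

local _M = {}

_M.test = {
  dstMac0 = "${DST_MAC_IF0}",
  dstMac1 = "${DST_MAC_IF1}",
  num_runs = ${NUMBER_RUNS},
  simple_test = ${simple_test},
  startSrcIP = "${START_SRC_IP}",
  endSrcIP = "${END_SRC_IP}",
  startDstIP = "${START_DST_IP}",
  endDstIP = "${END_DST_IP}",
  startSport = ${START_SPORT},
  endSport = ${END_SPORT},
  startDport = ${START_DPORT},
  endDport = ${END_DPORT},
  startRate = ${START_RATE},
}

return _M
EOF
}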
211 |
#set -e

# Option parsing. -r and -o are mandatory (checked below); -i / -n switch the
# backend away from the default pcn-iptables. Note that every usage path,
# including the error ones, exits with status 0.
while getopts :r:o:inh option; do
  case "${option}" in
    h|\?)
      show_help
      exit 0
      ;;
    r) NUMBER_RUNS=${OPTARG}
      ;;
    o) OUT_FILE=${OPTARG}
      ;;
    i) IPTABLES="iptables"
      ;;
    n) IPTABLES="nftables"
      ;;
    :)
      echo "Option -$OPTARG requires an argument." >&2
      show_help
      exit 0
      ;;
  esac
done

# Start from a clean per-run log (the name embeds $NOW, see the top of file).
if [ -f $FORWARD_TEST_LOG ]; then
  rm $FORWARD_TEST_LOG
fi

if [ -z ${NUMBER_RUNS+x} ]; then
  echo "You should specify the number of runs with the -r option" >&2;
  show_help
  exit 0
fi

if [ -z ${OUT_FILE+x} ]; then
  echo "You should specify the output file with the -o option" >&2;
  show_help
  exit 0
fi

# Trace every command from here on, including the ssh command lines.
set -x

for size in "${ruleset_values[@]}"; do
  set +e

  generate_test_configuration $size

  # NOTE(review): cleanup() runs "set +e" itself, so errexit is switched off
  # again right here and stays off for the rest of the iteration (a failing
  # cd or pktgen invocation below does not abort the run).
  set -e
  cleanup

  # Results file: backend version, then kernel release, then the pktgen CSV.
  if [ ${IPTABLES} == "pcn-iptables" ]; then
    ssh polycube@$REMOTE_DUT "$polycubed --version" > $DIR/"$OUT_FILE-$size.txt"
  elif [ ${IPTABLES} == "iptables" ]; then
    ssh polycube@$REMOTE_DUT "sudo iptables --version" > $DIR/"$OUT_FILE-$size.txt"
  else
    ssh polycube@$REMOTE_DUT "sudo nft --version" > $DIR/"$OUT_FILE-$size.txt"
  fi

  echo "Processing size: $size" >> $DIR/"$OUT_FILE-$size.txt"
  ssh polycube@$REMOTE_DUT "uname -r" >> $DIR/"$OUT_FILE-$size.txt"
  echo "" >> $DIR/"$OUT_FILE-$size.txt"
  #####################################################
  # Execute the first test with interrupts set to all #
  #####################################################
  START_RATE=50.0
  setup_environment $size
  set_irq_affinity "all"

  sleep 5
  # 0 = simple_test off in config.lua; the Lua script decides what that means.
  generate_pktgen_config_file 0

  #if [ ${IPTABLES} == "pcn-iptables" ]; then
  # disable_nft
  # disable_conntrack
  #fi

  # pktgen must run from its own folder; the cd is not checked (see note above
  # on errexit), so a wrong PKTGEN_FOLDER runs pktgen from $DIR instead.
  cd $PKTGEN_FOLDER
  sudo ./app/x86_64-native-linuxapp-gcc/pktgen -c ff -n 4 --proc-type auto --file-prefix pg -- -T -P -m "[1:2/3/4/5].0, [6/7].1" -f $DIR/bpf-iptables-overhead.lua
  sleep 5

  # The Lua script writes its results next to the pktgen binary.
  cat "pcn-iptables-forward.csv" >> $DIR/"$OUT_FILE-$size.txt"

  cleanup_environment
  sleep 30
  cd $DIR
done

ssh polycube@$REMOTE_DUT "sudo service docker restart"
exit 0
301 |
--------------------------------------------------------------------------------
/micro-benchmarks/xdp-vs-tc-ingress/README:
--------------------------------------------------------------------------------
1 | Command used on the client side to generate reports:
2 |
3 | cat ../iperf | parallel sudo iperf -c {} -e -t 30 |& tee report-{n}.txt
4 |
5 | On the server side I ran iperf in server mode with the following command:
6 |
7 | sudo iperf -s -D
8 |
9 | Then I took the PID of the process and pinned it with taskset so that it is not executed on core 1, where the firewall runs.
10 |
11 | sudo taskset -cp 2-13 {IPERF_PID}
12 |
13 | Finally, I set the interrupts for the ingress NIC to core #1
14 |
--------------------------------------------------------------------------------
/realistic-scenarios/ddos-mitigator/README.md:
--------------------------------------------------------------------------------
1 | # DDoS Mitigation Performance
2 |
3 | This test evaluates the performance of the system under a DDoS attack, a scenario that exercises an optimization provided by `bpf-iptables` thanks to the `HORUS` analysis (described in the paper).
4 |
5 | ## Rule-sets
6 |
7 | The rule-sets used for this test can be found in the [rulesets](./rulesets) folder.
8 | We used a fixed set of rules (i.e., 1000) matching on IP source, protocol and L4 source port, `DROP` action.
9 | Two additional rules involve the connection tracking to guarantee the reachability of internal servers; (*i*) *accepts* all the `ESTABLISHED` connections and (*ii*) *accepts* all the `NEW` connection with destination L4 port 80.
10 |
11 | ## Test description
12 |
13 | The packet generator sends 64Bytes UDP packets towards the server with the same set of source IP addresses and L4 ports configured in the set of blacklisting rules.
14 | DDoS traffic is sent on a first port connected to the DUT, while a `weighttp` client sends traffic on a second port, simulating a legitimate traffic towards a `nginx` server running in the DUT.
15 | `Weighttp` generates 1M HTTP requests using 1000 concurrent clients; we report the number of successfully completed requests/s, with a timeout of 5 seconds, varying the rate of DDoS traffic.
16 |
17 | ### Setup
18 |
19 | The packet generator and the DUT should be connected to each other through an XDP-compatible NIC.
20 | The first interface of the generator is connected to the first interface of the DUT and is attached to DPDK, so that `pktgen-dpdk` can be used to generate the DDoS traffic.
21 | The second interface of the generator is directly attached to the second interface of the DUT and is used to generate the legitimate traffic (we suggest using a separate machine to generate the legitimate traffic, in order to avoid interference with the malicious traffic generator).
22 |
23 | In addition, both machines should be able to communicate at IP level through an additional interface. The IP addresses of those interfaces should be configured in the following scripts.
24 |
25 | The test requires an `nginx` server running on the remote DUT.
26 | Moreover, you need to create a file named `static_file` and place it under the default web server folder. For the tests described in our paper we used a 100MB file generated with this command.
27 | ```bash
28 | $ dd if=/dev/zero of=static_file count=1024 bs=102400
29 | ```
30 |
31 | On the generator machine, it is necessary to install `weighttp`, which can be downloaded at [this](https://github.com/lighttpd/weighttp.git) url.
32 | Follow the instructions provided to install the tool.
33 |
34 | To correctly replicate the results you need to increase the limit of file descriptors opened by a single process.
35 | To do this you can use the `sysctl.conf.generator` and the `sysctl.conf.dut` file available under this folder.
36 | To apply the configuration type:
37 | ```bash
38 | $ sudo sysctl -p sysctl.conf.generator
39 | ```
40 | on the generator and
41 | ```bash
42 | $ sudo sysctl -p sysctl.conf.dut
43 | ```
44 | on the DUT.
45 |
46 | ### Scripts
47 |
48 | This folder contains a single script [run-tests](./run-tests.sh) that is used to execute the test, which can be configured by passing the correct parameters through the command line, for example:
49 |
50 | ```bash
51 | $ ./run-tests.sh -h
52 | run-tests.sh [-h] [-r \#runs] [-o output_file] [-i|-n|-s|-d]
53 | Run tests of pcn-iptables for the INPUT chain with a different number of rules
54 |
55 | where:
56 | -h show this help text
57 | -r number of runs for the test
58 | -o path to file where the results are placed
59 | -i use iptables
60 | -n use nftables
61 | -s use ipset
62 | -d use nft_set
63 | ```
64 |
65 | In addition, you should modify the script with the correct IP addresses and folders used in your environment. The parameters that should be set are the following:
66 |
67 | ```bash
68 | # Remote configurations (DUT)
69 | REMOTE_DUT=1.1.1.1 (IP Address of the DUT)
70 | REMOTE_FOLDER="~/bpf-iptables-tests/realistic-scenarios/ddos-mitigator"
71 | DST_MAC_IF0="3cfd:feaf:ec30" (MAC of the receiver interface of the DUT)
72 | DST_MAC_IF1="3cfd:feaf:ec31"
73 | INGRESS_REMOTE_IFACE_NAME="enp101s0f0" (Name of the receiver interface of the DUT)
74 | EGRESS_REMOTE_IFACE_NAME="enp101s0f1"
75 |
76 | # Local configurations (Pkt generator)
77 | PKTGEN_FOLDER="$HOME/dev/pktgen-dpdk"
78 | INGRESS_LOCAL_IFACE_NAME="enp1s0f0"
79 | EGRESS_LOCAL_IFACE_NAME="enp1s0f1"
80 | LOCAL_NAME=cube1 (Name of the user in the pkt generator machine)
81 | LOCAL_DUT=IPADDRESS (IP address of the pkt generator machine)
82 | ```
83 |
84 | For example, to execute a single run of the multi-core test using `bpf-iptables` you should execute the following command:
85 |
86 | ```bash
87 | $ ./run-tests.sh -r 1 -o bpf-iptables-results
88 | ```
89 |
90 |
--------------------------------------------------------------------------------
/realistic-scenarios/ddos-mitigator/config_dut_routing.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Keeps the generator's source addresses resolvable on the DUT by installing
# static ARP entries for them (see the loop at the bottom of the file).

# First source address as four octets; consecutive addresses follow it.
declare -a START_IP_SRC=(192 168 0 2)

NUM_IP_SRC=40
# 1 = remove the entries instead of adding them (option -r).
DELETE_ENTRIES=0

sudo ifconfig enp101s0f0 192.168.0.1/22 up
sudo ifconfig enp101s0f1 10.10.10.1/24 up

#sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
12 |
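#######################################
# Convert a dotted-decimal IPv4 address to its unsigned integer value.
# Arguments: $1 - address in a.b.c.d form (octet range is not validated,
#            as before; leading zeros are read as decimal, not octal)
# Outputs:   the integer on stdout
# Returns:   1 and prints nothing when $1 is not four dot-separated numbers
#            (the original produced garbage or an arithmetic error instead)
#######################################
function ip_to_int() {
  local ip=$1 octet
  local -i value=0
  local -a octets
  if [[ ! "$ip" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
    return 1
  fi
  IFS=. read -r -a octets <<< "$ip"
  # Shift the value accumulated so far by one octet and add the next one.
  for octet in "${octets[@]}"; do
    value=$(( (value << 8) + 10#$octet ))
  done
  echo "$value"
}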
22 |
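#######################################
# Convert a non-negative integer to dotted-decimal IPv4 form (inverse of
# ip_to_int).
# Arguments: $1 - the integer; bits above the low 32 are ignored, as before
# Outputs:   a.b.c.d followed by a newline on stdout
#######################################
function int_to_ip() {
  local -i value=$1
  # One printf instead of four "echo -n" calls (echo -n is not portable).
  printf '%d.%d.%d.%d\n' \
    $(( (value >> 24) & 255 )) \
    $(( (value >> 16) & 255 )) \
    $(( (value >> 8) & 255 )) \
    $(( value & 255 ))
}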
30 |
31 |
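# Usage text for the options parsed below. The original called show_help
# without ever defining it, which failed with "command not found".
show_help() {
  printf 'Usage: %s [-h] [-s #src_ips] [-r] [-o outfile]\n' "${0##*/}"
  printf '  -s  number of consecutive source IPs to handle (default %s)\n' "$NUM_IP_SRC"
  printf '  -r  delete the ARP entries instead of adding them\n'
  printf '  -o  output file (accepted, but not used by this script)\n'
  printf '  -h  show this help\n'
}

while getopts :o:s:rh option; do
  case "${option}" in
    h|\?)
      show_help
      exit 0
      ;;
    o) OUT_FILE=${OPTARG}
      ;;
    s) NUM_IP_SRC=${OPTARG}
      ;;
    r) DELETE_ENTRIES=1
      ;;
    :)
      echo "Option -$OPTARG requires an argument." >&2
      show_help
      exit 0
      ;;
  esac
done

# MAC address the static ARP entries map the source IPs to.
GENERATOR_MAC="3c:fd:fe:af:ec:48"

# Install (or, with -r, remove) a static ARP entry for each source IP. When
# adding, the loop repeats every 25 s so the entries are kept in place for the
# whole test; with -r it runs once.
while true; do
  NEW_IP_SRC=$( IFS=$'.'; echo "${START_IP_SRC[*]}" )
  for (( i = 1; i <= NUM_IP_SRC; i++ )); do
    if [ "$DELETE_ENTRIES" -eq 0 ]; then
      sudo arp -s "${NEW_IP_SRC}" "$GENERATOR_MAC"
    else
      sudo arp -d "${NEW_IP_SRC}"
    fi
    NEW_IP_SRC=$(int_to_ip $(( $(ip_to_int "$NEW_IP_SRC") + 1 )))
  done

  if [ "$DELETE_ENTRIES" -eq 1 ]; then
    break
  fi
  sleep 25
done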
68 |
--------------------------------------------------------------------------------
/realistic-scenarios/ddos-mitigator/ddos-mitigator.lua:
--------------------------------------------------------------------------------
-- RFC2544 Throughput Test
-- as defined by https://www.ietf.org/rfc/rfc2544.txt
-- NOTE: main() below only drives the simple (fixed-rate, single run) path;
-- several of the rate/duration parameters are not referenced anywhere else
-- in this file.
package.path = package.path ..";?.lua;test/?.lua;app/?.lua;../?.lua"
require "Pktgen";
require "os";

-- config.lua is written by the run-tests shell script into the pktgen folder;
-- its config.test table overrides the defaults below (configureGlobalVariable).
local config = require "config";

-- define packet sizes to test
-- local pkt_sizes = { 64, 128, 256, 512, 1024, 1280, 1518 };
local pkt_sizes = { 64 };
-- Time to transmit for, in milliseconds (runTrial divides by 1000 to get
-- seconds and passes the raw value to pktgen.delay)
local duration = 15000;
local durationSimpleTest = 60000;
local confirmDuration = 60000;
local intraRunTime = 15000;
local pauseTime = 1000;
local pauseWarmUp = 1000;
local warmDuration = 1000;
local runNum = 5;
-- set to true by configureGlobalVariable() when config.test.simple_test == 1
local simpleTest = false;

-- define the ports in use
local sendport = "0";

-- ip addresses to use
local dstip = "192.168.1.1";
local srcip = "192.168.0.1";
local netmask = "/24";
local remoteDstMAC0 = "3cfd:feaf:ec30"
local remoteDstMAC1 = "3cfd:feaf:ec31"

--src and dest l4 ports
local dstport = "0x5678"
local srcport = "0x9988"

-- rate in % of line rate; overridden by config.test.startRate when present
local initialRate = 50.0;
local warmUpRate = 0.01;
local maxLossRate = 0.011;
local rateThreshold = 0.01;

--specific test (rule-complexity) configuration
--the configuration is read from the config file
local startSrcIP = "0.0.0.0"
local endSrcIP = "0.0.0.0"
local startDstIP = "0.0.0.0"
local endDstIP = "0.0.0.0"
local startSport = 0
local endSport = 0
local startDport = 0
local endDport = 0
52 |
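-- Configure the send port: destination MAC, IP ranges, UDP port ranges and a
-- fixed packet size, then switch pktgen to an unbounded stream.
-- Reads the module-level range variables (startSrcIP, endSrcIP, ...) that
-- configureGlobalVariable() fills from config.test.
local function setupTraffic()
  printf("Setup Traffic\n");
  pktgen.set_mac(sendport, remoteDstMAC0);

  pktgen.set_ipaddr(sendport, "dst", dstip);
  pktgen.set_ipaddr(sendport, "src", srcip..netmask);

  pktgen.set_range(sendport, "on");

  pktgen.delay(1000);
  pktgen.src_ip(sendport, "start", startSrcIP);
  pktgen.src_ip(sendport, "inc", "0.0.0.1");
  pktgen.src_ip(sendport, "min", startSrcIP);
  pktgen.src_ip(sendport, "max", endSrcIP);

  pktgen.delay(1000);
  pktgen.dst_ip(sendport, "start", startDstIP);
  pktgen.dst_ip(sendport, "inc", "0.0.0.1");
  pktgen.dst_ip(sendport, "min", startDstIP);
  pktgen.dst_ip(sendport, "max", endDstIP);

  pktgen.ip_proto(sendport, "udp");

  pktgen.delay(1000);
  pktgen.src_port(sendport, "start", startSport);
  pktgen.src_port(sendport, "inc", 1);
  pktgen.src_port(sendport, "min", startSport);
  pktgen.src_port(sendport, "max", endSport);

  pktgen.delay(1000);
  pktgen.dst_port(sendport, "start", startDport);
  pktgen.dst_port(sendport, "inc", 1);
  pktgen.dst_port(sendport, "min", startDport);
  pktgen.dst_port(sendport, "max", endDport);

  -- Fixed 68-byte frames: start/inc/min/max like every other range above.
  -- The last two calls used to set "start" a second and third time, leaving
  -- min/max at whatever pktgen defaults to.
  pktgen.pkt_size(sendport,"start", 68);
  pktgen.pkt_size(sendport,"inc", 0);
  pktgen.pkt_size(sendport,"min", 68);
  pktgen.pkt_size(sendport,"max", 68);

  pktgen.dst_mac(sendport, "start", remoteDstMAC0);
  pktgen.dst_mac(sendport, "inc", "0000:0000:0000");
  pktgen.dst_mac(sendport, "min", "0000:0000:0000");
  pktgen.dst_mac(sendport, "max", "0000:0000:0000");

  -- set Pktgen to send continuous stream of traffic
  pktgen.set(sendport, "count", 0);
end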
101 |
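-- Run one trial at `rate` (% of line rate) for `duration` milliseconds and
-- report how many packets were transmitted.
-- Returns a table { spkts = packets sent, mpps = millions of packets/s }.
local function runTrial(rate, duration, count)
  local results = {spkts = 0, mpps = 0.0}
  local duration_sec = duration / 1000
  printf("Setting rate to %f \n", rate);
  print("Setting rate to " .. rate);
  pktgen.clr();

  pktgen.set(sendport, "rate", rate);
  pktgen.start(sendport);

  -- duration_sec is in seconds, so it is labelled as such (was "mS").
  print("Running trial " .. count .. ". % Rate: " .. rate .. ". Duration (s):" .. duration_sec);

  pktgen.delay(duration);
  pktgen.stop(sendport);
  pktgen.delay(pauseTime);

  -- local: the original leaked statTx as a global.
  local statTx = pktgen.portStats(sendport, "port")[tonumber(sendport)];
  local num_tx = statTx.opackets;
  results.spkts = num_tx
  results.mpps = num_tx / 10^6 / duration_sec

  print("Tx: " .. num_tx .. ". Mpps: " .. results.mpps .. "\n");

  pktgen.delay(pauseTime);

  return results;
end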
130 |
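-- Single trial at startRate for durationSimpleTest ms; appends the achieved
-- transmit rate to the global `file` opened by main().
local function runSimpleTest(startRate)
  -- local: the original leaked `result` (and an unused `str`) as globals.
  local result
  printf("Start rate %f\n", startRate);
  result = runTrial(startRate, durationSimpleTest, 1);
  print("Sent Mpps: " .. result.mpps .. "\n");
  file:write("Pktgen Sent Mpps: " .. result.mpps .. "\n");
end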
139 |
-- True when `table` holds a non-nil value under `key`.
function tableHasKey(table, key)
  if table[key] == nil then
    return false
  end
  return true
end
143 |
-- Copy the settings of config.test over the script defaults.
local function configureGlobalVariable()
  local t = config.test
  remoteDstMAC0 = t.dstMac0
  remoteDstMAC1 = t.dstMac1
  runNum = t.num_runs

  -- simple_test is written as the number 0/1 by the generating shell script;
  -- any other value leaves the default untouched.
  simpleTest = (t.simple_test == 1) or simpleTest

  startSrcIP, endSrcIP = t.startSrcIP, t.endSrcIP
  startDstIP, endDstIP = t.startDstIP, t.endDstIP
  startSport, endSport = t.startSport, t.endSport
  startDport, endDport = t.startDport, t.endDport

  if tableHasKey(t, "startRate") then
    initialRate = t.startRate
  end
end
166 |
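-- Entry point: open the results file, apply config.test when present and run
-- the simple test once per packet size.
-- (The old comment about a "first parameter" was stale: main takes no
-- arguments; whether the simple test runs is decided by config.test.simple_test.)
function main()
  local file_name = "pcn-iptables-forward.csv";

  -- `file` is a global on purpose: runSimpleTest() writes to it.
  local err
  file, err = io.open(file_name, "w+");
  if file == nil then
    error("cannot open " .. file_name .. ": " .. tostring(err));
  end

  if tableHasKey(config, "test") then
    configureGlobalVariable();
  end

  -- NOTE(review): `size` is never passed on; setupTraffic() hard-codes 68-byte
  -- frames, so every entry of pkt_sizes runs the same traffic.
  for _,size in pairs(pkt_sizes)
  do
    setupTraffic();
    if simpleTest then
      runSimpleTest(initialRate);
    end
  end

  file:write("\n");
  file:flush();
  file:close();
end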
190 |
-- Run the test, then shut pktgen down so the calling shell script continues.
main()
pktgen.quit()
193 |
--------------------------------------------------------------------------------
/realistic-scenarios/ddos-mitigator/rulesets/helpers.bash:
--------------------------------------------------------------------------------
# Every test starts from a freshly launched polycubed instance.
RELAUNCH_POLYCUBED=true
# Daemon command line: logging off, REST API bound to 0.0.0.0 (presumably so
# that it can be reached from outside the container). That exposes the control
# API on every interface of the DUT, so keep the DUT on an isolated test
# network.
polycubed='sudo polycubed -l off -a 0.0.0.0'
4 |
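#######################################
# Initialise pcn-iptables through the bpf-iptables-init-xdp helper script and
# enable the HORUS optimisation used by the DDoS test.
# Globals:   PATH (read) - the helper is resolved from it
# Arguments: none
# Returns:   127 with a diagnostic on stderr when the helper is not on PATH,
#            otherwise the exit status of the polycubectl call
#######################################
function initialize_pcn_iptables {
  # Report the missing helper explicitly instead of a bare "command not found".
  if ! command -v bpf-iptables-init-xdp >/dev/null 2>&1; then
    printf '%s\n' "initialize_pcn_iptables: bpf-iptables-init-xdp not found in PATH" >&2
    return 127
  fi
  bpf-iptables-init-xdp
  polycubectl iptables pcn-iptables set horus=ON
  # $HOME/polycube/services/pcn-iptables/iptables-compatibility/iptables-init.sh
}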
10 |
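# Check whether the polycubed REST server answers.
# Outputs:   the exit status of "polycubectl ?" on stdout (0 = responding)
function polycubed_is_responding {
  local ret
  # '?' is quoted: unquoted it is a glob and would be replaced by the name of
  # any one-character file in the current directory.
  polycubectl '?' > /dev/null
  ret=$?
  echo "$ret"
}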
17 |
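# Relaunch polycubed if the daemon is not running.
# Globals:   polycubed (read) - command line used to start the daemon
# Outputs:   progress messages on stdout
function polycubed_relaunch_if_not_running {
  # pgrep -x matches the exact process name; "ps | grep" could also match any
  # other process whose name merely contains "polycubed".
  if ! pgrep -x polycubed >/dev/null 2>&1; then
    echo "polycubed not running ..."
    echo "relaunching polycubed ..."
    # Deliberately unquoted: $polycubed holds a whole command line to split.
    # shellcheck disable=SC2086
    $polycubed >> /dev/null 2>&1 &
  fi
}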
27 |
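# Launch polycubed (or make sure it is running) and block until its REST
# server answers.
# Globals:   RELAUNCH_POLYCUBED (read) - "true" always starts a fresh daemon
#            polycubed (read) - command line used to start the daemon
#            polycubed_alive (written) - non-empty when the daemon was already
#            running and RELAUNCH_POLYCUBED is false
# Outputs:   progress messages, including the seconds waited, on stdout
function launch_and_wait_polycubed_is_responding {
  local i=0
  if $RELAUNCH_POLYCUBED; then
    echo "starting polycubed ..."
    # shellcheck disable=SC2086
    $polycubed >> /dev/null 2>&1 &
  else
    polycubed_alive=$(pgrep -x polycubed)
    if [ -z "$polycubed_alive" ]; then
      echo "polycubed not running ..."
      echo "relaunching polycubed ..."
      # shellcheck disable=SC2086
      $polycubed >> /dev/null 2>&1 &
    fi
  fi

  # Poll once per second; if the daemon died before answering, start it again.
  while : ; do
    sleep 1
    i=$((i+1))
    if [[ "$(polycubed_is_responding)" -eq 0 ]]; then
      if $RELAUNCH_POLYCUBED; then
        echo "starting polycubed in $i seconds"
      elif [ -z "$polycubed_alive" ]; then
        echo "relaunching polycubed in $i seconds"
      fi
      break
    fi
    polycubed_relaunch_if_not_running
  done
}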
65 |
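# Kill polycubed and wait until the process has completely gone (all services
# unloaded).
# Outputs:   progress messages, including the seconds waited, on stdout
function polycubed_kill_and_wait {
  local i=0
  echo "killing polycubed ..."
  # -x: signal only a process named exactly "polycubed", never one whose name
  # merely contains it.
  sudo pkill -x polycubed >> /dev/null
  while : ; do
    sleep 1
    i=$((i+1))
    if ! pgrep -x polycubed >/dev/null 2>&1; then
      echo "killing polycubed in $i seconds"
      break
    fi
  done
}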
88 |
# Put the polycube tools on PATH, bring polycubed up and initialise
# pcn-iptables.
function launch_pcn_iptables {
  local go_bin=/home/polycube/go/bin
  local pcn_scripts=/home/polycube/polycube/services/pcn-iptables/scripts
  export PATH="$PATH:$go_bin:$pcn_scripts"
  launch_and_wait_polycubed_is_responding
  initialize_pcn_iptables
}
95 |
--------------------------------------------------------------------------------
/realistic-scenarios/ddos-mitigator/sum_iptables_output.awk:
--------------------------------------------------------------------------------
# Sum packet counters: field 5 of the first record, field 1 of every record
# after the second; the second record (presumably a column header) is skipped.
BEGIN { total = 0 }
NR == 1 { total += $5; next }
NR == 2 { next }
{ total += $1 }
END { print total }
14 |
--------------------------------------------------------------------------------
/realistic-scenarios/ddos-mitigator/sum_nftables_output.awk:
--------------------------------------------------------------------------------
# Sum every number that directly follows the word "packets" in the input
# (nft counter output), one or more occurrences per record.
BEGIN { total = 0 }
{
  for (i = 1; i <= NF; ++i)
    if ($i == "packets")
      total += $(i + 1)
}
END { print total }
16 |
--------------------------------------------------------------------------------
/realistic-scenarios/ddos-mitigator/sum_pcn_iptables_output.awk:
--------------------------------------------------------------------------------
# Sum field 3 of every record, then add field 4 of the last record before
# printing ($4 in END still refers to the last record read).
BEGIN { total = 0 }
{ total += $3 }
END { print total + $4 }
11 |
--------------------------------------------------------------------------------
/realistic-scenarios/ddos-mitigator/sysctl.conf.dut:
--------------------------------------------------------------------------------
1 | #
2 | # /etc/sysctl.conf - Configuration file for setting system variables
3 | # See /etc/sysctl.d/ for additional system variables.
4 | # See sysctl.conf (5) for information.
5 | #
6 |
7 | #kernel.domainname = example.com
8 |
9 | # Uncomment the following to stop low-level messages on console
10 | #kernel.printk = 3 4 1 3
11 |
12 | ##############################################################3
13 | # Functions previously found in netbase
14 | #
15 |
16 | # Uncomment the next two lines to enable Spoof protection (reverse-path filter)
17 | # Turn on Source Address Verification in all interfaces to
18 | # prevent some spoofing attacks
19 | #net.ipv4.conf.default.rp_filter=1
20 | #net.ipv4.conf.all.rp_filter=1
21 |
22 | # Uncomment the next line to enable TCP/IP SYN cookies
23 | # See http://lwn.net/Articles/277146/
24 | # Note: This may impact IPv6 TCP sessions too
25 | #net.ipv4.tcp_syncookies=1
26 |
27 | # Uncomment the next line to enable packet forwarding for IPv4
28 | #net.ipv4.ip_forward=1
29 |
30 | # Uncomment the next line to enable packet forwarding for IPv6
31 | # Enabling this option disables Stateless Address Autoconfiguration
32 | # based on Router Advertisements for this host
33 | #net.ipv6.conf.all.forwarding=1
34 |
35 |
36 | ###################################################################
37 | # Additional settings - these settings can improve the network
38 | # security of the host and protect against some network attacks
39 | # including spoofing attacks and man in the middle attacks through
40 | # redirection. Some network environments, however, require that these
41 | # settings are disabled so review and enable them as needed.
42 | #
43 | # Do not accept ICMP redirects (prevent MITM attacks)
44 | #net.ipv4.conf.all.accept_redirects = 0
45 | #net.ipv6.conf.all.accept_redirects = 0
46 | # _or_
47 | # Accept ICMP redirects only for gateways listed in our default
48 | # gateway list (enabled by default)
49 | # net.ipv4.conf.all.secure_redirects = 1
50 | #
51 | # Do not send ICMP redirects (we are not a router)
52 | #net.ipv4.conf.all.send_redirects = 0
53 | #
54 | # Do not accept IP source route packets (we are not a router)
55 | #net.ipv4.conf.all.accept_source_route = 0
56 | #net.ipv6.conf.all.accept_source_route = 0
57 | #
58 | # Log Martian Packets
59 | #net.ipv4.conf.all.log_martians = 1
60 | #
61 |
62 | ###################################################################
63 | # Magic system request Key
64 | # 0=disable, 1=enable all
65 | # Debian kernels have this set to 0 (disable the key)
66 | # See https://www.kernel.org/doc/Documentation/sysrq.txt
67 | # for what other values do
68 | #kernel.sysrq=1
69 |
70 | ###################################################################
71 | # Protected links
72 | #
73 | # Protects against creating or following links under certain conditions
74 | # Debian kernels have both set to 1 (restricted)
75 | # See https://www.kernel.org/doc/Documentation/sysctl/fs.txt
76 | #fs.protected_hardlinks=0
77 | #fs.protected_symlinks=0
78 | net.core.netdev_max_backlog = 400000
79 | net.core.somaxconn = 100000
80 | net.ipv4.ip_local_port_range = 1024 65535
81 | net.ipv4.tcp_max_syn_backlog = 65535
82 | net.ipv4.tcp_max_tw_buckets = 2000000
83 | net.netfilter.nf_conntrack_max = 262144
84 |
85 | # optionally, avoid TIME_WAIT states on localhost no-HTTP Keep-Alive tests:
86 | # "error: connect() failed: Cannot assign requested address (99)"
87 | # On Linux, the 2MSL time is hardcoded to 60 seconds in /include/net/tcp.h:
88 | # #define TCP_TIMEWAIT_LEN (60*HZ)
89 | # The option below is safe to use:
90 | net.ipv4.tcp_tw_reuse = 1
91 |
92 |
--------------------------------------------------------------------------------
/realistic-scenarios/ddos-mitigator/sysctl.conf.generator:
--------------------------------------------------------------------------------
1 | #
2 | # /etc/sysctl.conf - Configuration file for setting system variables
3 | # See /etc/sysctl.d/ for additional system variables.
4 | # See sysctl.conf (5) for information.
5 | #
6 |
7 | #kernel.domainname = example.com
8 |
9 | # Uncomment the following to stop low-level messages on console
10 | #kernel.printk = 3 4 1 3
11 |
12 | ###############################################################
13 | # Functions previously found in netbase
14 | #
15 |
16 | # Uncomment the next two lines to enable Spoof protection (reverse-path filter)
17 | # Turn on Source Address Verification in all interfaces to
18 | # prevent some spoofing attacks
19 | #net.ipv4.conf.default.rp_filter=1
20 | #net.ipv4.conf.all.rp_filter=1
21 |
22 | # Uncomment the next line to enable TCP/IP SYN cookies
23 | # See http://lwn.net/Articles/277146/
24 | # Note: This may impact IPv6 TCP sessions too
25 | #net.ipv4.tcp_syncookies=1
26 |
27 | # Uncomment the next line to enable packet forwarding for IPv4
28 | #net.ipv4.ip_forward=1
29 |
30 | # Uncomment the next line to enable packet forwarding for IPv6
31 | # Enabling this option disables Stateless Address Autoconfiguration
32 | # based on Router Advertisements for this host
33 | #net.ipv6.conf.all.forwarding=1
34 |
35 |
36 | ###################################################################
37 | # Additional settings - these settings can improve the network
38 | # security of the host and prevent against some network attacks
39 | # including spoofing attacks and man in the middle attacks through
40 | # redirection. Some network environments, however, require that these
41 | # settings are disabled so review and enable them as needed.
42 | #
43 | # Do not accept ICMP redirects (prevent MITM attacks)
44 | #net.ipv4.conf.all.accept_redirects = 0
45 | #net.ipv6.conf.all.accept_redirects = 0
46 | # _or_
47 | # Accept ICMP redirects only for gateways listed in our default
48 | # gateway list (enabled by default)
49 | # net.ipv4.conf.all.secure_redirects = 1
50 | #
51 | # Do not send ICMP redirects (we are not a router)
52 | #net.ipv4.conf.all.send_redirects = 0
53 | #
54 | # Do not accept IP source route packets (we are not a router)
55 | #net.ipv4.conf.all.accept_source_route = 0
56 | #net.ipv6.conf.all.accept_source_route = 0
57 | #
58 | # Log Martian Packets
59 | #net.ipv4.conf.all.log_martians = 1
60 | #
61 |
62 | ###################################################################
63 | # Magic system request Key
64 | # 0=disable, 1=enable all
65 | # Debian kernels have this set to 0 (disable the key)
66 | # See https://www.kernel.org/doc/Documentation/sysrq.txt
67 | # for what other values do
68 | #kernel.sysrq=1
69 |
70 | ###################################################################
71 | # Protected links
72 | #
73 | # Protects against creating or following links under certain conditions
74 | # Debian kernels have both set to 1 (restricted)
75 | # See https://www.kernel.org/doc/Documentation/sysctl/fs.txt
76 | #fs.protected_hardlinks=0
77 | #fs.protected_symlinks=0
78 | net.ipv4.ip_local_port_range = 1024 65535
79 | net.ipv4.tcp_wmem = 30000000 30000000 30000000
80 | # optionally, avoid TIME_WAIT states on localhost no-HTTP Keep-Alive tests:
81 | # "error: connect() failed: Cannot assign requested address (99)"
82 | # On Linux, the 2MSL time is hardcoded to 60 seconds in /include/net/tcp.h:
83 | # #define TCP_TIMEWAIT_LEN (60*HZ)
84 | # The option below is safe to use:
85 | net.ipv4.tcp_tw_reuse = 1
86 |
87 | # The option below lets you reduce TIME_WAITs further
88 | # but this option is for benchmarks, NOT for production (NAT issues)
89 | #net.ipv4.tcp_tw_recycle = 1
90 |
--------------------------------------------------------------------------------
/realistic-scenarios/enterprise-public-servers/README.md:
--------------------------------------------------------------------------------
1 | # Enterprise Public Servers
2 |
3 | This test mimics the configuration of an enterprise firewall used as a *front-end* device, which controls the traffic directed to a protected network (e.g., a `DMZ`) that hosts a set of servers that must be reachable from the outside world.
4 | We increase the number of public servers that need to be protected; hence the tests were repeated with different numbers of rules.
5 |
6 | ## Rule-sets
7 |
8 | The rule-sets used for these tests can be found in the [rulesets](./rulesets) folder.
9 | The first rule *accepts* all the `ESTABLISHED` connections towards the protected network; then, a set of rules *accept* `NEW` connections generated by the servers in the protected network toward the outside world; the last set of rules enables the communication towards the services exposed in the protected network by matching on the destination IP, protocol and L4 destination port of the incoming packets.
10 | Among the different runs we used an increasing number of rules ranging from 50 to 5K, depending on the number of public services that are exposed to the outside world.
11 |
12 | ## Test description
13 |
14 | All the rules are loaded in the `FORWARD` chain and the traffic is generated so that 90% of it is evenly distributed among all the rules and the remaining 10% matches the default `DROP` rule.
15 | The packet generator is connected to the DUT through two interfaces, simulating a scenario where the firewall is in between the two (public and protected) networks.
16 | In particular, the first interface simulates the traffic coming from the external network i.e., a set of clients contacting the internal services, while the second interface simulates a response from the internal services to the clients.
17 | For this reason, during this test, when the traffic coming from the external and the internal network reaches the firewall, it considers all the connections as `ESTABLISHED`, hence matching the first rule of the ruleset, which represents a common scenario in an enterprise network.
18 |
19 | ### Setup
20 |
21 | The packet generator and the DUT should be connected to each other through an XDP-compatible NIC. In particular, the first interface of the generator is connected to the first interface of the DUT and the same for the second interface (which are configured accordingly in the following scripts).
22 | Both interfaces of the generator should be attached to DPDK so that `pktgen-dpdk` can be used to generate the traffic.
23 |
24 | In addition, both machines should be able to communicate at IP level through an additional interface. The IP addresses of those interfaces should be configured in the following scripts.
25 |
26 | ### Scripts
27 |
28 | This folder contains a single script [run-tests](./run-tests.sh) that is used to execute the test.
29 |
30 | The script can be configured by passing the correct parameters through the command line, for example:
31 |
32 | ```bash
33 | $ ./run-tests.sh -h
34 | run-tests.sh [-h] [-r #runs] [-o output_file] [-i|-n]
35 |
36 | where:
37 | -h show this help text
38 | -r number of runs for the test
39 | -o path to file where the results are placed
40 | -i use iptables
41 | -n use nftables
42 | ```
43 |
44 | In addition, you should modify the script with the correct IP addresses and folders used in your environment. The parameters that should be set are the following:
45 |
46 | ```bash
47 | # Remote configurations (DUT)
48 | REMOTE_DUT=1.1.1.1 (IP Address of the DUT)
49 | REMOTE_FOLDER="~/bpf-iptables-tests/realistic-scenarios/enterprise-public-servers"
50 | DST_MAC_IF0="3cfd:feaf:ec30" (MAC of the receiver interface of the DUT)
51 | DST_MAC_IF1="3cfd:feaf:ec31" (MAC of the sender interface of the DUT)
52 | INGRESS_IFACE_NAME="enp101s0f0" (Name of the receiver interface of the DUT)
53 | EGRESS_IFACE_NAME="enp101s0f1" (Name of the sender interface of the DUT)
54 |
55 | # Local configurations (Pkt generator)
56 | PKTGEN_FOLDER="$HOME/dev/pktgen-dpdk"
57 | LOCAL_NAME=cube1 (Name of the user in the pkt generator machine)
58 | LOCAL_DUT=IPADDRESS (IP address of the pkt generator machine)
59 | ```
60 |
61 | For example, to execute a single run of the multi-core test using bpf-iptables you should execute the following command:
62 |
63 | ```bash
64 | $ ./run-tests.sh -r 1 -o bpf-iptables-results
65 | ```
66 |
67 |
--------------------------------------------------------------------------------
/realistic-scenarios/enterprise-public-servers/config_dut_routing.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
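# First generator address on each side, as octet arrays; joined with "." below.
START_IP_SRC=(192 168 0 2)
START_IP_DST=(192 168 10 2)

# How many consecutive addresses get a static ARP entry on each side
# (overridable with -s / -d) and whether to remove instead of add (-r).
NUM_IP_SRC=40
NUM_IP_DST=25
DELETE_ENTRIES=0

# Bring both test interfaces up; the addresses are assigned in the main loop.
# (ifconfig is kept for fidelity with the rest of the test suite; `ip link`
# is the modern equivalent.)
sudo ifconfig enp101s0f0 up
sudo ifconfig enp101s0f1 up

# Enable IPv4 forwarding on the DUT without spawning a root shell around a
# quoted command string.
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward > /dev/null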
14 |
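#######################################
# Returns the integer representation of an IPv4 address given in dotted
# decimal notation (x.x.x.x).
# Arguments: $1 - address, e.g. 192.168.0.2
# Outputs:   the 32-bit value as a decimal integer on stdout
#######################################
ip_to_int() {
  # all state is local: the original leaked IP, IPNUM and i as globals
  local ip=$1
  local num=0
  local octet
  for (( octet = 0; octet < 4; ++octet )); do
    # take the leading label, weight it by its byte position, then drop it;
    # plain assignment is used so a zero result never yields a non-zero status
    num=$(( num + ${ip%%.*} * 256 ** (3 - octet) ))
    ip=${ip#*.}
  done
  printf '%s\n' "$num"
}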
24 |
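#######################################
# Returns the dotted-decimal form of an IPv4 address given as an integer.
# Arguments: $1 - address as a decimal integer, e.g. 3232235522
# Outputs:   x.x.x.x followed by a newline on stdout
#######################################
int_to_ip() {
  local value=$1
  # one printf instead of four echo calls (echo -n is not portable)
  printf '%d.%d.%d.%d\n' \
    $(( (value >> 24) & 255 )) \
    $(( (value >> 16) & 255 )) \
    $(( (value >> 8) & 255 )) \
    $(( value & 255 ))
}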
32 |
33 |
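#######################################
# Prints the command-line synopsis on stderr.  The option parser below
# called this function without it being defined anywhere in the script, so
# -h and every parse error ended in "show_help: command not found".
#######################################
show_help() {
  cat >&2 <<EOF
Usage: ${0##*/} [-h] [-s #src_ips] [-d #dst_ips] [-o out_file] [-r]

  -h  show this help text
  -s  number of consecutive source IPs to map (default: 40)
  -d  number of consecutive destination IPs to map (default: 25)
  -o  output file (accepted for compatibility; not used by this script)
  -r  remove the static ARP entries instead of adding them
EOF
}

# Leading ':' in the option string: missing arguments arrive as ':' and
# unknown options as '?', with the offending letter in OPTARG.
while getopts ':o:s:d:rh' option; do
  case "${option}" in
    h)
      show_help
      exit 0
      ;;
    o) OUT_FILE=${OPTARG} ;;
    s) NUM_IP_SRC=${OPTARG} ;;
    d) NUM_IP_DST=${OPTARG} ;;
    r) DELETE_ENTRIES=1 ;;
    :)
      # usage errors exit non-zero so a calling script can notice them
      echo "Option -$OPTARG requires an argument." >&2
      show_help
      exit 1
      ;;
    \?)
      echo "Unknown option -$OPTARG." >&2
      show_help
      exit 1
      ;;
  esac
done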
55 |
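#######################################
# Adds (or, when DELETE_ENTRIES is 1, removes) static ARP entries for
# COUNT consecutive IPv4 addresses starting at START, all resolving to MAC.
# Globals:   DELETE_ENTRIES (read)
# Arguments: $1 - first address (dotted decimal)
#            $2 - number of addresses
#            $3 - MAC address the entries point to
#######################################
update_arp_range() {
  local ip=$1
  local count=$2
  local mac=$3
  local n
  for (( n = 0; n < count; n++ )); do
    if [ "$DELETE_ENTRIES" -eq 0 ]; then
      sudo arp -s "$ip" "$mac"
    else
      sudo arp -d "$ip"
    fi
    ip=$(int_to_ip $(( $(ip_to_int "$ip") + 1 )))
  done
}

# Keep the ARP tables on both test interfaces populated with static entries
# for every generator address, refreshing them every 25 seconds so a long
# benchmark never stalls on an ARP miss.  With -r the entries are removed
# once and the loop ends.  The MACs are the generator's two DPDK ports;
# adjust them (and the interface names) for your environment.
while true; do
  sudo ifconfig enp101s0f0 192.168.0.1/24 up
  sudo ifconfig enp101s0f1 192.168.10.1/24 up

  # join the octet arrays with "." to get the first address of each range
  update_arp_range "$(IFS=.; echo "${START_IP_SRC[*]}")" "$NUM_IP_SRC" 3c:fd:fe:af:ec:48
  update_arp_range "$(IFS=.; echo "${START_IP_DST[*]}")" "$NUM_IP_DST" 3c:fd:fe:af:ec:49

  if [ "$DELETE_ENTRIES" -eq 1 ]; then
    break
  fi
  sleep 25
done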
85 |
--------------------------------------------------------------------------------
/realistic-scenarios/enterprise-public-servers/enterprise-public2.lua:
--------------------------------------------------------------------------------
1 | -- RFC2544 Throughput Test
2 | -- as defined by https://www.ietf.org/rfc/rfc2544.txt
-- Make the Pktgen helper modules and the local config file resolvable.
package.path = package.path .. ";?.lua;test/?.lua;app/?.lua;../?.lua"
require "Pktgen"
require "os"

-- Per-test parameters (MACs, IP/port ranges, run count, ...) live in config.lua.
local config = require "config"

-- Frame sizes to test; the full RFC2544 set would be
-- { 64, 128, 256, 512, 1024, 1280, 1518 }.
local pkt_sizes = { 64 }

-- Timings.  runTrial() hands `duration` to pktgen.delay() and divides it by
-- 1000 to get seconds, so these values are milliseconds.
local duration = 15000
local durationSimpleTest = 60000
local confirmDuration = 60000
local intraRunTime = 15000
local pauseTime = 1000
local pauseWarmUp = 1000
local warmDuration = 1000
local runNum = 5
local simpleTest = false

-- Pktgen port ids as strings; tonumber() is applied where an index is needed.
local sendport = "0"
local recvport = "1"

-- Addresses.  The two DUT MACs are overridden by configureGlobalVariable().
local dstip = "192.168.1.1"
local srcip = "192.168.0.1"
local netmask = "/24"
local remoteDstMAC0 = "3cfd:feaf:ec30"
local remoteDstMAC1 = "3cfd:feaf:ec31"

-- L4 ports (hex strings).
local dstport = "0x5678"
local srcport = "0x9988"

-- Rates, as a percentage of line rate.
local initialRate = 50
local warmUpRate = 0.01
local maxLossRate = 0.01
rateThreshold = 0.1 -- intentionally global, as in the original file

-- Range boundaries for the address/port sweep; filled in from config.test
-- by configureGlobalVariable().
local startSrcIP = "0.0.0.0"
local endSrcIP = "0.0.0.0"
local startDstIP = "0.0.0.0"
local endDstIP = "0.0.0.0"
local startSport = 0
local endSport = 0
local startDport = 0
local endDport = 0
53 |
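-- Configure the send port (port 0, the "external" side) in range mode:
-- source/destination IP and L4 port step by one per packet through the
-- [start, end] values loaded from the config file, the frame size is fixed
-- at 68 bytes, and the destination MAC is the DUT's receiving interface.
-- The transmit count is 0, i.e. pktgen streams until stopped.
local function setupTrafficPort0()
  pktgen.set_range(sendport, "on")

  pktgen.delay(1000)
  pktgen.src_ip(sendport, "start", startSrcIP)
  pktgen.src_ip(sendport, "inc", "0.0.0.1")
  pktgen.src_ip(sendport, "min", startSrcIP)
  pktgen.src_ip(sendport, "max", endSrcIP)

  pktgen.delay(1000)
  pktgen.dst_ip(sendport, "start", startDstIP)
  pktgen.dst_ip(sendport, "inc", "0.0.0.1")
  pktgen.dst_ip(sendport, "min", startDstIP)
  pktgen.dst_ip(sendport, "max", endDstIP)

  -- note: "all" applies the protocol to both ports, not only sendport
  pktgen.ip_proto("all", "udp")

  pktgen.delay(1000)
  pktgen.src_port(sendport, "start", startSport)
  pktgen.src_port(sendport, "inc", 1)
  pktgen.src_port(sendport, "min", startSport)
  pktgen.src_port(sendport, "max", endSport)

  pktgen.delay(1000)
  pktgen.dst_port(sendport, "start", startDport)
  pktgen.dst_port(sendport, "inc", 1)
  pktgen.dst_port(sendport, "min", startDport)
  pktgen.dst_port(sendport, "max", endDport)

  -- Fixed frame size: start/min/max all 68 with a zero increment.  The
  -- previous version set "start" three times and never bounded the range.
  pktgen.pkt_size(sendport, "start", 68)
  pktgen.pkt_size(sendport, "inc", 0)
  pktgen.pkt_size(sendport, "min", 68)
  pktgen.pkt_size(sendport, "max", 68)

  -- Constant destination MAC (no increment, no range).
  pktgen.dst_mac(sendport, "start", remoteDstMAC0)
  pktgen.dst_mac(sendport, "inc", "0000:0000:0000")
  pktgen.dst_mac(sendport, "min", "0000:0000:0000")
  pktgen.dst_mac(sendport, "max", "0000:0000:0000")

  -- count 0: continuous stream until pktgen.stop()
  pktgen.set(sendport, "count", 0)
end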
96 |
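-- Configure the receive port (port 1, the "protected" side) in range mode
-- as the mirror image of port 0: it sends from the destination range back
-- to the source range, so the DUT sees the reply direction of every flow.
-- Frame size is fixed at 68 bytes and the destination MAC is the DUT's
-- sending interface; count 0 streams until stopped.
local function setupTrafficPort1()
  pktgen.set_range(recvport, "on")

  pktgen.delay(1000)
  pktgen.src_ip(recvport, "start", startDstIP)
  pktgen.src_ip(recvport, "inc", "0.0.0.1")
  pktgen.src_ip(recvport, "min", startDstIP)
  pktgen.src_ip(recvport, "max", endDstIP)

  pktgen.delay(1000)
  pktgen.dst_ip(recvport, "start", startSrcIP)
  pktgen.dst_ip(recvport, "inc", "0.0.0.1")
  pktgen.dst_ip(recvport, "min", startSrcIP)
  pktgen.dst_ip(recvport, "max", endSrcIP)

  -- note: "all" applies the protocol to both ports, not only recvport
  pktgen.ip_proto("all", "udp")

  pktgen.delay(1000)
  pktgen.src_port(recvport, "start", startDport)
  pktgen.src_port(recvport, "inc", 1)
  pktgen.src_port(recvport, "min", startDport)
  pktgen.src_port(recvport, "max", endDport)

  pktgen.delay(1000)
  pktgen.dst_port(recvport, "start", startSport)
  pktgen.dst_port(recvport, "inc", 1)
  pktgen.dst_port(recvport, "min", startSport)
  pktgen.dst_port(recvport, "max", endSport)

  -- Fixed frame size: start/min/max all 68 with a zero increment.  The
  -- previous version set "start" three times and never bounded the range.
  pktgen.pkt_size(recvport, "start", 68)
  pktgen.pkt_size(recvport, "inc", 0)
  pktgen.pkt_size(recvport, "min", 68)
  pktgen.pkt_size(recvport, "max", 68)

  -- Constant destination MAC (no increment, no range).
  pktgen.dst_mac(recvport, "start", remoteDstMAC1)
  pktgen.dst_mac(recvport, "inc", "0000:0000:0000")
  pktgen.dst_mac(recvport, "min", "0000:0000:0000")
  pktgen.dst_mac(recvport, "max", "0000:0000:0000")

  -- count 0: continuous stream until pktgen.stop()
  pktgen.set(recvport, "count", 0)
end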
139 |
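-- Run one trial: transmit on both ports at `rate` (% of line rate) with
-- `pkt_size`-byte frames for `duration` milliseconds, then read the port
-- counters.  Because the DUT forwards between the two ports, port 0's loss
-- is what port 1 failed to receive of what port 0 sent, and vice versa.
-- `count` only appears in the progress message.
-- Returns: results = {port0_spkts, port0_rpkts, port1_spkts, port1_rpkts,
--          port0_mpps, port1_mpps, pkt_size}, the two loss ratios, and
--          validRun (true when port 0's loss ratio is <= maxLossRate).
local function runTrial(pkt_size, rate, duration, count)
  local results = {port0_spkts = 0, port0_rpkts = 0, port1_spkts = 0, port1_rpkts = 0, port0_mpps = 0.0, port1_mpps = 0.0, pkt_size = pkt_size}
  local duration_sec = duration / 1000
  printf("Setting rate to %f \n", rate)
  print("Setting rate to " .. rate)
  pktgen.clr()
  pktgen.set("all", "rate", rate)
  pktgen.set("all", "size", pkt_size)
  pktgen.start("all")

  -- the printed value is duration_sec, so label it in seconds
  print("Running trial " .. count .. ". % Rate: " .. rate .. ". Packet Size: " .. pkt_size .. ". Duration (s):" .. duration_sec)

  pktgen.delay(duration)
  pktgen.stop("all")
  pktgen.delay(pauseTime)

  -- statPort0/statPort1/validRun were implicit globals before; nothing
  -- else reads them, so they are local now.
  local statPort0 = pktgen.portStats(sendport, "port")[tonumber(sendport)]
  local statPort1 = pktgen.portStats(recvport, "port")[tonumber(recvport)]
  local num_port0_tx = statPort0.opackets
  local num_port0_rx = statPort0.ipackets
  local num_port1_tx = statPort1.opackets
  local num_port1_rx = statPort1.ipackets

  local num_port0_dropped = num_port0_tx - num_port1_rx
  local num_port1_dropped = num_port1_tx - num_port0_rx
  -- If a port sent nothing the ratio is 0/0 = nan; nan <= maxLossRate is
  -- false, so such a trial is reported as not valid rather than as lossless.
  local lossRate_port0 = num_port0_dropped / num_port0_tx
  local lossRate_port1 = num_port1_dropped / num_port1_tx
  local validRun = lossRate_port0 <= maxLossRate
  results.port0_spkts = num_port0_tx
  results.port0_rpkts = num_port0_rx
  results.port1_spkts = num_port1_tx
  results.port1_rpkts = num_port1_rx

  -- throughput is measured on the receiving side (packets that made it
  -- through the DUT), not on what was offered
  results.port0_mpps = num_port1_rx / 10^6 / duration_sec
  results.port1_mpps = num_port0_rx / 10^6 / duration_sec
  results.pkt_size = pkt_size

  -- labels fixed: the rx counters were printed as "tx" before
  print("Port0_tx: " .. num_port0_tx .. ". Port0_rx: " .. num_port0_rx .. ". Port1_tx: " .. num_port1_tx .. ". Port1_rx: " .. num_port1_rx)
  print("Port0_dropped: " .. num_port0_dropped .. " Port1_dropped: " .. num_port1_dropped)
  print("Port0_lossRate: " .. lossRate_port0 .. " Port1_lossRate: " .. lossRate_port1)
  print("Port0_mpps: " .. results.port0_mpps .. " Port1_mpps: " .. results.port1_mpps)

  pktgen.delay(pauseTime)
  return results, lossRate_port0, lossRate_port1, validRun
end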
187 |
-- Header line for the CSV results (column names, newline-terminated).
-- Currently unused by main(); kept for the callers that write CSV output.
local function getCSVHeader()
  local columns = {
    "iteration", " frame size(byte)", "duration(s)", "max loss rate(%)", "rate threshold(packets)",
    "rate(mpps)", "spkts", "rpkts", "throughput(Mbit/s)", "throughput wire rate(Mbit/s)",
  }
  return table.concat(columns, ",") .. "\n"
end
193 |
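-- Run a single fixed-rate trial of durationSimpleTest ms for one frame
-- size and append the measured Mpps and loss ratio of both ports to the
-- global `file` opened by main().  Output format is unchanged.
-- Arguments: pkt_size  - frame size in bytes
--            startRate - transmit rate (% of line rate)
local function runSimpleTest(pkt_size, startRate)
  printf("Start rate %f\n", startRate)
  -- the previous version leaked result/validRun (and an unused str) as
  -- globals and declared several locals it never used
  local result, lossRate_port0, lossRate_port1 = runTrial(pkt_size, startRate, durationSimpleTest, 1)
  print("Found Port0_mpps: " .. result.port0_mpps .. "\n")
  print("Found Port1_mpps: " .. result.port1_mpps .. "\n")
  file:write("Size: " .. pkt_size .. " Found Port0_mpps: " .. result.port0_mpps .. " Port0_LossRate: " .. lossRate_port0 .. "\n")
  file:write("Size: " .. pkt_size .. " Found Port1_mpps: " .. result.port1_mpps .. " Port1_LossRate: " .. lossRate_port1 .. "\n")
end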
204 |
-- True when `key` maps to a non-nil value in `table`; a stored `false`
-- still counts as present.  Global on purpose (used by main and the
-- config loader).
function tableHasKey(table, key)
  if table[key] == nil then
    return false
  end
  return true
end
208 |
-- Copy the per-test settings from config.test into the module-level
-- variables above.  dstMac0/1, num_runs and the eight range boundaries are
-- mandatory; simple_test, startRate and testDuration are optional.
local function configureGlobalVariable()
  local test = config.test

  remoteDstMAC0 = test.dstMac0
  remoteDstMAC1 = test.dstMac1
  runNum = test.num_runs

  -- only ever switches the flag on; the default stays false otherwise
  if test.simple_test == 1 then
    simpleTest = true
  end

  startSrcIP, endSrcIP = test.startSrcIP, test.endSrcIP
  startDstIP, endDstIP = test.startDstIP, test.endDstIP
  startSport, endSport = test.startSport, test.endSport
  startDport, endDport = test.startDport, test.endDport

  -- optional overrides
  if tableHasKey(test, "startRate") then
    initialRate = test.startRate
  end
  if tableHasKey(test, "testDuration") then
    durationSimpleTest = test.testDuration
  end
end
235 |
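-- Entry point: open the results file, apply the config overrides (when the
-- config module provides a `test` table), set up both ports for every
-- frame size and, in simple-test mode, run one fixed-rate trial per size.
-- When simple_test is not set there is nothing else to do and pktgen is
-- told to quit.
function main()
  local file_name = "pcn-iptables-forward.csv"

  -- `file` stays global: runSimpleTest() writes to it.  Fail with a clear
  -- message instead of "attempt to index a nil value" at the first write.
  local err
  file, err = io.open(file_name, "w+")
  if file == nil then
    error("cannot open " .. file_name .. ": " .. tostring(err))
  end

  if tableHasKey(config, "test") then
    configureGlobalVariable()
  end

  for _, size in pairs(pkt_sizes) do
    setupTrafficPort0()
    setupTrafficPort1()
    if simpleTest then
      runSimpleTest(size, initialRate)
    else
      pktgen.quit()
    end
  end

  file:write("\n")
  file:flush()
  file:close()
end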
260 |
-- run the test, then leave pktgen
main()
pktgen.quit()
263 |
--------------------------------------------------------------------------------
/realistic-scenarios/enterprise-public-servers/rulesets/helpers.bash:
--------------------------------------------------------------------------------
# use a clean instance of polycubed to run each test
RELAUNCH_POLYCUBED=true
# Command line used to start the daemon (word-split on purpose where used).
# NOTE(review): "-a 0.0.0.0" appears to bind polycubed's REST API on every
# interface of the DUT rather than loopback only; fine on an isolated test
# bench, but confirm the management network is not reachable from outside.
polycubed="sudo polycubed -l off -a 0.0.0.0"
4 |
# Load the pcn-iptables service in XDP mode (helper script from the
# polycube tree; see launch_pcn_iptables for the PATH it needs).
initialize_pcn_iptables() {
  bpf-iptables-init-xdp
}
9 |
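#######################################
# Check whether the polycubed REST server answers.
# Outputs: polycubectl's exit status on stdout (0 = responding)
#######################################
polycubed_is_responding() {
  # '?' is quoted: unquoted it is a shell glob and would expand to any
  # single-character file name present in the current directory.
  polycubectl '?' > /dev/null
  echo $?
}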
16 |
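#######################################
# Relaunch polycubed in the background if no such process is running.
# Globals: polycubed (read) - the daemon command line
#######################################
polycubed_relaunch_if_not_running() {
  # pgrep instead of "ps -el | grep": no pipeline, no global `alive`
  if ! pgrep polycubed > /dev/null; then
    echo "polycubed not running ..."
    echo "relaunching polycubed ..."
    # shellcheck disable=SC2086 -- $polycubed is a command line, split on purpose
    $polycubed >> /dev/null 2>&1 &
  fi
}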
26 |
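#######################################
# Launch polycubed (always when RELAUNCH_POLYCUBED is true, otherwise only
# if it is not running) and block until its REST API answers.
# Globals: RELAUNCH_POLYCUBED, polycubed (read)
# Outputs: progress messages on stdout
#######################################
launch_and_wait_polycubed_is_responding() {
  local polycubed_alive=""
  if $RELAUNCH_POLYCUBED; then
    echo "starting polycubed ..."
    # shellcheck disable=SC2086 -- $polycubed is a command line, split on purpose
    $polycubed >> /dev/null 2>&1 &
  else
    polycubed_alive=$(pgrep polycubed)
    if [ -z "$polycubed_alive" ]; then
      echo "polycubed not running ..."
      echo "relaunching polycubed ..."
      # shellcheck disable=SC2086
      $polycubed >> /dev/null 2>&1 &
    fi
  fi

  # Poll once per second until the API answers, relaunching the daemon if
  # it died meanwhile.  There is deliberately no upper bound: callers rely
  # on this returning only once polycubed is usable.
  local waited=0
  while : ; do
    sleep 1
    waited=$((waited + 1))
    if [[ "$(polycubed_is_responding)" -eq 0 ]]; then
      break
    fi
    polycubed_relaunch_if_not_running
  done

  if $RELAUNCH_POLYCUBED; then
    echo "starting polycubed in $waited seconds"
  elif [ -z "$polycubed_alive" ]; then
    echo "relaunching polycubed in $waited seconds"
  fi
}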
64 |
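#######################################
# Kill polycubed and wait until no polycubed process is left (services
# unloaded, process gone).
# Outputs: progress messages on stdout
#######################################
polycubed_kill_and_wait() {
  echo "killing polycubed ..."
  sudo pkill polycubed >> /dev/null

  # check once per second, after the first second as before; no timeout
  local waited=0
  while : ; do
    sleep 1
    waited=$((waited + 1))
    if ! pgrep polycubed > /dev/null; then
      break
    fi
  done
  echo "killing polycubed in $waited seconds"
}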
87 |
# Start polycubed and load pcn-iptables.  The two extra PATH entries are the
# polycube Go binaries and the pcn-iptables helper scripts (hard-coded to the
# /home/polycube checkout used on the DUT).
launch_pcn_iptables() {
  export PATH="$PATH:/home/polycube/go/bin:/home/polycube/polycube/services/pcn-iptables/scripts"
  launch_and_wait_polycubed_is_responding
  initialize_pcn_iptables
}
94 |
--------------------------------------------------------------------------------
/realistic-scenarios/enterprise-public-servers/rulesets/nftables-rules/nftables_100.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
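# Enterprise-public-servers ruleset, nftables flavour, 100 match rules:
# ESTABLISHED accept first, then one "NEW connection from internal server"
# rule per protected host, then one rule per (host, UDP port) pair, then a
# counting default drop.  Rule order is what the benchmark measures, so the
# loops below emit exactly the sequence of the hand-written file.
#
# NUM_SERVERS (default 10, hosts 192.168.10.2 ..) and PORTS_PER_SERVER
# (default 9, ports 8080 ..) give 10 + 90 = 100 rules; the sibling scripts
# (50/500/1000/5000) are expected to follow the same shape with other counts.
#
# Rules are still added one `nft add` at a time, as before; this is not an
# atomic replace, so an observer could see a partially loaded chain while
# the script runs.  CHAIN is the forward chain name supplied by the caller.
: "${CHAIN:?CHAIN (forward chain name) must be set}"
NUM_SERVERS=${NUM_SERVERS:-10}
PORTS_PER_SERVER=${PORTS_PER_SERVER:-9}

nft add table ip filter
nft add chain filter "$CHAIN" \{ type filter hook forward priority 0\; policy drop\; \}
nft add rule ip filter "$CHAIN" ct state established counter accept

# NEW connections originated by each protected server towards the outside
for (( host = 2; host < 2 + NUM_SERVERS; host++ )); do
  nft add rule ip filter "$CHAIN" ip saddr "192.168.10.${host}" ct state new counter accept
done

# Exposed services: one rule per (server, UDP destination port)
for (( host = 2; host < 2 + NUM_SERVERS; host++ )); do
  for (( port = 8080; port < 8080 + PORTS_PER_SERVER; port++ )); do
    nft add rule ip filter "$CHAIN" ip daddr "192.168.10.${host}" udp dport "$port" counter accept
  done
done

nft add rule ip filter "$CHAIN" counter drop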
107 |
--------------------------------------------------------------------------------
/realistic-scenarios/enterprise-public-servers/rulesets/nftables-rules/nftables_50.sh:
--------------------------------------------------------------------------------
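#!/bin/bash
# Loads the 50-rule "enterprise public servers" policy into nftables.
#
# Expects CHAIN in the environment (rules_50.sh exports it before exec'ing
# this script), e.g. FORWARD.  The chain is created as a base chain on the
# forward hook with a default-drop policy and then flushed, so re-running
# the script does not stack a second copy of every rule on top of the first
# (the iptables variant of this rule-set does the equivalent with -F).
#
# Rule order is part of the benchmark: the stateful shortcut comes first,
# then per-host NEW-connection accepts, then per-service UDP accepts, then
# an explicit counted drop.
set -eu

: "${CHAIN:?CHAIN must be set (e.g. FORWARD)}"

# Internal servers that may open connections, and the UDP services each of
# them publishes.
SERVER_HOSTS=(192.168.10.2 192.168.10.3 192.168.10.4 192.168.10.5 192.168.10.6)
UDP_PORTS=(8080 8081 8082 8083 8084 8085 8086 8087 8088)

nft add table ip filter
nft add chain ip filter "$CHAIN" \{ type filter hook forward priority 0\; policy drop\; \}
# `add chain` is a no-op for an existing chain; flush it so old rules are gone.
nft flush chain ip filter "$CHAIN"

# Anything already tracked as an established flow is accepted outright.
nft add rule ip filter "$CHAIN" ct state established counter accept

# Each internal server may initiate new connections.
for host in "${SERVER_HOSTS[@]}"; do
  nft add rule ip filter "$CHAIN" ip saddr "$host" ct state new counter accept
done

# Inbound UDP to the published service ports on each server.
for host in "${SERVER_HOSTS[@]}"; do
  for port in "${UDP_PORTS[@]}"; do
    nft add rule ip filter "$CHAIN" ip daddr "$host" udp dport "$port" counter accept
  done
done

# The chain policy already drops what is left; this explicit rule exists so
# the dropped packets appear in the "counter packets N" output that the
# sum_nftables_output.awk helper tallies.
nft add rule ip filter "$CHAIN" counter drop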
--------------------------------------------------------------------------------
/realistic-scenarios/enterprise-public-servers/rulesets/rules_100.sh:
--------------------------------------------------------------------------------
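source "${BASH_SOURCE%/*}/helpers.bash"
# usage:
#   rules_100.sh [iptables|pcn-iptables|nftables] [FORWARD]
#
# Loads the 100-rule "enterprise public servers" policy into the selected
# firewall: accept ESTABLISHED traffic, let the ten internal servers open
# NEW connections, accept inbound UDP to nine service ports on each server,
# default-drop everything else.  Rule order matters for the benchmark (the
# stateful shortcut is evaluated first), so the loops below reproduce the
# original order exactly.
#
# Deliberately not `set -e`: helpers.bash polls with commands that are
# expected to fail (`polycubectl ?` until polycubed answers) and would abort
# under it.

# set -x
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"

NFTABLES_DIR=nftables-rules
IPTABLES="$1"
CHAIN="$2"

# Hosts behind the firewall and the UDP ports they publish.
SERVER_HOSTS=(192.168.10.2 192.168.10.3 192.168.10.4 192.168.10.5 192.168.10.6
              192.168.10.7 192.168.10.8 192.168.10.9 192.168.10.10 192.168.10.11)
UDP_PORTS=(8080 8081 8082 8083 8084 8085 8086 8087 8088)

usage() {
  echo ""
  echo "usage:"
  echo "$0 [iptables|pcn-iptables|nftables] [FORWARD]"
  echo ""
}

# Both arguments are mandatory.  A missing one is a caller error, so exit
# non-zero instead of the original silent `exit 0`, which let a broken
# invocation look like a successful rule load.
if [ -z "${IPTABLES}" ] || [ -z "${CHAIN}" ]; then
  usage
  exit 1
fi

case "$1" in
  pcn-iptables)
    echo "Using bpf-iptables"
    IPTABLES="bpf-iptables"
    launch_pcn_iptables
    ;;
  nftables)
    echo "Using nftables"
    IPTABLES="nft"
    ;;
  iptables)
    echo "Using iptables"
    IPTABLES="sudo iptables"
    ;;
  *)
    echo "$1 is not supported"
    exit 1
    ;;
esac

if [ "$1" == "nftables" ]; then
  echo "Loading nftables rules"
  export CHAIN
  # exec replaces this shell; control only returns here if exec itself failed.
  exec "$DIR/$NFTABLES_DIR/nftables_100.sh"
  exit 1
elif [ "$1" == "pcn-iptables" ]; then
  # NOTE(review): the flush goes through `pcn-iptables` while the rules below
  # go through `bpf-iptables`; presumably both names resolve to the same
  # CLI — confirm on the DUT.
  pcn-iptables -F "$CHAIN"
  polycubectl pcn-iptables set interactive=false
else
  $IPTABLES -F "$CHAIN"
fi

# $IPTABLES is intentionally left unquoted: it may hold "sudo iptables".
# shellcheck disable=SC2086
$IPTABLES -P "$CHAIN" DROP
$IPTABLES -A "$CHAIN" -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Each internal server may initiate new connections.
for host in "${SERVER_HOSTS[@]}"; do
  $IPTABLES -A "$CHAIN" -m conntrack --ctstate NEW -s "$host" -j ACCEPT
done

# Inbound UDP to the published service ports on each server.
for host in "${SERVER_HOSTS[@]}"; do
  for port in "${UDP_PORTS[@]}"; do
    $IPTABLES -A "$CHAIN" -d "$host" -p udp --dport "$port" -j ACCEPT
  done
done

if [ "$1" == "pcn-iptables" ]; then
  # With interactive=false the rules are batched until explicitly applied.
  polycubectl pcn-iptables chain "$CHAIN" apply-rules
fi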
--------------------------------------------------------------------------------
/realistic-scenarios/enterprise-public-servers/rulesets/rules_50.sh:
--------------------------------------------------------------------------------
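source "${BASH_SOURCE%/*}/helpers.bash"
# usage:
#   rules_50.sh [iptables|pcn-iptables|nftables] [FORWARD]
#
# Loads the 50-rule "enterprise public servers" policy into the selected
# firewall: accept ESTABLISHED traffic, let the five internal servers open
# NEW connections, accept inbound UDP to nine service ports on each server,
# default-drop everything else.  Rule order matters for the benchmark (the
# stateful shortcut is evaluated first), so the loops below reproduce the
# original order exactly.
#
# Deliberately not `set -e`: helpers.bash polls with commands that are
# expected to fail (`polycubectl ?` until polycubed answers) and would abort
# under it.

# set -x
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"

NFTABLES_DIR=nftables-rules
IPTABLES="$1"
CHAIN="$2"

# Hosts behind the firewall and the UDP ports they publish.
SERVER_HOSTS=(192.168.10.2 192.168.10.3 192.168.10.4 192.168.10.5 192.168.10.6)
UDP_PORTS=(8080 8081 8082 8083 8084 8085 8086 8087 8088)

usage() {
  echo ""
  echo "usage:"
  echo "$0 [iptables|pcn-iptables|nftables] [FORWARD]"
  echo ""
}

# Both arguments are mandatory.  A missing one is a caller error, so exit
# non-zero instead of the original silent `exit 0`, which let a broken
# invocation look like a successful rule load.
if [ -z "${IPTABLES}" ] || [ -z "${CHAIN}" ]; then
  usage
  exit 1
fi

case "$1" in
  pcn-iptables)
    echo "Using bpf-iptables"
    IPTABLES="bpf-iptables"
    launch_pcn_iptables
    ;;
  nftables)
    echo "Using nftables"
    IPTABLES="nft"
    ;;
  iptables)
    echo "Using iptables"
    IPTABLES="sudo iptables"
    ;;
  *)
    echo "$1 is not supported"
    exit 1
    ;;
esac

if [ "$1" == "nftables" ]; then
  echo "Loading nftables rules"
  export CHAIN
  # exec replaces this shell; control only returns here if exec itself failed.
  exec "$DIR/$NFTABLES_DIR/nftables_50.sh"
  exit 1
elif [ "$1" == "pcn-iptables" ]; then
  # NOTE(review): the flush goes through `pcn-iptables` while the rules below
  # go through `bpf-iptables`; presumably both names resolve to the same
  # CLI — confirm on the DUT.
  pcn-iptables -F "$CHAIN"
  polycubectl pcn-iptables set interactive=false
else
  $IPTABLES -F "$CHAIN"
fi

# $IPTABLES is intentionally left unquoted: it may hold "sudo iptables".
# shellcheck disable=SC2086
$IPTABLES -P "$CHAIN" DROP
$IPTABLES -A "$CHAIN" -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Each internal server may initiate new connections.
for host in "${SERVER_HOSTS[@]}"; do
  $IPTABLES -A "$CHAIN" -m conntrack --ctstate NEW -s "$host" -j ACCEPT
done

# Inbound UDP to the published service ports on each server.
for host in "${SERVER_HOSTS[@]}"; do
  for port in "${UDP_PORTS[@]}"; do
    $IPTABLES -A "$CHAIN" -d "$host" -p udp --dport "$port" -j ACCEPT
  done
done

if [ "$1" == "pcn-iptables" ]; then
  # With interactive=false the rules are batched until explicitly applied.
  polycubectl pcn-iptables chain "$CHAIN" apply-rules
fi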
--------------------------------------------------------------------------------
/realistic-scenarios/enterprise-public-servers/sum_iptables_output.awk:
--------------------------------------------------------------------------------
# Sums the packet counters of an `iptables -L -v -n`-style chain listing
# read on stdin and prints the total.
#   record 1  : the "Chain NAME (policy ... N packets, ...)" header; field 5
#               is presumably the policy counter (confirm against the
#               iptables version in use)
#   record 2  : the column-title line ("pkts bytes target ..."), skipped
#   record 3+ : one rule per line, packet count in field 1
NR == 1 { total += $5 }
NR > 2  { total += $1 }
END     { print total + 0 }
14 |
--------------------------------------------------------------------------------
/realistic-scenarios/enterprise-public-servers/sum_nftables_output.awk:
--------------------------------------------------------------------------------
# Sums every "packets N" counter found in `nft list ...` output read on
# stdin and prints the total.  nft renders rule counters as
# "counter packets N bytes M", so the wanted value is the field that
# immediately follows the literal word "packets".
{
    for (i = 1; i <= NF; i++)
        if ($i == "packets")
            total += $(i + 1)
}
END { print total + 0 }
16 |
--------------------------------------------------------------------------------
/realistic-scenarios/enterprise-public-servers/sum_pcn_iptables_output.awk:
--------------------------------------------------------------------------------
# Sums the packet counters printed by pcn-iptables (bpf-iptables) and
# prints the total.  Every record contributes its third field; in END the
# fields of the last record read are still accessible, and its fourth field
# is added on top (presumably the chain's default-policy counter lives
# there — confirm against the pcn-iptables output format).
{ total += $3 }
END { print total + $4 }
11 |
--------------------------------------------------------------------------------
/system-benchmarking/conntrack-performance/README.md:
--------------------------------------------------------------------------------
1 | # Connection tracking performance
2 |
3 | This test evaluates the performance of the connection tracking module of `bpf-iptables`, which is required to enable stateful filtering.
4 | The test is based on TCP traffic in order to stress the rather complex state machine of the TCP protocol; it generates a high number of *new* connections per second, taking the number of successfully completed sessions as performance indicator.
5 |
6 | ## Rule-sets
7 |
8 | The rule-set used for this test can be found in the [rulesets](./rulesets) folder.
9 | It is composed of three rules loaded in the `INPUT` chain, so that only packets directed to a local application are processed by the firewall.
10 | The first rule *accepts* all packets belonging to an `ESTABLISHED` session, the second rule *accepts* all `NEW` packets coming from the packet generator with TCP destination port 80, and the last rule *drops* all other packets coming from the packet generator. Note that `rulesets/conntrack_rules.sh` as shipped leaves this third rule commented out and sets no chain policy, so unmatched packets are handled by whatever default policy the chain already has; uncomment it (or set the policy to `DROP`) to reproduce the three-rule set described here.
11 |
12 | ## Test description
13 |
14 | In this test `weighttp` generates 1M HTTP requests towards the DUT, using an increasing number of concurrent clients to stress the connection tracking module.
15 | At each request, a static file is returned by the `nginx` web server running on the DUT (this sentence originally said 100 bytes, while the `dd` command in the setup section below produces a 100 MB file — check which size your run is meant to use, since it changes the request rate the DUT can sustain).
16 | Once the request is completed, the current connection is closed and a new connection is created.
17 | This requires raising the default limit of `1024` open file descriptors per process imposed by Linux, so that the sender can generate a larger number of new requests per second, and enabling the *net.ipv4.tcp_tw_reuse* flag on both the sender and the receiver so that sessions in `TIME_WAIT` state can be reused. Both are benchmark tunings rather than hardening; do not leave them in place on production hosts without review.
18 |
19 | ### Setup
20 |
21 | The packet generator and the DUT should be connected to each other through an XDP-compatible NIC.
22 | The first interface of the generator is connected to the first interface of the DUT (which are configured accordingly in the following scripts).
23 |
24 | In addition, both machines should be able to communicate at IP level through an additional interface. The IP addresses of those interfaces should be configured in the scripts described below.
25 |
26 | The test requires an `nginx` server running on the remote DUT.
27 | Moreover, you need to create a file named `static_file` and place it under the default web server folder. For the tests described in our paper we used a 100MB file generated with this command.
28 | ```bash
29 | $ dd if=/dev/zero of=static_file count=1024 bs=102400
30 | ```
31 |
32 | On the generator machine, it is necessary to install `weighttp`, which can be downloaded at [this](https://github.com/lighttpd/weighttp.git) url.
33 | Follow the instructions provided to install the tool.
34 |
35 | To correctly replicate the results you need to increase the limit of file descriptors a single process may open.
36 | The `sysctl.conf.generator` and `sysctl.conf.dut` files in this folder hold the kernel settings used for the tests; note that `sysctl` only controls system-wide limits such as `fs.file-max`, while the per-process limit is set with `ulimit -n` (or `/etc/security/limits.conf`), so check that one separately on both machines.
37 | To apply the configuration type:
38 | ```bash
39 | $ sudo sysctl -p sysctl.conf.generator
40 | ```
41 | on the generator and
42 | ```bash
43 | $ sudo sysctl -p sysctl.conf.dut
44 | ```
45 | on the DUT.
46 |
47 | ### Scripts
48 |
49 | This folder contains a single script [run-tests](./run-tests_weighttp.sh) that is used to execute the test, which can be configured by passing the correct parameters through the command line, for example:
50 |
51 | ```bash
52 | $ ./run-tests_weighttp.sh -h
53 | run-tests_weighttp.sh [-h] [-r #runs] [-o output_file] [-d duration][-i|-n]
54 |
55 | where:
56 | -h show this help text
57 | -r number of runs for the test
58 | -o path to file where the results are placed
59 | -d duration of the test, e.g. 2s, 2m, 2h
60 | -i use iptables
61 | -n use nftables
62 | ```
63 |
64 | In addition, you should modify the script with the correct IP addresses and folders used in your environment. The parameters that should be set are the following:
65 |
66 | ```bash
67 | # Remote configurations (DUT)
68 | REMOTE_DUT=1.1.1.1 (IP Address of the DUT)
69 | REMOTE_FOLDER="~/bpf-iptables-tests/system-benchmarking/conntrack-performance"
70 | INGRESS_REMOTE_IFACE_NAME="3cfd:feaf:ec30" (MAC of the receiver interface of the DUT)
71 |
72 | # Local configurations (Pkt generator)
73 | INGRESS_LOCAL_IFACE_NAME="enp1s0f0"
74 | LOCAL_NAME=cube1 (Name of the user in the pkt generator machine)
75 | LOCAL_DUT=IPADDRESS (IP address of the pkt generator machine)
76 | ```
77 |
78 | For example, to execute a single run of the multi-core test using bpf-iptables you should execute the following command:
79 |
80 | ```bash
81 | $ ./run-tests_weighttp.sh -r 1 -o bpf-iptables-results
82 | ```
83 |
84 |
--------------------------------------------------------------------------------
/system-benchmarking/conntrack-performance/rulesets/conntrack_rules.sh:
--------------------------------------------------------------------------------
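source "${BASH_SOURCE%/*}/helpers.bash"
# usage:
#   conntrack_rules.sh [iptables|pcn-iptables|nftables] [INPUT|FORWARD] [REMOTE_IP] [REMOTE_PORT]
#
# Installs the connection-tracking benchmark rule-set: accept ESTABLISHED
# traffic, then accept NEW TCP connections to REMOTE_PORT.  The third rule
# described in the README (drop everything else from the generator) is kept
# commented out, and no chain policy is set here, so unmatched packets are
# handled by whatever default policy the chain already has.
#
# Deliberately not `set -e`: helpers.bash polls with commands that are
# expected to fail (`polycubectl ?` until polycubed answers) and would abort
# under it.

# set -x
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"

NFTABLES_DIR=nftables-rules
IPTABLES="sudo iptables"
# Positional arguments, falling back to the defaults when omitted (the
# original assigned $2..$4 unconditionally and so clobbered its own
# defaults with empty strings).
CHAIN="${2:-INPUT}"
REMOTE_IP="${3:-10.10.10.2}"
REMOTE_PORT="${4:-80}"

echo ""
echo "usage:"
echo "$0 [iptables|pcn-iptables|nftables] [INPUT|FORWARD] [$REMOTE_IP] [$REMOTE_PORT]"
echo ""

case "$1" in
  pcn-iptables)
    echo "Using bpf-iptables"
    IPTABLES="bpf-iptables"
    launch_pcn_iptables
    ;;
  nftables)
    echo "Using nftables"
    IPTABLES="sudo nft"
    ;;
  *)
    echo "Using iptables"
    IPTABLES="sudo iptables"
    ;;
esac

# Exit status of the rule installation, reported at the end instead of the
# original unconditional `exit 0`, which hid failed rule loads from callers.
rc=0

# $IPTABLES is intentionally left unquoted: it holds "sudo iptables"/"sudo nft".
# shellcheck disable=SC2086
if [ "$1" == "nftables" ]; then
  # NOTE: the chain is always attached to the input hook, whatever name
  # $CHAIN carries; a FORWARD chain created here would still see input traffic.
  $IPTABLES add table ip filter
  $IPTABLES add chain ip filter "$CHAIN" \{ type filter hook input priority 0\; \}
  # `add chain` is a no-op for an existing chain; flush it so re-runs do not
  # stack duplicate rules (the iptables path flushes with -F below).
  $IPTABLES flush chain ip filter "$CHAIN"
  $IPTABLES add rule ip filter "$CHAIN" ct state established counter accept || rc=$?
  # Rules go into $CHAIN; the original hard-coded INPUT here and so silently
  # diverged from the chain it had just created when another name was given.
  $IPTABLES add rule ip filter "$CHAIN" ct state new tcp dport "$REMOTE_PORT" counter accept || rc=$?
  #$IPTABLES add rule ip filter "$CHAIN" ip saddr "$REMOTE_IP" counter drop
else
  $IPTABLES -F "$CHAIN"
  $IPTABLES -A "$CHAIN" -m conntrack --ctstate ESTABLISHED -j ACCEPT || rc=$?
  $IPTABLES -A "$CHAIN" -m conntrack --ctstate NEW -p tcp --dport "$REMOTE_PORT" -j ACCEPT || rc=$?
  #$IPTABLES -A "$CHAIN" -s "$REMOTE_IP" -j DROP
fi

exit "$rc"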
51 |
--------------------------------------------------------------------------------
/system-benchmarking/conntrack-performance/rulesets/helpers.bash:
--------------------------------------------------------------------------------
# Set to false to reuse an already-running polycubed instead of starting a
# fresh daemon for every test.
RELAUNCH_POLYCUBED=true
# Command used to start the daemon.  It runs under sudo; "-l off" is
# presumably the log-level switch (see the todo).
polycubed='sudo polycubed -l off' #todo log off
4 |
# Bootstrap bpf-iptables on top of the running polycubed (the helper's
# name suggests it attaches in XDP mode).  The commented path below is the
# older iptables-compatibility bootstrap kept for reference.
initialize_pcn_iptables() {
  bpf-iptables-init-xdp
  # $HOME/polycube/services/pcn-iptables/iptables-compatibility/iptables-init.sh
}
9 |
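# Probe polycubed's REST server through polycubectl.
# Prints polycubectl's exit status on stdout (0 is what the launch loop
# treats as "responding"); the probe's own stdout is discarded.
# The argument is quoted: a bare `?` is a shell glob and would be replaced
# by the name of any single-character file in the current directory.
function polycubed_is_responding {
  polycubectl '?' > /dev/null
  echo "$?"
}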
16 |
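# Start polycubed in the background if no process with that name exists.
# Uses `pgrep -x` (exact process-name match) instead of `ps | grep`, so a
# process whose name merely contains the string is not mistaken for the
# daemon.
function polycubed_relaunch_if_not_running {
  if ! pgrep -x polycubed > /dev/null; then
    echo "polycubed not running ..."
    echo "relaunching polycubed ..."
    # $polycubed is intentionally unquoted: it holds a command plus arguments.
    $polycubed >> /dev/null 2>&1 &
  fi
}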
26 |
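# Start polycubed (or reuse a running one when RELAUNCH_POLYCUBED is false)
# and block until its REST server answers.
# There is no timeout: if the daemon never becomes responsive this loops
# forever, relaunching it whenever it is found to be dead.
# Process detection uses `pgrep -x` (exact name) rather than `ps | grep`.
function launch_and_wait_polycubed_is_responding {
  local polycubed_alive=""
  if $RELAUNCH_POLYCUBED; then
    echo "starting polycubed ..."
    # $polycubed is intentionally unquoted: it holds a command plus arguments.
    $polycubed >> /dev/null 2>&1 &
  else
    polycubed_alive=$(pgrep -x polycubed)
    if [ -z "$polycubed_alive" ]; then
      echo "polycubed not running ..."
      echo "relaunching polycubed ..."
      $polycubed >> /dev/null 2>&1 &
    fi
  fi

  # Poll once a second; the message reports how long the daemon took.
  local waited=0
  while : ; do
    sleep 1
    waited=$((waited + 1))
    if [[ $(polycubed_is_responding) -eq 0 ]]; then
      if $RELAUNCH_POLYCUBED; then
        echo "starting polycubed in $waited seconds"
      elif [ -z "$polycubed_alive" ]; then
        echo "relaunching polycubed in $waited seconds"
      fi
      break
    fi
    polycubed_relaunch_if_not_running
  done
}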
64 |
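# Terminate polycubed and block until no process with that exact name is
# left, so the next test starts from a clean daemon.
# `-x` matches the process name exactly; the original bare `pkill polycubed`
# pattern would also have killed any other process whose name merely
# contains "polycubed".
# No timeout: if the daemon ignores pkill's default SIGTERM this loops forever.
function polycubed_kill_and_wait {
  echo "killing polycubed ..."
  sudo pkill -x polycubed >> /dev/null

  local waited=0
  while : ; do
    sleep 1
    waited=$((waited + 1))
    if ! pgrep -x polycubed > /dev/null; then
      echo "killing polycubed in $waited seconds"
      break
    fi
  done
}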
87 |
# Make sure polycubed is up, then bootstrap bpf-iptables on top of it.
# The two tool directories are appended (not prepended) to PATH, so they
# never shadow system binaries; they are hard-coded to the polycube user's
# home directory.
launch_pcn_iptables() {
  PATH="$PATH:/home/polycube/go/bin:/home/polycube/polycube/services/pcn-iptables/scripts"
  export PATH
  launch_and_wait_polycubed_is_responding
  initialize_pcn_iptables
}
94 |
--------------------------------------------------------------------------------
/system-benchmarking/conntrack-performance/sysctl.conf.dut:
--------------------------------------------------------------------------------
1 | #
2 | # /etc/sysctl.conf - Configuration file for setting system variables
3 | # See /etc/sysctl.d/ for additional system variables.
4 | # See sysctl.conf (5) for information.
5 | #
6 |
7 | #kernel.domainname = example.com
8 |
9 | # Uncomment the following to stop low-level messages on console
10 | #kernel.printk = 3 4 1 3
11 |
12 | ###################################################################
13 | # Functions previously found in netbase
14 | #
15 |
16 | # Uncomment the next two lines to enable Spoof protection (reverse-path filter)
17 | # Turn on Source Address Verification in all interfaces to
18 | # prevent some spoofing attacks
19 | #net.ipv4.conf.default.rp_filter=1
20 | #net.ipv4.conf.all.rp_filter=1
21 |
22 | # Uncomment the next line to enable TCP/IP SYN cookies
23 | # See http://lwn.net/Articles/277146/
24 | # Note: This may impact IPv6 TCP sessions too
25 | #net.ipv4.tcp_syncookies=1
26 |
27 | # Uncomment the next line to enable packet forwarding for IPv4
28 | #net.ipv4.ip_forward=1
29 |
30 | # Uncomment the next line to enable packet forwarding for IPv6
31 | # Enabling this option disables Stateless Address Autoconfiguration
32 | # based on Router Advertisements for this host
33 | #net.ipv6.conf.all.forwarding=1
34 |
35 |
36 | ###################################################################
37 | # Additional settings - these settings can improve the network
38 | # security of the host and prevent against some network attacks
39 | # including spoofing attacks and man in the middle attacks through
40 | # redirection. Some network environments, however, require that these
41 | # settings are disabled so review and enable them as needed.
42 | #
43 | # Do not accept ICMP redirects (prevent MITM attacks)
44 | #net.ipv4.conf.all.accept_redirects = 0
45 | #net.ipv6.conf.all.accept_redirects = 0
46 | # _or_
47 | # Accept ICMP redirects only for gateways listed in our default
48 | # gateway list (enabled by default)
49 | # net.ipv4.conf.all.secure_redirects = 1
50 | #
51 | # Do not send ICMP redirects (we are not a router)
52 | #net.ipv4.conf.all.send_redirects = 0
53 | #
54 | # Do not accept IP source route packets (we are not a router)
55 | #net.ipv4.conf.all.accept_source_route = 0
56 | #net.ipv6.conf.all.accept_source_route = 0
57 | #
58 | # Log Martian Packets
59 | #net.ipv4.conf.all.log_martians = 1
60 | #
61 |
62 | ###################################################################
63 | # Magic system request Key
64 | # 0=disable, 1=enable all
65 | # Debian kernels have this set to 0 (disable the key)
66 | # See https://www.kernel.org/doc/Documentation/sysrq.txt
67 | # for what other values do
68 | #kernel.sysrq=1
69 |
70 | ###################################################################
71 | # Protected links
72 | #
73 | # Protects against creating or following links under certain conditions
74 | # Debian kernels have both set to 1 (restricted)
75 | # See https://www.kernel.org/doc/Documentation/sysctl/fs.txt
76 | #fs.protected_hardlinks=0
77 | #fs.protected_symlinks=0
78 | net.core.netdev_max_backlog = 400000
79 | net.core.somaxconn = 100000
80 | net.ipv4.ip_local_port_range = 1024 65535
81 | net.ipv4.tcp_max_syn_backlog = 65535
82 | net.ipv4.tcp_max_tw_buckets = 2000000
83 | net.netfilter.nf_conntrack_max = 262144
84 |
85 | # optionally, avoid exhausting the local port range with TIME_WAIT sockets in tests that do not use HTTP keep-alive; the symptom is:
86 | # "error: connect() failed: Cannot assign requested address (99)"
87 | # On Linux, the 2MSL time is hardcoded to 60 seconds in /include/net/tcp.h:
88 | # #define TCP_TIMEWAIT_LEN (60*HZ)
89 | # The option below is safe to use:
90 | net.ipv4.tcp_tw_reuse = 1
91 |
92 |
--------------------------------------------------------------------------------
/system-benchmarking/conntrack-performance/sysctl.conf.generator:
--------------------------------------------------------------------------------
1 | #
2 | # /etc/sysctl.conf - Configuration file for setting system variables
3 | # See /etc/sysctl.d/ for additional system variables.
4 | # See sysctl.conf (5) for information.
5 | #
6 |
7 | #kernel.domainname = example.com
8 |
9 | # Uncomment the following to stop low-level messages on console
10 | #kernel.printk = 3 4 1 3
11 |
12 | ###############################################################
13 | # Functions previously found in netbase
14 | #
15 |
16 | # Uncomment the next two lines to enable Spoof protection (reverse-path filter)
17 | # Turn on Source Address Verification in all interfaces to
18 | # prevent some spoofing attacks
19 | #net.ipv4.conf.default.rp_filter=1
20 | #net.ipv4.conf.all.rp_filter=1
21 |
22 | # Uncomment the next line to enable TCP/IP SYN cookies
23 | # See http://lwn.net/Articles/277146/
24 | # Note: This may impact IPv6 TCP sessions too
25 | #net.ipv4.tcp_syncookies=1
26 |
27 | # Uncomment the next line to enable packet forwarding for IPv4
28 | #net.ipv4.ip_forward=1
29 |
30 | # Uncomment the next line to enable packet forwarding for IPv6
31 | # Enabling this option disables Stateless Address Autoconfiguration
32 | # based on Router Advertisements for this host
33 | #net.ipv6.conf.all.forwarding=1
34 |
35 |
36 | ###################################################################
37 | # Additional settings - these settings can improve the network
38 | # security of the host and prevent against some network attacks
39 | # including spoofing attacks and man in the middle attacks through
40 | # redirection. Some network environments, however, require that these
41 | # settings are disabled so review and enable them as needed.
42 | #
43 | # Do not accept ICMP redirects (prevent MITM attacks)
44 | #net.ipv4.conf.all.accept_redirects = 0
45 | #net.ipv6.conf.all.accept_redirects = 0
46 | # _or_
47 | # Accept ICMP redirects only for gateways listed in our default
48 | # gateway list (enabled by default)
49 | # net.ipv4.conf.all.secure_redirects = 1
50 | #
51 | # Do not send ICMP redirects (we are not a router)
52 | #net.ipv4.conf.all.send_redirects = 0
53 | #
54 | # Do not accept IP source route packets (we are not a router)
55 | #net.ipv4.conf.all.accept_source_route = 0
56 | #net.ipv6.conf.all.accept_source_route = 0
57 | #
58 | # Log Martian Packets
59 | #net.ipv4.conf.all.log_martians = 1
60 | #
61 |
62 | ###################################################################
63 | # Magic system request Key
64 | # 0=disable, 1=enable all
65 | # Debian kernels have this set to 0 (disable the key)
66 | # See https://www.kernel.org/doc/Documentation/sysrq.txt
67 | # for what other values do
68 | #kernel.sysrq=1
69 |
70 | ###################################################################
71 | # Protected links
72 | #
73 | # Protects against creating or following links under certain conditions
74 | # Debian kernels have both set to 1 (restricted)
75 | # See https://www.kernel.org/doc/Documentation/sysctl/fs.txt
76 | #fs.protected_hardlinks=0
77 | #fs.protected_symlinks=0
78 | net.ipv4.ip_local_port_range = 1024 65535
79 | net.ipv4.tcp_wmem = 30000000 30000000 30000000
80 | # optionally, avoid exhausting the local port range with TIME_WAIT sockets in tests that do not use HTTP keep-alive; the symptom is:
81 | # "error: connect() failed: Cannot assign requested address (99)"
82 | # On Linux, the 2MSL time is hardcoded to 60 seconds in /include/net/tcp.h:
83 | # #define TCP_TIMEWAIT_LEN (60*HZ)
84 | # The option below is safe to use:
85 | net.ipv4.tcp_tw_reuse = 1
86 |
87 | # The option below reduces TIME_WAIT sockets further, but it is only for
88 | # benchmarks and NOT for production: it breaks connections from clients behind NAT
89 | #net.ipv4.tcp_tw_recycle = 1
90 |
--------------------------------------------------------------------------------
/system-benchmarking/rule-complexity/README.md:
--------------------------------------------------------------------------------
1 | # Performance dependency on the number of matching fields
2 |
3 | Since the `bpf-iptables` modular pipeline requires a separate eBPF program (hence an additional processing penalty) for each matching field, this test evaluates the throughput of `bpf-iptables` while increasing the number of matching fields in the deployed rules, in order to characterize the (possible) performance degradation when operating on a growing number of protocol fields.
4 |
5 | ## Rule-sets
6 |
7 | The rule-sets used for these tests can be found in the [rulesets](./rulesets) folder.
8 |
9 | ## Test description
10 |
11 | The packet generator is configured to generate traffic uniformly distributed among all the rules, so that every packet matches one of the rules and no packet falls through to the default action of the chain; in other words, the number of flows generated is equal to the number of rules under consideration.
12 |
13 | ### Setup
14 |
15 | The packet generator and the DUT should be connected to each other through an XDP-compatible NIC. In particular, the first interface of the generator is connected to the first interface of the DUT, and likewise for the second interface (both are configured accordingly in the following scripts).
16 |
17 | In addition, both machines must be able to communicate at the IP level through an additional interface. The IP addresses of these interfaces should be configured in the following scripts.
18 |
19 | ### Scripts
20 |
21 | This folder contains a single script [run-tests](./run-tests.sh) that is used to execute the multi-core and single-core tests.
22 |
23 | The script can be configured by passing the correct parameters through the command line, for example:
24 |
25 | ```bash
26 | $ ./run-tests-multi.sh -h
27 | run-tests.sh [-h] [-r #runs] [-o output_file] [-i|-n]
28 | Run tests of pcn-iptables for the FORWARD chain with a different number of matching fields (1000 rules)
29 |
30 | where:
31 | -h show this help text
32 | -r number of runs for the test
33 | -o path to file where the results are placed
34 | -i use iptables
35 | -n use nftables
36 | ```
37 |
38 | In addition, you should modify the script with the correct IP addresses and folders used in your environment. The parameters that should be set are the following:
39 |
40 | ```bash
41 | # Remote configurations (DUT)
42 | REMOTE_DUT=1.1.1.1 (IP Address of the DUT)
43 | REMOTE_FOLDER="~/bpf-iptables-tests/system-benchmarking/ruleset-size"
44 | DST_MAC_IF0="3cfd:feaf:ec30" (MAC of the receiver interface of the DUT)
45 | DST_MAC_IF1="3cfd:feaf:ec31" (MAC of the sender interface of the DUT)
46 | INGRESS_IFACE_NAME="enp101s0f0" (Name of the receiver interface of the DUT)
47 |
48 | # Local configurations (Pkt generator)
49 | PKTGEN_FOLDER="$HOME/dev/pktgen-dpdk"
50 | LOCAL_NAME=cube1 (Name of the user in the pkt generator machine)
51 | LOCAL_DUT=IPADDRESS (IP address of the pkt generator machine)
52 | ```
53 |
54 | For example, to execute a single run of the multi-core test using bpf-iptables you should execute the following command:
55 |
56 | ```bash
57 | $ ./run-tests.sh -r 1 -o bpf-iptables-results
58 | ```
59 |
60 |
--------------------------------------------------------------------------------
/system-benchmarking/rule-complexity/config_dut_routing.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
# First source / destination address of the ARP ranges, as octet arrays
# (joined with '.' below). NUM_IP_* are the range lengths; all three may be
# overridden by the -s / -d / -r options parsed later.
START_IP_SRC=(192 168 0 2)
START_IP_DST=(192 168 10 2)
NUM_IP_SRC=40
NUM_IP_DST=25
DELETE_ENTRIES=0

# Bring up both DUT test interfaces and turn the DUT into an IPv4 router.
for iface in enp101s0f0 enp101s0f1; do
  sudo ifconfig "$iface" up
done
sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
14 |
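# Print the unsigned 32-bit integer value of an IPv4 address written in
# dotted-decimal notation (a.b.c.d). Only local variables are used, so the
# caller's IP/IPNUM/i variables are no longer clobbered.
# Arguments: $1 - IPv4 address
# Outputs:   the integer on stdout
ip_to_int() {
  local ip=$1
  local value=0
  local i octet
  for (( i = 0; i < 4; ++i )); do
    octet=${ip%%.*}
    # 10# forces decimal so an octet such as 010 is not read as octal.
    value=$(( (value << 8) + 10#$octet ))
    ip=${ip#*.}
  done
  printf '%s\n' "$value"
}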
24 |
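# Print the dotted-decimal form of an IPv4 address given as an integer.
# Arguments: $1 - address as an unsigned 32-bit integer
# Outputs:   a.b.c.d on stdout
int_to_ip() {
  local n=$1
  # One printf instead of four "echo -n" calls (echo -n is not portable).
  printf '%d.%d.%d.%d\n' \
    $(( (n >> 24) & 255 )) \
    $(( (n >> 16) & 255 )) \
    $(( (n >> 8) & 255 )) \
    $(( n & 255 ))
}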
32 |
33 |
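# Print usage. Defined here because the option parser below calls it and no
# other definition of show_help exists in this script (an -h would previously
# fail with "command not found").
show_help() {
  cat << EOF
Usage: $(basename "$0") [-h] [-s num_src_ips] [-d num_dst_ips] [-r]

Install (or, with -r, remove) static ARP entries for the generator's source
and destination address ranges, refreshing them periodically.

  -h  show this help text
  -s  number of source IP addresses (default: $NUM_IP_SRC)
  -d  number of destination IP addresses (default: $NUM_IP_DST)
  -r  delete the ARP entries instead of adding them
EOF
}

while getopts :o:s:d:rh option; do
  case "${option}" in
    h)
      show_help
      exit 0
      ;;
    o) OUT_FILE=${OPTARG}   # accepted for compatibility; not used by this script
      ;;
    s) NUM_IP_SRC=${OPTARG}
      ;;
    d) NUM_IP_DST=${OPTARG}
      ;;
    r) DELETE_ENTRIES=1
      ;;
    :)
      echo "Option -$OPTARG requires an argument." >&2
      show_help >&2
      exit 1
      ;;
    \?)
      echo "Unknown option -$OPTARG" >&2
      show_help >&2
      exit 1
      ;;
  esac
done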
55 |
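# Add (DELETE_ENTRIES=0) or delete (DELETE_ENTRIES=1) static ARP entries for
# a run of consecutive IPv4 addresses.
# Arguments: $1 - first address (dotted decimal)
#            $2 - number of consecutive addresses
#            $3 - MAC address bound to every entry (ignored when deleting)
# Globals:   DELETE_ENTRIES (read)
manage_arp_range() {
  local addr=$1
  local count=$2
  local mac=$3
  local n
  for (( n = 0; n < count; n++ )); do
    if [ "$DELETE_ENTRIES" -eq 0 ]; then
      sudo arp -s "$addr" "$mac"
    else
      sudo arp -d "$addr"
    fi
    addr=$(int_to_ip $(( $(ip_to_int "$addr") + 1 )))
  done
}

# Keep the interface addresses and the static ARP entries in place for the
# whole test (re-applied every 25 s); with -r remove the entries once and exit.
while true; do
  sudo ifconfig enp101s0f0 192.168.0.254/22 up
  sudo ifconfig enp101s0f1 192.168.10.254/24 up

  # Join the octet arrays into dotted-decimal form.
  first_src=$( IFS=.; echo "${START_IP_SRC[*]}" )
  first_dst=$( IFS=.; echo "${START_IP_DST[*]}" )
  # NOTE(review): these MACs are presumably the packet generator's NICs facing
  # the DUT; they must be edited together with the IP ranges above — verify.
  manage_arp_range "$first_src" "$NUM_IP_SRC" 3c:fd:fe:af:ec:48
  manage_arp_range "$first_dst" "$NUM_IP_DST" 3c:fd:fe:af:ec:49

  if [ "$DELETE_ENTRIES" -eq 1 ]; then
    break
  fi
  sleep 25
done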
85 |
--------------------------------------------------------------------------------
/system-benchmarking/rule-complexity/rule-complexity.lua:
--------------------------------------------------------------------------------
-- RFC2544 Throughput Test
-- as defined by https://www.ietf.org/rfc/rfc2544.txt
package.path = package.path .. ";?.lua;test/?.lua;app/?.lua;../?.lua"
require "Pktgen"
require "os"

-- config.lua (generated by run-tests.sh) may override the parameters below,
-- see configureGlobalVariable().
local config = require "config"

-- Packet sizes to test; the full RFC2544 list is kept for reference.
-- local pkt_sizes = { 64, 128, 256, 512, 1024, 1280, 1518 }
local pkt_sizes = { 64 }

-- Durations and pauses are in milliseconds (the unit pktgen.delay expects).
local duration, durationSimpleTest, confirmDuration = 15000, 60000, 60000
local intraRunTime, pauseTime, pauseWarmUp, warmDuration = 15000, 1000, 1000, 1000
local runNum = 5
local simpleTest = false

-- pktgen ports: traffic is transmitted on sendport and counted on recvport.
local sendport, recvport = "0", "1"

-- L3 addressing
local dstip, srcip, netmask = "192.168.1.1", "192.168.0.1", "/24"
local remoteDstMAC0 = "3cfd:feaf:ec30"
local remoteDstMAC1 = "3cfd:feaf:ec31"

-- L4 ports
local dstport, srcport = "0x5678", "0x9988"

-- Rate search parameters (rates are a percentage of line rate).
local initialRate, warmUpRate = 50.0, 0.01
local maxLossRate, rateThreshold = 0.011, 0.01

-- Rule-complexity specific ranges, filled in from the config file.
local startSrcIP, endSrcIP = "0.0.0.0", "0.0.0.0"
local startDstIP, endDstIP = "0.0.0.0", "0.0.0.0"
local startSport, endSport = 0, 0
local startDport, endDport = 0, 0

-- Minimal binary-search "class" used by runThroughputTest.
local binarySearch = {}
binarySearch.__index = binarySearch
56 |
-- Constructor: a search object over the rate interval [lower, upper].
function binarySearch:create(lower, upper)
  local obj = { lowerLimit = lower, upperLimit = upper }
  return setmetatable(obj, binarySearch)
end
63 |
-- Make the table callable (binarySearch(lower, upper)); __call passes the
-- table itself as the first argument, which create() ignores.
setmetatable(binarySearch, { __call = binarySearch.create })
65 |
-- Reset the search interval before a new run.
function binarySearch:init(lower, upper)
  self.lowerLimit, self.upperLimit = lower, upper
end
70 |
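-- Advance the search after a trial at rate `curr`.
--   top       true when the trial passed (rate may go up), false otherwise
--   threshold stop when the next step would be smaller than this
-- Returns the next rate to try and a flag that is true once the search ends.
function binarySearch:next(curr, top, threshold)
  if top then
    if curr == self.upperLimit then
      return curr, true
    end
    self.lowerLimit = curr
  else
    -- Bug fix: the original compared curr with the undefined global
    -- `lowerLimit` (always nil), so this exit was never taken.
    if curr == self.lowerLimit then
      return curr, true
    end
    self.upperLimit = curr
  end
  local nextVal = (self.lowerLimit + self.upperLimit) / 2
  if math.abs(nextVal - curr) < threshold then
    return curr, true
  end
  return nextVal, false
end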
92 |
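-- Program pktgen's range engine on sendport: source/destination IPs and L4
-- ports sweep over the configured ranges (one flow per rule), UDP, fixed
-- packet size and fixed destination MAC.
local function setupTraffic()
  printf("Setup Traffic\n")
  pktgen.set_mac(sendport, remoteDstMAC0)
  pktgen.set_mac(recvport, remoteDstMAC1)

  pktgen.set_ipaddr(sendport, "dst", dstip)
  pktgen.set_ipaddr(sendport, "src", srcip .. netmask)
  pktgen.set_ipaddr(recvport, "dst", srcip)
  pktgen.set_ipaddr(recvport, "src", dstip .. netmask)

  pktgen.set_range(sendport, "on")

  -- Every range field is given as start/inc/min/max; the delays between
  -- groups are kept from the original script.
  pktgen.delay(1000)
  pktgen.src_ip(sendport, "start", startSrcIP)
  pktgen.src_ip(sendport, "inc", "0.0.0.1")
  pktgen.src_ip(sendport, "min", startSrcIP)
  pktgen.src_ip(sendport, "max", endSrcIP)

  pktgen.delay(1000)
  pktgen.dst_ip(sendport, "start", startDstIP)
  pktgen.dst_ip(sendport, "inc", "0.0.0.1")
  pktgen.dst_ip(sendport, "min", startDstIP)
  pktgen.dst_ip(sendport, "max", endDstIP)

  pktgen.ip_proto(sendport, "udp")

  pktgen.delay(1000)
  pktgen.src_port(sendport, "start", startSport)
  pktgen.src_port(sendport, "inc", 1)
  pktgen.src_port(sendport, "min", startSport)
  pktgen.src_port(sendport, "max", endSport)

  pktgen.delay(1000)
  pktgen.dst_port(sendport, "start", startDport)
  pktgen.dst_port(sendport, "inc", 1)
  pktgen.dst_port(sendport, "min", startDport)
  pktgen.dst_port(sendport, "max", endDport)

  -- Fixed 68-byte packets. The original set "start" three times (copy/paste);
  -- min and max are set here so the size range is well defined regardless of
  -- pktgen's defaults.
  pktgen.pkt_size(sendport, "start", 68)
  pktgen.pkt_size(sendport, "inc", 0)
  pktgen.pkt_size(sendport, "min", 68)
  pktgen.pkt_size(sendport, "max", 68)

  pktgen.dst_mac(sendport, "start", remoteDstMAC0)
  pktgen.dst_mac(sendport, "inc", "0000:0000:0000")
  pktgen.dst_mac(sendport, "min", "0000:0000:0000")
  pktgen.dst_mac(sendport, "max", "0000:0000:0000")

  -- count 0: send a continuous stream until stopped
  pktgen.set(sendport, "count", 0)
end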
144 |
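-- Run one trial: transmit at `rate` (% of line rate) with `pkt_size`-byte
-- packets for `duration` ms, then read the port counters. `count` is only
-- used in the log line.
-- Returns a results table {spkts, rpkts, mpps, pkt_size, lossRate}, the loss
-- rate, and whether the loss stayed within maxLossRate.
local function runTrial(pkt_size, rate, duration, count)
  local results = { spkts = 0, rpkts = 0, mpps = 0.0, pkt_size = pkt_size, lossRate = 1.0 }
  local duration_sec = duration / 1000
  printf("Setting rate to %f \n", rate)
  print("Setting rate to " .. rate)
  pktgen.clr()
  pktgen.set(sendport, "rate", rate)
  pktgen.set(sendport, "size", pkt_size)
  pktgen.start(sendport)
  -- Label fixed: duration_sec is in seconds, the original said "mS".
  print("Running trial " .. count .. ". % Rate: " .. rate .. ". Packet Size: " .. pkt_size .. ". Duration (s):" .. duration_sec)
  pktgen.delay(duration)
  pktgen.stop(sendport)
  pktgen.delay(pauseTime)
  -- All of these were accidental globals in the original (statTx, statRx,
  -- lossRate, validRun).
  local statTx = pktgen.portStats(sendport, "port")[tonumber(sendport)]
  local statRx = pktgen.portStats(recvport, "port")[tonumber(recvport)]
  local num_tx = statTx.opackets
  local num_rx = statRx.ipackets
  local num_dropped = num_tx - num_rx
  -- Nothing sent (e.g. link down) counts as total loss instead of NaN.
  local lossRate = 1.0
  if num_tx > 0 then
    lossRate = num_dropped / num_tx
  end
  local validRun = lossRate <= maxLossRate
  results.spkts = num_tx
  results.rpkts = num_rx
  results.mpps = num_rx / 10^6 / duration_sec -- throughput is measured on the receive side
  results.lossRate = lossRate
  print("Tx: " .. num_tx .. ". Rx: " .. num_rx .. ". Dropped: " .. num_dropped .. ". LossRate: " .. lossRate .. ". Mpps: " .. results.mpps .. "\n")
  pktgen.delay(pauseTime)
  return results, lossRate, validRun
end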
183 |
-- Recursively copy a value. Tables are copied key by key (keys are copied
-- too), the metatable is shared, and `seen` maps originals to their copies so
-- shared and cyclic references are preserved.
function deep_copy(obj, seen)
  if type(obj) ~= 'table' then
    return obj
  end
  local seen_tables = seen or {}
  local known = seen_tables[obj]
  if known then
    return known
  end
  local copy = setmetatable({}, getmetatable(obj))
  seen_tables[obj] = copy
  for key, value in pairs(obj) do
    copy[deep_copy(key, seen_tables)] = deep_copy(value, seen_tables)
  end
  return copy
end
196 |
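-- For each of runNum runs, binary-search between 0 and max_rate (% of line
-- rate, starting at initialRate) for the highest rate whose loss stays within
-- maxLossRate, and append the best valid trial to the global result `file`
-- opened in main().
local function runThroughputTest(pkt_size)
  local binSearch = binarySearch()
  local max_rate = 100.0
  -- Declared outside the run loop on purpose (as in the original): if a run
  -- never produces a valid trial, the previous run's best result is reported.
  local final_result = { mpps = 0.0, lossRate = 1.0 }
  -- The unused CSV line the original built here (with a shadowed maxLossRate
  -- of 0.01) was dropped; result/validRun/str are no longer globals.
  for count = 1, runNum, 1 do
    binSearch:init(0.0, max_rate)
    local trial_rate = initialRate
    while true do
      printf("Trial rate %f\n", trial_rate)
      local result, _, validRun = runTrial(pkt_size, trial_rate, duration, count)
      if validRun then
        final_result = deep_copy(result)
      end
      local last_rate = trial_rate
      local finished
      trial_rate, finished = binSearch:next(trial_rate, validRun, rateThreshold)
      if finished then
        print("Found Mpps: " .. final_result.mpps .. "\n")
        file:write("Size: " .. pkt_size .. " Found Mpps: " .. final_result.mpps .. " LossRate: " .. final_result.lossRate .. "\n")
        break
      end
      printf("changing rate from %f to %f\n", last_rate, trial_rate)
      pktgen.delay(pauseTime)
    end
    pktgen.delay(intraRunTime)
  end
end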
234 |
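-- Single trial at startRate for durationSimpleTest ms (no rate search);
-- appends the measured throughput to the global result `file`.
local function runSimpleTest(pkt_size, startRate)
  printf("Start rate %f\n", startRate)
  -- result/lossRate were accidental globals in the original.
  local result, lossRate = runTrial(pkt_size, startRate, durationSimpleTest, 1)
  print("Found Mpps: " .. result.mpps .. "\n")
  file:write("Size: " .. pkt_size .. " Found Mpps: " .. result.mpps .. " LossRate: " .. lossRate .. "\n")
end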
243 |
-- True when `key` is present in `table` with a non-nil value.
function tableHasKey(table, key)
  if table[key] == nil then
    return false
  end
  return true
end
247 |
-- Copy the `test` section of config.lua into the file-level parameters.
-- startRate and testDuration are optional; everything else is required.
local function configureGlobalVariable()
  local t = config.test
  remoteDstMAC0, remoteDstMAC1 = t.dstMac0, t.dstMac1
  runNum = t.num_runs

  if t.simple_test == 1 then
    simpleTest = true
  end

  startSrcIP, endSrcIP = t.startSrcIP, t.endSrcIP
  startDstIP, endDstIP = t.startDstIP, t.endDstIP
  startSport, endSport = t.startSport, t.endSport
  startDport, endDport = t.startDport, t.endDport

  if tableHasKey(t, "startRate") then
    initialRate = t.startRate
  end
  if tableHasKey(t, "testDuration") then
    durationSimpleTest = t.testDuration
  end
end
274 |
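-- Entry point: open the result file, apply the config.lua overrides, then run
-- either the simple test or the throughput search for every packet size.
-- `file` stays global on purpose: runThroughputTest/runSimpleTest write to it.
function main()
  local file_name = "pcn-iptables-forward.csv"

  -- Fail with a clear message instead of indexing nil at the first write.
  local err
  file, err = io.open(file_name, "w+")
  if not file then
    error("cannot open " .. file_name .. ": " .. tostring(err))
  end

  if tableHasKey(config, "test") then
    configureGlobalVariable()
  end

  for _, size in pairs(pkt_sizes) do
    setupTraffic()
    if simpleTest then
      runSimpleTest(size, initialRate)
    else
      runThroughputTest(size)
    end
  end

  file:write("\n")
  file:flush()
  file:close()
end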
300 |
-- Run the whole test, then shut pktgen down. An error raised inside main()
-- propagates before pktgen.quit() is reached.
main();
pktgen.quit();
303 |
--------------------------------------------------------------------------------
/system-benchmarking/rule-complexity/rulesets/helpers.bash:
--------------------------------------------------------------------------------
# use a clean instance of polycubed to run each test
RELAUNCH_POLYCUBED=true
# Command line used to start the daemon; it is expanded unquoted on purpose so
# the options are split into words. "-a 0.0.0.0" makes the REST API listen on
# every interface of the DUT and "-l off" silences logging, so the DUT should
# sit on an isolated test network (or the bind address be restricted).
polycubed="sudo polycubed -a 0.0.0.0 -l off" #todo log off
4 |
# Bootstrap pcn-iptables in XDP mode. The former in-tree init script is kept
# below for reference only.
# $HOME/polycube/services/pcn-iptables/iptables-compatibility/iptables-init.sh
initialize_pcn_iptables() {
  bpf-iptables-init-xdp
}
9 |
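# Check whether the polycubed REST server answers polycubectl.
# Outputs: the exit status of "polycubectl ?" on stdout (0 when responding)
polycubed_is_responding() {
  # '?' must be quoted: unquoted it is a glob and would be replaced by any
  # single-character file name in the current directory.
  polycubectl '?' > /dev/null 2>&1
  echo $?
}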
16 |
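# Relaunch polycubed if the daemon is not running.
# Globals: polycubed (read) - the daemon command line
polycubed_relaunch_if_not_running() {
  # pgrep -x matches the process name exactly instead of grepping a ps listing.
  if ! pgrep -x polycubed > /dev/null 2>&1; then
    echo "polycubed not running ..."
    echo "relaunching polycubed ..."
    # $polycubed is intentionally unquoted: it holds a command plus options.
    $polycubed >> /dev/null 2>&1 &
  fi
}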
26 |
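# Launch polycubed (or re-use a running instance when RELAUNCH_POLYCUBED is
# false) and block until its REST API answers.
# Globals: RELAUNCH_POLYCUBED, polycubed (read)
# Outputs: progress messages on stdout
# Returns: 0 once polycubectl gets an answer (there is no timeout: the daemon
#          is re-spawned whenever it disappears, as in the original)
launch_and_wait_polycubed_is_responding() {
  local was_alive=1
  if $RELAUNCH_POLYCUBED; then
    echo "starting polycubed ..."
    $polycubed >> /dev/null 2>&1 &
  elif ! pgrep -x polycubed > /dev/null 2>&1; then
    was_alive=0
    echo "polycubed not running ..."
    echo "relaunching polycubed ..."
    $polycubed >> /dev/null 2>&1 &
  fi

  local waited=0
  while : ; do
    sleep 1
    waited=$((waited+1))
    if [ "$(polycubed_is_responding)" -eq 0 ]; then
      if $RELAUNCH_POLYCUBED; then
        echo "starting polycubed in $waited seconds"
      elif [ "$was_alive" -eq 0 ]; then
        echo "relaunching polycubed in $waited seconds"
      fi
      return 0
    fi
    polycubed_relaunch_if_not_running
  done
}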
64 |
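# Kill polycubed and wait until all services are unloaded and the process is
# completely gone.
#
# Arguments: $1 - optional maximum number of seconds to wait (default 0 =
#                 wait forever, which is the historical behaviour)
# Outputs:   progress messages on stdout, a warning on stderr on timeout
# Returns:   0 once no polycubed process is left, 1 if the timeout expired
function polycubed_kill_and_wait {
  local max_wait=${1:-0}
  local elapsed=0

  echo "killing polycubed ..."
  # pkill exits non-zero when nothing matched; the daemon may already be gone,
  # so that is not an error here.
  sudo pkill polycubed > /dev/null 2>&1 || true

  while : ; do
    sleep 1
    elapsed=$((elapsed+1))
    # pgrep -x matches the process name exactly instead of grepping the ps
    # listing for any command whose name merely contains "polycubed".
    if ! pgrep -x polycubed > /dev/null 2>&1; then
      echo "killing polycubed in $elapsed seconds"
      return 0
    fi
    if [ "$max_wait" -gt 0 ] && [ "$elapsed" -ge "$max_wait" ]; then
      echo "polycubed still running after $elapsed seconds" >&2
      return 1
    fi
  done
}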
87 |
# Start polycubed, wait for its REST API, then initialise pcn-iptables.
# The Go binaries and the pcn-iptables helper scripts are appended to PATH
# so polycubectl and bpf-iptables-init-xdp can be found.
launch_pcn_iptables() {
  PATH="$PATH:/home/polycube/go/bin:/home/polycube/polycube/services/pcn-iptables/scripts"
  export PATH
  launch_and_wait_polycubed_is_responding
  initialize_pcn_iptables
}
94 |
--------------------------------------------------------------------------------
/system-benchmarking/rule-complexity/run-tests.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
NOW=$(date +"%m-%d-%Y-%T")

###############################
# Remote configurations (DUT) #
###############################
# The DUT is reached as user 'polycube' over ssh; set REMOTE_DUT to its
# management address (see README). REMOTE_FOLDER keeps its '~' literal so it
# is expanded on the DUT, not on this machine.
REMOTE_DUT=IPADDRESS
REMOTE_FOLDER="~/bpf-iptables-tests/system-benchmarking/rule-complexity"
# MACs of the DUT test interfaces, in the colon-separated 16-bit form pktgen
# expects (handed to the Lua script through config.lua).
DST_MAC_IF0="3cfd:feaf:ec30"
DST_MAC_IF1="3cfd:feaf:ec31"
INGRESS_IFACE_NAME="enp101s0f0"

########################################
# Local configurations (Pkt generator) #
########################################
LOCAL_DUT=IPADDRESS
PKTGEN_FOLDER="$HOME/dev/pktgen-dpdk"
LOCAL_NAME=cube1

#####################################################
# Script configuration (don't touch these variables #
# if you do not know what you are doing             #
#####################################################
CONTAINER_ID=0000          # replaced by the docker id in setup_environment
polycubed="sudo polycubed"
polycubectl="$GOPATH/bin/polycubectl"
POLYCUBE_VERSION="none"
IPTABLES="pcn-iptables"    # firewall under test (the -i / -n options presumably switch it)
SET_IRQ_SCRIPT="~/bpf-iptables-tests/common-scripts/set_irq_affinity"
DISABLE_CONNTRACK_SCRIPT="~/bpf-iptables-tests/common-scripts/disable_conntrack.sh"
POLYCUBECTL_CONFIG_FILE="$HOME/.config/polycube/polycubectl_config.yaml"
START_RATE=50.0            # presumably the initial rate (% of line rate) of the search — verify in generate_pktgen_config_file

# Test cases, in execution order; setup_environment loads rulesets/rules_<name>.sh for each.
declare -a ruleset_values=("ipsrc" "ipsrc_ipdst" "ipsrc_ipdst_proto" "ipsrc_ipdst_proto_portsrc" "all")
37 |
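#######################################
# Specific Test (srcip) Configuration #
#######################################
# Select the address/port ranges of one rule-complexity test case and publish
# them through the START_*/END_*/NUM_* globals consumed by setup_environment
# and generate_pktgen_config_file.
# Arguments: $1 - test name (one of ruleset_values)
# Returns:   exits with status 1 (message on stderr) for an unknown name
function generate_test_configuration() {
  local test_name=$1
  # L4 port ranges shared by every case; individual cases override below.
  START_SPORT=10100
  END_SPORT=10110
  START_DPORT=8090
  END_DPORT=8100
  case "$test_name" in
    ipsrc)
      START_SRC_IP=192.168.0.2
      END_SRC_IP=192.168.3.233
      NUM_IP_SRC=1000
      START_DST_IP=192.168.10.2
      END_DST_IP=192.168.10.20
      NUM_IP_DST=20
      ;;
    ipsrc_ipdst|ipsrc_ipdst_proto)
      START_SRC_IP=192.168.0.2
      END_SRC_IP=192.168.0.41
      NUM_IP_SRC=40
      START_DST_IP=192.168.10.2
      END_DST_IP=192.168.10.26
      NUM_IP_DST=25
      ;;
    ipsrc_ipdst_proto_portsrc)
      START_SRC_IP=192.168.0.2
      END_SRC_IP=192.168.0.11
      NUM_IP_SRC=10
      START_DST_IP=192.168.10.2
      END_DST_IP=192.168.10.11
      NUM_IP_DST=10
      END_SPORT=10109
      ;;
    all)
      START_SRC_IP=192.168.0.2
      END_SRC_IP=192.168.0.11
      NUM_IP_SRC=10
      START_DST_IP=192.168.10.2
      END_DST_IP=192.168.10.6
      NUM_IP_DST=5
      END_SPORT=10103
      END_DPORT=8094
      ;;
    *)
      echo "Test case not supported: '$test_name'" >&2
      exit 1
      ;;
  esac
}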
103 |
# Print the command-line usage of this script on stdout.
show_help() {
  cat << EOF
$(basename "$0") [-h] [-r #runs] [-o output_file] [-i|-n]
Run tests of pcn-iptables for the FORWARD chain with a different number of rules

where:
    -h  show this help text
    -r  number of runs for the test
    -o  path to file where the results are placed
    -i  use iptables
    -n  use nftables
EOF
}
117 |
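# Kill polycubed and wait until all services are unloaded and the process is
# completely gone. This function is serialised with "typeset -f" and executed
# on the DUT by cleanup_environment, so it must stay self-contained (no calls
# to other functions of this script).
#
# Arguments: $1 - optional maximum number of seconds to wait (default 0 =
#                 wait forever, which is the historical behaviour)
# Outputs:   progress messages on stdout, a warning on stderr on timeout
# Returns:   0 once no polycubed process is left, 1 if the timeout expired
function polycubed_kill_and_wait {
  local max_wait=${1:-0}
  local elapsed=0

  echo "killing polycubed ..."
  # pkill exits non-zero when nothing matched; the daemon may already be gone.
  sudo pkill polycubed > /dev/null 2>&1 || true

  while : ; do
    sleep 1
    elapsed=$((elapsed+1))
    # pgrep -x matches the process name exactly instead of grepping a ps listing.
    if ! pgrep -x polycubed > /dev/null 2>&1; then
      echo "killing polycubed in $elapsed seconds"
      return 0
    fi
    if [ "$max_wait" -gt 0 ] && [ "$elapsed" -ge "$max_wait" ]; then
      echo "polycubed still running after $elapsed seconds" >&2
      return 1
    fi
  done
}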
139 |
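# Prepare the DUT: restart docker, start the bpf-iptables container, launch
# the ARP/routing helper inside it and load the ruleset of the test type.
# Arguments: $1 - test type (a member of ruleset_values)
# Globals:   REMOTE_DUT, REMOTE_FOLDER, NUM_IP_SRC, NUM_IP_DST, IPTABLES (read)
#            CONTAINER_ID (written)
function setup_environment {
  local test_type=$1
  ssh "polycube@$REMOTE_DUT" "sudo service docker restart"
  # The container is privileged and shares the host network namespace — it
  # has full control of the DUT kernel (presumably required to load eBPF/XDP
  # programs and manage the host's netfilter tables; the image's requirements
  # are not documented here). Run this only against a dedicated, isolated DUT.
  CONTAINER_ID=$(ssh "polycube@$REMOTE_DUT" "sudo docker run -id --name bpf-iptables --rm --privileged --network host -v /lib/modules:/lib/modules:ro -v /usr/src:/usr/src:ro -v /etc/localtime:/etc/localtime:ro netgrouppolito/bpf-iptables:latest bash")
  # The heredoc is intentionally unquoted: REMOTE_FOLDER, NUM_IP_* and the
  # test type are expanded locally before the commands are sent to the DUT.
  ssh "polycube@$REMOTE_DUT" << EOF
set -x
sudo docker exec -d bpf-iptables bash -c "exec -a config_dut $REMOTE_FOLDER/config_dut_routing.sh -s $NUM_IP_SRC -d $NUM_IP_DST &> ~/log &"
sudo docker exec bpf-iptables bash -c "$REMOTE_FOLDER/rulesets/rules_${test_type}.sh $IPTABLES FORWARD"
EOF
  if [[ "$IPTABLES" == "pcn-iptables" ]]; then
    generate_polycube_config_file
  fi
}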
153 |
# Write the polycubectl configuration inside the container so that polycubectl
# talks to the polycubed REST API of the DUT.
# The API is addressed over plain HTTP on port 9000 of REMOTE_DUT; if the
# daemon is started as in rulesets/helpers.bash (-a 0.0.0.0) that endpoint is
# reachable from any host that can reach the DUT, so keep the generator/DUT
# link on a trusted network.
# Quoting: the outer heredoc expands ${POLYCUBECTL_CONFIG_FILE} and
# ${REMOTE_DUT} locally; the inner "cat > ... << EOF" runs on the DUT inside
# the container. The outer heredoc ends at the bare EOF line, not at EOF".
function generate_polycube_config_file {
#Create configuration file for polycubectl
ssh polycube@$REMOTE_DUT << EOF
sudo docker exec bpf-iptables bash -c "cat > ${POLYCUBECTL_CONFIG_FILE} << EOF
debug: false
expert: true
url: http://${REMOTE_DUT}:9000/polycube/v1/
version: "2"
hardcodedversionenabled: true
singleparameterworkaround: true
EOF"
EOF
}
167 |
# Tear down the DUT after a run. Everything is sent to the DUT as one script:
# the local polycubed_kill_and_wait function is serialised with "typeset -f"
# and prepended so the remote shell can call it. Failures of individual steps
# are deliberately ignored (&> /dev/null, and set +e in cleanup) because some
# of the resources only exist for one of the firewalls under test.
# Globals: REMOTE_DUT, REMOTE_FOLDER, NUM_IP_SRC, NUM_IP_DST, CONTAINER_ID (read)
function cleanup_environment {
ssh polycube@$REMOTE_DUT << EOF
$(typeset -f polycubed_kill_and_wait)
polycubed_kill_and_wait
sudo iptables -F FORWARD
sudo docker exec bpf-iptables bash -c "sudo pkill config_dut"
sudo docker exec bpf-iptables bash -c "$REMOTE_FOLDER/config_dut_routing.sh -s $NUM_IP_SRC -d $NUM_IP_DST -r &> /dev/null" &> /dev/null
sudo docker stop ${CONTAINER_ID} &> /dev/null
sudo docker rm -f bpf-iptables
sudo nft flush table ip filter &> /dev/null
sudo nft delete table ip filter &> /dev/null
EOF
}
181 |
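#######################################
# Block until an ssh login to the DUT succeeds, probing every 5 seconds.
# There is no upper bound: if the DUT never comes back this loops forever.
# Globals:   REMOTE_DUT (read)
# Returns:   0 once a probe succeeded
#######################################
function wait_for_remote_machine {
  # 'local' so the probe status no longer leaks into the caller's scope.
  local result=1
  # Each pass probes once and then sleeps, whether or not the probe succeeded,
  # which matches the original probe/sleep cadence.
  while [ "$result" -ne 0 ]; do
    ssh -q polycube@"$REMOTE_DUT" exit
    result=$?
    sleep 5
  done
}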
192 |
#######################################
# Reboot the DUT over ssh. The commands are fed through a here-doc so the
# remote shell traces them (set -x) before running sudo reboot.
# Globals:   REMOTE_DUT (read)
#######################################
function reboot_remote_dut {
  ssh polycube@$REMOTE_DUT << REMOTE
set -x
sudo reboot
REMOTE
}
199 |
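#######################################
# Report whether a conntrack kernel module is loaded on the DUT.
# The check is 'lsmod | grep conntrack', so any module whose name contains
# "conntrack" counts as enabled.
# Globals:   REMOTE_DUT (read)
# Outputs:   prints "enabled" or "disabled" on stdout
#######################################
function check_conntrack {
  local enabled
  enabled=$(ssh polycube@"$REMOTE_DUT" "lsmod | grep conntrack")
  local result='disabled'
  # Fixed: the original '[ -z "$enabled"]' lacked the space before ']', so the
  # test always failed and the function always reported "enabled".
  if [ -z "$enabled" ]; then
    result='disabled'
  else
    result='enabled'
  fi
  echo "$result"
}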
211 |
#######################################
# Run the conntrack-disabling script inside the bpf-iptables container on
# the DUT. $DISABLE_CONNTRACK_SCRIPT is expanded locally.
# Globals:   REMOTE_DUT, DISABLE_CONNTRACK_SCRIPT (read)
#######################################
function disable_conntrack {
  ssh polycube@$REMOTE_DUT << REMOTE
sudo docker exec bpf-iptables bash -c "$DISABLE_CONNTRACK_SCRIPT"
REMOTE
}
217 |
#######################################
# Unload the nftables kernel modules on the DUT. The dependent modules
# (nft_counter, nft_ct) are removed before nf_tables itself.
# Globals:   REMOTE_DUT (read)
#######################################
function disable_nft {
  ssh polycube@$REMOTE_DUT << REMOTE
sudo rmmod nft_counter
sudo rmmod nft_ct
sudo rmmod nf_tables
REMOTE
}
225 |
#######################################
# Best-effort cleanup: turn off errexit (this affects the whole shell, not
# just this function) and tear the DUT environment down.
#######################################
cleanup() {
  set +e
  cleanup_environment
}
230 |
#######################################
# Pin the ingress interface's IRQs on the DUT by running $SET_IRQ_SCRIPT
# inside the container. $1 and the globals are expanded locally.
# Globals:   REMOTE_DUT, SET_IRQ_SCRIPT, INGRESS_IFACE_NAME (read)
# Arguments: $1 - range of cores to use, or 'all' for every core
#######################################
set_irq_affinity() {
  ssh polycube@$REMOTE_DUT << REMOTE
set -x
sudo docker exec bpf-iptables bash -c "$SET_IRQ_SCRIPT $1 $INGRESS_IFACE_NAME"
REMOTE
}
239 |
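#######################################
# Write ${PKTGEN_FOLDER}/config.lua, the parameter module read by the pktgen
# Lua script (the original comment mentioning swagger-codegen was a copy-paste
# leftover). The here-doc is unquoted, so every ${VAR} below is expanded here.
# Globals:   PKTGEN_FOLDER, NOW, DST_MAC_IF0, DST_MAC_IF1, NUMBER_RUNS,
#            START_SRC_IP, END_SRC_IP, START_DST_IP, END_DST_IP, START_SPORT,
#            END_SPORT, START_DPORT, END_DPORT, START_RATE (read)
# Arguments: $1 - value written as simple_test (a Lua literal, e.g. 0 or 1)
# Outputs:   overwrites ${PKTGEN_FOLDER}/config.lua
#######################################
function generate_pktgen_config_file {
  # Quoted target path so a folder name with spaces does not break the redirect.
  cat > "${PKTGEN_FOLDER}/config.lua" << EOF
-- config.lua
-- Automatically generated at ${NOW}

local _M = {}

_M.test = {
dstMac0 = "${DST_MAC_IF0}",
dstMac1 = "${DST_MAC_IF1}",
num_runs = ${NUMBER_RUNS},
simple_test = $1,
startSrcIP = "${START_SRC_IP}",
endSrcIP = "${END_SRC_IP}",
startDstIP = "${START_DST_IP}",
endDstIP = "${END_DST_IP}",
startSport = ${START_SPORT},
endSport = ${END_SPORT},
startDport = ${START_DPORT},
endDport = ${END_DPORT},
startRate = ${START_RATE},
}

return _M
EOF
}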
267 |
268 | #set -e
269 |
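# Command-line parsing: -r number of runs, -o output file prefix, -i / -n select
# iptables / nftables as the firewall under test. When neither -i nor -n is
# given, IPTABLES keeps whatever value it had before this block (presumably
# pcn-iptables, given the comparison in the main loop below).
while getopts :r:o:inh option; do
  case "${option}" in
    h)
      show_help
      exit 0
      ;;
    r) NUMBER_RUNS=${OPTARG} ;;
    o) OUT_FILE=${OPTARG} ;;
    i) IPTABLES="iptables" ;;
    n) IPTABLES="nftables" ;;
    :)
      # Usage errors now exit non-zero so callers (and CI) can detect them.
      echo "Option -$OPTARG requires an argument." >&2
      show_help
      exit 1
      ;;
    \?)
      echo "Unknown option -$OPTARG." >&2
      show_help
      exit 1
      ;;
  esac
done

# Both -r and -o are mandatory; ${VAR+x} distinguishes "unset" from "empty".
if [ -z "${NUMBER_RUNS+x}" ]; then
  echo "You should specify the number of runs with the -r option" >&2
  show_help
  exit 1
fi

if [ -z "${OUT_FILE+x}" ]; then
  echo "You should specify the output file with the -o option" >&2
  show_help
  exit 1
fi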
303 |
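# Check that this host can log in to the DUT without a password.
# BatchMode/PasswordAuthentication=no make ssh fail instead of prompting, so
# the rest of the script can rely on non-interactive public-key logins.
if ssh -o PasswordAuthentication=no -o BatchMode=yes polycube@"$REMOTE_DUT" exit &>/dev/null; then
  echo "Can connect: let's continue"
else
  # Fixed: the failure message used to claim the client *can* connect.
  echo "This client cannot connect to the DUT without a password." >&2
  echo "To make this script work you should use public-key authentication" >&2
  exit 1
fi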
313 |
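set -x

#reboot_remote_dut

# Main loop: one pass per ruleset type. Each pass records the firewall
# version and kernel, sets up the DUT, runs pktgen once with IRQs on all
# cores and appends the resulting CSV to the per-type result file.
for test_type in "${ruleset_values[@]}"; do
  set +e

  generate_test_configuration "$test_type"

  set -e
  # NOTE(review): cleanup runs 'set +e' itself, so from here on a failing
  # command no longer aborts the script — confirm this is intended.
  cleanup

  # Every result of this pass goes to the same file; build its name once.
  result_file="$DIR/$OUT_FILE-${test_type}.txt"

  # File header: version of the firewall under test (quoted so an empty
  # IPTABLES cannot break the comparison).
  if [ "${IPTABLES}" == "pcn-iptables" ]; then
    ssh polycube@"$REMOTE_DUT" "$polycubed --version" > "$result_file"
  elif [ "${IPTABLES}" == "iptables" ]; then
    ssh polycube@"$REMOTE_DUT" "sudo iptables --version" > "$result_file"
  else
    ssh polycube@"$REMOTE_DUT" "sudo nft --version" > "$result_file"
  fi

  echo "Processing type: ${test_type}" >> "$result_file"
  ssh polycube@"$REMOTE_DUT" "uname -r" >> "$result_file"
  echo "" >> "$result_file"
  #####################################################
  # Execute the first test with interrupts set to all #
  #####################################################
  START_RATE=50.0
  setup_environment "$test_type"
  set_irq_affinity "all"

  sleep 5
  generate_pktgen_config_file 0

  # pktgen must be launched from its own tree; abort rather than run it from
  # the wrong directory (errexit is not reliable here, see the note above).
  cd "$PKTGEN_FOLDER" || exit 1
  # NOTE(review): the Lua script is rule-complexity.lua — confirm it is the
  # intended script for this test directory.
  sudo ./app/x86_64-native-linuxapp-gcc/pktgen -c ff -n 4 --proc-type auto --file-prefix pg -- -T -P -m "[1:2/3/4/5].0, [6/7].1" -f "$DIR/rule-complexity.lua"
  sleep 5
  cat "pcn-iptables-forward.csv" >> "$result_file"

  cleanup_environment
  sleep 5
  cd "$DIR" || exit 1
done

ssh polycube@"$REMOTE_DUT" "sudo service docker restart"

exit 0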
360 |
--------------------------------------------------------------------------------
/system-benchmarking/ruleset-size/README.md:
--------------------------------------------------------------------------------
1 | ## Performance dependency on the number of rules
2 |
3 | This test evaluates the performance of `bpf-iptables` with an increasing number of rules, from 50 to 5k.
4 |
5 | ### Rule-sets
6 |
7 | The rule-sets used for these tests can be found in the [rulesets](./rulesets) folder.
8 |
9 | ### Test description
10 |
11 | The packet generator is configured to generate traffic uniformly distributed among all the rules, so that every packet matches a rule and no packet falls through to the default action of the chain; in other words, the number of generated flows is equal to the number of rules under consideration.
12 |
13 | #### Setup
14 |
15 | The packet generator and the DUT should be connected to each other through an XDP-compatible NIC. In particular, the first interface of the generator is connected to the first interface of the DUT, and likewise for the second interface (these are configured accordingly in the following scripts).
16 | The two interfaces of the packet generator should be attached to DPDK to execute pktgen-DPDK correctly.
17 |
18 | In addition, both machines should be able to communicate at the IP level through an additional interface. The IP addresses of those interfaces should be configured in the following scripts.
19 |
20 | #### Scripts
21 |
22 | This folder contains two different scripts [run-tests-multi](./run-tests-multi.sh) and [run-tests-single](run-tests-single.sh) that are used to execute the multi-core and single-core tests respectively.
23 |
24 | Both scripts can be configured by passing the correct parameters through the command line, for example:
25 |
26 | ```bash
27 | $ ./run-tests-multi.sh -h
28 | run-tests-multi.sh [-h] [-r #runs] [-o output_file] [-i|-n]
29 | Run tests of pcn-iptables for the FORWARD chain with a different number of rules
30 |
31 | where:
32 | -h show this help text
33 | -r number of runs for the test
34 | -o path to file where the results are placed
35 | -i use iptables
36 | -n use nftables
37 | ```
38 |
39 | In addition, you should modify the script with the correct IP addresses and folders used in your environment. The parameters that should be set are the following:
40 |
41 | ```bash
42 | # Remote configurations (DUT)
43 | REMOTE_DUT=1.1.1.1 (IP Address of the DUT)
44 | REMOTE_FOLDER="~/bpf-iptables-tests/system-benchmarking/ruleset-size"
45 | DST_MAC_IF0="3cfd:feaf:ec30" (MAC of the receiver interface of the DUT)
46 | DST_MAC_IF1="3cfd:feaf:ec31" (MAC of the sender interface of the DUT)
47 | INGRESS_IFACE_NAME="enp101s0f0" (Name of the receiver interface of the DUT)
48 |
49 | # Local configurations (Pkt generator)
50 | PKTGEN_FOLDER="$HOME/dev/pktgen-dpdk"
51 | LOCAL_NAME=cube1 (Name of the user in the pkt generator machine)
52 | LOCAL_DUT=IPADDRESS (IP address of the pkt generator machine)
53 | ```
54 |
55 | For example, to execute a single run of the multi-core test using bpf-iptables you should execute the following command:
56 |
57 | ```bash
58 | $ ./run-tests-multi.sh -r 1 -o bpf-iptables-results
59 | ```
60 |
61 |
--------------------------------------------------------------------------------
/system-benchmarking/ruleset-size/config_dut_routing.sh:
--------------------------------------------------------------------------------
#!/bin/sh

# Bring up the two DUT data-plane interfaces with their test addresses and
# enable IPv4 forwarding between them.
sudo ifconfig enp101s0f0 192.168.0.254/24 up
sudo ifconfig enp101s0f1 192.168.1.254/24 up

sudo ifconfig enp101s0f0 up
sudo ifconfig enp101s0f1 up

sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"

# Keep the static ARP entries for hosts .1-.11 of both test subnets
# refreshed (the MACs are presumably the packet generator's two ports).
# The loop never exits: the test driver starts this script in the
# background and kills it during cleanup.
while true; do
  for host in 1 2 3 4 5 6 7 8 9 10 11; do
    sudo arp -s "192.168.0.$host" 3c:fd:fe:af:ec:48
  done

  for host in 1 2 3 4 5 6 7 8 9 10 11; do
    sudo arp -s "192.168.1.$host" 3c:fd:fe:af:ec:49
  done

  sleep 10
done
--------------------------------------------------------------------------------
/system-benchmarking/ruleset-size/rulesets/helpers.bash:
--------------------------------------------------------------------------------
# Start a fresh polycubed for every test (set to false to reuse a running one).
RELAUNCH_POLYCUBED='true'
# Command used to launch the daemon; logging is switched off.
polycubed='sudo polycubed -l off' # TODO: log off
4 |
# Initialise pcn-iptables in XDP mode via the bundled helper command.
initialize_pcn_iptables() {
  bpf-iptables-init-xdp
  # previously: $HOME/polycube/services/pcn-iptables/iptables-compatibility/iptables-init.sh
}
9 |
10 | # Check if polycubed rest server is responding
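# Check if the polycubed REST server is responding.
# Outputs: the exit status of 'polycubectl ?' on stdout (0 when responding).
polycubed_is_responding() {
  # '?' is quoted so the shell cannot glob-expand it against a one-character
  # file name in the current directory; stdout is discarded, stderr kept.
  polycubectl '?' > /dev/null
  echo $?
}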
16 |
17 | # Relaunch polycubed, if deamon is not running
# Relaunch polycubed when no polycubed process is listed by ps.
# Globals: polycubed (read), alive (written: ps|grep output)
polycubed_relaunch_if_not_running() {
  alive=$(ps -el | grep polycubed)
  [ -n "$alive" ] && return
  echo "polycubed not running ..."
  echo "relaunching polycubed ..."
  $polycubed >> /dev/null 2>&1 &
}
26 |
27 | # Launch polycubed, and wait until it becomes responsive
# Launch polycubed (or only if it is not running, when RELAUNCH_POLYCUBED is
# false) and wait until its REST server responds, relaunching it if it dies.
# Globals: RELAUNCH_POLYCUBED, polycubed (read)
#          polycubed_alive, done, i, responding (written)
launch_and_wait_polycubed_is_responding() {
  if $RELAUNCH_POLYCUBED; then
    echo "starting polycubed ..."
    $polycubed >> /dev/null 2>&1 &
  else
    polycubed_alive=$(ps -el | grep polycubed)
    if [ -z "$polycubed_alive" ]; then
      echo "polycubed not running ..."
      echo "relaunching polycubed ..."
      $polycubed >> /dev/null 2>&1 &
    fi
  fi

  # Poll once per second; i counts the seconds waited.
  done=0
  i=0
  until [ "$done" -ne 0 ]; do
    sleep 1
    responding=$(polycubed_is_responding)
    if [[ $responding -eq 0 ]]; then
      done=1
    else
      polycubed_relaunch_if_not_running
    fi
    i=$((i+1))
  done

  if $RELAUNCH_POLYCUBED; then
    echo "starting polycubed in $i seconds"
  elif [ -z "$polycubed_alive" ]; then
    echo "relaunching polycubed in $i seconds"
  fi
}
64 |
65 | # Kill polycubed, and wait all services to be unloaded and process to be completely killed
# Kill polycubed and wait until no polycubed process is listed any more
# (services unloaded, process gone). Also shipped verbatim to the DUT via
# 'typeset -f', so it must stay self-contained.
# Globals: done, i, alive (written)
polycubed_kill_and_wait() {
  echo "killing polycubed ..."
  sudo pkill polycubed >> /dev/null

  # Poll once per second; i counts the seconds waited.
  done=0
  i=0
  until [ "$done" -ne 0 ]; do
    sleep 1
    alive=$(ps -el | grep polycubed)
    [ -z "$alive" ] && done=1
    i=$((i+1))
  done

  echo "killing polycubed in $i seconds"
}
87 |
# Put the Go and pcn-iptables helper binaries on PATH, then start polycubed
# and initialise pcn-iptables.
launch_pcn_iptables() {
  export PATH=$PATH:/home/polycube/go/bin:/home/polycube/polycube/services/pcn-iptables/scripts
  launch_and_wait_polycubed_is_responding
  initialize_pcn_iptables
}
94 |
--------------------------------------------------------------------------------
/system-benchmarking/ruleset-size/rulesets/nftables-rules/nftables_100.sh:
--------------------------------------------------------------------------------
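#!/bin/bash
# nftables ruleset for the "100 rules" test: a filter table whose forward
# chain drops by default and accepts (with a counter) 100 UDP 5-tuples,
# 192.168.0.{2..6} -> 192.168.1.{2..6}, sport {10100,10101}, dport {8080,8081}.
# Expects CHAIN in the environment (exported by rules_100.sh).

# Fail loudly instead of issuing malformed nft commands when CHAIN is missing.
: "${CHAIN:?CHAIN must be set to the chain name (e.g. FORWARD)}"

nft add table ip filter
nft add chain ip filter "$CHAIN" \{ type filter hook forward priority 0\; policy drop\; \}

# Same rule order as the original flat list: source, destination, sport, dport.
for src in 2 3 4 5 6; do
  for dst in 2 3 4 5 6; do
    for sport in 10100 10101; do
      for dport in 8080 8081; do
        nft add rule ip filter "$CHAIN" ip saddr "192.168.0.$src" ip daddr "192.168.1.$dst" udp sport "$sport" udp dport "$dport" counter accept
      done
    done
  done
done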
--------------------------------------------------------------------------------
/system-benchmarking/ruleset-size/rulesets/nftables-rules/nftables_50.sh:
--------------------------------------------------------------------------------
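#!/bin/bash
# nftables ruleset for the "50 rules" test: a filter table whose forward
# chain drops by default and accepts (with a counter) 54 UDP 5-tuples,
# 192.168.0.{2..4} -> 192.168.1.{2..4}, sport {10100..10102}, dport {8080,8081}.
# (54 rules, not 50, exactly as in the original flat list.)
# Expects CHAIN in the environment (exported by rules_50.sh).

# Fail loudly instead of issuing malformed nft commands when CHAIN is missing.
: "${CHAIN:?CHAIN must be set to the chain name (e.g. FORWARD)}"

nft add table ip filter
nft add chain ip filter "$CHAIN" \{ type filter hook forward priority 0\; policy drop\; \}

# Same rule order as the original flat list: source, destination, sport, dport.
for src in 2 3 4; do
  for dst in 2 3 4; do
    for sport in 10100 10101 10102; do
      for dport in 8080 8081; do
        nft add rule ip filter "$CHAIN" ip saddr "192.168.0.$src" ip daddr "192.168.1.$dst" udp sport "$sport" udp dport "$dport" counter accept
      done
    done
  done
done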
59 |
--------------------------------------------------------------------------------
/system-benchmarking/ruleset-size/rulesets/rules_100.sh:
--------------------------------------------------------------------------------
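#!/bin/bash
# usage:
# rules_100.sh [iptables|pcn-iptables|nftables] [FORWARD]
#
# Loads the "100 rules" benchmark ruleset into the FORWARD chain of the
# firewall selected by $1 (anything other than pcn-iptables / nftables,
# including no argument at all, means plain iptables).  The ruleset is the
# cross product 5 src IPs x 5 dst IPs x 2 sports x 2 dports = 100 UDP ACCEPT
# rules on top of a DROP default policy.
#
# $2 is accepted for symmetry with the usage line but is not read: the chain
# is always FORWARD.  Do not make it configurable casually -- a DROP policy
# on INPUT would cut off the SSH session that drives the DUT.
#
# helpers.bash is located with dirname so the script also works when invoked
# without a path component ("bash rules_100.sh"): there ${BASH_SOURCE%/*}
# would expand to the file name itself and the source would fail.
source "$(dirname "${BASH_SOURCE[0]}")/helpers.bash"

# set -x
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"

NFTABLES_DIR=nftables-rules
IPTABLES="sudo iptables"
CHAIN="FORWARD"

echo ""
echo "usage:"
echo "$0 [iptables|pcn-iptables|nftables] [FORWARD]"
echo ""

# Select the firewall front end and do its one-off preparation.  The
# statements run in the same order as before for each back end.
case "$1" in
  pcn-iptables)
    echo "Using bpf-iptables"
    IPTABLES="bpf-iptables"
    # presumably provided by helpers.bash -- it is not defined here
    launch_pcn_iptables
    # Batch mode: rules are committed by the single apply-rules at the end.
    polycubectl pcn-iptables set interactive=false
    ;;
  nftables)
    echo "Using nftables"
    IPTABLES="nft"
    echo "Loading nftables rules"
    # The nftables variant is a separate script that reads CHAIN from the
    # environment; exec replaces this process, so nothing below runs for it.
    export CHAIN
    exec "$DIR/$NFTABLES_DIR/nftables_100.sh"
    ;;
  *)
    echo "Using iptables"
    IPTABLES="sudo iptables"
    # Append a conntrack rule and immediately flush the chain: the flush
    # removes the rule again, so the net effect is an empty chain.
    # Presumably the -m conntrack match is only there to get the conntrack
    # module loaded before the benchmark -- confirm before changing.
    $IPTABLES -A $CHAIN -m conntrack --ctstate ESTABLISHED -j ACCEPT
    $IPTABLES -F $CHAIN
    ;;
esac

# $IPTABLES is deliberately unquoted: it may hold "sudo iptables".
# shellcheck disable=SC2086
$IPTABLES -P $CHAIN DROP

# Rule order matters for a linear-match firewall, so keep the nesting
# (src, dst, sport, dport): it reproduces the order of the original
# hand-written list, 100 rules in total.
for src in 192.168.0.{2..6}; do
  for dst in 192.168.1.{2..6}; do
    for sport in 10100 10101; do
      for dport in 8080 8081; do
        # shellcheck disable=SC2086
        $IPTABLES -A $CHAIN -s "$src" -d "$dst" -p udp --sport "$sport" --dport "$dport" -j ACCEPT
      done
    done
  done
done

if [ "$1" == "pcn-iptables" ]; then
  # Commit the batched rules to the bpf-iptables data plane.
  polycubectl pcn-iptables chain $CHAIN apply-rules
fi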
148 |
--------------------------------------------------------------------------------
/system-benchmarking/ruleset-size/rulesets/rules_50.sh:
--------------------------------------------------------------------------------
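#!/bin/bash
# usage:
# rules_50.sh [iptables|pcn-iptables|nftables] [FORWARD]
#
# Loads the "50 rules" benchmark ruleset into the FORWARD chain of the
# firewall selected by $1 (anything other than pcn-iptables / nftables,
# including no argument at all, means plain iptables).  The ruleset is the
# cross product 3 src IPs x 3 dst IPs x 3 sports x 2 dports = 54 UDP ACCEPT
# rules on top of a DROP default policy.
#
# $2 is accepted for symmetry with the usage line but is not read: the chain
# is always FORWARD.  Do not make it configurable casually -- a DROP policy
# on INPUT would cut off the SSH session that drives the DUT.
#
# helpers.bash is located with dirname so the script also works when invoked
# without a path component ("bash rules_50.sh"): there ${BASH_SOURCE%/*}
# would expand to the file name itself and the source would fail.
source "$(dirname "${BASH_SOURCE[0]}")/helpers.bash"

# set -x
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"

NFTABLES_DIR=nftables-rules
IPTABLES="sudo iptables"
CHAIN="FORWARD"

echo ""
echo "usage:"
echo "$0 [iptables|pcn-iptables|nftables] [FORWARD]"
echo ""

# Select the firewall front end and do its one-off preparation.  The
# statements run in the same order as before for each back end.
case "$1" in
  pcn-iptables)
    echo "Using bpf-iptables"
    IPTABLES="bpf-iptables"
    # presumably provided by helpers.bash -- it is not defined here
    launch_pcn_iptables
    # Batch mode: rules are committed by the single apply-rules at the end.
    polycubectl pcn-iptables set interactive=false
    ;;
  nftables)
    echo "Using nftables"
    IPTABLES="nft"
    echo "Loading nftables rules"
    # The nftables variant is a separate script that reads CHAIN from the
    # environment; exec replaces this process, so nothing below runs for it.
    export CHAIN
    exec "$DIR/$NFTABLES_DIR/nftables_50.sh"
    ;;
  *)
    echo "Using iptables"
    IPTABLES="sudo iptables"
    # Append a conntrack rule and immediately flush the chain: the flush
    # removes the rule again, so the net effect is an empty chain.
    # Presumably the -m conntrack match is only there to get the conntrack
    # module loaded before the benchmark -- confirm before changing.
    $IPTABLES -A $CHAIN -m conntrack --ctstate ESTABLISHED -j ACCEPT
    $IPTABLES -F $CHAIN
    ;;
esac

# $IPTABLES is deliberately unquoted: it may hold "sudo iptables".
# shellcheck disable=SC2086
$IPTABLES -P $CHAIN DROP

# Rule order matters for a linear-match firewall, so keep the nesting
# (src, dst, sport, dport): it reproduces the order of the original
# hand-written list, 54 rules in total.
for src in 192.168.0.{2..4}; do
  for dst in 192.168.1.{2..4}; do
    for sport in 10100 10101 10102; do
      for dport in 8080 8081; do
        # shellcheck disable=SC2086
        $IPTABLES -A $CHAIN -s "$src" -d "$dst" -p udp --sport "$sport" --dport "$dport" -j ACCEPT
      done
    done
  done
done

if [ "$1" == "pcn-iptables" ]; then
  # Commit the batched rules to the bpf-iptables data plane.
  polycubectl pcn-iptables chain $CHAIN apply-rules
fi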
101 |
--------------------------------------------------------------------------------
/system-benchmarking/ruleset-size/run-tests-multi.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# Directory holding this script; result files and the pktgen Lua script are
# addressed relative to it.
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
# Timestamp embedded in the generated pktgen config.
NOW=$(date '+%m-%d-%Y-%T')

###############################
# Remote configurations (DUT) #
###############################
# These values are interpolated, unquoted, into shell commands sent to the
# DUT over ssh (setup_environment & co.), so keep them free of shell
# metacharacters.  REMOTE_DUT is a placeholder to replace with the DUT's
# address before use.
REMOTE_DUT=IPADDRESS
REMOTE_FOLDER='~/bpf-iptables-tests/system-benchmarking/ruleset-size'
# Destination MACs for the two pktgen ports (written into config.lua).
DST_MAC_IF0='3cfd:feaf:ec30'
DST_MAC_IF1='3cfd:feaf:ec31'
INGRESS_IFACE_NAME='enp101s0f0'

########################################
# Local configurations (Pkt generator) #
########################################
# LOCAL_DUT and LOCAL_NAME are not read anywhere else in this file.
LOCAL_DUT=IPADDRESS
PKTGEN_FOLDER="${HOME}/dev/pktgen-dpdk"
LOCAL_NAME=cube1

#####################################################
# Script configuration (don't touch these variables #
# if you do not know what you are doing             #
#####################################################
CONTAINER_ID=0000                 # replaced by setup_environment
polycubed='sudo polycubed'
polycubectl="${GOPATH}/bin/polycubectl"   # not read elsewhere in this file
POLYCUBE_VERSION=none                     # not read elsewhere in this file
IPTABLES=pcn-iptables             # -i / -n switch this to iptables / nftables
# Tilde paths are expanded on the DUT (they travel through ssh), not here.
SET_IRQ_SCRIPT='~/bpf-iptables-tests/common-scripts/set_irq_affinity'
DISABLE_CONNTRACK_SCRIPT='~/bpf-iptables-tests/common-scripts/disable_conntrack.sh'
START_RATE=50.0

# Ruleset sizes to benchmark; each maps to rulesets/rules_<size>.sh on the DUT.
ruleset_values=(50 100 500 1000 5000)
36 |
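#######################################
# Specific Test (srcip) Configuration #
#######################################
# Set the packet-generator address/port ranges for one ruleset size.  The
# ranges mirror the cross product installed by rulesets/rules_<size>.sh so
# that the generated traffic exercises every rule.
# Arguments: $1 - ruleset size, one of 50 100 500 1000 5000
# Globals written: START_SRC_IP END_SRC_IP NUM_IP_SRC START_DST_IP END_DST_IP
#   NUM_IP_DST START_SPORT END_SPORT START_DPORT END_DPORT
#   (NUM_IP_SRC / NUM_IP_DST are not read elsewhere in this file.)
# Exits the whole script with status 1 on an unknown size.
function generate_test_configuration() {
  local test_name=$1
  # case instead of an [ == ] chain: an empty argument no longer trips a
  # "unary operator expected" error before reaching the unsupported branch.
  case "$test_name" in
    50)
      START_SRC_IP=192.168.0.2
      END_SRC_IP=192.168.0.4
      NUM_IP_SRC=3
      START_DST_IP=192.168.1.2
      END_DST_IP=192.168.1.4
      NUM_IP_DST=3
      START_SPORT=10100
      END_SPORT=10102
      START_DPORT=8080
      END_DPORT=8081
      ;;
    100)
      START_SRC_IP=192.168.0.2
      END_SRC_IP=192.168.0.6
      NUM_IP_SRC=5
      START_DST_IP=192.168.1.2
      END_DST_IP=192.168.1.6
      NUM_IP_DST=5
      START_SPORT=10100
      END_SPORT=10101
      START_DPORT=8080
      END_DPORT=8081
      ;;
    500)
      START_SRC_IP=192.168.0.2
      END_SRC_IP=192.168.0.6
      NUM_IP_SRC=5
      START_DST_IP=192.168.1.2
      END_DST_IP=192.168.1.6
      NUM_IP_DST=5
      START_SPORT=10100
      END_SPORT=10109
      START_DPORT=8080
      END_DPORT=8081
      ;;
    1000)
      START_SRC_IP=192.168.0.2
      END_SRC_IP=192.168.0.11
      NUM_IP_SRC=10
      START_DST_IP=192.168.1.2
      END_DST_IP=192.168.1.6
      NUM_IP_DST=5
      START_SPORT=10100
      END_SPORT=10103
      START_DPORT=8080
      END_DPORT=8084
      ;;
    5000)
      START_SRC_IP=192.168.0.2
      END_SRC_IP=192.168.0.11
      NUM_IP_SRC=10
      START_DST_IP=192.168.1.2
      END_DST_IP=192.168.1.6
      NUM_IP_DST=5
      START_SPORT=10100
      END_SPORT=10109
      START_DPORT=8080
      END_DPORT=8089
      ;;
    *)
      # Diagnostic goes to stderr so it never lands in a result file.
      echo "Test case not supported" >&2
      exit 1
      ;;
  esac
}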
102 |
103 |
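# Print the command-line usage text.
# Arguments: none.  Outputs: the usage text on stdout.
# Uses a here-document instead of a temporary variable so no global
# "usage" variable is left behind.
show_help() {
  cat <<EOF
$(basename "$0") [-h] [-r #runs] [-o output_file] [-i|-n]
Run tests of pcn-iptables for the FORWARD chain with a different number of rules

where:
-h show this help text
-r number of runs for the test
-o path to file where the results are placed
-i use iptables
-n use nftables
EOF
}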
117 |
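# Kill polycubed, and wait all services to be unloaded and process to be completely killed
#
# Arguments: $1 - optional maximum number of seconds to wait (default 60).
# Outputs:   progress messages on stdout, a timeout warning on stderr.
# Returns:   0 once no polycubed process is left, 1 if one is still alive
#            after the timeout (the old version looped forever).
# NOTE: this function is also shipped to the DUT verbatim through
# "$(typeset -f polycubed_kill_and_wait)" in cleanup_environment, so it must
# stay self-contained: no helper functions, no globals from this file.
function polycubed_kill_and_wait {
  local max_wait=${1:-60}
  local waited=0
  echo "killing polycubed ..."
  # pkill sends SIGTERM; polycubed needs a moment to unload its services.
  sudo pkill polycubed > /dev/null 2>&1
  while : ; do
    sleep 1
    waited=$((waited + 1))
    # pgrep matches on the process name, like the pkill above, and avoids
    # parsing ps output.
    if ! pgrep polycubed > /dev/null 2>&1; then
      echo "killing polycubed in $waited seconds"
      return 0
    fi
    if [ "$waited" -ge "$max_wait" ]; then
      echo "polycubed still alive after $waited seconds" >&2
      return 1
    fi
  done
}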
139 |
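# Start a fresh bpf-iptables container on the DUT and load one ruleset in it.
# Arguments: $1 - ruleset size (selects rulesets/rules_<size>.sh on the DUT)
# Globals:   reads REMOTE_DUT REMOTE_FOLDER IPTABLES; writes CONTAINER_ID
# Returns:   1 if no container id came back from docker run (nothing else
#            is attempted in that case).
function setup_environment {
  local size=$1
  ssh polycube@"$REMOTE_DUT" "sudo service docker restart"
  # --privileged + --network host: the rules loaded inside the container must
  # act on the DUT's own network stack, so the container is not a security
  # boundary here; the DUT should be a dedicated benchmarking host.
  CONTAINER_ID=$(ssh polycube@"$REMOTE_DUT" "sudo docker run -id --name bpf-iptables --rm --privileged --network host -v /lib/modules:/lib/modules:ro -v /usr/src:/usr/src:ro -v /etc/localtime:/etc/localtime:ro netgrouppolito/bpf-iptables:latest bash")
  if [ -z "$CONTAINER_ID" ]; then
    echo "setup_environment: could not start the bpf-iptables container on $REMOTE_DUT" >&2
    return 1
  fi
  # Local variables are expanded into the here-document before it is sent;
  # the ~ inside REMOTE_FOLDER is expanded by the remote shell.
  ssh polycube@"$REMOTE_DUT" << EOF
set -x
sudo docker exec -d bpf-iptables bash -c "exec -a config_dut $REMOTE_FOLDER/config_dut_routing.sh > ~/log 2>&1 &"
sudo docker exec bpf-iptables bash -c "$REMOTE_FOLDER/rulesets/rules_$size.sh $IPTABLES FORWARD"
EOF
}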
150 |
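# Tear down what setup_environment created on the DUT: stop polycubed, the
# routing helper and the container, then flush the host firewall state.
# Every step is best-effort (output discarded) because the state may be only
# partially set up, e.g. after a failed run.
# Globals: reads REMOTE_DUT CONTAINER_ID; ships polycubed_kill_and_wait.
# NOTE(review): the FORWARD policy that rules_*.sh sets to DROP is not
# restored here, only the rules are flushed -- confirm that is intended.
function cleanup_environment {
  # The local polycubed_kill_and_wait definition is pasted into the remote
  # script by typeset -f, so the DUT needs no copy of this file.
  # The container is named bpf-iptables (see setup_environment); the
  # rm -f by name is the fallback for when the stop by id did not happen.
  ssh polycube@"$REMOTE_DUT" << EOF
$(typeset -f polycubed_kill_and_wait)
polycubed_kill_and_wait
sudo docker exec bpf-iptables bash -c "sudo pkill config_dut"
sudo docker stop ${CONTAINER_ID} &> /dev/null
sudo docker rm -f bpf-iptables &> /dev/null
sudo iptables -F FORWARD &> /dev/null
sudo nft flush table ip filter &> /dev/null
sudo nft delete table ip filter &> /dev/null
EOF
}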
163 |
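# Block until the DUT accepts an ssh connection again (used after a reboot).
# Globals: reads REMOTE_DUT.  Loops forever if the host never comes back.
# Not called from this file's main flow.
function wait_for_remote_machine {
  # BatchMode makes a missing key fail immediately instead of hanging on a
  # password prompt; the script already requires key-based auth (see the
  # connectivity check before the main loop).
  until ssh -q -o BatchMode=yes polycube@"$REMOTE_DUT" exit; do
    sleep 5
  done
  # Give services on the freshly booted host a few seconds to settle.
  sleep 5
}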
174 |
# Reboot the DUT; pair with wait_for_remote_machine before using it again.
# Globals: reads REMOTE_DUT.  Not called from this file's main flow.
function reboot_remote_dut {
  # Nothing in the remote snippet needs local expansion, hence the quoted
  # delimiter.
  ssh "polycube@${REMOTE_DUT}" <<'EOF'
set -x
sudo reboot
EOF
}
181 |
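# Report whether a connection-tracking module is loaded on the DUT.
# Globals: reads REMOTE_DUT.
# Outputs: "enabled" if lsmod on the DUT lists a module matching "conntrack",
#          "disabled" otherwise (also when ssh itself fails and prints nothing).
# Not called from this file's main flow.
function check_conntrack {
  local loaded
  # Declaration and assignment are split so local's own exit status does
  # not mask a failing ssh.
  loaded=$(ssh polycube@"$REMOTE_DUT" "lsmod | grep conntrack")
  if [ -z "$loaded" ]; then
    echo "disabled"
  else
    echo "enabled"
  fi
}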
193 |
# Run the conntrack-disabling helper inside the bpf-iptables container on
# the DUT.  Globals: reads REMOTE_DUT DISABLE_CONNTRACK_SCRIPT.
# Not called from this file's main flow.
function disable_conntrack {
  # The script path is expanded locally; its leading ~ is expanded by the
  # remote shell.
  ssh "polycube@${REMOTE_DUT}" << EOF
sudo docker exec bpf-iptables bash -c "$DISABLE_CONNTRACK_SCRIPT"
EOF
}
199 |
# Unload the nftables kernel modules on the DUT, dependents first.
# Globals: reads REMOTE_DUT.  rmmod failures are not checked.
# Not called from this file's main flow.
function disable_nft {
  ssh "polycube@${REMOTE_DUT}" <<'EOF'
sudo rmmod nft_counter
sudo rmmod nft_ct
sudo rmmod nf_tables
EOF
}
207 |
# Best-effort teardown: errexit is switched off first so one failing
# teardown step does not prevent the others from running.  Note that
# nothing switches it back on afterwards.
cleanup() {
  set +e
  cleanup_environment
}
212 |
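# The argument of this function is the range of cores to be used
# or 'all' in case all cores are used
# Globals: reads REMOTE_DUT SET_IRQ_SCRIPT INGRESS_IFACE_NAME.
# Returns: 1 without contacting the DUT when $1 is empty, since the remote
#          helper would otherwise be called with a shifted argument list.
function set_irq_affinity {
  local cores=$1
  if [ -z "$cores" ]; then
    echo "set_irq_affinity: core range (or 'all') required" >&2
    return 1
  fi
  ssh polycube@"$REMOTE_DUT" << EOF
set -x
sudo docker exec bpf-iptables bash -c "$SET_IRQ_SCRIPT $cores $INGRESS_IFACE_NAME"
EOF
}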
221 |
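# Write ${PKTGEN_FOLDER}/config.lua, the parameter table read by the pktgen
# Lua test script (the main loop passes 0 for the first test and 1 for the
# "simple test without binary search").
# Arguments: $1 - simple_test flag, must be 0 or 1
# Globals:   reads PKTGEN_FOLDER NOW DST_MAC_IF0 DST_MAC_IF1 NUMBER_RUNS
#            START_RATE and the START_*/END_* ranges set by
#            generate_test_configuration.
# Returns:   1 (and writes nothing) if $1 is not 0 or 1, because an empty
#            or stray value would leave the Lua table unparsable.
function generate_pktgen_config_file {
  local simple_test=$1
  case "$simple_test" in
    0|1) ;;
    *)
      echo "generate_pktgen_config_file: expected 0 or 1, got '$simple_test'" >&2
      return 1
      ;;
  esac
  cat > "${PKTGEN_FOLDER}/config.lua" << EOF
-- config.lua
-- Automatically generated at ${NOW}

local _M = {}

_M.test = {
dstMac0 = "${DST_MAC_IF0}",
dstMac1 = "${DST_MAC_IF1}",
num_runs = ${NUMBER_RUNS},
simple_test = ${simple_test},
startSrcIP = "${START_SRC_IP}",
endSrcIP = "${END_SRC_IP}",
startDstIP = "${START_DST_IP}",
endDstIP = "${END_DST_IP}",
startSport = ${START_SPORT},
endSport = ${END_SPORT},
startDport = ${START_DPORT},
endDport = ${END_DPORT},
startRate = ${START_RATE},
}

return _M
EOF
}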
249 |
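#set -e

# Command line: -r and -o are mandatory, -i / -n override the default
# pcn-iptables back end.  Usage errors exit with 2, -h with 0.
while getopts :r:o:inh option; do
  case "${option}" in
    h)
      show_help
      exit 0
      ;;
    r) NUMBER_RUNS=${OPTARG} ;;
    o) OUT_FILE=${OPTARG} ;;
    i) IPTABLES="iptables" ;;
    n) IPTABLES="nftables" ;;
    :)
      echo "Option -$OPTARG requires an argument." >&2
      show_help
      exit 2
      ;;
    \?)
      echo "Unknown option -$OPTARG" >&2
      show_help
      exit 2
      ;;
  esac
done

if [ -z "${NUMBER_RUNS+x}" ]; then
  echo "You should specify the number of runs with the -r option" >&2
  show_help
  exit 2
fi

if [ -z "${OUT_FILE+x}" ]; then
  echo "You should specify the output file with the -o option" >&2
  show_help
  exit 2
fi

# Check if the server can connect without password
if ssh -o PasswordAuthentication=no -o BatchMode=yes polycube@"$REMOTE_DUT" exit &>/dev/null; then
  echo "Can connect: let's continue"
else
  echo "This client cannot connect to the DUT without password." >&2
  echo "To make this script working you should use the publickey authentication" >&2
  exit 1
fi

set -x

# Run pktgen on the current config.lua from inside PKTGEN_FOLDER; it leaves
# pcn-iptables-forward.csv in that directory, which is why the cwd is kept
# there until the result has been copied.
run_pktgen() {
  cd "$PKTGEN_FOLDER" || exit 1
  sudo ./app/x86_64-native-linuxapp-gcc/pktgen -c ff -n 4 --proc-type auto --file-prefix pg -- -T -P -m "[1:2/3/4/5].0, [6/7].1" -f "$DIR/ruleset-size.lua"
  sleep 5
}

for size in "${ruleset_values[@]}"; do
  set +e

  generate_test_configuration "$size"

  set -e
  # NOTE(review): cleanup runs "set +e" and nothing turns errexit back on,
  # so from here on a failing step does not stop the run -- confirm whether
  # that is intended.
  cleanup

  # One result file per ruleset size; everything below appends to it.
  result_file="$DIR/$OUT_FILE-$size.txt"

  # Header: version of the firewall under test, size, DUT kernel.
  case "$IPTABLES" in
    pcn-iptables) ssh polycube@"$REMOTE_DUT" "$polycubed --version" > "$result_file" ;;
    iptables)     ssh polycube@"$REMOTE_DUT" "sudo iptables --version" > "$result_file" ;;
    *)            ssh polycube@"$REMOTE_DUT" "sudo nft --version" > "$result_file" ;;
  esac
  {
    echo "Processing size: $size"
    ssh polycube@"$REMOTE_DUT" "uname -r"
    echo ""
  } >> "$result_file"
  #####################################################
  # Execute the first test with interrupts set to all #
  #####################################################
  START_RATE=50.0
  setup_environment "$size"
  set_irq_affinity "all"

  sleep 5
  generate_pktgen_config_file 0
  run_pktgen

  cat "pcn-iptables-forward.csv" >> "$result_file"

  cleanup_environment
  sleep 5
  ###################################################
  # Execute now a simple test without binary search #
  ###################################################
  setup_environment "$size"
  set_irq_affinity "all"

  sleep 5
  generate_pktgen_config_file 1
  run_pktgen

  {
    echo ""
    echo "SimpleTest"
    cat "pcn-iptables-forward.csv"
  } >> "$result_file"

  cleanup_environment
  sleep 30
  cd "$DIR" || exit 1
done

ssh polycube@"$REMOTE_DUT" "sudo service docker restart"

exit 0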
361 |
--------------------------------------------------------------------------------
/system-benchmarking/ruleset-size/run-tests-single.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# Directory holding this script; result files are addressed relative to it.
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
# Run timestamp; also part of FORWARD_TEST_LOG.
NOW=$(date '+%m-%d-%Y-%T')

# Remote configurations (DUT)
# These values are interpolated, unquoted, into shell commands sent to the
# DUT over ssh, so keep them free of shell metacharacters.  REMOTE_DUT is a
# placeholder to replace with the DUT's address before use.
REMOTE_DUT=IPADDRESS
REMOTE_FOLDER='~/bpf-iptables-tests/system-benchmarking/ruleset-size'
# Destination MACs for the two pktgen ports.
DST_MAC_IF0='3cfd:feaf:ec30'
DST_MAC_IF1='3cfd:feaf:ec31'
INGRESS_IFACE_NAME='enp101s0f0'

# Local configurations (Pkt generator)
LOCAL_DUT=IPADDRESS
PKTGEN_FOLDER="${HOME}/dev/pktgen-dpdk"
LOCAL_NAME=cube1

# Script configuration (don't touch these variables
# if you do not know what you are doing

CONTAINER_ID=0000                 # replaced by setup_environment
polycubed='sudo polycubed'
polycubectl="${GOPATH}/bin/polycubectl"
POLYCUBE_VERSION=none
IPTABLES=pcn-iptables
# Tilde paths are expanded on the DUT (they travel through ssh), not here.
SET_IRQ_SCRIPT='~/bpf-iptables-tests/common-scripts/set_irq_affinity'
DISABLE_CONNTRACK_SCRIPT='~/bpf-iptables-tests/common-scripts/disable_conntrack.sh'
START_RATE=50.0
# Not read in the visible part of this file -- presumably used further down.
FORWARD_TEST_LOG=forward_test.$NOW.log

# Ruleset sizes to benchmark; each maps to rulesets/rules_<size>.sh on the DUT.
ruleset_values=(50 100 500 1000 5000)
32 |
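#######################################
# Specific Test (srcip) Configuration #
#######################################
# Set the packet-generator address/port ranges for one ruleset size.  The
# ranges mirror the cross product installed by rulesets/rules_<size>.sh so
# that the generated traffic exercises every rule.
# Arguments: $1 - ruleset size, one of 50 100 500 1000 5000
# Globals written: START_SRC_IP END_SRC_IP NUM_IP_SRC START_DST_IP END_DST_IP
#   NUM_IP_DST START_SPORT END_SPORT START_DPORT END_DPORT
# Exits the whole script with status 1 on an unknown size.
function generate_test_configuration() {
  local test_name=$1
  # case instead of an [ == ] chain: an empty argument no longer trips a
  # "unary operator expected" error before reaching the unsupported branch.
  case "$test_name" in
    50)
      START_SRC_IP=192.168.0.2
      END_SRC_IP=192.168.0.4
      NUM_IP_SRC=3
      START_DST_IP=192.168.1.2
      END_DST_IP=192.168.1.4
      NUM_IP_DST=3
      START_SPORT=10100
      END_SPORT=10102
      START_DPORT=8080
      END_DPORT=8081
      ;;
    100)
      START_SRC_IP=192.168.0.2
      END_SRC_IP=192.168.0.6
      NUM_IP_SRC=5
      START_DST_IP=192.168.1.2
      END_DST_IP=192.168.1.6
      NUM_IP_DST=5
      START_SPORT=10100
      END_SPORT=10101
      START_DPORT=8080
      END_DPORT=8081
      ;;
    500)
      START_SRC_IP=192.168.0.2
      END_SRC_IP=192.168.0.6
      NUM_IP_SRC=5
      START_DST_IP=192.168.1.2
      END_DST_IP=192.168.1.6
      NUM_IP_DST=5
      START_SPORT=10100
      END_SPORT=10109
      START_DPORT=8080
      END_DPORT=8081
      ;;
    1000)
      START_SRC_IP=192.168.0.2
      END_SRC_IP=192.168.0.11
      NUM_IP_SRC=10
      START_DST_IP=192.168.1.2
      END_DST_IP=192.168.1.6
      NUM_IP_DST=5
      START_SPORT=10100
      END_SPORT=10103
      START_DPORT=8080
      END_DPORT=8084
      ;;
    5000)
      START_SRC_IP=192.168.0.2
      END_SRC_IP=192.168.0.11
      NUM_IP_SRC=10
      START_DST_IP=192.168.1.2
      END_DST_IP=192.168.1.6
      NUM_IP_DST=5
      START_SPORT=10100
      END_SPORT=10109
      START_DPORT=8080
      END_DPORT=8089
      ;;
    *)
      # Diagnostic goes to stderr so it never lands in a result file.
      echo "Test case not supported" >&2
      exit 1
      ;;
  esac
}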
98 |
99 |
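# Print the command-line usage text.
# Arguments: none.  Outputs: the usage text on stdout.
# Uses a here-document instead of a temporary variable so no global
# "usage" variable is left behind.
show_help() {
  cat <<EOF
$(basename "$0") [-h] [-r #runs] [-o output_file] [-i|-n]
Run tests of pcn-iptables for the FORWARD chain with a different number of rules

where:
-h show this help text
-r number of runs for the test
-o path to file where the results are placed
-i use iptables
-n use nftables
EOF
}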
113 |
114 | # Kill polycubed and wait until all its services are unloaded and the process is completely gone
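#######################################
# Kill polycubed and poll once per second until no polycubed process is left.
# NOTE: this function is serialised with `typeset -f` and executed on the DUT
# (see cleanup_environment), so it must stay self-contained: no helpers, no
# globals from this script.
# Arguments: $1 - optional maximum seconds to wait; 0 or absent = wait forever
#                 (the original, unbounded behaviour used by the remote caller)
# Outputs:   progress messages on stdout, timeout message on stderr
# Returns:   0 once polycubed is gone, 1 if the limit was reached first
#######################################
polycubed_kill_and_wait() {
  local max_wait=${1:-0}
  local waited=0
  echo "killing polycubed ..."
  sudo pkill polycubed > /dev/null 2>&1
  while :; do
    sleep 1
    waited=$((waited + 1))
    # pgrep replaces the ps|grep pipeline; same substring match on the process name.
    if ! pgrep polycubed > /dev/null 2>&1; then
      echo "polycubed terminated after $waited seconds"
      return 0
    fi
    if [ "$max_wait" -gt 0 ] && [ "$waited" -ge "$max_wait" ]; then
      echo "polycubed still running after $waited seconds" >&2
      return 1
    fi
  done
}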
135 |
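#######################################
# Restart docker on the DUT, start the bpf-iptables container and load the
# ruleset for one size.
# Globals: REMOTE_DUT REMOTE_FOLDER IPTABLES (read), CONTAINER_ID (written)
# Arguments: $1 - ruleset size, selects rulesets/rules_<size>.sh on the DUT
# Returns: 1 if `docker run` produced no container id
# The container is started --privileged with --network host and the host's
# /lib/modules and /usr/src mounted read-only; the benchmark needs host-level
# access to the DUT network stack, so this is expected for this harness but
# the DUT must be treated as a dedicated test machine.
# All variables in the heredoc are expanded locally before the text is sent,
# so the DUT only ever sees a fully rendered command sequence.
#######################################
setup_environment() {
  local size=$1
  local dut="polycube@$REMOTE_DUT"
  ssh "$dut" "sudo service docker restart"
  CONTAINER_ID=$(ssh "$dut" "sudo docker run -id --name bpf-iptables --rm --privileged --network host -v /lib/modules:/lib/modules:ro -v /usr/src:/usr/src:ro -v /etc/localtime:/etc/localtime:ro netgrouppolito/bpf-iptables:latest bash")
  if [ -z "$CONTAINER_ID" ]; then
    echo "docker run did not return a container id on $REMOTE_DUT" >&2
    return 1
  fi
  # config_dut_routing.sh is detached (-d) and renamed to config_dut so that
  # cleanup_environment can pkill it by that name.
  ssh "$dut" << EOF
set -x
sudo docker exec -d bpf-iptables bash -c "exec -a config_dut $REMOTE_FOLDER/config_dut_routing.sh > ~/log 2>&1 &"
sudo docker exec bpf-iptables bash -c "$REMOTE_FOLDER/rulesets/rules_$size.sh $IPTABLES FORWARD"
EOF
}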
146 |
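#######################################
# Tear down the DUT state created by setup_environment: stop polycubed, the
# routing helper and the container, then flush the FORWARD chain / nft table.
# Globals: REMOTE_DUT CONTAINER_ID (read)
# The body of polycubed_kill_and_wait is shipped inline via `typeset -f`, so
# that function must remain self-contained.
# Fix: the container is named bpf-iptables (see setup_environment); the old
# `docker rm -f bof-iptables` targeted a name that never exists, so a
# container that survived `docker stop` was never removed.
# NOTE(review): `&>` is a bash redirection; it only behaves as intended if the
# login shell on the DUT is bash — confirm.
#######################################
cleanup_environment() {
  ssh polycube@"$REMOTE_DUT" << EOF
$(typeset -f polycubed_kill_and_wait)
polycubed_kill_and_wait
sudo docker exec bpf-iptables bash -c "sudo pkill config_dut"
sudo docker stop ${CONTAINER_ID} &> /dev/null
sudo docker rm -f bpf-iptables &> /dev/null
sudo iptables -F FORWARD &> /dev/null
sudo nft flush table ip filter &> /dev/null
sudo nft delete table ip filter &> /dev/null
EOF
}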
159 |
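#######################################
# Block until an ssh login to the DUT succeeds (used after reboot_remote_dut).
# Globals: REMOTE_DUT (read)
# Every attempt is followed by a 5 s pause, as before; BatchMode/ConnectTimeout
# make a rebooting host fail fast instead of hanging or prompting for a password.
#######################################
wait_for_remote_machine() {
  local dut="polycube@$REMOTE_DUT"
  until ssh -q -o BatchMode=yes -o ConnectTimeout=10 "$dut" exit; do
    sleep 5
  done
  # Settle time after the first successful login.
  sleep 5
}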
170 |
#######################################
# Reboot the DUT (traced with set -x on the remote side).
# Globals: REMOTE_DUT (read)
#######################################
reboot_remote_dut() {
  ssh polycube@"$REMOTE_DUT" 'set -x; sudo reboot'
}
177 |
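#######################################
# Report whether a conntrack kernel module is loaded on the DUT.
# Globals: REMOTE_DUT (read)
# Outputs: 'enabled' if `lsmod` lists a module matching "conntrack",
#          'disabled' otherwise
# Fix: the old test was written `[ -z "$enabled"]` (no space before `]`),
# which is a syntax error for `[`, so the function always printed 'enabled'.
# The declaration and the command substitution are split so ssh's exit
# status is not masked by `local`.
#######################################
check_conntrack() {
  local loaded
  loaded=$(ssh polycube@"$REMOTE_DUT" "lsmod | grep conntrack")
  if [ -z "$loaded" ]; then
    echo 'disabled'
  else
    echo 'enabled'
  fi
}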
189 |
#######################################
# Run the conntrack-disabling script inside the bpf-iptables container.
# Globals: REMOTE_DUT DISABLE_CONNTRACK_SCRIPT (read; the script path is
#          expanded locally and sent to the DUT as part of the command)
#######################################
disable_conntrack() {
  ssh polycube@"$REMOTE_DUT" "sudo docker exec bpf-iptables bash -c \"$DISABLE_CONNTRACK_SCRIPT\""
}
195 |
#######################################
# Unload the nftables kernel modules on the DUT.
# Globals: REMOTE_DUT (read)
# The order is kept: nft_counter and nft_ct first, nf_tables last
# (presumably the nft_* modules depend on nf_tables).
#######################################
disable_nft() {
  ssh polycube@"$REMOTE_DUT" 'sudo rmmod nft_counter; sudo rmmod nft_ct; sudo rmmod nf_tables'
}
203 |
#######################################
# Best-effort teardown wrapper around cleanup_environment.
# Side effect: `set +o errexit` (same as `set +e`) is applied to the calling
# shell and stays in effect after this function returns.
#######################################
cleanup() {
  set +o errexit
  cleanup_environment
}
208 |
209 | # The argument of this function is the range of cores to be used
210 | # or 'all' in case all cores are used
#######################################
# Pin the ingress interface IRQs on the DUT by running SET_IRQ_SCRIPT inside
# the container.
# Globals: REMOTE_DUT SET_IRQ_SCRIPT INGRESS_IFACE_NAME (read)
# Arguments: $1 - core range to use, or 'all'
#######################################
set_irq_affinity() {
  local cores=$1
  ssh polycube@"$REMOTE_DUT" "set -x; sudo docker exec bpf-iptables bash -c \"$SET_IRQ_SCRIPT $cores $INGRESS_IFACE_NAME\""
}
217 |
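#######################################
# Write the pktgen Lua configuration file (config.lua) for the current profile.
# (The old comment said "swagger-codegen"; the file is consumed by pktgen.)
# Globals (read): PKTGEN_FOLDER NOW DST_MAC_IF0 DST_MAC_IF1 NUMBER_RUNS
#                 START_SRC_IP END_SRC_IP START_DST_IP END_DST_IP
#                 START_SPORT END_SPORT START_DPORT END_DPORT START_RATE
# Arguments: $1 - value for simple_test (the main loop passes 0 for the
#                 binary-search run and 1 for the fixed-rate run)
# Outputs:   ${PKTGEN_FOLDER}/config.lua
# Returns:   1 if $1 is missing or PKTGEN_FOLDER is not a directory
# Values are interpolated unquoted into Lua, so numeric fields must already be
# validated by the caller (NUMBER_RUNS is checked at option parsing).
#######################################
generate_pktgen_config_file() {
  local simple_test=${1:-}
  if [ -z "$simple_test" ]; then
    echo "generate_pktgen_config_file: missing simple_test argument" >&2
    return 1
  fi
  if [ ! -d "$PKTGEN_FOLDER" ]; then
    echo "generate_pktgen_config_file: PKTGEN_FOLDER '$PKTGEN_FOLDER' is not a directory" >&2
    return 1
  fi
  cat > "${PKTGEN_FOLDER}/config.lua" << EOF
-- config.lua
-- Automatically generated at ${NOW}

local _M = {}

_M.test = {
    dstMac0 = "${DST_MAC_IF0}",
    dstMac1 = "${DST_MAC_IF1}",
    num_runs = ${NUMBER_RUNS},
    simple_test = ${simple_test},
    startSrcIP = "${START_SRC_IP}",
    endSrcIP = "${END_SRC_IP}",
    startDstIP = "${START_DST_IP}",
    endDstIP = "${END_DST_IP}",
    startSport = ${START_SPORT},
    endSport = ${END_SPORT},
    startDport = ${START_DPORT},
    endDport = ${END_DPORT},
    startRate = ${START_RATE},
}

return _M
EOF
}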
245 |
246 | #set -e
247 |
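# Option parsing. -r and -o are mandatory (checked below); -i / -n override the
# default backend held in IPTABLES. Usage errors now exit non-zero so a calling
# script can tell them apart from a successful -h.
while getopts :r:o:inh option; do
  case "${option}" in
    h)
      show_help
      exit 0
      ;;
    r) NUMBER_RUNS=${OPTARG} ;;
    o) OUT_FILE=${OPTARG} ;;
    i) IPTABLES="iptables" ;;
    n) IPTABLES="nftables" ;;
    :)
      echo "Option -$OPTARG requires an argument." >&2
      show_help >&2
      exit 1
      ;;
    \?)
      echo "Unknown option -$OPTARG" >&2
      show_help >&2
      exit 1
      ;;
  esac
done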
269 |
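# Remove a stale log from a previous run. (FORWARD_TEST_LOG is only referenced
# here in the visible part of the script.)
if [ -f "$FORWARD_TEST_LOG" ]; then
  rm -- "$FORWARD_TEST_LOG"
fi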
273 |
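# Mandatory options. Missing values are usage errors, so exit non-zero.
if [ -z "${NUMBER_RUNS+x}" ]; then
  echo "You should specify the number of runs with the -r option" >&2
  show_help >&2
  exit 1
fi

# NUMBER_RUNS is interpolated unquoted into config.lua (num_runs = ...), so
# anything but digits would corrupt the generated Lua; reject it here.
case "$NUMBER_RUNS" in
  ''|*[!0-9]*)
    echo "The number of runs (-r) must be an integer, got '$NUMBER_RUNS'" >&2
    exit 1
    ;;
esac

if [ -z "${OUT_FILE+x}" ]; then
  echo "You should specify the output file with the -o option" >&2
  show_help >&2
  exit 1
fi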
285 |
286 |
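# Pre-flight: the rest of the script runs many non-interactive ssh commands,
# so key-based login to the DUT must already work. BatchMode=yes makes ssh
# fail instead of prompting. (The old failure message said the client *can*
# connect, which was the opposite of what it meant.)
if ssh -o PasswordAuthentication=no -o BatchMode=yes polycube@"$REMOTE_DUT" exit &>/dev/null; then
  echo "Can connect: let's continue"
else
  echo "This client cannot connect to the DUT without a password." >&2
  echo "To make this script work you should use public-key authentication" >&2
  exit 1
fi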
295 |
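set -x

#######################################
# Run one single-core pktgen measurement and append its CSV to the result file.
# Arguments: $1 - ruleset size
#            $2 - simple_test value for config.lua (0 = binary search, 1 = plain run)
#            $3 - label written above the CSV in the result file
#            $4 - seconds to pause after the DUT has been cleaned up
# Globals: DIR OUT_FILE PKTGEN_FOLDER (read); leaves the cwd in PKTGEN_FOLDER
#          (the caller returns to DIR at the end of each iteration)
# Returns: 1 if PKTGEN_FOLDER cannot be entered (pktgen is then not started)
# NOTE(review): ruleset-size.lua and pcn-iptables-forward.csv are not in the
# visible tree; the Lua script presumably writes the CSV into PKTGEN_FOLDER —
# confirm.
#######################################
run_single_core_phase() {
  local size=$1 simple_test=$2 label=$3 settle=$4
  local result_file="$DIR/$OUT_FILE-$size.txt"

  setup_environment "$size"
  set_irq_affinity "1" # Only core 1 is used

  sleep 5
  generate_pktgen_config_file "$simple_test"

  cd "$PKTGEN_FOLDER" || { echo "cannot cd to $PKTGEN_FOLDER" >&2; return 1; }
  # Re-pinned after the pause: config_dut_routing.sh was started detached in
  # setup_environment and may still be changing interface state — kept as in
  # the original sequence.
  set_irq_affinity "1" # Only core 1 is used
  sudo ./app/x86_64-native-linuxapp-gcc/pktgen -c ff -n 4 --proc-type auto --file-prefix pg -- -T -P -m "[1:2/3/4/5].0, [6/7].1" -f "$DIR/ruleset-size.lua"
  sleep 5

  {
    printf '\n%s\n' "$label"
    cat "pcn-iptables-forward.csv"
  } >> "$result_file"

  cleanup_environment
  sleep "$settle"
}

for size in "${ruleset_values[@]}"; do
  set +e

  generate_test_configuration "$size"

  set -e
  # cleanup() itself runs `set +e`, so errexit is off again from here on;
  # failures below must be checked explicitly.
  cleanup

  result_file="$DIR/$OUT_FILE-$size.txt"

  # Header: backend version. IPTABLES and polycubed are expected to get their
  # defaults before line 28 (outside this view); an unset IPTABLES falls
  # through to the nft branch, as before.
  case "${IPTABLES:-}" in
    pcn-iptables)
      ssh polycube@"$REMOTE_DUT" "$polycubed --version" > "$result_file"
      ;;
    iptables)
      ssh polycube@"$REMOTE_DUT" "sudo iptables --version" > "$result_file"
      ;;
    *)
      ssh polycube@"$REMOTE_DUT" "sudo nft --version" > "$result_file"
      ;;
  esac

  {
    echo "Processing size: $size"
    ssh polycube@"$REMOTE_DUT" "uname -r"
    echo ""
  } >> "$result_file"

  #####################################################
  # Execute now a single core test with binary search #
  #####################################################
  # Overrides the top-of-file START_RATE for every iteration; it feeds
  # startRate in config.lua.
  START_RATE=5.0
  if ! run_single_core_phase "$size" 0 "Single core binary search" 5; then
    echo "binary-search phase failed for size $size" >&2
  fi

  ###################################################
  # Execute now a simple test without binary search #
  ###################################################
  if ! run_single_core_phase "$size" 1 "Single core" 30; then
    echo "simple phase failed for size $size" >&2
  fi

  cd "$DIR"
done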
362 |
# Leave the DUT with a freshly restarted docker daemon, then finish.
ssh polycube@"$REMOTE_DUT" "sudo service docker restart"

exit 0
366 |
--------------------------------------------------------------------------------