I’ve added a new feature that I would like to share.
The pf_ring feature allows sampling of packets that belong to a sw
filtered session.
In other words, if a sw filter is applied, you will be able to not block
100% of the packets (until the filtering rule is removed). Some packets will
be allowed to “pass” the filter.
The use case is keeping the advantage of improved performance by filtering
most (e.g. 90%) of the traffic, while being able to get some (e.g. 10%) of
the traffic for analysis purposes. This will allow the application not to be
100% blind.
This feature is not good for applications that are sensitive to
out-of-sequence packets.
Technical code details:
1. New pf_ring param “filtering_sampling_segment_size”, set to 100
by default.
2. New pf_ring userspace API
int pfring_set_sw_filtering_sampling_rate(pfring *ring, u_int32_t rate /* 0 = no sampling */)
was added.
This API should be used right after adding a new SW hash filtering rule,
with a “rate” parameter.
A rate=10 means that the first 10 packets of every segment of 100 filtered
packets of the session will be forwarded.
If the API is not called, then the default rate=0 applies, so there is no
change in the current behavior (i.e. 100% of the packets are filtered, since
0 filtered packets are forwarded).
3. I’ve had to add a new member variable, ‘sw_filtering_hash_filtered’, to
struct pf_ring_socket that counts the actually filtered packets.
The current ‘sw_filtering_hash_match’ is not good enough anymore for this
purpose, since it counts the matches before excluding the forwarded packets,
but it is of great help in calculating the sampled filtered packets.
Technical build/test details:
1. Functionality was tested based on pf_ring version 6.6.0 (on CentOS 7).
2. The attached patch was created based on the latest pf_ring code-base
(Sep-7, 2017) and was tested for compilation only, not functionality.
If this feature ever makes it into the main code, it would be great.
Any comments are welcome.
Amir
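A userspace model of the sampling semantics described in the post above, added here as an illustration; it is not the attached patch and not PF_RING's own code. The field names sw_filtering_hash_match and sw_filtering_hash_filtered and the default segment size of 100 are taken from the post; the function names sampling_init, sampling_set_rate, sampling_decide and sampling_run, the rejection of a rate larger than the segment size, and the "longest run of dropped packets" measure (to make the out-of-sequence caveat concrete) are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example: a stand-alone model of per-session sampling of sw-filtered
 * packets as described in the post. Not the PF_RING patch; field names follow
 * the post, everything else is an assumption for illustration. */

#define FILTERING_SAMPLING_SEGMENT_SIZE 100 /* post's default module param */

struct sampling_state {
    uint32_t segment_size;               /* filtering_sampling_segment_size */
    uint32_t rate;                       /* 0 = no sampling: every match is filtered */
    uint64_t sw_filtering_hash_match;    /* existing counter: every packet matching the rule */
    uint64_t sw_filtering_hash_filtered; /* new counter: packets actually dropped */
};

void sampling_init(struct sampling_state *s, uint32_t segment_size) {
    s->segment_size = segment_size;
    s->rate = 0;
    s->sw_filtering_hash_match = 0;
    s->sw_filtering_hash_filtered = 0;
}

/* Model of pfring_set_sw_filtering_sampling_rate(). Assumption (not in the
 * post): a rate larger than the segment size would forward everything and
 * silently disable the filter, so reject it with -1. */
int sampling_set_rate(struct sampling_state *s, uint32_t rate) {
    if (s->segment_size == 0 || rate > s->segment_size)
        return -1;
    s->rate = rate;
    return 0;
}

/* Decide one packet that matched the sw filtering rule.
 * Returns 1 = forwarded to the ring (sampled), 0 = filtered (dropped). */
int sampling_decide(struct sampling_state *s) {
    /* 0-based position of this match inside the current segment */
    uint64_t pos = s->sw_filtering_hash_match % s->segment_size;
    s->sw_filtering_hash_match++;          /* counted before the sampling exclusion */
    if (s->rate != 0 && pos < s->rate)
        return 1;                          /* first `rate` packets of each segment pass */
    s->sw_filtering_hash_filtered++;       /* the rest are dropped, as before the patch */
    return 0;
}

/* Feed n matching packets of one session through the filter. Returns the
 * number forwarded (UINT64_MAX on an invalid rate) and reports how many were
 * filtered plus the longest run of consecutive dropped packets, i.e. the
 * largest hole a consumer sensitive to sequence gaps would see. */
uint64_t sampling_run(uint32_t rate, uint64_t n,
                      uint64_t *filtered, uint64_t *max_drop_run) {
    struct sampling_state s;
    uint64_t forwarded = 0, run = 0, worst = 0;

    sampling_init(&s, FILTERING_SAMPLING_SEGMENT_SIZE);
    if (sampling_set_rate(&s, rate) != 0)
        return UINT64_MAX;

    for (uint64_t i = 0; i < n; i++) {
        if (sampling_decide(&s)) {
            forwarded++;
            if (run > worst) worst = run;
            run = 0;
        } else {
            run++;
        }
    }
    if (run > worst) worst = run;          /* trailing run at end of the session */

    if (filtered) *filtered = s.sw_filtering_hash_filtered;
    if (max_drop_run) *max_drop_run = worst;
    return forwarded;
}

int main(void) {
    uint64_t filtered, gap;
    uint64_t fwd = sampling_run(10, 300, &filtered, &gap);
    printf("rate=10: forwarded=%llu filtered=%llu longest drop run=%llu\n",
           (unsigned long long)fwd, (unsigned long long)filtered,
           (unsigned long long)gap);
    fwd = sampling_run(0, 300, &filtered, &gap);
    printf("rate=0:  forwarded=%llu filtered=%llu longest drop run=%llu\n",
           (unsigned long long)fwd, (unsigned long long)filtered,
           (unsigned long long)gap);
    return 0;
}
```

With rate=10 and the default segment of 100, a 300-packet session yields 30 forwarded and 270 filtered packets, and the consumer sees holes of 90 consecutive missing packets between samples; with rate=0 the behaviour is unchanged from today (everything matched is filtered). Note that sw_filtering_hash_match keeps counting every match, so filtered = match - forwarded, which is the relationship the post relies on for the new counter.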