Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. NTop>
  3. Misc
Clarification regarding pf_ring filtering using software hash filtering rule and the purge-idle feature
akaduri75 at gmail
Sep 12, 2017, 10:34 AM
Post #1 of 3 (600 views)
Permalink
Hi,



I would like to clarify a point regarding sw hash filtering rules and the
purge idle feature:

In my application, I’m using sw hash filtering rules to block sessions. For
that purpose, I’m using the API pfring_handle_hash_filtering_rule() to add
and remove rules.

When adding a rule with an ID of a rule that that has been already added,
this “add rule” action fails. This means that the application’s
responsibility to manage the rule IDs.

In other words, the application’s responsibility to know which IDs are in
use and which are not, if it wants to avoid trial-and-error every time a
rule should be added.

On the other hand, there is the API pfring_purge_idle_hash_rules() that can
assist in removing (purging) hash filtering rules that are inactive for a
while, automatically.

So the situation is that pf_ring purges a filtering rule, and the
application is not aware of it.


For this reason:
1. The application continues to keep the relevant rule-id, assuming
it’s still active.
2. The application avoids using this rule-id for filtering other
sessions, since it assumes it’s still occupied.
3. If the session suddenly revives after the purge period arrives,
the application is confused since it’s not clear to it how come packets are
forwarded while there is an active rule.

The above happens since there is no notification mechanism to the userspace
application, that a rule has been purged (removed).


Is the description correct or maybe I miss something critical in the APIs
usage?



Thanks,

Amir
Re: Clarification regarding pf_ring filtering using software hash filtering rule and the purge-idle feature [ In reply to ]
akaduri75 at gmail
Sep 13, 2017, 11:07 PM
Post #2 of 3 (597 views)
Permalink
Another question related to the same issue:

I wonder why the design is that the application responsible for
managing/allocating the rule_id, and not the infrastructure.
I would expect the API just to ask to add a rule, and the infrastructure
will return 2 parameters:
1. Success/Failure
2. The allocated rule_id in case of success (that will be used for removing
the rule)

Thanks

On Tue, Sep 12, 2017 at 8:34 PM, Amir Kaduri <akaduri75@gmail.com> wrote:

> Hi,
>
>
>
> I would like to clarify a point regarding sw hash filtering rules and the
> purge idle feature:
>
> In my application, I’m using sw hash filtering rules to block sessions.
> For that purpose, I’m using the API pfring_handle_hash_filtering_rule()
> to add and remove rules.
>
> When adding a rule with an ID of a rule that that has been already added,
> this “add rule” action fails. This means that the application’s
> responsibility to manage the rule IDs.
>
> In other words, the application’s responsibility to know which IDs are in
> use and which are not, if it wants to avoid trial-and-error every time a
> rule should be added.
>
> On the other hand, there is the API pfring_purge_idle_hash_rules() that
> can assist in removing (purging) hash filtering rules that are inactive for
> a while, automatically.
>
> So the situation is that pf_ring purges a filtering rule, and the
> application is not aware of it.
>
>
> For this reason:
> 1. The application continues to keep the relevant rule-id, assuming
> it’s still active.
> 2. The application avoids using this rule-id for filtering other
> sessions, since it assumes it’s still occupied.
> 3. If the session suddenly revives after the purge period arrives,
> the application is confused since it’s not clear to it how come packets are
> forwarded while there is an active rule.
>
> The above happens since there is no notification mechanism to the
> userspace application, that a rule has been purged (removed).
>
>
> Is the description correct or maybe I miss something critical in the APIs
> usage?
>
>
>
> Thanks,
>
> Amir
>
Re: Clarification regarding pf_ring filtering using software hash filtering rule and the purge-idle feature [ In reply to ]
akaduri75 at gmail
Sep 19, 2017, 4:42 AM
Post #3 of 3 (587 views)
Permalink
Following further investigation of the subject, I guess that I found a bug
and attached a patch with a suggested fix.



Following the problematic design I've described in this thread, at least
for my application purposes, I’ve decided to improve one of the APIs to
return the inactivity time of a specified sw hash filtering rule.

That is, enhance the API pfring_get_hash_filtering_rule_stats() to return
this data as well. That way the userland API will have the chance to know
for how long a specified hash rule is idle.

During my implementation, I’m pretty sure that I found a bug in the way the
timings are updated. This makes me assume that the
pfring_purge_idle_hash_rules() API doesn’t work well (but didn’t test it).


Anyway, attached a patch, based on pfring 6.6.0, that includes both the
fix and the enhancement for pfring_get_hash_filtering_rule_stats().

Since both of them are very short, I included them in the same patch file,
rather than splitting them into 2 separate patches (fix and enhancement).



Thanks,

Amir

On Thu, Sep 14, 2017 at 9:07 AM, Amir Kaduri <akaduri75@gmail.com> wrote:

> Another question related to the same issue:
>
> I wonder why the design is that the application responsible for
> managing/allocating the rule_id, and not the infrastructure.
> I would expect the API just to ask to add a rule, and the infrastructure
> will return 2 parameters:
> 1. Success/Failure
> 2. The allocated rule_id in case of success (that will be used for
> removing the rule)
>
> Thanks
>
> On Tue, Sep 12, 2017 at 8:34 PM, Amir Kaduri <akaduri75@gmail.com> wrote:
>
>> Hi,
>>
>>
>>
>> I would like to clarify a point regarding sw hash filtering rules and the
>> purge idle feature:
>>
>> In my application, I’m using sw hash filtering rules to block sessions.
>> For that purpose, I’m using the API pfring_handle_hash_filtering_rule()
>> to add and remove rules.
>>
>> When adding a rule with an ID of a rule that that has been already added,
>> this “add rule” action fails. This means that the application’s
>> responsibility to manage the rule IDs.
>>
>> In other words, the application’s responsibility to know which IDs are in
>> use and which are not, if it wants to avoid trial-and-error every time a
>> rule should be added.
>>
>> On the other hand, there is the API pfring_purge_idle_hash_rules() that
>> can assist in removing (purging) hash filtering rules that are inactive for
>> a while, automatically.
>>
>> So the situation is that pf_ring purges a filtering rule, and the
>> application is not aware of it.
>>
>>
>> For this reason:
>> 1. The application continues to keep the relevant rule-id,
>> assuming it’s still active.
>> 2. The application avoids using this rule-id for filtering other
>> sessions, since it assumes it’s still occupied.
>> 3. If the session suddenly revives after the purge period arrives,
>> the application is confused since it’s not clear to it how come packets are
>> forwarded while there is an active rule.
>>
>> The above happens since there is no notification mechanism to the
>> userspace application, that a rule has been purged (removed).
>>
>>
>> Is the description correct or maybe I miss something critical in the APIs
>> usage?
>>
>>
>>
>> Thanks,
>>
>> Amir
>>
>
>

Attached Files:

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal