The ONL NPR Tutorial

NPR Tutorial >> Filters, Queues and Bandwidth

TOC

Basic Packet Filtering

Advanced routers use packet classification to identify incoming packets that should be blocked or should be given special treatement. For example, a choke router might drop all Telnet (TCP protocol, destination port 23) packets going to certain subnets for security reasons. Packet classification generalizes the packet matching found in routing tables by inspecting fields other than a packet's destination IP address. An NPR filter table is a set of rules where each rule indicates the action for matching packets.

The PLC (Parse, Lookup and Classify) block of an NPR searches both a filter table and a route table in parallel. The filter table contains packet forwarding rules that extend the rules in a route table. In the simplest case, the NPR selects the highest-priority, matching entry found in the route table and filter table.

In the approach described here, we assume that the filter table contains only simple primary filters. Packet filter rules allow you to not only direct a packet to one of 64 datagram output queues managed by a Queue Manager but also to drop the packet or forward the packet to other NPR components (e.g., plugin microengine) and reserved flow queues. (In a more sophisticated approach described elsewhere, you can use a filter table to duplicate a packet by installing either a filter with the multicast feature or an auxilliary filters).

This page describes how to use simple features of primary filters, and how to modify filters. An example based on some of the concepts discussed on this page is given in NPR Tutorial => Examples => Filters, Queues and Bandwidth. The sections in this page are:

• The NPR Filter Table
• Installing a Simple Primary Filter
• The Filter Table Edit Menu
• Testing a Filter

Conceptually, each port of an NPR has a filter table in which each entry has 14 fields. These fields fall into one of three groups:

• Filter Key: Used to determine whether a packet matches the entry.
• Action: Indicates what to do with a packet (drop the packet or send it to the Queue Manager or plugin microengine).
• Control: Indicates the priority of the entry.

Unlike a route table entry that allows you to match only on a portion of the the destination IP address in the IP header, a filter extends the match over multiple fields. These comparison fields are located in the IP and transport layer (TCP, UDP) headers. The five most basic key fields are:

• The destination address/mask is matched against a packet's destination IP address and has the same form as the prefix/mask field in a route table entry (i.e., a subnet address in CIDR format using dotted decimal notation).
• The source address/mask is matched against a packet's source IP address and has the CIDR subnet format.
• The source port is matched against the source transport layer port number.
• The destination port is matched against the destination transport layer port number.
• The protocol is matched against the protocol field in the IP header.

Every filter has a non-negative, integer priority between 0 and 63 that is used to select between the best matching route entry and the best matching primary filter. 0 is considered to be the highest priority and 63 the lowest. Recall that when multiple route entries match a route table, the one with the longest prefix is selected. But when multiple filters match a filter table with only primary filters, the one with the highest priority (lowest priority number) is chosen. PLC chooses the highest priority entry from a search of both the route table and the primary filters in the filter table. Another difference between a route table and a filter table is that all entries in a route table have the same priority (60 by default); but each entry in a filter table has its own priority (50 by default).

The action fields indicate what to do with a matching packet. A simple filter allows you to drop a matching packet or forward it to a scheduling queue at an output port. Complex filters (discussed elsewhere) allow you to send a packet to a plugin microengine, or to generate duplicate packets (e.g., multicast) for forwarding to multiple outputs.

There are 8,192 packet scheduling queues at each of the NPR's five output ports. Each output port has a packet scheduler (PS) that orders packets based on a weighted deficit round-robin (WDRR) algorithm. Each queue has a Queue ID (QID) numbered from 0 to 8191. QIDs 0-63 are for datagram queues, and QIDs 64-8191 are for reserved queues. If only route tables are used, the NPR forwards packets to a datagram queue which is determined by the hash algorithm described in Filters,_Queues_and_Bandwidth => Mapping Flows to Queues . But a primary filter allows you to forward the packet to any one of 40,960 queues (5 ports x 8,192 queues/port).

Here is how you install a simple primary filter:

• RLI Window: Select the NPR port where you want to install the filter.

An empty filter table will appear.

• Filter Table: Select Edit => Add Filter

A filter window will appear.

• Filter Window: Modify the entries in the filter dialogue window, and select the Add button at the bottom of the window.

The filter will appear in the Filter Table window.

The figure below shows that we have changed some fields from their default values so that the filter will match UDP packets coming from any IP address (0.0.0.0/0) and port number (*) and going to any port at any host in the 192.168.2.0/24 subnet. In this case, all packets destined for NPR 2 will match this key. A matching packet will be sent to queue 64 at output port 4. And the priority of the filter is 50 making it higher priority than the default priority of 60 for route tables.

Key Fields

The basic key fields in a simple primary filter are matched against the classic 5-tuple found in a packet's IP header and transport layer (TCP, UDP) header: destination IP address, destination port, source IP address, source port, and protocol. As noted earlier, you use the same a.b.c.d/x dotted decimal CIDR notation as was used for route tables to specify a filter's destination address/mask. By default, the filter starts with the value 0.0.0.0/0 which will match any IP address. Similarly, a filter's source address/mask is matched against a packet's source IP address.

You can enter a source port number, or you can select the asterisk (*) if you want to match any source port. You can also specify a destination port number in a similar manner. Both TCP and UDP use 16-bit port numbers to identify applications or services (e.g., 80 for Web server, 22 for SSH login). Clients connecting to applications/services typically use ephemeral (short-lived) port numbers that are assigned by the client's operating system.

The protocol field menu allows you to select one of three protocols (tcp, udp, icpmp) or asterisk (*) if you don't care about the packet's protocol field or you can enter a protocol number (e.g., 2 for IGMP, 46 for RSVP).

Action Fields

The simplest packet action is to drop a matching packet by selecting the drop box. But more typically, you will want to forward a packet to one of the packet scheduling queues:

• Enter a number between 0 and 4 in the output ports box;
• Enter a number between 0 and 8191 in the qid field (see note below about port 0); and
• Accept the default value of port only in the port/plugin selection box.

Note (port 0): A value of 0 in the qid field has special meaning: it means that you want the RLI to compute the datagram QID based on the NPR's stochastic fair queueing hash algorithm to be described later.

Recall that packets are directed to queues 0-63 (datagram queues) by matches using the route table. Although you can use a filter to direct packets to datagram queues 1-63, you usually use a filter to direct packets to a queue numbered between 64 and 8191.

Control Fields

The priority box was described earlier.

The Filter Table Window

After adding the filter to the filter table, the Filter Table window (above) shows a compact form of the filter we just added. The fields that we modified are shown enclosed in red boxes. There are three fields that were not shown in the Add Filter window:

• type:

  All filters are primary unicast filters unless you select the aux checkbox or the multicast checkbox (described elsewhere) in the Add Filter dialogue window.

• stats:

  This field is the stats index for this filter and can be used to monitor the associated byte and packet counters in the same manner as described in The Remote Laboratory Interface => Basic Monitoring.

• on:

  Each new filter is shown with an on checkbox to the far right that is checked by default. You can disable the filter by unchecking this box and committing. In reality, the RLI deletes the filter from the actual filter table and reinstalls the filter when you check the box and commit again. This feature is usually used as a convenience to avoid having to delete a filter and then reenter it at a later time during debugging.

A Filter Table Window has four menu items:

• Add Filter
• Edit Filter
• Stop/Start Stats
• Delete Filter

The Stop/Start Stats menu item is a feature of our NSP (Network Service Platform) routers and has no meaning in the NPR.

You can verify that a filter is being selected by monitoring the stats counter associated with the filter. In our example above, the filter was assigned stats counter 31 which can be monitored in the same way that we monitored the matching of a route table entry in The Remote Laboratory Interface => Basic Monitoring.

Here is a simple experiment to test the above filter:

• Build the dumbbell topology with default routing tables at all input ports.
• Install the above filter at port 1.3.

  The filter should put packets headed for NPR 2 into queue 64 at output port 4.

• Create a monitoring display to show the packet counts associated with the route table entry and the filter that matches ping packets from n1p3 to any host attached to NPR 2.

  Recall that a stats counter can be monitored by selecting the center of the NPR icon and selecting Monitoring => ReadRegisterPacket. This will open a dialogue box that will allow you to enter the stats index (e.g., 31).

• Send a continous stream of ping packets from n1p3 to n2p2.
• While the packets are flowing from n1p3 to n2p2, repeatedly toggle the filter on and off by entering:
  • Select on
  • Select File => Commit

Recap

• Simple Packet Filtering:
  An NPR searches a filter table and a route table in parallel and selects the highest-priority (0-63), matching entry. A filter rule allows you to not only forward a packet to an output port but also to drop the packet, forward the packet to a plugin or to a specific queue in the Queue Manager.
• Filter Fields:
  Each filter has three types of fields:
  • The filter key specifies the conditions for a packet match.
  • The action field(s) indicates what to do with a matching packet: drop it or where to send the packet (ME block).
  • The control field indicates the priority of the filter.
• Priority:
  When multiple filters match a filter table with only primary filters, the one with the highest priority (lowest priority number) is chosen. Since there can be a best match in both the route table and the filter table, PLC chooses the highest priority one to determine the action for a matching packet.
• Packet Action:
  A simple filter allows you to drop a matching packet or forward it it to a scheduling queue at an output port. Complex filters (discussed elsewhere) allow you to send a packet to a plugin microengine, or to generate duplicate packets (e.g., multicast) for forwarding to multiple outputs. By default, packets are placed in one of the 64 datagram queues numbered from 0 to 63 using a stochastic fair queueing hash function. But you can forward a packet to any of the 8,192 queues located at each of five output ports using a filter.
• Disabling a Filter:
  You can disable a filter by unchecking its on checkbox and selecting File => Commit. By default, all filters are initially enabled.

NPR Tutorial >> Filters, Queues and Bandwidth	TOC