DPI Sample Applications

DOCA provides a DPI engine that leverages several individual components to provide a framework for examining the full content of data packets. Two sample DPI applications with their source code are included with Bluefield DOCA software:

  • Application Recognition
  • URL filtering

The files for these applications are found in /opt/mellanox/doca/examples

I tried to run and test the URL filtering application. I am so sorry to say this, but the information found in the DOCA SDK documentation is kinda useless as it is.
Can someone clarify these important aspects I tried to summarize below?
It’s a bit long, but I wanted to include everything that others might ask later.

  1. Still, there is no information available on what the DPDK EAL options are. I could figure out that representor has something to do with VF-PF mapping, which helps us not bother ourselves with manually setting them up. However, I am not sure about this and if I don’t set that EAL argument, the URL filter app does not start and says
Cause: Application does not support more than 2 ports

Very “meaningful” error.

Furthermore, class=regex:eth is also not clear. The DPDK documentation says it is used to access the DPI engine (i.e., the RegEx HW accelerator on the Bluefield). It is okay then, but is there any meaning behind regex:? Is eth just for ETHERNET, or does it try to identify an interface ID?

sft_en=0 - I have not found any information about this at all.

Besides the EAL options, using the app is also not straightforward. There is no pattern to follow for how URLs should be defined. I found out by having a quick look at the source code that it uses Suricata… so it creates Suricata definitions from the CLI commands.

  2. So, would this filter also work on different layers? Or at least, could we define filtering rules for specific IPs not for the whole HOST_NET?

3.1. How to test the application? There is no information about what the “testing” environment should look like.
3.2. On what interface should we send out the HTTP queries (for instance, by using Scapy for brevity) to check the output of the URL filter?
3.3. The URL filters should not be quit, right? The output should be seen on its CLI?
3.4. It is also not clear from which part of the system we should send the testing packets. Do they come from the Host? If yes, then there is no information about which mode the SmartNIC should be in: SEPARATED_HOST or EMBEDDED_CPU? I guess the latter, but still, then what application will connect the HOST’s logical interfaces to the Bluefield’s physical interfaces, i.e., the interfaces seen as ens5f0 (for instance in my case), connected through the pf0hpf logical interface and the p0 physical interface on the Bluefield? Should there be an OvS running? If yes, again, can we run two DPDK applications on the same port? URL filter already consumes all the CPU cores by default… how will OvS run then?

I tried to filter on slashdot.org via this filter command:

filter http "asd" "www.slashdot.org"

It was eaten by the app, but then I did not know how to proceed. My Bluefield ports are, of course, not the internet-facing ports in my experiment, so I tried sending Scapy-crafted packets on the physical ports, both from the host and from the Bluefield. In particular, from the Host’s ens5f0, and from the Bluefield’s pf0hpf and p0. Scapy said the packet was sent, but no message was observed in the URL filter app.

Thanks, and sorry for the avalanche of questions :)

Okay, it seems that after gaining access to all materials, the answers to some of the questions above can be found in the DOCA SDK documentation, just not necessarily in the particular applications’ descriptions (like in the case of URL Filter) but in the programming and DPI/RegEx applications’ documentation. It would be nice to have cross-references :)

Create DPI rules for the URL filter app: DPI Compiler :: NVIDIA DOCA SDK Documentation

Regarding the EAL flags, there is a note here: Application Recognition :: NVIDIA DOCA SDK Documentation

About representors: vSwitch and Representors Model :: NVIDIA DOCA SDK Documentation

Thanks