diff --git a/tools/check-path.sh b/tools/check-path.sh
index e3116b365ac0b80ba55be01865b3e8c1f727848d..04207d68a8b73617349d08c68d38b4a194764107 100755
--- a/tools/check-path.sh
+++ b/tools/check-path.sh
@@ -50,3 +50,16 @@ check_ldp()
 echo "Found libvcl_ldpreload.so at: ${LDP_PATH}"
 }
+
+check_vpp_daq()
+{
+ echo "Checking VPP DAQ binary path..."
+ DAQ_PATH="${DATAPLANE_TOP}/components/vpp/build-root/install-vpp-native/vpp/lib/aarch64-linux-gnu/daq"
+ if ! [[ -e ${DAQ_PATH} ]]; then
+ echo
+ echo "Can't find vppdaq binary at: ${DAQ_PATH}"
+ echo
+ exit 1
+ fi
+ echo "Found VPP DAQ binary at: ${DAQ_PATH}"
+}
diff --git a/usecase/vpp_snort/run_snort_ngfw.sh b/usecase/vpp_snort/run_snort_ngfw.sh
new file mode 100755
index 0000000000000000000000000000000000000000..8e890ee6db5d478ba3c01d3c5f1e2bf7a9e9027e
--- /dev/null
+++ b/usecase/vpp_snort/run_snort_ngfw.sh
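Review bot: The existence test in check_vpp_daq, `if ! [[ -e ${DAQ_PATH} ]]; then`, accepts any file type, although run_snort_ngfw.sh hands this path to snort as `--daq-dir` and the messages call it a binary. Testing `[[ -d "${DAQ_PATH}" ]]` and wording the messages as "VPP DAQ module directory" would make the check match how the value is used. The path also hard-codes `aarch64-linux-gnu`, so the check fails on any other build target; a one-line comment such as `# DAQ modules are only built for the aarch64 native target` would record that this is intentional.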
@@ -0,0 +1,160 @@
+#!/usr/bin/env bash
+
+# Copyright (c) 2024, Arm Limited.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+set -e
+
+export vppctl_binary
+export vpp_binary
+export DIR
+export DATAPLANE_TOP
+export MAIN_CORE
+export WORKER_CORE
+export PHY_IFACE
+export PCIe_addr
+export DAQ_PATH
+export lua_file
+
+DIR=$(cd "$(dirname "$0")" || exit 1 ;pwd)
+DATAPLANE_TOP=${DIR}/../..
+. "${DATAPLANE_TOP}"/tools/check-path.sh
+
+help_func()
+{
+ echo "Usage: ./run_snort_ngfw.sh OPTS [ARGS]"
+ echo "where OPTS := -s number of Snort Instances"
+ echo " := -l Snort lua"
+ echo " := -h help"
+ echo " := \"-s\" number of Snort instances that needs to be created"
+ echo " and assign the VPP interfaces to it"
+ echo " Example: -s "
+ echo " := \"-l\" lua rules file for configuring Snort"
+ echo " supported lua: "
+ echo " maximum --> for maximum-detection.lua"
+ echo " security --> for security-over-connectivity.lua"
+ echo " connectivity --> for connectivity-over-security.lua"
+ echo " Example: -l maximum"
+ echo " Example:"
+ echo " ./run_snort_ngfw.sh -s 36 -l maximum"
+ echo
+}
+
+
+err_cleanup()
+{
+ echo "SNORT setup error, cleaning up..."
+ snort_ngfw_pid=$(cat "${snort_ngfw_pidfile}")
+ sudo kill -9 "${snort_ngfw_pid}"
+ sudo rm "${snort_ngfw_pidfile}"
+ exit 1
+}
+
+
+vppctl_snort_config()
+{
+ echo "Configuring snort instance for both interfaces - eth0: ${PCIe_addr[0]}, eth1: ${PCIe_addr[1]}"
+ for i in $(seq $SNORT_NUM); do
+ sudo "${vppctl_binary}" -s "${sockfile}" snort create-instance name snort$i queue-size 8192
+ sudo "${vppctl_binary}" -s "${sockfile}" snort attach instance snort$i interface eth0
+ sudo "${vppctl_binary}" -s "${sockfile}" snort attach instance snort$i interface eth1
+ echo "Created Snort$i and assigned to both interfaces"
+ done
+}
+
+
+create_lua()
+{
+ echo "Creating lua files"
+ for i in $(seq $SNORT_NUM); do
+ sudo cp $lua_file.lua "$lua_file"_$i.lua
+ done
+}
+
+
+starting_snort()
+{
+ # Starting Snort Instances in Linux Command line.....
+ for i in $(seq $SNORT_NUM); do
+ sudo snort --c "$lua_file"_$i.lua --lua detection.allow_missing_so_rules=true --snaplen 0 --plugin-path ${DATAPLANE_TOP}/components/snort/lightspd/modules/3.1.44.0/ftd-aarch64/ --daq-dir=${DAQ_PATH} --daq vpp --daq-var debug -i snort$i -k none -Q --warn-conf-strict > output$i.log 2>&1 &
+ done
+ LOG=$(sudo "${vppctl_binary}" -s "${sockfile}" show snort clients)
+ if [[ "${LOG}" == *$SNORT_NUM* ]]; then
+ echo "Successfully created and started Snort instances"
+ else
+ echo "Failed to start snort instance"
+ err_cleanup
+ fi
+}
+
+
+options=(-o "hs:l:")
+opts=$(getopt "${options[@]}" -- "$@")
+eval set -- "$opts"
+
+while true; do
+ case "$1" in
+ -h)
+ help_func
+ exit 0
+ ;;
+ -s)
+ if !
[[ "$2" =~ ^[0-9]{1,3}$ ]]; then
+ echo "error: \"-s\" requires number of snort instances that needs to be configured"
+ help_func
+ exit 1
+ fi
+ SNORT_NUM=$(echo "$2" | cut -d "," -f 1)
+ if [[ -z "$SNORT_NUM" ]]; then
+ echo "error: \"-s\" option bad usage"
+ help_func
+ exit 1
+ fi
+ shift 2
+ ;;
+ -l)
+ case $2 in
+ maximum)
+ echo "Maximum_detection.lua will be used for configuring SNORT"
+ lua_file=${DATAPLANE_TOP}/components/snort/lightspd/policies/3.1.0.0-0/maximum-detection
+ ;;
+ security)
+ echo "Security_over_connectivity.lua will be used for configuring SNORT"
+ lua_file=${DATAPLANE_TOP}/components/snort/lightspd/policies/3.1.0.0-0/security-over-connectivity
+ ;;
+ connectivity)
+ echo "connectivity-over-security.lua will be used for configuring SNORT"
+ lua_file=${DATAPLANE_TOP}/components/snort/lightspd/policies/3.1.0.0-0/connectivity-over-security
+ ;;
+ esac
+ shift 2
+ ;;
+ --)
+ shift
+ break
+ ;;
+ *)
+ echo "Invalid Option!!"
+ help_func
+ exit 1
+ ;;
+ esac
+done
+
+check_vpp
+check_vppctl
+check_vpp_daq
+
+sockfile="/run/vpp/cli_sw.sock"
+snort_ngfw_pidfile="/run/vpp/snort_ngfw.pid"
+
+echo
+create_lua
+echo
+vppctl_snort_config
+echo
+echo "----- Starting Snort Instances -------"
+starting_snort
+echo
+echo "Done!"
diff --git a/usecase/vpp_snort/run_trex_udp.sh b/usecase/vpp_snort/run_trex_udp.sh
new file mode 100755
index 0000000000000000000000000000000000000000..6bda2eaea268974bd2fcbd03f2f2f56d7e2bfe02
--- /dev/null
+++ b/usecase/vpp_snort/run_trex_udp.sh
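Review bot: Nothing after the option loop checks that `-s` and `-l` were actually given, and the inner `case $2 in` has no `*)` arm, so an unknown policy name is accepted silently. With `-s` missing, `$(seq $SNORT_NUM)` yields nothing, every loop body is skipped, and the test `[[ "${LOG}" == *$SNORT_NUM* ]]` in starting_snort becomes a match-anything pattern, so the script appears to print "Successfully created and started Snort instances" with no inspection process running. Adding `: "${SNORT_NUM:?-s is required}"` and `: "${lua_file:?-l is required}"` before `check_vpp`, plus `*) echo "error: unknown policy: $2"; help_func; exit 1 ;;` in the inner case, closes this. Even with a valid count the test is only a substring match on the command output, so it is a weak confirmation that every instance attached. run_trex_udp.sh and run_trex_yaml.sh have the same gap: without `-s` or `-p` their `sudo sed -i` edits write empty values and the `grep` that follows still matches.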
@@ -0,0 +1,136 @@
+#!/usr/bin/env bash
+
+# Copyright (c) 2024, Arm Limited.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+set -e
+
+export vppctl_binary
+export vpp_binary
+export DIR
+export DATAPLANE_TOP=${DIR}/../..
+export PCIe_addr
+
+DIR=$(cd "$(dirname "$0")" || exit 1;pwd)
+DATAPLANE_TOP=${DIR}/../..
+. "${DATAPLANE_TOP}"/tools/check-path.sh
+TREX_PATH=${DIR}/../../tools/traffic-gen/trex/scripts
+
+help_func()
+{
+ echo "Usage: ./run_trex_udp.sh OPTS [ARGS]"
+ echo "where OPTS := -c cpu core assignments"
+ echo " := -m multipier value"
+ echo " := -l number of latency threads "
+ echo " := -d duration os traffic run in secs"
+ echo " := -s UDP Packet size "
+ echo " := -h help"
+ echo " ARGS := \"-c\" number of CPU cores used for Trex Traffic run"
+ echo " Example: -c "
+ echo " ARGS := \"-m\" Multiplier value for Trex Traffic run"
+ echo " Multiplier is the traffic rate, TRex will multiply it with"
+ echo " CPS value to generate more traffic flows."
+ echo " Higher the "-m" value will trigger more traffic "
+ echo " Example: -m "
+ echo " ARGS := \"-l\" number of Latency threads for Trex Traffic run"
+ echo " Example: -l "
+ echo " ARGS := \"-d\" Duration of Trex Traffic run"
+ echo " Example: -d "
+ echo " ARGS := \"-s\" UDP packet size of Trex Traffic "
+ echo " Example: -s "
+ echo " Packet Sizes availabe - 64, 512, 1024, 1518, imix"
+ echo "Example:"
+ echo " ./run_trex_udp.sh -c 12 -m 3000 -l 2 -d 10 -s 1024"
+ echo
+}
+
+
+options=(-o "hc:m:l:d:s:")
+opts=$(getopt "${options[@]}" -- "$@")
+eval set -- "$opts"
+
+while true; do
+ case "$1" in
+ -h)
+ help_func
+ exit 0
+ ;;
+ -c)
+ if ! [[ "$2" =~ ^[0-9]{1,3}$ ]]; then
+ echo "error: \"-c\" requires no.of cpu cores to be used"
+ help_func
+ exit 1
+ fi
+ cores=$(echo "$2")
+ shift 2
+ ;;
+ -m)
+ if ! [[ "$2" =~ ^[0-9]{1,4}$ ]]; then
+ echo "error: \"-m\" requires proper multiciplity value to be used"
+ help_func
+ exit 1
+ fi
+ multiciplity=$(echo "$2")
+ shift 2
+ ;;
+ -l)
+ if !
[[ "$2" =~ ^[0-9]{1,2}$ ]]; then
+ echo "error: \"-l\" requires proper Latency thread value to be used"
+ help_func
+ exit 1
+ fi
+ latency_threads=$(echo "$2")
+ shift 2
+ ;;
+ -d)
+ if ! [[ "$2" =~ ^[0-9]{1,9}$ ]]; then
+ echo "error: \"-d\" requires proper duration in seconds to be used"
+ help_func
+ exit 1
+ fi
+ duration=$(echo "$2")
+ shift 2
+ ;;
+ -s)
+ if ! [[ "$2" =~ ^[0-9a-z]{1,4}$ ]]; then
+ echo "error: \"-s\" requires proper packet size to be used."
+ echo "Acceptable packet size - 64, 512, 1024, 1518, imix"
+ help_func
+ exit 1
+ fi
+ packet_size=$(echo "$2")
+ if [[ $packet_size != @(64|512|1024|1518|imix) ]]; then
+ echo "Requires a valid packet size"
+ help_func
+ exit 1
+ fi
+ shift 2
+ ;;
+ --)
+ shift
+ break
+ ;;
+ *)
+ echo "Invalid Option!!"
+ help_func
+ exit 1
+ ;;
+ esac
+done
+
+#Navigating to Trex repo. Path needs to be updated based on trex location
+cd $TREX_PATH
+sudo sed -i "s/pcap_yaml\/udp_.*/pcap_yaml\/udp_$packet_size.pcap/g" pcap_yaml/traffic_yaml.yaml
+
+if grep "pcap_yaml/udp_$packet_size" pcap_yaml/traffic_yaml.yaml; then
+ echo "Traffic yaml file is updated to use \"$packet_size\"B Size pcap"
+else
+ echo "Traffic yaml is not updated...! Please update manually"
+fi
+
+sudo ./t-rex-64 -f pcap_yaml/traffic_yaml.yaml -c "$cores" -l "$latency_threads" -m "$multiciplity" -d "$duration" --cfg pcap_yaml/trex_cfg.yaml
+
+echo ====Traffic Ran successfully====
+
+echo "Done!"
diff --git a/usecase/vpp_snort/run_trex_yaml.sh b/usecase/vpp_snort/run_trex_yaml.sh
new file mode 100755
index 0000000000000000000000000000000000000000..0ea5e01f63759963915c9466331eed60ef1568dd
--- /dev/null
+++ b/usecase/vpp_snort/run_trex_yaml.sh
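Review bot: The option arms assign with `cores=$(echo "$2")` (likewise `multiciplity`, `latency_threads`, `duration` and `packet_size`), which forks a subshell for a plain copy; `cores=$2` is equivalent here because each value has already been matched against a digits-only or allowlist pattern. `cd $TREX_PATH` further down is unquoted while the rest of the script quotes its expansions, and `cd "$TREX_PATH"` keeps a checkout path containing spaces working. The first `export DATAPLANE_TOP=${DIR}/../..` also runs before `DIR` is assigned, so it exports `/../..` until the later assignment overwrites it; a bare `export DATAPLANE_TOP`, as in the sibling scripts, avoids that.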
@@ -0,0 +1,82 @@
+#!/usr/bin/env bash
+
+# Copyright (c) 2024, Arm Limited.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+set -e
+
+export vppctl_binary
+export vpp_binary
+export DIR
+export DATAPLANE_TOP
+export PHY_IFACE
+export PCIe_addr
+
+DIR=$(cd "$(dirname "$0")" || exit 1;pwd)
+DATAPLANE_TOP=${DIR}/../..
+TREX_PATH=${DATAPLANE_TOP}/tools/traffic-gen/trex/scripts
+
+help_func()
+{
+ echo "Usage: ./run_trex_yaml.sh OPTS [ARGS]"
+ echo "where OPTS := -p PCI address of NIC"
+ echo " := -h help"
+ echo " ARGS := \"-p\" requires two physical NIC PCIe addresses, example: -p "
+ echo " using \"lshw -c net -businfo\" get physical NIC PCIe address"
+ echo "Example:"
+ echo " ./run_trex_yaml.sh -p 0000:17:00.0,0000:17:00.1"
+ echo
+}
+
+
+options=(-o "hp:")
+opts=$(getopt "${options[@]}" -- "$@")
+eval set -- "$opts"
+
+while true; do
+ case "$1" in
+ -h)
+ help_func
+ exit 0
+ ;;
+ -p)
+ PHY_IFACE="1"
+ PCIe_pattern='[0-9a-fA-F]{4}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}\.[0-9a-fA-F]'
+ if ! [[ "$2" =~ ^${PCIe_pattern},${PCIe_pattern}$ ]];then
+ echo "Incorrect PCIe addresses format: $2"
+ help_func
+ exit 1
+ fi
+ PCIe_addr[0]=$(echo "$2" | cut -d "," -f 1)
+ PCIe_addr[1]=$(echo "$2" | cut -d "," -f 2)
+ if [[ "${PCIe_addr[0]}" == "${PCIe_addr[1]}" ]]; then
+ echo "error: \"-p\" option bad usage"
+ help_func
+ exit 1
+ fi
+ shift 2
+ ;;
+ --)
+ shift
+ break
+ ;;
+ *)
+ echo "Invalid Option!!"
+ help_func
+ exit 1
+ ;;
+ esac
+done
+
+#Navigating to Trex repo. Path needs to be updated based on trex location
+cd $TREX_PATH
+sudo sed -i "s/interfaces.*/interfaces : [\"${PCIe_addr[0]}\",\"${PCIe_addr[1]}\"]/g" pcap_yaml/trex_cfg.yaml
+
+if grep "${PCIe_addr[0]}\",\"${PCIe_addr[1]}" pcap_yaml/trex_cfg.yaml; then
+ echo "TREX cfg yaml file is updated with PCI address"
+else
+ echo "Config yaml is not updated...! Please update manually"
+fi
+
+echo "Done!"
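Review bot: The substitution `s/interfaces.*/…/g` is unanchored, so `sudo sed -i` rewrites the tail of every line in pcap_yaml/trex_cfg.yaml that contains the word `interfaces`, including a comment or another key that merely mentions it. Anchoring to the key, for example `s/^\([[:space:]-]*\)interfaces[[:space:]]*:.*/\1interfaces : […]/`, limits the edit to the intended entry; the cfg layout is not visible here, so the prefix handling should be checked against the real file. The follow-up `grep` also treats the `.` in each PCI address as a wildcard and prints the matched line, and `grep -qF` would make it a literal, silent check.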
diff --git a/usecase/vpp_snort/run_vpp_ngfw.sh b/usecase/vpp_snort/run_vpp_ngfw.sh
new file mode 100755
index 0000000000000000000000000000000000000000..ff010306bdd8553beda9234d3a36d8bc0248b592
--- /dev/null
+++ b/usecase/vpp_snort/run_vpp_ngfw.sh
@@ -0,0 +1,163 @@
+#!/usr/bin/env bash
+
+# Copyright (c) 2024, Arm Limited.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+set -e
+
+export vppctl_binary
+export vpp_binary
+export DIR
+export DATAPLANE_TOP
+export MAIN_CORE
+export WORKER_CORE
+export PHY_IFACE
+export PCIe_addr
+
+DIR=$(cd "$(dirname "$0")" || exit 1 ;pwd)
+DATAPLANE_TOP=${DIR}/../..
+. "${DATAPLANE_TOP}"/tools/check-path.sh
+
+help_func()
+{
+ echo "Usage: ./run_vpp_ngfw.sh OPTS [ARGS]"
+ echo "where OPTS := -p Test via physical NIC"
+ echo " := -c cpu core list"
+ echo " := -h help"
+ echo " ARGS := \"-p\" requires two physical NIC PCIe addresses, example: -p "
+ echo " using \"lshw -c net -businfo\" get physical NIC PCIe address"
+ echo " := \"-c\" Assign VPP main thread to 1st core"
+ echo " in list and place worker threads on other listed cores."
+ echo " Cores are separated by commas, and worker cores can"
+ echo " include ranges."
+ echo " Example: -c "
+ echo " Example:"
+ echo " ./run_vpp_ngfw.sh -p 0000:01:00.0,0000:01:00.1 -c 1,3-4,6,8"
+ echo
+}
+
+err_cleanup()
+{
+ echo "VPP setup error, cleaning up..."
+ vpp_ngfw_pid=$(cat "${vpp_ngfw_pidfile}")
+ sudo kill -9 "${vpp_ngfw_pid}"
+ sudo rm "${vpp_ngfw_pidfile}"
+ exit 1
+}
+
+cal_cores()
+{
+ IFS=',' read -ra array <<< "$1"
+ count=0
+ for item in "${array[@]}"; do
+ if [[ $item == *-* ]]; then
+ start=${item%-*}
+ end=${item#*-}
+ count=$((count + end - start + 1))
+ else
+ count=$((count + 1))
+ fi
+ done
+ echo $count
+}
+
+vpp_config()
+{
+ echo "Configuring interfaces eth0: ${PCIe_addr[0]} and eth1: ${PCIe_addr[1]}"
+ sudo "${vppctl_binary}" -s "${sockfile}" set interface state eth0 up
+ sudo "${vppctl_binary}" -s "${sockfile}" set interface state eth1 up
+ sudo "${vppctl_binary}" -s "${sockfile}" set interface ip address eth0 10.10.1.1/24
+ sudo "${vppctl_binary}" -s "${sockfile}" set interface ip address eth1 10.10.2.1/24
+ sudo "${vppctl_binary}" -s "${sockfile}" ip route add 16.0.0.0/8 via 10.10.1.2
+ sudo "${vppctl_binary}" -s "${sockfile}" ip route add 48.0.0.0/8 via 10.10.2.2
+ LOG=$(sudo "${vppctl_binary}" -s "${sockfile}" show interface)
+ if [[ "${LOG}" == *eth0* && "${LOG}" == *eth1* ]]; then
+ echo "Successfully set up physical NIC interface!"
+ else
+ echo "Failed to set up physical NIC interface!"
+ err_cleanup
+ fi
+}
+
+options=(-o "hp:c:")
+opts=$(getopt "${options[@]}" -- "$@")
+eval set -- "$opts"
+
+while true; do
+ case "$1" in
+ -h)
+ help_func
+ exit 1
+ ;;
+ -p)
+ PHY_IFACE="1"
+ PCIe_pattern='[0-9a-fA-F]{4}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}\.[0-9a-fA-F]'
+ if ! [[ "$2" =~ ^${PCIe_pattern},${PCIe_pattern}$ ]];then
+ echo "Incorrect PCIe addresses format: $2"
+ help_func
+ exit 1
+ fi
+ PCIe_addr[0]=$(echo "$2" | cut -d "," -f 1)
+ PCIe_addr[1]=$(echo "$2" | cut -d "," -f 2)
+ if [[ "${PCIe_addr[0]}" == "${PCIe_addr[1]}" ]]; then
+ echo "error: \"-p\" option bad usage"
+ help_func
+ exit 1
+ fi
+ shift 2
+ ;;
+ -c)
+ if !
[[ "$2" =~ ^[0-9]{1,3}((,[0-9]{1,3})|(,[0-9]{1,3}-[0-9]{1,3}))+$ ]]; then
+ echo "error: \"-c\" requires correct isolated cpu core id"
+ help_func
+ exit 1
+ fi
+ MAIN_CORE=$(echo "$2" | cut -d "," -f 1)
+ WORKER_CORES=$(echo "$2" | cut -d "," -f 2-)
+ if [[ "${MAIN_CORE}" == "${WORKER_CORES}" ]]; then
+ echo "error: \"-c\" option bad usage"
+ help_func
+ exit 1
+ fi
+ queues_count=$(cal_cores "$WORKER_CORES")
+ shift 2
+ ;;
+ --)
+ shift
+ break
+ ;;
+ *)
+ echo "Invalid Option!!"
+ help_func
+ exit 1
+ ;;
+ esac
+done
+
+check_vpp
+check_vppctl
+
+sockfile="/run/vpp/cli_sw.sock"
+vpp_ngfw_pidfile="/run/vpp/vpp_ngfw.pid"
+
+if [ -n "$PHY_IFACE" ]; then
+ sudo "${vpp_binary}" unix "{ cli-listen ${sockfile} pidfile ${vpp_sw_pidfile} }" \
+ cpu "{ main-core ${MAIN_CORE} corelist-workers ${WORKER_CORES} }" \
+ dpdk "{ dev default {num-tx-queues ${queues_count} num-rx-queues ${queues_count} }
+ dev ${PCIe_addr[0]} { name eth0 } dev ${PCIe_addr[1]} { name eth1 } }"
+
+ echo "VPP starting up"
+ for _ in $(seq 10); do
+ echo -n "."
+ sleep 1
+ done
+ if ! [[ $(sudo "${vppctl_binary}" -s "${sockfile}" show threads) ]]; then
+ echo "VPP startup failed!"
+ exit 1
+ fi
+
+ echo "Setting physical NIC interfaces..."
+ vpp_config
+fi
+echo "Done!"
diff --git a/usecase/vpp_snort/stop.sh b/usecase/vpp_snort/stop.sh
new file mode 100755
index 0000000000000000000000000000000000000000..6c6b54bf1578cebe2c62e0fc91f1b18268a328cb
--- /dev/null
+++ b/usecase/vpp_snort/stop.sh
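Review bot: The VPP command line passes `pidfile ${vpp_sw_pidfile}`, a name that is never assigned in this script; the variable defined just above it is `vpp_ngfw_pidfile`. The expansion is therefore empty, so at best no pidfile is written at `/run/vpp/vpp_ngfw.pid`, and neither err_cleanup here nor stop.sh can find the root-owned VPP process they are meant to stop; in err_cleanup the `cat` fails first and `set -e` ends the script before `kill`. The line should read `sudo "${vpp_binary}" unix "{ cli-listen ${sockfile} pidfile ${vpp_ngfw_pidfile} }" \`. `/run/vpp/snort_ngfw.pid` in run_snort_ngfw.sh looks similar, since nothing visible in that script writes it.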
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+
+# Copyright (c) 2022-2024, Arm Limited.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+set -e
+
+echo "Stop VPP/Snort in DUT and removing the lua files created..."
+
+snort_ngfw_pidfile="/run/vpp/snort_ngfw.pid"
+vpp_ngfw_pidfile="/run/vpp/vpp_ngfw.pid"
+
+if [ -f "${vpp_ngfw_pidfile}" ];then
+ sudo kill -9 "$(cat "${vpp_ngfw_pidfile}")"
+ sudo rm "${vpp_ngfw_pidfile}"
+fi
+
+if [ -f "${snort_ngfw_pidfile}" ];then
+ sudo kill -9 "$(cat "${snort_ngfw_pidfile}")"
+ sudo rm "${snort_ngfw_pidfile}"
+fi
+
+# Deleting snort lua files
+sudo rm -r $lua_file_*
+echo "Done!"
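Review bot: In `sudo rm -r $lua_file_*` the shell reads the variable name as `lua_file_` (underscore is a valid name character), which is unset, so the word collapses to a bare `*` and the command becomes a recursive delete, as root, of everything in whatever directory stop.sh is run from. Bracing the name would not be enough, because `lua_file` is only set inside run_snort_ngfw.sh and is not inherited by a separately started stop.sh. The cleanup should build the policy directory itself and remove only the numbered copies that create_lua makes; the directory and policy names below are the ones used in run_snort_ngfw.sh.

```shell
# Deleting snort lua files
DIR=$(cd "$(dirname "$0")" || exit 1; pwd)
policy_dir="${DIR}/../../components/snort/lightspd/policies/3.1.0.0-0"
for policy in maximum-detection security-over-connectivity connectivity-over-security; do
    # Only the per-instance copies (<policy>_<N>.lua); the original policy files stay.
    sudo rm -f -- "${policy_dir}/${policy}"_[0-9]*.lua
done
```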