pcn-firewall: add HORUS optimization

HORUS - Homogeneous RUleset analySis

Horus optimization allows to
 a) offload a group of contiguous rules matching on same field
 b) match the group of offloaded rules with complexity O(1) - single hashmap lookup
 c) dynamically adapting to different groups of rules, matching each
     combination of ipsrc/dst, portsrc/dst, tcpflags
 d) dynamically check when the optimization is possible according to current
     ruleset. It means check orthogonality
     of rules before the offloaded group, respect to the group itself.

each pkt received by the program, is looked-up vs the HORUS HASHMAP.
hit:
 -DROP action: drop the packet;
 -ACCEPT action: goto CTLABELING and CTTABLEUPDATE without going through pipeline
miss:
 -GOTO all pipeline steps

Signed-off-by: Matteo Bertrone <m.bertrone@gmail.com>

Author: mbertrone

src/services/pcn-firewall/src/CMakeLists.txt

@@ -43,6 +43,7 @@ load_file_as_variable(pcn-firewall datapaths/Firewall_L4PortLookup_dp.c firewall
 load_file_as_variable(pcn-firewall datapaths/Firewall_L4ProtocolLookup_dp.c firewall_code_l4protolookup)
 load_file_as_variable(pcn-firewall datapaths/Firewall_Parser_dp.c firewall_code_parser)
 load_file_as_variable(pcn-firewall datapaths/Firewall_TcpFlagsLookup_dp.c firewall_code_tcpflagslookup)
+load_file_as_variable(pcn-firewall datapaths/Firewall_Horus_dp.c firewall_code_horus)
 
 # load datamodel in a variable
 load_file_as_variable(pcn-firewall

src/services/pcn-firewall/src/Chain.cpp

@@ -138,10 +138,18 @@ ChainResetCountersOutputJsonObject Chain::resetCounters() {
   ChainResetCountersOutputJsonObject result;
   try {
     std::vector<Firewall::Program *> *programs;
+
+    bool * horus_runtime_enabled_;
+    bool * horus_swap_;
+
     if (name == ChainNameEnum::INGRESS) {
       programs = &parent_.ingress_programs;
+      horus_runtime_enabled_ = &parent_.horus_runtime_enabled_ingress_;
+      horus_swap_ = &parent_.horus_swap_ingress_;
     } else if (name == ChainNameEnum::EGRESS) {
-       programs = &parent_.egress_programs;
+      programs = &parent_.egress_programs;
+      horus_runtime_enabled_ = &parent_.horus_runtime_enabled_egress_;
+      horus_swap_ = &parent_.horus_swap_egress_;
     } else {
       return result;
     }
@@ -153,12 +161,25 @@ ChainResetCountersOutputJsonObject Chain::resetCounters() {
     auto actionProgram = dynamic_cast<Firewall::ActionLookup *>(
         programs->at(ModulesConstants::ACTION));
 
+    Firewall::Horus * horusProgram;
+
+    if (*horus_runtime_enabled_) {
+      if (!(*horus_swap_)) {
+        horusProgram = dynamic_cast<Firewall::Horus *>(programs->at(ModulesConstants::HORUS_INGRESS));
+      } else {
+        horusProgram = dynamic_cast<Firewall::Horus *>(programs->at(ModulesConstants::HORUS_INGRESS_SWAP));
+      }
+    }
+
     for (auto cr : rules_) {
       actionProgram->flushCounters(cr->getId());
+      if (*horus_runtime_enabled_){
+        horusProgram->flushCounters(cr->getId());
+      }
     }
 
     dynamic_cast<Firewall::DefaultAction *>(
-        programs->at(ModulesConstants::DEFAULTACTION))->flushCounters(name);
+            programs->at(ModulesConstants::DEFAULTACTION))->flushCounters(name);
 
     counters_.clear();
 
@@ -189,10 +210,17 @@ uint32_t Chain::getNrRules() {
 
 void Chain::updateChain() {
   std::vector<Firewall::Program *> *programs;
+  bool * horus_runtime_enabled_;
+  bool * horus_swap_;
+
   if (name == ChainNameEnum::INGRESS) {
     programs = &parent_.ingress_programs;
+    horus_runtime_enabled_ = &parent_.horus_runtime_enabled_ingress_;
+    horus_swap_ = &parent_.horus_swap_ingress_;
   } else if (name == ChainNameEnum::EGRESS) {
      programs = &parent_.egress_programs;
+    horus_runtime_enabled_ = &parent_.horus_runtime_enabled_egress_;
+    horus_swap_ = &parent_.horus_swap_egress_;
   } else {
     return;
   }
@@ -203,11 +231,11 @@ void Chain::updateChain() {
   // std::lock_guard<std::mutex> lkBpf(parent_.bpfInjectMutex);
   auto start = std::chrono::high_resolution_clock::now();
 
-  int index = 3 + (chainNumber * ModulesConstants::NR_MODULES);
+  int index = ModulesConstants::NR_INITIAL_MODULES + (chainNumber * ModulesConstants::NR_MODULES);
 
   int startingIndex = index;
   Firewall::Program *firstProgramLoaded;
-  std::vector<Firewall::Program *> newProgramsChain(3 + ModulesConstants::NR_MODULES + 2);
+  std::vector<Firewall::Program *> newProgramsChain(ModulesConstants::NR_INITIAL_MODULES + ModulesConstants::NR_MODULES + 1);
   std::map<uint8_t, std::vector<uint64_t>> conntrack_map;
   std::map<struct IpAddr, std::vector<uint64_t>> ipsrc_map;
   std::map<struct IpAddr, std::vector<uint64_t>> ipdst_map;
@@ -216,6 +244,105 @@ void Chain::updateChain() {
   std::map<int, std::vector<uint64_t>> protocol_map;
   std::vector<std::vector<uint64_t>> flags_map;
 
+  std::map<struct HorusRule, struct HorusValue> horus;
+
+
+  /*
+   * HORUS - Homogeneous RUleset analySis
+   *
+   * Horus optimization allows to
+   * a) offload a group of contiguous rules matching on same field
+   * b) match the group of offloaded rules with complexity O(1) - single hashmap lookup
+   * c) dynamically adapting to different groups of rules, matching each
+   *    combination of ipsrc/dst, portsrc/dst, tcpflags
+   * d) dynamically check when the optimization is possible according to current
+   *    ruleset. It means check orthogonality
+   *    of rules before the offloaded group, respect to the group itself.
+   *
+   * each pkt received by the program, is looked-up vs the HORUS HASHMAP.
+   * hit ->
+   *  -DROP action: drop the packet;
+   *  -ACCEPT action: goto CTLABELING and CTTABLEUPDATE without going through pipeline
+   * miss ->
+   *  -GOTO all pipeline steps
+   */
+
+  *horus_runtime_enabled_ = false;
+
+  // Apply Horus optimization only if it is enabled
+  if (parent_.horus_enabled) {
+    // if len Chain >= MIN_RULES_HORUS_OPTIMIZATION
+    if (getRuleList().size() >= HorusConst::MIN_RULE_SIZE_FOR_HORUS) {
+      // calculate horus ruleset
+      horusFromRulesToMap(horus, getRuleList());
+
+      // if horus.size() >= MIN_RULES_HORUS_OPTIMIZATION
+      if (horus.size() >= HorusConst::MIN_RULE_SIZE_FOR_HORUS) {
+        logger()->info("Horus Optimization ENABLED for this rule-set");
+
+        *horus_runtime_enabled_ = true;
+
+        // SWAP indexes
+        *horus_swap_ = !(*horus_swap_);
+
+        uint8_t horus_index_new = -1;
+        uint8_t horus_index_old = -1;
+
+        // Apply Horus optimization
+
+        // Calculate current new/old indexes
+        if (*horus_swap_) {
+          horus_index_new = ModulesConstants::HORUS_INGRESS_SWAP;
+          horus_index_old = ModulesConstants::HORUS_INGRESS;
+        } else {
+          horus_index_old = ModulesConstants::HORUS_INGRESS_SWAP;
+          horus_index_new = ModulesConstants::HORUS_INGRESS;
+        }
+
+        // Compile and inject program
+
+        std::vector<Firewall::Program *> *prog;
+
+        if (name == ChainNameEnum::INGRESS) {
+          prog = &parent_.ingress_programs;
+        } else if (name == ChainNameEnum::EGRESS) {
+          prog = &parent_.egress_programs;
+        } else {
+          throw std::runtime_error("No ingress/egress chain");
+        }
+
+        Firewall::Horus * horusptr =
+                new Firewall::Horus(horus_index_new, parent_, name, horus);
+        prog->at(horus_index_new) = horusptr;
+
+        auto horusProgram = dynamic_cast<Firewall::Horus *>(
+                programs->at(horus_index_new));
+
+        horusProgram->updateMap(horus);
+
+        auto parserIngress = dynamic_cast<Firewall::Parser *>(programs->at(ModulesConstants::PARSER));
+        parserIngress->reload();
+
+        // Delete old Horus, if present
+
+        if (programs->at(horus_index_old) != nullptr) {
+          delete programs->at(horus_index_old);
+        }
+        programs->at(horus_index_old) = nullptr;
+      }
+    }
+  }
+  if (*horus_runtime_enabled_ == false) {
+    auto parserIngress = dynamic_cast<Firewall::Parser *>(programs->at(ModulesConstants::PARSER));
+    parserIngress->reload();
+
+    // Delete old Horus, if present
+    delete programs->at(ModulesConstants::HORUS_INGRESS);
+    delete programs->at(ModulesConstants::HORUS_INGRESS_SWAP);
+    programs->at(ModulesConstants::HORUS_INGRESS) = nullptr;
+    programs->at(ModulesConstants::HORUS_INGRESS_SWAP) = nullptr;
+  }
+
 
   // calculate bitvectors, and check if no wildcard is present.
   // if no wildcard is present, we can early break the pipeline.

src/services/pcn-firewall/src/Chain.h

@@ -120,4 +120,11 @@ class Chain : public ChainBase {
           std::map<uint8_t, std::vector<uint64_t>> &statusMap,
           const std::vector<std::shared_ptr<ChainRule>> &rules);
 
+  static void horusFromRulesToMap(
+      std::map<struct HorusRule, struct HorusValue> &horus,
+      const std::vector<std::shared_ptr<ChainRule>> &rules);
+
+  static bool fromRuleToHorusKeyValue(std::shared_ptr<ChainRule> rule,
+                                      struct HorusRule &key,
+                                      struct HorusValue &value);
 };

src/services/pcn-firewall/src/ChainStats.cpp

@@ -97,11 +97,18 @@ void ChainStats::fetchCounters(const Chain &parent, const uint32_t &id,
   pkts = 0;
   bytes = 0;
 
+  bool * horus_runtime_enabled_;
+  bool * horus_swap_;
+
   std::vector<Firewall::Program *> *programs;
   if (parent.name == ChainNameEnum::INGRESS) {
     programs = &parent.parent_.ingress_programs;
+    horus_runtime_enabled_ = &parent.parent_.horus_runtime_enabled_ingress_;
+    horus_swap_ = &parent.parent_.horus_swap_ingress_;
   } else if (parent.name == ChainNameEnum::EGRESS) {
      programs = &parent.parent_.egress_programs;
+    horus_runtime_enabled_ = &parent.parent_.horus_runtime_enabled_egress_;
+    horus_swap_ = &parent.parent_.horus_swap_egress_;
   } else {
     return;
   }
@@ -116,6 +123,24 @@ void ChainStats::fetchCounters(const Chain &parent, const uint32_t &id,
   bytes = actionProgram->getBytesCount(id);
   pkts = actionProgram->getPktsCount(id);
   actionProgram->flushCounters(id);
+
+  if (*horus_runtime_enabled_) {
+    if (!(*horus_swap_)) {
+      auto horusProgram = dynamic_cast<Firewall::Horus *>(
+              programs->at(ModulesConstants::HORUS_INGRESS));
+
+      bytes += horusProgram->getBytesCount(id);
+      pkts += horusProgram->getPktsCount(id);
+      horusProgram->flushCounters(id);
+    } else {
+      auto horusProgram = dynamic_cast<Firewall::Horus *>(
+              programs->at(ModulesConstants::HORUS_INGRESS_SWAP));
+
+      bytes += horusProgram->getBytesCount(id);
+      pkts += horusProgram->getPktsCount(id);
+      horusProgram->flushCounters(id);
+    }
+  }
 }
 
 std::shared_ptr<ChainStats> ChainStats::getDefaultActionCounters(

src/services/pcn-firewall/src/Firewall.cpp

@@ -30,23 +30,23 @@ Firewall::Firewall(const std::string name, const FirewallJsonObject &conf)
   addChain(ChainNameEnum::EGRESS, chain);
   logger()->debug("Ingress and Egress chain added");
 
-  ingress_programs.resize(3 + ModulesConstants::NR_MODULES + 2, nullptr);
-  egress_programs.resize(3 + ModulesConstants::NR_MODULES + 2, nullptr);
+  ingress_programs.resize(ModulesConstants::NR_INITIAL_MODULES + ModulesConstants::NR_MODULES, nullptr);
+  egress_programs.resize(ModulesConstants::NR_INITIAL_MODULES + ModulesConstants::NR_MODULES, nullptr);
 
   /* Initialize ingress programs */
   ingress_programs[ModulesConstants::PARSER] =
-    new Firewall::Parser(0, ChainNameEnum::INGRESS, *this);
+    new Firewall::Parser(ModulesConstants::PARSER, ChainNameEnum::INGRESS, *this);
   ingress_programs[ModulesConstants::CONNTRACKLABEL] =
-    new Firewall::ConntrackLabel(1, ChainNameEnum::INGRESS, *this);
+    new Firewall::ConntrackLabel(ModulesConstants::CONNTRACKLABEL, ChainNameEnum::INGRESS, *this);
   ingress_programs[ModulesConstants::CHAINFORWARDER] =
-    new Firewall::ChainForwarder(2, ChainNameEnum::INGRESS, *this);
+    new Firewall::ChainForwarder(ModulesConstants::CHAINFORWARDER, ChainNameEnum::INGRESS, *this);
 
   egress_programs[ModulesConstants::PARSER] =
-    new Firewall::Parser(0, ChainNameEnum::EGRESS, *this);
+    new Firewall::Parser(ModulesConstants::PARSER, ChainNameEnum::EGRESS, *this);
   egress_programs[ModulesConstants::CONNTRACKLABEL] =
-    new Firewall::ConntrackLabel(1, ChainNameEnum::EGRESS, *this);
+    new Firewall::ConntrackLabel(ModulesConstants::CONNTRACKLABEL, ChainNameEnum::EGRESS, *this);
   egress_programs[ModulesConstants::CHAINFORWARDER] =
-    new Firewall::ChainForwarder(2, ChainNameEnum::EGRESS, *this);
+    new Firewall::ChainForwarder(ModulesConstants::CHAINFORWARDER, ChainNameEnum::EGRESS, *this);
 
   /*
    * 3 modules in the beginning
@@ -59,19 +59,19 @@ Firewall::Firewall(const std::string name, const FirewallJsonObject &conf)
    */
 
   ingress_programs[ModulesConstants::DEFAULTACTION] =
-    new Firewall::DefaultAction(3 + ModulesConstants::NR_MODULES * 2,
+    new Firewall::DefaultAction(ModulesConstants::DEFAULTACTION,
                                 ChainNameEnum::INGRESS,*this);
 
   ingress_programs[ModulesConstants::CONNTRACKTABLEUPDATE] =
-    new Firewall::ConntrackTableUpdate(3 + ModulesConstants::NR_MODULES * 2 + 1,
+    new Firewall::ConntrackTableUpdate(ModulesConstants::CONNTRACKTABLEUPDATE,
                                        ChainNameEnum::INGRESS, *this);
 
   egress_programs[ModulesConstants::DEFAULTACTION] =
-    new Firewall::DefaultAction(3 + ModulesConstants::NR_MODULES * 2,
+    new Firewall::DefaultAction(ModulesConstants::DEFAULTACTION,
                                 ChainNameEnum::EGRESS, *this);
 
   egress_programs[ModulesConstants::CONNTRACKTABLEUPDATE] =
-    new Firewall::ConntrackTableUpdate(3 + ModulesConstants::NR_MODULES * 2 + 1,
+    new Firewall::ConntrackTableUpdate(ModulesConstants::CONNTRACKTABLEUPDATE,
                                        ChainNameEnum::EGRESS, *this);
 }
 
@@ -126,7 +126,7 @@ FirewallAcceptEstablishedEnum Firewall::getAcceptEstablished() {
 void Firewall::setAcceptEstablished(
     const FirewallAcceptEstablishedEnum &value) {
   if (conntrackMode == ConntrackModes::DISABLED) {
-    throw new std::runtime_error("Please enable conntrack first.");
+    throw std::runtime_error("Please enable conntrack first.");
   }
 
   if (value == FirewallAcceptEstablishedEnum::ON &&

src/services/pcn-firewall/src/Firewall.h

@@ -175,7 +175,31 @@ class Firewall : public FirewallBase {
     std::string getCode();
   };
 
-  class ChainForwarder : public Program {
+  class Horus : public Program {
+  public:
+      enum HorusType { HORUS_INGRESS, HORUS_EGRESS };
+
+      Horus(const int &index, Firewall &outer, const ChainNameEnum &direction,
+              const std::map<struct HorusRule, struct HorusValue> &horus);
+      ~Horus();
+
+      std::string getCode();
+      std::string defaultActionString(ChainNameEnum chain);  // Overrides
+
+      uint64_t getPktsCount(int rule_number);
+      uint64_t getBytesCount(int rule_number);
+
+      void flushCounters(int rule_number);
+      void updateTableValue(struct HorusRule horus_key,
+                            struct HorusValue horus_value);
+      void updateMap(const std::map<struct HorusRule, struct HorusValue> &horus);
+
+  private:
+      HorusType type_;
+      std::map<struct HorusRule, struct HorusValue> horus_;
+  };
+
+    class ChainForwarder : public Program {
    public:
     ChainForwarder(const int &index, const ChainNameEnum &direction,
                    Firewall &outer);
@@ -318,6 +342,16 @@ class Firewall : public FirewallBase {
   std::vector<Firewall::Program *> ingress_programs;
   std::vector<Firewall::Program *> egress_programs;
 
+  // HORUS optimization enabled by current rule set
+  bool horus_runtime_enabled_ingress_ = false;
+  bool horus_runtime_enabled_egress_ = false;
+
+  bool horus_enabled = true;
+
+  // are we on swap or regular horus program index
+  bool horus_swap_ingress_ = false;
+  bool horus_swap_egress_ = false;
+
   /*==========================
    *METHODS DECLARATION
    *==========================*/