Exactly two years ago we introduced Intel FM10K (FM10000) support in PF_RING ZC. The Intel FM10K Ethernet controller family supports 10/25/40/100 Gbit on the same NIC at a convenient price (sub-$1000 range), and it powers various NIC models manufactured by Silicom Inc.
The most interesting aspect of the FM10K is the programmability that this adapter provides. In fact this adapter integrates an internal switch, attached both to the external ports (those physically connected to the cables) and to the internal ports (towards the CPU, those seen by the host OS), that can be instructed to filter and steer traffic between all the ports. In essence a switch has been embedded into a NIC form factor.
As we know, achieving full network visibility requires a combination of a wide range of monitoring tools, and it is crucial to deliver data efficiently and in real time to those tools, with activities that include:
- Efficient traffic steering from the network to the monitoring tools
- Traffic filtering to perform selective analyses with the benefit of a reduced load on the CPU
- Traffic blocking to implement policies in inline applications.
As mentioned before, we have already added support for the FM10K in PF_RING ZC; however PF_RING ZC only manages the internal (host) interfaces. What was missing was the ability to control the switch component using a simple tool or API. This led to the development of the nBroker framework.
nBroker is a software application that can be used for traffic steering and filtering at 100 Gbps on Intel FM10K adapters. It consists of a daemon that drives the FM10K switch, and an API that can be used to configure steering and filtering rules by controlling the daemon. The communication with the daemon happens over a ZMQ channel, thus it is possible to control it from any programming language by implementing the simple communication protocol; however a C library that takes care of the communication is also provided. In addition to the C library, a command-line tool with auto-completion is also provided, which is really convenient for scripting your filtering logic.
An IDS/IPS is an example of an inline application that can take advantage of nBroker to offload traffic forwarding. In fact an IPS usually inspects all the traffic, and sometimes decides to whitelist (forward) or blacklist (drop) specific traffic. Such activities can be offloaded to the switch by means of steering and filtering rules.
Below is an example of whitelisting a specific source IP towards a specific destination port using nBroker, with both the command-line tool and the C API.
CLI
$ nbroker-cli
tcp://127.0.0.1:5555> default port eth1 pass
tcp://127.0.0.1:5555> default port eth2 pass
tcp://127.0.0.1:5555> set port eth1 match shost 10.0.0.1 dport 80 steer-to eth2
C API
#include <arpa/inet.h> /* inet_addr(), htons() */
#include <string.h>    /* memset() */

/* broker (the connected nBroker handle), match and rule_id are declared earlier;
   zero the match first so that fields left unset do not carry stale values */
memset(&match, 0, sizeof(match));

nbroker_set_default_policy(broker, "eth1", NBROKER_POLICY_PASS);
nbroker_set_default_policy(broker, "eth2", NBROKER_POLICY_PASS);

/* match source host 10.0.0.1/32 (host and mask in network byte order) */
match.shost.ip_version = 4;
match.shost.mask.v4 = 0xFFFFFFFF;
match.shost.host.v4 = inet_addr("10.0.0.1");
/* match destination port 80 (network byte order) */
match.dport.low = htons(80);

/* let the daemon allocate the rule id, then steer matching traffic from eth1 to eth2 */
rule_id = NBROKER_AUTO_RULE_ID;
nbroker_set_steering_rule(broker, "eth1", &rule_id, &match, "eth2");
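The C API snippet above fills host, mask and port by hand for a single /32 and a single port. As an added example (my own code, not part of nBroker or of this post), the following C program parses a CIDR source network into the same host/mask/port representation, in network byte order, and checks offline which packets a rule would catch, so that a whitelist or blacklist can be verified before it is offloaded to the switch. The v4_match_t struct is a stand-in with the same field meanings as the match used above, not the real nBroker match type, and the field and function names are my own.

```c
/* Added example: build and sanity-check an IPv4 host/mask + port match.
 * v4_match_t mirrors the meaning of the fields used in the nBroker snippet
 * (host and mask in network byte order, port in network byte order); it is
 * a stand-in for illustration, NOT nBroker's real match structure. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    uint32_t host;   /* network byte order, already masked */
    uint32_t mask;   /* network byte order, e.g. htonl(0xFFFFFF00) for a /24 */
    uint16_t dport;  /* network byte order, 0 = any port */
} v4_match_t;

/* Parse "a.b.c.d" or "a.b.c.d/N" into host+mask (network byte order).
 * Returns 0 on success, -1 on malformed input. The host is masked, so
 * "10.0.0.5/24" and "10.0.0.0/24" yield the same rule. */
int cidr_to_v4(const char *cidr, uint32_t *host, uint32_t *mask) {
    char buf[32];
    char *slash, *end;
    long prefix = 32;
    struct in_addr addr;
    uint32_t m;

    if (strlen(cidr) >= sizeof(buf)) return -1;
    strcpy(buf, cidr);
    slash = strchr(buf, '/');
    if (slash) {
        *slash = '\0';
        prefix = strtol(slash + 1, &end, 10);
        if (slash[1] == '\0' || *end != '\0' || prefix < 0 || prefix > 32) return -1;
    }
    if (inet_pton(AF_INET, buf, &addr) != 1) return -1;

    /* Build the mask in host order, then convert. A /0 must not shift by 32.
     * Note that 0xFFFFFFFF looks the same in both byte orders, which hides the
     * conversion that any shorter prefix needs to line up with inet_addr(). */
    m = (prefix == 0) ? 0 : (0xFFFFFFFFu << (32 - prefix));
    *mask = htonl(m);
    *host = addr.s_addr & *mask;
    return 0;
}

/* Mask of a CIDR in host byte order, or -1 if the CIDR is malformed. */
int64_t cidr_mask_hbo(const char *cidr) {
    uint32_t host, mask;
    if (cidr_to_v4(cidr, &host, &mask) != 0) return -1;
    return (int64_t)ntohl(mask);
}

/* Build a complete match: source network plus optional destination port (0 = any). */
int build_match(const char *src_cidr, int dport, v4_match_t *out) {
    if (dport < 0 || dport > 65535) return -1;
    if (cidr_to_v4(src_cidr, &out->host, &out->mask) != 0) return -1;
    out->dport = htons((uint16_t)dport);
    return 0;
}

/* Offline check: would a packet from src to dport hit this rule? */
int match_hits(const v4_match_t *m, const char *src, int dport) {
    struct in_addr addr;
    if (inet_pton(AF_INET, src, &addr) != 1) return 0;
    if ((addr.s_addr & m->mask) != m->host) return 0;
    if (m->dport != 0 && m->dport != htons((uint16_t)dport)) return 0;
    return 1;
}

/* Convenience: 1 if (src, src_port) hits rule (src_cidr, dport), 0 if not, -1 on bad input. */
int rule_hits(const char *src_cidr, int dport, const char *src, int src_port) {
    v4_match_t m;
    if (build_match(src_cidr, dport, &m) != 0) return -1;
    return match_hits(&m, src, src_port);
}

int main(void) {
    v4_match_t m;
    if (build_match("10.0.0.0/24", 80, &m) != 0) return 1;
    printf("host=0x%08x mask=0x%08x dport=%u\n",
           ntohl(m.host), ntohl(m.mask), ntohs(m.dport));
    printf("10.0.0.7:80 -> %d, 10.0.1.7:80 -> %d, 10.0.0.7:443 -> %d\n",
           match_hits(&m, "10.0.0.7", 80),
           match_hits(&m, "10.0.1.7", 80),
           match_hits(&m, "10.0.0.7", 443));
    return 0;
}
```

The point of match_hits is to evaluate the rule on the host with the exact values that would be written into the switch: a mask left in host byte order, or a host that is not masked, silently widens or narrows the set of flows that bypass inspection, and that is not visible from the rule text alone.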
nBroker is available on GitHub: existing PF_RING ZC users do not require an additional license in order to use it.
We would like to thank Silicom Inc for the support during this development work.