NFF-Go - Network Function Framework for GO (former YANFF)
Wonderful news: we now support AF_XDP and (almost) support getting packets directly from Linux. So you do not need to write three different applications to process packets coming from different types of drivers of PMDs. You just write everything in NFF-Go, and it can dynamically use whatever you would like underneath. Contact us if you need help.
NFF-Go is a set of libraries for creating and deploying cloud-native Network Functions (NFs). It simplifies the creation of network functions without sacrificing performance.
- Higher level abstractions than DPDK. Using DPDK as a fast I/O engine for performance
- Go language: safety, productivity, performance, concurrency
- Network functions are application programs not virtual machines
- Built-in scheduler to auto-scale processing based on input traffic. Both up and down.
- Easily leverage Intel hardware capabilities: multi-cores, AES-NI, CAT, QAT, DPDK
- 10x reduction in lines of code
- No need to be an expert network programmer to develop performant network functions
- Similar performance with C/DPDK per box
- No need to worry about elasticity - done automatically
- Take advantage of cloud native deployment: continuous delivery, micro-services, containers
Simple ACL based firewall
```go
package main

import (
	"github.com/intel-go/nff-go/flow"
	"github.com/intel-go/nff-go/packet"
)

// L3Rules is declared at package level so that L3Separator can read
// the rules that main loads.
var L3Rules *packet.L3Rules

func main() {
	// Initialize NFF-GO library to use 8 cores max.
	config := flow.Config{
		CPUCoresNumber: 8,
	}
	flow.CheckFatal(flow.SystemInit(&config))

	// Get filtering rules from access control file.
	var err error
	L3Rules, err = packet.GetL3ACLFromTextTable("Firewall.conf")
	flow.CheckFatal(err)

	// Receive packets from zero port. Receive queue will be added automatically.
	inputFlow, err := flow.SetReceiver(uint8(0))
	flow.CheckFatal(err)

	// Separate packet flow based on ACL.
	rejectFlow, err := flow.SetSeparator(inputFlow, L3Separator, nil)
	flow.CheckFatal(err)

	// Drop rejected packets.
	flow.CheckFatal(flow.SetStopper(rejectFlow))

	// Send accepted packets to first port. Send queue will be added automatically.
	flow.CheckFatal(flow.SetSender(inputFlow, uint8(1)))

	// Begin to process packets.
	flow.CheckFatal(flow.SystemStart())
}

// User defined function for separating packets
func L3Separator(currentPacket *packet.Packet, context flow.UserContext) bool {
	currentPacket.ParseL4()
	// Return whether packet is accepted or not. Based on ACL rules.
	return currentPacket.L3ACLPermit(L3Rules)
}
```
NFF-GO is an Open Source BSD licensed project that runs mostly in Linux userland. The most recent patches and enhancements provided by the community are available in the `develop` branch. The `master` branch provides the latest stable released version under the appropriate tag.
Starting with release 0.7.0 NFF-Go uses go.mod for getting dependencies, therefore Go version 1.11 or later is required. To check out NFF-Go sources use the following command:
git clone --recurse-submodules http://github.com/intel-go/nff-go
NFF-GO uses DPDK, so you must set up your system to build and run DPDK. See System Requirements in the DPDK Getting Started Guide for Linux for more information.
By default NFF-Go is built with Mellanox cards support out of the box, so you need to install additional dependencies required for MLX network drivers. On Ubuntu they are called `libmnl-dev` and `libibverbs-dev`. For more details see MLX drivers respective pages for MLX4 and MLX5. If these dependencies cannot be satisfied, and Mellanox drivers are not needed, you can set variable `NFF_GO_NO_MLX_DRIVERS` to some non-empty value to disable MLX drivers compilation.
Additional dependencies are required for pktgen, especially if you are running RedHat or CentOS Linux distributions. See this file for details. The LUA section for RedHat and CentOS is at its end.
After building a DPDK driver with the make command, you must register network cards to work with the DPDK driver, load necessary kernel modules, and bind cards to the modules. See Compiling the DPDK Target from Source and How to get best performance with NICs on Intel platforms in the DPDK Getting Started Guide for Linux for more information.
The kernel module, which is required for DPDK user-mode drivers, is built but not installed into the kernel directory. You can load it using the full path to the module file: nff-go/test/dpdk/dpdk/x86_64-native-linuxapp-gcc/kmod/igb_uio.ko
Use Go version 1.11.4 or higher. To check the version of Go, do:
go version
AF_XDP support is enabled by default, and it requires you to install the `libbpf` package. At the time of writing Ubuntu doesn't have this library among its packages, so it is necessary to build `libbpf` from sources or disable AF_XDP socket support.
To disable it set variable `NFF_GO_NO_BPF_SUPPORT` to some non-empty value. When NFF_GO is built with it, AF_XDP support is disabled and using it results in errors.
If you want to build `libbpf` from sources you can do it in two different ways.
- If you are using stock Linux kernel from distribution, download `libbpf` from GitHub, then execute `cd src; make; sudo make install`. Add /usr/lib64 to your ldconfig path.
- If you build Linux kernel from sources, you can build `libbpf` from Linux source tree using commands `cd tools/lib/bpf; make; sudo make install install_headers`. Add /usr/local/lib64 to your ldconfig path.
When the Go compiler runs for the first time it downloads all dependent packages listed in the `go.mod` file. This operation cannot be done in parallel because otherwise the Go package cache gets corrupted. Because of that it is necessary to run the command `go mod download` before the first `make` is done. Another option is to use single-process `make -j1` when it is run for the first time, but this may be quite slow.
```shell
cd nff-go
go mod download        # do it once before first build
make -j8
```
make debug -j8
Online API documentation is available on the godoc.org site. API usage is explained on our Wiki pages.
Invoking make in the top-level directory builds the testing framework and examples. NFF-GO distributed tests are packaged inside of Docker container images. There are also single node unit tests in some packages that you can run using the command:
make testing
To create Docker images on the local default target (either the default UNIX socket in /var/run/docker.sock or whatever is defined in the DOCKER_HOST variable), use the `make images` command.
To deploy Docker images for use in distributed testing, use the `make deploy` command. This command requires two environment variables:
- NFF_GO_HOSTS="hostname1 hostname2 ... hostnameN" - a list of all hostnames for deployed test Docker images
- DOCKER_PORT=2375 - the port number to connect to Docker daemons running on hosts in the NFF_GO_HOSTS variable
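A pre-flight check for these two variables, as an added example that is not part of the NFF-Go Makefile or repository; the function name `nffgo_deploy_targets` and the hostname character whitelist are assumptions made here. It prints the `host:port` Docker endpoints the variables describe and rejects values that are empty, non-numeric, or contain characters a hostname should not have.

```shell
# Hypothetical helper (not from the NFF-Go repository): validate the
# environment that `make deploy` reads and list the resulting endpoints.
# The body runs in a subshell so that `set -f` does not leak to the caller.
nffgo_deploy_targets() (
    set -f  # no filename expansion while splitting NFF_GO_HOSTS
    if [ -z "${NFF_GO_HOSTS:-}" ]; then
        echo "NFF_GO_HOSTS is empty: list the test hosts, space separated" >&2
        return 1
    fi
    case "${DOCKER_PORT:-}" in
        ''|*[!0-9]*)
            echo "DOCKER_PORT must be a decimal port number" >&2
            return 1 ;;
    esac
    if [ "$DOCKER_PORT" -lt 1 ] || [ "$DOCKER_PORT" -gt 65535 ]; then
        echo "DOCKER_PORT out of range: $DOCKER_PORT" >&2
        return 1
    fi
    # 2375 is the conventional port for the Docker API without TLS.
    if [ "$DOCKER_PORT" -eq 2375 ]; then
        echo "note: 2375 is normally the plaintext, unauthenticated Docker API;" \
             "keep these hosts on an isolated test network" >&2
    fi
    # First pass: refuse anything that is not a plain hostname or address.
    for host in $NFF_GO_HOSTS; do
        case "$host" in
            -*|*[!A-Za-z0-9.-]*)
                echo "unexpected characters in hostname: $host" >&2
                return 1 ;;
        esac
    done
    # Second pass: print one endpoint per host.
    for host in $NFF_GO_HOSTS; do
        printf '%s:%s\n' "$host" "$DOCKER_PORT"
    done
)
```

Run it in the shell where the two variables are set, before `make deploy`; a non-zero status means the deployment environment should be corrected first.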
To delete generated images in the default Docker target, use the `make clean-images` command.
After the Docker images are deployed on all test hosts, you can run distributed network tests. The test framework is located in the test/main directory and accepts a JSON file with a test specification. There are predefined configs for performance and stability tests in the same directory. To run these tests, change hostname1 and hostname2 to the hosts from the NFF_GO_HOSTS list in these JSON files.
To clean all generated binaries, use the `make clean` command. To delete all deployed images listed in NFF_GO_HOSTS, use the `make cleanall` command.
If you want to contribute to NFF-Go, check our Contributing guide. We also recommend checking the bugs with 'help-wanted' or 'easyfix' in our list of open issues; these bugs can be solved without an extensive knowledge of NFF-Go. We would love to help you start contributing.
You can reach the NFF-Go development team via our mailing list.