VMware Networking Community
WiseWolf007
Contributor

NSX-T DFW packet flow

Hi,

I have been looking at the NSX-T product documentation on the DFW/L7 packet flow, and it only talks about the flow for a new packet (with no match in the flow table), but it does not mention what happens to a packet that already has an entry in the flow table.

It is the consensus of people in the field that the DFW only inspects the first couple of packets in the flow, and the rest is fast-pathed for the sake of performance. I have been looking for any document that negates this but could not find any.

TIA for any assistance 


Regards

Wise

7 Replies
p0wertje
Hot Shot

Hi,


Is this what you are looking for?

https://communities.vmware.com/t5/VMware-NSX-Documents/VMware-NSX-T-Reference-Design/ta-p/2778093
Page 116 "NSX-T DFW Policy Lookup and Packet Flow"

Cheers,
p0wertje | VCIX6-NV | JNCIS-ENT | vExpert
Please kudo helpful posts and mark the thread as solved if solved
WiseWolf007
Contributor

Hi p0wertje,

The document says on page 117:

"Subsequent packets in this TCP session checked against this flow in the flow table for the state match. Once the session terminates, the flow information is removed from the flow table"


So since the rest of the flow is only checked through the flow table, I guess that this means it will not be checked against the rule table, i.e. not inspected! Or am I missing something here?

p0wertje
Hot Shot

Hi,


This is what I can find about the Layer 7 profiling: https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.1/administration/GUID-5A73D94A-1B37-4D3C-9E09-...

When a context profile has been used in a rule, any traffic coming in from a virtual machine is matched against the rule table based on 5-tuple. If the rule matching the flow also includes a Layer 7 context profile, that packet is redirected to a user-space component called the vDPI engine. A few subsequent packets are punted to that vDPI engine for each flow, and after it has determined the App Id, this information is stored in the in-kernel context table. When the next packet for the flow comes in, the information in the context table is compared with the rule table again and is matched on 5-tuple and on the Layer 7 App Id. The appropriate action as defined in the fully matched rule is taken, and if there is an ALLOW rule, all subsequent packets for the flow are processed in the kernel and matched against the connection table. For a fully matched DROP rule a reject packet is generated. Logs generated by the firewall will include the Layer 7 App Id and applicable URL, if that flow was punted to DPI.

Rule processing for an incoming packet:
  1. Upon entering a DFW or Gateway filter, packets are looked up in the flow table based on 5-tuple.
  2. If no flow/state is found, the flow is matched against the rule-table based on 5-tuple and an entry is created in the flow table.
  3. If the flow matches a rule with a Layer 7 service object, the flow table state is marked as “DPI In Progress.”
  4. The traffic is then punted to the DPI engine. The DPI Engine determines the App Id.
  5. After the App Id has been determined, the DPI Engine sends down the attribute which is inserted into the context table for this flow. The "DPI In Progress" flag is removed, and traffic is no longer punted to the DPI engine.
  6. The flow (now with App Id) is reevaluated against all rules that match the App Id, starting with the original rule that was matched based on 5-tuple, and the first fully matched L4/L7 rule is picked up. The appropriate action is taken (allow/deny/reject) and the flow table entry is updated accordingly.
Cheers,
p0wertje | VCIX6-NV | JNCIS-ENT | vExpert
WiseWolf007
Contributor

Hi,


Yes, this is exactly my question. All the documents I found have this in common:

2. If no flow/state is found, the flow is matched against the rule-table based on 5-tuple and an entry is created in the flow table.


So what happens to the following packet, when there is a hit in the flow table? It says it checks the rule table if there is no flow found in the flow table!

Thanks

p0wertje
Hot Shot

Hi,

The following packet is matched against the flow table, and thus not matched against a rule (because it is part of the established flow).
If there is not an established flow, it is matched against the rules and added to the flow table. The next packets, as part of the established flow, match against the flow table and 'bypass' the rules again.


Cheers,
p0wertje | VCIX6-NV | JNCIS-ENT | vExpert
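To make the two-table behaviour concrete, the six-step sequence quoted in p0wertje's earlier reply and the "established flow bypasses the rules" summary above are modelled below in Python. This is an added example, not VMware code and not taken from the thread: the Packet/Rule/FlowEntry structures, the DpiEngine stand-in for the vDPI engine, the direction-independent flow key, and the choice to apply the provisional 5-tuple action while DPI is still pending are all assumptions of the model. It returns, per packet, which table handled it and the resulting action.

```python
# Toy model of the lookup order this thread describes: flow table first,
# rule table only when no state exists, punt to DPI for Layer 7 rules, then
# re-evaluate. Added example, not VMware code; every structure is an assumption.
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

Packet = namedtuple("Packet", "src dst sport dport proto payload", defaults=(b"",))
# Rule field None means "any"; app_id is the Layer 7 context profile (None = L4-only).
Rule = namedtuple("Rule", "src dst dport proto action app_id", defaults=(None,))

@dataclass
class FlowEntry:
    rule_index: int            # rule hit on 5-tuple; re-evaluation starts here
    action: str
    dpi_in_progress: bool
    app_id: Optional[str] = None

def matches_5tuple(r: Rule, p: Packet) -> bool:
    checks = ((r.src, p.src), (r.dst, p.dst), (r.dport, p.dport), (r.proto, p.proto))
    return all(want is None or want == got for want, got in checks)

def flow_key(p: Packet):
    """Direction-independent key so return traffic hits the same flow entry."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)

class DpiEngine:
    """Stand-in (assumed) for the vDPI engine: reports an App Id once it sees a
    recognisable payload, or 'UNKNOWN' after `budget` punted packets."""
    def __init__(self, budget: int = 3):
        self.budget, self.punted = budget, {}

    def inspect(self, key, p: Packet) -> Optional[str]:
        n = self.punted[key] = self.punted.get(key, 0) + 1
        if p.payload.startswith(b"SSH-"):
            return "SSH"
        if p.payload[:4] in (b"GET ", b"POST"):
            return "HTTP"
        return "UNKNOWN" if n >= self.budget else None

class Dfw:
    def __init__(self, rules, dpi: DpiEngine):
        self.rules, self.dpi = rules, dpi
        self.flows, self.context = {}, {}   # flow table and context table (key -> App Id)

    def process(self, p: Packet):
        """Return (lookup path, action) for one packet."""
        key = flow_key(p)
        entry = self.flows.get(key)
        if entry is not None:
            path = "flow-table"             # step 1: state hit, rule table not consulted
        else:
            path = "rule-table"             # step 2: first 5-tuple match creates the entry
            idx = next((i for i, r in enumerate(self.rules) if matches_5tuple(r, p)), None)
            if idx is None:
                return path, "drop"         # nothing matched (real tables end in a default rule)
            r = self.rules[idx]
            entry = self.flows[key] = FlowEntry(idx, r.action, r.app_id is not None)
        if not entry.dpi_in_progress:
            return path, entry.action
        app = self.dpi.inspect(key, p)      # steps 3-5: punt until the App Id is known
        if app is None:
            return path + "+dpi", entry.action  # provisional L4 action meanwhile (assumption)
        self.context[key] = app
        entry.app_id, entry.dpi_in_progress = app, False
        entry.action = "drop"               # step 6: re-evaluate from the original rule,
        for i in range(entry.rule_index, len(self.rules)):   # first full L4/L7 match wins
            r = self.rules[i]
            if matches_5tuple(r, p) and r.app_id in (None, app):
                entry.rule_index, entry.action = i, r.action
                break
        return path + "+dpi", entry.action

def simulate():
    """Constructed scenario; returns the (path, action) trace per packet."""
    rules = [
        Rule(None, "10.0.0.20", 8080, "tcp", "allow", app_id="HTTP"),  # HTTP only on 8080
        Rule(None, "10.0.0.20", 8080, "tcp", "drop"),                  # any other app on 8080
        Rule("10.0.0.5", None, 22, "tcp", "allow"),                    # L4-only management rule
        Rule(None, None, None, None, "drop"),                          # default rule
    ]
    fw = Dfw(rules, DpiEngine())
    web = dict(src="10.0.0.7", dst="10.0.0.20", sport=40001, dport=8080, proto="tcp")
    pkts = [
        Packet(**web),                                   # SYN, no payload: DPI pending
        Packet(**web, payload=b"GET / HTTP/1.1"),        # classified HTTP, rule 0 fully matched
        Packet("10.0.0.20", "10.0.0.7", 8080, 40001, "tcp", b"HTTP/1.1 200"),  # reply direction
        Packet(**web, payload=b"more"),                  # established: flow table only
        Packet("10.0.0.7", "10.0.0.20", 40002, 8080, "tcp", b"SSH-2.0"),       # SSH on 8080
        Packet("10.0.0.7", "10.0.0.20", 40002, 8080, "tcp", b"x"),
        Packet("10.0.0.5", "10.0.0.20", 40003, 22, "tcp"),   # L4-only rule, no DPI
        Packet("10.0.0.5", "10.0.0.20", 40003, 22, "tcp"),
        Packet("10.0.0.9", "10.0.0.20", 40004, 22, "tcp"),   # falls through to the default rule
    ]
    return [fw.process(p) for p in pkts]

if __name__ == "__main__":
    for path, action in simulate():
        print(f"{path:15} -> {action}")
```

The trace makes the consequence visible: once the entry exists, later packets of that flow, including the reply direction, never touch the rule table in this model, and a Layer 7 rule can only drop a flow after the DPI engine has seen enough packets to classify it (the SSH-on-8080 flow is forwarded until its App Id is known). How the real product treats existing flows when a rule is edited is not covered by the thread; the reference design, not this model, is the place to check that.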
WiseWolf007
Contributor

Thanks,


Not what I was hoping for, but thanks for the help.


Best Regards

p0wertje
Hot Shot

Hi,


It is pretty common to do it this way. Cisco FW does the same.


[image attachment: p0wertje_1-1617723921375.png]


Cheers,
p0wertje | VCIX6-NV | JNCIS-ENT | vExpert