P4 use case

There are many possible use cases for P4, but I will introduce some representative ones.

P4 use case

NAT implementation image

This time, we implemented the NAT function as shown in the figure below on the FPGA Smart NIC using P4.

In P4, we will describe the match & action table that rewrites each according to the conditions of the IP address and port number of the incoming packet.

NAT function implementation image

Writing P4 code

I can't explain all the P4 descriptions this time, but I will introduce the key points.

The first thing I will explain is the description of the match & action table. What is described in the top reads of the table description is the parameter to be read as a condition. In this description, IP address and TCP/UDP port number are used as conditions.

Next, actions at the bottom of the table description list the actions to be executed when the conditions are met. By making such a description, it becomes possible to specify which action to perform based on the condition of the header of the incoming packet.

Actions to be executed when the conditions are met must be described separately. I won't explain it in detail, but this time I'm writing to convert the address and port number by implementing NAT.

Once written, the P4 code is compiled using a compiler for FPGA Smart NIC and the binary image is written to the FPGA.

table description

Action description

Configuring Match & Action Rules

In the previous description, a match & action table for NAT was implemented in the FPGA, but that alone does not work as a NAT. By default, the table is empty, so it is necessary for the user to populate the rules.

Intel® PAC N3000 provides an SDK that allows rules to be entered from the server via the command line.

If you set the rules as shown in the example below, when a packet that matches the conditions of source address 1.1.1.1, destination address 2.2.2.2, TCP source port 1000, and destination port 2000 is input, , the destination address and port will be rewritten as 10.10.10.10:1111 respectively.

By adding/modifying/deleting rules as necessary, it is possible to control the intended behavior.

# table_nat keys ( ipv4.srcAddr 1.1.1.1 ipv4.dstAddr 2.2.2.2 tcp true tcp.srcPort 1000 tcp.dstPort 2000 udp false udp.srcPort 0 udp.dstPort 0 ) action dstnat_tcp params ( ipaddr 10.10.10.10 port 1111 )

Actual operation verification

Finally, I will post the results when I actually run it.
I made the following rule settings and captured what was output after packet input.
It can also filter packets, so it can be used as a firewall.

# table_nat keys ( ipv4.srcAddr 10.10.10.10 ipv4.dstAddr 20.20.20.20 tcp true tcp.srcPort 1000 tcp.dstPort 2000 udp false udp.srcPort 0 udp.dstPort 0 ) action dstnat_tcp params ( ipaddr 2.2.2.2 port 2222 )
# table_nat keys ( ipv4.srcAddr 10.10.10.10 ipv4.dstAddr 20.20.20.20 tcp false tcp.srcPort 0 tcp.dstPort 0 udp true udp.srcPort 1000 udp.dstPort 2000 ) action drop_act
# table_nat keys ( ipv4.srcAddr 30.30.30.30 ipv4.dstAddr 40.40.40.40 tcp true tcp.srcPort 3000 tcp.dstPort 4000 udp false udp.srcPort 0 udp.dstPort 0 ) action drop_act
# table_nat keys ( ipv4.srcAddr 30.30.30.30 ipv4.dstAddr 40.40.40.40 tcp false tcp.srcPort 0 tcp.dstPort 0 udp true udp.srcPort 3000 udp.dstPort 4000 ) action srcnat_udp params ( ipaddr 3.3.3.3 port 3333 )

Below is a capture of the input and output packets.

You can see that packets are processed according to the rules.

input packet

output packet