Application that communicates with a firewall via gRPC and performs hardware offload on the Nvidia BlueField DPU
- Create 2 VFs for each PF on the x86 side
- An optional configuration file in JSON format can be added at /opt/mellanox/opof/opof.conf. For example:
{
"grpc_addr":"169.254.33.51",
"grpc_port":3443
}
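A lint for the two keys shown in the example above, written as an added example that is not part of the project. The function name `check_opof_conf` and the sample strings are constructed for illustration, and the wildcard warning assumes the daemon listens on `grpc_addr`.

```python
import ipaddress
import json

# Constructed samples (not taken from a real deployment).
GOOD = '{"grpc_addr": "169.254.33.51", "grpc_port": 3443}'
MISSING_COMMA = '{"grpc_addr": "169.254.33.51" "grpc_port": 3443}'
WILDCARD = '{"grpc_addr": "0.0.0.0", "grpc_port": "3443"}'


def check_opof_conf(text):
    """Return a list of (severity, message) findings for an opof.conf body."""
    try:
        conf = json.loads(text)
    except json.JSONDecodeError as exc:
        where = f"line {exc.lineno}, column {exc.colno}"
        return [("error", f"not valid JSON at {where}: {exc.msg}")]
    if not isinstance(conf, dict):
        return [("error", "top level must be a JSON object")]

    findings = []
    addr = conf.get("grpc_addr")
    if addr is not None:
        # ip_address() also accepts integers, so insist on a string first.
        if not isinstance(addr, str):
            findings.append(("error", "grpc_addr must be a string"))
        else:
            try:
                ip = ipaddress.ip_address(addr)
            except ValueError:
                findings.append(("error", f"grpc_addr {addr!r} is not an IP address"))
            else:
                # Assumption: the daemon listens on this address.
                if ip.is_unspecified:
                    findings.append(("warning", "grpc_addr is a wildcard address"))

    port = conf.get("grpc_port")
    if port is not None:
        # bool is a subclass of int in Python, so reject it explicitly.
        if isinstance(port, bool) or not isinstance(port, int):
            findings.append(("error", "grpc_port must be a JSON number"))
        elif not 1 <= port <= 65535:
            findings.append(("error", f"grpc_port {port} is outside 1-65535"))
    return findings


if __name__ == "__main__":
    for name, body in (("good", GOOD), ("missing comma", MISSING_COMMA), ("wildcard", WILDCARD)):
        print(name, check_opof_conf(body))
```

Keys other than `grpc_addr` and `grpc_port` are ignored, since the page documents only these two.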
Dependency: libev (e.g., yum install -y libev libev-devel)
To build and install this daemon with all deps, run:
$ ./build.sh
To build only the daemon with preconfigured deps (grpc/sessionOffload):
$ export PKG_CONFIG_PATH=/opt/mellanox/dpdk/lib/aarch64-linux-gnu/pkgconfig/
$ make && make install
Set up hugepages:
$ mkdir -p /dev/hugepages
$ mountpoint -q /dev/hugepages || mount -t hugetlbfs nodev /dev/hugepages
$ echo 2048 > /sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages
The controller has a systemd service running and a user interface tool to communicate with the service.
- Service: opof.service
- User Interface: opof
- Log: journalctl -u opof -f
Run opof_setup to set up opof.
- By default, the script configures the following:
- Configure OVS fallback bridges so that, when the daemon fails or is killed, all traffic is forwarded to PAN-OS for processing.
- Configure the IP address of the gRPC interface (default pf0vf1).
- Reserve hugepages, default 2048 * 2M.
- User can specify the number of HugePages
$ opof_setup -p 2048
- User can specify the interface used by grpc
$ opof_setup -g pf1vf1
If the daemon is running on a DPU, the service has most likely already started automatically. Run the command below to check its status.
$ systemctl status opof.service
If the daemon is not running, start the controller by running the command below. Make sure to check the status after starting it.
$ systemctl start opof.service
To restart the daemon, run:
$ systemctl restart opof.service
Each command has its own help manual, e.g., opof query -h
- Query a session
$ opof query -i <session_id>
- Query daemon offload stats
$ opof stats