..
   Scott Baker | d3a7ec5 | 2021-11-08 22:59:07 -0800
   SPDX-FileCopyrightText: © 2020 Open Networking Foundation <support@opennetworking.org>
   SPDX-License-Identifier: Apache-2.0

Application Filtering
=====================

Application filtering configures which application endpoints a device is allowed
to connect to. For each endpoint you can configure not only whether it is reachable,
but also the maximum bitrate and the traffic class associated with it.

A VCS may have a total of five user-defined application endpoints associated with it.
Logically this could be one application with five endpoints, five applications with
one endpoint each, or any other combination that totals at most five endpoints.

In addition to these five user-configurable endpoints, the default behavior can be
set to ALLOW-ALL, DENY-ALL, or ALLOW-PUBLIC. ALLOW-PUBLIC is a special rule that
denies traffic to private IPv4 networks (as defined in RFC 1918) and allows
everything else.

Configuring Applications
------------------------

Begin by creating Applications. Each application has an address field, which may be
set to a single IPv4 address or to an IPv4 subnet; a subnet matches every IPv4
address within it. Once the address is set, move on to creating endpoints.

Each endpoint is a port range, specified by its start and end port. A range of
exactly one port is also acceptable. The protocol may be set to either TCP or UDP.
Each endpoint may also carry a maximum bitrate and a traffic class. The maximum
bitrate applies per device to the application; it is not an aggregate limit
across all devices using the application.

Adding Applications to VCSes
----------------------------

Each VCS has an application filter, which is a list of applications. Each entry
in this list has a priority and an allow|deny action. Keep in mind that the total
number of endpoints across all applications attached to the VCS must be less than
or equal to five.

Also configurable for the VCS is the default behavior, which is automatically
evaluated at the lowest priority and only takes effect if no other rule matches.
The default behavior does not count against the five-endpoint limit.

How Application Filtering is Evaluated
--------------------------------------

Application filtering is evaluated from the highest priority (0) to the lowest
priority (250). The first rule to match has its action applied; rules after the
match are not evaluated.

For example, assume the following filter is configured:

* Priority=0, Address=10.0.0.1, Protocol=TCP, Port=8000, Action=Allow
* Priority=1, Address=10.0.0.0/24, Action=Deny
* Default_Behavior = Allow All

The above filter allows traffic to 10.0.0.1 on TCP port 8000, but denies
traffic to all other hosts on the IPv4 subnet 10.0.0.0/24. Ports other than
8000 on 10.0.0.1 are denied, as are protocols other than TCP, because the
priority-1 deny rule matches them. Traffic to subnets other than 10.0.0.0/24
falls through to the default behavior and is allowed.
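
The following is an added example, not code from the Aether/ROC project, that models
the application, endpoint and filter objects described in the sections above and
evaluates the worked filter with first-match semantics. All class and function names
(``Endpoint``, ``Application``, ``FilterRule``, ``VCS``, ``example_vcs``) are
assumptions made for this example. It also assumes that an application configured
without endpoints, like the 10.0.0.0/24 deny entry, matches any protocol and port on
its address; the text does not spell that out. The ALLOW-PUBLIC default is
implemented as the RFC 1918 check the text describes, and ``validate`` enforces the
five-endpoint total and the 0..250 priority range.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Limits stated in the text: priorities 0 (highest) to 250 (lowest), at most
# five user-defined endpoints per VCS. The default behavior is not counted.
MAX_PRIORITY = 250
MAX_ENDPOINTS = 5

# RFC 1918 private IPv4 ranges, denied by the ALLOW-PUBLIC default behavior.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Endpoint:
    protocol: str                      # "TCP" or "UDP"
    port_start: int
    port_end: int                      # equal to port_start for a single port
    max_bitrate: Optional[int] = None  # per device, not summed across devices
    traffic_class: Optional[str] = None

    def matches(self, protocol: str, port: int) -> bool:
        return protocol == self.protocol and self.port_start <= port <= self.port_end


@dataclass
class Application:
    name: str
    address: str                       # IPv4 address or subnet in CIDR form
    endpoints: List[Endpoint] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.network = ipaddress.ip_network(self.address, strict=False)

    def matches(self, dst: ipaddress.IPv4Address, protocol: str, port: int) -> bool:
        if dst not in self.network:
            return False
        # Assumption (hypothetical): an application with no endpoints matches every
        # protocol and port on its address, as the 10.0.0.0/24 deny rule requires.
        if not self.endpoints:
            return True
        return any(e.matches(protocol, port) for e in self.endpoints)


@dataclass
class FilterRule:
    priority: int                      # 0 = highest, 250 = lowest
    application: Application
    action: str                        # "ALLOW" or "DENY"


@dataclass
class VCS:
    rules: List[FilterRule]
    default_behavior: str              # "ALLOW-ALL", "DENY-ALL" or "ALLOW-PUBLIC"

    def validate(self) -> None:
        """Reject filters that exceed the five-endpoint total or the priority range."""
        total = sum(len(r.application.endpoints) for r in self.rules)
        if total > MAX_ENDPOINTS:
            raise ValueError(f"{total} endpoints attached, limit is {MAX_ENDPOINTS}")
        for r in self.rules:
            if not 0 <= r.priority <= MAX_PRIORITY:
                raise ValueError(f"priority {r.priority} outside 0..{MAX_PRIORITY}")
        if self.default_behavior not in ("ALLOW-ALL", "DENY-ALL", "ALLOW-PUBLIC"):
            raise ValueError(f"unknown default behavior {self.default_behavior}")

    def evaluate(self, dst_ip: str, protocol: str, port: int) -> Tuple[str, Optional[int]]:
        """First match wins. Returns (action, priority of the matching rule);
        priority None means no rule matched and the default behavior applied."""
        dst = ipaddress.ip_address(dst_ip)
        for rule in sorted(self.rules, key=lambda r: r.priority):
            if rule.application.matches(dst, protocol, port):
                return rule.action, rule.priority   # later rules are not evaluated
        return self._default_action(dst), None

    def _default_action(self, dst: ipaddress.IPv4Address) -> str:
        if self.default_behavior == "ALLOW-ALL":
            return "ALLOW"
        if self.default_behavior == "DENY-ALL":
            return "DENY"
        # ALLOW-PUBLIC: deny RFC 1918 destinations, allow everything else.
        return "DENY" if any(dst in net for net in RFC1918) else "ALLOW"


def example_vcs(default_behavior: str = "ALLOW-ALL") -> VCS:
    """The filter from the text: allow 10.0.0.1 TCP/8000, deny the rest of 10.0.0.0/24."""
    vcs = VCS(
        rules=[
            FilterRule(0, Application("app-server", "10.0.0.1",
                                      [Endpoint("TCP", 8000, 8000, max_bitrate=5_000_000)]), "ALLOW"),
            FilterRule(1, Application("lab-subnet", "10.0.0.0/24"), "DENY"),
        ],
        default_behavior=default_behavior,
    )
    vcs.validate()
    return vcs


if __name__ == "__main__":
    vcs = example_vcs()
    for dst, proto, port in [("10.0.0.1", "TCP", 8000), ("10.0.0.1", "TCP", 8001),
                             ("10.0.0.1", "UDP", 8000), ("10.0.0.7", "TCP", 8000),
                             ("8.8.8.8", "TCP", 443)]:
        print(dst, proto, port, "->", vcs.evaluate(dst, proto, port))
```

Note that ``evaluate`` sorts by priority before scanning, so the order in which
rules were added does not matter, and it stops at the first match exactly as the
text describes; switching the default to ALLOW-PUBLIC changes only the verdict for
destinations that no rule matched.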