Configure Nmeta
System Configuration
A YAML file holds the system configuration. Its location is:
~/nmeta/nmeta/config/config.yaml
Configure Main Policy
The main policy configures how nmeta works with data plane traffic. This includes traffic classification rules. The main policy is stored in the YAML file:
~/nmeta/nmeta/config/main_policy.yaml
It is used to control what classifiers are used, in what order and what actions are taken.
The traffic classification policy is based off a root key tc_rules. This root contains a ruleset name (only one ruleset supported at this stage), which in turn contains one or more rules.
Rules are an ordered list (each rule is denoted by a preceding dash). Each rule contains:
- Comment: A comment to describe the purpose of the rule (optional). A comment must start with the attribute comment: and any single-line string can follow.
- Match Type: A match type is one of any or all.
- Conditions List: A single conditions_list stanza that contains one or more conditions stanzas.
Example simple traffic classification policy with a single rule:
A conditions_list stanza contains:
- A match type, consisting of any or all
- One or more conditions as list items (denoted by dash preceding the first item)
- One or more classifiers (see below)
A conditions stanza is a list item in a conditions list and contains:
- A match type, consisting of any or all
- One or more classifiers (see below)
An actions stanza contains one or more attribute/value pairs.
Here is a more complex traffic classification policy:
Conditions invoke classifiers. There are three types of classifier supported:
- Static
- Identity
- Custom (Payload / Statistical / Multi-classifier)
Static Classifiers
Static classifiers match on attributes in packet headers, or on environmental attributes such as port numbers.
Supported attributes are:
| Attribute | Description |
|---|---|
| eth_src: | Ethernet source MAC address. Example: eth_src: 08:00:27:4a:2d:41 |
| eth_dst: | Ethernet destination MAC address. Example: eth_dst: 08:00:27:4a:2d:42 |
| eth_type: | Ethernet type. Can be in hex (starting with 0x) or decimal. Examples: eth_type: 0x0800; eth_type: 35020 |
| ip_src: | IP source address. Can be a single address, a network with a mask in CIDR notation, or an IP range with two addresses separated by a hyphen. Both addresses in a range must be the same type, and the second address must be higher than the first. Examples: ip_src: 192.168.56.12; ip_src: 192.168.56.0/24; ip_src: 192.168.56.12-192.168.56.31 |
| ip_dst: | IP destination address. Can be a single address, a network with a mask in CIDR notation, or an IP range with two addresses separated by a hyphen. Both addresses in a range must be the same type, and the second address must be higher than the first. Examples: ip_dst: 192.168.57.40; ip_dst: 192.168.57.0/24; ip_dst: 192.168.57.36-192.168.78.31 |
| tcp_src: | TCP source port. Example: tcp_src: 22 |
| tcp_dst: | TCP destination port. Example: tcp_dst: 80 |
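A pre-deployment check for the static classifier value formats listed above, as an added Python example that is not part of nmeta or its documentation. The function names and the 0 to 65535 bound on eth_type and TCP ports (the width of those header fields) are assumptions of this sketch; nmeta's own validation may differ.

```python
import ipaddress
import re

MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}")

def check_mac(value):
    if not MAC_RE.fullmatch(str(value)):
        raise ValueError("not a colon-separated MAC address")

def check_uint16(value):
    # int(text, 0) accepts decimal and 0x-prefixed hex, the two forms allowed for eth_type
    number = value if isinstance(value, int) else int(str(value), 0)
    if not 0 <= number <= 0xFFFF:  # assumption: bound is the 16-bit field width
        raise ValueError("outside 16-bit range")

def check_ip(value):
    text = str(value).strip()
    if "-" in text:  # range: two addresses separated by a hyphen
        first, _, second = text.partition("-")
        low = ipaddress.ip_address(first.strip())
        high = ipaddress.ip_address(second.strip())
        if low.version != high.version:
            raise ValueError("range mixes IPv4 and IPv6")
        if high <= low:
            raise ValueError("second address must be higher than the first")
    elif "/" in text:  # network with a mask in CIDR notation
        ipaddress.ip_network(text, strict=False)
    else:  # single address
        ipaddress.ip_address(text)

CHECKS = {"eth_src": check_mac, "eth_dst": check_mac, "eth_type": check_uint16,
          "ip_src": check_ip, "ip_dst": check_ip,
          "tcp_src": check_uint16, "tcp_dst": check_uint16}

def validate_classifiers(classifiers):
    """Return 'attribute: problem' strings; an empty list means every value parses."""
    problems = []
    for name, value in classifiers.items():
        check = CHECKS.get(name)
        if check is None:
            continue  # identity_* and custom classifiers are not checked here
        try:
            check(value)
        except ValueError as exc:
            problems.append("%s: %s" % (name, exc))
    return problems

# Constructed sample conditions (already parsed from YAML into dicts)
GOOD = {"eth_type": "0x0800", "ip_src": "192.168.56.12-192.168.56.31", "tcp_dst": 80}
BAD = {"ip_dst": "192.168.57.36-192.168.57.31", "eth_type": "0x10000", "tcp_src": "http"}
```

Calling validate_classifiers(BAD) reports the reversed range, the oversized eth_type and the non-numeric port, which catches a malformed match before the rule is loaded.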
Identity Classifiers
All identity classifiers are prefixed with:
identity_
LLDP systemname may be matched as a regular expression. The match pattern must be contained in single quotes. For example, to match system names of *.audit.example.com, add this policy condition:
identity_lldp_systemname_re: '.*\.audit\.example\.com'
Supported attributes are:
| Attribute | Description |
|---|---|
| identity_lldp_systemname: | Exact match against a system name discovered via LLDP. Example: identity_lldp_systemname: bob.example.com |
| identity_lldp_systemname_re: | Regular expression match against a system name discovered via LLDP. Example: identity_lldp_systemname_re: '.*\.audit\.example\.com' |
| identity_service_dns: | identity_service_dns: www.example.com |
| identity_service_dns_re: | Regular expression match of either IP address in a flow against a DNS domain. Example: identity_service_dns_re: '.*\.example\.com' |
Custom Classifiers
Nmeta supports the creation of custom classifiers.
All custom classifiers have the attribute:
custom
The value determines the custom .py file to load from the nmeta/classifiers directory.
For example, the following condition loads the custom classifier file ~/nmeta/nmeta/classifiers/statistical_qos_bandwidth_1.py:
custom: statistical_qos_bandwidth_1
Actions
Actions are specific to a rule, and define what nmeta should do when the rule is matched.
Supported attributes are:
| Attribute | Description |
|---|---|
| qos_treatment: | Specify QoS treatment for flow. Example: qos_treatment: classifier_return. Values can be: |
| set_desc: | Set description for the flow. This is a convenience for humans. Example: set_desc: "This is a flow type description" |
QoS Treatment
Quality of Service (QoS) treatment parameters are configured in the main policy under the qos_treatment root directive. They map QoS action values to queue numbers. Example:
qos_treatment:
    # Control Quality of Service (QoS) treatment mapping of
    # names to output queue numbers:
    default_priority: 0
    constrained_bw: 1
    high_priority: 2
    low_priority: 3