Configure Nmeta

System Configuration

A YAML file holds the system configuration. Its location is:

~/nmeta/nmeta/config/config.yaml

Configure Main Policy

The main policy configures how nmeta works with data plane traffic. This includes traffic classification rules. The main policy is stored in the YAML file:

~/nmeta/nmeta/config/main_policy.yaml

It is used to control what classifiers are used, in what order and what actions are taken.

The traffic classification policy sits under the root key tc_rules. This root contains a ruleset name (only one ruleset is supported at this stage), which in turn contains one or more rules.

Rules are an ordered list (each rule is denoted by a preceding dash). Each rule contains:

Comment
A comment to describe the purpose of the rule (optional). A comment must start with the attribute comment: and any single-line string can follow.
Match Type
The match type is either any or all.
Conditions List
A single conditions_list stanza that contains one or more conditions stanzas.

Example simple traffic classification policy with a single rule:

[Image: simple_tc_policy.png]

A conditions_list stanza contains:

  • A match type, consisting of any or all
  • One or more conditions as list items (denoted by dash preceding the first item)
  • One or more classifiers (see below)

A conditions stanza is a list item in a conditions list and contains:

  • A match type, consisting of any or all
  • One or more classifiers (see below)

An actions stanza contains one or more attribute/value pairs.

Here is a more complex traffic classification policy:

[Image: complex_tc_policy.png]

Conditions invoke classifiers. There are three types of classifier supported:

  • Static
  • Identity
  • Custom (Payload / Statistical / Multi-classifier)

Static Classifiers

Static classifiers match on attributes in packet headers, or on environmental attributes such as port numbers.

Supported attributes are:

eth_src:

Ethernet source MAC address.

Example:

eth_src: 08:00:27:4a:2d:41

eth_dst:

Ethernet destination MAC address.

Example:

eth_dst: 08:00:27:4a:2d:42

eth_type:

Ethernet type. Can be in hex (starting with 0x) or decimal.

Examples:

eth_type: 0x0800
eth_type: 35020

ip_src:

IP source address. Can be a single address, a network with a mask in CIDR notation, or an IP range with two addresses separated by a hyphen. Both addresses in a range must be the same type, and the second address must be higher than the first.

Examples:

ip_src: 192.168.56.12
ip_src: 192.168.56.0/24
ip_src: 192.168.56.12-192.168.56.31

ip_dst:

IP destination address. Can be a single address, a network with a mask in CIDR notation, or an IP range with two addresses separated by a hyphen. Both addresses in a range must be the same type, and the second address must be higher than the first.

Examples:

ip_dst: 192.168.57.40
ip_dst: 192.168.57.0/24
ip_dst: 192.168.57.36-192.168.78.31

tcp_src:

TCP source port.

Example:

tcp_src: 22

tcp_dst:

TCP destination port.

Example:

tcp_dst: 80
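
The value rules above can be checked before a policy is deployed. The following is an added example, not nmeta's own code: the function names are hypothetical, and it takes the classifier attribute/value pairs as a dict, as a YAML loader would return them.

```python
import ipaddress
import re

def valid_mac(value):
    return re.fullmatch(r"[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}", str(value)) is not None

def valid_eth_type(value):
    """Hex (0x prefix) or decimal; an EtherType is 16 bits wide."""
    text = str(value)
    try:
        num = int(text, 16) if text.lower().startswith("0x") else int(text)
    except ValueError:
        return False
    return 0 <= num <= 0xFFFF

def valid_ip_space(value):
    """Single address, CIDR network, or 'first-second' range."""
    text = str(value)
    try:
        if "-" in text:
            first, second = (ipaddress.ip_address(part.strip())
                             for part in text.split("-", 1))
            # Same address type, and the second address must be higher.
            return first.version == second.version and second > first
        if "/" in text:
            ipaddress.ip_network(text, strict=False)
        else:
            ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def valid_port(value):
    try:
        return 0 <= int(str(value)) <= 65535
    except ValueError:
        return False

CHECKS = {"eth_src": valid_mac, "eth_dst": valid_mac, "eth_type": valid_eth_type,
          "ip_src": valid_ip_space, "ip_dst": valid_ip_space,
          "tcp_src": valid_port, "tcp_dst": valid_port}

def check_static(classifiers):
    """Return the (attribute, value) pairs that fail validation."""
    return [(k, v) for k, v in classifiers.items()
            if k in CHECKS and not CHECKS[k](v)]
```

An unquoted MAC address made up only of decimal digit pairs can be read by a YAML 1.1 loader as a base-60 integer; check_static reports that case because the loaded value no longer has MAC form.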

Identity Classifiers

All identity classifiers are prefixed with:

identity_

LLDP systemname may be matched as a regular expression. The match pattern must be contained in single quotes. For example, to match system names of *.audit.example.com, add this policy condition:

identity_lldp_systemname_re: '.*\.audit\.example\.com'

Supported attributes are:

identity_lldp_systemname:

Exact match against a system name discovered via LLDP. Example:

identity_lldp_systemname: bob.example.com

identity_lldp_systemname_re:

Regular expression match against a system name discovered via LLDP. Example:

identity_lldp_systemname_re: '.*\.audit\.example\.com'

identity_service_dns:

Exact match of either IP address in a flow against a DNS domain. Example:

identity_service_dns: www.example.com

identity_service_dns_re:

Regular expression match of either IP address in a flow against a DNS domain. Example:

identity_service_dns_re: '.*\.example\.com'
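
How nmeta evaluates the _re patterns is not stated on this page. The following added example (not nmeta code) assumes Python's re.match, which anchors only the start of the string, and shows why a pattern for an identity rule is safer with an explicit end anchor: an LLDP system name is whatever the attached device announces. The sample names are constructed.

```python
import re

PAGE_PATTERN = r".*\.audit\.example\.com"      # value from the page
ANCHORED_PATTERN = PAGE_PATTERN + r"\Z"        # added end-of-string anchor

# Constructed system names for illustration.
NAMES = [
    "pc1.audit.example.com",
    "pc1.audit.example.com.lab.test",   # longer name that only starts the same
    "pc1.auditXexample.com",            # rejected: the dots are escaped
    "audit.example.com",                # rejected: pattern needs a leading label
]

def accepted(pattern, names, fn=re.match):
    """Names the pattern accepts under the given re function."""
    return [n for n in names if fn(pattern, n)]

def overmatched(pattern, names):
    """Names a prefix match accepts that a whole-string match rejects."""
    whole = set(accepted(pattern, names, re.fullmatch))
    return [n for n in accepted(pattern, names) if n not in whole]
```

A non-empty result from overmatched() means the pattern admits names outside the intended domain when it is evaluated as a prefix match.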

Custom Classifiers

Nmeta supports the creation of custom classifiers.

All custom classifiers have the attribute:

custom

The value determines the custom .py file to load from the nmeta/classifiers directory.

For example, the following condition loads a custom classifier file ~/nmeta/nmeta/classifiers/statistical_qos_bandwidth_1.py:

custom: statistical_qos_bandwidth_1

Actions

Actions are specific to a rule, and define what nmeta should do when the rule is matched.

Supported attributes are:

qos_treatment:

Specify QoS treatment for flow.

Example:

qos_treatment: classifier_return

Values can be:

  • default_priority
  • constrained_bw
  • high_priority
  • low_priority
  • classifier_return

set_desc:

Set description for the flow. This is a convenience for humans.

Example:

set_desc: "This is a flow type description"

QoS Treatment

Quality of Service (QoS) treatment parameters are configured in the main policy under the qos_treatment root directive. They map QoS action values to queue numbers. Example:

qos_treatment:
  # Control Quality of Service (QoS) treatment mapping of
  #  names to output queue numbers:
  default_priority: 0
  constrained_bw: 1
  high_priority: 2
  low_priority: 3
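
A policy file can be linted against the rules on this page before nmeta loads it. This is an added example, not part of nmeta: it assumes the match type is stored under a key named match_type, works on the policy as a YAML loader would return it, and checks that every match type is any or all, that every custom value is a bare module name (so the .py file it selects stays inside the classifiers directory), and that every qos_treatment action has a queue mapping.

```python
import re

MODULE_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

def walk(node, path="tc_rules"):
    """Yield (path, key, value) for every mapping entry under node."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield path, key, value
            yield from walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from walk(item, f"{path}[{i}]")

def lint(policy):
    """Return a list of human-readable problems found in the policy."""
    queues = policy.get("qos_treatment", {})
    allowed_qos = set(queues) | {"classifier_return"}
    problems = [f"qos_treatment.{name}: queue {q!r} is not an integer"
                for name, q in queues.items() if not isinstance(q, int)]
    for path, key, value in walk(policy.get("tc_rules", {})):
        if key == "match_type" and value not in ("any", "all"):
            problems.append(f"{path}: match type {value!r} is not any/all")
        elif key == "custom" and not MODULE_NAME.fullmatch(str(value)):
            problems.append(f"{path}: custom {value!r} is not a bare module name")
        elif key == "qos_treatment" and str(value) not in allowed_qos:
            problems.append(f"{path}: qos_treatment {value!r} has no queue mapping")
    return problems

# Constructed sample. The key name match_type and the nesting are assumptions;
# the second rule is deliberately wrong in three places.
SAMPLE = {
    "qos_treatment": {"default_priority": 0, "constrained_bw": 1,
                      "high_priority": 2, "low_priority": 3},
    "tc_rules": {"tc_ruleset_1": [
        {"comment": "Audit hosts", "match_type": "any",
         "conditions_list": [{"match_type": "all", "tcp_dst": 80},
                             {"match_type": "any",
                              "custom": "statistical_qos_bandwidth_1"}],
         "actions": {"qos_treatment": "classifier_return"}},
        {"match_type": "some",
         "conditions_list": [{"match_type": "any", "custom": "../tmp/x"}],
         "actions": {"qos_treatment": "top_priority"}},
    ]},
}
```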