A Filter is an ordered list of filter entries that match certain packets and perform an action on those packets. Packets can be matched on their source IP, destination IP, source port, destination port, and many other fields. There are two types of filters:
IP filters, which match on the IP header of an IP packet
MAC filters, which match on the layer 2 (Ethernet) header of an Ethernet frame
Note: A Filter resource is deployed through resources like RoutedInterface or IRBInterface that determine which sub-interface the Filter applies to. For system-wide control plane filters, check out the ControlPlaneFilter resource.
The packet is evaluated against the filter entries in order. If an entry does not match, the packet is evaluated against the next entry, and so on. Once a packet matches a particular entry, evaluation of the chain ends and the action specified in that entry is performed on the packet.
In the ipEntry context, source and destination prefixes can be entered manually through the sourcePrefix and destinationPrefix properties. If the entry must execute the same action for source / destination IP addresses in multiple discontiguous subnets, consider using a PrefixSet to group those subnets together.
```yaml
apiVersion: filters.eda.nokia.com/v1
kind: Filter
metadata:
  namespace: eda
  name: my-dataplane-filter
spec:
  entries:
    - type: Auto
      ipEntry:
        protocolName: ICMP
        action: RateLimit
        icmpTypeName: Echo
        rateLimit:
          peakRateKbps: 10000
          entrySpecificPolicer: false
          scope: Global
      description: Rate-limit ICMP Echo requests
    - type: Auto
      description: Accept all other traffic
      ipEntry:
        sourcePrefix: 0.0.0.0/0
        action: Accept
```
```shell
cat << 'EOF' | kubectl apply -f -
apiVersion: filters.eda.nokia.com/v1
kind: Filter
metadata:
  namespace: eda
  name: my-dataplane-filter
spec:
  entries:
    - type: Auto
      ipEntry:
        protocolName: ICMP
        action: RateLimit
        icmpTypeName: Echo
        rateLimit:
          peakRateKbps: 10000
          entrySpecificPolicer: false
          scope: Global
      description: Rate-limit ICMP Echo requests
    - type: Auto
      description: Accept all other traffic
      ipEntry:
        sourcePrefix: 0.0.0.0/0
        action: Accept
EOF
```
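Because the first matching entry ends evaluation, entry order decides whether the ICMP rate limit above is ever applied. The following Python sketch is an added example, not part of EDA or the original page: it models first-match evaluation over the two entries from the example and flags entries that an earlier entry makes unreachable. The packet dictionaries, the helper names, and the rule that an absent criterion matches anything are assumptions of this model, and it handles IPv4 prefixes only.

```python
import ipaddress

# Constructed entries mirroring the example Filter on this page.
RATE_LIMIT_ICMP = {"description": "Rate-limit ICMP Echo requests", "ipEntry": {
    "protocolName": "ICMP", "icmpTypeName": "Echo", "action": "RateLimit"}}
ACCEPT_ALL = {"description": "Accept all other traffic", "ipEntry": {
    "sourcePrefix": "0.0.0.0/0", "action": "Accept"}}
PREFIX_KEYS = (("sourcePrefix", "src"), ("destinationPrefix", "dst"))
EXACT_KEYS = ("protocolName", "icmpTypeName")

def matches(entry, pkt):
    """Assumed model: a criterion that is absent from the entry matches anything."""
    e = entry["ipEntry"]
    for key, field in PREFIX_KEYS:
        if key in e and ipaddress.ip_address(pkt[field]) not in ipaddress.ip_network(e[key]):
            return False
    return all(k not in e or pkt.get(k) == e[k] for k in EXACT_KEYS)

def evaluate(entries, pkt):
    """First match ends evaluation. Returns (index, action), or None if nothing matched."""
    for i, entry in enumerate(entries):
        if matches(entry, pkt):
            return i, entry["ipEntry"]["action"]
    return None

def prefix_covers(outer, inner):
    """True if every address in `inner` is also in `outer` (None means any address)."""
    if outer is None:
        return True
    outer = ipaddress.ip_network(outer)
    if inner is None:
        return outer.prefixlen == 0
    return ipaddress.ip_network(inner).subnet_of(outer)

def covers(earlier, later):
    """True if every packet that matches `later` also matches `earlier`."""
    a, b = earlier["ipEntry"], later["ipEntry"]
    return (all(prefix_covers(a.get(k), b.get(k)) for k, _ in PREFIX_KEYS)
            and all(k not in a or a[k] == b.get(k) for k in EXACT_KEYS))

def shadowed(entries):
    """(later, earlier) index pairs where the later entry can never be reached."""
    return [(j, i) for j in range(len(entries)) for i in range(j)
            if covers(entries[i], entries[j])]
```

Running `shadowed()` over a filter's entries before applying it catches the case where a broad Accept entry placed first silently disables a rate limit that follows it.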
To browse the Custom Resource Definition go to crd.eda.dev.
Filter
filters.eda.nokia.com / v1
SPEC
Filter allows for the creation and management of ordered filtering rules based on IP or MAC criteria. The resource supports various conditions and actions, enabling fine-grained control over network traffic by specifying rules for source and destination addresses, ports, and protocols.
Determines how the policer is applied across subinterfaces. Global applies the policer across all subinterfaces, while Subinterface applies it individually to each subinterface.
Ethernet frame matching criteria based on the outermost VLAN ID found before the subinterface-defining VLAN tag (if any) is removed. A value of 'none' will match only untagged frames.