vpp-policy
Per-application enforcement — drop, permit, or DSCP-mark traffic by application class or risk flag.
vpp-policy enforces per-application permit/deny rules. It reads the flow classification from VPP buffer metadata (written by vpp-ndpi) and looks up a priority-ordered policy table. Actions: permit, drop, DSCP mark.
Status
Carrier enforcement product. Delivered to production. Available as a PacketFlow commercial engagement.
Policy model
Rules are matched on (app_id, category, risk_flags, interface) in priority order. The lookup is a linear scan over a table of typically <100 rules: <200 ns at 1M PPS.
CLI reference
# Drop BitTorrent globally
vppctl ndpi policy add app BitTorrent action drop
# DSCP-mark video streaming on WAN interface
vppctl ndpi policy add category Streaming interface eth1 action dscp 46
# Drop flows with critical risk flags
vppctl ndpi policy add risk-mask 0x1 action drop priority 1
# Show active rules
vppctl show ndpi policy
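The priority-ordered match from the Policy model section, applied to the three CLI rules above. This is an added example, not PacketFlow's code. The numeric ids, the ANY wildcard, lower-priority-value-first ordering, priorities 10 and 20, and the caller-supplied default action are all assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not vpp-policy source. Assumed: numeric ids, ANY as
 * wildcard, lower priority value scanned first, caller-chosen default. */
#define ANY 0xffffffffu
enum action { ACT_PERMIT, ACT_DROP, ACT_DSCP };

struct rule {
    uint32_t priority, app_id, category, risk_mask, sw_if; /* risk_mask 0 = ignore */
    enum action act;
    uint8_t dscp;
};
struct flow { uint32_t app_id, category, risk_flags, sw_if; };
struct verdict { enum action act; uint8_t dscp; int rule; /* -1 = no match */ };

/* Constructed ids standing in for BitTorrent, Streaming, eth0 and eth1. */
enum { APP_BITTORRENT = 37, CAT_STREAMING = 5, IF_ETH0 = 1, IF_ETH1 = 2 };

/* Mirrors the three CLI rules; priorities 10 and 20 are constructed. */
static const struct rule table[] = {   /* kept sorted by priority */
    {  1, ANY,            ANY,           0x1, ANY,     ACT_DROP, 0  },
    { 10, APP_BITTORRENT, ANY,           0,   ANY,     ACT_DROP, 0  },
    { 20, ANY,            CAT_STREAMING, 0,   IF_ETH1, ACT_DSCP, 46 },
};

/* First matching rule wins; every non-wildcard field must match. */
struct verdict policy_lookup(const struct flow *f, enum action dflt)
{
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        const struct rule *r = &table[i];
        if (r->app_id != ANY && r->app_id != f->app_id) continue;
        if (r->category != ANY && r->category != f->category) continue;
        if (r->sw_if != ANY && r->sw_if != f->sw_if) continue;
        if (r->risk_mask && !(f->risk_flags & r->risk_mask)) continue;
        return (struct verdict){ r->act, r->dscp, (int)i };
    }
    return (struct verdict){ dflt, 0, -1 };  /* no rule matched */
}

int main(void)
{
    /* Streaming flow on eth1 that also carries risk flag 0x1. */
    struct flow risky_video = { 0, CAT_STREAMING, 0x1, IF_ETH1 };
    struct verdict v = policy_lookup(&risky_video, ACT_PERMIT);
    printf("rule=%d action=%d dscp=%u\n", v.rule, v.act, v.dscp);
    return 0;
}
```

In this model, a streaming flow on eth1 that carries risk flag 0x1 is dropped by the priority-1 rule before the DSCP rule is reached. A flow that matches no rule gets the default action, so that default decides whether unmatched traffic fails open or closed.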
Availability
Contact PacketFlow for pricing and scope.