4 * Copyright(c) 2010-2014 Intel Corporation. All rights reserved.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
11 * * Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * * Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in
15 * the documentation and/or other materials provided with the
17 * * Neither the name of Intel Corporation nor the names of its
18 * contributors may be used to endorse or promote products derived
19 * from this software without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
22 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
23 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
24 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
25 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
26 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
27 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
28 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
29 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
30 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
31 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
50 * Legacy support for 7-tuple IPv4 and VLAN rule.
51 * This structure and the corresponding API are deprecated.
53 struct rte_acl_ipv4vlan_rule {
54 struct rte_acl_rule_data data; /**< Miscellaneous data for the rule. */
55 uint8_t proto; /**< IPv4 protocol ID. */
56 uint8_t proto_mask; /**< IPv4 protocol ID mask. */
57 uint16_t vlan; /**< VLAN ID. */
58 uint16_t vlan_mask; /**< VLAN ID mask. */
59 uint16_t domain; /**< VLAN domain. */
60 uint16_t domain_mask; /**< VLAN domain mask. */
61 uint32_t src_addr; /**< IPv4 source address. */
62 uint32_t src_mask_len; /**< IPv4 source address mask length. */
63 uint32_t dst_addr; /**< IPv4 destination address. */
64 uint32_t dst_mask_len; /**< IPv4 destination address mask length. */
65 uint16_t src_port_low; /**< L4 source port range, low end. */
66 uint16_t src_port_high; /**< L4 source port range, high end. */
67 uint16_t dst_port_low; /**< L4 destination port range, low end. */
68 uint16_t dst_port_high; /**< L4 destination port range, high end. */
72 * Specifies fields layout inside rte_acl_rule for rte_acl_ipv4vlan_rule.
75 RTE_ACL_IPV4VLAN_PROTO_FIELD,
76 RTE_ACL_IPV4VLAN_VLAN1_FIELD,
77 RTE_ACL_IPV4VLAN_VLAN2_FIELD,
78 RTE_ACL_IPV4VLAN_SRC_FIELD,
79 RTE_ACL_IPV4VLAN_DST_FIELD,
80 RTE_ACL_IPV4VLAN_SRCP_FIELD,
81 RTE_ACL_IPV4VLAN_DSTP_FIELD,
82 RTE_ACL_IPV4VLAN_NUM_FIELDS
86 * Macro to define rule size for rte_acl_ipv4vlan_rule.
88 #define RTE_ACL_IPV4VLAN_RULE_SZ \
89 RTE_ACL_RULE_SZ(RTE_ACL_IPV4VLAN_NUM_FIELDS)
92 * That effectively defines order of IPV4VLAN classifications:
94 * - VLAN (TAG and DOMAIN)
97 * - PORTS (SRC and DST)
100 RTE_ACL_IPV4VLAN_PROTO,
101 RTE_ACL_IPV4VLAN_VLAN,
102 RTE_ACL_IPV4VLAN_SRC,
103 RTE_ACL_IPV4VLAN_DST,
104 RTE_ACL_IPV4VLAN_PORTS,
108 /* rules for invalid layout test */
109 struct rte_acl_ipv4vlan_rule invalid_layout_rules[] = {
110 /* test src and dst address */
112 .data = {.userdata = 1, .category_mask = 1,
114 .src_addr = IPv4(10,0,0,0),
118 .data = {.userdata = 2, .category_mask = 1,
120 .dst_addr = IPv4(10,0,0,0),
123 /* test src and dst ports */
125 .data = {.userdata = 3, .category_mask = 1,
128 .dst_port_high = 100,
131 .data = {.userdata = 4, .category_mask = 1,
134 .src_port_high = 100,
138 .data = {.userdata = 5, .category_mask = 1,
144 .data = {.userdata = 6, .category_mask = 1,
147 .dst_port_high = 0xf,
151 /* These might look odd because they don't match up with the rules. This is
152 * intentional, as the invalid layout test presumes that the correct results
153 * are returned even when the wrong data layout is used.
155 struct ipv4_7tuple invalid_layout_data[] = {
156 {.ip_src = IPv4(10,0,1,0)}, /* should not match */
157 {.ip_src = IPv4(10,0,0,1), .allow = 2}, /* should match 2 */
158 {.port_src = 100, .allow = 4}, /* should match 4 */
159 {.port_dst = 0xf, .allow = 6}, /* should match 6 */
164 #define ACL_ALLOW_MASK 0x1
165 #define ACL_DENY_MASK 0x2
167 /* ruleset for ACL unit test */
168 struct rte_acl_ipv4vlan_rule acl_test_rules[] = {
169 /* destination IP addresses */
170 /* matches all packets traveling to 192.168.0.0/16 */
172 .data = {.userdata = 1, .category_mask = ACL_ALLOW_MASK,
174 .dst_addr = IPv4(192,168,0,0),
177 .src_port_high = 0xffff,
179 .dst_port_high = 0xffff,
181 /* matches all packets traveling to 192.168.1.0/24 */
183 .data = {.userdata = 2, .category_mask = ACL_ALLOW_MASK,
185 .dst_addr = IPv4(192,168,1,0),
188 .src_port_high = 0xffff,
190 .dst_port_high = 0xffff,
192 /* matches all packets traveling to 192.168.1.50 */
194 .data = {.userdata = 3, .category_mask = ACL_DENY_MASK,
196 .dst_addr = IPv4(192,168,1,50),
199 .src_port_high = 0xffff,
201 .dst_port_high = 0xffff,
204 /* source IP addresses */
205 /* matches all packets traveling from 10.0.0.0/8 */
207 .data = {.userdata = 4, .category_mask = ACL_ALLOW_MASK,
209 .src_addr = IPv4(10,0,0,0),
212 .src_port_high = 0xffff,
214 .dst_port_high = 0xffff,
216 /* matches all packets traveling from 10.1.1.0/24 */
218 .data = {.userdata = 5, .category_mask = ACL_ALLOW_MASK,
220 .src_addr = IPv4(10,1,1,0),
223 .src_port_high = 0xffff,
225 .dst_port_high = 0xffff,
227 /* matches all packets traveling from 10.1.1.1 */
229 .data = {.userdata = 6, .category_mask = ACL_DENY_MASK,
231 .src_addr = IPv4(10,1,1,1),
234 .src_port_high = 0xffff,
236 .dst_port_high = 0xffff,
240 /* matches all packets with lower 7 bits of VLAN tag equal to 0x64 */
242 .data = {.userdata = 7, .category_mask = ACL_ALLOW_MASK,
247 .src_port_high = 0xffff,
249 .dst_port_high = 0xffff,
251 /* matches all packets with VLAN tags that have the 0x5 bits set in them */
253 .data = {.userdata = 8, .category_mask = ACL_ALLOW_MASK,
258 .src_port_high = 0xffff,
260 .dst_port_high = 0xffff,
262 /* matches all packets with VLAN tag 5 */
264 .data = {.userdata = 9, .category_mask = ACL_DENY_MASK,
269 .src_port_high = 0xffff,
271 .dst_port_high = 0xffff,
275 /* matches all packets with lower 7 bits of domain equal to 0x64 */
277 .data = {.userdata = 10, .category_mask = ACL_ALLOW_MASK,
282 .src_port_high = 0xffff,
284 .dst_port_high = 0xffff,
286 /* matches all packets with domains that have the 0x5 bits set in them */
288 .data = {.userdata = 11, .category_mask = ACL_ALLOW_MASK,
293 .src_port_high = 0xffff,
295 .dst_port_high = 0xffff,
297 /* matches all packets with domain 5 */
299 .data = {.userdata = 12, .category_mask = ACL_DENY_MASK,
302 .domain_mask = 0xffff,
304 .src_port_high = 0xffff,
306 .dst_port_high = 0xffff,
309 /* destination port */
310 /* matches everything with dst port 80 */
312 .data = {.userdata = 13, .category_mask = ACL_ALLOW_MASK,
317 .src_port_high = 0xffff,
319 /* matches everything with dst port 22-1023 */
321 .data = {.userdata = 14, .category_mask = ACL_ALLOW_MASK,
324 .dst_port_high = 1023,
326 .src_port_high = 0xffff,
328 /* matches everything with dst port 1020 */
330 .data = {.userdata = 15, .category_mask = ACL_DENY_MASK,
332 .dst_port_low = 1020,
333 .dst_port_high = 1020,
335 .src_port_high = 0xffff,
337 /* matches everything with dst port range 1000-2000 */
339 .data = {.userdata = 16, .category_mask = ACL_DENY_MASK,
341 .dst_port_low = 1000,
342 .dst_port_high = 2000,
344 .src_port_high = 0xffff,
348 /* matches everything with src port 80 */
350 .data = {.userdata = 17, .category_mask = ACL_ALLOW_MASK,
355 .dst_port_high = 0xffff,
357 /* matches everything with src port 22-1023 */
359 .data = {.userdata = 18, .category_mask = ACL_ALLOW_MASK,
362 .src_port_high = 1023,
364 .dst_port_high = 0xffff,
366 /* matches everything with src port 1020 */
368 .data = {.userdata = 19, .category_mask = ACL_DENY_MASK,
370 .src_port_low = 1020,
371 .src_port_high = 1020,
373 .dst_port_high = 0xffff,
375 /* matches everything with src port range 1000-2000 */
377 .data = {.userdata = 20, .category_mask = ACL_DENY_MASK,
379 .src_port_low = 1000,
380 .src_port_high = 2000,
382 .dst_port_high = 0xffff,
385 /* protocol number */
386 /* matches all packets with protocol number either 0x64 or 0xE4 */
388 .data = {.userdata = 21, .category_mask = ACL_ALLOW_MASK,
393 .src_port_high = 0xffff,
395 .dst_port_high = 0xffff,
397 /* matches all packets with protocols that have the 0x5 bits set in them */
399 .data = {.userdata = 22, .category_mask = ACL_ALLOW_MASK,
404 .src_port_high = 0xffff,
406 .dst_port_high = 0xffff,
408 /* matches all packets with protocol 5 */
410 .data = {.userdata = 23, .category_mask = ACL_DENY_MASK,
415 .src_port_high = 0xffff,
417 .dst_port_high = 0xffff,
420 /* rules combining various fields */
422 .data = {.userdata = 24, .category_mask = ACL_ALLOW_MASK,
424 /** make sure that unmasked bytes don't fail! */
425 .dst_addr = IPv4(1,2,3,4),
427 .src_addr = IPv4(5,6,7,8),
432 .src_port_high = 0xffff,
434 .dst_port_high = 1024,
438 .domain_mask = 0xffff,
441 .data = {.userdata = 25, .category_mask = ACL_DENY_MASK,
443 .dst_addr = IPv4(5,6,7,8),
445 .src_addr = IPv4(1,2,3,4),
450 .src_port_high = 0xffff,
452 .dst_port_high = 1024,
456 .domain_mask = 0xffff,
459 .data = {.userdata = 26, .category_mask = ACL_ALLOW_MASK,
461 .dst_addr = IPv4(1,2,3,4),
463 .src_addr = IPv4(5,6,7,8),
468 .src_port_high = 0xffff,
470 .dst_port_high = 1024,
475 .data = {.userdata = 27, .category_mask = ACL_DENY_MASK,
477 .dst_addr = IPv4(5,6,7,8),
479 .src_addr = IPv4(1,2,3,4),
484 .src_port_high = 0xffff,
486 .dst_port_high = 1024,
492 /* data for ACL unit test */
493 struct ipv4_7tuple acl_test_data[] = {
494 /* testing single rule aspects */
495 {.ip_src = IPv4(10,0,0,0), .allow = 4}, /* should match 4 */
496 {.ip_src = IPv4(10,1,1,2), .allow = 5}, /* should match 5 */
497 {.ip_src = IPv4(10,1,1,1), .allow = 5,
498 .deny = 6}, /* should match 5, 6 */
499 {.ip_dst = IPv4(10,0,0,0)}, /* should not match */
500 {.ip_dst = IPv4(10,1,1,2)}, /* should not match */
501 {.ip_dst = IPv4(10,1,1,1)}, /* should not match */
503 {.ip_src = IPv4(192,168,2,50)}, /* should not match */
504 {.ip_src = IPv4(192,168,1,2)}, /* should not match */
505 {.ip_src = IPv4(192,168,1,50)}, /* should not match */
506 {.ip_dst = IPv4(192,168,2,50), .allow = 1}, /* should match 1 */
507 {.ip_dst = IPv4(192,168,1,49), .allow = 2}, /* should match 2 */
508 {.ip_dst = IPv4(192,168,1,50), .allow = 2,
509 .deny = 3}, /* should match 2, 3 */
511 {.vlan = 0x64, .allow = 7}, /* should match 7 */
512 {.vlan = 0xfE4, .allow = 7}, /* should match 7 */
513 {.vlan = 0xE2}, /* should not match */
514 {.vlan = 0xD, .allow = 8}, /* should match 8 */
515 {.vlan = 0x6}, /* should not match */
516 {.vlan = 0x5, .allow = 8, .deny = 9}, /* should match 8, 9 */
518 {.domain = 0x64, .allow = 10}, /* should match 10 */
519 {.domain = 0xfE4, .allow = 10}, /* should match 10 */
520 {.domain = 0xE2}, /* should not match */
521 {.domain = 0xD, .allow = 11}, /* should match 11 */
522 {.domain = 0x6}, /* should not match */
523 {.domain = 0x5, .allow = 11, .deny = 12}, /* should match 11, 12 */
525 {.port_dst = 80, .allow = 13}, /* should match 13 */
526 {.port_dst = 79, .allow = 14}, /* should match 14 */
527 {.port_dst = 81, .allow = 14}, /* should match 14 */
528 {.port_dst = 21}, /* should not match */
529 {.port_dst = 1024, .deny = 16}, /* should match 16 */
530 {.port_dst = 1020, .allow = 14, .deny = 15}, /* should match 14, 15 */
532 {.port_src = 80, .allow = 17}, /* should match 17 */
533 {.port_src = 79, .allow = 18}, /* should match 18 */
534 {.port_src = 81, .allow = 18}, /* should match 18 */
535 {.port_src = 21}, /* should not match */
536 {.port_src = 1024, .deny = 20}, /* should match 20 */
537 {.port_src = 1020, .allow = 18, .deny = 19}, /* should match 18, 19 */
539 {.proto = 0x64, .allow = 21}, /* should match 21 */
540 {.proto = 0xE4, .allow = 21}, /* should match 21 */
541 {.proto = 0xE2}, /* should not match */
542 {.proto = 0xD, .allow = 22}, /* should match 22 */
543 {.proto = 0x6}, /* should not match */
544 {.proto = 0x5, .allow = 22, .deny = 23}, /* should match 22, 23 */
546 /* testing matching multiple rules at once */
547 {.vlan = 0x5, .ip_src = IPv4(10,1,1,1),
548 .allow = 5, .deny = 9}, /* should match 5, 9 */
549 {.vlan = 0x5, .ip_src = IPv4(192,168,2,50),
550 .allow = 8, .deny = 9}, /* should match 8, 9 */
551 {.vlan = 0x55, .ip_src = IPv4(192,168,1,49),
552 .allow = 8}, /* should match 8 */
553 {.port_dst = 80, .port_src = 1024,
554 .allow = 13, .deny = 20}, /* should match 13,20 */
555 {.port_dst = 79, .port_src = 1024,
556 .allow = 14, .deny = 20}, /* should match 14,20 */
557 {.proto = 0x5, .ip_dst = IPv4(192,168,2,50),
558 .allow = 1, .deny = 23}, /* should match 1, 23 */
560 {.proto = 0x5, .ip_dst = IPv4(192,168,1,50),
561 .allow = 2, .deny = 23}, /* should match 2, 23 */
562 {.vlan = 0x64, .domain = 0x5,
563 .allow = 11, .deny = 12}, /* should match 11, 12 */
564 {.proto = 0x5, .port_src = 80,
565 .allow = 17, .deny = 23}, /* should match 17, 23 */
566 {.proto = 0x5, .port_dst = 80,
567 .allow = 13, .deny = 23}, /* should match 13, 23 */
568 {.proto = 0x51, .port_src = 5000}, /* should not match */
569 {.ip_src = IPv4(192,168,1,50),
570 .ip_dst = IPv4(10,0,0,0),
573 .port_dst = 5000}, /* should not match */
575 /* test full packet rules */
577 .ip_dst = IPv4(1,2,100,200),
578 .ip_src = IPv4(5,6,7,254),
586 }, /* should match 23, 24 */
588 .ip_dst = IPv4(5,6,7,254),
589 .ip_src = IPv4(1,2,100,200),
597 }, /* should match 13, 25 */
599 .ip_dst = IPv4(1,10,20,30),
600 .ip_src = IPv4(5,6,7,8),
607 }, /* should match 23, 26 */
609 .ip_dst = IPv4(5,6,7,8),
610 .ip_src = IPv4(1,10,20,30),
617 }, /* should match 13, 27 */
619 .ip_dst = IPv4(2,2,3,4),
620 .ip_src = IPv4(4,6,7,8),
627 }, /* should match 13, 23 */
629 .ip_dst = IPv4(1,2,3,4),
630 .ip_src = IPv4(4,6,7,8),
637 }, /* should match 13, 23 */
640 /* visual separator! */
642 .ip_dst = IPv4(1,2,100,200),
643 .ip_src = IPv4(5,6,7,254),
650 }, /* should match 10 */
652 .ip_dst = IPv4(5,6,7,254),
653 .ip_src = IPv4(1,2,100,200),
660 }, /* should match 10 */
662 .ip_dst = IPv4(1,10,20,30),
663 .ip_src = IPv4(5,6,7,8),
669 }, /* should match 7 */
671 .ip_dst = IPv4(5,6,7,8),
672 .ip_src = IPv4(1,10,20,30),
678 }, /* should match 7 */
680 .ip_dst = IPv4(2,2,3,4),
681 .ip_src = IPv4(4,6,7,8),
687 }, /* should match 7 */
689 .ip_dst = IPv4(1,2,3,4),
690 .ip_src = IPv4(4,6,7,8),
695 }, /* should not match */
698 #endif /* TEST_ACL_H_ */