2 * Copyright (c) 2016-2018 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
16 #include <netinet/in.h>
18 #include <vlib/vlib.h>
19 #include <vnet/vnet.h>
20 #include <vppinfra/error.h>
24 #include <vnet/ip/icmp46_packet.h>
26 #include <plugins/acl/fa_node.h>
27 #include <plugins/acl/acl.h>
28 #include <plugins/acl/lookup_context.h>
29 #include <plugins/acl/public_inlines.h>
30 #include <plugins/acl/session_inlines.h>
32 #include <vppinfra/bihash_40_8.h>
33 #include <vppinfra/bihash_template.h>
40 u32 match_acl_in_index;
48 #define foreach_acl_fa_error \
49 _(ACL_DROP, "ACL deny packets") \
50 _(ACL_PERMIT, "ACL permit packets") \
51 _(ACL_NEW_SESSION, "new sessions added") \
52 _(ACL_EXIST_SESSION, "existing session packets") \
53 _(ACL_CHECK, "checked packets") \
54 _(ACL_RESTART_SESSION_TIMER, "restart session timer") \
55 _(ACL_TOO_MANY_SESSIONS, "too many sessions to add new") \
60 #define _(sym,str) ACL_FA_ERROR_##sym,
73 } nonip_in_out_trace_t;
75 /* packet trace format function */
77 format_nonip_in_out_trace (u8 * s, u32 is_output, va_list * args)
79 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
80 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
81 nonip_in_out_trace_t *t = va_arg (*args, nonip_in_out_trace_t *);
83 s = format (s, "%s: sw_if_index %d next_index %x ethertype %x",
84 is_output ? "OUT-ETHER-WHITELIST" : "IN-ETHER-WHITELIST",
85 t->sw_if_index, t->next_index, t->ethertype);
90 format_l2_nonip_in_trace (u8 * s, va_list * args)
92 return format_nonip_in_out_trace (s, 0, args);
96 format_l2_nonip_out_trace (u8 * s, va_list * args)
98 return format_nonip_in_out_trace (s, 1, args);
101 #define foreach_nonip_in_error \
102 _(DROP, "dropped inbound non-whitelisted non-ip packets") \
103 _(PERMIT, "permitted inbound whitelisted non-ip packets") \
106 #define foreach_nonip_out_error \
107 _(DROP, "dropped outbound non-whitelisted non-ip packets") \
108 _(PERMIT, "permitted outbound whitelisted non-ip packets") \
115 #define _(sym,str) FA_IN_NONIP_ERROR_##sym,
116 foreach_nonip_in_error
119 } l2_in_feat_arc_error_t;
121 static char *fa_in_nonip_error_strings[] = {
122 #define _(sym,string) string,
123 foreach_nonip_in_error
129 #define _(sym,str) FA_OUT_NONIP_ERROR_##sym,
130 foreach_nonip_out_error
132 FA_OUT_NONIP_N_ERROR,
133 } l2_out_feat_arc_error_t;
135 static char *fa_out_nonip_error_strings[] = {
136 #define _(sym,string) string,
137 foreach_nonip_out_error
144 is_permitted_ethertype (acl_main_t * am, int sw_if_index0, int is_output,
148 ? am->output_etype_whitelist_by_sw_if_index
149 : am->input_etype_whitelist_by_sw_if_index;
150 u16 *whitelist = vec_elt (v, sw_if_index0);
153 if (vec_len (whitelist) == 0)
156 for (i = 0; i < vec_len (whitelist); i++)
157 if (whitelist[i] == ethertype)
162 #define get_u16(addr) ( *((u16 *)(addr)) )
165 nonip_in_out_node_fn (vlib_main_t * vm,
166 vlib_node_runtime_t * node, vlib_frame_t * frame,
169 acl_main_t *am = &acl_main;
171 u16 nexts[VLIB_FRAME_SIZE], *next;
172 vlib_buffer_t *bufs[VLIB_FRAME_SIZE], **b;
173 vlib_node_runtime_t *error_node;
175 from = vlib_frame_vector_args (frame);
176 error_node = vlib_node_get_runtime (vm, node->node_index);
177 vlib_get_buffers (vm, from, bufs, frame->n_vectors);
178 /* set the initial values for the current buffer the next pointers */
182 n_left = frame->n_vectors;
187 vnet_buffer (b[0])->sw_if_index[is_output ? VLIB_TX : VLIB_RX];
192 ethernet_header_t *h0 = vlib_buffer_get_current (b[0]);
193 u8 *l3h0 = (u8 *) h0 + vnet_buffer (b[0])->l2.l2_len;
194 ethertype = clib_net_to_host_u16 (get_u16 (l3h0 - 2));
196 if (is_permitted_ethertype (am, sw_if_index0, is_output, ethertype))
197 vnet_feature_next (&next_index, b[0]);
199 next[0] = next_index;
202 b[0]->error = error_node->errors[error0];
204 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
205 && (b[0]->flags & VLIB_BUFFER_IS_TRACED)))
207 nonip_in_out_trace_t *t =
208 vlib_add_trace (vm, node, b[0], sizeof (*t));
209 t->sw_if_index = sw_if_index0;
210 t->ethertype = ethertype;
211 t->next_index = next[0];
213 next[0] = next[0] < node->n_next_nodes ? next[0] : 0;
219 vlib_buffer_enqueue_to_next (vm, node, from, nexts, frame->n_vectors);
221 return frame->n_vectors;
224 VLIB_NODE_FN (acl_in_nonip_node) (vlib_main_t * vm,
225 vlib_node_runtime_t * node,
226 vlib_frame_t * frame)
228 return nonip_in_out_node_fn (vm, node, frame, 0);
231 VLIB_NODE_FN (acl_out_nonip_node) (vlib_main_t * vm,
232 vlib_node_runtime_t * node,
233 vlib_frame_t * frame)
235 return nonip_in_out_node_fn (vm, node, frame, 1);
241 VLIB_REGISTER_NODE (acl_in_nonip_node) =
243 .name = "acl-plugin-in-nonip-l2",
244 .vector_size = sizeof (u32),
245 .format_trace = format_l2_nonip_in_trace,
246 .type = VLIB_NODE_TYPE_INTERNAL,
247 .n_errors = ARRAY_LEN (fa_in_nonip_error_strings),
248 .error_strings = fa_in_nonip_error_strings,
249 .n_next_nodes = ACL_FA_N_NEXT,
252 [ACL_FA_ERROR_DROP] = "error-drop",
256 VNET_FEATURE_INIT (acl_in_l2_nonip_fa_feature, static) =
258 .arc_name = "l2-input-nonip",
259 .node_name = "acl-plugin-in-nonip-l2",
260 .runs_before = VNET_FEATURES ("l2-input-feat-arc-end"),
263 VLIB_REGISTER_NODE (acl_out_nonip_node) =
265 .name = "acl-plugin-out-nonip-l2",
266 .vector_size = sizeof (u32),
267 .format_trace = format_l2_nonip_out_trace,
268 .type = VLIB_NODE_TYPE_INTERNAL,
269 .n_errors = ARRAY_LEN (fa_out_nonip_error_strings),
270 .error_strings = fa_out_nonip_error_strings,
271 .n_next_nodes = ACL_FA_N_NEXT,
274 [ACL_FA_ERROR_DROP] = "error-drop",
278 VNET_FEATURE_INIT (acl_out_l2_nonip_fa_feature, static) =
280 .arc_name = "l2-output-nonip",
281 .node_name = "acl-plugin-out-nonip-l2",
282 .runs_before = VNET_FEATURES ("l2-output-feat-arc-end"),
290 get_current_policy_epoch (acl_main_t * am, int is_input, u32 sw_if_index0)
293 is_input ? &am->input_policy_epoch_by_sw_if_index :
294 &am->output_policy_epoch_by_sw_if_index;
295 u16 current_policy_epoch =
296 sw_if_index0 < vec_len (*p_epoch_vec) ? vec_elt (*p_epoch_vec,
298 : (is_input * FA_POLICY_EPOCH_IS_INPUT);
299 return current_policy_epoch;
303 maybe_trace_buffer (vlib_main_t * vm, vlib_node_runtime_t * node,
304 vlib_buffer_t * b, u32 sw_if_index0, u32 lc_index0,
305 u16 next0, int match_acl_in_index, int match_rule_index,
306 fa_5tuple_t * fa_5tuple, u8 action, u32 trace_bitmap)
308 if (PREDICT_FALSE (b->flags & VLIB_BUFFER_IS_TRACED))
310 acl_fa_trace_t *t = vlib_add_trace (vm, node, b, sizeof (*t));
311 t->sw_if_index = sw_if_index0;
312 t->lc_index = lc_index0;
313 t->next_index = next0;
314 t->match_acl_in_index = match_acl_in_index;
315 t->match_rule_index = match_rule_index;
316 t->packet_info[0] = fa_5tuple->kv_40_8.key[0];
317 t->packet_info[1] = fa_5tuple->kv_40_8.key[1];
318 t->packet_info[2] = fa_5tuple->kv_40_8.key[2];
319 t->packet_info[3] = fa_5tuple->kv_40_8.key[3];
320 t->packet_info[4] = fa_5tuple->kv_40_8.key[4];
321 t->packet_info[5] = fa_5tuple->kv_40_8.value;
323 t->trace_bitmap = trace_bitmap;
329 stale_session_deleted (acl_main_t * am, int is_input,
330 acl_fa_per_worker_data_t * pw, u64 now,
331 u32 sw_if_index0, fa_full_session_id_t f_sess_id)
333 u16 current_policy_epoch =
334 get_current_policy_epoch (am, is_input, sw_if_index0);
336 /* if the MSB of policy epoch matches but not the LSB means it is a stale session */
338 ((current_policy_epoch ^
339 f_sess_id.intf_policy_epoch) &
340 FA_POLICY_EPOCH_IS_INPUT))
341 && (current_policy_epoch != f_sess_id.intf_policy_epoch))
343 /* delete session and increment the counter */
344 vec_validate (pw->fa_session_epoch_change_by_sw_if_index, sw_if_index0);
345 vec_elt (pw->fa_session_epoch_change_by_sw_if_index, sw_if_index0)++;
346 if (acl_fa_conn_list_delete_session (am, f_sess_id, now))
348 /* delete the session only if we were able to unlink it */
349 acl_fa_two_stage_delete_session (am, sw_if_index0, f_sess_id, now);
362 get_sw_if_index_xN (int vector_sz, int is_input, vlib_buffer_t ** b,
363 u32 * out_sw_if_index)
366 for (ii = 0; ii < vector_sz; ii++)
368 out_sw_if_index[ii] = vnet_buffer (b[ii])->sw_if_index[VLIB_RX];
370 out_sw_if_index[ii] = vnet_buffer (b[ii])->sw_if_index[VLIB_TX];
374 fill_5tuple_xN (int vector_sz, acl_main_t * am, int is_ip6, int is_input,
375 int is_l2_path, vlib_buffer_t ** b, u32 * sw_if_index,
376 fa_5tuple_t * out_fa_5tuple)
379 for (ii = 0; ii < vector_sz; ii++)
380 acl_fill_5tuple (am, sw_if_index[ii], b[ii], is_ip6,
381 is_input, is_l2_path, &out_fa_5tuple[ii]);
385 make_session_hash_xN (int vector_sz, acl_main_t * am, int is_ip6,
386 u32 * sw_if_index, fa_5tuple_t * fa_5tuple,
390 for (ii = 0; ii < vector_sz; ii++)
392 acl_fa_make_session_hash (am, is_ip6, sw_if_index[ii], &fa_5tuple[ii]);
396 prefetch_session_entry (acl_main_t * am, fa_full_session_id_t f_sess_id)
398 fa_session_t *sess = get_session_ptr_no_check (am, f_sess_id.thread_index,
399 f_sess_id.session_index);
400 CLIB_PREFETCH (sess, 2 * CLIB_CACHE_LINE_BYTES, STORE);
404 process_established_session (vlib_main_t * vm, acl_main_t * am,
405 u32 counter_node_index, int is_input, u64 now,
406 fa_full_session_id_t f_sess_id,
407 u32 * sw_if_index, fa_5tuple_t * fa_5tuple,
408 u32 pkt_len, int node_trace_on,
412 fa_session_t *sess = get_session_ptr_no_check (am, f_sess_id.thread_index,
413 f_sess_id.session_index);
415 int old_timeout_type = fa_session_get_timeout_type (am, sess);
417 acl_fa_track_session (am, is_input, sw_if_index[0], now,
418 sess, &fa_5tuple[0], pkt_len);
419 int new_timeout_type = fa_session_get_timeout_type (am, sess);
420 /* Tracking might have changed the session timeout type, e.g. from transient to established */
421 if (PREDICT_FALSE (old_timeout_type != new_timeout_type))
423 acl_fa_restart_timer_for_session (am, now, f_sess_id);
424 vlib_node_increment_counter (vm, counter_node_index,
425 ACL_FA_ERROR_ACL_RESTART_SESSION_TIMER, 1);
428 0x00010000 + ((0xff & old_timeout_type) << 8) +
429 (0xff & new_timeout_type);
432 * I estimate the likelihood to be very low - the VPP needs
433 * to have >64K interfaces to start with and then on
434 * exactly 64K indices apart needs to be exactly the same
435 * 5-tuple... Anyway, since this probability is nonzero -
436 * print an error and drop the unlucky packet.
437 * If this shows up in real world, we would need to bump
438 * the hash key length.
440 if (PREDICT_FALSE (sess->sw_if_index != sw_if_index[0]))
443 ("BUG: session LSB16(sw_if_index)=%d and 5-tuple=%d collision!",
444 sess->sw_if_index, sw_if_index[0]);
451 #define ACL_PLUGIN_VECTOR_SIZE 4
452 #define ACL_PLUGIN_PREFETCH_GAP 3
455 acl_fa_node_common_prepare_fn (vlib_main_t * vm,
456 vlib_node_runtime_t * node,
457 vlib_frame_t * frame, int is_ip6, int is_input,
458 int is_l2_path, int with_stateful_datapath)
459 /* , int node_trace_on,
460 int reclassify_sessions) */
463 acl_main_t *am = &acl_main;
464 uword thread_index = os_get_thread_index ();
465 acl_fa_per_worker_data_t *pw = &am->per_worker_data[thread_index];
469 fa_5tuple_t *fa_5tuple;
474 from = vlib_frame_vector_args (frame);
475 vlib_get_buffers (vm, from, pw->bufs, frame->n_vectors);
477 /* set the initial values for the current buffer the next pointers */
479 sw_if_index = pw->sw_if_indices;
480 fa_5tuple = pw->fa_5tuples;
485 * fill the sw_if_index, 5tuple and session hash,
486 * First in strides of size ACL_PLUGIN_VECTOR_SIZE,
487 * with buffer prefetch being
488 * ACL_PLUGIN_PREFETCH_GAP * ACL_PLUGIN_VECTOR_SIZE entries
489 * in front. Then with a simple single loop.
492 n_left = frame->n_vectors;
493 while (n_left >= (ACL_PLUGIN_PREFETCH_GAP + 1) * ACL_PLUGIN_VECTOR_SIZE)
495 const int vec_sz = ACL_PLUGIN_VECTOR_SIZE;
498 for (ii = ACL_PLUGIN_PREFETCH_GAP * vec_sz;
499 ii < (ACL_PLUGIN_PREFETCH_GAP + 1) * vec_sz; ii++)
501 CLIB_PREFETCH (b[ii], CLIB_CACHE_LINE_BYTES, LOAD);
502 CLIB_PREFETCH (b[ii]->data, 2 * CLIB_CACHE_LINE_BYTES, LOAD);
507 get_sw_if_index_xN (vec_sz, is_input, b, sw_if_index);
508 fill_5tuple_xN (vec_sz, am, is_ip6, is_input, is_l2_path, &b[0],
509 &sw_if_index[0], &fa_5tuple[0]);
510 if (with_stateful_datapath)
511 make_session_hash_xN (vec_sz, am, is_ip6, &sw_if_index[0],
512 &fa_5tuple[0], &hash[0]);
518 sw_if_index += vec_sz;
524 const int vec_sz = 1;
526 get_sw_if_index_xN (vec_sz, is_input, b, sw_if_index);
527 fill_5tuple_xN (vec_sz, am, is_ip6, is_input, is_l2_path, &b[0],
528 &sw_if_index[0], &fa_5tuple[0]);
529 if (with_stateful_datapath)
530 make_session_hash_xN (vec_sz, am, is_ip6, &sw_if_index[0],
531 &fa_5tuple[0], &hash[0]);
537 sw_if_index += vec_sz;
544 acl_fa_inner_node_fn (vlib_main_t * vm,
545 vlib_node_runtime_t * node, vlib_frame_t * frame,
546 int is_ip6, int is_input, int is_l2_path,
547 int with_stateful_datapath, int node_trace_on,
548 int reclassify_sessions)
551 u32 pkts_exist_session = 0;
552 u32 pkts_new_session = 0;
553 u32 pkts_acl_permit = 0;
554 u32 trace_bitmap = 0;
555 acl_main_t *am = &acl_main;
556 vlib_node_runtime_t *error_node;
557 vlib_error_t no_error_existing_session;
558 u64 now = clib_cpu_time_now ();
559 uword thread_index = os_get_thread_index ();
560 acl_fa_per_worker_data_t *pw = &am->per_worker_data[thread_index];
565 fa_5tuple_t *fa_5tuple;
567 /* for the delayed counters */
568 u32 saved_matched_acl_index = 0;
569 u32 saved_matched_ace_index = 0;
570 u32 saved_packet_count = 0;
571 u32 saved_byte_count = 0;
573 from = vlib_frame_vector_args (frame);
574 error_node = vlib_node_get_runtime (vm, node->node_index);
575 no_error_existing_session =
576 error_node->errors[ACL_FA_ERROR_ACL_EXIST_SESSION];
580 sw_if_index = pw->sw_if_indices;
581 fa_5tuple = pw->fa_5tuples;
585 * Now the "hard" work of session lookups and ACL lookups for new sessions.
586 * Due to the complexity, do it for the time being in single loop with
587 * the pipeline of three prefetches:
588 * 1) bucket for the session bihash
589 * 2) data for the session bihash
590 * 3) worker session record
593 fa_full_session_id_t f_sess_id_next = {.as_u64 = ~0ULL };
595 /* find the "next" session so we can kickstart the pipeline */
596 if (with_stateful_datapath)
597 acl_fa_find_session_with_hash (am, is_ip6, sw_if_index[0], hash[0],
598 &fa_5tuple[0], &f_sess_id_next.as_u64);
600 n_left = frame->n_vectors;
605 int acl_check_needed = 1;
606 u32 match_acl_in_index = ~0;
607 u32 match_acl_pos = ~0;
608 u32 match_rule_index = ~0;
610 next[0] = 0; /* drop by default */
612 /* Try to match an existing session first */
614 if (with_stateful_datapath)
616 fa_full_session_id_t f_sess_id = f_sess_id_next;
620 acl_fa_prefetch_session_bucket_for_hash (am, is_ip6, hash[5]);
624 acl_fa_prefetch_session_data_for_hash (am, is_ip6, hash[3]);
628 acl_fa_find_session_with_hash (am, is_ip6, sw_if_index[1],
629 hash[1], &fa_5tuple[1],
630 &f_sess_id_next.as_u64);
631 if (f_sess_id_next.as_u64 != ~0ULL)
633 prefetch_session_entry (am, f_sess_id_next);
637 if (f_sess_id.as_u64 != ~0ULL)
641 trace_bitmap |= 0x80000000;
643 ASSERT (f_sess_id.thread_index < vec_len (vlib_mains));
644 b[0]->error = no_error_existing_session;
645 acl_check_needed = 0;
646 pkts_exist_session += 1;
648 process_established_session (vm, am, node->node_index,
649 is_input, now, f_sess_id,
652 b[0]->current_length,
656 /* expose the session id to the tracer */
659 match_rule_index = f_sess_id.session_index;
662 if (reclassify_sessions)
665 (stale_session_deleted
666 (am, is_input, pw, now, sw_if_index[0],
669 acl_check_needed = 1;
672 trace_bitmap |= 0x40000000;
675 * If we have just deleted the session, and the next
676 * buffer is the same 5-tuple, that session prediction
677 * is wrong, correct it.
679 if ((f_sess_id_next.as_u64 != ~0ULL)
680 && 0 == memcmp (&fa_5tuple[1], &fa_5tuple[0],
681 sizeof (fa_5tuple[1])))
682 f_sess_id_next.as_u64 = ~0ULL;
688 if (acl_check_needed)
691 lc_index0 = am->input_lc_index_by_sw_if_index[sw_if_index[0]];
694 am->output_lc_index_by_sw_if_index[sw_if_index[0]];
696 action = 0; /* deny by default */
697 int is_match = acl_plugin_match_5tuple_inline (am, lc_index0,
698 (fa_5tuple_opaque_t *) & fa_5tuple[0], is_ip6,
705 (is_match && am->interface_acl_counters_enabled))
707 u32 buf_len = vlib_buffer_length_in_chain (vm, b[0]);
708 vlib_increment_combined_counter (am->combined_acl_counters +
709 saved_matched_acl_index,
711 saved_matched_ace_index,
714 saved_matched_acl_index = match_acl_in_index;
715 saved_matched_ace_index = match_rule_index;
716 saved_packet_count = 1;
717 saved_byte_count = buf_len;
718 /* prefetch the counter that we are going to increment */
719 vlib_prefetch_combined_counter (am->combined_acl_counters +
720 saved_matched_acl_index,
722 saved_matched_ace_index);
725 b[0]->error = error_node->errors[action];
732 if (!acl_fa_can_add_session (am, is_input, sw_if_index[0]))
733 acl_fa_try_recycle_session (am, is_input,
735 sw_if_index[0], now);
737 if (acl_fa_can_add_session (am, is_input, sw_if_index[0]))
739 u16 current_policy_epoch =
740 get_current_policy_epoch (am, is_input,
742 fa_full_session_id_t f_sess_id =
743 acl_fa_add_session (am, is_input, is_ip6,
746 current_policy_epoch);
748 /* perform the accounting for the newly added session */
749 process_established_session (vm, am,
755 b[0]->current_length,
760 * If the next 5tuple is the same and we just added the session,
761 * the f_sess_id_next can not be ~0. Correct it.
763 if ((f_sess_id_next.as_u64 == ~0ULL)
764 && 0 == memcmp (&fa_5tuple[1], &fa_5tuple[0],
765 sizeof (fa_5tuple[1])))
766 f_sess_id_next = f_sess_id;
773 [ACL_FA_ERROR_ACL_TOO_MANY_SESSIONS];
780 /* speculatively get the next0 */
781 vnet_feature_next_u16 (&next[0], b[0]);
782 /* if the action is not deny - then use that next */
783 next[0] = action ? next[0] : 0;
786 if (node_trace_on) // PREDICT_FALSE (node->flags & VLIB_NODE_FLAG_TRACE))
788 maybe_trace_buffer (vm, node, b[0], sw_if_index[0], lc_index0,
789 next[0], match_acl_in_index,
790 match_rule_index, &fa_5tuple[0], action,
803 vlib_buffer_enqueue_to_next (vm, node, from, pw->nexts, frame->n_vectors);
806 * if we were had an acl match then we have a counter to increment.
807 * else it is all zeroes, so this will be harmless.
809 vlib_increment_combined_counter (am->combined_acl_counters +
810 saved_matched_acl_index,
812 saved_matched_ace_index,
813 saved_packet_count, saved_byte_count);
815 vlib_node_increment_counter (vm, node->node_index,
816 ACL_FA_ERROR_ACL_CHECK, frame->n_vectors);
817 vlib_node_increment_counter (vm, node->node_index,
818 ACL_FA_ERROR_ACL_EXIST_SESSION,
820 vlib_node_increment_counter (vm, node->node_index,
821 ACL_FA_ERROR_ACL_NEW_SESSION,
823 vlib_node_increment_counter (vm, node->node_index,
824 ACL_FA_ERROR_ACL_PERMIT, pkts_acl_permit);
825 return frame->n_vectors;
829 acl_fa_outer_node_fn (vlib_main_t * vm,
830 vlib_node_runtime_t * node, vlib_frame_t * frame,
831 int is_ip6, int is_input, int is_l2_path,
832 int do_stateful_datapath)
834 acl_main_t *am = &acl_main;
836 acl_fa_node_common_prepare_fn (vm, node, frame, is_ip6, is_input,
837 is_l2_path, do_stateful_datapath);
839 if (am->reclassify_sessions)
841 if (PREDICT_FALSE (node->flags & VLIB_NODE_FLAG_TRACE))
842 return acl_fa_inner_node_fn (vm, node, frame, is_ip6, is_input,
843 is_l2_path, do_stateful_datapath,
845 1 /* reclassify */ );
847 return acl_fa_inner_node_fn (vm, node, frame, is_ip6, is_input,
848 is_l2_path, do_stateful_datapath, 0,
849 1 /* reclassify */ );
853 if (PREDICT_FALSE (node->flags & VLIB_NODE_FLAG_TRACE))
854 return acl_fa_inner_node_fn (vm, node, frame, is_ip6, is_input,
855 is_l2_path, do_stateful_datapath,
859 return acl_fa_inner_node_fn (vm, node, frame, is_ip6, is_input,
860 is_l2_path, do_stateful_datapath, 0, 0);
865 acl_fa_node_fn (vlib_main_t * vm,
866 vlib_node_runtime_t * node, vlib_frame_t * frame, int is_ip6,
867 int is_input, int is_l2_path)
869 /* select the reclassify/no-reclassify version of the datapath */
870 acl_main_t *am = &acl_main;
872 if (am->fa_sessions_hash_is_initialized)
873 return acl_fa_outer_node_fn (vm, node, frame, is_ip6, is_input,
876 return acl_fa_outer_node_fn (vm, node, frame, is_ip6, is_input,
882 format_fa_5tuple (u8 * s, va_list * args)
884 fa_5tuple_t *p5t = va_arg (*args, fa_5tuple_t *);
887 void *format_address_func;
890 p5t->pkt.is_nonfirst_fragment ? " non-initial fragment" : "";
895 format_address_func = format_ip6_address;
896 paddr0 = &p5t->ip6_addr[0];
897 paddr1 = &p5t->ip6_addr[1];
902 format_address_func = format_ip4_address;
903 paddr0 = &p5t->ip4_addr[0];
904 paddr1 = &p5t->ip4_addr[1];
908 format (s, "lc_index %d l3 %s%s ", p5t->pkt.lc_index, ip_af, ip_frag_txt);
910 format (s, "%U -> %U ", format_address_func, paddr0, format_address_func,
912 s = format (s, "%U ", format_fa_session_l4_key, &p5t->l4);
913 s = format (s, "tcp flags (%s) %02x rsvd %x",
914 p5t->pkt.tcp_flags_valid ? "valid" : "invalid",
915 p5t->pkt.tcp_flags, p5t->pkt.flags_reserved);
919 #ifndef CLIB_MARCH_VARIANT
921 format_acl_plugin_5tuple (u8 * s, va_list * args)
923 return format_fa_5tuple (s, args);
927 /* packet trace format function */
929 format_acl_plugin_trace (u8 * s, va_list * args)
931 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
932 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
933 acl_fa_trace_t *t = va_arg (*args, acl_fa_trace_t *);
937 "acl-plugin: lc_index: %d, sw_if_index %d, next index %d, action: %d, match: acl %d rule %d trace_bits %08x\n"
938 " pkt info %016llx %016llx %016llx %016llx %016llx %016llx",
939 t->lc_index, t->sw_if_index, t->next_index, t->action,
940 t->match_acl_in_index, t->match_rule_index, t->trace_bitmap,
941 t->packet_info[0], t->packet_info[1], t->packet_info[2],
942 t->packet_info[3], t->packet_info[4], t->packet_info[5]);
944 /* Now also print out the packet_info in a form usable by humans */
945 s = format (s, "\n %U", format_fa_5tuple, t->packet_info);
951 static char *acl_fa_error_strings[] = {
952 #define _(sym,string) string,
957 VLIB_NODE_FN (acl_in_l2_ip6_node) (vlib_main_t * vm,
958 vlib_node_runtime_t * node,
959 vlib_frame_t * frame)
961 return acl_fa_node_fn (vm, node, frame, 1, 1, 1);
964 VLIB_NODE_FN (acl_in_l2_ip4_node) (vlib_main_t * vm,
965 vlib_node_runtime_t * node,
966 vlib_frame_t * frame)
968 return acl_fa_node_fn (vm, node, frame, 0, 1, 1);
971 VLIB_NODE_FN (acl_out_l2_ip6_node) (vlib_main_t * vm,
972 vlib_node_runtime_t * node,
973 vlib_frame_t * frame)
975 return acl_fa_node_fn (vm, node, frame, 1, 0, 1);
978 VLIB_NODE_FN (acl_out_l2_ip4_node) (vlib_main_t * vm,
979 vlib_node_runtime_t * node,
980 vlib_frame_t * frame)
982 return acl_fa_node_fn (vm, node, frame, 0, 0, 1);
985 /**** L3 processing path nodes ****/
987 VLIB_NODE_FN (acl_in_fa_ip6_node) (vlib_main_t * vm,
988 vlib_node_runtime_t * node,
989 vlib_frame_t * frame)
991 return acl_fa_node_fn (vm, node, frame, 1, 1, 0);
994 VLIB_NODE_FN (acl_in_fa_ip4_node) (vlib_main_t * vm,
995 vlib_node_runtime_t * node,
996 vlib_frame_t * frame)
998 return acl_fa_node_fn (vm, node, frame, 0, 1, 0);
1001 VLIB_NODE_FN (acl_out_fa_ip6_node) (vlib_main_t * vm,
1002 vlib_node_runtime_t * node,
1003 vlib_frame_t * frame)
1005 return acl_fa_node_fn (vm, node, frame, 1, 0, 0);
1008 VLIB_NODE_FN (acl_out_fa_ip4_node) (vlib_main_t * vm,
1009 vlib_node_runtime_t * node,
1010 vlib_frame_t * frame)
1012 return acl_fa_node_fn (vm, node, frame, 0, 0, 0);
1015 VLIB_REGISTER_NODE (acl_in_l2_ip6_node) =
1017 .name = "acl-plugin-in-ip6-l2",
1018 .vector_size = sizeof (u32),
1019 .format_trace = format_acl_plugin_trace,
1020 .type = VLIB_NODE_TYPE_INTERNAL,
1021 .n_errors = ARRAY_LEN (acl_fa_error_strings),
1022 .error_strings = acl_fa_error_strings,
1023 .n_next_nodes = ACL_FA_N_NEXT,
1026 [ACL_FA_ERROR_DROP] = "error-drop",
1030 VNET_FEATURE_INIT (acl_in_l2_ip6_fa_feature, static) =
1032 .arc_name = "l2-input-ip6",
1033 .node_name = "acl-plugin-in-ip6-l2",
1034 .runs_before = VNET_FEATURES ("l2-input-feat-arc-end"),
1037 VLIB_REGISTER_NODE (acl_in_l2_ip4_node) =
1039 .name = "acl-plugin-in-ip4-l2",
1040 .vector_size = sizeof (u32),
1041 .format_trace = format_acl_plugin_trace,
1042 .type = VLIB_NODE_TYPE_INTERNAL,
1043 .n_errors = ARRAY_LEN (acl_fa_error_strings),
1044 .error_strings = acl_fa_error_strings,
1045 .n_next_nodes = ACL_FA_N_NEXT,
1048 [ACL_FA_ERROR_DROP] = "error-drop",
1052 VNET_FEATURE_INIT (acl_in_l2_ip4_fa_feature, static) =
1054 .arc_name = "l2-input-ip4",
1055 .node_name = "acl-plugin-in-ip4-l2",
1056 .runs_before = VNET_FEATURES ("l2-input-feat-arc-end"),
1060 VLIB_REGISTER_NODE (acl_out_l2_ip6_node) =
1062 .name = "acl-plugin-out-ip6-l2",
1063 .vector_size = sizeof (u32),
1064 .format_trace = format_acl_plugin_trace,
1065 .type = VLIB_NODE_TYPE_INTERNAL,
1066 .n_errors = ARRAY_LEN (acl_fa_error_strings),
1067 .error_strings = acl_fa_error_strings,
1068 .n_next_nodes = ACL_FA_N_NEXT,
1071 [ACL_FA_ERROR_DROP] = "error-drop",
1075 VNET_FEATURE_INIT (acl_out_l2_ip6_fa_feature, static) =
1077 .arc_name = "l2-output-ip6",
1078 .node_name = "acl-plugin-out-ip6-l2",
1079 .runs_before = VNET_FEATURES ("l2-output-feat-arc-end"),
1083 VLIB_REGISTER_NODE (acl_out_l2_ip4_node) =
1085 .name = "acl-plugin-out-ip4-l2",
1086 .vector_size = sizeof (u32),
1087 .format_trace = format_acl_plugin_trace,
1088 .type = VLIB_NODE_TYPE_INTERNAL,
1089 .n_errors = ARRAY_LEN (acl_fa_error_strings),
1090 .error_strings = acl_fa_error_strings,
1091 .n_next_nodes = ACL_FA_N_NEXT,
1094 [ACL_FA_ERROR_DROP] = "error-drop",
1098 VNET_FEATURE_INIT (acl_out_l2_ip4_fa_feature, static) =
1100 .arc_name = "l2-output-ip4",
1101 .node_name = "acl-plugin-out-ip4-l2",
1102 .runs_before = VNET_FEATURES ("l2-output-feat-arc-end"),
1106 VLIB_REGISTER_NODE (acl_in_fa_ip6_node) =
1108 .name = "acl-plugin-in-ip6-fa",
1109 .vector_size = sizeof (u32),
1110 .format_trace = format_acl_plugin_trace,
1111 .type = VLIB_NODE_TYPE_INTERNAL,
1112 .n_errors = ARRAY_LEN (acl_fa_error_strings),
1113 .error_strings = acl_fa_error_strings,
1114 .n_next_nodes = ACL_FA_N_NEXT,
1117 [ACL_FA_ERROR_DROP] = "error-drop",
1121 VNET_FEATURE_INIT (acl_in_ip6_fa_feature, static) =
1123 .arc_name = "ip6-unicast",
1124 .node_name = "acl-plugin-in-ip6-fa",
1125 .runs_before = VNET_FEATURES ("ip6-flow-classify"),
1128 VLIB_REGISTER_NODE (acl_in_fa_ip4_node) =
1130 .name = "acl-plugin-in-ip4-fa",
1131 .vector_size = sizeof (u32),
1132 .format_trace = format_acl_plugin_trace,
1133 .type = VLIB_NODE_TYPE_INTERNAL,
1134 .n_errors = ARRAY_LEN (acl_fa_error_strings),
1135 .error_strings = acl_fa_error_strings,
1136 .n_next_nodes = ACL_FA_N_NEXT,
1139 [ACL_FA_ERROR_DROP] = "error-drop",
1143 VNET_FEATURE_INIT (acl_in_ip4_fa_feature, static) =
1145 .arc_name = "ip4-unicast",
1146 .node_name = "acl-plugin-in-ip4-fa",
1147 .runs_before = VNET_FEATURES ("ip4-flow-classify"),
1151 VLIB_REGISTER_NODE (acl_out_fa_ip6_node) =
1153 .name = "acl-plugin-out-ip6-fa",
1154 .vector_size = sizeof (u32),
1155 .format_trace = format_acl_plugin_trace,
1156 .type = VLIB_NODE_TYPE_INTERNAL,
1157 .n_errors = ARRAY_LEN (acl_fa_error_strings),
1158 .error_strings = acl_fa_error_strings,
1159 .n_next_nodes = ACL_FA_N_NEXT,
1162 [ACL_FA_ERROR_DROP] = "error-drop",
1166 VNET_FEATURE_INIT (acl_out_ip6_fa_feature, static) =
1168 .arc_name = "ip6-output",
1169 .node_name = "acl-plugin-out-ip6-fa",
1170 .runs_before = VNET_FEATURES ("interface-output"),
1173 VLIB_REGISTER_NODE (acl_out_fa_ip4_node) =
1175 .name = "acl-plugin-out-ip4-fa",
1176 .vector_size = sizeof (u32),
1177 .format_trace = format_acl_plugin_trace,
1178 .type = VLIB_NODE_TYPE_INTERNAL,
1179 .n_errors = ARRAY_LEN (acl_fa_error_strings),
1180 .error_strings = acl_fa_error_strings,
1181 .n_next_nodes = ACL_FA_N_NEXT,
1182 /* edit / add dispositions here */
1185 [ACL_FA_ERROR_DROP] = "error-drop",
1189 VNET_FEATURE_INIT (acl_out_ip4_fa_feature, static) =
1191 .arc_name = "ip4-output",
1192 .node_name = "acl-plugin-out-ip4-fa",
1193 .runs_before = VNET_FEATURES ("interface-output"),
1199 * fd.io coding-style-patch-verification: ON
1202 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob