2 * l2_efp_filter.c : layer 2 egress EFP Filter processing
4 * Copyright (c) 2013 Cisco and/or its affiliates.
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
9 * http://www.apache.org/licenses/LICENSE-2.0
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
18 #include <vlib/vlib.h>
19 #include <vnet/vnet.h>
20 #include <vnet/ethernet/ethernet.h>
21 #include <vnet/ethernet/packet.h>
22 #include <vnet/l2/feat_bitmap.h>
23 #include <vnet/l2/l2_output.h>
24 #include <vnet/ethernet/ethernet.h>
26 #include <vppinfra/error.h>
27 #include <vppinfra/cache.h>
31 // Next nodes for features and output interfaces
32 l2_output_next_nodes_st next_nodes;
34 /* convenience variables */
35 vlib_main_t * vlib_main;
36 vnet_main_t * vnet_main;
37 } l2_efp_filter_main_t;
41 /* per-pkt trace data */
44 u8 raw[12]; // raw data (vlans)
46 } l2_efp_filter_trace_t;
48 /* packet trace format function */
49 static u8 * format_l2_efp_filter_trace (u8 * s, va_list * args)
51 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
52 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
53 l2_efp_filter_trace_t * t = va_arg (*args, l2_efp_filter_trace_t *);
55 s = format (s, "l2-output-vtr: sw_if_index %d dst %U src %U data "
56 "%02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x",
58 format_ethernet_address, t->dst,
59 format_ethernet_address, t->src,
60 t->raw[0], t->raw[1], t->raw[2], t->raw[3], t->raw[4], t->raw[5],
61 t->raw[6], t->raw[7], t->raw[8], t->raw[9], t->raw[10], t->raw[11]);
65 l2_efp_filter_main_t l2_efp_filter_main;
67 static vlib_node_registration_t l2_efp_filter_node;
69 #define foreach_l2_efp_filter_error \
70 _(L2_EFP_FILTER, "L2 EFP filter packets") \
71 _(DROP, "L2 EFP filter post-rewrite drops")
74 #define _(sym,str) L2_EFP_FILTER_ERROR_##sym,
75 foreach_l2_efp_filter_error
77 L2_EFP_FILTER_N_ERROR,
78 } l2_efp_filter_error_t;
80 static char * l2_efp_filter_error_strings[] = {
81 #define _(sym,string) string,
82 foreach_l2_efp_filter_error
87 L2_EFP_FILTER_NEXT_DROP,
89 } l2_efp_filter_next_t;
92 // Extract fields from the packet that will be used in interface classification
93 static_always_inline void
94 extract_keys (vnet_main_t * vnet_main,
97 u32 * port_sw_if_index0,
98 u16 * first_ethertype0,
103 ethernet_header_t * e0;
104 ethernet_vlan_header_t * h0;
108 *port_sw_if_index0 = vnet_get_sup_sw_interface (vnet_main, sw_if_index0)->sw_if_index;
110 e0 = vlib_buffer_get_current (b0);
111 h0 = (ethernet_vlan_header_t *)(e0+1);
113 *first_ethertype0 = clib_net_to_host_u16(e0->type);
114 *outer_id0 = clib_net_to_host_u16 (h0[0].priority_cfi_and_id);
115 *inner_id0 = clib_net_to_host_u16 (h0[1].priority_cfi_and_id);
117 tag_len = vnet_buffer(b0)->l2.l2_len - sizeof(ethernet_header_t);
118 tag_num = tag_len / sizeof(ethernet_vlan_header_t);
119 *match_flags0 = eth_create_valid_subint_match_flags (tag_num);
123 * EFP filtering is a basic switch feature which prevents an interface from
124 * transmitting a packet that doesn't match the interface's ingress match
125 * criteria. The check has two parts, one performed before egress vlan tag
126 * rewrite and one after.
128 * The pre-rewrite check insures the packet matches what an ingress packet looks
129 * like after going through the interface's ingress tag rewrite operation. Only
130 * pushed tags are compared. So:
131 * - if the ingress vlan tag rewrite pushes no tags (or is not enabled),
132 * any packet passes the filter
133 * - if the ingress vlan tag rewrite pushes one tag,
134 * the packet must have at least one tag, and the outer tag must match the pushed tag
135 * - if the ingress vlan tag rewrite pushes two tags,
136 * the packet must have at least two tags, and the outer two tags must match the pushed tags
138 * The pre-rewrite check is performed in the l2-output node.
140 * The post-rewrite check insures the packet matches what an ingress packet looks
141 * like before going through the interface's ingress tag rewrite operation. It verifies
142 * that such a packet arriving on the wire at this port would be classified as arriving
143 * an input interface equal to the packet's output interface. This can be done by running
144 * the output packet's vlan tags and output port through the interface classification,
145 * and checking if the resulting interface matches the output interface.
147 * The post-rewrite check is performed here.
151 l2_efp_filter_node_fn (vlib_main_t * vm,
152 vlib_node_runtime_t * node,
153 vlib_frame_t * frame)
155 u32 n_left_from, * from, * to_next;
156 l2_efp_filter_next_t next_index;
157 l2_efp_filter_main_t * msm = &l2_efp_filter_main;
158 vlib_node_t *n = vlib_get_node (vm, l2_efp_filter_node.index);
159 u32 node_counter_base_index = n->error_heap_index;
160 vlib_error_main_t * em = &vm->error_main;
161 u32 cached_sw_if_index = ~0;
162 u32 cached_next_index = ~0;
164 /* invalidate cache to begin with */
165 cached_sw_if_index = ~0;
167 from = vlib_frame_vector_args (frame);
168 n_left_from = frame->n_vectors; /* number of packets to process */
169 next_index = node->cached_next_index;
171 while (n_left_from > 0)
175 /* get space to enqueue frame to graph node "next_index" */
176 vlib_get_next_frame (vm, node, next_index,
177 to_next, n_left_to_next);
179 while (n_left_from >= 6 && n_left_to_next >= 2)
182 vlib_buffer_t * b0, * b1;
184 u32 sw_if_index0, sw_if_index1;
185 u32 feature_bitmap0, feature_bitmap1;
186 u16 first_ethertype0, first_ethertype1;
187 u16 outer_id0, inner_id0, outer_id1, inner_id1;
188 u32 match_flags0, match_flags1;
189 u32 port_sw_if_index0, subint_sw_if_index0, port_sw_if_index1, subint_sw_if_index1;
190 vnet_hw_interface_t * hi0, * hi1;
191 main_intf_t * main_intf0, * main_intf1;
192 vlan_intf_t * vlan_intf0, * vlan_intf1;
193 qinq_intf_t * qinq_intf0, * qinq_intf1;
195 __attribute__((unused)) u32 matched0, matched1;
198 /* Prefetch next iteration. */
200 vlib_buffer_t * p2, * p3, * p4, * p5;
201 __attribute__((unused)) u32 sw_if_index2, sw_if_index3;
203 p2 = vlib_get_buffer (vm, from[2]);
204 p3 = vlib_get_buffer (vm, from[3]);
205 p4 = vlib_get_buffer (vm, from[4]);
206 p5 = vlib_get_buffer (vm, from[5]);
208 // Prefetch the buffer header and packet for the N+2 loop iteration
209 vlib_prefetch_buffer_header (p4, LOAD);
210 vlib_prefetch_buffer_header (p5, LOAD);
212 CLIB_PREFETCH (p4->data, CLIB_CACHE_LINE_BYTES, STORE);
213 CLIB_PREFETCH (p5->data, CLIB_CACHE_LINE_BYTES, STORE);
215 // Prefetch the input config for the N+1 loop iteration
216 // This depends on the buffer header above
217 sw_if_index2 = vnet_buffer(p2)->sw_if_index[VLIB_TX];
218 sw_if_index3 = vnet_buffer(p3)->sw_if_index[VLIB_TX];
219 //TODO CLIB_PREFETCH (vec_elt_at_index(l2output_main.configs, sw_if_index2), CLIB_CACHE_LINE_BYTES, LOAD);
220 //TODO CLIB_PREFETCH (vec_elt_at_index(l2output_main.configs, sw_if_index3), CLIB_CACHE_LINE_BYTES, LOAD);
223 /* speculatively enqueue b0 and b1 to the current next frame */
224 /* bi is "buffer index", b is pointer to the buffer */
225 to_next[0] = bi0 = from[0];
226 to_next[1] = bi1 = from[1];
232 b0 = vlib_get_buffer (vm, bi0);
233 b1 = vlib_get_buffer (vm, bi1);
235 /* TX interface handles */
236 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_TX];
237 sw_if_index1 = vnet_buffer(b1)->sw_if_index[VLIB_TX];
240 em->counters[node_counter_base_index + L2_EFP_FILTER_ERROR_L2_EFP_FILTER] += 2;
242 // Remove ourself from the feature bitmap
243 feature_bitmap0 = vnet_buffer(b0)->l2.feature_bitmap & ~L2OUTPUT_FEAT_EFP_FILTER;
244 feature_bitmap1 = vnet_buffer(b1)->l2.feature_bitmap & ~L2OUTPUT_FEAT_EFP_FILTER;
246 // Determine next node
247 l2_output_dispatch (msm->vlib_main,
250 l2_efp_filter_node.index,
258 l2_output_dispatch (msm->vlib_main,
261 l2_efp_filter_node.index,
270 // perform the efp filter check on two packets
272 extract_keys (msm->vnet_main,
281 extract_keys (msm->vnet_main,
290 eth_vlan_table_lookups (ðernet_main,
301 eth_vlan_table_lookups (ðernet_main,
312 matched0 = eth_identify_subint (hi0,
318 &subint_sw_if_index0,
322 matched1 = eth_identify_subint (hi1,
328 &subint_sw_if_index1,
332 if (PREDICT_FALSE (sw_if_index0 != subint_sw_if_index0)) {
334 next0 = L2_EFP_FILTER_NEXT_DROP;
335 b0->error = node->errors[L2_EFP_FILTER_ERROR_DROP];
338 if (PREDICT_FALSE (sw_if_index1 != subint_sw_if_index1)) {
340 next1 = L2_EFP_FILTER_NEXT_DROP;
341 b1->error = node->errors[L2_EFP_FILTER_ERROR_DROP];
344 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE))) {
345 if (b0->flags & VLIB_BUFFER_IS_TRACED) {
346 ethernet_header_t * h0 = vlib_buffer_get_current (b0);
347 l2_efp_filter_trace_t *t =
348 vlib_add_trace (vm, node, b0, sizeof (*t));
349 t->sw_if_index = sw_if_index0;
350 memcpy(t->src, h0->src_address, 6);
351 memcpy(t->dst, h0->dst_address, 6);
352 memcpy(t->raw, &h0->type, sizeof(t->raw));
354 if (b1->flags & VLIB_BUFFER_IS_TRACED) {
355 ethernet_header_t * h1 = vlib_buffer_get_current (b1);
356 l2_efp_filter_trace_t *t =
357 vlib_add_trace (vm, node, b1, sizeof (*t));
358 t->sw_if_index = sw_if_index1;
359 memcpy(t->src, h1->src_address, 6);
360 memcpy(t->dst, h1->dst_address, 6);
361 memcpy(t->raw, &h1->type, sizeof(t->raw));
365 /* verify speculative enqueues, maybe switch current next frame */
366 /* if next0==next1==next_index then nothing special needs to be done */
367 vlib_validate_buffer_enqueue_x2 (vm, node, next_index,
368 to_next, n_left_to_next,
369 bi0, bi1, next0, next1);
372 while (n_left_from > 0 && n_left_to_next > 0)
379 u16 first_ethertype0;
380 u16 outer_id0, inner_id0;
382 u32 port_sw_if_index0, subint_sw_if_index0;
383 vnet_hw_interface_t * hi0;
384 main_intf_t * main_intf0;
385 vlan_intf_t * vlan_intf0;
386 qinq_intf_t * qinq_intf0;
388 __attribute__((unused)) u32 matched0;
391 /* speculatively enqueue b0 to the current next frame */
399 b0 = vlib_get_buffer (vm, bi0);
400 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_TX];
403 em->counters[node_counter_base_index + L2_EFP_FILTER_ERROR_L2_EFP_FILTER] += 1;
405 // Remove ourself from the feature bitmap
406 feature_bitmap0 = vnet_buffer(b0)->l2.feature_bitmap & ~L2OUTPUT_FEAT_EFP_FILTER;
408 // Determine next node
409 l2_output_dispatch (msm->vlib_main,
412 l2_efp_filter_node.index,
421 // perform the efp filter check on one packet
423 extract_keys (msm->vnet_main,
432 eth_vlan_table_lookups (ðernet_main,
443 matched0 = eth_identify_subint (hi0,
449 &subint_sw_if_index0,
453 if (PREDICT_FALSE (sw_if_index0 != subint_sw_if_index0)) {
455 next0 = L2_EFP_FILTER_NEXT_DROP;
456 b0->error = node->errors[L2_EFP_FILTER_ERROR_DROP];
459 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
460 && (b0->flags & VLIB_BUFFER_IS_TRACED))) {
461 ethernet_header_t * h0 = vlib_buffer_get_current (b0);
462 l2_efp_filter_trace_t *t =
463 vlib_add_trace (vm, node, b0, sizeof (*t));
464 t->sw_if_index = sw_if_index0;
465 memcpy(t->src, h0->src_address, 6);
466 memcpy(t->dst, h0->dst_address, 6);
467 memcpy(t->raw, &h0->type, sizeof(t->raw));
470 /* verify speculative enqueue, maybe switch current next frame */
471 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
472 to_next, n_left_to_next,
476 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
479 return frame->n_vectors;
483 VLIB_REGISTER_NODE (l2_efp_filter_node,static) = {
484 .function = l2_efp_filter_node_fn,
485 .name = "l2-efp-filter",
486 .vector_size = sizeof (u32),
487 .format_trace = format_l2_efp_filter_trace,
488 .type = VLIB_NODE_TYPE_INTERNAL,
490 .n_errors = ARRAY_LEN(l2_efp_filter_error_strings),
491 .error_strings = l2_efp_filter_error_strings,
493 .n_next_nodes = L2_EFP_FILTER_N_NEXT,
495 /* edit / add dispositions here */
497 [L2_EFP_FILTER_NEXT_DROP] = "error-drop",
501 clib_error_t *l2_efp_filter_init (vlib_main_t *vm)
503 l2_efp_filter_main_t * mp = &l2_efp_filter_main;
506 mp->vnet_main = vnet_get_main();
508 // Initialize the feature next-node indexes
509 feat_bitmap_init_next_nodes(vm,
510 l2_efp_filter_node.index,
512 l2output_get_feat_names(),
513 mp->next_nodes.feat_next_node_index);
515 // Initialize the output node mapping table
516 l2output_init_output_node_vec(&mp->next_nodes.output_node_index_vec);
521 VLIB_INIT_FUNCTION (l2_efp_filter_init);
524 // Enable/disable the EFP Filter check on the subinterface
525 void l2_efp_filter_configure (vnet_main_t * vnet_main,
529 // set the interface flag
530 l2output_intf_bitmap_enable(sw_if_index, L2OUTPUT_FEAT_EFP_FILTER, enable);
534 // set subinterface egress efp filter enable/disable
535 // The CLI format is:
536 // set interface l2 efp-filter <interface> [disable]]
537 static clib_error_t *
538 int_l2_efp_filter (vlib_main_t * vm,
539 unformat_input_t * input,
540 vlib_cli_command_t * cmd)
542 vnet_main_t * vnm = vnet_get_main();
543 clib_error_t * error = 0;
547 if (! unformat_user (input, unformat_vnet_sw_interface, vnm, &sw_if_index))
549 error = clib_error_return (0, "unknown interface `%U'",
550 format_unformat_error, input);
555 if (unformat (input, "disable")) {
559 // enable/disable the feature
560 l2_efp_filter_configure (vnm, sw_if_index, enable);
567 VLIB_CLI_COMMAND (int_l2_efp_filter_cli, static) = {
568 .path = "set interface l2 efp-filter",
569 .short_help = "set interface l2 efp-filter <interface> [disable]",
570 .function = int_l2_efp_filter,
Code Review / vpp.git / blob