acl: rework headers to enable out-of-tree usage
[vpp.git] / src / plugins / acl / public_inlines.h
index ca42519..eb9f0de 100644 (file)
 #include <stdint.h>
 
 #include <vlib/unix/plugin.h>
-#include <plugins/acl/acl.h>
-#include <plugins/acl/fa_node.h>
-#include <plugins/acl/hash_lookup_private.h>
+#include "acl.h"
+#include "fa_node.h"
+#include "hash_lookup_private.h"
 
-#include <plugins/acl/exported_types.h>
+#include "exported_types.h"
 
 #define LOAD_SYMBOL_FROM_PLUGIN_TO(p, s, st)                              \
 ({                                                                        \
@@ -58,6 +58,13 @@ offset_within_packet (vlib_buffer_t * b0, int offset)
   return (offset <= (b0->current_length - 8));
 }
 
+always_inline int
+offset_beyond_packet (vlib_buffer_t * b0, int offset)
+{
+  /* For the purposes of this code, "within" means we have at least 8 bytes after it */
+  return (offset > (b0->current_length - 8));
+}
+
 
 always_inline void
 acl_fill_5tuple_l3_data (acl_main_t * am, vlib_buffer_t * b0, int is_ip6,
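Review bot: The comment inside `offset_beyond_packet` is copied from `offset_within_packet` and still explains "within", so it does not say what this helper returns. Suggest `/* "beyond" is the exact negation of offset_within_packet(): fewer than 8 bytes remain at this offset */`, or defining the body as `return !offset_within_packet (b0, offset);` so the two cannot drift apart. Assuming the comparison is evaluated as signed, neither helper rejects a negative `offset`, which would be reported as inside the packet; the comment should say that callers must pass a non-negative value. The hunk ends on the first line of the `acl_fill_5tuple_l3_data` signature, which continues in the next hunk.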
@@ -65,20 +72,19 @@ acl_fill_5tuple_l3_data (acl_main_t * am, vlib_buffer_t * b0, int is_ip6,
 {
   if (is_ip6)
     {
-      clib_memcpy (&p5tuple_pkt->ip6_addr,
-                  get_ptr_to_offset (b0,
-                                     offsetof (ip6_header_t,
-                                               src_address) + l3_offset),
-                  sizeof (p5tuple_pkt->ip6_addr));
+      ip6_header_t *ip6 = vlib_buffer_get_current (b0) + l3_offset;
+      p5tuple_pkt->ip6_addr[0] = ip6->src_address;
+      p5tuple_pkt->ip6_addr[1] = ip6->dst_address;
     }
   else
     {
-      memset(p5tuple_pkt->l3_zero_pad, 0, sizeof(p5tuple_pkt->l3_zero_pad));
-      clib_memcpy (&p5tuple_pkt->ip4_addr,
-                  get_ptr_to_offset (b0,
-                                     offsetof (ip4_header_t,
-                                               src_address) + l3_offset),
-                  sizeof (p5tuple_pkt->ip4_addr));
+      int ii;
+      for(ii=0; ii<6; ii++) {
+        p5tuple_pkt->l3_zero_pad[ii] = 0;
+      }
+      ip4_header_t *ip4 = vlib_buffer_get_current (b0) + l3_offset;
+      p5tuple_pkt->ip4_addr[0] = ip4->src_address;
+      p5tuple_pkt->ip4_addr[1] = ip4->dst_address;
     }
 }
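Review bot: The zeroing loop in the IPv4 branch hard-codes `6` where the removed line used `sizeof(p5tuple_pkt->l3_zero_pad)`, so a later change to the pad size would either leave stale bytes in the 5-tuple or write past the array with no compiler diagnostic. The tuple appears to be used as a lookup key elsewhere in this file, so stale pad bytes would make otherwise identical flows compare unequal; `for (ii = 0; ii < ARRAY_LEN (p5tuple_pkt->l3_zero_pad); ii++)` keeps the bound tied to the declaration. Separately, both branches now dereference a typed header pointer at `vlib_buffer_get_current (b0) + l3_offset`, and nothing in the visible lines checks that a full IPv4/IPv6 header fits within `b0->current_length`. The same pattern is repeated in `acl_fill_5tuple_l4_and_pkt_data`, so a comment naming where that length is guaranteed would help.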
 
@@ -90,23 +96,19 @@ acl_fill_5tuple_l4_and_pkt_data (acl_main_t * am, u32 sw_if_index0, vlib_buffer_
   static u8 icmp_protos_v4v6[] = { IP_PROTOCOL_ICMP, IP_PROTOCOL_ICMP6 };
 
   int l4_offset;
-  u16 ports[2];
+  u16 ports[2] = { 0 };
   u8 proto;
 
-  fa_session_l4_key_t tmp_l4 = { .lsb_of_sw_if_index = sw_if_index0 & 0xffff };
+  u8 tmp_l4_flags = 0;
   fa_packet_info_t tmp_pkt = { .is_ip6 = is_ip6, .mask_type_index_lsb = ~0 };
 
   if (is_ip6)
     {
-      proto =
-       *(u8 *) get_ptr_to_offset (b0,
-                                  offsetof (ip6_header_t,
-                                            protocol) + l3_offset);
+      ip6_header_t *ip6 = vlib_buffer_get_current (b0) + l3_offset;
+      proto = ip6->protocol;
+
       l4_offset = l3_offset + sizeof (ip6_header_t);
-#ifdef FA_NODE_VERBOSE_DEBUG
-      clib_warning ("ACL_FA_NODE_DBG: proto: %d, l4_offset: %d", proto,
-                   l4_offset);
-#endif
+
       /* IP6 EH handling is here, increment l4_offset if needs to, update the proto */
       int need_skip_eh = clib_bitmap_get (am->fa_ipv6_known_eh_bitmap, proto);
       if (PREDICT_FALSE (need_skip_eh))
@@ -117,8 +119,7 @@ acl_fill_5tuple_l4_and_pkt_data (acl_main_t * am, u32 sw_if_index0, vlib_buffer_
              if (PREDICT_FALSE(ACL_EH_FRAGMENT == proto))
                {
                  proto = *(u8 *) get_ptr_to_offset (b0, l4_offset);
-                 u16 frag_offset;
-                 clib_memcpy (&frag_offset, get_ptr_to_offset (b0, 2 + l4_offset), sizeof(frag_offset));
+                 u16 frag_offset = *(u16 *) get_ptr_to_offset (b0, 2 + l4_offset);
                  frag_offset = clib_net_to_host_u16(frag_offset) >> 3;
                  if (frag_offset)
                    {
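Review bot: Replacing the `clib_memcpy` with `*(u16 *) get_ptr_to_offset (b0, 2 + l4_offset)` turns a byte-wise copy into a typed load from packet data, which is only safe if that address is 2-byte aligned and is a strict-aliasing hazard in standard C. `l4_offset` is advanced by lengths taken from the packet, so alignment depends on where the buffer's current data starts. If the intent is to avoid the memcpy call, `u16 frag_offset = clib_mem_unaligned (get_ptr_to_offset (b0, 2 + l4_offset), u16);` states the unaligned read explicitly. The enclosing loop starts and ends outside this hunk, so whether `2 + l4_offset` is bounds-checked before the load cannot be confirmed from here.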
@@ -138,10 +139,6 @@ acl_fill_5tuple_l4_and_pkt_data (acl_main_t * am, u32 sw_if_index0, vlib_buffer_
                  proto = *(u8 *) get_ptr_to_offset (b0, l4_offset);
                  l4_offset += 8 * (1 + (u16) nwords);
                 }
-#ifdef FA_NODE_VERBOSE_DEBUG
-             clib_warning ("ACL_FA_NODE_DBG: new proto: %d, new offset: %d",
-                           proto, l4_offset);
-#endif
              need_skip_eh =
                clib_bitmap_get (am->fa_ipv6_known_eh_bitmap, proto);
            }
@@ -149,21 +146,12 @@ acl_fill_5tuple_l4_and_pkt_data (acl_main_t * am, u32 sw_if_index0, vlib_buffer_
     }
   else
     {
-      proto =
-       *(u8 *) get_ptr_to_offset (b0,
-                                  offsetof (ip4_header_t,
-                                            protocol) + l3_offset);
-      l4_offset = l3_offset + sizeof (ip4_header_t);
-      u16 flags_and_fragment_offset;
-      clib_memcpy (&flags_and_fragment_offset,
-                   get_ptr_to_offset (b0,
-                                      offsetof (ip4_header_t,
-                                                flags_and_fragment_offset)) + l3_offset,
-                                                sizeof(flags_and_fragment_offset));
-      flags_and_fragment_offset = clib_net_to_host_u16 (flags_and_fragment_offset);
+      ip4_header_t *ip4 = vlib_buffer_get_current (b0) + l3_offset;
+      proto = ip4->protocol;
+      l4_offset = l3_offset + ip4_header_bytes(ip4);
 
       /* non-initial fragments have non-zero offset */
-      if ((PREDICT_FALSE(0xfff & flags_and_fragment_offset)))
+      if (PREDICT_FALSE(ip4_get_fragment_offset(ip4)))
         {
           tmp_pkt.is_nonfirst_fragment = 1;
           /* invalidate L4 offset so we don't try to find L4 info */
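Review bot: `ip4_header_bytes(ip4)` derives the L4 offset from the IHL field of the packet, and the visible lines do not reject a value below `sizeof (ip4_header_t)`. Unless an earlier node has already validated the header, an IHL under 5 would place `l4_offset` inside the IP header, and the ports used for ACL matching would then be read from IP header bytes. A guard such as `if (PREDICT_FALSE (ip4_header_bytes (ip4) < sizeof (ip4_header_t)))` that treats the packet as having no valid L4 data would close that. The function body starts and ends outside this hunk.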
@@ -171,50 +159,47 @@ acl_fill_5tuple_l4_and_pkt_data (acl_main_t * am, u32 sw_if_index0, vlib_buffer_
         }
 
     }
-  tmp_l4.proto = proto;
-  tmp_l4.is_input = is_input;
+  tmp_l4_flags |= is_input ? FA_SK_L4_FLAG_IS_INPUT : 0;
 
   if (PREDICT_TRUE (offset_within_packet (b0, l4_offset)))
     {
+      tcp_header_t *tcph = vlib_buffer_get_current (b0) + l4_offset;
+      udp_header_t *udph = vlib_buffer_get_current (b0) + l4_offset;
       tmp_pkt.l4_valid = 1;
-      if (icmp_protos_v4v6[is_ip6] == proto)
+
+      if (PREDICT_FALSE(icmp_protos_v4v6[is_ip6] == proto))
        {
-         /* type */
-         tmp_l4.port[0] =
-           *(u8 *) get_ptr_to_offset (b0,
-                                      l4_offset + offsetof (icmp46_header_t,
-                                                            type));
-         /* code */
-         tmp_l4.port[1] =
-           *(u8 *) get_ptr_to_offset (b0,
-                                      l4_offset + offsetof (icmp46_header_t,
-                                                            code));
-          tmp_l4.is_slowpath = 1;
+          icmp46_header_t *icmph = vlib_buffer_get_current (b0) + l4_offset;
+         ports[0] = icmph->type;
+         ports[1] = icmph->code;
+          /* ICMP needs special handling */
+          tmp_l4_flags |= FA_SK_L4_FLAG_IS_SLOWPATH;
        }
-      else if ((IP_PROTOCOL_TCP == proto) || (IP_PROTOCOL_UDP == proto))
+      else if (IP_PROTOCOL_TCP == proto)
        {
-         clib_memcpy (&ports,
-                      get_ptr_to_offset (b0,
-                                         l4_offset + offsetof (tcp_header_t,
-                                                               src_port)),
-                      sizeof (ports));
-         tmp_l4.port[0] = clib_net_to_host_u16 (ports[0]);
-         tmp_l4.port[1] = clib_net_to_host_u16 (ports[1]);
-
-         tmp_pkt.tcp_flags =
-           *(u8 *) get_ptr_to_offset (b0,
-                                      l4_offset + offsetof (tcp_header_t,
-                                                            flags));
-         tmp_pkt.tcp_flags_valid = (proto == IP_PROTOCOL_TCP);
-          tmp_l4.is_slowpath = 0;
+          ports[0] = clib_net_to_host_u16(tcph->src_port);
+          ports[1] = clib_net_to_host_u16(tcph->dst_port);
+         tmp_pkt.tcp_flags = tcph->flags;
+         tmp_pkt.tcp_flags_valid = 1;
        }
+      else if (IP_PROTOCOL_UDP == proto)
+       {
+          ports[0] = clib_net_to_host_u16(udph->src_port);
+          ports[1] = clib_net_to_host_u16(udph->dst_port);
+        }
       else
         {
-          tmp_l4.is_slowpath = 1;
+          tmp_l4_flags |= FA_SK_L4_FLAG_IS_SLOWPATH;
         }
     }
 
   p5tuple_pkt->as_u64 = tmp_pkt.as_u64;
+
+  fa_session_l4_key_t tmp_l4 = { .port = { ports[0], ports[1] },
+                                 .proto = proto,
+                                 .l4_flags = tmp_l4_flags,
+                                 .lsb_of_sw_if_index = sw_if_index0 & 0xffff };
+
   p5tuple_l4->as_u64 = tmp_l4.as_u64;
 }
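Review bot: `tmp_pkt.tcp_flags = tcph->flags` is reached after `offset_within_packet` has only established that 8 bytes follow `l4_offset`, while the flags byte sits further into the TCP header than that. For a truncated segment the flags used for matching would come from bytes past `current_length`; gating the assignment and `tcp_flags_valid` on `l4_offset + sizeof (tcp_header_t) <= b0->current_length` keeps the flag match tied to data actually in the packet. `tcph` and `udph` are also both computed before the protocol is known; declaring each inside its own branch, as is done for `icmph`, would read more clearly.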
 
@@ -307,8 +292,8 @@ single_acl_match_5tuple (acl_main_t * am, u32 acl_index, fa_5tuple_t * pkt_5tupl
                  u32 * r_rule_match_p, u32 * trace_bitmap)
 {
   int i;
-  acl_list_t *a;
   acl_rule_t *r;
+  acl_rule_t *acl_rules;
 
   if (pool_is_free_index (am->acls, acl_index))
     {
@@ -319,10 +304,10 @@ single_acl_match_5tuple (acl_main_t * am, u32 acl_index, fa_5tuple_t * pkt_5tupl
       /* the ACL does not exist but is used for policy. Block traffic. */
       return 0;
     }
-  a = am->acls + acl_index;
-  for (i = 0; i < a->count; i++)
+  acl_rules = am->acls[acl_index].rules;
+  for (i = 0; i < vec_len(acl_rules); i++)
     {
-      r = a->rules + i;
+      r = &acl_rules[i];
       if (is_ip6 != r->is_ipv6)
        {
          continue;
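Review bot: The loop condition `i < vec_len(acl_rules)` compares the signed `int i` with a vector length and re-evaluates the length macro on every iteration. Reading the length once into an unsigned local, e.g. `u32 n_rules = vec_len (acl_rules);` with a matching unsigned index, avoids the mixed-sign comparison and makes the bound explicit. The declaration of `i` is in the previous hunk and the loop body continues past the end of this one.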
@@ -605,7 +590,15 @@ multi_acl_match_get_applied_ace_index (acl_main_t * am, int is_ip6, fa_5tuple_t
       *pkey++ = *pmatch++ & *pmask++;
       *pkey++ = *pmatch++ & *pmask++;
 
-      kv_key->pkt.mask_type_index_lsb = mask_type_index;
+      /*
+       * The use of temporary variable convinces the compiler
+       * to make a u64 write, avoiding the stall on crc32 operation
+       * just a bit later.
+       */
+      fa_packet_info_t tmp_pkt = kv_key->pkt;
+      tmp_pkt.mask_type_index_lsb = mask_type_index;
+      kv_key->pkt.as_u64 = tmp_pkt.as_u64;
+
       int res =
        clib_bihash_search_inline_2_48_8 (&am->acl_lookup_hash, &kv, &result);
 
@@ -689,5 +682,46 @@ acl_plugin_match_5tuple_inline (void *p_acl_main, u32 lc_index,
 }
 
 
+always_inline int
+acl_plugin_match_5tuple_inline_and_count (void *p_acl_main, u32 lc_index,
+                                           fa_5tuple_opaque_t * pkt_5tuple,
+                                           int is_ip6, u8 * r_action,
+                                           u32 * r_acl_pos_p,
+                                           u32 * r_acl_match_p,
+                                           u32 * r_rule_match_p,
+                                           u32 * trace_bitmap,
+                                          u32 packet_size)
+{
+  acl_main_t *am = p_acl_main;
+  int ret = 0;
+  fa_5tuple_t * pkt_5tuple_internal = (fa_5tuple_t *)pkt_5tuple;
+  pkt_5tuple_internal->pkt.lc_index = lc_index;
+  if (PREDICT_TRUE(am->use_hash_acl_matching)) {
+    if (PREDICT_FALSE(pkt_5tuple_internal->pkt.is_nonfirst_fragment)) {
+      /*
+       * tuplemerge does not take fragments into account,
+       * and in general making fragments first class citizens has
+       * proved more overhead than it's worth - so just fall back to linear
+       * matching in that case.
+       */
+      ret = linear_multi_acl_match_5tuple(p_acl_main, lc_index, pkt_5tuple_internal, is_ip6, r_action,
+                                 r_acl_pos_p, r_acl_match_p, r_rule_match_p, trace_bitmap);
+    } else {
+      ret = hash_multi_acl_match_5tuple(p_acl_main, lc_index, pkt_5tuple_internal, is_ip6, r_action,
+                                 r_acl_pos_p, r_acl_match_p, r_rule_match_p, trace_bitmap);
+    }
+  } else {
+    ret = linear_multi_acl_match_5tuple(p_acl_main, lc_index, pkt_5tuple_internal, is_ip6, r_action,
+                                 r_acl_pos_p, r_acl_match_p, r_rule_match_p, trace_bitmap);
+  }
+  if (PREDICT_TRUE(ret)) {
+         u16 thread_index = os_get_thread_index ();
+         vlib_increment_combined_counter(am->combined_acl_counters + *r_acl_match_p, thread_index, *r_rule_match_p, 1, packet_size);
+  }
+  return ret;
+}
+
+
+
 
 #endif
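Review bot: `am->combined_acl_counters + *r_acl_match_p` indexes the counter vector with values returned through the out-parameters, and nothing in this function checks that `r_acl_match_p` and `r_rule_match_p` are non-NULL or that the counter vector has been sized for that ACL and rule index. As this is an inline exported for out-of-tree users, a header comment should state that both out-pointers are mandatory, that `packet_size` is the byte count added to the counter, and that this variant may only be used once the counters are allocated. `thread_index` is declared `u16` while receiving the result of `os_get_thread_index ()`; using the type that call returns avoids a silent narrowing. The matching logic looks like a copy of `acl_plugin_match_5tuple_inline` (whose body is outside this hunk); calling that helper and then incrementing the counter would keep the two from diverging.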