#include <vnet/api_errno.h> /* for API error numbers */
#include <vnet/fib/fib_table.h> /* for FIB table and entry creation */
#include <vnet/fib/fib_entry.h> /* for FIB table and entry creation */
+#include <vnet/fib/fib_urpf_list.h> /* for FIB uRPF check */
#include <vnet/fib/ip4_fib.h>
#include <vnet/dpo/load_balance.h>
#include <vnet/dpo/classify_dpo.h>
+/**
+ * @file
+ * @brief IPv4 Forwarding.
+ *
+ * This file contains the source code for IPv4 forwarding.
+ */
+
void
ip4_forward_next_trace (vlib_main_t * vm,
vlib_node_runtime_t * node,
hash_c0 = vnet_buffer (p0)->ip.flow_hash =
ip4_compute_flow_hash (ip0, flow_hash_config0);
}
- if (PREDICT_FALSE(lb0->lb_n_buckets > 1))
+ if (PREDICT_FALSE(lb1->lb_n_buckets > 1))
{
flow_hash_config1 = lb1->lb_hash_config;
hash_c1 = vnet_buffer (p1)->ip.flow_hash =
}
}
}
-
+
while (n_left_from > 0 && n_left_to_next > 0)
{
vlib_buffer_t * p0;
{
flow_hash_config0 = lb0->lb_hash_config;
- hash_c0 = vnet_buffer (p0)->ip.flow_hash =
+ hash_c0 = vnet_buffer (p0)->ip.flow_hash =
ip4_compute_flow_hash (ip0, flow_hash_config0);
}
next0 = dpo0->dpoi_next_node;
vnet_buffer (p0)->ip.adj_index[VLIB_TX] = dpo0->dpoi_index;
- vlib_increment_combined_counter
+ vlib_increment_combined_counter
(cm, cpu_index, lbi0, 1,
vlib_buffer_length_in_chain (vm, p0));
vlib_get_next_frame (vm, node, next,
to_next, n_left_to_next);
-
+
while (n_left_from > 0 && n_left_to_next > 0)
{
ip_lookup_next_t next0;
hc0 = lb0->lb_hash_config;
vnet_buffer(p0)->ip.flow_hash = ip4_compute_flow_hash(ip0, hc0);
- dpo0 = load_balance_get_bucket_i(lb0,
+ dpo0 = load_balance_get_bucket_i(lb0,
vnet_buffer(p0)->ip.flow_hash &
(lb0->lb_n_buckets_minus_1));
next0 = dpo0->dpoi_next_node;
vnet_buffer (p0)->ip.adj_index[VLIB_TX] = dpo0->dpoi_index;
- vlib_increment_combined_counter
+ vlib_increment_combined_counter
(cm, cpu_index, lbi0, 1,
vlib_buffer_length_in_chain (vm, p0));
ip_interface_address_t * ia = 0;
ip4_address_t * result = 0;
- foreach_ip_interface_address (lm, ia, sw_if_index,
+ foreach_ip_interface_address (lm, ia, sw_if_index,
1 /* honor unnumbered */,
({
ip4_address_t * a = ip_interface_address_get_address (lm, ia);
/* When adding an address check that it does not conflict
with an existing address. */
ip_interface_address_t * ia;
- foreach_ip_interface_address (&im->lookup_main, ia, sw_if_index,
+ foreach_ip_interface_address (&im->lookup_main, ia, sw_if_index,
0 /* honor unnumbered */,
({
ip4_address_t * x = ip_interface_address_get_address (&im->lookup_main, ia);
&if_address_index);
if (error)
goto done;
-
+
ip4_sw_interface_enable_disable(sw_if_index, !is_del);
if (is_del)
else
ip4_add_interface_routes (sw_if_index,
im, ip4_af.fib_index,
- pool_elt_at_index
+ pool_elt_at_index
(lm->if_address_pool, if_address_index));
/* If pool did not grow/shrink: add duplicate address. */
}
/* Built-in ip4 unicast rx feature path definition */
+VNET_IP4_UNICAST_FEATURE_INIT (ip4_flow_classify, static) = {
+ .node_name = "ip4-flow-classify",
+ .runs_before = ORDER_CONSTRAINTS {"ip4-inacl", 0},
+ .feature_index = &ip4_main.ip4_unicast_rx_feature_flow_classify,
+};
+
VNET_IP4_UNICAST_FEATURE_INIT (ip4_inacl, static) = {
- .node_name = "ip4-inacl",
+ .node_name = "ip4-inacl",
.runs_before = ORDER_CONSTRAINTS {"ip4-source-check-via-rx", 0},
.feature_index = &ip4_main.ip4_unicast_rx_feature_check_access,
};
VNET_IP4_UNICAST_FEATURE_INIT (ip4_source_check_1, static) = {
.node_name = "ip4-source-check-via-rx",
.runs_before = ORDER_CONSTRAINTS {"ip4-source-check-via-any", 0},
- .feature_index =
+ .feature_index =
&ip4_main.ip4_unicast_rx_feature_source_reachable_via_rx,
};
VNET_IP4_UNICAST_FEATURE_INIT (ip4_source_check_2, static) = {
.node_name = "ip4-source-check-via-any",
.runs_before = ORDER_CONSTRAINTS {"ip4-policer-classify", 0},
- .feature_index =
+ .feature_index =
&ip4_main.ip4_unicast_rx_feature_source_reachable_via_any,
};
.feature_index = &ip4_main.ip4_multicast_rx_feature_drop,
};
-static char * rx_feature_start_nodes[] =
+static char * rx_feature_start_nodes[] =
{ "ip4-input", "ip4-input-no-checksum"};
-static char * tx_feature_start_nodes[] =
-{ "ip4-rewrite-transit"};
+static char * tx_feature_start_nodes[] =
+{
+ "ip4-rewrite-transit",
+ "ip4-midchain",
+};
/* Source and port-range check ip4 tx feature path definition */
VNET_IP4_TX_FEATURE_INIT (ip4_source_and_port_range_check_tx, static) = {
feature_start_nodes = tx_feature_start_nodes;
feature_start_len = ARRAY_LEN(tx_feature_start_nodes);
}
-
- if ((error = ip_feature_init_cast (vm, cm, vcm,
+
+ if ((error = vnet_feature_arc_init (vm, vcm,
feature_start_nodes,
feature_start_len,
- cast,
- VNET_L3_PACKET_TYPE_IP4)))
+ im->next_feature[cast],
+ &im->feature_nodes[cast])))
return error;
}
feature_index = im->ip4_tx_feature_interface_output;
if (is_add)
- ci = vnet_config_add_feature (vm, vcm,
+ ci = vnet_config_add_feature (vm, vcm,
ci,
feature_index,
/* config data */ 0,
if (i < 32)
m = pow2_mask (i) << (32 - i);
- else
+ else
m = ~0;
im->fib_masks[i] = clib_host_to_net_u32 (m);
}
typedef struct {
/* Adjacency taken. */
- u32 adj_index;
+ u32 dpo_index;
u32 flow_hash;
u32 fib_index;
uword indent = format_get_indent (s);
s = format (s, "fib %d dpo-idx %d flow hash: 0x%08x",
- t->fib_index, t->adj_index, t->flow_hash);
+ t->fib_index, t->dpo_index, t->flow_hash);
s = format (s, "\n%U%U",
format_white_space, indent,
format_ip4_header, t->packet_data, sizeof (t->packet_data));
vnet_main_t * vnm = vnet_get_main();
uword indent = format_get_indent (s);
- s = format (s, "tx_sw_if_index %d adj-idx %d : %U flow hash: 0x%08x",
- t->fib_index, t->adj_index, format_ip_adjacency,
- vnm, t->adj_index, FORMAT_IP_ADJACENCY_NONE,
+ s = format (s, "tx_sw_if_index %d dpo-idx %d : %U flow hash: 0x%08x",
+ t->fib_index, t->dpo_index, format_ip_adjacency,
+ t->dpo_index, FORMAT_IP_ADJACENCY_NONE,
t->flow_hash);
s = format (s, "\n%U%U",
format_white_space, indent,
format_ip_adjacency_packet_data,
- vnm, t->adj_index,
+ vnm, t->dpo_index,
t->packet_data, sizeof (t->packet_data));
return s;
}
n_left = frame->n_vectors;
from = vlib_frame_vector_args (frame);
-
+
while (n_left >= 4)
{
u32 bi0, bi1;
if (b0->flags & VLIB_BUFFER_IS_TRACED)
{
t0 = vlib_add_trace (vm, node, b0, sizeof (t0[0]));
- t0->adj_index = vnet_buffer (b0)->ip.adj_index[which_adj_index];
+ t0->dpo_index = vnet_buffer (b0)->ip.adj_index[which_adj_index];
t0->flow_hash = vnet_buffer (b0)->ip.flow_hash;
t0->fib_index = (vnet_buffer(b0)->sw_if_index[VLIB_TX] != (u32)~0) ?
vnet_buffer(b0)->sw_if_index[VLIB_TX] :
if (b1->flags & VLIB_BUFFER_IS_TRACED)
{
t1 = vlib_add_trace (vm, node, b1, sizeof (t1[0]));
- t1->adj_index = vnet_buffer (b1)->ip.adj_index[which_adj_index];
+ t1->dpo_index = vnet_buffer (b1)->ip.adj_index[which_adj_index];
t1->flow_hash = vnet_buffer (b1)->ip.flow_hash;
t1->fib_index = (vnet_buffer(b1)->sw_if_index[VLIB_TX] != (u32)~0) ?
vnet_buffer(b1)->sw_if_index[VLIB_TX] :
if (b0->flags & VLIB_BUFFER_IS_TRACED)
{
t0 = vlib_add_trace (vm, node, b0, sizeof (t0[0]));
- t0->adj_index = vnet_buffer (b0)->ip.adj_index[which_adj_index];
+ t0->dpo_index = vnet_buffer (b0)->ip.adj_index[which_adj_index];
t0->flow_hash = vnet_buffer (b0)->ip.flow_hash;
t0->fib_index = (vnet_buffer(b0)->sw_if_index[VLIB_TX] != (u32)~0) ?
vnet_buffer(b0)->sw_if_index[VLIB_TX] :
u32 n_this_buffer, n_bytes_left;
u16 sum16;
void * data_this_buffer;
-
+
/* Initialize checksum with ip header. */
ip_header_length = ip4_header_bytes (ip0);
payload_length_host_byte_order = clib_net_to_host_u16 (ip0->length) - ip_header_length;
from = vlib_frame_vector_args (frame);
n_left_from = frame->n_vectors;
next_index = node->cached_next_index;
-
+
if (node->flags & VLIB_NODE_FLAG_TRACE)
ip4_forward_next_trace (vm, node, frame, VLIB_TX);
u8 error0, is_udp0, is_tcp_udp0, good_tcp_udp0, proto0;
u8 error1, is_udp1, is_tcp_udp1, good_tcp_udp1, proto1;
u8 enqueue_code;
-
+
pi0 = to_next[0] = from[0];
pi1 = to_next[1] = from[1];
from += 2;
n_left_from -= 2;
to_next += 2;
n_left_to_next -= 2;
-
+
p0 = vlib_get_buffer (vm, pi0);
p1 = vlib_get_buffer (vm, pi1);
ip0 = vlib_buffer_get_current (p0);
ip1 = vlib_buffer_get_current (p1);
- fib_index0 = vec_elt (im->fib_index_by_sw_if_index,
+ fib_index0 = vec_elt (im->fib_index_by_sw_if_index,
vnet_buffer(p0)->sw_if_index[VLIB_RX]);
- fib_index1 = vec_elt (im->fib_index_by_sw_if_index,
+ fib_index1 = vec_elt (im->fib_index_by_sw_if_index,
vnet_buffer(p1)->sw_if_index[VLIB_RX]);
mtrie0 = &ip4_fib_get (fib_index0)->mtrie;
dpo0 = load_balance_get_bucket_i(lb0, 0);
dpo1 = load_balance_get_bucket_i(lb1, 0);
- /*
+ /*
* Must have a route to source otherwise we drop the packet.
* ip4 broadcasts are accepted, e.g. to make dhcp client work
+ *
+ * The checks are:
+ * - the source is a recieve => it's from us => bogus, do this
+ * first since it sets a different error code.
+ * - uRPF check for any route to source - accept if passes.
+ * - allow packets destined to the broadcast address from unknown sources
*/
- error0 = (error0 == IP4_ERROR_UNKNOWN_PROTOCOL
- && dpo0->dpoi_type != DPO_ADJACENCY
- && dpo0->dpoi_type != DPO_ADJACENCY_INCOMPLETE
- && dpo0->dpoi_type != DPO_RECEIVE
- && dpo0->dpoi_type != DPO_DROP
- && dpo0->dpoi_type != DPO_ADJACENCY_GLEAN
- && ip0->dst_address.as_u32 != 0xFFFFFFFF
+ error0 = ((error0 == IP4_ERROR_UNKNOWN_PROTOCOL &&
+ dpo0->dpoi_type == DPO_RECEIVE) ?
+ IP4_ERROR_SPOOFED_LOCAL_PACKETS :
+ error0);
+ error0 = ((error0 == IP4_ERROR_UNKNOWN_PROTOCOL &&
+ !fib_urpf_check_size(lb0->lb_urpf) &&
+ ip0->dst_address.as_u32 != 0xFFFFFFFF)
? IP4_ERROR_SRC_LOOKUP_MISS
: error0);
- error0 = (dpo0->dpoi_type == DPO_RECEIVE ?
- IP4_ERROR_SPOOFED_LOCAL_PACKETS :
- error0);
- error1 = (error1 == IP4_ERROR_UNKNOWN_PROTOCOL
- && dpo1->dpoi_type != DPO_ADJACENCY
- && dpo1->dpoi_type != DPO_ADJACENCY_INCOMPLETE
- && dpo1->dpoi_type != DPO_RECEIVE
- && dpo1->dpoi_type != DPO_DROP
- && dpo1->dpoi_type != DPO_ADJACENCY_GLEAN
- && ip1->dst_address.as_u32 != 0xFFFFFFFF
+ error1 = ((error1 == IP4_ERROR_UNKNOWN_PROTOCOL &&
+ dpo1->dpoi_type == DPO_RECEIVE) ?
+ IP4_ERROR_SPOOFED_LOCAL_PACKETS :
+ error1);
+ error1 = ((error1 == IP4_ERROR_UNKNOWN_PROTOCOL &&
+ !fib_urpf_check_size(lb1->lb_urpf) &&
+ ip1->dst_address.as_u32 != 0xFFFFFFFF)
? IP4_ERROR_SRC_LOOKUP_MISS
: error1);
- error1 = (dpo0->dpoi_type == DPO_RECEIVE ?
- IP4_ERROR_SPOOFED_LOCAL_PACKETS :
- error1);
next0 = lm->local_next_by_ip_protocol[proto0];
next1 = lm->local_next_by_ip_protocol[proto1];
n_left_from -= 1;
to_next += 1;
n_left_to_next -= 1;
-
+
p0 = vlib_get_buffer (vm, pi0);
ip0 = vlib_buffer_get_current (p0);
- fib_index0 = vec_elt (im->fib_index_by_sw_if_index,
+ fib_index0 = vec_elt (im->fib_index_by_sw_if_index,
vnet_buffer(p0)->sw_if_index[VLIB_RX]);
mtrie0 = &ip4_fib_get (fib_index0)->mtrie;
vnet_buffer (p0)->ip.adj_index[VLIB_RX] =
dpo0->dpoi_index;
- /* Must have a route to source otherwise we drop the packet. */
- error0 = (error0 == IP4_ERROR_UNKNOWN_PROTOCOL
- && dpo0->dpoi_type != DPO_ADJACENCY
- && dpo0->dpoi_type != DPO_ADJACENCY_INCOMPLETE
- && dpo0->dpoi_type != DPO_RECEIVE
- && dpo0->dpoi_type != DPO_DROP
- && dpo0->dpoi_type != DPO_ADJACENCY_GLEAN
- && ip0->dst_address.as_u32 != 0xFFFFFFFF
+ error0 = ((error0 == IP4_ERROR_UNKNOWN_PROTOCOL &&
+ dpo0->dpoi_type == DPO_RECEIVE) ?
+ IP4_ERROR_SPOOFED_LOCAL_PACKETS :
+ error0);
+ error0 = ((error0 == IP4_ERROR_UNKNOWN_PROTOCOL &&
+ !fib_urpf_check_size(lb0->lb_urpf) &&
+ ip0->dst_address.as_u32 != 0xFFFFFFFF)
? IP4_ERROR_SRC_LOOKUP_MISS
: error0);
- /* Packet originated from a local address => spoofing */
- error0 = (dpo0->dpoi_type == DPO_RECEIVE ?
- IP4_ERROR_SPOOFED_LOCAL_PACKETS :
- error0);
next0 = lm->local_next_by_ip_protocol[proto0];
n_left_to_next -= 1;
}
}
-
+
vlib_put_next_frame (vm, node, next_index, n_left_to_next);
}
+/*?
+ * Display the set of protocols handled by the local IPv4 stack.
+ *
+ * @cliexpar
+ * Example of how to display local protocol table:
+ * @cliexstart{show ip local}
+ * Protocols handled by ip4_local
+ * 1
+ * 17
+ * 47
+ * @cliexend
+?*/
+/* *INDENT-OFF* */
VLIB_CLI_COMMAND (show_ip_local, static) = {
.path = "show ip local",
.function = show_ip_local_command_fn,
- .short_help = "Show ip local protocol table",
+ .short_help = "show ip local",
};
+/* *INDENT-ON* */
always_inline uword
ip4_arp_inline (vlib_main_t * vm,
uword n_left_from, n_left_to_next_drop, next_index;
static f64 time_last_seed_change = -1e100;
static u32 hash_seeds[3];
- static uword hash_bitmap[256 / BITS (uword)];
+ static uword hash_bitmap[256 / BITS (uword)];
f64 time_now;
if (node->flags & VLIB_NODE_FLAG_TRACE)
/*
* this is the Glean case, so we are ARPing for the
- * packet's destination
+ * packet's destination
*/
a0 = hash_seeds[0];
b0 = hash_seeds[1];
p0->error = node->errors[drop0 ? IP4_ARP_ERROR_DROP : IP4_ARP_ERROR_REQUEST_SENT];
+ /*
+ * the adj has been updated to a rewrite but the node the DPO that got
+ * us here hasn't - yet. no big deal. we'll drop while we wait.
+ */
+ if (IP_LOOKUP_NEXT_REWRITE == adj0->lookup_next_index)
+ continue;
+
if (drop0)
continue;
- /*
+ /*
* Can happen if the control-plane is programming tables
* with traffic flowing; at least that's today's lame excuse.
*/
clib_error_t * arp_notrace_init (vlib_main_t * vm)
{
- vlib_node_runtime_t *rt =
+ vlib_node_runtime_t *rt =
vlib_node_get_runtime (vm, ip4_arp_node.index);
/* don't trace ARP request packets */
if (!(si->flags & VNET_SW_INTERFACE_FLAG_ADMIN_UP))
{
return clib_error_return (0, "%U: interface %U down",
- format_ip4_address, dst,
- format_vnet_sw_if_index_name, vnm,
+ format_ip4_address, dst,
+ format_vnet_sw_if_index_name, vnm,
sw_if_index);
}
if (! src)
{
vnm->api_errno = VNET_API_ERROR_NO_MATCHING_INTERFACE;
- return clib_error_return
+ return clib_error_return
(0, "no matching interface address for destination %U (interface %U)",
format_ip4_address, dst,
format_vnet_sw_if_index_name, vnm, sw_if_index);
ip4_rewrite_inline (vlib_main_t * vm,
vlib_node_runtime_t * node,
vlib_frame_t * frame,
- int rewrite_for_locally_received_packets)
+ int rewrite_for_locally_received_packets,
+ int is_midchain)
{
ip_lookup_main_t * lm = &ip4_main.lookup_main;
u32 * from = vlib_frame_vector_args (frame);
n_left_from = frame->n_vectors;
next_index = node->cached_next_index;
u32 cpu_index = os_get_cpu_number();
-
+
while (n_left_from > 0)
{
vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
n_left_from -= 2;
to_next += 2;
n_left_to_next -= 2;
-
+
p0 = vlib_get_buffer (vm, pi0);
p1 = vlib_get_buffer (vm, pi1);
/* Rewrite packet header and updates lengths. */
adj0 = ip_get_adjacency (lm, adj_index0);
adj1 = ip_get_adjacency (lm, adj_index1);
-
+
if (rewrite_for_locally_received_packets)
{
if (PREDICT_FALSE(adj0->lookup_next_index
if (rewrite_for_locally_received_packets)
next1 = next1 && next1_override ? next1_override : next1;
- /*
+ /*
* We've already accounted for an ethernet_header_t elsewhere
*/
if (PREDICT_FALSE (rw_len0 > sizeof(ethernet_header_t)))
- vlib_increment_combined_counter
+ vlib_increment_combined_counter
(&adjacency_counters,
- cpu_index, adj_index0,
+ cpu_index, adj_index0,
/* packet increment */ 0,
/* byte increment */ rw_len0-sizeof(ethernet_header_t));
if (PREDICT_FALSE (rw_len1 > sizeof(ethernet_header_t)))
- vlib_increment_combined_counter
+ vlib_increment_combined_counter
(&adjacency_counters,
- cpu_index, adj_index1,
+ cpu_index, adj_index1,
/* packet increment */ 0,
/* byte increment */ rw_len1-sizeof(ethernet_header_t));
vnet_buffer (p0)->sw_if_index[VLIB_TX] =
tx_sw_if_index0;
- if (PREDICT_FALSE
- (clib_bitmap_get (lm->tx_sw_if_has_ip_output_features,
+ if (PREDICT_FALSE
+ (clib_bitmap_get (lm->tx_sw_if_has_ip_output_features,
tx_sw_if_index0)))
{
- p0->current_config_index =
- vec_elt (cm->config_index_by_sw_if_index,
+ p0->current_config_index =
+ vec_elt (cm->config_index_by_sw_if_index,
tx_sw_if_index0);
vnet_get_config_data (&cm->config_main,
&p0->current_config_index,
vnet_buffer (p1)->sw_if_index[VLIB_TX] =
tx_sw_if_index1;
- if (PREDICT_FALSE
- (clib_bitmap_get (lm->tx_sw_if_has_ip_output_features,
+ if (PREDICT_FALSE
+ (clib_bitmap_get (lm->tx_sw_if_has_ip_output_features,
tx_sw_if_index1)))
{
- p1->current_config_index =
- vec_elt (cm->config_index_by_sw_if_index,
+ p1->current_config_index =
+ vec_elt (cm->config_index_by_sw_if_index,
tx_sw_if_index1);
vnet_get_config_data (&cm->config_main,
&p1->current_config_index,
vnet_rewrite_two_headers (adj0[0], adj1[0],
ip0, ip1,
sizeof (ethernet_header_t));
-
+
+ if (is_midchain)
+ {
+ adj0->sub_type.midchain.fixup_func(vm, adj0, p0);
+ adj1->sub_type.midchain.fixup_func(vm, adj1, p1);
+ }
+
vlib_validate_buffer_enqueue_x2 (vm, node, next_index,
to_next, n_left_to_next,
pi0, pi1, next0, next1);
ASSERT(adj_index0);
adj0 = ip_get_adjacency (lm, adj_index0);
-
+
ip0 = vlib_buffer_get_current (p0);
error0 = IP4_ERROR_NONE;
if (rewrite_for_locally_received_packets)
{
- /*
+ /*
* We have to override the next_index in ARP adjacencies,
* because they're set up for ip4-arp, not this node...
*/
}
/* Guess we are only writing on simple Ethernet header. */
- vnet_rewrite_one_header (adj0[0], ip0,
+ vnet_rewrite_one_header (adj0[0], ip0,
sizeof (ethernet_header_t));
-
+
/* Update packet buffer attributes/set output interface. */
rw_len0 = adj0[0].rewrite_header.data_bytes;
vnet_buffer(p0)->ip.save_rewrite_length = rw_len0;
-
+
if (PREDICT_FALSE (rw_len0 > sizeof(ethernet_header_t)))
- vlib_increment_combined_counter
+ vlib_increment_combined_counter
(&adjacency_counters,
- cpu_index, adj_index0,
+ cpu_index, adj_index0,
/* packet increment */ 0,
/* byte increment */ rw_len0-sizeof(ethernet_header_t));
-
+
/* Check MTU of outgoing interface. */
- error0 = (vlib_buffer_length_in_chain (vm, p0)
+ error0 = (vlib_buffer_length_in_chain (vm, p0)
> adj0[0].rewrite_header.max_l3_packet_bytes
? IP4_ERROR_MTU_EXCEEDED
: error0);
vnet_buffer (p0)->sw_if_index[VLIB_TX] = tx_sw_if_index0;
next0 = adj0[0].rewrite_header.next_index;
- if (PREDICT_FALSE
- (clib_bitmap_get (lm->tx_sw_if_has_ip_output_features,
+ if (is_midchain)
+ {
+ adj0->sub_type.midchain.fixup_func(vm, adj0, p0);
+ }
+
+ if (PREDICT_FALSE
+ (clib_bitmap_get (lm->tx_sw_if_has_ip_output_features,
tx_sw_if_index0)))
{
- p0->current_config_index =
- vec_elt (cm->config_index_by_sw_if_index,
+ p0->current_config_index =
+ vec_elt (cm->config_index_by_sw_if_index,
tx_sw_if_index0);
vnet_get_config_data (&cm->config_main,
&p0->current_config_index,
n_left_from -= 1;
to_next += 1;
n_left_to_next -= 1;
-
+
vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
to_next, n_left_to_next,
pi0, next0);
}
-
+
vlib_put_next_frame (vm, node, next_index, n_left_to_next);
}
- the rewrite adjacency index
- <code>adj->lookup_next_index</code>
- Must be IP_LOOKUP_NEXT_REWRITE or IP_LOOKUP_NEXT_ARP, otherwise
- the packet will be dropped.
+ the packet will be dropped.
- <code>adj->rewrite_header</code>
- Rewrite string length, rewrite string, next_index
<em>Next Indices:</em>
- <code> adj->rewrite_header.next_index </code>
- or @c error-drop
+ or @c error-drop
*/
static uword
ip4_rewrite_transit (vlib_main_t * vm,
vlib_frame_t * frame)
{
return ip4_rewrite_inline (vm, node, frame,
- /* rewrite_for_locally_received_packets */ 0);
+ /* rewrite_for_locally_received_packets */ 0, 0);
}
/** @brief IPv4 local rewrite node.
- the rewrite adjacency index
- <code>adj->lookup_next_index</code>
- Must be IP_LOOKUP_NEXT_REWRITE or IP_LOOKUP_NEXT_ARP, otherwise
- the packet will be dropped.
+ the packet will be dropped.
- <code>adj->rewrite_header</code>
- Rewrite string length, rewrite string, next_index
<em>Next Indices:</em>
- <code> adj->rewrite_header.next_index </code>
- or @c error-drop
+ or @c error-drop
*/
static uword
vlib_frame_t * frame)
{
return ip4_rewrite_inline (vm, node, frame,
- /* rewrite_for_locally_received_packets */ 1);
+ /* rewrite_for_locally_received_packets */ 1, 0);
}
static uword
vlib_frame_t * frame)
{
return ip4_rewrite_inline (vm, node, frame,
- /* rewrite_for_locally_received_packets */ 0);
+ /* rewrite_for_locally_received_packets */ 0, 1);
}
VLIB_REGISTER_NODE (ip4_rewrite_node) = {
.format_trace = format_ip4_forward_next_trace,
- .n_next_nodes = 2,
- .next_nodes = {
- [IP4_REWRITE_NEXT_DROP] = "error-drop",
- [IP4_REWRITE_NEXT_ARP] = "ip4-arp",
- },
+ .sibling_of = "ip4-rewrite-transit",
};
VLIB_NODE_FUNCTION_MULTIARCH (ip4_midchain_node, ip4_midchain)
}
/*?
- * Place the indicated interface into the supplied VRF
- *
- * @cliexpar
- * @cliexstart{set interface ip table}
+ * Place the indicated interface into the supplied IPv4 FIB table (also known
+ * as a VRF). If the FIB table does not exist, this command creates it. To
+ * display the current IPv4 FIB table, use the command '<em>show ip fib</em>'.
+ * FIB table will only be displayed if a route has been added to the table, or
+ * an IP Address is assigned to an interface in the table (which adds a route
+ * automatically).
*
- * vpp# set interface ip table GigabitEthernet2/0/0 2
+ * @note IP addresses added after setting the interface IP table end up in
+ * the indicated FIB table. If the IP address is added prior to adding the
+ * interface to the FIB table, it will NOT be part of the FIB table. Predictable
+ * but potentially counter-intuitive results occur if you provision interface
+ * addresses in multiple FIBs. Upon RX, packets will be processed in the last
+ * IP table ID provisioned. It might be marginally useful to evade source RPF
+ * drops to put an interface address into multiple FIBs.
*
- * Interface addresses added after setting the interface IP table end up in the indicated VRF table.
- * Predictable but potentially counter-intuitive results occur if you provision interface addresses in multiple FIBs.
- * Upon RX, packets will be processed in the last IP table ID provisioned.
- * It might be marginally useful to evade source RPF drops to put an interface address into multiple FIBs.
- * @cliexend
+ * @cliexpar
+ * Example of how to add an interface to an IPv4 FIB table (where 2 is the table-id):
+ * @cliexcmd{set interface ip table GigabitEthernet2/0/0 2}
?*/
+/* *INDENT-OFF* */
VLIB_CLI_COMMAND (set_interface_ip_table_command, static) = {
.path = "set interface ip table",
.function = add_del_interface_table,
- .short_help = "Add/delete FIB table id for interface",
+ .short_help = "set interface ip table <interface> <table-id>",
};
+/* *INDENT-ON* */
static uword
ASSERT (lb1->lb_n_buckets > 0);
ASSERT (is_pow2 (lb1->lb_n_buckets));
- vnet_buffer (p0)->ip.flow_hash = ip4_compute_flow_hash
+ vnet_buffer (p0)->ip.flow_hash = ip4_compute_flow_hash
(ip0, lb0->lb_hash_config);
-
- vnet_buffer (p1)->ip.flow_hash = ip4_compute_flow_hash
+
+ vnet_buffer (p1)->ip.flow_hash = ip4_compute_flow_hash
(ip1, lb1->lb_hash_config);
dpo0 = load_balance_get_bucket_i(lb0,
vnet_buffer (p1)->ip.adj_index[VLIB_TX] = dpo1->dpoi_index;
if (1) /* $$$$$$ HACK FIXME */
- vlib_increment_combined_counter
+ vlib_increment_combined_counter
(cm, cpu_index, lb_index0, 1,
vlib_buffer_length_in_chain (vm, p0));
if (1) /* $$$$$$ HACK FIXME */
- vlib_increment_combined_counter
+ vlib_increment_combined_counter
(cm, cpu_index, lb_index1, 1,
vlib_buffer_length_in_chain (vm, p1));
}
}
}
-
+
while (n_left_from > 0 && n_left_to_next > 0)
{
vlib_buffer_t * p0;
ip0 = vlib_buffer_get_current (p0);
- fib_index0 = vec_elt (im->fib_index_by_sw_if_index,
+ fib_index0 = vec_elt (im->fib_index_by_sw_if_index,
vnet_buffer (p0)->sw_if_index[VLIB_RX]);
fib_index0 = (vnet_buffer(p0)->sw_if_index[VLIB_TX] == (u32)~0) ?
fib_index0 : vnet_buffer(p0)->sw_if_index[VLIB_TX];
-
+
lb_index0 = ip4_fib_table_lookup_lb (ip4_fib_get(fib_index0),
&ip0->dst_address);
ASSERT (lb0->lb_n_buckets > 0);
ASSERT (is_pow2 (lb0->lb_n_buckets));
- vnet_buffer (p0)->ip.flow_hash = ip4_compute_flow_hash
+ vnet_buffer (p0)->ip.flow_hash = ip4_compute_flow_hash
(ip0, lb0->lb_hash_config);
dpo0 = load_balance_get_bucket_i(lb0,
vnet_buffer (p0)->ip.adj_index[VLIB_TX] = dpo0->dpoi_index;
if (1) /* $$$$$$ HACK FIXME */
- vlib_increment_combined_counter
+ vlib_increment_combined_counter
(cm, cpu_index, lb_index0, 1,
vlib_buffer_length_in_chain (vm, p0));
ip4_fib_mtrie_t * mtrie0;
ip4_fib_mtrie_leaf_t leaf0;
u32 lbi0;
-
+
mtrie0 = &ip4_fib_get (fib_index0)->mtrie;
leaf0 = IP4_FIB_MTRIE_LEAF_ROOT;
leaf0 = ip4_fib_mtrie_lookup_step (mtrie0, leaf0, a, 1);
leaf0 = ip4_fib_mtrie_lookup_step (mtrie0, leaf0, a, 2);
leaf0 = ip4_fib_mtrie_lookup_step (mtrie0, leaf0, a, 3);
-
+
/* Handle default route. */
leaf0 = (leaf0 == IP4_FIB_MTRIE_LEAF_EMPTY ? mtrie0->default_leaf : leaf0);
-
+
lbi0 = ip4_fib_mtrie_leaf_get_adj_index (leaf0);
-
+
return lbi0 == ip4_fib_table_lookup_lb (ip4_fib_get(fib_index0), a);
}
-
+
static clib_error_t *
test_lookup_command_fn (vlib_main_t * vm,
unformat_input_t * input,
vlib_cli_command_t * cmd)
{
+ ip4_fib_t *fib;
u32 table_id = 0;
f64 count = 1;
u32 n;
while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT) {
if (unformat (input, "table %d", &table_id))
- ;
+ {
+ /* Make sure the entry exists. */
+ fib = ip4_fib_get(table_id);
+ if ((fib) && (fib->index != table_id))
+ return clib_error_return (0, "<fib-index> %d does not exist",
+ table_id);
+ }
else if (unformat (input, "count %f", &count))
;
if (!ip4_lookup_validate (&ip4_base_address, table_id))
errors++;
- ip4_base_address.as_u32 =
- clib_host_to_net_u32 (1 +
+ ip4_base_address.as_u32 =
+ clib_host_to_net_u32 (1 +
clib_net_to_host_u32 (ip4_base_address.as_u32));
}
- if (errors)
+ if (errors)
vlib_cli_output (vm, "%llu errors out of %d lookups\n", errors, n);
else
vlib_cli_output (vm, "No errors in %d lookups\n", n);
return 0;
}
+/*?
+ * Perform a lookup of an IPv4 Address (or range of addresses) in the
+ * given FIB table to determine if there is a conflict with the
+ * adjacency table. The fib-id can be determined by using the
+ * '<em>show ip fib</em>' command. If fib-id is not entered, default value
+ * of 0 is used.
+ *
+ * @todo This command uses fib-id, other commands use table-id (not
+ * just a name, they are different indexes). Would like to change this
+ * to table-id for consistency.
+ *
+ * @cliexpar
+ * Example of how to run the test lookup command:
+ * @cliexstart{test lookup 172.16.1.1 table 1 count 2}
+ * No errors in 2 lookups
+ * @cliexend
+?*/
+/* *INDENT-OFF* */
VLIB_CLI_COMMAND (lookup_test_command, static) = {
.path = "test lookup",
- .short_help = "test lookup",
+ .short_help = "test lookup <ipv4-addr> [table <fib-id>] [count <nn>]",
.function = test_lookup_command_fn,
};
+/* *INDENT-ON* */
int vnet_set_ip4_flow_hash (u32 table_id, u32 flow_hash_config)
{
fib->flow_hash_config = flow_hash_config;
return 0;
}
-
+
static clib_error_t *
set_ip_flow_hash_command_fn (vlib_main_t * vm,
unformat_input_t * input,
#undef _
else break;
}
-
+
if (matched == 0)
return clib_error_return (0, "unknown input `%U'",
format_unformat_error, input);
-
+
rv = vnet_set_ip4_flow_hash (table_id, flow_hash_config);
switch (rv)
{
case 0:
break;
-
+
case VNET_API_ERROR_NO_SUCH_FIB:
return clib_error_return (0, "no such FIB table %d", table_id);
-
+
default:
clib_warning ("BUG: illegal flow hash config 0x%x", flow_hash_config);
break;
}
-
+
return 0;
}
-
+
+/*?
+ * Configure the set of IPv4 fields used by the flow hash.
+ *
+ * @cliexpar
+ * Example of how to set the flow hash on a given table:
+ * @cliexcmd{set ip flow-hash table 7 dst sport dport proto}
+ * Example of display the configured flow hash:
+ * @cliexstart{show ip fib}
+ * ipv4-VRF:0, fib_index 0, flow hash: src dst sport dport proto
+ * 0.0.0.0/0
+ * unicast-ip4-chain
+ * [@0]: dpo-load-balance: [index:0 buckets:1 uRPF:0 to:[0:0]]
+ * [0] [@0]: dpo-drop ip6
+ * 0.0.0.0/32
+ * unicast-ip4-chain
+ * [@0]: dpo-load-balance: [index:1 buckets:1 uRPF:1 to:[0:0]]
+ * [0] [@0]: dpo-drop ip6
+ * 224.0.0.0/8
+ * unicast-ip4-chain
+ * [@0]: dpo-load-balance: [index:3 buckets:1 uRPF:3 to:[0:0]]
+ * [0] [@0]: dpo-drop ip6
+ * 6.0.1.2/32
+ * unicast-ip4-chain
+ * [@0]: dpo-load-balance: [index:30 buckets:1 uRPF:29 to:[0:0]]
+ * [0] [@3]: arp-ipv4: via 6.0.0.1 af_packet0
+ * 7.0.0.1/32
+ * unicast-ip4-chain
+ * [@0]: dpo-load-balance: [index:31 buckets:4 uRPF:30 to:[0:0]]
+ * [0] [@3]: arp-ipv4: via 6.0.0.2 af_packet0
+ * [1] [@3]: arp-ipv4: via 6.0.0.2 af_packet0
+ * [2] [@3]: arp-ipv4: via 6.0.0.2 af_packet0
+ * [3] [@3]: arp-ipv4: via 6.0.0.1 af_packet0
+ * 240.0.0.0/8
+ * unicast-ip4-chain
+ * [@0]: dpo-load-balance: [index:2 buckets:1 uRPF:2 to:[0:0]]
+ * [0] [@0]: dpo-drop ip6
+ * 255.255.255.255/32
+ * unicast-ip4-chain
+ * [@0]: dpo-load-balance: [index:4 buckets:1 uRPF:4 to:[0:0]]
+ * [0] [@0]: dpo-drop ip6
+ * ipv4-VRF:7, fib_index 1, flow hash: dst sport dport proto
+ * 0.0.0.0/0
+ * unicast-ip4-chain
+ * [@0]: dpo-load-balance: [index:12 buckets:1 uRPF:11 to:[0:0]]
+ * [0] [@0]: dpo-drop ip6
+ * 0.0.0.0/32
+ * unicast-ip4-chain
+ * [@0]: dpo-load-balance: [index:13 buckets:1 uRPF:12 to:[0:0]]
+ * [0] [@0]: dpo-drop ip6
+ * 172.16.1.0/24
+ * unicast-ip4-chain
+ * [@0]: dpo-load-balance: [index:17 buckets:1 uRPF:16 to:[0:0]]
+ * [0] [@4]: ipv4-glean: af_packet0
+ * 172.16.1.1/32
+ * unicast-ip4-chain
+ * [@0]: dpo-load-balance: [index:18 buckets:1 uRPF:17 to:[1:84]]
+ * [0] [@2]: dpo-receive: 172.16.1.1 on af_packet0
+ * 172.16.1.2/32
+ * unicast-ip4-chain
+ * [@0]: dpo-load-balance: [index:21 buckets:1 uRPF:20 to:[0:0]]
+ * [0] [@5]: ipv4 via 172.16.1.2 af_packet0: IP4: 02:fe:9e:70:7a:2b -> 26:a5:f6:9c:3a:36
+ * 172.16.2.0/24
+ * unicast-ip4-chain
+ * [@0]: dpo-load-balance: [index:19 buckets:1 uRPF:18 to:[0:0]]
+ * [0] [@4]: ipv4-glean: af_packet1
+ * 172.16.2.1/32
+ * unicast-ip4-chain
+ * [@0]: dpo-load-balance: [index:20 buckets:1 uRPF:19 to:[0:0]]
+ * [0] [@2]: dpo-receive: 172.16.2.1 on af_packet1
+ * 224.0.0.0/8
+ * unicast-ip4-chain
+ * [@0]: dpo-load-balance: [index:15 buckets:1 uRPF:14 to:[0:0]]
+ * [0] [@0]: dpo-drop ip6
+ * 240.0.0.0/8
+ * unicast-ip4-chain
+ * [@0]: dpo-load-balance: [index:14 buckets:1 uRPF:13 to:[0:0]]
+ * [0] [@0]: dpo-drop ip6
+ * 255.255.255.255/32
+ * unicast-ip4-chain
+ * [@0]: dpo-load-balance: [index:16 buckets:1 uRPF:15 to:[0:0]]
+ * [0] [@0]: dpo-drop ip6
+ * @cliexend
+?*/
+/* *INDENT-OFF* */
VLIB_CLI_COMMAND (set_ip_flow_hash_command, static) = {
.path = "set ip flow-hash",
- .short_help =
- "set ip table flow-hash table <fib-id> src dst sport dport proto reverse",
+ .short_help =
+ "set ip flow-hash table <table-id> [src] [dst] [sport] [dport] [proto] [reverse]",
.function = set_ip_flow_hash_command_fn,
};
-
-int vnet_set_ip4_classify_intfc (vlib_main_t * vm, u32 sw_if_index,
+/* *INDENT-ON* */
+
+int vnet_set_ip4_classify_intfc (vlib_main_t * vm, u32 sw_if_index,
u32 table_index)
{
vnet_main_t * vnm = vnet_get_main();
ip4_main_t * ipm = &ip4_main;
ip_lookup_main_t * lm = &ipm->lookup_main;
vnet_classify_main_t * cm = &vnet_classify_main;
+ ip4_address_t *if_addr;
if (pool_is_free_index (im->sw_interfaces, sw_if_index))
return VNET_API_ERROR_NO_MATCHING_INTERFACE;
vec_validate (lm->classify_table_index_by_sw_if_index, sw_if_index);
lm->classify_table_index_by_sw_if_index [sw_if_index] = table_index;
+ if_addr = ip4_interface_first_address (ipm, sw_if_index, NULL);
+
+ if (NULL != if_addr)
+ {
+ fib_prefix_t pfx = {
+ .fp_len = 32,
+ .fp_proto = FIB_PROTOCOL_IP4,
+ .fp_addr.ip4 = *if_addr,
+ };
+ u32 fib_index;
+
+ fib_index = fib_table_get_index_for_sw_if_index(FIB_PROTOCOL_IP4,
+ sw_if_index);
+
+
+ if (table_index != (u32) ~0)
+ {
+ dpo_id_t dpo = DPO_NULL;
+
+ dpo_set(&dpo,
+ DPO_CLASSIFY,
+ DPO_PROTO_IP4,
+ classify_dpo_create(FIB_PROTOCOL_IP4,
+ table_index));
+
+ fib_table_entry_special_dpo_add(fib_index,
+ &pfx,
+ FIB_SOURCE_CLASSIFY,
+ FIB_ENTRY_FLAG_NONE,
+ &dpo);
+ dpo_reset(&dpo);
+ }
+ else
+ {
+ fib_table_entry_special_remove(fib_index,
+ &pfx,
+ FIB_SOURCE_CLASSIFY);
+ }
+ }
+
return 0;
}
int table_index_set = 0;
u32 sw_if_index = ~0;
int rv;
-
+
while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT) {
if (unformat (input, "table-index %d", &table_index))
table_index_set = 1;
- else if (unformat (input, "intfc %U", unformat_vnet_sw_interface,
+ else if (unformat (input, "intfc %U", unformat_vnet_sw_interface,
vnet_get_main(), &sw_if_index))
;
else
break;
}
-
+
if (table_index_set == 0)
return clib_error_return (0, "classify table-index must be specified");
return 0;
}
+/*?
+ * Assign a classification table to an interface. The classification
+ * table is created using the '<em>classify table</em>' and '<em>classify session</em>'
+ * commands. Once the table is create, use this command to filter packets
+ * on an interface.
+ *
+ * @cliexpar
+ * Example of how to assign a classification table to an interface:
+ * @cliexcmd{set ip classify intfc GigabitEthernet2/0/0 table-index 1}
+?*/
+/* *INDENT-OFF* */
VLIB_CLI_COMMAND (set_ip_classify_command, static) = {
.path = "set ip classify",
- .short_help =
- "set ip classify intfc <int> table-index <index>",
+ .short_help =
+ "set ip classify intfc <interface> table-index <classify-idx>",
.function = set_ip_classify_command_fn,
};
+/* *INDENT-ON* */
Code Review / vpp.git / blobdiff