X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fplugins%2Facl%2Facl.c;h=b6e491cf8977e717b0d342a50d87070cc6b3bf78;hb=bdc0e6b7;hp=365d85217600acf70609c0eeb693393218ad8ffd;hpb=f3639d00aa1ccb37987dc90f974540a5c70187de;p=vpp.git diff --git a/src/plugins/acl/acl.c b/src/plugins/acl/acl.c index 365d8521760..b6e491cf897 100644 --- a/src/plugins/acl/acl.c +++ b/src/plugins/acl/acl.c @@ -58,6 +58,13 @@ acl_main_t acl_main; #define REPLY_MSG_ID_BASE am->msg_id_base #include +/* + * The code for the bihash, used by the session management. + */ +#include +#include +#include + /* List of message types that this plugin understands */ #define foreach_acl_plugin_api_msg \ @@ -87,6 +94,9 @@ VLIB_PLUGIN_REGISTER () = { }; /* *INDENT-ON* */ +/* methods exported from ACL-as-a-service */ +static acl_plugin_methods_t acl_plugin; + /* Format vec16. */ u8 * format_vec16 (u8 * s, va_list * va) @@ -103,36 +113,59 @@ format_vec16 (u8 * s, va_list * va) return s; } - - -u8 -acl_plugin_acl_exists (u32 acl_index) -{ - acl_main_t *am = &acl_main; - - if (pool_is_free_index (am->acls, acl_index)) - return 0; - - return 1; -} - static void * acl_set_heap (acl_main_t * am) { if (0 == am->acl_mheap) { - am->acl_mheap = mheap_alloc (0 /* use VM */ , am->acl_mheap_size); - mheap_t *h = mheap_header (am->acl_mheap); - h->flags |= MHEAP_FLAG_THREAD_SAFE; + if (0 == am->acl_mheap_size) + { + vlib_thread_main_t *tm = vlib_get_thread_main (); + u64 per_worker_slack = 1000000LL; + u64 per_worker_size = + per_worker_slack + + ((u64) am->fa_conn_table_max_entries) * sizeof (fa_session_t); + u64 per_worker_size_with_slack = per_worker_slack + per_worker_size; + u64 main_slack = 2000000LL; + u64 bihash_size = (u64) am->fa_conn_table_hash_memory_size; + + am->acl_mheap_size = + per_worker_size_with_slack * tm->n_vlib_mains + bihash_size + + main_slack; + } + u64 max_possible = ((uword) ~ 0); + if (am->acl_mheap_size > max_possible) + { + clib_warning ("ACL heap size requested: %lld, max possible %lld", + am->acl_mheap_size, max_possible); + } + + am->acl_mheap = mheap_alloc_with_lock (0 /* use VM */ , + am->acl_mheap_size, + 1 /* locked */ ); + if (0 == am->acl_mheap) + { + clib_error + ("ACL plugin failed to allocate main heap of %U bytes, abort", + format_memory_size, am->acl_mheap_size); + } } void *oldheap = clib_mem_set_heap (am->acl_mheap); return oldheap; } +void * +acl_plugin_set_heap () +{ + acl_main_t *am = &acl_main; + return acl_set_heap (am); +} + void acl_plugin_acl_set_validate_heap (acl_main_t * am, int on) { clib_mem_set_heap (acl_set_heap (am)); +#if USE_DLMALLOC == 0 mheap_t *h = mheap_header (am->acl_mheap); if (on) { @@ -145,12 +178,14 @@ acl_plugin_acl_set_validate_heap (acl_main_t * am, int on) h->flags &= ~MHEAP_FLAG_VALIDATE; h->flags |= MHEAP_FLAG_SMALL_OBJECT_CACHE; } +#endif } void acl_plugin_acl_set_trace_heap (acl_main_t * am, int on) { clib_mem_set_heap (acl_set_heap (am)); +#if USE_DLMALLOC == 0 mheap_t *h = mheap_header (am->acl_mheap); if (on) { @@ -160,6 +195,7 @@ acl_plugin_acl_set_trace_heap (acl_main_t * am, int on) { h->flags &= ~MHEAP_FLAG_TRACE; } +#endif } static void @@ -271,6 +307,45 @@ warning_acl_print_acl (vlib_main_t * vm, acl_main_t * am, int acl_index) acl_print_acl_x (print_clib_warning_and_reset, vm, am, acl_index); } +static void +increment_policy_epoch (acl_main_t * am, u32 sw_if_index, int is_input) +{ + + u32 **ppolicy_epoch_by_swi = + is_input ? &am->input_policy_epoch_by_sw_if_index : + &am->output_policy_epoch_by_sw_if_index; + vec_validate (*ppolicy_epoch_by_swi, sw_if_index); + + u32 *p_epoch = vec_elt_at_index ((*ppolicy_epoch_by_swi), sw_if_index); + *p_epoch = + ((1 + *p_epoch) & FA_POLICY_EPOCH_MASK) + + (is_input * FA_POLICY_EPOCH_IS_INPUT); +} + +static void +try_increment_acl_policy_epoch (acl_main_t * am, u32 acl_num, int is_input) +{ + u32 ***p_swi_vec_by_acl = is_input ? &am->input_sw_if_index_vec_by_acl + : &am->output_sw_if_index_vec_by_acl; + if (acl_num < vec_len (*p_swi_vec_by_acl)) + { + u32 *p_swi; + vec_foreach (p_swi, (*p_swi_vec_by_acl)[acl_num]) + { + increment_policy_epoch (am, *p_swi, is_input); + } + + } +} + +static void +policy_notify_acl_change (acl_main_t * am, u32 acl_num) +{ + try_increment_acl_policy_epoch (am, acl_num, 0); + try_increment_acl_policy_epoch (am, acl_num, 1); +} + + static int acl_add_list (u32 count, vl_api_acl_rule_t rules[], @@ -358,6 +433,12 @@ acl_add_list (u32 count, vl_api_acl_rule_t rules[], memcpy (a->tag, tag, sizeof (a->tag)); if (am->trace_acl > 255) warning_acl_print_acl (am->vlib_main, am, *acl_list_index); + if (am->reclassify_sessions) + { + /* a change in an ACLs if they are applied may mean a new policy epoch */ + policy_notify_acl_change (am, *acl_list_index); + } + /* notify the lookup contexts about the ACL changes */ acl_plugin_lookup_context_notify_acl_change (*acl_list_index); clib_mem_set_heap (oldheap); @@ -391,7 +472,7 @@ acl_del_list (u32 acl_list_index) return VNET_API_ERROR_ACL_IN_USE_INBOUND; if (acl_is_used_by (acl_list_index, am->output_sw_if_index_vec_by_acl)) return VNET_API_ERROR_ACL_IN_USE_OUTBOUND; - /* lookup contexts cover other cases, not just inbound/oubound, so check that */ + /* lookup contexts cover other cases, not just inbound/outbound, so check that */ if (acl_is_used_by (acl_list_index, am->lc_index_vec_by_acl)) return VNET_API_ERROR_ACL_IN_USE_BY_LOOKUP_CONTEXT; @@ -1234,12 +1315,20 @@ acl_interface_set_inout_acl_list (acl_main_t * am, u32 sw_if_index, (*pinout_acl_vec_by_sw_if_index)[sw_if_index] = vec_dup (vec_acl_list_index); - /* if no commonalities between the ACL# - then we should definitely clear the sessions */ - if (may_clear_sessions && *may_clear_sessions - && !clib_bitmap_is_zero (change_acl_bitmap)) + if (am->reclassify_sessions) + { + /* re-applying ACLs means a new policy epoch */ + increment_policy_epoch (am, sw_if_index, is_input); + } + else { - acl_clear_sessions (am, sw_if_index); - *may_clear_sessions = 0; + /* if no commonalities between the ACL# - then we should definitely clear the sessions */ + if (may_clear_sessions && *may_clear_sessions + && !clib_bitmap_is_zero (change_acl_bitmap)) + { + acl_clear_sessions (am, sw_if_index); + *may_clear_sessions = 0; + } } /* @@ -1252,19 +1341,22 @@ acl_interface_set_inout_acl_list (acl_main_t * am, u32 sw_if_index, u32 lc_index = (*pinout_lc_index_by_sw_if_index)[sw_if_index]; if (~0 == lc_index) { + if (~0 == am->interface_acl_user_id) + am->interface_acl_user_id = + acl_plugin.register_user_module ("interface ACL", "sw_if_index", + "is_input"); lc_index = - acl_plugin_get_lookup_context_index (am->interface_acl_user_id, + acl_plugin.get_lookup_context_index (am->interface_acl_user_id, sw_if_index, is_input); - ASSERT (lc_index >= 0); (*pinout_lc_index_by_sw_if_index)[sw_if_index] = lc_index; } - acl_plugin_set_acl_vec_for_context (lc_index, vec_acl_list_index); + acl_plugin.set_acl_vec_for_context (lc_index, vec_acl_list_index); } else { if (~0 != (*pinout_lc_index_by_sw_if_index)[sw_if_index]) { - acl_plugin_put_lookup_context_index ((*pinout_lc_index_by_sw_if_index)[sw_if_index]); + acl_plugin.put_lookup_context_index ((*pinout_lc_index_by_sw_if_index)[sw_if_index]); (*pinout_lc_index_by_sw_if_index)[sw_if_index] = ~0; } } @@ -1326,7 +1418,7 @@ acl_interface_add_del_inout_acl (u32 sw_if_index, u8 is_add, u8 is_input, } else { - if (sw_if_index > vec_len (*pinout_acl_vec_by_sw_if_index)) + if (sw_if_index >= vec_len (*pinout_acl_vec_by_sw_if_index)) { rv = VNET_API_ERROR_NO_SUCH_ENTRY; goto done; @@ -2147,7 +2239,7 @@ macip_acl_add_list (u32 count, vl_api_macip_acl_rule_t rules[], a->count = count; memcpy (a->tag, tag, sizeof (a->tag)); - /* Create and populate the classifer tables */ + /* Create and populate the classifier tables */ macip_create_classify_tables (am, *acl_list_index); clib_mem_set_heap (oldheap); /* If the ACL was already applied somewhere, reapply the newly created tables */ @@ -2156,8 +2248,12 @@ macip_acl_add_list (u32 count, vl_api_macip_acl_rule_t rules[], return rv; } - -/* No check for validity of sw_if_index - the callers were supposed to validate */ +/* No check that sw_if_index denotes a valid interface - the callers + * were supposed to validate. + * + * That said, if sw_if_index corresponds to an interface that exists at all, + * this function must return errors accordingly if the ACL is not applied. + */ static int macip_acl_interface_del_acl (acl_main_t * am, u32 sw_if_index) @@ -2165,13 +2261,16 @@ macip_acl_interface_del_acl (acl_main_t * am, u32 sw_if_index) int rv; u32 macip_acl_index; macip_acl_list_t *a; - void *oldheap = acl_set_heap (am); - vec_validate_init_empty (am->macip_acl_by_sw_if_index, sw_if_index, ~0); - clib_mem_set_heap (oldheap); + + /* The vector is too short - MACIP ACL is not applied */ + if (sw_if_index >= vec_len (am->macip_acl_by_sw_if_index)) + return VNET_API_ERROR_NO_SUCH_ENTRY; + macip_acl_index = am->macip_acl_by_sw_if_index[sw_if_index]; /* No point in deleting MACIP ACL which is not applied */ if (~0 == macip_acl_index) return VNET_API_ERROR_NO_SUCH_ENTRY; + a = pool_elt_at_index (am->macip_acls, macip_acl_index); /* remove the classifier tables off the interface L2 ACL */ rv = @@ -2183,6 +2282,11 @@ macip_acl_interface_del_acl (acl_main_t * am, u32 sw_if_index) a->out_l2_table_index, 0); /* Unset the MACIP ACL index */ am->macip_acl_by_sw_if_index[sw_if_index] = ~0; + /* macip_acl_interface_add_acl did a vec_add1() to this previously, so [sw_if_index] should be valid */ + u32 index = vec_search (am->sw_if_index_vec_by_macip_acl[macip_acl_index], + sw_if_index); + if (index != ~0) + vec_del1 (am->sw_if_index_vec_by_macip_acl[macip_acl_index], index); return rv; } @@ -2201,6 +2305,8 @@ macip_acl_interface_add_acl (acl_main_t * am, u32 sw_if_index, void *oldheap = acl_set_heap (am); a = pool_elt_at_index (am->macip_acls, macip_acl_index); vec_validate_init_empty (am->macip_acl_by_sw_if_index, sw_if_index, ~0); + vec_validate (am->sw_if_index_vec_by_macip_acl, macip_acl_index); + vec_add1 (am->sw_if_index_vec_by_macip_acl[macip_acl_index], sw_if_index); clib_mem_set_heap (oldheap); /* If there already a MACIP ACL applied, unapply it */ if (~0 != am->macip_acl_by_sw_if_index[sw_if_index]) @@ -3150,6 +3256,11 @@ acl_set_aclplugin_fn (vlib_main_t * vm, am->l4_match_nonfirst_fragment = (val != 0); goto done; } + if (unformat (input, "reclassify-sessions %u", &val)) + { + am->reclassify_sessions = (val != 0); + goto done; + } if (unformat (input, "event-trace")) { if (!unformat (input, "%u", &val)) @@ -3345,12 +3456,8 @@ macip_acl_print (acl_main_t * am, u32 macip_acl_index) vlib_main_t *vm = am->vlib_main; int i; - /* Don't attempt to show the ACLs that do not exist */ - if (pool_is_free_index (am->macip_acls, macip_acl_index)) - return; - /* Don't try to print someone else's memory */ - if (macip_acl_index > vec_len (am->macip_acls)) + if (macip_acl_index >= vec_len (am->macip_acls)) return; macip_acl_list_t *a = vec_elt_at_index (am->macip_acls, macip_acl_index); @@ -3382,8 +3489,31 @@ acl_show_aclplugin_macip_acl_fn (vlib_main_t * vm, clib_error_t *error = 0; acl_main_t *am = &acl_main; int i; + u32 acl_index = ~0; + + (void) unformat (input, "index %u", &acl_index); + for (i = 0; i < vec_len (am->macip_acls); i++) - macip_acl_print (am, i); + { + /* Don't attempt to show the ACLs that do not exist */ + if (pool_is_free_index (am->macip_acls, i)) + continue; + + if ((acl_index != ~0) && (acl_index != i)) + { + continue; + } + + macip_acl_print (am, i); + if (i < vec_len (am->sw_if_index_vec_by_macip_acl)) + { + vlib_cli_output (vm, " applied on sw_if_index(s): %U\n", + format_vec32, + vec_elt (am->sw_if_index_vec_by_macip_acl, i), + "%d"); + } + } + return error; } @@ -3500,6 +3630,15 @@ acl_plugin_show_interface (acl_main_t * am, u32 sw_if_index, int show_acl, continue; vlib_cli_output (vm, "sw_if_index %d:\n", swi); + if (swi < vec_len (am->input_policy_epoch_by_sw_if_index)) + vlib_cli_output (vm, " input policy epoch: %x\n", + vec_elt (am->input_policy_epoch_by_sw_if_index, + swi)); + if (swi < vec_len (am->output_policy_epoch_by_sw_if_index)) + vlib_cli_output (vm, " output policy epoch: %x\n", + vec_elt (am->output_policy_epoch_by_sw_if_index, + swi)); + if (intf_has_etype_whitelist (am, swi, 1)) { @@ -3634,13 +3773,22 @@ acl_plugin_show_sessions (acl_main_t * am, u16 wk; vnet_interface_main_t *im = &am->vnet_main->interface_main; vnet_sw_interface_t *swif; + u64 now = clib_cpu_time_now (); + u64 clocks_per_second = am->vlib_main->clib_time.clocks_per_second; { u64 n_adds = am->fa_session_total_adds; u64 n_dels = am->fa_session_total_dels; + u64 n_deact = am->fa_session_total_deactivations; vlib_cli_output (vm, "Sessions total: add %lu - del %lu = %lu", n_adds, n_dels, n_adds - n_dels); + vlib_cli_output (vm, "Sessions active: add %lu - deact %lu = %lu", n_adds, + n_deact, n_adds - n_deact); + vlib_cli_output (vm, "Sessions being purged: deact %lu - del %lu = %lu", + n_deact, n_dels, n_deact - n_dels); } + vlib_cli_output (vm, "now: %lu clocks per second: %lu", now, + clocks_per_second); vlib_cli_output (vm, "\n\nPer-thread data:"); for (wk = 0; wk < vec_len (am->per_worker_data); wk++) { @@ -3690,13 +3838,21 @@ acl_plugin_show_sessions (acl_main_t * am, ? pw->fa_session_dels_by_sw_if_index [sw_if_index] : 0; + u64 n_epoch_changes = + sw_if_index < + vec_len + (pw->fa_session_epoch_change_by_sw_if_index) + ? + pw->fa_session_epoch_change_by_sw_if_index + [sw_if_index] : 0; vlib_cli_output (vm, - " sw_if_index %d: add %lu - del %lu = %lu", + " sw_if_index %d: add %lu - del %lu = %lu; epoch chg: %lu", sw_if_index, n_adds, n_dels, n_adds - - n_dels); + n_dels, + n_epoch_changes); } )); @@ -3758,6 +3914,7 @@ acl_plugin_show_sessions (acl_main_t * am, am->fa_cleaner_wait_time_increment * 1000.0, ((f64) am->fa_current_cleaner_timer_wait_interval) * 1000.0 / (f64) vm->clib_time.clocks_per_second); + vlib_cli_output (vm, "Reclassify sessions: %d", am->reclassify_sessions); } static clib_error_t * @@ -3789,7 +3946,7 @@ acl_show_aclplugin_tables_fn (vlib_main_t * vm, clib_error_t *error = 0; u32 acl_index = ~0; - u32 sw_if_index = ~0; + u32 lc_index = ~0; int show_acl_hash_info = 0; int show_applied_info = 0; int show_mask_type = 0; @@ -3806,7 +3963,7 @@ acl_show_aclplugin_tables_fn (vlib_main_t * vm, else if (unformat (input, "applied")) { show_applied_info = 1; - unformat (input, "sw_if_index %u", &sw_if_index); + unformat (input, "lc_index %u", &lc_index); } else if (unformat (input, "mask")) { @@ -3833,7 +3990,7 @@ acl_show_aclplugin_tables_fn (vlib_main_t * vm, if (show_acl_hash_info) acl_plugin_show_tables_acl_hash_info (acl_index); if (show_applied_info) - acl_plugin_show_tables_applied_info (sw_if_index); + acl_plugin_show_tables_applied_info (lc_index); if (show_bihash) acl_plugin_show_tables_bihash (show_bihash_verbose); @@ -3902,13 +4059,13 @@ VLIB_CLI_COMMAND (aclplugin_show_sessions_command, static) = { VLIB_CLI_COMMAND (aclplugin_show_tables_command, static) = { .path = "show acl-plugin tables", - .short_help = "show acl-plugin tables [ acl [index N] | applied [ sw_if_index N ] | mask | hash [verbose N] ]", + .short_help = "show acl-plugin tables [ acl [index N] | applied [ lc_index N ] | mask | hash [verbose N] ]", .function = acl_show_aclplugin_tables_fn, }; VLIB_CLI_COMMAND (aclplugin_show_macip_acl_command, static) = { .path = "show acl-plugin macip acl", - .short_help = "show acl-plugin macip acl", + .short_help = "show acl-plugin macip acl [index N]", .function = acl_show_aclplugin_macip_acl_fn, }; @@ -3932,10 +4089,13 @@ acl_plugin_config (vlib_main_t * vm, unformat_input_t * input) u32 conn_table_hash_buckets; u32 conn_table_hash_memory_size; u32 conn_table_max_entries; - u32 main_heap_size; - u32 hash_heap_size; + uword main_heap_size; + uword hash_heap_size; u32 hash_lookup_hash_buckets; u32 hash_lookup_hash_memory; + u32 reclassify_sessions; + u32 use_tuple_merge; + u32 tuple_merge_split_threshold; while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT) { @@ -3948,9 +4108,15 @@ acl_plugin_config (vlib_main_t * vm, unformat_input_t * input) else if (unformat (input, "connection count max %d", &conn_table_max_entries)) am->fa_conn_table_max_entries = conn_table_max_entries; - else if (unformat (input, "main heap size %d", &main_heap_size)) + else + if (unformat + (input, "main heap size %U", unformat_memory_size, + &main_heap_size)) am->acl_mheap_size = main_heap_size; - else if (unformat (input, "hash lookup heap size %d", &hash_heap_size)) + else + if (unformat + (input, "hash lookup heap size %U", unformat_memory_size, + &hash_heap_size)) am->hash_lookup_mheap_size = hash_heap_size; else if (unformat (input, "hash lookup hash buckets %d", &hash_lookup_hash_buckets)) @@ -3958,6 +4124,18 @@ acl_plugin_config (vlib_main_t * vm, unformat_input_t * input) else if (unformat (input, "hash lookup hash memory %d", &hash_lookup_hash_memory)) am->hash_lookup_hash_memory = hash_lookup_hash_memory; + else if (unformat (input, "use tuple merge %d", &use_tuple_merge)) + am->use_tuple_merge = use_tuple_merge; + else + if (unformat + (input, "tuple merge split threshold %d", + &tuple_merge_split_threshold)) + am->tuple_merge_split_threshold = tuple_merge_split_threshold; + + else if (unformat (input, "reclassify sessions %d", + &reclassify_sessions)) + am->reclassify_sessions = reclassify_sessions; + else return clib_error_return (0, "unknown input '%U'", format_unformat_error, input); @@ -3975,6 +4153,7 @@ acl_init (vlib_main_t * vm) memset (am, 0, sizeof (*am)); am->vlib_main = vm; am->vnet_main = vnet_get_main (); + am->log_default = vlib_log_register_class ("acl_plugin", 0); u8 *name = format (0, "acl_%08x%c", api_version, 0); @@ -3989,9 +4168,17 @@ acl_init (vlib_main_t * vm) vec_free (name); + if (error) + return error; + + error = acl_plugin_exports_init (&acl_plugin); + + if (error) + return error; + acl_setup_fa_nodes (); - am->acl_mheap_size = ACL_FA_DEFAULT_HEAP_SIZE; + am->acl_mheap_size = 0; /* auto size when initializing */ am->hash_lookup_mheap_size = ACL_PLUGIN_HASH_LOOKUP_HEAP_SIZE; am->hash_lookup_hash_buckets = ACL_PLUGIN_HASH_LOOKUP_HASH_BUCKETS; @@ -4009,31 +4196,35 @@ acl_init (vlib_main_t * vm) am->fa_conn_table_hash_memory_size = ACL_FA_CONN_TABLE_DEFAULT_HASH_MEMORY_SIZE; am->fa_conn_table_max_entries = ACL_FA_CONN_TABLE_DEFAULT_MAX_ENTRIES; + am->reclassify_sessions = 0; vlib_thread_main_t *tm = vlib_get_thread_main (); + + am->fa_min_deleted_sessions_per_interval = + ACL_FA_DEFAULT_MIN_DELETED_SESSIONS_PER_INTERVAL; + am->fa_max_deleted_sessions_per_interval = + ACL_FA_DEFAULT_MAX_DELETED_SESSIONS_PER_INTERVAL; + am->fa_cleaner_wait_time_increment = + ACL_FA_DEFAULT_CLEANER_WAIT_TIME_INCREMENT; + vec_validate (am->per_worker_data, tm->n_vlib_mains - 1); { u16 wk; - u8 tt; for (wk = 0; wk < vec_len (am->per_worker_data); wk++) { acl_fa_per_worker_data_t *pw = &am->per_worker_data[wk]; - vec_validate (pw->fa_conn_list_head, ACL_N_TIMEOUTS - 1); - vec_validate (pw->fa_conn_list_tail, ACL_N_TIMEOUTS - 1); - for (tt = 0; tt < ACL_N_TIMEOUTS; tt++) - { - pw->fa_conn_list_head[tt] = ~0; - pw->fa_conn_list_tail[tt] = ~0; - } + vec_validate (pw->expired, + ACL_N_TIMEOUTS * + am->fa_max_deleted_sessions_per_interval); + _vec_len (pw->expired) = 0; + vec_validate_init_empty (pw->fa_conn_list_head, ACL_N_TIMEOUTS - 1, + FA_SESSION_BOGUS_INDEX); + vec_validate_init_empty (pw->fa_conn_list_tail, ACL_N_TIMEOUTS - 1, + FA_SESSION_BOGUS_INDEX); + vec_validate_init_empty (pw->fa_conn_list_head_expiry_time, + ACL_N_TIMEOUTS - 1, ~0ULL); } } - am->fa_min_deleted_sessions_per_interval = - ACL_FA_DEFAULT_MIN_DELETED_SESSIONS_PER_INTERVAL; - am->fa_max_deleted_sessions_per_interval = - ACL_FA_DEFAULT_MAX_DELETED_SESSIONS_PER_INTERVAL; - am->fa_cleaner_wait_time_increment = - ACL_FA_DEFAULT_CLEANER_WAIT_TIME_INCREMENT; - am->fa_cleaner_cnt_delete_by_sw_index = 0; am->fa_cleaner_cnt_delete_by_sw_index_ok = 0; am->fa_cleaner_cnt_unknown_event = 0; @@ -4048,10 +4239,12 @@ acl_init (vlib_main_t * vm) /* use the new fancy hash-based matching */ am->use_hash_acl_matching = 1; + /* use tuplemerge by default */ + am->use_tuple_merge = 1; + /* Set the default threshold */ + am->tuple_merge_split_threshold = TM_SPLIT_THRESHOLD; - am->interface_acl_user_id = - acl_plugin_register_user_module ("interface ACL", "sw_if_index", - "is_input"); + am->interface_acl_user_id = ~0; /* defer till the first use */ return error; }