X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fplugins%2Facl%2Facl.c;h=b6e491cf8977e717b0d342a50d87070cc6b3bf78;hb=bdc0e6b7204ea0211d4f7881497e4306586fb9ef;hp=90b369e329635df390f732e4147ed01d74b5ba24;hpb=17ddc0fee1bc20d0da84dd70bb579c8844a48ef4;p=vpp.git

diff --git a/src/plugins/acl/acl.c b/src/plugins/acl/acl.c
index 90b369e3296..b6e491cf897 100644
--- a/src/plugins/acl/acl.c
+++ b/src/plugins/acl/acl.c
@@ -58,6 +58,13 @@ acl_main_t acl_main;
 #define REPLY_MSG_ID_BASE am->msg_id_base
 #include <vlibapi/api_helper_macros.h>
 
+/*
+ * The code for the bihash, used by the session management.
+ */
+#include <vppinfra/bihash_40_8.h>
+#include <vppinfra/bihash_template.h>
+#include <vppinfra/bihash_template.c>
+
 /* List of message types that this plugin understands */
 
 #define foreach_acl_plugin_api_msg		\
@@ -87,6 +94,9 @@ VLIB_PLUGIN_REGISTER () = {
 };
 /* *INDENT-ON* */
 
+/* methods exported from ACL-as-a-service */
+static acl_plugin_methods_t acl_plugin;
+
 /* Format vec16. */
 u8 *
 format_vec16 (u8 * s, va_list * va)
@@ -103,19 +113,6 @@ format_vec16 (u8 * s, va_list * va)
   return s;
 }
 
-
-
-u8
-acl_plugin_acl_exists (u32 acl_index)
-{
-  acl_main_t *am = &acl_main;
-
-  if (pool_is_free_index (am->acls, acl_index))
-    return 0;
-
-  return 1;
-}
-
 static void *
 acl_set_heap (acl_main_t * am)
 {
@@ -142,15 +139,16 @@ acl_set_heap (acl_main_t * am)
 	  clib_warning ("ACL heap size requested: %lld, max possible %lld",
 			am->acl_mheap_size, max_possible);
 	}
-      am->acl_mheap = mheap_alloc (0 /* use VM */ , am->acl_mheap_size);
+
+      am->acl_mheap = mheap_alloc_with_lock (0 /* use VM */ ,
+					     am->acl_mheap_size,
+					     1 /* locked */ );
       if (0 == am->acl_mheap)
 	{
 	  clib_error
 	    ("ACL plugin failed to allocate main heap of %U bytes, abort",
 	     format_memory_size, am->acl_mheap_size);
 	}
-      mheap_t *h = mheap_header (am->acl_mheap);
-      h->flags |= MHEAP_FLAG_THREAD_SAFE;
     }
   void *oldheap = clib_mem_set_heap (am->acl_mheap);
   return oldheap;
@@ -167,6 +165,7 @@ void
 acl_plugin_acl_set_validate_heap (acl_main_t * am, int on)
 {
   clib_mem_set_heap (acl_set_heap (am));
+#if USE_DLMALLOC == 0
   mheap_t *h = mheap_header (am->acl_mheap);
   if (on)
     {
@@ -179,12 +178,14 @@ acl_plugin_acl_set_validate_heap (acl_main_t * am, int on)
       h->flags &= ~MHEAP_FLAG_VALIDATE;
       h->flags |= MHEAP_FLAG_SMALL_OBJECT_CACHE;
     }
+#endif
 }
 
 void
 acl_plugin_acl_set_trace_heap (acl_main_t * am, int on)
 {
   clib_mem_set_heap (acl_set_heap (am));
+#if USE_DLMALLOC == 0
   mheap_t *h = mheap_header (am->acl_mheap);
   if (on)
     {
@@ -194,6 +195,7 @@ acl_plugin_acl_set_trace_heap (acl_main_t * am, int on)
     {
       h->flags &= ~MHEAP_FLAG_TRACE;
     }
+#endif
 }
 
 static void
@@ -470,7 +472,7 @@ acl_del_list (u32 acl_list_index)
     return VNET_API_ERROR_ACL_IN_USE_INBOUND;
   if (acl_is_used_by (acl_list_index, am->output_sw_if_index_vec_by_acl))
     return VNET_API_ERROR_ACL_IN_USE_OUTBOUND;
-  /* lookup contexts cover other cases, not just inbound/oubound, so check that */
+  /* lookup contexts cover other cases, not just inbound/outbound, so check that */
   if (acl_is_used_by (acl_list_index, am->lc_index_vec_by_acl))
     return VNET_API_ERROR_ACL_IN_USE_BY_LOOKUP_CONTEXT;
 
@@ -1341,21 +1343,20 @@ acl_interface_set_inout_acl_list (acl_main_t * am, u32 sw_if_index,
 	{
 	  if (~0 == am->interface_acl_user_id)
 	    am->interface_acl_user_id =
-	      acl_plugin_register_user_module ("interface ACL", "sw_if_index",
+	      acl_plugin.register_user_module ("interface ACL", "sw_if_index",
 					       "is_input");
 	  lc_index =
-	    acl_plugin_get_lookup_context_index (am->interface_acl_user_id,
+	    acl_plugin.get_lookup_context_index (am->interface_acl_user_id,
 						 sw_if_index, is_input);
-	  ASSERT (lc_index >= 0);
 	  (*pinout_lc_index_by_sw_if_index)[sw_if_index] = lc_index;
 	}
-      acl_plugin_set_acl_vec_for_context (lc_index, vec_acl_list_index);
+      acl_plugin.set_acl_vec_for_context (lc_index, vec_acl_list_index);
     }
   else
     {
       if (~0 != (*pinout_lc_index_by_sw_if_index)[sw_if_index])
 	{
-	  acl_plugin_put_lookup_context_index ((*pinout_lc_index_by_sw_if_index)[sw_if_index]);
+	  acl_plugin.put_lookup_context_index ((*pinout_lc_index_by_sw_if_index)[sw_if_index]);
 	  (*pinout_lc_index_by_sw_if_index)[sw_if_index] = ~0;
 	}
     }
@@ -1417,7 +1418,7 @@ acl_interface_add_del_inout_acl (u32 sw_if_index, u8 is_add, u8 is_input,
     }
   else
     {
-      if (sw_if_index > vec_len (*pinout_acl_vec_by_sw_if_index))
+      if (sw_if_index >= vec_len (*pinout_acl_vec_by_sw_if_index))
 	{
 	  rv = VNET_API_ERROR_NO_SUCH_ENTRY;
 	  goto done;
@@ -2238,7 +2239,7 @@ macip_acl_add_list (u32 count, vl_api_macip_acl_rule_t rules[],
   a->count = count;
   memcpy (a->tag, tag, sizeof (a->tag));
 
-  /* Create and populate the classifer tables */
+  /* Create and populate the classifier tables */
   macip_create_classify_tables (am, *acl_list_index);
   clib_mem_set_heap (oldheap);
   /* If the ACL was already applied somewhere, reapply the newly created tables */
@@ -3456,7 +3457,7 @@ macip_acl_print (acl_main_t * am, u32 macip_acl_index)
   int i;
 
   /* Don't try to print someone else's memory */
-  if (macip_acl_index > vec_len (am->macip_acls))
+  if (macip_acl_index >= vec_len (am->macip_acls))
     return;
 
   macip_acl_list_t *a = vec_elt_at_index (am->macip_acls, macip_acl_index);
@@ -3772,13 +3773,22 @@ acl_plugin_show_sessions (acl_main_t * am,
   u16 wk;
   vnet_interface_main_t *im = &am->vnet_main->interface_main;
   vnet_sw_interface_t *swif;
+  u64 now = clib_cpu_time_now ();
+  u64 clocks_per_second = am->vlib_main->clib_time.clocks_per_second;
 
   {
     u64 n_adds = am->fa_session_total_adds;
     u64 n_dels = am->fa_session_total_dels;
+    u64 n_deact = am->fa_session_total_deactivations;
     vlib_cli_output (vm, "Sessions total: add %lu - del %lu = %lu", n_adds,
 		     n_dels, n_adds - n_dels);
+    vlib_cli_output (vm, "Sessions active: add %lu - deact %lu = %lu", n_adds,
+		     n_deact, n_adds - n_deact);
+    vlib_cli_output (vm, "Sessions being purged: deact %lu - del %lu = %lu",
+		     n_deact, n_dels, n_deact - n_dels);
   }
+  vlib_cli_output (vm, "now: %lu clocks per second: %lu", now,
+		   clocks_per_second);
   vlib_cli_output (vm, "\n\nPer-thread data:");
   for (wk = 0; wk < vec_len (am->per_worker_data); wk++)
     {
@@ -3936,7 +3946,7 @@ acl_show_aclplugin_tables_fn (vlib_main_t * vm,
   clib_error_t *error = 0;
 
   u32 acl_index = ~0;
-  u32 sw_if_index = ~0;
+  u32 lc_index = ~0;
   int show_acl_hash_info = 0;
   int show_applied_info = 0;
   int show_mask_type = 0;
@@ -3953,7 +3963,7 @@ acl_show_aclplugin_tables_fn (vlib_main_t * vm,
   else if (unformat (input, "applied"))
     {
       show_applied_info = 1;
-      unformat (input, "sw_if_index %u", &sw_if_index);
+      unformat (input, "lc_index %u", &lc_index);
     }
   else if (unformat (input, "mask"))
     {
@@ -3980,7 +3990,7 @@ acl_show_aclplugin_tables_fn (vlib_main_t * vm,
   if (show_acl_hash_info)
     acl_plugin_show_tables_acl_hash_info (acl_index);
   if (show_applied_info)
-    acl_plugin_show_tables_applied_info (sw_if_index);
+    acl_plugin_show_tables_applied_info (lc_index);
   if (show_bihash)
     acl_plugin_show_tables_bihash (show_bihash_verbose);
 
@@ -4049,7 +4059,7 @@ VLIB_CLI_COMMAND (aclplugin_show_sessions_command, static) = {
 
 VLIB_CLI_COMMAND (aclplugin_show_tables_command, static) = {
     .path = "show acl-plugin tables",
-    .short_help = "show acl-plugin tables [ acl [index N] | applied [ sw_if_index N ] | mask | hash [verbose N] ]",
+    .short_help = "show acl-plugin tables [ acl [index N] | applied [ lc_index N ] | mask | hash [verbose N] ]",
     .function = acl_show_aclplugin_tables_fn,
 };
 
@@ -4084,6 +4094,8 @@ acl_plugin_config (vlib_main_t * vm, unformat_input_t * input)
   u32 hash_lookup_hash_buckets;
   u32 hash_lookup_hash_memory;
   u32 reclassify_sessions;
+  u32 use_tuple_merge;
+  u32 tuple_merge_split_threshold;
 
   while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
     {
@@ -4112,6 +4124,14 @@ acl_plugin_config (vlib_main_t * vm, unformat_input_t * input)
       else if (unformat (input, "hash lookup hash memory %d",
 			 &hash_lookup_hash_memory))
 	am->hash_lookup_hash_memory = hash_lookup_hash_memory;
+      else if (unformat (input, "use tuple merge %d", &use_tuple_merge))
+	am->use_tuple_merge = use_tuple_merge;
+      else
+	if (unformat
+	    (input, "tuple merge split threshold %d",
+	     &tuple_merge_split_threshold))
+	am->tuple_merge_split_threshold = tuple_merge_split_threshold;
+
       else if (unformat (input, "reclassify sessions %d",
 			 &reclassify_sessions))
 	am->reclassify_sessions = reclassify_sessions;
@@ -4133,6 +4153,7 @@ acl_init (vlib_main_t * vm)
   memset (am, 0, sizeof (*am));
   am->vlib_main = vm;
   am->vnet_main = vnet_get_main ();
+  am->log_default = vlib_log_register_class ("acl_plugin", 0);
 
   u8 *name = format (0, "acl_%08x%c", api_version, 0);
 
@@ -4147,6 +4168,14 @@ acl_init (vlib_main_t * vm)
 
   vec_free (name);
 
+  if (error)
+    return error;
+
+  error = acl_plugin_exports_init (&acl_plugin);
+
+  if (error)
+    return error;
+
   acl_setup_fa_nodes ();
 
   am->acl_mheap_size = 0;	/* auto size when initializing */
@@ -4169,30 +4198,33 @@ acl_init (vlib_main_t * vm)
   am->fa_conn_table_max_entries = ACL_FA_CONN_TABLE_DEFAULT_MAX_ENTRIES;
   am->reclassify_sessions = 0;
   vlib_thread_main_t *tm = vlib_get_thread_main ();
+
+  am->fa_min_deleted_sessions_per_interval =
+    ACL_FA_DEFAULT_MIN_DELETED_SESSIONS_PER_INTERVAL;
+  am->fa_max_deleted_sessions_per_interval =
+    ACL_FA_DEFAULT_MAX_DELETED_SESSIONS_PER_INTERVAL;
+  am->fa_cleaner_wait_time_increment =
+    ACL_FA_DEFAULT_CLEANER_WAIT_TIME_INCREMENT;
+
   vec_validate (am->per_worker_data, tm->n_vlib_mains - 1);
   {
     u16 wk;
-    u8 tt;
     for (wk = 0; wk < vec_len (am->per_worker_data); wk++)
       {
 	acl_fa_per_worker_data_t *pw = &am->per_worker_data[wk];
-	vec_validate (pw->fa_conn_list_head, ACL_N_TIMEOUTS - 1);
-	vec_validate (pw->fa_conn_list_tail, ACL_N_TIMEOUTS - 1);
-	for (tt = 0; tt < ACL_N_TIMEOUTS; tt++)
-	  {
-	    pw->fa_conn_list_head[tt] = ~0;
-	    pw->fa_conn_list_tail[tt] = ~0;
-	  }
+	vec_validate (pw->expired,
+		      ACL_N_TIMEOUTS *
+		      am->fa_max_deleted_sessions_per_interval);
+	_vec_len (pw->expired) = 0;
+	vec_validate_init_empty (pw->fa_conn_list_head, ACL_N_TIMEOUTS - 1,
+				 FA_SESSION_BOGUS_INDEX);
+	vec_validate_init_empty (pw->fa_conn_list_tail, ACL_N_TIMEOUTS - 1,
+				 FA_SESSION_BOGUS_INDEX);
+	vec_validate_init_empty (pw->fa_conn_list_head_expiry_time,
+				 ACL_N_TIMEOUTS - 1, ~0ULL);
       }
   }
 
-  am->fa_min_deleted_sessions_per_interval =
-    ACL_FA_DEFAULT_MIN_DELETED_SESSIONS_PER_INTERVAL;
-  am->fa_max_deleted_sessions_per_interval =
-    ACL_FA_DEFAULT_MAX_DELETED_SESSIONS_PER_INTERVAL;
-  am->fa_cleaner_wait_time_increment =
-    ACL_FA_DEFAULT_CLEANER_WAIT_TIME_INCREMENT;
-
   am->fa_cleaner_cnt_delete_by_sw_index = 0;
   am->fa_cleaner_cnt_delete_by_sw_index_ok = 0;
   am->fa_cleaner_cnt_unknown_event = 0;
@@ -4207,6 +4239,10 @@ acl_init (vlib_main_t * vm)
 
   /* use the new fancy hash-based matching */
   am->use_hash_acl_matching = 1;
+  /* use tuplemerge by default */
+  am->use_tuple_merge = 1;
+  /* Set the default threshold */
+  am->tuple_merge_split_threshold = TM_SPLIT_THRESHOLD;
 
   am->interface_acl_user_id = ~0;	/* defer till the first use */