X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fplugins%2Facl%2Facl.c;h=cdfe0682e8de737e50974af757328f9e97dc1134;hb=cada5a92faaf1dd2887df5ca200195011d2a0b8d;hp=80ef56613d4900ce7674e9334e111dd5169203bc;hpb=ef5dd4f2aec6df1b58aa8d07493acf486eccf802;p=vpp.git diff --git a/src/plugins/acl/acl.c b/src/plugins/acl/acl.c index 80ef56613d4..cdfe0682e8d 100644 --- a/src/plugins/acl/acl.c +++ b/src/plugins/acl/acl.c @@ -71,6 +71,7 @@ _(ACL_INTERFACE_SET_ACL_LIST, acl_interface_set_acl_list) \ _(ACL_DUMP, acl_dump) \ _(ACL_INTERFACE_LIST_DUMP, acl_interface_list_dump) \ _(MACIP_ACL_ADD, macip_acl_add) \ +_(MACIP_ACL_ADD_REPLACE, macip_acl_add_replace) \ _(MACIP_ACL_DEL, macip_acl_del) \ _(MACIP_ACL_INTERFACE_ADD_DEL, macip_acl_interface_add_del) \ _(MACIP_ACL_DUMP, macip_acl_dump) \ @@ -90,7 +91,7 @@ static void * acl_set_heap(acl_main_t *am) { if (0 == am->acl_mheap) { - am->acl_mheap = mheap_alloc (0 /* use VM */ , 2 << 29); + am->acl_mheap = mheap_alloc (0 /* use VM */ , am->acl_mheap_size); mheap_t *h = mheap_header (am->acl_mheap); h->flags |= MHEAP_FLAG_THREAD_SAFE; } @@ -949,8 +950,22 @@ macip_find_match_type (macip_match_type_t * mv, u8 * mac_mask, u8 prefix_len, static int match_type_metric (macip_match_type_t * m) { - /* FIXME: count the ones in the MAC mask as well, check how well this heuristic works in real life */ - return m->prefix_len + m->is_ipv6 + 10 * m->count; + unsigned int mac_bits_set = 0; + unsigned int mac_byte; + int i; + for (i=0; i<6; i++) + { + mac_byte = m->mac_mask[i]; + for (; mac_byte; mac_byte >>= 1) + mac_bits_set += mac_byte & 1; + } + /* + * Attempt to place the more specific and the more used rules on top. + * There are obvious caveat corner cases to this, but they do not + * seem to be sensible in real world (e.g. specific IPv4 with wildcard MAC + * going with a wildcard IPv4 with a specific MAC). + */ + return m->prefix_len + mac_bits_set + m->is_ipv6 + 10 * m->count; } static int @@ -994,7 +1009,7 @@ macip_create_classify_tables (acl_main_t * am, u32 macip_acl_index) match_type_index = vec_len (mvec); vec_validate (mvec, match_type_index); memcpy (mvec[match_type_index].mac_mask, - a->rules[match_type_index].src_mac_mask, 6); + a->rules[i].src_mac_mask, 6); mvec[match_type_index].prefix_len = a->rules[i].src_prefixlen; mvec[match_type_index].is_ipv6 = a->rules[i].is_ipv6; mvec[match_type_index].table_index = ~0; @@ -1144,6 +1159,18 @@ macip_acl_add_list (u32 count, vl_api_macip_acl_rule_t rules[], macip_acl_rule_t *r; macip_acl_rule_t *acl_new_rules = 0; int i; + + if (*acl_list_index != ~0) + { + /* They supplied some number, let's see if this MACIP ACL exists */ + if (pool_is_free_index (am->macip_acls, *acl_list_index)) + { + /* tried to replace a non-existent ACL, no point doing anything */ + clib_warning("acl-plugin-error: Trying to replace nonexistent MACIP ACL %d (tag %s)", *acl_list_index, tag); + return -1; + } + } + if (0 == count) { clib_warning("acl-plugin-warning: Trying to create empty MACIP ACL (tag %s)", tag); } @@ -1166,11 +1193,23 @@ macip_acl_add_list (u32 count, vl_api_macip_acl_rule_t rules[], r->src_prefixlen = rules[i].src_ip_prefix_len; } - /* Get ACL index */ - pool_get_aligned (am->macip_acls, a, CLIB_CACHE_LINE_BYTES); - memset (a, 0, sizeof (*a)); - /* Will return the newly allocated ACL index */ - *acl_list_index = a - am->macip_acls; + if (~0 == *acl_list_index) + { + /* Get ACL index */ + pool_get_aligned (am->macip_acls, a, CLIB_CACHE_LINE_BYTES); + memset (a, 0, sizeof (*a)); + /* Will return the newly allocated ACL index */ + *acl_list_index = a - am->macip_acls; + } + else + { + a = &am->macip_acls[*acl_list_index]; + if (a->rules) + { + vec_free (a->rules); + } + macip_destroy_classify_tables (am, *acl_list_index); + } a->rules = acl_new_rules; a->count = count; @@ -1619,6 +1658,30 @@ vl_api_macip_acl_add_t_handler (vl_api_macip_acl_add_t * mp) /* *INDENT-ON* */ } +static void +vl_api_macip_acl_add_replace_t_handler (vl_api_macip_acl_add_replace_t * mp) +{ + vl_api_macip_acl_add_replace_reply_t *rmp; + acl_main_t *am = &acl_main; + int rv; + u32 acl_list_index = ntohl (mp->acl_index); + u32 acl_count = ntohl (mp->count); + u32 expected_len = sizeof(*mp) + acl_count*sizeof(mp->r[0]); + + if (verify_message_len(mp, expected_len, "macip_acl_add_replace")) { + rv = macip_acl_add_list (acl_count, mp->r, &acl_list_index, mp->tag); + } else { + rv = VNET_API_ERROR_INVALID_VALUE; + } + + /* *INDENT-OFF* */ + REPLY_MACRO2(VL_API_MACIP_ACL_ADD_REPLACE_REPLY, + ({ + rmp->acl_index = htonl(acl_list_index); + })); + /* *INDENT-ON* */ +} + static void vl_api_macip_acl_del_t_handler (vl_api_macip_acl_del_t * mp) { @@ -1945,6 +2008,10 @@ static clib_error_t * acl_sw_interface_add_del (vnet_main_t * vnm, u32 sw_if_index, u32 is_add) { acl_main_t *am = &acl_main; + if (0 == am->acl_mheap) { + /* ACL heap is not initialized, so definitely nothing to do. */ + return 0; + } if (0 == is_add) { vlib_process_signal_event (am->vlib_main, am->fa_cleaner_node_index, ACL_FA_CLEANER_DELETE_BY_SW_IF_INDEX, sw_if_index); @@ -2091,6 +2158,75 @@ done: return error; } +static u8 * +my_format_mac_address (u8 * s, va_list * args) +{ + u8 *a = va_arg (*args, u8 *); + return format (s, "%02x:%02x:%02x:%02x:%02x:%02x", + a[0], a[1], a[2], a[3], a[4], a[5]); +} + +static inline u8 * +my_macip_acl_rule_t_pretty_format (u8 *out, va_list *args) +{ + macip_acl_rule_t *a = va_arg (*args, macip_acl_rule_t *); + + out = format(out, "%s action %d ip %U/%d mac %U mask %U", + a->is_ipv6 ? "ipv6" : "ipv4", a->is_permit, + format_ip46_address, &a->src_ip_addr, IP46_TYPE_ANY, + a->src_prefixlen, + my_format_mac_address, a->src_mac, + my_format_mac_address, a->src_mac_mask); + return(out); +} + +static void +macip_acl_print(acl_main_t *am, u32 macip_acl_index) +{ + vlib_main_t * vm = am->vlib_main; + int i; + + /* Don't try to print someone else's memory */ + if (macip_acl_index > vec_len(am->macip_acls)) + return; + + macip_acl_list_t *a = vec_elt_at_index(am->macip_acls, macip_acl_index); + int free_pool_slot = pool_is_free_index(am->macip_acls, macip_acl_index); + + vlib_cli_output(vm, "MACIP acl_index: %d, count: %d (true len %d) tag {%s} is free pool slot: %d\n", + macip_acl_index, a->count, vec_len(a->rules), a->tag, free_pool_slot); + vlib_cli_output(vm, " ip4_table_index %d, ip6_table_index %d, l2_table_index %d\n", + a->ip4_table_index, a->ip6_table_index, a->l2_table_index); + for(i=0; irules); i++) + vlib_cli_output(vm, " rule %d: %U\n", i, my_macip_acl_rule_t_pretty_format, + vec_elt_at_index(a->rules, i)); + +} + +static clib_error_t * +acl_show_aclplugin_macip_fn (vlib_main_t * vm, + unformat_input_t * input, + vlib_cli_command_t * cmd) +{ + clib_error_t *error = 0; + acl_main_t *am = &acl_main; + int i; + if (unformat (input, "interface")) + { + for(i=0; i < vec_len(am->macip_acl_by_sw_if_index); i++) + { + vlib_cli_output(vm, " sw_if_index %d: %d\n", i, vec_elt(am->macip_acl_by_sw_if_index, i)); + } + } + else if (unformat (input, "acl")) + { + for(i=0; i < vec_len(am->macip_acls); i++) + macip_acl_print(am, i); + } + return error; +} + + static clib_error_t * acl_show_aclplugin_fn (vlib_main_t * vm, unformat_input_t * input, @@ -2169,6 +2305,7 @@ acl_show_aclplugin_fn (vlib_main_t * vm, out0 = format(out0, " interrupt is pending: %d\n", pw->interrupt_is_pending); out0 = format(out0, " interrupt is needed: %d\n", pw->interrupt_is_needed); out0 = format(out0, " interrupt is unwanted: %d\n", pw->interrupt_is_unwanted); + out0 = format(out0, " interrupt generation: %d\n", pw->interrupt_generation); } out0 = format(out0, "\n\nConn cleaner thread counters:\n"); #define _(cnt, desc) out0 = format(out0, " %20lu: %s\n", am->cnt, desc); @@ -2176,6 +2313,7 @@ acl_show_aclplugin_fn (vlib_main_t * vm, #undef _ vec_terminate_c_string(out0); vlib_cli_output(vm, "\n\n%s\n\n", out0); + vlib_cli_output(vm, "Interrupt generation: %d\n", am->fa_interrupt_generation); vlib_cli_output(vm, "Sessions per interval: min %lu max %lu increment: %f ms current: %f ms", am->fa_min_deleted_sessions_per_interval, am->fa_max_deleted_sessions_per_interval, am->fa_cleaner_wait_time_increment * 1000.0, ((f64)am->fa_current_cleaner_timer_wait_interval) * 1000.0/(f64)vm->clib_time.clocks_per_second); @@ -2346,6 +2484,8 @@ acl_show_aclplugin_fn (vlib_main_t * vm, } hash_acl_info_t *ha = &am->hash_acl_infos[i]; out0 = format(out0, "acl-index %u bitmask-ready layout\n", i); + out0 = format(out0, " applied inbound on sw_if_index list: %U\n", format_vec32, ha->inbound_sw_if_index_list, "%d"); + out0 = format(out0, " applied outbound on sw_if_index list: %U\n", format_vec32, ha->outbound_sw_if_index_list, "%d"); out0 = format(out0, " mask type index bitmap: %U\n", format_bitmap_hex, ha->mask_type_index_bitmap); for(j=0; jrules); j++) { hash_ace_info_t *pa = &ha->rules[j]; @@ -2377,28 +2517,30 @@ acl_show_aclplugin_fn (vlib_main_t * vm, if (swi < vec_len(am->input_applied_hash_acl_info_by_sw_if_index)) { applied_hash_acl_info_t *pal = &am->input_applied_hash_acl_info_by_sw_if_index[swi]; out0 = format(out0, " input lookup mask_type_index_bitmap: %U\n", format_bitmap_hex, pal->mask_type_index_bitmap); + out0 = format(out0, " input applied acls: %U\n", format_vec32, pal->applied_acls, "%d"); } if (swi < vec_len(am->input_hash_entry_vec_by_sw_if_index)) { out0 = format(out0, " input lookup applied entries:\n"); for(j=0; jinput_hash_entry_vec_by_sw_if_index[swi]); j++) { applied_hash_ace_entry_t *pae = &am->input_hash_entry_vec_by_sw_if_index[swi][j]; - out0 = format(out0, " %4d: acl %d rule %d action %d bitmask-ready rule %d next %d prev %d tail %d\n", + out0 = format(out0, " %4d: acl %d rule %d action %d bitmask-ready rule %d next %d prev %d tail %d hitcount %lld\n", j, pae->acl_index, pae->ace_index, pae->action, pae->hash_ace_info_index, - pae->next_applied_entry_index, pae->prev_applied_entry_index, pae->tail_applied_entry_index); + pae->next_applied_entry_index, pae->prev_applied_entry_index, pae->tail_applied_entry_index, pae->hitcount); } } if (swi < vec_len(am->output_applied_hash_acl_info_by_sw_if_index)) { applied_hash_acl_info_t *pal = &am->output_applied_hash_acl_info_by_sw_if_index[swi]; out0 = format(out0, " output lookup mask_type_index_bitmap: %U\n", format_bitmap_hex, pal->mask_type_index_bitmap); + out0 = format(out0, " output applied acls: %U\n", format_vec32, pal->applied_acls, "%d"); } if (swi < vec_len(am->output_hash_entry_vec_by_sw_if_index)) { out0 = format(out0, " output lookup applied entries:\n"); for(j=0; joutput_hash_entry_vec_by_sw_if_index[swi]); j++) { applied_hash_ace_entry_t *pae = &am->output_hash_entry_vec_by_sw_if_index[swi][j]; - out0 = format(out0, " %4d: acl %d rule %d action %d bitmask-ready rule %d next %d prev %d tail %d\n", + out0 = format(out0, " %4d: acl %d rule %d action %d bitmask-ready rule %d next %d prev %d tail %d hitcount %lld\n", j, pae->acl_index, pae->ace_index, pae->action, pae->hash_ace_info_index, - pae->next_applied_entry_index, pae->prev_applied_entry_index, pae->tail_applied_entry_index); + pae->next_applied_entry_index, pae->prev_applied_entry_index, pae->tail_applied_entry_index, pae->hitcount); } } @@ -2440,6 +2582,13 @@ VLIB_CLI_COMMAND (aclplugin_show_command, static) = { .function = acl_show_aclplugin_fn, }; +VLIB_CLI_COMMAND (aclplugin_show_macip_command, static) = { + .path = "show acl-plugin macip", + .short_help = "show acl-plugin macip {acl|interface}", + .function = acl_show_aclplugin_macip_fn, +}; + + VLIB_CLI_COMMAND (aclplugin_clear_command, static) = { .path = "clear acl-plugin sessions", .short_help = "clear acl-plugin sessions", @@ -2447,7 +2596,47 @@ VLIB_CLI_COMMAND (aclplugin_clear_command, static) = { }; /* *INDENT-ON* */ - +static clib_error_t * +acl_plugin_config (vlib_main_t * vm, unformat_input_t * input) +{ + acl_main_t *am = &acl_main; + u32 conn_table_hash_buckets; + u32 conn_table_hash_memory_size; + u32 conn_table_max_entries; + u32 main_heap_size; + u32 hash_heap_size; + u32 hash_lookup_hash_buckets; + u32 hash_lookup_hash_memory; + + while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT) + { + if (unformat (input, "connection hash buckets %d", &conn_table_hash_buckets)) + am->fa_conn_table_hash_num_buckets = conn_table_hash_buckets; + else if (unformat (input, "connection hash memory %d", + &conn_table_hash_memory_size)) + am->fa_conn_table_hash_memory_size = conn_table_hash_memory_size; + else if (unformat (input, "connection count max %d", + &conn_table_max_entries)) + am->fa_conn_table_max_entries = conn_table_max_entries; + else if (unformat (input, "main heap size %d", + &main_heap_size)) + am->acl_mheap_size = main_heap_size; + else if (unformat (input, "hash lookup heap size %d", + &hash_heap_size)) + am->hash_lookup_mheap_size = hash_heap_size; + else if (unformat (input, "hash lookup hash buckets %d", + &hash_lookup_hash_buckets)) + am->hash_lookup_hash_buckets = hash_lookup_hash_buckets; + else if (unformat (input, "hash lookup hash memory %d", + &hash_lookup_hash_memory)) + am->hash_lookup_hash_memory = hash_lookup_hash_memory; + else + return clib_error_return (0, "unknown input '%U'", + format_unformat_error, input); + } + return 0; +} +VLIB_CONFIG_FUNCTION (acl_plugin_config, "acl-plugin"); static clib_error_t * acl_init (vlib_main_t * vm) @@ -2473,6 +2662,12 @@ acl_init (vlib_main_t * vm) acl_setup_fa_nodes(); + am->acl_mheap_size = ACL_FA_DEFAULT_HEAP_SIZE; + am->hash_lookup_mheap_size = ACL_PLUGIN_HASH_LOOKUP_HEAP_SIZE; + + am->hash_lookup_hash_buckets = ACL_PLUGIN_HASH_LOOKUP_HASH_BUCKETS; + am->hash_lookup_hash_memory = ACL_PLUGIN_HASH_LOOKUP_HASH_MEMORY; + am->session_timeout_sec[ACL_TIMEOUT_TCP_TRANSIENT] = TCP_SESSION_TRANSIENT_TIMEOUT_SEC; am->session_timeout_sec[ACL_TIMEOUT_TCP_IDLE] = TCP_SESSION_IDLE_TIMEOUT_SEC; am->session_timeout_sec[ACL_TIMEOUT_UDP_IDLE] = UDP_SESSION_IDLE_TIMEOUT_SEC;