X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fplugins%2Facl%2Fdataplane_node.c;h=00cad47fb23e607b5d29b19fd667fe1703ca8b95;hb=0e10dd17b66736ac604f8e85ba17c202c893fb28;hp=f1ed4c28b993a88568ca072f08b49a7825a4aabf;hpb=4bc1796b346efd10f3fb19b176ff089179263a24;p=vpp.git diff --git a/src/plugins/acl/dataplane_node.c b/src/plugins/acl/dataplane_node.c index f1ed4c28b99..00cad47fb23 100644 --- a/src/plugins/acl/dataplane_node.c +++ b/src/plugins/acl/dataplane_node.c @@ -66,6 +66,18 @@ typedef enum /* *INDENT-ON* */ +always_inline u16 +get_current_policy_epoch (acl_main_t * am, int is_input, u32 sw_if_index0) +{ + u32 **p_epoch_vec = + is_input ? &am->input_policy_epoch_by_sw_if_index : + &am->output_policy_epoch_by_sw_if_index; + u16 current_policy_epoch = + sw_if_index0 < vec_len (*p_epoch_vec) ? vec_elt (*p_epoch_vec, + sw_if_index0) + : (is_input * FA_POLICY_EPOCH_IS_INPUT); + return current_policy_epoch; +} always_inline uword acl_fa_node_fn (vlib_main_t * vm, @@ -82,7 +94,6 @@ acl_fa_node_fn (vlib_main_t * vm, u32 trace_bitmap = 0; acl_main_t *am = &acl_main; fa_5tuple_t fa_5tuple; - clib_bihash_kv_40_8_t value_sess; vlib_node_runtime_t *error_node; u64 now = clib_cpu_time_now (); uword thread_index = os_get_thread_index (); 
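Review bot: get_current_policy_epoch, added in the @@ -66,6 +66,18 @@ hunk, reads an element of a `u32` vector into a `u16` and returns it with no cast or comment, so the narrowing is silent. The expression was already inline in acl_fa_node_fn, but as a named helper its contract should be written down. I would add a header comment such as `/* Policy epoch for sw_if_index0 in the given direction; an interface with no entry in the epoch vector falls back to is_input * FA_POLICY_EPOCH_IS_INPUT. The u32 element is narrowed to u16. */` and make the conversion explicit with `(u16) vec_elt (*p_epoch_vec, sw_if_index0)`. If epochs can exceed 16 bits, which this diff does not show, the return type should be widened instead.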
@@ -125,23 +136,17 @@ acl_fa_node_fn (vlib_main_t * vm, else lc_index0 = am->output_lc_index_by_sw_if_index[sw_if_index0]; - - u32 **p_epoch_vec = - is_input ? &am->input_policy_epoch_by_sw_if_index : - &am->output_policy_epoch_by_sw_if_index; u16 current_policy_epoch = - sw_if_index0 < vec_len (*p_epoch_vec) ? vec_elt (*p_epoch_vec, - sw_if_index0) - : (is_input * FA_POLICY_EPOCH_IS_INPUT); + get_current_policy_epoch (am, is_input, sw_if_index0); + + /* * Extract the L3/L4 matching info into a 5-tuple structure. */ - acl_plugin_fill_5tuple_inline (lc_index0, b[0], is_ip6, is_input, - is_l2_path, - (fa_5tuple_opaque_t *) & fa_5tuple); - fa_5tuple.l4.lsb_of_sw_if_index = sw_if_index0 & 0xffff; - fa_5tuple.pkt.mask_type_index_lsb = ~0; + acl_fill_5tuple (&acl_main, sw_if_index0, b[0], is_ip6, + is_input, is_l2_path, &fa_5tuple); + #ifdef FA_NODE_VERBOSE_DEBUG clib_warning ("ACL_FA_NODE_DBG: packet 5-tuple %016llx %016llx %016llx %016llx %016llx %016llx", @@ -153,14 +158,16 @@ acl_fa_node_fn (vlib_main_t * vm, if (acl_fa_ifc_has_sessions (am, sw_if_index0)) { - if (acl_fa_find_session (am, sw_if_index0, &fa_5tuple, &value_sess) - && (value_sess.value != ~0ULL)) + u64 value_sess = ~0ULL; + if (acl_fa_find_session + (am, is_ip6, sw_if_index0, &fa_5tuple, &value_sess) + && (value_sess != ~0ULL)) { trace_bitmap |= 0x80000000; error0 = ACL_FA_ERROR_ACL_EXIST_SESSION; fa_full_session_id_t f_sess_id; - f_sess_id.as_u64 = value_sess.value; + f_sess_id.as_u64 = value_sess; ASSERT (f_sess_id.thread_index < vec_len (vlib_mains)); fa_session_t *sess = @@ -233,7 +240,7 @@ acl_fa_node_fn (vlib_main_t * vm, if (acl_check_needed) { action = 0; /* deny by default */ - acl_plugin_match_5tuple_inline (lc_index0, + acl_plugin_match_5tuple_inline (&acl_main, lc_index0, (fa_5tuple_opaque_t *) & fa_5tuple, is_ip6, &action, &match_acl_pos, 
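Review bot: The @@ -125,23 +136,17 @@ hunk drops the explicit stores `fa_5tuple.l4.lsb_of_sw_if_index = sw_if_index0 & 0xffff;` and `fa_5tuple.pkt.mask_type_index_lsb = ~0;`, while `fa_5tuple` is declared without an initialiser and is passed as the key to acl_fa_find_session a few lines later. Every key byte therefore has to be written by acl_fill_5tuple, whose body is not part of this diff. Once that is confirmed, I would record it next to the call, e.g. `/* acl_fill_5tuple () writes every key field, including lsb_of_sw_if_index and mask_type_index_lsb */`. Separately, the call passes `&acl_main` although `am` already holds that pointer and the statement just above uses it, so `acl_fill_5tuple (am, sw_if_index0, b[0], is_ip6,` would be consistent. The same applies to `acl_plugin_match_5tuple_inline (&acl_main, lc_index0,` in the @@ -233,7 +240,7 @@ hunk.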
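Review bot: In the @@ -153,14 +158,16 @@ hunk the bare literal `~0ULL` is both the initial value of `value_sess` and the not-found test, and the hunk does not show whether acl_fa_find_session writes `value_sess` on a miss. A comment on the declaration such as `/* ~0ULL = no session; pre-set so a miss that leaves value_sess untouched still fails the test below */` would explain why both the return value and the sentinel are checked. The value then supplies `f_sess_id.thread_index`, which is guarded only by `ASSERT`, so the sentinel test is the last check in builds where assertions are compiled out. The enclosing block continues past the end of the hunk.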
@@ -274,7 +281,7 @@ acl_fa_node_fn (vlib_main_t * vm, if (is_l2_path) next0 = vnet_l2_feature_next (b[0], l2_feat_next_node_index, 0); else - vnet_feature_next (sw_if_index0, &next0, b[0]); + vnet_feature_next (&next0, b[0]); } #ifdef FA_NODE_VERBOSE_DEBUG clib_warning @@ -292,12 +299,12 @@ acl_fa_node_fn (vlib_main_t * vm, t->next_index = next0; t->match_acl_in_index = match_acl_in_index; t->match_rule_index = match_rule_index; - t->packet_info[0] = fa_5tuple.kv.key[0]; - t->packet_info[1] = fa_5tuple.kv.key[1]; - t->packet_info[2] = fa_5tuple.kv.key[2]; - t->packet_info[3] = fa_5tuple.kv.key[3]; - t->packet_info[4] = fa_5tuple.kv.key[4]; - t->packet_info[5] = fa_5tuple.kv.value; + t->packet_info[0] = fa_5tuple.kv_40_8.key[0]; + t->packet_info[1] = fa_5tuple.kv_40_8.key[1]; + t->packet_info[2] = fa_5tuple.kv_40_8.key[2]; + t->packet_info[3] = fa_5tuple.kv_40_8.key[3]; + t->packet_info[4] = fa_5tuple.kv_40_8.key[4]; + t->packet_info[5] = fa_5tuple.kv_40_8.value; t->action = action; t->trace_bitmap = trace_bitmap; } 
@@ -414,19 +421,30 @@ format_fa_5tuple (u8 * s, va_list * args) { fa_5tuple_t *p5t = va_arg (*args, fa_5tuple_t *); - return format (s, "lc_index %d (lsb16 of sw_if_index %d) l3 %s%s %U -> %U" - " l4 proto %d l4_valid %d port %d -> %d tcp flags (%s) %02x rsvd %x", - p5t->pkt.lc_index, p5t->l4.lsb_of_sw_if_index, - p5t->pkt.is_ip6 ? "ip6" : "ip4", - p5t->pkt.is_nonfirst_fragment ? " non-initial fragment" : "", - format_ip46_address, &p5t->addr[0], - p5t->pkt.is_ip6 ? IP46_TYPE_IP6 : IP46_TYPE_IP4, - format_ip46_address, &p5t->addr[1], - p5t->pkt.is_ip6 ? IP46_TYPE_IP6 : IP46_TYPE_IP4, - p5t->l4.proto, p5t->pkt.l4_valid, p5t->l4.port[0], - p5t->l4.port[1], - p5t->pkt.tcp_flags_valid ? "valid" : "invalid", - p5t->pkt.tcp_flags, p5t->pkt.flags_reserved); + if (p5t->pkt.is_ip6) + return format (s, "lc_index %d (lsb16 of sw_if_index %d) l3 %s%s %U -> %U" + " l4 proto %d l4_valid %d port %d -> %d tcp flags (%s) %02x rsvd %x", + p5t->pkt.lc_index, p5t->l4.lsb_of_sw_if_index, + "ip6", + p5t-> + pkt.is_nonfirst_fragment ? " non-initial fragment" : "", + format_ip6_address, &p5t->ip6_addr[0], format_ip6_address, + &p5t->ip6_addr[1], p5t->l4.proto, p5t->pkt.l4_valid, + p5t->l4.port[0], p5t->l4.port[1], + p5t->pkt.tcp_flags_valid ? "valid" : "invalid", + p5t->pkt.tcp_flags, p5t->pkt.flags_reserved); + else + return format (s, "lc_index %d (lsb16 of sw_if_index %d) l3 %s%s %U -> %U" + " l4 proto %d l4_valid %d port %d -> %d tcp flags (%s) %02x rsvd %x", + p5t->pkt.lc_index, p5t->l4.lsb_of_sw_if_index, + "ip4", + p5t-> + pkt.is_nonfirst_fragment ? " non-initial fragment" : "", + format_ip4_address, &p5t->ip4_addr[0], format_ip4_address, + &p5t->ip4_addr[1], p5t->l4.proto, p5t->pkt.l4_valid, + p5t->l4.port[0], p5t->l4.port[1], + p5t->pkt.tcp_flags_valid ? "valid" : "invalid", + p5t->pkt.tcp_flags, p5t->pkt.flags_reserved); } u8 *
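Review bot: The two branches added to format_fa_5tuple repeat the whole format string and argument list and differ only in the address formatter and the address field. A later edit to one branch can therefore leave the IPv4 and IPv6 trace output out of step without any compiler warning. Building the string in three steps keeps a single copy of the shared text and produces the same output. It also removes the `p5t->` / `pkt.is_nonfirst_fragment` expression that the indenter split across two lines.

```c
  fa_5tuple_t *p5t = va_arg (*args, fa_5tuple_t *);

  s = format (s, "lc_index %d (lsb16 of sw_if_index %d) l3 %s%s ",
	      p5t->pkt.lc_index, p5t->l4.lsb_of_sw_if_index,
	      p5t->pkt.is_ip6 ? "ip6" : "ip4",
	      p5t->pkt.is_nonfirst_fragment ? " non-initial fragment" : "");
  /* only the address pair depends on the address family */
  if (p5t->pkt.is_ip6)
    s = format (s, "%U -> %U", format_ip6_address, &p5t->ip6_addr[0],
		format_ip6_address, &p5t->ip6_addr[1]);
  else
    s = format (s, "%U -> %U", format_ip4_address, &p5t->ip4_addr[0],
		format_ip4_address, &p5t->ip4_addr[1]);
  return format (s, " l4 proto %d l4_valid %d port %d -> %d"
		 " tcp flags (%s) %02x rsvd %x",
		 p5t->l4.proto, p5t->pkt.l4_valid, p5t->l4.port[0],
		 p5t->l4.port[1],
		 p5t->pkt.tcp_flags_valid ? "valid" : "invalid",
		 p5t->pkt.tcp_flags, p5t->pkt.flags_reserved);
```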