X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fvnet%2Fip%2Fip_in_out_acl.c;h=d8d6d768e93c66fb7caa1357b619c2de19f4c936;hb=ab4d9174d890bff4c07b44957a20eacb33c88172;hp=2ed571a0ce07f135d9937ccc077559f918068e26;hpb=849b474dc4d94570a2df0cee8c7e2504e21c8b6e;p=vpp.git diff --git a/src/vnet/ip/ip_in_out_acl.c b/src/vnet/ip/ip_in_out_acl.c index 2ed571a0ce0..d8d6d768e93 100644 --- a/src/vnet/ip/ip_in_out_acl.c +++ b/src/vnet/ip/ip_in_out_acl.c @@ -32,11 +32,26 @@ format_ip_in_out_acl_trace (u8 * s, u32 is_output, va_list * args) CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *); CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *); ip_in_out_acl_trace_t *t = va_arg (*args, ip_in_out_acl_trace_t *); - - s = format (s, "%s: sw_if_index %d, next_index %d, table %d, offset %d", - is_output ? "OUTACL" : "INACL", - t->sw_if_index, t->next_index, t->table_index, t->offset); - return s; + const vnet_classify_main_t *vcm = &vnet_classify_main; + const u32 indent = format_get_indent (s); + vnet_classify_table_t *table; + vnet_classify_entry_t *e; + + s = + format (s, "%s: sw_if_index %d, next_index %d, table_index %d, offset %d", + is_output ? "OUTACL" : "INACL", t->sw_if_index, t->next_index, + t->table_index, t->offset); + + if (pool_is_free_index (vcm->tables, t->table_index)) + return format (s, "\n%Uno table", format_white_space, indent + 4); + + if (~0 == t->offset) + return format (s, "\n%Uno match", format_white_space, indent + 4); + + table = vnet_classify_table_get (t->table_index); + e = vnet_classify_get_entry (table, t->offset); + return format (s, "\n%U%U", format_white_space, indent + 4, + format_classify_entry, table, e); } static u8 * 
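Review bot: In `format_ip_in_out_acl_trace` the recorded `t->offset` is now resolved against live classifier state when the trace is displayed, and only the table index is validated (`pool_is_free_index`) before `vnet_classify_get_entry (table, t->offset)` runs. A table deleted and re-created at the same index, or an entry removed between capture and display, would leave the offset stale, so the formatter could print an unrelated entry or read outside the table's entry storage (inferred; the accessor is not shown here). The node may also record `~0` as `table_index` when no table is attached, so it is worth confirming that `pool_is_free_index` tolerates that value. At minimum add a comment above the lookup such as `/* table and entry are resolved at display time; the recorded offset is only valid while the table is unchanged */`, and bound-check the offset if the classifier offers a way to do so.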
@@ -97,16 +112,14 @@ static char *ip_outacl_error_strings[] = { }; static_always_inline void -ip_in_out_acl_inline_trace (vlib_main_t *vm, vlib_node_runtime_t *node, - vlib_frame_t *frame, vlib_buffer_t **b, u16 *next, - u32 n_left, u32 *hits__, u32 *misses__, - u32 *chain_hits__, const vlib_error_t error_none, - const vlib_error_t error_deny, - const vlib_error_t error_miss, - vnet_classify_table_t *tables, - const u32 *table_index_by_sw_if_index, - vnet_config_main_t *cm, const vlib_rx_or_tx_t way, - const int is_output, const int do_trace) +ip_in_out_acl_inline_trace ( + vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *frame, + vlib_buffer_t **b, u16 *next, u32 n_left, u32 *hits__, u32 *misses__, + u32 *chain_hits__, const vlib_error_t error_none, + const vlib_error_t error_deny, const vlib_error_t error_miss, + vnet_classify_table_t *tables, const u32 *table_index_by_sw_if_index, + u32 *fib_index_by_sw_if_index, vnet_config_main_t *cm, + const vlib_rx_or_tx_t way, const int is_output, const int do_trace) { f64 now = vlib_time_now (vm); u32 hits = 0; @@ -117,7 +130,7 @@ ip_in_out_acl_inline_trace (vlib_main_t *vm, vlib_node_runtime_t *node, u32 sw_if_index[4]; u32 table_index[4]; vnet_classify_table_t *t[4] = { 0, 0 }; - u64 hash[4]; + u32 hash[4]; /* calculate hashes for b[0] & b[1] */ if (n_left >= 2) 
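Review bot: In the `@@ -117` hunk `hash[4]` narrows from `u64` to `u32` (and `hash0` does the same in the `@@ -522` hunk), while the values still come from `vnet_classify_hash_packet_inline`, whose prototype is not part of this file's diff. If that function or `vnet_classify_find_entry_inline` still works with a 64-bit hash, the assignment truncates silently and the lookup would use a different value than the one computed. Please confirm the classifier header changes in the same commit; a one-line comment such as `/* classifier hash is 32 bits wide, see vnet_classify_hash_packet_inline */` would record the dependency. The body of `ip_in_out_acl_inline_trace` continues outside the hunk.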
@@ -149,16 +162,16 @@ ip_in_out_acl_inline_trace (vlib_main_t *vm, vlib_node_runtime_t *node, if (is_output) { /* Save the rewrite length, since we are using the l2_classify struct */ - vnet_buffer (b[0])->l2_classify.pad.l2_len = + vnet_buffer (b[0])->l2.l2_len = vnet_buffer (b[0])->ip.save_rewrite_length; /* advance the match pointer so the matching happens on IP header */ - h[2] += vnet_buffer (b[0])->l2_classify.pad.l2_len; + h[2] += vnet_buffer (b[0])->l2.l2_len; /* Save the rewrite length, since we are using the l2_classify struct */ - vnet_buffer (b[1])->l2_classify.pad.l2_len = + vnet_buffer (b[1])->l2.l2_len = vnet_buffer (b[1])->ip.save_rewrite_length; /* advance the match pointer so the matching happens on IP header */ - h[3] += vnet_buffer (b[1])->l2_classify.pad.l2_len; + h[3] += vnet_buffer (b[1])->l2.l2_len; } hash[2] = vnet_classify_hash_packet_inline (t[2], (u8 *) h[2]); @@ -239,16 +252,16 @@ ip_in_out_acl_inline_trace (vlib_main_t *vm, vlib_node_runtime_t *node, if (is_output) { /* Save the rewrite length, since we are using the l2_classify struct */ - vnet_buffer (b[2])->l2_classify.pad.l2_len = + vnet_buffer (b[2])->l2.l2_len = vnet_buffer (b[2])->ip.save_rewrite_length; /* advance the match pointer so the matching happens on IP header */ - h[2] += vnet_buffer (b[2])->l2_classify.pad.l2_len; + h[2] += vnet_buffer (b[2])->l2.l2_len; /* Save the rewrite length, since we are using the l2_classify struct */ - vnet_buffer (b[3])->l2_classify.pad.l2_len = + vnet_buffer (b[3])->l2.l2_len = vnet_buffer (b[3])->ip.save_rewrite_length; /* advance the match pointer so the matching happens on IP header */ - h[3] += vnet_buffer (b[3])->l2_classify.pad.l2_len; + h[3] += vnet_buffer (b[3])->l2.l2_len; } hash[2] = vnet_classify_hash_packet_inline (t[2], (u8 *) h[2]); 
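Review bot: The context comment `/* Save the rewrite length, since we are using the l2_classify struct */` no longer matches the new lines in the `@@ -149` hunk, which store the length in `l2.l2_len` instead of `l2_classify.pad.l2_len`; the same stale comment sits over the changed lines in the `@@ -239` and `@@ -538` hunks. The node still writes `l2_classify.hash` afterwards (visible in the `@@ -538` hunk), so correctness depends on `l2.l2_len` not overlapping the `l2_classify` fields in the buffer opaque, a layout this diff does not show. Suggest rewording to `/* Save the rewrite length in l2.l2_len; it must not overlap the l2_classify fields used below */`.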
@@ -301,8 +314,13 @@ ip_in_out_acl_inline_trace (vlib_main_t *vm, vlib_node_runtime_t *node, e[0]->action == CLASSIFY_ACTION_SET_IP6_FIB_INDEX) vnet_buffer (b[0])->sw_if_index[VLIB_TX] = e[0]->metadata; else if (e[0]->action == CLASSIFY_ACTION_SET_METADATA) - vnet_buffer (b[0])->ip.adj_index[VLIB_TX] = - e[0]->metadata; + { + vnet_buffer (b[0])->ip.adj_index[VLIB_TX] = + e[0]->metadata; + /* For source check in case we skip the lookup node */ + ip_lookup_set_buffer_fib_index (fib_index_by_sw_if_index, + b[0]); + } } } else @@ -333,7 +351,7 @@ ip_in_out_acl_inline_trace (vlib_main_t *vm, vlib_node_runtime_t *node, /* advance the match pointer so the matching happens on IP header */ if (is_output) - h[0] += vnet_buffer (b[0])->l2_classify.pad.l2_len; + h[0] += vnet_buffer (b[0])->l2.l2_len; hash[0] = vnet_classify_hash_packet_inline (t[0], (u8 *) h[0]); @@ -364,8 +382,14 @@ ip_in_out_acl_inline_trace (vlib_main_t *vm, vlib_node_runtime_t *node, e[0]->metadata; else if (e[0]->action == CLASSIFY_ACTION_SET_METADATA) - vnet_buffer (b[0])->ip.adj_index[VLIB_TX] = - e[0]->metadata; + { + vnet_buffer (b[0])->ip.adj_index[VLIB_TX] = + e[0]->metadata; + /* For source check in case we skip the lookup + * node */ + ip_lookup_set_buffer_fib_index ( + fib_index_by_sw_if_index, b[0]); + } } break; } @@ -397,8 +421,13 @@ ip_in_out_acl_inline_trace (vlib_main_t *vm, vlib_node_runtime_t *node, e[1]->action == CLASSIFY_ACTION_SET_IP6_FIB_INDEX) vnet_buffer (b[1])->sw_if_index[VLIB_TX] = e[1]->metadata; else if (e[1]->action == CLASSIFY_ACTION_SET_METADATA) - vnet_buffer (b[1])->ip.adj_index[VLIB_TX] = - e[1]->metadata; + { + vnet_buffer (b[1])->ip.adj_index[VLIB_TX] = + e[1]->metadata; + /* For source check in case we skip the lookup node */ + ip_lookup_set_buffer_fib_index (fib_index_by_sw_if_index, + b[1]); + } } } else 
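Review bot: `ip_lookup_set_buffer_fib_index (fib_index_by_sw_if_index, b[0])` in the `@@ -301` hunk is called with whatever table pointer the node passed in, and the output nodes `ip4_outacl_node` and `ip6_outacl_node` pass `NULL` for it. The condition that keeps this branch off the output path lies outside the hunk, so the safety of the call rests on a guard this diff does not show; the same call is added in the `@@ -364`, `@@ -397`, `@@ -460`, `@@ -589` and `@@ -647` hunks. Suggest making the contract explicit next to the call with `ASSERT (fib_index_by_sw_if_index);`, and labelling the argument at the output call sites as `NULL /* fib_index_by_sw_if_index, unused on output */`.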
@@ -429,7 +458,7 @@ ip_in_out_acl_inline_trace (vlib_main_t *vm, vlib_node_runtime_t *node, /* advance the match pointer so the matching happens on IP header */ if (is_output) - h[1] += vnet_buffer (b[1])->l2_classify.pad.l2_len; + h[1] += vnet_buffer (b[1])->l2.l2_len; hash[1] = vnet_classify_hash_packet_inline (t[1], (u8 *) h[1]); @@ -460,8 +489,14 @@ ip_in_out_acl_inline_trace (vlib_main_t *vm, vlib_node_runtime_t *node, e[1]->metadata; else if (e[1]->action == CLASSIFY_ACTION_SET_METADATA) - vnet_buffer (b[1])->ip.adj_index[VLIB_TX] = - e[1]->metadata; + { + vnet_buffer (b[1])->ip.adj_index[VLIB_TX] = + e[1]->metadata; + /* For source check in case we skip the lookup + * node */ + ip_lookup_set_buffer_fib_index ( + fib_index_by_sw_if_index, b[1]); + } } break; } @@ -476,7 +511,7 @@ ip_in_out_acl_inline_trace (vlib_main_t *vm, vlib_node_runtime_t *node, _t->sw_if_index = ~0 == way ? 0 : vnet_buffer (b[0])->sw_if_index[way]; _t->next_index = _next[0]; - _t->table_index = t[0] ? t[0] - tables : ~0; + _t->table_index = table_index[0]; _t->offset = (e[0] && t[0]) ? vnet_classify_get_offset (t[0], e[0]) : ~0; } @@ -488,7 +523,7 @@ ip_in_out_acl_inline_trace (vlib_main_t *vm, vlib_node_runtime_t *node, _t->sw_if_index = ~0 == way ? 0 : vnet_buffer (b[1])->sw_if_index[way]; _t->next_index = _next[1]; - _t->table_index = t[1] ? t[1] - tables : ~0; + _t->table_index = table_index[1]; _t->offset = (e[1] && t[1]) ? vnet_classify_get_offset (t[1], e[1]) : ~0; } @@ -522,7 +557,7 @@ ip_in_out_acl_inline_trace (vlib_main_t *vm, vlib_node_runtime_t *node, vnet_classify_table_t *t0 = 0; vnet_classify_entry_t *e0 = 0; u32 next0 = ACL_NEXT_INDEX_DENY; - u64 hash0; + u32 hash0; sw_if_index0 = ~0 == way ? 0 : vnet_buffer (b[0])->sw_if_index[way]; table_index0 = table_index_by_sw_if_index[sw_if_index0]; 
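Review bot: In the `@@ -476` hunk the trace now records `table_index[0]` while `_t->offset` on the following line is still computed from `t[0]`; the `@@ -488` hunk does the same for index 1 and the `@@ -663` hunk for `table_index0`/`t0`. If the lookup walked to a chained table and `t[0]` was advanced without `table_index[0]` being updated (the chain loop is outside these hunks), the trace would pair the head table's index with an offset from a different table, and the formatter changed in this commit would resolve that offset against the wrong table. Please confirm the chain loop keeps `table_index[]` in step with `t[]`, or keep deriving the index from the table pointer with `t[0] ? t[0] - tables : ~0`.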
@@ -538,10 +573,10 @@ ip_in_out_acl_inline_trace (vlib_main_t *vm, vlib_node_runtime_t *node, if (is_output) { /* Save the rewrite length, since we are using the l2_classify struct */ - vnet_buffer (b[0])->l2_classify.pad.l2_len = + vnet_buffer (b[0])->l2.l2_len = vnet_buffer (b[0])->ip.save_rewrite_length; /* advance the match pointer so the matching happens on IP header */ - h0 += vnet_buffer (b[0])->l2_classify.pad.l2_len; + h0 += vnet_buffer (b[0])->l2.l2_len; } vnet_buffer (b[0])->l2_classify.hash = @@ -567,7 +602,7 @@ ip_in_out_acl_inline_trace (vlib_main_t *vm, vlib_node_runtime_t *node, /* advance the match pointer so the matching happens on IP header */ if (is_output) - h0 += vnet_buffer (b[0])->l2_classify.pad.l2_len; + h0 += vnet_buffer (b[0])->l2.l2_len; e0 = vnet_classify_find_entry_inline (t0, (u8 *) h0, hash0, now); if (e0) @@ -589,7 +624,12 @@ ip_in_out_acl_inline_trace (vlib_main_t *vm, vlib_node_runtime_t *node, e0->action == CLASSIFY_ACTION_SET_IP6_FIB_INDEX) vnet_buffer (b[0])->sw_if_index[VLIB_TX] = e0->metadata; else if (e0->action == CLASSIFY_ACTION_SET_METADATA) - vnet_buffer (b[0])->ip.adj_index[VLIB_TX] = e0->metadata; + { + vnet_buffer (b[0])->ip.adj_index[VLIB_TX] = e0->metadata; + /* For source check in case we skip the lookup node */ + ip_lookup_set_buffer_fib_index (fib_index_by_sw_if_index, + b[0]); + } } } else @@ -620,7 +660,7 @@ ip_in_out_acl_inline_trace (vlib_main_t *vm, vlib_node_runtime_t *node, /* advance the match pointer so the matching happens on IP header */ if (is_output) - h0 += vnet_buffer (b[0])->l2_classify.pad.l2_len; + h0 += vnet_buffer (b[0])->l2.l2_len; hash0 = vnet_classify_hash_packet_inline (t0, (u8 *) h0); e0 = vnet_classify_find_entry_inline 
@@ -647,8 +687,14 @@ ip_in_out_acl_inline_trace (vlib_main_t *vm, vlib_node_runtime_t *node, vnet_buffer (b[0])->sw_if_index[VLIB_TX] = e0->metadata; else if (e0->action == CLASSIFY_ACTION_SET_METADATA) - vnet_buffer (b[0])->ip.adj_index[VLIB_TX] = - e0->metadata; + { + vnet_buffer (b[0])->ip.adj_index[VLIB_TX] = + e0->metadata; + /* For source check in case we skip the lookup + * node */ + ip_lookup_set_buffer_fib_index ( + fib_index_by_sw_if_index, b[0]); + } } break; } @@ -663,7 +709,7 @@ ip_in_out_acl_inline_trace (vlib_main_t *vm, vlib_node_runtime_t *node, t->sw_if_index = ~0 == way ? 0 : vnet_buffer (b[0])->sw_if_index[way]; t->next_index = next0; - t->table_index = t0 - tables; + t->table_index = table_index0; t->offset = (e0 && t0) ? vnet_classify_get_offset (t0, e0) : ~0; } @@ -689,6 +735,7 @@ ip_in_out_acl_inline_trace (vlib_main_t *vm, vlib_node_runtime_t *node, static_always_inline uword ip_in_out_acl_inline (vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *frame, const in_out_acl_table_id_t tid, + u32 *fib_index_by_sw_if_index, const vlib_node_registration_t *parent_error_node, const u32 error_none_index, const u32 error_deny_index, const u32 error_miss_index, const vlib_rx_or_tx_t way, @@ -715,7 +762,8 @@ ip_in_out_acl_inline (vlib_main_t *vm, vlib_node_runtime_t *node, ip_in_out_acl_inline_trace ( \ vm, node, frame, bufs, nexts, frame->n_vectors, &hits, &misses, \ &chain_hits, error_deny, error_miss, error_none, tables, \ - table_index_by_sw_if_index, cm, way, is_output, do_trace) + table_index_by_sw_if_index, fib_index_by_sw_if_index, cm, way, is_output, \ + do_trace) if (PREDICT_FALSE (node->flags & VLIB_NODE_FLAG_TRACE)) ip_in_out_acl_inline_trace__ (1 /* do_trace */); 
@@ -741,27 +789,28 @@ VLIB_NODE_FN (ip4_inacl_node) (vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *frame) { return ip_in_out_acl_inline ( - vm, node, frame, IN_OUT_ACL_TABLE_IP4, &ip4_input_node, IP4_ERROR_NONE, - IP4_ERROR_INACL_SESSION_DENY, IP4_ERROR_INACL_TABLE_MISS, VLIB_RX, - 0 /* is_output */); + vm, node, frame, IN_OUT_ACL_TABLE_IP4, ip4_main.fib_index_by_sw_if_index, + &ip4_input_node, IP4_ERROR_NONE, IP4_ERROR_INACL_SESSION_DENY, + IP4_ERROR_INACL_TABLE_MISS, VLIB_RX, 0 /* is_output */); } VLIB_NODE_FN (ip4_punt_acl_node) (vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *frame) { return ip_in_out_acl_inline ( - vm, node, frame, IN_OUT_ACL_TABLE_IP4_PUNT, &ip4_input_node, - IP4_ERROR_NONE, IP4_ERROR_INACL_SESSION_DENY, IP4_ERROR_INACL_TABLE_MISS, - ~0 /* way */, 0 /* is_output */); + vm, node, frame, IN_OUT_ACL_TABLE_IP4_PUNT, + ip4_main.fib_index_by_sw_if_index, &ip4_input_node, IP4_ERROR_NONE, + IP4_ERROR_INACL_SESSION_DENY, IP4_ERROR_INACL_TABLE_MISS, ~0 /* way */, + 0 /* is_output */); } VLIB_NODE_FN (ip4_outacl_node) (vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *frame) { return ip_in_out_acl_inline ( - vm, node, frame, IN_OUT_ACL_TABLE_IP4, &ip4_input_node, IP4_ERROR_NONE, - IP4_ERROR_INACL_SESSION_DENY, IP4_ERROR_INACL_TABLE_MISS, VLIB_TX, - 1 /* is_output */); + vm, node, frame, IN_OUT_ACL_TABLE_IP4, NULL, &ip4_input_node, + IP4_ERROR_NONE, IP4_ERROR_INACL_SESSION_DENY, IP4_ERROR_INACL_TABLE_MISS, + VLIB_TX, 1 /* is_output */); } /* *INDENT-OFF* */ 
@@ -815,27 +864,28 @@ VLIB_NODE_FN (ip6_inacl_node) (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame) { return ip_in_out_acl_inline ( - vm, node, frame, IN_OUT_ACL_TABLE_IP6, &ip6_input_node, IP6_ERROR_NONE, - IP6_ERROR_INACL_SESSION_DENY, IP6_ERROR_INACL_TABLE_MISS, VLIB_RX, - 0 /* is_output */); + vm, node, frame, IN_OUT_ACL_TABLE_IP6, ip6_main.fib_index_by_sw_if_index, + &ip6_input_node, IP6_ERROR_NONE, IP6_ERROR_INACL_SESSION_DENY, + IP6_ERROR_INACL_TABLE_MISS, VLIB_RX, 0 /* is_output */); } VLIB_NODE_FN (ip6_punt_acl_node) (vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *frame) { return ip_in_out_acl_inline ( - vm, node, frame, IN_OUT_ACL_TABLE_IP6_PUNT, &ip6_input_node, - IP6_ERROR_NONE, IP6_ERROR_INACL_SESSION_DENY, IP6_ERROR_INACL_TABLE_MISS, - ~0 /* way */, 0 /* is_output */); + vm, node, frame, IN_OUT_ACL_TABLE_IP6_PUNT, + ip4_main.fib_index_by_sw_if_index, &ip6_input_node, IP6_ERROR_NONE, + IP6_ERROR_INACL_SESSION_DENY, IP6_ERROR_INACL_TABLE_MISS, ~0 /* way */, + 0 /* is_output */); } VLIB_NODE_FN (ip6_outacl_node) (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame) { return ip_in_out_acl_inline ( - vm, node, frame, IN_OUT_ACL_TABLE_IP6, &ip6_input_node, IP6_ERROR_NONE, - IP6_ERROR_INACL_SESSION_DENY, IP6_ERROR_INACL_TABLE_MISS, VLIB_TX, - 1 /* is_output */); + vm, node, frame, IN_OUT_ACL_TABLE_IP6, NULL, &ip6_input_node, + IP6_ERROR_NONE, IP6_ERROR_INACL_SESSION_DENY, IP6_ERROR_INACL_TABLE_MISS, + VLIB_TX, 1 /* is_output */); } /* *INDENT-OFF* */
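Review bot: `ip6_punt_acl_node` passes `ip4_main.fib_index_by_sw_if_index` although it is the IPv6 punt node; `ip6_inacl_node` just above it uses `ip6_main.fib_index_by_sw_if_index`. With the IPv4 table, the `CLASSIFY_ACTION_SET_METADATA` path would stamp IPv6 packets with an IPv4 FIB index, so the source check mentioned in the added comment would run against the wrong table, and the index into the IPv4 vector is not guaranteed to be in range for an interface set up only for IPv6 (inferred; the helper is not shown). This looks like a copy-paste from `ip4_punt_acl_node`; the argument should be `ip6_main.fib_index_by_sw_if_index,`.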