snort: feature support on interface output

author Sivaprasad Tummala <Sivaprasad.Tummala@intel.com>

Fri, 21 Jan 2022 21:39:18 +0000 (03:09 +0530)

committer Damjan Marion <dmarion@me.com>

Sun, 30 Jan 2022 15:20:38 +0000 (15:20 +0000)
author Sivaprasad Tummala <Sivaprasad.Tummala@intel.com>
Fri, 21 Jan 2022 21:39:18 +0000 (03:09 +0530)
committer Damjan Marion <dmarion@me.com>
Sun, 30 Jan 2022 15:20:38 +0000 (15:20 +0000)
diff --git a/src/plugins/snort/cli.c b/src/plugins/snort/cli.c

index cbb33c7..08740f4 100644 (file)
--- a/src/plugins/snort/cli.c
+++ b/src/plugins/snort/cli.c
@@ -85,6 +85,7 @@ snort_attach_command_fn (vlib_main_t *vm, unformat_input_t *input,
    clib_error_t *err = 0;
    u8 *name = 0;
    u32 sw_if_index = ~0;
+  snort_attach_dir_t dir = SNORT_INOUT;
  
    /* Get a line of input. */
    if (!unformat_user (input, unformat_line_input, line_input))
@@ -97,6 +98,12 @@ snort_attach_command_fn (vlib_main_t *vm, unformat_input_t *input,
         ;
        else if (unformat (line_input, "instance %s", &name))
         ;
+      else if (unformat (line_input, "input"))
+       dir = SNORT_INPUT;
+      else if (unformat (line_input, "output"))
+       dir = SNORT_OUTPUT;
+      else if (unformat (line_input, "inout"))
+       dir = SNORT_INOUT;
        else
         {
           err = clib_error_return (0, "unknown input `%U'",
@@ -117,7 +124,8 @@ snort_attach_command_fn (vlib_main_t *vm, unformat_input_t *input,
        goto done;
      }
  
-  err = snort_interface_enable_disable (vm, (char *) name, sw_if_index, 1);
+  err =
+    snort_interface_enable_disable (vm, (char *) name, sw_if_index, 1, dir);
  
  done:
    vec_free (name);
@@ -127,7 +135,8 @@ done:
  
  VLIB_CLI_COMMAND (snort_attach_command, static) = {
    .path = "snort attach",
-  .short_help = "snort attach instance <name> interface <if-name>",
+  .short_help = "snort attach instance <name> interface <if-name> "
+               "[input|ouput|inout]",
    .function = snort_attach_command_fn,
  };
  
@@ -163,7 +172,7 @@ snort_detach_command_fn (vlib_main_t *vm, unformat_input_t *input,
        goto done;
      }
  
-  err = snort_interface_enable_disable (vm, 0, sw_if_index, 0);
+  err = snort_interface_enable_disable (vm, 0, sw_if_index, 0, SNORT_INOUT);
  
  done:
    unformat_free (line_input);
diff --git a/src/plugins/snort/enqueue.c b/src/plugins/snort/enqueue.c

index 3f44e80..147d3a4 100644 (file)
--- a/src/plugins/snort/enqueue.c
+++ b/src/plugins/snort/enqueue.c
@@ -75,9 +75,16 @@ snort_enq_node_inline (vlib_main_t *vm, vlib_node_runtime_t *node,
  
    while (n_left)
      {
+      u64 fa_data;
        u32 instance_index, next_index, n;
-      instance_index =
-       *(u32 *) vnet_feature_next_with_data (&next_index, b[0], sizeof (u32));
+      u32 l3_offset;
+
+      fa_data =
+       *(u64 *) vnet_feature_next_with_data (&next_index, b[0], sizeof (u64));
+
+      instance_index = (u32) (fa_data & 0xffffffff);
+      l3_offset =
+       (fa_data >> 32) ? vnet_buffer (b[0])->ip.save_rewrite_length : 0;
        si = vec_elt_at_index (sm->instances, instance_index);
  
        /* if client isn't connected skip enqueue and take default action */
@@ -108,7 +115,7 @@ snort_enq_node_inline (vlib_main_t *vm, vlib_node_runtime_t *node,
           /* fill descriptor */
           d->buffer_pool = b[0]->buffer_pool_index;
           d->length = b[0]->current_length;
-         d->offset = (u8 *) b[0]->data + b[0]->current_data -
+         d->offset = (u8 *) b[0]->data + b[0]->current_data + l3_offset -
                       sm->buffer_pool_base_addrs[d->buffer_pool];
           d->address_space_id = vnet_buffer (b[0])->sw_if_index[VLIB_RX];
         }
diff --git a/src/plugins/snort/main.c b/src/plugins/snort/main.c

index 6b7e49a..39c13a8 100644 (file)
--- a/src/plugins/snort/main.c
+++ b/src/plugins/snort/main.c
@@ -409,12 +409,14 @@ done:
  
  clib_error_t *
  snort_interface_enable_disable (vlib_main_t *vm, char *instance_name,
-                               u32 sw_if_index, int is_enable)
+                               u32 sw_if_index, int is_enable,
+                               snort_attach_dir_t snort_dir)
  {
    snort_main_t *sm = &snort_main;
    vnet_main_t *vnm = vnet_get_main ();
    snort_instance_t *si;
    clib_error_t *err = 0;
+  u64 fa_data;
    u32 index;
  
    if (is_enable)
@@ -440,8 +442,18 @@ snort_interface_enable_disable (vlib_main_t *vm, char *instance_name,
         }
  
        index = sm->instance_by_sw_if_index[sw_if_index] = si->index;
-      vnet_feature_enable_disable ("ip4-unicast", "snort-enq", sw_if_index, 1,
-                                  &index, sizeof (index));
+      if (snort_dir & SNORT_INPUT)
+       {
+         fa_data = (u64) index;
+         vnet_feature_enable_disable ("ip4-unicast", "snort-enq", sw_if_index,
+                                      1, &fa_data, sizeof (fa_data));
+       }
+      if (snort_dir & SNORT_OUTPUT)
+       {
+         fa_data = (1LL << 32 | index);
+         vnet_feature_enable_disable ("ip4-output", "snort-enq", sw_if_index,
+                                      1, &fa_data, sizeof (fa_data));
+       }
      }
    else
      {
@@ -459,8 +471,18 @@ snort_interface_enable_disable (vlib_main_t *vm, char *instance_name,
        si = vec_elt_at_index (sm->instances, index);
  
        sm->instance_by_sw_if_index[sw_if_index] = ~0;
-      vnet_feature_enable_disable ("ip4-unicast", "snort-enq", sw_if_index, 0,
-                                  &index, sizeof (index));
+      if (snort_dir & SNORT_INPUT)
+       {
+         fa_data = (u64) index;
+         vnet_feature_enable_disable ("ip4-unicast", "snort-enq", sw_if_index,
+                                      0, &fa_data, sizeof (fa_data));
+       }
+      if (snort_dir & SNORT_OUTPUT)
+       {
+         fa_data = (1LL << 32 | index);
+         vnet_feature_enable_disable ("ip4-output", "snort-enq", sw_if_index,
+                                      0, &fa_data, sizeof (fa_data));
+       }
      }
  
  done:
@@ -527,3 +549,9 @@ VNET_FEATURE_INIT (snort_enq, static) = {
    .node_name = "snort-enq",
    .runs_before = VNET_FEATURES ("ip4-lookup"),
  };
+
+VNET_FEATURE_INIT (snort_enq_out, static) = {
+  .arc_name = "ip4-output",
+  .node_name = "snort-enq",
+  .runs_before = VNET_FEATURES ("interface-output"),
+};
diff --git a/src/plugins/snort/snort.h b/src/plugins/snort/snort.h

index d069fa0..79299aa 100644 (file)
--- a/src/plugins/snort/snort.h
+++ b/src/plugins/snort/snort.h
@@ -90,6 +90,13 @@ typedef enum
    SNORT_ENQ_N_NEXT_NODES,
  } snort_enq_next_t;
  
+typedef enum
+{
+  SNORT_INPUT = 1,
+  SNORT_OUTPUT = 2,
+  SNORT_INOUT = 3
+} snort_attach_dir_t;
+
  #define SNORT_ENQ_NEXT_NODES                                                  \
    {                                                                           \
      [SNORT_ENQ_NEXT_DROP] = "error-drop",                                     \
@@ -100,7 +107,8 @@ clib_error_t *snort_instance_create (vlib_main_t *vm, char *name,
                                      u8 log2_queue_sz, u8 drop_on_disconnect);
  clib_error_t *snort_interface_enable_disable (vlib_main_t *vm,
                                               char *instance_name,
-                                             u32 sw_if_index, int is_enable);
+                                             u32 sw_if_index, int is_enable,
+                                             snort_attach_dir_t dir);
  clib_error_t *snort_set_node_mode (vlib_main_t *vm, u32 mode);
  
  always_inline void
author	Sivaprasad Tummala <Sivaprasad.Tummala@intel.com>
	Fri, 21 Jan 2022 21:39:18 +0000 (03:09 +0530)
committer	Damjan Marion <dmarion@me.com>
	Sun, 30 Jan 2022 15:20:38 +0000 (15:20 +0000)
src/plugins/snort/cli.c		patch \| blob \| history
src/plugins/snort/enqueue.c		patch \| blob \| history
src/plugins/snort/main.c		patch \| blob \| history
src/plugins/snort/snort.h		patch \| blob \| history