#include <vnet/vxlan-gbp/vxlan_gbp.h>
#include <plugins/gbp/gbp.h>
+#include <plugins/gbp/gbp_policy.h>
#include <plugins/gbp/gbp_policy_dpo.h>
#include <plugins/gbp/gbp_recirc.h>
+#include <plugins/gbp/gbp_contract.h>
#ifndef CLIB_MARCH_VARIANT
/**
VLIB_INIT_FUNCTION (gbp_policy_dpo_module_init);
#endif /* CLIB_MARCH_VARIANT */
-typedef enum
-{
-#define _(sym,str) GBP_POLICY_DPO_ERROR_##sym,
- foreach_gbp_policy_error
-#undef _
- GBP_POLICY_N_ERROR,
-} gbp_policy_dpo_error_t;
-
-static char *gbp_policy_dpo_error_strings[] = {
-#define _(sym,string) string,
- foreach_gbp_policy_error
-#undef _
-};
-
-typedef struct gbp_policy_dpo_trace_t_
-{
- gbp_scope_t scope;
- sclass_t sclass;
- sclass_t dclass;
- u32 acl_index;
- u32 flags;
- u32 action;
- u32 gci;
-} gbp_policy_dpo_trace_t;
-
typedef enum
{
GBP_POLICY_DROP,
vlib_frame_t * from_frame, u8 is_ip6)
{
gbp_main_t *gm = &gbp_main;
- u32 n_left_from, next_index, *from, *to_next, thread_index;
+ u32 n_left_from, next_index, *from, *to_next;
u32 n_allow_intra, n_allow_a_bit, n_allow_sclass_1;
- gbp_rule_t *gu;
from = vlib_frame_vector_args (from_frame);
n_left_from = from_frame->n_vectors;
n_allow_intra = n_allow_a_bit = n_allow_sclass_1 = 0;
- thread_index = vm->thread_index;
next_index = node->cached_next_index;
while (n_left_from > 0 && n_left_to_next > 0)
{
const gbp_policy_dpo_t *gpd0;
+ gbp_rule_action_t action0;
+ gbp_contract_error_t err0;
u32 bi0, next0;
gbp_contract_key_t key0;
- gbp_contract_t *gc0;
vlib_buffer_t *b0;
- index_t gci0;
- u8 action0;
+ gbp_rule_t *rule0;
- action0 = 0;
bi0 = from[0];
to_next[0] = bi0;
from += 1;
b0 = vlib_get_buffer (vm, bi0);
- gc0 = NULL;
gpd0 = gbp_policy_dpo_get (vnet_buffer (b0)->ip.adj_index[VLIB_TX]);
vnet_buffer (b0)->ip.adj_index[VLIB_TX] = gpd0->gpd_dpo.dpoi_index;
goto trace;
}
+ /* zero out the key to ensure the pad space is clear */
key0.as_u64 = 0;
- key0.gck_scope = gpd0->gpd_scope;
key0.gck_src = vnet_buffer2 (b0)->gbp.sclass;
- key0.gck_dst = gpd0->gpd_sclass;
- if (SCLASS_INVALID != key0.gck_src)
- {
- if (PREDICT_FALSE (key0.gck_src == key0.gck_dst))
- {
- /*
- * intra-epg allowed
- */
- next0 = gpd0->gpd_dpo.dpoi_next_node;
- vnet_buffer2 (b0)->gbp.flags |= VXLAN_GBP_GPFLAGS_A;
- n_allow_intra++;
- action0 = 0;
- }
- else if (PREDICT_FALSE (key0.gck_src == 1 || key0.gck_dst == 1))
- {
- /*
- * sclass or dclass 1 allowed
- */
- next0 = gpd0->gpd_dpo.dpoi_next_node;
- vnet_buffer2 (b0)->gbp.flags |= VXLAN_GBP_GPFLAGS_A;
- n_allow_sclass_1++;
- action0 = 0;
- }
- else
- {
- gci0 = gbp_contract_find (&key0);
-
- if (INDEX_INVALID != gci0)
- {
- fa_5tuple_opaque_t pkt_5tuple0;
- u32 acl_pos_p0, acl_match_p0;
- u32 rule_match_p0, trace_bitmap0;
- /*
- * tests against the ACL
- */
- gc0 = gbp_contract_get (gci0);
- acl_plugin_fill_5tuple_inline (gm->
- acl_plugin.p_acl_main,
- gc0->gc_lc_index, b0,
- is_ip6,
- /* is_input */ 1,
- /* is_l2_path */ 0,
- &pkt_5tuple0);
- acl_plugin_match_5tuple_inline (gm->
- acl_plugin.p_acl_main,
- gc0->gc_lc_index,
- &pkt_5tuple0, is_ip6,
- &action0, &acl_pos_p0,
- &acl_match_p0,
- &rule_match_p0,
- &trace_bitmap0);
-
- if (action0 > 0)
- {
- vnet_buffer2 (b0)->gbp.flags |= VXLAN_GBP_GPFLAGS_A;
- gu = gbp_rule_get (gc0->gc_rules[rule_match_p0]);
- action0 = gu->gu_action;
-
- switch (gu->gu_action)
- {
- case GBP_RULE_PERMIT:
- next0 = gpd0->gpd_dpo.dpoi_next_node;
- break;
- case GBP_RULE_DENY:
- next0 = GBP_POLICY_DROP;
- break;
- case GBP_RULE_REDIRECT:
- next0 = gbp_rule_l3_redirect (gu, b0, is_ip6);
- break;
- }
- }
- if (next0 == GBP_POLICY_DROP)
- {
- vlib_increment_combined_counter
- (&gbp_contract_drop_counters,
- thread_index,
- gci0, 1, vlib_buffer_length_in_chain (vm, b0));
- b0->error =
- node->errors[GBP_POLICY_DPO_ERROR_DROP_CONTRACT];
- }
- else
- {
- vlib_increment_combined_counter
- (&gbp_contract_permit_counters,
- thread_index,
- gci0, 1, vlib_buffer_length_in_chain (vm, b0));
- }
-
- }
- else
- {
- b0->error =
- node->errors[GBP_POLICY_DPO_ERROR_DROP_NO_CONTRACT];
- }
- }
- }
- else
+ if (SCLASS_INVALID == key0.gck_src)
{
/*
* the src EPG is not set when the packet arrives on an EPG
* uplink interface and we do not need to apply policy
*/
next0 = gpd0->gpd_dpo.dpoi_next_node;
+ goto trace;
}
- trace:
- if (PREDICT_FALSE (b0->flags & VLIB_BUFFER_IS_TRACED))
- {
- gbp_policy_dpo_trace_t *tr;
- tr = vlib_add_trace (vm, node, b0, sizeof (*tr));
- tr->scope = key0.gck_scope;
- tr->sclass = key0.gck_src;
- tr->dclass = key0.gck_dst;
- tr->acl_index = (gc0 ? gc0->gc_acl_index : ~0);
- tr->flags = vnet_buffer2 (b0)->gbp.flags;
- tr->action = action0;
- tr->gci = (gc0 ? gc0 - gbp_contract_pool : INDEX_INVALID);
+ key0.gck_scope = gpd0->gpd_scope;
+ key0.gck_dst = gpd0->gpd_sclass;
+ action0 =
+ gbp_contract_apply (vm, gm, &key0, b0, &rule0, &n_allow_intra,
+ &n_allow_sclass_1, &err0,
+ is_ip6 ? GBP_CONTRACT_APPLY_IP6 :
+ GBP_CONTRACT_APPLY_IP4);
+ switch (action0)
+ {
+ case GBP_RULE_PERMIT:
+ next0 = gpd0->gpd_dpo.dpoi_next_node;
+ vnet_buffer2 (b0)->gbp.flags |= VXLAN_GBP_GPFLAGS_A;
+ break;
+ case GBP_RULE_REDIRECT:
+ next0 = gbp_rule_l3_redirect (rule0, b0, is_ip6);
+ vnet_buffer2 (b0)->gbp.flags |= VXLAN_GBP_GPFLAGS_A;
+ break;
+ case GBP_RULE_DENY:
+ next0 = GBP_POLICY_DROP;
+ b0->error = node->errors[err0];
+ break;
}
+ trace:
+ gbp_policy_trace (vm, node, b0, &key0, (next0 != GBP_POLICY_DROP));
+
vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next,
n_left_to_next, bi0, next0);
}
}
vlib_node_increment_counter (vm, node->node_index,
- GBP_POLICY_DPO_ERROR_ALLOW_INTRA,
- n_allow_intra);
+ GBP_CONTRACT_ERROR_ALLOW_INTRA, n_allow_intra);
vlib_node_increment_counter (vm, node->node_index,
- GBP_POLICY_DPO_ERROR_ALLOW_A_BIT,
- n_allow_a_bit);
+ GBP_CONTRACT_ERROR_ALLOW_A_BIT, n_allow_a_bit);
vlib_node_increment_counter (vm, node->node_index,
- GBP_POLICY_DPO_ERROR_ALLOW_SCLASS_1,
+ GBP_CONTRACT_ERROR_ALLOW_SCLASS_1,
n_allow_sclass_1);
return from_frame->n_vectors;
}
-static u8 *
-format_gbp_policy_dpo_trace (u8 * s, va_list * args)
-{
- CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
- CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
- gbp_policy_dpo_trace_t *t = va_arg (*args, gbp_policy_dpo_trace_t *);
-
- s =
- format (s,
- "scope:%d sclass:%d dclass:%d gci:%d acl-index:%d flags:%U action:%d",
- t->scope, t->sclass, t->dclass, t->gci, t->acl_index,
- format_vxlan_gbp_header_gpflags, t->flags, t->action);
-
- return s;
-}
-
VLIB_NODE_FN (ip4_gbp_policy_dpo_node) (vlib_main_t * vm,
vlib_node_runtime_t * node,
vlib_frame_t * from_frame)
VLIB_REGISTER_NODE (ip4_gbp_policy_dpo_node) = {
.name = "ip4-gbp-policy-dpo",
.vector_size = sizeof (u32),
- .format_trace = format_gbp_policy_dpo_trace,
+ .format_trace = format_gbp_policy_trace,
- .n_errors = ARRAY_LEN(gbp_policy_dpo_error_strings),
- .error_strings = gbp_policy_dpo_error_strings,
+ .n_errors = ARRAY_LEN(gbp_contract_error_strings),
+ .error_strings = gbp_contract_error_strings,
.n_next_nodes = GBP_POLICY_N_NEXT,
.next_nodes =
VLIB_REGISTER_NODE (ip6_gbp_policy_dpo_node) = {
.name = "ip6-gbp-policy-dpo",
.vector_size = sizeof (u32),
- .format_trace = format_gbp_policy_dpo_trace,
+ .format_trace = format_gbp_policy_trace,
- .n_errors = ARRAY_LEN(gbp_policy_dpo_error_strings),
- .error_strings = gbp_policy_dpo_error_strings,
+ .n_errors = ARRAY_LEN(gbp_contract_error_strings),
+ .error_strings = gbp_contract_error_strings,
.n_next_nodes = GBP_POLICY_N_NEXT,
.next_nodes =
Code Review / vpp.git / blobdiff