Clean up old datapath code in ACL plugin. 33/6233/2
authorAndrew Yourtchenko <ayourtch@gmail.com>
Tue, 18 Apr 2017 13:28:28 +0000 (13:28 +0000)
committerDamjan Marion <dmarion.lists@gmail.com>
Thu, 20 Apr 2017 08:58:12 +0000 (08:58 +0000)
Change-Id: I3d64d5ced38a68f3fa208be00c49d20c4e6d4d0e
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
14 files changed:
src/plugins/acl.am
src/plugins/acl/acl.c
src/plugins/acl/acl.h
src/plugins/acl/l2sess.c [deleted file]
src/plugins/acl/l2sess.h [deleted file]
src/plugins/acl/l2sess_node.c [deleted file]
src/plugins/acl/node_in.c [deleted file]
src/plugins/acl/node_in.h [deleted file]
src/plugins/acl/node_out.c [deleted file]
src/plugins/acl/node_out.h [deleted file]
src/plugins/acl/test/run-python [deleted file]
src/plugins/acl/test/run-scapy [deleted file]
src/plugins/acl/test/test_acl_plugin.py [deleted file]
test/test_acl_plugin_l2l3.py

index 524d906..01e0197 100644 (file)
@@ -16,11 +16,7 @@ vppplugins_LTLIBRARIES += acl_plugin.la
 
 acl_plugin_la_SOURCES =                                \
        acl/acl.c                               \
-       acl/node_in.c                           \
-       acl/node_out.c                          \
        acl/fa_node.c                   \
-       acl/l2sess.c                            \
-       acl/l2sess_node.c                       \
        acl/l2sess.h                            \
        acl/manual_fns.h                        \
        acl/acl_plugin.api.h
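Review bot: `acl/l2sess.h` is still listed in `acl_plugin_la_SOURCES` as a context line of this hunk, although the same commit deletes src/plugins/acl/l2sess.h. The build may not notice, since headers in a SOURCES list are not compiled, but a distribution target such as `make dist` will likely fail on the missing file. I would drop the line `acl/l2sess.h \` together with the four .c entries. A similar leftover appears in the first acl.h hunk, where `extern vlib_node_registration_t acl_in_node;` and `acl_out_node` stay as context. Their only visible user, acl_setup_nodes, is removed here, and the node files that presumably defined them are deleted.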
index 98c74b9..83dc0c1 100644 (file)
@@ -18,7 +18,6 @@
 #include <vnet/vnet.h>
 #include <vnet/plugin/plugin.h>
 #include <acl/acl.h>
-#include <acl/l2sess.h>
 
 #include <vnet/l2/l2_classify.h>
 #include <vnet/classify/input_acl.h>
@@ -52,8 +51,6 @@
 #include <acl/acl_all_api_h.h>
 #undef vl_api_version
 
-#include "node_in.h"
-#include "node_out.h"
 #include "fa_node.h"
 
 acl_main_t acl_main;
@@ -713,265 +710,6 @@ acl_interface_add_del_inout_acl (u32 sw_if_index, u8 is_add, u8 is_input,
 }
 
 
-static void *
-get_ptr_to_offset (vlib_buffer_t * b0, int offset)
-{
-  u8 *p = vlib_buffer_get_current (b0) + offset;
-  return p;
-}
-
-static u8
-acl_get_l4_proto (vlib_buffer_t * b0, int node_is_ip6)
-{
-  u8 proto;
-  int proto_offset;
-  if (node_is_ip6)
-    {
-      proto_offset = 20;
-    }
-  else
-    {
-      proto_offset = 23;
-    }
-  proto = *((u8 *) vlib_buffer_get_current (b0) + proto_offset);
-  return proto;
-}
-
-static int
-acl_match_addr (ip46_address_t * addr1, ip46_address_t * addr2, int prefixlen,
-               int is_ip6)
-{
-  if (prefixlen == 0)
-    {
-      /* match any always succeeds */
-      return 1;
-    }
-  if (is_ip6)
-    {
-      if (memcmp (addr1, addr2, prefixlen / 8))
-       {
-         /* If the starting full bytes do not match, no point in bittwidling the thumbs further */
-         return 0;
-       }
-      if (prefixlen % 8)
-       {
-         u8 b1 = *((u8 *) addr1 + 1 + prefixlen / 8);
-         u8 b2 = *((u8 *) addr2 + 1 + prefixlen / 8);
-         u8 mask0 = (0xff - ((1 << (8 - (prefixlen % 8))) - 1));
-         return (b1 & mask0) == b2;
-       }
-      else
-       {
-         /* The prefix fits into integer number of bytes, so nothing left to do */
-         return 1;
-       }
-    }
-  else
-    {
-      uint32_t a1 = ntohl (addr1->ip4.as_u32);
-      uint32_t a2 = ntohl (addr2->ip4.as_u32);
-      uint32_t mask0 = 0xffffffff - ((1 << (32 - prefixlen)) - 1);
-      return (a1 & mask0) == a2;
-    }
-}
-
-static int
-acl_match_port (u16 port, u16 port_first, u16 port_last, int is_ip6)
-{
-  return ((port >= port_first) && (port <= port_last));
-}
-
-static int
-acl_packet_match (acl_main_t * am, u32 acl_index, vlib_buffer_t * b0,
-                 u8 * r_action, int *r_is_ip6, u32 * r_acl_match_p,
-                 u32 * r_rule_match_p, u32 * trace_bitmap)
-{
-  ethernet_header_t *h0;
-  u16 type0;
-
-  ip46_address_t src, dst;
-  int is_ip6;
-  int is_ip4;
-  u8 proto;
-  u16 src_port = 0;
-  u16 dst_port = 0;
-  u8 tcp_flags = 0;
-  int i;
-  acl_list_t *a;
-  acl_rule_t *r;
-
-  h0 = vlib_buffer_get_current (b0);
-  type0 = clib_net_to_host_u16 (h0->type);
-  is_ip4 = (type0 == ETHERNET_TYPE_IP4);
-  is_ip6 = (type0 == ETHERNET_TYPE_IP6);
-
-  if (!(is_ip4 || is_ip6))
-    {
-      return 0;
-    }
-  /* The bunch of hardcoded offsets here is intentional to get rid of them
-     ASAP, when getting to a faster matching code */
-  if (is_ip4)
-    {
-      clib_memcpy (&src.ip4, get_ptr_to_offset (b0, 26), 4);
-      clib_memcpy (&dst.ip4, get_ptr_to_offset (b0, 30), 4);
-      proto = acl_get_l4_proto (b0, 0);
-      if (1 == proto)
-       {
-         *trace_bitmap |= 0x00000001;
-         /* type */
-         src_port = ((u16) (*(u8 *) get_ptr_to_offset (b0, 34)));
-         /* code */
-         dst_port = ((u16) (*(u8 *) get_ptr_to_offset (b0, 35)));
-       } else {
-         /* assume TCP/UDP */
-         src_port = ntohs ((u16) (*(u16 *) get_ptr_to_offset (b0, 34)));
-         dst_port = ntohs ((u16) (*(u16 *) get_ptr_to_offset (b0, 36)));
-         /* UDP gets ability to check on an oddball data byte as a bonus */
-         tcp_flags = *(u8 *) get_ptr_to_offset (b0, 14 + 20 + 13);
-       }
-    }
-  else /* is_ipv6 implicitly */
-    {
-      clib_memcpy (&src, get_ptr_to_offset (b0, 22), 16);
-      clib_memcpy (&dst, get_ptr_to_offset (b0, 38), 16);
-      proto = acl_get_l4_proto (b0, 1);
-      if (58 == proto)
-       {
-         *trace_bitmap |= 0x00000002;
-         /* type */
-         src_port = (u16) (*(u8 *) get_ptr_to_offset (b0, 54));
-         /* code */
-         dst_port = (u16) (*(u8 *) get_ptr_to_offset (b0, 55));
-       }
-      else
-       {
-         /* assume TCP/UDP */
-         src_port = ntohs ((u16) (*(u16 *) get_ptr_to_offset (b0, 54)));
-         dst_port = ntohs ((u16) (*(u16 *) get_ptr_to_offset (b0, 56)));
-         tcp_flags = *(u8 *) get_ptr_to_offset (b0, 14 + 40 + 13);
-       }
-    }
-  if (pool_is_free_index (am->acls, acl_index))
-    {
-      if (r_acl_match_p)
-       *r_acl_match_p = acl_index;
-      if (r_rule_match_p)
-       *r_rule_match_p = -1;
-      /* the ACL does not exist but is used for policy. Block traffic. */
-      return 0;
-    }
-  a = am->acls + acl_index;
-  for (i = 0; i < a->count; i++)
-    {
-      r = a->rules + i;
-      if (is_ip6 != r->is_ipv6)
-       {
-         continue;
-       }
-      if (!acl_match_addr (&dst, &r->dst, r->dst_prefixlen, is_ip6))
-       continue;
-      if (!acl_match_addr (&src, &r->src, r->src_prefixlen, is_ip6))
-       continue;
-      if (r->proto)
-       {
-         if (proto != r->proto)
-           continue;
-         if (!acl_match_port
-             (src_port, r->src_port_or_type_first, r->src_port_or_type_last,
-              is_ip6))
-           continue;
-         if (!acl_match_port
-             (dst_port, r->dst_port_or_code_first, r->dst_port_or_code_last,
-              is_ip6))
-           continue;
-         /* No need for check of proto == TCP, since in other rules both fields should be zero, so this match will succeed */
-         if ((tcp_flags & r->tcp_flags_mask) != r->tcp_flags_value)
-           continue;
-       }
-      /* everything matches! */
-      *r_action = r->is_permit;
-      *r_is_ip6 = is_ip6;
-      if (r_acl_match_p)
-       *r_acl_match_p = acl_index;
-      if (r_rule_match_p)
-       *r_rule_match_p = i;
-      return 1;
-    }
-  return 0;
-}
-
-void
-input_acl_packet_match (u32 sw_if_index, vlib_buffer_t * b0, u32 * nextp,
-                       u32 * acl_match_p, u32 * rule_match_p,
-                       u32 * trace_bitmap)
-{
-  acl_main_t *am = &acl_main;
-  uint8_t action = 0;
-  int is_ip6 = 0;
-  int i;
-  vec_validate (am->input_acl_vec_by_sw_if_index, sw_if_index);
-  for (i = 0; i < vec_len (am->input_acl_vec_by_sw_if_index[sw_if_index]);
-       i++)
-    {
-      if (acl_packet_match
-         (am, am->input_acl_vec_by_sw_if_index[sw_if_index][i], b0, &action,
-          &is_ip6, acl_match_p, rule_match_p, trace_bitmap))
-       {
-         if (is_ip6)
-           {
-             *nextp = am->acl_in_ip6_match_next[action];
-           }
-         else
-           {
-             *nextp = am->acl_in_ip4_match_next[action];
-           }
-         return;
-       }
-    }
-  if (vec_len (am->input_acl_vec_by_sw_if_index[sw_if_index]) > 0)
-    {
-      /* If there are ACLs and none matched, deny by default */
-      *nextp = 0;
-    }
-
-}
-
-void
-output_acl_packet_match (u32 sw_if_index, vlib_buffer_t * b0, u32 * nextp,
-                        u32 * acl_match_p, u32 * rule_match_p,
-                        u32 * trace_bitmap)
-{
-  acl_main_t *am = &acl_main;
-  uint8_t action = 0;
-  int is_ip6 = 0;
-  int i;
-  vec_validate (am->output_acl_vec_by_sw_if_index, sw_if_index);
-  for (i = 0; i < vec_len (am->output_acl_vec_by_sw_if_index[sw_if_index]);
-       i++)
-    {
-      if (acl_packet_match
-         (am, am->output_acl_vec_by_sw_if_index[sw_if_index][i], b0, &action,
-          &is_ip6, acl_match_p, rule_match_p, trace_bitmap))
-       {
-         if (is_ip6)
-           {
-             *nextp = am->acl_out_ip6_match_next[action];
-           }
-         else
-           {
-             *nextp = am->acl_out_ip4_match_next[action];
-           }
-         return;
-       }
-    }
-  if (vec_len (am->output_acl_vec_by_sw_if_index[sw_if_index]) > 0)
-    {
-      /* If there are ACLs and none matched, deny by default */
-      *nextp = 0;
-    }
-}
-
 typedef struct
 {
   u8 is_ipv6;
@@ -1799,67 +1537,7 @@ setup_message_id_table (acl_main_t * am, api_main_t * apim)
 #undef _
 }
 
-u32
-register_match_action_nexts (u32 next_in_ip4, u32 next_in_ip6,
-                            u32 next_out_ip4, u32 next_out_ip6)
-{
-  acl_main_t *am = &acl_main;
-  if (am->n_match_actions == 255)
-    {
-      return ~0;
-    }
-  u32 act = am->n_match_actions;
-  am->n_match_actions++;
-  am->acl_in_ip4_match_next[act] = next_in_ip4;
-  am->acl_in_ip6_match_next[act] = next_in_ip6;
-  am->acl_out_ip4_match_next[act] = next_out_ip4;
-  am->acl_out_ip6_match_next[act] = next_out_ip6;
-  return act;
-}
-
-void
-acl_setup_nodes (void)
-{
-  vlib_main_t *vm = vlib_get_main ();
-  acl_main_t *am = &acl_main;
-  vlib_node_t *n;
-
-  n = vlib_get_node_by_name (vm, (u8 *) "l2-input-classify");
-  am->l2_input_classify_next_acl_old =
-    vlib_node_add_next_with_slot (vm, n->index, acl_in_node.index, ~0);
-  n = vlib_get_node_by_name (vm, (u8 *) "l2-output-classify");
-  am->l2_output_classify_next_acl_old =
-    vlib_node_add_next_with_slot (vm, n->index, acl_out_node.index, ~0);
-
-  feat_bitmap_init_next_nodes (vm, acl_in_node.index, L2INPUT_N_FEAT,
-                              l2input_get_feat_names (),
-                              am->acl_in_node_feat_next_node_index);
-
-  feat_bitmap_init_next_nodes (vm, acl_out_node.index, L2OUTPUT_N_FEAT,
-                              l2output_get_feat_names (),
-                              am->acl_out_node_feat_next_node_index);
-
-  memset (&am->acl_in_ip4_match_next[0], 0,
-         sizeof (am->acl_in_ip4_match_next));
-  memset (&am->acl_in_ip6_match_next[0], 0,
-         sizeof (am->acl_in_ip6_match_next));
-  memset (&am->acl_out_ip4_match_next[0], 0,
-         sizeof (am->acl_out_ip4_match_next));
-  memset (&am->acl_out_ip6_match_next[0], 0,
-         sizeof (am->acl_out_ip6_match_next));
-  am->n_match_actions = 0;
-
-  am->l2_input_classify_next_acl_ip4 = am->l2_input_classify_next_acl_old;
-  am->l2_input_classify_next_acl_ip6 = am->l2_input_classify_next_acl_old;
-  am->l2_output_classify_next_acl_ip4 = am->l2_output_classify_next_acl_old;
-  am->l2_output_classify_next_acl_ip6 = am->l2_output_classify_next_acl_old;
-
-  register_match_action_nexts (0, 0, 0, 0);    /* drop */
-  register_match_action_nexts (~0, ~0, ~0, ~0);        /* permit */
-  register_match_action_nexts (ACL_IN_L2S_INPUT_IP4_ADD, ACL_IN_L2S_INPUT_IP6_ADD, ACL_OUT_L2S_OUTPUT_IP4_ADD, ACL_OUT_L2S_OUTPUT_IP6_ADD);    /* permit + create session */
-}
-
-void
+static void
 acl_setup_fa_nodes (void)
 {
   vlib_main_t *vm = vlib_get_main ();
@@ -1871,9 +1549,9 @@ acl_setup_fa_nodes (void)
   n6 = vlib_get_node_by_name (vm, (u8 *) "acl-plugin-in-ip6-l2");
 
 
-  am->fa_l2_input_classify_next_acl_ip4 =
+  am->l2_input_classify_next_acl_ip4 =
     vlib_node_add_next_with_slot (vm, n->index, n4->index, ~0);
-  am->fa_l2_input_classify_next_acl_ip6 =
+  am->l2_input_classify_next_acl_ip6 =
     vlib_node_add_next_with_slot (vm, n->index, n6->index, ~0);
 
   feat_bitmap_init_next_nodes (vm, n4->index, L2INPUT_N_FEAT,
@@ -1889,9 +1567,9 @@ acl_setup_fa_nodes (void)
   n4 = vlib_get_node_by_name (vm, (u8 *) "acl-plugin-out-ip4-l2");
   n6 = vlib_get_node_by_name (vm, (u8 *) "acl-plugin-out-ip6-l2");
 
-  am->fa_l2_output_classify_next_acl_ip4 =
+  am->l2_output_classify_next_acl_ip4 =
     vlib_node_add_next_with_slot (vm, n->index, n4->index, ~0);
-  am->fa_l2_output_classify_next_acl_ip6 =
+  am->l2_output_classify_next_acl_ip6 =
     vlib_node_add_next_with_slot (vm, n->index, n6->index, ~0);
 
   feat_bitmap_init_next_nodes (vm, n4->index, L2OUTPUT_N_FEAT,
@@ -1901,19 +1579,12 @@ acl_setup_fa_nodes (void)
   feat_bitmap_init_next_nodes (vm, n6->index, L2OUTPUT_N_FEAT,
                                l2output_get_feat_names (),
                                am->fa_acl_out_ip6_l2_node_feat_next_node_index);
-
-  am->l2_input_classify_next_acl_ip4 = am->fa_l2_input_classify_next_acl_ip4;
-  am->l2_input_classify_next_acl_ip6 = am->fa_l2_input_classify_next_acl_ip6;
-  am->l2_output_classify_next_acl_ip4 = am->fa_l2_output_classify_next_acl_ip4;
-  am->l2_output_classify_next_acl_ip6 = am->fa_l2_output_classify_next_acl_ip6;
-
 }
 
-void
+static void
 acl_set_timeout_sec(int timeout_type, u32 value)
 {
   acl_main_t *am = &acl_main;
-  l2sess_main_t *sm = &l2sess_main;
   clib_time_t *ct = &am->vlib_main->clib_time;
 
   if (timeout_type < ACL_N_TIMEOUTS) {
@@ -1922,30 +1593,17 @@ acl_set_timeout_sec(int timeout_type, u32 value)
     clib_warning("Unknown timeout type %d", timeout_type);
     return;
   }
-
-  switch(timeout_type) {
-    case ACL_TIMEOUT_UDP_IDLE:
-      sm->udp_session_idle_timeout = (u64)(((f64)value)/ct->seconds_per_clock);
-      break;
-    case ACL_TIMEOUT_TCP_IDLE:
-      sm->tcp_session_idle_timeout = (u64)(((f64)value)/ct->seconds_per_clock);
-      break;
-    case ACL_TIMEOUT_TCP_TRANSIENT:
-      sm->tcp_session_transient_timeout = (u64)(((f64)value)/ct->seconds_per_clock);
-      break;
-    default:
-      clib_warning("Unknown timeout type %d", timeout_type);
-  }
+  am->session_timeout[timeout_type] = (u64)(((f64)value)/ct->seconds_per_clock);
 }
 
-void
+static void
 acl_set_session_max_entries(u32 value)
 {
   acl_main_t *am = &acl_main;
   am->fa_conn_table_max_entries = value;
 }
 
-int
+static int
 acl_set_skip_ipv6_eh(u32 eh, u32 value)
 {
   acl_main_t *am = &acl_main;
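Review bot: The added write `am->session_timeout[timeout_type] = ...` in acl_set_timeout_sec is protected only by the upper-bound test `timeout_type < ACL_N_TIMEOUTS`, visible at the end of the previous hunk. Because `timeout_type` is a signed `int`, a negative value passes that test and indexes before the start of the array, assuming ACL_N_TIMEOUTS is an enum or other signed constant. The removed `switch` wrote only for the three known cases, so this commit is what makes the bounds check carry the whole burden. The callers are outside the visible hunks and may only ever pass ACL_TIMEOUT_* constants, but the guard is cheap to tighten: `if (timeout_type >= 0 && timeout_type < ACL_N_TIMEOUTS) {`. Two lines of the function between the hunks are not shown, so check whether they index another array with the same value.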
@@ -1984,24 +1642,6 @@ acl_set_aclplugin_fn (vlib_main_t * vm,
   uword memory_size = 0;
   acl_main_t *am = &acl_main;
 
-  /* The new datapath is the default. This command exists out of precaution and for comparing the two */
-  if (unformat (input, "l2-datapath")) {
-    if (unformat(input, "old")) {
-      am->l2_input_classify_next_acl_ip4 = am->l2_input_classify_next_acl_old;
-      am->l2_input_classify_next_acl_ip6 = am->l2_input_classify_next_acl_old;
-      am->l2_output_classify_next_acl_ip4 = am->l2_output_classify_next_acl_old;
-      am->l2_output_classify_next_acl_ip6 = am->l2_output_classify_next_acl_old;
-      goto done;
-    }
-    if (unformat(input, "new")) {
-      am->l2_input_classify_next_acl_ip4 = am->fa_l2_input_classify_next_acl_ip4;
-      am->l2_input_classify_next_acl_ip6 = am->fa_l2_input_classify_next_acl_ip6;
-      am->l2_output_classify_next_acl_ip4 = am->fa_l2_output_classify_next_acl_ip4;
-      am->l2_output_classify_next_acl_ip6 = am->fa_l2_output_classify_next_acl_ip6;
-      goto done;
-    }
-    goto done;
-  }
   if (unformat (input, "skip-ipv6-extension-header %u %u", &eh_val, &val)) {
     if(!acl_set_skip_ipv6_eh(eh_val, val)) {
       error = clib_error_return(0, "expecting eh=0..255, value=0..1");
@@ -2170,7 +1810,6 @@ acl_init (vlib_main_t * vm)
                                            VL_MSG_FIRST_AVAILABLE);
 
   error = acl_plugin_api_hookup (vm);
-  acl_setup_nodes ();
 
  /* Add our API messages to the global name_crc hash table */
   setup_message_id_table (am, &api_main);
index d708c52..eb074a7 100644 (file)
 #define  ACL_PLUGIN_VERSION_MAJOR 1
 #define  ACL_PLUGIN_VERSION_MINOR 2
 
+#define UDP_SESSION_IDLE_TIMEOUT_SEC 600
+#define TCP_SESSION_IDLE_TIMEOUT_SEC (3600*24)
+#define TCP_SESSION_TRANSIENT_TIMEOUT_SEC 120
+
 extern vlib_node_registration_t acl_in_node;
 extern vlib_node_registration_t acl_out_node;
 
@@ -128,22 +132,6 @@ typedef struct {
   /* MACIP (input) ACLs associated with the interfaces */
   u32 *macip_acl_by_sw_if_index;
 
-  /* next indices for our nodes in the l2-classify tables */
-  u32 l2_input_classify_next_acl_old;
-  u32 l2_output_classify_next_acl_old;
-
-  /* next node indices for feature bitmap */
-  u32 acl_in_node_feat_next_node_index[32];
-  u32 acl_out_node_feat_next_node_index[32];
-
-  /* ACL match actions (must be coherent across in/out ACLs to next indices (can differ) */
-
-  u32 acl_in_ip4_match_next[256];
-  u32 acl_in_ip6_match_next[256];
-  u32 acl_out_ip4_match_next[256];
-  u32 acl_out_ip6_match_next[256];
-  u32 n_match_actions;
-
   /* bitmaps when set the processing is enabled on the interface */
   uword *fa_in_acl_on_sw_if_index;
   uword *fa_out_acl_on_sw_if_index;
@@ -162,16 +150,11 @@ typedef struct {
 
   /* L2 datapath glue */
 
-  /* active next indices within L2 classifiers - switch old/new path */
+  /* next indices within L2 classifiers for ip4/ip6 fa L2 nodes */
   u32 l2_input_classify_next_acl_ip4;
   u32 l2_input_classify_next_acl_ip6;
   u32 l2_output_classify_next_acl_ip4;
   u32 l2_output_classify_next_acl_ip6;
-  /* saved next indices within L2 classifiers for ip4/ip6 fa L2 nodes */
-  u32 fa_l2_input_classify_next_acl_ip4;
-  u32 fa_l2_input_classify_next_acl_ip6;
-  u32 fa_l2_output_classify_next_acl_ip4;
-  u32 fa_l2_output_classify_next_acl_ip6;
   /* next node indices for L2 dispatch */
   u32 fa_acl_in_ip4_l2_node_feat_next_node_index[32];
   u32 fa_acl_in_ip6_l2_node_feat_next_node_index[32];
@@ -212,6 +195,10 @@ typedef struct {
   u32 fa_conn_list_head[ACL_N_TIMEOUTS];
   u32 fa_conn_list_tail[ACL_N_TIMEOUTS];
 
+  /* Configured session timeout */
+  u64 session_timeout[ACL_N_TIMEOUTS];
+
+
   /* Counters for the cleaner thread */
 
 #define foreach_fa_cleaner_counter                                         \
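Review bot: The comment on the new `session_timeout` array does not state the unit, which differs from the `*_SESSION_*_TIMEOUT_SEC` macros added at the top of this header. acl_set_timeout_sec stores `value / ct->seconds_per_clock`, so the entries are CPU clock ticks, not seconds. I would write `/* Configured session timeouts in CPU clock ticks, indexed by timeout type (set by acl_set_timeout_sec) */`. No visible hunk seeds the array from the new default macros, and the l2sess_init code that used to convert those defaults is deleted. Unless code outside this diff initialises it, the entries keep whatever value acl_main starts with until a timeout is configured, which is worth confirming. The struct continues outside the hunk.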
diff --git a/src/plugins/acl/l2sess.c b/src/plugins/acl/l2sess.c
deleted file mode 100644 (file)
index 7a1567f..0000000
+++ /dev/null
@@ -1,238 +0,0 @@
-/*
- * Copyright (c) 2016 Cisco and/or its affiliates.
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at:
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-/*
- *------------------------------------------------------------------
- * l2sess.c - simple MAC-swap API / debug CLI handling
- *------------------------------------------------------------------
- */
-
-#include <vnet/vnet.h>
-#include <vnet/plugin/plugin.h>
-#include <acl/l2sess.h>
-
-#include <vlibapi/api.h>
-#include <vlibmemory/api.h>
-#include <vlibsocket/api.h>
-#include <vppinfra/timing_wheel.h>
-
-#include <vnet/l2/l2_output.h>
-#include <vnet/l2/l2_input.h>
-
-void
-l2sess_init_next_features (vlib_main_t * vm, l2sess_main_t * sm)
-{
-#define _(node_name, node_var, is_out, is_ip6, is_track)                 \
-  if (is_out)                                                            \
-    feat_bitmap_init_next_nodes(vm, node_var.index, L2OUTPUT_N_FEAT,      \
-                                l2output_get_feat_names (),               \
-                                sm->node_var ## _feat_next_node_index); \
-  else                                                                   \
-    feat_bitmap_init_next_nodes(vm, node_var.index, L2INPUT_N_FEAT,      \
-                                l2input_get_feat_names (),               \
-                                sm->node_var ## _feat_next_node_index);
-
-  foreach_l2sess_node
-#undef _
-}
-
-void
-l2sess_add_our_next_nodes (vlib_main_t * vm, l2sess_main_t * sm,
-                          u8 * prev_node_name, int add_output_nodes)
-{
-  vlib_node_t *n;
-  n = vlib_get_node_by_name (vm, prev_node_name);
-#define _(node_name, node_var, is_out, is_ip6, is_track) \
-  if (is_out == add_output_nodes) { \
-    u32 idx = vlib_node_add_next_with_slot(vm, n->index, node_var.index, ~0); \
-    if (is_track) { \
-      sm->next_slot_track_node_by_is_ip6_is_out[is_ip6][is_out] = idx; \
-    } \
-  }
-  foreach_l2sess_node
-#undef _
-}
-
-void
-l2sess_setup_nodes (void)
-{
-  vlib_main_t *vm = vlib_get_main ();
-  l2sess_main_t *sm = &l2sess_main;
-
-  l2sess_init_next_features (vm, sm);
-
-  l2sess_add_our_next_nodes (vm, sm, (u8 *) "l2-input-classify", 0);
-  l2sess_add_our_next_nodes (vm, sm, (u8 *) "l2-output-classify", 1);
-
-}
-
-static char *
-get_l4_proto_str (int is_ip6, uint8_t l4_proto)
-{
-  switch (l4_proto)
-    {
-    case 6:
-      return "tcp";
-    case 17:
-      return "udp";
-    case 1:
-      return "icmp";
-    case 58:
-      return "icmp6";
-    default:
-      return "<?l4-unknown?>";
-    }
-}
-
-static clib_error_t *
-l2sess_show_command_fn (vlib_main_t * vm,
-                       unformat_input_t * input, vlib_cli_command_t * cmd)
-{
-  l2sess_main_t *sm = &l2sess_main;
-  clib_time_t *ct = &vm->clib_time;
-  l2s_session_t *s;
-  u64 now = clib_cpu_time_now ();
-
-  vlib_cli_output (vm, "Timing wheel info: \n%U", format_timing_wheel,
-                  &sm->timing_wheel, 255);
-
-  pool_foreach (s, sm->sessions, (
-                                  {
-                                  f64 ctime =
-                                  (now -
-                                   s->create_time) * ct->seconds_per_clock;
-                                  f64 atime0 =
-                                  (now -
-                                   s->side[0].active_time) *
-                                  ct->seconds_per_clock;
-                                  f64 atime1 =
-                                  (now -
-                                   s->side[1].active_time) *
-                                  ct->seconds_per_clock;
-/*
-    f64 ctime = (s->create_time - vm->cpu_time_main_loop_start) * ct->seconds_per_clock;
-    f64 atime0 = (s->side[0].active_time - vm->cpu_time_main_loop_start) * ct->seconds_per_clock;
-    f64 atime1 = (s->side[1].active_time - vm->cpu_time_main_loop_start) * ct->seconds_per_clock;
-*/
-                                  u8 * out0 =
-                                  format (0,
-                                          "%5d: create time: %U pkts/bytes/active time: [ %ld %ld %U : %ld %ld %U ]\n",
-                                          (s - sm->sessions),
-                                          format_time_interval, "h:m:s:u",
-                                          ctime, s->side[0].n_packets,
-                                          s->side[0].n_bytes,
-                                          format_time_interval, "h:m:s:u",
-                                          atime0, s->side[1].n_packets,
-                                          s->side[1].n_bytes,
-                                          format_time_interval, "h:m:s:u",
-                                          atime1); u8 * out1 = 0;
-                                  if (s->is_ip6)
-                                  {
-                                  out1 =
-                                  format (0, "%s %U :%u <-> %U :%u",
-                                          get_l4_proto_str (s->is_ip6,
-                                                            s->l4_proto),
-                                          format_ip6_address,
-                                          &s->side[0].addr.ip6,
-                                          s->side[0].port,
-                                          format_ip6_address,
-                                          &s->side[1].addr.ip6,
-                                          s->side[1].port);}
-                                  else
-                                  {
-                                  out1 =
-                                  format (0, "%s %U :%u <-> %U :%u",
-                                          get_l4_proto_str (s->is_ip6,
-                                                            s->l4_proto),
-                                          format_ip4_address,
-                                          &s->side[0].addr.ip4,
-                                          s->side[0].port,
-                                          format_ip4_address,
-                                          &s->side[1].addr.ip4,
-                                          s->side[1].port);}
-                                  vlib_cli_output (vm, "%s       %s", out0,
-                                                   out1); vec_free (out0);
-                                  vec_free (out1);}
-               ));
-  return 0;
-}
-
-static clib_error_t *
-l2sess_show_count_command_fn (vlib_main_t * vm,
-                             unformat_input_t * input,
-                             vlib_cli_command_t * cmd)
-{
-  l2sess_main_t *sm = &l2sess_main;
-
-  vlib_cli_output (vm, "Timing wheel info: \n%U", format_timing_wheel,
-                  &sm->timing_wheel, 255);
-  vlib_cli_output (vm, "session pool len: %d, pool elts: %d",
-                  pool_len (sm->sessions), pool_elts (sm->sessions));
-  vlib_cli_output (vm,
-                  "attempted to delete sessions which were already free: %d",
-                  sm->counter_attempted_delete_free_session);
-  return 0;
-}
-
-
-/* *INDENT-OFF* */
-VLIB_CLI_COMMAND (l2sess_show_command, static) = {
-    .path = "show l2sess",
-    .short_help = "show l2sess",
-    .function = l2sess_show_command_fn,
-};
-
-VLIB_CLI_COMMAND (l2sess_show_count_command, static) = {
-    .path = "show l2sess count",
-    .short_help = "show l2sess count",
-    .function = l2sess_show_count_command_fn,
-};
-/* *INDENT-OFF* */
-
-static inline u64
-time_sec_to_clock( clib_time_t *ct, f64 sec)
-{
-  return (u64)(((f64)sec)/ct->seconds_per_clock);
-}
-
-static clib_error_t * l2sess_init (vlib_main_t * vm)
-{
-  l2sess_main_t * sm = &l2sess_main;
-  clib_error_t * error = 0;
-  u64 cpu_time_now = clib_cpu_time_now();
-
-
-  clib_time_t *ct = &vm->clib_time;
-  sm->udp_session_idle_timeout = time_sec_to_clock(ct, UDP_SESSION_IDLE_TIMEOUT_SEC);
-  sm->tcp_session_idle_timeout = time_sec_to_clock(ct, TCP_SESSION_IDLE_TIMEOUT_SEC);
-  sm->tcp_session_transient_timeout = time_sec_to_clock(ct, TCP_SESSION_TRANSIENT_TIMEOUT_SEC);
-
-  /* The min sched time of 10e-1 causes erroneous behavior... */
-  sm->timing_wheel.min_sched_time = 10e-2;
-  sm->timing_wheel.max_sched_time = 3600.0*48.0;
-  timing_wheel_init (&sm->timing_wheel, cpu_time_now, vm->clib_time.clocks_per_second);
-  sm->timer_wheel_next_expiring_time = 0;
-  sm->timer_wheel_tick = time_sec_to_clock(ct, sm->timing_wheel.min_sched_time);
-  /* Pre-allocate expired nodes. */
-  vec_alloc (sm->data_from_advancing_timing_wheel, 32);
-
-  l2sess_setup_nodes();
-  l2output_init_output_node_vec (&sm->output_next_nodes.output_node_index_vec);
-
-  return error;
-}
-
-VLIB_INIT_FUNCTION (l2sess_init);
-
-
diff --git a/src/plugins/acl/l2sess.h b/src/plugins/acl/l2sess.h
deleted file mode 100644 (file)
index 961c08c..0000000
+++ /dev/null
@@ -1,148 +0,0 @@
-/*
- * Copyright (c) 2016 Cisco and/or its affiliates.
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at:
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#ifndef __included_l2sess_h__
-#define __included_l2sess_h__
-
-#include <vnet/vnet.h>
-#include <vnet/ip/ip.h>
-#include <vnet/ethernet/ethernet.h>
-
-#include <vppinfra/hash.h>
-#include <vppinfra/error.h>
-#include <vppinfra/elog.h>
-#include <vppinfra/timing_wheel.h>
-
-#include <vnet/l2/l2_output.h>
-#include <vnet/l2/l2_input.h>
-
-#define _(node_name, node_var, is_out, is_ip6, is_track)
-#undef _
-#define foreach_l2sess_node \
-  _("aclp-l2s-input-ip4-add", l2sess_in_ip4_add, 0, 0, 0)  \
-  _("aclp-l2s-input-ip6-add", l2sess_in_ip6_add, 0, 1, 0)  \
-  _("aclp-l2s-output-ip4-add", l2sess_out_ip4_add, 1, 0, 0) \
-  _("aclp-l2s-output-ip6-add", l2sess_out_ip6_add, 1, 1, 0) \
-  _("aclp-l2s-input-ip4-track", l2sess_in_ip4_track, 0, 0, 1) \
-  _("aclp-l2s-input-ip6-track", l2sess_in_ip6_track, 0, 1, 1) \
-  _("aclp-l2s-output-ip4-track",l2sess_out_ip4_track, 1, 0, 1) \
-  _("aclp-l2s-output-ip6-track", l2sess_out_ip6_track, 1, 1, 1)
-
-#define _(node_name, node_var, is_out, is_ip6, is_track)  \
-  extern vlib_node_registration_t node_var;
-foreach_l2sess_node
-#undef _
-
-#define TCP_FLAG_FIN    0x01
-#define TCP_FLAG_SYN    0x02
-#define TCP_FLAG_RST    0x04
-#define TCP_FLAG_PUSH   0x08
-#define TCP_FLAG_ACK    0x10
-#define TCP_FLAG_URG    0x20
-#define TCP_FLAG_ECE    0x40
-#define TCP_FLAG_CWR    0x80
-#define TCP_FLAGS_RSTFINACKSYN (TCP_FLAG_RST + TCP_FLAG_FIN + TCP_FLAG_SYN + TCP_FLAG_ACK)
-#define TCP_FLAGS_ACKSYN (TCP_FLAG_SYN + TCP_FLAG_ACK)
-
-typedef struct {
-  ip46_address_t addr;
-  u64 active_time;
-  u64 n_packets;
-  u64 n_bytes;
-  u16 port;
-} l2s_session_side_t;
-
-enum {
-  L2S_SESSION_SIDE_IN = 0,
-  L2S_SESSION_SIDE_OUT,
-  L2S_N_SESSION_SIDES
-};
-
-typedef struct {
-  u64 create_time;
-  l2s_session_side_t side[L2S_N_SESSION_SIDES];
-  u8 l4_proto;
-  u8 is_ip6;
-  u16 tcp_flags_seen; /* u16 because of two sides */
-} l2s_session_t;
-
-#define PROD
-#ifdef PROD
-#define UDP_SESSION_IDLE_TIMEOUT_SEC 600
-#define TCP_SESSION_IDLE_TIMEOUT_SEC (3600*24)
-#define TCP_SESSION_TRANSIENT_TIMEOUT_SEC 120
-#else
-#define UDP_SESSION_IDLE_TIMEOUT_SEC 15
-#define TCP_SESSION_IDLE_TIMEOUT_SEC 15
-#define TCP_SESSION_TRANSIENT_TIMEOUT_SEC 5
-#endif
-
-typedef struct {
-    /*
-     * the next two fields are present for all nodes, but
-     *  only one of them is used per node - depending
-     * on whether the node is an input or output one.
-     */
-#define _(node_name, node_var, is_out, is_ip6, is_track) \
-    u32 node_var ## _feat_next_node_index[32];
-foreach_l2sess_node
-#undef _
-    l2_output_next_nodes_st output_next_nodes;
-
-    /* Next indices of the tracker nodes */
-    u32 next_slot_track_node_by_is_ip6_is_out[2][2];
-
-    /* 
-     * Pairing of "forward" and "reverse" tables by table index.
-     * Each relationship has two entries - for one and the other table,
-     * so it is bidirectional.
-     */
-     
-    u32 *fwd_to_rev_by_table_index;
-
-    /*
-     * The vector of per-interface session pools
-     */
-
-    l2s_session_t *sessions;
-
-    /* The session timeouts */
-    u64 tcp_session_transient_timeout;
-    u64 tcp_session_idle_timeout;
-    u64 udp_session_idle_timeout;
-
-    /* Timing wheel to time out the idle sessions */
-    timing_wheel_t timing_wheel;
-    u32 *data_from_advancing_timing_wheel;
-    u64 timer_wheel_next_expiring_time;
-    u64 timer_wheel_tick;
-
-    /* convenience */
-    vlib_main_t * vlib_main;
-    vnet_main_t * vnet_main;
-
-    /* Counter(s) */
-    u64 counter_attempted_delete_free_session;
-} l2sess_main_t;
-
-l2sess_main_t l2sess_main;
-
-/* Just exposed for acl.c */
-
-void
-l2sess_vlib_plugin_register (vlib_main_t * vm, void * hh,
-                      int from_early_init);
-
-
-#endif /* __included_l2sess_h__ */
diff --git a/src/plugins/acl/l2sess_node.c b/src/plugins/acl/l2sess_node.c
deleted file mode 100644 (file)
index 689d216..0000000
+++ /dev/null
@@ -1,763 +0,0 @@
-/*
- * Copyright (c) 2016 Cisco and/or its affiliates.
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at:
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#include <netinet/in.h>
-#include <vlib/vlib.h>
-#include <vnet/vnet.h>
-#include <vnet/pg/pg.h>
-#include <vppinfra/error.h>
-#include <acl/l2sess.h>
-#include <vnet/l2/l2_classify.h>
-
-
-typedef struct
-{
-  u32 next_index;
-  u32 sw_if_index;
-  u32 trace_flags;
-  u32 session_tables[2];
-  u32 session_nexts[2];
-  u8 l4_proto;
-} l2sess_trace_t;
-
-/* packet trace format function */
-
-#define _(node_name, node_var, is_out, is_ip6, is_track) \
-static u8 * format_## node_var ##_trace (u8 * s, va_list * args)      \
-{  \
-  CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *); \
-  CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *); \
-  l2sess_trace_t * t = va_arg (*args, l2sess_trace_t *); \
- \
-  s = format (s, node_name ": sw_if_index %d, next index %d trace_flags %08x L4 proto %d\n" \
-                           "                 tables [ %d, %d ] nexts [ %d, %d ]", \
-              t->sw_if_index, t->next_index, t->trace_flags, t->l4_proto, \
-              t->session_tables[0], t->session_tables[1], \
-              t->session_nexts[0], t->session_nexts[1]); \
-  return s; \
-}
-foreach_l2sess_node
-#undef _
-#define foreach_l2sess_error \
-_(SWAPPED, "Mac swap packets processed")
-  typedef enum
-{
-#define _(sym,str) L2SESS_ERROR_##sym,
-  foreach_l2sess_error
-#undef _
-    L2SESS_N_ERROR,
-} l2sess_error_t;
-
-static char *l2sess_error_strings[] = {
-#define _(sym,string) string,
-  foreach_l2sess_error
-#undef _
-};
-
-typedef enum
-{
-  L2SESS_NEXT_DROP,
-  L2SESS_N_NEXT,
-} l2sess_next_t;
-
-u8
-l2sess_get_l4_proto (vlib_buffer_t * b0, int node_is_ip6)
-{
-  u8 proto;
-  int proto_offset;
-  if (node_is_ip6)
-    {
-      proto_offset = 20;
-    }
-  else
-    {
-      proto_offset = 23;
-    }
-  proto = *((u8 *) vlib_buffer_get_current (b0) + proto_offset);
-  return proto;
-}
-
-
-u8
-l2sess_get_tcp_flags (vlib_buffer_t * b0, int node_is_ip6)
-{
-  u8 flags;
-  int flags_offset;
-  if (node_is_ip6)
-    {
-      flags_offset = 14 + 40 + 13;     /* FIXME: no extension headers assumed */
-    }
-  else
-    {
-      flags_offset = 14 + 20 + 13;
-    }
-  flags = *((u8 *) vlib_buffer_get_current (b0) + flags_offset);
-  return flags;
-}
-
-static inline int
-l4_tcp_or_udp (u8 proto)
-{
-  return ((proto == 6) || (proto == 17));
-}
-
-void
-l2sess_get_session_tables (l2sess_main_t * sm, u32 sw_if_index,
-                          int node_is_out, int node_is_ip6, u8 l4_proto,
-                          u32 * session_tables)
-{
-/*
- * Based on the direction, l3 and l4 protocol, fill a u32[2] array:
- * [0] is index for the "direct match" path, [1] is for "mirrored match".
- * Store the indices of the tables to add the session to in session_tables[]
- */
-  l2_output_classify_main_t *l2om = &l2_output_classify_main;
-  l2_input_classify_main_t *l2im = &l2_input_classify_main;
-
-  u32 output_table_index;
-  u32 input_table_index;
-
-  if (!l4_tcp_or_udp (l4_proto))
-    {
-      return;
-    }
-
-  if (node_is_ip6)
-    {
-      vec_validate_init_empty (l2im->
-                              classify_table_index_by_sw_if_index
-                              [L2_INPUT_CLASSIFY_TABLE_IP6], sw_if_index,
-                              ~0);
-      input_table_index =
-       l2im->
-       classify_table_index_by_sw_if_index[L2_INPUT_CLASSIFY_TABLE_IP6]
-       [sw_if_index];
-      vec_validate_init_empty (l2om->
-                              classify_table_index_by_sw_if_index
-                              [L2_OUTPUT_CLASSIFY_TABLE_IP6], sw_if_index,
-                              ~0);
-      output_table_index =
-       l2om->
-       classify_table_index_by_sw_if_index[L2_OUTPUT_CLASSIFY_TABLE_IP6]
-       [sw_if_index];
-    }
-  else
-    {
-      vec_validate_init_empty (l2im->
-                              classify_table_index_by_sw_if_index
-                              [L2_INPUT_CLASSIFY_TABLE_IP4], sw_if_index,
-                              ~0);
-      input_table_index =
-       l2im->
-       classify_table_index_by_sw_if_index[L2_INPUT_CLASSIFY_TABLE_IP4]
-       [sw_if_index];
-      vec_validate_init_empty (l2om->
-                              classify_table_index_by_sw_if_index
-                              [L2_OUTPUT_CLASSIFY_TABLE_IP4], sw_if_index,
-                              ~0);
-      output_table_index =
-       l2om->
-       classify_table_index_by_sw_if_index[L2_OUTPUT_CLASSIFY_TABLE_IP4]
-       [sw_if_index];
-    }
-
-  if (node_is_out)
-    {
-      session_tables[0] = output_table_index;
-      session_tables[1] = input_table_index;
-    }
-  else
-    {
-      session_tables[0] = input_table_index;
-      session_tables[1] = output_table_index;
-    }
-}
-
-void
-l2sess_get_session_nexts (l2sess_main_t * sm, u32 sw_if_index,
-                         int node_is_out, int node_is_ip6, u8 l4_proto,
-                         u32 * session_nexts)
-{
-/*
- * Based on the direction, l3 and l4 protocol, fill a u32[2] array:
- * [0] is the index for the "direct match" path, [1] is for "mirrored match".
- * Store the match_next_index in session_nexts[] for a new session entry which is being added to session tables.
- */
-  u32 input_node_index;
-  u32 output_node_index;
-
-  if (!l4_tcp_or_udp (l4_proto))
-    {
-      return;
-    }
-
-  input_node_index =
-    sm->next_slot_track_node_by_is_ip6_is_out[node_is_ip6][0];
-  output_node_index =
-    sm->next_slot_track_node_by_is_ip6_is_out[node_is_ip6][1];
-
-  if (node_is_out)
-    {
-      session_nexts[0] = output_node_index;
-      session_nexts[1] = input_node_index;
-    }
-  else
-    {
-      session_nexts[0] = input_node_index;
-      session_nexts[1] = output_node_index;
-    }
-}
-
-
-static inline void
-swap_bytes (vlib_buffer_t * b0, int off_a, int off_b, int nbytes)
-{
-  u8 tmp;
-  u8 *pa = vlib_buffer_get_current (b0) + off_a;
-  u8 *pb = vlib_buffer_get_current (b0) + off_b;
-  while (nbytes--)
-    {
-      tmp = *pa;
-      *pa++ = *pb;
-      *pb++ = tmp;
-    }
-}
-
-/*
- * This quite pro[bv]ably is a terrible idea performance wise. Moreso doing it twice.
- * Would having a long (ish) chunk of memory work better for this ?
- * We will see when we get to the performance of this.
- */
-void
-l2sess_flip_l3l4_fields (vlib_buffer_t * b0, int node_is_ip6, u8 l4_proto)
-{
-  if (!l4_tcp_or_udp (l4_proto))
-    {
-      return;
-    }
-  if (node_is_ip6)
-    {
-      swap_bytes (b0, 22, 38, 16);     /* L3 */
-      swap_bytes (b0, 54, 56, 2);      /* L4 (when no EH!) */
-    }
-  else
-    {
-      swap_bytes (b0, 26, 30, 4);      /* L3 */
-      swap_bytes (b0, 34, 36, 2);      /* L4 */
-    }
-}
-
-void
-l2sess_add_session (vlib_buffer_t * b0, int node_is_out, int node_is_ip6,
-                   u32 session_table, u32 session_match_next,
-                   u32 opaque_index)
-{
-  vnet_classify_main_t *cm = &vnet_classify_main;
-  u32 action = 0;
-  u32 metadata = 0;
-
-#ifdef DEBUG_SESSIONS
-  printf ("Adding session to table %d with next %d\n", session_table,
-         session_match_next);
-#endif
-  vnet_classify_add_del_session (cm, session_table,
-                                vlib_buffer_get_current (b0),
-                                session_match_next, opaque_index, 0, action,
-                                metadata, 1);
-}
-
-
-
-static void *
-get_ptr_to_offset (vlib_buffer_t * b0, int offset)
-{
-  u8 *p = vlib_buffer_get_current (b0) + offset;
-  return p;
-}
-
-
-/*
- * FIXME: Hardcoded offsets are ugly, although if casting to structs one
- * would need to take care about alignment.. So let's for now be naive and simple.
- */
-
-void
-session_store_ip4_l3l4_info (vlib_buffer_t * b0, l2s_session_t * sess,
-                            int node_is_out)
-{
-  clib_memcpy (&sess->side[1 - node_is_out].addr.ip4,
-              get_ptr_to_offset (b0, 26), 4);
-  clib_memcpy (&sess->side[node_is_out].addr.ip4, get_ptr_to_offset (b0, 30),
-              4);
-  sess->side[1 - node_is_out].port =
-    ntohs (*(u16 *) get_ptr_to_offset (b0, 34));
-  sess->side[node_is_out].port = ntohs (*(u16 *) get_ptr_to_offset (b0, 36));
-}
-
-void
-session_store_ip6_l3l4_info (vlib_buffer_t * b0, l2s_session_t * sess,
-                            int node_is_out)
-{
-  clib_memcpy (&sess->side[1 - node_is_out].addr.ip6,
-              get_ptr_to_offset (b0, 22), 16);
-  clib_memcpy (&sess->side[node_is_out].addr.ip4, get_ptr_to_offset (b0, 38),
-              16);
-  sess->side[1 - node_is_out].port =
-    ntohs (*(u16 *) get_ptr_to_offset (b0, 54));
-  sess->side[node_is_out].port = ntohs (*(u16 *) get_ptr_to_offset (b0, 56));
-}
-
-static void
-build_match_from_session (l2sess_main_t * sm, u8 * match,
-                         l2s_session_t * sess, int is_out)
-{
-  if (sess->is_ip6)
-    {
-      match[20] = sess->l4_proto;
-      clib_memcpy (&match[22], &sess->side[1 - is_out].addr.ip6, 16);
-      clib_memcpy (&match[38], &sess->side[is_out].addr.ip4, 16);
-      *(u16 *) & match[54] = htons (sess->side[1 - is_out].port);
-      *(u16 *) & match[56] = htons (sess->side[is_out].port);
-    }
-  else
-    {
-      match[23] = sess->l4_proto;
-      clib_memcpy (&match[26], &sess->side[1 - is_out].addr.ip6, 4);
-      clib_memcpy (&match[30], &sess->side[is_out].addr.ip4, 4);
-      *(u16 *) & match[34] = htons (sess->side[1 - is_out].port);
-      *(u16 *) & match[36] = htons (sess->side[is_out].port);
-    }
-}
-
-static void
-delete_session (l2sess_main_t * sm, u32 sw_if_index, u32 session_index)
-{
-  vnet_classify_main_t *cm = &vnet_classify_main;
-  u8 match[5 * 16];            /* For building the mock of the packet to delete the classifier session */
-  u32 session_tables[2] = { ~0, ~0 };
-  l2s_session_t *sess = sm->sessions + session_index;
-  if (pool_is_free (sm->sessions, sess))
-    {
-      sm->counter_attempted_delete_free_session++;
-      return;
-    }
-  l2sess_get_session_tables (sm, sw_if_index, 0, sess->is_ip6, sess->l4_proto,
-                            session_tables);
-  if (session_tables[1] != ~0)
-    {
-      build_match_from_session (sm, match, sess, 1);
-      vnet_classify_add_del_session (cm, session_tables[1], match, 0, 0, 0, 0,
-                                    0, 0);
-    }
-  if (session_tables[1] != ~0)
-    {
-      build_match_from_session (sm, match, sess, 1);
-      vnet_classify_add_del_session (cm, session_tables[1], match, 0, 0, 0, 0,
-                                    0, 0);
-    }
-  pool_put (sm->sessions, sess);
-}
-
-static void
-udp_session_account_buffer (vlib_buffer_t * b0, l2s_session_t * s,
-                           int which_side, u64 now)
-{
-  l2s_session_side_t *ss = &s->side[which_side];
-  ss->active_time = now;
-  ss->n_packets++;
-  ss->n_bytes += b0->current_data + b0->current_length;
-}
-
-static inline u64
-udp_session_get_timeout (l2sess_main_t * sm, l2s_session_t * sess, u64 now)
-{
-  return (sm->udp_session_idle_timeout);
-}
-
-static void
-tcp_session_account_buffer (vlib_buffer_t * b0, l2s_session_t * s,
-                           int which_side, u64 now)
-{
-  l2s_session_side_t *ss = &s->side[which_side];
-  ss->active_time = now;
-  ss->n_packets++;
-  ss->n_bytes += b0->current_data + b0->current_length;
-  /* Very very lightweight TCP state tracking: just record which flags were seen */
-  s->tcp_flags_seen |=
-    l2sess_get_tcp_flags (b0, s->is_ip6) << (8 * which_side);
-}
-
-/*
- * Since we are tracking for the purposes of timing the sessions out,
- * we mostly care about two states: established (maximize the idle timeouts)
- * and transient (halfopen/halfclosed/reset) - we need to have a reasonably short timeout to
- * quickly get rid of sessions but not short enough to violate the TCP specs.
- */
-
-static inline u64
-tcp_session_get_timeout (l2sess_main_t * sm, l2s_session_t * sess, u64 now)
-{
-  /* seen both SYNs and ACKs but not FINs means we are in establshed state */
-  u16 masked_flags =
-    sess->tcp_flags_seen & ((TCP_FLAGS_RSTFINACKSYN << 8) +
-                           TCP_FLAGS_RSTFINACKSYN);
-  if (((TCP_FLAGS_ACKSYN << 8) + TCP_FLAGS_ACKSYN) == masked_flags)
-    {
-      return (sm->tcp_session_idle_timeout);
-    }
-  else
-    {
-      return (sm->tcp_session_transient_timeout);
-    }
-}
-
-static inline u64
-session_get_timeout (l2sess_main_t * sm, l2s_session_t * sess, u64 now)
-{
-  u64 timeout;
-
-  switch (sess->l4_proto)
-    {
-    case 6:
-      timeout = tcp_session_get_timeout (sm, sess, now);
-      break;
-    case 17:
-      timeout = udp_session_get_timeout (sm, sess, now);
-      break;
-    default:
-      timeout = 0;
-    }
-
-  return timeout;
-}
-
-static inline u64
-get_session_last_active_time(l2s_session_t * sess)
-{
-  u64 last_active =
-    sess->side[0].active_time >
-    sess->side[1].active_time ? sess->side[0].active_time : sess->side[1].
-    active_time;
-  return last_active;
-}
-
-static int
-session_is_alive (l2sess_main_t * sm, l2s_session_t * sess, u64 now, u64 *last_active_cache)
-{
-  u64 last_active = get_session_last_active_time(sess);
-  u64 timeout = session_get_timeout (sm, sess, now);
-  int is_alive = ((now - last_active) < timeout);
-  if (last_active_cache)
-    *last_active_cache = last_active;
-  return is_alive;
-}
-
-static void
-check_idle_sessions (l2sess_main_t * sm, u32 sw_if_index, u64 now)
-{
-  sm->timer_wheel_next_expiring_time = 0;
-  sm->data_from_advancing_timing_wheel
-    =
-    timing_wheel_advance (&sm->timing_wheel, now,
-                         sm->data_from_advancing_timing_wheel,
-                         &sm->timer_wheel_next_expiring_time);
-#ifdef DEBUG_SESSIONS_VERBOSE
-  {
-    clib_time_t *ct = &sm->vlib_main->clib_time;
-    f64 ctime;
-    ctime = now * ct->seconds_per_clock;
-    clib_warning ("Now        : %U", format_time_interval, "h:m:s:u", ctime);
-    ctime = sm->timer_wheel_next_expiring_time * ct->seconds_per_clock;
-    clib_warning ("Next expire: %U", format_time_interval, "h:m:s:u", ctime);
-    clib_warning ("Expired items: %d",
-                 (int) vec_len (sm->data_from_advancing_timing_wheel));
-  }
-#endif
-
-  sm->timer_wheel_next_expiring_time = now + sm->timer_wheel_tick;
-  if (PREDICT_FALSE ( 0 == sm->data_from_advancing_timing_wheel )) {
-    return;
-  }
-
-  if (PREDICT_FALSE (_vec_len (sm->data_from_advancing_timing_wheel) > 0))
-    {
-      uword i;
-      for (i = 0; i < _vec_len (sm->data_from_advancing_timing_wheel); i++)
-       {
-         u32 session_index = sm->data_from_advancing_timing_wheel[i];
-         if (!pool_is_free_index (sm->sessions, session_index))
-           {
-             l2s_session_t *sess = sm->sessions + session_index;
-              u64 last_active;
-              if (session_is_alive (sm, sess, now, &last_active))
-                {
-#ifdef DEBUG_SESSIONS
-             clib_warning ("Restarting timer for session %d", (int) session_index);
-#endif
-                    /* Pretend we did this in the past, at last_active moment */
-                    timing_wheel_insert (&sm->timing_wheel,
-                                         last_active + session_get_timeout (sm, sess,
-                                                                    last_active),
-                                         session_index);
-                }
-              else
-                {
-#ifdef DEBUG_SESSIONS
-             clib_warning ("Deleting session %d", (int) session_index);
-#endif
-             delete_session (sm, sw_if_index, session_index);
-                }
-           }
-       }
-      _vec_len (sm->data_from_advancing_timing_wheel) = 0;
-    }
-}
-
-static uword
-l2sess_node_fn (vlib_main_t * vm,
-               vlib_node_runtime_t * node, vlib_frame_t * frame,
-                int node_is_out, int node_is_ip6, int node_is_track,
-                u32 *feat_next_node_index)
-{
-  u32 n_left_from, *from, *to_next;
-  l2sess_next_t next_index;
-  u32 pkts_swapped = 0;
-  u32 feature_bitmap0;
-  u32 trace_flags0;
-
-  l2sess_main_t *sm = &l2sess_main;
-
-  from = vlib_frame_vector_args (frame);
-  n_left_from = frame->n_vectors;
-  next_index = node->cached_next_index;
-
-  while (n_left_from > 0)
-    {
-      u32 n_left_to_next;
-
-      vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
-
-      /* Only a single loop for now for simplicity */
-
-      while (n_left_from > 0 && n_left_to_next > 0)
-       {
-         u32 bi0;
-         vlib_buffer_t *b0;
-         u32 next0 = L2SESS_NEXT_DROP;
-         u32 sw_if_index0;
-         //ethernet_header_t *en0;
-
-         /* speculatively enqueue b0 to the current next frame */
-         bi0 = from[0];
-         to_next[0] = bi0;
-         from += 1;
-         to_next += 1;
-         n_left_from -= 1;
-         n_left_to_next -= 1;
-
-         b0 = vlib_get_buffer (vm, bi0);
-         //en0 = vlib_buffer_get_current (b0);
-
-/*
- *     node_is_out : 1 = is output, 0 = is input
- *     node_is_ip6 : 1 = is ip6, 0 = is ip4
- *     node_is_track : 1 = is a state tracking node, 0 - is a session addition node
- *
- *     The below code adjust the behavior according to these parameters.
- */
-         {
-           u32 session_tables[2] = { ~0, ~0 };
-           u32 session_nexts[2] = { ~0, ~0 };
-           u8 l4_proto;
-           u64 now = clib_cpu_time_now ();
-
-           trace_flags0 = 0;
-           if (node_is_out)
-             {
-               sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_TX];
-             }
-           else
-             {
-               sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
-             }
-           /* potentially also remove the nodes here */
-           feature_bitmap0 = vnet_buffer (b0)->l2.feature_bitmap;
-
-           if (node_is_track)
-             {
-               u32 sess_index = vnet_buffer (b0)->l2_classify.opaque_index;
-               l2s_session_t *sess = sm->sessions + sess_index;
-               l4_proto = sess->l4_proto;
-
-               if (session_is_alive (sm, sess, now, 0))
-                 {
-                   if (6 == l4_proto)
-                     {
-                       tcp_session_account_buffer (b0, sess, node_is_out,
-                                                   now);
-                     }
-                   else
-                     {
-                       udp_session_account_buffer (b0, sess, node_is_out,
-                                                   now);
-                     }
-                 }
-               else
-                 {
-                   timing_wheel_delete (&sm->timing_wheel, sess_index);
-                   delete_session (sm, sw_if_index0, sess_index);
-                   /* FIXME: drop the packet that hit the obsolete node, for now. We really ought to recycle it. */
-                   next0 = 0;
-                 }
-             }
-           else
-             {
-               /*
-                * "-add" node: take l2opaque which arrived to us, and deduce
-                * the tables out of that. ~0 means the topmost classifier table
-                * applied for this AF on the RX(for input)/TX(for output)) sw_if_index.
-                * Also add the mirrored session to the paired table.
-                */
-               l2s_session_t *sess;
-               u32 sess_index;
-
-               l4_proto = l2sess_get_l4_proto (b0, node_is_ip6);
-
-               pool_get (sm->sessions, sess);
-               sess_index = sess - sm->sessions;
-               sess->create_time = now;
-               sess->side[node_is_out].active_time = now;
-               sess->side[1 - node_is_out].active_time = now;
-               sess->l4_proto = l4_proto;
-               sess->is_ip6 = node_is_ip6;
-               if (node_is_ip6)
-                 {
-                   session_store_ip6_l3l4_info (b0, sess, node_is_out);
-                 }
-               else
-                 {
-                   session_store_ip4_l3l4_info (b0, sess, node_is_out);
-                 }
-
-               l2sess_get_session_tables (sm, sw_if_index0, node_is_out,
-                                          node_is_ip6, l4_proto,
-                                          session_tables);
-               l2sess_get_session_nexts (sm, sw_if_index0, node_is_out,
-                                         node_is_ip6, l4_proto,
-                                         session_nexts);
-               l2sess_flip_l3l4_fields (b0, node_is_ip6, l4_proto);
-               if (session_tables[1] != ~0)
-                 {
-                   l2sess_add_session (b0, node_is_out, node_is_ip6,
-                                       session_tables[1], session_nexts[1],
-                                       sess_index);
-                 }
-               l2sess_flip_l3l4_fields (b0, node_is_ip6, l4_proto);
-               if (session_tables[0] != ~0)
-                 {
-                   l2sess_add_session (b0, node_is_out, node_is_ip6,
-                                       session_tables[0], session_nexts[0],
-                                       sess_index);
-                 }
-               if (6 == sess->l4_proto)
-                 {
-                   tcp_session_account_buffer (b0, sess, node_is_out, now);
-                 }
-               else
-                 {
-                   udp_session_account_buffer (b0, sess, node_is_out, now);
-                 }
-               timing_wheel_insert (&sm->timing_wheel,
-                                    now + session_get_timeout (sm, sess,
-                                                               now),
-                                    sess_index);
-             }
-
-           if (now >= sm->timer_wheel_next_expiring_time)
-             {
-               check_idle_sessions (sm, sw_if_index0, now);
-             }
-
-           next0 = feat_bitmap_get_next_node_index (feat_next_node_index,
-                                                  feature_bitmap0);
-
-           if (next0 >= node->n_next_nodes)
-             {
-               trace_flags0 |= 1;
-             }
-
-           if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
-                              && (b0->flags & VLIB_BUFFER_IS_TRACED)))
-             {
-               l2sess_trace_t *t =
-                 vlib_add_trace (vm, node, b0, sizeof (*t));
-               t->sw_if_index = sw_if_index0;
-               t->next_index = next0;
-               t->trace_flags = trace_flags0;
-               t->l4_proto = l4_proto;
-               t->session_tables[0] = session_tables[0];
-               t->session_tables[1] = session_tables[1];
-               t->session_nexts[0] = session_nexts[0];
-               t->session_nexts[1] = session_nexts[1];
-             }
-
-         }
-         pkts_swapped += 1;
-         if (next0 >= node->n_next_nodes)
-           {
-             next0 = 0;
-           }
-
-         /* verify speculative enqueue, maybe switch current next frame */
-         vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
-                                          to_next, n_left_to_next,
-                                          bi0, next0);
-       }
-
-      vlib_put_next_frame (vm, node, next_index, n_left_to_next);
-    }
-  vlib_node_increment_counter (vm, node->node_index,
-                              L2SESS_ERROR_SWAPPED, pkts_swapped);
-  return frame->n_vectors;
-}
-
-
-#define _(node_name, node_var, is_out, is_ip6, is_track) \
-static uword                                             \
-node_var ## node_fn (vlib_main_t * vm,                   \
-                  vlib_node_runtime_t * node,            \
-                  vlib_frame_t * frame)                  \
-{                                                        \
-  l2sess_main_t *sm = &l2sess_main;                      \
-  return l2sess_node_fn(vm, node, frame,                 \
-                        is_out, is_ip6, is_track,        \
-                        sm->node_var ## _feat_next_node_index);  \
-}                                                        \
-VLIB_REGISTER_NODE (node_var) = {                        \
-  .function = node_var ## node_fn,                       \
-  .name = node_name,                                     \
-  .vector_size = sizeof (u32),                           \
-  .format_trace = format_ ## node_var ## _trace,         \
-  .type = VLIB_NODE_TYPE_INTERNAL,                       \
-                                                         \
-  .n_errors = ARRAY_LEN(l2sess_error_strings),           \
-  .error_strings = l2sess_error_strings,                 \
-                                                         \
-  .n_next_nodes = L2SESS_N_NEXT,                         \
-  .next_nodes = {                                        \
-        [L2SESS_NEXT_DROP] = "error-drop",               \
-  },                                                     \
-};
-foreach_l2sess_node
-#undef _
diff --git a/src/plugins/acl/node_in.c b/src/plugins/acl/node_in.c
deleted file mode 100644 (file)
index 95802df..0000000
+++ /dev/null
@@ -1,168 +0,0 @@
-/*
- * Copyright (c) 2016 Cisco and/or its affiliates.
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at:
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#include <vlib/vlib.h>
-#include <vnet/vnet.h>
-#include <vnet/pg/pg.h>
-#include <vppinfra/error.h>
-#include <acl/acl.h>
-#include "node_in.h"
-
-typedef struct
-{
-  u32 next_index;
-  u32 sw_if_index;
-  u32 match_acl_index;
-  u32 match_rule_index;
-  u32 trace_bitmap;
-} acl_in_trace_t;
-
-/* packet trace format function */
-static u8 *
-format_acl_in_trace (u8 * s, va_list * args)
-{
-  CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
-  CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
-  acl_in_trace_t *t = va_arg (*args, acl_in_trace_t *);
-
-  s =
-    format (s,
-           "ACL_IN: sw_if_index %d, next index %d, match: inacl %d rule %d trace_bits %08x",
-           t->sw_if_index, t->next_index, t->match_acl_index,
-           t->match_rule_index, t->trace_bitmap);
-  return s;
-}
-
-vlib_node_registration_t acl_in_node;
-
-#define foreach_acl_in_error \
-_(ACL_CHECK, "InACL check packets processed")
-
-typedef enum
-{
-#define _(sym,str) ACL_IN_ERROR_##sym,
-  foreach_acl_in_error
-#undef _
-    ACL_IN_N_ERROR,
-} acl_in_error_t;
-
-static char *acl_in_error_strings[] = {
-#define _(sym,string) string,
-  foreach_acl_in_error
-#undef _
-};
-
-static uword
-acl_in_node_fn (vlib_main_t * vm,
-               vlib_node_runtime_t * node, vlib_frame_t * frame)
-{
-  u32 n_left_from, *from, *to_next;
-  acl_in_next_t next_index;
-  u32 pkts_acl_checked = 0;
-  u32 feature_bitmap0;
-  u32 trace_bitmap = 0;
-  u32 *input_feat_next_node_index =
-    acl_main.acl_in_node_feat_next_node_index;
-
-  from = vlib_frame_vector_args (frame);
-  n_left_from = frame->n_vectors;
-  next_index = node->cached_next_index;
-
-  while (n_left_from > 0)
-    {
-      u32 n_left_to_next;
-
-      vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
-
-      while (n_left_from > 0 && n_left_to_next > 0)
-       {
-         u32 bi0;
-         vlib_buffer_t *b0;
-         u32 next0 = ~0;
-         u32 sw_if_index0;
-         u32 next = ~0;
-         u32 match_acl_index = ~0;
-         u32 match_rule_index = ~0;
-
-         /* speculatively enqueue b0 to the current next frame */
-         bi0 = from[0];
-         to_next[0] = bi0;
-         from += 1;
-         to_next += 1;
-         n_left_from -= 1;
-         n_left_to_next -= 1;
-
-         b0 = vlib_get_buffer (vm, bi0);
-
-
-         sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
-         feature_bitmap0 = vnet_buffer (b0)->l2.feature_bitmap;
-
-         input_acl_packet_match (sw_if_index0, b0, &next, &match_acl_index,
-                                 &match_rule_index, &trace_bitmap);
-         if (next != ~0)
-           {
-             next0 = next;
-           }
-         if (next0 == ~0)
-           {
-             next0 =
-               feat_bitmap_get_next_node_index (input_feat_next_node_index,
-                                                feature_bitmap0);
-           }
-
-         if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
-                            && (b0->flags & VLIB_BUFFER_IS_TRACED)))
-           {
-             acl_in_trace_t *t = vlib_add_trace (vm, node, b0, sizeof (*t));
-             t->sw_if_index = sw_if_index0;
-             t->next_index = next0;
-             t->match_acl_index = match_acl_index;
-             t->match_rule_index = match_rule_index;
-             t->trace_bitmap = trace_bitmap;
-           }
-
-         next0 = next0 < node->n_next_nodes ? next0 : 0;
-
-         pkts_acl_checked += 1;
-
-         /* verify speculative enqueue, maybe switch current next frame */
-         vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
-                                          to_next, n_left_to_next,
-                                          bi0, next0);
-       }
-
-      vlib_put_next_frame (vm, node, next_index, n_left_to_next);
-    }
-
-  vlib_node_increment_counter (vm, acl_in_node.index,
-                              ACL_IN_ERROR_ACL_CHECK, pkts_acl_checked);
-  return frame->n_vectors;
-}
-
-VLIB_REGISTER_NODE (acl_in_node) =
-{
-  .function = acl_in_node_fn,.name = "acl-plugin-in",.vector_size =
-    sizeof (u32),.format_trace = format_acl_in_trace,.type =
-    VLIB_NODE_TYPE_INTERNAL,.n_errors =
-    ARRAY_LEN (acl_in_error_strings),.error_strings =
-    acl_in_error_strings,.n_next_nodes = ACL_IN_N_NEXT,
-    /* edit / add dispositions here */
-    .next_nodes =
-  {
-  [ACL_IN_ERROR_DROP] = "error-drop",
-      [ACL_IN_ETHERNET_INPUT] = "ethernet-input",
-      [ACL_IN_L2S_INPUT_IP4_ADD] = "aclp-l2s-input-ip4-add",
-      [ACL_IN_L2S_INPUT_IP6_ADD] = "aclp-l2s-input-ip6-add",}
-,};
diff --git a/src/plugins/acl/node_in.h b/src/plugins/acl/node_in.h
deleted file mode 100644 (file)
index 502bbf8..0000000
+++ /dev/null
@@ -1,12 +0,0 @@
-#ifndef _NODE_IN_H_
-#define _NODE_IN_H_
-
-typedef enum {
-  ACL_IN_ERROR_DROP,
-  ACL_IN_ETHERNET_INPUT,
-  ACL_IN_L2S_INPUT_IP4_ADD,
-  ACL_IN_L2S_INPUT_IP6_ADD,
-  ACL_IN_N_NEXT,
-} acl_in_next_t;
-
-#endif
diff --git a/src/plugins/acl/node_out.c b/src/plugins/acl/node_out.c
deleted file mode 100644 (file)
index cbec3b9..0000000
+++ /dev/null
@@ -1,169 +0,0 @@
-/*
- * Copyright (c) 2016 Cisco and/or its affiliates.
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at:
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#include <vlib/vlib.h>
-#include <vnet/vnet.h>
-#include <vnet/pg/pg.h>
-#include <vppinfra/error.h>
-#include <acl/acl.h>
-
-#include "node_out.h"
-
-typedef struct
-{
-  u32 next_index;
-  u32 sw_if_index;
-  u32 match_acl_index;
-  u32 match_rule_index;
-  u32 trace_bitmap;
-} acl_out_trace_t;
-
-/* packet trace format function */
-static u8 *
-format_acl_out_trace (u8 * s, va_list * args)
-{
-  CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
-  CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
-  acl_out_trace_t *t = va_arg (*args, acl_out_trace_t *);
-  s =
-    format (s,
-           "ACL_OUT: sw_if_index %d, next index %d, match: outacl %d rule %d trace_bits %08x",
-           t->sw_if_index, t->next_index, t->match_acl_index,
-           t->match_rule_index, t->trace_bitmap);
-  return s;
-}
-
-vlib_node_registration_t acl_out_node;
-
-#define foreach_acl_out_error \
-_(ACL_CHECK, "OutACL check packets processed")
-
-typedef enum
-{
-#define _(sym,str) ACL_OUT_ERROR_##sym,
-  foreach_acl_out_error
-#undef _
-    ACL_OUT_N_ERROR,
-} acl_out_error_t;
-
-static char *acl_out_error_strings[] = {
-#define _(sym,string) string,
-  foreach_acl_out_error
-#undef _
-};
-
-static uword
-acl_out_node_fn (vlib_main_t * vm,
-                vlib_node_runtime_t * node, vlib_frame_t * frame)
-{
-  acl_main_t *am = &acl_main;
-  u32 *output_feat_next_node_index =
-    am->acl_out_node_feat_next_node_index;
-  u32 n_left_from, *from, *to_next;
-  acl_out_next_t next_index;
-  u32 pkts_acl_checked = 0;
-  u32 feature_bitmap0;
-  u32 match_acl_index = ~0;
-  u32 match_rule_index = ~0;
-  u32 trace_bitmap = 0;
-
-  from = vlib_frame_vector_args (frame);
-  n_left_from = frame->n_vectors;
-  next_index = node->cached_next_index;
-
-  while (n_left_from > 0)
-    {
-      u32 n_left_to_next;
-
-      vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
-
-      while (n_left_from > 0 && n_left_to_next > 0)
-       {
-         u32 bi0;
-         vlib_buffer_t *b0;
-         u32 next0 = ~0;
-         u32 next = 0;
-         u32 sw_if_index0;
-
-         /* speculatively enqueue b0 to the current next frame */
-         bi0 = from[0];
-         to_next[0] = bi0;
-         from += 1;
-         to_next += 1;
-         n_left_from -= 1;
-         n_left_to_next -= 1;
-
-         b0 = vlib_get_buffer (vm, bi0);
-
-
-         sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_TX];
-         feature_bitmap0 = vnet_buffer (b0)->l2.feature_bitmap;
-
-         output_acl_packet_match (sw_if_index0, b0, &next, &match_acl_index,
-                                  &match_rule_index, &trace_bitmap);
-         if (next != ~0)
-           {
-             next0 = next;
-           }
-         if (next0 == ~0)
-           {
-              next0 =
-                feat_bitmap_get_next_node_index (output_feat_next_node_index,
-                                                 feature_bitmap0);
-           }
-
-
-
-         if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
-                            && (b0->flags & VLIB_BUFFER_IS_TRACED)))
-           {
-             acl_out_trace_t *t = vlib_add_trace (vm, node, b0, sizeof (*t));
-             t->sw_if_index = sw_if_index0;
-             t->next_index = next0;
-             t->match_acl_index = match_acl_index;
-             t->match_rule_index = match_rule_index;
-             t->trace_bitmap = trace_bitmap;
-           }
-
-         pkts_acl_checked += 1;
-
-         /* verify speculative enqueue, maybe switch current next frame */
-         vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
-                                          to_next, n_left_to_next,
-                                          bi0, next0);
-       }
-
-      vlib_put_next_frame (vm, node, next_index, n_left_to_next);
-    }
-
-  vlib_node_increment_counter (vm, acl_out_node.index,
-                              ACL_OUT_ERROR_ACL_CHECK, pkts_acl_checked);
-  return frame->n_vectors;
-}
-
-VLIB_REGISTER_NODE (acl_out_node) =
-{
-  .function = acl_out_node_fn,.name = "acl-plugin-out",.vector_size =
-    sizeof (u32),.format_trace = format_acl_out_trace,.type =
-    VLIB_NODE_TYPE_INTERNAL,.n_errors =
-    ARRAY_LEN (acl_out_error_strings),.error_strings =
-    acl_out_error_strings,.n_next_nodes = ACL_OUT_N_NEXT,
-    /* edit / add dispositions here */
-    .next_nodes =
-  {
-  [ACL_OUT_ERROR_DROP] = "error-drop",
-      [ACL_OUT_INTERFACE_OUTPUT] = "interface-output",
-      [ACL_OUT_L2S_OUTPUT_IP4_ADD] = "aclp-l2s-output-ip4-add",
-      [ACL_OUT_L2S_OUTPUT_IP6_ADD] = "aclp-l2s-output-ip6-add",}
-,};
diff --git a/src/plugins/acl/node_out.h b/src/plugins/acl/node_out.h
deleted file mode 100644 (file)
index c919f3b..0000000
+++ /dev/null
@@ -1,12 +0,0 @@
-#ifndef _NODE_OUT_H_
-#define _NODE_OUT_H_
-
-typedef enum {
-  ACL_OUT_ERROR_DROP,
-  ACL_OUT_INTERFACE_OUTPUT,
-  ACL_OUT_L2S_OUTPUT_IP4_ADD,
-  ACL_OUT_L2S_OUTPUT_IP6_ADD,
-  ACL_OUT_N_NEXT,
-} acl_out_next_t;
-
-#endif
diff --git a/src/plugins/acl/test/run-python b/src/plugins/acl/test/run-python
deleted file mode 100755 (executable)
index 215eb17..0000000
+++ /dev/null
@@ -1,28 +0,0 @@
-#!/bin/sh
-#
-# Do all the legwork to run a scapy shell with APIs available for load
-#
-CURR_DIR=`pwd`
-ROOT_DIR=`git rev-parse --show-toplevel`
-cd $ROOT_DIR
-sudo apt-get install -y python-virtualenv
-# uncomment the line below to enable build of plugins and api each time
-# make plugins && make build-vpp-api || exit
-virtualenv virtualenv
-virtualenv/bin/pip install ipaddress
-virtualenv/bin/pip install scapy
-# install the python API into the virtualenv
-cd $ROOT_DIR/vpp-api/python/
-$ROOT_DIR/virtualenv/bin/python setup.py install
-# install the python ACL plugin API into the virtualenv
-ACL_PLUGIN_SETUP_DIR=`find $ROOT_DIR/build-root -name acl-plugin`
-cd $ACL_PLUGIN_SETUP_DIR; 
-$ROOT_DIR/virtualenv/bin/python setup.py install
-cd $ROOT_DIR
-# figure out the shared library path and start scapy
-export LD_LIBRARY_PATH=`pwd`/`find . -name "libpneum.so" -exec dirname {} \; | grep lib64 | head -n 1`
-cd $CURR_DIR
-sudo LD_LIBRARY_PATH=$LD_LIBRARY_PATH $ROOT_DIR/virtualenv/bin/python $1 $2 $3 $4 $5 $6 $7 $8 $9
-
-
-
diff --git a/src/plugins/acl/test/run-scapy b/src/plugins/acl/test/run-scapy
deleted file mode 100755 (executable)
index 266f07d..0000000
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/bin/sh
-#
-# Do all the legwork to run a scapy shell with APIs available for load
-#
-ROOT_DIR=`git rev-parse --show-toplevel`
-cd $ROOT_DIR
-sudo apt-get install -y python-virtualenv
-# uncomment the line below to enable the build of plugins and API each time..
-# make plugins && make build-vpp-api || exit
-virtualenv virtualenv
-virtualenv/bin/pip install ipaddress
-virtualenv/bin/pip install scapy
-# install the python API into the virtualenv
-cd $ROOT_DIR/vpp-api/python/
-$ROOT_DIR/virtualenv/bin/python setup.py install
-# install the python ACL plugin API into the virtualenv
-ACL_PLUGIN_SETUP_DIR=`find $ROOT_DIR/build-root -name acl-plugin`
-cd $ACL_PLUGIN_SETUP_DIR; 
-$ROOT_DIR/virtualenv/bin/python setup.py install
-cd $ROOT_DIR
-# figure out the shared library path and start scapy
-export LD_LIBRARY_PATH=`pwd`/`find . -name "libpneum.so" -exec dirname {} \; | grep lib64 | head -n 1`
-sudo LD_LIBRARY_PATH=$LD_LIBRARY_PATH virtualenv/bin/scapy
-
-
-
diff --git a/src/plugins/acl/test/test_acl_plugin.py b/src/plugins/acl/test/test_acl_plugin.py
deleted file mode 100644 (file)
index 7fc72d6..0000000
+++ /dev/null
@@ -1,118 +0,0 @@
-from __future__ import print_function
-import unittest, sys, time, threading, struct, logging, os
-import vpp_papi
-# import vpp_papi_plugins.acl
-from ipaddress import *
-papi_event = threading.Event()
-print(vpp_papi.vpe.VL_API_SW_INTERFACE_SET_FLAGS)
-def papi_event_handler(result):
-    if result.vl_msg_id == vpp_papi.vpe.VL_API_SW_INTERFACE_SET_FLAGS:
-        return
-    if result.vl_msg_id == vpp_papi.vpe.VL_API_VNET_INTERFACE_COUNTERS:
-        print('Interface counters', result)
-        return
-    if result.vl_msg_id == vpp_papi.vpe.VL_API_VNET_IP6_FIB_COUNTERS:
-        print('IPv6 FIB counters', result)
-        papi_event.set()
-        return
-
-    print('Unknown message id:', result.vl_msg_id)
-
-import glob, subprocess
-class TestAclPlugin(unittest.TestCase):
-    @classmethod
-    def setUpClass(cls):
-        print("Setup")
-    @classmethod
-    def tearDownClass(cls):
-        print("Teardown")
-
-    def setUp(self):
-        print("Connecting API")
-        r = vpp_papi.connect("test_papi")
-        self.assertEqual(r, 0)
-
-    def tearDown(self):
-        r = vpp_papi.disconnect()
-        self.assertEqual(r, 0)
-
-    #
-    # The tests themselves
-    #
-
-    #
-    # Basic request / reply
-    #
-    def test_show_version(self):
-        t = vpp_papi.show_version()
-        print('T', t);
-        program = t.program.decode().rstrip('\x00')
-        self.assertEqual('vpe', program)
-
-    def x_test_acl_add(self):
-        print("Test ACL add")
-        self.assertEqual(1, 1)
-    
-    #
-    # Details / Dump
-    #
-    def x_test_details_dump(self):
-        t = vpp_papi.sw_interface_dump(0, b'')
-        print('Dump/details T', t)
-
-    #
-    # Arrays
-    #
-    def x_test_arrays(self):
-        t = vpp_papi.vnet_get_summary_stats()
-        print('Summary stats', t)
-        print('Packets:', t.total_pkts[0])
-        print('Packets:', t.total_pkts[1])
-    #
-    # Variable sized arrays and counters
-    #
-    #@unittest.skip("stats")
-    def x_test_want_stats(self):
-        pid = 123
-        vpp_papi.register_event_callback(papi_event_handler)
-        papi_event.clear()
-
-        # Need to configure IPv6 to get som IPv6 FIB stats
-        t = vpp_papi.create_loopback('')
-        print(t)
-        self.assertEqual(t.retval, 0)
-
-        ifindex = t.sw_if_index
-        addr = str(IPv6Address(u'1::1').packed)
-        t = vpp_papi.sw_interface_add_del_address(ifindex, 1, 1, 0, 16, addr)
-        print(t)
-        self.assertEqual(t.retval, 0)
-
-        # Check if interface is up
-        # XXX: Add new API to query interface state based on ifindex, instead of dump all.
-        t = vpp_papi.sw_interface_set_flags(ifindex, 1, 1, 0)
-        self.assertEqual(t.retval, 0)
-
-        t = vpp_papi.want_stats(True, pid)
-
-        print (t)
-
-        #
-        # Wait for some stats
-        #
-        self.assertEqual(papi_event.wait(15), True)
-        t = vpp_papi.want_stats(False, pid)
-        print (t)
-
-
-    #
-    # Plugins?
-    #
-
-if __name__ == '__main__' or __name__ == '__builtin__':
-    print("This is main")
-    suite = unittest.TestLoader().loadTestsFromTestCase(TestAclPlugin)
-    unittest.TextTestRunner(verbosity=2).run(suite)
-    #logging.basicConfig(level=logging.DEBUG)
-    # unittest.main()
-
index 32abf18..c7f1068 100644 (file)
@@ -715,53 +715,5 @@ class TestIpIrb(VppTestCase):
         self.run_test_ip46_bridged_to_routed_and_back(False, False,
                                                       self.WITH_EH)
 
-    # Old datapath group
-    def test_8900_ip6_irb_1(self):
-        """ ACL plugin set old L2 datapath"""
-        if not self.vpp_dead:
-            cmd = "set acl-plugin l2-datapath old"
-            self.logger.info(self.vapi.ppcli(cmd))
-
-    def test_8901_ip6_irb_1(self):
-        """ ACL IPv6 routed -> bridged, L2 ACL deny"""
-        self.run_test_ip46_routed_to_bridged(True, True, False,
-                                             self.WITHOUT_EH)
-
-    def test_8902_ip6_irb_1(self):
-        """ ACL IPv6 routed -> bridged, L3 ACL deny"""
-        self.run_test_ip46_routed_to_bridged(False, True, False,
-                                             self.WITHOUT_EH)
-
-    def test_8903_ip4_irb_1(self):
-        """ ACL IPv4 routed -> bridged, L2 ACL deny"""
-        self.run_test_ip46_routed_to_bridged(True, False, False,
-                                             self.WITHOUT_EH)
-
-    def test_8904_ip4_irb_1(self):
-        """ ACL IPv4 routed -> bridged, L3 ACL deny"""
-        self.run_test_ip46_routed_to_bridged(False, False, False,
-                                             self.WITHOUT_EH)
-
-    def test_8905_ip6_irb_1(self):
-        """ ACL IPv6 bridged -> routed, L2 ACL deny """
-        self.run_test_ip46_bridged_to_routed(True, True, False,
-                                             self.WITHOUT_EH)
-
-    def test_8906_ip6_irb_1(self):
-        """ ACL IPv6 bridged -> routed, L3 ACL deny """
-        self.run_test_ip46_bridged_to_routed(False, True, False,
-                                             self.WITHOUT_EH)
-
-    def test_8907_ip6_irb_1(self):
-        """ ACL IPv4 bridged -> routed, L2 ACL deny """
-        self.run_test_ip46_bridged_to_routed(True, False, False,
-                                             self.WITHOUT_EH)
-
-    def test_8908_ip6_irb_1(self):
-        """ ACL IPv4 bridged -> routed, L3 ACL deny """
-        self.run_test_ip46_bridged_to_routed(False, False, False,
-                                             self.WITHOUT_EH)
-
-
 if __name__ == '__main__':
     unittest.main(testRunner=VppTestRunner)