A poor man's flow switching or policy based rounting.
An ACL is used to match packets and is associated with a [set of] forwarding paths
that determine how to forward matched packets - collectively this association is a
'policy'.
Policies are then 'attached', in a priority order, to an interface when thaey are
encountered as an input feature. If a packet matches no policies it is forwarded
normally in the IP FIB.
This commit is used to test the "ACL-as-a-service" functionality,
which currently compiles, and the existing traffic ACL tests pass in both hash and linear modes.
Change-Id: I0b274ec9f2e645352fa898b43eb54c457e195964
Signed-off-by: Neale Ranns <nranns@cisco.com>
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Signed-off-by: Ole Troan <ot@cisco.com>
###############################################################################
# Please keep alphabetical order
+PLUGIN_ENABLED(abf)
PLUGIN_ENABLED(acl)
PLUGIN_ENABLED(avf)
PLUGIN_ENABLED(cdp)
vppapitestpluginsdir = ${libdir}/vpp_api_test_plugins
vpppluginsdir = ${libdir}/vpp_plugins
+if ENABLE_ABF_PLUGIN
+include abf.am
+endif
+
if ENABLE_ACL_PLUGIN
include acl.am
endif
--- /dev/null
+# Copyright (c) 2016 Cisco and/or its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+vppplugins_LTLIBRARIES += abf_plugin.la
+
+abf_plugin_la_SOURCES = \
+ abf/abf_policy.c \
+ abf/abf_api.c \
+ abf/abf_itf_attach.c
+
+API_FILES += abf/abf.api
+
+nobase_apiinclude_HEADERS += \
+ abf/abf_all_api_h.h \
+ abf/abf_msg_enum.h \
+ abf/abf.api.h
+
+# vi:syntax=automake
--- /dev/null
+/* Hey Emacs use -*- mode: C -*- */
+/*
+ * Copyright (c) 2016 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/** \file
+ This file defines the vpp control-plane API messages
+ used to control the ABF plugin
+*/
+
+option version = "1.0.0";
+import "vnet/fib/fib_types.api";
+
+/** \brief Get the plugin version
+ @param client_index - opaque cookie to identify the sender
+ @param context - sender context, to match reply w/ request
+*/
+define abf_plugin_get_version
+{
+ u32 client_index;
+ u32 context;
+};
+
+/** \brief Reply to get the plugin version
+ @param context - returned sender context, to match reply w/ request
+ @param major - Incremented every time a known breaking behavior change is introduced
+ @param minor - Incremented with small changes, may be used to avoid buggy versions
+*/
+define abf_plugin_get_version_reply
+{
+ u32 context;
+ u32 major;
+ u32 minor;
+};
+
+/** \brief A description of an ABF policy
+ @param policy_id User chosen Identifier for the policy
+ @param acl_index The ACL that the policy will match against
+ @param n_paths Number of paths
+ @param paths The set of forwarding paths that are being added or removed.
+ */
+typeonly define abf_policy
+{
+ u32 policy_id;
+ u32 acl_index;
+ u8 n_paths;
+ vl_api_fib_path_t paths[n_paths];
+};
+
+/** \brief A description of an ABF policy
+ @param is_add Is this the addition or removal of paths from the policy
+ If the policy does not exist it is created. If the last path
+ Is being removed, the policy is deleted
+ @param policy The policy
+ */
+autoreply define abf_policy_add_del
+{
+ u32 client_index;
+ u32 context;
+ u8 is_add;
+ vl_api_abf_policy_t policy;
+};
+
+/** \brief Policy description returned in the dump
+ */
+define abf_policy_details
+{
+ u32 context;
+ vl_api_abf_policy_t policy;
+};
+
+/** \brief Dump all ABF policies
+ */
+define abf_policy_dump
+{
+ u32 client_index;
+ u32 context;
+};
+
+/** \brief A description of a policy attachment to an interface
+ @param The policy ID to attach
+ @param sw_if_index The interface to attach to
+ @param priority The priority of the attachment, w.r.t. to other attachments
+ on this interface. lower value is 'better'
+ @param is_ipv6 Does this attachment apply to IPv6 packets (or IPv4)
+*/
+typeonly define abf_itf_attach
+{
+ u32 policy_id;
+ u32 sw_if_index;
+ u32 priority;
+ u8 is_ipv6;
+};
+
+/** \brief Add or delete a policy attachment to an interface
+ */
+autoreply define abf_itf_attach_add_del
+{
+ u32 client_index;
+ u32 context;
+ u8 is_add;
+ vl_api_abf_itf_attach_t attach;
+};
+
+/** \brief Attachment details from a dump
+ */
+define abf_itf_attach_details
+{
+ u32 context;
+ vl_api_abf_itf_attach_t attach;
+};
+
+/** \brief Dump all the policy attachments
+ */
+define abf_itf_attach_dump
+{
+ u32 client_index;
+ u32 context;
+};
+
--- /dev/null
+/*
+ * Copyright (c) 2017 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+/* Include the generated file, see BUILT_SOURCES in Makefile.am */
+#include <abf/abf.api.h>
--- /dev/null
+/*
+ * Copyright (c) 2016 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stddef.h>
+
+#include <vnet/vnet.h>
+#include <vnet/plugin/plugin.h>
+#include <abf/abf_policy.h>
+#include <abf/abf_itf_attach.h>
+#include <vnet/mpls/mpls_types.h>
+#include <vnet/fib/fib_path_list.h>
+#include <vnet/fib/fib_api.h>
+
+#include <vpp/app/version.h>
+
+#include <vlibapi/api.h>
+#include <vlibmemory/api.h>
+
+/* define message IDs */
+#include <abf/abf_msg_enum.h>
+
+/* define message structures */
+#define vl_typedefs
+#include <abf/abf_all_api_h.h>
+#undef vl_typedefs
+
+/* define generated endian-swappers */
+#define vl_endianfun
+#include <abf/abf_all_api_h.h>
+#undef vl_endianfun
+
+/* instantiate all the print functions we know about */
+#define vl_print(handle, ...) vlib_cli_output (handle, __VA_ARGS__)
+#define vl_printfun
+#include <abf/abf_all_api_h.h>
+#undef vl_printfun
+
+/* Get the API version number */
+#define vl_api_version(n,v) static u32 api_version=(v);
+#include <abf/abf_all_api_h.h>
+#undef vl_api_version
+
+/**
+ * Base message ID fot the plugin
+ */
+static u32 abf_base_msg_id;
+
+#include <vlibapi/api_helper_macros.h>
+
+/* List of message types that this plugin understands */
+
+#define foreach_abf_plugin_api_msg \
+_(ABF_PLUGIN_GET_VERSION, abf_plugin_get_version) \
+_(ABF_POLICY_ADD_DEL, abf_policy_add_del) \
+_(ABF_POLICY_DUMP, abf_policy_dump) \
+_(ABF_ITF_ATTACH_ADD_DEL, abf_itf_attach_add_del) \
+_(ABF_ITF_ATTACH_DUMP, abf_itf_attach_dump)
+
+static void
+vl_api_abf_plugin_get_version_t_handler (vl_api_abf_plugin_get_version_t * mp)
+{
+ vl_api_abf_plugin_get_version_reply_t *rmp;
+ int msg_size = sizeof (*rmp);
+ unix_shared_memory_queue_t *q;
+
+ q = vl_api_client_index_to_input_queue (mp->client_index);
+ if (q == 0)
+ {
+ return;
+ }
+
+ rmp = vl_msg_api_alloc (msg_size);
+ memset (rmp, 0, msg_size);
+ rmp->_vl_msg_id =
+ ntohs (VL_API_ABF_PLUGIN_GET_VERSION_REPLY + abf_base_msg_id);
+ rmp->context = mp->context;
+ rmp->major = htonl (ABF_PLUGIN_VERSION_MAJOR);
+ rmp->minor = htonl (ABF_PLUGIN_VERSION_MINOR);
+
+ vl_msg_api_send_shmem (q, (u8 *) & rmp);
+}
+
+static void
+vl_api_abf_policy_add_del_t_handler (vl_api_abf_policy_add_del_t * mp)
+{
+ vl_api_abf_policy_add_del_reply_t *rmp;
+ fib_route_path_t *paths = NULL, *path;
+ int rv = 0;
+ u8 pi;
+
+ vec_validate (paths, mp->policy.n_paths - 1);
+
+ for (pi = 0; pi < mp->policy.n_paths; pi++)
+ {
+ path = &paths[pi];
+ rv = fib_path_api_parse (&mp->policy.paths[pi], path);
+
+ if (0 != rv)
+ {
+ goto done;
+ }
+ }
+
+ if (mp->is_add)
+ {
+ abf_policy_update (ntohl (mp->policy.policy_id),
+ ntohl (mp->policy.acl_index), paths);
+ }
+ else
+ {
+ abf_policy_delete (ntohl (mp->policy.policy_id), paths);
+ }
+done:
+ vec_free (paths);
+
+ REPLY_MACRO (VL_API_ABF_POLICY_ADD_DEL_REPLY + abf_base_msg_id);
+}
+
+static void
+vl_api_abf_itf_attach_add_del_t_handler (vl_api_abf_itf_attach_add_del_t * mp)
+{
+ vl_api_abf_itf_attach_add_del_reply_t *rmp;
+ fib_protocol_t fproto = (mp->attach.is_ipv6 ?
+ FIB_PROTOCOL_IP6 : FIB_PROTOCOL_IP4);
+ int rv = 0;
+
+ if (mp->is_add)
+ {
+ abf_itf_attach (fproto,
+ ntohl (mp->attach.policy_id),
+ ntohl (mp->attach.priority),
+ ntohl (mp->attach.sw_if_index));
+ }
+ else
+ {
+ abf_itf_detach (fproto,
+ ntohl (mp->attach.policy_id),
+ ntohl (mp->attach.sw_if_index));
+ }
+
+ REPLY_MACRO (VL_API_ABF_ITF_ATTACH_ADD_DEL_REPLY + abf_base_msg_id);
+}
+
+typedef struct abf_dump_walk_ctx_t_
+{
+ unix_shared_memory_queue_t *q;
+ u32 context;
+} abf_dump_walk_ctx_t;
+
+static int
+abf_policy_send_details (u32 api, void *args)
+{
+ fib_route_path_encode_t *api_rpaths = NULL, *api_rpath;
+ vl_api_abf_policy_details_t *mp;
+ abf_dump_walk_ctx_t *ctx;
+ vl_api_fib_path_t *fp;
+ size_t msg_size;
+ abf_policy_t *ap;
+ u8 n_paths;
+
+ ctx = args;
+ ap = abf_policy_get (api);
+ n_paths = fib_path_list_get_n_paths (ap->ap_pl);
+ msg_size = sizeof (*mp) + sizeof (mp->policy.paths[0]) * n_paths;
+
+ mp = vl_msg_api_alloc (msg_size);
+ memset (mp, 0, msg_size);
+ mp->_vl_msg_id = ntohs (VL_API_ABF_POLICY_DETAILS + abf_base_msg_id);
+
+ /* fill in the message */
+ mp->context = ctx->context;
+ mp->policy.n_paths = n_paths;
+ mp->policy.acl_index = htonl (ap->ap_acl);
+ mp->policy.policy_id = htonl (ap->ap_id);
+
+ fib_path_list_walk (ap->ap_pl, fib_path_encode, &api_rpaths);
+
+ fp = mp->policy.paths;
+ vec_foreach (api_rpath, api_rpaths)
+ {
+ fib_api_path_encode (api_rpath, fp);
+ fp++;
+ }
+
+ vl_msg_api_send_shmem (ctx->q, (u8 *) & mp);
+
+ return (1);
+}
+
+static void
+vl_api_abf_policy_dump_t_handler (vl_api_abf_policy_dump_t * mp)
+{
+ unix_shared_memory_queue_t *q;
+
+ q = vl_api_client_index_to_input_queue (mp->client_index);
+ if (q == 0)
+ {
+ return;
+ }
+
+ abf_dump_walk_ctx_t ctx = {
+ .q = q,
+ .context = mp->context,
+ };
+
+ abf_policy_walk (abf_policy_send_details, &ctx);
+}
+
+static int
+abf_itf_attach_send_details (u32 aiai, void *args)
+{
+ vl_api_abf_itf_attach_details_t *mp;
+ abf_dump_walk_ctx_t *ctx;
+ abf_itf_attach_t *aia;
+ abf_policy_t *ap;
+
+ ctx = args;
+ aia = abf_itf_attach_get (aiai);
+ ap = abf_policy_get (aia->aia_abf);
+
+ mp = vl_msg_api_alloc (sizeof (*mp));
+ mp->_vl_msg_id = ntohs (VL_API_ABF_ITF_ATTACH_DETAILS + abf_base_msg_id);
+
+ mp->context = ctx->context;
+ mp->attach.policy_id = htonl (ap->ap_id);
+ mp->attach.sw_if_index = htonl (aia->aia_sw_if_index);
+ mp->attach.priority = htonl (aia->aia_prio);
+ mp->attach.is_ipv6 = (aia->aia_proto == FIB_PROTOCOL_IP6);
+
+ vl_msg_api_send_shmem (ctx->q, (u8 *) & mp);
+
+ return (1);
+}
+
+static void
+vl_api_abf_itf_attach_dump_t_handler (vl_api_abf_itf_attach_dump_t * mp)
+{
+ unix_shared_memory_queue_t *q;
+
+ q = vl_api_client_index_to_input_queue (mp->client_index);
+ if (q == 0)
+ {
+ return;
+ }
+
+ abf_dump_walk_ctx_t ctx = {
+ .q = q,
+ .context = mp->context,
+ };
+
+ abf_itf_attach_walk (abf_itf_attach_send_details, &ctx);
+}
+
+#define vl_msg_name_crc_list
+#include <abf/abf_all_api_h.h>
+#undef vl_msg_name_crc_list
+
+/* Set up the API message handling tables */
+static clib_error_t *
+abf_plugin_api_hookup (vlib_main_t * vm)
+{
+#define _(N,n) \
+ vl_msg_api_set_handlers((VL_API_##N + abf_base_msg_id), \
+ #n, \
+ vl_api_##n##_t_handler, \
+ vl_noop_handler, \
+ vl_api_##n##_t_endian, \
+ vl_api_##n##_t_print, \
+ sizeof(vl_api_##n##_t), 1);
+ foreach_abf_plugin_api_msg;
+#undef _
+
+ return 0;
+}
+
+static void
+setup_message_id_table (api_main_t * apim)
+{
+#define _(id,n,crc) \
+ vl_msg_api_add_msg_name_crc (apim, #n "_" #crc, id + abf_base_msg_id);
+ foreach_vl_msg_name_crc_abf;
+#undef _
+}
+
+static clib_error_t *
+abf_api_init (vlib_main_t * vm)
+{
+ clib_error_t *error = 0;
+
+ u8 *name = format (0, "abf_%08x%c", api_version, 0);
+
+ /* Ask for a correctly-sized block of API message decode slots */
+ abf_base_msg_id = vl_msg_api_get_msg_ids ((char *) name,
+ VL_MSG_FIRST_AVAILABLE);
+
+ error = abf_plugin_api_hookup (vm);
+
+ /* Add our API messages to the global name_crc hash table */
+ setup_message_id_table (&api_main);
+
+ vec_free (name);
+
+ return error;
+}
+
+VLIB_INIT_FUNCTION (abf_api_init);
+
+
+/*
+ * fd.io coding-style-patch-verification: ON
+ *
+ * Local Variables:
+ * eval: (c-set-style "gnu")
+ * End:
+ */
--- /dev/null
+/*
+ * abf_error.def: ABF errors
+ *
+ * Copyright (c) 2012 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+abf_error (NONE, "no match")
+abf_error (MATCHED, "matched")
--- /dev/null
+/*
+ * Copyright (c) 2017 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <plugins/abf/abf_itf_attach.h>
+#include <vnet/fib/fib_path_list.h>
+#include <plugins/acl/exports.h>
+
+/**
+ * Forward declarations;
+ */
+extern vlib_node_registration_t abf_ip4_node;
+extern vlib_node_registration_t abf_ip6_node;
+
+/**
+ * FIB node registered type for the bonds
+ */
+static fib_node_type_t abf_itf_attach_fib_node_type;
+
+/**
+ * Pool of ABF interface attachment objects
+ */
+abf_itf_attach_t *abf_itf_attach_pool;
+
+/**
+ * A per interface vector of attached policies. used in the data-plane
+ */
+static u32 **abf_per_itf[FIB_PROTOCOL_MAX];
+
+/**
+ * Per interface values of ACL lookup context IDs. used in the data-plane
+ */
+static u32 *abf_alctx_per_itf[FIB_PROTOCOL_MAX];
+
+/**
+ * ABF ACL module user id returned during the initialization
+ */
+static u32 abf_acl_user_id;
+
+/**
+ * A DB of attachments; key={abf_index,sw_if_index}
+ */
+static uword *abf_itf_attach_db;
+
+static u64
+abf_itf_attach_mk_key (u32 abf_index, u32 sw_if_index)
+{
+ u64 key;
+
+ key = abf_index;
+ key = key << 32;
+ key |= sw_if_index;
+
+ return (key);
+}
+
+static abf_itf_attach_t *
+abf_itf_attach_db_find (u32 abf_index, u32 sw_if_index)
+{
+ uword *p;
+ u64 key;
+
+ key = abf_itf_attach_mk_key (abf_index, sw_if_index);
+
+ p = hash_get (abf_itf_attach_db, key);
+
+ if (NULL != p)
+ return (pool_elt_at_index (abf_itf_attach_pool, p[0]));
+
+ return (NULL);
+}
+
+static void
+abf_itf_attach_db_add (u32 abf_index, u32 sw_if_index, abf_itf_attach_t * aia)
+{
+ u64 key;
+
+ key = abf_itf_attach_mk_key (abf_index, sw_if_index);
+
+ hash_set (abf_itf_attach_db, key, aia - abf_itf_attach_pool);
+}
+
+static void
+abf_itf_attach_db_del (u32 abf_index, u32 sw_if_index)
+{
+ u64 key;
+
+ key = abf_itf_attach_mk_key (abf_index, sw_if_index);
+
+ hash_unset (abf_itf_attach_db, key);
+}
+
+static void
+abf_itf_attach_stack (abf_itf_attach_t * aia)
+{
+ /*
+ * stack the DPO on the forwarding contributed by the path-list
+ */
+ dpo_id_t via_dpo = DPO_INVALID;
+ abf_policy_t *ap;
+
+ ap = abf_policy_get (aia->aia_abf);
+
+ fib_path_list_contribute_forwarding (ap->ap_pl,
+ (FIB_PROTOCOL_IP4 == aia->aia_proto ?
+ FIB_FORW_CHAIN_TYPE_UNICAST_IP4 :
+ FIB_FORW_CHAIN_TYPE_UNICAST_IP6),
+ FIB_PATH_LIST_FWD_FLAG_COLLAPSE,
+ &via_dpo);
+
+ dpo_stack_from_node ((FIB_PROTOCOL_IP4 == aia->aia_proto ?
+ abf_ip4_node.index :
+ abf_ip6_node.index), &aia->aia_dpo, &via_dpo);
+ dpo_reset (&via_dpo);
+}
+
+static int
+abf_cmp_attach_for_sort (void *v1, void *v2)
+{
+ const abf_itf_attach_t *aia1;
+ const abf_itf_attach_t *aia2;
+
+ aia1 = abf_itf_attach_get (*(u32 *) v1);
+ aia2 = abf_itf_attach_get (*(u32 *) v2);
+
+ return (aia1->aia_prio - aia2->aia_prio);
+}
+
+void
+abf_setup_acl_lc (fib_protocol_t fproto, u32 sw_if_index)
+{
+ u32 *acl_vec = 0;
+ u32 *aiai;
+ abf_itf_attach_t *aia;
+
+ if (~0 == abf_alctx_per_itf[fproto][sw_if_index])
+ return;
+
+ vec_foreach (aiai, abf_per_itf[fproto][sw_if_index])
+ {
+ aia = abf_itf_attach_get (*aiai);
+ vec_add1 (acl_vec, aia->aia_acl);
+ }
+ acl_plugin_set_acl_vec_for_context (abf_alctx_per_itf[fproto][sw_if_index],
+ acl_vec);
+ vec_free (acl_vec);
+}
+
+int
+abf_itf_attach (fib_protocol_t fproto,
+ u32 policy_id, u32 priority, u32 sw_if_index)
+{
+ abf_itf_attach_t *aia;
+ abf_policy_t *ap;
+ u32 api, aiai;
+
+ api = abf_policy_find (policy_id);
+
+ ASSERT (INDEX_INVALID != api);
+ ap = abf_policy_get (api);
+
+ /*
+ * check this is not a duplicate
+ */
+ aia = abf_itf_attach_db_find (policy_id, sw_if_index);
+
+ if (NULL != aia)
+ return (VNET_API_ERROR_ENTRY_ALREADY_EXISTS);
+
+ /*
+ * construt a new attachemnt object
+ */
+ pool_get (abf_itf_attach_pool, aia);
+
+ fib_node_init (&aia->aia_node, abf_itf_attach_fib_node_type);
+ aia->aia_prio = priority;
+ aia->aia_proto = fproto;
+ aia->aia_acl = ap->ap_acl;
+ aia->aia_abf = api;
+ aia->aia_sw_if_index = sw_if_index;
+ aiai = aia - abf_itf_attach_pool;
+ abf_itf_attach_db_add (policy_id, sw_if_index, aia);
+
+ /*
+ * stack the DPO on the forwarding contributed by the path-list
+ */
+ abf_itf_attach_stack (aia);
+
+ /*
+ * Insert the policy on the interfaces list.
+ */
+ vec_validate_init_empty (abf_per_itf[fproto], sw_if_index, NULL);
+ vec_add1 (abf_per_itf[fproto][sw_if_index], aia - abf_itf_attach_pool);
+ if (1 == vec_len (abf_per_itf[fproto][sw_if_index]))
+ {
+ /*
+ * when enabling the first ABF polciy on the interface
+ * we need to enable the interface input feature
+ */
+ vnet_feature_enable_disable ((FIB_PROTOCOL_IP4 == fproto ?
+ "ip4-unicast" :
+ "ip6-unicast"),
+ (FIB_PROTOCOL_IP4 == fproto ?
+ "abf-input-ip4" :
+ "abf-input-ip6"),
+ sw_if_index, 1, NULL, 0);
+
+ /* if this is the first ABF policy, we need to acquire an ACL lookup context */
+ vec_validate_init_empty (abf_alctx_per_itf[fproto], sw_if_index, ~0);
+ abf_alctx_per_itf[fproto][sw_if_index] =
+ acl_plugin_get_lookup_context_index (abf_acl_user_id, sw_if_index, 0);
+ }
+ else
+ {
+ vec_sort_with_function (abf_per_itf[fproto][sw_if_index],
+ abf_cmp_attach_for_sort);
+ }
+
+ /* Prepare and set the list of ACLs for lookup within the context */
+ abf_setup_acl_lc (fproto, sw_if_index);
+
+ /*
+ * become a child of the ABF poilcy so we are notified when
+ * its forwarding changes.
+ */
+ aia->aia_sibling = fib_node_child_add (abf_policy_fib_node_type,
+ api,
+ abf_itf_attach_fib_node_type, aiai);
+
+ return (0);
+}
+
+int
+abf_itf_detach (fib_protocol_t fproto, u32 policy_id, u32 sw_if_index)
+{
+ abf_itf_attach_t *aia;
+ u32 index;
+
+ /*
+ * check this is a valid attahment
+ */
+ aia = abf_itf_attach_db_find (policy_id, sw_if_index);
+
+ if (NULL == aia)
+ return (VNET_API_ERROR_ENTRY_ALREADY_EXISTS);
+
+ /*
+ * first remove from the interface's vecotr
+ */
+ ASSERT (abf_per_itf[fproto]);
+ ASSERT (abf_per_itf[fproto][sw_if_index]);
+
+ index = vec_search (abf_per_itf[fproto][sw_if_index],
+ aia - abf_itf_attach_pool);
+
+ ASSERT (index != ~0);
+ vec_del1 (abf_per_itf[fproto][sw_if_index], index);
+
+ if (0 == vec_len (abf_per_itf[fproto][sw_if_index]))
+ {
+ /*
+ * when deleting the last ABF polciy on the interface
+ * we need to disable the interface input feature
+ */
+ vnet_feature_enable_disable ((FIB_PROTOCOL_IP4 == fproto ?
+ "ip4-unicast" :
+ "ip6-unicast"),
+ (FIB_PROTOCOL_IP4 == fproto ?
+ "abf-input-ip4" :
+ "abf-input-ip6"),
+ sw_if_index, 0, NULL, 0);
+
+ /* Return the lookup context, invalidate its id in our records */
+ acl_plugin_put_lookup_context_index (abf_alctx_per_itf[fproto]
+ [sw_if_index]);
+ abf_alctx_per_itf[fproto][sw_if_index] = ~0;
+ }
+ else
+ {
+ vec_sort_with_function (abf_per_itf[fproto][sw_if_index],
+ abf_cmp_attach_for_sort);
+ }
+
+ /* Prepare and set the list of ACLs for lookup within the context */
+ abf_setup_acl_lc (fproto, sw_if_index);
+
+ /*
+ * remove the dependency on the policy
+ */
+ fib_node_child_remove (abf_policy_fib_node_type,
+ aia->aia_abf, aia->aia_sibling);
+
+ /*
+ * remove the attahcment from the DB
+ */
+ abf_itf_attach_db_del (policy_id, sw_if_index);
+
+ /*
+ * release our locks on FIB forwarding data
+ */
+ dpo_reset (&aia->aia_dpo);
+
+ /*
+ * return the object
+ */
+ pool_put (abf_itf_attach_pool, aia);
+
+ return (0);
+}
+
+static u8 *
+format_abf_intf_attach (u8 * s, va_list * args)
+{
+ abf_itf_attach_t *aia = va_arg (*args, abf_itf_attach_t *);
+ abf_policy_t *ap;
+
+ ap = abf_policy_get (aia->aia_abf);
+ s = format (s, "abf-interface-attach: policy:%d prioity:%d",
+ ap->ap_id, aia->aia_prio);
+ s = format (s, "\n %U", format_dpo_id, &aia->aia_dpo, 2);
+
+ return (s);
+}
+
+static clib_error_t *
+abf_itf_attach_cmd (vlib_main_t * vm,
+ unformat_input_t * input, vlib_cli_command_t * cmd)
+{
+ u32 policy_id, sw_if_index;
+ fib_protocol_t fproto;
+ u32 is_del, priority;
+ vnet_main_t *vnm;
+
+ is_del = 0;
+ sw_if_index = policy_id = ~0;
+ vnm = vnet_get_main ();
+ fproto = FIB_PROTOCOL_MAX;
+ priority = 0;
+
+ while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
+ {
+ if (unformat (input, "del"))
+ is_del = 1;
+ else if (unformat (input, "add"))
+ is_del = 0;
+ else if (unformat (input, "ip4"))
+ fproto = FIB_PROTOCOL_IP4;
+ else if (unformat (input, "ip6"))
+ fproto = FIB_PROTOCOL_IP6;
+ else if (unformat (input, "policy %d", &policy_id))
+ ;
+ else if (unformat (input, "priority %d", &priority))
+ ;
+ else if (unformat (input, "%U",
+ unformat_vnet_sw_interface, vnm, &sw_if_index))
+ ;
+ else
+ return (clib_error_return (0, "unknown input '%U'",
+ format_unformat_error, input));
+ }
+
+ if (~0 == policy_id)
+ {
+ return (clib_error_return (0, "invalid policy ID:%d", policy_id));
+ }
+ if (~0 == sw_if_index)
+ {
+ return (clib_error_return (0, "invalid interface name"));
+ }
+ if (FIB_PROTOCOL_MAX == fproto)
+ {
+ return (clib_error_return (0, "Specify either ip4 or ip6"));
+ }
+
+ if (~0 == abf_policy_find (policy_id))
+ return (clib_error_return (0, "invalid policy ID:%d", policy_id));
+
+ if (is_del)
+ abf_itf_detach (fproto, policy_id, sw_if_index);
+ else
+ abf_itf_attach (fproto, policy_id, priority, sw_if_index);
+
+ return (NULL);
+}
+
+/* *INDENT-OFF* */
+/**
+ * Attach an ABF policy to an interface.
+ */
+VLIB_CLI_COMMAND (abf_itf_attach_cmd_node, static) = {
+ .path = "abf attach",
+ .function = abf_itf_attach_cmd,
+ .short_help = "abf attach <ip4|ip6> [del] policy <value> <interface>",
+ // this is not MP safe
+};
+/* *INDENT-ON* */
+
+static clib_error_t *
+abf_show_attach_cmd (vlib_main_t * vm,
+ unformat_input_t * input, vlib_cli_command_t * cmd)
+{
+ const abf_itf_attach_t *aia;
+ u32 sw_if_index, *aiai;
+ fib_protocol_t fproto;
+ vnet_main_t *vnm;
+
+ sw_if_index = ~0;
+ vnm = vnet_get_main ();
+
+ while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
+ {
+ if (unformat (input, "%U",
+ unformat_vnet_sw_interface, vnm, &sw_if_index))
+ ;
+ else
+ return (clib_error_return (0, "unknown input '%U'",
+ format_unformat_error, input));
+ }
+
+ if (~0 == sw_if_index)
+ {
+ vlib_cli_output (vm, "specify an interface");
+ }
+
+ /* *INDENT-OFF* */
+ FOR_EACH_FIB_IP_PROTOCOL(fproto)
+ {
+ if (sw_if_index < vec_len(abf_per_itf[fproto]))
+ {
+ if (vec_len(abf_per_itf[fproto][sw_if_index]))
+ vlib_cli_output(vm, "%U:", format_fib_protocol, fproto);
+
+ vec_foreach(aiai, abf_per_itf[fproto][sw_if_index])
+ {
+ aia = pool_elt_at_index(abf_itf_attach_pool, *aiai);
+ vlib_cli_output(vm, " %U", format_abf_intf_attach, aia);
+ }
+ }
+ }
+ /* *INDENT-ON* */
+ return (NULL);
+}
+
+/* *INDENT-OFF* */
+VLIB_CLI_COMMAND (abf_show_attach_cmd_node, static) = {
+ .path = "show abf attach",
+ .function = abf_show_attach_cmd,
+ .short_help = "show abf attach <interface>",
+ .is_mp_safe = 1,
+};
+/* *INDENT-ON* */
+
+void
+abf_itf_attach_walk (abf_itf_attach_walk_cb_t cb, void *ctx)
+{
+ u32 aii;
+
+ /* *INDENT-OFF* */
+ pool_foreach_index(aii, abf_itf_attach_pool,
+ ({
+ if (!cb(aii, ctx))
+ break;
+ }));
+ /* *INDENT-ON* */
+}
+
+typedef enum abf_next_t_
+{
+ ABF_NEXT_DROP,
+ ABF_N_NEXT,
+} abf_next_t;
+
+typedef struct abf_input_trace_t_
+{
+ abf_next_t next;
+ index_t index;
+} abf_input_trace_t;
+
+typedef enum
+{
+#define abf_error(n,s) ABF_ERROR_##n,
+#include "abf_error.def"
+#undef abf_error
+ ABF_N_ERROR,
+} abf_error_t;
+
+always_inline uword
+abf_input_inline (vlib_main_t * vm,
+ vlib_node_runtime_t * node,
+ vlib_frame_t * frame, fib_protocol_t fproto)
+{
+ u32 n_left_from, *from, *to_next, next_index, matches;
+
+ from = vlib_frame_vector_args (frame);
+ n_left_from = frame->n_vectors;
+ next_index = node->cached_next_index;
+ matches = 0;
+
+ while (n_left_from > 0)
+ {
+ u32 n_left_to_next;
+
+ vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
+
+ while (n_left_from > 0 && n_left_to_next > 0)
+ {
+ const u32 *attachments0;
+ const abf_itf_attach_t *aia0;
+ abf_next_t next0 = ABF_NEXT_DROP;
+ vlib_buffer_t *b0;
+ u32 bi0, sw_if_index0;
+ fa_5tuple_opaque_t fa_5tuple0;
+ u32 match_acl_index = ~0;
+ u32 match_acl_pos = ~0;
+ u32 match_rule_index = ~0;
+ u32 trace_bitmap = 0;
+ u8 action;
+
+ bi0 = from[0];
+ to_next[0] = bi0;
+ from += 1;
+ to_next += 1;
+ n_left_from -= 1;
+ n_left_to_next -= 1;
+
+ b0 = vlib_get_buffer (vm, bi0);
+ sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
+
+ ASSERT (vec_len (abf_per_itf[fproto]) > sw_if_index0);
+ attachments0 = abf_per_itf[fproto][sw_if_index0];
+
+ ASSERT (vec_len (abf_alctx_per_itf[fproto]) > sw_if_index0);
+ /*
+ * check if any of the policies attached to this interface matches.
+ */
+ u32 lc_index = abf_alctx_per_itf[fproto][sw_if_index0];
+
+ acl_plugin_fill_5tuple (lc_index, b0, (FIB_PROTOCOL_IP6 == fproto),
+ 1, 0, &fa_5tuple0);
+
+ if (acl_plugin_match_5tuple
+ (lc_index, &fa_5tuple0, (FIB_PROTOCOL_IP6 == fproto), &action,
+ &match_acl_pos, &match_acl_index, &match_rule_index,
+ &trace_bitmap))
+ {
+ /*
+ * match:
+ * follow the DPO chain
+ */
+ aia0 = abf_itf_attach_get (attachments0[match_acl_pos]);
+
+ next0 = aia0->aia_dpo.dpoi_next_node;
+ vnet_buffer (b0)->ip.adj_index[VLIB_TX] =
+ aia0->aia_dpo.dpoi_index;
+ matches++;
+ }
+ else
+ {
+ /*
+ * miss:
+ * move on down the feature arc
+ */
+ vnet_feature_next (sw_if_index0, &next0, b0);
+ }
+
+ if (PREDICT_FALSE (b0->flags & VLIB_BUFFER_IS_TRACED))
+ {
+ abf_input_trace_t *tr;
+
+ tr = vlib_add_trace (vm, node, b0, sizeof (*tr));
+ tr->next = next0;
+ tr->index = vnet_buffer (b0)->ip.adj_index[VLIB_TX];
+ }
+
+ /* verify speculative enqueue, maybe switch current next frame */
+ vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
+ to_next, n_left_to_next, bi0,
+ next0);
+ }
+
+ vlib_put_next_frame (vm, node, next_index, n_left_to_next);
+ }
+
+ vlib_node_increment_counter (vm,
+ (fproto = FIB_PROTOCOL_IP6 ?
+ abf_ip4_node.index :
+ abf_ip6_node.index),
+ ABF_ERROR_MATCHED, matches);
+
+ return frame->n_vectors;
+}
+
+static uword
+abf_input_ip4 (vlib_main_t * vm,
+ vlib_node_runtime_t * node, vlib_frame_t * frame)
+{
+ return abf_input_inline (vm, node, frame, FIB_PROTOCOL_IP4);
+}
+
+static uword
+abf_input_ip6 (vlib_main_t * vm,
+ vlib_node_runtime_t * node, vlib_frame_t * frame)
+{
+ return abf_input_inline (vm, node, frame, FIB_PROTOCOL_IP6);
+}
+
+static u8 *
+format_abf_input_trace (u8 * s, va_list * args)
+{
+ CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
+ CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
+ abf_input_trace_t *t = va_arg (*args, abf_input_trace_t *);
+
+ s = format (s, " next %d index %d", t->next, t->index);
+ return s;
+}
+
+static char *abf_error_strings[] = {
+#define abf_error(n,s) s,
+#include "abf_error.def"
+#undef abf_error
+};
+
+/* *INDENT-OFF* */
+VLIB_REGISTER_NODE (abf_ip4_node) =
+{
+ .function = abf_input_ip4,
+ .name = "abf-input-ip4",
+ .vector_size = sizeof (u32),
+ .format_trace = format_abf_input_trace,
+ .type = VLIB_NODE_TYPE_INTERNAL,
+ .n_errors = ABF_N_ERROR,
+ .error_strings = abf_error_strings,
+ .n_next_nodes = ABF_N_NEXT,
+ .next_nodes =
+ {
+ [ABF_NEXT_DROP] = "error-drop",
+ }
+};
+
+VLIB_REGISTER_NODE (abf_ip6_node) =
+{
+ .function = abf_input_ip6,
+ .name = "abf-input-ip6",
+ .vector_size = sizeof (u32),
+ .format_trace = format_abf_input_trace,
+ .type = VLIB_NODE_TYPE_INTERNAL,
+ .n_errors = 0,
+ .n_next_nodes = ABF_N_NEXT,
+
+ .next_nodes =
+ {
+ [ABF_NEXT_DROP] = "error-drop",
+ }
+};
+
+VNET_FEATURE_INIT (abf_ip4_feat, static) =
+{
+ .arc_name = "ip4-unicast",
+ .node_name = "abf-input-ip4",
+ .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"),
+};
+
+VNET_FEATURE_INIT (abf_ip6_feat, static) =
+{
+ .arc_name = "ip6-unicast",
+ .node_name = "abf-input-ip6",
+ .runs_after = VNET_FEATURES ("acl-plugin-in-ip6-fa"),
+};
+/* *INDENT-ON* */
+
+static fib_node_t *
+abf_itf_attach_get_node (fib_node_index_t index)
+{
+ abf_itf_attach_t *aia = abf_itf_attach_get (index);
+ return (&(aia->aia_node));
+}
+
+static abf_itf_attach_t *
+abf_itf_attach_get_from_node (fib_node_t * node)
+{
+ return ((abf_itf_attach_t *) (((char *) node) -
+ STRUCT_OFFSET_OF (abf_itf_attach_t,
+ aia_node)));
+}
+
+static void
+abf_itf_attach_last_lock_gone (fib_node_t * node)
+{
+ /*
+ * ABF interface attachments are leaves on the graph.
+ * we do not manage locks from children.
+ */
+}
+
+/*
+ * abf_itf_attach_back_walk_notify
+ *
+ * A back walk has reached this BIER fmask
+ */
+static fib_node_back_walk_rc_t
+abf_itf_attach_back_walk_notify (fib_node_t * node,
+ fib_node_back_walk_ctx_t * ctx)
+{
+ /*
+ * re-stack the fmask on the n-eos of the via
+ */
+ abf_itf_attach_t *aia = abf_itf_attach_get_from_node (node);
+
+ abf_itf_attach_stack (aia);
+
+ return (FIB_NODE_BACK_WALK_CONTINUE);
+}
+
+/*
+ * The BIER fmask's graph node virtual function table
+ */
+static const fib_node_vft_t abf_itf_attach_vft = {
+ .fnv_get = abf_itf_attach_get_node,
+ .fnv_last_lock = abf_itf_attach_last_lock_gone,
+ .fnv_back_walk = abf_itf_attach_back_walk_notify,
+};
+
+static clib_error_t *
+abf_itf_bond_init (vlib_main_t * vm)
+{
+ abf_itf_attach_fib_node_type =
+ fib_node_register_new_type (&abf_itf_attach_vft);
+ clib_error_t *acl_init_res = acl_plugin_exports_init ();
+ if (acl_init_res)
+ return (acl_init_res);
+
+ abf_acl_user_id =
+ acl_plugin_register_user_module ("abp plugin", "sw_if_index", NULL);
+
+ return (NULL);
+}
+
+VLIB_INIT_FUNCTION (abf_itf_bond_init);
+
+/*
+ * fd.io coding-style-patch-verification: ON
+ *
+ * Local Variables:
+ * eval: (c-set-style "gnu")
+ * End:
+ */
--- /dev/null
+/*
+ * Copyright (c) 2017 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef __ABF_ITF_ATTACH_H__
+#define __ABF_ITF_ATTACH_H__
+
+#include <plugins/abf/abf_policy.h>
+#include <vnet/fib/fib_path_list.h>
+
+/**
+ * Attachment data for an ABF policy to an interface
+ */
+typedef struct abf_itf_attach_t_
+{
+ CLIB_CACHE_LINE_ALIGN_MARK (marker);
+ /**
+ * The ACL and DPO are cached for fast DP access
+ */
+ /**
+ * ACL index to match
+ */
+ u32 aia_acl;
+
+ /**
+ * The DPO actually used for forwarding
+ */
+ dpo_id_t aia_dpo;
+
+ /**
+ * Linkage into the FIB graph
+ */
+ fib_node_t aia_node;
+
+ /**
+ * The VPP index of the ABF policy
+ */
+ u32 aia_abf;
+
+ /**
+ * Sibling index on the policy's path list
+ */
+ u32 aia_sibling;
+
+ /**
+ * The protocol for the attachment. i.e. the protocol
+ * of the packets that are being forwarded
+ */
+ fib_protocol_t aia_proto;
+
+ /**
+ * The interface for the attachment
+ */
+ u32 aia_sw_if_index;
+
+ /**
+ * The priority of this policy for attachment.
+ * The lower the value the higher the priority.
+ * The higher priority policies are matched first.
+ */
+ u32 aia_prio;
+} abf_itf_attach_t;
+
+/**
+ * Pool of ABF interface attachment objects
+ */
+extern abf_itf_attach_t *abf_itf_attach_pool;
+
+static inline abf_itf_attach_t *
+abf_itf_attach_get (u32 index)
+{
+ return (pool_elt_at_index (abf_itf_attach_pool, index));
+}
+
+extern int abf_itf_attach (fib_protocol_t fproto,
+ u32 policy_id, u32 priority, u32 sw_if_index);
+
+extern int abf_itf_detach (fib_protocol_t fproto,
+ u32 policy_id, u32 sw_if_index);
+
+typedef int (*abf_itf_attach_walk_cb_t) (index_t aii, void *ctx0);
+
+extern void abf_itf_attach_walk (abf_itf_attach_walk_cb_t cb, void *ctx);
+
+/*
+ * fd.io coding-style-patch-verification: ON
+ *
+ * Local Variables:
+ * eval: (c-set-style "gnu")
+ * End:
+ */
+
+#endif
--- /dev/null
+/*
+ * Copyright (c) 2016 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef included_abf_msg_enum_h
+#define included_abf_msg_enum_h
+
+#include <vppinfra/byte_order.h>
+
+#define vl_msg_id(n,h) n,
+typedef enum {
+#include <abf/abf_all_api_h.h>
+ /* We'll want to know how many messages IDs we need... */
+ VL_MSG_FIRST_AVAILABLE,
+} vl_msg_id_t;
+#undef vl_msg_id
+
+#endif
--- /dev/null
+/*
+ * Copyright (c) 2017 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <plugins/abf/abf_policy.h>
+
+#include <vlib/vlib.h>
+#include <vnet/plugin/plugin.h>
+#include <vpp/app/version.h>
+#include <vnet/fib/fib_path_list.h>
+#include <vnet/fib/fib_walk.h>
+
+/**
+ * FIB node type the attachment is registered
+ */
+fib_node_type_t abf_policy_fib_node_type;
+
+/**
+ * Pool of ABF objects
+ */
+static abf_policy_t *abf_policy_pool;
+
+/**
+ * DB of ABF policy objects
+ * - policy ID to index conversion.
+ */
+static uword *abf_policy_db;
+
+
+abf_policy_t *
+abf_policy_get (u32 index)
+{
+ return (pool_elt_at_index (abf_policy_pool, index));
+}
+
+static u32
+abf_policy_get_index (const abf_policy_t * abf)
+{
+ return (abf - abf_policy_pool);
+}
+
+static abf_policy_t *
+abf_policy_find_i (u32 policy_id)
+{
+ u32 api;
+
+ api = abf_policy_find (policy_id);
+
+ if (INDEX_INVALID != api)
+ return (abf_policy_get (api));
+
+ return (NULL);
+}
+
+u32
+abf_policy_find (u32 policy_id)
+{
+ uword *p;
+
+ p = hash_get (abf_policy_db, policy_id);
+
+ if (NULL != p)
+ return (p[0]);
+
+ return (INDEX_INVALID);
+}
+
+
+void
+abf_policy_update (u32 policy_id,
+ u32 acl_index, const fib_route_path_t * rpaths)
+{
+ abf_policy_t *ap;
+ u32 api;
+
+ api = abf_policy_find (policy_id);
+
+ if (INDEX_INVALID == api)
+ {
+ /*
+ * create a new policy
+ */
+ pool_get (abf_policy_pool, ap);
+
+ api = ap - abf_policy_pool;
+ fib_node_init (&ap->ap_node, abf_policy_fib_node_type);
+ ap->ap_acl = acl_index;
+ ap->ap_id = policy_id;
+ ap->ap_pl = fib_path_list_create ((FIB_PATH_LIST_FLAG_SHARED |
+ FIB_PATH_LIST_FLAG_NO_URPF), rpaths);
+
+ /*
+ * become a child of the path list so we get poked when
+ * the forwarding changes.
+ */
+ ap->ap_sibling = fib_path_list_child_add (ap->ap_pl,
+ abf_policy_fib_node_type,
+ api);
+
+ /*
+ * add this new policy to the DB
+ */
+ hash_set (abf_policy_db, policy_id, api);
+
+ /*
+ * take a lock on behalf of the CLI/API creation
+ */
+ fib_node_lock (&ap->ap_node);
+ }
+ else
+ {
+ /*
+ * update an existing policy.
+ * - add the path to the path-list and swap our ancestory
+ * - backwalk to poke all attachments to update
+ */
+ fib_node_index_t old_pl;
+
+ ap = abf_policy_get (api);
+ old_pl = ap->ap_pl;
+
+ if (FIB_NODE_INDEX_INVALID != old_pl)
+ {
+ ap->ap_pl = fib_path_list_copy_and_path_add (old_pl,
+ (FIB_PATH_LIST_FLAG_SHARED
+ |
+ FIB_PATH_LIST_FLAG_NO_URPF),
+ rpaths);
+ fib_path_list_child_remove (old_pl, ap->ap_sibling);
+ }
+ else
+ {
+ ap->ap_pl = fib_path_list_create ((FIB_PATH_LIST_FLAG_SHARED |
+ FIB_PATH_LIST_FLAG_NO_URPF),
+ rpaths);
+ }
+
+ ap->ap_sibling = fib_path_list_child_add (ap->ap_pl,
+ abf_policy_fib_node_type,
+ api);
+
+ fib_node_back_walk_ctx_t ctx = {
+ .fnbw_reason = FIB_NODE_BW_REASON_FLAG_EVALUATE,
+ };
+
+ fib_walk_sync (abf_policy_fib_node_type, api, &ctx);
+ }
+}
+
+static void
+abf_policy_destroy (abf_policy_t * ap)
+{
+ /*
+ * this ABF should not be a sibling on the path list, since
+ * that was removed when the API config went
+ */
+ ASSERT (ap->ap_sibling == ~0);
+ ASSERT (ap->ap_pl == FIB_NODE_INDEX_INVALID);
+
+ hash_unset (abf_policy_db, ap->ap_id);
+ pool_put (abf_policy_pool, ap);
+}
+
+int
+abf_policy_delete (u32 policy_id, const fib_route_path_t * rpaths)
+{
+ abf_policy_t *ap;
+ u32 api;
+
+ api = abf_policy_find (policy_id);
+
+ if (INDEX_INVALID == api)
+ {
+ /*
+ * no such policy
+ */
+ return (-1);
+ }
+ else
+ {
+ /*
+ * update an existing policy.
+ * - add the path to the path-list and swap our ancestory
+ * - backwalk to poke all attachments to update
+ */
+ fib_node_index_t old_pl;
+
+ ap = abf_policy_get (api);
+ old_pl = ap->ap_pl;
+
+ ap->ap_pl =
+ fib_path_list_copy_and_path_remove (ap->ap_pl,
+ (FIB_PATH_LIST_FLAG_SHARED |
+ FIB_PATH_LIST_FLAG_NO_URPF),
+ rpaths);
+
+ fib_path_list_child_remove (old_pl, ap->ap_sibling);
+ ap->ap_sibling = ~0;
+
+ if (FIB_NODE_INDEX_INVALID == ap->ap_pl)
+ {
+ /*
+ * no more paths on this policy. It's toast
+ * remove the CLI/API's lock
+ */
+ fib_node_unlock (&ap->ap_node);
+ }
+ else
+ {
+ ap->ap_sibling = fib_path_list_child_add (ap->ap_pl,
+ abf_policy_fib_node_type,
+ api);
+
+ fib_node_back_walk_ctx_t ctx = {
+ .fnbw_reason = FIB_NODE_BW_REASON_FLAG_EVALUATE,
+ };
+
+ fib_walk_sync (abf_policy_fib_node_type, api, &ctx);
+ }
+ }
+
+ return (0);
+}
+
+static clib_error_t *
+abf_policy_cmd (vlib_main_t * vm,
+ unformat_input_t * main_input, vlib_cli_command_t * cmd)
+{
+ unformat_input_t _line_input, *line_input = &_line_input;
+ u32 acl_index, policy_id;
+ fib_route_path_t *rpaths = NULL, rpath;
+ u32 is_del;
+
+ is_del = 0;
+ acl_index = INDEX_INVALID;
+ policy_id = INDEX_INVALID;
+
+ /* Get a line of input. */
+ if (!unformat_user (main_input, unformat_line_input, line_input))
+ return 0;
+
+ while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
+ {
+ if (unformat (line_input, "acl %d", &acl_index))
+ ;
+ else if (unformat (line_input, "id %d", &policy_id))
+ ;
+ else if (unformat (line_input, "del"))
+ is_del = 1;
+ else if (unformat (line_input, "add"))
+ is_del = 0;
+ else if (unformat (line_input, "via %U",
+ unformat_fib_route_path, &rpath))
+ vec_add1 (rpaths, rpath);
+ else
+ return (clib_error_return (0, "unknown input '%U'",
+ format_unformat_error, line_input));
+ }
+
+ if (INDEX_INVALID == policy_id)
+ {
+ vlib_cli_output (vm, "Specify a Policy ID");
+ return 0;
+ }
+
+ if (!is_del)
+ {
+ if (INDEX_INVALID == acl_index)
+ {
+ vlib_cli_output (vm, "ACL index must be set");
+ return 0;
+ }
+
+ abf_policy_update (policy_id, acl_index, rpaths);
+ }
+ else
+ {
+ abf_policy_delete (policy_id, rpaths);
+ }
+
+ unformat_free (line_input);
+ return (NULL);
+}
+
+/* *INDENT-OFF* */
+/**
+ * Create an ABF policy.
+ */
+VLIB_CLI_COMMAND (abf_policy_cmd_node, static) = {
+ .path = "abf policy",
+ .function = abf_policy_cmd,
+ .short_help = "abf policy [add|del] id <index> acl <index> via ...",
+ .is_mp_safe = 1,
+};
+/* *INDENT-ON* */
+
+static u8 *
+format_abf (u8 * s, va_list * args)
+{
+ abf_policy_t *ap = va_arg (*args, abf_policy_t *);
+
+ s = format (s, "abf:[%d]: policy:%d acl:%d",
+ ap - abf_policy_pool, ap->ap_id, ap->ap_acl);
+ s = format (s, "\n ");
+ if (FIB_NODE_INDEX_INVALID == ap->ap_pl)
+ {
+ s = format (s, "no forwarding");
+ }
+ else
+ {
+ s = fib_path_list_format (ap->ap_pl, s);
+ }
+
+ return (s);
+}
+
+void
+abf_policy_walk (abf_policy_walk_cb_t cb, void *ctx)
+{
+ u32 api;
+
+ /* *INDENT-OFF* */
+ pool_foreach_index(api, abf_policy_pool,
+ ({
+ if (!cb(api, ctx))
+ break;
+ }));
+ /* *INDENT-ON* */
+}
+
+static clib_error_t *
+abf_show_policy_cmd (vlib_main_t * vm,
+ unformat_input_t * input, vlib_cli_command_t * cmd)
+{
+ u32 policy_id;
+ abf_policy_t *ap;
+
+ policy_id = INDEX_INVALID;
+
+ while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
+ {
+ if (unformat (input, "%d", &policy_id))
+ ;
+ else
+ return (clib_error_return (0, "unknown input '%U'",
+ format_unformat_error, input));
+ }
+
+ if (INDEX_INVALID == policy_id)
+ {
+ /* *INDENT-OFF* */
+ pool_foreach(ap, abf_policy_pool,
+ ({
+ vlib_cli_output(vm, "%U", format_abf, ap);
+ }));
+ /* *INDENT-ON* */
+ }
+ else
+ {
+ ap = abf_policy_find_i (policy_id);
+
+ if (NULL != ap)
+ vlib_cli_output (vm, "%U", format_abf, ap);
+ else
+ vlib_cli_output (vm, "Invalid policy ID:%d", policy_id);
+ }
+
+ return (NULL);
+}
+
+/* *INDENT-OFF* */
+VLIB_CLI_COMMAND (abf_policy_show_policy_cmd_node, static) = {
+ .path = "show abf policy",
+ .function = abf_show_policy_cmd,
+ .short_help = "show abf policy <value>",
+ .is_mp_safe = 1,
+};
+/* *INDENT-ON* */
+
+static fib_node_t *
+abf_policy_get_node (fib_node_index_t index)
+{
+ abf_policy_t *ap = abf_policy_get (index);
+ return (&(ap->ap_node));
+}
+
+static abf_policy_t *
+abf_policy_get_from_node (fib_node_t * node)
+{
+ return ((abf_policy_t *) (((char *) node) -
+ STRUCT_OFFSET_OF (abf_policy_t, ap_node)));
+}
+
+static void
+abf_policy_last_lock_gone (fib_node_t * node)
+{
+ abf_policy_destroy (abf_policy_get_from_node (node));
+}
+
+/*
+ * A back walk has reached this ABF policy
+ */
+static fib_node_back_walk_rc_t
+abf_policy_back_walk_notify (fib_node_t * node,
+ fib_node_back_walk_ctx_t * ctx)
+{
+ /*
+ * re-stack the fmask on the n-eos of the via
+ */
+ abf_policy_t *abf = abf_policy_get_from_node (node);
+
+ /*
+ * propagate further up the graph.
+ * we can do this synchronously since the fan out is small.
+ */
+ fib_walk_sync (abf_policy_fib_node_type, abf_policy_get_index (abf), ctx);
+
+ return (FIB_NODE_BACK_WALK_CONTINUE);
+}
+
+/*
+ * The BIER fmask's graph node virtual function table
+ */
+static const fib_node_vft_t abf_policy_vft = {
+ .fnv_get = abf_policy_get_node,
+ .fnv_last_lock = abf_policy_last_lock_gone,
+ .fnv_back_walk = abf_policy_back_walk_notify,
+};
+
+static clib_error_t *
+abf_policy_init (vlib_main_t * vm)
+{
+ abf_policy_fib_node_type = fib_node_register_new_type (&abf_policy_vft);
+
+ return (NULL);
+}
+
+VLIB_INIT_FUNCTION (abf_policy_init);
+
+/* *INDENT-OFF* */
+VLIB_PLUGIN_REGISTER () = {
+ .version = VPP_BUILD_VER,
+ .description = "ACL based Forwarding",
+};
+/* *INDENT-ON* */
+
+/*
+ * fd.io coding-style-patch-verification: ON
+ *
+ * Local Variables:
+ * eval: (c-set-style "gnu")
+ * End:
+ */
--- /dev/null
+/*
+ * Copyright (c) 2017 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef __ABF_H__
+#define __ABF_H__
+
+#include <vnet/fib/fib_node.h>
+
+#define ABF_PLUGIN_VERSION_MAJOR 1
+#define ABF_PLUGIN_VERSION_MINOR 0
+
+/**
+ * An ACL based Forwading 'policy'.
+ * This comprises the ACL index to match against and the forwarding
+ * path to take if the match is successfull.
+ *
+ * ABF policies are then 'attached' to interfaces. An input feature
+ * will run through the list of policies a match will divert the packet,
+ * if all miss then we continues down the interface's feature arc
+ */
+typedef struct abf_policy_t_
+{
+ /**
+ * Linkage into the FIB graph
+ */
+ fib_node_t ap_node;
+
+ /**
+ * ACL index to match
+ */
+ u32 ap_acl;
+
+ /**
+ * The path-list describing how to forward in case of a match
+ */
+ fib_node_index_t ap_pl;
+
+ /**
+ * Sibling index on the path-list
+ */
+ u32 ap_sibling;
+
+ /**
+ * The policy ID - as configured by the client
+ */
+ u32 ap_id;
+} abf_policy_t;
+
+/**
+ * Get an ABF object from its VPP index
+ */
+extern abf_policy_t *abf_policy_get (index_t index);
+
+/**
+ * Find a ABF object from the client's policy ID
+ *
+ * @param policy_id Client's defined policy ID
+ * @return VPP's object index
+ */
+extern index_t abf_policy_find (u32 policy_id);
+
+/**
+ * The FIB node type for ABF policies
+ */
+extern fib_node_type_t abf_policy_fib_node_type;
+
+/**
+ * Create or update an ABF Policy
+ *
+ * @param policy_id User defined Policy ID
+ * @param acl_index The ACL the policy with match on
+ * @param rpaths The set of paths to add to the forwarding set
+ */
+extern void abf_policy_update (u32 policy_id,
+ u32 acl_index,
+ const fib_route_path_t * rpaths);
+
+/**
+ * Delete paths from an ABF Policy. If no more paths exist, the policy
+ * is deleted.
+ *
+ * @param policy_id User defined Policy ID
+ * @param rpaths The set of paths to forward remove
+ */
+extern int abf_policy_delete (u32 policy_id, const fib_route_path_t * rpaths);
+
+/**
+ * Callback function invoked during a walk of all policies
+ */
+typedef int (*abf_policy_walk_cb_t) (index_t index, void *ctx);
+
+/**
+ * Walk/visit each of the ABF policies
+ */
+extern void abf_policy_walk (abf_policy_walk_cb_t cb, void *ctx);
+
+
+/*
+ * fd.io coding-style-patch-verification: ON
+ *
+ * Local Variables:
+ * eval: (c-set-style "gnu")
+ * End:
+ */
+
+#endif
imported_objs = []
for o in objs:
if isinstance(o, Import):
- return objs + self.process_imports(o.result, True)
+ return self.process_imports(o.result, True) + objs
if in_import:
if isinstance(o, Define) and o.typeonly:
imported_objs.append(o)
--- /dev/null
+#!/usr/bin/env python
+
+from framework import VppTestCase, VppTestRunner
+from vpp_udp_encap import *
+from vpp_ip_route import VppIpRoute, VppRoutePath, VppIpTable, DpoProto
+
+from scapy.packet import Raw
+from scapy.layers.l2 import Ether, ARP
+from scapy.layers.inet import IP, UDP
+from scapy.layers.inet6 import IPv6
+from scapy.contrib.mpls import MPLS
+
+from vpp_object import *
+from socket import inet_pton, inet_ntop, AF_INET, AF_INET6
+
+
+def find_abf_policy(test, id):
+ policies = test.vapi.abf_policy_dump()
+ for p in policies:
+ if id == p.policy.policy_id:
+ return True
+ return False
+
+
+def find_abf_itf_attach(test, id, sw_if_index):
+ attachs = test.vapi.abf_itf_attach_dump()
+ for a in attachs:
+ if id == a.attach.policy_id and \
+ sw_if_index == a.attach.sw_if_index:
+ return True
+ return False
+
+
+class VppAbfPolicy(VppObject):
+
+ def __init__(self,
+ test,
+ policy_id,
+ acl,
+ paths):
+ self._test = test
+ self.policy_id = policy_id
+ self.acl = acl
+ self.paths = paths
+
+ def encode_paths(self):
+ br_paths = []
+ for p in self.paths:
+ lstack = []
+ for l in p.nh_labels:
+ if type(l) == VppMplsLabel:
+ lstack.append(l.encode())
+ else:
+ lstack.append({'label': l, 'ttl': 255})
+ n_labels = len(lstack)
+ while (len(lstack) < 16):
+ lstack.append({})
+ br_paths.append({'next_hop': p.nh_addr,
+ 'weight': 1,
+ 'afi': p.proto,
+ 'sw_if_index': 0xffffffff,
+ 'preference': 0,
+ 'table_id': p.nh_table_id,
+ 'next_hop_id': p.next_hop_id,
+ 'is_udp_encap': p.is_udp_encap,
+ 'n_labels': n_labels,
+ 'label_stack': lstack})
+ return br_paths
+
+ def add_vpp_config(self):
+ self._test.vapi.abf_policy_add_del(
+ 1,
+ {'policy_id': self.policy_id,
+ 'acl_index': self.acl.acl_index,
+ 'n_paths': len(self.paths),
+ 'paths': self.encode_paths()})
+ self._test.registry.register(self, self._test.logger)
+
+ def remove_vpp_config(self):
+ self._test.vapi.abf_policy_add_del(
+ 0,
+ {'policy_id': self.policy_id,
+ 'acl_index': self.acl.acl_index,
+ 'n_paths': len(self.paths),
+ 'paths': self.encode_paths()})
+
+ def query_vpp_config(self):
+ return find_abf_policy(self._test, self.policy_id)
+
+ def __str__(self):
+ return self.object_id()
+
+ def object_id(self):
+ return ("abf-policy-%d" % self.policy_id)
+
+
+class VppAbfAttach(VppObject):
+
+ def __init__(self,
+ test,
+ policy_id,
+ sw_if_index,
+ priority,
+ is_ipv6=0):
+ self._test = test
+ self.policy_id = policy_id
+ self.sw_if_index = sw_if_index
+ self.priority = priority
+ self.is_ipv6 = is_ipv6
+
+ def add_vpp_config(self):
+ self._test.vapi.abf_itf_attach_add_del(
+ 1,
+ {'policy_id': self.policy_id,
+ 'sw_if_index': self.sw_if_index,
+ 'priority': self.priority,
+ 'is_ipv6': self.is_ipv6})
+ self._test.registry.register(self, self._test.logger)
+
+ def remove_vpp_config(self):
+ self._test.vapi.abf_itf_attach_add_del(
+ 0,
+ {'policy_id': self.policy_id,
+ 'sw_if_index': self.sw_if_index,
+ 'priority': self.priority,
+ 'is_ipv6': self.is_ipv6})
+
+ def query_vpp_config(self):
+ return find_abf_itf_attach(self._test,
+ self.policy_id,
+ self.sw_if_index)
+
+ def __str__(self):
+ return self.object_id()
+
+ def object_id(self):
+ return ("abf-attach-%d-%d" % (self.policy_id, self.sw_if_index))
+
+
+class TestAbf(VppTestCase):
+ """ ABF Test Case """
+
+ def setUp(self):
+ super(TestAbf, self).setUp()
+
+ self.create_pg_interfaces(range(4))
+
+ for i in self.pg_interfaces:
+ i.admin_up()
+ i.config_ip4()
+ i.resolve_arp()
+ i.config_ip6()
+ i.resolve_ndp()
+
+ def tearDown(self):
+ for i in self.pg_interfaces:
+ i.unconfig_ip4()
+ i.unconfig_ip6()
+ i.ip6_disable()
+ i.admin_down()
+ super(TestAbf, self).tearDown()
+
+ def test_abf4(self):
+ """ IPv4 ACL Based Forwarding
+ """
+
+ #
+ # We are not testing the various matching capabilities
+ # of ACLs, that's done elsewhere. Here ware are testing
+ # the application of ACLs to a forwarding path to achieve
+ # ABF
+ # So we construct just a few ACLs to ensure the ABF policies
+ # are correclty constructed and used. And a few path types
+ # to test the API path decoding.
+ #
+
+ #
+ # Rule 1
+ #
+ rule_1 = ({'is_permit': 1,
+ 'is_ipv6': 0,
+ 'proto': 17,
+ 'srcport_or_icmptype_first': 1234,
+ 'srcport_or_icmptype_last': 1234,
+ 'src_ip_prefix_len': 32,
+ 'src_ip_addr': inet_pton(AF_INET, "1.1.1.1"),
+ 'dstport_or_icmpcode_first': 1234,
+ 'dstport_or_icmpcode_last': 1234,
+ 'dst_ip_prefix_len': 32,
+ 'dst_ip_addr': inet_pton(AF_INET, "1.1.1.2")})
+ acl_1 = self.vapi.acl_add_replace(acl_index=4294967295, r=[rule_1])
+
+ #
+ # ABF policy for ACL 1 - path via interface 1
+ #
+ abf_1 = VppAbfPolicy(self, 10, acl_1,
+ [VppRoutePath(self.pg1.remote_ip4,
+ self.pg1.sw_if_index)])
+ abf_1.add_vpp_config()
+
+ #
+ # Attach the policy to input interface Pg0
+ #
+ attach_1 = VppAbfAttach(self, 10, self.pg0.sw_if_index, 50)
+ attach_1.add_vpp_config()
+
+ #
+ # fire in packet matching the ACL src,dst. If it's forwarded
+ # then the ABF was successful, since default routing will drop it
+ #
+ p_1 = (Ether(src=self.pg0.remote_mac,
+ dst=self.pg0.local_mac) /
+ IP(src="1.1.1.1", dst="1.1.1.2") /
+ UDP(sport=1234, dport=1234) /
+ Raw('\xa5' * 100))
+ self.send_and_expect(self.pg0, p_1*65, self.pg1)
+
+ #
+ # Attach a 'better' priority policy to the same interface
+ #
+ abf_2 = VppAbfPolicy(self, 11, acl_1,
+ [VppRoutePath(self.pg2.remote_ip4,
+ self.pg2.sw_if_index)])
+ abf_2.add_vpp_config()
+ attach_2 = VppAbfAttach(self, 11, self.pg0.sw_if_index, 40)
+ attach_2.add_vpp_config()
+
+ self.send_and_expect(self.pg0, p_1*65, self.pg2)
+
+ #
+ # Attach a policy with priority in the middle
+ #
+ abf_3 = VppAbfPolicy(self, 12, acl_1,
+ [VppRoutePath(self.pg3.remote_ip4,
+ self.pg3.sw_if_index)])
+ abf_3.add_vpp_config()
+ attach_3 = VppAbfAttach(self, 12, self.pg0.sw_if_index, 45)
+ attach_3.add_vpp_config()
+
+ self.send_and_expect(self.pg0, p_1*65, self.pg2)
+
+ #
+ # remove the best priority
+ #
+ attach_2.remove_vpp_config()
+ self.send_and_expect(self.pg0, p_1*65, self.pg3)
+
+ #
+ # Attach one of the same policies to Pg1
+ #
+ attach_4 = VppAbfAttach(self, 12, self.pg1.sw_if_index, 45)
+ attach_4.add_vpp_config()
+
+ p_2 = (Ether(src=self.pg1.remote_mac,
+ dst=self.pg1.local_mac) /
+ IP(src="1.1.1.1", dst="1.1.1.2") /
+ UDP(sport=1234, dport=1234) /
+ Raw('\xa5' * 100))
+ self.send_and_expect(self.pg1, p_2 * 65, self.pg3)
+
+ #
+ # detach the policy from PG1, now expect traffic to be dropped
+ #
+ attach_4.remove_vpp_config()
+
+ self.send_and_assert_no_replies(self.pg1, p_2 * 65, "Detached")
+
+ def test_abf6(self):
+ """ IPv6 ACL Based Forwarding
+ """
+
+ #
+ # Simple test for matching IPv6 packets
+ #
+
+ #
+ # Rule 1
+ #
+ rule_1 = ({'is_permit': 1,
+ 'is_ipv6': 1,
+ 'proto': 17,
+ 'srcport_or_icmptype_first': 1234,
+ 'srcport_or_icmptype_last': 1234,
+ 'src_ip_prefix_len': 128,
+ 'src_ip_addr': inet_pton(AF_INET6, "2001::2"),
+ 'dstport_or_icmpcode_first': 1234,
+ 'dstport_or_icmpcode_last': 1234,
+ 'dst_ip_prefix_len': 128,
+ 'dst_ip_addr': inet_pton(AF_INET6, "2001::1")})
+ acl_1 = self.vapi.acl_add_replace(acl_index=4294967295,
+ r=[rule_1])
+
+ #
+ # ABF policy for ACL 1 - path via interface 1
+ #
+ abf_1 = VppAbfPolicy(self, 10, acl_1,
+ [VppRoutePath("3001::1",
+ 0xffffffff,
+ proto=DpoProto.DPO_PROTO_IP6)])
+ abf_1.add_vpp_config()
+
+ attach_1 = VppAbfAttach(self, 10, self.pg0.sw_if_index,
+ 45, is_ipv6=True)
+ attach_1.add_vpp_config()
+
+ #
+ # a packet matching the rule
+ #
+ p = (Ether(src=self.pg0.remote_mac,
+ dst=self.pg0.local_mac) /
+ IPv6(src="2001::2", dst="2001::1") /
+ UDP(sport=1234, dport=1234) /
+ Raw('\xa5' * 100))
+
+ #
+ # packets are dropped because there is no route to the policy's
+ # next hop
+ #
+ self.send_and_assert_no_replies(self.pg1, p * 65, "no route")
+
+ #
+ # add a route resolving the next-hop
+ #
+ route = VppIpRoute(self, "3001::1", 32,
+ [VppRoutePath(self.pg1.remote_ip6,
+ self.pg1.sw_if_index,
+ proto=DpoProto.DPO_PROTO_IP6)],
+ is_ip6=1)
+ route.add_vpp_config()
+
+ #
+ # now expect packets forwarded.
+ #
+ self.send_and_expect(self.pg0, p * 65, self.pg1)
+
+
+if __name__ == '__main__':
+ unittest.main(testRunner=VppTestRunner)
"""
return self.api(self.papi.sw_interface_vhost_user_dump,
{})
+
+ def abf_policy_add_del(self, is_add, policy):
+ return self.api(
+ self.papi.abf_policy_add_del,
+ {'is_add': is_add,
+ 'policy': policy})
+
+ def abf_itf_attach_add_del(self, is_add, attach):
+ return self.api(
+ self.papi.abf_itf_attach_add_del,
+ {'is_add': is_add,
+ 'attach': attach})
+
+ def abf_policy_dump(self):
+ return self.api(
+ self.papi.abf_policy_dump, {})
+
+ def abf_itf_attach_dump(self):
+ return self.api(
+ self.papi.abf_itf_attach_dump, {})
+#!/usr/bin/env python
"""
UDP encap objects
"""
Code Review / vpp.git / commitdiff