From 669d07dc016757b856e1014a415996cf9f0ebc58 Mon Sep 17 00:00:00 2001 From: Andrew Yourtchenko Date: Fri, 17 Nov 2017 14:38:18 +0100 Subject: [PATCH] ACL based forwarding A poor man's flow switching or policy based rounting. An ACL is used to match packets and is associated with a [set of] forwarding paths that determine how to forward matched packets - collectively this association is a 'policy'. Policies are then 'attached', in a priority order, to an interface when thaey are encountered as an input feature. If a packet matches no policies it is forwarded normally in the IP FIB. This commit is used to test the "ACL-as-a-service" functionality, which currently compiles, and the existing traffic ACL tests pass in both hash and linear modes. Change-Id: I0b274ec9f2e645352fa898b43eb54c457e195964 Signed-off-by: Neale Ranns Signed-off-by: Andrew Yourtchenko Signed-off-by: Ole Troan --- src/configure.ac | 1 + src/plugins/Makefile.am | 4 + src/plugins/abf.am | 28 ++ src/plugins/abf/abf.api | 131 +++++++ src/plugins/abf/abf_all_api_h.h | 16 + src/plugins/abf/abf_api.c | 327 +++++++++++++++++ src/plugins/abf/abf_error.def | 19 + src/plugins/abf/abf_itf_attach.c | 758 +++++++++++++++++++++++++++++++++++++++ src/plugins/abf/abf_itf_attach.h | 104 ++++++ src/plugins/abf/abf_msg_enum.h | 28 ++ src/plugins/abf/abf_policy.c | 464 ++++++++++++++++++++++++ src/plugins/abf/abf_policy.h | 118 ++++++ src/tools/vppapigen/vppapigen.py | 2 +- test/test_abf.py | 338 +++++++++++++++++ test/vpp_papi_provider.py | 20 ++ test/vpp_udp_encap.py | 1 + 16 files changed, 2358 insertions(+), 1 deletion(-) create mode 100644 src/plugins/abf.am create mode 100644 src/plugins/abf/abf.api create mode 100644 src/plugins/abf/abf_all_api_h.h create mode 100644 src/plugins/abf/abf_api.c create mode 100644 src/plugins/abf/abf_error.def create mode 100644 src/plugins/abf/abf_itf_attach.c create mode 100644 src/plugins/abf/abf_itf_attach.h create mode 100644 src/plugins/abf/abf_msg_enum.h create mode 100644 src/plugins/abf/abf_policy.c create mode 100644 src/plugins/abf/abf_policy.h create mode 100644 test/test_abf.py diff --git a/src/configure.ac b/src/configure.ac index 4a4cde4419c..e408afcb056 100644 --- a/src/configure.ac +++ b/src/configure.ac @@ -218,6 +218,7 @@ AC_SUBST(AR_FLAGS) ############################################################################### # Please keep alphabetical order +PLUGIN_ENABLED(abf) PLUGIN_ENABLED(acl) PLUGIN_ENABLED(avf) PLUGIN_ENABLED(cdp) diff --git a/src/plugins/Makefile.am b/src/plugins/Makefile.am index d87d74f8402..825021d69c3 100644 --- a/src/plugins/Makefile.am +++ b/src/plugins/Makefile.am @@ -30,6 +30,10 @@ nobase_include_HEADERS = vppapitestpluginsdir = ${libdir}/vpp_api_test_plugins vpppluginsdir = ${libdir}/vpp_plugins +if ENABLE_ABF_PLUGIN +include abf.am +endif + if ENABLE_ACL_PLUGIN include acl.am endif diff --git a/src/plugins/abf.am b/src/plugins/abf.am new file mode 100644 index 00000000000..6aef71441f3 --- /dev/null +++ b/src/plugins/abf.am @@ -0,0 +1,28 @@ +# Copyright (c) 2016 Cisco and/or its affiliates. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +vppplugins_LTLIBRARIES += abf_plugin.la + +abf_plugin_la_SOURCES = \ + abf/abf_policy.c \ + abf/abf_api.c \ + abf/abf_itf_attach.c + +API_FILES += abf/abf.api + +nobase_apiinclude_HEADERS += \ + abf/abf_all_api_h.h \ + abf/abf_msg_enum.h \ + abf/abf.api.h + +# vi:syntax=automake diff --git a/src/plugins/abf/abf.api b/src/plugins/abf/abf.api new file mode 100644 index 00000000000..6716dce562f --- /dev/null +++ b/src/plugins/abf/abf.api @@ -0,0 +1,131 @@ +/* Hey Emacs use -*- mode: C -*- */ +/* + * Copyright (c) 2016 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/** \file + This file defines the vpp control-plane API messages + used to control the ABF plugin +*/ + +option version = "1.0.0"; +import "vnet/fib/fib_types.api"; + +/** \brief Get the plugin version + @param client_index - opaque cookie to identify the sender + @param context - sender context, to match reply w/ request +*/ +define abf_plugin_get_version +{ + u32 client_index; + u32 context; +}; + +/** \brief Reply to get the plugin version + @param context - returned sender context, to match reply w/ request + @param major - Incremented every time a known breaking behavior change is introduced + @param minor - Incremented with small changes, may be used to avoid buggy versions +*/ +define abf_plugin_get_version_reply +{ + u32 context; + u32 major; + u32 minor; +}; + +/** \brief A description of an ABF policy + @param policy_id User chosen Identifier for the policy + @param acl_index The ACL that the policy will match against + @param n_paths Number of paths + @param paths The set of forwarding paths that are being added or removed. + */ +typeonly define abf_policy +{ + u32 policy_id; + u32 acl_index; + u8 n_paths; + vl_api_fib_path_t paths[n_paths]; +}; + +/** \brief A description of an ABF policy + @param is_add Is this the addition or removal of paths from the policy + If the policy does not exist it is created. If the last path + Is being removed, the policy is deleted + @param policy The policy + */ +autoreply define abf_policy_add_del +{ + u32 client_index; + u32 context; + u8 is_add; + vl_api_abf_policy_t policy; +}; + +/** \brief Policy description returned in the dump + */ +define abf_policy_details +{ + u32 context; + vl_api_abf_policy_t policy; +}; + +/** \brief Dump all ABF policies + */ +define abf_policy_dump +{ + u32 client_index; + u32 context; +}; + +/** \brief A description of a policy attachment to an interface + @param The policy ID to attach + @param sw_if_index The interface to attach to + @param priority The priority of the attachment, w.r.t. to other attachments + on this interface. lower value is 'better' + @param is_ipv6 Does this attachment apply to IPv6 packets (or IPv4) +*/ +typeonly define abf_itf_attach +{ + u32 policy_id; + u32 sw_if_index; + u32 priority; + u8 is_ipv6; +}; + +/** \brief Add or delete a policy attachment to an interface + */ +autoreply define abf_itf_attach_add_del +{ + u32 client_index; + u32 context; + u8 is_add; + vl_api_abf_itf_attach_t attach; +}; + +/** \brief Attachment details from a dump + */ +define abf_itf_attach_details +{ + u32 context; + vl_api_abf_itf_attach_t attach; +}; + +/** \brief Dump all the policy attachments + */ +define abf_itf_attach_dump +{ + u32 client_index; + u32 context; +}; + diff --git a/src/plugins/abf/abf_all_api_h.h b/src/plugins/abf/abf_all_api_h.h new file mode 100644 index 00000000000..146896491ee --- /dev/null +++ b/src/plugins/abf/abf_all_api_h.h @@ -0,0 +1,16 @@ +/* + * Copyright (c) 2017 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +/* Include the generated file, see BUILT_SOURCES in Makefile.am */ +#include diff --git a/src/plugins/abf/abf_api.c b/src/plugins/abf/abf_api.c new file mode 100644 index 00000000000..55f43e626ad --- /dev/null +++ b/src/plugins/abf/abf_api.c @@ -0,0 +1,327 @@ +/* + * Copyright (c) 2016 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include + +#include +#include +#include +#include +#include +#include +#include + +#include + +#include +#include + +/* define message IDs */ +#include + +/* define message structures */ +#define vl_typedefs +#include +#undef vl_typedefs + +/* define generated endian-swappers */ +#define vl_endianfun +#include +#undef vl_endianfun + +/* instantiate all the print functions we know about */ +#define vl_print(handle, ...) vlib_cli_output (handle, __VA_ARGS__) +#define vl_printfun +#include +#undef vl_printfun + +/* Get the API version number */ +#define vl_api_version(n,v) static u32 api_version=(v); +#include +#undef vl_api_version + +/** + * Base message ID fot the plugin + */ +static u32 abf_base_msg_id; + +#include + +/* List of message types that this plugin understands */ + +#define foreach_abf_plugin_api_msg \ +_(ABF_PLUGIN_GET_VERSION, abf_plugin_get_version) \ +_(ABF_POLICY_ADD_DEL, abf_policy_add_del) \ +_(ABF_POLICY_DUMP, abf_policy_dump) \ +_(ABF_ITF_ATTACH_ADD_DEL, abf_itf_attach_add_del) \ +_(ABF_ITF_ATTACH_DUMP, abf_itf_attach_dump) + +static void +vl_api_abf_plugin_get_version_t_handler (vl_api_abf_plugin_get_version_t * mp) +{ + vl_api_abf_plugin_get_version_reply_t *rmp; + int msg_size = sizeof (*rmp); + unix_shared_memory_queue_t *q; + + q = vl_api_client_index_to_input_queue (mp->client_index); + if (q == 0) + { + return; + } + + rmp = vl_msg_api_alloc (msg_size); + memset (rmp, 0, msg_size); + rmp->_vl_msg_id = + ntohs (VL_API_ABF_PLUGIN_GET_VERSION_REPLY + abf_base_msg_id); + rmp->context = mp->context; + rmp->major = htonl (ABF_PLUGIN_VERSION_MAJOR); + rmp->minor = htonl (ABF_PLUGIN_VERSION_MINOR); + + vl_msg_api_send_shmem (q, (u8 *) & rmp); +} + +static void +vl_api_abf_policy_add_del_t_handler (vl_api_abf_policy_add_del_t * mp) +{ + vl_api_abf_policy_add_del_reply_t *rmp; + fib_route_path_t *paths = NULL, *path; + int rv = 0; + u8 pi; + + vec_validate (paths, mp->policy.n_paths - 1); + + for (pi = 0; pi < mp->policy.n_paths; pi++) + { + path = &paths[pi]; + rv = fib_path_api_parse (&mp->policy.paths[pi], path); + + if (0 != rv) + { + goto done; + } + } + + if (mp->is_add) + { + abf_policy_update (ntohl (mp->policy.policy_id), + ntohl (mp->policy.acl_index), paths); + } + else + { + abf_policy_delete (ntohl (mp->policy.policy_id), paths); + } +done: + vec_free (paths); + + REPLY_MACRO (VL_API_ABF_POLICY_ADD_DEL_REPLY + abf_base_msg_id); +} + +static void +vl_api_abf_itf_attach_add_del_t_handler (vl_api_abf_itf_attach_add_del_t * mp) +{ + vl_api_abf_itf_attach_add_del_reply_t *rmp; + fib_protocol_t fproto = (mp->attach.is_ipv6 ? + FIB_PROTOCOL_IP6 : FIB_PROTOCOL_IP4); + int rv = 0; + + if (mp->is_add) + { + abf_itf_attach (fproto, + ntohl (mp->attach.policy_id), + ntohl (mp->attach.priority), + ntohl (mp->attach.sw_if_index)); + } + else + { + abf_itf_detach (fproto, + ntohl (mp->attach.policy_id), + ntohl (mp->attach.sw_if_index)); + } + + REPLY_MACRO (VL_API_ABF_ITF_ATTACH_ADD_DEL_REPLY + abf_base_msg_id); +} + +typedef struct abf_dump_walk_ctx_t_ +{ + unix_shared_memory_queue_t *q; + u32 context; +} abf_dump_walk_ctx_t; + +static int +abf_policy_send_details (u32 api, void *args) +{ + fib_route_path_encode_t *api_rpaths = NULL, *api_rpath; + vl_api_abf_policy_details_t *mp; + abf_dump_walk_ctx_t *ctx; + vl_api_fib_path_t *fp; + size_t msg_size; + abf_policy_t *ap; + u8 n_paths; + + ctx = args; + ap = abf_policy_get (api); + n_paths = fib_path_list_get_n_paths (ap->ap_pl); + msg_size = sizeof (*mp) + sizeof (mp->policy.paths[0]) * n_paths; + + mp = vl_msg_api_alloc (msg_size); + memset (mp, 0, msg_size); + mp->_vl_msg_id = ntohs (VL_API_ABF_POLICY_DETAILS + abf_base_msg_id); + + /* fill in the message */ + mp->context = ctx->context; + mp->policy.n_paths = n_paths; + mp->policy.acl_index = htonl (ap->ap_acl); + mp->policy.policy_id = htonl (ap->ap_id); + + fib_path_list_walk (ap->ap_pl, fib_path_encode, &api_rpaths); + + fp = mp->policy.paths; + vec_foreach (api_rpath, api_rpaths) + { + fib_api_path_encode (api_rpath, fp); + fp++; + } + + vl_msg_api_send_shmem (ctx->q, (u8 *) & mp); + + return (1); +} + +static void +vl_api_abf_policy_dump_t_handler (vl_api_abf_policy_dump_t * mp) +{ + unix_shared_memory_queue_t *q; + + q = vl_api_client_index_to_input_queue (mp->client_index); + if (q == 0) + { + return; + } + + abf_dump_walk_ctx_t ctx = { + .q = q, + .context = mp->context, + }; + + abf_policy_walk (abf_policy_send_details, &ctx); +} + +static int +abf_itf_attach_send_details (u32 aiai, void *args) +{ + vl_api_abf_itf_attach_details_t *mp; + abf_dump_walk_ctx_t *ctx; + abf_itf_attach_t *aia; + abf_policy_t *ap; + + ctx = args; + aia = abf_itf_attach_get (aiai); + ap = abf_policy_get (aia->aia_abf); + + mp = vl_msg_api_alloc (sizeof (*mp)); + mp->_vl_msg_id = ntohs (VL_API_ABF_ITF_ATTACH_DETAILS + abf_base_msg_id); + + mp->context = ctx->context; + mp->attach.policy_id = htonl (ap->ap_id); + mp->attach.sw_if_index = htonl (aia->aia_sw_if_index); + mp->attach.priority = htonl (aia->aia_prio); + mp->attach.is_ipv6 = (aia->aia_proto == FIB_PROTOCOL_IP6); + + vl_msg_api_send_shmem (ctx->q, (u8 *) & mp); + + return (1); +} + +static void +vl_api_abf_itf_attach_dump_t_handler (vl_api_abf_itf_attach_dump_t * mp) +{ + unix_shared_memory_queue_t *q; + + q = vl_api_client_index_to_input_queue (mp->client_index); + if (q == 0) + { + return; + } + + abf_dump_walk_ctx_t ctx = { + .q = q, + .context = mp->context, + }; + + abf_itf_attach_walk (abf_itf_attach_send_details, &ctx); +} + +#define vl_msg_name_crc_list +#include +#undef vl_msg_name_crc_list + +/* Set up the API message handling tables */ +static clib_error_t * +abf_plugin_api_hookup (vlib_main_t * vm) +{ +#define _(N,n) \ + vl_msg_api_set_handlers((VL_API_##N + abf_base_msg_id), \ + #n, \ + vl_api_##n##_t_handler, \ + vl_noop_handler, \ + vl_api_##n##_t_endian, \ + vl_api_##n##_t_print, \ + sizeof(vl_api_##n##_t), 1); + foreach_abf_plugin_api_msg; +#undef _ + + return 0; +} + +static void +setup_message_id_table (api_main_t * apim) +{ +#define _(id,n,crc) \ + vl_msg_api_add_msg_name_crc (apim, #n "_" #crc, id + abf_base_msg_id); + foreach_vl_msg_name_crc_abf; +#undef _ +} + +static clib_error_t * +abf_api_init (vlib_main_t * vm) +{ + clib_error_t *error = 0; + + u8 *name = format (0, "abf_%08x%c", api_version, 0); + + /* Ask for a correctly-sized block of API message decode slots */ + abf_base_msg_id = vl_msg_api_get_msg_ids ((char *) name, + VL_MSG_FIRST_AVAILABLE); + + error = abf_plugin_api_hookup (vm); + + /* Add our API messages to the global name_crc hash table */ + setup_message_id_table (&api_main); + + vec_free (name); + + return error; +} + +VLIB_INIT_FUNCTION (abf_api_init); + + +/* + * fd.io coding-style-patch-verification: ON + * + * Local Variables: + * eval: (c-set-style "gnu") + * End: + */ diff --git a/src/plugins/abf/abf_error.def b/src/plugins/abf/abf_error.def new file mode 100644 index 00000000000..71e798beb71 --- /dev/null +++ b/src/plugins/abf/abf_error.def @@ -0,0 +1,19 @@ +/* + * abf_error.def: ABF errors + * + * Copyright (c) 2012 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +abf_error (NONE, "no match") +abf_error (MATCHED, "matched") diff --git a/src/plugins/abf/abf_itf_attach.c b/src/plugins/abf/abf_itf_attach.c new file mode 100644 index 00000000000..2e30db9d12f --- /dev/null +++ b/src/plugins/abf/abf_itf_attach.c @@ -0,0 +1,758 @@ +/* + * Copyright (c) 2017 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include +#include +#include + +/** + * Forward declarations; + */ +extern vlib_node_registration_t abf_ip4_node; +extern vlib_node_registration_t abf_ip6_node; + +/** + * FIB node registered type for the bonds + */ +static fib_node_type_t abf_itf_attach_fib_node_type; + +/** + * Pool of ABF interface attachment objects + */ +abf_itf_attach_t *abf_itf_attach_pool; + +/** + * A per interface vector of attached policies. used in the data-plane + */ +static u32 **abf_per_itf[FIB_PROTOCOL_MAX]; + +/** + * Per interface values of ACL lookup context IDs. used in the data-plane + */ +static u32 *abf_alctx_per_itf[FIB_PROTOCOL_MAX]; + +/** + * ABF ACL module user id returned during the initialization + */ +static u32 abf_acl_user_id; + +/** + * A DB of attachments; key={abf_index,sw_if_index} + */ +static uword *abf_itf_attach_db; + +static u64 +abf_itf_attach_mk_key (u32 abf_index, u32 sw_if_index) +{ + u64 key; + + key = abf_index; + key = key << 32; + key |= sw_if_index; + + return (key); +} + +static abf_itf_attach_t * +abf_itf_attach_db_find (u32 abf_index, u32 sw_if_index) +{ + uword *p; + u64 key; + + key = abf_itf_attach_mk_key (abf_index, sw_if_index); + + p = hash_get (abf_itf_attach_db, key); + + if (NULL != p) + return (pool_elt_at_index (abf_itf_attach_pool, p[0])); + + return (NULL); +} + +static void +abf_itf_attach_db_add (u32 abf_index, u32 sw_if_index, abf_itf_attach_t * aia) +{ + u64 key; + + key = abf_itf_attach_mk_key (abf_index, sw_if_index); + + hash_set (abf_itf_attach_db, key, aia - abf_itf_attach_pool); +} + +static void +abf_itf_attach_db_del (u32 abf_index, u32 sw_if_index) +{ + u64 key; + + key = abf_itf_attach_mk_key (abf_index, sw_if_index); + + hash_unset (abf_itf_attach_db, key); +} + +static void +abf_itf_attach_stack (abf_itf_attach_t * aia) +{ + /* + * stack the DPO on the forwarding contributed by the path-list + */ + dpo_id_t via_dpo = DPO_INVALID; + abf_policy_t *ap; + + ap = abf_policy_get (aia->aia_abf); + + fib_path_list_contribute_forwarding (ap->ap_pl, + (FIB_PROTOCOL_IP4 == aia->aia_proto ? + FIB_FORW_CHAIN_TYPE_UNICAST_IP4 : + FIB_FORW_CHAIN_TYPE_UNICAST_IP6), + FIB_PATH_LIST_FWD_FLAG_COLLAPSE, + &via_dpo); + + dpo_stack_from_node ((FIB_PROTOCOL_IP4 == aia->aia_proto ? + abf_ip4_node.index : + abf_ip6_node.index), &aia->aia_dpo, &via_dpo); + dpo_reset (&via_dpo); +} + +static int +abf_cmp_attach_for_sort (void *v1, void *v2) +{ + const abf_itf_attach_t *aia1; + const abf_itf_attach_t *aia2; + + aia1 = abf_itf_attach_get (*(u32 *) v1); + aia2 = abf_itf_attach_get (*(u32 *) v2); + + return (aia1->aia_prio - aia2->aia_prio); +} + +void +abf_setup_acl_lc (fib_protocol_t fproto, u32 sw_if_index) +{ + u32 *acl_vec = 0; + u32 *aiai; + abf_itf_attach_t *aia; + + if (~0 == abf_alctx_per_itf[fproto][sw_if_index]) + return; + + vec_foreach (aiai, abf_per_itf[fproto][sw_if_index]) + { + aia = abf_itf_attach_get (*aiai); + vec_add1 (acl_vec, aia->aia_acl); + } + acl_plugin_set_acl_vec_for_context (abf_alctx_per_itf[fproto][sw_if_index], + acl_vec); + vec_free (acl_vec); +} + +int +abf_itf_attach (fib_protocol_t fproto, + u32 policy_id, u32 priority, u32 sw_if_index) +{ + abf_itf_attach_t *aia; + abf_policy_t *ap; + u32 api, aiai; + + api = abf_policy_find (policy_id); + + ASSERT (INDEX_INVALID != api); + ap = abf_policy_get (api); + + /* + * check this is not a duplicate + */ + aia = abf_itf_attach_db_find (policy_id, sw_if_index); + + if (NULL != aia) + return (VNET_API_ERROR_ENTRY_ALREADY_EXISTS); + + /* + * construt a new attachemnt object + */ + pool_get (abf_itf_attach_pool, aia); + + fib_node_init (&aia->aia_node, abf_itf_attach_fib_node_type); + aia->aia_prio = priority; + aia->aia_proto = fproto; + aia->aia_acl = ap->ap_acl; + aia->aia_abf = api; + aia->aia_sw_if_index = sw_if_index; + aiai = aia - abf_itf_attach_pool; + abf_itf_attach_db_add (policy_id, sw_if_index, aia); + + /* + * stack the DPO on the forwarding contributed by the path-list + */ + abf_itf_attach_stack (aia); + + /* + * Insert the policy on the interfaces list. + */ + vec_validate_init_empty (abf_per_itf[fproto], sw_if_index, NULL); + vec_add1 (abf_per_itf[fproto][sw_if_index], aia - abf_itf_attach_pool); + if (1 == vec_len (abf_per_itf[fproto][sw_if_index])) + { + /* + * when enabling the first ABF polciy on the interface + * we need to enable the interface input feature + */ + vnet_feature_enable_disable ((FIB_PROTOCOL_IP4 == fproto ? + "ip4-unicast" : + "ip6-unicast"), + (FIB_PROTOCOL_IP4 == fproto ? + "abf-input-ip4" : + "abf-input-ip6"), + sw_if_index, 1, NULL, 0); + + /* if this is the first ABF policy, we need to acquire an ACL lookup context */ + vec_validate_init_empty (abf_alctx_per_itf[fproto], sw_if_index, ~0); + abf_alctx_per_itf[fproto][sw_if_index] = + acl_plugin_get_lookup_context_index (abf_acl_user_id, sw_if_index, 0); + } + else + { + vec_sort_with_function (abf_per_itf[fproto][sw_if_index], + abf_cmp_attach_for_sort); + } + + /* Prepare and set the list of ACLs for lookup within the context */ + abf_setup_acl_lc (fproto, sw_if_index); + + /* + * become a child of the ABF poilcy so we are notified when + * its forwarding changes. + */ + aia->aia_sibling = fib_node_child_add (abf_policy_fib_node_type, + api, + abf_itf_attach_fib_node_type, aiai); + + return (0); +} + +int +abf_itf_detach (fib_protocol_t fproto, u32 policy_id, u32 sw_if_index) +{ + abf_itf_attach_t *aia; + u32 index; + + /* + * check this is a valid attahment + */ + aia = abf_itf_attach_db_find (policy_id, sw_if_index); + + if (NULL == aia) + return (VNET_API_ERROR_ENTRY_ALREADY_EXISTS); + + /* + * first remove from the interface's vecotr + */ + ASSERT (abf_per_itf[fproto]); + ASSERT (abf_per_itf[fproto][sw_if_index]); + + index = vec_search (abf_per_itf[fproto][sw_if_index], + aia - abf_itf_attach_pool); + + ASSERT (index != ~0); + vec_del1 (abf_per_itf[fproto][sw_if_index], index); + + if (0 == vec_len (abf_per_itf[fproto][sw_if_index])) + { + /* + * when deleting the last ABF polciy on the interface + * we need to disable the interface input feature + */ + vnet_feature_enable_disable ((FIB_PROTOCOL_IP4 == fproto ? + "ip4-unicast" : + "ip6-unicast"), + (FIB_PROTOCOL_IP4 == fproto ? + "abf-input-ip4" : + "abf-input-ip6"), + sw_if_index, 0, NULL, 0); + + /* Return the lookup context, invalidate its id in our records */ + acl_plugin_put_lookup_context_index (abf_alctx_per_itf[fproto] + [sw_if_index]); + abf_alctx_per_itf[fproto][sw_if_index] = ~0; + } + else + { + vec_sort_with_function (abf_per_itf[fproto][sw_if_index], + abf_cmp_attach_for_sort); + } + + /* Prepare and set the list of ACLs for lookup within the context */ + abf_setup_acl_lc (fproto, sw_if_index); + + /* + * remove the dependency on the policy + */ + fib_node_child_remove (abf_policy_fib_node_type, + aia->aia_abf, aia->aia_sibling); + + /* + * remove the attahcment from the DB + */ + abf_itf_attach_db_del (policy_id, sw_if_index); + + /* + * release our locks on FIB forwarding data + */ + dpo_reset (&aia->aia_dpo); + + /* + * return the object + */ + pool_put (abf_itf_attach_pool, aia); + + return (0); +} + +static u8 * +format_abf_intf_attach (u8 * s, va_list * args) +{ + abf_itf_attach_t *aia = va_arg (*args, abf_itf_attach_t *); + abf_policy_t *ap; + + ap = abf_policy_get (aia->aia_abf); + s = format (s, "abf-interface-attach: policy:%d prioity:%d", + ap->ap_id, aia->aia_prio); + s = format (s, "\n %U", format_dpo_id, &aia->aia_dpo, 2); + + return (s); +} + +static clib_error_t * +abf_itf_attach_cmd (vlib_main_t * vm, + unformat_input_t * input, vlib_cli_command_t * cmd) +{ + u32 policy_id, sw_if_index; + fib_protocol_t fproto; + u32 is_del, priority; + vnet_main_t *vnm; + + is_del = 0; + sw_if_index = policy_id = ~0; + vnm = vnet_get_main (); + fproto = FIB_PROTOCOL_MAX; + priority = 0; + + while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT) + { + if (unformat (input, "del")) + is_del = 1; + else if (unformat (input, "add")) + is_del = 0; + else if (unformat (input, "ip4")) + fproto = FIB_PROTOCOL_IP4; + else if (unformat (input, "ip6")) + fproto = FIB_PROTOCOL_IP6; + else if (unformat (input, "policy %d", &policy_id)) + ; + else if (unformat (input, "priority %d", &priority)) + ; + else if (unformat (input, "%U", + unformat_vnet_sw_interface, vnm, &sw_if_index)) + ; + else + return (clib_error_return (0, "unknown input '%U'", + format_unformat_error, input)); + } + + if (~0 == policy_id) + { + return (clib_error_return (0, "invalid policy ID:%d", policy_id)); + } + if (~0 == sw_if_index) + { + return (clib_error_return (0, "invalid interface name")); + } + if (FIB_PROTOCOL_MAX == fproto) + { + return (clib_error_return (0, "Specify either ip4 or ip6")); + } + + if (~0 == abf_policy_find (policy_id)) + return (clib_error_return (0, "invalid policy ID:%d", policy_id)); + + if (is_del) + abf_itf_detach (fproto, policy_id, sw_if_index); + else + abf_itf_attach (fproto, policy_id, priority, sw_if_index); + + return (NULL); +} + +/* *INDENT-OFF* */ +/** + * Attach an ABF policy to an interface. + */ +VLIB_CLI_COMMAND (abf_itf_attach_cmd_node, static) = { + .path = "abf attach", + .function = abf_itf_attach_cmd, + .short_help = "abf attach [del] policy ", + // this is not MP safe +}; +/* *INDENT-ON* */ + +static clib_error_t * +abf_show_attach_cmd (vlib_main_t * vm, + unformat_input_t * input, vlib_cli_command_t * cmd) +{ + const abf_itf_attach_t *aia; + u32 sw_if_index, *aiai; + fib_protocol_t fproto; + vnet_main_t *vnm; + + sw_if_index = ~0; + vnm = vnet_get_main (); + + while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT) + { + if (unformat (input, "%U", + unformat_vnet_sw_interface, vnm, &sw_if_index)) + ; + else + return (clib_error_return (0, "unknown input '%U'", + format_unformat_error, input)); + } + + if (~0 == sw_if_index) + { + vlib_cli_output (vm, "specify an interface"); + } + + /* *INDENT-OFF* */ + FOR_EACH_FIB_IP_PROTOCOL(fproto) + { + if (sw_if_index < vec_len(abf_per_itf[fproto])) + { + if (vec_len(abf_per_itf[fproto][sw_if_index])) + vlib_cli_output(vm, "%U:", format_fib_protocol, fproto); + + vec_foreach(aiai, abf_per_itf[fproto][sw_if_index]) + { + aia = pool_elt_at_index(abf_itf_attach_pool, *aiai); + vlib_cli_output(vm, " %U", format_abf_intf_attach, aia); + } + } + } + /* *INDENT-ON* */ + return (NULL); +} + +/* *INDENT-OFF* */ +VLIB_CLI_COMMAND (abf_show_attach_cmd_node, static) = { + .path = "show abf attach", + .function = abf_show_attach_cmd, + .short_help = "show abf attach ", + .is_mp_safe = 1, +}; +/* *INDENT-ON* */ + +void +abf_itf_attach_walk (abf_itf_attach_walk_cb_t cb, void *ctx) +{ + u32 aii; + + /* *INDENT-OFF* */ + pool_foreach_index(aii, abf_itf_attach_pool, + ({ + if (!cb(aii, ctx)) + break; + })); + /* *INDENT-ON* */ +} + +typedef enum abf_next_t_ +{ + ABF_NEXT_DROP, + ABF_N_NEXT, +} abf_next_t; + +typedef struct abf_input_trace_t_ +{ + abf_next_t next; + index_t index; +} abf_input_trace_t; + +typedef enum +{ +#define abf_error(n,s) ABF_ERROR_##n, +#include "abf_error.def" +#undef abf_error + ABF_N_ERROR, +} abf_error_t; + +always_inline uword +abf_input_inline (vlib_main_t * vm, + vlib_node_runtime_t * node, + vlib_frame_t * frame, fib_protocol_t fproto) +{ + u32 n_left_from, *from, *to_next, next_index, matches; + + from = vlib_frame_vector_args (frame); + n_left_from = frame->n_vectors; + next_index = node->cached_next_index; + matches = 0; + + while (n_left_from > 0) + { + u32 n_left_to_next; + + vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next); + + while (n_left_from > 0 && n_left_to_next > 0) + { + const u32 *attachments0; + const abf_itf_attach_t *aia0; + abf_next_t next0 = ABF_NEXT_DROP; + vlib_buffer_t *b0; + u32 bi0, sw_if_index0; + fa_5tuple_opaque_t fa_5tuple0; + u32 match_acl_index = ~0; + u32 match_acl_pos = ~0; + u32 match_rule_index = ~0; + u32 trace_bitmap = 0; + u8 action; + + bi0 = from[0]; + to_next[0] = bi0; + from += 1; + to_next += 1; + n_left_from -= 1; + n_left_to_next -= 1; + + b0 = vlib_get_buffer (vm, bi0); + sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX]; + + ASSERT (vec_len (abf_per_itf[fproto]) > sw_if_index0); + attachments0 = abf_per_itf[fproto][sw_if_index0]; + + ASSERT (vec_len (abf_alctx_per_itf[fproto]) > sw_if_index0); + /* + * check if any of the policies attached to this interface matches. + */ + u32 lc_index = abf_alctx_per_itf[fproto][sw_if_index0]; + + acl_plugin_fill_5tuple (lc_index, b0, (FIB_PROTOCOL_IP6 == fproto), + 1, 0, &fa_5tuple0); + + if (acl_plugin_match_5tuple + (lc_index, &fa_5tuple0, (FIB_PROTOCOL_IP6 == fproto), &action, + &match_acl_pos, &match_acl_index, &match_rule_index, + &trace_bitmap)) + { + /* + * match: + * follow the DPO chain + */ + aia0 = abf_itf_attach_get (attachments0[match_acl_pos]); + + next0 = aia0->aia_dpo.dpoi_next_node; + vnet_buffer (b0)->ip.adj_index[VLIB_TX] = + aia0->aia_dpo.dpoi_index; + matches++; + } + else + { + /* + * miss: + * move on down the feature arc + */ + vnet_feature_next (sw_if_index0, &next0, b0); + } + + if (PREDICT_FALSE (b0->flags & VLIB_BUFFER_IS_TRACED)) + { + abf_input_trace_t *tr; + + tr = vlib_add_trace (vm, node, b0, sizeof (*tr)); + tr->next = next0; + tr->index = vnet_buffer (b0)->ip.adj_index[VLIB_TX]; + } + + /* verify speculative enqueue, maybe switch current next frame */ + vlib_validate_buffer_enqueue_x1 (vm, node, next_index, + to_next, n_left_to_next, bi0, + next0); + } + + vlib_put_next_frame (vm, node, next_index, n_left_to_next); + } + + vlib_node_increment_counter (vm, + (fproto = FIB_PROTOCOL_IP6 ? + abf_ip4_node.index : + abf_ip6_node.index), + ABF_ERROR_MATCHED, matches); + + return frame->n_vectors; +} + +static uword +abf_input_ip4 (vlib_main_t * vm, + vlib_node_runtime_t * node, vlib_frame_t * frame) +{ + return abf_input_inline (vm, node, frame, FIB_PROTOCOL_IP4); +} + +static uword +abf_input_ip6 (vlib_main_t * vm, + vlib_node_runtime_t * node, vlib_frame_t * frame) +{ + return abf_input_inline (vm, node, frame, FIB_PROTOCOL_IP6); +} + +static u8 * +format_abf_input_trace (u8 * s, va_list * args) +{ + CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *); + CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *); + abf_input_trace_t *t = va_arg (*args, abf_input_trace_t *); + + s = format (s, " next %d index %d", t->next, t->index); + return s; +} + +static char *abf_error_strings[] = { +#define abf_error(n,s) s, +#include "abf_error.def" +#undef abf_error +}; + +/* *INDENT-OFF* */ +VLIB_REGISTER_NODE (abf_ip4_node) = +{ + .function = abf_input_ip4, + .name = "abf-input-ip4", + .vector_size = sizeof (u32), + .format_trace = format_abf_input_trace, + .type = VLIB_NODE_TYPE_INTERNAL, + .n_errors = ABF_N_ERROR, + .error_strings = abf_error_strings, + .n_next_nodes = ABF_N_NEXT, + .next_nodes = + { + [ABF_NEXT_DROP] = "error-drop", + } +}; + +VLIB_REGISTER_NODE (abf_ip6_node) = +{ + .function = abf_input_ip6, + .name = "abf-input-ip6", + .vector_size = sizeof (u32), + .format_trace = format_abf_input_trace, + .type = VLIB_NODE_TYPE_INTERNAL, + .n_errors = 0, + .n_next_nodes = ABF_N_NEXT, + + .next_nodes = + { + [ABF_NEXT_DROP] = "error-drop", + } +}; + +VNET_FEATURE_INIT (abf_ip4_feat, static) = +{ + .arc_name = "ip4-unicast", + .node_name = "abf-input-ip4", + .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"), +}; + +VNET_FEATURE_INIT (abf_ip6_feat, static) = +{ + .arc_name = "ip6-unicast", + .node_name = "abf-input-ip6", + .runs_after = VNET_FEATURES ("acl-plugin-in-ip6-fa"), +}; +/* *INDENT-ON* */ + +static fib_node_t * +abf_itf_attach_get_node (fib_node_index_t index) +{ + abf_itf_attach_t *aia = abf_itf_attach_get (index); + return (&(aia->aia_node)); +} + +static abf_itf_attach_t * +abf_itf_attach_get_from_node (fib_node_t * node) +{ + return ((abf_itf_attach_t *) (((char *) node) - + STRUCT_OFFSET_OF (abf_itf_attach_t, + aia_node))); +} + +static void +abf_itf_attach_last_lock_gone (fib_node_t * node) +{ + /* + * ABF interface attachments are leaves on the graph. + * we do not manage locks from children. + */ +} + +/* + * abf_itf_attach_back_walk_notify + * + * A back walk has reached this BIER fmask + */ +static fib_node_back_walk_rc_t +abf_itf_attach_back_walk_notify (fib_node_t * node, + fib_node_back_walk_ctx_t * ctx) +{ + /* + * re-stack the fmask on the n-eos of the via + */ + abf_itf_attach_t *aia = abf_itf_attach_get_from_node (node); + + abf_itf_attach_stack (aia); + + return (FIB_NODE_BACK_WALK_CONTINUE); +} + +/* + * The BIER fmask's graph node virtual function table + */ +static const fib_node_vft_t abf_itf_attach_vft = { + .fnv_get = abf_itf_attach_get_node, + .fnv_last_lock = abf_itf_attach_last_lock_gone, + .fnv_back_walk = abf_itf_attach_back_walk_notify, +}; + +static clib_error_t * +abf_itf_bond_init (vlib_main_t * vm) +{ + abf_itf_attach_fib_node_type = + fib_node_register_new_type (&abf_itf_attach_vft); + clib_error_t *acl_init_res = acl_plugin_exports_init (); + if (acl_init_res) + return (acl_init_res); + + abf_acl_user_id = + acl_plugin_register_user_module ("abp plugin", "sw_if_index", NULL); + + return (NULL); +} + +VLIB_INIT_FUNCTION (abf_itf_bond_init); + +/* + * fd.io coding-style-patch-verification: ON + * + * Local Variables: + * eval: (c-set-style "gnu") + * End: + */ diff --git a/src/plugins/abf/abf_itf_attach.h b/src/plugins/abf/abf_itf_attach.h new file mode 100644 index 00000000000..4cb7dddf481 --- /dev/null +++ b/src/plugins/abf/abf_itf_attach.h @@ -0,0 +1,104 @@ +/* + * Copyright (c) 2017 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef __ABF_ITF_ATTACH_H__ +#define __ABF_ITF_ATTACH_H__ + +#include +#include + +/** + * Attachment data for an ABF policy to an interface + */ +typedef struct abf_itf_attach_t_ +{ + CLIB_CACHE_LINE_ALIGN_MARK (marker); + /** + * The ACL and DPO are cached for fast DP access + */ + /** + * ACL index to match + */ + u32 aia_acl; + + /** + * The DPO actually used for forwarding + */ + dpo_id_t aia_dpo; + + /** + * Linkage into the FIB graph + */ + fib_node_t aia_node; + + /** + * The VPP index of the ABF policy + */ + u32 aia_abf; + + /** + * Sibling index on the policy's path list + */ + u32 aia_sibling; + + /** + * The protocol for the attachment. i.e. the protocol + * of the packets that are being forwarded + */ + fib_protocol_t aia_proto; + + /** + * The interface for the attachment + */ + u32 aia_sw_if_index; + + /** + * The priority of this policy for attachment. + * The lower the value the higher the priority. + * The higher priority policies are matched first. + */ + u32 aia_prio; +} abf_itf_attach_t; + +/** + * Pool of ABF interface attachment objects + */ +extern abf_itf_attach_t *abf_itf_attach_pool; + +static inline abf_itf_attach_t * +abf_itf_attach_get (u32 index) +{ + return (pool_elt_at_index (abf_itf_attach_pool, index)); +} + +extern int abf_itf_attach (fib_protocol_t fproto, + u32 policy_id, u32 priority, u32 sw_if_index); + +extern int abf_itf_detach (fib_protocol_t fproto, + u32 policy_id, u32 sw_if_index); + +typedef int (*abf_itf_attach_walk_cb_t) (index_t aii, void *ctx0); + +extern void abf_itf_attach_walk (abf_itf_attach_walk_cb_t cb, void *ctx); + +/* + * fd.io coding-style-patch-verification: ON + * + * Local Variables: + * eval: (c-set-style "gnu") + * End: + */ + +#endif diff --git a/src/plugins/abf/abf_msg_enum.h b/src/plugins/abf/abf_msg_enum.h new file mode 100644 index 00000000000..5c06eb5ad0c --- /dev/null +++ b/src/plugins/abf/abf_msg_enum.h @@ -0,0 +1,28 @@ +/* + * Copyright (c) 2016 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#ifndef included_abf_msg_enum_h +#define included_abf_msg_enum_h + +#include + +#define vl_msg_id(n,h) n, +typedef enum { +#include + /* We'll want to know how many messages IDs we need... */ + VL_MSG_FIRST_AVAILABLE, +} vl_msg_id_t; +#undef vl_msg_id + +#endif diff --git a/src/plugins/abf/abf_policy.c b/src/plugins/abf/abf_policy.c new file mode 100644 index 00000000000..a0c4ac8adb3 --- /dev/null +++ b/src/plugins/abf/abf_policy.c @@ -0,0 +1,464 @@ +/* + * Copyright (c) 2017 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include + +#include +#include +#include +#include +#include + +/** + * FIB node type the attachment is registered + */ +fib_node_type_t abf_policy_fib_node_type; + +/** + * Pool of ABF objects + */ +static abf_policy_t *abf_policy_pool; + +/** + * DB of ABF policy objects + * - policy ID to index conversion. + */ +static uword *abf_policy_db; + + +abf_policy_t * +abf_policy_get (u32 index) +{ + return (pool_elt_at_index (abf_policy_pool, index)); +} + +static u32 +abf_policy_get_index (const abf_policy_t * abf) +{ + return (abf - abf_policy_pool); +} + +static abf_policy_t * +abf_policy_find_i (u32 policy_id) +{ + u32 api; + + api = abf_policy_find (policy_id); + + if (INDEX_INVALID != api) + return (abf_policy_get (api)); + + return (NULL); +} + +u32 +abf_policy_find (u32 policy_id) +{ + uword *p; + + p = hash_get (abf_policy_db, policy_id); + + if (NULL != p) + return (p[0]); + + return (INDEX_INVALID); +} + + +void +abf_policy_update (u32 policy_id, + u32 acl_index, const fib_route_path_t * rpaths) +{ + abf_policy_t *ap; + u32 api; + + api = abf_policy_find (policy_id); + + if (INDEX_INVALID == api) + { + /* + * create a new policy + */ + pool_get (abf_policy_pool, ap); + + api = ap - abf_policy_pool; + fib_node_init (&ap->ap_node, abf_policy_fib_node_type); + ap->ap_acl = acl_index; + ap->ap_id = policy_id; + ap->ap_pl = fib_path_list_create ((FIB_PATH_LIST_FLAG_SHARED | + FIB_PATH_LIST_FLAG_NO_URPF), rpaths); + + /* + * become a child of the path list so we get poked when + * the forwarding changes. + */ + ap->ap_sibling = fib_path_list_child_add (ap->ap_pl, + abf_policy_fib_node_type, + api); + + /* + * add this new policy to the DB + */ + hash_set (abf_policy_db, policy_id, api); + + /* + * take a lock on behalf of the CLI/API creation + */ + fib_node_lock (&ap->ap_node); + } + else + { + /* + * update an existing policy. + * - add the path to the path-list and swap our ancestory + * - backwalk to poke all attachments to update + */ + fib_node_index_t old_pl; + + ap = abf_policy_get (api); + old_pl = ap->ap_pl; + + if (FIB_NODE_INDEX_INVALID != old_pl) + { + ap->ap_pl = fib_path_list_copy_and_path_add (old_pl, + (FIB_PATH_LIST_FLAG_SHARED + | + FIB_PATH_LIST_FLAG_NO_URPF), + rpaths); + fib_path_list_child_remove (old_pl, ap->ap_sibling); + } + else + { + ap->ap_pl = fib_path_list_create ((FIB_PATH_LIST_FLAG_SHARED | + FIB_PATH_LIST_FLAG_NO_URPF), + rpaths); + } + + ap->ap_sibling = fib_path_list_child_add (ap->ap_pl, + abf_policy_fib_node_type, + api); + + fib_node_back_walk_ctx_t ctx = { + .fnbw_reason = FIB_NODE_BW_REASON_FLAG_EVALUATE, + }; + + fib_walk_sync (abf_policy_fib_node_type, api, &ctx); + } +} + +static void +abf_policy_destroy (abf_policy_t * ap) +{ + /* + * this ABF should not be a sibling on the path list, since + * that was removed when the API config went + */ + ASSERT (ap->ap_sibling == ~0); + ASSERT (ap->ap_pl == FIB_NODE_INDEX_INVALID); + + hash_unset (abf_policy_db, ap->ap_id); + pool_put (abf_policy_pool, ap); +} + +int +abf_policy_delete (u32 policy_id, const fib_route_path_t * rpaths) +{ + abf_policy_t *ap; + u32 api; + + api = abf_policy_find (policy_id); + + if (INDEX_INVALID == api) + { + /* + * no such policy + */ + return (-1); + } + else + { + /* + * update an existing policy. + * - add the path to the path-list and swap our ancestory + * - backwalk to poke all attachments to update + */ + fib_node_index_t old_pl; + + ap = abf_policy_get (api); + old_pl = ap->ap_pl; + + ap->ap_pl = + fib_path_list_copy_and_path_remove (ap->ap_pl, + (FIB_PATH_LIST_FLAG_SHARED | + FIB_PATH_LIST_FLAG_NO_URPF), + rpaths); + + fib_path_list_child_remove (old_pl, ap->ap_sibling); + ap->ap_sibling = ~0; + + if (FIB_NODE_INDEX_INVALID == ap->ap_pl) + { + /* + * no more paths on this policy. It's toast + * remove the CLI/API's lock + */ + fib_node_unlock (&ap->ap_node); + } + else + { + ap->ap_sibling = fib_path_list_child_add (ap->ap_pl, + abf_policy_fib_node_type, + api); + + fib_node_back_walk_ctx_t ctx = { + .fnbw_reason = FIB_NODE_BW_REASON_FLAG_EVALUATE, + }; + + fib_walk_sync (abf_policy_fib_node_type, api, &ctx); + } + } + + return (0); +} + +static clib_error_t * +abf_policy_cmd (vlib_main_t * vm, + unformat_input_t * main_input, vlib_cli_command_t * cmd) +{ + unformat_input_t _line_input, *line_input = &_line_input; + u32 acl_index, policy_id; + fib_route_path_t *rpaths = NULL, rpath; + u32 is_del; + + is_del = 0; + acl_index = INDEX_INVALID; + policy_id = INDEX_INVALID; + + /* Get a line of input. */ + if (!unformat_user (main_input, unformat_line_input, line_input)) + return 0; + + while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT) + { + if (unformat (line_input, "acl %d", &acl_index)) + ; + else if (unformat (line_input, "id %d", &policy_id)) + ; + else if (unformat (line_input, "del")) + is_del = 1; + else if (unformat (line_input, "add")) + is_del = 0; + else if (unformat (line_input, "via %U", + unformat_fib_route_path, &rpath)) + vec_add1 (rpaths, rpath); + else + return (clib_error_return (0, "unknown input '%U'", + format_unformat_error, line_input)); + } + + if (INDEX_INVALID == policy_id) + { + vlib_cli_output (vm, "Specify a Policy ID"); + return 0; + } + + if (!is_del) + { + if (INDEX_INVALID == acl_index) + { + vlib_cli_output (vm, "ACL index must be set"); + return 0; + } + + abf_policy_update (policy_id, acl_index, rpaths); + } + else + { + abf_policy_delete (policy_id, rpaths); + } + + unformat_free (line_input); + return (NULL); +} + +/* *INDENT-OFF* */ +/** + * Create an ABF policy. + */ +VLIB_CLI_COMMAND (abf_policy_cmd_node, static) = { + .path = "abf policy", + .function = abf_policy_cmd, + .short_help = "abf policy [add|del] id acl via ...", + .is_mp_safe = 1, +}; +/* *INDENT-ON* */ + +static u8 * +format_abf (u8 * s, va_list * args) +{ + abf_policy_t *ap = va_arg (*args, abf_policy_t *); + + s = format (s, "abf:[%d]: policy:%d acl:%d", + ap - abf_policy_pool, ap->ap_id, ap->ap_acl); + s = format (s, "\n "); + if (FIB_NODE_INDEX_INVALID == ap->ap_pl) + { + s = format (s, "no forwarding"); + } + else + { + s = fib_path_list_format (ap->ap_pl, s); + } + + return (s); +} + +void +abf_policy_walk (abf_policy_walk_cb_t cb, void *ctx) +{ + u32 api; + + /* *INDENT-OFF* */ + pool_foreach_index(api, abf_policy_pool, + ({ + if (!cb(api, ctx)) + break; + })); + /* *INDENT-ON* */ +} + +static clib_error_t * +abf_show_policy_cmd (vlib_main_t * vm, + unformat_input_t * input, vlib_cli_command_t * cmd) +{ + u32 policy_id; + abf_policy_t *ap; + + policy_id = INDEX_INVALID; + + while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT) + { + if (unformat (input, "%d", &policy_id)) + ; + else + return (clib_error_return (0, "unknown input '%U'", + format_unformat_error, input)); + } + + if (INDEX_INVALID == policy_id) + { + /* *INDENT-OFF* */ + pool_foreach(ap, abf_policy_pool, + ({ + vlib_cli_output(vm, "%U", format_abf, ap); + })); + /* *INDENT-ON* */ + } + else + { + ap = abf_policy_find_i (policy_id); + + if (NULL != ap) + vlib_cli_output (vm, "%U", format_abf, ap); + else + vlib_cli_output (vm, "Invalid policy ID:%d", policy_id); + } + + return (NULL); +} + +/* *INDENT-OFF* */ +VLIB_CLI_COMMAND (abf_policy_show_policy_cmd_node, static) = { + .path = "show abf policy", + .function = abf_show_policy_cmd, + .short_help = "show abf policy ", + .is_mp_safe = 1, +}; +/* *INDENT-ON* */ + +static fib_node_t * +abf_policy_get_node (fib_node_index_t index) +{ + abf_policy_t *ap = abf_policy_get (index); + return (&(ap->ap_node)); +} + +static abf_policy_t * +abf_policy_get_from_node (fib_node_t * node) +{ + return ((abf_policy_t *) (((char *) node) - + STRUCT_OFFSET_OF (abf_policy_t, ap_node))); +} + +static void +abf_policy_last_lock_gone (fib_node_t * node) +{ + abf_policy_destroy (abf_policy_get_from_node (node)); +} + +/* + * A back walk has reached this ABF policy + */ +static fib_node_back_walk_rc_t +abf_policy_back_walk_notify (fib_node_t * node, + fib_node_back_walk_ctx_t * ctx) +{ + /* + * re-stack the fmask on the n-eos of the via + */ + abf_policy_t *abf = abf_policy_get_from_node (node); + + /* + * propagate further up the graph. + * we can do this synchronously since the fan out is small. + */ + fib_walk_sync (abf_policy_fib_node_type, abf_policy_get_index (abf), ctx); + + return (FIB_NODE_BACK_WALK_CONTINUE); +} + +/* + * The BIER fmask's graph node virtual function table + */ +static const fib_node_vft_t abf_policy_vft = { + .fnv_get = abf_policy_get_node, + .fnv_last_lock = abf_policy_last_lock_gone, + .fnv_back_walk = abf_policy_back_walk_notify, +}; + +static clib_error_t * +abf_policy_init (vlib_main_t * vm) +{ + abf_policy_fib_node_type = fib_node_register_new_type (&abf_policy_vft); + + return (NULL); +} + +VLIB_INIT_FUNCTION (abf_policy_init); + +/* *INDENT-OFF* */ +VLIB_PLUGIN_REGISTER () = { + .version = VPP_BUILD_VER, + .description = "ACL based Forwarding", +}; +/* *INDENT-ON* */ + +/* + * fd.io coding-style-patch-verification: ON + * + * Local Variables: + * eval: (c-set-style "gnu") + * End: + */ diff --git a/src/plugins/abf/abf_policy.h b/src/plugins/abf/abf_policy.h new file mode 100644 index 00000000000..71fa1a61afd --- /dev/null +++ b/src/plugins/abf/abf_policy.h @@ -0,0 +1,118 @@ +/* + * Copyright (c) 2017 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef __ABF_H__ +#define __ABF_H__ + +#include + +#define ABF_PLUGIN_VERSION_MAJOR 1 +#define ABF_PLUGIN_VERSION_MINOR 0 + +/** + * An ACL based Forwading 'policy'. + * This comprises the ACL index to match against and the forwarding + * path to take if the match is successfull. + * + * ABF policies are then 'attached' to interfaces. An input feature + * will run through the list of policies a match will divert the packet, + * if all miss then we continues down the interface's feature arc + */ +typedef struct abf_policy_t_ +{ + /** + * Linkage into the FIB graph + */ + fib_node_t ap_node; + + /** + * ACL index to match + */ + u32 ap_acl; + + /** + * The path-list describing how to forward in case of a match + */ + fib_node_index_t ap_pl; + + /** + * Sibling index on the path-list + */ + u32 ap_sibling; + + /** + * The policy ID - as configured by the client + */ + u32 ap_id; +} abf_policy_t; + +/** + * Get an ABF object from its VPP index + */ +extern abf_policy_t *abf_policy_get (index_t index); + +/** + * Find a ABF object from the client's policy ID + * + * @param policy_id Client's defined policy ID + * @return VPP's object index + */ +extern index_t abf_policy_find (u32 policy_id); + +/** + * The FIB node type for ABF policies + */ +extern fib_node_type_t abf_policy_fib_node_type; + +/** + * Create or update an ABF Policy + * + * @param policy_id User defined Policy ID + * @param acl_index The ACL the policy with match on + * @param rpaths The set of paths to add to the forwarding set + */ +extern void abf_policy_update (u32 policy_id, + u32 acl_index, + const fib_route_path_t * rpaths); + +/** + * Delete paths from an ABF Policy. If no more paths exist, the policy + * is deleted. + * + * @param policy_id User defined Policy ID + * @param rpaths The set of paths to forward remove + */ +extern int abf_policy_delete (u32 policy_id, const fib_route_path_t * rpaths); + +/** + * Callback function invoked during a walk of all policies + */ +typedef int (*abf_policy_walk_cb_t) (index_t index, void *ctx); + +/** + * Walk/visit each of the ABF policies + */ +extern void abf_policy_walk (abf_policy_walk_cb_t cb, void *ctx); + + +/* + * fd.io coding-style-patch-verification: ON + * + * Local Variables: + * eval: (c-set-style "gnu") + * End: + */ + +#endif diff --git a/src/tools/vppapigen/vppapigen.py b/src/tools/vppapigen/vppapigen.py index 9db11284b0a..2e8d80f9d0c 100755 --- a/src/tools/vppapigen/vppapigen.py +++ b/src/tools/vppapigen/vppapigen.py @@ -655,7 +655,7 @@ class VPPAPI(object): imported_objs = [] for o in objs: if isinstance(o, Import): - return objs + self.process_imports(o.result, True) + return self.process_imports(o.result, True) + objs if in_import: if isinstance(o, Define) and o.typeonly: imported_objs.append(o) diff --git a/test/test_abf.py b/test/test_abf.py new file mode 100644 index 00000000000..ce53e53fc98 --- /dev/null +++ b/test/test_abf.py @@ -0,0 +1,338 @@ +#!/usr/bin/env python + +from framework import VppTestCase, VppTestRunner +from vpp_udp_encap import * +from vpp_ip_route import VppIpRoute, VppRoutePath, VppIpTable, DpoProto + +from scapy.packet import Raw +from scapy.layers.l2 import Ether, ARP +from scapy.layers.inet import IP, UDP +from scapy.layers.inet6 import IPv6 +from scapy.contrib.mpls import MPLS + +from vpp_object import * +from socket import inet_pton, inet_ntop, AF_INET, AF_INET6 + + +def find_abf_policy(test, id): + policies = test.vapi.abf_policy_dump() + for p in policies: + if id == p.policy.policy_id: + return True + return False + + +def find_abf_itf_attach(test, id, sw_if_index): + attachs = test.vapi.abf_itf_attach_dump() + for a in attachs: + if id == a.attach.policy_id and \ + sw_if_index == a.attach.sw_if_index: + return True + return False + + +class VppAbfPolicy(VppObject): + + def __init__(self, + test, + policy_id, + acl, + paths): + self._test = test + self.policy_id = policy_id + self.acl = acl + self.paths = paths + + def encode_paths(self): + br_paths = [] + for p in self.paths: + lstack = [] + for l in p.nh_labels: + if type(l) == VppMplsLabel: + lstack.append(l.encode()) + else: + lstack.append({'label': l, 'ttl': 255}) + n_labels = len(lstack) + while (len(lstack) < 16): + lstack.append({}) + br_paths.append({'next_hop': p.nh_addr, + 'weight': 1, + 'afi': p.proto, + 'sw_if_index': 0xffffffff, + 'preference': 0, + 'table_id': p.nh_table_id, + 'next_hop_id': p.next_hop_id, + 'is_udp_encap': p.is_udp_encap, + 'n_labels': n_labels, + 'label_stack': lstack}) + return br_paths + + def add_vpp_config(self): + self._test.vapi.abf_policy_add_del( + 1, + {'policy_id': self.policy_id, + 'acl_index': self.acl.acl_index, + 'n_paths': len(self.paths), + 'paths': self.encode_paths()}) + self._test.registry.register(self, self._test.logger) + + def remove_vpp_config(self): + self._test.vapi.abf_policy_add_del( + 0, + {'policy_id': self.policy_id, + 'acl_index': self.acl.acl_index, + 'n_paths': len(self.paths), + 'paths': self.encode_paths()}) + + def query_vpp_config(self): + return find_abf_policy(self._test, self.policy_id) + + def __str__(self): + return self.object_id() + + def object_id(self): + return ("abf-policy-%d" % self.policy_id) + + +class VppAbfAttach(VppObject): + + def __init__(self, + test, + policy_id, + sw_if_index, + priority, + is_ipv6=0): + self._test = test + self.policy_id = policy_id + self.sw_if_index = sw_if_index + self.priority = priority + self.is_ipv6 = is_ipv6 + + def add_vpp_config(self): + self._test.vapi.abf_itf_attach_add_del( + 1, + {'policy_id': self.policy_id, + 'sw_if_index': self.sw_if_index, + 'priority': self.priority, + 'is_ipv6': self.is_ipv6}) + self._test.registry.register(self, self._test.logger) + + def remove_vpp_config(self): + self._test.vapi.abf_itf_attach_add_del( + 0, + {'policy_id': self.policy_id, + 'sw_if_index': self.sw_if_index, + 'priority': self.priority, + 'is_ipv6': self.is_ipv6}) + + def query_vpp_config(self): + return find_abf_itf_attach(self._test, + self.policy_id, + self.sw_if_index) + + def __str__(self): + return self.object_id() + + def object_id(self): + return ("abf-attach-%d-%d" % (self.policy_id, self.sw_if_index)) + + +class TestAbf(VppTestCase): + """ ABF Test Case """ + + def setUp(self): + super(TestAbf, self).setUp() + + self.create_pg_interfaces(range(4)) + + for i in self.pg_interfaces: + i.admin_up() + i.config_ip4() + i.resolve_arp() + i.config_ip6() + i.resolve_ndp() + + def tearDown(self): + for i in self.pg_interfaces: + i.unconfig_ip4() + i.unconfig_ip6() + i.ip6_disable() + i.admin_down() + super(TestAbf, self).tearDown() + + def test_abf4(self): + """ IPv4 ACL Based Forwarding + """ + + # + # We are not testing the various matching capabilities + # of ACLs, that's done elsewhere. Here ware are testing + # the application of ACLs to a forwarding path to achieve + # ABF + # So we construct just a few ACLs to ensure the ABF policies + # are correclty constructed and used. And a few path types + # to test the API path decoding. + # + + # + # Rule 1 + # + rule_1 = ({'is_permit': 1, + 'is_ipv6': 0, + 'proto': 17, + 'srcport_or_icmptype_first': 1234, + 'srcport_or_icmptype_last': 1234, + 'src_ip_prefix_len': 32, + 'src_ip_addr': inet_pton(AF_INET, "1.1.1.1"), + 'dstport_or_icmpcode_first': 1234, + 'dstport_or_icmpcode_last': 1234, + 'dst_ip_prefix_len': 32, + 'dst_ip_addr': inet_pton(AF_INET, "1.1.1.2")}) + acl_1 = self.vapi.acl_add_replace(acl_index=4294967295, r=[rule_1]) + + # + # ABF policy for ACL 1 - path via interface 1 + # + abf_1 = VppAbfPolicy(self, 10, acl_1, + [VppRoutePath(self.pg1.remote_ip4, + self.pg1.sw_if_index)]) + abf_1.add_vpp_config() + + # + # Attach the policy to input interface Pg0 + # + attach_1 = VppAbfAttach(self, 10, self.pg0.sw_if_index, 50) + attach_1.add_vpp_config() + + # + # fire in packet matching the ACL src,dst. If it's forwarded + # then the ABF was successful, since default routing will drop it + # + p_1 = (Ether(src=self.pg0.remote_mac, + dst=self.pg0.local_mac) / + IP(src="1.1.1.1", dst="1.1.1.2") / + UDP(sport=1234, dport=1234) / + Raw('\xa5' * 100)) + self.send_and_expect(self.pg0, p_1*65, self.pg1) + + # + # Attach a 'better' priority policy to the same interface + # + abf_2 = VppAbfPolicy(self, 11, acl_1, + [VppRoutePath(self.pg2.remote_ip4, + self.pg2.sw_if_index)]) + abf_2.add_vpp_config() + attach_2 = VppAbfAttach(self, 11, self.pg0.sw_if_index, 40) + attach_2.add_vpp_config() + + self.send_and_expect(self.pg0, p_1*65, self.pg2) + + # + # Attach a policy with priority in the middle + # + abf_3 = VppAbfPolicy(self, 12, acl_1, + [VppRoutePath(self.pg3.remote_ip4, + self.pg3.sw_if_index)]) + abf_3.add_vpp_config() + attach_3 = VppAbfAttach(self, 12, self.pg0.sw_if_index, 45) + attach_3.add_vpp_config() + + self.send_and_expect(self.pg0, p_1*65, self.pg2) + + # + # remove the best priority + # + attach_2.remove_vpp_config() + self.send_and_expect(self.pg0, p_1*65, self.pg3) + + # + # Attach one of the same policies to Pg1 + # + attach_4 = VppAbfAttach(self, 12, self.pg1.sw_if_index, 45) + attach_4.add_vpp_config() + + p_2 = (Ether(src=self.pg1.remote_mac, + dst=self.pg1.local_mac) / + IP(src="1.1.1.1", dst="1.1.1.2") / + UDP(sport=1234, dport=1234) / + Raw('\xa5' * 100)) + self.send_and_expect(self.pg1, p_2 * 65, self.pg3) + + # + # detach the policy from PG1, now expect traffic to be dropped + # + attach_4.remove_vpp_config() + + self.send_and_assert_no_replies(self.pg1, p_2 * 65, "Detached") + + def test_abf6(self): + """ IPv6 ACL Based Forwarding + """ + + # + # Simple test for matching IPv6 packets + # + + # + # Rule 1 + # + rule_1 = ({'is_permit': 1, + 'is_ipv6': 1, + 'proto': 17, + 'srcport_or_icmptype_first': 1234, + 'srcport_or_icmptype_last': 1234, + 'src_ip_prefix_len': 128, + 'src_ip_addr': inet_pton(AF_INET6, "2001::2"), + 'dstport_or_icmpcode_first': 1234, + 'dstport_or_icmpcode_last': 1234, + 'dst_ip_prefix_len': 128, + 'dst_ip_addr': inet_pton(AF_INET6, "2001::1")}) + acl_1 = self.vapi.acl_add_replace(acl_index=4294967295, + r=[rule_1]) + + # + # ABF policy for ACL 1 - path via interface 1 + # + abf_1 = VppAbfPolicy(self, 10, acl_1, + [VppRoutePath("3001::1", + 0xffffffff, + proto=DpoProto.DPO_PROTO_IP6)]) + abf_1.add_vpp_config() + + attach_1 = VppAbfAttach(self, 10, self.pg0.sw_if_index, + 45, is_ipv6=True) + attach_1.add_vpp_config() + + # + # a packet matching the rule + # + p = (Ether(src=self.pg0.remote_mac, + dst=self.pg0.local_mac) / + IPv6(src="2001::2", dst="2001::1") / + UDP(sport=1234, dport=1234) / + Raw('\xa5' * 100)) + + # + # packets are dropped because there is no route to the policy's + # next hop + # + self.send_and_assert_no_replies(self.pg1, p * 65, "no route") + + # + # add a route resolving the next-hop + # + route = VppIpRoute(self, "3001::1", 32, + [VppRoutePath(self.pg1.remote_ip6, + self.pg1.sw_if_index, + proto=DpoProto.DPO_PROTO_IP6)], + is_ip6=1) + route.add_vpp_config() + + # + # now expect packets forwarded. + # + self.send_and_expect(self.pg0, p * 65, self.pg1) + + +if __name__ == '__main__': + unittest.main(testRunner=VppTestRunner) diff --git a/test/vpp_papi_provider.py b/test/vpp_papi_provider.py index c55f6676c30..6804b4cfe4a 100644 --- a/test/vpp_papi_provider.py +++ b/test/vpp_papi_provider.py @@ -3532,3 +3532,23 @@ class VppPapiProvider(object): """ return self.api(self.papi.sw_interface_vhost_user_dump, {}) + + def abf_policy_add_del(self, is_add, policy): + return self.api( + self.papi.abf_policy_add_del, + {'is_add': is_add, + 'policy': policy}) + + def abf_itf_attach_add_del(self, is_add, attach): + return self.api( + self.papi.abf_itf_attach_add_del, + {'is_add': is_add, + 'attach': attach}) + + def abf_policy_dump(self): + return self.api( + self.papi.abf_policy_dump, {}) + + def abf_itf_attach_dump(self): + return self.api( + self.papi.abf_itf_attach_dump, {}) diff --git a/test/vpp_udp_encap.py b/test/vpp_udp_encap.py index 56d23cc45dc..d4daa7430b3 100644 --- a/test/vpp_udp_encap.py +++ b/test/vpp_udp_encap.py @@ -1,3 +1,4 @@ +#!/usr/bin/env python """ UDP encap objects """ -- 2.16.6