aboutsummaryrefslogtreecommitdiffstats
path: root/src/plugins/acl/fa_node.c
AgeCommit message (Collapse)AuthorFilesLines
2017-06-09acl-plugin: wrap a verbose debug message in the appropriate conditionalAndrew Yourtchenko1-0/+2
Change-Id: Ibd57cb617642e42d4c4d64f186479702b8a81900 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-06-07acl-plugin: make the ACL plugin multicore-capableAndrew Yourtchenko1-187/+459
Add the logic to be able to use stateful ACLs in a multithreaded setup. Change-Id: I3b0cfa6ca4ea8f46f61648611c3e97b00c3376b6 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-05-07Avoid active connection prevent timeout of idle conns after itAndrew Yourtchenko1-9/+10
Fix a logic error related to timing out of the connections following the active one. To avoid this class of issue in the future, create corresponding testcases, as well as some trivial sanity testcases for both IPv4 and IPv6. Since these tests are timing-dependent and take up time, mark them as extended tests. Change-Id: I2c72bad5efda7db8aa9cb05801fe47928dc47927 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-04-18ACL-plugin does not match UDP next-header, VPP-687Pavel Kotucek1-1/+1
Change-Id: Ide4f9bd6158fb64d069540fb43f4e593e39d6ff3 Signed-off-by: Pavel Kotucek <pkotucek@cisco.com>
2017-04-06acl-plugin: make the IPv4/IPv6 non-first fragment handling in line with ACL ↵Andrew Yourtchenko1-9/+61
(VPP-682) This fixes the previously-implicit "drop all non-first fragments" behavior to be more in line with security rules: a non-first fragment is treated for the purposes of matching the ACL as a packet with the port match succeeding. This allows to change the behavior to permit the fragmented packets for the default "permit specific rules" ruleset, but also gives the flexibility to block the non-initial fragments by inserting into the begining a bogus rule which would deny the L4 traffic. Also, add a knob which allows to potentially turn this behavior off in case of a dire need (and revert to dropping all non-initial fragments), via a debug CLI. Change-Id: I546b372b65ff2157d9c68b1d32f9e644f1dd71b4 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> (cherry picked from commit 9fc0c26c6b28fd6c8b8142ea52f52eafa7e8c7ac)
2017-03-30acl-plugin: cleaner node bugfixes (VPP-675)Andrew Yourtchenko1-51/+46
- use the counters in a private struct rather than node error counters - ensure the timer for the non-idle connections is restarted - fix the deletion of conn at the current tail the list Change-Id: I632f63574d2ced95fb75c5e7fb588c78fb3cce1c Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> (cherry picked from commit 097051a3bd1f63a177c0728f15375afd84a68918)
2017-03-21ACL plugin 1.2Andrew Yourtchenko1-0/+1444
L3 path support, L2+L3 unified processing node, skip IPv6 EH support. Change-Id: Iac37a466ba1c035e5c2997b03c0743bfec5c9a08 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>