aboutsummaryrefslogtreecommitdiffstats
path: root/src/plugins/abf/abf_itf_attach.c
diff options
context:
space:
mode:
authorAndrew Yourtchenko <ayourtch@gmail.com>2017-11-17 14:38:18 +0100
committerDamjan Marion <dmarion.lists@gmail.com>2018-04-17 18:25:05 +0000
commit669d07dc016757b856e1014a415996cf9f0ebc58 (patch)
treebd86de6e168fd66563f3f81aa971403c0409bbe9 /src/plugins/abf/abf_itf_attach.c
parent2926eca95138577be8d88eb8d6a442d93f182309 (diff)
ACL based forwarding
A poor man's flow switching or policy based rounting. An ACL is used to match packets and is associated with a [set of] forwarding paths that determine how to forward matched packets - collectively this association is a 'policy'. Policies are then 'attached', in a priority order, to an interface when thaey are encountered as an input feature. If a packet matches no policies it is forwarded normally in the IP FIB. This commit is used to test the "ACL-as-a-service" functionality, which currently compiles, and the existing traffic ACL tests pass in both hash and linear modes. Change-Id: I0b274ec9f2e645352fa898b43eb54c457e195964 Signed-off-by: Neale Ranns <nranns@cisco.com> Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> Signed-off-by: Ole Troan <ot@cisco.com>
Diffstat (limited to 'src/plugins/abf/abf_itf_attach.c')
-rw-r--r--src/plugins/abf/abf_itf_attach.c758
1 files changed, 758 insertions, 0 deletions
diff --git a/src/plugins/abf/abf_itf_attach.c b/src/plugins/abf/abf_itf_attach.c
new file mode 100644
index 00000000000..2e30db9d12f
--- /dev/null
+++ b/src/plugins/abf/abf_itf_attach.c
@@ -0,0 +1,758 @@
+/*
+ * Copyright (c) 2017 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <plugins/abf/abf_itf_attach.h>
+#include <vnet/fib/fib_path_list.h>
+#include <plugins/acl/exports.h>
+
+/**
+ * Forward declarations;
+ */
+extern vlib_node_registration_t abf_ip4_node;
+extern vlib_node_registration_t abf_ip6_node;
+
+/**
+ * FIB node registered type for the bonds
+ */
+static fib_node_type_t abf_itf_attach_fib_node_type;
+
+/**
+ * Pool of ABF interface attachment objects
+ */
+abf_itf_attach_t *abf_itf_attach_pool;
+
+/**
+ * A per interface vector of attached policies. used in the data-plane
+ */
+static u32 **abf_per_itf[FIB_PROTOCOL_MAX];
+
+/**
+ * Per interface values of ACL lookup context IDs. used in the data-plane
+ */
+static u32 *abf_alctx_per_itf[FIB_PROTOCOL_MAX];
+
+/**
+ * ABF ACL module user id returned during the initialization
+ */
+static u32 abf_acl_user_id;
+
+/**
+ * A DB of attachments; key={abf_index,sw_if_index}
+ */
+static uword *abf_itf_attach_db;
+
+static u64
+abf_itf_attach_mk_key (u32 abf_index, u32 sw_if_index)
+{
+ u64 key;
+
+ key = abf_index;
+ key = key << 32;
+ key |= sw_if_index;
+
+ return (key);
+}
+
+static abf_itf_attach_t *
+abf_itf_attach_db_find (u32 abf_index, u32 sw_if_index)
+{
+ uword *p;
+ u64 key;
+
+ key = abf_itf_attach_mk_key (abf_index, sw_if_index);
+
+ p = hash_get (abf_itf_attach_db, key);
+
+ if (NULL != p)
+ return (pool_elt_at_index (abf_itf_attach_pool, p[0]));
+
+ return (NULL);
+}
+
+static void
+abf_itf_attach_db_add (u32 abf_index, u32 sw_if_index, abf_itf_attach_t * aia)
+{
+ u64 key;
+
+ key = abf_itf_attach_mk_key (abf_index, sw_if_index);
+
+ hash_set (abf_itf_attach_db, key, aia - abf_itf_attach_pool);
+}
+
+static void
+abf_itf_attach_db_del (u32 abf_index, u32 sw_if_index)
+{
+ u64 key;
+
+ key = abf_itf_attach_mk_key (abf_index, sw_if_index);
+
+ hash_unset (abf_itf_attach_db, key);
+}
+
+static void
+abf_itf_attach_stack (abf_itf_attach_t * aia)
+{
+ /*
+ * stack the DPO on the forwarding contributed by the path-list
+ */
+ dpo_id_t via_dpo = DPO_INVALID;
+ abf_policy_t *ap;
+
+ ap = abf_policy_get (aia->aia_abf);
+
+ fib_path_list_contribute_forwarding (ap->ap_pl,
+ (FIB_PROTOCOL_IP4 == aia->aia_proto ?
+ FIB_FORW_CHAIN_TYPE_UNICAST_IP4 :
+ FIB_FORW_CHAIN_TYPE_UNICAST_IP6),
+ FIB_PATH_LIST_FWD_FLAG_COLLAPSE,
+ &via_dpo);
+
+ dpo_stack_from_node ((FIB_PROTOCOL_IP4 == aia->aia_proto ?
+ abf_ip4_node.index :
+ abf_ip6_node.index), &aia->aia_dpo, &via_dpo);
+ dpo_reset (&via_dpo);
+}
+
+static int
+abf_cmp_attach_for_sort (void *v1, void *v2)
+{
+ const abf_itf_attach_t *aia1;
+ const abf_itf_attach_t *aia2;
+
+ aia1 = abf_itf_attach_get (*(u32 *) v1);
+ aia2 = abf_itf_attach_get (*(u32 *) v2);
+
+ return (aia1->aia_prio - aia2->aia_prio);
+}
+
+void
+abf_setup_acl_lc (fib_protocol_t fproto, u32 sw_if_index)
+{
+ u32 *acl_vec = 0;
+ u32 *aiai;
+ abf_itf_attach_t *aia;
+
+ if (~0 == abf_alctx_per_itf[fproto][sw_if_index])
+ return;
+
+ vec_foreach (aiai, abf_per_itf[fproto][sw_if_index])
+ {
+ aia = abf_itf_attach_get (*aiai);
+ vec_add1 (acl_vec, aia->aia_acl);
+ }
+ acl_plugin_set_acl_vec_for_context (abf_alctx_per_itf[fproto][sw_if_index],
+ acl_vec);
+ vec_free (acl_vec);
+}
+
+int
+abf_itf_attach (fib_protocol_t fproto,
+ u32 policy_id, u32 priority, u32 sw_if_index)
+{
+ abf_itf_attach_t *aia;
+ abf_policy_t *ap;
+ u32 api, aiai;
+
+ api = abf_policy_find (policy_id);
+
+ ASSERT (INDEX_INVALID != api);
+ ap = abf_policy_get (api);
+
+ /*
+ * check this is not a duplicate
+ */
+ aia = abf_itf_attach_db_find (policy_id, sw_if_index);
+
+ if (NULL != aia)
+ return (VNET_API_ERROR_ENTRY_ALREADY_EXISTS);
+
+ /*
+ * construt a new attachemnt object
+ */
+ pool_get (abf_itf_attach_pool, aia);
+
+ fib_node_init (&aia->aia_node, abf_itf_attach_fib_node_type);
+ aia->aia_prio = priority;
+ aia->aia_proto = fproto;
+ aia->aia_acl = ap->ap_acl;
+ aia->aia_abf = api;
+ aia->aia_sw_if_index = sw_if_index;
+ aiai = aia - abf_itf_attach_pool;
+ abf_itf_attach_db_add (policy_id, sw_if_index, aia);
+
+ /*
+ * stack the DPO on the forwarding contributed by the path-list
+ */
+ abf_itf_attach_stack (aia);
+
+ /*
+ * Insert the policy on the interfaces list.
+ */
+ vec_validate_init_empty (abf_per_itf[fproto], sw_if_index, NULL);
+ vec_add1 (abf_per_itf[fproto][sw_if_index], aia - abf_itf_attach_pool);
+ if (1 == vec_len (abf_per_itf[fproto][sw_if_index]))
+ {
+ /*
+ * when enabling the first ABF polciy on the interface
+ * we need to enable the interface input feature
+ */
+ vnet_feature_enable_disable ((FIB_PROTOCOL_IP4 == fproto ?
+ "ip4-unicast" :
+ "ip6-unicast"),
+ (FIB_PROTOCOL_IP4 == fproto ?
+ "abf-input-ip4" :
+ "abf-input-ip6"),
+ sw_if_index, 1, NULL, 0);
+
+ /* if this is the first ABF policy, we need to acquire an ACL lookup context */
+ vec_validate_init_empty (abf_alctx_per_itf[fproto], sw_if_index, ~0);
+ abf_alctx_per_itf[fproto][sw_if_index] =
+ acl_plugin_get_lookup_context_index (abf_acl_user_id, sw_if_index, 0);
+ }
+ else
+ {
+ vec_sort_with_function (abf_per_itf[fproto][sw_if_index],
+ abf_cmp_attach_for_sort);
+ }
+
+ /* Prepare and set the list of ACLs for lookup within the context */
+ abf_setup_acl_lc (fproto, sw_if_index);
+
+ /*
+ * become a child of the ABF poilcy so we are notified when
+ * its forwarding changes.
+ */
+ aia->aia_sibling = fib_node_child_add (abf_policy_fib_node_type,
+ api,
+ abf_itf_attach_fib_node_type, aiai);
+
+ return (0);
+}
+
+int
+abf_itf_detach (fib_protocol_t fproto, u32 policy_id, u32 sw_if_index)
+{
+ abf_itf_attach_t *aia;
+ u32 index;
+
+ /*
+ * check this is a valid attahment
+ */
+ aia = abf_itf_attach_db_find (policy_id, sw_if_index);
+
+ if (NULL == aia)
+ return (VNET_API_ERROR_ENTRY_ALREADY_EXISTS);
+
+ /*
+ * first remove from the interface's vecotr
+ */
+ ASSERT (abf_per_itf[fproto]);
+ ASSERT (abf_per_itf[fproto][sw_if_index]);
+
+ index = vec_search (abf_per_itf[fproto][sw_if_index],
+ aia - abf_itf_attach_pool);
+
+ ASSERT (index != ~0);
+ vec_del1 (abf_per_itf[fproto][sw_if_index], index);
+
+ if (0 == vec_len (abf_per_itf[fproto][sw_if_index]))
+ {
+ /*
+ * when deleting the last ABF polciy on the interface
+ * we need to disable the interface input feature
+ */
+ vnet_feature_enable_disable ((FIB_PROTOCOL_IP4 == fproto ?
+ "ip4-unicast" :
+ "ip6-unicast"),
+ (FIB_PROTOCOL_IP4 == fproto ?
+ "abf-input-ip4" :
+ "abf-input-ip6"),
+ sw_if_index, 0, NULL, 0);
+
+ /* Return the lookup context, invalidate its id in our records */
+ acl_plugin_put_lookup_context_index (abf_alctx_per_itf[fproto]
+ [sw_if_index]);
+ abf_alctx_per_itf[fproto][sw_if_index] = ~0;
+ }
+ else
+ {
+ vec_sort_with_function (abf_per_itf[fproto][sw_if_index],
+ abf_cmp_attach_for_sort);
+ }
+
+ /* Prepare and set the list of ACLs for lookup within the context */
+ abf_setup_acl_lc (fproto, sw_if_index);
+
+ /*
+ * remove the dependency on the policy
+ */
+ fib_node_child_remove (abf_policy_fib_node_type,
+ aia->aia_abf, aia->aia_sibling);
+
+ /*
+ * remove the attahcment from the DB
+ */
+ abf_itf_attach_db_del (policy_id, sw_if_index);
+
+ /*
+ * release our locks on FIB forwarding data
+ */
+ dpo_reset (&aia->aia_dpo);
+
+ /*
+ * return the object
+ */
+ pool_put (abf_itf_attach_pool, aia);
+
+ return (0);
+}
+
+static u8 *
+format_abf_intf_attach (u8 * s, va_list * args)
+{
+ abf_itf_attach_t *aia = va_arg (*args, abf_itf_attach_t *);
+ abf_policy_t *ap;
+
+ ap = abf_policy_get (aia->aia_abf);
+ s = format (s, "abf-interface-attach: policy:%d prioity:%d",
+ ap->ap_id, aia->aia_prio);
+ s = format (s, "\n %U", format_dpo_id, &aia->aia_dpo, 2);
+
+ return (s);
+}
+
+static clib_error_t *
+abf_itf_attach_cmd (vlib_main_t * vm,
+ unformat_input_t * input, vlib_cli_command_t * cmd)
+{
+ u32 policy_id, sw_if_index;
+ fib_protocol_t fproto;
+ u32 is_del, priority;
+ vnet_main_t *vnm;
+
+ is_del = 0;
+ sw_if_index = policy_id = ~0;
+ vnm = vnet_get_main ();
+ fproto = FIB_PROTOCOL_MAX;
+ priority = 0;
+
+ while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
+ {
+ if (unformat (input, "del"))
+ is_del = 1;
+ else if (unformat (input, "add"))
+ is_del = 0;
+ else if (unformat (input, "ip4"))
+ fproto = FIB_PROTOCOL_IP4;
+ else if (unformat (input, "ip6"))
+ fproto = FIB_PROTOCOL_IP6;
+ else if (unformat (input, "policy %d", &policy_id))
+ ;
+ else if (unformat (input, "priority %d", &priority))
+ ;
+ else if (unformat (input, "%U",
+ unformat_vnet_sw_interface, vnm, &sw_if_index))
+ ;
+ else
+ return (clib_error_return (0, "unknown input '%U'",
+ format_unformat_error, input));
+ }
+
+ if (~0 == policy_id)
+ {
+ return (clib_error_return (0, "invalid policy ID:%d", policy_id));
+ }
+ if (~0 == sw_if_index)
+ {
+ return (clib_error_return (0, "invalid interface name"));
+ }
+ if (FIB_PROTOCOL_MAX == fproto)
+ {
+ return (clib_error_return (0, "Specify either ip4 or ip6"));
+ }
+
+ if (~0 == abf_policy_find (policy_id))
+ return (clib_error_return (0, "invalid policy ID:%d", policy_id));
+
+ if (is_del)
+ abf_itf_detach (fproto, policy_id, sw_if_index);
+ else
+ abf_itf_attach (fproto, policy_id, priority, sw_if_index);
+
+ return (NULL);
+}
+
+/* *INDENT-OFF* */
+/**
+ * Attach an ABF policy to an interface.
+ */
+VLIB_CLI_COMMAND (abf_itf_attach_cmd_node, static) = {
+ .path = "abf attach",
+ .function = abf_itf_attach_cmd,
+ .short_help = "abf attach <ip4|ip6> [del] policy <value> <interface>",
+ // this is not MP safe
+};
+/* *INDENT-ON* */
+
+static clib_error_t *
+abf_show_attach_cmd (vlib_main_t * vm,
+ unformat_input_t * input, vlib_cli_command_t * cmd)
+{
+ const abf_itf_attach_t *aia;
+ u32 sw_if_index, *aiai;
+ fib_protocol_t fproto;
+ vnet_main_t *vnm;
+
+ sw_if_index = ~0;
+ vnm = vnet_get_main ();
+
+ while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
+ {
+ if (unformat (input, "%U",
+ unformat_vnet_sw_interface, vnm, &sw_if_index))
+ ;
+ else
+ return (clib_error_return (0, "unknown input '%U'",
+ format_unformat_error, input));
+ }
+
+ if (~0 == sw_if_index)
+ {
+ vlib_cli_output (vm, "specify an interface");
+ }
+
+ /* *INDENT-OFF* */
+ FOR_EACH_FIB_IP_PROTOCOL(fproto)
+ {
+ if (sw_if_index < vec_len(abf_per_itf[fproto]))
+ {
+ if (vec_len(abf_per_itf[fproto][sw_if_index]))
+ vlib_cli_output(vm, "%U:", format_fib_protocol, fproto);
+
+ vec_foreach(aiai, abf_per_itf[fproto][sw_if_index])
+ {
+ aia = pool_elt_at_index(abf_itf_attach_pool, *aiai);
+ vlib_cli_output(vm, " %U", format_abf_intf_attach, aia);
+ }
+ }
+ }
+ /* *INDENT-ON* */
+ return (NULL);
+}
+
+/* *INDENT-OFF* */
+VLIB_CLI_COMMAND (abf_show_attach_cmd_node, static) = {
+ .path = "show abf attach",
+ .function = abf_show_attach_cmd,
+ .short_help = "show abf attach <interface>",
+ .is_mp_safe = 1,
+};
+/* *INDENT-ON* */
+
+void
+abf_itf_attach_walk (abf_itf_attach_walk_cb_t cb, void *ctx)
+{
+ u32 aii;
+
+ /* *INDENT-OFF* */
+ pool_foreach_index(aii, abf_itf_attach_pool,
+ ({
+ if (!cb(aii, ctx))
+ break;
+ }));
+ /* *INDENT-ON* */
+}
+
+typedef enum abf_next_t_
+{
+ ABF_NEXT_DROP,
+ ABF_N_NEXT,
+} abf_next_t;
+
+typedef struct abf_input_trace_t_
+{
+ abf_next_t next;
+ index_t index;
+} abf_input_trace_t;
+
+typedef enum
+{
+#define abf_error(n,s) ABF_ERROR_##n,
+#include "abf_error.def"
+#undef abf_error
+ ABF_N_ERROR,
+} abf_error_t;
+
+always_inline uword
+abf_input_inline (vlib_main_t * vm,
+ vlib_node_runtime_t * node,
+ vlib_frame_t * frame, fib_protocol_t fproto)
+{
+ u32 n_left_from, *from, *to_next, next_index, matches;
+
+ from = vlib_frame_vector_args (frame);
+ n_left_from = frame->n_vectors;
+ next_index = node->cached_next_index;
+ matches = 0;
+
+ while (n_left_from > 0)
+ {
+ u32 n_left_to_next;
+
+ vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
+
+ while (n_left_from > 0 && n_left_to_next > 0)
+ {
+ const u32 *attachments0;
+ const abf_itf_attach_t *aia0;
+ abf_next_t next0 = ABF_NEXT_DROP;
+ vlib_buffer_t *b0;
+ u32 bi0, sw_if_index0;
+ fa_5tuple_opaque_t fa_5tuple0;
+ u32 match_acl_index = ~0;
+ u32 match_acl_pos = ~0;
+ u32 match_rule_index = ~0;
+ u32 trace_bitmap = 0;
+ u8 action;
+
+ bi0 = from[0];
+ to_next[0] = bi0;
+ from += 1;
+ to_next += 1;
+ n_left_from -= 1;
+ n_left_to_next -= 1;
+
+ b0 = vlib_get_buffer (vm, bi0);
+ sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
+
+ ASSERT (vec_len (abf_per_itf[fproto]) > sw_if_index0);
+ attachments0 = abf_per_itf[fproto][sw_if_index0];
+
+ ASSERT (vec_len (abf_alctx_per_itf[fproto]) > sw_if_index0);
+ /*
+ * check if any of the policies attached to this interface matches.
+ */
+ u32 lc_index = abf_alctx_per_itf[fproto][sw_if_index0];
+
+ acl_plugin_fill_5tuple (lc_index, b0, (FIB_PROTOCOL_IP6 == fproto),
+ 1, 0, &fa_5tuple0);
+
+ if (acl_plugin_match_5tuple
+ (lc_index, &fa_5tuple0, (FIB_PROTOCOL_IP6 == fproto), &action,
+ &match_acl_pos, &match_acl_index, &match_rule_index,
+ &trace_bitmap))
+ {
+ /*
+ * match:
+ * follow the DPO chain
+ */
+ aia0 = abf_itf_attach_get (attachments0[match_acl_pos]);
+
+ next0 = aia0->aia_dpo.dpoi_next_node;
+ vnet_buffer (b0)->ip.adj_index[VLIB_TX] =
+ aia0->aia_dpo.dpoi_index;
+ matches++;
+ }
+ else
+ {
+ /*
+ * miss:
+ * move on down the feature arc
+ */
+ vnet_feature_next (sw_if_index0, &next0, b0);
+ }
+
+ if (PREDICT_FALSE (b0->flags & VLIB_BUFFER_IS_TRACED))
+ {
+ abf_input_trace_t *tr;
+
+ tr = vlib_add_trace (vm, node, b0, sizeof (*tr));
+ tr->next = next0;
+ tr->index = vnet_buffer (b0)->ip.adj_index[VLIB_TX];
+ }
+
+ /* verify speculative enqueue, maybe switch current next frame */
+ vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
+ to_next, n_left_to_next, bi0,
+ next0);
+ }
+
+ vlib_put_next_frame (vm, node, next_index, n_left_to_next);
+ }
+
+ vlib_node_increment_counter (vm,
+ (fproto = FIB_PROTOCOL_IP6 ?
+ abf_ip4_node.index :
+ abf_ip6_node.index),
+ ABF_ERROR_MATCHED, matches);
+
+ return frame->n_vectors;
+}
+
+static uword
+abf_input_ip4 (vlib_main_t * vm,
+ vlib_node_runtime_t * node, vlib_frame_t * frame)
+{
+ return abf_input_inline (vm, node, frame, FIB_PROTOCOL_IP4);
+}
+
+static uword
+abf_input_ip6 (vlib_main_t * vm,
+ vlib_node_runtime_t * node, vlib_frame_t * frame)
+{
+ return abf_input_inline (vm, node, frame, FIB_PROTOCOL_IP6);
+}
+
+static u8 *
+format_abf_input_trace (u8 * s, va_list * args)
+{
+ CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
+ CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
+ abf_input_trace_t *t = va_arg (*args, abf_input_trace_t *);
+
+ s = format (s, " next %d index %d", t->next, t->index);
+ return s;
+}
+
+static char *abf_error_strings[] = {
+#define abf_error(n,s) s,
+#include "abf_error.def"
+#undef abf_error
+};
+
+/* *INDENT-OFF* */
+VLIB_REGISTER_NODE (abf_ip4_node) =
+{
+ .function = abf_input_ip4,
+ .name = "abf-input-ip4",
+ .vector_size = sizeof (u32),
+ .format_trace = format_abf_input_trace,
+ .type = VLIB_NODE_TYPE_INTERNAL,
+ .n_errors = ABF_N_ERROR,
+ .error_strings = abf_error_strings,
+ .n_next_nodes = ABF_N_NEXT,
+ .next_nodes =
+ {
+ [ABF_NEXT_DROP] = "error-drop",
+ }
+};
+
+VLIB_REGISTER_NODE (abf_ip6_node) =
+{
+ .function = abf_input_ip6,
+ .name = "abf-input-ip6",
+ .vector_size = sizeof (u32),
+ .format_trace = format_abf_input_trace,
+ .type = VLIB_NODE_TYPE_INTERNAL,
+ .n_errors = 0,
+ .n_next_nodes = ABF_N_NEXT,
+
+ .next_nodes =
+ {
+ [ABF_NEXT_DROP] = "error-drop",
+ }
+};
+
+VNET_FEATURE_INIT (abf_ip4_feat, static) =
+{
+ .arc_name = "ip4-unicast",
+ .node_name = "abf-input-ip4",
+ .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"),
+};
+
+VNET_FEATURE_INIT (abf_ip6_feat, static) =
+{
+ .arc_name = "ip6-unicast",
+ .node_name = "abf-input-ip6",
+ .runs_after = VNET_FEATURES ("acl-plugin-in-ip6-fa"),
+};
+/* *INDENT-ON* */
+
+static fib_node_t *
+abf_itf_attach_get_node (fib_node_index_t index)
+{
+ abf_itf_attach_t *aia = abf_itf_attach_get (index);
+ return (&(aia->aia_node));
+}
+
+static abf_itf_attach_t *
+abf_itf_attach_get_from_node (fib_node_t * node)
+{
+ return ((abf_itf_attach_t *) (((char *) node) -
+ STRUCT_OFFSET_OF (abf_itf_attach_t,
+ aia_node)));
+}
+
+static void
+abf_itf_attach_last_lock_gone (fib_node_t * node)
+{
+ /*
+ * ABF interface attachments are leaves on the graph.
+ * we do not manage locks from children.
+ */
+}
+
+/*
+ * abf_itf_attach_back_walk_notify
+ *
+ * A back walk has reached this BIER fmask
+ */
+static fib_node_back_walk_rc_t
+abf_itf_attach_back_walk_notify (fib_node_t * node,
+ fib_node_back_walk_ctx_t * ctx)
+{
+ /*
+ * re-stack the fmask on the n-eos of the via
+ */
+ abf_itf_attach_t *aia = abf_itf_attach_get_from_node (node);
+
+ abf_itf_attach_stack (aia);
+
+ return (FIB_NODE_BACK_WALK_CONTINUE);
+}
+
+/*
+ * The BIER fmask's graph node virtual function table
+ */
+static const fib_node_vft_t abf_itf_attach_vft = {
+ .fnv_get = abf_itf_attach_get_node,
+ .fnv_last_lock = abf_itf_attach_last_lock_gone,
+ .fnv_back_walk = abf_itf_attach_back_walk_notify,
+};
+
+static clib_error_t *
+abf_itf_bond_init (vlib_main_t * vm)
+{
+ abf_itf_attach_fib_node_type =
+ fib_node_register_new_type (&abf_itf_attach_vft);
+ clib_error_t *acl_init_res = acl_plugin_exports_init ();
+ if (acl_init_res)
+ return (acl_init_res);
+
+ abf_acl_user_id =
+ acl_plugin_register_user_module ("abp plugin", "sw_if_index", NULL);
+
+ return (NULL);
+}
+
+VLIB_INIT_FUNCTION (abf_itf_bond_init);
+
+/*
+ * fd.io coding-style-patch-verification: ON
+ *
+ * Local Variables:
+ * eval: (c-set-style "gnu")
+ * End:
+ */