summaryrefslogtreecommitdiffstats
path: root/src/plugins/acl/acl.h
diff options
context:
space:
mode:
authorAndrew Yourtchenko <ayourtch@gmail.com>2017-03-21 10:31:55 +0100
committerOle Trøan <otroan@employees.org>2017-03-21 17:36:24 +0000
commitd2a59bed1e6b368a46608fd8ff631b770af8805f (patch)
tree5beda9aba7bd19f552e91f040016c329ad5fe88b /src/plugins/acl/acl.h
parent4868ff65eddfd694a1485d6c6c355f9a8ca9011d (diff)
ACL plugin 1.2
L3 path support, L2+L3 unified processing node, skip IPv6 EH support. Change-Id: Iac37a466ba1c035e5c2997b03c0743bfec5c9a08 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Diffstat (limited to 'src/plugins/acl/acl.h')
-rw-r--r--src/plugins/acl/acl.h122
1 files changed, 119 insertions, 3 deletions
diff --git a/src/plugins/acl/acl.h b/src/plugins/acl/acl.h
index 0252ff388d8..47523636d48 100644
--- a/src/plugins/acl/acl.h
+++ b/src/plugins/acl/acl.h
@@ -22,10 +22,13 @@
#include <vppinfra/hash.h>
#include <vppinfra/error.h>
+#include <vppinfra/bitmap.h>
#include <vppinfra/elog.h>
+#include "bihash_40_8.h"
+#include "fa_node.h"
#define ACL_PLUGIN_VERSION_MAJOR 1
-#define ACL_PLUGIN_VERSION_MINOR 1
+#define ACL_PLUGIN_VERSION_MINOR 2
extern vlib_node_registration_t acl_in_node;
extern vlib_node_registration_t acl_out_node;
@@ -33,6 +36,14 @@ extern vlib_node_registration_t acl_out_node;
void input_acl_packet_match(u32 sw_if_index, vlib_buffer_t * b0, u32 *nextp, u32 *acl_match_p, u32 *rule_match_p, u32 *trace_bitmap);
void output_acl_packet_match(u32 sw_if_index, vlib_buffer_t * b0, u32 *nextp, u32 *acl_match_p, u32 *rule_match_p, u32 *trace_bitmap);
+enum acl_timeout_e {
+ ACL_TIMEOUT_UDP_IDLE = 0,
+ ACL_TIMEOUT_TCP_IDLE,
+ ACL_TIMEOUT_TCP_TRANSIENT,
+ ACL_N_TIMEOUTS
+};
+
+
enum address_e { IP4, IP6 };
typedef struct
{
@@ -118,8 +129,8 @@ typedef struct {
u32 *macip_acl_by_sw_if_index;
/* next indices for our nodes in the l2-classify tables */
- u32 l2_input_classify_next_acl;
- u32 l2_output_classify_next_acl;
+ u32 l2_input_classify_next_acl_old;
+ u32 l2_output_classify_next_acl_old;
/* next node indices for feature bitmap */
u32 acl_in_node_feat_next_node_index[32];
@@ -133,12 +144,117 @@ typedef struct {
u32 acl_out_ip6_match_next[256];
u32 n_match_actions;
+ /* bitmaps when set the processing is enabled on the interface */
+ uword *fa_in_acl_on_sw_if_index;
+ uword *fa_out_acl_on_sw_if_index;
+ /* bitmap, when set the hash is initialized */
+ uword *fa_sessions_on_sw_if_index;
+ clib_bihash_40_8_t *fa_sessions_by_sw_if_index;
+ /* pool for FA session data. See fa_node.h */
+ fa_session_t *fa_sessions_pool;
+ /* The process node which is responsible to deleting the sessions */
+ u32 fa_cleaner_node_index;
+ /* FA session timeouts, in seconds */
+ u32 session_timeout_sec[ACL_N_TIMEOUTS];
+ /* session add/delete counters */
+ u64 *fa_session_adds_by_sw_if_index;
+ u64 *fa_session_dels_by_sw_if_index;
+
+ /* L2 datapath glue */
+
+ /* active next indices within L2 classifiers - switch old/new path */
+ u32 l2_input_classify_next_acl_ip4;
+ u32 l2_input_classify_next_acl_ip6;
+ u32 l2_output_classify_next_acl_ip4;
+ u32 l2_output_classify_next_acl_ip6;
+ /* saved next indices within L2 classifiers for ip4/ip6 fa L2 nodes */
+ u32 fa_l2_input_classify_next_acl_ip4;
+ u32 fa_l2_input_classify_next_acl_ip6;
+ u32 fa_l2_output_classify_next_acl_ip4;
+ u32 fa_l2_output_classify_next_acl_ip6;
+ /* next node indices for L2 dispatch */
+ u32 fa_acl_in_ip4_l2_node_feat_next_node_index[32];
+ u32 fa_acl_in_ip6_l2_node_feat_next_node_index[32];
+ u32 fa_acl_out_ip4_l2_node_feat_next_node_index[32];
+ u32 fa_acl_out_ip6_l2_node_feat_next_node_index[32];
+
+ /* EH values that we can skip over */
+ uword *fa_ipv6_known_eh_bitmap;
+
+ /* conn table per-interface conn table parameters */
+ u32 fa_conn_table_hash_num_buckets;
+ uword fa_conn_table_hash_memory_size;
+ u64 fa_conn_table_max_entries;
+
+ /*
+ * If the cleaner has to delete more than this number
+ * of connections, it halves the sleep time.
+ */
+
+#define ACL_FA_DEFAULT_MAX_DELETED_SESSIONS_PER_INTERVAL 100
+ u64 fa_max_deleted_sessions_per_interval;
+
+ /*
+ * If the cleaner deletes less than these connections,
+ * it increases the wait time by the "increment"
+ */
+
+#define ACL_FA_DEFAULT_MIN_DELETED_SESSIONS_PER_INTERVAL 1
+ u64 fa_min_deleted_sessions_per_interval;
+
+#define ACL_FA_DEFAULT_CLEANER_WAIT_TIME_INCREMENT 0.1
+ f64 fa_cleaner_wait_time_increment;
+
+ u64 fa_current_cleaner_timer_wait_interval;
+ u32 fa_conn_list_head[ACL_N_TIMEOUTS];
+ u32 fa_conn_list_tail[ACL_N_TIMEOUTS];
+
/* convenience */
vlib_main_t * vlib_main;
vnet_main_t * vnet_main;
} acl_main_t;
+#define foreach_acl_eh \
+ _(HOPBYHOP , 0 , "IPv6ExtHdrHopByHop") \
+ _(ROUTING , 43 , "IPv6ExtHdrRouting") \
+ _(DESTOPT , 60 , "IPv6ExtHdrDestOpt") \
+ _(MOBILITY , 135, "Mobility Header") \
+ _(HIP , 139, "Experimental use Host Identity Protocol") \
+ _(SHIM6 , 140, "Shim6 Protocol") \
+ _(EXP1 , 253, "Use for experimentation and testing") \
+ _(EXP2 , 254, "Use for experimentation and testing")
+
+/*
+
+ "No Next Header" is not a header.
+ Also, Fragment header needs special processing.
+
+ _(NONEXT , 59 , "NoNextHdr") \
+ _(FRAGMENT , 44 , "IPv6ExtHdrFragment") \
+
+
+ESP is hiding its internal format, so no point in trying to go past it.
+
+ _(ESP , 50 , "EncapsulatingSecurityPayload") \
+
+
+AH has a special treatment of its length, it is in 32-bit words, not 64-bit words like the rest.
+
+ _(AUTH , 51 , "Authentication Header") \
+
+
+*/
+
+
+ typedef enum {
+ #define _(N, v, s) ACL_EH_##N = v,
+ foreach_acl_eh
+ #undef _
+ } acl_eh_t;
+
+
+
extern acl_main_t acl_main;