diff options
author | Andrew Yourtchenko <ayourtch@gmail.com> | 2017-03-21 10:31:55 +0100 |
---|---|---|
committer | Ole Trøan <otroan@employees.org> | 2017-03-21 17:36:24 +0000 |
commit | d2a59bed1e6b368a46608fd8ff631b770af8805f (patch) | |
tree | 5beda9aba7bd19f552e91f040016c329ad5fe88b /src/plugins/acl/acl.h | |
parent | 4868ff65eddfd694a1485d6c6c355f9a8ca9011d (diff) |
ACL plugin 1.2
L3 path support, L2+L3 unified processing node, skip IPv6 EH support.
Change-Id: Iac37a466ba1c035e5c2997b03c0743bfec5c9a08
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Diffstat (limited to 'src/plugins/acl/acl.h')
-rw-r--r-- | src/plugins/acl/acl.h | 122 |
1 files changed, 119 insertions, 3 deletions
diff --git a/src/plugins/acl/acl.h b/src/plugins/acl/acl.h index 0252ff388d8..47523636d48 100644 --- a/src/plugins/acl/acl.h +++ b/src/plugins/acl/acl.h @@ -22,10 +22,13 @@ #include <vppinfra/hash.h> #include <vppinfra/error.h> +#include <vppinfra/bitmap.h> #include <vppinfra/elog.h> +#include "bihash_40_8.h" +#include "fa_node.h" #define ACL_PLUGIN_VERSION_MAJOR 1 -#define ACL_PLUGIN_VERSION_MINOR 1 +#define ACL_PLUGIN_VERSION_MINOR 2 extern vlib_node_registration_t acl_in_node; extern vlib_node_registration_t acl_out_node; @@ -33,6 +36,14 @@ extern vlib_node_registration_t acl_out_node; void input_acl_packet_match(u32 sw_if_index, vlib_buffer_t * b0, u32 *nextp, u32 *acl_match_p, u32 *rule_match_p, u32 *trace_bitmap); void output_acl_packet_match(u32 sw_if_index, vlib_buffer_t * b0, u32 *nextp, u32 *acl_match_p, u32 *rule_match_p, u32 *trace_bitmap); +enum acl_timeout_e { + ACL_TIMEOUT_UDP_IDLE = 0, + ACL_TIMEOUT_TCP_IDLE, + ACL_TIMEOUT_TCP_TRANSIENT, + ACL_N_TIMEOUTS +}; + + enum address_e { IP4, IP6 }; typedef struct { @@ -118,8 +129,8 @@ typedef struct { u32 *macip_acl_by_sw_if_index; /* next indices for our nodes in the l2-classify tables */ - u32 l2_input_classify_next_acl; - u32 l2_output_classify_next_acl; + u32 l2_input_classify_next_acl_old; + u32 l2_output_classify_next_acl_old; /* next node indices for feature bitmap */ u32 acl_in_node_feat_next_node_index[32]; @@ -133,12 +144,117 @@ typedef struct { u32 acl_out_ip6_match_next[256]; u32 n_match_actions; + /* bitmaps when set the processing is enabled on the interface */ + uword *fa_in_acl_on_sw_if_index; + uword *fa_out_acl_on_sw_if_index; + /* bitmap, when set the hash is initialized */ + uword *fa_sessions_on_sw_if_index; + clib_bihash_40_8_t *fa_sessions_by_sw_if_index; + /* pool for FA session data. See fa_node.h */ + fa_session_t *fa_sessions_pool; + /* The process node which is responsible to deleting the sessions */ + u32 fa_cleaner_node_index; + /* FA session timeouts, in seconds */ + u32 session_timeout_sec[ACL_N_TIMEOUTS]; + /* session add/delete counters */ + u64 *fa_session_adds_by_sw_if_index; + u64 *fa_session_dels_by_sw_if_index; + + /* L2 datapath glue */ + + /* active next indices within L2 classifiers - switch old/new path */ + u32 l2_input_classify_next_acl_ip4; + u32 l2_input_classify_next_acl_ip6; + u32 l2_output_classify_next_acl_ip4; + u32 l2_output_classify_next_acl_ip6; + /* saved next indices within L2 classifiers for ip4/ip6 fa L2 nodes */ + u32 fa_l2_input_classify_next_acl_ip4; + u32 fa_l2_input_classify_next_acl_ip6; + u32 fa_l2_output_classify_next_acl_ip4; + u32 fa_l2_output_classify_next_acl_ip6; + /* next node indices for L2 dispatch */ + u32 fa_acl_in_ip4_l2_node_feat_next_node_index[32]; + u32 fa_acl_in_ip6_l2_node_feat_next_node_index[32]; + u32 fa_acl_out_ip4_l2_node_feat_next_node_index[32]; + u32 fa_acl_out_ip6_l2_node_feat_next_node_index[32]; + + /* EH values that we can skip over */ + uword *fa_ipv6_known_eh_bitmap; + + /* conn table per-interface conn table parameters */ + u32 fa_conn_table_hash_num_buckets; + uword fa_conn_table_hash_memory_size; + u64 fa_conn_table_max_entries; + + /* + * If the cleaner has to delete more than this number + * of connections, it halves the sleep time. + */ + +#define ACL_FA_DEFAULT_MAX_DELETED_SESSIONS_PER_INTERVAL 100 + u64 fa_max_deleted_sessions_per_interval; + + /* + * If the cleaner deletes less than these connections, + * it increases the wait time by the "increment" + */ + +#define ACL_FA_DEFAULT_MIN_DELETED_SESSIONS_PER_INTERVAL 1 + u64 fa_min_deleted_sessions_per_interval; + +#define ACL_FA_DEFAULT_CLEANER_WAIT_TIME_INCREMENT 0.1 + f64 fa_cleaner_wait_time_increment; + + u64 fa_current_cleaner_timer_wait_interval; + u32 fa_conn_list_head[ACL_N_TIMEOUTS]; + u32 fa_conn_list_tail[ACL_N_TIMEOUTS]; + /* convenience */ vlib_main_t * vlib_main; vnet_main_t * vnet_main; } acl_main_t; +#define foreach_acl_eh \ + _(HOPBYHOP , 0 , "IPv6ExtHdrHopByHop") \ + _(ROUTING , 43 , "IPv6ExtHdrRouting") \ + _(DESTOPT , 60 , "IPv6ExtHdrDestOpt") \ + _(MOBILITY , 135, "Mobility Header") \ + _(HIP , 139, "Experimental use Host Identity Protocol") \ + _(SHIM6 , 140, "Shim6 Protocol") \ + _(EXP1 , 253, "Use for experimentation and testing") \ + _(EXP2 , 254, "Use for experimentation and testing") + +/* + + "No Next Header" is not a header. + Also, Fragment header needs special processing. + + _(NONEXT , 59 , "NoNextHdr") \ + _(FRAGMENT , 44 , "IPv6ExtHdrFragment") \ + + +ESP is hiding its internal format, so no point in trying to go past it. + + _(ESP , 50 , "EncapsulatingSecurityPayload") \ + + +AH has a special treatment of its length, it is in 32-bit words, not 64-bit words like the rest. + + _(AUTH , 51 , "Authentication Header") \ + + +*/ + + + typedef enum { + #define _(N, v, s) ACL_EH_##N = v, + foreach_acl_eh + #undef _ + } acl_eh_t; + + + extern acl_main_t acl_main; |