diff options
author | Andrew Yourtchenko <ayourtch@gmail.com> | 2018-03-28 14:33:48 +0200 |
---|---|---|
committer | Damjan Marion <dmarion.lists@gmail.com> | 2018-03-30 20:48:01 +0000 |
commit | 17ddc0fee1bc20d0da84dd70bb579c8844a48ef4 (patch) | |
tree | 1b7444cfc8a6ff4fad13a5fed69d8503ae8cf7af /src/plugins/acl/fa_node.h | |
parent | 6091d230e3786c635eea3513d73af45081a5770c (diff) |
acl-plugin: implement an optional session reclassification when ACL is (re-)applied
There were several discussions in which users would expect the sessions to be deleted
if the new policy after the change does not permit them.
There is no right or wrong answer to this question - it is a policy decision.
This patch implements an idea to approach this. It uses a per-interface-per-direction counter to designate
a "policy epoch" - a period of unchanging rulesets. The moment one removes or adds an ACL applied to
an interface, this counter increments.
The newly created connections inherit the current policy epoch in a given direction.
Likewise, this counter increments if anyone updates an ACL applied to an interface.
There is also a new (so far hidden) CLI "set acl-plugin reclassify-sessions [0|1]"
(with default being 0) which allows to enable the checking of the existing sessions
against the current policy epoch in a given direction.
The session is not verified unless there is traffic hitting that session
*in the direction of the policy creation* - if the epoch has changed,
the session is deleted and within the same processing cycle is evaluated
against the ACL rule base and recreated - thus, it should allow traffic-driven
session state refresh without affecting the connectivity for the existing sessions.
If the packet is coming in the direction opposite to which the session was initially
created, the state adjustment is never done, because doing so generically
is not really possible without diving too deep into the special cases,
which may or may not work.
Change-Id: I9e90426492d4bd474b5e89ea8dfb75a7c9de2646
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Diffstat (limited to 'src/plugins/acl/fa_node.h')
-rw-r--r-- | src/plugins/acl/fa_node.h | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/src/plugins/acl/fa_node.h b/src/plugins/acl/fa_node.h index dc4f87f0eb1..263cf1431e6 100644 --- a/src/plugins/acl/fa_node.h +++ b/src/plugins/acl/fa_node.h @@ -76,6 +76,10 @@ typedef struct { u64 reserved2[5]; /* +5*8 bytes = 64 */ } fa_session_t; +#define FA_POLICY_EPOCH_MASK 0x7fff +/* input policy epochs have the MSB set */ +#define FA_POLICY_EPOCH_IS_INPUT 0x8000 + /* This structure is used to fill in the u64 value in the per-sw-if-index hash table */ @@ -85,7 +89,7 @@ typedef struct { struct { u32 session_index; u16 thread_index; - u16 reserved0; + u16 intf_policy_epoch; }; }; } fa_full_session_id_t; @@ -117,6 +121,8 @@ typedef struct { /* adds and deletes per-worker-per-interface */ u64 *fa_session_dels_by_sw_if_index; u64 *fa_session_adds_by_sw_if_index; + /* sessions deleted due to epoch change */ + u64 *fa_session_epoch_change_by_sw_if_index; /* Vector of expired connections retrieved from lists */ u32 *expired; /* the earliest next expiry time */ |