diff options
| author |   Andrew Yourtchenko <ayourtch@gmail.com> | 2018-05-24 16:53:27 +0200 |
|---|---|---|
| committer |   Damjan Marion <dmarion.lists@gmail.com> | 2018-05-26 16:56:02 +0000 |
| commit | a34c08c8c5a505e55178a9a8ef5391224d5460a5 (patch) | |
| tree | 961461e2a4261dcea81b21e2eddfb026c3d01b8e /src/plugins/acl/public_inlines.h | |
| parent | c6f186b23d00685b3e9f132ba79a5cb44f0a44c0 (diff) | |
acl-plugin: create forward and return sessions in lieu of making a special per-packet session key
Using a separate session key has proven to be tricky for the following reasons:
- it's a lot of storage to have what looks to be nearly identical to 5tuple,
just maybe with some fields swapped
- shuffling the fields from 5tuple adds to memory pressure
- the fact that the fields do not coincide with the packet memory
means for any staged processing we need to use up a lot of memory
Thus, just add two entries into the bihash table pointing to
the same session entry, so we could match the packets from either
direction.
With this we have the key layout of L3 info (which takes up
the majority of space for IPv6 case) the same as in the packet,
thus, opening up the possibility for other optimizations.
Not having to create and store a separate session key
should also give us a small performance win in itself.
Also, add the routine to show the session bihash in a better
way than a bunch of numbers.
Alas, the memory usage in the bihash obviously doubles.
Change-Id: I8fd2ed4714ad7fc447c4fa224d209bc0b736b371
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Diffstat (limited to 'src/plugins/acl/public_inlines.h')
| -rw-r--r-- | src/plugins/acl/public_inlines.h | 24 |
1 files changed, 9 insertions, 15 deletions
diff --git a/src/plugins/acl/public_inlines.h b/src/plugins/acl/public_inlines.h index a2b8fc96d3c..3e6c95ad6d9 100644 --- a/src/plugins/acl/public_inlines.h +++ b/src/plugins/acl/public_inlines.h @@ -192,7 +192,7 @@ acl_fill_5tuple (acl_main_t * am, vlib_buffer_t * b0, int is_ip6, int l3_offset; int l4_offset; u16 ports[2]; - u16 proto; + u8 proto; if (is_l2_path) { @@ -307,6 +307,8 @@ acl_fill_5tuple (acl_main_t * am, vlib_buffer_t * b0, int is_ip6, } p5tuple_pkt->l4.proto = proto; + p5tuple_pkt->l4.is_input = is_input; + if (PREDICT_TRUE (offset_within_packet (b0, l4_offset))) { p5tuple_pkt->pkt.l4_valid = 1; @@ -322,6 +324,7 @@ acl_fill_5tuple (acl_main_t * am, vlib_buffer_t * b0, int is_ip6, *(u8 *) get_ptr_to_offset (b0, l4_offset + offsetof (icmp46_header_t, code)); + p5tuple_pkt->l4.is_slowpath = 1; } else if ((IP_PROTOCOL_TCP == proto) || (IP_PROTOCOL_UDP == proto)) { @@ -338,21 +341,12 @@ acl_fill_5tuple (acl_main_t * am, vlib_buffer_t * b0, int is_ip6, l4_offset + offsetof (tcp_header_t, flags)); p5tuple_pkt->pkt.tcp_flags_valid = (proto == IP_PROTOCOL_TCP); + p5tuple_pkt->l4.is_slowpath = 0; } - /* - * FIXME: rather than the above conditional, here could - * be a nice generic mechanism to extract two L4 values: - * - * have a per-protocol array of 4 elements like this: - * u8 offset; to take the byte from, off L4 header - * u8 mask; to mask it with, before storing - * - * this way we can describe UDP, TCP and ICMP[46] semantics, - * and add a sort of FPM-type behavior for other protocols. - * - * Of course, is it faster ? and is it needed ? - * - */ + else + { + p5tuple_pkt->l4.is_slowpath = 1; + } } } |