author | 2024-11-06 14:33:12 +0000 | |
---|---|---|
committer | 2025-01-17 17:27:06 +0000 | |
commit | 102575492c9199259aa5e468f21b46936d7a1ac4 (patch) | |
tree | f7fbad6cfa602d8a56fd3e68a9d4a4611e062b5d /src/plugins/snort/snort_api.c | |
parent | b33331925583a83c36aed67521b78e1f3db12a8c (diff) |
snort: support multiple instances per interface
Implements load balancing between snort instances via flow hash.
New CLI commands have been made to support these changes:
snort attach instance <name1>
[instance <name2> ... ] interface <ifname> [input|output|inout]
snort attach all-instances interface <ifname> [input|output|inout]
snort detach instance <name1> interface <ifname>
snort detach all-instances interface <ifname>
The output of "show snort interfaces" has an extra column to show the
direction of each attachment:
interface instances direction
Ethernet0: snort1 inout
snort2 inout
snort3 inout
Ethernet1: snort1 input
snort3 output
To maintain backwards compatibility for the snort api, the
snort_interface_get api endpoint only returns one of the attached
instances and the snort_interface_detach endpoint detaches all
attached instances.
Type: improvement
Signed-off-by: Agathiyan Bragadeesh <agathiyan.bragadeesh2@arm.com>
Change-Id: I6b7c26c203496d6a1dba244620907f28c04bb478
Diffstat (limited to 'src/plugins/snort/snort_api.c')
-rw-r--r-- | src/plugins/snort/snort_api.c | 43 |
1 files changed, 31 insertions, 12 deletions
diff --git a/src/plugins/snort/snort_api.c b/src/plugins/snort/snort_api.c index adad0d8763f..4016dfad63f 100644 --- a/src/plugins/snort/snort_api.c +++ b/src/plugins/snort/snort_api.c @@ -185,7 +185,8 @@ vl_api_snort_interface_get_t_handler (vl_api_snort_interface_get_t *mp) snort_main_t *sm = snort_get_main (); vl_api_snort_interface_get_reply_t *rmp; u32 sw_if_index; - u32 *index; + u32 *instances; + u32 index; int rv = 0; sw_if_index = clib_net_to_host_u32 (mp->sw_if_index); @@ -193,7 +194,7 @@ vl_api_snort_interface_get_t_handler (vl_api_snort_interface_get_t *mp) if (sw_if_index == INDEX_INVALID) { /* clang-format off */ - if (vec_len (sm->instance_by_sw_if_index) == 0) + if (vec_len (sm->interfaces) == 0) { REPLY_MACRO2 (VL_API_SNORT_INTERFACE_GET_REPLY, ({ rmp->cursor = ~0; })); return; 
@@ -201,17 +202,36 @@ vl_api_snort_interface_get_t_handler (vl_api_snort_interface_get_t *mp) REPLY_AND_DETAILS_VEC_MACRO( VL_API_SNORT_INTERFACE_GET_REPLY, - sm->instance_by_sw_if_index, + sm->interfaces, mp, rmp, rv, ({ - index = vec_elt_at_index (sm->instance_by_sw_if_index, cursor); - send_snort_interface_details (cursor, *index, rp, mp->context); + instances = vec_len(sm->interfaces[cursor].input_instance_indices) ? + sm->interfaces[cursor].input_instance_indices : sm->interfaces[cursor].output_instance_indices; + if (vec_len(instances) == 0) + { + index = ~0; + } + else { + index = instances[0]; + } + send_snort_interface_details (cursor, index, rp, mp->context); })) /* clang-format on */ } else { - index = vec_elt_at_index (sm->instance_by_sw_if_index, sw_if_index); - if (snort_get_instance_by_index (index[0])) + instances = + vec_len (sm->interfaces[sw_if_index].input_instance_indices) ? + sm->interfaces[sw_if_index].input_instance_indices : + sm->interfaces[sw_if_index].output_instance_indices; + if (vec_len (instances) == 0) + { + index = ~0; + } + else + { + index = instances[0]; + } + if (snort_get_instance_by_index (index)) { vl_api_registration_t *rp = vl_api_client_index_to_registration (mp->client_index); @@ -221,7 +241,8 @@ vl_api_snort_interface_get_t_handler (vl_api_snort_interface_get_t *mp) return; } - send_snort_interface_details (sw_if_index, *index, rp, mp->context); + send_snort_interface_details (sw_if_index, *instances, rp, + mp->context); } else { 
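Review bot: In the `else` branch, `sm->interfaces[sw_if_index]` is subscripted with the `sw_if_index` decoded from the API message and is never compared with `vec_len (sm->interfaces)`, so a client-supplied index past the end of the vector is read out of bounds. The removed code went through `vec_elt_at_index`, which at least asserts the bound in debug images; the plain subscript drops that check as well. A guard ahead of the lookup, for example `if (sw_if_index >= vec_len (sm->interfaces)) index = ~0; else { /* pick instances[0] */ }`, would send invalid indices to the existing error reply, assuming `snort_get_instance_by_index` returns NULL for `~0` (not visible in this diff). The input-then-output selection is also written out twice in this hunk and would read better as one small `static` helper; the handler body starts and ends outside the hunk.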
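Review bot: The reply is built from `*instances` although `index` was computed from the same vector a few lines earlier in this handler, so the two can only agree while the vector is non-empty. Passing the computed value, `send_snort_interface_details (sw_if_index, index, rp, mp->context);`, avoids the second dereference. As written the dereference is safe only because this branch is reached after `snort_get_instance_by_index (index)` succeeded, which presumably implies a non-empty vector; using `index` removes that hidden dependency.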
@@ -352,11 +373,9 @@ vl_api_snort_interface_detach_t_handler (vl_api_snort_interface_detach_t *mp) vlib_main_t *vm = vlib_get_main (); vl_api_snort_interface_detach_reply_t *rmp; u32 sw_if_index = clib_net_to_host_u32 (mp->sw_if_index); - int rv = VNET_API_ERROR_NO_MATCHING_INTERFACE; + int rv; - if (sw_if_index != INDEX_INVALID) - rv = snort_interface_enable_disable (vm, NULL, sw_if_index, - 0 /* is_enable */, SNORT_INOUT); + rv = snort_interface_disable_all (vm, sw_if_index); REPLY_MACRO (VL_API_SNORT_INTERFACE_DETACH_REPLY); } |
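Review bot: The `sw_if_index != INDEX_INVALID` guard is removed, so the value decoded from the API message now goes straight into `snort_interface_disable_all`, whose own validation is not part of this file's diff. If that function does not range-check `sw_if_index` against the interface vector, a detach request carrying `~0` or any other out-of-range index would index past it. Either confirm the callee rejects such values or keep the check in the handler: `rv = (sw_if_index == INDEX_INVALID) ? VNET_API_ERROR_NO_MATCHING_INTERFACE : snort_interface_disable_all (vm, sw_if_index);`. A one-line comment that this endpoint detaches every attached instance for backward compatibility would also help the next reader.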