Diffstat (limited to 'src/plugins/acl')
-rw-r--r-- | src/plugins/acl/dataplane_node.c | 37 | ||||
-rw-r--r-- | src/plugins/acl/fa_node.h | 15 | ||||
-rw-r--r-- | src/plugins/acl/hash_lookup.c | 51 | ||||
-rw-r--r-- | src/plugins/acl/public_inlines.h | 84 | ||||
-rw-r--r-- | src/plugins/acl/sess_mgmt_node.c | 32 | ||||
-rw-r--r-- | src/plugins/acl/session_inlines.h | 34 |
6 files changed, 156 insertions, 97 deletions
diff --git a/src/plugins/acl/dataplane_node.c b/src/plugins/acl/dataplane_node.c
index f1ed4c28b99..dead2ec131e 100644
--- a/src/plugins/acl/dataplane_node.c
+++ b/src/plugins/acl/dataplane_node.c
@@ -414,19 +414,30 @@ format_fa_5tuple (u8 * s, va_list * args)
 {
 fa_5tuple_t *p5t = va_arg (*args, fa_5tuple_t *);
- return format (s, "lc_index %d (lsb16 of sw_if_index %d) l3 %s%s %U -> %U"
- " l4 proto %d l4_valid %d port %d -> %d tcp flags (%s) %02x rsvd %x",
- p5t->pkt.lc_index, p5t->l4.lsb_of_sw_if_index,
- p5t->pkt.is_ip6 ? "ip6" : "ip4",
- p5t->pkt.is_nonfirst_fragment ? " non-initial fragment" : "",
- format_ip46_address, &p5t->addr[0],
- p5t->pkt.is_ip6 ? IP46_TYPE_IP6 : IP46_TYPE_IP4,
- format_ip46_address, &p5t->addr[1],
- p5t->pkt.is_ip6 ? IP46_TYPE_IP6 : IP46_TYPE_IP4,
- p5t->l4.proto, p5t->pkt.l4_valid, p5t->l4.port[0],
- p5t->l4.port[1],
- p5t->pkt.tcp_flags_valid ? "valid" : "invalid",
- p5t->pkt.tcp_flags, p5t->pkt.flags_reserved);
+ if (p5t->pkt.is_ip6)
+ return format (s, "lc_index %d (lsb16 of sw_if_index %d) l3 %s%s %U -> %U"
+ " l4 proto %d l4_valid %d port %d -> %d tcp flags (%s) %02x rsvd %x",
+ p5t->pkt.lc_index, p5t->l4.lsb_of_sw_if_index,
+ "ip6",
+ p5t->
+ pkt.is_nonfirst_fragment ? " non-initial fragment" : "",
+ format_ip6_address, &p5t->ip6_addr[0], format_ip6_address,
+ &p5t->ip6_addr[1], p5t->l4.proto, p5t->pkt.l4_valid,
+ p5t->l4.port[0], p5t->l4.port[1],
+ p5t->pkt.tcp_flags_valid ? "valid" : "invalid",
+ p5t->pkt.tcp_flags, p5t->pkt.flags_reserved);
+ else
+ return format (s, "lc_index %d (lsb16 of sw_if_index %d) l3 %s%s %U -> %U"
+ " l4 proto %d l4_valid %d port %d -> %d tcp flags (%s) %02x rsvd %x",
+ p5t->pkt.lc_index, p5t->l4.lsb_of_sw_if_index,
+ "ip4",
+ p5t->
+ pkt.is_nonfirst_fragment ? " non-initial fragment" : "",
+ format_ip4_address, &p5t->ip4_addr[0], format_ip4_address,
+ &p5t->ip4_addr[1], p5t->l4.proto, p5t->pkt.l4_valid,
+ p5t->l4.port[0], p5t->l4.port[1],
+ p5t->pkt.tcp_flags_valid ? "valid" : "invalid",
+ p5t->pkt.tcp_flags, p5t->pkt.flags_reserved);
 }
 u8 *
diff --git a/src/plugins/acl/fa_node.h b/src/plugins/acl/fa_node.h
index 5c55cb995a1..ba080446613 100644
--- a/src/plugins/acl/fa_node.h
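Review bot: The two `return format (...)` calls in format_fa_5tuple differ only in the family label, the `%U` formatter and the two address pointers, so the two-line format string and the other eight arguments are now maintained twice. Picking those up front keeps a single call: `format_function_t *fmt_addr = p5t->pkt.is_ip6 ? format_ip6_address : format_ip4_address;`, `void *a0 = p5t->pkt.is_ip6 ? (void *) &p5t->ip6_addr[0] : (void *) &p5t->ip4_addr[0];` (and `a1` likewise), then one `format` passing `fmt_addr, a0, fmt_addr, a1`. The same duplication is introduced in format_session_bihash_5tuple in sess_mgmt_node.c. Note also that this formatter trusts `p5t->pkt.is_ip6` while the session formatter infers the family from the address pad; a one-line comment saying why `pkt.is_ip6` is valid for a dataplane 5-tuple would stop someone from "unifying" the two.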
+++ b/src/plugins/acl/fa_node.h
@@ -54,7 +54,17 @@ typedef union {
 typedef union {
 struct {
- ip46_address_t addr[2];
+ union {
+ struct {
+ /* we put the IPv4 addresses
+ after padding so we can still
+ use them as (shorter) key together with
+ L4 info */
+ u32 l3_zero_pad[6];
+ ip4_address_t ip4_addr[2];
+ };
+ ip6_address_t ip6_addr[2];
+ };
 fa_session_l4_key_t l4; /* This field should align with u64 value in bihash_40_8 keyvalue struct */
 fa_packet_info_t pkt;
@@ -81,7 +91,8 @@ typedef struct {
 u32 link_next_idx; /* +4 bytes = 16 */
 u8 link_list_id; /* +1 bytes = 17 */
 u8 deleted; /* +1 bytes = 18 */
- u8 reserved1[6]; /* +6 bytes = 24 */
+ u8 is_ip6; /* +1 bytes = 19 */
+ u8 reserved1[5]; /* +5 bytes = 24 */
 u64 reserved2[5]; /* +5*8 bytes = 64 */
 } fa_session_t;
diff --git a/src/plugins/acl/hash_lookup.c b/src/plugins/acl/hash_lookup.c
index 9a280031fc8..4bcd9050c73 100644
--- a/src/plugins/acl/hash_lookup.c
+++ b/src/plugins/acl/hash_lookup.c
@@ -514,15 +514,33 @@ hash_acl_reapply(acl_main_t *am, u32 lc_index, int acl_index)
 }
 static void
-make_address_mask(ip46_address_t *addr, u8 is_ipv6, u8 prefix_len)
+make_ip6_address_mask(ip6_address_t *addr, u8 prefix_len)
 {
- if (is_ipv6) {
- ip6_address_mask_from_width(&addr->ip6, prefix_len);
- } else {
- /* FIXME: this may not be correct way */
- ip6_address_mask_from_width(&addr->ip6, prefix_len + 3*32);
- ip46_address_mask_ip4(addr);
- }
+ ip6_address_mask_from_width(addr, prefix_len);
+}
+
+
+/* Maybe should be moved into the core somewhere */
+always_inline void
+ip4_address_mask_from_width (ip4_address_t * a, u32 width)
+{
+ int i, byte, bit, bitnum;
+ ASSERT (width <= 32);
+ memset (a, 0, sizeof (a[0]));
+ for (i = 0; i < width; i++)
+ {
+ bitnum = (7 - (i & 7));
+ byte = i / 8;
+ bit = 1 << bitnum;
+ a->as_u8[byte] |= bit;
+ }
+}
+
+
+static void
+make_ip4_address_mask(ip4_address_t *addr, u8 prefix_len)
+{
+ ip4_address_mask_from_width(addr, prefix_len);
 }
 static u8
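Review bot: The new comment in the address union explains where the IPv4 addresses sit but not the invariant the rest of the change relies on: `l3_zero_pad` must be all zero for an IPv4 5-tuple (acl_fill_5tuple and make_mask_and_match_from_rule memset it), and is_ip6_5tuple() in session_inlines.h infers the address family from it. That makes an IPv6 5-tuple whose first 24 address bytes are zero — source `::` with a destination whose top 8 bytes are zero, such as `::1` or an IPv4-mapped address — indistinguishable from IPv4 by that test; in this change only format_session_bihash_5tuple in sess_mgmt_node.c consumes it, but anything that later keys on it would misclassify such packets, so `fa_session_t.is_ip6` (or `pkt.is_ip6` where `pkt` is not overlaid) should stay the authoritative discriminator. Suggested addition to the comment: `/* For IPv4 the pad MUST be zero: is_ip6_5tuple() treats a non-zero pad as IPv6, so that test is only a heuristic (an IPv6 tuple with 24 leading zero bytes looks like IPv4) */`.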
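Review bot: ip4_address_mask_from_width writes `a->as_u8[byte]` for every bit below `width`, so a `prefix_len` above 32 on an IPv4 rule writes past the 4-byte address once the `ASSERT` is compiled out; `prefix_len` is taken from the rule (presumably as supplied over the API) and nothing in this hunk or the caller in the next hunk shows it being range-checked for the IPv4 case. The loop also compares `int i` against `u32 width`. Both go away if the mask is built in one step after clamping, `width = width > 32 ? 32 : width;` followed by `a->as_u32 = width ? clib_host_to_net_u32 (~0u << (32 - width)) : 0;`, which yields the same bytes as the loop for 0..32. Separately, `always_inline` on a function in a .c file buys nothing over `static`, and make_ip4_address_mask is a one-line wrapper that could be dropped in favour of calling ip4_address_mask_from_width directly.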
@@ -566,11 +584,18 @@ make_mask_and_match_from_rule(fa_5tuple_t *mask, acl_rule_t *r, hash_ace_info_t
 mask->pkt.is_ip6 = 1;
 hi->match.pkt.is_ip6 = r->is_ipv6;
-
- make_address_mask(&mask->addr[0], r->is_ipv6, r->src_prefixlen);
- hi->match.addr[0] = r->src;
- make_address_mask(&mask->addr[1], r->is_ipv6, r->dst_prefixlen);
- hi->match.addr[1] = r->dst;
+ if (r->is_ipv6) {
+ make_ip6_address_mask(&mask->ip6_addr[0], r->src_prefixlen);
+ hi->match.ip6_addr[0] = r->src.ip6;
+ make_ip6_address_mask(&mask->ip6_addr[1], r->dst_prefixlen);
+ hi->match.ip6_addr[1] = r->dst.ip6;
+ } else {
+ memset(hi->match.l3_zero_pad, 0, sizeof(hi->match.l3_zero_pad));
+ make_ip4_address_mask(&mask->ip4_addr[0], r->src_prefixlen);
+ hi->match.ip4_addr[0] = r->src.ip4;
+ make_ip4_address_mask(&mask->ip4_addr[1], r->dst_prefixlen);
+ hi->match.ip4_addr[1] = r->dst.ip4;
+ }
 if (r->proto != 0) {
 mask->l4.proto = ~0; /* L4 proto needs to be matched */
diff --git a/src/plugins/acl/public_inlines.h b/src/plugins/acl/public_inlines.h
index e7b085271f6..6b464b36b7a 100644
--- a/src/plugins/acl/public_inlines.h
+++ b/src/plugins/acl/public_inlines.h
@@ -214,11 +214,11 @@ acl_fill_5tuple (acl_main_t * am, vlib_buffer_t * b0, int is_ip6,
 if (is_ip6) {
- clib_memcpy (&p5tuple_pkt->addr,
+ clib_memcpy (&p5tuple_pkt->ip6_addr,
 get_ptr_to_offset (b0, offsetof (ip6_header_t, src_address) + l3_offset),
- sizeof (p5tuple_pkt->addr));
+ sizeof (p5tuple_pkt->ip6_addr));
 proto = *(u8 *) get_ptr_to_offset (b0, offsetof (ip6_header_t,
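Review bot: In the IPv4 branch of make_mask_and_match_from_rule the match side zeroes `hi->match.l3_zero_pad` but `mask->l3_zero_pad` is not touched, and the function's start is outside the hunk, so whether `mask` is zero-initialised before this point cannot be seen here. If it is, the pad is deliberately excluded from the IPv4 key comparison (the packet side is zeroed in acl_fill_5tuple and `pkt.is_ip6` is already in the mask), which deserves a line so the next reader does not "fix" it: `/* l3_zero_pad is left out of the mask: the family is matched via pkt.is_ip6 */`. If `mask` is not pre-zeroed, the IPv4 branch should zero it explicitly alongside the match pad so the two halves of the key are built the same way.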
@@ -270,18 +270,12 @@ acl_fill_5tuple (acl_main_t * am, vlib_buffer_t * b0, int is_ip6,
 } else {
- ip46_address_mask_ip4(&p5tuple_pkt->addr[0]);
- ip46_address_mask_ip4(&p5tuple_pkt->addr[1]);
- clib_memcpy (&p5tuple_pkt->addr[0].ip4,
+ memset(p5tuple_pkt->l3_zero_pad, 0, sizeof(p5tuple_pkt->l3_zero_pad));
+ clib_memcpy (&p5tuple_pkt->ip4_addr,
 get_ptr_to_offset (b0, offsetof (ip4_header_t, src_address) + l3_offset),
- sizeof (p5tuple_pkt->addr[0].ip4));
- clib_memcpy (&p5tuple_pkt->addr[1].ip4,
- get_ptr_to_offset (b0,
- offsetof (ip4_header_t,
- dst_address) + l3_offset),
- sizeof (p5tuple_pkt->addr[1].ip4));
+ sizeof (p5tuple_pkt->ip4_addr));
 proto = *(u8 *) get_ptr_to_offset (b0, offsetof (ip4_header_t,
@@ -359,16 +353,29 @@ acl_plugin_fill_5tuple_inline (u32 lc_index, vlib_buffer_t * b0, int is_ip6,
 always_inline int
-fa_acl_match_addr (ip46_address_t * addr1, ip46_address_t * addr2,
- int prefixlen, int is_ip6)
+fa_acl_match_ip4_addr (ip4_address_t * addr1, ip4_address_t * addr2,
+ int prefixlen)
 {
 if (prefixlen == 0) {
 /* match any always succeeds */
 return 1;
 }
- if (is_ip6)
+ uint32_t a1 = clib_net_to_host_u32 (addr1->as_u32);
+ uint32_t a2 = clib_net_to_host_u32 (addr2->as_u32);
+ uint32_t mask0 = 0xffffffff - ((1 << (32 - prefixlen)) - 1);
+ return (a1 & mask0) == a2;
+}
+
+always_inline int
+fa_acl_match_ip6_addr (ip6_address_t * addr1, ip6_address_t * addr2,
+ int prefixlen)
+{
+ if (prefixlen == 0) {
+ /* match any always succeeds */
+ return 1;
+ }
 if (memcmp (addr1, addr2, prefixlen / 8)) {
 /* If the starting full bytes do not match, no point in bittwidling the thumbs further */
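Review bot: The single `clib_memcpy` into `p5tuple_pkt->ip4_addr` copies 8 bytes starting at `src_address`, so it silently depends on `dst_address` immediately following `src_address` in `ip4_header_t` and on `ip4_addr[2]` being contiguous; both hold today, but the per-address copies that used to make this explicit are gone and nothing states it. A compile-time check next to the copy documents and enforces the header-layout half: `STATIC_ASSERT (offsetof (ip4_header_t, dst_address) == offsetof (ip4_header_t, src_address) + sizeof (ip4_address_t), "ip4 src/dst must be adjacent");`. The IPv6 path in the previous hunk makes the same assumption about `ip6_header_t` and would benefit from the same guard.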
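Review bot: `uint32_t mask0 = 0xffffffff - ((1 << (32 - prefixlen)) - 1);` in fa_acl_match_ip4_addr shifts the int constant `1`, so for `prefixlen == 1` the sub-expression `1 << 31` is signed overflow (undefined behaviour in C11), and for `prefixlen` outside 1..32 the shift count itself is out of range; the early return only covers 0. The line is moved rather than new, but `uint32_t mask0 = ~0u << (32 - prefixlen);` produces the same mask for 1..32 without the undefined case. The function also assumes `addr2` (the rule address) is already masked to its prefix, since only `a1` is masked before the comparison; a short comment stating that precondition, `/* addr2 must already be masked to prefixlen */`, would save the next reader a trip to the caller.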
@@ -386,14 +393,6 @@ fa_acl_match_addr (ip46_address_t * addr1, ip46_address_t * addr2,
 /* The prefix fits into integer number of bytes, so nothing left to do */
 return 1;
 }
- }
- else
- {
- uint32_t a1 = clib_net_to_host_u32 (addr1->ip4.as_u32);
- uint32_t a2 = clib_net_to_host_u32 (addr2->ip4.as_u32);
- uint32_t mask0 = 0xffffffff - ((1 << (32 - prefixlen)) - 1);
- return (a1 & mask0) == a2;
- }
 }
 always_inline int
@@ -424,41 +423,26 @@ single_acl_match_5tuple (acl_main_t * am, u32 acl_index, fa_5tuple_t * pkt_5tupl
 for (i = 0; i < a->count; i++)
 {
 r = a->rules + i;
-#ifdef FA_NODE_VERBOSE_DEBUG
- clib_warning("ACL_FA_NODE_DBG acl %d rule %d tag %s", acl_index, i, a->tag);
-#endif
 if (is_ip6 != r->is_ipv6)
 {
 continue;
 }
- if (!fa_acl_match_addr
- (&pkt_5tuple->addr[1], &r->dst, r->dst_prefixlen, is_ip6))
+ if (is_ip6) {
+ if (!fa_acl_match_ip6_addr
+ (&pkt_5tuple->ip6_addr[1], &r->dst.ip6, r->dst_prefixlen))
 continue;
-
-#ifdef FA_NODE_VERBOSE_DEBUG
- clib_warning
- ("ACL_FA_NODE_DBG acl %d rule %d pkt dst addr %U match rule addr %U/%d",
- acl_index, i, format_ip46_address, &pkt_5tuple->addr[1],
- r->is_ipv6 ? IP46_TYPE_IP6: IP46_TYPE_IP4, format_ip46_address,
- &r->dst, r->is_ipv6 ? IP46_TYPE_IP6: IP46_TYPE_IP4,
- r->dst_prefixlen);
-#endif
-
- if (!fa_acl_match_addr
- (&pkt_5tuple->addr[0], &r->src, r->src_prefixlen, is_ip6))
+ if (!fa_acl_match_ip6_addr
+ (&pkt_5tuple->ip6_addr[0], &r->src.ip6, r->src_prefixlen))
+ continue;
+ } else {
+ if (!fa_acl_match_ip4_addr
+ (&pkt_5tuple->ip4_addr[1], &r->dst.ip4, r->dst_prefixlen))
+ continue;
+ if (!fa_acl_match_ip4_addr
+ (&pkt_5tuple->ip4_addr[0], &r->src.ip4, r->src_prefixlen))
 continue;
+ }
-#ifdef FA_NODE_VERBOSE_DEBUG
- clib_warning
- ("ACL_FA_NODE_DBG acl %d rule %d pkt src addr %U match rule addr %U/%d",
- acl_index, i, format_ip46_address, &pkt_5tuple->addr[0],
- r->is_ipv6 ? IP46_TYPE_IP6: IP46_TYPE_IP4, format_ip46_address,
- &r->src, r->is_ipv6 ? IP46_TYPE_IP6: IP46_TYPE_IP4,
- r->src_prefixlen);
- clib_warning
- ("ACL_FA_NODE_DBG acl %d rule %d trying to match pkt proto %d with rule %d",
- acl_index, i, pkt_5tuple->l4.proto, r->proto);
-#endif
 if (r->proto)
 {
 if (pkt_5tuple->l4.proto != r->proto)
diff --git a/src/plugins/acl/sess_mgmt_node.c b/src/plugins/acl/sess_mgmt_node.c
index 465111a380f..6c01643aca2 100644
--- a/src/plugins/acl/sess_mgmt_node.c
+++ b/src/plugins/acl/sess_mgmt_node.c
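Review bot: Besides switching to the per-family matchers, this hunk deletes all three `FA_NODE_VERBOSE_DEBUG` traces, so single_acl_match_5tuple is left with no per-rule diagnostic at all; that is unrelated to the address-layout change and not explained anywhere visible. If the removal is intended it deserves a sentence in the commit message; otherwise the first `clib_warning("ACL_FA_NODE_DBG acl %d rule %d tag %s", acl_index, i, a->tag);` still compiles unchanged, and the two address traces can be kept by formatting with `format_ip6_address` / `format_ip4_address` inside the respective branch. The function's start and end are outside the hunk.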
@@ -53,18 +53,26 @@ format_session_bihash_5tuple (u8 * s, va_list * args)
 {
 fa_5tuple_t *p5t = va_arg (*args, fa_5tuple_t *);
 fa_full_session_id_t *sess = (void *) &p5t->pkt;
-
- return format (s, "l3 %U -> %U"
- " l4 lsb_of_sw_if_index %d proto %d l4_is_input %d l4_slow_path %d l4_reserved0 %d port %d -> %d | sess id %d thread id %d epoch %04x",
- format_ip46_address, &p5t->addr[0],
- IP46_TYPE_ANY,
- format_ip46_address, &p5t->addr[1],
- IP46_TYPE_ANY,
- p5t->l4.lsb_of_sw_if_index,
- p5t->l4.proto, p5t->l4.is_input, p5t->l4.is_slowpath,
- p5t->l4.reserved0, p5t->l4.port[0], p5t->l4.port[1],
- sess->session_index, sess->thread_index,
- sess->intf_policy_epoch);
+ if (is_ip6_5tuple (p5t))
+ return (format (s, "l3 %U -> %U"
+ " l4 lsb_of_sw_if_index %d proto %d l4_is_input %d l4_slow_path %d l4_reserved0 %d port %d -> %d | sess id %d thread id %d epoch %04x",
+ format_ip6_address, &p5t->ip6_addr[0],
+ format_ip6_address, &p5t->ip6_addr[1],
+ p5t->l4.lsb_of_sw_if_index,
+ p5t->l4.proto, p5t->l4.is_input, p5t->l4.is_slowpath,
+ p5t->l4.reserved0, p5t->l4.port[0], p5t->l4.port[1],
+ sess->session_index, sess->thread_index,
+ sess->intf_policy_epoch));
+ else
+ return (format (s, "l3 %U -> %U"
+ " l4 lsb_of_sw_if_index %d proto %d l4_is_input %d l4_slow_path %d l4_reserved0 %d port %d -> %d | sess id %d thread id %d epoch %04x",
+ format_ip4_address, &p5t->ip4_addr[0],
+ format_ip4_address, &p5t->ip4_addr[1],
+ p5t->l4.lsb_of_sw_if_index,
+ p5t->l4.proto, p5t->l4.is_input, p5t->l4.is_slowpath,
+ p5t->l4.reserved0, p5t->l4.port[0], p5t->l4.port[1],
+ sess->session_index, sess->thread_index,
+ sess->intf_policy_epoch));
 }
diff --git a/src/plugins/acl/session_inlines.h b/src/plugins/acl/session_inlines.h
index 709ecc8cae1..01dface323e 100644
--- a/src/plugins/acl/session_inlines.h
+++ b/src/plugins/acl/session_inlines.h
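Review bot: format_session_bihash_5tuple picks the family with `is_ip6_5tuple (p5t)` while format_fa_5tuple in dataplane_node.c uses `p5t->pkt.is_ip6`; the reason appears to be that here `pkt` is overlaid by `fa_full_session_id_t` (`sess = (void *) &p5t->pkt`), so `pkt.is_ip6` carries no meaning for a session key, but nothing in the function says so. A one-line comment above the `if` would keep someone from "unifying" the two: `/* pkt is overlaid by the session id here, so the family is inferred from the address pad (heuristic, see is_ip6_5tuple) */`. The call also requires session_inlines.h to be visible in this file, which the hunk cannot show.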
@@ -262,6 +262,16 @@ acl_fa_restart_timer_for_session (acl_main_t * am, u64 now,
 }
 }
+always_inline int
+is_ip6_5tuple (fa_5tuple_t * p5t)
+{
+ return (p5t->l3_zero_pad[0] | p5t->
+ l3_zero_pad[1] | p5t->l3_zero_pad[2] | p5t->l3_zero_pad[3] | p5t->
+ l3_zero_pad[4] | p5t->l3_zero_pad[5]) != 0;
+}
+
+
+
 always_inline u8
 acl_fa_track_session (acl_main_t * am, int is_input, u32 sw_if_index, u64 now,
@@ -355,15 +365,24 @@ reverse_l4_u64 (u64 l4, int is_ip6)
 }
 always_inline void
-reverse_session_add_del (acl_main_t * am, const int is_ip6,
+reverse_session_add_del (acl_main_t * am, int is_ip6,
 clib_bihash_kv_40_8_t * pkv, int is_add)
 {
 clib_bihash_kv_40_8_t kv2;
- /* the first 4xu64 is two addresses, so just swap them */
- kv2.key[0] = pkv->key[2];
- kv2.key[1] = pkv->key[3];
- kv2.key[2] = pkv->key[0];
- kv2.key[3] = pkv->key[1];
+ if (is_ip6)
+ {
+ kv2.key[0] = pkv->key[2];
+ kv2.key[1] = pkv->key[3];
+ kv2.key[2] = pkv->key[0];
+ kv2.key[3] = pkv->key[1];
+ }
+ else
+ {
+ kv2.key[0] = kv2.key[1] = kv2.key[2] = 0;
+ kv2.key[3] =
+ ((pkv->key[3] & 0xffffffff) << 32) | ((pkv->key[3] >> 32) &
+ 0xffffffff);
+ }
 /* the last u64 needs special treatment (ports, etc.) */
 kv2.key[4] = reverse_l4_u64 (pkv->key[4], is_ip6);
 kv2.value = pkv->value;
@@ -379,7 +398,7 @@ acl_fa_deactivate_session (acl_main_t * am, u32 sw_if_index,
 ASSERT (sess->thread_index == os_get_thread_index ());
 clib_bihash_add_del_40_8 (&am->fa_sessions_hash, &sess->info.kv, 0);
- reverse_session_add_del (am, sess->info.pkt.is_ip6, &sess->info.kv, 0);
+ reverse_session_add_del (am, sess->is_ip6, &sess->info.kv, 0);
 sess->deleted = 1;
 clib_smp_atomic_add (&am->fa_session_total_deactivations, 1);
 }
@@ -513,6 +532,7 @@ acl_fa_add_session (acl_main_t * am, int is_input, int is_ip6,
 sess->link_prev_idx = FA_SESSION_BOGUS_INDEX;
 sess->link_next_idx = FA_SESSION_BOGUS_INDEX;
 sess->deleted = 0;
+ sess->is_ip6 = is_ip6;
 acl_fa_conn_list_add_session (am, f_sess_id, now); |
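Review bot: The IPv4 branch of reverse_session_add_del hard-codes the key layout — `key[0..2]` are the 24-byte pad and `key[3]` holds `ip4_addr[0]` in one 32-bit half and `ip4_addr[1]` in the other, so exchanging the halves swaps source and destination on either endianness — but none of that is stated, and the old one-line comment that explained the IPv6 swap was removed rather than extended; the `& 0xffffffff` after `>> 32` on a u64 is also redundant. A comment plus a compile-time guard would tie the arithmetic to fa_5tuple_t: `/* IPv4: pad stays zero, key[3] = {src, dst}; swap the two u32 halves */` and `STATIC_ASSERT (offsetof (fa_5tuple_t, ip4_addr) == 3 * sizeof (u64), "ip4 addresses must live in key[3]");`. The `const` dropped from the `is_ip6` parameter changes nothing for callers but is likewise unexplained.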