summaryrefslogtreecommitdiffstats
path: root/src/plugins/acl
diff options
context:
space:
mode:
Diffstat (limited to 'src/plugins/acl')
-rw-r--r--src/plugins/acl/acl.c50
-rw-r--r--src/plugins/acl/acl.h10
-rw-r--r--src/plugins/acl/hash_lookup.c4
3 files changed, 60 insertions, 4 deletions
diff --git a/src/plugins/acl/acl.c b/src/plugins/acl/acl.c
index 611efbb7be6..cdfe0682e8d 100644
--- a/src/plugins/acl/acl.c
+++ b/src/plugins/acl/acl.c
@@ -91,7 +91,7 @@ static void *
acl_set_heap(acl_main_t *am)
{
if (0 == am->acl_mheap) {
- am->acl_mheap = mheap_alloc (0 /* use VM */ , 2 << 29);
+ am->acl_mheap = mheap_alloc (0 /* use VM */ , am->acl_mheap_size);
mheap_t *h = mheap_header (am->acl_mheap);
h->flags |= MHEAP_FLAG_THREAD_SAFE;
}
@@ -2596,7 +2596,47 @@ VLIB_CLI_COMMAND (aclplugin_clear_command, static) = {
};
/* *INDENT-ON* */
-
+static clib_error_t *
+acl_plugin_config (vlib_main_t * vm, unformat_input_t * input)
+{
+ acl_main_t *am = &acl_main;
+ u32 conn_table_hash_buckets;
+ u32 conn_table_hash_memory_size;
+ u32 conn_table_max_entries;
+ u32 main_heap_size;
+ u32 hash_heap_size;
+ u32 hash_lookup_hash_buckets;
+ u32 hash_lookup_hash_memory;
+
+ while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
+ {
+ if (unformat (input, "connection hash buckets %d", &conn_table_hash_buckets))
+ am->fa_conn_table_hash_num_buckets = conn_table_hash_buckets;
+ else if (unformat (input, "connection hash memory %d",
+ &conn_table_hash_memory_size))
+ am->fa_conn_table_hash_memory_size = conn_table_hash_memory_size;
+ else if (unformat (input, "connection count max %d",
+ &conn_table_max_entries))
+ am->fa_conn_table_max_entries = conn_table_max_entries;
+ else if (unformat (input, "main heap size %d",
+ &main_heap_size))
+ am->acl_mheap_size = main_heap_size;
+ else if (unformat (input, "hash lookup heap size %d",
+ &hash_heap_size))
+ am->hash_lookup_mheap_size = hash_heap_size;
+ else if (unformat (input, "hash lookup hash buckets %d",
+ &hash_lookup_hash_buckets))
+ am->hash_lookup_hash_buckets = hash_lookup_hash_buckets;
+ else if (unformat (input, "hash lookup hash memory %d",
+ &hash_lookup_hash_memory))
+ am->hash_lookup_hash_memory = hash_lookup_hash_memory;
+ else
+ return clib_error_return (0, "unknown input '%U'",
+ format_unformat_error, input);
+ }
+ return 0;
+}
+VLIB_CONFIG_FUNCTION (acl_plugin_config, "acl-plugin");
static clib_error_t *
acl_init (vlib_main_t * vm)
@@ -2622,6 +2662,12 @@ acl_init (vlib_main_t * vm)
acl_setup_fa_nodes();
+ am->acl_mheap_size = ACL_FA_DEFAULT_HEAP_SIZE;
+ am->hash_lookup_mheap_size = ACL_PLUGIN_HASH_LOOKUP_HEAP_SIZE;
+
+ am->hash_lookup_hash_buckets = ACL_PLUGIN_HASH_LOOKUP_HASH_BUCKETS;
+ am->hash_lookup_hash_memory = ACL_PLUGIN_HASH_LOOKUP_HASH_MEMORY;
+
am->session_timeout_sec[ACL_TIMEOUT_TCP_TRANSIENT] = TCP_SESSION_TRANSIENT_TIMEOUT_SEC;
am->session_timeout_sec[ACL_TIMEOUT_TCP_IDLE] = TCP_SESSION_IDLE_TIMEOUT_SEC;
am->session_timeout_sec[ACL_TIMEOUT_UDP_IDLE] = UDP_SESSION_IDLE_TIMEOUT_SEC;
diff --git a/src/plugins/acl/acl.h b/src/plugins/acl/acl.h
index 26084a66521..bed22e5fc89 100644
--- a/src/plugins/acl/acl.h
+++ b/src/plugins/acl/acl.h
@@ -37,6 +37,12 @@
#define TCP_SESSION_IDLE_TIMEOUT_SEC (3600*24)
#define TCP_SESSION_TRANSIENT_TIMEOUT_SEC 120
+#define ACL_FA_DEFAULT_HEAP_SIZE (2 << 29)
+
+#define ACL_PLUGIN_HASH_LOOKUP_HEAP_SIZE (2 << 25)
+#define ACL_PLUGIN_HASH_LOOKUP_HASH_BUCKETS 65536
+#define ACL_PLUGIN_HASH_LOOKUP_HASH_MEMORY (2 << 25)
+
extern vlib_node_registration_t acl_in_node;
extern vlib_node_registration_t acl_out_node;
@@ -125,6 +131,7 @@ typedef struct
typedef struct {
/* mheap to hold all the ACL module related allocations, other than hash */
void *acl_mheap;
+ u32 acl_mheap_size;
/* API message ID base */
u16 msg_id_base;
@@ -132,9 +139,12 @@ typedef struct {
acl_list_t *acls; /* Pool of ACLs */
hash_acl_info_t *hash_acl_infos; /* corresponding hash matching housekeeping info */
clib_bihash_48_8_t acl_lookup_hash; /* ACL lookup hash table. */
+ u32 hash_lookup_hash_buckets;
+ u32 hash_lookup_hash_memory;
/* mheap to hold all the miscellaneous allocations related to hash-based lookups */
void *hash_lookup_mheap;
+ u32 hash_lookup_mheap_size;
int acl_lookup_hash_initialized;
applied_hash_ace_entry_t **input_hash_entry_vec_by_sw_if_index;
applied_hash_ace_entry_t **output_hash_entry_vec_by_sw_if_index;
diff --git a/src/plugins/acl/hash_lookup.c b/src/plugins/acl/hash_lookup.c
index 13bc6b4643f..7869027b301 100644
--- a/src/plugins/acl/hash_lookup.c
+++ b/src/plugins/acl/hash_lookup.c
@@ -264,7 +264,7 @@ static void *
hash_acl_set_heap(acl_main_t *am)
{
if (0 == am->hash_lookup_mheap) {
- am->hash_lookup_mheap = mheap_alloc (0 /* use VM */ , 2 << 25);
+ am->hash_lookup_mheap = mheap_alloc (0 /* use VM */ , am->hash_lookup_mheap_size);
mheap_t *h = mheap_header (am->hash_lookup_mheap);
h->flags |= MHEAP_FLAG_THREAD_SAFE;
}
@@ -307,7 +307,7 @@ hash_acl_apply(acl_main_t *am, u32 sw_if_index, u8 is_input, int acl_index)
DBG0("HASH ACL apply: sw_if_index %d is_input %d acl %d", sw_if_index, is_input, acl_index);
if (!am->acl_lookup_hash_initialized) {
BV (clib_bihash_init) (&am->acl_lookup_hash, "ACL plugin rule lookup bihash",
- 65536, 2 << 25);
+ am->hash_lookup_hash_buckets, am->hash_lookup_hash_memory);
am->acl_lookup_hash_initialized = 1;
}