summaryrefslogtreecommitdiffstats
path: root/src/plugins/acl
diff options
context:
space:
mode:
Diffstat (limited to 'src/plugins/acl')
-rw-r--r--src/plugins/acl/acl.c7
-rw-r--r--src/plugins/acl/dataplane_node.c758
-rw-r--r--src/plugins/acl/fa_node.c1614
-rw-r--r--src/plugins/acl/sess_mgmt_node.c806
-rw-r--r--src/plugins/acl/session_inlines.h426
5 files changed, 1997 insertions, 1614 deletions
diff --git a/src/plugins/acl/acl.c b/src/plugins/acl/acl.c
index f7156847241..65785cc0f5a 100644
--- a/src/plugins/acl/acl.c
+++ b/src/plugins/acl/acl.c
@@ -59,6 +59,13 @@ acl_main_t *p_acl_main = &acl_main;
#define REPLY_MSG_ID_BASE am->msg_id_base
#include <vlibapi/api_helper_macros.h>
+/*
+ * The code for the bihash, used by the session management.
+ */
+#include <vppinfra/bihash_40_8.h>
+#include <vppinfra/bihash_template.h>
+#include <vppinfra/bihash_template.c>
+
/* List of message types that this plugin understands */
#define foreach_acl_plugin_api_msg \
diff --git a/src/plugins/acl/dataplane_node.c b/src/plugins/acl/dataplane_node.c
new file mode 100644
index 00000000000..98e966189d8
--- /dev/null
+++ b/src/plugins/acl/dataplane_node.c
@@ -0,0 +1,758 @@
+/*
+ * Copyright (c) 2016-2018 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <stddef.h>
+#include <netinet/in.h>
+
+#include <vlib/vlib.h>
+#include <vnet/vnet.h>
+#include <vnet/pg/pg.h>
+#include <vppinfra/error.h>
+
+
+#include <acl/acl.h>
+#include <vnet/ip/icmp46_packet.h>
+
+#include <plugins/acl/fa_node.h>
+#include <plugins/acl/acl.h>
+#include <plugins/acl/lookup_context.h>
+#include <plugins/acl/public_inlines.h>
+#include <plugins/acl/session_inlines.h>
+
+#include <vppinfra/bihash_40_8.h>
+#include <vppinfra/bihash_template.h>
+
+typedef struct
+{
+ u32 next_index;
+ u32 sw_if_index;
+ u32 lc_index;
+ u32 match_acl_in_index;
+ u32 match_rule_index;
+ u64 packet_info[6];
+ u32 trace_bitmap;
+ u8 action;
+} acl_fa_trace_t;
+
+/* *INDENT-OFF* */
+#define foreach_acl_fa_error \
+_(ACL_DROP, "ACL deny packets") \
+_(ACL_PERMIT, "ACL permit packets") \
+_(ACL_NEW_SESSION, "new sessions added") \
+_(ACL_EXIST_SESSION, "existing session packets") \
+_(ACL_CHECK, "checked packets") \
+_(ACL_RESTART_SESSION_TIMER, "restart session timer") \
+_(ACL_TOO_MANY_SESSIONS, "too many sessions to add new") \
+/* end of errors */
+
+typedef enum
+{
+#define _(sym,str) ACL_FA_ERROR_##sym,
+ foreach_acl_fa_error
+#undef _
+ ACL_FA_N_ERROR,
+} acl_fa_error_t;
+
+/* *INDENT-ON* */
+
+
+always_inline uword
+acl_fa_node_fn (vlib_main_t * vm,
+ vlib_node_runtime_t * node, vlib_frame_t * frame, int is_ip6,
+ int is_input, int is_l2_path, u32 * l2_feat_next_node_index,
+ vlib_node_registration_t * acl_fa_node)
+{
+ u32 n_left_from, *from, *to_next;
+ acl_fa_next_t next_index;
+ u32 pkts_acl_checked = 0;
+ u32 pkts_new_session = 0;
+ u32 pkts_exist_session = 0;
+ u32 pkts_acl_permit = 0;
+ u32 pkts_restart_session_timer = 0;
+ u32 trace_bitmap = 0;
+ acl_main_t *am = &acl_main;
+ fa_5tuple_t fa_5tuple, kv_sess;
+ clib_bihash_kv_40_8_t value_sess;
+ vlib_node_runtime_t *error_node;
+ u64 now = clib_cpu_time_now ();
+ uword thread_index = os_get_thread_index ();
+ acl_fa_per_worker_data_t *pw = &am->per_worker_data[thread_index];
+
+ from = vlib_frame_vector_args (frame);
+ n_left_from = frame->n_vectors;
+ next_index = node->cached_next_index;
+
+ error_node = vlib_node_get_runtime (vm, acl_fa_node->index);
+
+ while (n_left_from > 0)
+ {
+ u32 n_left_to_next;
+
+ vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
+
+ while (n_left_from > 0 && n_left_to_next > 0)
+ {
+ u32 bi0;
+ vlib_buffer_t *b0;
+ u32 next0 = 0;
+ u8 action = 0;
+ u32 sw_if_index0;
+ u32 lc_index0;
+ int acl_check_needed = 1;
+ u32 match_acl_in_index = ~0;
+ u32 match_acl_pos = ~0;
+ u32 match_rule_index = ~0;
+ u8 error0 = 0;
+ u32 valid_new_sess;
+
+ /* speculatively enqueue b0 to the current next frame */
+ bi0 = from[0];
+ to_next[0] = bi0;
+ from += 1;
+ to_next += 1;
+ n_left_from -= 1;
+ n_left_to_next -= 1;
+
+ b0 = vlib_get_buffer (vm, bi0);
+
+ if (is_input)
+ sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
+ else
+ sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_TX];
+
+ if (is_input)
+ lc_index0 = am->input_lc_index_by_sw_if_index[sw_if_index0];
+ else
+ lc_index0 = am->output_lc_index_by_sw_if_index[sw_if_index0];
+
+ u32 **p_epoch_vec =
+ is_input ? &am->input_policy_epoch_by_sw_if_index :
+ &am->output_policy_epoch_by_sw_if_index;
+ u16 current_policy_epoch =
+ sw_if_index0 < vec_len (*p_epoch_vec) ? vec_elt (*p_epoch_vec,
+ sw_if_index0)
+ : (is_input * FA_POLICY_EPOCH_IS_INPUT);
+ /*
+ * Extract the L3/L4 matching info into a 5-tuple structure,
+ * then create a session key whose layout is independent on forward or reverse
+ * direction of the packet.
+ */
+
+ acl_plugin_fill_5tuple_inline (lc_index0, b0, is_ip6, is_input,
+ is_l2_path,
+ (fa_5tuple_opaque_t *) & fa_5tuple);
+ fa_5tuple.l4.lsb_of_sw_if_index = sw_if_index0 & 0xffff;
+ valid_new_sess =
+ acl_make_5tuple_session_key (am, is_input, is_ip6, sw_if_index0,
+ &fa_5tuple, &kv_sess);
+ // XXDEL fa_5tuple.pkt.is_input = is_input;
+ fa_5tuple.pkt.mask_type_index_lsb = ~0;
+#ifdef FA_NODE_VERBOSE_DEBUG
+ clib_warning
+ ("ACL_FA_NODE_DBG: session 5-tuple %016llx %016llx %016llx %016llx %016llx %016llx",
+ kv_sess.kv.key[0], kv_sess.kv.key[1], kv_sess.kv.key[2],
+ kv_sess.kv.key[3], kv_sess.kv.key[4], kv_sess.kv.value);
+ clib_warning
+ ("ACL_FA_NODE_DBG: packet 5-tuple %016llx %016llx %016llx %016llx %016llx %016llx",
+ fa_5tuple.kv.key[0], fa_5tuple.kv.key[1], fa_5tuple.kv.key[2],
+ fa_5tuple.kv.key[3], fa_5tuple.kv.key[4], fa_5tuple.kv.value);
+#endif
+
+ /* Try to match an existing session first */
+
+ if (acl_fa_ifc_has_sessions (am, sw_if_index0))
+ {
+ if (acl_fa_find_session
+ (am, sw_if_index0, &kv_sess, &value_sess))
+ {
+ trace_bitmap |= 0x80000000;
+ error0 = ACL_FA_ERROR_ACL_EXIST_SESSION;
+ fa_full_session_id_t f_sess_id;
+
+ f_sess_id.as_u64 = value_sess.value;
+ ASSERT (f_sess_id.thread_index < vec_len (vlib_mains));
+
+ fa_session_t *sess =
+ get_session_ptr (am, f_sess_id.thread_index,
+ f_sess_id.session_index);
+ int old_timeout_type =
+ fa_session_get_timeout_type (am, sess);
+ action =
+ acl_fa_track_session (am, is_input, sw_if_index0, now,
+ sess, &fa_5tuple);
+ /* expose the session id to the tracer */
+ match_rule_index = f_sess_id.session_index;
+ int new_timeout_type =
+ fa_session_get_timeout_type (am, sess);
+ acl_check_needed = 0;
+ pkts_exist_session += 1;
+ /* Tracking might have changed the session timeout type, e.g. from transient to established */
+ if (PREDICT_FALSE (old_timeout_type != new_timeout_type))
+ {
+ acl_fa_restart_timer_for_session (am, now, f_sess_id);
+ pkts_restart_session_timer++;
+ trace_bitmap |=
+ 0x00010000 + ((0xff & old_timeout_type) << 8) +
+ (0xff & new_timeout_type);
+ }
+ /*
+ * I estimate the likelihood to be very low - the VPP needs
+ * to have >64K interfaces to start with and then on
+ * exactly 64K indices apart needs to be exactly the same
+ * 5-tuple... Anyway, since this probability is nonzero -
+ * print an error and drop the unlucky packet.
+ * If this shows up in real world, we would need to bump
+ * the hash key length.
+ */
+ if (PREDICT_FALSE (sess->sw_if_index != sw_if_index0))
+ {
+ clib_warning
+ ("BUG: session LSB16(sw_if_index) and 5-tuple collision!");
+ acl_check_needed = 0;
+ action = 0;
+ }
+ if (PREDICT_FALSE (am->reclassify_sessions))
+ {
+ /* if the MSB of policy epoch matches but not the LSB means it is a stale session */
+ if ((0 ==
+ ((current_policy_epoch ^
+ f_sess_id.intf_policy_epoch) &
+ FA_POLICY_EPOCH_IS_INPUT))
+ && (current_policy_epoch !=
+ f_sess_id.intf_policy_epoch))
+ {
+ /* delete session and increment the counter */
+ vec_validate
+ (pw->fa_session_epoch_change_by_sw_if_index,
+ sw_if_index0);
+ vec_elt (pw->fa_session_epoch_change_by_sw_if_index,
+ sw_if_index0)++;
+ if (acl_fa_conn_list_delete_session (am, f_sess_id))
+ {
+ /* delete the session only if we were able to unlink it */
+ acl_fa_delete_session (am, sw_if_index0,
+ f_sess_id);
+ }
+ acl_check_needed = 1;
+ trace_bitmap |= 0x40000000;
+ }
+ }
+ }
+ }
+
+ if (acl_check_needed)
+ {
+ action = 0; /* deny by default */
+ acl_plugin_match_5tuple_inline (lc_index0,
+ (fa_5tuple_opaque_t *) &
+ fa_5tuple, is_ip6, &action,
+ &match_acl_pos,
+ &match_acl_in_index,
+ &match_rule_index,
+ &trace_bitmap);
+ error0 = action;
+ if (1 == action)
+ pkts_acl_permit += 1;
+ if (2 == action)
+ {
+ if (!acl_fa_can_add_session (am, is_input, sw_if_index0))
+ acl_fa_try_recycle_session (am, is_input, thread_index,
+ sw_if_index0);
+
+ if (acl_fa_can_add_session (am, is_input, sw_if_index0))
+ {
+ if (PREDICT_TRUE (valid_new_sess))
+ {
+ fa_session_t *sess =
+ acl_fa_add_session (am, is_input,
+ sw_if_index0,
+ now, &kv_sess,
+ current_policy_epoch);
+ acl_fa_track_session (am, is_input, sw_if_index0,
+ now, sess, &fa_5tuple);
+ pkts_new_session += 1;
+ }
+ else
+ {
+ /*
+ * ICMP packets with non-icmp_valid_new type will be
+ * forwared without being dropped.
+ */
+ action = 1;
+ pkts_acl_permit += 1;
+ }
+ }
+ else
+ {
+ action = 0;
+ error0 = ACL_FA_ERROR_ACL_TOO_MANY_SESSIONS;
+ }
+ }
+ }
+
+
+
+ if (action > 0)
+ {
+ if (is_l2_path)
+ next0 = vnet_l2_feature_next (b0, l2_feat_next_node_index, 0);
+ else
+ vnet_feature_next (sw_if_index0, &next0, b0);
+ }
+#ifdef FA_NODE_VERBOSE_DEBUG
+ clib_warning
+ ("ACL_FA_NODE_DBG: sw_if_index %d lc_index %d action %d acl_index %d rule_index %d",
+ sw_if_index0, lc_index0, action, match_acl_in_index,
+ match_rule_index);
+#endif
+
+ if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
+ && (b0->flags & VLIB_BUFFER_IS_TRACED)))
+ {
+ acl_fa_trace_t *t = vlib_add_trace (vm, node, b0, sizeof (*t));
+ t->sw_if_index = sw_if_index0;
+ t->lc_index = lc_index0;
+ t->next_index = next0;
+ t->match_acl_in_index = match_acl_in_index;
+ t->match_rule_index = match_rule_index;
+ t->packet_info[0] = fa_5tuple.kv.key[0];
+ t->packet_info[1] = fa_5tuple.kv.key[1];
+ t->packet_info[2] = fa_5tuple.kv.key[2];
+ t->packet_info[3] = fa_5tuple.kv.key[3];
+ t->packet_info[4] = fa_5tuple.kv.key[4];
+ t->packet_info[5] = fa_5tuple.kv.value;
+ t->action = action;
+ t->trace_bitmap = trace_bitmap;
+ }
+
+ next0 = next0 < node->n_next_nodes ? next0 : 0;
+ if (0 == next0)
+ b0->error = error_node->errors[error0];
+
+ pkts_acl_checked += 1;
+
+ /* verify speculative enqueue, maybe switch current next frame */
+ vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
+ to_next, n_left_to_next, bi0,
+ next0);
+ }
+
+ vlib_put_next_frame (vm, node, next_index, n_left_to_next);
+ }
+
+ vlib_node_increment_counter (vm, acl_fa_node->index,
+ ACL_FA_ERROR_ACL_CHECK, pkts_acl_checked);
+ vlib_node_increment_counter (vm, acl_fa_node->index,
+ ACL_FA_ERROR_ACL_PERMIT, pkts_acl_permit);
+ vlib_node_increment_counter (vm, acl_fa_node->index,
+ ACL_FA_ERROR_ACL_NEW_SESSION,
+ pkts_new_session);
+ vlib_node_increment_counter (vm, acl_fa_node->index,
+ ACL_FA_ERROR_ACL_EXIST_SESSION,
+ pkts_exist_session);
+ vlib_node_increment_counter (vm, acl_fa_node->index,
+ ACL_FA_ERROR_ACL_RESTART_SESSION_TIMER,
+ pkts_restart_session_timer);
+ return frame->n_vectors;
+}
+
+vlib_node_function_t __clib_weak acl_in_ip4_l2_node_fn_avx512;
+vlib_node_function_t __clib_weak acl_in_ip4_l2_node_fn_avx2;
+
+vlib_node_function_t __clib_weak acl_out_ip4_l2_node_fn_avx512;
+vlib_node_function_t __clib_weak acl_out_ip4_l2_node_fn_avx2;
+
+vlib_node_function_t __clib_weak acl_in_ip6_l2_node_fn_avx512;
+vlib_node_function_t __clib_weak acl_in_ip6_l2_node_fn_avx2;
+
+vlib_node_function_t __clib_weak acl_out_ip6_l2_node_fn_avx512;
+vlib_node_function_t __clib_weak acl_out_ip6_l2_node_fn_avx2;
+
+vlib_node_function_t __clib_weak acl_in_ip4_fa_node_fn_avx512;
+vlib_node_function_t __clib_weak acl_in_ip4_fa_node_fn_avx2;
+
+vlib_node_function_t __clib_weak acl_out_ip4_fa_node_fn_avx512;
+vlib_node_function_t __clib_weak acl_out_ip4_fa_node_fn_avx2;
+
+vlib_node_function_t __clib_weak acl_in_ip6_fa_node_fn_avx512;
+vlib_node_function_t __clib_weak acl_in_ip6_fa_node_fn_avx2;
+
+vlib_node_function_t __clib_weak acl_out_ip6_fa_node_fn_avx512;
+vlib_node_function_t __clib_weak acl_out_ip6_fa_node_fn_avx2;
+
+
+vlib_node_registration_t acl_in_l2_ip6_node;
+uword CLIB_CPU_OPTIMIZED
+CLIB_MULTIARCH_FN (acl_in_ip6_l2_node_fn) (vlib_main_t * vm,
+ vlib_node_runtime_t * node,
+ vlib_frame_t * frame)
+{
+ acl_main_t *am = &acl_main;
+ return acl_fa_node_fn (vm, node, frame, 1, 1, 1,
+ am->fa_acl_in_ip6_l2_node_feat_next_node_index,
+ &acl_in_l2_ip6_node);
+}
+
+vlib_node_registration_t acl_in_l2_ip4_node;
+uword CLIB_CPU_OPTIMIZED
+CLIB_MULTIARCH_FN (acl_in_ip4_l2_node_fn) (vlib_main_t * vm,
+ vlib_node_runtime_t * node,
+ vlib_frame_t * frame)
+{
+ acl_main_t *am = &acl_main;
+ return acl_fa_node_fn (vm, node, frame, 0, 1, 1,
+ am->fa_acl_in_ip4_l2_node_feat_next_node_index,
+ &acl_in_l2_ip4_node);
+}
+
+vlib_node_registration_t acl_out_l2_ip6_node;
+uword CLIB_CPU_OPTIMIZED
+CLIB_MULTIARCH_FN (acl_out_ip6_l2_node_fn) (vlib_main_t * vm,
+ vlib_node_runtime_t * node,
+ vlib_frame_t * frame)
+{
+ acl_main_t *am = &acl_main;
+ return acl_fa_node_fn (vm, node, frame, 1, 0, 1,
+ am->fa_acl_out_ip6_l2_node_feat_next_node_index,
+ &acl_out_l2_ip6_node);
+}
+
+vlib_node_registration_t acl_out_l2_ip4_node;
+uword CLIB_CPU_OPTIMIZED
+CLIB_MULTIARCH_FN (acl_out_ip4_l2_node_fn) (vlib_main_t * vm,
+ vlib_node_runtime_t * node,
+ vlib_frame_t * frame)
+{
+ acl_main_t *am = &acl_main;
+ return acl_fa_node_fn (vm, node, frame, 0, 0, 1,
+ am->fa_acl_out_ip4_l2_node_feat_next_node_index,
+ &acl_out_l2_ip4_node);
+}
+
+/**** L3 processing path nodes ****/
+
+vlib_node_registration_t acl_in_fa_ip6_node;
+uword CLIB_CPU_OPTIMIZED
+CLIB_MULTIARCH_FN (acl_in_ip6_fa_node_fn) (vlib_main_t * vm,
+ vlib_node_runtime_t * node,
+ vlib_frame_t * frame)
+{
+ return acl_fa_node_fn (vm, node, frame, 1, 1, 0, 0, &acl_in_fa_ip6_node);
+}
+
+vlib_node_registration_t acl_in_fa_ip4_node;
+uword CLIB_CPU_OPTIMIZED
+CLIB_MULTIARCH_FN (acl_in_ip4_fa_node_fn) (vlib_main_t * vm,
+ vlib_node_runtime_t * node,
+ vlib_frame_t * frame)
+{
+ return acl_fa_node_fn (vm, node, frame, 0, 1, 0, 0, &acl_in_fa_ip4_node);
+}
+
+vlib_node_registration_t acl_out_fa_ip6_node;
+uword CLIB_CPU_OPTIMIZED
+CLIB_MULTIARCH_FN (acl_out_ip6_fa_node_fn) (vlib_main_t * vm,
+ vlib_node_runtime_t * node,
+ vlib_frame_t * frame)
+{
+ return acl_fa_node_fn (vm, node, frame, 1, 0, 0, 0, &acl_out_fa_ip6_node);
+}
+
+vlib_node_registration_t acl_out_fa_ip4_node;
+uword CLIB_CPU_OPTIMIZED
+CLIB_MULTIARCH_FN (acl_out_ip4_fa_node_fn) (vlib_main_t * vm,
+ vlib_node_runtime_t * node,
+ vlib_frame_t * frame)
+{
+ return acl_fa_node_fn (vm, node, frame, 0, 0, 0, 0, &acl_out_fa_ip4_node);
+}
+
+
+
+#if __x86_64__
+static void __clib_constructor
+acl_plugin_multiarch_select (void)
+{
+ if (acl_in_ip4_l2_node_fn_avx512 && clib_cpu_supports_avx512f ())
+ acl_in_l2_ip4_node.function = acl_in_ip4_l2_node_fn_avx512;
+ else if (acl_in_ip4_l2_node_fn_avx2 && clib_cpu_supports_avx2 ())
+ acl_in_l2_ip4_node.function = acl_in_ip4_l2_node_fn_avx2;
+
+ if (acl_out_ip4_l2_node_fn_avx512 && clib_cpu_supports_avx512f ())
+ acl_out_l2_ip4_node.function = acl_out_ip4_l2_node_fn_avx512;
+ else if (acl_out_ip4_l2_node_fn_avx2 && clib_cpu_supports_avx2 ())
+ acl_out_l2_ip4_node.function = acl_out_ip4_l2_node_fn_avx2;
+
+ if (acl_in_ip6_l2_node_fn_avx512 && clib_cpu_supports_avx512f ())
+ acl_in_l2_ip6_node.function = acl_in_ip6_l2_node_fn_avx512;
+ else if (acl_in_ip6_l2_node_fn_avx2 && clib_cpu_supports_avx2 ())
+ acl_in_l2_ip6_node.function = acl_in_ip6_l2_node_fn_avx2;
+
+ if (acl_out_ip6_l2_node_fn_avx512 && clib_cpu_supports_avx512f ())
+ acl_out_l2_ip6_node.function = acl_out_ip6_l2_node_fn_avx512;
+ else if (acl_out_ip6_l2_node_fn_avx2 && clib_cpu_supports_avx2 ())
+ acl_out_l2_ip6_node.function = acl_out_ip6_l2_node_fn_avx2;
+
+ if (acl_in_ip4_fa_node_fn_avx512 && clib_cpu_supports_avx512f ())
+ acl_in_fa_ip4_node.function = acl_in_ip4_fa_node_fn_avx512;
+ else if (acl_in_ip4_fa_node_fn_avx2 && clib_cpu_supports_avx2 ())
+ acl_in_fa_ip4_node.function = acl_in_ip4_fa_node_fn_avx2;
+
+ if (acl_out_ip4_fa_node_fn_avx512 && clib_cpu_supports_avx512f ())
+ acl_out_fa_ip4_node.function = acl_out_ip4_fa_node_fn_avx512;
+ else if (acl_out_ip4_fa_node_fn_avx2 && clib_cpu_supports_avx2 ())
+ acl_out_fa_ip4_node.function = acl_out_ip4_fa_node_fn_avx2;
+
+ if (acl_in_ip6_fa_node_fn_avx512 && clib_cpu_supports_avx512f ())
+ acl_in_fa_ip6_node.function = acl_in_ip6_fa_node_fn_avx512;
+ else if (acl_in_ip6_fa_node_fn_avx2 && clib_cpu_supports_avx2 ())
+ acl_in_fa_ip6_node.function = acl_in_ip6_fa_node_fn_avx2;
+
+ if (acl_out_ip6_fa_node_fn_avx512 && clib_cpu_supports_avx512f ())
+ acl_out_fa_ip6_node.function = acl_out_ip6_fa_node_fn_avx512;
+ else if (acl_out_ip6_fa_node_fn_avx2 && clib_cpu_supports_avx2 ())
+ acl_out_fa_ip6_node.function = acl_out_ip6_fa_node_fn_avx2;
+
+}
+#endif
+
+
+
+#ifndef CLIB_MULTIARCH_VARIANT
+static u8 *
+format_fa_5tuple (u8 * s, va_list * args)
+{
+ fa_5tuple_t *p5t = va_arg (*args, fa_5tuple_t *);
+
+ return format (s, "lc_index %d (lsb16 of sw_if_index %d) l3 %s%s %U -> %U"
+ " l4 proto %d l4_valid %d port %d -> %d tcp flags (%s) %02x rsvd %x",
+ p5t->pkt.lc_index, p5t->l4.lsb_of_sw_if_index,
+ p5t->pkt.is_ip6 ? "ip6" : "ip4",
+ p5t->pkt.is_nonfirst_fragment ? " non-initial fragment" : "",
+ format_ip46_address, &p5t->addr[0],
+ p5t->pkt.is_ip6 ? IP46_TYPE_IP6 : IP46_TYPE_IP4,
+ format_ip46_address, &p5t->addr[1],
+ p5t->pkt.is_ip6 ? IP46_TYPE_IP6 : IP46_TYPE_IP4,
+ p5t->l4.proto, p5t->pkt.l4_valid, p5t->l4.port[0],
+ p5t->l4.port[1],
+ p5t->pkt.tcp_flags_valid ? "valid" : "invalid",
+ p5t->pkt.tcp_flags, p5t->pkt.flags_reserved);
+}
+
+u8 *
+format_acl_plugin_5tuple (u8 * s, va_list * args)
+{
+ return format_fa_5tuple (s, args);
+}
+
+/* packet trace format function */
+u8 *
+format_acl_plugin_trace (u8 * s, va_list * args)
+{
+ CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
+ CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
+ acl_fa_trace_t *t = va_arg (*args, acl_fa_trace_t *);
+
+ s =
+ format (s,
+ "acl-plugin: lc_index: %d, sw_if_index %d, next index %d, action: %d, match: acl %d rule %d trace_bits %08x\n"
+ " pkt info %016llx %016llx %016llx %016llx %016llx %016llx",
+ t->lc_index, t->sw_if_index, t->next_index, t->action,
+ t->match_acl_in_index, t->match_rule_index, t->trace_bitmap,
+ t->packet_info[0], t->packet_info[1], t->packet_info[2],
+ t->packet_info[3], t->packet_info[4], t->packet_info[5]);
+
+ /* Now also print out the packet_info in a form usable by humans */
+ s = format (s, "\n %U", format_fa_5tuple, t->packet_info);
+ return s;
+}
+
+
+/* *INDENT-OFF* */
+
+static char *acl_fa_error_strings[] = {
+#define _(sym,string) string,
+ foreach_acl_fa_error
+#undef _
+};
+
+VLIB_REGISTER_NODE (acl_in_l2_ip6_node) =
+{
+ .function = acl_in_ip6_l2_node_fn,
+ .name = "acl-plugin-in-ip6-l2",
+ .vector_size = sizeof (u32),
+ .format_trace = format_acl_plugin_trace,
+ .type = VLIB_NODE_TYPE_INTERNAL,
+ .n_errors = ARRAY_LEN (acl_fa_error_strings),
+ .error_strings = acl_fa_error_strings,
+ .n_next_nodes = ACL_FA_N_NEXT,
+ .next_nodes =
+ {
+ [ACL_FA_ERROR_DROP] = "error-drop",
+ }
+};
+
+VLIB_REGISTER_NODE (acl_in_l2_ip4_node) =
+{
+ .function = acl_in_ip4_l2_node_fn,
+ .name = "acl-plugin-in-ip4-l2",
+ .vector_size = sizeof (u32),
+ .format_trace = format_acl_plugin_trace,
+ .type = VLIB_NODE_TYPE_INTERNAL,
+ .n_errors = ARRAY_LEN (acl_fa_error_strings),
+ .error_strings = acl_fa_error_strings,
+ .n_next_nodes = ACL_FA_N_NEXT,
+ .next_nodes =
+ {
+ [ACL_FA_ERROR_DROP] = "error-drop",
+ }
+};
+
+VLIB_REGISTER_NODE (acl_out_l2_ip6_node) =
+{
+ .function = acl_out_ip6_l2_node_fn,
+ .name = "acl-plugin-out-ip6-l2",
+ .vector_size = sizeof (u32),
+ .format_trace = format_acl_plugin_trace,
+ .type = VLIB_NODE_TYPE_INTERNAL,
+ .n_errors = ARRAY_LEN (acl_fa_error_strings),
+ .error_strings = acl_fa_error_strings,
+ .n_next_nodes = ACL_FA_N_NEXT,
+ .next_nodes =
+ {
+ [ACL_FA_ERROR_DROP] = "error-drop",
+ }
+};
+
+VLIB_REGISTER_NODE (acl_out_l2_ip4_node) =
+{
+ .function = acl_out_ip4_l2_node_fn,
+ .name = "acl-plugin-out-ip4-l2",
+ .vector_size = sizeof (u32),
+ .format_trace = format_acl_plugin_trace,
+ .type = VLIB_NODE_TYPE_INTERNAL,
+ .n_errors = ARRAY_LEN (acl_fa_error_strings),
+ .error_strings = acl_fa_error_strings,
+ .n_next_nodes = ACL_FA_N_NEXT,
+ .next_nodes =
+ {
+ [ACL_FA_ERROR_DROP] = "error-drop",
+ }
+};
+
+
+VLIB_REGISTER_NODE (acl_in_fa_ip6_node) =
+{
+ .function = acl_in_ip6_fa_node_fn,
+ .name = "acl-plugin-in-ip6-fa",
+ .vector_size = sizeof (u32),
+ .format_trace = format_acl_plugin_trace,
+ .type = VLIB_NODE_TYPE_INTERNAL,
+ .n_errors = ARRAY_LEN (acl_fa_error_strings),
+ .error_strings = acl_fa_error_strings,
+ .n_next_nodes = ACL_FA_N_NEXT,
+ .next_nodes =
+ {
+ [ACL_FA_ERROR_DROP] = "error-drop",
+ }
+};
+
+VNET_FEATURE_INIT (acl_in_ip6_fa_feature, static) =
+{
+ .arc_name = "ip6-unicast",
+ .node_name = "acl-plugin-in-ip6-fa",
+ .runs_before = VNET_FEATURES ("ip6-flow-classify"),
+};
+
+VLIB_REGISTER_NODE (acl_in_fa_ip4_node) =
+{
+ .function = acl_in_ip4_fa_node_fn,
+ .name = "acl-plugin-in-ip4-fa",
+ .vector_size = sizeof (u32),
+ .format_trace = format_acl_plugin_trace,
+ .type = VLIB_NODE_TYPE_INTERNAL,
+ .n_errors = ARRAY_LEN (acl_fa_error_strings),
+ .error_strings = acl_fa_error_strings,
+ .n_next_nodes = ACL_FA_N_NEXT,
+ .next_nodes =
+ {
+ [ACL_FA_ERROR_DROP] = "error-drop",
+ }
+};
+
+VNET_FEATURE_INIT (acl_in_ip4_fa_feature, static) =
+{
+ .arc_name = "ip4-unicast",
+ .node_name = "acl-plugin-in-ip4-fa",
+ .runs_before = VNET_FEATURES ("ip4-flow-classify"),
+};
+
+
+VLIB_REGISTER_NODE (acl_out_fa_ip6_node) =
+{
+ .function = acl_out_ip6_fa_node_fn,
+ .name = "acl-plugin-out-ip6-fa",
+ .vector_size = sizeof (u32),
+ .format_trace = format_acl_plugin_trace,
+ .type = VLIB_NODE_TYPE_INTERNAL,
+ .n_errors = ARRAY_LEN (acl_fa_error_strings),
+ .error_strings = acl_fa_error_strings,
+ .n_next_nodes = ACL_FA_N_NEXT,
+ .next_nodes =
+ {
+ [ACL_FA_ERROR_DROP] = "error-drop",
+ }
+};
+
+VNET_FEATURE_INIT (acl_out_ip6_fa_feature, static) =
+{
+ .arc_name = "ip6-output",
+ .node_name = "acl-plugin-out-ip6-fa",
+ .runs_before = VNET_FEATURES ("interface-output"),
+};
+
+VLIB_REGISTER_NODE (acl_out_fa_ip4_node) =
+{
+ .function = acl_out_ip4_fa_node_fn,
+ .name = "acl-plugin-out-ip4-fa",
+ .vector_size = sizeof (u32),
+ .format_trace = format_acl_plugin_trace,
+ .type = VLIB_NODE_TYPE_INTERNAL,
+ .n_errors = ARRAY_LEN (acl_fa_error_strings),
+ .error_strings = acl_fa_error_strings,
+ .n_next_nodes = ACL_FA_N_NEXT,
+ /* edit / add dispositions here */
+ .next_nodes =
+ {
+ [ACL_FA_ERROR_DROP] = "error-drop",
+ }
+};
+
+VNET_FEATURE_INIT (acl_out_ip4_fa_feature, static) =
+{
+ .arc_name = "ip4-output",
+ .node_name = "acl-plugin-out-ip4-fa",
+ .runs_before = VNET_FEATURES ("interface-output"),
+};
+#endif
+
+/* *INDENT-ON* */
+
+/*
+ * fd.io coding-style-patch-verification: ON
+ *
+ * Local Variables:
+ * eval: (c-set-style "gnu")
+ * End:
+ */
diff --git a/src/plugins/acl/fa_node.c b/src/plugins/acl/fa_node.c
deleted file mode 100644
index a36a581532b..00000000000
--- a/src/plugins/acl/fa_node.c
+++ /dev/null
@@ -1,1614 +0,0 @@
-/*
- * Copyright (c) 2016 Cisco and/or its affiliates.
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at:
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#include <stddef.h>
-#include <netinet/in.h>
-
-#include <vlib/vlib.h>
-#include <vnet/vnet.h>
-#include <vnet/pg/pg.h>
-#include <vppinfra/error.h>
-
-
-#include <acl/acl.h>
-#include <vnet/ip/icmp46_packet.h>
-
-#include <plugins/acl/fa_node.h>
-#include <plugins/acl/acl.h>
-#include <plugins/acl/lookup_context.h>
-#include <plugins/acl/public_inlines.h>
-
-#include <vppinfra/bihash_40_8.h>
-#include <vppinfra/bihash_template.h>
-#include <vppinfra/bihash_template.c>
-
-typedef struct
-{
- u32 next_index;
- u32 sw_if_index;
- u32 lc_index;
- u32 match_acl_in_index;
- u32 match_rule_index;
- u64 packet_info[6];
- u32 trace_bitmap;
- u8 action;
-} acl_fa_trace_t;
-
-/* ICMPv4 invert type for stateful ACL */
-static const u8 icmp4_invmap[] = {
- [ICMP4_echo_reply] = ICMP4_echo_request + 1,
- [ICMP4_timestamp_reply] = ICMP4_timestamp_request + 1,
- [ICMP4_information_reply] = ICMP4_information_request + 1,
- [ICMP4_address_mask_reply] = ICMP4_address_mask_request + 1
-};
-
-/* Supported ICMPv4 messages for session creation */
-static const u8 icmp4_valid_new[] = {
- [ICMP4_echo_request] = 1,
- [ICMP4_timestamp_request] = 1,
- [ICMP4_information_request] = 1,
- [ICMP4_address_mask_request] = 1
-};
-
-/* ICMPv6 invert type for stateful ACL */
-static const u8 icmp6_invmap[] = {
- [ICMP6_echo_reply - 128] = ICMP6_echo_request + 1,
- [ICMP6_node_information_response - 128] = ICMP6_node_information_request + 1
-};
-
-/* Supported ICMPv6 messages for session creation */
-static const u8 icmp6_valid_new[] = {
- [ICMP6_echo_request - 128] = 1,
- [ICMP6_node_information_request - 128] = 1
-};
-
-/* IP4 and IP6 protocol numbers of ICMP */
-static u8 icmp_protos[] = { IP_PROTOCOL_ICMP, IP_PROTOCOL_ICMP6 };
-
-static u8 *
-format_fa_5tuple (u8 * s, va_list * args)
-{
- fa_5tuple_t *p5t = va_arg (*args, fa_5tuple_t *);
-
- return format(s, "lc_index %d (lsb16 of sw_if_index %d) l3 %s%s %U -> %U"
- " l4 proto %d l4_valid %d port %d -> %d tcp flags (%s) %02x rsvd %x",
- p5t->pkt.lc_index, p5t->l4.lsb_of_sw_if_index, p5t->pkt.is_ip6 ? "ip6" : "ip4",
- p5t->pkt.is_nonfirst_fragment ? " non-initial fragment" : "",
- format_ip46_address, &p5t->addr[0], p5t->pkt.is_ip6 ? IP46_TYPE_IP6 : IP46_TYPE_IP4,
- format_ip46_address, &p5t->addr[1], p5t->pkt.is_ip6 ? IP46_TYPE_IP6 : IP46_TYPE_IP4,
- p5t->l4.proto, p5t->pkt.l4_valid,
- p5t->l4.port[0], p5t->l4.port[1],
- p5t->pkt.tcp_flags_valid ? "valid": "invalid",
- p5t->pkt.tcp_flags,
- p5t->pkt.flags_reserved);
-}
-
-u8 *
-format_acl_plugin_5tuple (u8 * s, va_list * args)
-{
- return format_fa_5tuple(s, args);
-}
-
-/* packet trace format function */
-static u8 *
-format_acl_fa_trace (u8 * s, va_list * args)
-{
- CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
- CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
- acl_fa_trace_t *t = va_arg (*args, acl_fa_trace_t *);
-
- s =
- format (s,
- "acl-plugin: lc_index: %d, sw_if_index %d, next index %d, action: %d, match: acl %d rule %d trace_bits %08x\n"
- " pkt info %016llx %016llx %016llx %016llx %016llx %016llx",
- t->lc_index, t->sw_if_index, t->next_index, t->action, t->match_acl_in_index,
- t->match_rule_index, t->trace_bitmap,
- t->packet_info[0], t->packet_info[1], t->packet_info[2],
- t->packet_info[3], t->packet_info[4], t->packet_info[5]);
-
- /* Now also print out the packet_info in a form usable by humans */
- s = format (s, "\n %U", format_fa_5tuple, t->packet_info);
- return s;
-}
-
-/* *INDENT-OFF* */
-#define foreach_acl_fa_error \
-_(ACL_DROP, "ACL deny packets") \
-_(ACL_PERMIT, "ACL permit packets") \
-_(ACL_NEW_SESSION, "new sessions added") \
-_(ACL_EXIST_SESSION, "existing session packets") \
-_(ACL_CHECK, "checked packets") \
-_(ACL_RESTART_SESSION_TIMER, "restart session timer") \
-_(ACL_TOO_MANY_SESSIONS, "too many sessions to add new") \
-/* end of errors */
-
-typedef enum
-{
-#define _(sym,str) ACL_FA_ERROR_##sym,
- foreach_acl_fa_error
-#undef _
- ACL_FA_N_ERROR,
-} acl_fa_error_t;
-
-static char *acl_fa_error_strings[] = {
-#define _(sym,string) string,
- foreach_acl_fa_error
-#undef _
-};
-/* *INDENT-ON* */
-
-static int
-acl_fa_ifc_has_sessions (acl_main_t * am, int sw_if_index0)
-{
- return am->fa_sessions_hash_is_initialized;
-}
-
-static int
-acl_fa_ifc_has_in_acl (acl_main_t * am, int sw_if_index0)
-{
- int it_has = clib_bitmap_get (am->fa_in_acl_on_sw_if_index, sw_if_index0);
- return it_has;
-}
-
-static int
-acl_fa_ifc_has_out_acl (acl_main_t * am, int sw_if_index0)
-{
- int it_has = clib_bitmap_get (am->fa_out_acl_on_sw_if_index, sw_if_index0);
- return it_has;
-}
-
-/* Session keys match the packets received, and mirror the packets sent */
-static u32
-acl_make_5tuple_session_key (acl_main_t * am, int is_input, int is_ip6,
- u32 sw_if_index, fa_5tuple_t * p5tuple_pkt,
- fa_5tuple_t * p5tuple_sess)
-{
- int src_index = is_input ? 0 : 1;
- int dst_index = is_input ? 1 : 0;
- u32 valid_new_sess = 1;
- p5tuple_sess->addr[src_index] = p5tuple_pkt->addr[0];
- p5tuple_sess->addr[dst_index] = p5tuple_pkt->addr[1];
- p5tuple_sess->l4.as_u64 = p5tuple_pkt->l4.as_u64;
-
- if (PREDICT_TRUE(p5tuple_pkt->l4.proto != icmp_protos[is_ip6]))
- {
- p5tuple_sess->l4.port[src_index] = p5tuple_pkt->l4.port[0];
- p5tuple_sess->l4.port[dst_index] = p5tuple_pkt->l4.port[1];
- }
- else
- {
- static const u8 * icmp_invmap[] = { icmp4_invmap, icmp6_invmap };
- static const u8 * icmp_valid_new[] = { icmp4_valid_new, icmp6_valid_new };
- static const u8 icmp_invmap_size[] = { sizeof(icmp4_invmap),
- sizeof(icmp6_invmap) };
- static const u8 icmp_valid_new_size[] = { sizeof(icmp4_valid_new),
- sizeof(icmp6_valid_new) };
- int type = is_ip6 ? p5tuple_pkt->l4.port[0]-128: p5tuple_pkt->l4.port[0];
-
- p5tuple_sess->l4.port[0] = p5tuple_pkt->l4.port[0];
- p5tuple_sess->l4.port[1] = p5tuple_pkt->l4.port[1];
-
- /*
- * Invert ICMP type for valid icmp_invmap messages:
- * 1) input node with outbound ACL interface
- * 2) output node with inbound ACL interface
- *
- */
- if ((is_input && acl_fa_ifc_has_out_acl(am, sw_if_index)) ||
- (!is_input && acl_fa_ifc_has_in_acl(am, sw_if_index)))
- {
- if (type >= 0 &&
- type <= icmp_invmap_size[is_ip6] &&
- icmp_invmap[is_ip6][type])
- {
- p5tuple_sess->l4.port[0] = icmp_invmap[is_ip6][type] - 1;
- }
- }
-
- /*
- * ONLY ICMP messages defined in icmp4_valid_new/icmp6_valid_new table
- * are allowed to create stateful ACL.
- * The other messages will be forwarded without creating a reflexive ACL.
- */
- if (type < 0 ||
- type > icmp_valid_new_size[is_ip6] ||
- !icmp_valid_new[is_ip6][type])
- {
- valid_new_sess = 0;
- }
- }
-
- return valid_new_sess;
-}
-
-
-static int
-fa_session_get_timeout_type (acl_main_t * am, fa_session_t * sess)
-{
- /* seen both SYNs and ACKs but not FINs means we are in establshed state */
- u16 masked_flags =
- sess->tcp_flags_seen.as_u16 & ((TCP_FLAGS_RSTFINACKSYN << 8) +
- TCP_FLAGS_RSTFINACKSYN);
- switch (sess->info.l4.proto)
- {
- case IPPROTO_TCP:
- if (((TCP_FLAGS_ACKSYN << 8) + TCP_FLAGS_ACKSYN) == masked_flags)
- {
- return ACL_TIMEOUT_TCP_IDLE;
- }
- else
- {
- return ACL_TIMEOUT_TCP_TRANSIENT;
- }
- break;
- case IPPROTO_UDP:
- return ACL_TIMEOUT_UDP_IDLE;
- break;
- default:
- return ACL_TIMEOUT_UDP_IDLE;
- }
-}
-
-
-static u64
-fa_session_get_shortest_timeout(acl_main_t * am)
-{
- int timeout_type;
- u64 timeout = ~0LL;
- for(timeout_type = 0; timeout_type < ACL_N_TIMEOUTS; timeout_type++) {
- if (timeout > am->session_timeout_sec[timeout_type]) {
- timeout = am->session_timeout_sec[timeout_type];
- }
- }
- return timeout;
-}
-
-/*
- * Get the timeout of the session in a list since its enqueue time.
- */
-
-static u64
-fa_session_get_list_timeout (acl_main_t * am, fa_session_t * sess)
-{
- u64 timeout = am->vlib_main->clib_time.clocks_per_second;
- /*
- * we have the shortest possible timeout type in all the lists
- * (see README-multicore for the rationale)
- */
- timeout *= fa_session_get_shortest_timeout(am);
- return timeout;
-}
-
-/*
- * Get the idle timeout of a session.
- */
-
-static u64
-fa_session_get_timeout (acl_main_t * am, fa_session_t * sess)
-{
- u64 timeout = am->vlib_main->clib_time.clocks_per_second;
- int timeout_type = fa_session_get_timeout_type (am, sess);
- timeout *= am->session_timeout_sec[timeout_type];
- return timeout;
-}
-
-static void
-acl_fa_verify_init_sessions (acl_main_t * am)
-{
- if (!am->fa_sessions_hash_is_initialized) {
- u16 wk;
- /* Allocate the per-worker sessions pools */
- for (wk = 0; wk < vec_len (am->per_worker_data); wk++) {
- acl_fa_per_worker_data_t *pw = &am->per_worker_data[wk];
-
- /*
- * // In lieu of trying to preallocate the pool and its free bitmap, rather use pool_init_fixed
- * pool_alloc_aligned(pw->fa_sessions_pool, am->fa_conn_table_max_entries, CLIB_CACHE_LINE_BYTES);
- * clib_bitmap_validate(pool_header(pw->fa_sessions_pool)->free_bitmap, am->fa_conn_table_max_entries);
- */
- pool_init_fixed(pw->fa_sessions_pool, am->fa_conn_table_max_entries);
- }
-
- /* ... and the interface session hash table */
- BV (clib_bihash_init) (&am->fa_sessions_hash,
- "ACL plugin FA session bihash",
- am->fa_conn_table_hash_num_buckets,
- am->fa_conn_table_hash_memory_size);
- am->fa_sessions_hash_is_initialized = 1;
- }
-}
-
-static inline fa_session_t *get_session_ptr(acl_main_t *am, u16 thread_index, u32 session_index)
-{
- acl_fa_per_worker_data_t *pw = &am->per_worker_data[thread_index];
- fa_session_t *sess = pool_is_free_index (pw->fa_sessions_pool, session_index) ? 0 : pool_elt_at_index(pw->fa_sessions_pool, session_index);
- return sess;
-}
-
-static inline int is_valid_session_ptr(acl_main_t *am, u16 thread_index, fa_session_t *sess)
-{
- acl_fa_per_worker_data_t *pw = &am->per_worker_data[thread_index];
- return ((sess != 0) && ((sess - pw->fa_sessions_pool) < pool_len(pw->fa_sessions_pool)));
-}
-
-static void
-acl_fa_conn_list_add_session (acl_main_t * am, fa_full_session_id_t sess_id, u64 now)
-{
- fa_session_t *sess = get_session_ptr(am, sess_id.thread_index, sess_id.session_index);
- u8 list_id = fa_session_get_timeout_type(am, sess);
- uword thread_index = os_get_thread_index ();
- acl_fa_per_worker_data_t *pw = &am->per_worker_data[thread_index];
- /* the retrieved session thread index must be necessarily the same as the one in the key */
- ASSERT (sess->thread_index == sess_id.thread_index);
- /* the retrieved session thread index must be the same as current thread */
- ASSERT (sess->thread_index == thread_index);
- sess->link_enqueue_time = now;
- sess->link_list_id = list_id;
- sess->link_next_idx = ~0;
- sess->link_prev_idx = pw->fa_conn_list_tail[list_id];
- if (~0 != pw->fa_conn_list_tail[list_id]) {
- fa_session_t *prev_sess = get_session_ptr(am, thread_index, pw->fa_conn_list_tail[list_id]);
- prev_sess->link_next_idx = sess_id.session_index;
- /* We should never try to link with a session on another thread */
- ASSERT(prev_sess->thread_index == sess->thread_index);
- }
- pw->fa_conn_list_tail[list_id] = sess_id.session_index;
-
-#ifdef FA_NODE_VERBOSE_DEBUG
- clib_warning("FA-SESSION-DEBUG: add session id %d on thread %d sw_if_index %d", sess_id.session_index, thread_index, sess->sw_if_index);
-#endif
- pw->serviced_sw_if_index_bitmap = clib_bitmap_set(pw->serviced_sw_if_index_bitmap, sess->sw_if_index, 1);
-
- if (~0 == pw->fa_conn_list_head[list_id]) {
- pw->fa_conn_list_head[list_id] = sess_id.session_index;
- }
-}
-
-static int
-acl_fa_conn_list_delete_session (acl_main_t *am, fa_full_session_id_t sess_id)
-{
- uword thread_index = os_get_thread_index ();
- acl_fa_per_worker_data_t *pw = &am->per_worker_data[thread_index];
- if (thread_index != sess_id.thread_index) {
- /* If another thread attempts to delete the session, fail it. */
-#ifdef FA_NODE_VERBOSE_DEBUG
- clib_warning("thread id in key %d != curr thread index, not deleting");
-#endif
- return 0;
- }
- fa_session_t *sess = get_session_ptr(am, sess_id.thread_index, sess_id.session_index);
- /* we should never try to delete the session with another thread index */
- ASSERT(sess->thread_index == thread_index);
- if (~0 != sess->link_prev_idx) {
- fa_session_t *prev_sess = get_session_ptr(am, thread_index, sess->link_prev_idx);
- /* the previous session must be in the same list as this one */
- ASSERT(prev_sess->link_list_id == sess->link_list_id);
- prev_sess->link_next_idx = sess->link_next_idx;
- }
- if (~0 != sess->link_next_idx) {
- fa_session_t *next_sess = get_session_ptr(am, thread_index, sess->link_next_idx);
- /* The next session must be in the same list as the one we are deleting */
- ASSERT(next_sess->link_list_id == sess->link_list_id);
- next_sess->link_prev_idx = sess->link_prev_idx;
- }
- if (pw->fa_conn_list_head[sess->link_list_id] == sess_id.session_index) {
- pw->fa_conn_list_head[sess->link_list_id] = sess->link_next_idx;
- }
- if (pw->fa_conn_list_tail[sess->link_list_id] == sess_id.session_index) {
- pw->fa_conn_list_tail[sess->link_list_id] = sess->link_prev_idx;
- }
- return 1;
-}
-
-static int
-acl_fa_restart_timer_for_session (acl_main_t * am, u64 now, fa_full_session_id_t sess_id)
-{
- if (acl_fa_conn_list_delete_session(am, sess_id)) {
- acl_fa_conn_list_add_session(am, sess_id, now);
- return 1;
- } else {
- /*
- * Our thread does not own this connection, so we can not delete
- * The session. To avoid the complicated signaling, we simply
- * pick the list waiting time to be the shortest of the timeouts.
- * This way we do not have to do anything special, and let
- * the regular requeue check take care of everything.
- */
- return 0;
- }
-}
-
-
-static u8
-acl_fa_track_session (acl_main_t * am, int is_input, u32 sw_if_index, u64 now,
- fa_session_t * sess, fa_5tuple_t * pkt_5tuple)
-{
- sess->last_active_time = now;
- if (pkt_5tuple->pkt.tcp_flags_valid)
- {
- sess->tcp_flags_seen.as_u8[is_input] |= pkt_5tuple->pkt.tcp_flags;
- }
- return 3;
-}
-
-
-static void
-acl_fa_delete_session (acl_main_t * am, u32 sw_if_index, fa_full_session_id_t sess_id)
-{
- void *oldheap = clib_mem_set_heap(am->acl_mheap);
- fa_session_t *sess = get_session_ptr(am, sess_id.thread_index, sess_id.session_index);
- ASSERT(sess->thread_index == os_get_thread_index ());
- BV (clib_bihash_add_del) (&am->fa_sessions_hash,
- &sess->info.kv, 0);
- acl_fa_per_worker_data_t *pw = &am->per_worker_data[sess_id.thread_index];
- pool_put_index (pw->fa_sessions_pool, sess_id.session_index);
- /* Deleting from timer structures not needed,
- as the caller must have dealt with the timers. */
- vec_validate (pw->fa_session_dels_by_sw_if_index, sw_if_index);
- clib_mem_set_heap (oldheap);
- pw->fa_session_dels_by_sw_if_index[sw_if_index]++;
- clib_smp_atomic_add(&am->fa_session_total_dels, 1);
-}
-
-static int
-acl_fa_can_add_session (acl_main_t * am, int is_input, u32 sw_if_index)
-{
- u64 curr_sess_count;
- curr_sess_count = am->fa_session_total_adds - am->fa_session_total_dels;
- return (curr_sess_count < am->fa_conn_table_max_entries);
-}
-
-static u64
-acl_fa_get_list_head_expiry_time(acl_main_t *am, acl_fa_per_worker_data_t *pw, u64 now, u16 thread_index, int timeout_type)
-{
- fa_session_t *sess = get_session_ptr(am, thread_index, pw->fa_conn_list_head[timeout_type]);
- /*
- * We can not check just the index here because inbetween the worker thread might
- * dequeue the connection from the head just as we are about to check it.
- */
- if (!is_valid_session_ptr(am, thread_index, sess)) {
- return ~0LL; // infinity.
- } else {
- u64 timeout_time =
- sess->link_enqueue_time + fa_session_get_list_timeout (am, sess);
- return timeout_time;
- }
-}
-
-static int
-acl_fa_conn_time_to_check (acl_main_t *am, acl_fa_per_worker_data_t *pw, u64 now, u16 thread_index, u32 session_index)
-{
- fa_session_t *sess = get_session_ptr(am, thread_index, session_index);
- u64 timeout_time =
- sess->link_enqueue_time + fa_session_get_list_timeout (am, sess);
- return (timeout_time < now) || (sess->link_enqueue_time <= pw->swipe_end_time);
-}
-
-/*
- * see if there are sessions ready to be checked,
- * do the maintenance (requeue or delete), and
- * return the total number of sessions reclaimed.
- */
-static int
-acl_fa_check_idle_sessions(acl_main_t *am, u16 thread_index, u64 now)
-{
- acl_fa_per_worker_data_t *pw = &am->per_worker_data[thread_index];
- fa_full_session_id_t fsid;
- fsid.thread_index = thread_index;
- int total_expired = 0;
-
- {
- u8 tt = 0;
- for(tt = 0; tt < ACL_N_TIMEOUTS; tt++) {
- while((vec_len(pw->expired) < am->fa_max_deleted_sessions_per_interval)
- && (~0 != pw->fa_conn_list_head[tt])
- && (acl_fa_conn_time_to_check(am, pw, now, thread_index,
- pw->fa_conn_list_head[tt]))) {
- fsid.session_index = pw->fa_conn_list_head[tt];
- elog_acl_maybe_trace_X2(am, "acl_fa_check_idle_sessions: expire session %d on thread %d", "i4i4", (u32)fsid.session_index, (u32)thread_index);
- vec_add1(pw->expired, fsid.session_index);
- acl_fa_conn_list_delete_session(am, fsid);
- }
- }
- }
-
- u32 *psid = NULL;
- vec_foreach (psid, pw->expired)
- {
- fsid.session_index = *psid;
- if (!pool_is_free_index (pw->fa_sessions_pool, fsid.session_index))
- {
- fa_session_t *sess = get_session_ptr(am, thread_index, fsid.session_index);
- u32 sw_if_index = sess->sw_if_index;
- u64 sess_timeout_time =
- sess->last_active_time + fa_session_get_timeout (am, sess);
- if ((now < sess_timeout_time) && (0 == clib_bitmap_get(pw->pending_clear_sw_if_index_bitmap, sw_if_index)))
- {
-#ifdef FA_NODE_VERBOSE_DEBUG
- clib_warning ("ACL_FA_NODE_CLEAN: Restarting timer for session %d, sw_if_index %d",
- (int) fsid.session_index, sess->sw_if_index);
-#endif
- /* There was activity on the session, so the idle timeout
- has not passed. Enqueue for another time period. */
-
- acl_fa_conn_list_add_session(am, fsid, now);
- pw->cnt_session_timer_restarted++;
- }
- else
- {
-#ifdef FA_NODE_VERBOSE_DEBUG
- clib_warning ("ACL_FA_NODE_CLEAN: Deleting session %d, sw_if_index %d",
- (int) fsid.session_index, sess->sw_if_index);
-#endif
- acl_fa_delete_session (am, sw_if_index, fsid);
- pw->cnt_deleted_sessions++;
- }
- }
- else
- {
- pw->cnt_already_deleted_sessions++;
- }
- }
- total_expired = vec_len(pw->expired);
- /* zero out the vector which we have acted on */
- if (pw->expired)
- _vec_len (pw->expired) = 0;
- /* if we were advancing and reached the end
- * (no more sessions to recycle), reset the fast-forward timestamp */
-
- if (pw->swipe_end_time && 0 == total_expired)
- pw->swipe_end_time = 0;
- return (total_expired);
-}
-
-always_inline void
-acl_fa_try_recycle_session (acl_main_t * am, int is_input, u16 thread_index, u32 sw_if_index)
-{
- /* try to recycle a TCP transient session */
- acl_fa_per_worker_data_t *pw = &am->per_worker_data[thread_index];
- u8 timeout_type = ACL_TIMEOUT_TCP_TRANSIENT;
- fa_full_session_id_t sess_id;
- sess_id.session_index = pw->fa_conn_list_head[timeout_type];
- if (~0 != sess_id.session_index) {
- sess_id.thread_index = thread_index;
- acl_fa_conn_list_delete_session(am, sess_id);
- acl_fa_delete_session(am, sw_if_index, sess_id);
- }
-}
-
-static fa_session_t *
-acl_fa_add_session (acl_main_t * am, int is_input, u32 sw_if_index, u64 now,
- fa_5tuple_t * p5tuple, u16 current_policy_epoch)
-{
- clib_bihash_kv_40_8_t *pkv = &p5tuple->kv;
- clib_bihash_kv_40_8_t kv;
- fa_full_session_id_t f_sess_id;
- uword thread_index = os_get_thread_index();
- void *oldheap = clib_mem_set_heap(am->acl_mheap);
- acl_fa_per_worker_data_t *pw = &am->per_worker_data[thread_index];
-
- f_sess_id.thread_index = thread_index;
- fa_session_t *sess;
-
- pool_get_aligned (pw->fa_sessions_pool, sess, CLIB_CACHE_LINE_BYTES);
- f_sess_id.session_index = sess - pw->fa_sessions_pool;
- f_sess_id.intf_policy_epoch = current_policy_epoch;
-
- kv.key[0] = pkv->key[0];
- kv.key[1] = pkv->key[1];
- kv.key[2] = pkv->key[2];
- kv.key[3] = pkv->key[3];
- kv.key[4] = pkv->key[4];
- kv.value = f_sess_id.as_u64;
-
- memcpy (sess, pkv, sizeof (pkv->key));
- sess->last_active_time = now;
- sess->sw_if_index = sw_if_index;
- sess->tcp_flags_seen.as_u16 = 0;
- sess->thread_index = thread_index;
- sess->link_list_id = ~0;
- sess->link_prev_idx = ~0;
- sess->link_next_idx = ~0;
-
-
-
- ASSERT(am->fa_sessions_hash_is_initialized == 1);
- BV (clib_bihash_add_del) (&am->fa_sessions_hash,
- &kv, 1);
- acl_fa_conn_list_add_session(am, f_sess_id, now);
-
- vec_validate (pw->fa_session_adds_by_sw_if_index, sw_if_index);
- clib_mem_set_heap (oldheap);
- pw->fa_session_adds_by_sw_if_index[sw_if_index]++;
- clib_smp_atomic_add(&am->fa_session_total_adds, 1);
- return sess;
-}
-
-static int
-acl_fa_find_session (acl_main_t * am, u32 sw_if_index0, fa_5tuple_t * p5tuple,
- clib_bihash_kv_40_8_t * pvalue_sess)
-{
- return (clib_bihash_search_40_8 (&am->fa_sessions_hash, &p5tuple->kv, pvalue_sess) == 0);
-}
-
-
-always_inline uword
-acl_fa_node_fn (vlib_main_t * vm,
- vlib_node_runtime_t * node, vlib_frame_t * frame, int is_ip6,
- int is_input, int is_l2_path, u32 * l2_feat_next_node_index,
- vlib_node_registration_t * acl_fa_node)
-{
- u32 n_left_from, *from, *to_next;
- acl_fa_next_t next_index;
- u32 pkts_acl_checked = 0;
- u32 pkts_new_session = 0;
- u32 pkts_exist_session = 0;
- u32 pkts_acl_permit = 0;
- u32 pkts_restart_session_timer = 0;
- u32 trace_bitmap = 0;
- acl_main_t *am = &acl_main;
- fa_5tuple_t fa_5tuple, kv_sess;
- clib_bihash_kv_40_8_t value_sess;
- vlib_node_runtime_t *error_node;
- u64 now = clib_cpu_time_now ();
- uword thread_index = os_get_thread_index ();
- acl_fa_per_worker_data_t *pw = &am->per_worker_data[thread_index];
-
- from = vlib_frame_vector_args (frame);
- n_left_from = frame->n_vectors;
- next_index = node->cached_next_index;
-
- error_node = vlib_node_get_runtime (vm, acl_fa_node->index);
-
- while (n_left_from > 0)
- {
- u32 n_left_to_next;
-
- vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
-
- while (n_left_from > 0 && n_left_to_next > 0)
- {
- u32 bi0;
- vlib_buffer_t *b0;
- u32 next0 = 0;
- u8 action = 0;
- u32 sw_if_index0;
- u32 lc_index0;
- int acl_check_needed = 1;
- u32 match_acl_in_index = ~0;
- u32 match_acl_pos = ~0;
- u32 match_rule_index = ~0;
- u8 error0 = 0;
- u32 valid_new_sess;
-
- /* speculatively enqueue b0 to the current next frame */
- bi0 = from[0];
- to_next[0] = bi0;
- from += 1;
- to_next += 1;
- n_left_from -= 1;
- n_left_to_next -= 1;
-
- b0 = vlib_get_buffer (vm, bi0);
-
- if (is_input)
- sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
- else
- sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_TX];
-
- if (is_input)
- lc_index0 = am->input_lc_index_by_sw_if_index[sw_if_index0];
- else
- lc_index0 = am->output_lc_index_by_sw_if_index[sw_if_index0];
-
- u32 **p_epoch_vec = is_input ? &am->input_policy_epoch_by_sw_if_index
- : &am->output_policy_epoch_by_sw_if_index;
- u16 current_policy_epoch = sw_if_index0 < vec_len(*p_epoch_vec) ? vec_elt(*p_epoch_vec, sw_if_index0) : (is_input * FA_POLICY_EPOCH_IS_INPUT);
- /*
- * Extract the L3/L4 matching info into a 5-tuple structure,
- * then create a session key whose layout is independent on forward or reverse
- * direction of the packet.
- */
-
- acl_plugin_fill_5tuple_inline (lc_index0, b0, is_ip6, is_input, is_l2_path, (fa_5tuple_opaque_t *)&fa_5tuple);
- fa_5tuple.l4.lsb_of_sw_if_index = sw_if_index0 & 0xffff;
- valid_new_sess = acl_make_5tuple_session_key (am, is_input, is_ip6, sw_if_index0, &fa_5tuple, &kv_sess);
- // XXDEL fa_5tuple.pkt.is_input = is_input;
- fa_5tuple.pkt.mask_type_index_lsb = ~0;
-#ifdef FA_NODE_VERBOSE_DEBUG
- clib_warning
- ("ACL_FA_NODE_DBG: session 5-tuple %016llx %016llx %016llx %016llx %016llx %016llx",
- kv_sess.kv.key[0], kv_sess.kv.key[1], kv_sess.kv.key[2],
- kv_sess.kv.key[3], kv_sess.kv.key[4], kv_sess.kv.value);
- clib_warning
- ("ACL_FA_NODE_DBG: packet 5-tuple %016llx %016llx %016llx %016llx %016llx %016llx",
- fa_5tuple.kv.key[0], fa_5tuple.kv.key[1], fa_5tuple.kv.key[2],
- fa_5tuple.kv.key[3], fa_5tuple.kv.key[4], fa_5tuple.kv.value);
-#endif
-
- /* Try to match an existing session first */
-
- if (acl_fa_ifc_has_sessions (am, sw_if_index0))
- {
- if (acl_fa_find_session
- (am, sw_if_index0, &kv_sess, &value_sess))
- {
- trace_bitmap |= 0x80000000;
- error0 = ACL_FA_ERROR_ACL_EXIST_SESSION;
- fa_full_session_id_t f_sess_id;
-
- f_sess_id.as_u64 = value_sess.value;
- ASSERT(f_sess_id.thread_index < vec_len(vlib_mains));
-
- fa_session_t *sess = get_session_ptr(am, f_sess_id.thread_index, f_sess_id.session_index);
- int old_timeout_type =
- fa_session_get_timeout_type (am, sess);
- action =
- acl_fa_track_session (am, is_input, sw_if_index0, now,
- sess, &fa_5tuple);
- /* expose the session id to the tracer */
- match_rule_index = f_sess_id.session_index;
- int new_timeout_type =
- fa_session_get_timeout_type (am, sess);
- acl_check_needed = 0;
- pkts_exist_session += 1;
- /* Tracking might have changed the session timeout type, e.g. from transient to established */
- if (PREDICT_FALSE (old_timeout_type != new_timeout_type))
- {
- acl_fa_restart_timer_for_session (am, now, f_sess_id);
- pkts_restart_session_timer++;
- trace_bitmap |=
- 0x00010000 + ((0xff & old_timeout_type) << 8) +
- (0xff & new_timeout_type);
- }
- /*
- * I estimate the likelihood to be very low - the VPP needs
- * to have >64K interfaces to start with and then on
- * exactly 64K indices apart needs to be exactly the same
- * 5-tuple... Anyway, since this probability is nonzero -
- * print an error and drop the unlucky packet.
- * If this shows up in real world, we would need to bump
- * the hash key length.
- */
- if (PREDICT_FALSE(sess->sw_if_index != sw_if_index0)) {
- clib_warning("BUG: session LSB16(sw_if_index) and 5-tuple collision!");
- acl_check_needed = 0;
- action = 0;
- }
- if (PREDICT_FALSE(am->reclassify_sessions)) {
- /* if the MSB of policy epoch matches but not the LSB means it is a stale session */
- if ( (0 == ((current_policy_epoch ^ f_sess_id.intf_policy_epoch) & FA_POLICY_EPOCH_IS_INPUT))
- && (current_policy_epoch != f_sess_id.intf_policy_epoch) ) {
- /* delete session and increment the counter */
- vec_validate (pw->fa_session_epoch_change_by_sw_if_index, sw_if_index0);
- vec_elt (pw->fa_session_epoch_change_by_sw_if_index, sw_if_index0)++;
- if(acl_fa_conn_list_delete_session(am, f_sess_id)) {
- /* delete the session only if we were able to unlink it */
- acl_fa_delete_session (am, sw_if_index0, f_sess_id);
- }
- acl_check_needed = 1;
- trace_bitmap |= 0x40000000;
- }
- }
- }
- }
-
- if (acl_check_needed)
- {
- action = 0; /* deny by default */
- acl_plugin_match_5tuple_inline (lc_index0, (fa_5tuple_opaque_t *)&fa_5tuple,
- is_ip6, &action, &match_acl_pos, &match_acl_in_index,
- &match_rule_index, &trace_bitmap);
- error0 = action;
- if (1 == action)
- pkts_acl_permit += 1;
- if (2 == action)
- {
- if (!acl_fa_can_add_session (am, is_input, sw_if_index0))
- acl_fa_try_recycle_session (am, is_input, thread_index, sw_if_index0);
-
- if (acl_fa_can_add_session (am, is_input, sw_if_index0))
- {
- if (PREDICT_TRUE (valid_new_sess)) {
- fa_session_t *sess = acl_fa_add_session (am, is_input,
- sw_if_index0,
- now, &kv_sess, current_policy_epoch);
- acl_fa_track_session (am, is_input, sw_if_index0, now,
- sess, &fa_5tuple);
- pkts_new_session += 1;
- } else {
- /*
- * ICMP packets with non-icmp_valid_new type will be
- * forwared without being dropped.
- */
- action = 1;
- pkts_acl_permit += 1;
- }
- }
- else
- {
- action = 0;
- error0 = ACL_FA_ERROR_ACL_TOO_MANY_SESSIONS;
- }
- }
- }
-
-
-
- if (action > 0)
- {
- if (is_l2_path)
- next0 = vnet_l2_feature_next (b0, l2_feat_next_node_index, 0);
- else
- vnet_feature_next (sw_if_index0, &next0, b0);
- }
-#ifdef FA_NODE_VERBOSE_DEBUG
- clib_warning("ACL_FA_NODE_DBG: sw_if_index %d lc_index %d action %d acl_index %d rule_index %d", sw_if_index0, lc_index0, action, match_acl_in_index, match_rule_index);
-#endif
-
- if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
- && (b0->flags & VLIB_BUFFER_IS_TRACED)))
- {
- acl_fa_trace_t *t = vlib_add_trace (vm, node, b0, sizeof (*t));
- t->sw_if_index = sw_if_index0;
- t->lc_index = lc_index0;
- t->next_index = next0;
- t->match_acl_in_index = match_acl_in_index;
- t->match_rule_index = match_rule_index;
- t->packet_info[0] = fa_5tuple.kv.key[0];
- t->packet_info[1] = fa_5tuple.kv.key[1];
- t->packet_info[2] = fa_5tuple.kv.key[2];
- t->packet_info[3] = fa_5tuple.kv.key[3];
- t->packet_info[4] = fa_5tuple.kv.key[4];
- t->packet_info[5] = fa_5tuple.kv.value;
- t->action = action;
- t->trace_bitmap = trace_bitmap;
- }
-
- next0 = next0 < node->n_next_nodes ? next0 : 0;
- if (0 == next0)
- b0->error = error_node->errors[error0];
-
- pkts_acl_checked += 1;
-
- /* verify speculative enqueue, maybe switch current next frame */
- vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
- to_next, n_left_to_next, bi0,
- next0);
- }
-
- vlib_put_next_frame (vm, node, next_index, n_left_to_next);
- }
-
- vlib_node_increment_counter (vm, acl_fa_node->index,
- ACL_FA_ERROR_ACL_CHECK, pkts_acl_checked);
- vlib_node_increment_counter (vm, acl_fa_node->index,
- ACL_FA_ERROR_ACL_PERMIT, pkts_acl_permit);
- vlib_node_increment_counter (vm, acl_fa_node->index,
- ACL_FA_ERROR_ACL_NEW_SESSION,
- pkts_new_session);
- vlib_node_increment_counter (vm, acl_fa_node->index,
- ACL_FA_ERROR_ACL_EXIST_SESSION,
- pkts_exist_session);
- vlib_node_increment_counter (vm, acl_fa_node->index,
- ACL_FA_ERROR_ACL_RESTART_SESSION_TIMER,
- pkts_restart_session_timer);
- return frame->n_vectors;
-}
-
-
-vlib_node_registration_t acl_in_l2_ip6_node;
-static uword
-acl_in_ip6_l2_node_fn (vlib_main_t * vm,
- vlib_node_runtime_t * node, vlib_frame_t * frame)
-{
- acl_main_t *am = &acl_main;
- return acl_fa_node_fn (vm, node, frame, 1, 1, 1,
- am->fa_acl_in_ip6_l2_node_feat_next_node_index,
- &acl_in_l2_ip6_node);
-}
-
-vlib_node_registration_t acl_in_l2_ip4_node;
-static uword
-acl_in_ip4_l2_node_fn (vlib_main_t * vm,
- vlib_node_runtime_t * node, vlib_frame_t * frame)
-{
- acl_main_t *am = &acl_main;
- return acl_fa_node_fn (vm, node, frame, 0, 1, 1,
- am->fa_acl_in_ip4_l2_node_feat_next_node_index,
- &acl_in_l2_ip4_node);
-}
-
-vlib_node_registration_t acl_out_l2_ip6_node;
-static uword
-acl_out_ip6_l2_node_fn (vlib_main_t * vm,
- vlib_node_runtime_t * node, vlib_frame_t * frame)
-{
- acl_main_t *am = &acl_main;
- return acl_fa_node_fn (vm, node, frame, 1, 0, 1,
- am->fa_acl_out_ip6_l2_node_feat_next_node_index,
- &acl_out_l2_ip6_node);
-}
-
-vlib_node_registration_t acl_out_l2_ip4_node;
-static uword
-acl_out_ip4_l2_node_fn (vlib_main_t * vm,
- vlib_node_runtime_t * node, vlib_frame_t * frame)
-{
- acl_main_t *am = &acl_main;
- return acl_fa_node_fn (vm, node, frame, 0, 0, 1,
- am->fa_acl_out_ip4_l2_node_feat_next_node_index,
- &acl_out_l2_ip4_node);
-}
-
-
-/**** L3 processing path nodes ****/
-
-
-vlib_node_registration_t acl_in_fa_ip6_node;
-static uword
-acl_in_ip6_fa_node_fn (vlib_main_t * vm,
- vlib_node_runtime_t * node, vlib_frame_t * frame)
-{
- return acl_fa_node_fn (vm, node, frame, 1, 1, 0, 0, &acl_in_fa_ip6_node);
-}
-
-vlib_node_registration_t acl_in_fa_ip4_node;
-static uword
-acl_in_ip4_fa_node_fn (vlib_main_t * vm,
- vlib_node_runtime_t * node, vlib_frame_t * frame)
-{
- return acl_fa_node_fn (vm, node, frame, 0, 1, 0, 0, &acl_in_fa_ip4_node);
-}
-
-vlib_node_registration_t acl_out_fa_ip6_node;
-static uword
-acl_out_ip6_fa_node_fn (vlib_main_t * vm,
- vlib_node_runtime_t * node, vlib_frame_t * frame)
-{
- return acl_fa_node_fn (vm, node, frame, 1, 0, 0, 0, &acl_out_fa_ip6_node);
-}
-
-vlib_node_registration_t acl_out_fa_ip4_node;
-static uword
-acl_out_ip4_fa_node_fn (vlib_main_t * vm,
- vlib_node_runtime_t * node, vlib_frame_t * frame)
-{
- return acl_fa_node_fn (vm, node, frame, 0, 0, 0, 0, &acl_out_fa_ip4_node);
-}
-
-/*
- * This process ensures the connection cleanup happens every so often
- * even in absence of traffic, as well as provides general orchestration
- * for requests like connection deletion on a given sw_if_index.
- */
-
-
-/* *INDENT-OFF* */
-#define foreach_acl_fa_cleaner_error \
-_(UNKNOWN_EVENT, "unknown event received") \
-/* end of errors */
-
-typedef enum
-{
-#define _(sym,str) ACL_FA_CLEANER_ERROR_##sym,
- foreach_acl_fa_cleaner_error
-#undef _
- ACL_FA_CLEANER_N_ERROR,
-} acl_fa_cleaner_error_t;
-
-static char *acl_fa_cleaner_error_strings[] = {
-#define _(sym,string) string,
- foreach_acl_fa_cleaner_error
-#undef _
-};
-
-/* *INDENT-ON* */
-
-static vlib_node_registration_t acl_fa_session_cleaner_process_node;
-static vlib_node_registration_t acl_fa_worker_session_cleaner_process_node;
-
-/*
- * Per-worker thread interrupt-driven cleaner thread
- * to clean idle connections if there are no packets
- */
-static uword
-acl_fa_worker_conn_cleaner_process(vlib_main_t * vm,
- vlib_node_runtime_t * rt, vlib_frame_t * f)
-{
- acl_main_t *am = &acl_main;
- u64 now = clib_cpu_time_now ();
- u16 thread_index = os_get_thread_index ();
- acl_fa_per_worker_data_t *pw = &am->per_worker_data[thread_index];
- int num_expired;
- elog_acl_maybe_trace_X1(am, "acl_fa_worker_conn_cleaner interrupt: now %lu", "i8", now);
- /* allow another interrupt to be queued */
- pw->interrupt_is_pending = 0;
- if (pw->clear_in_process) {
- if (0 == pw->swipe_end_time) {
- /*
- * Someone has just set the flag to start clearing.
- * we do this by combing through the connections up to a "time T"
- * which is now, and requeueing everything except the expired
- * connections and those matching the interface(s) being cleared.
- */
-
- /*
- * first filter the sw_if_index bitmap that they want from us, by
- * a bitmap of sw_if_index for which we actually have connections.
- */
- if ((pw->pending_clear_sw_if_index_bitmap == 0)
- || (pw->serviced_sw_if_index_bitmap == 0)) {
- elog_acl_maybe_trace_X1(am, "acl_fa_worker_conn_cleaner: now %lu, someone tried to call clear but one of the bitmaps are empty", "i8", now);
- clib_bitmap_zero(pw->pending_clear_sw_if_index_bitmap);
- } else {
-#ifdef FA_NODE_VERBOSE_DEBUG
- clib_warning("WORKER-CLEAR: (before and) swiping sw-if-index bitmap: %U, my serviced bitmap %U",
- format_bitmap_hex, pw->pending_clear_sw_if_index_bitmap,
- format_bitmap_hex, pw->serviced_sw_if_index_bitmap);
-#endif
- pw->pending_clear_sw_if_index_bitmap = clib_bitmap_and(pw->pending_clear_sw_if_index_bitmap,
- pw->serviced_sw_if_index_bitmap);
- }
-
- if (clib_bitmap_is_zero(pw->pending_clear_sw_if_index_bitmap)) {
- /* if the cross-section is a zero vector, no need to do anything. */
- elog_acl_maybe_trace_X1(am, "acl_fa_worker_conn_cleaner: now %lu, clearing done, nothing to do", "i8", now);
- pw->clear_in_process = 0;
- } else {
-#ifdef FA_NODE_VERBOSE_DEBUG
- clib_warning("WORKER-CLEAR: swiping sw-if-index bitmap: %U, my serviced bitmap %U",
- format_bitmap_hex, pw->pending_clear_sw_if_index_bitmap,
- format_bitmap_hex, pw->serviced_sw_if_index_bitmap);
-#endif
- elog_acl_maybe_trace_X1(am, "acl_fa_worker_conn_cleaner: swiping until %lu", "i8", now);
- /* swipe through the connection lists until enqueue timestamps become above "now" */
- pw->swipe_end_time = now;
- }
- }
- }
- num_expired = acl_fa_check_idle_sessions(am, thread_index, now);
- // clib_warning("WORKER-CLEAR: checked %d sessions (clear_in_progress: %d)", num_expired, pw->clear_in_process);
- elog_acl_maybe_trace_X2(am, "acl_fa_worker_conn_cleaner: checked %d sessions (clear_in_process: %d)", "i4i4", (u32)num_expired, (u32)pw->clear_in_process);
- if (pw->clear_in_process) {
- if (0 == num_expired) {
- /* we were clearing but we could not process any more connections. time to stop. */
- clib_bitmap_zero(pw->pending_clear_sw_if_index_bitmap);
- pw->clear_in_process = 0;
- elog_acl_maybe_trace_X1(am, "acl_fa_worker_conn_cleaner: now %lu, clearing done - all done", "i8", now);
- } else {
- elog_acl_maybe_trace_X1(am, "acl_fa_worker_conn_cleaner: now %lu, more work to do - requesting interrupt", "i8", now);
- /* should continue clearing.. So could they please sent an interrupt again? */
- pw->interrupt_is_needed = 1;
- }
- } else {
- if (num_expired >= am->fa_max_deleted_sessions_per_interval) {
- /* there was too much work, we should get an interrupt ASAP */
- pw->interrupt_is_needed = 1;
- pw->interrupt_is_unwanted = 0;
- } else if (num_expired <= am->fa_min_deleted_sessions_per_interval) {
- /* signal that they should trigger us less */
- pw->interrupt_is_needed = 0;
- pw->interrupt_is_unwanted = 1;
- } else {
- /* the current rate of interrupts is ok */
- pw->interrupt_is_needed = 0;
- pw->interrupt_is_unwanted = 0;
- }
- elog_acl_maybe_trace_X3(am, "acl_fa_worker_conn_cleaner: now %lu, interrupt needed: %u, interrupt unwanted: %u", "i8i4i4", now, ((u32)pw->interrupt_is_needed), ((u32)pw->interrupt_is_unwanted));
- }
- pw->interrupt_generation = am->fa_interrupt_generation;
- return 0;
-}
-
-static void
-send_one_worker_interrupt (vlib_main_t * vm, acl_main_t *am, int thread_index)
-{
- acl_fa_per_worker_data_t *pw = &am->per_worker_data[thread_index];
- if (!pw->interrupt_is_pending) {
- pw->interrupt_is_pending = 1;
- vlib_node_set_interrupt_pending (vlib_mains[thread_index],
- acl_fa_worker_session_cleaner_process_node.index);
- elog_acl_maybe_trace_X1(am, "send_one_worker_interrupt: send interrupt to worker %d", "i4", ((u32)thread_index));
- /* if the interrupt was requested, mark that done. */
- /* pw->interrupt_is_needed = 0; */
- }
-}
-
-static void
-send_interrupts_to_workers (vlib_main_t * vm, acl_main_t *am)
-{
- int i;
- /* Can't use vec_len(am->per_worker_data) since the threads might not have come up yet; */
- int n_threads = vec_len(vlib_mains);
- for (i = 0; i < n_threads; i++) {
- send_one_worker_interrupt(vm, am, i);
- }
-}
-
-/* centralized process to drive per-worker cleaners */
-static uword
-acl_fa_session_cleaner_process (vlib_main_t * vm, vlib_node_runtime_t * rt,
- vlib_frame_t * f)
-{
- acl_main_t *am = &acl_main;
- u64 now;
- f64 cpu_cps = vm->clib_time.clocks_per_second;
- u64 next_expire;
- /* We should check if there are connections to clean up - at least twice a second */
- u64 max_timer_wait_interval = cpu_cps / 2;
- uword event_type, *event_data = 0;
- acl_fa_per_worker_data_t *pw0;
-
- am->fa_current_cleaner_timer_wait_interval = max_timer_wait_interval;
- am->fa_cleaner_node_index = acl_fa_session_cleaner_process_node.index;
- am->fa_interrupt_generation = 1;
- while (1)
- {
- now = clib_cpu_time_now ();
- next_expire = now + am->fa_current_cleaner_timer_wait_interval;
- int has_pending_conns = 0;
- u16 ti;
- u8 tt;
-
- /*
- * walk over all per-thread list heads of different timeouts,
- * and see if there are any connections pending.
- * If there aren't - we do not need to wake up until the
- * worker code signals that it has added a connection.
- *
- * Also, while we are at it, calculate the earliest we need to wake up.
- */
- for(ti = 0; ti < vec_len(vlib_mains); ti++) {
- if (ti >= vec_len(am->per_worker_data)) {
- continue;
- }
- acl_fa_per_worker_data_t *pw = &am->per_worker_data[ti];
- for(tt = 0; tt < vec_len(pw->fa_conn_list_head); tt++) {
- u64 head_expiry = acl_fa_get_list_head_expiry_time(am, pw, now, ti, tt);
- if ((head_expiry < next_expire) && !pw->interrupt_is_pending) {
- elog_acl_maybe_trace_X3(am, "acl_fa_session_cleaner_process: now %lu, worker: %d tt: %d", "i8i2i2", now, ti, tt);
- elog_acl_maybe_trace_X2(am, "acl_fa_session_cleaner_process: head expiry: %lu, is earlier than curr next expire: %lu", "i8i8", head_expiry, next_expire);
- next_expire = head_expiry;
- }
- if (~0 != pw->fa_conn_list_head[tt]) {
- has_pending_conns = 1;
- }
- }
- }
-
- /* If no pending connections and no ACL applied then no point in timing out */
- if (!has_pending_conns && (0 == am->fa_total_enabled_count))
- {
- am->fa_cleaner_cnt_wait_without_timeout++;
- elog_acl_maybe_trace_X1(am, "acl_conn_cleaner: now %lu entering wait without timeout", "i8", now);
- (void) vlib_process_wait_for_event (vm);
- event_type = vlib_process_get_events (vm, &event_data);
- }
- else
- {
- f64 timeout = ((i64) next_expire - (i64) now) / cpu_cps;
- if (timeout <= 0)
- {
- /* skip waiting altogether */
- event_type = ~0;
- }
- else
- {
- am->fa_cleaner_cnt_wait_with_timeout++;
- elog_acl_maybe_trace_X2(am, "acl_conn_cleaner: now %lu entering wait with timeout %.6f sec", "i8f8", now, timeout);
- (void) vlib_process_wait_for_event_or_clock (vm, timeout);
- event_type = vlib_process_get_events (vm, &event_data);
- }
- }
-
- switch (event_type)
- {
- case ~0:
- /* nothing to do */
- break;
- case ACL_FA_CLEANER_RESCHEDULE:
- /* Nothing to do. */
- break;
- case ACL_FA_CLEANER_DELETE_BY_SW_IF_INDEX:
- {
- uword *clear_sw_if_index_bitmap = 0;
- uword *sw_if_index0;
- int clear_all = 0;
- now = clib_cpu_time_now ();
- elog_acl_maybe_trace_X1(am, "acl_fa_session_cleaner_process: now %lu, received ACL_FA_CLEANER_DELETE_BY_SW_IF_INDEX", "i8", now);
- vec_foreach (sw_if_index0, event_data)
- {
- am->fa_cleaner_cnt_delete_by_sw_index++;
- elog_acl_maybe_trace_X1(am, "acl_fa_session_cleaner_process: ACL_FA_CLEANER_DELETE_BY_SW_IF_INDEX %d", "i4", *sw_if_index0);
- if (*sw_if_index0 == ~0)
- {
- clear_all = 1;
- }
- else
- {
- if (!pool_is_free_index (am->vnet_main->interface_main.sw_interfaces, *sw_if_index0))
- {
- clear_sw_if_index_bitmap = clib_bitmap_set(clear_sw_if_index_bitmap, *sw_if_index0, 1);
- }
- }
- }
-#ifdef FA_NODE_VERBOSE_DEBUG
- clib_warning("ACL_FA_CLEANER_DELETE_BY_SW_IF_INDEX bitmap: %U", format_bitmap_hex, clear_sw_if_index_bitmap);
-#endif
- vec_foreach(pw0, am->per_worker_data) {
- CLIB_MEMORY_BARRIER ();
- while (pw0->clear_in_process) {
- CLIB_MEMORY_BARRIER ();
- elog_acl_maybe_trace_X1(am, "ACL_FA_NODE_CLEAN: waiting previous cleaning cycle to finish on %d", "i4", (u32)(pw0 - am->per_worker_data));
- vlib_process_suspend(vm, 0.0001);
- if (pw0->interrupt_is_needed) {
- send_one_worker_interrupt(vm, am, (pw0 - am->per_worker_data));
- }
- }
- if (pw0->clear_in_process) {
- clib_warning("ERROR-BUG! Could not initiate cleaning on worker because another cleanup in progress");
- } else {
- if (clear_all)
- {
- /* if we need to clear all, then just clear the interfaces that we are servicing */
- pw0->pending_clear_sw_if_index_bitmap = clib_bitmap_dup(pw0->serviced_sw_if_index_bitmap);
- }
- else
- {
- pw0->pending_clear_sw_if_index_bitmap = clib_bitmap_dup(clear_sw_if_index_bitmap);
- }
- pw0->clear_in_process = 1;
- }
- }
- /* send some interrupts so they can start working */
- send_interrupts_to_workers(vm, am);
-
- /* now wait till they all complete */
-#ifdef FA_NODE_VERBOSE_DEBUG
- clib_warning("CLEANER mains len: %d per-worker len: %d", vec_len(vlib_mains), vec_len(am->per_worker_data));
-#endif
- vec_foreach(pw0, am->per_worker_data) {
- CLIB_MEMORY_BARRIER ();
- while (pw0->clear_in_process) {
- CLIB_MEMORY_BARRIER ();
- elog_acl_maybe_trace_X1(am, "ACL_FA_NODE_CLEAN: waiting for my cleaning cycle to finish on %d", "i4", (u32)(pw0 - am->per_worker_data));
- vlib_process_suspend(vm, 0.0001);
- if (pw0->interrupt_is_needed) {
- send_one_worker_interrupt(vm, am, (pw0 - am->per_worker_data));
- }
- }
- }
-#ifdef FA_NODE_VERBOSE_DEBUG
- clib_warning("ACL_FA_NODE_CLEAN: cleaning done");
-#endif
- clib_bitmap_free(clear_sw_if_index_bitmap);
- }
- break;
- default:
-#ifdef FA_NODE_VERBOSE_DEBUG
- clib_warning ("ACL plugin connection cleaner: unknown event %u",
- event_type);
-#endif
- vlib_node_increment_counter (vm,
- acl_fa_session_cleaner_process_node.
- index,
- ACL_FA_CLEANER_ERROR_UNKNOWN_EVENT, 1);
- am->fa_cleaner_cnt_unknown_event++;
- break;
- }
-
- send_interrupts_to_workers(vm, am);
-
- if (event_data)
- _vec_len (event_data) = 0;
-
- /*
- * If the interrupts were not processed yet, ensure we wait a bit,
- * but up to a point.
- */
- int need_more_wait = 0;
- int max_wait_cycles = 100;
- do {
- need_more_wait = 0;
- vec_foreach(pw0, am->per_worker_data) {
- if (pw0->interrupt_generation != am->fa_interrupt_generation) {
- need_more_wait = 1;
- }
- }
- if (need_more_wait) {
- vlib_process_suspend(vm, 0.0001);
- }
- } while (need_more_wait && (--max_wait_cycles > 0));
-
- int interrupts_needed = 0;
- int interrupts_unwanted = 0;
-
- vec_foreach(pw0, am->per_worker_data) {
- if (pw0->interrupt_is_needed) {
- interrupts_needed++;
- /* the per-worker value is reset when sending the interrupt */
- }
- if (pw0->interrupt_is_unwanted) {
- interrupts_unwanted++;
- pw0->interrupt_is_unwanted = 0;
- }
- }
- if (interrupts_needed) {
- /* they need more interrupts, do less waiting around next time */
- am->fa_current_cleaner_timer_wait_interval /= 2;
- /* never go into zero-wait either though - we need to give the space to others */
- am->fa_current_cleaner_timer_wait_interval += 1;
- } else if (interrupts_unwanted) {
- /* slowly increase the amount of sleep up to a limit */
- if (am->fa_current_cleaner_timer_wait_interval < max_timer_wait_interval)
- am->fa_current_cleaner_timer_wait_interval += cpu_cps * am->fa_cleaner_wait_time_increment;
- }
- am->fa_cleaner_cnt_event_cycles++;
- am->fa_interrupt_generation++;
- }
- /* NOT REACHED */
- return 0;
-}
-
-
-void
-acl_fa_enable_disable (u32 sw_if_index, int is_input, int enable_disable)
-{
- acl_main_t *am = &acl_main;
- if (enable_disable) {
- acl_fa_verify_init_sessions(am);
- am->fa_total_enabled_count++;
- void *oldheap = clib_mem_set_heap (am->vlib_main->heap_base);
- vlib_process_signal_event (am->vlib_main, am->fa_cleaner_node_index,
- ACL_FA_CLEANER_RESCHEDULE, 0);
- clib_mem_set_heap (oldheap);
- } else {
- am->fa_total_enabled_count--;
- }
-
- if (is_input)
- {
- ASSERT(clib_bitmap_get(am->fa_in_acl_on_sw_if_index, sw_if_index) != enable_disable);
- void *oldheap = clib_mem_set_heap (am->vlib_main->heap_base);
- vnet_feature_enable_disable ("ip4-unicast", "acl-plugin-in-ip4-fa",
- sw_if_index, enable_disable, 0, 0);
- vnet_feature_enable_disable ("ip6-unicast", "acl-plugin-in-ip6-fa",
- sw_if_index, enable_disable, 0, 0);
- clib_mem_set_heap (oldheap);
- am->fa_in_acl_on_sw_if_index =
- clib_bitmap_set (am->fa_in_acl_on_sw_if_index, sw_if_index,
- enable_disable);
- }
- else
- {
- ASSERT(clib_bitmap_get(am->fa_out_acl_on_sw_if_index, sw_if_index) != enable_disable);
- void *oldheap = clib_mem_set_heap (am->vlib_main->heap_base);
- vnet_feature_enable_disable ("ip4-output", "acl-plugin-out-ip4-fa",
- sw_if_index, enable_disable, 0, 0);
- vnet_feature_enable_disable ("ip6-output", "acl-plugin-out-ip6-fa",
- sw_if_index, enable_disable, 0, 0);
- clib_mem_set_heap (oldheap);
- am->fa_out_acl_on_sw_if_index =
- clib_bitmap_set (am->fa_out_acl_on_sw_if_index, sw_if_index,
- enable_disable);
- }
- if ((!enable_disable) && (!acl_fa_ifc_has_in_acl (am, sw_if_index))
- && (!acl_fa_ifc_has_out_acl (am, sw_if_index)))
- {
-#ifdef FA_NODE_VERBOSE_DEBUG
- clib_warning("ENABLE-DISABLE: clean the connections on interface %d", sw_if_index);
-#endif
- void *oldheap = clib_mem_set_heap (am->vlib_main->heap_base);
- vlib_process_signal_event (am->vlib_main, am->fa_cleaner_node_index,
- ACL_FA_CLEANER_DELETE_BY_SW_IF_INDEX,
- sw_if_index);
- clib_mem_set_heap (oldheap);
- }
-}
-
-void
-show_fa_sessions_hash(vlib_main_t * vm, u32 verbose)
-{
- acl_main_t *am = &acl_main;
- if (am->fa_sessions_hash_is_initialized) {
- vlib_cli_output(vm, "\nSession lookup hash table:\n%U\n\n",
- BV (format_bihash), &am->fa_sessions_hash, verbose);
- } else {
- vlib_cli_output(vm, "\nSession lookup hash table is not allocated.\n\n");
- }
-}
-
-
-/* *INDENT-OFF* */
-
-VLIB_REGISTER_NODE (acl_fa_worker_session_cleaner_process_node, static) = {
- .function = acl_fa_worker_conn_cleaner_process,
- .name = "acl-plugin-fa-worker-cleaner-process",
- .type = VLIB_NODE_TYPE_INPUT,
- .state = VLIB_NODE_STATE_INTERRUPT,
-};
-
-VLIB_REGISTER_NODE (acl_fa_session_cleaner_process_node, static) = {
- .function = acl_fa_session_cleaner_process,
- .type = VLIB_NODE_TYPE_PROCESS,
- .name = "acl-plugin-fa-cleaner-process",
- .n_errors = ARRAY_LEN (acl_fa_cleaner_error_strings),
- .error_strings = acl_fa_cleaner_error_strings,
- .n_next_nodes = 0,
- .next_nodes = {},
-};
-
-
-VLIB_REGISTER_NODE (acl_in_l2_ip6_node) =
-{
- .function = acl_in_ip6_l2_node_fn,
- .name = "acl-plugin-in-ip6-l2",
- .vector_size = sizeof (u32),
- .format_trace = format_acl_fa_trace,
- .type = VLIB_NODE_TYPE_INTERNAL,
- .n_errors = ARRAY_LEN (acl_fa_error_strings),
- .error_strings = acl_fa_error_strings,
- .n_next_nodes = ACL_FA_N_NEXT,
- .next_nodes =
- {
- [ACL_FA_ERROR_DROP] = "error-drop",
- }
-};
-
-VLIB_REGISTER_NODE (acl_in_l2_ip4_node) =
-{
- .function = acl_in_ip4_l2_node_fn,
- .name = "acl-plugin-in-ip4-l2",
- .vector_size = sizeof (u32),
- .format_trace = format_acl_fa_trace,
- .type = VLIB_NODE_TYPE_INTERNAL,
- .n_errors = ARRAY_LEN (acl_fa_error_strings),
- .error_strings = acl_fa_error_strings,
- .n_next_nodes = ACL_FA_N_NEXT,
- .next_nodes =
- {
- [ACL_FA_ERROR_DROP] = "error-drop",
- }
-};
-
-VLIB_REGISTER_NODE (acl_out_l2_ip6_node) =
-{
- .function = acl_out_ip6_l2_node_fn,
- .name = "acl-plugin-out-ip6-l2",
- .vector_size = sizeof (u32),
- .format_trace = format_acl_fa_trace,
- .type = VLIB_NODE_TYPE_INTERNAL,
- .n_errors = ARRAY_LEN (acl_fa_error_strings),
- .error_strings = acl_fa_error_strings,
- .n_next_nodes = ACL_FA_N_NEXT,
- .next_nodes =
- {
- [ACL_FA_ERROR_DROP] = "error-drop",
- }
-};
-
-VLIB_REGISTER_NODE (acl_out_l2_ip4_node) =
-{
- .function = acl_out_ip4_l2_node_fn,
- .name = "acl-plugin-out-ip4-l2",
- .vector_size = sizeof (u32),
- .format_trace = format_acl_fa_trace,
- .type = VLIB_NODE_TYPE_INTERNAL,
- .n_errors = ARRAY_LEN (acl_fa_error_strings),
- .error_strings = acl_fa_error_strings,
- .n_next_nodes = ACL_FA_N_NEXT,
- .next_nodes =
- {
- [ACL_FA_ERROR_DROP] = "error-drop",
- }
-};
-
-
-VLIB_REGISTER_NODE (acl_in_fa_ip6_node) =
-{
- .function = acl_in_ip6_fa_node_fn,
- .name = "acl-plugin-in-ip6-fa",
- .vector_size = sizeof (u32),
- .format_trace = format_acl_fa_trace,
- .type = VLIB_NODE_TYPE_INTERNAL,
- .n_errors = ARRAY_LEN (acl_fa_error_strings),
- .error_strings = acl_fa_error_strings,
- .n_next_nodes = ACL_FA_N_NEXT,
- .next_nodes =
- {
- [ACL_FA_ERROR_DROP] = "error-drop",
- }
-};
-
-VNET_FEATURE_INIT (acl_in_ip6_fa_feature, static) =
-{
- .arc_name = "ip6-unicast",
- .node_name = "acl-plugin-in-ip6-fa",
- .runs_before = VNET_FEATURES ("ip6-flow-classify"),
-};
-
-VLIB_REGISTER_NODE (acl_in_fa_ip4_node) =
-{
- .function = acl_in_ip4_fa_node_fn,
- .name = "acl-plugin-in-ip4-fa",
- .vector_size = sizeof (u32),
- .format_trace = format_acl_fa_trace,
- .type = VLIB_NODE_TYPE_INTERNAL,
- .n_errors = ARRAY_LEN (acl_fa_error_strings),
- .error_strings = acl_fa_error_strings,
- .n_next_nodes = ACL_FA_N_NEXT,
- .next_nodes =
- {
- [ACL_FA_ERROR_DROP] = "error-drop",
- }
-};
-
-VNET_FEATURE_INIT (acl_in_ip4_fa_feature, static) =
-{
- .arc_name = "ip4-unicast",
- .node_name = "acl-plugin-in-ip4-fa",
- .runs_before = VNET_FEATURES ("ip4-flow-classify"),
-};
-
-
-VLIB_REGISTER_NODE (acl_out_fa_ip6_node) =
-{
- .function = acl_out_ip6_fa_node_fn,
- .name = "acl-plugin-out-ip6-fa",
- .vector_size = sizeof (u32),
- .format_trace = format_acl_fa_trace,
- .type = VLIB_NODE_TYPE_INTERNAL,
- .n_errors = ARRAY_LEN (acl_fa_error_strings),
- .error_strings = acl_fa_error_strings,
- .n_next_nodes = ACL_FA_N_NEXT,
- .next_nodes =
- {
- [ACL_FA_ERROR_DROP] = "error-drop",
- }
-};
-
-VNET_FEATURE_INIT (acl_out_ip6_fa_feature, static) =
-{
- .arc_name = "ip6-output",
- .node_name = "acl-plugin-out-ip6-fa",
- .runs_before = VNET_FEATURES ("interface-output"),
-};
-
-VLIB_REGISTER_NODE (acl_out_fa_ip4_node) =
-{
- .function = acl_out_ip4_fa_node_fn,
- .name = "acl-plugin-out-ip4-fa",
- .vector_size = sizeof (u32),
- .format_trace = format_acl_fa_trace,
- .type = VLIB_NODE_TYPE_INTERNAL,
- .n_errors = ARRAY_LEN (acl_fa_error_strings),
- .error_strings = acl_fa_error_strings,
- .n_next_nodes = ACL_FA_N_NEXT,
- /* edit / add dispositions here */
- .next_nodes =
- {
- [ACL_FA_ERROR_DROP] = "error-drop",
- }
-};
-
-VNET_FEATURE_INIT (acl_out_ip4_fa_feature, static) =
-{
- .arc_name = "ip4-output",
- .node_name = "acl-plugin-out-ip4-fa",
- .runs_before = VNET_FEATURES ("interface-output"),
-};
-
-
-/* *INDENT-ON* */
diff --git a/src/plugins/acl/sess_mgmt_node.c b/src/plugins/acl/sess_mgmt_node.c
new file mode 100644
index 00000000000..b4faf554612
--- /dev/null
+++ b/src/plugins/acl/sess_mgmt_node.c
@@ -0,0 +1,806 @@
+/*
+ * Copyright (c) 2016-2018 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <stddef.h>
+#include <netinet/in.h>
+
+#include <vlib/vlib.h>
+#include <vnet/vnet.h>
+#include <vnet/pg/pg.h>
+#include <vppinfra/error.h>
+
+
+#include <acl/acl.h>
+#include <vnet/ip/icmp46_packet.h>
+
+#include <plugins/acl/fa_node.h>
+#include <plugins/acl/acl.h>
+#include <plugins/acl/lookup_context.h>
+#include <plugins/acl/public_inlines.h>
+#include <plugins/acl/session_inlines.h>
+
+// #include <vppinfra/bihash_40_8.h>
+
+
+static u64
+fa_session_get_shortest_timeout (acl_main_t * am)
+{
+ int timeout_type;
+ u64 timeout = ~0LL;
+ for (timeout_type = 0; timeout_type < ACL_N_TIMEOUTS; timeout_type++)
+ {
+ if (timeout > am->session_timeout_sec[timeout_type])
+ {
+ timeout = am->session_timeout_sec[timeout_type];
+ }
+ }
+ return timeout;
+}
+
+static void
+acl_fa_verify_init_sessions (acl_main_t * am)
+{
+ if (!am->fa_sessions_hash_is_initialized)
+ {
+ u16 wk;
+ /* Allocate the per-worker sessions pools */
+ for (wk = 0; wk < vec_len (am->per_worker_data); wk++)
+ {
+ acl_fa_per_worker_data_t *pw = &am->per_worker_data[wk];
+
+ /*
+ * // In lieu of trying to preallocate the pool and its free bitmap, rather use pool_init_fixed
+ * pool_alloc_aligned(pw->fa_sessions_pool, am->fa_conn_table_max_entries, CLIB_CACHE_LINE_BYTES);
+ * clib_bitmap_validate(pool_header(pw->fa_sessions_pool)->free_bitmap, am->fa_conn_table_max_entries);
+ */
+ pool_init_fixed (pw->fa_sessions_pool,
+ am->fa_conn_table_max_entries);
+ }
+
+ /* ... and the interface session hash table */
+ clib_bihash_init_40_8 (&am->fa_sessions_hash,
+ "ACL plugin FA session bihash",
+ am->fa_conn_table_hash_num_buckets,
+ am->fa_conn_table_hash_memory_size);
+ am->fa_sessions_hash_is_initialized = 1;
+ }
+}
+
+
+/*
+ * Get the timeout of the session in a list since its enqueue time.
+ */
+
+static u64
+fa_session_get_list_timeout (acl_main_t * am, fa_session_t * sess)
+{
+ u64 timeout = am->vlib_main->clib_time.clocks_per_second;
+ /*
+ * we have the shortest possible timeout type in all the lists
+ * (see README-multicore for the rationale)
+ */
+ timeout *= fa_session_get_shortest_timeout (am);
+ return timeout;
+}
+
+static u64
+acl_fa_get_list_head_expiry_time (acl_main_t * am,
+ acl_fa_per_worker_data_t * pw, u64 now,
+ u16 thread_index, int timeout_type)
+{
+ fa_session_t *sess =
+ get_session_ptr (am, thread_index, pw->fa_conn_list_head[timeout_type]);
+ /*
+ * We can not check just the index here because inbetween the worker thread might
+ * dequeue the connection from the head just as we are about to check it.
+ */
+ if (!is_valid_session_ptr (am, thread_index, sess))
+ {
+ return ~0LL; // infinity.
+ }
+ else
+ {
+ u64 timeout_time =
+ sess->link_enqueue_time + fa_session_get_list_timeout (am, sess);
+ return timeout_time;
+ }
+}
+
+static int
+acl_fa_conn_time_to_check (acl_main_t * am, acl_fa_per_worker_data_t * pw,
+ u64 now, u16 thread_index, u32 session_index)
+{
+ fa_session_t *sess = get_session_ptr (am, thread_index, session_index);
+ u64 timeout_time =
+ sess->link_enqueue_time + fa_session_get_list_timeout (am, sess);
+ return (timeout_time < now)
+ || (sess->link_enqueue_time <= pw->swipe_end_time);
+}
+
+/*
+ * see if there are sessions ready to be checked,
+ * do the maintenance (requeue or delete), and
+ * return the total number of sessions reclaimed.
+ */
+static int
+acl_fa_check_idle_sessions (acl_main_t * am, u16 thread_index, u64 now)
+{
+ acl_fa_per_worker_data_t *pw = &am->per_worker_data[thread_index];
+ fa_full_session_id_t fsid;
+ fsid.thread_index = thread_index;
+ int total_expired = 0;
+
+ {
+ u8 tt = 0;
+ for (tt = 0; tt < ACL_N_TIMEOUTS; tt++)
+ {
+ while ((vec_len (pw->expired) <
+ am->fa_max_deleted_sessions_per_interval)
+ && (~0 != pw->fa_conn_list_head[tt])
+ &&
+ (acl_fa_conn_time_to_check
+ (am, pw, now, thread_index, pw->fa_conn_list_head[tt])))
+ {
+ fsid.session_index = pw->fa_conn_list_head[tt];
+ elog_acl_maybe_trace_X2 (am,
+ "acl_fa_check_idle_sessions: expire session %d on thread %d",
+ "i4i4", (u32) fsid.session_index,
+ (u32) thread_index);
+ vec_add1 (pw->expired, fsid.session_index);
+ acl_fa_conn_list_delete_session (am, fsid);
+ }
+ }
+ }
+
+ u32 *psid = NULL;
+ vec_foreach (psid, pw->expired)
+ {
+ fsid.session_index = *psid;
+ if (!pool_is_free_index (pw->fa_sessions_pool, fsid.session_index))
+ {
+ fa_session_t *sess =
+ get_session_ptr (am, thread_index, fsid.session_index);
+ u32 sw_if_index = sess->sw_if_index;
+ u64 sess_timeout_time =
+ sess->last_active_time + fa_session_get_timeout (am, sess);
+ if ((now < sess_timeout_time)
+ && (0 ==
+ clib_bitmap_get (pw->pending_clear_sw_if_index_bitmap,
+ sw_if_index)))
+ {
+#ifdef FA_NODE_VERBOSE_DEBUG
+ clib_warning
+ ("ACL_FA_NODE_CLEAN: Restarting timer for session %d, sw_if_index %d",
+ (int) fsid.session_index, sess->sw_if_index);
+#endif
+ /* There was activity on the session, so the idle timeout
+ has not passed. Enqueue for another time period. */
+
+ acl_fa_conn_list_add_session (am, fsid, now);
+ pw->cnt_session_timer_restarted++;
+ }
+ else
+ {
+#ifdef FA_NODE_VERBOSE_DEBUG
+ clib_warning
+ ("ACL_FA_NODE_CLEAN: Deleting session %d, sw_if_index %d",
+ (int) fsid.session_index, sess->sw_if_index);
+#endif
+ acl_fa_delete_session (am, sw_if_index, fsid);
+ pw->cnt_deleted_sessions++;
+ }
+ }
+ else
+ {
+ pw->cnt_already_deleted_sessions++;
+ }
+ }
+ total_expired = vec_len (pw->expired);
+ /* zero out the vector which we have acted on */
+ if (pw->expired)
+ _vec_len (pw->expired) = 0;
+ /* if we were advancing and reached the end
+ * (no more sessions to recycle), reset the fast-forward timestamp */
+
+ if (pw->swipe_end_time && 0 == total_expired)
+ pw->swipe_end_time = 0;
+ return (total_expired);
+}
+
+/*
+ * This process ensures the connection cleanup happens every so often
+ * even in absence of traffic, as well as provides general orchestration
+ * for requests like connection deletion on a given sw_if_index.
+ */
+
+
+/* *INDENT-OFF* */
+#define foreach_acl_fa_cleaner_error \
+_(UNKNOWN_EVENT, "unknown event received") \
+/* end of errors */
+
+typedef enum
+{
+#define _(sym,str) ACL_FA_CLEANER_ERROR_##sym,
+ foreach_acl_fa_cleaner_error
+#undef _
+ ACL_FA_CLEANER_N_ERROR,
+} acl_fa_cleaner_error_t;
+
+static char *acl_fa_cleaner_error_strings[] = {
+#define _(sym,string) string,
+ foreach_acl_fa_cleaner_error
+#undef _
+};
+
+/* *INDENT-ON* */
+
+static vlib_node_registration_t acl_fa_session_cleaner_process_node;
+static vlib_node_registration_t acl_fa_worker_session_cleaner_process_node;
+
+/*
+ * Per-worker thread interrupt-driven cleaner thread
+ * to clean idle connections if there are no packets
+ */
+static uword
+acl_fa_worker_conn_cleaner_process (vlib_main_t * vm,
+ vlib_node_runtime_t * rt,
+ vlib_frame_t * f)
+{
+ acl_main_t *am = &acl_main;
+ u64 now = clib_cpu_time_now ();
+ u16 thread_index = os_get_thread_index ();
+ acl_fa_per_worker_data_t *pw = &am->per_worker_data[thread_index];
+ int num_expired;
+ elog_acl_maybe_trace_X1 (am,
+ "acl_fa_worker_conn_cleaner interrupt: now %lu",
+ "i8", now);
+ /* allow another interrupt to be queued */
+ pw->interrupt_is_pending = 0;
+ if (pw->clear_in_process)
+ {
+ if (0 == pw->swipe_end_time)
+ {
+ /*
+ * Someone has just set the flag to start clearing.
+ * we do this by combing through the connections up to a "time T"
+ * which is now, and requeueing everything except the expired
+ * connections and those matching the interface(s) being cleared.
+ */
+
+ /*
+ * first filter the sw_if_index bitmap that they want from us, by
+ * a bitmap of sw_if_index for which we actually have connections.
+ */
+ if ((pw->pending_clear_sw_if_index_bitmap == 0)
+ || (pw->serviced_sw_if_index_bitmap == 0))
+ {
+ elog_acl_maybe_trace_X1 (am,
+ "acl_fa_worker_conn_cleaner: now %lu, someone tried to call clear but one of the bitmaps are empty",
+ "i8", now);
+ clib_bitmap_zero (pw->pending_clear_sw_if_index_bitmap);
+ }
+ else
+ {
+#ifdef FA_NODE_VERBOSE_DEBUG
+ clib_warning
+ ("WORKER-CLEAR: (before and) swiping sw-if-index bitmap: %U, my serviced bitmap %U",
+ format_bitmap_hex, pw->pending_clear_sw_if_index_bitmap,
+ format_bitmap_hex, pw->serviced_sw_if_index_bitmap);
+#endif
+ pw->pending_clear_sw_if_index_bitmap =
+ clib_bitmap_and (pw->pending_clear_sw_if_index_bitmap,
+ pw->serviced_sw_if_index_bitmap);
+ }
+
+ if (clib_bitmap_is_zero (pw->pending_clear_sw_if_index_bitmap))
+ {
+ /* if the cross-section is a zero vector, no need to do anything. */
+ elog_acl_maybe_trace_X1 (am,
+ "acl_fa_worker_conn_cleaner: now %lu, clearing done, nothing to do",
+ "i8", now);
+ pw->clear_in_process = 0;
+ }
+ else
+ {
+#ifdef FA_NODE_VERBOSE_DEBUG
+ clib_warning
+ ("WORKER-CLEAR: swiping sw-if-index bitmap: %U, my serviced bitmap %U",
+ format_bitmap_hex, pw->pending_clear_sw_if_index_bitmap,
+ format_bitmap_hex, pw->serviced_sw_if_index_bitmap);
+#endif
+ elog_acl_maybe_trace_X1 (am,
+ "acl_fa_worker_conn_cleaner: swiping until %lu",
+ "i8", now);
+ /* swipe through the connection lists until enqueue timestamps become above "now" */
+ pw->swipe_end_time = now;
+ }
+ }
+ }
+ num_expired = acl_fa_check_idle_sessions (am, thread_index, now);
+ // clib_warning("WORKER-CLEAR: checked %d sessions (clear_in_progress: %d)", num_expired, pw->clear_in_process);
+ elog_acl_maybe_trace_X2 (am,
+ "acl_fa_worker_conn_cleaner: checked %d sessions (clear_in_process: %d)",
+ "i4i4", (u32) num_expired,
+ (u32) pw->clear_in_process);
+ if (pw->clear_in_process)
+ {
+ if (0 == num_expired)
+ {
+ /* we were clearing but we could not process any more connections. time to stop. */
+ clib_bitmap_zero (pw->pending_clear_sw_if_index_bitmap);
+ pw->clear_in_process = 0;
+ elog_acl_maybe_trace_X1 (am,
+ "acl_fa_worker_conn_cleaner: now %lu, clearing done - all done",
+ "i8", now);
+ }
+ else
+ {
+ elog_acl_maybe_trace_X1 (am,
+ "acl_fa_worker_conn_cleaner: now %lu, more work to do - requesting interrupt",
+ "i8", now);
+ /* should continue clearing.. So could they please sent an interrupt again? */
+ pw->interrupt_is_needed = 1;
+ }
+ }
+ else
+ {
+ if (num_expired >= am->fa_max_deleted_sessions_per_interval)
+ {
+ /* there was too much work, we should get an interrupt ASAP */
+ pw->interrupt_is_needed = 1;
+ pw->interrupt_is_unwanted = 0;
+ }
+ else if (num_expired <= am->fa_min_deleted_sessions_per_interval)
+ {
+ /* signal that they should trigger us less */
+ pw->interrupt_is_needed = 0;
+ pw->interrupt_is_unwanted = 1;
+ }
+ else
+ {
+ /* the current rate of interrupts is ok */
+ pw->interrupt_is_needed = 0;
+ pw->interrupt_is_unwanted = 0;
+ }
+ elog_acl_maybe_trace_X3 (am,
+ "acl_fa_worker_conn_cleaner: now %lu, interrupt needed: %u, interrupt unwanted: %u",
+ "i8i4i4", now, ((u32) pw->interrupt_is_needed),
+ ((u32) pw->interrupt_is_unwanted));
+ }
+ pw->interrupt_generation = am->fa_interrupt_generation;
+ return 0;
+}
+
+static void
+send_one_worker_interrupt (vlib_main_t * vm, acl_main_t * am,
+ int thread_index)
+{
+ acl_fa_per_worker_data_t *pw = &am->per_worker_data[thread_index];
+ if (!pw->interrupt_is_pending)
+ {
+ pw->interrupt_is_pending = 1;
+ vlib_node_set_interrupt_pending (vlib_mains[thread_index],
+ acl_fa_worker_session_cleaner_process_node.index);
+ elog_acl_maybe_trace_X1 (am,
+ "send_one_worker_interrupt: send interrupt to worker %d",
+ "i4", ((u32) thread_index));
+ /* if the interrupt was requested, mark that done. */
+ /* pw->interrupt_is_needed = 0; */
+ }
+}
+
+static void
+send_interrupts_to_workers (vlib_main_t * vm, acl_main_t * am)
+{
+ int i;
+ /* Can't use vec_len(am->per_worker_data) since the threads might not have come up yet; */
+ int n_threads = vec_len (vlib_mains);
+ for (i = 0; i < n_threads; i++)
+ {
+ send_one_worker_interrupt (vm, am, i);
+ }
+}
+
+/* centralized process to drive per-worker cleaners */
+static uword
+acl_fa_session_cleaner_process (vlib_main_t * vm, vlib_node_runtime_t * rt,
+ vlib_frame_t * f)
+{
+ acl_main_t *am = &acl_main;
+ u64 now;
+ f64 cpu_cps = vm->clib_time.clocks_per_second;
+ u64 next_expire;
+ /* We should check if there are connections to clean up - at least twice a second */
+ u64 max_timer_wait_interval = cpu_cps / 2;
+ uword event_type, *event_data = 0;
+ acl_fa_per_worker_data_t *pw0;
+
+ am->fa_current_cleaner_timer_wait_interval = max_timer_wait_interval;
+ am->fa_cleaner_node_index = acl_fa_session_cleaner_process_node.index;
+ am->fa_interrupt_generation = 1;
+ while (1)
+ {
+ now = clib_cpu_time_now ();
+ next_expire = now + am->fa_current_cleaner_timer_wait_interval;
+ int has_pending_conns = 0;
+ u16 ti;
+ u8 tt;
+
+ /*
+ * walk over all per-thread list heads of different timeouts,
+ * and see if there are any connections pending.
+ * If there aren't - we do not need to wake up until the
+ * worker code signals that it has added a connection.
+ *
+ * Also, while we are at it, calculate the earliest we need to wake up.
+ */
+ for (ti = 0; ti < vec_len (vlib_mains); ti++)
+ {
+ if (ti >= vec_len (am->per_worker_data))
+ {
+ continue;
+ }
+ acl_fa_per_worker_data_t *pw = &am->per_worker_data[ti];
+ for (tt = 0; tt < vec_len (pw->fa_conn_list_head); tt++)
+ {
+ u64 head_expiry =
+ acl_fa_get_list_head_expiry_time (am, pw, now, ti, tt);
+ if ((head_expiry < next_expire) && !pw->interrupt_is_pending)
+ {
+ elog_acl_maybe_trace_X3 (am,
+ "acl_fa_session_cleaner_process: now %lu, worker: %d tt: %d",
+ "i8i2i2", now, ti, tt);
+ elog_acl_maybe_trace_X2 (am,
+ "acl_fa_session_cleaner_process: head expiry: %lu, is earlier than curr next expire: %lu",
+ "i8i8", head_expiry, next_expire);
+ next_expire = head_expiry;
+ }
+ if (~0 != pw->fa_conn_list_head[tt])
+ {
+ has_pending_conns = 1;
+ }
+ }
+ }
+
+ /* If no pending connections and no ACL applied then no point in timing out */
+ if (!has_pending_conns && (0 == am->fa_total_enabled_count))
+ {
+ am->fa_cleaner_cnt_wait_without_timeout++;
+ elog_acl_maybe_trace_X1 (am,
+ "acl_conn_cleaner: now %lu entering wait without timeout",
+ "i8", now);
+ (void) vlib_process_wait_for_event (vm);
+ event_type = vlib_process_get_events (vm, &event_data);
+ }
+ else
+ {
+ f64 timeout = ((i64) next_expire - (i64) now) / cpu_cps;
+ if (timeout <= 0)
+ {
+ /* skip waiting altogether */
+ event_type = ~0;
+ }
+ else
+ {
+ am->fa_cleaner_cnt_wait_with_timeout++;
+ elog_acl_maybe_trace_X2 (am,
+ "acl_conn_cleaner: now %lu entering wait with timeout %.6f sec",
+ "i8f8", now, timeout);
+ (void) vlib_process_wait_for_event_or_clock (vm, timeout);
+ event_type = vlib_process_get_events (vm, &event_data);
+ }
+ }
+
+ switch (event_type)
+ {
+ case ~0:
+ /* nothing to do */
+ break;
+ case ACL_FA_CLEANER_RESCHEDULE:
+ /* Nothing to do. */
+ break;
+ case ACL_FA_CLEANER_DELETE_BY_SW_IF_INDEX:
+ {
+ uword *clear_sw_if_index_bitmap = 0;
+ uword *sw_if_index0;
+ int clear_all = 0;
+ now = clib_cpu_time_now ();
+ elog_acl_maybe_trace_X1 (am,
+ "acl_fa_session_cleaner_process: now %lu, received ACL_FA_CLEANER_DELETE_BY_SW_IF_INDEX",
+ "i8", now);
+ vec_foreach (sw_if_index0, event_data)
+ {
+ am->fa_cleaner_cnt_delete_by_sw_index++;
+ elog_acl_maybe_trace_X1 (am,
+ "acl_fa_session_cleaner_process: ACL_FA_CLEANER_DELETE_BY_SW_IF_INDEX %d",
+ "i4", *sw_if_index0);
+ if (*sw_if_index0 == ~0)
+ {
+ clear_all = 1;
+ }
+ else
+ {
+ if (!pool_is_free_index
+ (am->vnet_main->interface_main.sw_interfaces,
+ *sw_if_index0))
+ {
+ clear_sw_if_index_bitmap =
+ clib_bitmap_set (clear_sw_if_index_bitmap,
+ *sw_if_index0, 1);
+ }
+ }
+ }
+#ifdef FA_NODE_VERBOSE_DEBUG
+ clib_warning ("ACL_FA_CLEANER_DELETE_BY_SW_IF_INDEX bitmap: %U",
+ format_bitmap_hex, clear_sw_if_index_bitmap);
+#endif
+ vec_foreach (pw0, am->per_worker_data)
+ {
+ CLIB_MEMORY_BARRIER ();
+ while (pw0->clear_in_process)
+ {
+ CLIB_MEMORY_BARRIER ();
+ elog_acl_maybe_trace_X1 (am,
+ "ACL_FA_NODE_CLEAN: waiting previous cleaning cycle to finish on %d",
+ "i4",
+ (u32) (pw0 - am->per_worker_data));
+ vlib_process_suspend (vm, 0.0001);
+ if (pw0->interrupt_is_needed)
+ {
+ send_one_worker_interrupt (vm, am,
+ (pw0 - am->per_worker_data));
+ }
+ }
+ if (pw0->clear_in_process)
+ {
+ clib_warning
+ ("ERROR-BUG! Could not initiate cleaning on worker because another cleanup in progress");
+ }
+ else
+ {
+ if (clear_all)
+ {
+ /* if we need to clear all, then just clear the interfaces that we are servicing */
+ pw0->pending_clear_sw_if_index_bitmap =
+ clib_bitmap_dup (pw0->serviced_sw_if_index_bitmap);
+ }
+ else
+ {
+ pw0->pending_clear_sw_if_index_bitmap =
+ clib_bitmap_dup (clear_sw_if_index_bitmap);
+ }
+ pw0->clear_in_process = 1;
+ }
+ }
+ /* send some interrupts so they can start working */
+ send_interrupts_to_workers (vm, am);
+
+ /* now wait till they all complete */
+#ifdef FA_NODE_VERBOSE_DEBUG
+ clib_warning ("CLEANER mains len: %d per-worker len: %d",
+ vec_len (vlib_mains),
+ vec_len (am->per_worker_data));
+#endif
+ vec_foreach (pw0, am->per_worker_data)
+ {
+ CLIB_MEMORY_BARRIER ();
+ while (pw0->clear_in_process)
+ {
+ CLIB_MEMORY_BARRIER ();
+ elog_acl_maybe_trace_X1 (am,
+ "ACL_FA_NODE_CLEAN: waiting for my cleaning cycle to finish on %d",
+ "i4",
+ (u32) (pw0 - am->per_worker_data));
+ vlib_process_suspend (vm, 0.0001);
+ if (pw0->interrupt_is_needed)
+ {
+ send_one_worker_interrupt (vm, am,
+ (pw0 - am->per_worker_data));
+ }
+ }
+ }
+#ifdef FA_NODE_VERBOSE_DEBUG
+ clib_warning ("ACL_FA_NODE_CLEAN: cleaning done");
+#endif
+ clib_bitmap_free (clear_sw_if_index_bitmap);
+ }
+ break;
+ default:
+#ifdef FA_NODE_VERBOSE_DEBUG
+ clib_warning ("ACL plugin connection cleaner: unknown event %u",
+ event_type);
+#endif
+ vlib_node_increment_counter (vm,
+ acl_fa_session_cleaner_process_node.
+ index,
+ ACL_FA_CLEANER_ERROR_UNKNOWN_EVENT, 1);
+ am->fa_cleaner_cnt_unknown_event++;
+ break;
+ }
+
+ send_interrupts_to_workers (vm, am);
+
+ if (event_data)
+ _vec_len (event_data) = 0;
+
+ /*
+ * If the interrupts were not processed yet, ensure we wait a bit,
+ * but up to a point.
+ */
+ int need_more_wait = 0;
+ int max_wait_cycles = 100;
+ do
+ {
+ need_more_wait = 0;
+ vec_foreach (pw0, am->per_worker_data)
+ {
+ if (pw0->interrupt_generation != am->fa_interrupt_generation)
+ {
+ need_more_wait = 1;
+ }
+ }
+ if (need_more_wait)
+ {
+ vlib_process_suspend (vm, 0.0001);
+ }
+ }
+ while (need_more_wait && (--max_wait_cycles > 0));
+
+ int interrupts_needed = 0;
+ int interrupts_unwanted = 0;
+
+ vec_foreach (pw0, am->per_worker_data)
+ {
+ if (pw0->interrupt_is_needed)
+ {
+ interrupts_needed++;
+ /* the per-worker value is reset when sending the interrupt */
+ }
+ if (pw0->interrupt_is_unwanted)
+ {
+ interrupts_unwanted++;
+ pw0->interrupt_is_unwanted = 0;
+ }
+ }
+ if (interrupts_needed)
+ {
+ /* they need more interrupts, do less waiting around next time */
+ am->fa_current_cleaner_timer_wait_interval /= 2;
+ /* never go into zero-wait either though - we need to give the space to others */
+ am->fa_current_cleaner_timer_wait_interval += 1;
+ }
+ else if (interrupts_unwanted)
+ {
+ /* slowly increase the amount of sleep up to a limit */
+ if (am->fa_current_cleaner_timer_wait_interval <
+ max_timer_wait_interval)
+ am->fa_current_cleaner_timer_wait_interval +=
+ cpu_cps * am->fa_cleaner_wait_time_increment;
+ }
+ am->fa_cleaner_cnt_event_cycles++;
+ am->fa_interrupt_generation++;
+ }
+ /* NOT REACHED */
+ return 0;
+}
+
+
+void
+acl_fa_enable_disable (u32 sw_if_index, int is_input, int enable_disable)
+{
+ acl_main_t *am = &acl_main;
+ if (enable_disable)
+ {
+ acl_fa_verify_init_sessions (am);
+ am->fa_total_enabled_count++;
+ void *oldheap = clib_mem_set_heap (am->vlib_main->heap_base);
+ vlib_process_signal_event (am->vlib_main, am->fa_cleaner_node_index,
+ ACL_FA_CLEANER_RESCHEDULE, 0);
+ clib_mem_set_heap (oldheap);
+ }
+ else
+ {
+ am->fa_total_enabled_count--;
+ }
+
+ if (is_input)
+ {
+ ASSERT (clib_bitmap_get (am->fa_in_acl_on_sw_if_index, sw_if_index) !=
+ enable_disable);
+ void *oldheap = clib_mem_set_heap (am->vlib_main->heap_base);
+ vnet_feature_enable_disable ("ip4-unicast", "acl-plugin-in-ip4-fa",
+ sw_if_index, enable_disable, 0, 0);
+ vnet_feature_enable_disable ("ip6-unicast", "acl-plugin-in-ip6-fa",
+ sw_if_index, enable_disable, 0, 0);
+ clib_mem_set_heap (oldheap);
+ am->fa_in_acl_on_sw_if_index =
+ clib_bitmap_set (am->fa_in_acl_on_sw_if_index, sw_if_index,
+ enable_disable);
+ }
+ else
+ {
+ ASSERT (clib_bitmap_get (am->fa_out_acl_on_sw_if_index, sw_if_index) !=
+ enable_disable);
+ void *oldheap = clib_mem_set_heap (am->vlib_main->heap_base);
+ vnet_feature_enable_disable ("ip4-output", "acl-plugin-out-ip4-fa",
+ sw_if_index, enable_disable, 0, 0);
+ vnet_feature_enable_disable ("ip6-output", "acl-plugin-out-ip6-fa",
+ sw_if_index, enable_disable, 0, 0);
+ clib_mem_set_heap (oldheap);
+ am->fa_out_acl_on_sw_if_index =
+ clib_bitmap_set (am->fa_out_acl_on_sw_if_index, sw_if_index,
+ enable_disable);
+ }
+ if ((!enable_disable) && (!acl_fa_ifc_has_in_acl (am, sw_if_index))
+ && (!acl_fa_ifc_has_out_acl (am, sw_if_index)))
+ {
+#ifdef FA_NODE_VERBOSE_DEBUG
+ clib_warning ("ENABLE-DISABLE: clean the connections on interface %d",
+ sw_if_index);
+#endif
+ void *oldheap = clib_mem_set_heap (am->vlib_main->heap_base);
+ vlib_process_signal_event (am->vlib_main, am->fa_cleaner_node_index,
+ ACL_FA_CLEANER_DELETE_BY_SW_IF_INDEX,
+ sw_if_index);
+ clib_mem_set_heap (oldheap);
+ }
+}
+
+void
+show_fa_sessions_hash (vlib_main_t * vm, u32 verbose)
+{
+ acl_main_t *am = &acl_main;
+ if (am->fa_sessions_hash_is_initialized)
+ {
+ vlib_cli_output (vm, "\nSession lookup hash table:\n%U\n\n",
+ format_bihash_40_8, &am->fa_sessions_hash, verbose);
+ }
+ else
+ {
+ vlib_cli_output (vm,
+ "\nSession lookup hash table is not allocated.\n\n");
+ }
+}
+
+
+/* *INDENT-OFF* */
+
+VLIB_REGISTER_NODE (acl_fa_worker_session_cleaner_process_node, static) = {
+ .function = acl_fa_worker_conn_cleaner_process,
+ .name = "acl-plugin-fa-worker-cleaner-process",
+ .type = VLIB_NODE_TYPE_INPUT,
+ .state = VLIB_NODE_STATE_INTERRUPT,
+};
+
+VLIB_REGISTER_NODE (acl_fa_session_cleaner_process_node, static) = {
+ .function = acl_fa_session_cleaner_process,
+ .type = VLIB_NODE_TYPE_PROCESS,
+ .name = "acl-plugin-fa-cleaner-process",
+ .n_errors = ARRAY_LEN (acl_fa_cleaner_error_strings),
+ .error_strings = acl_fa_cleaner_error_strings,
+ .n_next_nodes = 0,
+ .next_nodes = {},
+};
+
+
+/* *INDENT-ON* */
+
+/*
+ * fd.io coding-style-patch-verification: ON
+ *
+ * Local Variables:
+ * eval: (c-set-style "gnu")
+ * End:
+ */
diff --git a/src/plugins/acl/session_inlines.h b/src/plugins/acl/session_inlines.h
new file mode 100644
index 00000000000..e75582b647b
--- /dev/null
+++ b/src/plugins/acl/session_inlines.h
@@ -0,0 +1,426 @@
+/*
+ * Copyright (c) 2016 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+/* ICMPv4 invert type for stateful ACL */
+static const u8 icmp4_invmap[] = {
+ [ICMP4_echo_reply] = ICMP4_echo_request + 1,
+ [ICMP4_timestamp_reply] = ICMP4_timestamp_request + 1,
+ [ICMP4_information_reply] = ICMP4_information_request + 1,
+ [ICMP4_address_mask_reply] = ICMP4_address_mask_request + 1
+};
+
+/* Supported ICMPv4 messages for session creation */
+static const u8 icmp4_valid_new[] = {
+ [ICMP4_echo_request] = 1,
+ [ICMP4_timestamp_request] = 1,
+ [ICMP4_information_request] = 1,
+ [ICMP4_address_mask_request] = 1
+};
+
+/* ICMPv6 invert type for stateful ACL */
+static const u8 icmp6_invmap[] = {
+ [ICMP6_echo_reply - 128] = ICMP6_echo_request + 1,
+ [ICMP6_node_information_response - 128] = ICMP6_node_information_request + 1
+};
+
+/* Supported ICMPv6 messages for session creation */
+static const u8 icmp6_valid_new[] = {
+ [ICMP6_echo_request - 128] = 1,
+ [ICMP6_node_information_request - 128] = 1
+};
+
+/* IP4 and IP6 protocol numbers of ICMP */
+static u8 icmp_protos[] = { IP_PROTOCOL_ICMP, IP_PROTOCOL_ICMP6 };
+
+
+
+always_inline int
+acl_fa_ifc_has_sessions (acl_main_t * am, int sw_if_index0)
+{
+ return am->fa_sessions_hash_is_initialized;
+}
+
+always_inline int
+acl_fa_ifc_has_in_acl (acl_main_t * am, int sw_if_index0)
+{
+ int it_has = clib_bitmap_get (am->fa_in_acl_on_sw_if_index, sw_if_index0);
+ return it_has;
+}
+
+always_inline int
+acl_fa_ifc_has_out_acl (acl_main_t * am, int sw_if_index0)
+{
+ int it_has = clib_bitmap_get (am->fa_out_acl_on_sw_if_index, sw_if_index0);
+ return it_has;
+}
+
+/* Session keys match the packets received, and mirror the packets sent */
+always_inline u32
+acl_make_5tuple_session_key (acl_main_t * am, int is_input, int is_ip6,
+ u32 sw_if_index, fa_5tuple_t * p5tuple_pkt,
+ fa_5tuple_t * p5tuple_sess)
+{
+ int src_index = is_input ? 0 : 1;
+ int dst_index = is_input ? 1 : 0;
+ u32 valid_new_sess = 1;
+ p5tuple_sess->addr[src_index] = p5tuple_pkt->addr[0];
+ p5tuple_sess->addr[dst_index] = p5tuple_pkt->addr[1];
+ p5tuple_sess->l4.as_u64 = p5tuple_pkt->l4.as_u64;
+
+ if (PREDICT_TRUE (p5tuple_pkt->l4.proto != icmp_protos[is_ip6]))
+ {
+ p5tuple_sess->l4.port[src_index] = p5tuple_pkt->l4.port[0];
+ p5tuple_sess->l4.port[dst_index] = p5tuple_pkt->l4.port[1];
+ }
+ else
+ {
+ static const u8 *icmp_invmap[] = { icmp4_invmap, icmp6_invmap };
+ static const u8 *icmp_valid_new[] =
+ { icmp4_valid_new, icmp6_valid_new };
+ static const u8 icmp_invmap_size[] = { sizeof (icmp4_invmap),
+ sizeof (icmp6_invmap)
+ };
+ static const u8 icmp_valid_new_size[] = { sizeof (icmp4_valid_new),
+ sizeof (icmp6_valid_new)
+ };
+ int type =
+ is_ip6 ? p5tuple_pkt->l4.port[0] - 128 : p5tuple_pkt->l4.port[0];
+
+ p5tuple_sess->l4.port[0] = p5tuple_pkt->l4.port[0];
+ p5tuple_sess->l4.port[1] = p5tuple_pkt->l4.port[1];
+
+ /*
+ * Invert ICMP type for valid icmp_invmap messages:
+ * 1) input node with outbound ACL interface
+ * 2) output node with inbound ACL interface
+ *
+ */
+ if ((is_input && acl_fa_ifc_has_out_acl (am, sw_if_index)) ||
+ (!is_input && acl_fa_ifc_has_in_acl (am, sw_if_index)))
+ {
+ if (type >= 0 &&
+ type <= icmp_invmap_size[is_ip6] && icmp_invmap[is_ip6][type])
+ {
+ p5tuple_sess->l4.port[0] = icmp_invmap[is_ip6][type] - 1;
+ }
+ }
+
+ /*
+ * ONLY ICMP messages defined in icmp4_valid_new/icmp6_valid_new table
+ * are allowed to create stateful ACL.
+ * The other messages will be forwarded without creating a reflexive ACL.
+ */
+ if (type < 0 ||
+ type > icmp_valid_new_size[is_ip6] || !icmp_valid_new[is_ip6][type])
+ {
+ valid_new_sess = 0;
+ }
+ }
+
+ return valid_new_sess;
+}
+
+always_inline int
+fa_session_get_timeout_type (acl_main_t * am, fa_session_t * sess)
+{
+ /* seen both SYNs and ACKs but not FINs means we are in establshed state */
+ u16 masked_flags =
+ sess->tcp_flags_seen.as_u16 & ((TCP_FLAGS_RSTFINACKSYN << 8) +
+ TCP_FLAGS_RSTFINACKSYN);
+ switch (sess->info.l4.proto)
+ {
+ case IPPROTO_TCP:
+ if (((TCP_FLAGS_ACKSYN << 8) + TCP_FLAGS_ACKSYN) == masked_flags)
+ {
+ return ACL_TIMEOUT_TCP_IDLE;
+ }
+ else
+ {
+ return ACL_TIMEOUT_TCP_TRANSIENT;
+ }
+ break;
+ case IPPROTO_UDP:
+ return ACL_TIMEOUT_UDP_IDLE;
+ break;
+ default:
+ return ACL_TIMEOUT_UDP_IDLE;
+ }
+}
+
+/*
+ * Get the idle timeout of a session.
+ */
+
+always_inline u64
+fa_session_get_timeout (acl_main_t * am, fa_session_t * sess)
+{
+ u64 timeout = am->vlib_main->clib_time.clocks_per_second;
+ int timeout_type = fa_session_get_timeout_type (am, sess);
+ timeout *= am->session_timeout_sec[timeout_type];
+ return timeout;
+}
+
+
+
+always_inline fa_session_t *
+get_session_ptr (acl_main_t * am, u16 thread_index, u32 session_index)
+{
+ acl_fa_per_worker_data_t *pw = &am->per_worker_data[thread_index];
+ fa_session_t *sess = pool_is_free_index (pw->fa_sessions_pool,
+ session_index) ? 0 :
+ pool_elt_at_index (pw->fa_sessions_pool,
+ session_index);
+ return sess;
+}
+
+always_inline int
+is_valid_session_ptr (acl_main_t * am, u16 thread_index, fa_session_t * sess)
+{
+ acl_fa_per_worker_data_t *pw = &am->per_worker_data[thread_index];
+ return ((sess != 0)
+ && ((sess - pw->fa_sessions_pool) <
+ pool_len (pw->fa_sessions_pool)));
+}
+
+always_inline void
+acl_fa_conn_list_add_session (acl_main_t * am, fa_full_session_id_t sess_id,
+ u64 now)
+{
+ fa_session_t *sess =
+ get_session_ptr (am, sess_id.thread_index, sess_id.session_index);
+ u8 list_id = fa_session_get_timeout_type (am, sess);
+ uword thread_index = os_get_thread_index ();
+ acl_fa_per_worker_data_t *pw = &am->per_worker_data[thread_index];
+ /* the retrieved session thread index must be necessarily the same as the one in the key */
+ ASSERT (sess->thread_index == sess_id.thread_index);
+ /* the retrieved session thread index must be the same as current thread */
+ ASSERT (sess->thread_index == thread_index);
+ sess->link_enqueue_time = now;
+ sess->link_list_id = list_id;
+ sess->link_next_idx = ~0;
+ sess->link_prev_idx = pw->fa_conn_list_tail[list_id];
+ if (~0 != pw->fa_conn_list_tail[list_id])
+ {
+ fa_session_t *prev_sess =
+ get_session_ptr (am, thread_index, pw->fa_conn_list_tail[list_id]);
+ prev_sess->link_next_idx = sess_id.session_index;
+ /* We should never try to link with a session on another thread */
+ ASSERT (prev_sess->thread_index == sess->thread_index);
+ }
+ pw->fa_conn_list_tail[list_id] = sess_id.session_index;
+
+#ifdef FA_NODE_VERBOSE_DEBUG
+ clib_warning
+ ("FA-SESSION-DEBUG: add session id %d on thread %d sw_if_index %d",
+ sess_id.session_index, thread_index, sess->sw_if_index);
+#endif
+ pw->serviced_sw_if_index_bitmap =
+ clib_bitmap_set (pw->serviced_sw_if_index_bitmap, sess->sw_if_index, 1);
+
+ if (~0 == pw->fa_conn_list_head[list_id])
+ {
+ pw->fa_conn_list_head[list_id] = sess_id.session_index;
+ }
+}
+
+static int
+acl_fa_conn_list_delete_session (acl_main_t * am,
+ fa_full_session_id_t sess_id)
+{
+ uword thread_index = os_get_thread_index ();
+ acl_fa_per_worker_data_t *pw = &am->per_worker_data[thread_index];
+ if (thread_index != sess_id.thread_index)
+ {
+ /* If another thread attempts to delete the session, fail it. */
+#ifdef FA_NODE_VERBOSE_DEBUG
+ clib_warning ("thread id in key %d != curr thread index, not deleting");
+#endif
+ return 0;
+ }
+ fa_session_t *sess =
+ get_session_ptr (am, sess_id.thread_index, sess_id.session_index);
+ /* we should never try to delete the session with another thread index */
+ ASSERT (sess->thread_index == thread_index);
+ if (~0 != sess->link_prev_idx)
+ {
+ fa_session_t *prev_sess =
+ get_session_ptr (am, thread_index, sess->link_prev_idx);
+ /* the previous session must be in the same list as this one */
+ ASSERT (prev_sess->link_list_id == sess->link_list_id);
+ prev_sess->link_next_idx = sess->link_next_idx;
+ }
+ if (~0 != sess->link_next_idx)
+ {
+ fa_session_t *next_sess =
+ get_session_ptr (am, thread_index, sess->link_next_idx);
+ /* The next session must be in the same list as the one we are deleting */
+ ASSERT (next_sess->link_list_id == sess->link_list_id);
+ next_sess->link_prev_idx = sess->link_prev_idx;
+ }
+ if (pw->fa_conn_list_head[sess->link_list_id] == sess_id.session_index)
+ {
+ pw->fa_conn_list_head[sess->link_list_id] = sess->link_next_idx;
+ }
+ if (pw->fa_conn_list_tail[sess->link_list_id] == sess_id.session_index)
+ {
+ pw->fa_conn_list_tail[sess->link_list_id] = sess->link_prev_idx;
+ }
+ return 1;
+}
+
+always_inline int
+acl_fa_restart_timer_for_session (acl_main_t * am, u64 now,
+ fa_full_session_id_t sess_id)
+{
+ if (acl_fa_conn_list_delete_session (am, sess_id))
+ {
+ acl_fa_conn_list_add_session (am, sess_id, now);
+ return 1;
+ }
+ else
+ {
+ /*
+ * Our thread does not own this connection, so we can not delete
+ * The session. To avoid the complicated signaling, we simply
+ * pick the list waiting time to be the shortest of the timeouts.
+ * This way we do not have to do anything special, and let
+ * the regular requeue check take care of everything.
+ */
+ return 0;
+ }
+}
+
+
+always_inline u8
+acl_fa_track_session (acl_main_t * am, int is_input, u32 sw_if_index, u64 now,
+ fa_session_t * sess, fa_5tuple_t * pkt_5tuple)
+{
+ sess->last_active_time = now;
+ if (pkt_5tuple->pkt.tcp_flags_valid)
+ {
+ sess->tcp_flags_seen.as_u8[is_input] |= pkt_5tuple->pkt.tcp_flags;
+ }
+ return 3;
+}
+
+
+always_inline void
+acl_fa_delete_session (acl_main_t * am, u32 sw_if_index,
+ fa_full_session_id_t sess_id)
+{
+ void *oldheap = clib_mem_set_heap (am->acl_mheap);
+ fa_session_t *sess =
+ get_session_ptr (am, sess_id.thread_index, sess_id.session_index);
+ ASSERT (sess->thread_index == os_get_thread_index ());
+ clib_bihash_add_del_40_8 (&am->fa_sessions_hash, &sess->info.kv, 0);
+ acl_fa_per_worker_data_t *pw = &am->per_worker_data[sess_id.thread_index];
+ pool_put_index (pw->fa_sessions_pool, sess_id.session_index);
+ /* Deleting from timer structures not needed,
+ as the caller must have dealt with the timers. */
+ vec_validate (pw->fa_session_dels_by_sw_if_index, sw_if_index);
+ clib_mem_set_heap (oldheap);
+ pw->fa_session_dels_by_sw_if_index[sw_if_index]++;
+ clib_smp_atomic_add (&am->fa_session_total_dels, 1);
+}
+
+always_inline int
+acl_fa_can_add_session (acl_main_t * am, int is_input, u32 sw_if_index)
+{
+ u64 curr_sess_count;
+ curr_sess_count = am->fa_session_total_adds - am->fa_session_total_dels;
+ return (curr_sess_count < am->fa_conn_table_max_entries);
+}
+
+
+always_inline void
+acl_fa_try_recycle_session (acl_main_t * am, int is_input, u16 thread_index,
+ u32 sw_if_index)
+{
+ /* try to recycle a TCP transient session */
+ acl_fa_per_worker_data_t *pw = &am->per_worker_data[thread_index];
+ u8 timeout_type = ACL_TIMEOUT_TCP_TRANSIENT;
+ fa_full_session_id_t sess_id;
+ sess_id.session_index = pw->fa_conn_list_head[timeout_type];
+ if (~0 != sess_id.session_index)
+ {
+ sess_id.thread_index = thread_index;
+ acl_fa_conn_list_delete_session (am, sess_id);
+ acl_fa_delete_session (am, sw_if_index, sess_id);
+ }
+}
+
+always_inline fa_session_t *
+acl_fa_add_session (acl_main_t * am, int is_input, u32 sw_if_index, u64 now,
+ fa_5tuple_t * p5tuple, u16 current_policy_epoch)
+{
+ clib_bihash_kv_40_8_t *pkv = &p5tuple->kv;
+ clib_bihash_kv_40_8_t kv;
+ fa_full_session_id_t f_sess_id;
+ uword thread_index = os_get_thread_index ();
+ void *oldheap = clib_mem_set_heap (am->acl_mheap);
+ acl_fa_per_worker_data_t *pw = &am->per_worker_data[thread_index];
+
+ f_sess_id.thread_index = thread_index;
+ fa_session_t *sess;
+
+ pool_get_aligned (pw->fa_sessions_pool, sess, CLIB_CACHE_LINE_BYTES);
+ f_sess_id.session_index = sess - pw->fa_sessions_pool;
+ f_sess_id.intf_policy_epoch = current_policy_epoch;
+
+ kv.key[0] = pkv->key[0];
+ kv.key[1] = pkv->key[1];
+ kv.key[2] = pkv->key[2];
+ kv.key[3] = pkv->key[3];
+ kv.key[4] = pkv->key[4];
+ kv.value = f_sess_id.as_u64;
+
+ memcpy (sess, pkv, sizeof (pkv->key));
+ sess->last_active_time = now;
+ sess->sw_if_index = sw_if_index;
+ sess->tcp_flags_seen.as_u16 = 0;
+ sess->thread_index = thread_index;
+ sess->link_list_id = ~0;
+ sess->link_prev_idx = ~0;
+ sess->link_next_idx = ~0;
+
+
+
+ ASSERT (am->fa_sessions_hash_is_initialized == 1);
+ clib_bihash_add_del_40_8 (&am->fa_sessions_hash, &kv, 1);
+ acl_fa_conn_list_add_session (am, f_sess_id, now);
+
+ vec_validate (pw->fa_session_adds_by_sw_if_index, sw_if_index);
+ clib_mem_set_heap (oldheap);
+ pw->fa_session_adds_by_sw_if_index[sw_if_index]++;
+ clib_smp_atomic_add (&am->fa_session_total_adds, 1);
+ return sess;
+}
+
+always_inline int
+acl_fa_find_session (acl_main_t * am, u32 sw_if_index0, fa_5tuple_t * p5tuple,
+ clib_bihash_kv_40_8_t * pvalue_sess)
+{
+ return (clib_bihash_search_40_8
+ (&am->fa_sessions_hash, &p5tuple->kv, pvalue_sess) == 0);
+}
+
+/*
+ * fd.io coding-style-patch-verification: ON
+ *
+ * Local Variables:
+ * eval: (c-set-style "gnu")
+ * End:
+ */