Diffstat (limited to 'src/plugins/gbp')
-rw-r--r--src/plugins/gbp/gbp_policy_dpo.c70
-rw-r--r--src/plugins/gbp/gbp_policy_node.c72
2 files changed, 126 insertions, 16 deletions
diff --git a/src/plugins/gbp/gbp_policy_dpo.c b/src/plugins/gbp/gbp_policy_dpo.c
index c3a51a46236..a6194df6836 100644
--- a/src/plugins/gbp/gbp_policy_dpo.c
+++ b/src/plugins/gbp/gbp_policy_dpo.c
@@ -217,12 +217,26 @@ gbp_policy_dpo_module_init (vlib_main_t * vm)
VLIB_INIT_FUNCTION (gbp_policy_dpo_module_init);
#endif /* CLIB_MARCH_VARIANT */
+typedef enum
+{
+#define _(sym,str) GBP_POLICY_DPO_ERROR_##sym,
+ foreach_gbp_policy_error
+#undef _
+ GBP_POLICY_N_ERROR,
+} gbp_policy_dpo_error_t;
+
+static char *gbp_policy_dpo_error_strings[] = {
+#define _(sym,string) string,
+ foreach_gbp_policy_error
+#undef _
+};
+
typedef struct gbp_policy_dpo_trace_t_
{
u32 sclass;
u32 dclass;
u32 acl_index;
- u32 a_bit;
+ u32 flags;
u32 action;
} gbp_policy_dpo_trace_t;
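Review bot: The terminator of the new enum, `GBP_POLICY_N_ERROR`, does not carry the `GBP_POLICY_DPO_` prefix that its members get from the `_` macro, and gbp_policy_node.c ends its own error enum with the same name. The two enums sit in separate files today, but the names would collide if either were moved into a shared header; `GBP_POLICY_DPO_N_ERROR,` would keep the set consistent. The node registrations later in this file size the table with `ARRAY_LEN`, so nothing visible depends on the current name.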
@@ -255,11 +269,14 @@ gbp_policy_dpo_inline (vlib_main_t * vm,
vlib_frame_t * from_frame, u8 is_ip6)
{
gbp_main_t *gm = &gbp_main;
- u32 n_left_from, next_index, *from, *to_next;
+ u32 n_left_from, next_index, *from, *to_next, thread_index;
+ u32 n_allow_intra, n_allow_a_bit;
gbp_rule_t *gu;
from = vlib_frame_vector_args (from_frame);
n_left_from = from_frame->n_vectors;
+ n_allow_intra = n_allow_a_bit = 0;
+ thread_index = vm->thread_index;
next_index = node->cached_next_index;
@@ -307,6 +324,7 @@ gbp_policy_dpo_inline (vlib_main_t * vm,
{
next0 = gpd0->gpd_dpo.dpoi_next_node;
key0.as_u32 = ~0;
+ n_allow_a_bit++;
goto trace;
}
@@ -322,6 +340,7 @@ gbp_policy_dpo_inline (vlib_main_t * vm,
*/
next0 = gpd0->gpd_dpo.dpoi_next_node;
vnet_buffer2 (b0)->gbp.flags |= VXLAN_GBP_GPFLAGS_A;
+ n_allow_intra++;
action0 = 0;
}
else
@@ -365,13 +384,35 @@ gbp_policy_dpo_inline (vlib_main_t * vm,
next0 = gpd0->gpd_dpo.dpoi_next_node;
break;
case GBP_RULE_DENY:
- next0 = 0;
+ next0 = GBP_POLICY_DROP;
break;
case GBP_RULE_REDIRECT:
next0 = gbp_rule_l3_redirect (gu, b0, is_ip6);
break;
}
}
+ if (next0 == GBP_POLICY_DROP)
+ {
+ vlib_increment_combined_counter
+ (&gbp_contract_drop_counters,
+ thread_index,
+ gci0, 1, vlib_buffer_length_in_chain (vm, b0));
+ b0->error =
+ node->errors[GBP_POLICY_DPO_ERROR_DROP_CONTRACT];
+ }
+ else
+ {
+ vlib_increment_combined_counter
+ (&gbp_contract_permit_counters,
+ thread_index,
+ gci0, 1, vlib_buffer_length_in_chain (vm, b0));
+ }
+
+ }
+ else
+ {
+ b0->error =
+ node->errors[GBP_POLICY_DPO_ERROR_DROP_NO_CONTRACT];
}
}
}
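Review bot: The drop/permit accounting tests `next0 == GBP_POLICY_DROP` rather than the matched rule's action, so a packet whose REDIRECT case ends on the drop next would be reported as `DROP_CONTRACT` and charged to the contract's drop counter. Whether `gbp_rule_l3_redirect` can return the drop index is not visible here, so this may be intended. If it is, a comment above the test such as `/* a redirect that resolves to drop is accounted as a contract drop */` would stop someone reading these counters during a policy investigation from assuming a DENY rule fired. The same pattern appears in gbp_policy_node.c at `if (next0 == GBP_POLICY_NEXT_DROP)`. The enclosing loop body starts and ends outside this hunk.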
@@ -392,7 +433,7 @@ gbp_policy_dpo_inline (vlib_main_t * vm,
tr->sclass = key0.gck_src;
tr->dclass = key0.gck_dst;
tr->acl_index = (gc0 ? gc0->gc_acl_index : ~0);
- tr->a_bit = vnet_buffer2 (b0)->gbp.flags & VXLAN_GBP_GPFLAGS_A;
+ tr->flags = vnet_buffer2 (b0)->gbp.flags;
tr->action = action0;
}
@@ -401,6 +442,14 @@ gbp_policy_dpo_inline (vlib_main_t * vm,
}
vlib_put_next_frame (vm, node, next_index, n_left_to_next);
}
+
+ vlib_node_increment_counter (vm, node->node_index,
+ GBP_POLICY_DPO_ERROR_ALLOW_INTRA,
+ n_allow_intra);
+ vlib_node_increment_counter (vm, node->node_index,
+ GBP_POLICY_DPO_ERROR_ALLOW_A_BIT,
+ n_allow_a_bit);
+
return from_frame->n_vectors;
}
@@ -411,8 +460,9 @@ format_gbp_policy_dpo_trace (u8 * s, va_list * args)
CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
gbp_policy_dpo_trace_t *t = va_arg (*args, gbp_policy_dpo_trace_t *);
- s = format (s, " sclass:%d dclass:%d acl-index:%d a-bit:%d action:%d",
- t->sclass, t->dclass, t->acl_index, t->a_bit, t->action);
+ s = format (s, " sclass:%d dclass:%d acl-index:%d flags:%U action:%d",
+ t->sclass, t->dclass, t->acl_index,
+ format_vxlan_gbp_header_gpflags, t->flags, t->action);
return s;
}
@@ -436,6 +486,10 @@ VLIB_REGISTER_NODE (ip4_gbp_policy_dpo_node) = {
.name = "ip4-gbp-policy-dpo",
.vector_size = sizeof (u32),
.format_trace = format_gbp_policy_dpo_trace,
+
+ .n_errors = ARRAY_LEN(gbp_policy_dpo_error_strings),
+ .error_strings = gbp_policy_dpo_error_strings,
+
.n_next_nodes = GBP_POLICY_N_NEXT,
.next_nodes =
{
@@ -446,6 +500,10 @@ VLIB_REGISTER_NODE (ip6_gbp_policy_dpo_node) = {
.name = "ip6-gbp-policy-dpo",
.vector_size = sizeof (u32),
.format_trace = format_gbp_policy_dpo_trace,
+
+ .n_errors = ARRAY_LEN(gbp_policy_dpo_error_strings),
+ .error_strings = gbp_policy_dpo_error_strings,
+
.n_next_nodes = GBP_POLICY_N_NEXT,
.next_nodes =
{
diff --git a/src/plugins/gbp/gbp_policy_node.c b/src/plugins/gbp/gbp_policy_node.c
index 1f2ac4310e0..8fe1d7f6c0f 100644
--- a/src/plugins/gbp/gbp_policy_node.c
+++ b/src/plugins/gbp/gbp_policy_node.c
@@ -25,15 +25,15 @@
typedef enum
{
-#define _(sym,str) GBP_ERROR_##sym,
- foreach_gbp_policy
+#define _(sym,str) GBP_POLICY_ERROR_##sym,
+ foreach_gbp_policy_error
#undef _
GBP_POLICY_N_ERROR,
} gbp_policy_error_t;
static char *gbp_policy_error_strings[] = {
#define _(sym,string) string,
- foreach_gbp_policy
+ foreach_gbp_policy_error
#undef _
};
@@ -115,11 +115,14 @@ gbp_policy_inline (vlib_main_t * vm,
gbp_main_t *gm = &gbp_main;
gbp_policy_main_t *gpm = &gbp_policy_main;
u32 n_left_from, *from, *to_next;
- u32 next_index;
+ u32 next_index, thread_index;
+ u32 n_allow_intra, n_allow_a_bit;
next_index = 0;
n_left_from = frame->n_vectors;
from = vlib_frame_vector_args (frame);
+ thread_index = vm->thread_index;
+ n_allow_intra = n_allow_a_bit = 0;
while (n_left_from > 0)
{
@@ -172,6 +175,7 @@ gbp_policy_inline (vlib_main_t * vm,
(is_port_based ?
L2OUTPUT_FEAT_GBP_POLICY_PORT :
L2OUTPUT_FEAT_GBP_POLICY_MAC));
+ n_allow_a_bit++;
key0.as_u32 = ~0;
goto trace;
}
@@ -188,9 +192,11 @@ gbp_policy_inline (vlib_main_t * vm,
if (NULL != ge0)
key0.gck_dst = ge0->ge_fwd.gef_sclass;
else
- /* If you cannot determine the destination EP then drop */
- goto trace;
-
+ {
+ /* If you cannot determine the destination EP then drop */
+ b0->error = node->errors[GBP_POLICY_ERROR_DROP_NO_DCLASS];
+ goto trace;
+ }
key0.gck_src = vnet_buffer2 (b0)->gbp.sclass;
if (SCLASS_INVALID != key0.gck_src)
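Review bot: As far as this hunk shows, the new `DROP_NO_DCLASS` branch jumps to `trace` without giving `key0` a value, whereas the A-bit path earlier in this function sets `key0.as_u32 = ~0;` before its `goto trace`. If the trace block reads `key0` (both it and the declaration of `key0` are outside this hunk), the trace record for these drops would show whatever was left in the key. Adding `key0.as_u32 = ~0;` before the `goto` would make the record unambiguous. The branch also relies on `next0` already holding the drop index, which is assigned outside the hunk.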
@@ -208,6 +214,7 @@ gbp_policy_inline (vlib_main_t * vm,
L2OUTPUT_FEAT_GBP_POLICY_PORT :
L2OUTPUT_FEAT_GBP_POLICY_MAC));
vnet_buffer2 (b0)->gbp.flags |= VXLAN_GBP_GPFLAGS_A;
+ n_allow_intra++;
}
else
{
@@ -223,6 +230,11 @@ gbp_policy_inline (vlib_main_t * vm,
u16 ether_type0;
const u8 *h0;
+ vlib_prefetch_combined_counter
+ (&gbp_contract_drop_counters, thread_index, gci0);
+ vlib_prefetch_combined_counter
+ (&gbp_contract_permit_counters, thread_index, gci0);
+
action0 = 0;
gc0 = gbp_contract_get (gci0);
l2_len0 = vnet_buffer (b0)->l2.l2_len;
@@ -235,6 +247,14 @@ gbp_policy_inline (vlib_main_t * vm,
/*
* black list model so drop
*/
+ b0->error =
+ node->errors[GBP_POLICY_ERROR_DROP_ETHER_TYPE];
+
+ vlib_increment_combined_counter
+ (&gbp_contract_drop_counters,
+ thread_index,
+ gci0, 1, vlib_buffer_length_in_chain (vm, b0));
+
goto trace;
}
@@ -286,7 +306,7 @@ gbp_policy_inline (vlib_main_t * vm,
L2OUTPUT_FEAT_GBP_POLICY_MAC));
break;
case GBP_RULE_DENY:
- next0 = 0;
+ next0 = GBP_POLICY_NEXT_DROP;
break;
case GBP_RULE_REDIRECT:
next0 = gbp_rule_l2_redirect (gu, b0);
@@ -294,6 +314,27 @@ gbp_policy_inline (vlib_main_t * vm,
}
}
}
+ if (next0 == GBP_POLICY_NEXT_DROP)
+ {
+ vlib_increment_combined_counter
+ (&gbp_contract_drop_counters,
+ thread_index,
+ gci0, 1, vlib_buffer_length_in_chain (vm, b0));
+ b0->error =
+ node->errors[GBP_POLICY_ERROR_DROP_CONTRACT];
+ }
+ else
+ {
+ vlib_increment_combined_counter
+ (&gbp_contract_permit_counters,
+ thread_index,
+ gci0, 1, vlib_buffer_length_in_chain (vm, b0));
+ }
+ }
+ else
+ {
+ b0->error =
+ node->errors[GBP_POLICY_ERROR_DROP_NO_CONTRACT];
}
}
}
@@ -332,6 +373,11 @@ gbp_policy_inline (vlib_main_t * vm,
vlib_put_next_frame (vm, node, next_index, n_left_to_next);
}
+ vlib_node_increment_counter (vm, node->node_index,
+ GBP_POLICY_ERROR_ALLOW_INTRA, n_allow_intra);
+ vlib_node_increment_counter (vm, node->node_index,
+ GBP_POLICY_ERROR_ALLOW_A_BIT, n_allow_a_bit);
+
return frame->n_vectors;
}
@@ -376,7 +422,6 @@ VLIB_REGISTER_NODE (gbp_policy_port_node) = {
.error_strings = gbp_policy_error_strings,
.n_next_nodes = GBP_POLICY_N_NEXT,
-
.next_nodes = {
[GBP_POLICY_NEXT_DROP] = "error-drop",
},
@@ -387,7 +432,14 @@ VLIB_REGISTER_NODE (gbp_policy_mac_node) = {
.vector_size = sizeof (u32),
.format_trace = format_gbp_policy_trace,
.type = VLIB_NODE_TYPE_INTERNAL,
- .sibling_of = "gbp-policy-port",
+
+ .n_errors = ARRAY_LEN(gbp_policy_error_strings),
+ .error_strings = gbp_policy_error_strings,
+
+ .n_next_nodes = GBP_POLICY_N_NEXT,
+ .next_nodes = {
+ [GBP_POLICY_NEXT_DROP] = "error-drop",
+ },
};
/* *INDENT-ON* */
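Review bot: Dropping `.sibling_of = "gbp-policy-port"` leaves gbp-policy-mac with its own copy of the error table and next-node list, and nothing in the visible lines ties the two registrations together any more. Both registrations index `next_nodes` with the same `GBP_POLICY_NEXT_*` values, so a next node added to one and not the other would only surface at run time. A short comment on each registration, e.g. `/* keep next_nodes in step with gbp-policy-port */`, would document that. The reason for removing the sibling relationship is not stated here and is worth recording next to the change. The registration starts outside this hunk.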