Age | Commit message (Collapse) | Author | Files | Lines |
|
Adding acl with incorrect arguments like 1.1.1.1/24 (instead of 1.1.1.0/24)
don't cause a disaster, but doesn't match either, as some might expect.
Add an explicit sanity check which returns an error.
Type: fix
Change-Id: Id1601f4b9c9887d3e7e70aac419d1f1de0c0e012
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
The stats-segment validation/clear logic for acl counters was wrong,
fix it. Also add the code to the unittests to cover that case,
add a vat command to enable/disable counters, clean up
the unnecessary endian conversion and remove the stray clib_warning()
Change-Id: I421297a92e4aeb885c468c72a97cec25981df615
Type: fix
Ticket: VPP-1744
Fixes: f995c7122ba0d024b17bc3232e8edd18d5e25088
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
(cherry picked from commit 4c945dacb9ff9da731301feb26b1edb4ac00e8bd)
|
|
implement per-acl-number counters in the stats segment.
They are created during the ACL creation,
the counters are incremented in the dataplane using
the new inline function with the extra parameter being
the packet size. Counting in shared segment adds
a noticeable overhead, so add also an API to
turn the counters on.
Type: feature
Change-Id: I8af7b0c31a3d986b68089eb52452aed45df66c7b
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Some users tend to call registration routine long before they need
that service - which triggers an immediate initialization of
the ACL heap, which is rather big. This commit defers this process
by keeping the registrations in the global heap.
Change-Id: I5825871bd836851942b55184b6ee2657c7a9cc33
Type: fix
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
- Make plugin descriptions more consistent
so the output of "show plugin" can be
used in the wiki.
Change-Id: I4c6feb11e7dcc5a4cf0848eed37f1d3b035c7dda
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
|
|
Some API action handlers called vl_msg_ai_send_shmem()
directly. That breaks Unix domain socket API transport.
A couple (bond / vhost) also tried to send a sw_interface_event
directly, but did not send the message to all that had
registred interest. That scheme never worked correctly.
Refactored and improved the interface event code.
Change-Id: Idb90edfd8703c6ae593b36b4eeb4d3ed7da5c808
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
Long time ago, the linear array of rules in the ACL structure was not
a vector. Now it is, so get rid of the extraneous "count" member.
Do so in a manner that would ease potential the MP-safe manipulation of
ACL rules in the future.
Change-Id: Ib9c0731e4f21723c9ec4d7f00c3e5ead8e1e97bd
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Change-Id: I2f81ec95de55ad2355f82550451ad825c228e5cd
Signed-off-by: Khers <s3m2e1.6star@gmail.com>
|
|
memory sizes [VPP-1502]
In a couple of places vec_add1()-style was repeatedly called in a loop for
smallish vectors where the number of additions was known in advance.
With a test with large number of ACEs these numbers contribute to heap
fragmentation noticeably.
Minimize the number of allocations by preallocating the known size and
then resetting the length accordingly, and then calling vec_add1()
Also unify the parsing of the memory-related startup config parameters.
Change-Id: If8fba344eb1dee8f865ffe7b396ca3b6bd9dc1d0
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
I was expecting "%4d" format string to exhibit the same behavior as
the one in C standard library, but rather than specifying _minimal_
width and expanding as necessary, it actually truncates the output.
Changing that to "%9d" should take care of pushing this surprising
difference in behavior into the domain of impossible.
Change-Id: Ia687137ca765bf9c1575af998ff11314010e81ad
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Change-Id: Ied34720ca5a6e6e717eea4e86003e854031b6eab
Signed-off-by: Dave Barach <dave@barachs.net>
|
|
for plumbing
This makes ACL plugin use the new feature arcs, which slightly increases performance.
Since for ethertype whitelisting we were using the L2 classifier, to retain
the functionality, make a simple node doing that, and plug it into non-ip
L2 feature arc whenever needed.
Change-Id: I3add377a6c790117dd3fd056e5615cb4c4438cf4
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
This commit adds explicit signaling from a non-owning thread to the owning thread
to restart the session timer as necessary.
Consequently, we now can sweep the session lists at their respective timeouts,
rather than sweeping all the lists at the pace of the shortest timeout value,
just taking care to wake up if the session requeue to a different list results
in needing to wake up earlier.
Change-Id: Ifc8c500f6988748f4cd3dc184dd7824321aaaaca
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Change-Id: I085615fde1f966490f30ed5d32017b8b088cfd59
Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
|
|
Change-Id: I63c36644c9d93f2c3ec6606ca0205b407499de4e
Signed-off-by: Eyal Bari <ebari@cisco.com>
|
|
Configure w/ --enable-dlmalloc, see .../build-data/platforms/vpp.mk
src/vppinfra/dlmalloc.[ch] are slightly modified versions of the
well-known Doug Lea malloc. Main advantage: dlmalloc mspaces have no
inherent size limit.
Change-Id: I19b3f43f3c65bcfb82c1a265a97922d01912446e
Signed-off-by: Dave Barach <dave@barachs.net>
|
|
Slightly refactored from the initial implementation of the TupleMerge [1]
algorithm by Valerio Bruschi (valerio.bruschi@telecom-paristech.fr)
[1] James Daly, Eric Torng "TupleMerge: Building Online Packet Classifiers
by Omitting Bits", In Proc. IEEE ICCCN 2017, pp. 1-10
Also add startup parameters to turn on/off the algorithm ("use tuple merge 1/0"),
and a startup parameter to be able to tweak the split threshold
("tuple merge split threshold N"), the default value of the split threshold
is 39 as per paper, but some more tuning might be necessary to find the best
value.
This change, alongside with the optimizations which avoid extra lookups,
significantly reduces the slowdown on the ClassBench generated ACLs, which
are supposed to resemble realistic ACLs seen in use in the field.
Change-Id: I9713e4673970e9a62d4d9e9718365293375fab7b
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
in more than one C file
Including the exports.h from multiple .c files belonging to a single plugin results in an error.
Rework the approach to require the table of function pointers to be filled in by
the initialization function.
Since the inline functions are compiled in the "caller" context,
there is no knowledge about the acl_main structure used by the ACL
plugin. To help with that, the signature of inline functions is slightly
different, taking the p_acl_main pointer as the first parameter.
That pointer is filled into the .p_acl_main field of the method
table during the initialization - since the calling of non-inline variants
would have required filling the method table, this should give
minimal headaches during the use and switch between the two methods.
Change-Id: Icb70695efa23579c46c716944838766cebc8573e
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
- implement a 1us purgatory for the session structures
by adding a special connection list, where all connections
about to be deleted go.
- add per-list-head timeouts updated upon the list enqueue/dequeue
for connection idle management
- add a "unused" session list with list ID#0, which should
never be used unless there is a logic error. Use this ID
to initialize the sessions.
- improve the maintainability of the session linked list
structures by using symbolic bogus index name instead of ~0
- change the ordering of session creations - first reverse, then
local. To minimize the potential for two workers competing for
the same session in the corner case of the two packets
on different workers creating the same logical session
- reduce the maximum session count to keep the memory usage the same
- add extra log/debug/trace to session cleaning logic
- be more aggressive with cleaning up sessions - wind up the
interrupts from the workers to themselves if there is more
work to do
Change-Id: I3aa1c91a925a08e83793467cb15bda178c21e426
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
This commit splits the functions from fa_node.c
into the pure dataplane node functions (which are multiarch-compiled),
session management node functions (which are compiled only once),
and session find/add/delete functions which are split out into the inlines.
As part of the refactoring:
- get rid of BV() macros in the affected chunk of code,
rather use the explicit bihash function names.
- add the magic trailer to the new files to
ensure make checkstyle watches them.
- move the bihash_template.c include for 40_8 bihash into acl.c
Change-Id: I4d781e9ec4307ea84e92af93c09470ea2bd0c375
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
It is a relatively rarely used low level command for code that didn't change,
but due to infra changes it did not survive. Having it working may be very
useful for corner-case debugging. So, fix it for working with
the acl-as-a-service infra.
Change-Id: I11b60e0c78591cc340b043ec240f0311ea1eb2f9
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
(cherry picked from commit 18bde8a579960aa46f43ffbe5c2905774bd81a35)
|
|
Change-Id: I994649761fe2e66e12ae0e49a84fb1d0a966ddfb
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
using the inline functions
The acl_main struct, which is defined in the acl_plugin, is not visible when
the ACL plugin inline code is being compiled within the context of other plugins.
Fix that by using the global pointer variable, which exists in both the ACL plugin
context and is set in the context of the external plugins using ACL plugin.
Change-Id: Iaa74dd8cf36ff5442a06a25c5c968722116bddf8
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
(cherry picked from commit 1286a15a6e60f80b0e1b349f876de8fa38c71368)
|
|
(re-)applied
There were several discussions in which users would expect the sessions to be deleted
if the new policy after the change does not permit them.
There is no right or wrong answer to this question - it is a policy decision.
This patch implements an idea to approach this. It uses a per-interface-per-direction counter to designate
a "policy epoch" - a period of unchanging rulesets. The moment one removes or adds an ACL applied to
an interface, this counter increments.
The newly created connections inherit the current policy epoch in a given direction.
Likewise, this counter increments if anyone updates an ACL applied to an interface.
There is also a new (so far hidden) CLI "set acl-plugin reclassify-sessions [0|1]"
(with default being 0) which allows to enable the checking of the existing sessions
against the current policy epoch in a given direction.
The session is not verified unless there is traffic hitting that session
*in the direction of the policy creation* - if the epoch has changed,
the session is deleted and within the same processing cycle is evaluated
against the ACL rule base and recreated - thus, it should allow traffic-driven
session state refresh without affecting the connectivity for the existing sessions.
If the packet is coming in the direction opposite to which the session was initially
created, the state adjustment is never done, because doing so generically
is not really possible without diving too deep into the special cases,
which may or may not work.
Change-Id: I9e90426492d4bd474b5e89ea8dfb75a7c9de2646
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
- autosize the ACL plugin heap size based on the number of workers
- for manual heap size setting, use the proper types (uword),
and proper format/unformat functions (unformat_memory_size)
Change-Id: I7c46134e949862a0abc9087d7232402fc5a95ad8
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
until it is needed
Registering ACL plugin user module within the "ACL as a service" infra during the plugin init
causes an unnecesary ACL heap allocation and prevents the changing of the ACL heap size
from the startup config.
Defer this registration until just before it is needed - i.e. when applying an ACL to
an interface.
Change-Id: Ied79967596b3b76d6630f136c998e59f8cdad962
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
- allow to optionally specify the specific MACIP ACL index:
'show acl-plugin macip acl [index N]'
- after showing the MACIP ACL, show the sw_if_index of
interface(s) where it is applied.
Also, add some executions of this debug commands
to the MACIP test case for easy verification.
Change-Id: I56cf8272abc20b1b2581b60d528d27a70d186b18
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
The functions which get called by other plugins need to set the acl plugin heap,
such that the other plugins do not have to think about it.
Change-Id: I673073f17116ffe444c163bf3dff40821d0c2686
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
This reverts commit 378ac0533e5ac8c3121d8f66ba61a8548e55282f.
Change-Id: If34b1c964453adb0e4c44e3eab4f6e306bd9c9e9
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
other plugins
This code implements the functionality required for other plugins wishing
to perform ACL lookups in the contexts of their choice, rather than only
in the context of the interface in/out.
The lookups are the stateless ACLs - there is no concept of "direction"
within the context, hence no concept of "connection" either.
The plugins need to include the
The file acl_lookup_context.md has more info.
Change-Id: I91ba97428cc92b24d1517e808dc2fd8e56ea2f8d
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
- Show interface on which given MACIP ACL is applied
- index is added for show acl-plugin macip acl:
ex) show acl-plugin macip acl [index N]
Change-Id: I3e888c8e3267060fe157dfc1bbe3e65371bd858a
Signed-off-by: Steve Shin <jonshin@cisco.com>
|
|
ARP packets need to be allowed for dot1q interface when MACIP is enabled.
Change-Id: I33dd3cb6c6100c49420d57360a277f65c55ac816
Signed-off-by: Steve Shin <jonshin@cisco.com>
|
|
Change-Id: Ie8b4effbd25e1e26b625d451ec059bac58a5a5a1
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
|
|
The gerrit 10434 which added the support for whitelist model on ethertypes,
did not include the support to dump the current state.
This patch fills that gap.
Change-Id: I3222078ccb1839dc366140fa5f6b8999b2926fd2
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Classify table for output node should be cleaned up
after deleting macip ACL.
Change-Id: Ibbc46c8465bec02fe6fa6a8d33a1f06bcf28e9ad
Signed-off-by: Steve Shin <jonshin@cisco.com>
|
|
Currently, ACL plugin largely does not care about the
ethertypes other than 0x0800 (IPv4) and 0x86dd (IPv6),
the only exception being 0x0806 (ARP), which is
dealt with by the MACIP ACLs.
The other ethertypes in L2 mode are just let through.
This adds a new API message acl_interface_set_etype_whitelist,
which allows to flip the mode of a given interface
into "ethertype whitelist mode": the caller of this message
must supply the two lists (inbound and outbound) of the ethertypes
that are to be permitted, the rest of the ethertypes are
dropped.
The whitelisting for a given interface and direction takes
effect only when a policy ACL is also applied.
This operates on the same classifier node as the one used for
dispatching the policy ACL, thus, if one wishes for most of the
reasonable IPv4 deployments to continue to operate within
the whitelist mode, they must permit ARP ethertype (0x0806)
The empty list for a given direction resets the processing
to allow the unknown ethertypes. So, if one wants to just
permit the IPv4 and IPv6 and nothing else, one can add
their ethertypes to the whitelist.
Add the "show acl-plugin interface" corresponding outputs
about the whitelists, vat command, and unittests.
Change-Id: I4659978c801f36d554b6615e56e424b77876662c
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
This is the second patch, using the new functionality from the change 10002
in order to implement the egress filtering on the MACIP ACLs.
This adds an action "2" which means "add also egress filtering rules for this
MACIP ACL.
The reason for having the two choices is that the egress filtering really takes
care of a fairly corner case scenario, and I am not convinced that
always adding the performance cost of the egress lookup check is worth it.
Also, of course, not breaking the existing implementations is a nice plus,
too.
Change-Id: I3d7883ed45b1cdf98d7303771bcc75951dff38f0
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
conn cleaner threads interactions
This replaces some of the early-stage commented-out printf()s with
an elog-based debug collector.
It is aimed to be "better than nothing" initial implementation to be available
in the field. It will be refined/updated based on use. This initial code
is focused on the main/worker threads interactions, hence uses just
the worker tracks.
This code adds a developer debug CLI "set acl-plugin session table event-trace 1",
which allows to gather the events pertaining to connection cleaning.
The CLI is deliberately not part of the online help, as the express
declaration that the semantics/trace levels, etc. are subject to change
without notice.
Change-Id: I3536309f737b73e50639cd5780822dcde667fc2c
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
For implementation of MACIP ACLs enhancement (VPP-1088), an outbound
classifier-based ACL would be needed. There was an existing incomplete
code for outbound ACLs, it looked almost exact copy of input ACLs, minus
the various enhancements, trying to sync that code seemed error-prone
and cumbersome to maintain in the longer run.
This change refactors the input+output ACLs processing into a unified
routine (thus any changes will have effect on both), and also adds
the API to set the output interface ACL, with the same format
and semantics as the existing input one (except working on output
ACL of course).
WARNING: IP outbound ACL in L3 mode clobbers the ip.* fields
in the vnet_buffer_opaque_t, since the code is using l2_classify.*
The net_buffer (p0)->ip.save_rewrite_length is rescued into
l2_classify.pad.l2_len, and used to rewind the header in case of
drop, so that ipX_drop prints something sensible.
Change-Id: I62f814f1e3650e504474a3a5359edb8a0a8836ed
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
This does not update api client code. In other words, if the client
assumes the transport is shmem based, this patch does not change that.
Furthermore, code that checks queue size, for tail dropping, is not
updated.
Done for the following apis:
Plugins
- acl
- gtpu
- memif
- nat
- pppoe
VNET
- bfd
- bier
- tapv2
- vhost user
- dhcp
- flow
- geneve
- ip
- punt
- ipsec/ipsec-gre
- l2
- l2tp
- lisp-cp/one-cp
- lisp-gpe
- map
- mpls
- policer
- session
- span
- udp
- tap
- vxlan/vxlan-gpe
- interface
VPP
- api/api.c
OAM
- oam_api.c
Stats
- stats.c
Change-Id: I0e33ecefb2bdab0295698c0add948068a5a83345
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
- separate client/server code for both memory and socket apis
- separate memory api code from generic vlib api code
- move unix_shared_memory_fifo to svm and rename to svm_fifo_t
- overall declutter
Change-Id: I90cdd98ff74d0787d58825b914b0f1eafcfa4dc2
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
format from hex representation
Even though the trace now prints the hex as well as human readable format for acl plugin,
it can be handy to have a separate function which allows to decode the hex. So add this debug CLI.
Change-Id: I1db133a043374817ea9e94ae3736b8a98630669d
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
macip_acl_add_replace on an existing MACIP ACL
The classifier tables layout might (and most always will) change during the MACIP ACL modification.
Furthermore, vnet_set_input_acl_intfc() is quite a picky creature - it quietly does nothing
if there is an existing inacl applied, even if the number is different, so a simple "reapply"
does not work. So, cleanly remove inacl, then reapply when the new tables are ready.
Also, fix the testcase which was supposed to test this exact behavior.
Thanks to Jon Loeliger for spotting this issue.
Change-Id: I7e4bd8023d9de7e914448bb4466c1b0ef6940f58
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
dot1q/dot1ad classifier mask
17797[1-3] have been a false positive in the optional debug CLI argument handling,
178891 was triggered by an unnecessary use of memcpy.
Also fix the issue reported by khers (thanks!) - since 178891 was in the same place.
Change-Id: I3a804e2b1d25d74c11fcc389020d2c1fd69902b2
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Change-Id: I2397ada9760d546423e031ad45535ef8801b05e7
Signed-off-by: Jon Loeliger <jdl@netgate.com>
|
|
Added two new errors:
ACL_IN_USE_INBOUND
ACL_IN_USE_OUTBOUND
Update ACL tests to expect new, precise return values.
Change-Id: I644861a18aa5b70cce5f451dd6655641160c7697
Signed-off-by: Jon Loeliger <jdl@netgate.com>
|
|
Change-Id: I92b351895c7efb26533c05512b91ead8ddbfb9c8
Signed-off-by: Pavel Kotucek <pkotucek@cisco.com>
|
|
MACIP ACLs
The classifier tables upper bound of memory was just big enough
to cause the unittests pass most of the time but not always.
Increase the amount of space and run several hundred iterations
of unittests to ensure they always pass.
Change-Id: Ieb7876c6ebdde1f8c5273dbb9b090f12f2c38915
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
format()
The vppctl was getting upset with large chunks of info generated
by repeated format() functions, so convert to use vlib_cli_output instead.
Also, refactor the show functionality into smaller functions,
separate from the input handling.
Change-Id: I5d0db5ac45ce4c1b59cd41526b837412e06b1ce0
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
INADDR6_ANY should be displayed as "::" instead of "0.0.0.0"(ipv4 format).
Change-Id: I24ec7b6febbfeca5db7ff894f455ecb73d954334
Signed-off-by: Steve Shin <jonshin@cisco.com>
|