Age | Commit message (Collapse) | Author | Files | Lines |
|
Type: fix
DBGvpp# set acl-plugin acl src 1::1/128 dst 2::/64
DBGvpp# sh acl-plugin acl
acl-index 0 count 1 tag {cli}
0: ipv4 permit src 1.1.1.1/32 dst 1.1.1.2/32 proto 0 sport 0-65535 dport 0-65535
acl-index 1 count 1 tag {cli}
0: ipv6 permit src 1::1/128 dst 2::/64 proto 0 sport 0-65535 dport 0-65535
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Ibb8e20dd4ec2792f423a61eefe7398175e45a577
|
|
Sending the bogus acl_add_replace message with count=~0 will result in
an overflow of "expected_len" field which is a u32, thus the message
will pass the validation when it should not.
Solution - make the expected_len a u64 to avoid overflow.
The bug was found while experimenting with libfuzzer as part of
https://gerrit.fd.io/r/c/vpp/+/31763
Type: fix
Change-Id: I4a866d48f2418148236f1b1d77c487b869c7c43d
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Type: fix
In order to build VPP as a package for an embedded Yocto-based
distribution, this patch replaces the use of the glibc internal
__bswap_64 function with the VPP function clib_net_to_host_u64, which is
provided by vppinfra.
Change-Id: I3ecc8525861dc3441bce2b51aa4c80f9a62d3051
Signed-off-by: Nathan Moos <nmoos@cisco.com>
|
|
tag is expected to be a null-terminated C-string
Type: fix
Change-Id: I633719068c37eac395cc30a6a314c00848e9cdca
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
- tag is expected to be 64-bytes
- when specifying tag on cli, a vector is allocated. Make sure it is
freed
Type: fix
Change-Id: Id1741fe406819ca9f71edb081d4483f52cae547d
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Type: refactor
Change-Id: I077110e1a422722e20aa546a6f3224c06ab0cde5
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Type: refactor
Change-Id: Ie67dc579e88132ddb1ee4a34cb69f96920101772
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
VAT2: A completely auto-generated replacement of VAT.
Reads input message in JSON from stdin and outputs received messages in JSON.
A VAT2 plugin is automatically built for a .api file.
There no longer a need for a separate _test.c.
Example:
vat2 show_version {}
{
"_msgname": "show_version_reply",
"retval": 0,
"program": "vpe",
"version": "21.01-rc0~411-gf6eb348a6",
"build_date": "2020-11-19T09:49:25",
"build_directory": "/vpp/autogen3"
}
vat2 sw_interface_dump '{"sw_if_index": -1,
"name_filter_valid": 0,
"name_filter": ""}'
[{
"_msgname": "sw_interface_details",
"sw_if_index": 0,
"sup_sw_if_index": 0,
"l2_address": "00:00:00:00:00:00",
"flags": "Invalid ENUM",
"type": "IF_API_TYPE_HARDWARE",
"link_duplex": "LINK_DUPLEX_API_UNKNOWN",
"link_speed": 0,
"link_mtu": 0,
"mtu": [0, 0, 0, 0],
"sub_id": 0,
"sub_number_of_tags": 0,
"sub_outer_vlan_id": 0,
"sub_inner_vlan_id": 0,
"sub_if_flags": "Invalid ENUM",
"vtr_op": 0,
"vtr_push_dot1q": 0,
"vtr_tag1": 0,
"vtr_tag2": 0,
"outer_tag": 0,
"b_dmac": "00:00:00:00:00:00",
"b_smac": "00:00:00:00:00:00",
"b_vlanid": 0,
"i_sid": 0,
"interface_name": "local0",
"interface_dev_type": "local",
"tag": ""
}]
This is the first phase and vat2 is not integrated in packaging yet.
Type: feature
Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: Ib45ddeafb180ea7da8c5dc274a9274d7a4edc876
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
Custom ACL-plugin heap was useful in early stages,
but it interferes with other infra optimizations.
Remove it and use global heap.
Change-Id: I2300548f1d1798dec27bc5a2a41cf37f9fcda95d
Type: improvement
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
The "ACL as a service" lookup infra is shared, so a global heap must
be used.
Type: fix
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Change-Id: I86894254b737392c1968b6a581b5a37590376428
|
|
Type: fix
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: I026f0d8385b538e543bae0c1f7e56e49e4713ba1
|
|
Use consistent API types.
Type: fix
Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
Change-Id: I09fa6c1b6917936351bd376b56c414ce24488095
Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
|
|
This reverts commit aad1ee149403994194cf37cef4530b042ba7df3a.
Reason for revert: Verify failure. Doesn't build.
Type: fix
Change-Id: I91b1b26ac43edde4853e4561a0083d0b3a06efee
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
Use consistent API types.
Type: fix
Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
Change-Id: If90d753f129312400c4c3669bb86289d0c3e0d99
Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
|
|
Type: improvement
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: I172d3d907f324d8cb21e73aa08ef66da029ed365
|
|
The mheap allocator has been turned off for several releases. This
commit removes the cmake config parameter, parallel support for
dlmalloc and mheap, and the mheap allocator itself.
Type: refactor
Signed-off-by: Dave Barach <dave@barachs.net>
Change-Id: I104f88a1f06e47e90e5f7fb3e11cd1ca66467903
|
|
Type: style
and add some indent offs.
Change-Id: I31cf3ab9ff9b64d2cd1f2034dcedd4a9c453efb4
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: refactor
Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: I5701b7d6d5e1423fb0004f7e48815cd672f81e4d
|
|
Adding acl with incorrect arguments like 1.1.1.1/24 (instead of 1.1.1.0/24)
don't cause a disaster, but doesn't match either, as some might expect.
Add an explicit sanity check which returns an error.
Type: fix
Change-Id: Id1601f4b9c9887d3e7e70aac419d1f1de0c0e012
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
The stats-segment validation/clear logic for acl counters was wrong,
fix it. Also add the code to the unittests to cover that case,
add a vat command to enable/disable counters, clean up
the unnecessary endian conversion and remove the stray clib_warning()
Change-Id: I421297a92e4aeb885c468c72a97cec25981df615
Type: fix
Ticket: VPP-1744
Fixes: f995c7122ba0d024b17bc3232e8edd18d5e25088
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
(cherry picked from commit 4c945dacb9ff9da731301feb26b1edb4ac00e8bd)
|
|
implement per-acl-number counters in the stats segment.
They are created during the ACL creation,
the counters are incremented in the dataplane using
the new inline function with the extra parameter being
the packet size. Counting in shared segment adds
a noticeable overhead, so add also an API to
turn the counters on.
Type: feature
Change-Id: I8af7b0c31a3d986b68089eb52452aed45df66c7b
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Some users tend to call registration routine long before they need
that service - which triggers an immediate initialization of
the ACL heap, which is rather big. This commit defers this process
by keeping the registrations in the global heap.
Change-Id: I5825871bd836851942b55184b6ee2657c7a9cc33
Type: fix
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
- Make plugin descriptions more consistent
so the output of "show plugin" can be
used in the wiki.
Change-Id: I4c6feb11e7dcc5a4cf0848eed37f1d3b035c7dda
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
|
|
Some API action handlers called vl_msg_ai_send_shmem()
directly. That breaks Unix domain socket API transport.
A couple (bond / vhost) also tried to send a sw_interface_event
directly, but did not send the message to all that had
registred interest. That scheme never worked correctly.
Refactored and improved the interface event code.
Change-Id: Idb90edfd8703c6ae593b36b4eeb4d3ed7da5c808
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
Long time ago, the linear array of rules in the ACL structure was not
a vector. Now it is, so get rid of the extraneous "count" member.
Do so in a manner that would ease potential the MP-safe manipulation of
ACL rules in the future.
Change-Id: Ib9c0731e4f21723c9ec4d7f00c3e5ead8e1e97bd
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Change-Id: I2f81ec95de55ad2355f82550451ad825c228e5cd
Signed-off-by: Khers <s3m2e1.6star@gmail.com>
|
|
memory sizes [VPP-1502]
In a couple of places vec_add1()-style was repeatedly called in a loop for
smallish vectors where the number of additions was known in advance.
With a test with large number of ACEs these numbers contribute to heap
fragmentation noticeably.
Minimize the number of allocations by preallocating the known size and
then resetting the length accordingly, and then calling vec_add1()
Also unify the parsing of the memory-related startup config parameters.
Change-Id: If8fba344eb1dee8f865ffe7b396ca3b6bd9dc1d0
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
I was expecting "%4d" format string to exhibit the same behavior as
the one in C standard library, but rather than specifying _minimal_
width and expanding as necessary, it actually truncates the output.
Changing that to "%9d" should take care of pushing this surprising
difference in behavior into the domain of impossible.
Change-Id: Ia687137ca765bf9c1575af998ff11314010e81ad
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Change-Id: Ied34720ca5a6e6e717eea4e86003e854031b6eab
Signed-off-by: Dave Barach <dave@barachs.net>
|
|
for plumbing
This makes ACL plugin use the new feature arcs, which slightly increases performance.
Since for ethertype whitelisting we were using the L2 classifier, to retain
the functionality, make a simple node doing that, and plug it into non-ip
L2 feature arc whenever needed.
Change-Id: I3add377a6c790117dd3fd056e5615cb4c4438cf4
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
This commit adds explicit signaling from a non-owning thread to the owning thread
to restart the session timer as necessary.
Consequently, we now can sweep the session lists at their respective timeouts,
rather than sweeping all the lists at the pace of the shortest timeout value,
just taking care to wake up if the session requeue to a different list results
in needing to wake up earlier.
Change-Id: Ifc8c500f6988748f4cd3dc184dd7824321aaaaca
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Change-Id: I085615fde1f966490f30ed5d32017b8b088cfd59
Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
|
|
Change-Id: I63c36644c9d93f2c3ec6606ca0205b407499de4e
Signed-off-by: Eyal Bari <ebari@cisco.com>
|
|
Configure w/ --enable-dlmalloc, see .../build-data/platforms/vpp.mk
src/vppinfra/dlmalloc.[ch] are slightly modified versions of the
well-known Doug Lea malloc. Main advantage: dlmalloc mspaces have no
inherent size limit.
Change-Id: I19b3f43f3c65bcfb82c1a265a97922d01912446e
Signed-off-by: Dave Barach <dave@barachs.net>
|
|
Slightly refactored from the initial implementation of the TupleMerge [1]
algorithm by Valerio Bruschi (valerio.bruschi@telecom-paristech.fr)
[1] James Daly, Eric Torng "TupleMerge: Building Online Packet Classifiers
by Omitting Bits", In Proc. IEEE ICCCN 2017, pp. 1-10
Also add startup parameters to turn on/off the algorithm ("use tuple merge 1/0"),
and a startup parameter to be able to tweak the split threshold
("tuple merge split threshold N"), the default value of the split threshold
is 39 as per paper, but some more tuning might be necessary to find the best
value.
This change, alongside with the optimizations which avoid extra lookups,
significantly reduces the slowdown on the ClassBench generated ACLs, which
are supposed to resemble realistic ACLs seen in use in the field.
Change-Id: I9713e4673970e9a62d4d9e9718365293375fab7b
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
in more than one C file
Including the exports.h from multiple .c files belonging to a single plugin results in an error.
Rework the approach to require the table of function pointers to be filled in by
the initialization function.
Since the inline functions are compiled in the "caller" context,
there is no knowledge about the acl_main structure used by the ACL
plugin. To help with that, the signature of inline functions is slightly
different, taking the p_acl_main pointer as the first parameter.
That pointer is filled into the .p_acl_main field of the method
table during the initialization - since the calling of non-inline variants
would have required filling the method table, this should give
minimal headaches during the use and switch between the two methods.
Change-Id: Icb70695efa23579c46c716944838766cebc8573e
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
- implement a 1us purgatory for the session structures
by adding a special connection list, where all connections
about to be deleted go.
- add per-list-head timeouts updated upon the list enqueue/dequeue
for connection idle management
- add a "unused" session list with list ID#0, which should
never be used unless there is a logic error. Use this ID
to initialize the sessions.
- improve the maintainability of the session linked list
structures by using symbolic bogus index name instead of ~0
- change the ordering of session creations - first reverse, then
local. To minimize the potential for two workers competing for
the same session in the corner case of the two packets
on different workers creating the same logical session
- reduce the maximum session count to keep the memory usage the same
- add extra log/debug/trace to session cleaning logic
- be more aggressive with cleaning up sessions - wind up the
interrupts from the workers to themselves if there is more
work to do
Change-Id: I3aa1c91a925a08e83793467cb15bda178c21e426
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
This commit splits the functions from fa_node.c
into the pure dataplane node functions (which are multiarch-compiled),
session management node functions (which are compiled only once),
and session find/add/delete functions which are split out into the inlines.
As part of the refactoring:
- get rid of BV() macros in the affected chunk of code,
rather use the explicit bihash function names.
- add the magic trailer to the new files to
ensure make checkstyle watches them.
- move the bihash_template.c include for 40_8 bihash into acl.c
Change-Id: I4d781e9ec4307ea84e92af93c09470ea2bd0c375
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
It is a relatively rarely used low level command for code that didn't change,
but due to infra changes it did not survive. Having it working may be very
useful for corner-case debugging. So, fix it for working with
the acl-as-a-service infra.
Change-Id: I11b60e0c78591cc340b043ec240f0311ea1eb2f9
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
(cherry picked from commit 18bde8a579960aa46f43ffbe5c2905774bd81a35)
|
|
Change-Id: I994649761fe2e66e12ae0e49a84fb1d0a966ddfb
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
using the inline functions
The acl_main struct, which is defined in the acl_plugin, is not visible when
the ACL plugin inline code is being compiled within the context of other plugins.
Fix that by using the global pointer variable, which exists in both the ACL plugin
context and is set in the context of the external plugins using ACL plugin.
Change-Id: Iaa74dd8cf36ff5442a06a25c5c968722116bddf8
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
(cherry picked from commit 1286a15a6e60f80b0e1b349f876de8fa38c71368)
|
|
(re-)applied
There were several discussions in which users would expect the sessions to be deleted
if the new policy after the change does not permit them.
There is no right or wrong answer to this question - it is a policy decision.
This patch implements an idea to approach this. It uses a per-interface-per-direction counter to designate
a "policy epoch" - a period of unchanging rulesets. The moment one removes or adds an ACL applied to
an interface, this counter increments.
The newly created connections inherit the current policy epoch in a given direction.
Likewise, this counter increments if anyone updates an ACL applied to an interface.
There is also a new (so far hidden) CLI "set acl-plugin reclassify-sessions [0|1]"
(with default being 0) which allows to enable the checking of the existing sessions
against the current policy epoch in a given direction.
The session is not verified unless there is traffic hitting that session
*in the direction of the policy creation* - if the epoch has changed,
the session is deleted and within the same processing cycle is evaluated
against the ACL rule base and recreated - thus, it should allow traffic-driven
session state refresh without affecting the connectivity for the existing sessions.
If the packet is coming in the direction opposite to which the session was initially
created, the state adjustment is never done, because doing so generically
is not really possible without diving too deep into the special cases,
which may or may not work.
Change-Id: I9e90426492d4bd474b5e89ea8dfb75a7c9de2646
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
- autosize the ACL plugin heap size based on the number of workers
- for manual heap size setting, use the proper types (uword),
and proper format/unformat functions (unformat_memory_size)
Change-Id: I7c46134e949862a0abc9087d7232402fc5a95ad8
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
until it is needed
Registering ACL plugin user module within the "ACL as a service" infra during the plugin init
causes an unnecesary ACL heap allocation and prevents the changing of the ACL heap size
from the startup config.
Defer this registration until just before it is needed - i.e. when applying an ACL to
an interface.
Change-Id: Ied79967596b3b76d6630f136c998e59f8cdad962
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
- allow to optionally specify the specific MACIP ACL index:
'show acl-plugin macip acl [index N]'
- after showing the MACIP ACL, show the sw_if_index of
interface(s) where it is applied.
Also, add some executions of this debug commands
to the MACIP test case for easy verification.
Change-Id: I56cf8272abc20b1b2581b60d528d27a70d186b18
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
The functions which get called by other plugins need to set the acl plugin heap,
such that the other plugins do not have to think about it.
Change-Id: I673073f17116ffe444c163bf3dff40821d0c2686
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
This reverts commit 378ac0533e5ac8c3121d8f66ba61a8548e55282f.
Change-Id: If34b1c964453adb0e4c44e3eab4f6e306bd9c9e9
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
other plugins
This code implements the functionality required for other plugins wishing
to perform ACL lookups in the contexts of their choice, rather than only
in the context of the interface in/out.
The lookups are the stateless ACLs - there is no concept of "direction"
within the context, hence no concept of "connection" either.
The plugins need to include the
The file acl_lookup_context.md has more info.
Change-Id: I91ba97428cc92b24d1517e808dc2fd8e56ea2f8d
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
- Show interface on which given MACIP ACL is applied
- index is added for show acl-plugin macip acl:
ex) show acl-plugin macip acl [index N]
Change-Id: I3e888c8e3267060fe157dfc1bbe3e65371bd858a
Signed-off-by: Steve Shin <jonshin@cisco.com>
|
|
ARP packets need to be allowed for dot1q interface when MACIP is enabled.
Change-Id: I33dd3cb6c6100c49420d57360a277f65c55ac816
Signed-off-by: Steve Shin <jonshin@cisco.com>
|