summaryrefslogtreecommitdiffstats
path: root/src/plugins/acl/acl.c
AgeCommit message (Collapse)AuthorFilesLines
2021-07-15acl: Fix the CLI to accept IPv6 prefixesNeale Ranns1-16/+5
Type: fix DBGvpp# set acl-plugin acl src 1::1/128 dst 2::/64 DBGvpp# sh acl-plugin acl acl-index 0 count 1 tag {cli} 0: ipv4 permit src 1.1.1.1/32 dst 1.1.1.2/32 proto 0 sport 0-65535 dport 0-65535 acl-index 1 count 1 tag {cli} 0: ipv6 permit src 1::1/128 dst 2::/64 proto 0 sport 0-65535 dport 0-65535 Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: Ibb8e20dd4ec2792f423a61eefe7398175e45a577
2021-03-25acl: fix the integer overflow bug in API message length validation logicAndrew Yourtchenko1-4/+4
Sending the bogus acl_add_replace message with count=~0 will result in an overflow of "expected_len" field which is a u32, thus the message will pass the validation when it should not. Solution - make the expected_len a u64 to avoid overflow. The bug was found while experimenting with libfuzzer as part of https://gerrit.fd.io/r/c/vpp/+/31763 Type: fix Change-Id: I4a866d48f2418148236f1b1d77c487b869c7c43d Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2021-01-20acl: replace glibc internal __bswap_64 with clibNathan Moos1-1/+2
Type: fix In order to build VPP as a package for an embedded Yocto-based distribution, this patch replaces the use of the glibc internal __bswap_64 function with the VPP function clib_net_to_host_u64, which is provided by vppinfra. Change-Id: I3ecc8525861dc3441bce2b51aa4c80f9a62d3051 Signed-off-by: Nathan Moos <nmoos@cisco.com>
2021-01-11acl: fix tag C-string overflowBenoît Ganne1-5/+14
tag is expected to be a null-terminated C-string Type: fix Change-Id: I633719068c37eac395cc30a6a314c00848e9cdca Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-01-06acl: fix cli tag parsingBenoît Ganne1-1/+5
- tag is expected to be 64-bytes - when specifying tag on cli, a vector is allocated. Make sure it is freed Type: fix Change-Id: Id1741fe406819ca9f71edb081d4483f52cae547d Signed-off-by: Benoît Ganne <bganne@cisco.com>
2020-12-14misc: refactor clib_bitmap_foreach macroDamjan Marion1-2/+2
Type: refactor Change-Id: I077110e1a422722e20aa546a6f3224c06ab0cde5 Signed-off-by: Damjan Marion <damarion@cisco.com>
2020-12-14misc: move to new pool_foreach macrosDamjan Marion1-15/+15
Type: refactor Change-Id: Ie67dc579e88132ddb1ee4a34cb69f96920101772 Signed-off-by: Damjan Marion <damarion@cisco.com>
2020-11-25api: vat2 and json autogeneration for api messagesOle Troan1-14/+39
VAT2: A completely auto-generated replacement of VAT. Reads input message in JSON from stdin and outputs received messages in JSON. A VAT2 plugin is automatically built for a .api file. There no longer a need for a separate _test.c. Example: vat2 show_version {} { "_msgname": "show_version_reply", "retval": 0, "program": "vpe", "version": "21.01-rc0~411-gf6eb348a6", "build_date": "2020-11-19T09:49:25", "build_directory": "/vpp/autogen3" } vat2 sw_interface_dump '{"sw_if_index": -1, "name_filter_valid": 0, "name_filter": ""}' [{ "_msgname": "sw_interface_details", "sw_if_index": 0, "sup_sw_if_index": 0, "l2_address": "00:00:00:00:00:00", "flags": "Invalid ENUM", "type": "IF_API_TYPE_HARDWARE", "link_duplex": "LINK_DUPLEX_API_UNKNOWN", "link_speed": 0, "link_mtu": 0, "mtu": [0, 0, 0, 0], "sub_id": 0, "sub_number_of_tags": 0, "sub_outer_vlan_id": 0, "sub_inner_vlan_id": 0, "sub_if_flags": "Invalid ENUM", "vtr_op": 0, "vtr_push_dot1q": 0, "vtr_tag1": 0, "vtr_tag2": 0, "outer_tag": 0, "b_dmac": "00:00:00:00:00:00", "b_smac": "00:00:00:00:00:00", "b_vlanid": 0, "i_sid": 0, "interface_name": "local0", "interface_dev_type": "local", "tag": "" }] This is the first phase and vat2 is not integrated in packaging yet. Type: feature Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: Ib45ddeafb180ea7da8c5dc274a9274d7a4edc876 Signed-off-by: Ole Troan <ot@cisco.com>
2020-09-21acl: remove custom ACL-plugin heapAndrew Yourtchenko1-149/+12
Custom ACL-plugin heap was useful in early stages, but it interferes with other infra optimizations. Remove it and use global heap. Change-Id: I2300548f1d1798dec27bc5a2a41cf37f9fcda95d Type: improvement Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2020-08-13acl: use the global heap when allocating the lookup contextAndrew Yourtchenko1-0/+3
The "ACL as a service" lookup infra is shared, so a global heap must be used. Type: fix Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> Change-Id: I86894254b737392c1968b6a581b5a37590376428
2020-04-24acl: ACL creation CLI parsing fixNeale Ranns1-2/+4
Type: fix Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: I026f0d8385b538e543bae0c1f7e56e49e4713ba1
2020-03-27acl: API cleanupJakub Grajciar1-152/+46
Use consistent API types. Type: fix Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com> Change-Id: I09fa6c1b6917936351bd376b56c414ce24488095 Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
2020-03-26acl: revert acl: api cleanupOle Trøan1-55/+81
This reverts commit aad1ee149403994194cf37cef4530b042ba7df3a. Reason for revert: Verify failure. Doesn't build. Type: fix Change-Id: I91b1b26ac43edde4853e4561a0083d0b3a06efee Signed-off-by: Ole Troan <ot@cisco.com>
2020-03-26acl: API cleanupJakub Grajciar1-81/+55
Use consistent API types. Type: fix Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com> Change-Id: If90d753f129312400c4c3669bb86289d0c3e0d99 Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
2020-03-25acl: Add CLI additionsNeale Ranns1-0/+254
Type: improvement Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: I172d3d907f324d8cb21e73aa08ef66da029ed365
2020-02-11vppinfra: remove the historical mheap memory allocatorDave Barach1-25/+0
The mheap allocator has been turned off for several releases. This commit removes the cmake config parameter, parallel support for dlmalloc and mheap, and the mheap allocator itself. Type: refactor Signed-off-by: Dave Barach <dave@barachs.net> Change-Id: I104f88a1f06e47e90e5f7fb3e11cd1ca66467903
2020-01-13acl: Remove unsued typeNeale Ranns1-42/+31
Type: style and add some indent offs. Change-Id: I31cf3ab9ff9b64d2cd1f2034dcedd4a9c453efb4 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-09-27acl: remove api boilerplateOle Troan1-92/+8
Type: refactor Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: I5701b7d6d5e1423fb0004f7e48815cd672f81e4d
2019-08-28acl: perform a sanity check of ACL rules before creating ACLAndrew Yourtchenko1-0/+81
Adding acl with incorrect arguments like 1.1.1.1/24 (instead of 1.1.1.0/24) don't cause a disaster, but doesn't match either, as some might expect. Add an explicit sanity check which returns an error. Type: fix Change-Id: Id1601f4b9c9887d3e7e70aac419d1f1de0c0e012 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2019-08-16acl: fix stats-segment counters validation on acl updateAndrew Yourtchenko1-5/+10
The stats-segment validation/clear logic for acl counters was wrong, fix it. Also add the code to the unittests to cover that case, add a vat command to enable/disable counters, clean up the unnecessary endian conversion and remove the stray clib_warning() Change-Id: I421297a92e4aeb885c468c72a97cec25981df615 Type: fix Ticket: VPP-1744 Fixes: f995c7122ba0d024b17bc3232e8edd18d5e25088 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> (cherry picked from commit 4c945dacb9ff9da731301feb26b1edb4ac00e8bd)
2019-07-24acl: implement countersAndrew Yourtchenko1-1/+65
implement per-acl-number counters in the stats segment. They are created during the ACL creation, the counters are incremented in the dataplane using the new inline function with the extra parameter being the packet size. Counting in shared segment adds a noticeable overhead, so add also an API to turn the counters on. Type: feature Change-Id: I8af7b0c31a3d986b68089eb52452aed45df66c7b Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2019-07-09acl: perform the ACL-as-a-service user registrations in global heapAndrew Yourtchenko1-5/+3
Some users tend to call registration routine long before they need that service - which triggers an immediate initialization of the ACL heap, which is rather big. This commit defers this process by keeping the registrations in the global heap. Change-Id: I5825871bd836851942b55184b6ee2657c7a9cc33 Type: fix Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2019-05-03plugins: clean up plugin descriptionsDave Wallace1-1/+1
- Make plugin descriptions more consistent so the output of "show plugin" can be used in the wiki. Change-Id: I4c6feb11e7dcc5a4cf0848eed37f1d3b035c7dda Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
2019-04-10API: Fix shared memory only action handlers.Ole Troan1-7/+5
Some API action handlers called vl_msg_ai_send_shmem() directly. That breaks Unix domain socket API transport. A couple (bond / vhost) also tried to send a sw_interface_event directly, but did not send the message to all that had registred interest. That scheme never worked correctly. Refactored and improved the interface event code. Change-Id: Idb90edfd8703c6ae593b36b4eeb4d3ed7da5c808 Signed-off-by: Ole Troan <ot@cisco.com>
2019-03-22acl-plugin: get rid of a separate "count" field in the linear acl structAndrew Yourtchenko1-8/+9
Long time ago, the linear array of rules in the ACL structure was not a vector. Now it is, so get rid of the extraneous "count" member. Do so in a manner that would ease potential the MP-safe manipulation of ACL rules in the future. Change-Id: Ib9c0731e4f21723c9ec4d7f00c3e5ead8e1e97bd Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-12-11New api in order to get max entries of connection table is added.Khers1-1/+28
Change-Id: I2f81ec95de55ad2355f82550451ad825c228e5cd Signed-off-by: Khers <s3m2e1.6star@gmail.com>
2018-11-22acl-plugin: optimize hash memory usage + fix the startup config parsing for ↵Andrew Yourtchenko1-6/+10
memory sizes [VPP-1502] In a couple of places vec_add1()-style was repeatedly called in a loop for smallish vectors where the number of additions was known in advance. With a test with large number of ACEs these numbers contribute to heap fragmentation noticeably. Minimize the number of allocations by preallocating the known size and then resetting the length accordingly, and then calling vec_add1() Also unify the parsing of the memory-related startup config parameters. Change-Id: If8fba344eb1dee8f865ffe7b396ca3b6bd9dc1d0 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-10-25acl-plugin: "show acl-plugin acl" ACE# is truncated to 4 digits in outputAndrew Yourtchenko1-1/+1
I was expecting "%4d" format string to exhibit the same behavior as the one in C standard library, but rather than specifying _minimal_ width and expanding as necessary, it actually truncates the output. Changing that to "%9d" should take care of pushing this surprising difference in behavior into the domain of impossible. Change-Id: Ia687137ca765bf9c1575af998ff11314010e81ad Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-10-23c11 safe string handling supportDave Barach1-45/+45
Change-Id: Ied34720ca5a6e6e717eea4e86003e854031b6eab Signed-off-by: Dave Barach <dave@barachs.net>
2018-10-20acl-plugin: use the L2 feature arc infrastructure instead of L2 classifier ↵Andrew Yourtchenko1-661/+38
for plumbing This makes ACL plugin use the new feature arcs, which slightly increases performance. Since for ethertype whitelisting we were using the L2 classifier, to retain the functionality, make a simple node doing that, and plug it into non-ip L2 feature arc whenever needed. Change-Id: I3add377a6c790117dd3fd056e5615cb4c4438cf4 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-09-25acl-plugin: optimize session idle timer checksAndrew Yourtchenko1-0/+8
This commit adds explicit signaling from a non-owning thread to the owning thread to restart the session timer as necessary. Consequently, we now can sweep the session lists at their respective timeouts, rather than sweeping all the lists at the pace of the shortest timeout value, just taking care to wake up if the session requeue to a different list results in needing to wake up earlier. Change-Id: Ifc8c500f6988748f4cd3dc184dd7824321aaaaca Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-09-24Trivial: Clean up some typos.Paul Vinciguerra1-2/+2
Change-Id: I085615fde1f966490f30ed5d32017b8b088cfd59 Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2018-07-23fix vector index range checksEyal Bari1-2/+2
Change-Id: I63c36644c9d93f2c3ec6606ca0205b407499de4e Signed-off-by: Eyal Bari <ebari@cisco.com>
2018-07-18Add config option to use dlmalloc instead of mheapDave Barach1-3/+8
Configure w/ --enable-dlmalloc, see .../build-data/platforms/vpp.mk src/vppinfra/dlmalloc.[ch] are slightly modified versions of the well-known Doug Lea malloc. Main advantage: dlmalloc mspaces have no inherent size limit. Change-Id: I19b3f43f3c65bcfb82c1a265a97922d01912446e Signed-off-by: Dave Barach <dave@barachs.net>
2018-06-27acl-plugin: tm: add tuplemerge algorithm for relaxing the hashtable masksAndrew Yourtchenko1-0/+14
Slightly refactored from the initial implementation of the TupleMerge [1] algorithm by Valerio Bruschi (valerio.bruschi@telecom-paristech.fr) [1] James Daly, Eric Torng "TupleMerge: Building Online Packet Classifiers by Omitting Bits", In Proc. IEEE ICCCN 2017, pp. 1-10 Also add startup parameters to turn on/off the algorithm ("use tuple merge 1/0"), and a startup parameter to be able to tweak the split threshold ("tuple merge split threshold N"), the default value of the split threshold is 39 as per paper, but some more tuning might be necessary to find the best value. This change, alongside with the optimizations which avoid extra lookups, significantly reduces the slowdown on the ClassBench generated ACLs, which are supposed to resemble realistic ACLs seen in use in the field. Change-Id: I9713e4673970e9a62d4d9e9718365293375fab7b Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-06-20acl-plugin: acl-as-a-service: VPP-1248: fix the error if exports.h included ↵Andrew Yourtchenko1-18/+15
in more than one C file Including the exports.h from multiple .c files belonging to a single plugin results in an error. Rework the approach to require the table of function pointers to be filled in by the initialization function. Since the inline functions are compiled in the "caller" context, there is no knowledge about the acl_main structure used by the ACL plugin. To help with that, the signature of inline functions is slightly different, taking the p_acl_main pointer as the first parameter. That pointer is filled into the .p_acl_main field of the method table during the initialization - since the calling of non-inline variants would have required filling the method table, this should give minimal headaches during the use and switch between the two methods. Change-Id: Icb70695efa23579c46c716944838766cebc8573e Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-06-02acl-plugin: multicore: session management fixesAndrew Yourtchenko1-15/+28
- implement a 1us purgatory for the session structures by adding a special connection list, where all connections about to be deleted go. - add per-list-head timeouts updated upon the list enqueue/dequeue for connection idle management - add a "unused" session list with list ID#0, which should never be used unless there is a logic error. Use this ID to initialize the sessions. - improve the maintainability of the session linked list structures by using symbolic bogus index name instead of ~0 - change the ordering of session creations - first reverse, then local. To minimize the potential for two workers competing for the same session in the corner case of the two packets on different workers creating the same logical session - reduce the maximum session count to keep the memory usage the same - add extra log/debug/trace to session cleaning logic - be more aggressive with cleaning up sessions - wind up the interrupts from the workers to themselves if there is more work to do Change-Id: I3aa1c91a925a08e83793467cb15bda178c21e426 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-05-22acl-plugin: refactor to introduce multiarch dataplane functionsAndrew Yourtchenko1-0/+7
This commit splits the functions from fa_node.c into the pure dataplane node functions (which are multiarch-compiled), session management node functions (which are compiled only once), and session find/add/delete functions which are split out into the inlines. As part of the refactoring: - get rid of BV() macros in the affected chunk of code, rather use the explicit bihash function names. - add the magic trailer to the new files to ensure make checkstyle watches them. - move the bihash_template.c include for 40_8 bihash into acl.c Change-Id: I4d781e9ec4307ea84e92af93c09470ea2bd0c375 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-04-17acl-plugin: VPP-1241: fix the "show acl-plugin tables applied" outputAndrew Yourtchenko1-4/+4
It is a relatively rarely used low level command for code that didn't change, but due to infra changes it did not survive. Having it working may be very useful for corner-case debugging. So, fix it for working with the acl-as-a-service infra. Change-Id: I11b60e0c78591cc340b043ec240f0311ea1eb2f9 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> (cherry picked from commit 18bde8a579960aa46f43ffbe5c2905774bd81a35)
2018-04-12Fixes for 'make UNATTENDED=yes CC=clang CXX=clang verify'Neale Ranns1-1/+0
Change-Id: I994649761fe2e66e12ae0e49a84fb1d0a966ddfb Signed-off-by: Neale Ranns <nranns@cisco.com>
2018-04-11acl-plugin: VPP-1230: fix the "undefined symbol" error for acl_main when ↵Andrew Yourtchenko1-0/+1
using the inline functions The acl_main struct, which is defined in the acl_plugin, is not visible when the ACL plugin inline code is being compiled within the context of other plugins. Fix that by using the global pointer variable, which exists in both the ACL plugin context and is set in the context of the external plugins using ACL plugin. Change-Id: Iaa74dd8cf36ff5442a06a25c5c968722116bddf8 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> (cherry picked from commit 1286a15a6e60f80b0e1b349f876de8fa38c71368)
2018-03-30acl-plugin: implement an optional session reclassification when ACL is ↵Andrew Yourtchenko1-7/+89
(re-)applied There were several discussions in which users would expect the sessions to be deleted if the new policy after the change does not permit them. There is no right or wrong answer to this question - it is a policy decision. This patch implements an idea to approach this. It uses a per-interface-per-direction counter to designate a "policy epoch" - a period of unchanging rulesets. The moment one removes or adds an ACL applied to an interface, this counter increments. The newly created connections inherit the current policy epoch in a given direction. Likewise, this counter increments if anyone updates an ACL applied to an interface. There is also a new (so far hidden) CLI "set acl-plugin reclassify-sessions [0|1]" (with default being 0) which allows to enable the checking of the existing sessions against the current policy epoch in a given direction. The session is not verified unless there is traffic hitting that session *in the direction of the policy creation* - if the epoch has changed, the session is deleted and within the same processing cycle is evaluated against the ACL rule base and recreated - thus, it should allow traffic-driven session state refresh without affecting the connectivity for the existing sessions. If the packet is coming in the direction opposite to which the session was initially created, the state adjustment is never done, because doing so generically is not really possible without diving too deep into the special cases, which may or may not work. Change-Id: I9e90426492d4bd474b5e89ea8dfb75a7c9de2646 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-03-27acl-plugin: autosize the ACL plugin heap and fix the heap size types and parsingAndrew Yourtchenko1-5/+38
- autosize the ACL plugin heap size based on the number of workers - for manual heap size setting, use the proper types (uword), and proper format/unformat functions (unformat_memory_size) Change-Id: I7c46134e949862a0abc9087d7232402fc5a95ad8 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-03-26acl-plugin: defer the ACL plugin user module registration with ACL lookup ↵Andrew Yourtchenko1-3/+5
until it is needed Registering ACL plugin user module within the "ACL as a service" infra during the plugin init causes an unnecesary ACL heap allocation and prevents the changing of the ACL heap size from the startup config. Defer this registration until just before it is needed - i.e. when applying an ACL to an interface. Change-Id: Ied79967596b3b76d6630f136c998e59f8cdad962 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-03-23acl-plugin: improvements in 'show acl-plugin macip acl' CLIAndrew Yourtchenko1-11/+44
- allow to optionally specify the specific MACIP ACL index: 'show acl-plugin macip acl [index N]' - after showing the MACIP ACL, show the sw_if_index of interface(s) where it is applied. Also, add some executions of this debug commands to the MACIP test case for easy verification. Change-Id: I56cf8272abc20b1b2581b60d528d27a70d186b18 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-03-23acl-plugin: set ACL heap within the exported functions that might alloc memoryAndrew Yourtchenko1-0/+7
The functions which get called by other plugins need to set the acl plugin heap, such that the other plugins do not have to think about it. Change-Id: I673073f17116ffe444c163bf3dff40821d0c2686 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-03-22Revert "acl-plugin: improvement on 'show acl-plugin' CLI"Damjan Marion1-34/+9
This reverts commit 378ac0533e5ac8c3121d8f66ba61a8548e55282f. Change-Id: If34b1c964453adb0e4c44e3eab4f6e306bd9c9e9 Signed-off-by: Damjan Marion <damarion@cisco.com>
2018-03-22acl-plugin: implement ACL lookup contexts for "ACL as a service" use by ↵Andrew Yourtchenko1-459/+424
other plugins This code implements the functionality required for other plugins wishing to perform ACL lookups in the contexts of their choice, rather than only in the context of the interface in/out. The lookups are the stateless ACLs - there is no concept of "direction" within the context, hence no concept of "connection" either. The plugins need to include the The file acl_lookup_context.md has more info. Change-Id: I91ba97428cc92b24d1517e808dc2fd8e56ea2f8d Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-03-21acl-plugin: improvement on 'show acl-plugin' CLISteve Shin1-9/+34
- Show interface on which given MACIP ACL is applied - index is added for show acl-plugin macip acl: ex) show acl-plugin macip acl [index N] Change-Id: I3e888c8e3267060fe157dfc1bbe3e65371bd858a Signed-off-by: Steve Shin <jonshin@cisco.com>
2018-03-20Fix Allow ARP packets for dot1q interface with MACIP enabledSteve Shin1-50/+169
ARP packets need to be allowed for dot1q interface when MACIP is enabled. Change-Id: I33dd3cb6c6100c49420d57360a277f65c55ac816 Signed-off-by: Steve Shin <jonshin@cisco.com>