aboutsummaryrefslogtreecommitdiffstats
path: root/src/plugins/acl/acl.h
AgeCommit message (Collapse)AuthorFilesLines
2018-06-02acl-plugin: multicore: session management fixesAndrew Yourtchenko1-1/+21
- implement a 1us purgatory for the session structures by adding a special connection list, where all connections about to be deleted go. - add per-list-head timeouts updated upon the list enqueue/dequeue for connection idle management - add a "unused" session list with list ID#0, which should never be used unless there is a logic error. Use this ID to initialize the sessions. - improve the maintainability of the session linked list structures by using symbolic bogus index name instead of ~0 - change the ordering of session creations - first reverse, then local. To minimize the potential for two workers competing for the same session in the corner case of the two packets on different workers creating the same logical session - reduce the maximum session count to keep the memory usage the same - add extra log/debug/trace to session cleaning logic - be more aggressive with cleaning up sessions - wind up the interrupts from the workers to themselves if there is more work to do Change-Id: I3aa1c91a925a08e83793467cb15bda178c21e426 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-05-04Harmonize vec/pool_get_aligned object sizes and alignment requestsDave Barach1-0/+6
Object sizes must evenly divide alignment requests, or vice versa. Otherwise, only the first object will be aligned as requested. Three choices: add CLIB_CACHE_LINE_ALIGN_MARK(align_me) at the end of structures, manually pad to an even divisor or multiple of the alignment request, or use plain vectors/pools. static assert for enforcement. Change-Id: I41aa6ff1a58267301d32aaf4b9cd24678ac1c147 Signed-off-by: Dave Barach <dbarach@cisco.com>
2018-04-11acl-plugin: VPP-1230: fix the "undefined symbol" error for acl_main when ↵Andrew Yourtchenko1-0/+7
using the inline functions The acl_main struct, which is defined in the acl_plugin, is not visible when the ACL plugin inline code is being compiled within the context of other plugins. Fix that by using the global pointer variable, which exists in both the ACL plugin context and is set in the context of the external plugins using ACL plugin. Change-Id: Iaa74dd8cf36ff5442a06a25c5c968722116bddf8 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> (cherry picked from commit 1286a15a6e60f80b0e1b349f876de8fa38c71368)
2018-03-30acl-plugin: implement an optional session reclassification when ACL is ↵Andrew Yourtchenko1-0/+9
(re-)applied There were several discussions in which users would expect the sessions to be deleted if the new policy after the change does not permit them. There is no right or wrong answer to this question - it is a policy decision. This patch implements an idea to approach this. It uses a per-interface-per-direction counter to designate a "policy epoch" - a period of unchanging rulesets. The moment one removes or adds an ACL applied to an interface, this counter increments. The newly created connections inherit the current policy epoch in a given direction. Likewise, this counter increments if anyone updates an ACL applied to an interface. There is also a new (so far hidden) CLI "set acl-plugin reclassify-sessions [0|1]" (with default being 0) which allows to enable the checking of the existing sessions against the current policy epoch in a given direction. The session is not verified unless there is traffic hitting that session *in the direction of the policy creation* - if the epoch has changed, the session is deleted and within the same processing cycle is evaluated against the ACL rule base and recreated - thus, it should allow traffic-driven session state refresh without affecting the connectivity for the existing sessions. If the packet is coming in the direction opposite to which the session was initially created, the state adjustment is never done, because doing so generically is not really possible without diving too deep into the special cases, which may or may not work. Change-Id: I9e90426492d4bd474b5e89ea8dfb75a7c9de2646 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-03-27acl-plugin: autosize the ACL plugin heap and fix the heap size types and parsingAndrew Yourtchenko1-4/+2
- autosize the ACL plugin heap size based on the number of workers - for manual heap size setting, use the proper types (uword), and proper format/unformat functions (unformat_memory_size) Change-Id: I7c46134e949862a0abc9087d7232402fc5a95ad8 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-03-23acl-plugin: improvements in 'show acl-plugin macip acl' CLIAndrew Yourtchenko1-0/+3
- allow to optionally specify the specific MACIP ACL index: 'show acl-plugin macip acl [index N]' - after showing the MACIP ACL, show the sw_if_index of interface(s) where it is applied. Also, add some executions of this debug commands to the MACIP test case for easy verification. Change-Id: I56cf8272abc20b1b2581b60d528d27a70d186b18 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-03-23acl-plugin: set ACL heap within the exported functions that might alloc memoryAndrew Yourtchenko1-0/+2
The functions which get called by other plugins need to set the acl plugin heap, such that the other plugins do not have to think about it. Change-Id: I673073f17116ffe444c163bf3dff40821d0c2686 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-03-22Revert "acl-plugin: improvement on 'show acl-plugin' CLI"Damjan Marion1-3/+0
This reverts commit 378ac0533e5ac8c3121d8f66ba61a8548e55282f. Change-Id: If34b1c964453adb0e4c44e3eab4f6e306bd9c9e9 Signed-off-by: Damjan Marion <damarion@cisco.com>
2018-03-22acl-plugin: implement ACL lookup contexts for "ACL as a service" use by ↵Andrew Yourtchenko1-0/+24
other plugins This code implements the functionality required for other plugins wishing to perform ACL lookups in the contexts of their choice, rather than only in the context of the interface in/out. The lookups are the stateless ACLs - there is no concept of "direction" within the context, hence no concept of "connection" either. The plugins need to include the The file acl_lookup_context.md has more info. Change-Id: I91ba97428cc92b24d1517e808dc2fd8e56ea2f8d Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-03-21acl-plugin: improvement on 'show acl-plugin' CLISteve Shin1-0/+3
- Show interface on which given MACIP ACL is applied - index is added for show acl-plugin macip acl: ex) show acl-plugin macip acl [index N] Change-Id: I3e888c8e3267060fe157dfc1bbe3e65371bd858a Signed-off-by: Steve Shin <jonshin@cisco.com>
2018-02-08acl-plugin: add whitelisted ethertype mode (VPP-1163)Andrew Yourtchenko1-0/+6
Currently, ACL plugin largely does not care about the ethertypes other than 0x0800 (IPv4) and 0x86dd (IPv6), the only exception being 0x0806 (ARP), which is dealt with by the MACIP ACLs. The other ethertypes in L2 mode are just let through. This adds a new API message acl_interface_set_etype_whitelist, which allows to flip the mode of a given interface into "ethertype whitelist mode": the caller of this message must supply the two lists (inbound and outbound) of the ethertypes that are to be permitted, the rest of the ethertypes are dropped. The whitelisting for a given interface and direction takes effect only when a policy ACL is also applied. This operates on the same classifier node as the one used for dispatching the policy ACL, thus, if one wishes for most of the reasonable IPv4 deployments to continue to operate within the whitelist mode, they must permit ARP ethertype (0x0806) The empty list for a given direction resets the processing to allow the unknown ethertypes. So, if one wants to just permit the IPv4 and IPv6 and nothing else, one can add their ethertypes to the whitelist. Add the "show acl-plugin interface" corresponding outputs about the whitelists, vat command, and unittests. Change-Id: I4659978c801f36d554b6615e56e424b77876662c Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-02-08acl-plugin: VPP-1088: add support for egress filter in macip ACLsAndrew Yourtchenko1-0/+4
This is the second patch, using the new functionality from the change 10002 in order to implement the egress filtering on the MACIP ACLs. This adds an action "2" which means "add also egress filtering rules for this MACIP ACL. The reason for having the two choices is that the egress filtering really takes care of a fairly corner case scenario, and I am not convinced that always adding the performance cost of the egress lookup check is worth it. Also, of course, not breaking the existing implementations is a nice plus, too. Change-Id: I3d7883ed45b1cdf98d7303771bcc75951dff38f0 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-02-08acl-plugin: an elog-based tracing implementation for troubleshooting the ↵Andrew Yourtchenko1-0/+2
conn cleaner threads interactions This replaces some of the early-stage commented-out printf()s with an elog-based debug collector. It is aimed to be "better than nothing" initial implementation to be available in the field. It will be refined/updated based on use. This initial code is focused on the main/worker threads interactions, hence uses just the worker tracks. This code adds a developer debug CLI "set acl-plugin session table event-trace 1", which allows to gather the events pertaining to connection cleaning. The CLI is deliberately not part of the online help, as the express declaration that the semantics/trace levels, etc. are subject to change without notice. Change-Id: I3536309f737b73e50639cd5780822dcde667fc2c Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-11-08ACL plugin support tagged subinterfacesPavel Kotucek1-0/+5
Change-Id: I92b351895c7efb26533c05512b91ead8ddbfb9c8 Signed-off-by: Pavel Kotucek <pkotucek@cisco.com>
2017-09-12acl-plugin: add startup-config section "acl-plugin" and heap/hash parametersAndrew Yourtchenko1-0/+10
This adds the ability to tweak the memory allocation parameters of the ACL plugin from the startup config. It may be useful in the cases involving higher limit of the connections than the default 1M, or the high number of cores. Change-Id: I2b6fb3f61126ff3ee998424b762b6aefe8fb1b8e Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-08-22acl-plugin: Recreate the bihash_40_8.h in the proper placeAndrew Yourtchenko1-1/+2
Change-Id: I30a3df53bc5fe5ab991a657918eb502bd2913440 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-08-18acl-plugin: time out the sessions created by main thread too (VPP-948)Andrew Yourtchenko1-0/+2
In multithread setup the main thread may send packets, which may pass through the node with permit+reflect action. This creates the connection in lists for thread0, however in multithread there are no interupt handlers there. Ensure we are not spending too much time spinning in a tight cycle by suspending the main cleaner thread until the current iteration of interrupts is processed. Change-Id: Idb7346737757ee9a67b5d3e549bc9ad9aab22e89 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> (cherry picked from commit c1ff53f25d04ec1cc31844abd38014e91e398b5f)
2017-08-08acl-plugin: rework the optimization 7383, fortify acl-plugin memory behavior ↵Andrew Yourtchenko1-0/+6
(VPP-910) The further prolonged testing from testbed that reported VPP-910 has uncovered a couple of deeper issues with optimization from 7384, and the usage of subscripts rather than vec_elt_at_index() allowed to hide a couple of further errors in the code. Also, the current acl-plugin behavior of using the global heap for its dynamic data is problematic - it makes the troubleshooting much harder by potentially spreading the problem around. Based on this experience, this commits makes a few changes to fix the issues seen, also improving the serviceability of the acl-plugin code for the future: - Use separate mheaps for any ACL-related control plane operations and separate for the hash lookup datastructures, to compartmentalize any memory-related issues for the ACL plugin. - Ensure vec_elt_at_index() usage throughout the hash_lookup.c file. - Use vectors rather than raw memory for storing the "ordinary" ACL rules. - Rework the optimization from 7384 to use a separate tail pointer rather than overloading the "prev" field. - Make get_session_ptr() more conservative and adjust is_valid_session_ptr accordingly Change-Id: Ifda85193f361de5ed3782a4acd39622bd33c5830 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> (cherry picked from commit bd9c5ffe39e9ce61db95d74d150e07d738f24da1)
2017-08-03acl-plugin: multicore: CSIT c100k 2-core stateful ACL test does not pass ↵Andrew Yourtchenko1-3/+3
(VPP-912) Fix several threading-related issues uncovered by the CSIT scale/performance test: - make the per-interface add/del counters per-thread - preallocate the per-worker session pools rather than attempting to resize them within the datapath - move the bihash initialization to the moment of ACL being applied rather than later during the connection creation - adjust the connection cleaning logic to not require the signaling from workers to main thread - make the connection lists check in the main thread robust against workers updating the list heads at the same time - add more information to "show acl-plugin sessions" to aid in debugging Change-Id: If82ef715e4993614df11db5e9afa7fa6b522d9bc Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> (cherry picked from commit 8e4222fc7e23a478b021930ade3cb7d20938e398)
2017-06-19acl-plugin: bihash-based ACL lookupAndrew Yourtchenko1-0/+30
Add a bihash-based ACL lookup mechanism and make it a new default. This changes the time required to lookup a 5-tuple match from O(total_N_entries) to O(total_N_mask_types), where "mask type" is an overall mask on the 5-tuple required to represent an ACE. For testing/comparison there is a temporary debug CLI "set acl-plugin use-hash-acl-matching {0|1}", which, when set to 0, makes the plugin use the "old" linear lookup, and when set to 1, makes it use the hash-based lookup. Based on the discussions on vpp-dev mailing list, prevent assigning the ACL index to an interface, when the ACL with that index is not defined, also prevent deleting an ACL if that ACL is applied. Also, for the easier debugging of the state, there are new debug CLI commands to see the ACL plugin state at several layers: "show acl-plugin acl [index N]" - show a high-level ACL representation, used for the linear lookup and as a base for building the hashtable-based lookup. Also shows if a given ACL is applied somewhere. "show acl-plugin interface [sw_if_index N]" - show which interfaces have which ACL(s) applied. "show acl-plugin tables" - a lower-level debug command used to see the state of all of the related data structures at once. There are specifiers possible, which make for a more focused and maybe augmented output: "show acl-plugin tables acl [index N]" show the "bitmask-ready" representations of the ACLs, we well as the mask types and their associated indices. "show acl-plutin tables mask" show the derived mask types and their indices only. "show acl-plugin tables applied [sw_if_index N]" show the table of all of the ACEs applied for a given sw_if_index or all interfaces. "show acl-plugin tables hash [verbose N]" show the 48x8 bihash used for the ACL lookup. Change-Id: I89fff051424cb44bcb189e3cee04c1b8f76efc28 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-06-15acl-plugin: store sessions in a single hash table instead of a per-interfaceAndrew Yourtchenko1-3/+6
A bihash-per-interface is convenient, but turns out tricky difficult from the maintenance standpoint with the large number of interfaces. This patch makes the sessions reside in a single hash table for all the interfaces, adding the lower 16 bit of sw_if_index as part of the key into the previously unused space. There is a tradeoff, that a session with an identical 5-tuple and the same sw_if_index modulo 65536 will match on either of the interfaces. The probability of that is deemed sufficiently small to not worry about it. In case it still happens before the heat death of the universe, there is a clib_warning and the colliding packet will be dropped, at which point we will need to bump the hash key size by another u64, but rather not pay the cost of doing that right now. Change-Id: I2747839cfcceda73e597cbcafbe1e377fb8f1889 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-06-07acl-plugin: add a plugin-specific control-ping message api and make the test ↵Andrew Yourtchenko1-1/+1
code use it This fixes the undesirable pause in the dump commands in case there is nothing to dump. Change-Id: I0554556c9e442038aa2a1ed8c88234f21f7fe9b9 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-06-07acl-plugin: make the ACL plugin multicore-capableAndrew Yourtchenko1-7/+4
Add the logic to be able to use stateful ACLs in a multithreaded setup. Change-Id: I3b0cfa6ca4ea8f46f61648611c3e97b00c3376b6 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-04-20Clean up old datapath code in ACL plugin.Andrew Yourtchenko1-22/+9
Change-Id: I3d64d5ced38a68f3fa208be00c49d20c4e6d4d0e Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-04-06acl-plugin: make the IPv4/IPv6 non-first fragment handling in line with ACL ↵Andrew Yourtchenko1-1/+4
(VPP-682) This fixes the previously-implicit "drop all non-first fragments" behavior to be more in line with security rules: a non-first fragment is treated for the purposes of matching the ACL as a packet with the port match succeeding. This allows to change the behavior to permit the fragmented packets for the default "permit specific rules" ruleset, but also gives the flexibility to block the non-initial fragments by inserting into the begining a bogus rule which would deny the L4 traffic. Also, add a knob which allows to potentially turn this behavior off in case of a dire need (and revert to dropping all non-initial fragments), via a debug CLI. Change-Id: I546b372b65ff2157d9c68b1d32f9e644f1dd71b4 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> (cherry picked from commit 9fc0c26c6b28fd6c8b8142ea52f52eafa7e8c7ac)
2017-03-30acl-plugin: cleaner node bugfixes (VPP-675)Andrew Yourtchenko1-0/+16
- use the counters in a private struct rather than node error counters - ensure the timer for the non-idle connections is restarted - fix the deletion of conn at the current tail the list Change-Id: I632f63574d2ced95fb75c5e7fb588c78fb3cce1c Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> (cherry picked from commit 097051a3bd1f63a177c0728f15375afd84a68918)
2017-03-21ACL plugin 1.2Andrew Yourtchenko1-3/+119
L3 path support, L2+L3 unified processing node, skip IPv6 EH support. Change-Id: Iac37a466ba1c035e5c2997b03c0743bfec5c9a08 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-03-03VPP-651: Ensure sw_if_index to node mapping for L2 output path is only done ↵Andrew Yourtchenko1-3/+2
via l2output_main.next_nodes Before this commit, several output features that happen to be the last in the list of features to be executed, send the packets directly to <interfaceName>-output. To do this, they use l2_output_dispatch, which builds a list of sw_if_index to next index mappings. When interfaces are deleted and the new interfaces are created, these mappings become stale, and cause the packets being sent to wrong interface output nodes. This patch (thanks John Lo for the brilliant idea!) adds a feature node "output", whose sole purpose is dispatching the packets to the correct interface output nodes. To do that, it uses the l2output_main.next_nodes, which is already taken care of for the case of the sw_if_index reuse, so this makes the dependent features all work correctly. Since this changes the packet path, for the features that were always the last ones it has triggered a side problem of the output feat_next_node_index not being properly initalized. These two users are l2-output-classify node and the output nodes belonging to the acl-plugin. For the first one the less invasive fix is just to initialize that field. For the acl-plugin nodes, rewrite the affected part of the code to use feat_bitmap_get_next_node_index since this is essentially what the conditional in l2_output_dispatch does, and fix the compiler warnings generated. This fix was first made in stable/1701 under commit e7dcee4027854b0ad076101471afdfff67eb9011. Change-Id: I32e876ab1e1d498cf0854c19c6318dcf59a93805 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-02-03Plugin infrastructure improvementsDamjan Marion1-2/+0
This patch replaces requirement for vlib_plugin_register function in the plugin so file and introduces new macro: VLIB_PLUGIN_REGISTER () = { .version = "version string", .version_required = "requred version", .default_disabled = 1, .early_init = "early_init_function_name", }; Plugin will nor be loaded if .default_disabled is set to 1 unless explicitely enabled in startup.conf. If .verstion_required is set, plugin will not be loaded if there is version mismatch between plugin and vpp. This can be bypassed by setting "skip-version-check" for specific plugin. If .early-init string is present, plugin loader will try to resolve this specific symbol in the plugin namespace and make a function call. Following startup.conf configuration is added: plugins { path /path/to/plugin/directory plugin ila_plugin.so { enable skip-version-check } plugin acl_plugin.so { disable } } Change-Id: I706c691dd34d94ffe9e02b59831af8859a95f061 Signed-off-by: Damjan Marion <damarion@cisco.com>
2017-01-01Move java,lua api and remaining plugins to src/Damjan Marion1-0/+148
Change-Id: I1c3b87e886603678368428ae56a6bd3327cbc90d Signed-off-by: Damjan Marion <damarion@cisco.com>