summaryrefslogtreecommitdiffstats
path: root/src/plugins/acl/fa_node.c
AgeCommit message (Collapse)AuthorFilesLines
2018-04-13acl-plugin: VPP-1239: acl-as-a-service does not match IPv6 packets, works ↵Andrew Yourtchenko1-2/+0
only in lookup context 0 In process of extracting the matching out of the ACL plugin internals, a couple of pieces setting the miscellaneout fields in the 5tuple structure did not make it, so they are initialized to zeroes. Move the assignments to the right place to make both traffic acls and acl-as-a-service working. Change-Id: I66a7540a13b05113b599f0541999a18fad60385d Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> (cherry picked from commit d3b96ef0d75889f09dc51efb89e5123cdbe7ffe8)
2018-03-30acl-plugin: implement an optional session reclassification when ACL is ↵Andrew Yourtchenko1-2/+23
(re-)applied There were several discussions in which users would expect the sessions to be deleted if the new policy after the change does not permit them. There is no right or wrong answer to this question - it is a policy decision. This patch implements an idea to approach this. It uses a per-interface-per-direction counter to designate a "policy epoch" - a period of unchanging rulesets. The moment one removes or adds an ACL applied to an interface, this counter increments. The newly created connections inherit the current policy epoch in a given direction. Likewise, this counter increments if anyone updates an ACL applied to an interface. There is also a new (so far hidden) CLI "set acl-plugin reclassify-sessions [0|1]" (with default being 0) which allows to enable the checking of the existing sessions against the current policy epoch in a given direction. The session is not verified unless there is traffic hitting that session *in the direction of the policy creation* - if the epoch has changed, the session is deleted and within the same processing cycle is evaluated against the ACL rule base and recreated - thus, it should allow traffic-driven session state refresh without affecting the connectivity for the existing sessions. If the packet is coming in the direction opposite to which the session was initially created, the state adjustment is never done, because doing so generically is not really possible without diving too deep into the special cases, which may or may not work. Change-Id: I9e90426492d4bd474b5e89ea8dfb75a7c9de2646 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-03-22acl-plugin: implement ACL lookup contexts for "ACL as a service" use by ↵Andrew Yourtchenko1-439/+41
other plugins This code implements the functionality required for other plugins wishing to perform ACL lookups in the contexts of their choice, rather than only in the context of the interface in/out. The lookups are the stateless ACLs - there is no concept of "direction" within the context, hence no concept of "connection" either. The plugins need to include the The file acl_lookup_context.md has more info. Change-Id: I91ba97428cc92b24d1517e808dc2fd8e56ea2f8d Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-02-08acl-plugin: an elog-based tracing implementation for troubleshooting the ↵Andrew Yourtchenko1-32/+19
conn cleaner threads interactions This replaces some of the early-stage commented-out printf()s with an elog-based debug collector. It is aimed to be "better than nothing" initial implementation to be available in the field. It will be refined/updated based on use. This initial code is focused on the main/worker threads interactions, hence uses just the worker tracks. This code adds a developer debug CLI "set acl-plugin session table event-trace 1", which allows to gather the events pertaining to connection cleaning. The CLI is deliberately not part of the online help, as the express declaration that the semantics/trace levels, etc. are subject to change without notice. Change-Id: I3536309f737b73e50639cd5780822dcde667fc2c Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-02-07acl-plugin: multicore: send the interrupts to thread0 tooAndrew Yourtchenko1-1/+1
The thread0 in some configurations can handle the traffic. Some of the previous fixes accomodated for that, but the interrupt sending for connection clearing was not adapted to that, resulting in a deadlock during clearing of all connections... Change-Id: I32b4c7bac09c91c22b796baab843bdaf41f7045c Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-02-06Reflexive ACL support on ICMPSteve Shin1-25/+113
Normally session keys are generated by mirroring the packets sent. ICMP message type should be used and inverted for the stateful ACL. Supported ICMP messages with this patch: - ICMPv4: Echo/Timestamp/Information/Address Mask requests - ICMPv6: Echo request/Node Information Queury The invmap & valid_new tables can be modified to make any other ICMP messages to be reflexive ACL. Change-Id: Ia47b08b79fe0a5b1f7a995af78de3763d275dbd9 Signed-off-by: Steve Shin <jonshin@cisco.com>
2018-01-16acl-plugin: multicore: use pool_init_fixed for per-worker preallocated poolsAndrew Yourtchenko1-1/+7
One worker thread may be processing the packets for session owned by another worker thread. During session access the validity of the pool index is checked - however, the free bitmap pointer might change just at that moment, potentially resulting in a crash. Thus, use the pool_init_fixed() when initializing the per-worker pools, so that the free bitmaps are as well staying in their place. Change-Id: I5796e6b62fdc1efd4299124a388b84a7c0dc19cd Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-12-20acl-plugin: add a debug CLI to print 5-tuple structure in human readable ↵Andrew Yourtchenko1-0/+6
format from hex representation Even though the trace now prints the hex as well as human readable format for acl plugin, it can be handy to have a separate function which allows to decode the hex. So add this debug CLI. Change-Id: I1db133a043374817ea9e94ae3736b8a98630669d Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-11-17acl-plugin: use ip.save_rewrite_length to calculate IP header offset on L3 ↵Andrew Yourtchenko1-3/+11
egress path L3 egress path does not set the ethernet flags reflecting the count of VLANs, but rather has the offset explicitly, so use that. Change-Id: Id3f6562dcd52ca24137c305f1a1c88c1f125da78 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-11-16acl-plugin: also print human-friendly format of 5tuple in packet traceAndrew Yourtchenko1-0/+22
The original version printed just a few u64s, which is useful for directly working on the code, but not when figuring out what is possibly a config or environment-related issue. So, add printing the 5-tuple struct in a way that is usable by an operator. Change-Id: I84cc3a239cdaff05ed31c3458cea198e38b58e03 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-10-13acl-plugin: display "::" for INADDR6_ANY on ACL outputSteve Shin1-2/+4
INADDR6_ANY should be displayed as "::" instead of "0.0.0.0"(ipv4 format). Change-Id: I24ec7b6febbfeca5db7ff894f455ecb73d954334 Signed-off-by: Steve Shin <jonshin@cisco.com>
2017-08-22acl-plugin: Recreate the bihash_40_8.h in the proper placeAndrew Yourtchenko1-1/+1
Change-Id: I30a3df53bc5fe5ab991a657918eb502bd2913440 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-08-18acl-plugin: time out the sessions created by main thread too (VPP-948)Andrew Yourtchenko1-13/+20
In multithread setup the main thread may send packets, which may pass through the node with permit+reflect action. This creates the connection in lists for thread0, however in multithread there are no interupt handlers there. Ensure we are not spending too much time spinning in a tight cycle by suspending the main cleaner thread until the current iteration of interrupts is processed. Change-Id: Idb7346737757ee9a67b5d3e549bc9ad9aab22e89 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> (cherry picked from commit c1ff53f25d04ec1cc31844abd38014e91e398b5f)
2017-08-10acl-plugin: all TCP sessions treated as transient (VPP-932)Andrew Yourtchenko1-3/+6
The packet that was creating the session was not tracked, consequently the TCP flags seen within the session record never got the value for the session to get treated as being in the established state. Test-escape, so add the TCP tests which test the three phases of the TCP session life and make them all pass. Change-Id: Ib048bc30c809a7f03be2de7e8361c2c281270348 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> (cherry picked from commit 754370f1b55d4102d21dd94676f2bda3170c7df0)
2017-08-08acl-plugin: rework the optimization 7383, fortify acl-plugin memory behavior ↵Andrew Yourtchenko1-2/+14
(VPP-910) The further prolonged testing from testbed that reported VPP-910 has uncovered a couple of deeper issues with optimization from 7384, and the usage of subscripts rather than vec_elt_at_index() allowed to hide a couple of further errors in the code. Also, the current acl-plugin behavior of using the global heap for its dynamic data is problematic - it makes the troubleshooting much harder by potentially spreading the problem around. Based on this experience, this commits makes a few changes to fix the issues seen, also improving the serviceability of the acl-plugin code for the future: - Use separate mheaps for any ACL-related control plane operations and separate for the hash lookup datastructures, to compartmentalize any memory-related issues for the ACL plugin. - Ensure vec_elt_at_index() usage throughout the hash_lookup.c file. - Use vectors rather than raw memory for storing the "ordinary" ACL rules. - Rework the optimization from 7384 to use a separate tail pointer rather than overloading the "prev" field. - Make get_session_ptr() more conservative and adjust is_valid_session_ptr accordingly Change-Id: Ifda85193f361de5ed3782a4acd39622bd33c5830 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> (cherry picked from commit bd9c5ffe39e9ce61db95d74d150e07d738f24da1)
2017-08-03acl-plugin: multicore: CSIT c100k 2-core stateful ACL test does not pass ↵Andrew Yourtchenko1-28/+59
(VPP-912) Fix several threading-related issues uncovered by the CSIT scale/performance test: - make the per-interface add/del counters per-thread - preallocate the per-worker session pools rather than attempting to resize them within the datapath - move the bihash initialization to the moment of ACL being applied rather than later during the connection creation - adjust the connection cleaning logic to not require the signaling from workers to main thread - make the connection lists check in the main thread robust against workers updating the list heads at the same time - add more information to "show acl-plugin sessions" to aid in debugging Change-Id: If82ef715e4993614df11db5e9afa7fa6b522d9bc Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> (cherry picked from commit 8e4222fc7e23a478b021930ade3cb7d20938e398)
2017-07-23Improve L2 Input/Output Feature Infrastructure and UsageJohn Lo1-6/+1
Simplify L2 output feature infra to unify with L2 input feature infra using the newly improved feature bitmap mechanism. Updated all L2 features to use the more efficient infra functions. Change-Id: If8f463826b0af0717129befe92a27ea8cfc40449 Signed-off-by: John Lo <loj@cisco.com>
2017-06-22acl-plugin: clean up the code enabling/disabling acl-plugin processing on ↵Andrew Yourtchenko1-0/+2
interface Multiple subsequent calls to vnet_feature_enable_disable() to enable the feature cause the feature to be inserted into the processing graph multiple times in a row. This might be argued to be a bug in that function, but enabling already enabled feature is suboptimal anyway, so avoid that. The existing tests already catch this issue whenever the ASSERT() part of this patch was added. Change-Id: Ia2c06f7dc87bbe05795c2c7b7d19ea06270ce150 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-06-21acl-plugin: CLI to clear all sessionsAndrew Yourtchenko1-2/+21
It is useful to have the CLI to clear the existing sessions. There was a work-in-progress CLI but it did not work properly. Fix it and split into a separate "clear acl-plugin sessions", and add a unit test into the extended connection-oriented tests. Change-Id: I55889165ebcee139841fdac88747390903a05394 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-06-21acl-plugin: use ethernet_buffer_header_size() to determine the size of the ↵Andrew Yourtchenko1-1/+1
ethernet header When extracting the 5-tuple, use the ethernet_buffer_header_size() so we can correctly handle the case of subinterfaces, etc. Change-Id: Ied73fde98d6b313e9eeab2aff4f22daa50a6cbbf Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-06-21acl-plugin: fix coverity issue 170476Andrew Yourtchenko1-2/+1
Remove the unnecessary variable assignment which coverity detected. Change-Id: I66ac20a8495400ac59192ddb72f16c95f6b4d03c Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-06-19acl-plugin: bihash-based ACL lookupAndrew Yourtchenko1-4/+35
Add a bihash-based ACL lookup mechanism and make it a new default. This changes the time required to lookup a 5-tuple match from O(total_N_entries) to O(total_N_mask_types), where "mask type" is an overall mask on the 5-tuple required to represent an ACE. For testing/comparison there is a temporary debug CLI "set acl-plugin use-hash-acl-matching {0|1}", which, when set to 0, makes the plugin use the "old" linear lookup, and when set to 1, makes it use the hash-based lookup. Based on the discussions on vpp-dev mailing list, prevent assigning the ACL index to an interface, when the ACL with that index is not defined, also prevent deleting an ACL if that ACL is applied. Also, for the easier debugging of the state, there are new debug CLI commands to see the ACL plugin state at several layers: "show acl-plugin acl [index N]" - show a high-level ACL representation, used for the linear lookup and as a base for building the hashtable-based lookup. Also shows if a given ACL is applied somewhere. "show acl-plugin interface [sw_if_index N]" - show which interfaces have which ACL(s) applied. "show acl-plugin tables" - a lower-level debug command used to see the state of all of the related data structures at once. There are specifiers possible, which make for a more focused and maybe augmented output: "show acl-plugin tables acl [index N]" show the "bitmask-ready" representations of the ACLs, we well as the mask types and their associated indices. "show acl-plutin tables mask" show the derived mask types and their indices only. "show acl-plugin tables applied [sw_if_index N]" show the table of all of the ACEs applied for a given sw_if_index or all interfaces. "show acl-plugin tables hash [verbose N]" show the 48x8 bihash used for the ACL lookup. Change-Id: I89fff051424cb44bcb189e3cee04c1b8f76efc28 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-06-15acl-plugin: store sessions in a single hash table instead of a per-interfaceAndrew Yourtchenko1-18/+27
A bihash-per-interface is convenient, but turns out tricky difficult from the maintenance standpoint with the large number of interfaces. This patch makes the sessions reside in a single hash table for all the interfaces, adding the lower 16 bit of sw_if_index as part of the key into the previously unused space. There is a tradeoff, that a session with an identical 5-tuple and the same sw_if_index modulo 65536 will match on either of the interfaces. The probability of that is deemed sufficiently small to not worry about it. In case it still happens before the heat death of the universe, there is a clib_warning and the colliding packet will be dropped, at which point we will need to bump the hash key size by another u64, but rather not pay the cost of doing that right now. Change-Id: I2747839cfcceda73e597cbcafbe1e377fb8f1889 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-06-09acl-plugin: wrap a verbose debug message in the appropriate conditionalAndrew Yourtchenko1-0/+2
Change-Id: Ibd57cb617642e42d4c4d64f186479702b8a81900 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-06-07acl-plugin: make the ACL plugin multicore-capableAndrew Yourtchenko1-187/+459
Add the logic to be able to use stateful ACLs in a multithreaded setup. Change-Id: I3b0cfa6ca4ea8f46f61648611c3e97b00c3376b6 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-05-07Avoid active connection prevent timeout of idle conns after itAndrew Yourtchenko1-9/+10
Fix a logic error related to timing out of the connections following the active one. To avoid this class of issue in the future, create corresponding testcases, as well as some trivial sanity testcases for both IPv4 and IPv6. Since these tests are timing-dependent and take up time, mark them as extended tests. Change-Id: I2c72bad5efda7db8aa9cb05801fe47928dc47927 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-04-18ACL-plugin does not match UDP next-header, VPP-687Pavel Kotucek1-1/+1
Change-Id: Ide4f9bd6158fb64d069540fb43f4e593e39d6ff3 Signed-off-by: Pavel Kotucek <pkotucek@cisco.com>
2017-04-06acl-plugin: make the IPv4/IPv6 non-first fragment handling in line with ACL ↵Andrew Yourtchenko1-9/+61
(VPP-682) This fixes the previously-implicit "drop all non-first fragments" behavior to be more in line with security rules: a non-first fragment is treated for the purposes of matching the ACL as a packet with the port match succeeding. This allows to change the behavior to permit the fragmented packets for the default "permit specific rules" ruleset, but also gives the flexibility to block the non-initial fragments by inserting into the begining a bogus rule which would deny the L4 traffic. Also, add a knob which allows to potentially turn this behavior off in case of a dire need (and revert to dropping all non-initial fragments), via a debug CLI. Change-Id: I546b372b65ff2157d9c68b1d32f9e644f1dd71b4 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> (cherry picked from commit 9fc0c26c6b28fd6c8b8142ea52f52eafa7e8c7ac)
2017-03-30acl-plugin: cleaner node bugfixes (VPP-675)Andrew Yourtchenko1-51/+46
- use the counters in a private struct rather than node error counters - ensure the timer for the non-idle connections is restarted - fix the deletion of conn at the current tail the list Change-Id: I632f63574d2ced95fb75c5e7fb588c78fb3cce1c Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> (cherry picked from commit 097051a3bd1f63a177c0728f15375afd84a68918)
2017-03-21ACL plugin 1.2Andrew Yourtchenko1-0/+1444
L3 path support, L2+L3 unified processing node, skip IPv6 EH support. Change-Id: Iac37a466ba1c035e5c2997b03c0743bfec5c9a08 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>