aboutsummaryrefslogtreecommitdiffstats
path: root/src/plugins/acl
AgeCommit message (Collapse)AuthorFilesLines
2017-09-08ACL-plugin MACIP ACLs testsPavel Kotucek1-2/+16
Change-Id: Ie40c837358454cfe9475cb2c14fdf20b24fa6602 Signed-off-by: Pavel Kotucek <pkotucek@cisco.com>
2017-09-08acl-plugin: add hitcount to applied hash-acl entriesAndrew Yourtchenko3-4/+10
Add a counter incremented upon the ACL check, so it is easier to see which kind of traffic is being checked by the policy, add the corresponding output to the debug CLI "show acl-plugin tables" command. Change-Id: Id811dddf204e63eeceabfcc509e3e9c5aae1dbc8 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-09-07acl-plugin: match index set to first portrange element if non-first ↵Andrew Yourtchenko1-5/+1
portrange matches on the same hash key (VPP-937) Multiple portranges that land on the same hash key will always report the match on the first portrange - even when the subsequent portranges have matched. Test escape, so make a corresponding test case and fix the code so it passes. (the commit on stable/1707 has erroneously mentioned VPP-938 jira ticket) Change-Id: Idbeb8a122252ead2468f5f9dbaf72cf0e8bb78f1 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> (cherry picked from commit fb088f0a201270e949469c915c529d75ad13353e) Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-08-25acl-plugin: warning printed when acl_add_replace already applied ACLs ↵Andrew Yourtchenko4-17/+49
(complete the fix for VPP-935) The fix for VPP-935 missed the case that hash_acl_add() and hash_acl_delete() may be called during the replacement of the existing applied ACL, as a result the "applied" logic needs to be replicated for the hash acls separately, since it is a lower layer. Change-Id: I7dcb2b120fcbdceb5e59acb5029f9eb77bd0f240 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> (cherry picked from commit ce9714032d36d18abe72981552219dff871ff392)
2017-08-22acl-plugin: Recreate the bihash_40_8.h in the proper placeAndrew Yourtchenko4-87/+4
Change-Id: I30a3df53bc5fe5ab991a657918eb502bd2913440 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-08-18Fix vpp crash when adding macip aclPavel Kotucek1-1/+1
When adding at least two different types of MACIP acl vpp crash. Change-Id: Ibbc76b94015311945be081fe0d8af71cf0672332 Signed-off-by: Pavel Kotucek <pkotucek@cisco.com>
2017-08-18Fix small issues in ACL apiPavel Kotucek1-3/+11
Enable IP address without prefix length, if not given use max (32/128) Parse correctly type of acl (ipv4). Change-Id: I3d5d6b45037c9e0f95d2d112ae584f006c6cb4d1 Signed-off-by: Pavel Kotucek <pkotucek@cisco.com>
2017-08-18acl-plugin: time out the sessions created by main thread too (VPP-948)Andrew Yourtchenko4-13/+28
In multithread setup the main thread may send packets, which may pass through the node with permit+reflect action. This creates the connection in lists for thread0, however in multithread there are no interupt handlers there. Ensure we are not spending too much time spinning in a tight cycle by suspending the main cleaner thread until the current iteration of interrupts is processed. Change-Id: Idb7346737757ee9a67b5d3e549bc9ad9aab22e89 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> (cherry picked from commit c1ff53f25d04ec1cc31844abd38014e91e398b5f)
2017-08-15acl-plugin: don't attempt to delete the ACLs on interface deletion if ACL ↵Andrew Yourtchenko1-0/+4
plugin heap is not initialized With the addition of the own heap, the delete routines called from interface deletion callback may attempt to initialize the ACL plugin heap. This is obviously not a desirable condition - so, return early from the callback if the ACL plugin heap has not been initialized yet - there is for sure nothing to clean up. Change-Id: I08a6ae725294016ff5824189ade91c288e2c473b Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-08-11acl-plugin: add the debug CLI to show macip ACLs and where they are applied ↵Andrew Yourtchenko1-0/+76
(VPP-936) When looking at resource utilisation, it is useful to understand the interactions between the acl-plugin and the rest of VPP. MACIP ACLs till now could only be dumped via API, which is tricky when debugging. Add the CLIs to see the MACIP ACLs and where they are applied. Change-Id: I3211901589e3dcff751697831c1cd0e19dcab1da Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> (cherry picked from commit f2cfcf676e67a7ea80ce20a69826210eb97acba5)
2017-08-10acl-plugin: hash lookup bitmask not cleared when ACL is unapplied from ↵Andrew Yourtchenko3-4/+31
interface (VPP-935) The logic in hash ACL bitmask update was using the vector of ACLs applied to the interface to rebuild the hash lookup mask. However, in transient cases (like doing group manipulation with hash ACLs), that will not hold true. Thus, make a local copy of for which ACL indices the hash_acl_apply was called previously, and maintain that one local to the hash_lookup.c file logic. Change-Id: I30187d68febce8bba2ab6ffbb1eee13b5c96a44b Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> (cherry picked from commit 1de7d7044434196610190011ebb431f054701259)
2017-08-10acl-plugin: avoid crash in multithreaded setup adding/deleting ACLs with ↵Andrew Yourtchenko3-0/+83
traffic (VPP-910/VPP-929) The commit fixing the VPP-910 and separating the memory operations into separate heaps has missed setting the MHEAP_FLAG_THREAD_SAFE, which quite obviously caused the issues in the multithread setup. Fix that. Also, add the debug CLIs "set acl-plugin heap {main|hash} {validate|trace} {1|0}" to toggle the memory instrumentation, in case we ever need it in the future. Change-Id: I8bd4f7978613f5ea75a030cfb90674dac34ae7bf Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> (cherry picked from commit e6423bef32ca2ffcfcd7a092eb4673badd53ea4c)
2017-08-10acl-plugin: all TCP sessions treated as transient (VPP-932)Andrew Yourtchenko1-3/+6
The packet that was creating the session was not tracked, consequently the TCP flags seen within the session record never got the value for the session to get treated as being in the established state. Test-escape, so add the TCP tests which test the three phases of the TCP session life and make them all pass. Change-Id: Ib048bc30c809a7f03be2de7e8361c2c281270348 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> (cherry picked from commit 754370f1b55d4102d21dd94676f2bda3170c7df0)
2017-08-08acl-plugin: fix a misplaced return (VPP-910)Andrew Yourtchenko1-1/+1
It was uncaught by make test because the corresponding tests are not there yet - part of 17.10 deliverables Change-Id: I55456f1874ce5665a06ee411c7abf37cd19ed814 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> (cherry picked from commit 58013b73509521789608f24a79a00177797ff9b1)
2017-08-08MAC IP ACL interface list dump (as an alternative to the get/reply)Neale Ranns2-1/+90
Change-Id: I2e71aef1aa745e85ad3234b0b708cdc50f335a75 Signed-off-by: Neale Ranns <neale.ranns@cisco.com>
2017-08-08acl-plugin: rework the optimization 7383, fortify acl-plugin memory behavior ↵Andrew Yourtchenko5-150/+289
(VPP-910) The further prolonged testing from testbed that reported VPP-910 has uncovered a couple of deeper issues with optimization from 7384, and the usage of subscripts rather than vec_elt_at_index() allowed to hide a couple of further errors in the code. Also, the current acl-plugin behavior of using the global heap for its dynamic data is problematic - it makes the troubleshooting much harder by potentially spreading the problem around. Based on this experience, this commits makes a few changes to fix the issues seen, also improving the serviceability of the acl-plugin code for the future: - Use separate mheaps for any ACL-related control plane operations and separate for the hash lookup datastructures, to compartmentalize any memory-related issues for the ACL plugin. - Ensure vec_elt_at_index() usage throughout the hash_lookup.c file. - Use vectors rather than raw memory for storing the "ordinary" ACL rules. - Rework the optimization from 7384 to use a separate tail pointer rather than overloading the "prev" field. - Make get_session_ptr() more conservative and adjust is_valid_session_ptr accordingly Change-Id: Ifda85193f361de5ed3782a4acd39622bd33c5830 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> (cherry picked from commit bd9c5ffe39e9ce61db95d74d150e07d738f24da1)
2017-08-03acl-plugin: multicore: CSIT c100k 2-core stateful ACL test does not pass ↵Andrew Yourtchenko4-41/+106
(VPP-912) Fix several threading-related issues uncovered by the CSIT scale/performance test: - make the per-interface add/del counters per-thread - preallocate the per-worker session pools rather than attempting to resize them within the datapath - move the bihash initialization to the moment of ACL being applied rather than later during the connection creation - adjust the connection cleaning logic to not require the signaling from workers to main thread - make the connection lists check in the main thread robust against workers updating the list heads at the same time - add more information to "show acl-plugin sessions" to aid in debugging Change-Id: If82ef715e4993614df11db5e9afa7fa6b522d9bc Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> (cherry picked from commit 8e4222fc7e23a478b021930ade3cb7d20938e398)
2017-07-23Improve L2 Input/Output Feature Infrastructure and UsageJohn Lo1-6/+1
Simplify L2 output feature infra to unify with L2 input feature infra using the newly improved feature bitmap mechanism. Updated all L2 features to use the more efficient infra functions. Change-Id: If8f463826b0af0717129befe92a27ea8cfc40449 Signed-off-by: John Lo <loj@cisco.com>
2017-07-20acl-plugin: assertion failed at hash_lookup.c:226 when modifying ACLs ↵Andrew Yourtchenko1-0/+11
applied as part of many (VPP-910) change 7385 has added the code which has the first ACE's "prev" entry within the linked list of shadowed ACEs pointing to the last ACE, in order to avoid the frequent linear list traversal. That change was not complete and did not update this "prev" entry whenever the last ACE was deleted. As a result the changes within the applied ACLs which caused the calls to hash_acl_unapply/hash_acl_apply may result in hitting assert which does the sanity check. The solution is to add the missing update logic. Change-Id: I9cbe9a7c68b92fa3a22a8efd11b679667d38f186 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> (cherry picked from commit 45fe7399152f5ca511ba0b03fee3d5a3dffd1897)
2017-07-04acl-plugin: VPP-897: applying of large number of ACEs is slowAndrew Yourtchenko2-20/+45
When applying ACEs, in the new hash-based scheme, for each ACE the lookup in the hash table is done, and either that ACE is added to the end of the existing list if there is a match, or a new list is created if there is no match. Usually ACEs do not overlap, so this operation is fast, however, the fragment-permit entries in case of a large number of ACLs create a huge list which needs to be traversed for every other ACE being added, slowing down the process dramatically. The solution is to add an explicit flag to denote the first element of the chain, and use the "prev" index of that element to point to the tail element. The "next" field of the last element is still ~0 and if we touch that one, we do the linear search to find the first one, but that is a relatively infrequent operation. Change-Id: I352a3becd7854cf39aae65f0950afad7d18a70aa Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> (cherry picked from commit 204cf74aed51ca07933df7c606754abb4b26fd82)
2017-07-04acl-plugin: fix acl plugin test failing sporadically (VPP-898)Andrew Yourtchenko1-0/+5
The "acl_plugin" tests has one of the tests sporadically fail with the following traceback: r.reply.decode().rstrip('\x00') UnicodeDecodeError: 'ascii' codec can't decode byte 0xd8 in position 20666: ordinal not in range(128) This occurs in the newly added "show acl-plugin table" debug CLI. This CLI has only the numeric outputs, so the conclusion is that it is the incorrect termination (trailing zero) that might be most probably causing it. The other acl-plugins show commands also lack the zero-termination termination, so fix all of them. The particularity of this command vs. the other acl-plugin debug CLIs is that the accumulator is freed and allocated multiple times, this might explain the issue is not seen with them. Change-Id: I87b5c0d6152fbebcae9c7d0ce97155c1ae6666db Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> (cherry picked from commit be055bd719559fc79d8a4c06479497c4c0bfae93)
2017-06-22acl-plugin: clean up the code enabling/disabling acl-plugin processing on ↵Andrew Yourtchenko2-4/+18
interface Multiple subsequent calls to vnet_feature_enable_disable() to enable the feature cause the feature to be inserted into the processing graph multiple times in a row. This might be argued to be a bug in that function, but enabling already enabled feature is suboptimal anyway, so avoid that. The existing tests already catch this issue whenever the ASSERT() part of this patch was added. Change-Id: Ia2c06f7dc87bbe05795c2c7b7d19ea06270ce150 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-06-21acl-plugin: the second and subsequent ACEs incorrect endianness when ↵Andrew Yourtchenko1-4/+22
custom-dump and in VAT (VPP-885) Add the missing function to convert the entire array of rules in the respective _endian functions, rather than just the first rule. Change-Id: Ic057f27ff7ec20150595efca1a48b74e5850f52b Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-06-21acl-plugin: CLI to clear all sessionsAndrew Yourtchenko2-8/+38
It is useful to have the CLI to clear the existing sessions. There was a work-in-progress CLI but it did not work properly. Fix it and split into a separate "clear acl-plugin sessions", and add a unit test into the extended connection-oriented tests. Change-Id: I55889165ebcee139841fdac88747390903a05394 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-06-21acl-plugin: use ethernet_buffer_header_size() to determine the size of the ↵Andrew Yourtchenko1-1/+1
ethernet header When extracting the 5-tuple, use the ethernet_buffer_header_size() so we can correctly handle the case of subinterfaces, etc. Change-Id: Ied73fde98d6b313e9eeab2aff4f22daa50a6cbbf Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-06-21acl-plugin: fix coverity issue 170476Andrew Yourtchenko1-2/+1
Remove the unnecessary variable assignment which coverity detected. Change-Id: I66ac20a8495400ac59192ddb72f16c95f6b4d03c Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-06-21acl-plugin: fix coverity issue 166801Andrew Yourtchenko1-1/+1
A typo resulted in a value being overwritten and flagged as unused, fix the typo. Change-Id: I512ba94321afb80d12c71ebbb0eec42d9fa6f299 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-06-21acl-plugin: fix coverity error 171135Andrew Yourtchenko1-0/+2
The code path which sets the sw_if_index aimed to restrict the output did not set the flag to trigger that output. Change-Id: I0a1a3977fdddbce9a276960df43fed745d099ca0 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-06-21acl-plugin: vat: acl_interface_list_dump confusing/incorrect output in case ↵Andrew Yourtchenko1-2/+2
n_input == 0 The logic to print the line " output " is wrong for the case of n_input == 0, and the applied ACLs are printed as if they were applied on input. One may still figure out the truth by looking at the n_input value above, but it is confusing. Change-Id: I7b4a4d548e569994678dd1e139eb829456548b88 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-06-19acl-plugin: bihash-based ACL lookupAndrew Yourtchenko9-10/+1571
Add a bihash-based ACL lookup mechanism and make it a new default. This changes the time required to lookup a 5-tuple match from O(total_N_entries) to O(total_N_mask_types), where "mask type" is an overall mask on the 5-tuple required to represent an ACE. For testing/comparison there is a temporary debug CLI "set acl-plugin use-hash-acl-matching {0|1}", which, when set to 0, makes the plugin use the "old" linear lookup, and when set to 1, makes it use the hash-based lookup. Based on the discussions on vpp-dev mailing list, prevent assigning the ACL index to an interface, when the ACL with that index is not defined, also prevent deleting an ACL if that ACL is applied. Also, for the easier debugging of the state, there are new debug CLI commands to see the ACL plugin state at several layers: "show acl-plugin acl [index N]" - show a high-level ACL representation, used for the linear lookup and as a base for building the hashtable-based lookup. Also shows if a given ACL is applied somewhere. "show acl-plugin interface [sw_if_index N]" - show which interfaces have which ACL(s) applied. "show acl-plugin tables" - a lower-level debug command used to see the state of all of the related data structures at once. There are specifiers possible, which make for a more focused and maybe augmented output: "show acl-plugin tables acl [index N]" show the "bitmask-ready" representations of the ACLs, we well as the mask types and their associated indices. "show acl-plutin tables mask" show the derived mask types and their indices only. "show acl-plugin tables applied [sw_if_index N]" show the table of all of the ACEs applied for a given sw_if_index or all interfaces. "show acl-plugin tables hash [verbose N]" show the 48x8 bihash used for the ACL lookup. Change-Id: I89fff051424cb44bcb189e3cee04c1b8f76efc28 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-06-15acl-plugin: store sessions in a single hash table instead of a per-interfaceAndrew Yourtchenko4-22/+39
A bihash-per-interface is convenient, but turns out tricky difficult from the maintenance standpoint with the large number of interfaces. This patch makes the sessions reside in a single hash table for all the interfaces, adding the lower 16 bit of sw_if_index as part of the key into the previously unused space. There is a tradeoff, that a session with an identical 5-tuple and the same sw_if_index modulo 65536 will match on either of the interfaces. The probability of that is deemed sufficiently small to not worry about it. In case it still happens before the heat death of the universe, there is a clib_warning and the colliding packet will be dropped, at which point we will need to bump the hash key size by another u64, but rather not pay the cost of doing that right now. Change-Id: I2747839cfcceda73e597cbcafbe1e377fb8f1889 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-06-14acl-plugin: shrink the L2 classifier tables used for traffic redirectAndrew Yourtchenko1-17/+17
The previous iteration of the code used the L2 classifier tables for session storage, as a result, the table allocations were pretty big. The new ACL plugin datapath uses the tables just as a redirection mechanism, without adding any entries. Thus, the tables can be much smaller. Change-Id: Ieec4a5abf0abda6e513ab4e675f912f14d47e671 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-06-09acl-plugin: wrap a verbose debug message in the appropriate conditionalAndrew Yourtchenko1-0/+2
Change-Id: Ibd57cb617642e42d4c4d64f186479702b8a81900 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-06-08acl-plugin: remove clib_warnings on plugin initAndrew Yourtchenko1-3/+0
Change-Id: Ic3c9a914a588824b8abd6668961f731432083c4f Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-06-07acl-plugin: add a plugin-specific control-ping message api and make the test ↵Andrew Yourtchenko4-1/+75
code use it This fixes the undesirable pause in the dump commands in case there is nothing to dump. Change-Id: I0554556c9e442038aa2a1ed8c88234f21f7fe9b9 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-06-07acl-plugin: make the ACL plugin multicore-capableAndrew Yourtchenko5-207/+912
Add the logic to be able to use stateful ACLs in a multithreaded setup. Change-Id: I3b0cfa6ca4ea8f46f61648611c3e97b00c3376b6 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-06-07acl-plugin: fix coverity error in acl_test.cAndrew Yourtchenko1-2/+2
Attempting to supply within a VAT CLI to add the ACLs a rule count override with no rules to add would result in null pointer dereference as we attempt to copy those rules to the message. Add the check to avoid copy if the source pointer is null (i.e. if there are no rules to copy from). This commit fixes coverity errors 166797 and 166792. Change-Id: Icabe060d961ba07dc41f63b8e17fca12ff82aa29 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-05-18acl-plugin: reject the too-short variable-length messages from clients (VPP-839)Andrew Yourtchenko1-3/+42
Prior to commit bfd9227e6da567e0e19e026afe94cd4c0b65f725, there was no clean way to check the lower-level message length as supplied by the client, so there was no option but to trust that the client does the right thing and allocates memory correctly. The absence of checks makes it hard for a misbehaving client to spot the problem - because everything "appears" to work correctly for the specific erroneous message exchange. This commit ensures the message received is at least as big as we expect, and complains loudly if it is not. Change-Id: I806eaac7c7f1ab3c64cb2bfa6939ce27da9a2b44 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-05-15acl-plugin: unapply the ACLs if interface is being deletedAndrew Yourtchenko1-0/+4
(HC2VPP-137 is the client behavior triggering this) If the user does not unapply the ACLs off the interface, but deletes the interface, the subsequent reuse of the sw_if_index might find itself with the datapath hooked up for ACL processing even though there is no ACL configured. The fix is to unapply any ACLs in the callback which is called upon the sw_if_index addition/deletion. Change-Id: Icea413d7fbf1ef891844a4818626e1b34fe79cbf Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> (cherry picked from commit 4c72e629e5ace392390a9d6109594254525064f7)
2017-05-15Add a missing byte-swap call in ACL intf dump.Jon Loeliger1-1/+1
Change-Id: I87495d95dc6c5a36ff6d2ae05203e22e43403bf6 Signed-off-by: Jon Loeliger <jdl@netgate.com>
2017-05-10Add crc32c inline function, allows compilation on 32-bit systemsDamjan Marion1-7/+2
32-bit code still can use crc32c instructions, but it operates on 32 registers Change-Id: I9bb6b0b59635d6ea6a753584676ebcf59c8f6584 Signed-off-by: Damjan Marion <damarion@cisco.com>
2017-05-07Avoid active connection prevent timeout of idle conns after itAndrew Yourtchenko2-10/+12
Fix a logic error related to timing out of the connections following the active one. To avoid this class of issue in the future, create corresponding testcases, as well as some trivial sanity testcases for both IPv4 and IPv6. Since these tests are timing-dependent and take up time, mark them as extended tests. Change-Id: I2c72bad5efda7db8aa9cb05801fe47928dc47927 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-04-25"autoreply" flag: autogenerate standard xxx_reply_t messagesDave Barach1-55/+5
Change-Id: I72298aaae7d172082ece3a8edea4217c11b28d79 Signed-off-by: Dave Barach <dave@barachs.net>
2017-04-20Clean up old datapath code in ACL plugin.Andrew Yourtchenko12-2074/+18
Change-Id: I3d64d5ced38a68f3fa208be00c49d20c4e6d4d0e Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-04-18ACL-plugin does not match UDP next-header, VPP-687Pavel Kotucek1-1/+1
Change-Id: Ide4f9bd6158fb64d069540fb43f4e593e39d6ff3 Signed-off-by: Pavel Kotucek <pkotucek@cisco.com>
2017-04-12acl-plugin: missing "deny" parameter in APIPavel Kotucek1-0/+5
Change-Id: Ie2ab844ad27b5ddb552bad9b19e7029cf91e4071 Signed-off-by: Pavel Kotucek <pkotucek@cisco.com>
2017-04-06acl-plugin: make the IPv4/IPv6 non-first fragment handling in line with ACL ↵Andrew Yourtchenko4-13/+77
(VPP-682) This fixes the previously-implicit "drop all non-first fragments" behavior to be more in line with security rules: a non-first fragment is treated for the purposes of matching the ACL as a packet with the port match succeeding. This allows to change the behavior to permit the fragmented packets for the default "permit specific rules" ruleset, but also gives the flexibility to block the non-initial fragments by inserting into the begining a bogus rule which would deny the L4 traffic. Also, add a knob which allows to potentially turn this behavior off in case of a dire need (and revert to dropping all non-initial fragments), via a debug CLI. Change-Id: I546b372b65ff2157d9c68b1d32f9e644f1dd71b4 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> (cherry picked from commit 9fc0c26c6b28fd6c8b8142ea52f52eafa7e8c7ac)
2017-04-05acl-plugin: fix pretty-printing in "api trace custom-dump" (VPP-683)Andrew Yourtchenko5-316/+388
Change-Id: Id15b401223aabe7dacb7566c871ebefc17fbb1fc Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> (cherry picked from commit 7fd3f513c7df198c45204eba0a3e9a3abe509593)
2017-03-30acl-plugin: cleaner node bugfixes (VPP-675)Andrew Yourtchenko3-51/+75
- use the counters in a private struct rather than node error counters - ensure the timer for the non-idle connections is restarted - fix the deletion of conn at the current tail the list Change-Id: I632f63574d2ced95fb75c5e7fb588c78fb3cce1c Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> (cherry picked from commit 097051a3bd1f63a177c0728f15375afd84a68918)
2017-03-22vlib: add description field in plugin registrationDamjan Marion1-0/+1
Change-Id: I88b322a5d602f3d6d3310e971479180a89430e0e Signed-off-by: Damjan Marion <damarion@cisco.com>