Age | Commit message (Collapse) | Author | Files | Lines |
|
Commit 1c7bf5d41737984907e8bad1dc832eb6cb1d6288 added the poisoning
of the newly freed memory in debug builds, exposing a logic
error in mask assignment code - it passed a pointer to
within a pool to a function which might potentially expand the pool.
This resulted in a failure of the test in the debug version.
Fix that by making a local copy of the value before passing
a pointer to it.
Change-Id: I73f3670672c3d86778aad0f944d052d0480cc593
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
This change avoids the long-read-after-short-write, resulting
in a small performance improvement.
Change-Id: Ic01d1fd19182e96100ccaf441d7ab5e5898b9734
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Change-Id: Ifc8b3d30d66c7ade1e3584844ce3f82d42d2fb94
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Change-Id: I63c36644c9d93f2c3ec6606ca0205b407499de4e
Signed-off-by: Eyal Bari <ebari@cisco.com>
|
|
Change-Id: Ieb8b53977fc8484c19780941e232ee072b667de3
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Configure w/ --enable-dlmalloc, see .../build-data/platforms/vpp.mk
src/vppinfra/dlmalloc.[ch] are slightly modified versions of the
well-known Doug Lea malloc. Main advantage: dlmalloc mspaces have no
inherent size limit.
Change-Id: I19b3f43f3c65bcfb82c1a265a97922d01912446e
Signed-off-by: Dave Barach <dave@barachs.net>
|
|
Fix the copypaste-triggered errors in load-from-file ACL test code.
Also, add an explicit exit(1) after clib_error() to convince coverity
that code path is terminal indeed.
Change-Id: I1deedb49144559c9183449005ada0433c24db18a
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Change-Id: Ie899ccbaae4df7cce4ebbba47ed6c3cce5269bdb
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
A small store into a middle of a larger structure that was subsequently
loaded for calculating the bihash key was noticeably impacting the performance.
Change-Id: If7f33e1b66e8b438ba7cc91abc0ca749850c6e45
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Slightly refactored from the initial implementation of the TupleMerge [1]
algorithm by Valerio Bruschi (valerio.bruschi@telecom-paristech.fr)
[1] James Daly, Eric Torng "TupleMerge: Building Online Packet Classifiers
by Omitting Bits", In Proc. IEEE ICCCN 2017, pp. 1-10
Also add startup parameters to turn on/off the algorithm ("use tuple merge 1/0"),
and a startup parameter to be able to tweak the split threshold
("tuple merge split threshold N"), the default value of the split threshold
is 39 as per paper, but some more tuning might be necessary to find the best
value.
This change, alongside with the optimizations which avoid extra lookups,
significantly reduces the slowdown on the ClassBench generated ACLs, which
are supposed to resemble realistic ACLs seen in use in the field.
Change-Id: I9713e4673970e9a62d4d9e9718365293375fab7b
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
- instantiate the per-use mask type entry for a given hash ACE
this prepares to adding tuplemerge where the applied ACE may
have a different mask type due to relaxing of the tuples
- store the vector of the colliding rules for linear lookups
rather than traversing the linked list.
- store the lowest rule index for a given mask type inside
the structure. This allows to skip looking up at the later
mask types if we already matched an entry that is in front
of the very first entry in the new candidate mask type,
thus saving a worthless hash table lookup.
- use a vector of mask type indices rather than bitmap,
in the sorted order (by construction) of ascending
lowest rule index - this allows to terminate the lookups
early.
- adapt the debug cli outputs accordingly to show the data
- propagate the is_ip6 into the inner calls
Change-Id: I7a67b271e66785c6eab738b632b432d5886a0a8a
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Change-Id: I6a3cfcb24f5027ec0f2cd2ec21ea47a01fef331b
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Trying to accomodate fragments as first class citizens
has shown to be more trouble than it's worth. So
fallback to linear ACL search in case it is a fragment
packet. Delete the corresponding code from the hash
matching.
Change-Id: Ic9ecc7c800d575615addb33dcaa89621462e9c7b
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
in more than one C file
Including the exports.h from multiple .c files belonging to a single plugin results in an error.
Rework the approach to require the table of function pointers to be filled in by
the initialization function.
Since the inline functions are compiled in the "caller" context,
there is no knowledge about the acl_main structure used by the ACL
plugin. To help with that, the signature of inline functions is slightly
different, taking the p_acl_main pointer as the first parameter.
That pointer is filled into the .p_acl_main field of the method
table during the initialization - since the calling of non-inline variants
would have required filling the method table, this should give
minimal headaches during the use and switch between the two methods.
Change-Id: Icb70695efa23579c46c716944838766cebc8573e
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
The commit 4bc1796b346efd10f3fb19b176ff089179263a24 had incorrect
calculation of the session lists minimal timeout, resulting
in returned value of 0 which resulted in existing sessions
constantly requeued, taking up the CPU. Fix this calculation.
Change-Id: I9a789739f96a1f01522c68f91b0a02db2417837f
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
optimize stores in the (l4/pkt)
Having two pieces of code - one for now much simpler to recreate L3 info,
one for a more difficult do build L4/pkt metadata allows more
degrees of freedom for optimizations.
Also, construct the metadata in local variables first before
saving it into the memory structure, this fewer memory stores
and they are better aligned, allowing to coalesce with
subsequent reads if needed.
Change-Id: Icb35d933834b14294f875362c9b58db3feb38d99
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
file for testing
Add a command "acl_add_replace_from_file" to VAT which can load a ruleset and
add an ACL with it. There are a few options which augment the ACL being created:
"permit+reflect" or "permit" alter the default action from deny on the ACEs
created.
"append-default-permit" adds an entry in the end with the "permit+reflect"
if the default action has been changed to permit+reflect, or with a simple
permit otherwise.
This command is IPv4-only because the available datasets were IPv4-only.
Change-Id: I26b9f33ecb6b59e051d1d9cbafedbc47e8203392
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Add a new kv_16_8 field into 5tuple union, rename
the existing kv into kv_40_8 for clarity, and
add the compile-time alignment constraints.
Change-Id: I9bfca91f34850a5c89cba590fbfe9b865e63ef94
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
contiguous with L4 data
Using ip46_address_t was convenient from operational point of view but created
some difficulties dealing with IPv4 addresses - the extra 3x of u32 padding
are costly, and the "holes" mean we can not use the smaller key-value
data structures for the lookup.
This commit changes the 5tuple layout for the IPv4 case, such that
the src/dst addresses directly precede the L4 information.
That will allow to treat the same data within 40x8 key-value
structure as a 16x8 key-value structure starting with 24 byte offset.
Change-Id: Ifea8d266ca0b9c931d44440bf6dc62446c1a83ec
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
- implement a 1us purgatory for the session structures
by adding a special connection list, where all connections
about to be deleted go.
- add per-list-head timeouts updated upon the list enqueue/dequeue
for connection idle management
- add a "unused" session list with list ID#0, which should
never be used unless there is a logic error. Use this ID
to initialize the sessions.
- improve the maintainability of the session linked list
structures by using symbolic bogus index name instead of ~0
- change the ordering of session creations - first reverse, then
local. To minimize the potential for two workers competing for
the same session in the corner case of the two packets
on different workers creating the same logical session
- reduce the maximum session count to keep the memory usage the same
- add extra log/debug/trace to session cleaning logic
- be more aggressive with cleaning up sessions - wind up the
interrupts from the workers to themselves if there is more
work to do
Change-Id: I3aa1c91a925a08e83793467cb15bda178c21e426
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Change-Id: Ibab5e27277f618ceb2d543b9d6a1a5f191e7d1db
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
next nodes
Use the new frame-at-once functions vlib_get_buffers() and vlib_buffer_enqueue_to_next()
to calculate the buffer pointers and to dispatch the packets after the processing.
This simplifies the dataplane node processing loop.
Change-Id: I454308f847aac76a199f8dd7490c1e176414bde7
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
clib_bihash_search_40_8 for session lookups
Use inline version rather than calling the function, this gives slightly better performance.
The straighforward diff uncovered an interesting problem: the stateful ACL IPv4 unit tests would fail
for the "make test" but succeed in "make test-debug". Also, they would succeed even in "make test",
if before calling the clib_bihash_search_inline_2_40_8 we would change the code
to store the key in a temporary variable.
Debugging revealed that the generated optimized code is not what one would expect:
the zeroing of the u64s overlaying the memcpy into ipv4 value of ip46_address_t
made the optimizer not notice the latter, and think that those fields should be
always zero in the bihash, thus generating incorrect assembly for the bihash key
comparison for the ipv4 nodes.
Changing the zeroing to be non-overlapping by zeroing only the pad fields resulted
in the optimizer generating the correct code and the tests pass.
Change-Id: Ib0f55cef2b5fe70c931d17ca4dc32a5755d160cd
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
per-packet session key
Using a separate session key has proven to be tricky for the following reasons:
- it's a lot of storage to have what looks to be nearly identical to 5tuple,
just maybe with some fields swapped
- shuffling the fields from 5tuple adds to memory pressure
- the fact that the fields do not coincide with the packet memory
means for any staged processing we need to use up a lot of memory
Thus, just add two entries into the bihash table pointing to
the same session entry, so we could match the packets from either
direction.
With this we have the key layout of L3 info (which takes up
the majority of space for IPv6 case) the same as in the packet,
thus, opening up the possibility for other optimizations.
Not having to create and store a separate session key
should also give us a small performance win in itself.
Also, add the routine to show the session bihash in a better
way than a bunch of numbers.
Alas, the memory usage in the bihash obviously doubles.
Change-Id: I8fd2ed4714ad7fc447c4fa224d209bc0b736b371
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
This commit splits the functions from fa_node.c
into the pure dataplane node functions (which are multiarch-compiled),
session management node functions (which are compiled only once),
and session find/add/delete functions which are split out into the inlines.
As part of the refactoring:
- get rid of BV() macros in the affected chunk of code,
rather use the explicit bihash function names.
- add the magic trailer to the new files to
ensure make checkstyle watches them.
- move the bihash_template.c include for 40_8 bihash into acl.c
Change-Id: I4d781e9ec4307ea84e92af93c09470ea2bd0c375
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Object sizes must evenly divide alignment requests, or vice
versa. Otherwise, only the first object will be aligned as
requested.
Three choices: add CLIB_CACHE_LINE_ALIGN_MARK(align_me) at
the end of structures, manually pad to an even divisor or multiple of
the alignment request, or use plain vectors/pools.
static assert for enforcement.
Change-Id: I41aa6ff1a58267301d32aaf4b9cd24678ac1c147
Signed-off-by: Dave Barach <dbarach@cisco.com>
|
|
It is a relatively rarely used low level command for code that didn't change,
but due to infra changes it did not survive. Having it working may be very
useful for corner-case debugging. So, fix it for working with
the acl-as-a-service infra.
Change-Id: I11b60e0c78591cc340b043ec240f0311ea1eb2f9
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
(cherry picked from commit 18bde8a579960aa46f43ffbe5c2905774bd81a35)
|
|
only in lookup context 0
In process of extracting the matching out of the ACL plugin internals,
a couple of pieces setting the miscellaneout fields in the 5tuple structure
did not make it, so they are initialized to zeroes. Move the assignments
to the right place to make both traffic acls and acl-as-a-service working.
Change-Id: I66a7540a13b05113b599f0541999a18fad60385d
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
(cherry picked from commit d3b96ef0d75889f09dc51efb89e5123cdbe7ffe8)
|
|
Change-Id: I994649761fe2e66e12ae0e49a84fb1d0a966ddfb
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
The users of ACL lookup contexts might not check the data they supply,
so do it on their behalf in this function, and return an error if
an ACL does not exist or if they attempt to apply the same ACL twice.
Change-Id: I89d871e60f267ce643f88574c83baf9cd0a2d7b3
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
(cherry picked from commit e5cbccf35f4d230afafa633abbc88e64ef33d758)
|
|
using the inline functions
The acl_main struct, which is defined in the acl_plugin, is not visible when
the ACL plugin inline code is being compiled within the context of other plugins.
Fix that by using the global pointer variable, which exists in both the ACL plugin
context and is set in the context of the external plugins using ACL plugin.
Change-Id: Iaa74dd8cf36ff5442a06a25c5c968722116bddf8
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
(cherry picked from commit 1286a15a6e60f80b0e1b349f876de8fa38c71368)
|
|
(re-)applied
There were several discussions in which users would expect the sessions to be deleted
if the new policy after the change does not permit them.
There is no right or wrong answer to this question - it is a policy decision.
This patch implements an idea to approach this. It uses a per-interface-per-direction counter to designate
a "policy epoch" - a period of unchanging rulesets. The moment one removes or adds an ACL applied to
an interface, this counter increments.
The newly created connections inherit the current policy epoch in a given direction.
Likewise, this counter increments if anyone updates an ACL applied to an interface.
There is also a new (so far hidden) CLI "set acl-plugin reclassify-sessions [0|1]"
(with default being 0) which allows to enable the checking of the existing sessions
against the current policy epoch in a given direction.
The session is not verified unless there is traffic hitting that session
*in the direction of the policy creation* - if the epoch has changed,
the session is deleted and within the same processing cycle is evaluated
against the ACL rule base and recreated - thus, it should allow traffic-driven
session state refresh without affecting the connectivity for the existing sessions.
If the packet is coming in the direction opposite to which the session was initially
created, the state adjustment is never done, because doing so generically
is not really possible without diving too deep into the special cases,
which may or may not work.
Change-Id: I9e90426492d4bd474b5e89ea8dfb75a7c9de2646
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Coverity has started whining about uint32_t missing in this .h
Change-Id: I57992121c0593d6a0ada35917802d0300cf91259
Signed-off-by: Chris Luke <chrisy@flirble.org>
|
|
- autosize the ACL plugin heap size based on the number of workers
- for manual heap size setting, use the proper types (uword),
and proper format/unformat functions (unformat_memory_size)
Change-Id: I7c46134e949862a0abc9087d7232402fc5a95ad8
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
until it is needed
Registering ACL plugin user module within the "ACL as a service" infra during the plugin init
causes an unnecesary ACL heap allocation and prevents the changing of the ACL heap size
from the startup config.
Defer this registration until just before it is needed - i.e. when applying an ACL to
an interface.
Change-Id: Ied79967596b3b76d6630f136c998e59f8cdad962
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
- allow to optionally specify the specific MACIP ACL index:
'show acl-plugin macip acl [index N]'
- after showing the MACIP ACL, show the sw_if_index of
interface(s) where it is applied.
Also, add some executions of this debug commands
to the MACIP test case for easy verification.
Change-Id: I56cf8272abc20b1b2581b60d528d27a70d186b18
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
The functions which get called by other plugins need to set the acl plugin heap,
such that the other plugins do not have to think about it.
Change-Id: I673073f17116ffe444c163bf3dff40821d0c2686
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
This reverts commit 378ac0533e5ac8c3121d8f66ba61a8548e55282f.
Change-Id: If34b1c964453adb0e4c44e3eab4f6e306bd9c9e9
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
other plugins
This code implements the functionality required for other plugins wishing
to perform ACL lookups in the contexts of their choice, rather than only
in the context of the interface in/out.
The lookups are the stateless ACLs - there is no concept of "direction"
within the context, hence no concept of "connection" either.
The plugins need to include the
The file acl_lookup_context.md has more info.
Change-Id: I91ba97428cc92b24d1517e808dc2fd8e56ea2f8d
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
- Show interface on which given MACIP ACL is applied
- index is added for show acl-plugin macip acl:
ex) show acl-plugin macip acl [index N]
Change-Id: I3e888c8e3267060fe157dfc1bbe3e65371bd858a
Signed-off-by: Steve Shin <jonshin@cisco.com>
|
|
ARP packets need to be allowed for dot1q interface when MACIP is enabled.
Change-Id: I33dd3cb6c6100c49420d57360a277f65c55ac816
Signed-off-by: Steve Shin <jonshin@cisco.com>
|
|
Change-Id: Ie8b4effbd25e1e26b625d451ec059bac58a5a5a1
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
|
|
The gerrit 10434 which added the support for whitelist model on ethertypes,
did not include the support to dump the current state.
This patch fills that gap.
Change-Id: I3222078ccb1839dc366140fa5f6b8999b2926fd2
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Classify table for output node should be cleaned up
after deleting macip ACL.
Change-Id: Ibbc46c8465bec02fe6fa6a8d33a1f06bcf28e9ad
Signed-off-by: Steve Shin <jonshin@cisco.com>
|
|
Currently, ACL plugin largely does not care about the
ethertypes other than 0x0800 (IPv4) and 0x86dd (IPv6),
the only exception being 0x0806 (ARP), which is
dealt with by the MACIP ACLs.
The other ethertypes in L2 mode are just let through.
This adds a new API message acl_interface_set_etype_whitelist,
which allows to flip the mode of a given interface
into "ethertype whitelist mode": the caller of this message
must supply the two lists (inbound and outbound) of the ethertypes
that are to be permitted, the rest of the ethertypes are
dropped.
The whitelisting for a given interface and direction takes
effect only when a policy ACL is also applied.
This operates on the same classifier node as the one used for
dispatching the policy ACL, thus, if one wishes for most of the
reasonable IPv4 deployments to continue to operate within
the whitelist mode, they must permit ARP ethertype (0x0806)
The empty list for a given direction resets the processing
to allow the unknown ethertypes. So, if one wants to just
permit the IPv4 and IPv6 and nothing else, one can add
their ethertypes to the whitelist.
Add the "show acl-plugin interface" corresponding outputs
about the whitelists, vat command, and unittests.
Change-Id: I4659978c801f36d554b6615e56e424b77876662c
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
This is the second patch, using the new functionality from the change 10002
in order to implement the egress filtering on the MACIP ACLs.
This adds an action "2" which means "add also egress filtering rules for this
MACIP ACL.
The reason for having the two choices is that the egress filtering really takes
care of a fairly corner case scenario, and I am not convinced that
always adding the performance cost of the egress lookup check is worth it.
Also, of course, not breaking the existing implementations is a nice plus,
too.
Change-Id: I3d7883ed45b1cdf98d7303771bcc75951dff38f0
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
conn cleaner threads interactions
This replaces some of the early-stage commented-out printf()s with
an elog-based debug collector.
It is aimed to be "better than nothing" initial implementation to be available
in the field. It will be refined/updated based on use. This initial code
is focused on the main/worker threads interactions, hence uses just
the worker tracks.
This code adds a developer debug CLI "set acl-plugin session table event-trace 1",
which allows to gather the events pertaining to connection cleaning.
The CLI is deliberately not part of the online help, as the express
declaration that the semantics/trace levels, etc. are subject to change
without notice.
Change-Id: I3536309f737b73e50639cd5780822dcde667fc2c
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
The thread0 in some configurations can handle the traffic.
Some of the previous fixes accomodated for that, but
the interrupt sending for connection clearing
was not adapted to that, resulting in a deadlock
during clearing of all connections...
Change-Id: I32b4c7bac09c91c22b796baab843bdaf41f7045c
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
For implementation of MACIP ACLs enhancement (VPP-1088), an outbound
classifier-based ACL would be needed. There was an existing incomplete
code for outbound ACLs, it looked almost exact copy of input ACLs, minus
the various enhancements, trying to sync that code seemed error-prone
and cumbersome to maintain in the longer run.
This change refactors the input+output ACLs processing into a unified
routine (thus any changes will have effect on both), and also adds
the API to set the output interface ACL, with the same format
and semantics as the existing input one (except working on output
ACL of course).
WARNING: IP outbound ACL in L3 mode clobbers the ip.* fields
in the vnet_buffer_opaque_t, since the code is using l2_classify.*
The net_buffer (p0)->ip.save_rewrite_length is rescued into
l2_classify.pad.l2_len, and used to rewind the header in case of
drop, so that ipX_drop prints something sensible.
Change-Id: I62f814f1e3650e504474a3a5359edb8a0a8836ed
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Normally session keys are generated by mirroring the packets sent.
ICMP message type should be used and inverted for the stateful ACL.
Supported ICMP messages with this patch:
- ICMPv4: Echo/Timestamp/Information/Address Mask requests
- ICMPv6: Echo request/Node Information Queury
The invmap & valid_new tables can be modified to make any other
ICMP messages to be reflexive ACL.
Change-Id: Ia47b08b79fe0a5b1f7a995af78de3763d275dbd9
Signed-off-by: Steve Shin <jonshin@cisco.com>
|