path: root/src/plugins/acl
Age | Commit message | Author | Files | Lines
2019-11-05 | misc: Fix python scripts shebang line | Renato Botelho do Couto | 5 | -5/+5
Type: fix Since CentOS 8, RPM build script doesn't accept '#!/usr/bin/env python' as a valid shebang line. It requires scripts to explicitly choose between python2 or python3. Change all to use python3 as suggested by Paul Vinciguerra. Depends-On: https://gerrit.fd.io/r/23170 Signed-off-by: Renato Botelho do Couto <renato@netgate.com> Change-Id: Ie72af9f60fd0609e07f05b70f8d96e738b2754d1
2019-10-31 | acl: add missing square brackets to vat_help option in acl api | Jieqiang Wang | 1 | -2/+2
Add the missing right square brackets to remove ambiguity in vat_help option for acl_add_replace and macip_acl_add_replace api. Type: fix Change-Id: I2679d8ce163d23a0e513afdfdb87434cbb673c74 Signed-off-by: Jieqiang.Wang <Jieqiang.Wang@arm.com>
2019-10-21 | acl: l2 classify test support python3 | Ole Troan | 1 | -2/+2
Type: fix Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: I3b2e57e3dcf04ae50724b5909272b083d6003a85
2019-10-17 | tests: python3 changes for span and aclplugin test | snaramre | 2 | -7/+7
Type: fix Change-Id: Ia9f74f951f831cc5c9b5af863db1bb3f7a1a81ff Signed-off-by: snaramre <snaramre@cisco.com>
2019-10-10 | acl: remove api boilerplate | Ole Troan | 5 | -172/+44
Type: refactor Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: Idc9c508eb0e3d4b0c3908360fb0771012a8e2bc0
2019-10-03 | acl: fix intermittent test failure | Andrew Yourtchenko | 1 | -9/+9
ACL tests use random port number in the tests. A port number 6081 causes the decode in scapy to consume some of the Raw payload into GENEVE encoding, which breaks the test. Solution: bring up the lower range of random port to 16384, so that it does not touch any of the well known ports. Type: test Change-Id: I022660d8ec147857924b436f1871b0b5ddcf4c47 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2019-09-27 | acl: remove api boilerplate | Ole Troan | 2 | -92/+12
Type: refactor Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: I5701b7d6d5e1423fb0004f7e48815cd672f81e4d
2019-09-16 | api: autogenerate api trace print/endian | Ole Troan | 3 | -1/+55
In addition to the external vppapitrace tool, VPP itself supports dumping of API trace files. In two formats, "custom-dump" and "dump". "dump" gives a human friendly list, and "custom-dump" is meant to give a list of commands that can be fed to VAT. This patch only deals with "dump".

Prior to this fix, auto-generation was only done for the basic types. This fix adds support for any type, including lists, and supports pretty-printing of enums, strings, IP addresses, MAC addresses and so on.

Usage: api trace dump <api-trace-file>

For example

Change-Id: I4e485680e6dcfce7489299ae6cf31d835071ac40

    ---------- trace 48 -----------
    vl_api_sw_interface_set_flags_t:
      _vl_msg_id: 75
      client_index: 0
      context: 10
      sw_if_index: 1
      flags: IF_STATUS_API_FLAG_ADMIN_UP
    ---------- trace 49 -----------
    vl_api_sw_interface_add_del_address_t:
      _vl_msg_id: 88
      client_index: 0
      context: 11
      sw_if_index: 1
      is_add: 1
      del_all: 0
      prefix: 172.16.1.1/24
    ---------- trace 51 -----------
    vl_api_cli_inband_t:
      _vl_msg_id: 819
      client_index: 0
      context: 13
      cmd: packet-generator capture pg0 pcap /tmp/vpp-unittest-TestMAP-YhcmDX/pg0_out.pcap disable
    ---------- trace 58 -----------
    vl_api_ip_neighbor_add_del_t:
      _vl_msg_id: 199
      client_index: 0
      context: 20
      is_add: 1
      neighbor:
        sw_if_index: 2
        flags: IP_API_NEIGHBOR_FLAG_NONE
        mac_address: 0202.0000.ff02
        ip_address: fd01:2::2

Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: I5556d06008de2762e7c2d35a8b0963ae670b3db1
Type: fix
Signed-off-by: Ole Troan <ot@cisco.com>
Signed-off-by: Ole Troan <ot@cisco.com>
Signed-off-by: Ole Troan <ot@cisco.com>
Signed-off-by: Ole Troan <ot@cisco.com>
Signed-off-by: Ole Troan <ot@cisco.com>
Signed-off-by: Ole Troan <ot@cisco.com>
Signed-off-by: Ole Troan <ot@cisco.com>
Signed-off-by: Ole Troan <ot@cisco.com>
2019-08-28 | acl: perform a sanity check of ACL rules before creating ACL | Andrew Yourtchenko | 1 | -0/+81
Adding acl with incorrect arguments like 1.1.1.1/24 (instead of 1.1.1.0/24) doesn't cause a disaster, but doesn't match either, as some might expect. Add an explicit sanity check which returns an error. Type: fix Change-Id: Id1601f4b9c9887d3e7e70aac419d1f1de0c0e012 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2019-08-22 | tests: move plugin tests to src/plugins/*/test | Dave Wallace | 5 | -0/+4785
- Relocate plugin tests for 'make test' into src/plugins/*/test so that plugin test cases are co-located with the plugin source code. Type: refactor Signed-off-by: Dave Wallace <dwallacelf@gmail.com> Change-Id: I503e6a43528e14981799b735fa65674155713f67 Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
2019-08-20 | vppapigen: remove support for legacy typedefs | Paul Vinciguerra | 2 | -57/+2
vppapigen has remapped legacy to typedefs behind the scenes for some time now. - update .api files to use new style typedefs. - issue error on 'typeonly define' in .api files - remove unneeded macros redefining vl_noop_handler Type: refactor Change-Id: I7a8c4a6dafacee6a131f95cd0e9b03a8c60dea8b Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2019-08-16 | acl: fix stats-segment counters validation on acl update | Andrew Yourtchenko | 2 | -8/+46
The stats-segment validation/clear logic for acl counters was wrong, fix it. Also add the code to the unittests to cover that case, add a vat command to enable/disable counters, clean up the unnecessary endian conversion and remove the stray clib_warning() Change-Id: I421297a92e4aeb885c468c72a97cec25981df615 Type: fix Ticket: VPP-1744 Fixes: f995c7122ba0d024b17bc3232e8edd18d5e25088 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> (cherry picked from commit 4c945dacb9ff9da731301feb26b1edb4ac00e8bd)
2019-07-29 | api acl: breakout acl_types.api for reuse by others | Paul Vinciguerra | 2 | -79/+101
Type: refactor Change-Id: I40518ccddcb78e58f7e6a098c27d9ec53e5a1146 Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2019-07-24 | acl: implement counters | Andrew Yourtchenko | 5 | -9/+183
implement per-acl-number counters in the stats segment. They are created during the ACL creation, the counters are incremented in the dataplane using the new inline function with the extra parameter being the packet size. Counting in shared segment adds a noticeable overhead, so add also an API to turn the counters on. Type: feature Change-Id: I8af7b0c31a3d986b68089eb52452aed45df66c7b Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2019-07-09 | acl: perform the ACL-as-a-service user registrations in global heap | Andrew Yourtchenko | 2 | -10/+14
Some users tend to call registration routine long before they need that service - which triggers an immediate initialization of the ACL heap, which is rather big. This commit defers this process by keeping the registrations in the global heap. Change-Id: I5825871bd836851942b55184b6ee2657c7a9cc33 Type: fix Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2019-07-09 | vat: unload unused vat plugins | Dave Barach | 1 | -18/+2
If the corresponding vpp plugin is absent, return a non-zero clib_error_t * from vat_plugin_register ("xxx plugin not loaded"). The vat plugin calls dlclose on the vat plugin, and it disappears. Depending on the plugin configuration, this can reduce the vpp virtual size by several gigabytes. Added a VAT_PLUGIN(<plugin-name>) macro to vat_helper_macros, clean up boilerplate vat_plugin_register() implementations. Fixed a number of non-standard vat_plugin_register methods. Type: refactor Change-Id: Iac908e5af7d5497c78d6aa9c3c51cdae08374045 Signed-off-by: Dave Barach <dave@barachs.net>
2019-05-03 | plugins: clean up plugin descriptions | Dave Wallace | 1 | -1/+1
- Make plugin descriptions more consistent so the output of "show plugin" can be used in the wiki. Change-Id: I4c6feb11e7dcc5a4cf0848eed37f1d3b035c7dda Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
2019-04-10 | API: Fix shared memory only action handlers. | Ole Troan | 1 | -7/+5
Some API action handlers called vl_msg_api_send_shmem() directly. That breaks Unix domain socket API transport. A couple (bond / vhost) also tried to send a sw_interface_event directly, but did not send the message to all that had registered interest. That scheme never worked correctly. Refactored and improved the interface event code. Change-Id: Idb90edfd8703c6ae593b36b4eeb4d3ed7da5c808 Signed-off-by: Ole Troan <ot@cisco.com>
2019-03-22 | acl-plugin: get rid of doubly-linked list fields in hash applied ACEs | Andrew Yourtchenko | 2 | -99/+35
With collision match vector, the doubly-linked list is not needed anymore. Change-Id: Iaf667ebe6ce0bdd78306bec31d3949e6acb8d401 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2019-03-22 | acl-plugin: tuplemerge: fix a crash during soak test with split partition | Andrew Yourtchenko | 1 | -7/+11
Reload the hash-ready ACE vector pointer during the partition split with each iteration, since the ACL# may change. Change-Id: I1b001e06b52ff02ef59ca1d890f8462ca99e6634 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2019-03-22 | acl-plugin: get rid of a separate "count" field in the linear acl struct | Andrew Yourtchenko | 4 | -18/+18
A long time ago, the linear array of rules in the ACL structure was not a vector. Now it is, so get rid of the extraneous "count" member. Do so in a manner that would ease the potential MP-safe manipulation of ACL rules in the future. Change-Id: Ib9c0731e4f21723c9ec4d7f00c3e5ead8e1e97bd Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2019-02-19 | acl-plugin: split the dataplane function into two, save 10sec in compile time | Andrew Yourtchenko | 1 | -87/+110
Change-Id: I00618f12dfd5ab4a2baf6c8ec1f53b4c7179aed7 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2019-02-14 | Add -fno-common compile option | Benoît Ganne | 1 | -1/+1
-fno-common makes sure we do not have multiple declarations of the same global symbol across compilation units. It helps debug nasty linkage bugs by guaranteeing that all references to a global symbol use the same underlying object. It also helps avoid benign mistakes such as declaring enum as global objects instead of types in headers (hence the minor fixes scattered across the source). Change-Id: I55c16406dc54ff8a6860238b90ca990fa6b179f1 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2018-12-11 | New api in order to get max entries of connection table is added. | Khers | 3 | -5/+83
Change-Id: I2f81ec95de55ad2355f82550451ad825c228e5cd Signed-off-by: Khers <s3m2e1.6star@gmail.com>
2018-11-23 | acl-plugin: fix coverity error that the fix related for [VPP-1502] has triggered | Andrew Yourtchenko | 1 | -9/+13
Fix the trivial use-before-check copypaste error. There was a more subtle issue with that patch that Coverity didn't notice: namely, vec_validate(v, len-1) is a terrible idea if len happens to be == 0. Fix that. Change-Id: I0fab8b1750e9e9973eefb5d39f35e4c3a13fc66f Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-11-22 | acl-plugin: optimize hash memory usage + fix the startup config parsing for memory sizes [VPP-1502] | Andrew Yourtchenko | 3 | -7/+33
In a couple of places vec_add1()-style was repeatedly called in a loop for smallish vectors where the number of additions was known in advance. With a test with large number of ACEs these numbers contribute to heap fragmentation noticeably. Minimize the number of allocations by preallocating the known size and then resetting the length accordingly, and then calling vec_add1(). Also unify the parsing of the memory-related startup config parameters. Change-Id: If8fba344eb1dee8f865ffe7b396ca3b6bd9dc1d0 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-11-20 | acl-plugin: performance optimizations for established connections | Andrew Yourtchenko | 3 | -197/+541
Change-Id: Id5b7429ca7cce10ce8022c9b8a223bd02f6c3b5f Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-11-15 | acl-plugin: fix coverity error 188909 in unit-test code | Andrew Yourtchenko | 1 | -1/+0
The assignment was redundant with the one just a dozen lines above in the case of the ACL loaded being non-empty, so its only apparent purpose in life was to make coverity unhappy... Thus fix by deletion. Change-Id: I573308cb9c212bdfdca2551aa381720dbbcb006e Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-11-14 | Remove c-11 memcpy checks from perf-critical code | Dave Barach | 1 | -3/+3
Change-Id: Id4f37f5d4a03160572954a416efa1ef9b3d79ad1 Signed-off-by: Dave Barach <dave@barachs.net>
2018-11-05 | acl-plugin: 5-tuple parse: get rid of memcpy and move to flags vs. bitfields | Andrew Yourtchenko | 3 | -80/+77
Using bitfield struct for 5tuple proved to be fragile from the performance standpoint - the zeroizing of the entire structure and then setting the separate pieces of it triggers increased memory latency. So, move to using flags byte. Also, use the direct object copies rather than memcpy. Change-Id: Iad8faf9de050ff1256e40c950dee212cbd3e5267 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-10-26 | acl-plugin: fix the node multiarch function selection | Andrew Yourtchenko | 2 | -33/+22
Thanks to Damjan for rewriting my previous patch into not-to-be-deprecated soon form! Change-Id: I595a13c44ed07d4c6d60e2aef0f0bd807a76cbba Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-10-25 | acl-plugin: "show acl-plugin acl" ACE# is truncated to 4 digits in output | Andrew Yourtchenko | 1 | -1/+1
I was expecting "%4d" format string to exhibit the same behavior as the one in C standard library, but rather than specifying _minimal_ width and expanding as necessary, it actually truncates the output. Changing that to "%9d" should take care of pushing this surprising difference in behavior into the domain of impossible. Change-Id: Ia687137ca765bf9c1575af998ff11314010e81ad Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-10-24 | acl-plugin: introduce a format function for l4 session key | Andrew Yourtchenko | 3 | -48/+77
Abstracting out the internal format function for L4 session key type makes the other acl plugin format/print functions more maintainable. Change-Id: Ica1302263a42981555462b5338d18d9a9f9c8342 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-10-23 | c11 safe string handling support | Dave Barach | 4 | -61/+61
Change-Id: Ied34720ca5a6e6e717eea4e86003e854031b6eab Signed-off-by: Dave Barach <dave@barachs.net>
2018-10-20 | acl-plugin: use the L2 feature arc infrastructure instead of L2 classifier for plumbing | Andrew Yourtchenko | 3 | -699/+304
This makes ACL plugin use the new feature arcs, which slightly increases performance. Since for ethertype whitelisting we were using the L2 classifier, to retain the functionality, make a simple node doing that, and plug it into non-ip L2 feature arc whenever needed. Change-Id: I3add377a6c790117dd3fd056e5615cb4c4438cf4 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-10-19 | vppinfra: add atomic macros for __sync builtins | Sirshak Das | 1 | -3/+3
This is the first part of the addition of atomic macros, with only macros for __sync builtins. - Based on earlier patch by Damjan (https://gerrit.fd.io/r/#/c/10729/) Additionally - clib_atomic_release macro added and used in the absence of any memory barrier. - clib_atomic_bool_cmp_and_swap added Change-Id: Ie4e48c1e184a652018d1d0d87c4be80ddd180a3b Original-patch-by: Damjan Marion <damarion@cisco.com> Signed-off-by: Sirshak Das <sirshak.das@arm.com> Reviewed-by: Honnappa Nagarahalli <honnappa.nagarahalli@arm.com> Reviewed-by: Ola Liljedahl <ola.liljedahl@arm.com> Reviewed-by: Steve Capper <steve.capper@arm.com>
2018-10-17 | acl-plugin: tuplemerge: refresh the pointer to hash-readied ACL entries per each collision in split_partition() (VPP-1458) | Andrew Yourtchenko | 1 | -0/+2
A pointer to hash-ready ACL rules is only set once, which might cause a crash if there are colliding entries from more than one ACL applied. Solution: reload the pointer based on the element being processed. Change-Id: I7a701c2c3b4236d67293159f2a33c4f967168953 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> (cherry picked from commit 84112dd4f98e5a31a8c7340a741f89e77fd03363)
2018-10-10 | acl-plugin: reduce the syslog level for debug messages | Andrew Yourtchenko | 1 | -5/+6
Change-Id: Ie8380cb39424548bf64cb19aee59ec20e29d1e39 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-10-04 | acl-plugin: tuplemerge: avoid batch-resize of the applied entries vector - VPP-1352 | Andrew Yourtchenko | 1 | -2/+6
If the number of rules within a given partition exceeds the limit, the split_partition() might get called, in which we calculate the relaxed mask, create a new partition with that mask and attempt to reallocate some entries from the overcrowded partition. The non-TM code was pre-expanding the vector with rules by the number of rules in the new ACL being applied - which caused the split_partition() to iterate over the rules filled with zeroes. Most of the time it is benign, but if a newly created relaxed partition is such that these entries can be "relocated", then the code attempts to do so, which does not end well. Change-Id: I2dbf3ccd29ff97277b21cdb11c4424ff0915c3b7 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-09-26 | acl-plugin: fix the stateful ICMP handling and add testcases | Andrew Yourtchenko | 1 | -39/+40
The stateful ICMP/ICMPv6 handling got broken. Fix that and introduce testcases to catch in the future. Change-Id: Ie602e72d6ac613d64ab0bf6693b6d75afb1a9552 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-09-25 | acl-plugin: optimize session idle timer checks | Andrew Yourtchenko | 5 | -32/+93
This commit adds explicit signaling from a non-owning thread to the owning thread to restart the session timer as necessary. Consequently, we now can sweep the session lists at their respective timeouts, rather than sweeping all the lists at the pace of the shortest timeout value, just taking care to wake up if the session requeue to a different list results in needing to wake up earlier. Change-Id: Ifc8c500f6988748f4cd3dc184dd7824321aaaaca Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-09-24 | Trivial: Clean up some typos. | Paul Vinciguerra | 9 | -14/+14
Change-Id: I085615fde1f966490f30ed5d32017b8b088cfd59 Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2018-09-14 | acl-plugin: do not do clib_smp_atomic_add on per-worker counters | Andrew Yourtchenko | 1 | -2/+2
Just do a regular increment, since we are not contending for these counters. This also makes the tests pass on ARM ThunderX (VPP-1395). Change-Id: I333aaa11d4145d13d322868900bc114df85a020d Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-09-06 | acl-plugin: VPP-1400: fix crash when removing a session entry | Andrew Yourtchenko | 1 | -0/+2
bihash deletion operation may in turn do underlying memory operations, so ensure it is using the correct (private) heap. Change-Id: Ibef7ad7f9db6fa83da02316bf7509072ce579bc0 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> (cherry picked from commit f74b4d2b559b1d5697fd625d9c8e0f76ba5a4463)
2018-09-05 | acl-plugin: VPP-1400: VPP may crash when performing ACL modifications on applied ACLs | Andrew Yourtchenko | 2 | -61/+91
The partition_split() did not increment the refcount when using a mask type index, thus subsequent modifications potentially resulted in double frees and in the best case immediate crash, in the worst case delayed crash in another place. Introduce the lock_mask_type_index() and call it, move the mask type index related functions closer to the top of the file. Make the assignment of the new mask type indices for the tuplemerge case to use the assign_mask_type_index(). Keep some debugs in case we need to investigate this further at some point. Change-Id: Iae370f5cd92e1fe1442480db34656a8a3442dbc0 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> (cherry picked from commit 1edc406da3d4f6e63de2f278360b5753f55c00df)
2018-09-03 | acl-plugin: fix the memory leak with colliding entries storage | Andrew Yourtchenko | 1 | -4/+73
Change-Id: I634971f6376a7ea49de718ade9139e67eeed48e5 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> (cherry picked from commit d039281e11cfc4580fe140e72390c1c48688c722)
2018-08-27 | cmake: Fix plugins .h includes | Mohsin Kazmi | 1 | -0/+5
Change-Id: I90600d000afb02e8969f3c01bcf9e4b5c10a7d39 Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
2018-08-27 | cmake: add missing vat plugins | Damjan Marion | 1 | -0/+3
Change-Id: Ib61f0299c17c0f021408ab0a44c5b54f55f8a8ec Signed-off-by: Damjan Marion <damarion@cisco.com>
2018-08-25 | cmake: improve add_vpp_plugin macro | Damjan Marion | 1 | -2/+5
Change-Id: Iffd5c45ab242a919592a1f686f7f880936b68a1a Signed-off-by: Damjan Marion <damarion@cisco.com>
2018-08-17 | CMake as an alternative to autotools (experimental) | Damjan Marion | 1 | -0/+21
Change-Id: Ibc59323e849810531dd0963e85493efad3b86857 Signed-off-by: Damjan Marion <damarion@cisco.com>