aboutsummaryrefslogtreecommitdiffstats
path: root/src/vnet/ip/ip_in_out_acl.c
AgeCommit message (Collapse)AuthorFilesLines
2023-02-02ip: fix ip ACL tracesBenoît Ganne1-6/+9
If we match a next table, we must save its index in the trace instead of the index of the 1st table. Type: fix Change-Id: Idd862242e7fc200eb3ab29b17a26131b844af2c0 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2022-06-29classify: use 32 bits hashBenoît Ganne1-16/+16
classify hash used to be stored as u64 in buffer metadata, use 32 bits instead: - on almost all our supported arch (x86 and arm64) we use crc32c intrinsics to compute the final hash: we really get a 32-bits hash - the hash itself is used to compute a 32-bits bucket index by masking upper bits: we always discard the higher 32-bits - this allows to increase the l2 classify buffer metadata padding such as it does not overlap with the ip fib_index metadata anymore. This overlap is an issue when using the 'set metadata' action in the ip ACL node which updates both fields Type: fix Change-Id: I5d35bdae97b96c3cae534e859b63950fb500ff50 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2022-06-10ip: improve ip ACL tracesBenoît Ganne1-8/+23
Type: improvement Change-Id: I85c73cb940d81d0b249eda0d57de135bcd798418 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2022-03-08ip: set fib_index before exiting input ACL nodeArthur de Kerhor1-40/+75
While setting an ACL, a user can specify the adjacency to follow after the input ACL node. Thus, we may skip a lookup and enter directly a local node (ex: ip4_local). To prevent the local source check from failing, we need to specify the fib index. And, we have to do it just before exiting the input ACL node because the l2_classify object is overlapping with the fib_index in the vnet_buffer_opaque_t struct. We could have added a padding to avoid this overlap but there is no place for that in the structure. Type: fix Signed-off-by: Arthur de Kerhor <arthurdekerhor@gmail.com> Change-Id: I383c36e4aec08d181f966f28565aefed950d2a74
2021-11-02ip: fix coverity warningKlement Sekera1-1/+1
Remove unnecessary NULL check of t0, which causes coverity to scream. t0 is always initilised to *something* by doing pool_elt_at_index(). Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I7cf21767c43a24923e490ad40622743c17142fe2
2021-10-06ip: add classifier-based ACLs support on ip puntBenoît Ganne1-234/+184
This feature allows one to add classifier-based ACLs on packets punted from the ip infra, eg. to only whitelist specific sender(s). Type: feature Change-Id: Idab37b188583efbca980038875fc3e540cb2e880 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-07-15misc: replace CLIB_PREFETCH with clib_prefetch_{load,store}Damjan Marion1-2/+2
Type: refactor Change-Id: Id10cbf52e8f2dd809080a228d8fa282308be84ac Signed-off-by: Damjan Marion <damarion@cisco.com>
2020-09-28classify: preformance improvements in classifiersRay Kinsella1-285/+649
Reworked the code to reduce line fill buffer pressure. Improved compiler loop unrolling, over the existing complex hand-unrolling. Updated the code to use vlib_get_buffers & vlib_buffer_enqueue_to_next. Type: improvement Signed-off-by: Ray Kinsella <mdr@ashroe.eu> Change-Id: I7dca7515ba91672eaf50a6eecd13811210cf0006
2019-03-12ip: migrate old MULTIARCH macros to VLIB_NODE_FNFilip Tehlar1-24/+14
Change-Id: Id55ec87724e421d5b722314f9302c6ade7545306 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2018-10-25ACL: Fix next_table_index classifiers consistancyGregory Thiemonge1-5/+17
Fixed consistancy between the first classifier match and the next_table_index classifier matches: - CLASSIFY_ACTION_SET_METADATA was applied only for the first classifier, but it was not applied for the other classifiers - Actions should be performed only for input ACLs - Payload should point at the IP header for output ACLs Change-Id: Ifbd7791756320ae3198520c41902f5e99e3d40b4 Signed-off-by: Gregory Thiemonge <gregory.thiemonge@enea.com>
2018-02-07classifier-based ACL: refactor + add output ACLAndrew Yourtchenko1-0/+589
For implementation of MACIP ACLs enhancement (VPP-1088), an outbound classifier-based ACL would be needed. There was an existing incomplete code for outbound ACLs, it looked almost exact copy of input ACLs, minus the various enhancements, trying to sync that code seemed error-prone and cumbersome to maintain in the longer run. This change refactors the input+output ACLs processing into a unified routine (thus any changes will have effect on both), and also adds the API to set the output interface ACL, with the same format and semantics as the existing input one (except working on output ACL of course). WARNING: IP outbound ACL in L3 mode clobbers the ip.* fields in the vnet_buffer_opaque_t, since the code is using l2_classify.* The net_buffer (p0)->ip.save_rewrite_length is rescued into l2_classify.pad.l2_len, and used to rewind the header in case of drop, so that ipX_drop prints something sensible. Change-Id: I62f814f1e3650e504474a3a5359edb8a0a8836ed Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>