for plumbing
This makes ACL plugin use the new feature arcs, which slightly increases performance.
Since for ethertype whitelisting we were using the L2 classifier, to retain
the functionality, make a simple node doing that, and plug it into non-ip
L2 feature arc whenever needed.
Change-Id: I3add377a6c790117dd3fd056e5615cb4c4438cf4
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
And improve the robustness of the ethertype whitelist test coverage
Change-Id: I64fe3a25208dbc619ae5cd6404f6122e69394a38
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Change-Id: I9d5b5d925fd2c09a1113fc51e433a16d729a241b
Signed-off-by: Klement Sekera <ksekera@cisco.com>
- Ignore warnings W504 (newline after binary operator) which otherwise
occur a significant number of times.
- Fix two instances of lines >79 chars.
Change-Id: I8cef56f8afc237187995e638e610c8c0554e2bb5
Signed-off-by: Chris Luke <chrisy@flirble.org>
There was no test coverage for a scenario of an interface having an
ACL and that interface being deleted. Add a basic sanity test which
applies an ACL to an interface and then deletes that interface.
Change-Id: Ib6462e02cf69f1173125ac2481c608f68eb389ac
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Currently, ACL plugin largely does not care about the
ethertypes other than 0x0800 (IPv4) and 0x86dd (IPv6),
the only exception being 0x0806 (ARP), which is
dealt with by the MACIP ACLs.
The other ethertypes in L2 mode are just let through.
This adds a new API message acl_interface_set_etype_whitelist,
which allows flipping the mode of a given interface
into "ethertype whitelist mode": the caller of this message
must supply the two lists (inbound and outbound) of the ethertypes
that are to be permitted; the rest of the ethertypes are
dropped.
The whitelisting for a given interface and direction takes
effect only when a policy ACL is also applied.
This operates on the same classifier node as the one used for
dispatching the policy ACL, thus, if one wishes for most of the
reasonable IPv4 deployments to continue to operate within
the whitelist mode, they must permit the ARP ethertype (0x0806).
The empty list for a given direction resets the processing
to allow the unknown ethertypes. So, if one wants to just
permit the IPv4 and IPv6 and nothing else, one can add
their ethertypes to the whitelist.
Add the "show acl-plugin interface" corresponding outputs
about the whitelists, vat command, and unittests.
Change-Id: I4659978c801f36d554b6615e56e424b77876662c
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Added two new errors:
ACL_IN_USE_INBOUND
ACL_IN_USE_OUTBOUND
Update ACL tests to expect new, precise return values.
Change-Id: I644861a18aa5b70cce5f451dd6655641160c7697
Signed-off-by: Jon Loeliger <jdl@netgate.com>
Change-Id: I286b61d41cc2b557de3eb8801ff95c643f680acd
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Dynamically calculate the required buffer size to pack into based on
message definition. Also add input parameter length checking.
Change-Id: I7633bec596e4833bb328fbf63a65b866c7985de5
Signed-off-by: Ole Troan <ot@cisco.com>
The replacement of [] with pool_elt_at_index and the subsequent fix of it
were incorrect - it was equivalent to &[], since it returns a pointer to
the element. I've added VPP-993 previously to create a testcase,
so this commit partially fulfills that one as well.
Change-Id: I5b15e3ce48316f0429232aacf885e8f7c63d9522
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Change-Id: I1d3818027b8a1fcb1ec12016e3476b5c22a2d5a5
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
portrange matches on the same hash key (VPP-937)
Multiple portranges that land on the same hash key will always report the match
on the first portrange - even when the subsequent portranges have matched.
Test escape, so make a corresponding test case and fix the code so it passes.
(the commit on stable/1707 has erroneously mentioned the VPP-938 Jira ticket)
Change-Id: Idbeb8a122252ead2468f5f9dbaf72cf0e8bb78f1
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
(cherry picked from commit fb088f0a201270e949469c915c529d75ad13353e)
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Add a bihash-based ACL lookup mechanism and make it a new default.
This changes the time required to lookup a 5-tuple match
from O(total_N_entries) to O(total_N_mask_types), where
"mask type" is an overall mask on the 5-tuple required
to represent an ACE.
For testing/comparison there is a temporary debug CLI
"set acl-plugin use-hash-acl-matching {0|1}", which,
when set to 0, makes the plugin use the "old" linear lookup,
and when set to 1, makes it use the hash-based lookup.
Based on the discussions on the vpp-dev mailing list,
prevent assigning the ACL index to an interface
when the ACL with that index is not defined;
also prevent deleting an ACL if that ACL is applied.
Also, for the easier debugging of the state, there are
new debug CLI commands to see the ACL plugin state at
several layers:
"show acl-plugin acl [index N]" - show a high-level
ACL representation, used for the linear lookup and
as a base for building the hashtable-based lookup.
Also shows if a given ACL is applied somewhere.
"show acl-plugin interface [sw_if_index N]" - show
which interfaces have which ACL(s) applied.
"show acl-plugin tables" - a lower-level debug command
used to see the state of all of the related data structures
at once. There are specifiers possible, which make
for a more focused and maybe augmented output:
"show acl-plugin tables acl [index N]"
show the "bitmask-ready" representations of the ACLs,
as well as the mask types and their associated indices.
"show acl-plugin tables mask"
show the derived mask types and their indices only.
"show acl-plugin tables applied [sw_if_index N]"
show the table of all of the ACEs applied for a given
sw_if_index or all interfaces.
"show acl-plugin tables hash [verbose N]"
show the 48x8 bihash used for the ACL lookup.
Change-Id: I89fff051424cb44bcb189e3cee04c1b8f76efc28
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Change-Id: Ide4f9bd6158fb64d069540fb43f4e593e39d6ff3
Signed-off-by: Pavel Kotucek <pkotucek@cisco.com>
(VPP-682)
This fixes the previously-implicit "drop all non-first fragments" behavior
to be more in line with security rules: a non-first fragment is treated
for the purposes of matching the ACL as a packet with the port
match succeeding. This allows changing the behavior to permit
the fragmented packets for the default "permit specific rules"
ruleset, but also gives the flexibility to block the non-initial
fragments by inserting into the beginning a bogus rule
which would deny the L4 traffic.
Also, add a knob which allows potentially turning this behavior off
in case of a dire need (and reverting to dropping all non-initial fragments),
via a debug CLI.
Change-Id: I546b372b65ff2157d9c68b1d32f9e644f1dd71b4
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
(cherry picked from commit 9fc0c26c6b28fd6c8b8142ea52f52eafa7e8c7ac)
Change-Id: I95113a277b94cce5ff332fcf9f57ec6f385acec0
Signed-off-by: Pavel Kotucek <pkotucek@cisco.com>