From 1b696ac9b334aa9305925e4759c6c6f6b47c3328 Mon Sep 17 00:00:00 2001 From: Dave Barach Date: Fri, 13 Sep 2019 17:47:50 -0400 Subject: misc: classifier-based packet trace filter See .../src/vnet/classify/trace_classify.h for the business end of the scheme. It would be best to hash pkts, prefetch buckets, and do the primary table lookups two at a time. The inline as given works, but perf tuning will be required. "At least it works..." Add "classify filter" debug cli, for example: classify filter mask l3 ip4 src dst \ match l3 ip4 dst 192.168.2.10 src 192.168.1.10 Add "pcap rx | tx trace ... filter" to use the current classify filter chain Patch includes sphinx documentation and doxygen tags. Next step: device-driver integration Type: feature Signed-off-by: Dave Barach Change-Id: I05b1358a769f61e6d32470e0c87058f640486b26 (cherry picked from commit 9137e5400699bed9f7c0095187839a8b38273100) --- src/vlib/main.h | 1 + src/vnet/CMakeLists.txt | 2 + src/vnet/classify/trace_classify.h | 100 +++++++++++++ src/vnet/classify/vnet_classify.c | 296 ++++++++++++++++++++++++++++++++++++- src/vnet/ethernet/node.c | 16 +- src/vnet/interface.h | 1 + src/vnet/interface_cli.c | 19 ++- src/vnet/interface_output.c | 19 ++- src/vnet/vnet.h | 3 + 9 files changed, 450 insertions(+), 7 deletions(-) create mode 100644 src/vnet/classify/trace_classify.h (limited to 'src') diff --git a/src/vlib/main.h b/src/vlib/main.h index 05687a8c987..88ce98bb405 100644 --- a/src/vlib/main.h +++ b/src/vlib/main.h @@ -63,6 +63,7 @@ typedef struct int pcap_enable; u32 pcap_sw_if_index; pcap_main_t pcap_main; + u32 filter_classify_table_index; } vnet_pcap_t; typedef struct vlib_main_t diff --git a/src/vnet/CMakeLists.txt b/src/vnet/CMakeLists.txt index 2a783810fdd..1e51f3d7102 100644 --- a/src/vnet/CMakeLists.txt +++ b/src/vnet/CMakeLists.txt @@ -384,6 +384,7 @@ list(APPEND VNET_API_FILES lldp/lldp.api) ############################################################################## list(APPEND VNET_SOURCES classify/vnet_classify.c + classify/trace_classify.h classify/ip_classify.c classify/in_out_acl.c classify/policer_classify.c @@ -400,6 +401,7 @@ list(APPEND VNET_MULTIARCH_SOURCES list(APPEND VNET_HEADERS classify/vnet_classify.h + classify/trace_classify.h classify/in_out_acl.h classify/policer_classify.h classify/flow_classify.h diff --git a/src/vnet/classify/trace_classify.h b/src/vnet/classify/trace_classify.h new file mode 100644 index 00000000000..bc25ecd0ff7 --- /dev/null +++ b/src/vnet/classify/trace_classify.h @@ -0,0 +1,100 @@ +/* + * trace_classify.h - Use the classifier to decide if a packet is traced + * + * Copyright (c) 2019 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#include +#include +#include +#include + +/** @file trace_classify.h + * Use the vpp classifier to decide whether to trace packets + */ + +/** @brief vnet_is_packet_traced + * @param vlib_buffer_t *b - packet to classify + * @param int func - 0 => use classifier w/ supplied table index + * @param u32 classify_table_index - classifier table index + * @return 0 => no trace, 1 => trace, -1 => error + */ + +static inline int +vnet_is_packet_traced_inline (vlib_buffer_t * b, + u32 classify_table_index, int func) +{ + vnet_classify_main_t *vcm = &vnet_classify_main; + vnet_classify_table_t *t; + vnet_classify_entry_t *e; + u64 hash; + + /*$$$ add custom classifiers here, if any */ + if (func != 0) + return -1; + + /* This will happen... */ + if (pool_is_free_index (vcm->tables, classify_table_index)) + return -1; + + /* Get the table */ + t = pool_elt_at_index (vcm->tables, classify_table_index); + + /* Hash the packet */ + hash = vnet_classify_hash_packet (t, vlib_buffer_get_current (b)); + + /* See if there's a matching entry */ + e = vnet_classify_find_entry (t, vlib_buffer_get_current (b), hash, + 0 /* time = 0, disables hit-counter */ ); + /* Hit means trace the packet... */ + if (e) + { + /* Manual hit accounting */ + e->hits++; + return 1; + } + + /* + * Look for a hit in a less-specific table. + * Performance hint: for this use-case, don't go there. + */ + while (1) + { + /* Most likely, we're done right now */ + if (PREDICT_TRUE (t->next_table_index == ~0)) + return 0; + t = pool_elt_at_index (vcm->tables, t->next_table_index); + + /* Compute hash for this table */ + hash = vnet_classify_hash_packet (t, vlib_buffer_get_current (b)); + + /* See if there's a matching entry */ + e = vnet_classify_find_entry (t, vlib_buffer_get_current (b), hash, + 0 /* time = 0, disables hit-counter */ ); + if (e) + { + /* Manual hit accounting */ + e->hits++; + return 1; + } + } + /* NOTREACHED */ +} + +/* + * fd.io coding-style-patch-verification: ON + * + * Local Variables: + * eval: (c-set-style "gnu") + * End: + */ diff --git a/src/vnet/classify/vnet_classify.c b/src/vnet/classify/vnet_classify.c index b807a2679a7..94cc2419775 100755 --- a/src/vnet/classify/vnet_classify.c +++ b/src/vnet/classify/vnet_classify.c @@ -20,6 +20,11 @@ #include #include +/** + * @file + * @brief N-tuple classifier + */ + vnet_classify_main_t vnet_classify_main; #if VALIDATION_SCAFFOLDING @@ -939,6 +944,10 @@ unformat_ip4_mask (unformat_input_t * input, va_list * args) u8 *mask = 0; u8 found_something = 0; ip4_header_t *ip; + u32 src_prefix_len = 32; + u32 src_prefix_mask = ~0; + u32 dst_prefix_len = 32; + u32 dst_prefix_mask = ~0; #define _(a) u8 a=0; foreach_ip4_proto_field; @@ -953,6 +962,18 @@ unformat_ip4_mask (unformat_input_t * input, va_list * args) version = 1; else if (unformat (input, "hdr_length")) hdr_length = 1; + else if (unformat (input, "src/%d", &src_prefix_len)) + { + src_address = 1; + src_prefix_mask &= ~((1 << (32 - src_prefix_len)) - 1); + src_prefix_mask = clib_host_to_net_u32 (src_prefix_mask); + } + else if (unformat (input, "dst/%d", &dst_prefix_len)) + { + dst_address = 1; + dst_prefix_mask &= ~((1 << (32 - dst_prefix_len)) - 1); + dst_prefix_mask = clib_host_to_net_u32 (dst_prefix_mask); + } else if (unformat (input, "src")) src_address = 1; else if (unformat (input, "dst")) @@ -982,6 +1003,12 @@ unformat_ip4_mask (unformat_input_t * input, va_list * args) foreach_ip4_proto_field; #undef _ + if (src_address) + ip->src_address.as_u32 = src_prefix_mask; + + if (dst_address) + ip->dst_address.as_u32 = dst_prefix_mask; + ip->ip_version_and_header_length = 0; if (version) @@ -1577,7 +1604,7 @@ classify_table_command_fn (vlib_main_t * vm, if (!is_add && table_index == ~0) return clib_error_return (0, "table index required for delete"); - rv = vnet_classify_add_del_table (cm, mask, nbuckets, memory_size, + rv = vnet_classify_add_del_table (cm, mask, nbuckets, (u32) memory_size, skip, match, next_table_index, miss_next_index, &table_index, current_data_flag, current_data_offset, @@ -1595,7 +1622,8 @@ classify_table_command_fn (vlib_main_t * vm, } /* *INDENT-OFF* */ -VLIB_CLI_COMMAND (classify_table, static) = { +VLIB_CLI_COMMAND (classify_table, static) = +{ .path = "classify table", .short_help = "classify table [miss-next|l2-miss_next|acl-miss-next ]" @@ -1607,6 +1635,268 @@ VLIB_CLI_COMMAND (classify_table, static) = { }; /* *INDENT-ON* */ +static int +filter_table_mask_compare (void *a1, void *a2) +{ + vnet_classify_main_t *cm = &vnet_classify_main; + u32 *ti1 = a1; + u32 *ti2 = a2; + u32 n1 = 0, n2 = 0; + vnet_classify_table_t *t1, *t2; + u8 *m1, *m2; + int i; + + t1 = pool_elt_at_index (cm->tables, *ti1); + t2 = pool_elt_at_index (cm->tables, *ti2); + + m1 = (u8 *) (t1->mask); + m2 = (u8 *) (t2->mask); + + for (i = 0; i < vec_len (t1->mask) * sizeof (u32x4); i++) + { + n1 += count_set_bits (m1[0]); + m1++; + } + + for (i = 0; i < vec_len (t2->mask) * sizeof (u32x4); i++) + { + n2 += count_set_bits (m2[0]); + m2++; + } + + /* Reverse sort: descending number of set bits */ + if (n1 < n2) + return 1; + else if (n1 > n2) + return -1; + else + return 0; +} + +static clib_error_t * +classify_filter_command_fn (vlib_main_t * vm, + unformat_input_t * input, + vlib_cli_command_t * cmd) +{ + u32 nbuckets = 8; + vnet_main_t *vnm = vnet_get_main (); + uword memory_size = (uword) (128 << 10); + u32 skip = ~0; + u32 match = ~0; + u8 *match_vector; + int is_add = 1; + int del_chain = 0; + u32 table_index = ~0; + u32 next_table_index = ~0; + u32 miss_next_index = ~0; + u32 current_data_flag = 0; + int current_data_offset = 0; + int i; + vnet_classify_table_t *t; + u8 *mask = 0; + vnet_classify_main_t *cm = &vnet_classify_main; + int rv = 0; + + while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT) + { + if (unformat (input, "del")) + is_add = 0; + else if (unformat (input, "buckets %d", &nbuckets)) + ; + else if (unformat (input, "mask %U", unformat_classify_mask, + &mask, &skip, &match)) + ; + else if (unformat (input, "memory-size %U", unformat_memory_size, + &memory_size)) + ; + else + break; + } + + if (is_add && mask == 0 && table_index == ~0) + return clib_error_return (0, "Mask required"); + + if (is_add && skip == ~0 && table_index == ~0) + return clib_error_return (0, "skip count required"); + + if (is_add && match == ~0 && table_index == ~0) + return clib_error_return (0, "match count required"); + + if (!is_add) + { + if (vec_len (vnm->classify_filter_table_indices) == 0) + return clib_error_return (0, "No classify filter set..."); + + del_chain = 1; + table_index = vnm->classify_filter_table_indices[0]; + vec_reset_length (vnm->classify_filter_table_indices); + } + + /* see if we already have a table for that... */ + + if (is_add) + { + for (i = 0; i < vec_len (vnm->classify_filter_table_indices); i++) + { + t = pool_elt_at_index (cm->tables, i); + /* classifier geometry mismatch, can't use this table */ + if (t->match_n_vectors != match || t->skip_n_vectors != skip) + continue; + /* Masks aren't congruent, can't use this table */ + if (vec_len (t->mask) != vec_len (mask)) + continue; + /* Masks aren't bit-for-bit identical, can't use this table */ + if (memcmp (t->mask, mask, vec_len (mask))) + continue; + + /* Winner... */ + table_index = i; + goto found_table; + } + } + + rv = vnet_classify_add_del_table (cm, mask, nbuckets, memory_size, + skip, match, next_table_index, + miss_next_index, &table_index, + current_data_flag, current_data_offset, + is_add, del_chain); + vec_free (mask); + + switch (rv) + { + case 0: + break; + + default: + return clib_error_return (0, "vnet_classify_add_del_table returned %d", + rv); + } + + if (is_add == 0) + return 0; + + /* Remember the table */ + vec_add1 (vnm->classify_filter_table_indices, table_index); + +found_table: + + /* Now try to parse a session */ + if (unformat (input, "match %U", unformat_classify_match, + cm, &match_vector, table_index) == 0) + return 0; + + + /* + * We use hit or miss to determine whether to trace or pcap pkts + * so the session setup is very limited + */ + rv = vnet_classify_add_del_session (cm, table_index, + match_vector, 0 /* hit_next_index */ , + 0 /* opaque_index */ , + 0 /* advance */ , + 0 /* action */ , + 0 /* metadata */ , + 1 /* is_add */ ); + + vec_free (match_vector); + + /* Sort filter tables from most-specific mask to least-specific mask */ + vec_sort_with_function (vnm->classify_filter_table_indices, + filter_table_mask_compare); + + ASSERT (vec_len (vnm->classify_filter_table_indices)); + + /* Setup next_table_index fields */ + for (i = 0; i < vec_len (vnm->classify_filter_table_indices); i++) + { + t = pool_elt_at_index (cm->tables, + vnm->classify_filter_table_indices[i]); + + if ((i + 1) < vec_len (vnm->classify_filter_table_indices)) + t->next_table_index = vnm->classify_filter_table_indices[i + 1]; + else + t->next_table_index = ~0; + } + + return 0; +} + +/*? + * Construct an arbitrary set of packet classifier tables for use with + * "pcap rx | tx trace," and (eventually) with the vpp packet + * tracer + * + * Packets which match a rule in the classifier table chain + * will be traced. The tables are automatically ordered so that + * matches in the most specific table are tried first. + * + * It's reasonably likely that folks will configure a single + * table with one or two matches. As a result, we configure + * 8 hash buckets and 128K of match rule space. One can override + * the defaults by specifiying "buckets " and "memory-size " + * as desired. + * + * To build up complex filter chains, repeatedly issue the + * classify filter debug CLI command. Each command must specify the desired + * mask and match values. If a classifier table with a suitable mask + * already exists, the CLI command adds a match rule to the existing table. + * If not, the CLI command add a new table and the indicated mask rule + * + * Here is a terse description of the "mask " syntax: + * + * l2 src dst proto tag1 tag2 ignore-tag1 ignore-tag2 cos1 cos2 dot1q dot1ad + * + * l3 ip4 ip6 + * + * version hdr_length src[/width] dst[/width] + * tos length fragment_id ttl protocol checksum + * + * version traffic-class flow-label src dst proto + * payload_length hop_limit protocol + * + * l4 tcp udp src_port dst_port + * + * src dst # ports + * + * src_port dst_port + * + * To construct matches, add the values to match after the indicated keywords: + * in the match syntax. For example: + * mask l3 ip4 src -> match l3 ip4 src 192.168.1.11 + * + * @cliexpar + * Configuring the classify filter + * + * Configure a simple classify filter, and configure pcap rx trace to use it: + * + * classify filter mask l3 ip4 src match l3 ip4 src 192.168.1.11"
+ * pcap rx trace on max 100 filter + * + * Configure another fairly simple filter + * + * classify filter mask l3 ip4 src dst match l3 ip4 src 192.168.1.10 dst 192.168.2.10" + * + * Clear all current classifier filters + * + * classify filter del + * + * To inspect the classifier tables, use + * + * show classify table [verbose] + * The verbose form displays all of the match rules, with hit-counters + * @cliexend + ?*/ +/* *INDENT-OFF* */ +VLIB_CLI_COMMAND (classify_filter, static) = +{ + .path = "classify filter", + .short_help = + "classify filter mask match [del]" + "[buckets ] [memory-size ]", + .function = classify_filter_command_fn, +}; +/* *INDENT-ON* */ + static u8 * format_vnet_classify_table (u8 * s, va_list * args) { @@ -2442,7 +2732,7 @@ vnet_classify_init (vlib_main_t * vm) VLIB_INIT_FUNCTION (vnet_classify_init); -#define TEST_CODE 1 +#define TEST_CODE 0 #if TEST_CODE > 0 diff --git a/src/vnet/ethernet/node.c b/src/vnet/ethernet/node.c index 1f408de1bb5..cfbad8b8cc0 100755 --- a/src/vnet/ethernet/node.c +++ b/src/vnet/ethernet/node.c @@ -44,6 +44,7 @@ #include #include #include +#include #define foreach_ethernet_input_next \ _ (PUNT, "error-punt") \ @@ -993,15 +994,29 @@ ethernet_input_trace (vlib_main_t * vm, vlib_node_runtime_t * node, if (PREDICT_FALSE (vlib_global_main.pcap[VLIB_RX].pcap_enable)) { u32 bi0; + vnet_main_t *vnm = vnet_get_main (); from = vlib_frame_vector_args (from_frame); n_left = from_frame->n_vectors; while (n_left > 0) { + int classify_filter_result; vlib_buffer_t *b0; bi0 = from[0]; from++; + n_left--; b0 = vlib_get_buffer (vm, bi0); + if (vec_len (vnm->classify_filter_table_indices)) + { + classify_filter_result = + vnet_is_packet_traced_inline + (b0, vnm->classify_filter_table_indices[0], + 0 /* full classify */ ); + if (classify_filter_result) + pcap_add_buffer (&vlib_global_main.pcap[VLIB_RX].pcap_main, + vm, bi0, 512); + continue; + } if (vlib_global_main.pcap[VLIB_RX].pcap_sw_if_index == 0 || vlib_global_main.pcap[VLIB_RX].pcap_sw_if_index @@ -1010,7 +1025,6 @@ ethernet_input_trace (vlib_main_t * vm, vlib_node_runtime_t * node, pcap_add_buffer (&vlib_global_main.pcap[VLIB_RX].pcap_main, vm, bi0, 512); } - n_left--; } } } diff --git a/src/vnet/interface.h b/src/vnet/interface.h index 42aada453c1..0c273c6c7d2 100644 --- a/src/vnet/interface.h +++ b/src/vnet/interface.h @@ -901,6 +901,7 @@ typedef struct u32 packets_to_capture; vlib_rx_or_tx_t rxtx; u32 sw_if_index; + int filter; } vnet_pcap_dispatch_trace_args_t; int vnet_pcap_dispatch_trace_configure (vnet_pcap_dispatch_trace_args_t *); diff --git a/src/vnet/interface_cli.c b/src/vnet/interface_cli.c index 08d9628730c..4ad0cb025bd 100644 --- a/src/vnet/interface_cli.c +++ b/src/vnet/interface_cli.c @@ -1699,6 +1699,7 @@ int vnet_pcap_dispatch_trace_configure (vnet_pcap_dispatch_trace_args_t * a) { vlib_main_t *vm = vlib_get_main (); + vnet_main_t *vnm = vnet_get_main (); vlib_rx_or_tx_t rxtx = a->rxtx; vnet_pcap_t *pp = &vm->pcap[rxtx]; pcap_main_t *pm = &pp->pcap_main; @@ -1734,6 +1735,10 @@ vnet_pcap_dispatch_trace_configure (vnet_pcap_dispatch_trace_args_t * a) && (pm->n_packets_to_capture != a->packets_to_capture)) return VNET_API_ERROR_INVALID_VALUE_2; + if (a->enable && a->filter + && (vec_len (vnm->classify_filter_table_indices) == 0)) + return VNET_API_ERROR_NO_SUCH_LABEL; + if (a->enable) { /* Clean up from previous run, if any */ @@ -1754,6 +1759,11 @@ vnet_pcap_dispatch_trace_configure (vnet_pcap_dispatch_trace_args_t * a) pm->packet_type = PCAP_PACKET_TYPE_ethernet; pm->n_packets_to_capture = a->packets_to_capture; pp->pcap_sw_if_index = a->sw_if_index; + if (a->filter) + pp->filter_classify_table_index = + vnm->classify_filter_table_indices[0]; + else + pp->filter_classify_table_index = ~0; pp->pcap_enable = 1; } else @@ -1796,6 +1806,7 @@ pcap_trace_command_internal (vlib_main_t * vm, int rv; int enable = 0; int status = 0; + int filter = 0; u32 sw_if_index = 0; /* Get a line of input. */ @@ -1826,6 +1837,8 @@ pcap_trace_command_internal (vlib_main_t * vm, ; else if (unformat (line_input, "intfc any")) sw_if_index = 0; + else if (unformat (line_input, "filter")) + filter = 1; else { return clib_error_return (0, "unknown input `%U'", @@ -1842,6 +1855,7 @@ pcap_trace_command_internal (vlib_main_t * vm, a->packets_to_capture = max; a->rxtx = rxtx; a->sw_if_index = sw_if_index; + a->filter = filter; rv = vnet_pcap_dispatch_trace_configure (a); @@ -1866,6 +1880,10 @@ pcap_trace_command_internal (vlib_main_t * vm, case VNET_API_ERROR_NO_SUCH_ENTRY: return clib_error_return (0, "No packets captured..."); + case VNET_API_ERROR_NO_SUCH_LABEL: + return clib_error_return + (0, "No classify filter configured, see 'classify filter...'"); + default: vlib_cli_output (vm, "WARNING: trace configure returned %d", rv); break; @@ -1958,7 +1976,6 @@ VLIB_CLI_COMMAND (pcap_rx_trace_command, static) = { }; /* *INDENT-ON* */ - /* * fd.io coding-style-patch-verification: ON * diff --git a/src/vnet/interface_output.c b/src/vnet/interface_output.c index bf21587ae4d..250d0dbe251 100644 --- a/src/vnet/interface_output.c +++ b/src/vnet/interface_output.c @@ -43,6 +43,7 @@ #include #include #include +#include typedef struct { @@ -813,13 +814,29 @@ static_always_inline void vnet_interface_pcap_tx_trace else sw_if_index = ~0; + vnet_main_t *vnm = vnet_get_main (); n_left_from = frame->n_vectors; from = vlib_frame_vector_args (frame); while (n_left_from > 0) { + int classify_filter_result; u32 bi0 = from[0]; vlib_buffer_t *b0 = vlib_get_buffer (vm, bi0); + from++; + n_left_from--; + + if (vec_len (vnm->classify_filter_table_indices)) + { + classify_filter_result = + vnet_is_packet_traced_inline + (b0, vnm->classify_filter_table_indices[0], + 0 /* full classify */ ); + if (classify_filter_result) + pcap_add_buffer (&vlib_global_main.pcap[VLIB_TX].pcap_main, vm, + bi0, 512); + continue; + } if (sw_if_index_from_buffer) sw_if_index = vnet_buffer (b0)->sw_if_index[VLIB_TX]; @@ -828,8 +845,6 @@ static_always_inline void vnet_interface_pcap_tx_trace vlib_global_main.pcap[VLIB_TX].pcap_sw_if_index == sw_if_index) pcap_add_buffer (&vlib_global_main.pcap[VLIB_TX].pcap_main, vm, bi0, 512); - from++; - n_left_from--; } } diff --git a/src/vnet/vnet.h b/src/vnet/vnet.h index 3b20f71917b..a726f0379ef 100644 --- a/src/vnet/vnet.h +++ b/src/vnet/vnet.h @@ -77,6 +77,9 @@ typedef struct vnet_main_t */ vnet_api_error_t api_errno; + /* pcap rx/tx, packet tracer filter tables */ + u32 *classify_filter_table_indices; + vlib_main_t *vlib_main; } vnet_main_t; -- cgit 1.2.3-korg