-rw-r--r--VNFs/vFW/pipeline/pipeline_vfw.c1
-rw-r--r--VNFs/vFW/pipeline/pipeline_vfw_be.c661
-rw-r--r--common/VIL/acl/lib_acl.c368
-rw-r--r--common/VIL/acl/lib_acl.h11
4 files changed, 2 insertions, 1039 deletions
diff --git a/VNFs/vFW/pipeline/pipeline_vfw.c b/VNFs/vFW/pipeline/pipeline_vfw.c
index 934e442a..f235bc59 100644
--- a/VNFs/vFW/pipeline/pipeline_vfw.c
+++ b/VNFs/vFW/pipeline/pipeline_vfw.c
@@ -2420,6 +2420,7 @@ static void cmd_vfw_clearstats_parsed(__attribute__ ((unused))
rte_vfw_counter_table[i].pkts_drop_ttl = 0;
rte_vfw_counter_table[i].pkts_drop_bad_size = 0;
rte_vfw_counter_table[i].pkts_drop_fragmented = 0;
+ rte_vfw_counter_table[i].pkts_drop_unsupported_type = 0;
rte_vfw_counter_table[i].pkts_drop_without_arp_entry = 0;
rte_vfw_counter_table[i].internal_time_sum = 0;
rte_vfw_counter_table[i].external_time_sum = 0;
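Review bot: The reset list in `cmd_vfw_clearstats_parsed` is maintained field by field, which is how `pkts_drop_unsupported_type` stayed uncleared until this line, and the next counter added to the table can be missed the same way. A drop counter that survives a clear gives operators misleading numbers when they read firewall statistics. Consider a comment above the list such as `/* every counter field must be reset here; update this list when adding a counter */`, or zeroing the whole entry in one step if no field is meant to be preserved. The function body starts before and continues past this hunk, so whether some fields are deliberately kept is not visible here.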
diff --git a/VNFs/vFW/pipeline/pipeline_vfw_be.c b/VNFs/vFW/pipeline/pipeline_vfw_be.c
index 0d3f5279..70057b41 100644
--- a/VNFs/vFW/pipeline/pipeline_vfw_be.c
+++ b/VNFs/vFW/pipeline/pipeline_vfw_be.c
@@ -529,228 +529,6 @@ static uint8_t check_arp_icmp(
return 1;
}
-
-/**
- * Performs basic VFW packet filtering.
- * @param pkts
- * A pointer to the packets.
- * @param pkts_mask
- * packet mask.
- * @param vfw_pipe
- * A pointer to VFW pipeline.
- */
-
-static uint64_t
-rte_vfw_packet_filter_and_process(struct rte_mbuf **pkts,
- uint64_t pkts_mask,
- struct pipeline_vfw *vfw_pipe)
-{
-
- /*
- * Make use of cache prefetch. At beginning of loop, want to prefetch
- * mbuf data for next iteration (not current one).
- * Note that ethernet header (14 bytes) is cache aligned. IPv4 header
- * is 20 bytes (extensions not supported), while the IPv6 header is 40
- * bytes. TCP header is 20 bytes, UDP is 8. One cache line prefetch
- * will cover IPv4 and TCP or UDP, but to get IPv6 and TCP,
- * need two pre-fetches.
- */
-
- uint8_t pos, next_pos = 0;
- uint64_t pkt_mask; /* bitmask representing a single packet */
- struct rte_mbuf *pkt;
- struct rte_mbuf *next_pkt = NULL;
- void *iphdr;
- void *next_iphdr = NULL;
-
- if (unlikely(pkts_mask == 0))
- return pkts_mask;
- pos = (uint8_t) __builtin_ctzll(pkts_mask);
- pkt_mask = 1LLU << pos; /* bitmask representing only this packet */
- pkt = pkts[pos];
- iphdr = RTE_MBUF_METADATA_UINT32_PTR(pkt, IP_START);
- rte_prefetch0(iphdr);
-
- uint64_t bytes_processed = 0;
- /* bitmap of packets left to process */
- uint64_t pkts_to_process = pkts_mask;
- /* bitmap of valid packets to return */
- uint64_t valid_packets = pkts_mask;
-
- /* prefetch counters, updated below. Most likely counters to update
- * at beginnning */
- rte_prefetch0(&vfw_pipe->counters);
-
- do { /* always execute at least once */
-
- /* remove this packet from remaining list */
- uint64_t next_pkts_to_process = pkts_to_process &= ~pkt_mask;
-
- if (likely(next_pkts_to_process)) {
- /* another packet to process after this, prefetch it */
-
- next_pos =
- (uint8_t) __builtin_ctzll(next_pkts_to_process);
- next_pkt = pkts[next_pos];
- next_iphdr =
- RTE_MBUF_METADATA_UINT32_PTR(next_pkt, IP_START);
- rte_prefetch0(next_iphdr);
- }
-
- int discard = 0;
- /* remove this packet from remaining list */
- pkts_to_process &= ~pkt_mask;
- if (enable_hwlb)
- if (!check_arp_icmp(pkt, vfw_pipe))
- discard = 1;
- uint32_t packet_length = rte_pktmbuf_pkt_len(pkt);
-
- bytes_processed += packet_length;
-
- if (rte_vfw_is_IPv4(pkt)) {
- struct ipv4_hdr *ihdr4 = (struct ipv4_hdr *)iphdr;
-
- /* verify that packet size according to mbuf is at least
- * as large as the size according to the IP header.
- */
-
- uint32_t ip_length = rte_bswap16(ihdr4->total_length);
-
- if (unlikely
- (ip_length > (packet_length - ETH_HDR_SIZE))) {
- discard = 1;
- vfw_pipe->counters->pkts_drop_bad_size++;
- }
-
- /*
- * IPv4 fragmented if: MF (more fragments) or Fragment
- * Offset are non-zero. Header in Intel order, so flip
- * constant to compensate. Note that IPv6 uses a header
- * extension for identifying fragments.
- */
-
- int fragmented = (ihdr4->fragment_offset & 0xff3f) != 0;
- uint8_t ttl = ihdr4->time_to_live;
-
- if (unlikely(fragmented)) {
- discard = 1;
- vfw_pipe->counters->pkts_drop_fragmented++;
- }
-
- /*
- * Behave like a router, and decrement the TTL of an
- * IP packet. If this causes the TTL to become zero,
- * the packet will be discarded. Unlike a router,
- * no ICMP code 11 (Time * Exceeded) message will be
- * sent back to the packet originator.
- */
-
- if (unlikely(ttl <= 1)) {
- /*
- * about to decrement to zero (or is somehow
- * already zero), so discard
- */
- discard = 1;
- vfw_pipe->counters->pkts_drop_ttl++;
- }
-
- /*
- * Dropping the packets other than TCP AND UDP.
- */
-
- uint8_t proto = ihdr4->next_proto_id;
-
- if (unlikely(!(proto == IP_TCP_PROTOCOL ||
- proto == IP_UDP_PROTOCOL ||
- proto == IP_ICMP_PROTOCOL))) {
- discard = 1;
- vfw_pipe->counters->
- pkts_drop_unsupported_type++;
- }
-
- if (unlikely(discard)) {
- valid_packets &= ~pkt_mask;
- }
-
- } else if (likely(rte_vfw_is_IPv6(pkt))) {
- struct ipv6_hdr *ihdr6 = (struct ipv6_hdr *)iphdr;
-
- /*
- * verify that packet size according to mbuf is at least
- * as large as the size according to the IP header.
- * For IPv6, note that size includes header extensions
- * but not the base header size
- */
-
- uint32_t ip_length =
- rte_bswap16(ihdr6->payload_len) + IPv6_HEADER_SIZE;
-
- if (unlikely
- (ip_length > (packet_length - ETH_HDR_SIZE))) {
- discard = 1;
- vfw_pipe->counters->pkts_drop_bad_size++;
- }
-
- /*
- * Dropping the packets other than TCP AND UDP.
- */
-
- uint8_t proto = ihdr6->proto;
-
- if (unlikely(!(proto == IP_TCP_PROTOCOL ||
- proto == IP_UDP_PROTOCOL ||
- proto == IP_ICMP_PROTOCOL))) {
- discard = 1;
- if (proto == IPv6_FRAGMENT_HEADER)
- vfw_pipe->counters->
- pkts_drop_fragmented++;
- else
- vfw_pipe->counters->
- pkts_drop_unsupported_type++;
- }
-
- /*
- * Behave like a router, and decrement the TTL of an
- * IP packet. If this causes the TTL to become zero,
- * the packet will be discarded. Unlike a router,
- * no ICMP code 11 (Time * Exceeded) message will be
- * sent back to the packet originator.
- */
-
- if (unlikely(ihdr6->hop_limits <= 1)) {
- /*
- * about to decrement to zero (or is somehow
- * already zero), so discard
- */
- discard = 1;
- vfw_pipe->counters->pkts_drop_ttl++;
- }
-
- if (unlikely(discard))
- valid_packets &= ~pkt_mask;
- else
- ihdr6->hop_limits--;
- } else
- /* discard non-ip */
- valid_packets &= ~pkt_mask;
-
- /* make next packet data the current */
- pkts_to_process = next_pkts_to_process;
- pos = next_pos;
- pkt = next_pkt;
- iphdr = next_iphdr;
- pkt_mask = 1LLU << pos;
-
- } while (pkts_to_process);
-
- /* finalize counters, etc. */
- vfw_pipe->counters->bytes_processed += bytes_processed;
-
- if (likely(firewall_flag))
- return valid_packets;
- else
- return pkts_mask;
-}
/**
* Performs basic VFW ipv4 packet filtering.
* @param pkts
@@ -1091,302 +869,6 @@ static inline void rte_sp_exchange_mac_addresses(struct ether_hdr *ehdr)
ether_addr_copy(&ehdr->s_addr, &ehdr->d_addr);
ether_addr_copy(&saved_copy, &ehdr->s_addr);
}
-/**
- * walk every valid mbuf (denoted by pkts_mask) and apply arp to the packet.
- * To support synproxy, some (altered) packets may need to be sent back where
- * they came from. The ip header has already been adjusted, but the ethernet
- * header has not, so this must be performed here.
- * Return an updated pkts_mask, since arp may drop some packets
- *
- * @param pkts
- * A pointer to the packet.
- * @param pkts_mask
- * Packet mask
- * @param synproxy_reply_mask
- * Reply Packet mask for Synproxy
- * @param vfw_pipe
- * A pointer to VFW pipeline.
- */
-
-static uint64_t
-rte_vfw_arp_packets(struct rte_mbuf **pkts,
- uint64_t pkts_mask,
- uint64_t synproxy_reply_mask,
- struct pipeline_vfw *vfw_pipe)
-{
- uint64_t pkts_to_arp = pkts_mask;
- uint32_t ret;
- uint32_t dest_if = INVALID_DESTIF;
- int ret_mac;
-
- for (; pkts_to_arp;) {
- struct ether_addr hw_addr;
- struct mbuf_tcp_meta_data *meta_data_addr;
- struct ether_hdr *ehdr;
- struct rte_mbuf *pkt;
- uint16_t phy_port;
- uint8_t pos = (uint8_t) __builtin_ctzll(pkts_to_arp);
- /* bitmask representing only this packet */
- uint64_t pkt_mask = 1LLU << pos;
- /* remove this packet from remaining list */
- pkts_to_arp &= ~pkt_mask;
- pkt = pkts[pos];
- int must_reverse = ((synproxy_reply_mask & pkt_mask) != 0);
-
- phy_port = pkt->port;
- meta_data_addr = (struct mbuf_tcp_meta_data *)
- RTE_MBUF_METADATA_UINT32_PTR(pkt, META_DATA_OFFSET);
- ehdr = rte_vfw_get_ether_addr(pkt);
-
- void *iphdr = RTE_MBUF_METADATA_UINT32_PTR(pkt, IP_START);
-
- if (rte_vfw_is_IPv4(pkt)) {
- struct ipv4_hdr *ihdr = (struct ipv4_hdr *)iphdr;
- uint32_t nhip = 0;
-
- uint32_t dest_address = rte_bswap32(ihdr->dst_addr);
-
- ret = local_get_nh_ipv4(dest_address, &dest_if,
- &nhip, vfw_pipe);
- if (must_reverse) {
- rte_sp_exchange_mac_addresses(ehdr);
- if (is_phy_port_privte(phy_port)) {
- if (!ret) {
- dest_if = get_pub_to_prv_port(
- &dest_address,
- IP_VERSION_4);
- if (dest_if == INVALID_DESTIF) {
- pkts_mask &= ~pkt_mask;
- vfw_pipe->counters->
- pkts_drop_without_arp_entry++;
- }
- do_local_nh_ipv4_cache(dest_if,
- vfw_pipe);
- }
-
- } else {
- if (!ret) {
- dest_if = get_prv_to_pub_port(
- &dest_address,
- IP_VERSION_4);
- if (dest_if == INVALID_DESTIF) {
- pkts_mask &= ~pkt_mask;
- vfw_pipe->counters->
- pkts_drop_without_arp_entry++;
- }
- do_local_nh_ipv4_cache(dest_if,
- vfw_pipe);
- }
- }
-
- } else if (is_phy_port_privte(phy_port)) {
- if (!ret) {
- dest_if = get_prv_to_pub_port(
- &dest_address,
- IP_VERSION_4);
- if (dest_if == INVALID_DESTIF) {
- pkts_mask &= ~pkt_mask;
- vfw_pipe->counters->
- pkts_drop_without_arp_entry++;
- }
- do_local_nh_ipv4_cache(dest_if,
- vfw_pipe);
- }
-
- } else {
- if (!ret) {
- dest_if = get_pub_to_prv_port(
- &dest_address,
- IP_VERSION_4);
- if (dest_if == INVALID_DESTIF) {
- pkts_mask &= ~pkt_mask;
- vfw_pipe->counters->
- pkts_drop_without_arp_entry++;
- }
- do_local_nh_ipv4_cache(dest_if,
- vfw_pipe);
- }
- }
-
- meta_data_addr->output_port =
- vfw_pipe->outport_id[dest_if];
- if (local_dest_mac_present(dest_if)) {
- ether_addr_copy(get_local_link_hw_addr(dest_if),
- &ehdr->d_addr);
- ether_addr_copy(get_link_hw_addr(dest_if),
- &ehdr->s_addr);
- } else {
- ret_mac = get_dest_mac_addr_port(dest_address,
- &dest_if, &hw_addr);
- if (ret_mac == ARP_FOUND) {
-
- link_hw_laddr_valid[dest_if] = 1;
- memcpy(&link_hw_laddr[dest_if], &hw_addr,
- sizeof(struct ether_addr));
-
- ether_addr_copy(&hw_addr,
- &ehdr->d_addr);
- ether_addr_copy(get_link_hw_addr(dest_if),
- &ehdr->s_addr);
-
- if (vfw_debug >= DEBUG_LEVEL_4) {
- char buf[HW_ADDR_SIZE];
-
- ether_format_addr(buf, sizeof(buf),
- &hw_addr);
- printf("MAC found for ip 0x%"PRIx32
- ",dest_if %d: %s, ",
- dest_address,
- dest_if, buf);
- ether_format_addr(buf, sizeof(buf),
- &ehdr->s_addr);
- printf("new eth hdr src: %s, ", buf);
- ether_format_addr(buf, sizeof(buf),
- &ehdr->d_addr);
- printf("new eth hdr dst: %s\n", buf);
- }
-
- } else {
-
- if (vfw_debug >= DEBUG_LEVEL_4) {
- char buf[HW_ADDR_SIZE];
-
- ether_format_addr(buf, sizeof(buf),
- &hw_addr);
- printf("MAC NOT FOUND for ip 0x%"
- PRIx32", dest_if %"
- PRId16": %s, ",
- dest_address,
- dest_if, buf);
- }
- /* ICMP req sent, drop packet by
- * changing the mask */
- pkts_mask &= ~pkt_mask;
- vfw_pipe->
- counters->pkts_drop_without_arp_entry++;
- }
-
- }
- } else if (likely(rte_vfw_is_IPv6(pkt))) {
- struct ipv6_hdr *ihdr = (struct ipv6_hdr *)iphdr;
- uint8_t dest_addr_ipv6[IPV6_ADD_SIZE];
-
- rte_mov16(dest_addr_ipv6, ihdr->dst_addr);
- uint8_t nh_ipv6[IPV6_ADD_SIZE];
-
- memset(nh_ipv6, 0, IPV6_ADD_SIZE);
- ret = local_get_nh_ipv6(&dest_addr_ipv6[0], &dest_if,
- &nh_ipv6[0], vfw_pipe);
- if (must_reverse) {
- rte_sp_exchange_mac_addresses(ehdr);
- if (is_phy_port_privte(phy_port)) {
- if (!ret) {
- dest_if = get_pub_to_prv_port(
- (uint32_t *)
- &dest_addr_ipv6[0],
- IP_VERSION_6);
- if (dest_if == INVALID_DESTIF) {
- pkts_mask &= ~pkt_mask;
- vfw_pipe->counters->
- pkts_drop_without_arp_entry++;
- }
- do_local_nh_ipv6_cache(dest_if,
- vfw_pipe);
- }
-
- } else {
- if (!ret) {
- dest_if = get_prv_to_pub_port(
- (uint32_t *)
- &dest_addr_ipv6[0],
- IP_VERSION_6);
- if (dest_if == INVALID_DESTIF) {
- pkts_mask &= ~pkt_mask;
- vfw_pipe->counters->
- pkts_drop_without_arp_entry++;
- }
- do_local_nh_ipv6_cache(dest_if,
- vfw_pipe);
- }
-
-
- }
-
- } else if (is_phy_port_privte(phy_port)) {
- if (!ret) {
- dest_if = get_prv_to_pub_port(
- (uint32_t *)
- &dest_addr_ipv6[0],
- IP_VERSION_6);
- if (dest_if == INVALID_DESTIF) {
- pkts_mask &= ~pkt_mask;
- vfw_pipe->counters->
- pkts_drop_without_arp_entry++;
- }
- do_local_nh_ipv6_cache(dest_if,
- vfw_pipe);
- }
-
- } else {
- if (!ret) {
- dest_if = get_pub_to_prv_port(
- (uint32_t *)
- &dest_addr_ipv6[0],
- IP_VERSION_6);
- if (dest_if == INVALID_DESTIF) {
- pkts_mask &= ~pkt_mask;
- vfw_pipe->counters->
- pkts_drop_without_arp_entry++;
- }
- do_local_nh_ipv6_cache(dest_if,
- vfw_pipe);
- }
-
- }
- meta_data_addr->output_port = vfw_pipe->
- outport_id[dest_if];
-
- memset(nh_ipv6, 0, IPV6_ADD_SIZE);
- if (get_dest_mac_address_ipv6_port(
- &dest_addr_ipv6[0],
- &dest_if,
- &hw_addr,
- &nh_ipv6[0])) {
- ether_addr_copy(&hw_addr, &ehdr->d_addr);
- ether_addr_copy(get_link_hw_addr(dest_if),
- &ehdr->s_addr);
-
- if (vfw_debug >= DEBUG_LEVEL_4) {
- char buf[HW_ADDR_SIZE];
-
- ether_format_addr(buf, sizeof(buf),
- &hw_addr);
- printf("MAC found for dest_if %d: %s,",
- dest_if, buf);
- ether_format_addr(buf, sizeof(buf),
- &ehdr->s_addr);
- printf("new eth hdr src: %s, ", buf);
- ether_format_addr(buf, sizeof(buf),
- &ehdr->d_addr);
- printf("new eth hdr dst: %s\n", buf);
- }
-
- } else {
- printf("deleting ipv6\n");
- pkts_mask &= ~pkt_mask;
- /*Next Neighbor is not yet implemented
- * for ipv6.*/
- vfw_pipe->counters->
- pkts_drop_without_arp_entry++;
- }
-
- } else
- /* neither IPv4 or IPv6, drop quietly */
- pkts_mask &= ~pkt_mask;
- }
- return pkts_mask;
-}
-
#ifdef EN_SWP_ARP
/**
@@ -2557,144 +2039,6 @@ vfw_handle_buffered_packets(struct rte_pipeline *p,
keep_mask = 0;
}
}
-
-/**
- * The pipeline port-in action is used to do all the firewall and
- * connection tracking work.
- *
- * @param p
- * A pointer to the pipeline.
- * @param pkts
- * A pointer to a burst of packets.
- * @param n_pkts
- * Number of packets to process.
- * @param arg
- * A pointer to pipeline specific data.
- *
- * @return
- * 0 on success, negative on error.
- */
-
-static int
-vfw_port_in_action(struct rte_pipeline *p,
- struct rte_mbuf **pkts,
- __rte_unused uint32_t n_pkts, __rte_unused void *arg)
-{
- struct vfw_ports_in_args *port_in_args =
- (struct vfw_ports_in_args *)arg;
- struct pipeline_vfw *vfw_pipe =
- (struct pipeline_vfw *)port_in_args->pipe;
- struct rte_ct_cnxn_tracker *ct = port_in_args->cnxn_tracker;
-
- start_tsc_measure(vfw_pipe);
-
- uint64_t packet_mask_in = RTE_LEN2MASK(n_pkts, uint64_t);
- uint64_t pkts_drop_mask;
- uint64_t hijack_mask = 0;
- uint64_t synproxy_reply_mask = 0; /* for synproxy */
- uint64_t keep_mask = packet_mask_in;
- struct rte_CT_helper ct_helper;
-
- memset(&ct_helper, 0, sizeof(struct rte_CT_helper));
-
-
- /*
- * This routine uses a bit mask to represent which packets in the
- * "pkts" table are considered valid. Any table entry which exists
- * and is considered valid has the corresponding bit in the mask set.
- * Otherwise, it is cleared. Note that the mask is 64 bits,
- * but the number of packets in the table may be considerably less.
- * Any mask bits which do correspond to actual packets are cleared.
- * Various routines are called which may determine that an existing
- * packet is somehow invalid. The routine will return an altered bit
- * mask, with the bit cleared. At the end of all the checks,
- * packets are dropped if their mask bit is a zero
- */
-
- if (vfw_debug > 1)
- printf("Enter in-port action with %p packet mask\n",
- (void *)packet_mask_in);
- vfw_pipe->counters->pkts_received =
- vfw_pipe->counters->pkts_received + n_pkts;
- if (VFW_DEBUG)
- printf("vfw_port_in_action pkts_received: %" PRIu64
- " n_pkts: %u\n",
- vfw_pipe->counters->pkts_received, n_pkts);
-
- /* first handle handle any previously buffered packets now released */
- vfw_handle_buffered_packets(p, vfw_pipe, ct,
- FORWARD_BUFFERED_PACKETS);
-
- /* now handle any new packets on input ports */
- if (likely(firewall_flag)) {
- keep_mask =
- rte_vfw_packet_filter_and_process(pkts, keep_mask,
- vfw_pipe);
- vfw_pipe->counters->pkts_fw_forwarded +=
- __builtin_popcountll(keep_mask);
- }
-#ifdef ACL_ENABLE
- uint64_t conntrack_mask = 0, connexist_mask = 0;
- keep_mask = lib_acl_pkt_work_key(
- vfw_pipe->plib_acl, pkts, keep_mask,
- &vfw_pipe->counters->pkts_drop_without_rule,
- vfw_rule_table_ipv4_active,
- vfw_rule_table_ipv6_active,
- action_array_active,
- action_counter_table,
- &conntrack_mask, &connexist_mask,
- vfw_ipv4_enabled,
- vfw_ipv6_enabled);
- vfw_pipe->counters->pkts_acl_forwarded +=
- __builtin_popcountll(keep_mask);
- if (conntrack_mask > 0) {
- keep_mask = conntrack_mask;
- ct_helper.no_new_cnxn_mask = connexist_mask;
- cnxn_tracking_is_active = 1;
- } else
- cnxn_tracking_is_active = 0;
-#endif
- if (likely(cnxn_tracking_is_active)) {
- keep_mask = rte_ct_cnxn_tracker_batch_lookup(ct, pkts,
- keep_mask, &ct_helper);
- synproxy_reply_mask = ct_helper.reply_pkt_mask;
- hijack_mask = ct_helper.hijack_mask;
-
- }
-
-
- keep_mask =
- rte_vfw_arp_packets(pkts, keep_mask, synproxy_reply_mask,
- vfw_pipe);
-
- if (vfw_debug > 1) {
- printf(" Exit in-port action with %p packet mask\n",
- (void *)keep_mask);
- if (keep_mask != packet_mask_in)
- printf("dropped packets, %p in, %p out\n",
- (void *)packet_mask_in,
- (void *)keep_mask);
- }
-
- /* Update mask before returning, so that bad packets are dropped */
-
- pkts_drop_mask = packet_mask_in & ~keep_mask;
-
- if (unlikely(pkts_drop_mask != 0)) {
- /* printf("drop %p\n", (void *) pkts_drop_mask); */
- rte_pipeline_ah_packet_drop(p, pkts_drop_mask);
- }
-
- if (unlikely(hijack_mask != 0))
- rte_pipeline_ah_packet_hijack(p, hijack_mask);
-
- vfw_pipe->counters->num_batch_pkts_sum += n_pkts;
- vfw_pipe->counters->num_pkts_measurements++;
-
- end_tsc_measure(vfw_pipe, n_pkts);
-
- return 0;
-}
/**
* The pipeline port-in action is used to do all the firewall and
* connection tracking work for IPV4 packets.
@@ -3322,13 +2666,10 @@ static void
.arg_create =
pipeline_port_in_params_convert(&params->port_in
[i]),
- .f_action = vfw_port_in_action,
+ .f_action = vfw_port_in_action_ipv4,
.arg_ah = &(port_in_args[i]),
.burst_size = params->port_in[i].burst_size,
};
- if (pipe_vfw->traffic_type == IP_VERSION_4)
- port_params.f_action = vfw_port_in_action_ipv4;
-
if (pipe_vfw->traffic_type == IP_VERSION_6)
port_params.f_action = vfw_port_in_action_ipv6;
int status = rte_pipeline_port_in_create(pipe->p, &port_params,
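Review bot: With the generic `vfw_port_in_action` gone, the initializer now gives `vfw_port_in_action_ipv4` to every port whose `traffic_type` is not `IP_VERSION_6`, where such ports previously got the handler that processed both IPv4 and IPv6. The IPv4 handler's body is not part of this diff, so it is worth confirming that it drops IPv6 and non-IP frames rather than forwarding them unfiltered when a port has a mixed or unset traffic type, since this is the firewall's ingress path. If only the two values are valid, state that at the initializer, e.g. `/* traffic_type is IP_VERSION_4 or IP_VERSION_6 only; the IPv4 handler is the default */`, and reject any other value where the parameter is parsed. The enclosing function starts and ends outside the hunk.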
diff --git a/common/VIL/acl/lib_acl.c b/common/VIL/acl/lib_acl.c
index 279727ef..9adb5a2f 100644
--- a/common/VIL/acl/lib_acl.c
+++ b/common/VIL/acl/lib_acl.c
@@ -417,376 +417,8 @@ int lib_acl_parse_config(struct lib_acl *plib_acl,
/* Parameter not processed in this parse function */
return 1;
}
-/**
- * Main packet processing function.
- * 64 packet bit mask are used to identify which packets to forward.
- * Performs the following:
- * - Burst lookup packets in the IPv4 ACL Rule Table.
- * - Burst lookup packets in the IPv6 ACL Rule Table.
- * - Lookup Action Table, perform actions.
- * - Burst lookup Connection Tracking, if enabled.
- * - Lookup MAC address.
- * - Set bit mask.
- * - Packets with bit mask set are forwarded
- *
- * @param p
- * A pointer to the pipeline.
- * @param pkts
- * A pointer to a burst of packets.
- * @param n_pkts
- * Number of packets to process.
- * @param arg
- * A pointer to pipeline specific data.
- *
- * @return
- * 0 on success, negative on error.
- */
- uint64_t
-lib_acl_pkt_work_key(struct lib_acl *plib_acl,
- struct rte_mbuf **pkts, uint64_t pkts_mask,
- uint64_t *pkts_drop_without_rule,
- void *plib_acl_rule_table_ipv4_active,
- void *plib_acl_rule_table_ipv6_active,
- struct pipeline_action_key *action_array_active,
- struct action_counter_block (*p_action_counter_table)[action_array_max],
- uint64_t *conntrack_mask,
- uint64_t *connexist_mask,
- int lib_acl_ipv4_enabled, int lib_acl_ipv6_enabled)
-{
-
- uint64_t lookup_hit_mask = 0;
- uint64_t lookup_hit_mask_ipv4 = 0;
- uint64_t lookup_hit_mask_ipv6 = 0;
- uint64_t lookup_miss_mask = 0;
- int status;
-
-
- if (lib_acl_ipv4_enabled) {
- if (ACL_LIB_DEBUG)
- printf("ACL IPV4 Lookup Mask Before = 0x%"PRIx64"\n",
- pkts_mask);
- status = rte_table_acl_ops.f_lookup(
- plib_acl_rule_table_ipv4_active,
- pkts, pkts_mask, &lookup_hit_mask_ipv4,
- (void **) plib_acl->plib_acl_entries_ipv4);
- if (status < 0)
- printf("Lookup failed\n");
- if (ACL_LIB_DEBUG)
- printf("ACL IPV4 Lookup Mask After = 0x%"PRIx64"\n",
- lookup_hit_mask_ipv4);
- }
-
- if (lib_acl_ipv6_enabled) {
- if (ACL_LIB_DEBUG)
- printf("ACL IPV6 Lookup Mask Before = 0x%"PRIx64"\n",
- pkts_mask);
- status = rte_table_acl_ops.f_lookup(
- plib_acl_rule_table_ipv6_active,
- pkts, pkts_mask, &lookup_hit_mask_ipv6,
- (void **) plib_acl->plib_acl_entries_ipv6);
- if (status < 0)
- printf("Lookup Failed\n");
- if (ACL_LIB_DEBUG)
- printf("ACL IPV6 Lookup Mask After = 0x%"PRIx64"\n",
- lookup_hit_mask_ipv6);
- }
-
- /* Merge lookup results since we process both IPv4 and IPv6 below */
- lookup_hit_mask = lookup_hit_mask_ipv4 | lookup_hit_mask_ipv6;
- if (ACL_LIB_DEBUG)
- printf("ACL Lookup Mask After = 0x%"PRIx64"\n",
- lookup_hit_mask);
-
- lookup_miss_mask = pkts_mask & (~lookup_hit_mask);
- pkts_mask = lookup_hit_mask;
- *pkts_drop_without_rule += __builtin_popcountll(lookup_miss_mask);
- if (ACL_LIB_DEBUG)
- printf("pkt_work_acl_key pkts_drop: %" PRIu64 " n_pkts: %u\n",
- *pkts_drop_without_rule,
- __builtin_popcountll(lookup_miss_mask));
- /* bitmap of packets left to process for ARP */
- uint64_t pkts_to_process = lookup_hit_mask;
-
- for (; pkts_to_process;) {
- uint8_t pos = (uint8_t)__builtin_ctzll(pkts_to_process);
- /* bitmask representing only this packet */
- uint64_t pkt_mask = 1LLU << pos;
- /* remove this packet from remaining list */
- pkts_to_process &= ~pkt_mask;
- struct rte_mbuf *pkt = pkts[pos];
-
- uint8_t hdr_chk = RTE_MBUF_METADATA_UINT8(pkt, IP_START);
-
- hdr_chk = hdr_chk >> IP_VERSION_CHECK;
-
- if (hdr_chk == IPv4_HDR_VERSION) {
-
- struct lib_acl_table_entry *entry =
- (struct lib_acl_table_entry *)
- plib_acl->plib_acl_entries_ipv4[pos];
- uint16_t phy_port = entry->head.port_id;
- uint32_t action_id = entry->action_id;
-
- if (ACL_LIB_DEBUG)
- printf("action_id = %u\n", action_id);
-
- uint32_t dscp_offset = IP_START + IP_HDR_DSCP_OFST;
-
- if (action_array_active[action_id].action_bitmap &
- lib_acl_action_count) {
- p_action_counter_table
- [plib_acl->action_counter_index]
- [action_id].packetCount++;
- p_action_counter_table
- [plib_acl->action_counter_index]
- [action_id].byteCount +=
- rte_pktmbuf_pkt_len(pkt);
- if (ACL_LIB_DEBUG)
- printf("Action Count Packet Count: %"
- PRIu64 " Byte Count: %"
- PRIu64 "\n"
- , p_action_counter_table
- [plib_acl->action_counter_index]
- [action_id].packetCount,
- p_action_counter_table
- [plib_acl->action_counter_index]
- [action_id].byteCount);
- }
-
- if (action_array_active[action_id].action_bitmap &
- lib_acl_action_packet_drop) {
-
- /* Drop packet by changing the mask */
- if (ACL_LIB_DEBUG)
- printf("ACL before drop pkt_mask %"
- PRIx64", pkt_num %d\n",
- pkts_mask, pos);
- pkts_mask &= ~(1LLU << pos);
- (*pkts_drop_without_rule)++;
- if (ACL_LIB_DEBUG)
- printf("ACL after drop pkt_mask %"PRIx64
- ", pkt_num %d, packet_drop%"
- PRIu64"\n", pkts_mask, pos,
- *pkts_drop_without_rule);
- }
-
- if (action_array_active[action_id].action_bitmap &
- lib_acl_action_fwd) {
- phy_port = action_array_active[action_id].
- fwd_port;
- entry->head.port_id = phy_port;
- if (ACL_LIB_DEBUG)
- printf("Action FWD Port ID: %"
- PRIu16"\n", phy_port);
- }
-
- if (action_array_active[action_id].action_bitmap &
- lib_acl_action_nat) {
- phy_port = action_array_active[action_id].
- nat_port;
- entry->head.port_id = phy_port;
- if (ACL_LIB_DEBUG)
- printf("Action NAT Port ID: %"
- PRIu16"\n", phy_port);
- }
-
- if (action_array_active[action_id].action_bitmap &
- lib_acl_action_dscp) {
-
- /* Set DSCP priority */
- uint8_t *dscp = RTE_MBUF_METADATA_UINT8_PTR(pkt,
- dscp_offset);
- *dscp = action_array_active[action_id].
- dscp_priority << 2;
- if (ACL_LIB_DEBUG)
- printf("Action DSCP DSCP Priority: %"
- PRIu16 "\n", *dscp);
- }
-
- if (action_array_active[action_id].action_bitmap &
- lib_acl_action_packet_accept) {
- if (ACL_LIB_DEBUG)
- printf("Action Accept\n");
-
- if (action_array_active[action_id].action_bitmap
- & lib_acl_action_conntrack) {
-
- /* Set conntrack bit for this pkt */
- *conntrack_mask |= pkt_mask;
- if (ACL_LIB_DEBUG)
- printf("ACL CT enabled: 0x%"
- PRIx64" pkt_mask: 0x%"
- PRIx64"\n",
- *conntrack_mask,
- pkt_mask);
- }
-
- if (action_array_active[action_id].action_bitmap
- & lib_acl_action_connexist) {
-
- /* Set conntrack bit for this pkt */
- *conntrack_mask |= pkt_mask;
-
- /* Set connexist bit for this pkt for
- * public -> private */
- /* Private -> public packet will open
- * the connection */
- if (action_array_active[action_id].
- private_public ==
- lib_acl_public_private)
- *connexist_mask |= pkt_mask;
-
- if (ACL_LIB_DEBUG)
- printf("Connexist ENB CT:0x%"
- PRIx64" connexist: 0x%"
- PRIx64" pkt_mask: 0x%"
- PRIx64"\n",
- *conntrack_mask,
- *connexist_mask,
- pkt_mask);
- }
- }
- }
-
- if (hdr_chk == IPv6_HDR_VERSION) {
-
- struct lib_acl_table_entry *entry =
- (struct lib_acl_table_entry *)
- plib_acl->plib_acl_entries_ipv6[pos];
- uint16_t phy_port = entry->head.port_id;
- uint32_t action_id = entry->action_id;
-
- if (ACL_LIB_DEBUG)
- printf("action_id = %u\n", action_id);
-
- if (action_array_active[action_id].action_bitmap &
- lib_acl_action_count) {
- p_action_counter_table
- [plib_acl->action_counter_index]
- [action_id].packetCount++;
- p_action_counter_table
- [plib_acl->action_counter_index]
- [action_id].byteCount +=
- rte_pktmbuf_pkt_len(pkt);
- if (ACL_LIB_DEBUG)
- printf("Action Count Packet Count: %"
- PRIu64 " Byte Count: %"
- PRIu64 "\n",
- p_action_counter_table
- [plib_acl->action_counter_index]
- [action_id].packetCount,
- p_action_counter_table
- [plib_acl->action_counter_index]
- [action_id].byteCount);
- }
- if (action_array_active[action_id].action_bitmap &
- lib_acl_action_packet_drop) {
- /* Drop packet by changing the mask */
- if (ACL_LIB_DEBUG)
- printf("ACL before drop pkt_mask %"
- PRIx64", pkt_num %d\n",
- pkts_mask, pos);
- pkts_mask &= ~(1LLU << pos);
- (*pkts_drop_without_rule)++;
- if (ACL_LIB_DEBUG)
- printf("ACL after drop pkt_mask %"PRIx64
- ", pkt_num %d, packet_drop %"
- PRIu64 "\n", pkts_mask, pos,
- *pkts_drop_without_rule);
-
- }
-
- if (action_array_active[action_id].action_bitmap &
- lib_acl_action_fwd) {
- phy_port = action_array_active[action_id].
- fwd_port;
- entry->head.port_id = phy_port;
- if (ACL_LIB_DEBUG)
- printf("Action FWD Port ID: %"
- PRIu16"\n", phy_port);
- }
-
- if (action_array_active[action_id].action_bitmap &
- lib_acl_action_nat) {
- phy_port = action_array_active[action_id].
- nat_port;
- entry->head.port_id = phy_port;
- if (ACL_LIB_DEBUG)
- printf("Action NAT Port ID: %"
- PRIu16"\n", phy_port);
- }
-
- if (action_array_active[action_id].action_bitmap &
- lib_acl_action_dscp) {
-
- /* Set DSCP priority */
- uint32_t dscp_offset = IP_START +
- IP_HDR_DSCP_OFST_IPV6;
- uint16_t *dscp = RTE_MBUF_METADATA_UINT16_PTR(
- pkt, dscp_offset);
- uint16_t temp = *dscp;
- uint16_t dscp_value = (rte_bswap16(temp) &
- 0XF00F);
- uint8_t dscp_store =
- action_array_active
- [action_id].dscp_priority << 2;
- uint16_t dscp_temp = dscp_store;
-
- dscp_temp = dscp_temp << 4;
- *dscp = rte_bswap16(dscp_temp | dscp_value);
- if (ACL_LIB_DEBUG)
- printf("Action DSCP DSCP Priority: %"
- PRIu16"\n", *dscp);
- }
-
- if (action_array_active[action_id].action_bitmap
- & lib_acl_action_packet_accept) {
- if (ACL_LIB_DEBUG)
- printf("Action Accept\n");
- if (action_array_active[action_id].action_bitmap
- & lib_acl_action_conntrack) {
-
- /* Set conntrack bit for this pkt */
- *conntrack_mask |= pkt_mask;
- if (ACL_LIB_DEBUG)
- printf("ACL CT enabled: 0x%"
- PRIx64" pkt_mask: 0x%"
- PRIx64"\n",
- *conntrack_mask,
- pkt_mask);
- }
-
- if (action_array_active[action_id].action_bitmap
- & lib_acl_action_connexist) {
-
- /* Set conntrack bit for this pkt */
- *conntrack_mask |= pkt_mask;
-
- /* Set connexist bit for this pkt for
- * public -> private */
- /* Private -> public packet will open
- * the connection */
- if (action_array_active[action_id].
- private_public ==
- lib_acl_public_private)
- *connexist_mask |= pkt_mask;
-
- if (ACL_LIB_DEBUG)
- printf("Connexist ENB CT:0x%"
- PRIx64" connexist: 0x%"
- PRIx64" pkt_mask: 0x%"
- PRIx64"\n",
- *conntrack_mask,
- *connexist_mask,
- pkt_mask);
- }
- }
- }
- }
- return pkts_mask;
-}
/**
* Main packet processing function.
* 64 packet bit mask are used to identify which packets to forward.
diff --git a/common/VIL/acl/lib_acl.h b/common/VIL/acl/lib_acl.h
index 6eaaf55f..64d5ae1a 100644
--- a/common/VIL/acl/lib_acl.h
+++ b/common/VIL/acl/lib_acl.h
@@ -94,17 +94,6 @@ int lib_acl_parse_config(struct lib_acl *plib_acl,
char *arg_name, char *arg_value,
uint32_t *libacl_n_rules);
uint64_t
-lib_acl_pkt_work_key(struct lib_acl *plib_acl,
- struct rte_mbuf **pkts, uint64_t pkts_mask,
- uint64_t *pkts_drop_without_rule,
- void *plib_acl_rule_table_ipv4_active,
- void *plib_acl_rule_table_ipv6_active,
- struct pipeline_action_key *action_array_active,
- struct action_counter_block (*p_action_counter_table)[action_array_max],
- uint64_t *conntrack_mask,
- uint64_t *connexist_mask,
- int lib_acl_ipv4_enabled, int lib_acl_ipv6_enabled);
-uint64_t
lib_acl_ipv4_pkt_work_key(struct lib_acl *plib_acl,
struct rte_mbuf **pkts, uint64_t pkts_mask,
uint64_t *pkts_drop_without_rule,