Diffstat (limited to 'VNFs')
-rw-r--r-- | VNFs/vFW/pipeline/pipeline_vfw_be.c | 661 |
1 files changed, 1 insertions, 660 deletions
diff --git a/VNFs/vFW/pipeline/pipeline_vfw_be.c b/VNFs/vFW/pipeline/pipeline_vfw_be.c
index 0d3f5279..70057b41 100644
--- a/VNFs/vFW/pipeline/pipeline_vfw_be.c
+++ b/VNFs/vFW/pipeline/pipeline_vfw_be.c
@@ -529,228 +529,6 @@ static uint8_t check_arp_icmp( return 1; } - -/** - * Performs basic VFW packet filtering. - * @param pkts - * A pointer to the packets. - * @param pkts_mask - * packet mask. - * @param vfw_pipe - * A pointer to VFW pipeline. - */ - -static uint64_t -rte_vfw_packet_filter_and_process(struct rte_mbuf **pkts, - uint64_t pkts_mask, - struct pipeline_vfw *vfw_pipe) -{ - - /* - * Make use of cache prefetch. At beginning of loop, want to prefetch - * mbuf data for next iteration (not current one). - * Note that ethernet header (14 bytes) is cache aligned. IPv4 header - * is 20 bytes (extensions not supported), while the IPv6 header is 40 - * bytes. TCP header is 20 bytes, UDP is 8. One cache line prefetch - * will cover IPv4 and TCP or UDP, but to get IPv6 and TCP, - * need two pre-fetches. - */ - - uint8_t pos, next_pos = 0; - uint64_t pkt_mask; /* bitmask representing a single packet */ - struct rte_mbuf *pkt; - struct rte_mbuf *next_pkt = NULL; - void *iphdr; - void *next_iphdr = NULL; - - if (unlikely(pkts_mask == 0)) - return pkts_mask; - pos = (uint8_t) __builtin_ctzll(pkts_mask); - pkt_mask = 1LLU << pos; /* bitmask representing only this packet */ - pkt = pkts[pos]; - iphdr = RTE_MBUF_METADATA_UINT32_PTR(pkt, IP_START); - rte_prefetch0(iphdr); - - uint64_t bytes_processed = 0; - /* bitmap of packets left to process */ - uint64_t pkts_to_process = pkts_mask; - /* bitmap of valid packets to return */ - uint64_t valid_packets = pkts_mask; - - /* prefetch counters, updated below. 
Most likely counters to update - * at beginnning */ - rte_prefetch0(&vfw_pipe->counters); - - do { /* always execute at least once */ - - /* remove this packet from remaining list */ - uint64_t next_pkts_to_process = pkts_to_process &= ~pkt_mask; - - if (likely(next_pkts_to_process)) { - /* another packet to process after this, prefetch it */ - - next_pos = - (uint8_t) __builtin_ctzll(next_pkts_to_process); - next_pkt = pkts[next_pos]; - next_iphdr = - RTE_MBUF_METADATA_UINT32_PTR(next_pkt, IP_START); - rte_prefetch0(next_iphdr); - } - - int discard = 0; - /* remove this packet from remaining list */ - pkts_to_process &= ~pkt_mask; - if (enable_hwlb) - if (!check_arp_icmp(pkt, vfw_pipe)) - discard = 1; - uint32_t packet_length = rte_pktmbuf_pkt_len(pkt); - - bytes_processed += packet_length; - - if (rte_vfw_is_IPv4(pkt)) { - struct ipv4_hdr *ihdr4 = (struct ipv4_hdr *)iphdr; - - /* verify that packet size according to mbuf is at least - * as large as the size according to the IP header. - */ - - uint32_t ip_length = rte_bswap16(ihdr4->total_length); - - if (unlikely - (ip_length > (packet_length - ETH_HDR_SIZE))) { - discard = 1; - vfw_pipe->counters->pkts_drop_bad_size++; - } - - /* - * IPv4 fragmented if: MF (more fragments) or Fragment - * Offset are non-zero. Header in Intel order, so flip - * constant to compensate. Note that IPv6 uses a header - * extension for identifying fragments. - */ - - int fragmented = (ihdr4->fragment_offset & 0xff3f) != 0; - uint8_t ttl = ihdr4->time_to_live; - - if (unlikely(fragmented)) { - discard = 1; - vfw_pipe->counters->pkts_drop_fragmented++; - } - - /* - * Behave like a router, and decrement the TTL of an - * IP packet. If this causes the TTL to become zero, - * the packet will be discarded. Unlike a router, - * no ICMP code 11 (Time * Exceeded) message will be - * sent back to the packet originator. 
- */ - - if (unlikely(ttl <= 1)) { - /* - * about to decrement to zero (or is somehow - * already zero), so discard - */ - discard = 1; - vfw_pipe->counters->pkts_drop_ttl++; - } - - /* - * Dropping the packets other than TCP AND UDP. - */ - - uint8_t proto = ihdr4->next_proto_id; - - if (unlikely(!(proto == IP_TCP_PROTOCOL || - proto == IP_UDP_PROTOCOL || - proto == IP_ICMP_PROTOCOL))) { - discard = 1; - vfw_pipe->counters-> - pkts_drop_unsupported_type++; - } - - if (unlikely(discard)) { - valid_packets &= ~pkt_mask; - } - - } else if (likely(rte_vfw_is_IPv6(pkt))) { - struct ipv6_hdr *ihdr6 = (struct ipv6_hdr *)iphdr; - - /* - * verify that packet size according to mbuf is at least - * as large as the size according to the IP header. - * For IPv6, note that size includes header extensions - * but not the base header size - */ - - uint32_t ip_length = - rte_bswap16(ihdr6->payload_len) + IPv6_HEADER_SIZE; - - if (unlikely - (ip_length > (packet_length - ETH_HDR_SIZE))) { - discard = 1; - vfw_pipe->counters->pkts_drop_bad_size++; - } - - /* - * Dropping the packets other than TCP AND UDP. - */ - - uint8_t proto = ihdr6->proto; - - if (unlikely(!(proto == IP_TCP_PROTOCOL || - proto == IP_UDP_PROTOCOL || - proto == IP_ICMP_PROTOCOL))) { - discard = 1; - if (proto == IPv6_FRAGMENT_HEADER) - vfw_pipe->counters-> - pkts_drop_fragmented++; - else - vfw_pipe->counters-> - pkts_drop_unsupported_type++; - } - - /* - * Behave like a router, and decrement the TTL of an - * IP packet. If this causes the TTL to become zero, - * the packet will be discarded. Unlike a router, - * no ICMP code 11 (Time * Exceeded) message will be - * sent back to the packet originator. 
- */ - - if (unlikely(ihdr6->hop_limits <= 1)) { - /* - * about to decrement to zero (or is somehow - * already zero), so discard - */ - discard = 1; - vfw_pipe->counters->pkts_drop_ttl++; - } - - if (unlikely(discard)) - valid_packets &= ~pkt_mask; - else - ihdr6->hop_limits--; - } else - /* discard non-ip */ - valid_packets &= ~pkt_mask; - - /* make next packet data the current */ - pkts_to_process = next_pkts_to_process; - pos = next_pos; - pkt = next_pkt; - iphdr = next_iphdr; - pkt_mask = 1LLU << pos; - - } while (pkts_to_process); - - /* finalize counters, etc. */ - vfw_pipe->counters->bytes_processed += bytes_processed; - - if (likely(firewall_flag)) - return valid_packets; - else - return pkts_mask; -} /** * Performs basic VFW ipv4 packet filtering. * @param pkts 
@@ -1091,302 +869,6 @@ static inline void rte_sp_exchange_mac_addresses(struct ether_hdr *ehdr) ether_addr_copy(&ehdr->s_addr, &ehdr->d_addr); ether_addr_copy(&saved_copy, &ehdr->s_addr); } -/** - * walk every valid mbuf (denoted by pkts_mask) and apply arp to the packet. - * To support synproxy, some (altered) packets may need to be sent back where - * they came from. The ip header has already been adjusted, but the ethernet - * header has not, so this must be performed here. - * Return an updated pkts_mask, since arp may drop some packets - * - * @param pkts - * A pointer to the packet. - * @param pkts_mask - * Packet mask - * @param synproxy_reply_mask - * Reply Packet mask for Synproxy - * @param vfw_pipe - * A pointer to VFW pipeline. - */ - -static uint64_t -rte_vfw_arp_packets(struct rte_mbuf **pkts, - uint64_t pkts_mask, - uint64_t synproxy_reply_mask, - struct pipeline_vfw *vfw_pipe) -{ - uint64_t pkts_to_arp = pkts_mask; - uint32_t ret; - uint32_t dest_if = INVALID_DESTIF; - int ret_mac; - - for (; pkts_to_arp;) { - struct ether_addr hw_addr; - struct mbuf_tcp_meta_data *meta_data_addr; - struct ether_hdr *ehdr; - struct rte_mbuf *pkt; - uint16_t phy_port; - uint8_t pos = (uint8_t) __builtin_ctzll(pkts_to_arp); - /* bitmask representing only this packet */ - uint64_t pkt_mask = 1LLU << pos; - /* remove this packet from remaining list */ - pkts_to_arp &= ~pkt_mask; - pkt = pkts[pos]; - int must_reverse = ((synproxy_reply_mask & pkt_mask) != 0); - - phy_port = pkt->port; - meta_data_addr = (struct mbuf_tcp_meta_data *) - RTE_MBUF_METADATA_UINT32_PTR(pkt, META_DATA_OFFSET); - ehdr = rte_vfw_get_ether_addr(pkt); - - void *iphdr = RTE_MBUF_METADATA_UINT32_PTR(pkt, IP_START); - - if (rte_vfw_is_IPv4(pkt)) { - struct ipv4_hdr *ihdr = (struct ipv4_hdr *)iphdr; - uint32_t nhip = 0; - - uint32_t dest_address = rte_bswap32(ihdr->dst_addr); - - ret = local_get_nh_ipv4(dest_address, &dest_if, - &nhip, vfw_pipe); - if (must_reverse) { - 
rte_sp_exchange_mac_addresses(ehdr); - if (is_phy_port_privte(phy_port)) { - if (!ret) { - dest_if = get_pub_to_prv_port( - &dest_address, - IP_VERSION_4); - if (dest_if == INVALID_DESTIF) { - pkts_mask &= ~pkt_mask; - vfw_pipe->counters-> - pkts_drop_without_arp_entry++; - } - do_local_nh_ipv4_cache(dest_if, - vfw_pipe); - } - - } else { - if (!ret) { - dest_if = get_prv_to_pub_port( - &dest_address, - IP_VERSION_4); - if (dest_if == INVALID_DESTIF) { - pkts_mask &= ~pkt_mask; - vfw_pipe->counters-> - pkts_drop_without_arp_entry++; - } - do_local_nh_ipv4_cache(dest_if, - vfw_pipe); - } - } - - } else if (is_phy_port_privte(phy_port)) { - if (!ret) { - dest_if = get_prv_to_pub_port( - &dest_address, - IP_VERSION_4); - if (dest_if == INVALID_DESTIF) { - pkts_mask &= ~pkt_mask; - vfw_pipe->counters-> - pkts_drop_without_arp_entry++; - } - do_local_nh_ipv4_cache(dest_if, - vfw_pipe); - } - - } else { - if (!ret) { - dest_if = get_pub_to_prv_port( - &dest_address, - IP_VERSION_4); - if (dest_if == INVALID_DESTIF) { - pkts_mask &= ~pkt_mask; - vfw_pipe->counters-> - pkts_drop_without_arp_entry++; - } - do_local_nh_ipv4_cache(dest_if, - vfw_pipe); - } - } - - meta_data_addr->output_port = - vfw_pipe->outport_id[dest_if]; - if (local_dest_mac_present(dest_if)) { - ether_addr_copy(get_local_link_hw_addr(dest_if), - &ehdr->d_addr); - ether_addr_copy(get_link_hw_addr(dest_if), - &ehdr->s_addr); - } else { - ret_mac = get_dest_mac_addr_port(dest_address, - &dest_if, &hw_addr); - if (ret_mac == ARP_FOUND) { - - link_hw_laddr_valid[dest_if] = 1; - memcpy(&link_hw_laddr[dest_if], &hw_addr, - sizeof(struct ether_addr)); - - ether_addr_copy(&hw_addr, - &ehdr->d_addr); - ether_addr_copy(get_link_hw_addr(dest_if), - &ehdr->s_addr); - - if (vfw_debug >= DEBUG_LEVEL_4) { - char buf[HW_ADDR_SIZE]; - - ether_format_addr(buf, sizeof(buf), - &hw_addr); - printf("MAC found for ip 0x%"PRIx32 - ",dest_if %d: %s, ", - dest_address, - dest_if, buf); - ether_format_addr(buf, sizeof(buf), - 
&ehdr->s_addr); - printf("new eth hdr src: %s, ", buf); - ether_format_addr(buf, sizeof(buf), - &ehdr->d_addr); - printf("new eth hdr dst: %s\n", buf); - } - - } else { - - if (vfw_debug >= DEBUG_LEVEL_4) { - char buf[HW_ADDR_SIZE]; - - ether_format_addr(buf, sizeof(buf), - &hw_addr); - printf("MAC NOT FOUND for ip 0x%" - PRIx32", dest_if %" - PRId16": %s, ", - dest_address, - dest_if, buf); - } - /* ICMP req sent, drop packet by - * changing the mask */ - pkts_mask &= ~pkt_mask; - vfw_pipe-> - counters->pkts_drop_without_arp_entry++; - } - - } - } else if (likely(rte_vfw_is_IPv6(pkt))) { - struct ipv6_hdr *ihdr = (struct ipv6_hdr *)iphdr; - uint8_t dest_addr_ipv6[IPV6_ADD_SIZE]; - - rte_mov16(dest_addr_ipv6, ihdr->dst_addr); - uint8_t nh_ipv6[IPV6_ADD_SIZE]; - - memset(nh_ipv6, 0, IPV6_ADD_SIZE); - ret = local_get_nh_ipv6(&dest_addr_ipv6[0], &dest_if, - &nh_ipv6[0], vfw_pipe); - if (must_reverse) { - rte_sp_exchange_mac_addresses(ehdr); - if (is_phy_port_privte(phy_port)) { - if (!ret) { - dest_if = get_pub_to_prv_port( - (uint32_t *) - &dest_addr_ipv6[0], - IP_VERSION_6); - if (dest_if == INVALID_DESTIF) { - pkts_mask &= ~pkt_mask; - vfw_pipe->counters-> - pkts_drop_without_arp_entry++; - } - do_local_nh_ipv6_cache(dest_if, - vfw_pipe); - } - - } else { - if (!ret) { - dest_if = get_prv_to_pub_port( - (uint32_t *) - &dest_addr_ipv6[0], - IP_VERSION_6); - if (dest_if == INVALID_DESTIF) { - pkts_mask &= ~pkt_mask; - vfw_pipe->counters-> - pkts_drop_without_arp_entry++; - } - do_local_nh_ipv6_cache(dest_if, - vfw_pipe); - } - - - } - - } else if (is_phy_port_privte(phy_port)) { - if (!ret) { - dest_if = get_prv_to_pub_port( - (uint32_t *) - &dest_addr_ipv6[0], - IP_VERSION_6); - if (dest_if == INVALID_DESTIF) { - pkts_mask &= ~pkt_mask; - vfw_pipe->counters-> - pkts_drop_without_arp_entry++; - } - do_local_nh_ipv6_cache(dest_if, - vfw_pipe); - } - - } else { - if (!ret) { - dest_if = get_pub_to_prv_port( - (uint32_t *) - &dest_addr_ipv6[0], - IP_VERSION_6); - if 
(dest_if == INVALID_DESTIF) { - pkts_mask &= ~pkt_mask; - vfw_pipe->counters-> - pkts_drop_without_arp_entry++; - } - do_local_nh_ipv6_cache(dest_if, - vfw_pipe); - } - - } - meta_data_addr->output_port = vfw_pipe-> - outport_id[dest_if]; - - memset(nh_ipv6, 0, IPV6_ADD_SIZE); - if (get_dest_mac_address_ipv6_port( - &dest_addr_ipv6[0], - &dest_if, - &hw_addr, - &nh_ipv6[0])) { - ether_addr_copy(&hw_addr, &ehdr->d_addr); - ether_addr_copy(get_link_hw_addr(dest_if), - &ehdr->s_addr); - - if (vfw_debug >= DEBUG_LEVEL_4) { - char buf[HW_ADDR_SIZE]; - - ether_format_addr(buf, sizeof(buf), - &hw_addr); - printf("MAC found for dest_if %d: %s,", - dest_if, buf); - ether_format_addr(buf, sizeof(buf), - &ehdr->s_addr); - printf("new eth hdr src: %s, ", buf); - ether_format_addr(buf, sizeof(buf), - &ehdr->d_addr); - printf("new eth hdr dst: %s\n", buf); - } - - } else { - printf("deleting ipv6\n"); - pkts_mask &= ~pkt_mask; - /*Next Neighbor is not yet implemented - * for ipv6.*/ - vfw_pipe->counters-> - pkts_drop_without_arp_entry++; - } - - } else - /* neither IPv4 or IPv6, drop quietly */ - pkts_mask &= ~pkt_mask; - } - return pkts_mask; -} - #ifdef EN_SWP_ARP /** 
@@ -2557,144 +2039,6 @@ vfw_handle_buffered_packets(struct rte_pipeline *p, keep_mask = 0; } } - -/** - * The pipeline port-in action is used to do all the firewall and - * connection tracking work. - * - * @param p - * A pointer to the pipeline. - * @param pkts - * A pointer to a burst of packets. - * @param n_pkts - * Number of packets to process. - * @param arg - * A pointer to pipeline specific data. - * - * @return - * 0 on success, negative on error. - */ - -static int -vfw_port_in_action(struct rte_pipeline *p, - struct rte_mbuf **pkts, - __rte_unused uint32_t n_pkts, __rte_unused void *arg) -{ - struct vfw_ports_in_args *port_in_args = - (struct vfw_ports_in_args *)arg; - struct pipeline_vfw *vfw_pipe = - (struct pipeline_vfw *)port_in_args->pipe; - struct rte_ct_cnxn_tracker *ct = port_in_args->cnxn_tracker; - - start_tsc_measure(vfw_pipe); - - uint64_t packet_mask_in = RTE_LEN2MASK(n_pkts, uint64_t); - uint64_t pkts_drop_mask; - uint64_t hijack_mask = 0; - uint64_t synproxy_reply_mask = 0; /* for synproxy */ - uint64_t keep_mask = packet_mask_in; - struct rte_CT_helper ct_helper; - - memset(&ct_helper, 0, sizeof(struct rte_CT_helper)); - - - /* - * This routine uses a bit mask to represent which packets in the - * "pkts" table are considered valid. Any table entry which exists - * and is considered valid has the corresponding bit in the mask set. - * Otherwise, it is cleared. Note that the mask is 64 bits, - * but the number of packets in the table may be considerably less. - * Any mask bits which do correspond to actual packets are cleared. - * Various routines are called which may determine that an existing - * packet is somehow invalid. The routine will return an altered bit - * mask, with the bit cleared. 
At the end of all the checks, - * packets are dropped if their mask bit is a zero - */ - - if (vfw_debug > 1) - printf("Enter in-port action with %p packet mask\n", - (void *)packet_mask_in); - vfw_pipe->counters->pkts_received = - vfw_pipe->counters->pkts_received + n_pkts; - if (VFW_DEBUG) - printf("vfw_port_in_action pkts_received: %" PRIu64 - " n_pkts: %u\n", - vfw_pipe->counters->pkts_received, n_pkts); - - /* first handle handle any previously buffered packets now released */ - vfw_handle_buffered_packets(p, vfw_pipe, ct, - FORWARD_BUFFERED_PACKETS); - - /* now handle any new packets on input ports */ - if (likely(firewall_flag)) { - keep_mask = - rte_vfw_packet_filter_and_process(pkts, keep_mask, - vfw_pipe); - vfw_pipe->counters->pkts_fw_forwarded += - __builtin_popcountll(keep_mask); - } -#ifdef ACL_ENABLE - uint64_t conntrack_mask = 0, connexist_mask = 0; - keep_mask = lib_acl_pkt_work_key( - vfw_pipe->plib_acl, pkts, keep_mask, - &vfw_pipe->counters->pkts_drop_without_rule, - vfw_rule_table_ipv4_active, - vfw_rule_table_ipv6_active, - action_array_active, - action_counter_table, - &conntrack_mask, &connexist_mask, - vfw_ipv4_enabled, - vfw_ipv6_enabled); - vfw_pipe->counters->pkts_acl_forwarded += - __builtin_popcountll(keep_mask); - if (conntrack_mask > 0) { - keep_mask = conntrack_mask; - ct_helper.no_new_cnxn_mask = connexist_mask; - cnxn_tracking_is_active = 1; - } else - cnxn_tracking_is_active = 0; -#endif - if (likely(cnxn_tracking_is_active)) { - keep_mask = rte_ct_cnxn_tracker_batch_lookup(ct, pkts, - keep_mask, &ct_helper); - synproxy_reply_mask = ct_helper.reply_pkt_mask; - hijack_mask = ct_helper.hijack_mask; - - } - - - keep_mask = - rte_vfw_arp_packets(pkts, keep_mask, synproxy_reply_mask, - vfw_pipe); - - if (vfw_debug > 1) { - printf(" Exit in-port action with %p packet mask\n", - (void *)keep_mask); - if (keep_mask != packet_mask_in) - printf("dropped packets, %p in, %p out\n", - (void *)packet_mask_in, - (void *)keep_mask); - } - - /* 
Update mask before returning, so that bad packets are dropped */ - - pkts_drop_mask = packet_mask_in & ~keep_mask; - - if (unlikely(pkts_drop_mask != 0)) { - /* printf("drop %p\n", (void *) pkts_drop_mask); */ - rte_pipeline_ah_packet_drop(p, pkts_drop_mask); - } - - if (unlikely(hijack_mask != 0)) - rte_pipeline_ah_packet_hijack(p, hijack_mask); - - vfw_pipe->counters->num_batch_pkts_sum += n_pkts; - vfw_pipe->counters->num_pkts_measurements++; - - end_tsc_measure(vfw_pipe, n_pkts); - - return 0; -} /** * The pipeline port-in action is used to do all the firewall and * connection tracking work for IPV4 packets. @@ -3322,13 +2666,10 @@ static void .arg_create = pipeline_port_in_params_convert(¶ms->port_in [i]), - .f_action = vfw_port_in_action, + .f_action = vfw_port_in_action_ipv4, .arg_ah = &(port_in_args[i]), .burst_size = params->port_in[i].burst_size, }; - if (pipe_vfw->traffic_type == IP_VERSION_4) - port_params.f_action = vfw_port_in_action_ipv4; - if (pipe_vfw->traffic_type == IP_VERSION_6) port_params.f_action = vfw_port_in_action_ipv6; int status = rte_pipeline_port_in_create(pipe->p, &port_params, |