d5/dc4/dataplane__node_8c_source.html

 /*
  * Copyright (c) 2016-2018 Cisco and/or its affiliates.
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at:
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 #include <stddef.h>
 #include <netinet/in.h>

 #include <vlib/vlib.h>
 #include <vnet/vnet.h>
 #include <vnet/pg/pg.h>
 #include <vppinfra/error.h>


 #include <acl/acl.h>
 #include <vnet/ip/icmp46_packet.h>

 #include <plugins/acl/fa_node.h>
 #include <plugins/acl/acl.h>
 #include <plugins/acl/lookup_context.h>
 #include <plugins/acl/public_inlines.h>
 #include <plugins/acl/session_inlines.h>

 #include <vppinfra/bihash_40_8.h>
 #include <vppinfra/bihash_template.h>

 typedef struct
 {
   u32 next_index;
   u32 sw_if_index;
   u32 lc_index;
   u32 match_acl_in_index;
   u32 match_rule_index;
   u64 packet_info[6];
   u32 trace_bitmap;
   u8 action;
 } acl_fa_trace_t;

 /* *INDENT-OFF* */
 #define foreach_acl_fa_error \
 _(ACL_DROP, "ACL deny packets")  \
 _(ACL_PERMIT, "ACL permit packets")  \
 _(ACL_NEW_SESSION, "new sessions added") \
 _(ACL_EXIST_SESSION, "existing session packets") \
 _(ACL_CHECK, "checked packets") \
 _(ACL_RESTART_SESSION_TIMER, "restart session timer") \
 _(ACL_TOO_MANY_SESSIONS, "too many sessions to add new") \
 /* end  of errors */

 typedef enum
 {
 #define _(sym,str) ACL_FA_ERROR_##sym,
   foreach_acl_fa_error
 #undef _
     ACL_FA_N_ERROR,
 } acl_fa_error_t;

 /* *INDENT-ON* */

 always_inline u16
 get_current_policy_epoch (acl_main_t * am, int is_input, u32 sw_if_index0)
 {
   u32 **p_epoch_vec =
     is_input ? &am->input_policy_epoch_by_sw_if_index :
     &am->output_policy_epoch_by_sw_if_index;
   u16 current_policy_epoch =
     sw_if_index0 < vec_len (*p_epoch_vec) ? vec_elt (*p_epoch_vec,
                                                      sw_if_index0)
     : (is_input * FA_POLICY_EPOCH_IS_INPUT);
   return current_policy_epoch;
 }

 always_inline uword
 acl_fa_node_fn (vlib_main_t * vm,
                 vlib_node_runtime_t * node, vlib_frame_t * frame, int is_ip6,
                 int is_input, int is_l2_path, u32 * l2_feat_next_node_index,
                 vlib_node_registration_t * acl_fa_node)
 {
   u32 n_left, *from;
   u32 pkts_acl_checked = 0;
   u32 pkts_new_session = 0;
   u32 pkts_exist_session = 0;
   u32 pkts_acl_permit = 0;
   u32 pkts_restart_session_timer = 0;
   u32 trace_bitmap = 0;
   acl_main_t *am = &acl_main;
   fa_5tuple_t fa_5tuple;
   vlib_node_runtime_t *error_node;
   u64 now = clib_cpu_time_now ();
   uword thread_index = os_get_thread_index ();
   acl_fa_per_worker_data_t *pw = &am->per_worker_data[thread_index];

   u16 nexts[VLIB_FRAME_SIZE], *next;
   vlib_buffer_t *bufs[VLIB_FRAME_SIZE], **b;

   from = vlib_frame_vector_args (frame);

   error_node = vlib_node_get_runtime (vm, acl_fa_node->index);

   vlib_get_buffers (vm, from, bufs, frame->n_vectors);
   /* set the initial values for the current buffer the next pointers */
   b = bufs;
   next = nexts;

   n_left = frame->n_vectors;
   while (n_left > 0)
     {
       u32 next0 = 0;
       u8 action = 0;
       u32 sw_if_index0;
       u32 lc_index0 = ~0;
       int acl_check_needed = 1;
       u32 match_acl_in_index = ~0;
       u32 match_acl_pos = ~0;
       u32 match_rule_index = ~0;
       u8 error0 = 0;

       n_left -= 1;

       if (is_input)
         sw_if_index0 = vnet_buffer (b[0])->sw_if_index[VLIB_RX];
       else
         sw_if_index0 = vnet_buffer (b[0])->sw_if_index[VLIB_TX];

       if (is_input)
         lc_index0 = am->input_lc_index_by_sw_if_index[sw_if_index0];
       else
         lc_index0 = am->output_lc_index_by_sw_if_index[sw_if_index0];

       u16 current_policy_epoch =
         get_current_policy_epoch (am, is_input, sw_if_index0);


       /*
        * Extract the L3/L4 matching info into a 5-tuple structure.
        */

       acl_fill_5tuple (&acl_main, sw_if_index0, b[0], is_ip6,
                        is_input, is_l2_path, &fa_5tuple);

 #ifdef FA_NODE_VERBOSE_DEBUG
       clib_warning
         ("ACL_FA_NODE_DBG: packet 5-tuple %016llx %016llx %016llx %016llx %016llx %016llx",
          fa_5tuple.kv.key[0], fa_5tuple.kv.key[1], fa_5tuple.kv.key[2],
          fa_5tuple.kv.key[3], fa_5tuple.kv.key[4], fa_5tuple.kv.value);
 #endif

       /* Try to match an existing session first */

       if (acl_fa_ifc_has_sessions (am, sw_if_index0))
         {
           u64 value_sess = ~0ULL;
           if (acl_fa_find_session
               (am, is_ip6, sw_if_index0, &fa_5tuple, &value_sess)
               && (value_sess != ~0ULL))
             {
               trace_bitmap |= 0x80000000;
               error0 = ACL_FA_ERROR_ACL_EXIST_SESSION;
               fa_full_session_id_t f_sess_id;

               f_sess_id.as_u64 = value_sess;
               ASSERT (f_sess_id.thread_index < vec_len (vlib_mains));

               fa_session_t *sess =
                 get_session_ptr (am, f_sess_id.thread_index,
                                  f_sess_id.session_index);
               int old_timeout_type = fa_session_get_timeout_type (am, sess);
               action =
                 acl_fa_track_session (am, is_input, sw_if_index0, now,
                                       sess, &fa_5tuple);
               /* expose the session id to the tracer */
               match_rule_index = f_sess_id.session_index;
               int new_timeout_type = fa_session_get_timeout_type (am, sess);
               acl_check_needed = 0;
               pkts_exist_session += 1;
               /* Tracking might have changed the session timeout type, e.g. from transient to established */
               if (PREDICT_FALSE (old_timeout_type != new_timeout_type))
                 {
                   acl_fa_restart_timer_for_session (am, now, f_sess_id);
                   pkts_restart_session_timer++;
                   trace_bitmap |=
                     0x00010000 + ((0xff & old_timeout_type) << 8) +
                     (0xff & new_timeout_type);
                 }
               /*
                * I estimate the likelihood to be very low - the VPP needs
                * to have >64K interfaces to start with and then on
                * exactly 64K indices apart needs to be exactly the same
                * 5-tuple... Anyway, since this probability is nonzero -
                * print an error and drop the unlucky packet.
                * If this shows up in real world, we would need to bump
                * the hash key length.
                */
               if (PREDICT_FALSE (sess->sw_if_index != sw_if_index0))
                 {
                   clib_warning
                     ("BUG: session LSB16(sw_if_index) and 5-tuple collision!");
                   acl_check_needed = 0;
                   action = 0;
                 }
               if (PREDICT_FALSE (am->reclassify_sessions))
                 {
                   /* if the MSB of policy epoch matches but not the LSB means it is a stale session */
                   if ((0 ==
                        ((current_policy_epoch ^
                          f_sess_id.intf_policy_epoch) &
                         FA_POLICY_EPOCH_IS_INPUT))
                       && (current_policy_epoch !=
                           f_sess_id.intf_policy_epoch))
                     {
                       /* delete session and increment the counter */
                       vec_validate
                         (pw->fa_session_epoch_change_by_sw_if_index,
                          sw_if_index0);
                       vec_elt (pw->fa_session_epoch_change_by_sw_if_index,
                                sw_if_index0)++;
                       if (acl_fa_conn_list_delete_session
                           (am, f_sess_id, now))
                         {
                           /* delete the session only if we were able to unlink it */
                           acl_fa_two_stage_delete_session (am, sw_if_index0,
                                                            f_sess_id, now);
                         }
                       acl_check_needed = 1;
                       trace_bitmap |= 0x40000000;
                     }
                 }
             }
         }

       if (acl_check_needed)
         {
           action = 0;           /* deny by default */
           acl_plugin_match_5tuple_inline (&acl_main, lc_index0,
                                           (fa_5tuple_opaque_t *) &
                                           fa_5tuple, is_ip6, &action,
                                           &match_acl_pos,
                                           &match_acl_in_index,
                                           &match_rule_index, &trace_bitmap);
           error0 = action;
           if (1 == action)
             pkts_acl_permit += 1;
           if (2 == action)
             {
               if (!acl_fa_can_add_session (am, is_input, sw_if_index0))
                 acl_fa_try_recycle_session (am, is_input, thread_index,
                                             sw_if_index0, now);

               if (acl_fa_can_add_session (am, is_input, sw_if_index0))
                 {
                   fa_session_t *sess =
                     acl_fa_add_session (am, is_input, is_ip6,
                                         sw_if_index0,
                                         now, &fa_5tuple,
                                         current_policy_epoch);
                   acl_fa_track_session (am, is_input, sw_if_index0,
                                         now, sess, &fa_5tuple);
                   pkts_new_session += 1;
                 }
               else
                 {
                   action = 0;
                   error0 = ACL_FA_ERROR_ACL_TOO_MANY_SESSIONS;
                 }
             }
         }


       if (action > 0)
         {
           if (is_l2_path)
             next0 = vnet_l2_feature_next (b[0], l2_feat_next_node_index, 0);
           else
             vnet_feature_next (&next0, b[0]);
         }
 #ifdef FA_NODE_VERBOSE_DEBUG
       clib_warning
         ("ACL_FA_NODE_DBG: sw_if_index %d lc_index %d action %d acl_index %d rule_index %d",
          sw_if_index0, lc_index0, action, match_acl_in_index,
          match_rule_index);
 #endif

       if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
                          && (b[0]->flags & VLIB_BUFFER_IS_TRACED)))
         {
           acl_fa_trace_t *t = vlib_add_trace (vm, node, b[0], sizeof (*t));
           t->sw_if_index = sw_if_index0;
           t->lc_index = lc_index0;
           t->next_index = next0;
           t->match_acl_in_index = match_acl_in_index;
           t->match_rule_index = match_rule_index;
           t->packet_info[0] = fa_5tuple.kv_40_8.key[0];
           t->packet_info[1] = fa_5tuple.kv_40_8.key[1];
           t->packet_info[2] = fa_5tuple.kv_40_8.key[2];
           t->packet_info[3] = fa_5tuple.kv_40_8.key[3];
           t->packet_info[4] = fa_5tuple.kv_40_8.key[4];
           t->packet_info[5] = fa_5tuple.kv_40_8.value;
           t->action = action;
           t->trace_bitmap = trace_bitmap;
         }

       next0 = next0 < node->n_next_nodes ? next0 : 0;
       if (0 == next0)
         b[0]->error = error_node->errors[error0];
       next[0] = next0;

       next++;
       b++;
       pkts_acl_checked += 1;
     }

   vlib_buffer_enqueue_to_next (vm, node, from, nexts, frame->n_vectors);

   vlib_node_increment_counter (vm, acl_fa_node->index,
                                ACL_FA_ERROR_ACL_CHECK, pkts_acl_checked);
   vlib_node_increment_counter (vm, acl_fa_node->index,
                                ACL_FA_ERROR_ACL_PERMIT, pkts_acl_permit);
   vlib_node_increment_counter (vm, acl_fa_node->index,
                                ACL_FA_ERROR_ACL_NEW_SESSION,
                                pkts_new_session);
   vlib_node_increment_counter (vm, acl_fa_node->index,
                                ACL_FA_ERROR_ACL_EXIST_SESSION,
                                pkts_exist_session);
   vlib_node_increment_counter (vm, acl_fa_node->index,
                                ACL_FA_ERROR_ACL_RESTART_SESSION_TIMER,
                                pkts_restart_session_timer);
   return frame->n_vectors;
 }

 vlib_node_registration_t acl_in_l2_ip6_node;
 VLIB_NODE_FN (acl_in_l2_ip6_node) (vlib_main_t * vm,
                                    vlib_node_runtime_t * node,
                                    vlib_frame_t * frame)
 {
   acl_main_t *am = &acl_main;
   return acl_fa_node_fn (vm, node, frame, 1, 1, 1,
                          am->fa_acl_in_ip6_l2_node_feat_next_node_index,
                          &acl_in_l2_ip6_node);
 }

 vlib_node_registration_t acl_in_l2_ip4_node;
 VLIB_NODE_FN (acl_in_l2_ip4_node) (vlib_main_t * vm,
                                    vlib_node_runtime_t * node,
                                    vlib_frame_t * frame)
 {
   acl_main_t *am = &acl_main;
   return acl_fa_node_fn (vm, node, frame, 0, 1, 1,
                          am->fa_acl_in_ip4_l2_node_feat_next_node_index,
                          &acl_in_l2_ip4_node);
 }

 vlib_node_registration_t acl_out_l2_ip6_node;
 VLIB_NODE_FN (acl_out_l2_ip6_node) (vlib_main_t * vm,
                                     vlib_node_runtime_t * node,
                                     vlib_frame_t * frame)
 {
   acl_main_t *am = &acl_main;
   return acl_fa_node_fn (vm, node, frame, 1, 0, 1,
                          am->fa_acl_out_ip6_l2_node_feat_next_node_index,
                          &acl_out_l2_ip6_node);
 }

 vlib_node_registration_t acl_out_l2_ip4_node;
 VLIB_NODE_FN (acl_out_l2_ip4_node) (vlib_main_t * vm,
                                     vlib_node_runtime_t * node,
                                     vlib_frame_t * frame)
 {
   acl_main_t *am = &acl_main;
   return acl_fa_node_fn (vm, node, frame, 0, 0, 1,
                          am->fa_acl_out_ip4_l2_node_feat_next_node_index,
                          &acl_out_l2_ip4_node);
 }

 /**** L3 processing path nodes ****/

 vlib_node_registration_t acl_in_fa_ip6_node;
 VLIB_NODE_FN (acl_in_fa_ip6_node) (vlib_main_t * vm,
                                    vlib_node_runtime_t * node,
                                    vlib_frame_t * frame)
 {
   return acl_fa_node_fn (vm, node, frame, 1, 1, 0, 0, &acl_in_fa_ip6_node);
 }

 vlib_node_registration_t acl_in_fa_ip4_node;
 VLIB_NODE_FN (acl_in_fa_ip4_node) (vlib_main_t * vm,
                                    vlib_node_runtime_t * node,
                                    vlib_frame_t * frame)
 {
   return acl_fa_node_fn (vm, node, frame, 0, 1, 0, 0, &acl_in_fa_ip4_node);
 }

 vlib_node_registration_t acl_out_fa_ip6_node;
 VLIB_NODE_FN (acl_out_fa_ip6_node) (vlib_main_t * vm,
                                     vlib_node_runtime_t * node,
                                     vlib_frame_t * frame)
 {
   return acl_fa_node_fn (vm, node, frame, 1, 0, 0, 0, &acl_out_fa_ip6_node);
 }

 vlib_node_registration_t acl_out_fa_ip4_node;
 VLIB_NODE_FN (acl_out_fa_ip4_node) (vlib_main_t * vm,
                                     vlib_node_runtime_t * node,
                                     vlib_frame_t * frame)
 {
   return acl_fa_node_fn (vm, node, frame, 0, 0, 0, 0, &acl_out_fa_ip4_node);
 }

 static u8 *
 format_fa_5tuple (u8 * s, va_list * args)
 {
   fa_5tuple_t *p5t = va_arg (*args, fa_5tuple_t *);

   if (p5t->pkt.is_ip6)
     return format (s, "lc_index %d (lsb16 of sw_if_index %d) l3 %s%s %U -> %U"
                    " l4 proto %d l4_valid %d port %d -> %d tcp flags (%s) %02x rsvd %x",
                    p5t->pkt.lc_index, p5t->l4.lsb_of_sw_if_index,
                    "ip6",
                    p5t->
                    pkt.is_nonfirst_fragment ? " non-initial fragment" : "",
                    format_ip6_address, &p5t->ip6_addr[0], format_ip6_address,
                    &p5t->ip6_addr[1], p5t->l4.proto, p5t->pkt.l4_valid,
                    p5t->l4.port[0], p5t->l4.port[1],
                    p5t->pkt.tcp_flags_valid ? "valid" : "invalid",
                    p5t->pkt.tcp_flags, p5t->pkt.flags_reserved);
   else
     return format (s, "lc_index %d (lsb16 of sw_if_index %d) l3 %s%s %U -> %U"
                    " l4 proto %d l4_valid %d port %d -> %d tcp flags (%s) %02x rsvd %x",
                    p5t->pkt.lc_index, p5t->l4.lsb_of_sw_if_index,
                    "ip4",
                    p5t->
                    pkt.is_nonfirst_fragment ? " non-initial fragment" : "",
                    format_ip4_address, &p5t->ip4_addr[0], format_ip4_address,
                    &p5t->ip4_addr[1], p5t->l4.proto, p5t->pkt.l4_valid,
                    p5t->l4.port[0], p5t->l4.port[1],
                    p5t->pkt.tcp_flags_valid ? "valid" : "invalid",
                    p5t->pkt.tcp_flags, p5t->pkt.flags_reserved);
 }

 #ifndef CLIB_MARCH_VARIANT
 u8 *
 format_acl_plugin_5tuple (u8 * s, va_list * args)
 {
   return format_fa_5tuple (s, args);
 }
 #endif

 /* packet trace format function */
 static u8 *
 format_acl_plugin_trace (u8 * s, va_list * args)
 {
   CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
   CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
   acl_fa_trace_t *t = va_arg (*args, acl_fa_trace_t *);

   s =
     format (s,
             "acl-plugin: lc_index: %d, sw_if_index %d, next index %d, action: %d, match: acl %d rule %d trace_bits %08x\n"
             "  pkt info %016llx %016llx %016llx %016llx %016llx %016llx",
             t->lc_index, t->sw_if_index, t->next_index, t->action,
             t->match_acl_in_index, t->match_rule_index, t->trace_bitmap,
             t->packet_info[0], t->packet_info[1], t->packet_info[2],
             t->packet_info[3], t->packet_info[4], t->packet_info[5]);

   /* Now also print out the packet_info in a form usable by humans */
   s = format (s, "\n   %U", format_fa_5tuple, t->packet_info);
   return s;
 }

 /* *INDENT-OFF* */

 static char *acl_fa_error_strings[] = {
 #define _(sym,string) string,
   foreach_acl_fa_error
 #undef _
 };

 VLIB_REGISTER_NODE (acl_in_l2_ip6_node) =
 {
   .name = "acl-plugin-in-ip6-l2",
   .vector_size = sizeof (u32),
   .format_trace = format_acl_plugin_trace,
   .type = VLIB_NODE_TYPE_INTERNAL,
   .n_errors = ARRAY_LEN (acl_fa_error_strings),
   .error_strings = acl_fa_error_strings,
   .n_next_nodes = ACL_FA_N_NEXT,
   .next_nodes =
   {
     [ACL_FA_ERROR_DROP] = "error-drop",
   }
 };

 VLIB_REGISTER_NODE (acl_in_l2_ip4_node) =
 {
   .name = "acl-plugin-in-ip4-l2",
   .vector_size = sizeof (u32),
   .format_trace = format_acl_plugin_trace,
   .type = VLIB_NODE_TYPE_INTERNAL,
   .n_errors = ARRAY_LEN (acl_fa_error_strings),
   .error_strings = acl_fa_error_strings,
   .n_next_nodes = ACL_FA_N_NEXT,
   .next_nodes =
   {
     [ACL_FA_ERROR_DROP] = "error-drop",
   }
 };

 VLIB_REGISTER_NODE (acl_out_l2_ip6_node) =
 {
   .name = "acl-plugin-out-ip6-l2",
   .vector_size = sizeof (u32),
   .format_trace = format_acl_plugin_trace,
   .type = VLIB_NODE_TYPE_INTERNAL,
   .n_errors = ARRAY_LEN (acl_fa_error_strings),
   .error_strings = acl_fa_error_strings,
   .n_next_nodes = ACL_FA_N_NEXT,
   .next_nodes =
   {
     [ACL_FA_ERROR_DROP] = "error-drop",
   }
 };

 VLIB_REGISTER_NODE (acl_out_l2_ip4_node) =
 {
   .name = "acl-plugin-out-ip4-l2",
   .vector_size = sizeof (u32),
   .format_trace = format_acl_plugin_trace,
   .type = VLIB_NODE_TYPE_INTERNAL,
   .n_errors = ARRAY_LEN (acl_fa_error_strings),
   .error_strings = acl_fa_error_strings,
   .n_next_nodes = ACL_FA_N_NEXT,
   .next_nodes =
   {
     [ACL_FA_ERROR_DROP] = "error-drop",
   }
 };


 VLIB_REGISTER_NODE (acl_in_fa_ip6_node) =
 {
   .name = "acl-plugin-in-ip6-fa",
   .vector_size = sizeof (u32),
   .format_trace = format_acl_plugin_trace,
   .type = VLIB_NODE_TYPE_INTERNAL,
   .n_errors = ARRAY_LEN (acl_fa_error_strings),
   .error_strings = acl_fa_error_strings,
   .n_next_nodes = ACL_FA_N_NEXT,
   .next_nodes =
   {
     [ACL_FA_ERROR_DROP] = "error-drop",
   }
 };

 VNET_FEATURE_INIT (acl_in_ip6_fa_feature, static) =
 {
   .arc_name = "ip6-unicast",
   .node_name = "acl-plugin-in-ip6-fa",
   .runs_before = VNET_FEATURES ("ip6-flow-classify"),
 };

 VLIB_REGISTER_NODE (acl_in_fa_ip4_node) =
 {
   .name = "acl-plugin-in-ip4-fa",
   .vector_size = sizeof (u32),
   .format_trace = format_acl_plugin_trace,
   .type = VLIB_NODE_TYPE_INTERNAL,
   .n_errors = ARRAY_LEN (acl_fa_error_strings),
   .error_strings = acl_fa_error_strings,
   .n_next_nodes = ACL_FA_N_NEXT,
   .next_nodes =
   {
     [ACL_FA_ERROR_DROP] = "error-drop",
   }
 };

 VNET_FEATURE_INIT (acl_in_ip4_fa_feature, static) =
 {
   .arc_name = "ip4-unicast",
   .node_name = "acl-plugin-in-ip4-fa",
   .runs_before = VNET_FEATURES ("ip4-flow-classify"),
 };


 VLIB_REGISTER_NODE (acl_out_fa_ip6_node) =
 {
   .name = "acl-plugin-out-ip6-fa",
   .vector_size = sizeof (u32),
   .format_trace = format_acl_plugin_trace,
   .type = VLIB_NODE_TYPE_INTERNAL,
   .n_errors = ARRAY_LEN (acl_fa_error_strings),
   .error_strings = acl_fa_error_strings,
   .n_next_nodes = ACL_FA_N_NEXT,
   .next_nodes =
   {
     [ACL_FA_ERROR_DROP] = "error-drop",
   }
 };

 VNET_FEATURE_INIT (acl_out_ip6_fa_feature, static) =
 {
   .arc_name = "ip6-output",
   .node_name = "acl-plugin-out-ip6-fa",
   .runs_before = VNET_FEATURES ("interface-output"),
 };

 VLIB_REGISTER_NODE (acl_out_fa_ip4_node) =
 {
   .name = "acl-plugin-out-ip4-fa",
   .vector_size = sizeof (u32),
   .format_trace = format_acl_plugin_trace,
   .type = VLIB_NODE_TYPE_INTERNAL,
   .n_errors = ARRAY_LEN (acl_fa_error_strings),
   .error_strings = acl_fa_error_strings,
   .n_next_nodes = ACL_FA_N_NEXT,
     /* edit / add dispositions here */
   .next_nodes =
   {
     [ACL_FA_ERROR_DROP] = "error-drop",
   }
 };

 VNET_FEATURE_INIT (acl_out_ip4_fa_feature, static) =
 {
   .arc_name = "ip4-output",
   .node_name = "acl-plugin-out-ip4-fa",
   .runs_before = VNET_FEATURES ("interface-output"),
 };

 /* *INDENT-ON* */

 /*
  * fd.io coding-style-patch-verification: ON
  *
  * Local Variables:
  * eval: (c-set-style "gnu")
  * End:
  */
acl_in_l2_ip4_node
vlib_node_registration_t acl_in_l2_ip4_node
(constructor) VLIB_REGISTER_NODE (acl_in_l2_ip4_node)
Definition: dataplane_node.c:351

vec_validate
#define vec_validate(V, I)
Make sure vector is long enough for given index (no header, unspecified alignment) ...
Definition: vec.h:437

acl_main_t::input_policy_epoch_by_sw_if_index
u32 * input_policy_epoch_by_sw_if_index
Definition: acl.h:184

acl_fa_add_session
static fa_session_t * acl_fa_add_session(acl_main_t *am, int is_input, int is_ip6, u32 sw_if_index, u64 now, fa_5tuple_t *p5tuple, u16 current_policy_epoch)
Definition: session_inlines.h:508

acl_main_t::fa_acl_in_ip4_l2_node_feat_next_node_index
u32 fa_acl_in_ip4_l2_node_feat_next_node_index[32]
Definition: acl.h:262

acl_fill_5tuple
static void acl_fill_5tuple(acl_main_t *am, u32 sw_if_index0, vlib_buffer_t *b0, int is_ip6, int is_input, int is_l2_path, fa_5tuple_t *p5tuple_pkt)
Definition: public_inlines.h:222

fa_session_l4_key_t::proto
u8 proto
Definition: fa_node.h:47

CLIB_UNUSED
#define CLIB_UNUSED(x)
Definition: clib.h:81

public_inlines.h

fa_full_session_id_t::intf_policy_epoch
u16 intf_policy_epoch
Definition: fa_node.h:114

acl_fa_conn_list_delete_session
static int acl_fa_conn_list_delete_session(acl_main_t *am, fa_full_session_id_t sess_id, u64 now)
Definition: session_inlines.h:185

acl_out_fa_ip4_node
vlib_node_registration_t acl_out_fa_ip4_node
(constructor) VLIB_REGISTER_NODE (acl_out_fa_ip4_node)
Definition: dataplane_node.c:410

ACL_FA_N_ERROR
Definition: dataplane_node.c:64

fa_5tuple_t::l4
fa_session_l4_key_t l4
Definition: fa_node.h:71

fa_5tuple_t::pkt
fa_packet_info_t pkt
Definition: fa_node.h:73

VLIB_NODE_TYPE_INTERNAL
Definition: node.h:61

acl_out_l2_ip6_node
vlib_node_registration_t acl_out_l2_ip6_node
(constructor) VLIB_REGISTER_NODE (acl_out_l2_ip6_node)
Definition: dataplane_node.c:362

acl_fa_error_t
acl_fa_error_t
Definition: dataplane_node.c:59

acl_in_fa_ip4_node
vlib_node_registration_t acl_in_fa_ip4_node
(constructor) VLIB_REGISTER_NODE (acl_in_fa_ip4_node)
Definition: dataplane_node.c:394

u64
unsigned long u64
Definition: types.h:89

acl_fa_trace_t::action
u8 action
Definition: dataplane_node.c:45

clib_cpu_time_now
static u64 clib_cpu_time_now(void)
Definition: time.h:73

acl_fa_ifc_has_sessions
static int acl_fa_ifc_has_sessions(acl_main_t *am, int sw_if_index0)
Definition: session_inlines.h:51

acl_fa_two_stage_delete_session
static int acl_fa_two_stage_delete_session(acl_main_t *am, u32 sw_if_index, fa_full_session_id_t sess_id, u64 now)
Definition: session_inlines.h:439

vlib_node_runtime_t::n_next_nodes
u16 n_next_nodes
Definition: node.h:511

acl_main_t::output_policy_epoch_by_sw_if_index
u32 * output_policy_epoch_by_sw_if_index
Definition: acl.h:185

format
u8 * format(u8 *s, const char *fmt,...)
Definition: format.c:419

acl_fa_node_fn
static uword acl_fa_node_fn(vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *frame, int is_ip6, int is_input, int is_l2_path, u32 *l2_feat_next_node_index, vlib_node_registration_t *acl_fa_node)
Definition: dataplane_node.c:83

VLIB_NODE_FN
#define VLIB_NODE_FN(node)
Definition: node.h:187

ACL_FA_ERROR_DROP
Definition: fa_node.h:207

fa_full_session_id_t::thread_index
u16 thread_index
Definition: fa_node.h:113

vlib_node_runtime_t::errors
vlib_error_t * errors
Vector of errors for this node.
Definition: node.h:472

acl_fa_trace_t::next_index
u32 next_index
Definition: dataplane_node.c:38

vlib_mains
vlib_main_t ** vlib_mains
Definition: buffer.c:303

u8
unsigned char u8
Definition: types.h:56

vlib_frame_t
Definition: node.h:386

vnet_l2_feature_next
static u32 vnet_l2_feature_next(vlib_buffer_t *b, u32 *next_nodes, u32 feat_bit)
Return the graph node index for the feature corresponding to the next set bit after clearing the curr...
Definition: feat_bitmap.h:94

acl_in_fa_ip6_node
vlib_node_registration_t acl_in_fa_ip6_node
(constructor) VLIB_REGISTER_NODE (acl_in_fa_ip6_node)
Definition: dataplane_node.c:386

acl_main_t::fa_acl_out_ip4_l2_node_feat_next_node_index
u32 fa_acl_out_ip4_l2_node_feat_next_node_index[32]
Definition: acl.h:264

fa_full_session_id_t
Definition: fa_node.h:108

get_session_ptr
static fa_session_t * get_session_ptr(acl_main_t *am, u16 thread_index, u32 session_index)
Definition: session_inlines.h:120

fa_packet_info_t::lc_index
u32 lc_index
Definition: fa_node.h:30

fa_session_l4_key_t::lsb_of_sw_if_index
u16 lsb_of_sw_if_index
Definition: fa_node.h:51

vlib_node_runtime_t
Definition: node.h:466

format_ip4_address
format_function_t format_ip4_address
Definition: format.h:75

VNET_FEATURE_INIT
VNET_FEATURE_INIT(acl_in_ip6_fa_feature, static)

fa_full_session_id_t::session_index
u32 session_index
Definition: fa_node.h:112

fa_packet_info_t::l4_valid
u8 l4_valid
Definition: fa_node.h:34

acl_out_fa_ip6_node
vlib_node_registration_t acl_out_fa_ip6_node
(constructor) VLIB_REGISTER_NODE (acl_out_fa_ip6_node)
Definition: dataplane_node.c:402

always_inline
#define always_inline
Definition: clib.h:94

acl_fa_trace_t::trace_bitmap
u32 trace_bitmap
Definition: dataplane_node.c:44

acl_fa_trace_t::sw_if_index
u32 sw_if_index
Definition: dataplane_node.c:39

u32
unsigned int u32
Definition: types.h:88

acl_fa_error_strings
static char * acl_fa_error_strings[]
Definition: dataplane_node.c:481

VLIB_FRAME_SIZE
#define VLIB_FRAME_SIZE
Definition: node.h:382

acl_main_t::fa_acl_out_ip6_l2_node_feat_next_node_index
u32 fa_acl_out_ip6_l2_node_feat_next_node_index[32]
Definition: acl.h:265

acl_fa_try_recycle_session
static void acl_fa_try_recycle_session(acl_main_t *am, int is_input, u16 thread_index, u32 sw_if_index, u64 now)
Definition: session_inlines.h:468

acl_fa_per_worker_data_t
Definition: fa_node.h:145

u16
unsigned short u16
Definition: types.h:57

acl.h

clib_bihash_kv_40_8_t::value
u64 value
Definition: bihash_40_8.h:34

acl_fa_per_worker_data_t::fa_session_epoch_change_by_sw_if_index
u64 * fa_session_epoch_change_by_sw_if_index
Definition: fa_node.h:163

acl_main_t::output_lc_index_by_sw_if_index
u32 * output_lc_index_by_sw_if_index
Definition: acl.h:162

PREDICT_FALSE
#define PREDICT_FALSE(x)
Definition: clib.h:107

get_current_policy_epoch
static u16 get_current_policy_epoch(acl_main_t *am, int is_input, u32 sw_if_index0)
Definition: dataplane_node.c:70

vnet.h

vlib_buffer_t::error
vlib_error_t error
Error code for buffers to be enqueued to error handler.
Definition: buffer.h:138

FA_POLICY_EPOCH_IS_INPUT
#define FA_POLICY_EPOCH_IS_INPUT
Definition: fa_node.h:103

vlib_node_increment_counter
static void vlib_node_increment_counter(vlib_main_t *vm, u32 node_index, u32 counter_index, u64 increment)
Definition: node_funcs.h:1176

foreach_acl_fa_error
#define foreach_acl_fa_error
Definition: dataplane_node.c:49

fa_node.h

acl_fa_trace_t::match_rule_index
u32 match_rule_index
Definition: dataplane_node.c:42

fa_full_session_id_t::as_u64
u64 as_u64
Definition: fa_node.h:110

VLIB_REGISTER_NODE
#define VLIB_REGISTER_NODE(x,...)
Definition: node.h:155

fa_packet_info_t::flags_reserved
u8 flags_reserved
Definition: fa_node.h:37

vlib_frame_t::n_vectors
u16 n_vectors
Definition: node.h:401

format_ip6_address
format_function_t format_ip6_address
Definition: format.h:93

vm
vlib_main_t * vm
Definition: buffer.c:294

vlib_buffer_enqueue_to_next
static_always_inline void vlib_buffer_enqueue_to_next(vlib_main_t *vm, vlib_node_runtime_t *node, u32 *buffers, u16 *nexts, uword count)
Definition: buffer_node.h:332

vnet_feature_next
static_always_inline void vnet_feature_next(u32 *next0, vlib_buffer_t *b0)
Definition: feature.h:246

acl_fa_trace_t::packet_info
u64 packet_info[6]
Definition: dataplane_node.c:43

fa_5tuple_t::kv_40_8
clib_bihash_kv_40_8_t kv_40_8
Definition: fa_node.h:75

clib_warning
#define clib_warning(format, args...)
Definition: error.h:59

vlib_node_get_runtime
static vlib_node_runtime_t * vlib_node_get_runtime(vlib_main_t *vm, u32 node_index)
Get node runtime by node index.
Definition: node_funcs.h:89

vlib_buffer_t
Definition: buffer.h:103

fa_session_l4_key_t::port
u16 port[2]
Definition: fa_node.h:44

fa_session_t::sw_if_index
u32 sw_if_index
Definition: fa_node.h:85

ARRAY_LEN
#define ARRAY_LEN(x)
Definition: clib.h:61

clib_bihash_kv_40_8_t::key
u64 key[5]
Definition: bihash_40_8.h:33

acl_fa_restart_timer_for_session
static int acl_fa_restart_timer_for_session(acl_main_t *am, u64 now, fa_full_session_id_t sess_id)
Definition: session_inlines.h:239

fa_packet_info_t::is_ip6
u8 is_ip6
Definition: fa_node.h:36

vlib.h

pg.h

acl_main_t
Definition: acl.h:128

acl_fa_find_session
static int acl_fa_find_session(acl_main_t *am, int is_ip6, u32 sw_if_index0, fa_5tuple_t *p5tuple, u64 *pvalue_sess)
Definition: session_inlines.h:579

fa_session_get_timeout_type
static int fa_session_get_timeout_type(acl_main_t *am, fa_session_t *sess)
Definition: session_inlines.h:71

ASSERT
#define ASSERT(truth)
Definition: error_bootstrap.h:69

fa_packet_info_t::tcp_flags_valid
u8 tcp_flags_valid
Definition: fa_node.h:33

acl_plugin_match_5tuple_inline
static int acl_plugin_match_5tuple_inline(void *p_acl_main, u32 lc_index, fa_5tuple_opaque_t *pkt_5tuple, int is_ip6, u8 *r_action, u32 *r_acl_pos_p, u32 *r_acl_match_p, u32 *r_rule_match_p, u32 *trace_bitmap)
Definition: public_inlines.h:668

acl_main
acl_main_t acl_main
Definition: acl.c:56

acl_fa_can_add_session
static int acl_fa_can_add_session(acl_main_t *am, int is_input, u32 sw_if_index)
Definition: session_inlines.h:458

session_inlines.h

bihash_40_8.h

VNET_FEATURES
#define VNET_FEATURES(...)
Definition: feature.h:386

acl_main_t::fa_acl_in_ip6_l2_node_feat_next_node_index
u32 fa_acl_in_ip6_l2_node_feat_next_node_index[32]
Definition: acl.h:263

vlib_add_trace
static void * vlib_add_trace(vlib_main_t *vm, vlib_node_runtime_t *r, vlib_buffer_t *b, u32 n_data_bytes)
Definition: trace_funcs.h:57

vec_elt
#define vec_elt(v, i)
Get vector value at index i.
Definition: vec_bootstrap.h:182

acl_out_l2_ip4_node
vlib_node_registration_t acl_out_l2_ip4_node
(constructor) VLIB_REGISTER_NODE (acl_out_l2_ip4_node)
Definition: dataplane_node.c:373

vlib_node_registration_t
struct _vlib_node_registration vlib_node_registration_t

ACL_FA_N_NEXT
Definition: fa_node.h:208

VLIB_TX
Definition: defs.h:47

icmp46_packet.h

vec_len
#define vec_len(v)
Number of elements in vector (rvalue-only, NULL tolerant)
Definition: vec_bootstrap.h:143

vlib_main_t
Definition: main.h:59

acl_main_t::per_worker_data
acl_fa_per_worker_data_t * per_worker_data
Definition: acl.h:305

uword
u64 uword
Definition: types.h:112

vlib_node_t
Definition: node.h:266

vlib_frame_vector_args
static void * vlib_frame_vector_args(vlib_frame_t *f)
Get pointer to frame vector data.
Definition: node_funcs.h:267

os_get_thread_index
static_always_inline uword os_get_thread_index(void)
Definition: os.h:62

fa_session_t
Definition: fa_node.h:82

acl_fa_track_session
static u8 acl_fa_track_session(acl_main_t *am, int is_input, u32 sw_if_index, u64 now, fa_session_t *sess, fa_5tuple_t *pkt_5tuple)
Definition: session_inlines.h:272

error.h

vnet_buffer
#define vnet_buffer(b)
Definition: buffer.h:344

fa_packet_info_t::tcp_flags
u8 tcp_flags
Definition: fa_node.h:32

bihash_template.h

format_fa_5tuple
static u8 * format_fa_5tuple(u8 *s, va_list *args)
Definition: dataplane_node.c:419

fa_5tuple_opaque_t
Definition: exported_types.h:25

acl_fa_trace_t::lc_index
u32 lc_index
Definition: dataplane_node.c:40

acl_fa_trace_t
Definition: dataplane_node.c:36

vlib_node_runtime_t::flags
u16 flags
Copy of main node flags.
Definition: node.h:507

fa_5tuple_t::ip4_addr
ip4_address_t ip4_addr[2]
Definition: fa_node.h:67

acl_main_t::reclassify_sessions
int reclassify_sessions
Definition: acl.h:188

format_acl_plugin_5tuple
u8 * format_acl_plugin_5tuple(u8 *s, va_list *args)
Definition: dataplane_node.c:451

acl_main_t::input_lc_index_by_sw_if_index
u32 * input_lc_index_by_sw_if_index
Definition: acl.h:161

vlib_get_buffers
static_always_inline void vlib_get_buffers(vlib_main_t *vm, u32 *bi, vlib_buffer_t **b, int count)
Translate array of buffer indices into buffer pointers.
Definition: buffer_funcs.h:141

VLIB_NODE_FLAG_TRACE
#define VLIB_NODE_FLAG_TRACE
Definition: node.h:310

vlib_buffer_t::flags
u32 flags
buffer flags:   VLIB_BUFFER_FREE_LIST_INDEX_MASK: bits used to store free list index,   VLIB_BUFFER_IS_TRACED: trace this buffer.
Definition: buffer.h:116

acl_fa_trace_t::match_acl_in_index
u32 match_acl_in_index
Definition: dataplane_node.c:41

format_acl_plugin_trace
static u8 * format_acl_plugin_trace(u8 *s, va_list *args)
Definition: dataplane_node.c:459

VLIB_RX
Definition: defs.h:46

acl_in_l2_ip6_node
vlib_node_registration_t acl_in_l2_ip6_node
(constructor) VLIB_REGISTER_NODE (acl_in_l2_ip6_node)
Definition: dataplane_node.c:340

lookup_context.h

fa_5tuple_t::ip6_addr
ip6_address_t ip6_addr[2]
Definition: fa_node.h:69

fa_5tuple_t
Definition: fa_node.h:58