FD.io VPP  v20.09-64-g4f7b92f0a
Vector Packet Processing
hash_lookup.c
Go to the documentation of this file.
1 /*
2  *------------------------------------------------------------------
3  * Copyright (c) 2017 Cisco and/or its affiliates.
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at:
7  *
8  * http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  *------------------------------------------------------------------
16  */
17 
18 #include <stddef.h>
19 #include <netinet/in.h>
20 
21 #include <vlibapi/api.h>
22 #include <vlibmemory/api.h>
23 
24 #include <vlib/vlib.h>
25 #include <vnet/vnet.h>
26 #include <vnet/pg/pg.h>
27 #include <vppinfra/error.h>
28 #include <vnet/plugin/plugin.h>
29 #include <acl/acl.h>
30 #include <vppinfra/bihash_48_8.h>
31 
32 #include "hash_lookup.h"
33 #include "hash_lookup_private.h"
34 
35 
37 {
38  applied_hash_ace_entry_t **applied_hash_aces = vec_elt_at_index(am->hash_entry_vec_by_lc_index, lc_index);
39 
40 /*is_input ? vec_elt_at_index(am->input_hash_entry_vec_by_sw_if_index, sw_if_index)
41  : vec_elt_at_index(am->output_hash_entry_vec_by_sw_if_index, sw_if_index);
42 */
43  return applied_hash_aces;
44 }
45 
46 
47 static void
49 {
50  DBG("HASH ADD/DEL: %016llx %016llx %016llx %016llx %016llx %016llx %016llx add %d",
51  kv->key[0], kv->key[1], kv->key[2],
52  kv->key[3], kv->key[4], kv->key[5], kv->value, is_add);
53  BV (clib_bihash_add_del) (&am->acl_lookup_hash, kv, is_add);
54 }
55 
56 /*
57  * TupleMerge
58  *
59  * Initial adaptation by Valerio Bruschi (valerio.bruschi@telecom-paristech.fr)
60  * based on the TupleMerge [1] simulator kindly made available
61  * by James Daly (dalyjamese@gmail.com) and Eric Torng (torng@cse.msu.edu)
62  * ( http://www.cse.msu.edu/~dalyjame/ or http://www.cse.msu.edu/~torng/ ),
63  * refactoring by Andrew Yourtchenko.
64  *
65  * [1] James Daly, Eric Torng "TupleMerge: Building Online Packet Classifiers
66  * by Omitting Bits", In Proc. IEEE ICCCN 2017, pp. 1-10
67  *
68  */
69 
70 static int
72 {
73  int counter = 0;
74  while (word)
75  {
76  counter += word & 1;
77  word >>= 1;
78  }
79  return counter;
80 }
81 
82 /* check if mask2 can be contained by mask1 */
83 static u8
85 {
86  int i;
87  if (is_ip6)
88  {
89  for (i = 0; i < 2; i++)
90  {
91  if ((mask1->ip6_addr[0].as_u64[i] & mask2->ip6_addr[0].as_u64[i]) !=
92  mask1->ip6_addr[0].as_u64[i])
93  return 0;
94  if ((mask1->ip6_addr[1].as_u64[i] & mask2->ip6_addr[1].as_u64[i]) !=
95  mask1->ip6_addr[1].as_u64[i])
96  return 0;
97  }
98  }
99  else
100  {
101  /* check the pads, both masks must have it 0 */
102  u32 padcheck = 0;
103  int i;
104  for (i=0; i<6; i++) {
105  padcheck |= mask1->l3_zero_pad[i];
106  padcheck |= mask2->l3_zero_pad[i];
107  }
108  if (padcheck != 0)
109  return 0;
110  if ((mask1->ip4_addr[0].as_u32 & mask2->ip4_addr[0].as_u32) !=
111  mask1->ip4_addr[0].as_u32)
112  return 0;
113  if ((mask1->ip4_addr[1].as_u32 & mask2->ip4_addr[1].as_u32) !=
114  mask1->ip4_addr[1].as_u32)
115  return 0;
116  }
117 
118  /* take care if port are not exact-match */
119  if ((mask1->l4.as_u64 & mask2->l4.as_u64) != mask1->l4.as_u64)
120  return 0;
121 
122  if ((mask1->pkt.as_u64 & mask2->pkt.as_u64) != mask1->pkt.as_u64)
123  return 0;
124 
125  return 1;
126 }
127 
128 
129 
130 /*
131  * TupleMerge:
132  *
133  * Consider the situation when we have to create a new table
134  * T for a given rule R. This occurs for the first rule inserted and
135  * for later rules if it is incompatible with all existing tables.
136  * In this event, we need to determine mT for a new table.
137  * Setting mT = mR is not a good strategy; if another similar,
138  * but slightly less specific, rule appears we will be unable to
139  * add it to T and will thus have to create another new table. We
140  * thus consider two factors: is the rule more strongly aligned
141  * with source or destination addresses (usually the two most
142  * important fields) and how much slack needs to be given to
143  * allow for other rules. If the source and destination addresses
144  * are close together (within 4 bits for our experiments), we use
145  * both of them. Otherwise, we drop the smaller (less specific)
146  * address and its associated port field from consideration; R is
147  * predominantly aligned with one of the two fields and should
148  * be grouped with other similar rules. This is similar to TSS
149  * dropping port fields, but since it is based on observable rule
150  * characteristics it is more likely to keep important fields and
151  * discard less useful ones.
152  * We then look at the absolute lengths of the addresses. If
153  * the address is long, we are more likely to try to add shorter
154  * lengths and likewise the reverse. We thus remove a few bits
155  * from both address fields with more bits removed from longer
156  * addresses. For 32 bit addresses, we remove 4 bits, 3 for more
157  * than 24, 2 for more than 16, and so on (so 8 and fewer bits
158  * don’t have any removed). We only do this for prefix fields like
159  * addresses; both range fields (like ports) and exact match fields
160  * (like protocol) should remain as they are.
161  */
162 
163 
164 static u32
165 shift_ip4_if(u32 mask, u32 thresh, int numshifts, u32 else_val)
166 {
167  if (mask > thresh)
168  return clib_host_to_net_u32((clib_net_to_host_u32(mask) << numshifts) & 0xFFFFFFFF);
169  else
170  return else_val;
171 }
172 
173 static void
174 relax_ip4_addr(ip4_address_t *ip4_mask, int relax2) {
175  int shifts_per_relax[2][4] = { { 6, 5, 4, 2 }, { 3, 2, 1, 1 } };
176 
177  int *shifts = shifts_per_relax[relax2];
178  if(ip4_mask->as_u32 == 0xffffffff)
179  ip4_mask->as_u32 = clib_host_to_net_u32((clib_net_to_host_u32(ip4_mask->as_u32) << shifts[0])&0xFFFFFFFF);
180  else
181  ip4_mask->as_u32 = shift_ip4_if(ip4_mask->as_u32, 0xffffff00, shifts[1],
182  shift_ip4_if(ip4_mask->as_u32, 0xffff0000, shifts[2],
183  shift_ip4_if(ip4_mask->as_u32, 0xff000000, shifts[3], ip4_mask->as_u32)));
184 }
185 
186 static void
187 relax_ip6_addr(ip6_address_t *ip6_mask, int relax2) {
188  /*
189  * This "better than nothing" relax logic is based on heuristics
190  * from IPv6 knowledge, and may not be optimal.
191  * Some further tuning may be needed in the future.
192  */
193  if (ip6_mask->as_u64[0] == 0xffffffffffffffffULL) {
194  if (ip6_mask->as_u64[1] == 0xffffffffffffffffULL) {
195  /* relax a /128 down to /64 - likely to have more hosts */
196  ip6_mask->as_u64[1] = 0;
197  } else if (ip6_mask->as_u64[1] == 0) {
198  /* relax a /64 down to /56 - likely to have more subnets */
199  ip6_mask->as_u64[0] = clib_host_to_net_u64(0xffffffffffffff00ULL);
200  }
201  }
202 }
203 
204 static void
205 relax_tuple(fa_5tuple_t *mask, int is_ip6, int relax2){
206  fa_5tuple_t save_mask = *mask;
207 
208  int counter_s = 0, counter_d = 0;
209  if (is_ip6) {
210  int i;
211  for(i=0; i<2; i++){
212  counter_s += count_bits(mask->ip6_addr[0].as_u64[i]);
213  counter_d += count_bits(mask->ip6_addr[1].as_u64[i]);
214  }
215  } else {
216  counter_s += count_bits(mask->ip4_addr[0].as_u32);
217  counter_d += count_bits(mask->ip4_addr[1].as_u32);
218  }
219 
220 /*
221  * is the rule more strongly aligned with source or destination addresses
222  * (usually the two most important fields) and how much slack needs to be
223  * given to allow for other rules. If the source and destination addresses
224  * are close together (within 4 bits for our experiments), we use both of them.
225  * Otherwise, we drop the smaller (less specific) address and its associated
226  * port field from consideration
227  */
228  const int deltaThreshold = 4;
229  /* const int deltaThreshold = 8; if IPV6? */
230  int delta = counter_s - counter_d;
231  if (-delta > deltaThreshold) {
232  if (is_ip6)
233  mask->ip6_addr[0].as_u64[1] = mask->ip6_addr[0].as_u64[0] = 0;
234  else
235  mask->ip4_addr[0].as_u32 = 0;
236  mask->l4.port[0] = 0;
237  } else if (delta > deltaThreshold) {
238  if (is_ip6)
239  mask->ip6_addr[1].as_u64[1] = mask->ip6_addr[1].as_u64[0] = 0;
240  else
241  mask->ip4_addr[1].as_u32 = 0;
242  mask->l4.port[1] = 0;
243  }
244 
245  if (is_ip6) {
246  relax_ip6_addr(&mask->ip6_addr[0], relax2);
247  relax_ip6_addr(&mask->ip6_addr[1], relax2);
248  } else {
249  relax_ip4_addr(&mask->ip4_addr[0], relax2);
250  relax_ip4_addr(&mask->ip4_addr[1], relax2);
251  }
252  mask->pkt.is_nonfirst_fragment = 0;
253  mask->pkt.l4_valid = 0;
254  if(!first_mask_contains_second_mask(is_ip6, mask, &save_mask)){
255  DBG( "TM-relaxing-ERROR");
256  *mask = save_mask;
257  }
258  DBG( "TM-relaxing-end");
259 }
260 
261 static u32
263 {
265  /* *INDENT-OFF* */
267  ({
268  if(memcmp(&mte->mask, mask, sizeof(*mask)) == 0)
269  return (mte - am->ace_mask_type_pool);
270  }));
271  /* *INDENT-ON* */
272  return ~0;
273 }
274 
275 static u32
277 {
278  u32 mask_type_index = find_mask_type_index(am, mask);
280  if(~0 == mask_type_index) {
282  mask_type_index = mte - am->ace_mask_type_pool;
283  clib_memcpy_fast(&mte->mask, mask, sizeof(mte->mask));
284  mte->refcount = 0;
285 
286  /*
287  * We can use only 16 bits, since in the match there is only u16 field.
288  * Realistically, once you go to 64K of mask types, it is a huge
289  * problem anyway, so we might as well stop half way.
290  */
291  ASSERT(mask_type_index < 32768);
292  }
293  mte = am->ace_mask_type_pool + mask_type_index;
294  mte->refcount++;
295  DBG0("ASSIGN MTE index %d new refcount %d", mask_type_index, mte->refcount);
296  return mask_type_index;
297 }
298 
299 static void
300 lock_mask_type_index(acl_main_t *am, u32 mask_type_index)
301 {
302  DBG0("LOCK MTE index %d", mask_type_index);
303  ace_mask_type_entry_t *mte = pool_elt_at_index(am->ace_mask_type_pool, mask_type_index);
304  mte->refcount++;
305  DBG0("LOCK MTE index %d new refcount %d", mask_type_index, mte->refcount);
306 }
307 
308 
309 static void
311 {
312  DBG0("RELEAS MTE index %d", mask_type_index);
313  ace_mask_type_entry_t *mte = pool_elt_at_index(am->ace_mask_type_pool, mask_type_index);
314  mte->refcount--;
315  DBG0("RELEAS MTE index %d new refcount %d", mask_type_index, mte->refcount);
316  if (mte->refcount == 0) {
317  /* we are not using this entry anymore */
318  clib_memset(mte, 0xae, sizeof(*mte));
319  pool_put(am->ace_mask_type_pool, mte);
320  }
321 }
322 
323 
324 static u32
326 {
327  u32 mask_type_index = ~0;
328  u32 for_mask_type_index = ~0;
329  ace_mask_type_entry_t *mte = 0;
330  int order_index;
331  /* look for existing mask comparable with the one in input */
332 
333  hash_applied_mask_info_t **hash_applied_mask_info_vec = vec_elt_at_index(am->hash_applied_mask_info_vec_by_lc_index, lc_index);
335 
336  if (vec_len(*hash_applied_mask_info_vec) > 0) {
337  for(order_index = vec_len((*hash_applied_mask_info_vec)) -1; order_index >= 0; order_index--) {
338  minfo = vec_elt_at_index((*hash_applied_mask_info_vec), order_index);
339  for_mask_type_index = minfo->mask_type_index;
340  mte = vec_elt_at_index(am->ace_mask_type_pool, for_mask_type_index);
341  if(first_mask_contains_second_mask(is_ip6, &mte->mask, mask)){
342  mask_type_index = (mte - am->ace_mask_type_pool);
343  lock_mask_type_index(am, mask_type_index);
344  break;
345  }
346  }
347  }
348 
349  if(~0 == mask_type_index) {
350  /* if no mask is found, then let's use a relaxed version of the original one, in order to be used by new ace_entries */
351  DBG( "TM-assigning mask type index-new one");
352  fa_5tuple_t relaxed_mask = *mask;
353  relax_tuple(&relaxed_mask, is_ip6, 0);
354  mask_type_index = assign_mask_type_index(am, &relaxed_mask);
355 
356  hash_applied_mask_info_t **hash_applied_mask_info_vec = vec_elt_at_index(am->hash_applied_mask_info_vec_by_lc_index, lc_index);
357 
358  int spot = vec_len((*hash_applied_mask_info_vec));
359  vec_validate((*hash_applied_mask_info_vec), spot);
360  minfo = vec_elt_at_index((*hash_applied_mask_info_vec), spot);
361  minfo->mask_type_index = mask_type_index;
362  minfo->num_entries = 0;
363  minfo->max_collisions = 0;
364  minfo->first_rule_index = ~0;
365 
366  /*
367  * We can use only 16 bits, since in the match there is only u16 field.
368  * Realistically, once you go to 64K of mask types, it is a huge
369  * problem anyway, so we might as well stop half way.
370  */
371  ASSERT(mask_type_index < 32768);
372  }
373  mte = am->ace_mask_type_pool + mask_type_index;
374  DBG0("TM-ASSIGN MTE index %d new refcount %d", mask_type_index, mte->refcount);
375  return mask_type_index;
376 }
377 
378 
379 static void
381  applied_hash_ace_entry_t **applied_hash_aces,
382  u32 lc_index,
383  u32 new_index, clib_bihash_kv_48_8_t *kv)
384 {
385  fa_5tuple_t *kv_key = (fa_5tuple_t *)kv->key;
387  applied_hash_ace_entry_t *pae = vec_elt_at_index((*applied_hash_aces), new_index);
389 
390  /* apply the mask to ace key */
393 
394  u64 *pmatch = (u64 *) &ace_info->match;
395  u64 *pmask = (u64 *)&mte->mask;
396  u64 *pkey = (u64 *)kv->key;
397 
398  *pkey++ = *pmatch++ & *pmask++;
399  *pkey++ = *pmatch++ & *pmask++;
400  *pkey++ = *pmatch++ & *pmask++;
401  *pkey++ = *pmatch++ & *pmask++;
402  *pkey++ = *pmatch++ & *pmask++;
403  *pkey++ = *pmatch++ & *pmask++;
404 
405  kv_key->pkt.mask_type_index_lsb = pae->mask_type_index;
406  kv_key->pkt.lc_index = lc_index;
407  kv_val->as_u64 = 0;
408  kv_val->applied_entry_index = new_index;
409 }
410 
411 static void
413  u32 lc_index,
414  applied_hash_ace_entry_t **applied_hash_aces,
415  u32 index, int is_add)
416 {
418 
419  fill_applied_hash_ace_kv(am, applied_hash_aces, lc_index, index, &kv);
420  hashtable_add_del(am, &kv, is_add);
421 }
422 
423 
424 static void
427  applied_hash_aces, u32 lc_index)
428 {
429  DBG0("remake applied hash mask info lc_index %d", lc_index);
430  hash_applied_mask_info_t *new_hash_applied_mask_info_vec =
432 
434  int i;
435  for (i = 0; i < vec_len ((*applied_hash_aces)); i++)
436  {
438  vec_elt_at_index ((*applied_hash_aces), i);
439 
440  /* check if mask_type_index is already there */
441  u32 new_pointer = vec_len (new_hash_applied_mask_info_vec);
442  int search;
443  for (search = 0; search < vec_len (new_hash_applied_mask_info_vec);
444  search++)
445  {
446  minfo = vec_elt_at_index (new_hash_applied_mask_info_vec, search);
447  if (minfo->mask_type_index == pae->mask_type_index)
448  break;
449  }
450 
451  vec_validate ((new_hash_applied_mask_info_vec), search);
452  minfo = vec_elt_at_index ((new_hash_applied_mask_info_vec), search);
453  if (search == new_pointer)
454  {
455  DBG0("remaking index %d", search);
456  minfo->mask_type_index = pae->mask_type_index;
457  minfo->num_entries = 0;
458  minfo->max_collisions = 0;
459  minfo->first_rule_index = ~0;
460  }
461 
462  minfo->num_entries = minfo->num_entries + 1;
463 
464  if (vec_len (pae->colliding_rules) > minfo->max_collisions)
465  minfo->max_collisions = vec_len (pae->colliding_rules);
466 
467  if (minfo->first_rule_index > i)
468  minfo->first_rule_index = i;
469  }
470 
471  hash_applied_mask_info_t **hash_applied_mask_info_vec =
473 
474  vec_free ((*hash_applied_mask_info_vec));
475  (*hash_applied_mask_info_vec) = new_hash_applied_mask_info_vec;
476 }
477 
478 static void
480  u32 applied_entry_index)
481 {
482  u32 i = 0;
483  u32 deleted = 0;
484  while (i < _vec_len ((*pvec)))
485  {
486  collision_match_rule_t *cr = vec_elt_at_index ((*pvec), i);
487  if (cr->applied_entry_index == applied_entry_index)
488  {
489  /* vec_del1 ((*pvec), i) would be more efficient but would reorder the elements. */
490  vec_delete((*pvec), 1, i);
491  deleted++;
492  DBG0("vec_del_collision_rule deleting one at index %d", i);
493  }
494  else
495  {
496  i++;
497  }
498  }
499  ASSERT(deleted > 0);
500 }
501 
502 static void
504 
505 static void
507  u32 head_index, u32 applied_entry_index)
508 {
509  DBG0("DEL COLLIDING RULE: head_index %d applied index %d", head_index, applied_entry_index);
510 
511 
512  applied_hash_ace_entry_t *head_pae =
513  vec_elt_at_index ((*applied_hash_aces), head_index);
514  if (ACL_HASH_LOOKUP_DEBUG > 0)
515  acl_plugin_print_pae(acl_main.vlib_main, head_index, head_pae);
516  vec_del_collision_rule (&head_pae->colliding_rules, applied_entry_index);
517  if (vec_len(head_pae->colliding_rules) == 0) {
518  vec_free(head_pae->colliding_rules);
519  }
520  if (ACL_HASH_LOOKUP_DEBUG > 0)
521  acl_plugin_print_pae(acl_main.vlib_main, head_index, head_pae);
522 }
523 
524 static void
526  applied_hash_ace_entry_t ** applied_hash_aces,
527  u32 head_index, u32 applied_entry_index)
528 {
529  applied_hash_ace_entry_t *head_pae =
530  vec_elt_at_index ((*applied_hash_aces), head_index);
532  vec_elt_at_index ((*applied_hash_aces), applied_entry_index);
533  DBG0("ADD COLLIDING RULE: head_index %d applied index %d", head_index, applied_entry_index);
534  if (ACL_HASH_LOOKUP_DEBUG > 0)
535  acl_plugin_print_pae(acl_main.vlib_main, head_index, head_pae);
536 
538 
539  cr.acl_index = pae->acl_index;
540  cr.ace_index = pae->ace_index;
541  cr.acl_position = pae->acl_position;
542  cr.applied_entry_index = applied_entry_index;
543  cr.rule = am->acls[pae->acl_index].rules[pae->ace_index];
544  pae->collision_head_ae_index = head_index;
545  vec_add1 (head_pae->colliding_rules, cr);
546  if (ACL_HASH_LOOKUP_DEBUG > 0)
547  acl_plugin_print_pae(acl_main.vlib_main, head_index, head_pae);
548 }
549 
550 static u32
552  u32 lc_index,
553  applied_hash_ace_entry_t **applied_hash_aces,
554  u32 new_index)
555 {
557  ASSERT(new_index != ~0);
558  DBG("activate_applied_ace_hash_entry lc_index %d new_index %d", lc_index, new_index);
559 
560  fill_applied_hash_ace_kv(am, applied_hash_aces, lc_index, new_index, &kv);
561 
562  DBG("APPLY ADD KY: %016llx %016llx %016llx %016llx %016llx %016llx",
563  kv.key[0], kv.key[1], kv.key[2],
564  kv.key[3], kv.key[4], kv.key[5]);
565 
566  clib_bihash_kv_48_8_t result;
567  hash_acl_lookup_value_t *result_val = (hash_acl_lookup_value_t *)&result.value;
568  int res = BV (clib_bihash_search) (&am->acl_lookup_hash, &kv, &result);
569  ASSERT(new_index != ~0);
570  ASSERT(new_index < vec_len((*applied_hash_aces)));
571  if (res == 0) {
572  u32 first_index = result_val->applied_entry_index;
573  ASSERT(first_index != ~0);
574  ASSERT(first_index < vec_len((*applied_hash_aces)));
575  /* There already exists an entry or more. Append at the end. */
576  DBG("A key already exists, with applied entry index: %d", first_index);
577  add_colliding_rule(am, applied_hash_aces, first_index, new_index);
578  return first_index;
579  } else {
580  /* It's the very first entry */
581  hashtable_add_del(am, &kv, 1);
582  ASSERT(new_index != ~0);
583  add_colliding_rule(am, applied_hash_aces, new_index, new_index);
584  return new_index;
585  }
586 }
587 
588 
589 static void *
591 {
592  if (0 == am->hash_lookup_mheap) {
593  am->hash_lookup_mheap = mheap_alloc_with_lock (0 /* use VM */ ,
595  1 /* locked */);
596  if (0 == am->hash_lookup_mheap) {
597  clib_error("ACL plugin failed to allocate lookup heap of %U bytes",
599  }
600  /*
601  * DLMALLOC is being "helpful" in that it ignores the heap size parameter
602  * by default and tries to allocate the larger amount of memory.
603  *
604  * Pin the heap so this does not happen and if we run out of memory
605  * in this heap, we will bail out with "out of memory", rather than
606  * an obscure error sometime later.
607  */
609  }
610  void *oldheap = clib_mem_set_heap(am->hash_lookup_mheap);
611  return oldheap;
612 }
613 
614 void
616 {
617  acl_main_t *am = &acl_main;
619 }
620 
621 void
623 {
624  acl_main_t *am = &acl_main;
626 }
627 
628 static void
630 {
633 
636  /*
637  * Start taking base_mask associated to ace, and essentially copy it.
638  * With TupleMerge we will assign a relaxed mask here.
639  */
641  mask = mte->mask;
642  if (am->use_tuple_merge)
643  pae->mask_type_index = tm_assign_mask_type_index(am, &mask, is_ip6, lc_index);
644  else
645  pae->mask_type_index = assign_mask_type_index(am, &mask);
646 }
647 
648 static void
649 split_partition(acl_main_t *am, u32 first_index,
650  u32 lc_index, int is_ip6);
651 
652 
653 static void
655 {
656  applied_hash_ace_entry_t **applied_hash_aces = get_applied_hash_aces(am, lc_index);
657  applied_hash_ace_entry_t *first_pae = vec_elt_at_index((*applied_hash_aces), first_index);
658  if (vec_len(first_pae->colliding_rules) > am->tuple_merge_split_threshold) {
659  split_partition(am, first_index, lc_index, is_ip6);
660  }
661 }
662 
663 void
664 hash_acl_apply(acl_main_t *am, u32 lc_index, int acl_index, u32 acl_position)
665 {
666  int i;
667 
668  DBG0("HASH ACL apply: lc_index %d acl %d", lc_index, acl_index);
669  if (!am->acl_lookup_hash_initialized) {
670  BV (clib_bihash_init) (&am->acl_lookup_hash, "ACL plugin rule lookup bihash",
673  }
674 
675  void *oldheap = hash_acl_set_heap(am);
677  vec_validate(am->hash_acl_infos, acl_index);
678  applied_hash_ace_entry_t **applied_hash_aces = get_applied_hash_aces(am, lc_index);
679 
680  hash_acl_info_t *ha = vec_elt_at_index(am->hash_acl_infos, acl_index);
681  u32 **hash_acl_applied_lc_index = &ha->lc_index_list;
682 
683  int base_offset = vec_len(*applied_hash_aces);
684 
685  /* Update the bitmap of the mask types with which the lookup
686  needs to happen for the ACLs applied to this lc_index */
688  vec_validate((*applied_hash_acls), lc_index);
689  applied_hash_acl_info_t *pal = vec_elt_at_index((*applied_hash_acls), lc_index);
690 
691  /* ensure the list of applied hash acls is initialized and add this acl# to it */
692  u32 index = vec_search(pal->applied_acls, acl_index);
693  if (index != ~0) {
694  clib_warning("BUG: trying to apply twice acl_index %d on lc_index %d, according to lc",
695  acl_index, lc_index);
696  goto done;
697  }
698  vec_add1(pal->applied_acls, acl_index);
699  u32 index2 = vec_search((*hash_acl_applied_lc_index), lc_index);
700  if (index2 != ~0) {
701  clib_warning("BUG: trying to apply twice acl_index %d on lc_index %d, according to hash h-acl info",
702  acl_index, lc_index);
703  goto done;
704  }
705  vec_add1((*hash_acl_applied_lc_index), lc_index);
706 
707  /*
708  * if the applied ACL is empty, the current code will cause a
709  * different behavior compared to current linear search: an empty ACL will
710  * simply fallthrough to the next ACL, or the default deny in the end.
711  *
712  * This is not a problem, because after vpp-dev discussion,
713  * the consensus was it should not be possible to apply the non-existent
714  * ACL, so the change adding this code also takes care of that.
715  */
716 
717 
719 
720  /* since we know (in case of no split) how much we expand, preallocate that space */
721  if (vec_len(ha->rules) > 0) {
722  int old_vec_len = vec_len(*applied_hash_aces);
723  vec_validate((*applied_hash_aces), old_vec_len + vec_len(ha->rules) - 1);
724  _vec_len((*applied_hash_aces)) = old_vec_len;
725  }
726 
727  /* add the rules from the ACL to the hash table for lookup and append to the vector*/
728  for(i=0; i < vec_len(ha->rules); i++) {
729  /*
730  * Expand the applied aces vector to fit a new entry.
731  * One by one not to upset split_partition() if it is called.
732  */
733  vec_resize((*applied_hash_aces), 1);
734 
735  int is_ip6 = ha->rules[i].match.pkt.is_ip6;
736  u32 new_index = base_offset + i;
737  applied_hash_ace_entry_t *pae = vec_elt_at_index((*applied_hash_aces), new_index);
738  pae->acl_index = acl_index;
739  pae->ace_index = ha->rules[i].ace_index;
740  pae->acl_position = acl_position;
741  pae->action = ha->rules[i].action;
742  pae->hitcount = 0;
743  pae->hash_ace_info_index = i;
744  /* we might link it in later */
745  pae->collision_head_ae_index = ~0;
746  pae->colliding_rules = NULL;
747  pae->mask_type_index = ~0;
748  assign_mask_type_index_to_pae(am, lc_index, is_ip6, pae);
749  u32 first_index = activate_applied_ace_hash_entry(am, lc_index, applied_hash_aces, new_index);
750  if (am->use_tuple_merge)
751  check_collision_count_and_maybe_split(am, lc_index, is_ip6, first_index);
752  }
753  remake_hash_applied_mask_info_vec(am, applied_hash_aces, lc_index);
754 done:
755  clib_mem_set_heap (oldheap);
756 }
757 
758 static u32
760 {
761  ASSERT(curr_index != ~0);
762  applied_hash_ace_entry_t *pae = vec_elt_at_index((*applied_hash_aces), curr_index);
763  ASSERT(pae);
764  ASSERT(pae->collision_head_ae_index != ~0);
765  return pae->collision_head_ae_index;
766 }
767 
768 static void
769 set_collision_head_ae_index(applied_hash_ace_entry_t **applied_hash_aces, collision_match_rule_t *colliding_rules, u32 new_index)
770 {
772  vec_foreach(cr, colliding_rules) {
773  applied_hash_ace_entry_t *pae = vec_elt_at_index((*applied_hash_aces), cr->applied_entry_index);
774  pae->collision_head_ae_index = new_index;
775  }
776 }
777 
778 static void
780  u32 lc_index,
781  applied_hash_ace_entry_t **applied_hash_aces,
782  u32 old_index, u32 new_index)
783 {
784  ASSERT(old_index != ~0);
785  ASSERT(new_index != ~0);
786  /* move the entry */
787  *vec_elt_at_index((*applied_hash_aces), new_index) = *vec_elt_at_index((*applied_hash_aces), old_index);
788 
789  /* update the linkage and hash table if necessary */
790  applied_hash_ace_entry_t *pae = vec_elt_at_index((*applied_hash_aces), old_index);
791  applied_hash_ace_entry_t *new_pae = vec_elt_at_index((*applied_hash_aces), new_index);
792 
793  if (ACL_HASH_LOOKUP_DEBUG > 0) {
794  clib_warning("Moving pae from %d to %d", old_index, new_index);
795  acl_plugin_print_pae(am->vlib_main, old_index, pae);
796  }
797 
798  if (pae->collision_head_ae_index == old_index) {
799  /* first entry - so the hash points to it, update */
800  add_del_hashtable_entry(am, lc_index,
801  applied_hash_aces, new_index, 1);
802  }
803  if (new_pae->colliding_rules) {
804  /* update the information within the collision rule entry */
805  ASSERT(vec_len(new_pae->colliding_rules) > 0);
807  ASSERT(cr->applied_entry_index == old_index);
808  cr->applied_entry_index = new_index;
809  set_collision_head_ae_index(applied_hash_aces, new_pae->colliding_rules, new_index);
810  } else {
811  /* find the index in the collision rule entry on the head element */
812  u32 head_index = find_head_applied_ace_index(applied_hash_aces, new_index);
813  ASSERT(head_index != ~0);
814  applied_hash_ace_entry_t *head_pae = vec_elt_at_index((*applied_hash_aces), head_index);
815  ASSERT(vec_len(head_pae->colliding_rules) > 0);
816  u32 i;
817  for (i=0; i<vec_len(head_pae->colliding_rules); i++) {
819  if (cr->applied_entry_index == old_index) {
820  cr->applied_entry_index = new_index;
821  }
822  }
823  if (ACL_HASH_LOOKUP_DEBUG > 0) {
824  clib_warning("Head pae at index %d after adjustment", head_index);
825  acl_plugin_print_pae(am->vlib_main, head_index, head_pae);
826  }
827  }
828  /* invalidate the old entry */
829  pae->collision_head_ae_index = ~0;
830  pae->colliding_rules = NULL;
831 }
832 
833 static void
835  u32 lc_index,
836  applied_hash_ace_entry_t **applied_hash_aces,
837  u32 old_index)
838 {
839  applied_hash_ace_entry_t *pae = vec_elt_at_index((*applied_hash_aces), old_index);
840  DBG("UNAPPLY DEACTIVATE: lc_index %d applied index %d", lc_index, old_index);
841  if (ACL_HASH_LOOKUP_DEBUG > 0) {
842  clib_warning("Deactivating pae at index %d", old_index);
843  acl_plugin_print_pae(am->vlib_main, old_index, pae);
844  }
845 
846  if (pae->collision_head_ae_index != old_index) {
847  DBG("UNAPPLY = index %d has collision head %d", old_index, pae->collision_head_ae_index);
848 
849  u32 head_index = find_head_applied_ace_index(applied_hash_aces, old_index);
850  ASSERT(head_index != ~0);
851  del_colliding_rule(applied_hash_aces, head_index, old_index);
852 
853  } else {
854  /* It was the first entry. We need either to reset the hash entry or delete it */
855  /* delete our entry from the collision vector first */
856  del_colliding_rule(applied_hash_aces, old_index, old_index);
857  if (vec_len(pae->colliding_rules) > 0) {
858  u32 next_pae_index = pae->colliding_rules[0].applied_entry_index;
859  applied_hash_ace_entry_t *next_pae = vec_elt_at_index((*applied_hash_aces), next_pae_index);
860  /* Remove ourselves and transfer the ownership of the colliding rules vector */
861  next_pae->colliding_rules = pae->colliding_rules;
862  set_collision_head_ae_index(applied_hash_aces, next_pae->colliding_rules, next_pae_index);
863  add_del_hashtable_entry(am, lc_index,
864  applied_hash_aces, next_pae_index, 1);
865  } else {
866  /* no next entry, so just delete the entry in the hash table */
867  add_del_hashtable_entry(am, lc_index,
868  applied_hash_aces, old_index, 0);
869  }
870  }
871  DBG0("Releasing mask type index %d for pae index %d on lc_index %d", pae->mask_type_index, old_index, lc_index);
873  /* invalidate the old entry */
874  pae->mask_type_index = ~0;
875  pae->collision_head_ae_index = ~0;
876  /* always has to be 0 */
877  pae->colliding_rules = NULL;
878 }
879 
880 
881 void
883 {
884  int i;
885 
886  DBG0("HASH ACL unapply: lc_index %d acl %d", lc_index, acl_index);
888  applied_hash_acl_info_t *pal = vec_elt_at_index((*applied_hash_acls), lc_index);
889 
890  hash_acl_info_t *ha = vec_elt_at_index(am->hash_acl_infos, acl_index);
891  u32 **hash_acl_applied_lc_index = &ha->lc_index_list;
892 
893  if (ACL_HASH_LOOKUP_DEBUG > 0) {
894  clib_warning("unapplying acl %d", acl_index);
898  }
899 
900  /* remove this acl# from the list of applied hash acls */
901  u32 index = vec_search(pal->applied_acls, acl_index);
902  if (index == ~0) {
903  clib_warning("BUG: trying to unapply unapplied acl_index %d on lc_index %d, according to lc",
904  acl_index, lc_index);
905  return;
906  }
907  vec_del1(pal->applied_acls, index);
908 
909  u32 index2 = vec_search((*hash_acl_applied_lc_index), lc_index);
910  if (index2 == ~0) {
911  clib_warning("BUG: trying to unapply twice acl_index %d on lc_index %d, according to h-acl info",
912  acl_index, lc_index);
913  return;
914  }
915  vec_del1((*hash_acl_applied_lc_index), index2);
916 
917  applied_hash_ace_entry_t **applied_hash_aces = get_applied_hash_aces(am, lc_index);
918 
919  for(i=0; i < vec_len((*applied_hash_aces)); i++) {
920  if (vec_elt_at_index(*applied_hash_aces,i)->acl_index == acl_index) {
921  DBG("Found applied ACL#%d at applied index %d", acl_index, i);
922  break;
923  }
924  }
925  if (vec_len((*applied_hash_aces)) <= i) {
926  DBG("Did not find applied ACL#%d at lc_index %d", acl_index, lc_index);
927  /* we went all the way without finding any entries. Probably a list was empty. */
928  return;
929  }
930 
931  void *oldheap = hash_acl_set_heap(am);
932  int base_offset = i;
933  int tail_offset = base_offset + vec_len(ha->rules);
934  int tail_len = vec_len((*applied_hash_aces)) - tail_offset;
935  DBG("base_offset: %d, tail_offset: %d, tail_len: %d", base_offset, tail_offset, tail_len);
936 
937  for(i=0; i < vec_len(ha->rules); i ++) {
939  applied_hash_aces, base_offset + i);
940  }
941  for(i=0; i < tail_len; i ++) {
942  /* move the entry at tail offset to base offset */
943  /* that is, from (tail_offset+i) -> (base_offset+i) */
944  DBG0("UNAPPLY MOVE: lc_index %d, applied index %d -> %d", lc_index, tail_offset+i, base_offset + i);
945  move_applied_ace_hash_entry(am, lc_index, applied_hash_aces, tail_offset + i, base_offset + i);
946  }
947  /* trim the end of the vector */
948  _vec_len((*applied_hash_aces)) -= vec_len(ha->rules);
949 
950  remake_hash_applied_mask_info_vec(am, applied_hash_aces, lc_index);
951 
952  if (vec_len((*applied_hash_aces)) == 0) {
953  vec_free((*applied_hash_aces));
954  }
955 
956  clib_mem_set_heap (oldheap);
957 }
958 
959 /*
960  * Create the applied ACEs and update the hash table,
961  * taking into account that the ACL may not be the last
962  * in the vector of applied ACLs.
963  *
964  * For now, walk from the end of the vector and unapply the ACLs,
965  * then apply the one in question and reapply the rest.
966  */
967 
968 void
970 {
972  u32 **applied_acls = &acontext->acl_indices;
973  int i;
974  int start_index = vec_search((*applied_acls), acl_index);
975 
976  DBG0("Start index for acl %d in lc_index %d is %d", acl_index, lc_index, start_index);
977  /*
978  * This function is called after we find out the lc_index where ACL is applied.
979  * If the by-lc_index vector does not have the ACL#, then it's a bug.
980  */
981  ASSERT(start_index < vec_len(*applied_acls));
982 
983  /* unapply all the ACLs at the tail side, up to the current one */
984  for(i = vec_len(*applied_acls) - 1; i > start_index; i--) {
985  hash_acl_unapply(am, lc_index, *vec_elt_at_index(*applied_acls, i));
986  }
987  for(i = start_index; i < vec_len(*applied_acls); i++) {
988  hash_acl_apply(am, lc_index, *vec_elt_at_index(*applied_acls, i), i);
989  }
990 }
991 
992 static void
993 make_ip6_address_mask(ip6_address_t *addr, u8 prefix_len)
994 {
995  ip6_address_mask_from_width(addr, prefix_len);
996 }
997 
998 
999 /* Maybe should be moved into the core somewhere */
1000 always_inline void
1002 {
1003  int i, byte, bit, bitnum;
1004  ASSERT (width <= 32);
1005  clib_memset (a, 0, sizeof (a[0]));
1006  for (i = 0; i < width; i++)
1007  {
1008  bitnum = (7 - (i & 7));
1009  byte = i / 8;
1010  bit = 1 << bitnum;
1011  a->as_u8[byte] |= bit;
1012  }
1013 }
1014 
1015 
1016 static void
1018 {
1019  ip4_address_mask_from_width(addr, prefix_len);
1020 }
1021 
1022 static void
1023 make_port_mask(u16 *portmask, u16 port_first, u16 port_last)
1024 {
1025  if (port_first == port_last) {
1026  *portmask = 0xffff;
1027  /* single port is representable by masked value */
1028  return;
1029  }
1030 
1031  *portmask = 0;
1032  return;
1033 }
1034 
1035 static void
1037 {
1038  clib_memset(mask, 0, sizeof(*mask));
1039  clib_memset(&hi->match, 0, sizeof(hi->match));
1040  hi->action = r->is_permit;
1041 
1042  /* we will need to be matching based on lc_index and mask_type_index when applied */
1043  mask->pkt.lc_index = ~0;
1044  /* we will assign the match of mask_type_index later when we find it*/
1045  mask->pkt.mask_type_index_lsb = ~0;
1046 
1047  mask->pkt.is_ip6 = 1;
1048  hi->match.pkt.is_ip6 = r->is_ipv6;
1049  if (r->is_ipv6) {
1051  hi->match.ip6_addr[0] = r->src.ip6;
1053  hi->match.ip6_addr[1] = r->dst.ip6;
1054  } else {
1055  clib_memset(hi->match.l3_zero_pad, 0, sizeof(hi->match.l3_zero_pad));
1057  hi->match.ip4_addr[0] = r->src.ip4;
1059  hi->match.ip4_addr[1] = r->dst.ip4;
1060  }
1061 
1062  if (r->proto != 0) {
1063  mask->l4.proto = ~0; /* L4 proto needs to be matched */
1064  hi->match.l4.proto = r->proto;
1065 
1066  /* Calculate the src/dst port masks and make the src/dst port matches accordingly */
1068  hi->match.l4.port[0] = r->src_port_or_type_first & mask->l4.port[0];
1069 
1071  hi->match.l4.port[1] = r->dst_port_or_code_first & mask->l4.port[1];
1072  /* L4 info must be valid in order to match */
1073  mask->pkt.l4_valid = 1;
1074  hi->match.pkt.l4_valid = 1;
1075  /* And we must set the mask to check that it is an initial fragment */
1076  mask->pkt.is_nonfirst_fragment = 1;
1077  hi->match.pkt.is_nonfirst_fragment = 0;
1078  if ((r->proto == IPPROTO_TCP) && (r->tcp_flags_mask != 0)) {
1079  /* if we want to match on TCP flags, they must be masked off as well */
1080  mask->pkt.tcp_flags = r->tcp_flags_mask;
1082  /* and the flags need to be present within the packet being matched */
1083  mask->pkt.tcp_flags_valid = 1;
1084  hi->match.pkt.tcp_flags_valid = 1;
1085  }
1086  }
1087  /* Sanitize the mask and the match */
1088  u64 *pmask = (u64 *)mask;
1089  u64 *pmatch = (u64 *)&hi->match;
1090  int j;
1091  for(j=0; j<6; j++) {
1092  pmatch[j] = pmatch[j] & pmask[j];
1093  }
1094 }
1095 
1096 
1098 {
1099  if (acl_index >= vec_len(am->hash_acl_infos))
1100  return 0;
1101 
1102  hash_acl_info_t *ha = vec_elt_at_index(am->hash_acl_infos, acl_index);
1103  return ha->hash_acl_exists;
1104 }
1105 
1107 {
1108  void *oldheap = hash_acl_set_heap(am);
1109  DBG("HASH ACL add : %d", acl_index);
1110  int i;
1111  acl_rule_t *acl_rules = am->acls[acl_index].rules;
1112  vec_validate(am->hash_acl_infos, acl_index);
1113  hash_acl_info_t *ha = vec_elt_at_index(am->hash_acl_infos, acl_index);
1114  clib_memset(ha, 0, sizeof(*ha));
1115  ha->hash_acl_exists = 1;
1116 
1117  /* walk the newly added ACL entries and ensure that for each of them there
1118  is a mask type, increment a reference count for that mask type */
1119 
1120  /* avoid small requests by preallocating the entire vector before running the additions */
1121  if (vec_len(acl_rules) > 0) {
1122  vec_validate(ha->rules, vec_len(acl_rules)-1);
1123  vec_reset_length(ha->rules);
1124  }
1125 
1126  for(i=0; i < vec_len(acl_rules); i++) {
1127  hash_ace_info_t ace_info;
1128  fa_5tuple_t mask;
1129  clib_memset(&ace_info, 0, sizeof(ace_info));
1130  ace_info.acl_index = acl_index;
1131  ace_info.ace_index = i;
1132 
1133  make_mask_and_match_from_rule(&mask, &acl_rules[i], &ace_info);
1134  mask.pkt.flags_reserved = 0b000;
1135  ace_info.base_mask_type_index = assign_mask_type_index(am, &mask);
1136  /* assign the mask type index for matching itself */
1137  ace_info.match.pkt.mask_type_index_lsb = ace_info.base_mask_type_index;
1138  DBG("ACE: %d mask_type_index: %d", i, ace_info.base_mask_type_index);
1139  vec_add1(ha->rules, ace_info);
1140  }
1141  /*
1142  * if an ACL is applied somewhere, fill the corresponding lookup data structures.
1143  * We need to take care if the ACL is not the last one in the vector of ACLs applied to the interface.
1144  */
1145  if (acl_index < vec_len(am->lc_index_vec_by_acl)) {
1146  u32 *lc_index;
1147  vec_foreach(lc_index, am->lc_index_vec_by_acl[acl_index]) {
1148  hash_acl_reapply(am, *lc_index, acl_index);
1149  }
1150  }
1151  clib_mem_set_heap (oldheap);
1152 }
1153 
1155 {
1156  void *oldheap = hash_acl_set_heap(am);
1157  DBG0("HASH ACL delete : %d", acl_index);
1158  /*
1159  * If the ACL is applied somewhere, remove the references of it (call hash_acl_unapply)
1160  * this is a different behavior from the linear lookup where an empty ACL is "deny all",
1161  *
1162  * However, following vpp-dev discussion the ACL that is referenced elsewhere
1163  * should not be possible to delete, and the change adding this also adds
1164  * the safeguards to that respect, so this is not a problem.
1165  *
1166  * The part to remember is that this routine is called in process of reapplication
1167  * during the acl_add_replace() API call - the old acl ruleset is deleted, then
1168  * the new one is added, without the change in the applied ACLs - so this case
1169  * has to be handled.
1170  */
1171  hash_acl_info_t *ha = vec_elt_at_index(am->hash_acl_infos, acl_index);
1172  u32 *lc_list_copy = 0;
1173  {
1174  u32 *lc_index;
1175  lc_list_copy = vec_dup(ha->lc_index_list);
1176  vec_foreach(lc_index, lc_list_copy) {
1177  hash_acl_unapply(am, *lc_index, acl_index);
1178  }
1179  vec_free(lc_list_copy);
1180  }
1181  vec_free(ha->lc_index_list);
1182 
1183  /* walk the mask types for the ACL about-to-be-deleted, and decrease
1184  * the reference count, possibly freeing up some of them */
1185  int i;
1186  for(i=0; i < vec_len(ha->rules); i++) {
1188  }
1189  ha->hash_acl_exists = 0;
1190  vec_free(ha->rules);
1191  clib_mem_set_heap (oldheap);
1192 }
1193 
1194 
1195 void
1197 {
1198  vlib_cli_output(vm, "\nACL lookup hash table:\n%U\n",
1199  BV (format_bihash), &am->acl_lookup_hash, verbose);
1200 }
1201 
1202 void
1204 {
1205  acl_main_t *am = &acl_main;
1206  vlib_main_t *vm = am->vlib_main;
1207  ace_mask_type_entry_t *mte;
1208 
1209  vlib_cli_output (vm, "Mask-type entries:");
1210  /* *INDENT-OFF* */
1212  ({
1213  vlib_cli_output(vm, " %3d: %016llx %016llx %016llx %016llx %016llx %016llx refcount %d",
1214  mte - am->ace_mask_type_pool,
1215  mte->mask.kv_40_8.key[0], mte->mask.kv_40_8.key[1], mte->mask.kv_40_8.key[2],
1216  mte->mask.kv_40_8.key[3], mte->mask.kv_40_8.key[4], mte->mask.kv_40_8.value, mte->refcount);
1217  }));
1218  /* *INDENT-ON* */
1219 }
1220 
1221 void
1223 {
1224  acl_main_t *am = &acl_main;
1225  vlib_main_t *vm = am->vlib_main;
1226  u32 i, j;
1227  u64 *m;
1228  vlib_cli_output (vm, "Mask-ready ACL representations\n");
1229  for (i = 0; i < vec_len (am->hash_acl_infos); i++)
1230  {
1231  if ((acl_index != ~0) && (acl_index != i))
1232  {
1233  continue;
1234  }
1235  hash_acl_info_t *ha = &am->hash_acl_infos[i];
1236  vlib_cli_output (vm, "acl-index %u bitmask-ready layout\n", i);
1237  vlib_cli_output (vm, " applied lc_index list: %U\n",
1238  format_vec32, ha->lc_index_list, "%d");
1239  for (j = 0; j < vec_len (ha->rules); j++)
1240  {
1241  hash_ace_info_t *pa = &ha->rules[j];
1242  m = (u64 *) & pa->match;
1243  vlib_cli_output (vm,
1244  " %4d: %016llx %016llx %016llx %016llx %016llx %016llx base mask index %d acl %d rule %d action %d\n",
1245  j, m[0], m[1], m[2], m[3], m[4], m[5],
1247  pa->action);
1248  }
1249  }
1250 }
1251 
1252 static void
1254  vlib_cli_output(vm,
1255  " %4d: acl %d ace %d acl pos %d pae index: %d",
1256  j, cr->acl_index, cr->ace_index, cr->acl_position, cr->applied_entry_index);
1257 }
1258 
1259 static void
1261 {
1262  vlib_cli_output (vm,
1263  " %4d: acl %d rule %d action %d bitmask-ready rule %d mask type index: %d colliding_rules: %d collision_head_ae_idx %d hitcount %lld acl_pos: %d",
1264  j, pae->acl_index, pae->ace_index, pae->action,
1266  pae->hitcount, pae->acl_position);
1267  int jj;
1268  for(jj=0; jj<vec_len(pae->colliding_rules); jj++)
1270 }
1271 
1272 static void
1274 {
1275  vlib_cli_output (vm,
1276  " %4d: mask type index %d first rule index %d num_entries %d max_collisions %d",
1278 }
1279 
1280 void
1282 {
1283  acl_main_t *am = &acl_main;
1284  vlib_main_t *vm = am->vlib_main;
1285  u32 lci, j;
1286  vlib_cli_output (vm, "Applied lookup entries for lookup contexts");
1287 
1288  for (lci = 0;
1289  (lci < vec_len(am->applied_hash_acl_info_by_lc_index)); lci++)
1290  {
1291  if ((lc_index != ~0) && (lc_index != lci))
1292  {
1293  continue;
1294  }
1295  vlib_cli_output (vm, "lc_index %d:", lci);
1297  {
1300  vlib_cli_output (vm, " applied acls: %U", format_vec32,
1301  pal->applied_acls, "%d");
1302  }
1304  {
1305  vlib_cli_output (vm, " applied mask info entries:");
1306  for (j = 0;
1308  j++)
1309  {
1312  [lci][j]);
1313  }
1314  }
1315  if (lci < vec_len (am->hash_entry_vec_by_lc_index))
1316  {
1317  vlib_cli_output (vm, " lookup applied entries:");
1318  for (j = 0;
1319  j < vec_len (am->hash_entry_vec_by_lc_index[lci]);
1320  j++)
1321  {
1322  acl_plugin_print_pae (vm, j,
1324  [lci][j]);
1325  }
1326  }
1327  }
1328 }
1329 
1330 void
1331 acl_plugin_show_tables_bihash (u32 show_bihash_verbose)
1332 {
1333  acl_main_t *am = &acl_main;
1334  vlib_main_t *vm = am->vlib_main;
1335  show_hash_acl_hash (vm, am, show_bihash_verbose);
1336 }
1337 
1338 /*
1339  * Split of the partition needs to happen when the collision count
1340  * goes over a specified threshold.
1341  *
1342  * This is a signal that we ignored too many bits in
1343  * mT and we need to split the table into two tables. We select
1344  * all of the colliding rules L and find their maximum common
1345  * tuple mL. Normally mL is specific enough to hash L with few
1346  * or no collisions. We then create a new table T2 with tuple mL
1347  * and transfer all compatible rules from T to T2. If mL is not
1348  * specific enough, we find the field with the biggest difference
1349  * between the minimum and maximum tuple lengths for all of
1350  * the rules in L and set that field to be the average of those two
1351  * values. We then transfer all compatible rules as before. This
1352  * guarantees that some rules from L will move and that T2 will
1353  * have a smaller number of collisions than T did.
1354  */
1355 
1356 
1357 static void
1358 ensure_ip6_min_addr (ip6_address_t * min_addr, ip6_address_t * mask_addr)
1359 {
1360  int update =
1361  (clib_net_to_host_u64 (mask_addr->as_u64[0]) <
1362  clib_net_to_host_u64 (min_addr->as_u64[0]))
1363  ||
1364  ((clib_net_to_host_u64 (mask_addr->as_u64[0]) ==
1365  clib_net_to_host_u64 (min_addr->as_u64[0]))
1366  && (clib_net_to_host_u64 (mask_addr->as_u64[1]) <
1367  clib_net_to_host_u64 (min_addr->as_u64[1])));
1368  if (update)
1369  {
1370  min_addr->as_u64[0] = mask_addr->as_u64[0];
1371  min_addr->as_u64[1] = mask_addr->as_u64[1];
1372  }
1373 }
1374 
1375 static void
1376 ensure_ip6_max_addr (ip6_address_t * max_addr, ip6_address_t * mask_addr)
1377 {
1378  int update =
1379  (clib_net_to_host_u64 (mask_addr->as_u64[0]) >
1380  clib_net_to_host_u64 (max_addr->as_u64[0]))
1381  ||
1382  ((clib_net_to_host_u64 (mask_addr->as_u64[0]) ==
1383  clib_net_to_host_u64 (max_addr->as_u64[0]))
1384  && (clib_net_to_host_u64 (mask_addr->as_u64[1]) >
1385  clib_net_to_host_u64 (max_addr->as_u64[1])));
1386  if (update)
1387  {
1388  max_addr->as_u64[0] = mask_addr->as_u64[0];
1389  max_addr->as_u64[1] = mask_addr->as_u64[1];
1390  }
1391 }
1392 
1393 static void
1395 {
1396  int update =
1397  (clib_net_to_host_u32 (mask_addr->as_u32) <
1398  clib_net_to_host_u32 (min_addr->as_u32));
1399  if (update)
1400  min_addr->as_u32 = mask_addr->as_u32;
1401 }
1402 
1403 static void
1405 {
1406  int update =
1407  (clib_net_to_host_u32 (mask_addr->as_u32) >
1408  clib_net_to_host_u32 (max_addr->as_u32));
1409  if (update)
1410  max_addr->as_u32 = mask_addr->as_u32;
1411 }
1412 
1413 enum {
1419 };
1420 
1421 
1422 
1423 static void
1424 split_partition(acl_main_t *am, u32 first_index,
1425  u32 lc_index, int is_ip6){
1426  DBG( "TM-split_partition - first_entry:%d", first_index);
1427  applied_hash_ace_entry_t **applied_hash_aces = get_applied_hash_aces(am, lc_index);
1428  ace_mask_type_entry_t *mte;
1429  fa_5tuple_t the_min_tuple, *min_tuple = &the_min_tuple;
1430  fa_5tuple_t the_max_tuple, *max_tuple = &the_max_tuple;
1431  applied_hash_ace_entry_t *pae = vec_elt_at_index((*applied_hash_aces), first_index);
1433  hash_ace_info_t *ace_info;
1434  u32 coll_mask_type_index = pae->mask_type_index;
1435  clib_memset(&the_min_tuple, 0, sizeof(the_min_tuple));
1436  clib_memset(&the_max_tuple, 0, sizeof(the_max_tuple));
1437 
1438  int i=0;
1439  collision_match_rule_t *colliding_rules = pae->colliding_rules;
1440  u64 collisions = vec_len(pae->colliding_rules);
1441  for(i=0; i<collisions; i++){
1442  /* reload the hash acl info as it might be a different ACL# */
1443  pae = vec_elt_at_index((*applied_hash_aces), colliding_rules[i].applied_entry_index);
1444  ha = vec_elt_at_index(am->hash_acl_infos, pae->acl_index);
1445 
1446  DBG( "TM-collision: base_ace:%d (ace_mask:%d, first_collision_mask:%d)",
1447  pae->ace_index, pae->mask_type_index, coll_mask_type_index);
1448 
1449  ace_info = vec_elt_at_index(ha->rules, pae->hash_ace_info_index);
1451  fa_5tuple_t *mask = &mte->mask;
1452 
1453  if(pae->mask_type_index != coll_mask_type_index) continue;
1454  /* Computing min_mask and max_mask for colliding rules */
1455  if(i==0){
1456  clib_memcpy_fast(min_tuple, mask, sizeof(fa_5tuple_t));
1457  clib_memcpy_fast(max_tuple, mask, sizeof(fa_5tuple_t));
1458  }else{
1459  int j;
1460  for(j=0; j<2; j++){
1461  if (is_ip6)
1462  ensure_ip6_min_addr(&min_tuple->ip6_addr[j], &mask->ip6_addr[j]);
1463  else
1464  ensure_ip4_min_addr(&min_tuple->ip4_addr[j], &mask->ip4_addr[j]);
1465 
1466  if ((mask->l4.port[j] < min_tuple->l4.port[j]))
1467  min_tuple->l4.port[j] = mask->l4.port[j];
1468  }
1469 
1470  if ((mask->l4.proto < min_tuple->l4.proto))
1471  min_tuple->l4.proto = mask->l4.proto;
1472 
1473  if(mask->pkt.as_u64 < min_tuple->pkt.as_u64)
1474  min_tuple->pkt.as_u64 = mask->pkt.as_u64;
1475 
1476 
1477  for(j=0; j<2; j++){
1478  if (is_ip6)
1479  ensure_ip6_max_addr(&max_tuple->ip6_addr[j], &mask->ip6_addr[j]);
1480  else
1481  ensure_ip4_max_addr(&max_tuple->ip4_addr[j], &mask->ip4_addr[j]);
1482 
1483  if ((mask->l4.port[j] > max_tuple->l4.port[j]))
1484  max_tuple->l4.port[j] = mask->l4.port[j];
1485  }
1486 
1487  if ((mask->l4.proto < max_tuple->l4.proto))
1488  max_tuple->l4.proto = mask->l4.proto;
1489 
1490  if(mask->pkt.as_u64 > max_tuple->pkt.as_u64)
1491  max_tuple->pkt.as_u64 = mask->pkt.as_u64;
1492  }
1493  }
1494 
1495  /* Computing field with max difference between (min/max)_mask */
1496  int best_dim=-1, best_delta=0, delta=0;
1497 
1498  /* SRC_addr dimension */
1499  if (is_ip6) {
1500  int i;
1501  for(i=0; i<2; i++){
1502  delta += count_bits(max_tuple->ip6_addr[0].as_u64[i]) - count_bits(min_tuple->ip6_addr[0].as_u64[i]);
1503  }
1504  } else {
1505  delta += count_bits(max_tuple->ip4_addr[0].as_u32) - count_bits(min_tuple->ip4_addr[0].as_u32);
1506  }
1507  if(delta > best_delta){
1508  best_delta = delta;
1509  best_dim = DIM_SRC_ADDR;
1510  }
1511 
1512  /* DST_addr dimension */
1513  delta = 0;
1514  if (is_ip6) {
1515  int i;
1516  for(i=0; i<2; i++){
1517  delta += count_bits(max_tuple->ip6_addr[1].as_u64[i]) - count_bits(min_tuple->ip6_addr[1].as_u64[i]);
1518  }
1519  } else {
1520  delta += count_bits(max_tuple->ip4_addr[1].as_u32) - count_bits(min_tuple->ip4_addr[1].as_u32);
1521  }
1522  if(delta > best_delta){
1523  best_delta = delta;
1524  best_dim = DIM_DST_ADDR;
1525  }
1526 
1527  /* SRC_port dimension */
1528  delta = count_bits(max_tuple->l4.port[0]) - count_bits(min_tuple->l4.port[0]);
1529  if(delta > best_delta){
1530  best_delta = delta;
1531  best_dim = DIM_SRC_PORT;
1532  }
1533 
1534  /* DST_port dimension */
1535  delta = count_bits(max_tuple->l4.port[1]) - count_bits(min_tuple->l4.port[1]);
1536  if(delta > best_delta){
1537  best_delta = delta;
1538  best_dim = DIM_DST_PORT;
1539  }
1540 
1541  /* Proto dimension */
1542  delta = count_bits(max_tuple->l4.proto) - count_bits(min_tuple->l4.proto);
1543  if(delta > best_delta){
1544  best_delta = delta;
1545  best_dim = DIM_PROTO;
1546  }
1547 
1548  int shifting = 0; //, ipv4_block = 0;
1549  switch(best_dim){
1550  case DIM_SRC_ADDR:
1551  shifting = (best_delta)/2; // FIXME IPV4-only
1552  // ipv4_block = count_bits(max_tuple->ip4_addr[0].as_u32);
1553  min_tuple->ip4_addr[0].as_u32 =
1554  clib_host_to_net_u32((clib_net_to_host_u32(max_tuple->ip4_addr[0].as_u32) << (shifting))&0xFFFFFFFF);
1555 
1556  break;
1557  case DIM_DST_ADDR:
1558  shifting = (best_delta)/2;
1559 /*
1560  ipv4_block = count_bits(max_tuple->addr[1].as_u64[1]);
1561  if(ipv4_block > shifting)
1562  min_tuple->addr[1].as_u64[1] =
1563  clib_host_to_net_u64((clib_net_to_host_u64(max_tuple->addr[1].as_u64[1]) << (shifting))&0xFFFFFFFF);
1564  else{
1565  shifting = shifting - ipv4_block;
1566  min_tuple->addr[1].as_u64[1] = 0;
1567  min_tuple->addr[1].as_u64[0] =
1568  clib_host_to_net_u64((clib_net_to_host_u64(max_tuple->addr[1].as_u64[0]) << (shifting))&0xFFFFFFFF);
1569  }
1570 */
1571  min_tuple->ip4_addr[1].as_u32 =
1572  clib_host_to_net_u32((clib_net_to_host_u32(max_tuple->ip4_addr[1].as_u32) << (shifting))&0xFFFFFFFF);
1573 
1574  break;
1575  case DIM_SRC_PORT: min_tuple->l4.port[0] = max_tuple->l4.port[0] << (best_delta)/2;
1576  break;
1577  case DIM_DST_PORT: min_tuple->l4.port[1] = max_tuple->l4.port[1] << (best_delta)/2;
1578  break;
1579  case DIM_PROTO: min_tuple->l4.proto = max_tuple->l4.proto << (best_delta)/2;
1580  break;
1581  default: relax_tuple(min_tuple, is_ip6, 1);
1582  break;
1583  }
1584 
1585  min_tuple->pkt.is_nonfirst_fragment = 0;
1586  u32 new_mask_type_index = assign_mask_type_index(am, min_tuple);
1587 
1588  hash_applied_mask_info_t **hash_applied_mask_info_vec = vec_elt_at_index(am->hash_applied_mask_info_vec_by_lc_index, lc_index);
1589 
1590  hash_applied_mask_info_t *minfo;
1591  //search in order pool if mask_type_index is already there
1592  int search;
1593  for (search=0; search < vec_len((*hash_applied_mask_info_vec)); search++){
1594  minfo = vec_elt_at_index((*hash_applied_mask_info_vec), search);
1595  if(minfo->mask_type_index == new_mask_type_index)
1596  break;
1597  }
1598 
1599  vec_validate((*hash_applied_mask_info_vec), search);
1600  minfo = vec_elt_at_index((*hash_applied_mask_info_vec), search);
1601  minfo->mask_type_index = new_mask_type_index;
1602  minfo->num_entries = 0;
1603  minfo->max_collisions = 0;
1604  minfo->first_rule_index = ~0;
1605 
1606  DBG( "TM-split_partition - mask type index-assigned!! -> %d", new_mask_type_index);
1607 
1608  if(coll_mask_type_index == new_mask_type_index){
1609  //vlib_cli_output(vm, "TM-There are collisions over threshold, but i'm not able to split! %d %d", coll_mask_type_index, new_mask_type_index);
1610  return;
1611  }
1612 
1613 
1614  /* populate new partition */
1615  DBG( "TM-Populate new partition");
1616  u32 r_ace_index = first_index;
1617  int repopulate_count = 0;
1618 
1619  collision_match_rule_t *temp_colliding_rules = vec_dup(colliding_rules);
1620  collisions = vec_len(temp_colliding_rules);
1621 
1622  for(i=0; i<collisions; i++){
1623 
1624  r_ace_index = temp_colliding_rules[i].applied_entry_index;
1625 
1626  applied_hash_ace_entry_t *pop_pae = vec_elt_at_index((*applied_hash_aces), r_ace_index);
1627  ha = vec_elt_at_index(am->hash_acl_infos, pop_pae->acl_index);
1628  DBG( "TM-Population-collision: base_ace:%d (ace_mask:%d, first_collision_mask:%d)",
1629  pop_pae->ace_index, pop_pae->mask_type_index, coll_mask_type_index);
1630 
1631  ASSERT(pop_pae->mask_type_index == coll_mask_type_index);
1632 
1633  ace_info = vec_elt_at_index(ha->rules, pop_pae->hash_ace_info_index);
1635  //can insert rule?
1636  //mte = vec_elt_at_index(am->ace_mask_type_pool, pop_pae->mask_type_index);
1637  fa_5tuple_t *pop_mask = &mte->mask;
1638 
1639  if(!first_mask_contains_second_mask(is_ip6, min_tuple, pop_mask)) continue;
1640  DBG( "TM-new partition can insert -> applied_ace:%d", r_ace_index);
1641 
1642  //delete and insert in new format
1643  deactivate_applied_ace_hash_entry(am, lc_index, applied_hash_aces, r_ace_index);
1644 
1645  /* insert the new entry */
1646  pop_pae->mask_type_index = new_mask_type_index;
1647  /* The very first repopulation gets the lock by virtue of a new mask being created above */
1648  if (++repopulate_count > 1)
1649  lock_mask_type_index(am, new_mask_type_index);
1650 
1651  activate_applied_ace_hash_entry(am, lc_index, applied_hash_aces, r_ace_index);
1652 
1653  }
1654  vec_free(temp_colliding_rules);
1655 
1656  DBG( "TM-Populate new partition-END");
1657  DBG( "TM-split_partition - END");
1658 
1659 }
static void move_applied_ace_hash_entry(acl_main_t *am, u32 lc_index, applied_hash_ace_entry_t **applied_hash_aces, u32 old_index, u32 new_index)
Definition: hash_lookup.c:779
acl_rule_t * rules
Definition: acl.h:84
#define vec_validate(V, I)
Make sure vector is long enough for given index (no header, unspecified alignment) ...
Definition: vec.h:509
static void ensure_ip4_max_addr(ip4_address_t *max_addr, ip4_address_t *mask_addr)
Definition: hash_lookup.c:1404
static void deactivate_applied_ace_hash_entry(acl_main_t *am, u32 lc_index, applied_hash_ace_entry_t **applied_hash_aces, u32 old_index)
Definition: hash_lookup.c:834
u32 acl_index
Definition: abf.api:60
u8 is_ipv6
Definition: types.h:24
fa_5tuple_t mask
Definition: acl.h:112
void acl_plugin_show_tables_mask_type(void)
Definition: hash_lookup.c:1203
static void ensure_ip6_min_addr(ip6_address_t *min_addr, ip6_address_t *mask_addr)
Definition: hash_lookup.c:1358
Definition: acl.h:108
a
Definition: bitmap.h:538
u32 acl_index
static void * hash_acl_set_heap(acl_main_t *am)
Definition: hash_lookup.c:590
fa_session_l4_key_t l4
Definition: fa_node.h:81
fa_packet_info_t pkt
Definition: fa_node.h:83
void hash_acl_unapply(acl_main_t *am, u32 lc_index, int acl_index)
Definition: hash_lookup.c:882
void acl_plugin_hash_acl_set_trace_heap(int on)
Definition: hash_lookup.c:622
void acl_plugin_show_tables_applied_info(u32 lc_index)
Definition: hash_lookup.c:1281
void hash_acl_reapply(acl_main_t *am, u32 lc_index, int acl_index)
Definition: hash_lookup.c:969
#define clib_error(format, args...)
Definition: error.h:62
unsigned long u64
Definition: types.h:89
#define clib_memcpy_fast(a, b, c)
Definition: string.h:81
clib_memset(h->entries, 0, sizeof(h->entries[0]) *entries)
u8 dst_prefixlen
Definition: types.h:28
u8 action
u32 hash_ace_info_index
static void add_colliding_rule(acl_main_t *am, applied_hash_ace_entry_t **applied_hash_aces, u32 head_index, u32 applied_entry_index)
Definition: hash_lookup.c:525
#define vec_add1(V, E)
Add 1 element to end of vector (unspecified alignment).
Definition: vec.h:592
static u32 activate_applied_ace_hash_entry(acl_main_t *am, u32 lc_index, applied_hash_ace_entry_t **applied_hash_aces, u32 new_index)
Definition: hash_lookup.c:551
u16 mask
Definition: flow_types.api:52
vhost_vring_addr_t addr
Definition: vhost_user.h:111
unsigned char u8
Definition: types.h:56
#define vec_reset_length(v)
Reset vector length to zero NULL-pointer tolerant.
static u32 find_head_applied_ace_index(applied_hash_ace_entry_t **applied_hash_aces, u32 curr_index)
Definition: hash_lookup.c:759
void hash_acl_add(acl_main_t *am, int acl_index)
Definition: hash_lookup.c:1106
u32 ** lc_index_vec_by_acl
Definition: acl.h:170
static void ensure_ip6_max_addr(ip6_address_t *max_addr, ip6_address_t *mask_addr)
Definition: hash_lookup.c:1376
u16 dst_port_or_code_last
Definition: types.h:33
u8 src_prefixlen
Definition: types.h:26
static void make_port_mask(u16 *portmask, u16 port_first, u16 port_last)
Definition: hash_lookup.c:1023
u32 acl_position
#define ACL_HASH_LOOKUP_DEBUG
#define pool_foreach(VAR, POOL, BODY)
Iterate through pool.
Definition: pool.h:513
i64 word
Definition: types.h:111
int clib_bihash_add_del(clib_bihash *h, clib_bihash_kv *add_v, int is_add)
Add or delete a (key,value) pair from a bi-hash table.
static void assign_mask_type_index_to_pae(acl_main_t *am, u32 lc_index, int is_ip6, applied_hash_ace_entry_t *pae)
Definition: hash_lookup.c:629
#define vec_new(T, N)
Create new vector of given type and length (unspecified alignment, no header).
Definition: vec.h:350
ip46_address_t src
Definition: types.h:25
u8 * format_memory_size(u8 *s, va_list *va)
Definition: std-formats.c:209
#define vec_elt_at_index(v, i)
Get vector value at index i checking that i is in bounds.
static void lock_mask_type_index(acl_main_t *am, u32 mask_type_index)
Definition: hash_lookup.c:300
u8 is_permit
Definition: types.h:23
#define vec_resize(V, N)
Resize a vector (no header, unspecified alignment) Add N elements to end of given vector V...
Definition: vec.h:281
unsigned int u32
Definition: types.h:88
#define vec_search(v, E)
Search a vector for the index of the entry that matches.
Definition: vec.h:1012
static void release_mask_type_index(acl_main_t *am, u32 mask_type_index)
Definition: hash_lookup.c:310
void hash_acl_apply(acl_main_t *am, u32 lc_index, int acl_index, u32 acl_position)
Definition: hash_lookup.c:664
bool is_ip6
Definition: ip.api:43
static u32 assign_mask_type_index(acl_main_t *am, fa_5tuple_t *mask)
Definition: hash_lookup.c:276
int hash_acl_exists(acl_main_t *am, int acl_index)
Definition: hash_lookup.c:1097
ip46_address_t dst
Definition: types.h:27
static void add_del_hashtable_entry(acl_main_t *am, u32 lc_index, applied_hash_ace_entry_t **applied_hash_aces, u32 index, int is_add)
Definition: hash_lookup.c:412
collision_match_rule_t * colliding_rules
#define pool_elt_at_index(p, i)
Returns pointer to element at given index.
Definition: pool.h:534
u32 l3_zero_pad[6]
Definition: fa_node.h:76
static void ip4_address_mask_from_width(ip4_address_t *a, u32 width)
Definition: hash_lookup.c:1001
u32 mask_type_index
u16 dst_port_or_code_first
Definition: types.h:32
hash_applied_mask_info_t ** hash_applied_mask_info_vec_by_lc_index
Definition: acl.h:198
DLMALLOC_EXPORT void mspace_disable_expand(mspace msp)
unsigned short u16
Definition: types.h:57
hash_acl_info_t * hash_acl_infos
Definition: acl.h:131
#define pool_put(P, E)
Free an object E in pool P.
Definition: pool.h:302
#define vec_dup(V)
Return copy of vector (no header, no alignment)
Definition: vec.h:429
static void make_mask_and_match_from_rule(fa_5tuple_t *mask, acl_rule_t *r, hash_ace_info_t *hi)
Definition: hash_lookup.c:1036
u64 hitcount
hash_ace_info_t * rules
#define always_inline
Definition: ipsec.h:28
#define vec_del1(v, i)
Delete the element at index I.
Definition: vec.h:875
static void check_collision_count_and_maybe_split(acl_main_t *am, u32 lc_index, int is_ip6, u32 first_index)
Definition: hash_lookup.c:654
clib_bihash_48_8_t acl_lookup_hash
Definition: acl.h:132
void show_hash_acl_hash(vlib_main_t *vm, acl_main_t *am, u32 verbose)
Definition: hash_lookup.c:1196
static u32 shift_ip4_if(u32 mask, u32 thresh, int numshifts, u32 else_val)
Definition: hash_lookup.c:165
void acl_plugin_hash_acl_set_validate_heap(int on)
Definition: hash_lookup.c:615
u8 proto
Definition: types.h:29
void clib_bihash_init(clib_bihash *h, char *name, u32 nbuckets, uword memory_size)
initialize a bounded index extensible hash table
u16 src_port_or_type_first
Definition: types.h:30
void acl_plugin_show_tables_bihash(u32 show_bihash_verbose)
Definition: hash_lookup.c:1331
#define pool_get_aligned(P, E, A)
Allocate an object E from a pool P with alignment A.
Definition: pool.h:246
static void vec_del_collision_rule(collision_match_rule_t **pvec, u32 applied_entry_index)
Definition: hash_lookup.c:479
u32 refcount
Definition: acl.h:113
static void split_partition(acl_main_t *am, u32 first_index, u32 lc_index, int is_ip6)
Definition: hash_lookup.c:1424
sll srl srl sll sra u16x4 i
Definition: vector_sse42.h:317
applied_hash_acl_info_t * applied_hash_acl_info_by_lc_index
Definition: acl.h:147
#define vec_free(V)
Free vector&#39;s memory (no header).
Definition: vec.h:380
static void make_ip4_address_mask(ip4_address_t *addr, u8 prefix_len)
Definition: hash_lookup.c:1017
int acl_lookup_hash_initialized
Definition: acl.h:139
static void * clib_mem_set_heap(void *heap)
Definition: mem.h:268
void hash_acl_delete(acl_main_t *am, int acl_index)
Definition: hash_lookup.c:1154
#define clib_warning(format, args...)
Definition: error.h:59
u8 * format_vec32(u8 *s, va_list *va)
Definition: std-formats.c:43
#define DBG(...)
static int count_bits(u64 word)
Definition: hash_lookup.c:71
applied_hash_ace_entry_t ** hash_entry_vec_by_lc_index
Definition: acl.h:146
static u8 first_mask_contains_second_mask(int is_ip6, fa_5tuple_t *mask1, fa_5tuple_t *mask2)
Definition: hash_lookup.c:84
uword hash_lookup_hash_memory
Definition: acl.h:134
int tuple_merge_split_threshold
Definition: acl.h:192
static void relax_ip6_addr(ip6_address_t *ip6_mask, int relax2)
Definition: hash_lookup.c:187
static void acl_plugin_print_colliding_rule(vlib_main_t *vm, int j, collision_match_rule_t *cr)
Definition: hash_lookup.c:1253
u32 hash_lookup_hash_buckets
Definition: acl.h:133
#define ASSERT(truth)
void vlib_cli_output(vlib_main_t *vm, char *fmt,...)
Definition: cli.c:696
static void ensure_ip4_min_addr(ip4_address_t *min_addr, ip4_address_t *mask_addr)
Definition: hash_lookup.c:1394
#define vec_delete(V, N, M)
Delete N elements starting at element M.
Definition: vec.h:854
u8 tcp_flags_valid
Definition: fa_node.h:33
u16 src_port_or_type_last
Definition: types.h:31
void * mheap_alloc_with_lock(void *memory, uword size, int locked)
Definition: mem_dlmalloc.c:507
static void acl_plugin_print_pae(vlib_main_t *vm, int j, applied_hash_ace_entry_t *pae)
Definition: hash_lookup.c:1260
acl_main_t acl_main
Definition: acl.c:42
u32 collision_head_ae_index
static void acl_plugin_print_applied_mask_info(vlib_main_t *vm, int j, hash_applied_mask_info_t *mi)
Definition: hash_lookup.c:1273
#define DBG0(...)
vl_api_ip4_address_t hi
Definition: arp.api:37
static applied_hash_ace_entry_t ** get_applied_hash_aces(acl_main_t *am, u32 lc_index)
Definition: hash_lookup.c:36
ace_mask_type_entry_t * ace_mask_type_pool
Definition: acl.h:195
static u32 find_mask_type_index(acl_main_t *am, fa_5tuple_t *mask)
Definition: hash_lookup.c:262
static void fill_applied_hash_ace_kv(acl_main_t *am, applied_hash_ace_entry_t **applied_hash_aces, u32 lc_index, u32 new_index, clib_bihash_kv_48_8_t *kv)
Definition: hash_lookup.c:380
u8 is_nonfirst_fragment
Definition: fa_node.h:35
acl_lookup_context_t * acl_lookup_contexts
Definition: acl.h:128
uword hash_lookup_mheap_size
Definition: acl.h:138
#define vec_len(v)
Number of elements in vector (rvalue-only, NULL tolerant)
u8 tcp_flags_mask
Definition: types.h:35
static void relax_ip4_addr(ip4_address_t *ip4_mask, int relax2)
Definition: hash_lookup.c:174
int use_tuple_merge
Definition: acl.h:188
u32 index
Definition: flow_types.api:221
static void hashtable_add_del(acl_main_t *am, clib_bihash_kv_48_8_t *kv, int is_add)
Definition: hash_lookup.c:48
static void ip6_address_mask_from_width(ip6_address_t *a, u32 width)
Definition: ip6_packet.h:211
u8 tcp_flags_value
Definition: types.h:34
static u32 tm_assign_mask_type_index(acl_main_t *am, fa_5tuple_t *mask, int is_ip6, u32 lc_index)
Definition: hash_lookup.c:325
#define vec_foreach(var, vec)
Vector iterator.
void * hash_lookup_mheap
Definition: acl.h:137
static void del_colliding_rule(applied_hash_ace_entry_t **applied_hash_aces, u32 head_index, u32 applied_entry_index)
Definition: hash_lookup.c:506
static void relax_tuple(fa_5tuple_t *mask, int is_ip6, int relax2)
Definition: hash_lookup.c:205
ip4_address_t ip4_addr[2]
Definition: fa_node.h:77
u16 mask_type_index_lsb
Definition: fa_node.h:31
static void remake_hash_applied_mask_info_vec(acl_main_t *am, applied_hash_ace_entry_t **applied_hash_aces, u32 lc_index)
Definition: hash_lookup.c:425
static void make_ip6_address_mask(ip6_address_t *addr, u8 prefix_len)
Definition: hash_lookup.c:993
#define CLIB_CACHE_LINE_BYTES
Definition: cache.h:59
static void set_collision_head_ae_index(applied_hash_ace_entry_t **applied_hash_aces, collision_match_rule_t *colliding_rules, u32 new_index)
Definition: hash_lookup.c:769
void acl_plugin_show_tables_acl_hash_info(u32 acl_index)
Definition: hash_lookup.c:1222
acl_list_t * acls
Definition: acl.h:130
u32 ace_index
ip6_address_t ip6_addr[2]
Definition: fa_node.h:79
foreach_fa_cleaner_counter vlib_main_t * vlib_main
Definition: acl.h:303