ACL based forwarding

A poor man's flow switching or policy based rounting.

An ACL is used to match packets and is associated with a [set of] forwarding paths
that determine how to forward matched packets - collectively this association is a
'policy'.
Policies are then 'attached', in a priority order, to an interface when thaey are
encountered as an input feature. If a packet matches no policies it is forwarded
normally in the IP FIB.

This commit is used to test the "ACL-as-a-service" functionality,
which currently compiles, and the existing traffic ACL tests pass in both hash and linear modes.

Change-Id: I0b274ec9f2e645352fa898b43eb54c457e195964
Signed-off-by: Neale Ranns <nranns@cisco.com>
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Signed-off-by: Ole Troan <ot@cisco.com>

src/configure.ac

@@ -218,6 +218,7 @@ AC_SUBST(AR_FLAGS)
 ###############################################################################
 
 # Please keep alphabetical order
+PLUGIN_ENABLED(abf)
 PLUGIN_ENABLED(acl)
 PLUGIN_ENABLED(avf)
 PLUGIN_ENABLED(cdp)

src/plugins/Makefile.am

@@ -30,6 +30,10 @@ nobase_include_HEADERS =
 vppapitestpluginsdir = ${libdir}/vpp_api_test_plugins
 vpppluginsdir = ${libdir}/vpp_plugins
 
+if ENABLE_ABF_PLUGIN
+include abf.am
+endif
+
 if ENABLE_ACL_PLUGIN
 include acl.am
 endif

src/plugins/abf.am

@@ -0,0 +1,28 @@
+# Copyright (c) 2016 Cisco and/or its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+vppplugins_LTLIBRARIES += abf_plugin.la
+
+abf_plugin_la_SOURCES =				\
+	abf/abf_policy.c			\
+	abf/abf_api.c				\
+	abf/abf_itf_attach.c
+
+API_FILES += abf/abf.api
+
+nobase_apiinclude_HEADERS +=			\
+  abf/abf_all_api_h.h				\
+  abf/abf_msg_enum.h				\
+  abf/abf.api.h
+
+# vi:syntax=automake

src/plugins/abf/abf.api

@@ -0,0 +1,131 @@
+/* Hey Emacs use -*- mode: C -*- */
+/*
+ * Copyright (c) 2016 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/** \file
+    This file defines the vpp control-plane API messages
+    used to control the ABF plugin
+*/
+
+option version = "1.0.0";
+import "vnet/fib/fib_types.api";
+
+/** \brief Get the plugin version
+    @param client_index - opaque cookie to identify the sender
+    @param context - sender context, to match reply w/ request
+*/
+define abf_plugin_get_version
+{
+  u32 client_index;
+  u32 context;
+};
+
+/** \brief Reply to get the plugin version
+    @param context - returned sender context, to match reply w/ request
+    @param major - Incremented every time a known breaking behavior change is introduced
+    @param minor - Incremented with small changes, may be used to avoid buggy versions
+*/
+define abf_plugin_get_version_reply
+{
+  u32 context;
+  u32 major;
+  u32 minor;
+};
+
+/** \brief A description of an ABF policy
+    @param policy_id User chosen Identifier for the policy
+    @param acl_index The ACL that the policy will match against
+    @param n_paths Number of paths
+    @param paths The set of forwarding paths that are being added or removed.
+ */
+typeonly define abf_policy
+{
+  u32 policy_id;
+  u32 acl_index;
+  u8 n_paths;
+  vl_api_fib_path_t paths[n_paths];
+};
+
+/** \brief A description of an ABF policy
+    @param is_add Is this the addition or removal of paths from the policy
+           If the policy does not exist it is created. If the last path
+           Is being removed, the policy is deleted
+    @param policy The policy
+ */
+autoreply define abf_policy_add_del
+{
+  u32 client_index;
+  u32 context;
+  u8 is_add;
+  vl_api_abf_policy_t policy;
+};
+
+/** \brief Policy description returned in the dump
+ */
+define abf_policy_details
+{
+  u32 context;
+  vl_api_abf_policy_t policy;
+};
+
+/** \brief Dump all ABF policies
+ */
+define abf_policy_dump
+{
+  u32 client_index;
+  u32 context;
+};
+
+/** \brief A description of a policy attachment to an interface
+    @param The policy ID to attach
+    @param sw_if_index The interface to attach to
+    @param priority The priority of the attachment, w.r.t. to other attachments
+              on this interface. lower value is 'better'
+    @param is_ipv6 Does this attachment apply to IPv6 packets (or IPv4)
+*/
+typeonly define abf_itf_attach
+{
+  u32 policy_id;
+  u32 sw_if_index;
+  u32 priority;
+  u8 is_ipv6;
+};
+
+/** \brief Add or delete a policy attachment to an interface
+ */
+autoreply define abf_itf_attach_add_del
+{
+  u32 client_index;
+  u32 context;
+  u8 is_add;
+  vl_api_abf_itf_attach_t attach;
+};
+
+/** \brief Attachment details from a dump
+ */
+define abf_itf_attach_details
+{
+  u32 context;
+  vl_api_abf_itf_attach_t attach;
+};
+
+/** \brief Dump all the policy attachments
+ */
+define abf_itf_attach_dump
+{
+  u32 client_index;
+  u32 context;
+};
+

src/plugins/abf/abf_all_api_h.h

@@ -0,0 +1,16 @@
+/*
+ * Copyright (c) 2017 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+/* Include the generated file, see BUILT_SOURCES in Makefile.am */
+#include <abf/abf.api.h>

src/plugins/abf/abf_error.def

@@ -0,0 +1,19 @@
+/*
+ * abf_error.def: ABF errors
+ *
+ * Copyright (c) 2012 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+abf_error (NONE, "no match")
+abf_error (MATCHED, "matched")

src/plugins/abf/abf_itf_attach.h

@@ -0,0 +1,104 @@
+/*
+ * Copyright (c) 2017 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef __ABF_ITF_ATTACH_H__
+#define __ABF_ITF_ATTACH_H__
+
+#include <plugins/abf/abf_policy.h>
+#include <vnet/fib/fib_path_list.h>
+
+/**
+ * Attachment data for an ABF policy to an interface
+ */
+typedef struct abf_itf_attach_t_
+{
+  CLIB_CACHE_LINE_ALIGN_MARK (marker);
+  /**
+   * The ACL and DPO are cached for fast DP access
+   */
+  /**
+   * ACL index to match
+   */
+  u32 aia_acl;
+
+  /**
+   * The DPO actually used for forwarding
+   */
+  dpo_id_t aia_dpo;
+
+  /**
+   * Linkage into the FIB graph
+   */
+  fib_node_t aia_node;
+
+  /**
+   * The VPP index of the ABF policy
+   */
+  u32 aia_abf;
+
+  /**
+   * Sibling index on the policy's path list
+   */
+  u32 aia_sibling;
+
+  /**
+   * The protocol for the attachment. i.e. the protocol
+   * of the packets that are being forwarded
+   */
+  fib_protocol_t aia_proto;
+
+  /**
+   * The interface for the attachment
+   */
+  u32 aia_sw_if_index;
+
+  /**
+   * The priority of this policy for attachment.
+   * The lower the value the higher the priority.
+   * The higher priority policies are matched first.
+   */
+  u32 aia_prio;
+} abf_itf_attach_t;
+
+/**
+ * Pool of ABF interface attachment objects
+ */
+extern abf_itf_attach_t *abf_itf_attach_pool;
+
+static inline abf_itf_attach_t *
+abf_itf_attach_get (u32 index)
+{
+  return (pool_elt_at_index (abf_itf_attach_pool, index));
+}
+
+extern int abf_itf_attach (fib_protocol_t fproto,
+			   u32 policy_id, u32 priority, u32 sw_if_index);
+
+extern int abf_itf_detach (fib_protocol_t fproto,
+			   u32 policy_id, u32 sw_if_index);
+
+typedef int (*abf_itf_attach_walk_cb_t) (index_t aii, void *ctx0);
+
+extern void abf_itf_attach_walk (abf_itf_attach_walk_cb_t cb, void *ctx);
+
+/*
+ * fd.io coding-style-patch-verification: ON
+ *
+ * Local Variables:
+ * eval: (c-set-style "gnu")
+ * End:
+ */
+
+#endif

src/plugins/abf/abf_msg_enum.h

@@ -0,0 +1,28 @@
+/*
+ * Copyright (c) 2016 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef included_abf_msg_enum_h
+#define included_abf_msg_enum_h
+
+#include <vppinfra/byte_order.h>
+
+#define vl_msg_id(n,h) n,
+typedef enum {
+#include <abf/abf_all_api_h.h>
+    /* We'll want to know how many messages IDs we need... */
+    VL_MSG_FIRST_AVAILABLE,
+} vl_msg_id_t;
+#undef vl_msg_id
+
+#endif

src/plugins/abf/abf_policy.h

@@ -0,0 +1,118 @@
+/*
+ * Copyright (c) 2017 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef __ABF_H__
+#define __ABF_H__
+
+#include <vnet/fib/fib_node.h>
+
+#define ABF_PLUGIN_VERSION_MAJOR 1
+#define ABF_PLUGIN_VERSION_MINOR 0
+
+/**
+ * An ACL based Forwading 'policy'.
+ * This comprises the ACL index to match against and the forwarding
+ * path to take if the match is successfull.
+ *
+ * ABF policies are then 'attached' to interfaces. An input feature
+ * will run through the list of policies a match will divert the packet,
+ * if all miss then we continues down the interface's feature arc
+ */
+typedef struct abf_policy_t_
+{
+  /**
+   * Linkage into the FIB graph
+   */
+  fib_node_t ap_node;
+
+  /**
+   * ACL index to match
+   */
+  u32 ap_acl;
+
+  /**
+   * The path-list describing how to forward in case of a match
+   */
+  fib_node_index_t ap_pl;
+
+  /**
+   * Sibling index on the path-list
+   */
+  u32 ap_sibling;
+
+  /**
+   * The policy ID - as configured by the client
+   */
+  u32 ap_id;
+} abf_policy_t;
+
+/**
+ * Get an ABF object from its VPP index
+ */
+extern abf_policy_t *abf_policy_get (index_t index);
+
+/**
+ * Find a ABF object from the client's policy ID
+ *
+ * @param policy_id Client's defined policy ID
+ * @return VPP's object index
+ */
+extern index_t abf_policy_find (u32 policy_id);
+
+/**
+ * The FIB node type for ABF policies
+ */
+extern fib_node_type_t abf_policy_fib_node_type;
+
+/**
+ * Create or update an ABF Policy
+ *
+ * @param policy_id User defined Policy ID
+ * @param acl_index The ACL the policy with match on
+ * @param rpaths The set of paths to add to the forwarding set
+ */
+extern void abf_policy_update (u32 policy_id,
+			       u32 acl_index,
+			       const fib_route_path_t * rpaths);
+
+/**
+ * Delete paths from an ABF Policy. If no more paths exist, the policy
+ * is deleted.
+ *
+ * @param policy_id User defined Policy ID
+ * @param rpaths The set of paths to forward remove
+ */
+extern int abf_policy_delete (u32 policy_id, const fib_route_path_t * rpaths);
+
+/**
+ * Callback function invoked during a walk of all policies
+ */
+typedef int (*abf_policy_walk_cb_t) (index_t index, void *ctx);
+
+/**
+ * Walk/visit each of the ABF policies
+ */
+extern void abf_policy_walk (abf_policy_walk_cb_t cb, void *ctx);
+
+
+/*
+ * fd.io coding-style-patch-verification: ON
+ *
+ * Local Variables:
+ * eval: (c-set-style "gnu")
+ * End:
+ */
+
+#endif

src/tools/vppapigen/vppapigen.py

@@ -655,7 +655,7 @@ class VPPAPI(object):
         imported_objs = []
         for o in objs:
             if isinstance(o, Import):
-                return objs + self.process_imports(o.result, True)
+                return self.process_imports(o.result, True) + objs
             if in_import:
                 if isinstance(o, Define) and o.typeonly:
                     imported_objs.append(o)

test/vpp_papi_provider.py

@@ -3532,3 +3532,23 @@ class VppPapiProvider(object):
         """
         return self.api(self.papi.sw_interface_vhost_user_dump,
                         {})
+
+    def abf_policy_add_del(self, is_add, policy):
+        return self.api(
+            self.papi.abf_policy_add_del,
+            {'is_add': is_add,
+             'policy': policy})
+
+    def abf_itf_attach_add_del(self, is_add, attach):
+        return self.api(
+            self.papi.abf_itf_attach_add_del,
+            {'is_add': is_add,
+             'attach': attach})
+
+    def abf_policy_dump(self):
+        return self.api(
+            self.papi.abf_policy_dump, {})
+
+    def abf_itf_attach_dump(self):
+        return self.api(
+            self.papi.abf_itf_attach_dump, {})

test/vpp_udp_encap.py

@@ -1,3 +1,4 @@
+#!/usr/bin/env python
 """
   UDP encap objects
 """