acl-plugin: bihash-based ACL lookup
Add a bihash-based ACL lookup mechanism and make it a new default. This changes the time required to lookup a 5-tuple match from O(total_N_entries) to O(total_N_mask_types), where "mask type" is an overall mask on the 5-tuple required to represent an ACE. For testing/comparison there is a temporary debug CLI "set acl-plugin use-hash-acl-matching {0|1}", which, when set to 0, makes the plugin use the "old" linear lookup, and when set to 1, makes it use the hash-based lookup. Based on the discussions on vpp-dev mailing list, prevent assigning the ACL index to an interface, when the ACL with that index is not defined, also prevent deleting an ACL if that ACL is applied. Also, for the easier debugging of the state, there are new debug CLI commands to see the ACL plugin state at several layers: "show acl-plugin acl [index N]" - show a high-level ACL representation, used for the linear lookup and as a base for building the hashtable-based lookup. Also shows if a given ACL is applied somewhere. "show acl-plugin interface [sw_if_index N]" - show which interfaces have which ACL(s) applied. "show acl-plugin tables" - a lower-level debug command used to see the state of all of the related data structures at once. There are specifiers possible, which make for a more focused and maybe augmented output: "show acl-plugin tables acl [index N]" show the "bitmask-ready" representations of the ACLs, we well as the mask types and their associated indices. "show acl-plutin tables mask" show the derived mask types and their indices only. "show acl-plugin tables applied [sw_if_index N]" show the table of all of the ACEs applied for a given sw_if_index or all interfaces. "show acl-plugin tables hash [verbose N]" show the 48x8 bihash used for the ACL lookup. Change-Id: I89fff051424cb44bcb189e3cee04c1b8f76efc28 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
This commit is contained in:
Andrew Yourtchenko
committed by
Damjan Marion
parent
029f3d2c1c
commit
7f4d577d6b
@ -16,6 +16,7 @@ vppplugins_LTLIBRARIES += acl_plugin.la
|
||||
|
||||
acl_plugin_la_SOURCES = \
|
||||
acl/acl.c \
|
||||
acl/hash_lookup.c \
|
||||
acl/fa_node.c \
|
||||
acl/l2sess.h \
|
||||
acl/manual_fns.h \
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -24,8 +24,10 @@
|
||||
#include <vppinfra/error.h>
|
||||
#include <vppinfra/bitmap.h>
|
||||
#include <vppinfra/elog.h>
|
||||
#include <vppinfra/bihash_48_8.h>
|
||||
#include "bihash_40_8.h"
|
||||
#include "fa_node.h"
|
||||
#include "hash_lookup_types.h"
|
||||
|
||||
#define ACL_PLUGIN_VERSION_MAJOR 1
|
||||
#define ACL_PLUGIN_VERSION_MINOR 3
|
||||
@ -109,17 +111,45 @@ typedef struct
|
||||
u32 l2_table_index;
|
||||
} macip_acl_list_t;
|
||||
|
||||
/*
|
||||
* An element describing a particular configuration fo the mask,
|
||||
* and how many times it has been used.
|
||||
*/
|
||||
typedef struct
|
||||
{
|
||||
fa_5tuple_t mask;
|
||||
u32 refcount;
|
||||
} ace_mask_type_entry_t;
|
||||
|
||||
typedef struct {
|
||||
/* API message ID base */
|
||||
u16 msg_id_base;
|
||||
|
||||
acl_list_t *acls; /* Pool of ACLs */
|
||||
hash_acl_info_t *hash_acl_infos; /* corresponding hash matching housekeeping info */
|
||||
clib_bihash_48_8_t acl_lookup_hash; /* ACL lookup hash table. */
|
||||
int acl_lookup_hash_initialized;
|
||||
applied_hash_ace_entry_t **input_hash_entry_vec_by_sw_if_index;
|
||||
applied_hash_ace_entry_t **output_hash_entry_vec_by_sw_if_index;
|
||||
applied_hash_acl_info_t *input_applied_hash_acl_info_by_sw_if_index;
|
||||
applied_hash_acl_info_t *output_applied_hash_acl_info_by_sw_if_index;
|
||||
|
||||
macip_acl_list_t *macip_acls; /* Pool of MAC-IP ACLs */
|
||||
|
||||
/* ACLs associated with interfaces */
|
||||
u32 **input_acl_vec_by_sw_if_index;
|
||||
u32 **output_acl_vec_by_sw_if_index;
|
||||
|
||||
/* interfaces on which given ACLs are applied */
|
||||
u32 **input_sw_if_index_vec_by_acl;
|
||||
u32 **output_sw_if_index_vec_by_acl;
|
||||
|
||||
/* Do we use hash-based ACL matching or linear */
|
||||
int use_hash_acl_matching;
|
||||
|
||||
/* a pool of all mask types present in all ACEs */
|
||||
ace_mask_type_entry_t *ace_mask_type_pool;
|
||||
|
||||
/*
|
||||
* Classify tables used to grab the packets for the ACL check,
|
||||
* and serving as the 5-tuple session tables at the same time
|
||||
|
@ -26,6 +26,7 @@
|
||||
#include <vppinfra/bihash_template.c>
|
||||
|
||||
#include "fa_node.h"
|
||||
#include "hash_lookup.h"
|
||||
|
||||
typedef struct
|
||||
{
|
||||
@ -136,7 +137,7 @@ fa_acl_match_port (u16 port, u16 port_first, u16 port_last, int is_ip6)
|
||||
}
|
||||
|
||||
int
|
||||
acl_match_5tuple (acl_main_t * am, u32 acl_index, fa_5tuple_t * pkt_5tuple,
|
||||
single_acl_match_5tuple (acl_main_t * am, u32 acl_index, fa_5tuple_t * pkt_5tuple,
|
||||
int is_ip6, u8 * r_action, u32 * r_acl_match_p,
|
||||
u32 * r_rule_match_p, u32 * trace_bitmap)
|
||||
{
|
||||
@ -259,7 +260,7 @@ acl_match_5tuple (acl_main_t * am, u32 acl_index, fa_5tuple_t * pkt_5tuple,
|
||||
}
|
||||
|
||||
static u8
|
||||
full_acl_match_5tuple (u32 sw_if_index, fa_5tuple_t * pkt_5tuple, int is_l2,
|
||||
linear_multi_acl_match_5tuple (u32 sw_if_index, fa_5tuple_t * pkt_5tuple, int is_l2,
|
||||
int is_ip6, int is_input, u32 * acl_match_p,
|
||||
u32 * rule_match_p, u32 * trace_bitmap)
|
||||
{
|
||||
@ -284,7 +285,7 @@ full_acl_match_5tuple (u32 sw_if_index, fa_5tuple_t * pkt_5tuple, int is_l2,
|
||||
clib_warning ("ACL_FA_NODE_DBG: Trying to match ACL: %d",
|
||||
acl_vector[i]);
|
||||
#endif
|
||||
if (acl_match_5tuple
|
||||
if (single_acl_match_5tuple
|
||||
(am, acl_vector[i], pkt_5tuple, is_ip6, &action,
|
||||
acl_match_p, rule_match_p, trace_bitmap))
|
||||
{
|
||||
@ -303,6 +304,21 @@ full_acl_match_5tuple (u32 sw_if_index, fa_5tuple_t * pkt_5tuple, int is_l2,
|
||||
return 0;
|
||||
}
|
||||
|
||||
static u8
|
||||
multi_acl_match_5tuple (u32 sw_if_index, fa_5tuple_t * pkt_5tuple, int is_l2,
|
||||
int is_ip6, int is_input, u32 * acl_match_p,
|
||||
u32 * rule_match_p, u32 * trace_bitmap)
|
||||
{
|
||||
acl_main_t *am = &acl_main;
|
||||
if (am->use_hash_acl_matching) {
|
||||
return hash_multi_acl_match_5tuple(sw_if_index, pkt_5tuple, is_l2, is_ip6,
|
||||
is_input, acl_match_p, rule_match_p, trace_bitmap);
|
||||
} else {
|
||||
return linear_multi_acl_match_5tuple(sw_if_index, pkt_5tuple, is_l2, is_ip6,
|
||||
is_input, acl_match_p, rule_match_p, trace_bitmap);
|
||||
}
|
||||
}
|
||||
|
||||
static int
|
||||
offset_within_packet (vlib_buffer_t * b0, int offset)
|
||||
{
|
||||
@ -973,6 +989,10 @@ acl_fa_node_fn (vlib_main_t * vm,
|
||||
acl_fill_5tuple (am, b0, is_ip6, is_input, is_l2_path, &fa_5tuple);
|
||||
fa_5tuple.l4.lsb_of_sw_if_index = sw_if_index0 & 0xffff;
|
||||
acl_make_5tuple_session_key (is_input, &fa_5tuple, &kv_sess);
|
||||
fa_5tuple.pkt.sw_if_index = sw_if_index0;
|
||||
fa_5tuple.pkt.is_ip6 = is_ip6;
|
||||
fa_5tuple.pkt.is_input = is_input;
|
||||
fa_5tuple.pkt.mask_type_index_lsb = ~0;
|
||||
#ifdef FA_NODE_VERBOSE_DEBUG
|
||||
clib_warning
|
||||
("ACL_FA_NODE_DBG: session 5-tuple %016llx %016llx %016llx %016llx %016llx : %016llx",
|
||||
@ -1039,7 +1059,7 @@ acl_fa_node_fn (vlib_main_t * vm,
|
||||
if (acl_check_needed)
|
||||
{
|
||||
action =
|
||||
full_acl_match_5tuple (sw_if_index0, &fa_5tuple, is_l2_path,
|
||||
multi_acl_match_5tuple (sw_if_index0, &fa_5tuple, is_l2_path,
|
||||
is_ip6, is_input, &match_acl_in_index,
|
||||
&match_rule_index, &trace_bitmap);
|
||||
error0 = action;
|
||||
@ -1590,6 +1610,17 @@ acl_fa_enable_disable (u32 sw_if_index, int is_input, int enable_disable)
|
||||
}
|
||||
}
|
||||
|
||||
void
|
||||
show_fa_sessions_hash(vlib_main_t * vm, u32 verbose)
|
||||
{
|
||||
acl_main_t *am = &acl_main;
|
||||
if (am->fa_sessions_hash_is_initialized) {
|
||||
vlib_cli_output(vm, "\nSession lookup hash table:\n%U\n\n",
|
||||
BV (format_bihash), &am->fa_sessions_hash, verbose);
|
||||
} else {
|
||||
vlib_cli_output(vm, "\nSession lookup hash table is not allocated.\n\n");
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
/* *INDENT-OFF* */
|
||||
|
@ -22,12 +22,15 @@
|
||||
typedef union {
|
||||
u64 as_u64;
|
||||
struct {
|
||||
u32 sw_if_index;
|
||||
u16 mask_type_index_lsb;
|
||||
u8 tcp_flags;
|
||||
u8 tcp_flags_valid:1;
|
||||
u8 is_input:1;
|
||||
u8 l4_valid:1;
|
||||
u8 is_nonfirst_fragment:1;
|
||||
u8 flags_reserved:4;
|
||||
u8 is_ip6:1;
|
||||
u8 flags_reserved:3;
|
||||
};
|
||||
} fa_packet_info_t;
|
||||
|
||||
@ -158,5 +161,7 @@ enum
|
||||
|
||||
void acl_fa_enable_disable(u32 sw_if_index, int is_input, int enable_disable);
|
||||
|
||||
void show_fa_sessions_hash(vlib_main_t * vm, u32 verbose);
|
||||
|
||||
|
||||
#endif
|
||||
|
742
src/plugins/acl/hash_lookup.c
Normal file
742
src/plugins/acl/hash_lookup.c
Normal file
File diff suppressed because it is too large
Load Diff
60
src/plugins/acl/hash_lookup.h
Normal file
60
src/plugins/acl/hash_lookup.h
Normal file
@ -0,0 +1,60 @@
|
||||
/*
|
||||
*------------------------------------------------------------------
|
||||
* Copyright (c) 2017 Cisco and/or its affiliates.
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at:
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*------------------------------------------------------------------
|
||||
*/
|
||||
|
||||
#ifndef _ACL_HASH_LOOKUP_H_
|
||||
#define _ACL_HASH_LOOKUP_H_
|
||||
|
||||
#include <stddef.h>
|
||||
#include "acl.h"
|
||||
|
||||
/*
|
||||
* Do the necessary to logically apply the ACL to the existing vector of ACLs looked up
|
||||
* during the packet processing
|
||||
*/
|
||||
|
||||
void hash_acl_apply(acl_main_t *am, u32 sw_if_index, u8 is_input, int acl_index);
|
||||
|
||||
/* Remove the ACL from the packet processing lookups on a given interface */
|
||||
|
||||
void hash_acl_unapply(acl_main_t *am, u32 sw_if_index, u8 is_input, int acl_index);
|
||||
|
||||
/*
|
||||
* Add an ACL or delete an ACL. ACL may already have been referenced elsewhere,
|
||||
* so potentially we also need to do the work to enable the lookups.
|
||||
*/
|
||||
|
||||
void hash_acl_add(acl_main_t *am, int acl_index);
|
||||
void hash_acl_delete(acl_main_t *am, int acl_index);
|
||||
|
||||
/*
|
||||
* Do the work required to match a given 5-tuple from the packet,
|
||||
* and return the action as well as populate the values pointed
|
||||
* to by the *_match_p pointers and maybe trace_bitmap.
|
||||
*/
|
||||
|
||||
u8
|
||||
hash_multi_acl_match_5tuple (u32 sw_if_index, fa_5tuple_t * pkt_5tuple, int is_l2,
|
||||
int is_ip6, int is_input, u32 * acl_match_p,
|
||||
u32 * rule_match_p, u32 * trace_bitmap);
|
||||
|
||||
|
||||
/*
|
||||
* The debug function to show the contents of the ACL lookup hash
|
||||
*/
|
||||
void show_hash_acl_hash(vlib_main_t * vm, acl_main_t *am, u32 verbose);
|
||||
|
||||
#endif
|
241
src/plugins/acl/hash_lookup.md
Normal file
241
src/plugins/acl/hash_lookup.md
Normal file
@ -0,0 +1,241 @@
|
||||
ACL plugin constant-time lookup design
|
||||
======================================
|
||||
|
||||
The initial implementation of ACL plugin performs a trivial for() cycle,
|
||||
going through the assigned ACLs on a per-packet basis. This is not very
|
||||
efficient, even if for very short ACLs due to its simplicity it can beat
|
||||
more advanced methods.
|
||||
|
||||
However, to cover the case of longer ACLs with acceptable performance,
|
||||
we need to have a better way of matching. This write-up proposes
|
||||
a mechanism to make a lookup from O(M) where M is number of entries
|
||||
to O(N) where N is number of different mask combinations.
|
||||
|
||||
Preparation of ACL(s)
|
||||
---------------------
|
||||
|
||||
The ACL plugin will maintain a global list of "mask types", i.e. the specific
|
||||
configurations of "do not care" bits within the ACEs.
|
||||
Upon the creation of a new ACL, a pass will be made through all the
|
||||
ACEs, to assign and possibly allocate the "mask type number".
|
||||
|
||||
Each ACL has a structure *hash_acl_info_t* representing the "hash-based"
|
||||
parts of information related to that ACL, primarily the array of
|
||||
*hash_ace_info_t* structures - each of the members of that array
|
||||
corresponding to one of the rules (ACEs) in the original ACL,
|
||||
for this they have a pair of *(acl_index, ace_index)* to keep track,
|
||||
predominantly for the debugging.
|
||||
|
||||
Why do we need a whole separate structure, and are not adding new fields
|
||||
to the existing rile structure ? First, encapsulation, to minimize
|
||||
the pollution of the main ACL code with the hash-based lookup artifacts.
|
||||
|
||||
Second, one rule may correspond to more than one "hash-based" ACE.
|
||||
In fact, most of the rules do correspond to two of those. Why ?
|
||||
|
||||
Consider that the current ACL lookup logic is that if a packet
|
||||
is not the initial fragment, and there is an L4 entry acting on the packet,
|
||||
the comparison will be made only on the L4 protocol field value rather
|
||||
than on the protocol and port values. This beaviour is governed by
|
||||
*l4_match_nonfirst_fragment* flag in the *acl_main*, and was needed to
|
||||
maintain the compatibility with the existing software switch implementation.
|
||||
|
||||
While for the sequential check in *single_acl_match_5tuple()*
|
||||
it is very easy to implement by just breaking out at the right moment,
|
||||
in case of hash-based matching this cost us two checks:
|
||||
one on full 5-tuple and the flag *pkt.is_nonfirst_fragment* being zero,
|
||||
the second on 3-tuple and the flag *pkt.is_nonfirst_fragment* being one,
|
||||
with the second check triggered by the *acl_main.l4_match_nonfirst_fragment*
|
||||
setting being the default 1. This dictates the necessity of having a "match"
|
||||
field in a given *hash_ace_info_t* element, which would reflect the value
|
||||
we are supposed to match after applying the mask.
|
||||
|
||||
There can be other circumstances when it might be beneficial to expand
|
||||
the given rule in the original ACL into multiple - for example, as an
|
||||
optimization within the port range handling for small port ranges
|
||||
(this is not done as of the time of writing).
|
||||
|
||||
Assigning ACLs to an interface
|
||||
------------------------------
|
||||
|
||||
Once the ACL list is assigned to an interface, or, rather, a new ACL
|
||||
is added to the list of the existing ACLs applied to the interface,
|
||||
we need to update the bihash accelerating the lookup.
|
||||
|
||||
All the entries for the lookups are stored within a single *48_8* bihash,
|
||||
which captures the 5-tuple from the packet as well as the miscellaneous
|
||||
per-packet information flags, e.g. *l4_valid*, *is_non_first_fragment*,
|
||||
and so on. To facilitate the use of the single bihash by all the interfaces,
|
||||
the *is_ip6*, *is_input*, *sw_if_index* are part of the key,
|
||||
as well as *mask_type_index* - the latter being necessary because
|
||||
there can be entries with the same value but different masks, e.g.:
|
||||
`permit ::/0, permit::/128`.
|
||||
|
||||
At the moment of an ACL being applied to an interface, we need to
|
||||
walk the list of *hash_ace_info_t* entries corresponding to that ACL,
|
||||
and update the bihash with the keys corresponding to the match
|
||||
values in these entries.
|
||||
|
||||
The value of the hash match contains the index into a per-*sw_if_index* vector
|
||||
of *applied_ace_hash_entry_t* elements, as well as a couple of flags:
|
||||
*shadowed* (optimization: if this flag on a matched entry is zero, means
|
||||
we can stop the lookup early and declare a match - see below),
|
||||
and *need_portrange_check* - meaning that what matched was a superset
|
||||
of the actual match, and we need to perform an extra check.
|
||||
|
||||
Also, upon insertion, we must keep in mind there can be
|
||||
multiple *applied_ace_hash_entry_t* for the same key and must keep
|
||||
a list of those. This is necessary to incrementally apply/unapply
|
||||
the ACLs as part of the ACL vector: say, two ACLs have
|
||||
"permit 2001:db8::1/128 any" - we should be able to retain the entry
|
||||
for the second ACL even if we have deleted the first one.
|
||||
Also, in case there are two entries with the same key but
|
||||
different port ranges, say 0..42 and 142..65535 - we need
|
||||
to be able to sequentially match on those if we decide not
|
||||
to expand them into individual port-specific entries.
|
||||
|
||||
Per-packet lookup
|
||||
-----------------
|
||||
|
||||
The simple single-packet lookup is defined in
|
||||
*multi_acl_match_get_applied_ace_index*, which returns the index
|
||||
of the applied hash ACE if there was a match, or ~0 if there wasn't.
|
||||
|
||||
The future optimized per-packet lookup may be batched in three phases:
|
||||
|
||||
1. Prepare the keys in the per-worker vector by doing logical AND of
|
||||
original 5-tuple record with the elements of the mask vector.
|
||||
2. Lookup the keys in the bihash in a batch manner, collecting the
|
||||
result with lowest u64 (acl index within vector, ACE index) from
|
||||
the hash lookup value, and performing the list walk if necessary
|
||||
(for portranges)
|
||||
3. Take the action from the ACL record as defined by (ACL#, ACE#) from the
|
||||
resulting lookup winner, or, if no match found, then perform default deny.
|
||||
|
||||
Shadowed/independent/redundant ACEs
|
||||
------------------------------------
|
||||
|
||||
During the phase of combining multiple ACLs into one rulebase, when they
|
||||
are applied to interface, we also can perform several optimizations.
|
||||
|
||||
If a given ACE is a strict subset of another ACE located up in the linear
|
||||
search order, we can ignore this ACE completely - because by definition
|
||||
it will never match. We will call such an ACE *redundant*. Here is an example:
|
||||
|
||||
```
|
||||
permit 2001:db8:1::/48 2001:db8:2::/48 (B)
|
||||
deny 2001:d8b:1:1::/64 2001:db8:2:1::/64 (A)
|
||||
```
|
||||
|
||||
A bit more formally, we can define this relationship of an ACE A to ACE B as:
|
||||
|
||||
```
|
||||
redundant(aceA, aceB) := (contains(protoB, protoA) && contains(srcB, srcA)
|
||||
&& contains(dstB, dstA) && is_after(A, B))
|
||||
```
|
||||
|
||||
Here as "contains" we define an operation operating on the sets defined by
|
||||
the protocol, (srcIP, srcPortDefinition) and (dstIP, dstPortDefinition)
|
||||
respectively, and returning true if all the elements represented by
|
||||
the second argument are represented by the first argument. The "is_after"
|
||||
is true if A is located below B in the ruleset.
|
||||
|
||||
If a given ACE does not intersect at all with any other ACE
|
||||
in front of it, we can mark it as such.
|
||||
|
||||
Then during the sequence of the lookups the successful hit on this ACE means
|
||||
we do not need to look up other mask combinations - thus potentially
|
||||
significantly speeding up the match process. Here is an example,
|
||||
assuming we have the following ACL:
|
||||
|
||||
```
|
||||
permit 2001:db8:1::/48 2001:db8:2::/48 (B)
|
||||
deny 2001:db8:3::/48 2001:db8:2:1::/64 (A)
|
||||
```
|
||||
|
||||
In this case if we match the second entry, we do not need to check whether
|
||||
we have matched the first one - the source addresses are completely
|
||||
different. We call such an ACE *independent* from another.
|
||||
|
||||
We can define this as
|
||||
|
||||
```
|
||||
independent(aceA, aceB) := (!intersect(protoA, protoB) ||
|
||||
!intersect(srcA, srcB) ||
|
||||
!intersect(dstA, dstB))
|
||||
```
|
||||
|
||||
where intersect is defined as operation returning true if there are
|
||||
elements belonging to the sets of both arguments.
|
||||
|
||||
If the entry A is neither redundant nor independent from B, and is below
|
||||
B in the ruleset, we call such an entry *shadowed* by B, here is an example:
|
||||
|
||||
```
|
||||
deny tcp 2001:db8:1::/48 2001:db8:2::/48 (B)
|
||||
permit 2001:d8b:1:1::/64 2001:db8:2:1::/64 (A)
|
||||
```
|
||||
|
||||
This means the earlier rule "carves out" a subset of A, thus leaving
|
||||
a "shadow". (Evidently, the action needs to be different for the shadow
|
||||
to have an effect, but for for the terminology sake we do not care).
|
||||
|
||||
The more formal definition:
|
||||
|
||||
```
|
||||
shadowed(aceA, aceB) := !redundante(aceA, aceB) &&
|
||||
!independent(aceA, aceB) &&
|
||||
is_after(aceA, aceB)
|
||||
```
|
||||
|
||||
Using this terminology, any ruleset can be represented as
|
||||
a DAG (Directed Acyclic Graph), with the bottom being the implicit
|
||||
"deny any", pointing to the set of rules shadowing it or the ones
|
||||
it is redundant for.
|
||||
|
||||
These rules may in turn be shadowing each other. There is no cycles in
|
||||
this graph because of the natural order of the rules - the rule located
|
||||
closer to the end of the ruleset can never shadow or make redundant a rule
|
||||
higher up.
|
||||
|
||||
The optimization that enables can allow for is to skip matching certain
|
||||
masks on a per-lookup basis - if a given rule has matched,
|
||||
the only adjustments that can happen is the match with one of
|
||||
the shadowing rules.
|
||||
|
||||
Also, another avenue for the optimization can be starting the lookup process
|
||||
with the mask type that maximizes the chances of the independent ACE match,
|
||||
thus resulting in an ACE lookup being a single hash table hit.
|
||||
|
||||
|
||||
Plumbing
|
||||
--------
|
||||
|
||||
All the new routines are located in a separate file,
|
||||
so we can cleanly experiment with a different approach if this
|
||||
does not fit all of the use cases.
|
||||
|
||||
The constant-time lookup within the data path has the API with
|
||||
the same signature as:
|
||||
|
||||
```
|
||||
u8
|
||||
multi_acl_match_5tuple (u32 sw_if_index, fa_5tuple_t * pkt_5tuple, int is_l2,
|
||||
int is_ip6, int is_input, u32 * acl_match_p,
|
||||
u32 * rule_match_p, u32 * trace_bitmap)
|
||||
```
|
||||
|
||||
There should be a new upper-level function with the same signature, which
|
||||
will make a decision whether to use a linear lookup, or to use the
|
||||
constant-time lookup implemented by this work, or to add some other
|
||||
optimizations (e.g. by keeping the cache of the last N lookups).
|
||||
|
||||
The calls to the routine doing preparatory work should happen
|
||||
in `acl_add_list()` after creating the linear-lookup structures,
|
||||
and the routine doing the preparatory work populating the hashtable
|
||||
should be called from `acl_interface_add_del_inout_acl()` or its callees.
|
||||
|
||||
The initial implementation will be geared towards looking up a single
|
||||
match at a time, with the subsequent optimizations possible to make
|
||||
the lookup for more than one packet.
|
||||
|
27
src/plugins/acl/hash_lookup_private.h
Normal file
27
src/plugins/acl/hash_lookup_private.h
Normal file
@ -0,0 +1,27 @@
|
||||
/*
|
||||
*------------------------------------------------------------------
|
||||
* Copyright (c) 2017 Cisco and/or its affiliates.
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at:
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*------------------------------------------------------------------
|
||||
*/
|
||||
|
||||
#define ACL_HASH_LOOKUP_DEBUG 0
|
||||
|
||||
#if ACL_HASH_LOOKUP_DEBUG == 1
|
||||
#define DBG(...) clib_warning(__VA_ARGS__)
|
||||
#define DBG_UNIX_LOG(...) clib_unix_warning(__VA_ARGS__)
|
||||
#else
|
||||
#define DBG(...)
|
||||
#define DBG_UNIX_LOG(...)
|
||||
#endif
|
||||
|
94
src/plugins/acl/hash_lookup_types.h
Normal file
94
src/plugins/acl/hash_lookup_types.h
Normal file
@ -0,0 +1,94 @@
|
||||
/*
|
||||
*------------------------------------------------------------------
|
||||
* Copyright (c) 2017 Cisco and/or its affiliates.
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at:
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*------------------------------------------------------------------
|
||||
*/
|
||||
|
||||
#ifndef _ACL_HASH_LOOKUP_TYPES_H_
|
||||
#define _ACL_HASH_LOOKUP_TYPES_H_
|
||||
|
||||
/* The structure representing the single entry with hash representation */
|
||||
typedef struct {
|
||||
/* these two entries refer to the original ACL# and rule# within that ACL */
|
||||
u32 acl_index;
|
||||
u32 ace_index;
|
||||
|
||||
u32 mask_type_index;
|
||||
u8 src_portrange_not_powerof2;
|
||||
u8 dst_portrange_not_powerof2;
|
||||
|
||||
fa_5tuple_t match;
|
||||
u8 action;
|
||||
} hash_ace_info_t;
|
||||
|
||||
/*
|
||||
* The structure holding the information necessary for the hash-based ACL operation
|
||||
*/
|
||||
typedef struct {
|
||||
/* The mask types present in this ACL */
|
||||
uword *mask_type_index_bitmap;
|
||||
hash_ace_info_t *rules;
|
||||
} hash_acl_info_t;
|
||||
|
||||
typedef struct {
|
||||
/* original non-compiled ACL */
|
||||
u32 acl_index;
|
||||
u32 ace_index;
|
||||
/* the index of the hash_ace_info_t */
|
||||
u32 hash_ace_info_index;
|
||||
/*
|
||||
* in case of the same key having multiple entries,
|
||||
* this holds the index of the next entry.
|
||||
*/
|
||||
u32 next_applied_entry_index;
|
||||
/*
|
||||
* previous entry in the list of the chained ones,
|
||||
* if ~0 then this is entry in the hash.
|
||||
*/
|
||||
u32 prev_applied_entry_index;
|
||||
/*
|
||||
* Action of this applied ACE
|
||||
*/
|
||||
u8 action;
|
||||
} applied_hash_ace_entry_t;
|
||||
|
||||
typedef struct {
|
||||
/*
|
||||
* A logical OR of all the applied_ace_hash_entry_t=>
|
||||
* hash_ace_info_t=>mask_type_index bits set
|
||||
*/
|
||||
uword *mask_type_index_bitmap;
|
||||
} applied_hash_acl_info_t;
|
||||
|
||||
|
||||
typedef union {
|
||||
u64 as_u64;
|
||||
struct {
|
||||
u32 applied_entry_index;
|
||||
u16 reserved_u16;
|
||||
u8 reserved_u8;
|
||||
/* means there is some other entry in front intersecting with this one */
|
||||
u8 shadowed:1;
|
||||
u8 need_portrange_check:1;
|
||||
u8 reserved_flags:6;
|
||||
};
|
||||
} hash_acl_lookup_value_t;
|
||||
|
||||
#define CT_ASSERT_EQUAL(name, x,y) typedef int assert_ ## name ## _compile_time_assertion_failed[((x) == (y))-1]
|
||||
|
||||
CT_ASSERT_EQUAL(hash_acl_lookup_value_t_is_u64, sizeof(hash_acl_lookup_value_t), sizeof(u64));
|
||||
|
||||
#undef CT_ASSERT_EQUAL
|
||||
|
||||
#endif
|
@ -121,6 +121,9 @@ class TestACLplugin(VppTestCase):
|
||||
super(TestACLplugin, self).tearDown()
|
||||
if not self.vpp_dead:
|
||||
self.logger.info(self.vapi.ppcli("show l2fib verbose"))
|
||||
self.logger.info(self.vapi.ppcli("show acl-plugin acl"))
|
||||
self.logger.info(self.vapi.ppcli("show acl-plugin interface"))
|
||||
self.logger.info(self.vapi.ppcli("show acl-plugin tables"))
|
||||
self.logger.info(self.vapi.ppcli("show bridge-domain %s detail"
|
||||
% self.bd_id))
|
||||
|
||||
|
@ -185,6 +185,18 @@ class ACLPluginConnTestCase(VppTestCase):
|
||||
i.resolve_arp()
|
||||
i.resolve_ndp()
|
||||
|
||||
def tearDown(self):
|
||||
"""Run standard test teardown and log various show commands
|
||||
"""
|
||||
super(ACLPluginConnTestCase, self).tearDown()
|
||||
if not self.vpp_dead:
|
||||
self.logger.info(self.vapi.cli("show ip arp"))
|
||||
self.logger.info(self.vapi.cli("show ip6 neighbors"))
|
||||
self.logger.info(self.vapi.cli("show acl-plugin sessions"))
|
||||
self.logger.info(self.vapi.cli("show acl-plugin acl"))
|
||||
self.logger.info(self.vapi.cli("show acl-plugin interface"))
|
||||
self.logger.info(self.vapi.cli("show acl-plugin tables"))
|
||||
|
||||
def api_acl_add_replace(self, acl_index, r, count=-1, tag="",
|
||||
expected_retval=0):
|
||||
"""Add/replace an ACL
|
||||
|
@ -115,6 +115,9 @@ class TestIpIrb(VppTestCase):
|
||||
self.logger.info(self.vapi.cli("show ip arp"))
|
||||
self.logger.info(self.vapi.cli("show ip6 neighbors"))
|
||||
self.logger.info(self.vapi.cli("show acl-plugin sessions"))
|
||||
self.logger.info(self.vapi.cli("show acl-plugin acl"))
|
||||
self.logger.info(self.vapi.cli("show acl-plugin interface"))
|
||||
self.logger.info(self.vapi.cli("show acl-plugin tables"))
|
||||
|
||||
def api_acl_add_replace(self, acl_index, r, count, tag="",
|
||||
expected_retval=0):
|
||||
|
Reference in New Issue
Block a user