1 /* SPDX-License-Identifier: BSD-3-Clause
2 * Copyright(c) 2016 Intel Corporation
9 #include <netinet/in.h>
10 #include <netinet/ip.h>
18 #define MAX_ACL_RULE_NUM 1024
20 #define IPV4_DST_FROM_SP(acr) \
21 (rte_cpu_to_be_32((acr).field[DST_FIELD_IPV4].value.u32))
23 #define IPV4_SRC_FROM_SP(acr) \
24 (rte_cpu_to_be_32((acr).field[SRC_FIELD_IPV4].value.u32))
26 #define IPV4_DST_MASK_FROM_SP(acr) \
27 ((acr).field[DST_FIELD_IPV4].mask_range.u32)
29 #define IPV4_SRC_MASK_FROM_SP(acr) \
30 ((acr).field[SRC_FIELD_IPV4].mask_range.u32)
33 * Rule and trace formats definitions.
45 * That effectively defines order of IPV4 classifications:
49 * - PORTS (SRC and DST)
59 static struct rte_acl_field_def ip4_defs[NUM_FIELDS_IPV4] = {
61 .type = RTE_ACL_FIELD_TYPE_BITMASK,
62 .size = sizeof(uint8_t),
63 .field_index = PROTO_FIELD_IPV4,
64 .input_index = RTE_ACL_IPV4_PROTO,
68 .type = RTE_ACL_FIELD_TYPE_MASK,
69 .size = sizeof(uint32_t),
70 .field_index = SRC_FIELD_IPV4,
71 .input_index = RTE_ACL_IPV4_SRC,
72 .offset = offsetof(struct ip, ip_src) - offsetof(struct ip, ip_p)
75 .type = RTE_ACL_FIELD_TYPE_MASK,
76 .size = sizeof(uint32_t),
77 .field_index = DST_FIELD_IPV4,
78 .input_index = RTE_ACL_IPV4_DST,
79 .offset = offsetof(struct ip, ip_dst) - offsetof(struct ip, ip_p)
82 .type = RTE_ACL_FIELD_TYPE_RANGE,
83 .size = sizeof(uint16_t),
84 .field_index = SRCP_FIELD_IPV4,
85 .input_index = RTE_ACL_IPV4_PORTS,
86 .offset = sizeof(struct ip) - offsetof(struct ip, ip_p)
89 .type = RTE_ACL_FIELD_TYPE_RANGE,
90 .size = sizeof(uint16_t),
91 .field_index = DSTP_FIELD_IPV4,
92 .input_index = RTE_ACL_IPV4_PORTS,
93 .offset = sizeof(struct ip) - offsetof(struct ip, ip_p) +
98 RTE_ACL_RULE_DEF(acl4_rules, RTE_DIM(ip4_defs));
100 static struct acl4_rules acl4_rules_out[MAX_ACL_RULE_NUM];
101 static uint32_t nb_acl4_rules_out;
103 static struct acl4_rules acl4_rules_in[MAX_ACL_RULE_NUM];
104 static uint32_t nb_acl4_rules_in;
107 parse_sp4_tokens(char **tokens, uint32_t n_tokens,
108 struct parse_status *status)
110 struct acl4_rules *rule_ipv4 = NULL;
112 uint32_t *ri = NULL; /* rule index */
113 uint32_t ti = 0; /* token index */
117 uint32_t protect_p = 0;
118 uint32_t bypass_p = 0;
119 uint32_t discard_p = 0;
123 uint32_t proto_p = 0;
124 uint32_t sport_p = 0;
125 uint32_t dport_p = 0;
127 if (strcmp(tokens[1], "in") == 0) {
128 ri = &nb_acl4_rules_in;
130 APP_CHECK(*ri <= MAX_ACL_RULE_NUM - 1, status,
131 "too many sp rules, abort insertion\n");
132 if (status->status < 0)
135 rule_ipv4 = &acl4_rules_in[*ri];
137 } else if (strcmp(tokens[1], "out") == 0) {
138 ri = &nb_acl4_rules_out;
140 APP_CHECK(*ri <= MAX_ACL_RULE_NUM - 1, status,
141 "too many sp rules, abort insertion\n");
142 if (status->status < 0)
145 rule_ipv4 = &acl4_rules_out[*ri];
147 APP_CHECK(0, status, "unrecognized input \"%s\", expect"
148 " \"in\" or \"out\"\n", tokens[ti]);
152 rule_ipv4->data.category_mask = 1;
154 for (ti = 2; ti < n_tokens; ti++) {
155 if (strcmp(tokens[ti], "esp") == 0) {
156 /* currently do nothing */
157 APP_CHECK_PRESENCE(esp_p, tokens[ti], status);
158 if (status->status < 0)
164 if (strcmp(tokens[ti], "protect") == 0) {
165 APP_CHECK_PRESENCE(protect_p, tokens[ti], status);
166 if (status->status < 0)
168 APP_CHECK(bypass_p == 0, status, "conflict item "
169 "between \"%s\" and \"%s\"", tokens[ti],
171 if (status->status < 0)
173 APP_CHECK(discard_p == 0, status, "conflict item "
174 "between \"%s\" and \"%s\"", tokens[ti],
176 if (status->status < 0)
178 INCREMENT_TOKEN_INDEX(ti, n_tokens, status);
179 if (status->status < 0)
181 APP_CHECK_TOKEN_IS_NUM(tokens, ti, status);
182 if (status->status < 0)
185 tv = atoi(tokens[ti]);
186 APP_CHECK(tv != DISCARD && tv != BYPASS, status,
187 "invalid SPI: %s", tokens[ti]);
188 if (status->status < 0)
190 rule_ipv4->data.userdata = tv;
196 if (strcmp(tokens[ti], "bypass") == 0) {
197 APP_CHECK_PRESENCE(bypass_p, tokens[ti], status);
198 if (status->status < 0)
200 APP_CHECK(protect_p == 0, status, "conflict item "
201 "between \"%s\" and \"%s\"", tokens[ti],
203 if (status->status < 0)
205 APP_CHECK(discard_p == 0, status, "conflict item "
206 "between \"%s\" and \"%s\"", tokens[ti],
208 if (status->status < 0)
211 rule_ipv4->data.userdata = BYPASS;
217 if (strcmp(tokens[ti], "discard") == 0) {
218 APP_CHECK_PRESENCE(discard_p, tokens[ti], status);
219 if (status->status < 0)
221 APP_CHECK(protect_p == 0, status, "conflict item "
222 "between \"%s\" and \"%s\"", tokens[ti],
224 if (status->status < 0)
226 APP_CHECK(bypass_p == 0, status, "conflict item "
227 "between \"%s\" and \"%s\"", tokens[ti],
229 if (status->status < 0)
232 rule_ipv4->data.userdata = DISCARD;
238 if (strcmp(tokens[ti], "pri") == 0) {
239 APP_CHECK_PRESENCE(pri_p, tokens[ti], status);
240 if (status->status < 0)
242 INCREMENT_TOKEN_INDEX(ti, n_tokens, status);
243 if (status->status < 0)
245 APP_CHECK_TOKEN_IS_NUM(tokens, ti, status);
246 if (status->status < 0)
249 rule_ipv4->data.priority = atoi(tokens[ti]);
255 if (strcmp(tokens[ti], "src") == 0) {
259 APP_CHECK_PRESENCE(src_p, tokens[ti], status);
260 if (status->status < 0)
262 INCREMENT_TOKEN_INDEX(ti, n_tokens, status);
263 if (status->status < 0)
266 APP_CHECK(parse_ipv4_addr(tokens[ti], &ip,
267 &depth) == 0, status, "unrecognized "
268 "input \"%s\", expect valid ipv4 addr",
270 if (status->status < 0)
273 rule_ipv4->field[1].value.u32 =
274 rte_bswap32(ip.s_addr);
275 rule_ipv4->field[1].mask_range.u32 =
282 if (strcmp(tokens[ti], "dst") == 0) {
286 APP_CHECK_PRESENCE(dst_p, tokens[ti], status);
287 if (status->status < 0)
289 INCREMENT_TOKEN_INDEX(ti, n_tokens, status);
290 if (status->status < 0)
292 APP_CHECK(parse_ipv4_addr(tokens[ti], &ip,
293 &depth) == 0, status, "unrecognized "
294 "input \"%s\", expect valid ipv4 addr",
296 if (status->status < 0)
299 rule_ipv4->field[2].value.u32 =
300 rte_bswap32(ip.s_addr);
301 rule_ipv4->field[2].mask_range.u32 =
308 if (strcmp(tokens[ti], "proto") == 0) {
311 APP_CHECK_PRESENCE(proto_p, tokens[ti], status);
312 if (status->status < 0)
314 INCREMENT_TOKEN_INDEX(ti, n_tokens, status);
315 if (status->status < 0)
318 APP_CHECK(parse_range(tokens[ti], &low, &high)
319 == 0, status, "unrecognized input \"%s\""
320 ", expect \"from:to\"", tokens[ti]);
321 if (status->status < 0)
323 APP_CHECK(low <= 0xff, status, "proto low "
325 if (status->status < 0)
327 APP_CHECK(high <= 0xff, status, "proto high "
329 if (status->status < 0)
332 rule_ipv4->field[0].value.u8 = (uint8_t)low;
333 rule_ipv4->field[0].mask_range.u8 = (uint8_t)high;
339 if (strcmp(tokens[ti], "sport") == 0) {
340 uint16_t port_low, port_high;
342 APP_CHECK_PRESENCE(sport_p, tokens[ti], status);
343 if (status->status < 0)
345 INCREMENT_TOKEN_INDEX(ti, n_tokens, status);
346 if (status->status < 0)
349 APP_CHECK(parse_range(tokens[ti], &port_low,
350 &port_high) == 0, status, "unrecognized "
351 "input \"%s\", expect \"port_from:"
352 "port_to\"", tokens[ti]);
353 if (status->status < 0)
356 rule_ipv4->field[3].value.u16 = port_low;
357 rule_ipv4->field[3].mask_range.u16 = port_high;
363 if (strcmp(tokens[ti], "dport") == 0) {
364 uint16_t port_low, port_high;
366 APP_CHECK_PRESENCE(dport_p, tokens[ti], status);
367 if (status->status < 0)
369 INCREMENT_TOKEN_INDEX(ti, n_tokens, status);
370 if (status->status < 0)
373 APP_CHECK(parse_range(tokens[ti], &port_low,
374 &port_high) == 0, status, "unrecognized "
375 "input \"%s\", expect \"port_from:"
376 "port_to\"", tokens[ti]);
377 if (status->status < 0)
380 rule_ipv4->field[4].value.u16 = port_low;
381 rule_ipv4->field[4].mask_range.u16 = port_high;
387 /* unrecognizeable input */
388 APP_CHECK(0, status, "unrecognized input \"%s\"",
393 /* check if argument(s) are missing */
394 APP_CHECK(esp_p == 1, status, "missing argument \"esp\"");
395 if (status->status < 0)
398 APP_CHECK(protect_p | bypass_p | discard_p, status, "missing "
399 "argument \"protect\", \"bypass\", or \"discard\"");
400 if (status->status < 0)
407 print_one_ip4_rule(const struct acl4_rules *rule, int32_t extra)
411 uint32_t_to_char(rule->field[SRC_FIELD_IPV4].value.u32,
413 printf("%hhu.%hhu.%hhu.%hhu/%u ", a, b, c, d,
414 rule->field[SRC_FIELD_IPV4].mask_range.u32);
415 uint32_t_to_char(rule->field[DST_FIELD_IPV4].value.u32,
417 printf("%hhu.%hhu.%hhu.%hhu/%u ", a, b, c, d,
418 rule->field[DST_FIELD_IPV4].mask_range.u32);
419 printf("%hu : %hu %hu : %hu 0x%hhx/0x%hhx ",
420 rule->field[SRCP_FIELD_IPV4].value.u16,
421 rule->field[SRCP_FIELD_IPV4].mask_range.u16,
422 rule->field[DSTP_FIELD_IPV4].value.u16,
423 rule->field[DSTP_FIELD_IPV4].mask_range.u16,
424 rule->field[PROTO_FIELD_IPV4].value.u8,
425 rule->field[PROTO_FIELD_IPV4].mask_range.u8);
427 printf("0x%x-0x%x-0x%x ",
428 rule->data.category_mask,
430 rule->data.userdata);
434 dump_ip4_rules(const struct acl4_rules *rule, int32_t num, int32_t extra)
438 for (i = 0; i < num; i++, rule++) {
439 printf("\t%d:", i + 1);
440 print_one_ip4_rule(rule, extra);
445 static struct rte_acl_ctx *
446 acl4_init(const char *name, int32_t socketid, const struct acl4_rules *rules,
450 struct rte_acl_param acl_param;
451 struct rte_acl_config acl_build_param;
452 struct rte_acl_ctx *ctx;
454 printf("Creating SP context with %u max rules\n", MAX_ACL_RULE_NUM);
456 memset(&acl_param, 0, sizeof(acl_param));
458 /* Create ACL contexts */
459 snprintf(s, sizeof(s), "%s_%d", name, socketid);
461 printf("IPv4 %s entries [%u]:\n", s, rules_nb);
462 dump_ip4_rules(rules, rules_nb, 1);
465 acl_param.socket_id = socketid;
466 acl_param.rule_size = RTE_ACL_RULE_SZ(RTE_DIM(ip4_defs));
467 acl_param.max_rule_num = MAX_ACL_RULE_NUM;
469 ctx = rte_acl_create(&acl_param);
471 rte_exit(EXIT_FAILURE, "Failed to create ACL context\n");
473 if (rte_acl_add_rules(ctx, (const struct rte_acl_rule *)rules,
475 rte_exit(EXIT_FAILURE, "add rules failed\n");
478 memset(&acl_build_param, 0, sizeof(acl_build_param));
480 acl_build_param.num_categories = DEFAULT_MAX_CATEGORIES;
481 acl_build_param.num_fields = RTE_DIM(ip4_defs);
482 memcpy(&acl_build_param.defs, ip4_defs, sizeof(ip4_defs));
484 if (rte_acl_build(ctx, &acl_build_param) != 0)
485 rte_exit(EXIT_FAILURE, "Failed to build ACL trie\n");
493 * check that for each rule it's SPI has a correspondent entry in SAD
496 check_spi_value(int inbound)
498 uint32_t i, num, spi;
499 const struct acl4_rules *acr;
503 num = nb_acl4_rules_in;
505 acr = acl4_rules_out;
506 num = nb_acl4_rules_out;
509 for (i = 0; i != num; i++) {
510 spi = acr[i].data.userdata;
511 if (spi != DISCARD && spi != BYPASS &&
512 sa_spi_present(spi, inbound) < 0) {
513 RTE_LOG(ERR, IPSEC, "SPI %u is not present in SAD\n",
523 sp4_init(struct socket_ctx *ctx, int32_t socket_id)
528 rte_exit(EXIT_FAILURE, "NULL context.\n");
530 if (ctx->sp_ip4_in != NULL)
531 rte_exit(EXIT_FAILURE, "Inbound SP DB for socket %u already "
532 "initialized\n", socket_id);
534 if (ctx->sp_ip4_out != NULL)
535 rte_exit(EXIT_FAILURE, "Outbound SP DB for socket %u already "
536 "initialized\n", socket_id);
538 if (check_spi_value(1) < 0)
539 rte_exit(EXIT_FAILURE,
540 "Inbound IPv4 SP DB has unmatched in SAD SPIs\n");
542 if (check_spi_value(0) < 0)
543 rte_exit(EXIT_FAILURE,
544 "Outbound IPv4 SP DB has unmatched in SAD SPIs\n");
546 if (nb_acl4_rules_in > 0) {
548 ctx->sp_ip4_in = (struct sp_ctx *)acl4_init(name,
549 socket_id, acl4_rules_in, nb_acl4_rules_in);
551 RTE_LOG(WARNING, IPSEC, "No IPv4 SP Inbound rule "
554 if (nb_acl4_rules_out > 0) {
556 ctx->sp_ip4_out = (struct sp_ctx *)acl4_init(name,
557 socket_id, acl4_rules_out, nb_acl4_rules_out);
559 RTE_LOG(WARNING, IPSEC, "No IPv4 SP Outbound rule "
564 * Search though SP rules for given SPI.
567 sp4_spi_present(uint32_t spi, int inbound, struct ip_addr ip_addr[2],
571 const struct acl4_rules *acr;
575 num = nb_acl4_rules_in;
577 acr = acl4_rules_out;
578 num = nb_acl4_rules_out;
581 for (i = 0; i != num; i++) {
582 if (acr[i].data.userdata == spi) {
583 if (NULL != ip_addr && NULL != mask) {
584 ip_addr[0].ip.ip4 = IPV4_SRC_FROM_SP(acr[i]);
585 ip_addr[1].ip.ip4 = IPV4_DST_FROM_SP(acr[i]);
586 mask[0] = IPV4_SRC_MASK_FROM_SP(acr[i]);
587 mask[1] = IPV4_DST_MASK_FROM_SP(acr[i]);
git.droids-corp.org / dpdk.git / blob