4 * Copyright(c) 2010-2014 Intel Corporation. All rights reserved.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
11 * * Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * * Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in
15 * the documentation and/or other materials provided with the
17 * * Neither the name of Intel Corporation nor the names of its
18 * contributors may be used to endorse or promote products derived
19 * from this software without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
22 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
23 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
24 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
25 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
26 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
27 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
28 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
29 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
30 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
31 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
50 * Legacy support for 7-tuple IPv4 and VLAN rule.
51 * This structure and corresponding API is deprecated.
53 struct rte_acl_ipv4vlan_rule {
54 struct rte_acl_rule_data data; /**< Miscellaneous data for the rule. */
55 uint8_t proto; /**< IPv4 protocol ID. */
56 uint8_t proto_mask; /**< IPv4 protocol ID mask. */
57 uint16_t vlan; /**< VLAN ID. */
58 uint16_t vlan_mask; /**< VLAN ID mask. */
59 uint16_t domain; /**< VLAN domain. */
60 uint16_t domain_mask; /**< VLAN domain mask. */
61 uint32_t src_addr; /**< IPv4 source address. */
62 uint32_t src_mask_len; /**< IPv4 source address mask. */
63 uint32_t dst_addr; /**< IPv4 destination address. */
64 uint32_t dst_mask_len; /**< IPv4 destination address mask. */
65 uint16_t src_port_low; /**< L4 source port low. */
66 uint16_t src_port_high; /**< L4 source port high. */
67 uint16_t dst_port_low; /**< L4 destination port low. */
68 uint16_t dst_port_high; /**< L4 destination port high. */
72 * Specifies fields layout inside rte_acl_rule for rte_acl_ipv4vlan_rule.
75 RTE_ACL_IPV4VLAN_PROTO_FIELD,
76 RTE_ACL_IPV4VLAN_VLAN1_FIELD,
77 RTE_ACL_IPV4VLAN_VLAN2_FIELD,
78 RTE_ACL_IPV4VLAN_SRC_FIELD,
79 RTE_ACL_IPV4VLAN_DST_FIELD,
80 RTE_ACL_IPV4VLAN_SRCP_FIELD,
81 RTE_ACL_IPV4VLAN_DSTP_FIELD,
82 RTE_ACL_IPV4VLAN_NUM_FIELDS
86 * Macro to define rule size for rte_acl_ipv4vlan_rule.
88 #define RTE_ACL_IPV4VLAN_RULE_SZ \
89 RTE_ACL_RULE_SZ(RTE_ACL_IPV4VLAN_NUM_FIELDS)
92 * That effectively defines order of IPV4VLAN classifications:
94 * - VLAN (TAG and DOMAIN)
97 * - PORTS (SRC and DST)
100 RTE_ACL_IPV4VLAN_PROTO,
101 RTE_ACL_IPV4VLAN_VLAN,
102 RTE_ACL_IPV4VLAN_SRC,
103 RTE_ACL_IPV4VLAN_DST,
104 RTE_ACL_IPV4VLAN_PORTS,
108 /* rules for invalid layout test */
109 struct rte_acl_ipv4vlan_rule invalid_layout_rules[] = {
110 /* test src and dst address */
112 .data = {.userdata = 1, .category_mask = 1},
113 .src_addr = IPv4(10,0,0,0),
117 .data = {.userdata = 2, .category_mask = 1},
118 .dst_addr = IPv4(10,0,0,0),
121 /* test src and dst ports */
123 .data = {.userdata = 3, .category_mask = 1},
125 .dst_port_high = 100,
128 .data = {.userdata = 4, .category_mask = 1},
130 .src_port_high = 100,
134 .data = {.userdata = 5, .category_mask = 1},
139 .data = {.userdata = 6, .category_mask = 1},
141 .dst_port_high = 0xf,
145 /* these might look odd because they don't match up the rules. This is
146 * intentional, as the invalid layout test presumes returning the correct
147 * results using the wrong data layout.
149 struct ipv4_7tuple invalid_layout_data[] = {
150 {.ip_src = IPv4(10,0,1,0)}, /* should not match */
151 {.ip_src = IPv4(10,0,0,1), .allow = 2}, /* should match 2 */
152 {.port_src = 100, .allow = 4}, /* should match 4 */
153 {.port_dst = 0xf, .allow = 6}, /* should match 6 */
158 #define ACL_ALLOW_MASK 0x1
159 #define ACL_DENY_MASK 0x2
161 /* ruleset for ACL unit test */
162 struct rte_acl_ipv4vlan_rule acl_test_rules[] = {
163 /* destination IP addresses */
164 /* matches all packets traveling to 192.168.0.0/16 */
166 .data = {.userdata = 1, .category_mask = ACL_ALLOW_MASK,
168 .dst_addr = IPv4(192,168,0,0),
171 .src_port_high = 0xffff,
173 .dst_port_high = 0xffff,
175 /* matches all packets traveling to 192.168.1.0/24 */
177 .data = {.userdata = 2, .category_mask = ACL_ALLOW_MASK,
179 .dst_addr = IPv4(192,168,1,0),
182 .src_port_high = 0xffff,
184 .dst_port_high = 0xffff,
186 /* matches all packets traveling to 192.168.1.50 */
188 .data = {.userdata = 3, .category_mask = ACL_DENY_MASK,
190 .dst_addr = IPv4(192,168,1,50),
193 .src_port_high = 0xffff,
195 .dst_port_high = 0xffff,
198 /* source IP addresses */
199 /* matches all packets traveling from 10.0.0.0/8 */
201 .data = {.userdata = 4, .category_mask = ACL_ALLOW_MASK,
203 .src_addr = IPv4(10,0,0,0),
206 .src_port_high = 0xffff,
208 .dst_port_high = 0xffff,
210 /* matches all packets traveling from 10.1.1.0/24 */
212 .data = {.userdata = 5, .category_mask = ACL_ALLOW_MASK,
214 .src_addr = IPv4(10,1,1,0),
217 .src_port_high = 0xffff,
219 .dst_port_high = 0xffff,
221 /* matches all packets traveling from 10.1.1.1 */
223 .data = {.userdata = 6, .category_mask = ACL_DENY_MASK,
225 .src_addr = IPv4(10,1,1,1),
228 .src_port_high = 0xffff,
230 .dst_port_high = 0xffff,
234 /* matches all packets with lower 7 bytes of VLAN tag equal to 0x64 */
236 .data = {.userdata = 7, .category_mask = ACL_ALLOW_MASK,
241 .src_port_high = 0xffff,
243 .dst_port_high = 0xffff,
245 /* matches all packets with VLAN tags that have 0x5 in them */
247 .data = {.userdata = 8, .category_mask = ACL_ALLOW_MASK,
252 .src_port_high = 0xffff,
254 .dst_port_high = 0xffff,
256 /* matches all packets with VLAN tag 5 */
258 .data = {.userdata = 9, .category_mask = ACL_DENY_MASK,
263 .src_port_high = 0xffff,
265 .dst_port_high = 0xffff,
269 /* matches all packets with lower 7 bytes of domain equal to 0x64 */
271 .data = {.userdata = 10, .category_mask = ACL_ALLOW_MASK,
276 .src_port_high = 0xffff,
278 .dst_port_high = 0xffff,
280 /* matches all packets with domains that have 0x5 in them */
282 .data = {.userdata = 11, .category_mask = ACL_ALLOW_MASK,
287 .src_port_high = 0xffff,
289 .dst_port_high = 0xffff,
291 /* matches all packets with domain 5 */
293 .data = {.userdata = 12, .category_mask = ACL_DENY_MASK,
296 .domain_mask = 0xffff,
298 .src_port_high = 0xffff,
300 .dst_port_high = 0xffff,
303 /* destination port */
304 /* matches everything with dst port 80 */
306 .data = {.userdata = 13, .category_mask = ACL_ALLOW_MASK,
311 .src_port_high = 0xffff,
313 /* matches everything with dst port 22-1023 */
315 .data = {.userdata = 14, .category_mask = ACL_ALLOW_MASK,
318 .dst_port_high = 1023,
320 .src_port_high = 0xffff,
322 /* matches everything with dst port 1020 */
324 .data = {.userdata = 15, .category_mask = ACL_DENY_MASK,
326 .dst_port_low = 1020,
327 .dst_port_high = 1020,
329 .src_port_high = 0xffff,
331 /* matches everything with dst portrange 1000-2000 */
333 .data = {.userdata = 16, .category_mask = ACL_DENY_MASK,
335 .dst_port_low = 1000,
336 .dst_port_high = 2000,
338 .src_port_high = 0xffff,
342 /* matches everything with src port 80 */
344 .data = {.userdata = 17, .category_mask = ACL_ALLOW_MASK,
349 .dst_port_high = 0xffff,
351 /* matches everything with src port 22-1023 */
353 .data = {.userdata = 18, .category_mask = ACL_ALLOW_MASK,
356 .src_port_high = 1023,
358 .dst_port_high = 0xffff,
360 /* matches everything with src port 1020 */
362 .data = {.userdata = 19, .category_mask = ACL_DENY_MASK,
364 .src_port_low = 1020,
365 .src_port_high = 1020,
367 .dst_port_high = 0xffff,
369 /* matches everything with src portrange 1000-2000 */
371 .data = {.userdata = 20, .category_mask = ACL_DENY_MASK,
373 .src_port_low = 1000,
374 .src_port_high = 2000,
376 .dst_port_high = 0xffff,
379 /* protocol number */
380 /* matches all packets with protocol number either 0x64 or 0xE4 */
382 .data = {.userdata = 21, .category_mask = ACL_ALLOW_MASK,
387 .src_port_high = 0xffff,
389 .dst_port_high = 0xffff,
391 /* matches all packets with protocol that have 0x5 in them */
393 .data = {.userdata = 22, .category_mask = ACL_ALLOW_MASK,
398 .src_port_high = 0xffff,
400 .dst_port_high = 0xffff,
402 /* matches all packets with protocol 5 */
404 .data = {.userdata = 23, .category_mask = ACL_DENY_MASK,
409 .src_port_high = 0xffff,
411 .dst_port_high = 0xffff,
414 /* rules combining various fields */
416 .data = {.userdata = 24, .category_mask = ACL_ALLOW_MASK,
418 /** make sure that unmasked bytes don't fail! */
419 .dst_addr = IPv4(1,2,3,4),
421 .src_addr = IPv4(5,6,7,8),
426 .src_port_high = 0xffff,
428 .dst_port_high = 1024,
432 .domain_mask = 0xffff,
435 .data = {.userdata = 25, .category_mask = ACL_DENY_MASK,
437 .dst_addr = IPv4(5,6,7,8),
439 .src_addr = IPv4(1,2,3,4),
444 .src_port_high = 0xffff,
446 .dst_port_high = 1024,
450 .domain_mask = 0xffff,
453 .data = {.userdata = 26, .category_mask = ACL_ALLOW_MASK,
455 .dst_addr = IPv4(1,2,3,4),
457 .src_addr = IPv4(5,6,7,8),
462 .src_port_high = 0xffff,
464 .dst_port_high = 1024,
469 .data = {.userdata = 27, .category_mask = ACL_DENY_MASK,
471 .dst_addr = IPv4(5,6,7,8),
473 .src_addr = IPv4(1,2,3,4),
478 .src_port_high = 0xffff,
480 .dst_port_high = 1024,
486 /* data for ACL unit test */
487 struct ipv4_7tuple acl_test_data[] = {
488 /* testing single rule aspects */
489 {.ip_src = IPv4(10,0,0,0), .allow = 4}, /* should match 4 */
490 {.ip_src = IPv4(10,1,1,2), .allow = 5}, /* should match 5 */
491 {.ip_src = IPv4(10,1,1,1), .allow = 5,
492 .deny = 6}, /* should match 5, 6 */
493 {.ip_dst = IPv4(10,0,0,0)}, /* should not match */
494 {.ip_dst = IPv4(10,1,1,2)}, /* should not match */
495 {.ip_dst = IPv4(10,1,1,1)}, /* should not match */
497 {.ip_src = IPv4(192,168,2,50)}, /* should not match */
498 {.ip_src = IPv4(192,168,1,2)}, /* should not match */
499 {.ip_src = IPv4(192,168,1,50)}, /* should not match */
500 {.ip_dst = IPv4(192,168,2,50), .allow = 1}, /* should match 1 */
501 {.ip_dst = IPv4(192,168,1,49), .allow = 2}, /* should match 2 */
502 {.ip_dst = IPv4(192,168,1,50), .allow = 2,
503 .deny = 3}, /* should match 2, 3 */
505 {.vlan = 0x64, .allow = 7}, /* should match 7 */
506 {.vlan = 0xfE4, .allow = 7}, /* should match 7 */
507 {.vlan = 0xE2}, /* should not match */
508 {.vlan = 0xD, .allow = 8}, /* should match 8 */
509 {.vlan = 0x6}, /* should not match */
510 {.vlan = 0x5, .allow = 8, .deny = 9}, /* should match 8, 9 */
512 {.domain = 0x64, .allow = 10}, /* should match 10 */
513 {.domain = 0xfE4, .allow = 10}, /* should match 10 */
514 {.domain = 0xE2}, /* should not match */
515 {.domain = 0xD, .allow = 11}, /* should match 11 */
516 {.domain = 0x6}, /* should not match */
517 {.domain = 0x5, .allow = 11, .deny = 12}, /* should match 11, 12 */
519 {.port_dst = 80, .allow = 13}, /* should match 13 */
520 {.port_dst = 79, .allow = 14}, /* should match 14 */
521 {.port_dst = 81, .allow = 14}, /* should match 14 */
522 {.port_dst = 21}, /* should not match */
523 {.port_dst = 1024, .deny = 16}, /* should match 16 */
524 {.port_dst = 1020, .allow = 14, .deny = 15}, /* should match 14, 15 */
526 {.port_src = 80, .allow = 17}, /* should match 17 */
527 {.port_src = 79, .allow = 18}, /* should match 18 */
528 {.port_src = 81, .allow = 18}, /* should match 18 */
529 {.port_src = 21}, /* should not match */
530 {.port_src = 1024, .deny = 20}, /* should match 20 */
531 {.port_src = 1020, .allow = 18, .deny = 19}, /* should match 18, 19 */
533 {.proto = 0x64, .allow = 21}, /* should match 21 */
534 {.proto = 0xE4, .allow = 21}, /* should match 21 */
535 {.proto = 0xE2}, /* should not match */
536 {.proto = 0xD, .allow = 22}, /* should match 22 */
537 {.proto = 0x6}, /* should not match */
538 {.proto = 0x5, .allow = 22, .deny = 23}, /* should match 22, 23 */
540 /* testing matching multiple rules at once */
541 {.vlan = 0x5, .ip_src = IPv4(10,1,1,1),
542 .allow = 5, .deny = 9}, /* should match 5, 9 */
543 {.vlan = 0x5, .ip_src = IPv4(192,168,2,50),
544 .allow = 8, .deny = 9}, /* should match 8, 9 */
545 {.vlan = 0x55, .ip_src = IPv4(192,168,1,49),
546 .allow = 8}, /* should match 8 */
547 {.port_dst = 80, .port_src = 1024,
548 .allow = 13, .deny = 20}, /* should match 13,20 */
549 {.port_dst = 79, .port_src = 1024,
550 .allow = 14, .deny = 20}, /* should match 14,20 */
551 {.proto = 0x5, .ip_dst = IPv4(192,168,2,50),
552 .allow = 1, .deny = 23}, /* should match 1, 23 */
554 {.proto = 0x5, .ip_dst = IPv4(192,168,1,50),
555 .allow = 2, .deny = 23}, /* should match 2, 23 */
556 {.vlan = 0x64, .domain = 0x5,
557 .allow = 11, .deny = 12}, /* should match 11, 12 */
558 {.proto = 0x5, .port_src = 80,
559 .allow = 17, .deny = 23}, /* should match 17, 23 */
560 {.proto = 0x5, .port_dst = 80,
561 .allow = 13, .deny = 23}, /* should match 13, 23 */
562 {.proto = 0x51, .port_src = 5000}, /* should not match */
563 {.ip_src = IPv4(192,168,1,50),
564 .ip_dst = IPv4(10,0,0,0),
567 .port_dst = 5000}, /* should not match */
569 /* test full packet rules */
571 .ip_dst = IPv4(1,2,100,200),
572 .ip_src = IPv4(5,6,7,254),
580 }, /* should match 23, 24 */
582 .ip_dst = IPv4(5,6,7,254),
583 .ip_src = IPv4(1,2,100,200),
591 }, /* should match 13, 25 */
593 .ip_dst = IPv4(1,10,20,30),
594 .ip_src = IPv4(5,6,7,8),
601 }, /* should match 23, 26 */
603 .ip_dst = IPv4(5,6,7,8),
604 .ip_src = IPv4(1,10,20,30),
611 }, /* should match 13, 27 */
613 .ip_dst = IPv4(2,2,3,4),
614 .ip_src = IPv4(4,6,7,8),
621 }, /* should match 13, 23 */
623 .ip_dst = IPv4(1,2,3,4),
624 .ip_src = IPv4(4,6,7,8),
631 }, /* should match 13, 23 */
634 /* visual separator! */
636 .ip_dst = IPv4(1,2,100,200),
637 .ip_src = IPv4(5,6,7,254),
644 }, /* should match 10 */
646 .ip_dst = IPv4(5,6,7,254),
647 .ip_src = IPv4(1,2,100,200),
654 }, /* should match 10 */
656 .ip_dst = IPv4(1,10,20,30),
657 .ip_src = IPv4(5,6,7,8),
663 }, /* should match 7 */
665 .ip_dst = IPv4(5,6,7,8),
666 .ip_src = IPv4(1,10,20,30),
672 }, /* should match 7 */
674 .ip_dst = IPv4(2,2,3,4),
675 .ip_src = IPv4(4,6,7,8),
681 }, /* should match 7 */
683 .ip_dst = IPv4(1,2,3,4),
684 .ip_src = IPv4(4,6,7,8),
689 }, /* should not match */
692 #endif /* TEST_ACL_H_ */