[dpdk-dev] Regarding new feature development in dpdk-acl
Santhosh Bendalam
santhosh.bendalam at tcs.com
Fri Jul 25 17:02:12 CEST 2014
Missed the patch. Please find the patch.
diff --git a/examples/l3fwd-acl/main.c b/examples/l3fwd-acl/main.c
index 9b2c21b..8a5dde8 100644
--- a/examples/l3fwd-acl/main.c
+++ b/examples/l3fwd-acl/main.c
@@ -85,6 +85,8 @@
#define MBUF_SIZE (2048 + sizeof(struct rte_mbuf) + RTE_PKTMBUF_HEADROOM)
+#define L3FWDACL_DEBUG
+
/*
* This expression is used to calculate the number of mbufs needed
* depending on user input, taking into account memory for rx and tx hardware
@@ -135,6 +137,16 @@
static uint16_t nb_rxd = RTE_TEST_RX_DESC_DEFAULT;
static uint16_t nb_txd = RTE_TEST_TX_DESC_DEFAULT;
+/* TCP header flags */
+#define TCPHDR_FIN 0x01
+#define TCPHDR_SYN 0x02
+#define TCPHDR_RST 0x04
+#define TCPHDR_PSH 0x08
+#define TCPHDR_ACK 0x10
+#define TCPHDR_URG 0x20
+#define TCPHDR_ECE 0x40
+#define TCPHDR_CWR 0x80
+
/* ethernet addresses of ports */
static struct ether_addr ports_eth_addr[RTE_MAX_ETHPORTS];
@@ -314,6 +326,7 @@ enum {
DST_FIELD_IPV4,
SRCP_FIELD_IPV4,
DSTP_FIELD_IPV4,
+ PROTO_FIELD_FLAGS,
NUM_FIELDS_IPV4
};
@@ -358,6 +371,15 @@ struct rte_acl_field_def ipv4_defs[NUM_FIELDS_IPV4] = {
offsetof(struct ipv4_hdr, next_proto_id) +
sizeof(uint16_t),
},
+ {
+ .type = RTE_ACL_FIELD_TYPE_BITMASK,
+ .size = sizeof(uint8_t),
+ .field_index = PROTO_FIELD_FLAGS,
+ .input_index = RTE_ACL_IPV4VLAN_PROTO_FLAGS,
+ .offset = sizeof(struct ipv4_hdr) - offsetof(struct ipv4_hdr, next_proto_id)
+ + sizeof(uint16_t) + sizeof(uint16_t) + sizeof (uint32_t)
+ + sizeof (uint32_t) + sizeof(uint8_t),
+ },
};
#define IPV6_ADDR_LEN 16
@@ -376,6 +398,7 @@ enum {
DST4_FIELD_IPV6,
SRCP_FIELD_IPV6,
DSTP_FIELD_IPV6,
+ PROTO_FIELD_FLAGS_IPV6,
NUM_FIELDS_IPV6
};
@@ -467,6 +490,15 @@ struct rte_acl_field_def ipv6_defs[NUM_FIELDS_IPV6] = {
.offset = sizeof(struct ipv6_hdr) -
offsetof(struct ipv6_hdr, proto) + sizeof(uint16_t),
},
+ {
+ .type = RTE_ACL_FIELD_TYPE_BITMASK,
+ .size = sizeof(uint8_t),
+ .field_index = PROTO_FIELD_FLAGS_IPV6,
+ .input_index = PROTO_FIELD_FLAGS_IPV6,
+ .offset = sizeof(struct ipv6_hdr) - offsetof(struct ipv6_hdr, proto)
+ + sizeof(uint16_t) + sizeof(uint16_t) + sizeof (uint32_t)
+ + sizeof (uint32_t) + sizeof(uint8_t),
+ },
};
enum {
@@ -479,6 +511,7 @@ enum {
CB_FLD_DST_PORT_DLM,
CB_FLD_DST_PORT_HIGH,
CB_FLD_PROTO,
+ CB_FLD_PROTO_FLAGS,
CB_FLD_USERDATA,
CB_FLD_NUM,
};
@@ -536,6 +569,8 @@ print_one_ipv4_rule(struct acl4_rule *rule, int extra)
rule->field[DSTP_FIELD_IPV4].mask_range.u16,
rule->field[PROTO_FIELD_IPV4].value.u8,
rule->field[PROTO_FIELD_IPV4].mask_range.u8);
+
+ printf(" Proto flags: %hu ", rule->field[PROTO_FIELD_FLAGS].value.u8);
if (extra)
printf("0x%x-0x%x-0x%x ",
rule->data.category_mask,
@@ -589,6 +624,9 @@ print_one_ipv6_rule(struct acl6_rule *rule, int extra)
rule->field[DSTP_FIELD_IPV6].mask_range.u16,
rule->field[PROTO_FIELD_IPV6].value.u8,
rule->field[PROTO_FIELD_IPV6].mask_range.u8);
+
+ printf(" Proto flags: %hu ", rule->field[PROTO_FIELD_FLAGS].value.u8);
+
if (extra)
printf("0x%x-0x%x-0x%x ",
rule->data.category_mask,
@@ -700,14 +738,19 @@ prepare_one_packet(struct rte_mbuf **pkts_in, struct acl_search_t *acl,
{
struct ipv4_hdr *ipv4_hdr;
struct rte_mbuf *pkt = pkts_in[index];
-
+ struct tcp_hdr *tcp_hdr;
int type = pkt->ol_flags & (PKT_RX_IPV4_HDR | PKT_RX_IPV6_HDR);
-
- if (type == PKT_RX_IPV4_HDR) {
+ printf ("\n bendalam pkt->ol_flags: %d\n", pkt->ol_flags);
+ printf("\n From prepare_one_packet -1\n");
+ //if (type == PKT_RX_IPV4_HDR) {
+ if (1) {
ipv4_hdr = (struct ipv4_hdr *)(rte_pktmbuf_mtod(pkt,
unsigned char *) + sizeof(struct ether_hdr));
+ tcp_hdr = (struct tcp_hdr *)(rte_pktmbuf_mtod(pkt, unsigned char *) +
+ sizeof(struct ether_hdr) + sizeof(struct ipv4_hdr));
+
/* Check to make sure the packet is valid (RFC1812) */
if (is_valid_ipv4_pkt(ipv4_hdr, pkt->pkt.pkt_len) >= 0) {
@@ -715,10 +758,28 @@ prepare_one_packet(struct rte_mbuf **pkts_in, struct acl_search_t *acl,
--(ipv4_hdr->time_to_live);
++(ipv4_hdr->hdr_checksum);
+ printf("\n From prepare_one_packet -2\n");
+#if 0
+ if(tcp_hdr->tcp_flags & TCPHDR_SYN)
+ {
+
+ printf("\n tcp Flag is SYN: %x \n",tcp_hdr->tcp_flags);
+ rte_pktmbuf_free(pkt);
+ return;
+ }
+ else
+ {
+ printf("\n other tcp Flags are %x \n",tcp_hdr->tcp_flags);
+
+ }
+#endif
/* Fill acl structure */
acl->data_ipv4[acl->num_ipv4] = MBUF_IPV4_2PROTO(pkt);
acl->m_ipv4[(acl->num_ipv4)++] = pkt;
+ printf ("\n tcp_hdr src port is %x and dst port is %x",tcp_hdr->src_port,
+ tcp_hdr->dst_port);
+
} else {
/* Not a valid IPv4 packet */
rte_pktmbuf_free(pkt);
@@ -745,7 +806,8 @@ prepare_one_packet(struct rte_mbuf **pkts_in, struct acl_search_t *acl,
int type = pkt->ol_flags & (PKT_RX_IPV4_HDR | PKT_RX_IPV6_HDR);
- if (type == PKT_RX_IPV4_HDR) {
+// if (type == PKT_RX_IPV4_HDR) {
+ if (1) {
/* Fill acl structure */
acl->data_ipv4[acl->num_ipv4] = MBUF_IPV4_2PROTO(pkt);
@@ -793,20 +855,25 @@ prepare_acl_parameter(struct rte_mbuf **pkts_in, struct acl_search_t *acl,
static inline void
send_one_packet(struct rte_mbuf *m, uint32_t res)
{
+ dump_acl4_rule(m, res);
if (likely((res & ACL_DENY_SIGNATURE) == 0 && res != 0)) {
/* forward packets */
+ dump_acl4_rule(m, res);
+ printf("@@@@@@@@ forwarding pkt !!!! resid:%x", res);
send_single_packet(m,
(uint8_t)(res - FWD_PORT_SHIFT));
} else{
/* in the ACL list, drop it */
#ifdef L3FWDACL_DEBUG
if ((res & ACL_DENY_SIGNATURE) != 0) {
- if (m->ol_flags & PKT_RX_IPV4_HDR)
+// if (m->ol_flags & PKT_RX_IPV4_HDR)
+ if (1)
dump_acl4_rule(m, res);
else
dump_acl6_rule(m, res);
}
#endif
+ printf("@@@@@@@@@@@@@@@@Packet Drop !!!!!!!! resid: %x\n", res);
rte_pktmbuf_free(m);
}
}
@@ -958,10 +1025,17 @@ parse_cb_ipv6_rule(char *str, struct rte_acl_rule *v, int has_userdata)
GET_CB_FIELD(in[CB_FLD_PROTO], v->field[PROTO_FIELD_IPV6].mask_range.u8,
0, UINT8_MAX, 0);
+ GET_CB_FIELD(in[CB_FLD_PROTO_FLAGS], v->field[PROTO_FIELD_FLAGS_IPV6].value.u8,
+ 0, UINT8_MAX, '/');
+ GET_CB_FIELD(in[CB_FLD_PROTO_FLAGS],
+ v->field[PROTO_FIELD_FLAGS_IPV6].mask_range.u8,
+ 0, UINT8_MAX, 0);
+
if (has_userdata)
GET_CB_FIELD(in[CB_FLD_USERDATA], v->data.userdata,
0, UINT32_MAX, 0);
+
return 0;
}
@@ -1057,9 +1131,18 @@ parse_cb_ipv4vlan_rule(char *str, struct rte_acl_rule *v, int has_userdata)
GET_CB_FIELD(in[CB_FLD_PROTO], v->field[PROTO_FIELD_IPV4].mask_range.u8,
0, UINT8_MAX, 0);
+ GET_CB_FIELD(in[CB_FLD_PROTO_FLAGS], v->field[PROTO_FIELD_FLAGS].value.u8,
+ 0, UINT8_MAX, '/');
+ GET_CB_FIELD(in[CB_FLD_PROTO_FLAGS], v->field[PROTO_FIELD_FLAGS].mask_range.u8,
+ 0, UINT8_MAX, 0);
+
if (has_userdata)
+ {
GET_CB_FIELD(in[CB_FLD_USERDATA], v->data.userdata, 0,
UINT32_MAX, 0);
+ printf("\nbendalam In parser.. User data: %u\n", v->data.userdata);
+ }
+
return 0;
}
@@ -1136,6 +1219,7 @@ add_rules(const char *rule_path,
rule_path, i, ROUTE_LEAD_CHAR, ACL_LEAD_CHAR);
if (parser(buff + 1, next, s == ROUTE_LEAD_CHAR) != 0)
+// if (parser(buff + 1, next, 1) != 0)
rte_exit(EXIT_FAILURE,
"%s Line %u: parse rules error\n",
rule_path, i);
@@ -1499,10 +1583,12 @@ main_loop(__attribute__((unused)) void *dummy)
if (nb_rx > 0) {
struct acl_search_t acl_search;
+ printf("\n bendalam IPv4 pkt received: before prepare_acl\n");
prepare_acl_parameter(pkts_burst, &acl_search,
nb_rx);
if (acl_search.num_ipv4) {
+ printf("\n bendalam IPv4 pkt received\n");
CLASSIFY(acl_config.acx_ipv4[socketid],
acl_search.data_ipv4,
acl_search.res_ipv4,
@@ -1982,6 +2068,7 @@ MAIN(int argc, char **argv)
/* init EAL */
ret = rte_eal_init(argc, argv);
+ rte_set_log_level(RTE_LOG_DEBUG);
if (ret < 0)
rte_exit(EXIT_FAILURE, "Invalid EAL parameters\n");
argc -= ret;
diff --git a/lib/librte_acl/Makefile b/lib/librte_acl/Makefile
index 4fe4593..2ab4d34 100644
--- a/lib/librte_acl/Makefile
+++ b/lib/librte_acl/Makefile
@@ -34,7 +34,8 @@ include $(RTE_SDK)/mk/rte.vars.mk
# library name
LIB = librte_acl.a
-CFLAGS += -O3
+#CFLAGS += -O3
+CFLAGS += -O0 -g
CFLAGS += $(WERROR_FLAGS) -I$(SRCDIR)
# all source are stored in SRCS-y
diff --git a/lib/librte_acl/acl_run.c b/lib/librte_acl/acl_run.c
index e3d9fc1..95afa04 100644
--- a/lib/librte_acl/acl_run.c
+++ b/lib/librte_acl/acl_run.c
@@ -820,6 +820,16 @@ search_sse_2(const struct rte_acl_ctx *ctx, const uint8_t **data,
mm_shuffle_input64.m, mm_ones_16.m,
mm_bytes64.m, mm_type_quad_range64.m,
flows.trans, &indicies);
+#if 0
+ /* Gather 4 bytes of input data for each stream. */
+ input = MM_INSERT32(input, GET_NEXT_4BYTES(parms, 1), 0);
+ input = MM_INSERT32(input, GET_NEXT_4BYTES(parms, 1), 0);
+
+ input = transition2(mm_index_mask64.m, input,
+ mm_shuffle_input64.m, mm_ones_16.m,
+ mm_bytes64.m, mm_type_quad_range64.m,
+ flows.trans, &indicies);
+#endif
/* Check for any matches. */
acl_match_check_x2(0, ctx, parms, &flows, &indicies,
diff --git a/lib/librte_acl/rte_acl.c b/lib/librte_acl/rte_acl.c
index ea3ce3a..763dc72 100644
--- a/lib/librte_acl/rte_acl.c
+++ b/lib/librte_acl/rte_acl.c
@@ -168,6 +168,7 @@ rte_acl_add_rules(struct rte_acl_ctx *ctx, const struct rte_acl_rule *rules,
uint32_t i;
int32_t rc;
+ RTE_LOG(ERR, ACL, "\n --------HARSHA----------1");
if (ctx == NULL || rules == NULL || 0 == ctx->rule_sz)
return -EINVAL;
diff --git a/lib/librte_acl/rte_acl.h b/lib/librte_acl/rte_acl.h
index afc0f69..8127c3f 100644
--- a/lib/librte_acl/rte_acl.h
+++ b/lib/librte_acl/rte_acl.h
@@ -362,6 +362,7 @@ struct rte_acl_ipv4vlan_rule {
uint16_t src_port_high; /**< L4 source port high. */
uint16_t dst_port_low; /**< L4 destination port low. */
uint16_t dst_port_high; /**< L4 destination port high. */
+ uint8_t proto_flags; /**< L4 protocol flags. */
};
/**
@@ -375,6 +376,7 @@ enum {
RTE_ACL_IPV4VLAN_DST_FIELD,
RTE_ACL_IPV4VLAN_SRCP_FIELD,
RTE_ACL_IPV4VLAN_DSTP_FIELD,
+ RTE_ACL_IPV4VLAN_PROTO_FLAGS_FIELD,
RTE_ACL_IPV4VLAN_NUM_FIELDS
};
@@ -398,6 +400,7 @@ enum {
RTE_ACL_IPV4VLAN_SRC,
RTE_ACL_IPV4VLAN_DST,
RTE_ACL_IPV4VLAN_PORTS,
+ RTE_ACL_IPV4VLAN_PROTO_FLAGS,
RTE_ACL_IPV4VLAN_NUM
};
Warm Regards,
Santhosh Kumar Bendalam,
Assistant Consultant,
Tata Consultancy Services Limited | Synergy Park, Hyderabad, Andhra Pradesh, India | +91-9949950400
-----"dev" wrote: -----
To: dev at dpdk.org
From: Santhosh Bendalam
Sent by: "dev"
Date: 07/25/2014 08:30PM
Subject: [dpdk-dev] Regarding new feature development in dpdk-acl
Hi All,
I am trying to add new acl rule support to filter the packets based on TCP flags. I have followed the structure updates as per DPDK Programmers guide. I have attached the code diff along with this mail.
Some how packet filtering is not happening with our modifications.
Input configuration file used is (Here we are trying to restrict SYN+FIN flag)
@20.0.0.0/24 40.0.0.0/24 0 : 65535 0 : 65535 6/0xfe 0x3/0xFF
R20.0.0.0/24 40.0.0.0/24 0 : 65535 0 : 65535 6/0xfe 0x0/0x00 1
R40.0.0.0/24 20.0.0.0/24 0 : 65535 0 : 65535 6/0xfe 0x0/0x00 1
Could you please share your thoughts on this problem.
Warm Regards,
Santhosh Kumar Bendalam,
Assistant Consultant,
Tata Consultancy Services Limited
=====-----=====-----=====
Notice: The information contained in this e-mail
message and/or attachments to it may contain
confidential or privileged information. If you are
not the intended recipient, any dissemination, use,
review, distribution, printing or copying of the
information contained in this e-mail message
and/or attachments to it are strictly prohibited. If
you have received this communication in error,
please notify us by reply e-mail or telephone and
immediately and permanently delete the message
and any attachments. Thank you
More information about the dev
mailing list