Learning VPP: ACL


Overview

Our goal is to use the ACL plugin to classify traffic on L3/L4 header fields from our own code. The ACL plugin does not provide a CLI for configuration, but all of its APIs are exposed through the VAT (vpp_api_test) CLI.

Integration

First, register as a user of the ACL plugin API. The plugin hands back a method table; the user id and the lookup context index are what every later call is keyed on.

acl_plugin_methods_t acl_plugin;   /* method table filled in by the plugin */
acl_plugin_exports_init (&acl_plugin);
/* Register this module; the two labels name the opaque values passed below. */
u32 acl_user_id = acl_plugin.register_user_module ("Test", "label1", "label2");
/* Context for user "Test" with values (1, 2); listed by "show acl-plugin lookup context". */
u32 acl_lc_id = acl_plugin.get_lookup_context_index (acl_user_id, 1, 2);

Second, attach ACLs to the lookup context. The vector holds ACL indices (not rules), and its order is the order in which the ACLs are consulted.

u32 *acl_vec = 0;          /* VPP vector of ACL indices */
vec_add1 (acl_vec, 0);     /* ACL index 0 is checked first */
vec_add1 (acl_vec, 1);     /* then ACL index 1 */
acl_plugin.set_acl_vec_for_context (acl_lc_id, acl_vec);
vec_free (acl_vec);        /* our copy is not needed once handed to the plugin */

Third, match traffic against the ACL rules: extract the 5-tuple from the packet buffer, then run the lookup.

/* b0 is the packet's vlib_buffer_t; is_ip60 is set from its ethertype. */
fa_5tuple_opaque_t pkt_5tuple0;
u8 action0;
u32 acl_pos_p0, acl_match_p0, rule_match_p0, trace_bitmap0;
int res;

acl_plugin_fill_5tuple_inline (acl_plugin.p_acl_main,
                               acl_lc_id, b0,
                               is_ip60,
                               /* is_input */ 0,
                               /* is_l2_path */ 1,
                               &pkt_5tuple0);

/* First match wins across the context's ACLs. On a hit: action0 is
   0 = deny, 1 = permit, 2 = permit+reflect; acl_pos_p0 is the position in
   the context's ACL vector, acl_match_p0 the ACL index and rule_match_p0
   the rule index inside that ACL. No match returns 0, and the caller
   decides what to do with unmatched traffic. */
res = acl_plugin_match_5tuple_inline (acl_plugin.p_acl_main,
                                      acl_lc_id,
                                      &pkt_5tuple0, is_ip60,
                                      &action0, &acl_pos_p0,
                                      &acl_match_p0,
                                      &rule_match_p0,
                                      &trace_bitmap0);
if (res > 0)
{
    printf ("Rule matched! \n");
}

Testing

Build VPP, start it, then start VAT (vpp_api_test):

./build-root/build-vpp_debug-native/vpp/bin/vpp
./vpp/build-root/build-vpp_debug-native/vpp/bin/vpp_api_test

Create two ACLs; VAT reports the index assigned to each.

vat# acl_add_replace ipv6 permit dst 2001:db8::1/128, ipv4 permit src 192.0.2.1/32
vl_api_acl_add_replace_reply_t_handler:108: ACL index: 0
vat# acl_add_replace ipv6 permit dst 2001:db8::1/128, ipv4 permit src 10.10.2.1/32
vl_api_acl_add_replace_reply_t_handler:108: ACL index: 1

Check the registered lookup context and the ACLs in the VPP CLI.

DBGvpp# show acl-plugin lookup context
index 0:Test label1: 1 label2: 2, acl_indices: 0, 1
DBGvpp# show acl-plugin acl
acl-index 0 count 2 tag {}
          0: ipv6 permit src ::/0 dst 2001:db8::1/128 proto 0 sport 0-65535 dport 0-65535
          1: ipv4 permit src 192.0.2.1/32 dst 0.0.0.0/0 proto 0 sport 0-65535 dport 0-65535
  used in lookup context index: 0
acl-index 1 count 2 tag {}
          0: ipv6 permit src ::/0 dst 2001:db8::1/128 proto 0 sport 0-65535 dport 0-65535
          1: ipv4 permit src 10.10.2.1/32 dst 0.0.0.0/0 proto 0 sport 0-65535 dport 0-65535
  used in lookup context index: 0
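To make the return values of the match step in the Integration section concrete, here is an added stand-alone C model of a lookup context loaded with the two ACLs created above. It is not code from this page or from the VPP ACL plugin: the plugin's tuple-space classifier is replaced by a plain linear walk, proto 0 is treated as "any protocol" with ports ignored, and addresses are parsed with inet_pton. What it reproduces is the semantics a caller relies on: ACLs are consulted in the order given to set_acl_vec_for_context, the first matching rule wins, the result carries the action together with the ACL position, ACL index and rule index (the action0, acl_pos_p0, acl_match_p0 and rule_match_p0 outputs), and a 5-tuple that matches nothing yields no result at all, so the caller has to choose the default for unmatched traffic.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of one ACL-plugin lookup context (not the plugin's own
 * classifier). Action codes follow the plugin: 0 deny, 1 permit. */
enum { ACTION_DENY = 0, ACTION_PERMIT = 1 };

typedef struct {
    int is_ip6;
    uint8_t src[16], dst[16];
    int src_len, dst_len;        /* prefix lengths; 0 = match anything */
    uint8_t proto;               /* 0 = any protocol, as in "show acl-plugin acl" */
    uint16_t sport_lo, sport_hi, dport_lo, dport_hi;
    uint8_t action;
} rule_t;

typedef struct { int is_ip6; uint8_t src[16], dst[16]; uint8_t proto; uint16_t sport, dport; } five_tuple_t;
typedef struct { const rule_t *rules; int n_rules; } acl_t;
typedef struct { int matched; uint32_t action, acl_pos, acl_index, rule_index; } match_result_t;

static void parse_addr(int is_ip6, const char *s, uint8_t out[16]) {
    memset(out, 0, 16);
    inet_pton(is_ip6 ? AF_INET6 : AF_INET, s, out);
}

/* Compare the first plen bits of addr and pfx. */
static int prefix_match(const uint8_t *addr, const uint8_t *pfx, int plen) {
    int full = plen / 8, rem = plen % 8;
    if (memcmp(addr, pfx, full) != 0) return 0;
    if (rem == 0) return 1;
    uint8_t mask = (uint8_t)(0xFF << (8 - rem));
    return (addr[full] & mask) == (pfx[full] & mask);
}

static int rule_matches(const rule_t *r, const five_tuple_t *t) {
    if (r->is_ip6 != t->is_ip6) return 0;            /* v4 rules never see v6 tuples */
    if (!prefix_match(t->src, r->src, r->src_len)) return 0;
    if (!prefix_match(t->dst, r->dst, r->dst_len)) return 0;
    if (r->proto == 0) return 1;                      /* any protocol, ports ignored */
    if (r->proto != t->proto) return 0;
    if (t->proto == 6 || t->proto == 17)              /* TCP/UDP: check port ranges */
        return t->sport >= r->sport_lo && t->sport <= r->sport_hi &&
               t->dport >= r->dport_lo && t->dport <= r->dport_hi;
    return 1;
}

/* Walk the ACLs in the order the context vector lists them; the first
 * matching rule wins. matched == 0 means no rule applied at all. */
match_result_t context_match(const acl_t *acls, const uint32_t *acl_vec,
                             int n_acls, const five_tuple_t *t) {
    match_result_t res = {0};
    for (int pos = 0; pos < n_acls; pos++) {
        const acl_t *a = &acls[acl_vec[pos]];
        for (int i = 0; i < a->n_rules; i++) {
            if (!rule_matches(&a->rules[i], t)) continue;
            res.matched = 1;
            res.action = a->rules[i].action;
            res.acl_pos = pos;               /* position in the context's vector */
            res.acl_index = acl_vec[pos];    /* global ACL index */
            res.rule_index = i;              /* rule index inside that ACL */
            return res;
        }
    }
    return res;
}

static rule_t mk_rule(int is_ip6, const char *src, int slen, const char *dst, int dlen) {
    rule_t r = { .is_ip6 = is_ip6, .src_len = slen, .dst_len = dlen, .proto = 0,
                 .sport_lo = 0, .sport_hi = 65535, .dport_lo = 0, .dport_hi = 65535,
                 .action = ACTION_PERMIT };
    parse_addr(is_ip6, src, r.src);
    parse_addr(is_ip6, dst, r.dst);
    return r;
}

/* The two ACLs created in VAT above, attached to one context as [0, 1].
 * The 5-tuple is a constructed TCP flow; only the addresses matter here. */
match_result_t classify_sample(int is_ip6, const char *src, const char *dst) {
    rule_t acl0[2] = { mk_rule(1, "::", 0, "2001:db8::1", 128),
                       mk_rule(0, "192.0.2.1", 32, "0.0.0.0", 0) };
    rule_t acl1[2] = { mk_rule(1, "::", 0, "2001:db8::1", 128),
                       mk_rule(0, "10.10.2.1", 32, "0.0.0.0", 0) };
    acl_t acls[2] = { { acl0, 2 }, { acl1, 2 } };
    uint32_t acl_vec[2] = { 0, 1 };
    five_tuple_t t = { .is_ip6 = is_ip6, .proto = 6, .sport = 40000, .dport = 443 };
    parse_addr(is_ip6, src, t.src);
    parse_addr(is_ip6, dst, t.dst);
    return context_match(acls, acl_vec, 2, &t);
}

int main(void) {
    match_result_t r = classify_sample(0, "10.10.2.1", "198.51.100.7");
    printf("matched=%d acl_pos=%u acl_index=%u rule=%u action=%u\n",
           r.matched, r.acl_pos, r.acl_index, r.rule_index, r.action);
    r = classify_sample(0, "203.0.113.5", "198.51.100.7");
    printf("matched=%d (no rule applied)\n", r.matched);
    return 0;
}
```

Running it shows the point of the ordering: a packet from 10.10.2.1 is skipped by ACL 0 and caught by rule 1 of ACL 1, so it comes back with acl_pos 1, acl_index 1 and rule_index 1, whereas a source outside both ACLs produces no match and the integration code, not the plugin, has to decide whether that means drop or forward.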

