* [dpdk-dev] Regarding new feature development in dpdk-acl
@ 2014-07-25 14:59 Santhosh Bendalam
2014-07-25 15:02 ` Santhosh Bendalam
0 siblings, 1 reply; 2+ messages in thread
From: Santhosh Bendalam @ 2014-07-25 14:59 UTC (permalink / raw)
To: dev
Hi All,
I am trying to add new acl rule support to filter the packets based on TCP flags. I have followed the structure updates as per DPDK Programmers guide. I have attached the code diff along with this mail.
Some how packet filtering is not happening with our modifications.
Input configuration file used is (Here we are trying to restrict SYN+FIN flag)
@20.0.0.0/24 40.0.0.0/24 0 : 65535 0 : 65535 6/0xfe 0x3/0xFF
R20.0.0.0/24 40.0.0.0/24 0 : 65535 0 : 65535 6/0xfe 0x0/0x00 1
R40.0.0.0/24 20.0.0.0/24 0 : 65535 0 : 65535 6/0xfe 0x0/0x00 1
Could you please share your thoughts on this problem.
Warm Regards,
Santhosh Kumar Bendalam,
Assistant Consultant,
Tata Consultancy Services Limited
=====-----=====-----=====
Notice: The information contained in this e-mail
message and/or attachments to it may contain
confidential or privileged information. If you are
not the intended recipient, any dissemination, use,
review, distribution, printing or copying of the
information contained in this e-mail message
and/or attachments to it are strictly prohibited. If
you have received this communication in error,
please notify us by reply e-mail or telephone and
immediately and permanently delete the message
and any attachments. Thank you
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [dpdk-dev] Regarding new feature development in dpdk-acl
2014-07-25 14:59 [dpdk-dev] Regarding new feature development in dpdk-acl Santhosh Bendalam
@ 2014-07-25 15:02 ` Santhosh Bendalam
0 siblings, 0 replies; 2+ messages in thread
From: Santhosh Bendalam @ 2014-07-25 15:02 UTC (permalink / raw)
To: Santhosh Bendalam; +Cc: dev
Missed the patch. Please find the patch.
diff --git a/examples/l3fwd-acl/main.c b/examples/l3fwd-acl/main.c
index 9b2c21b..8a5dde8 100644
--- a/examples/l3fwd-acl/main.c
+++ b/examples/l3fwd-acl/main.c
@@ -85,6 +85,8 @@
#define MBUF_SIZE (2048 + sizeof(struct rte_mbuf) + RTE_PKTMBUF_HEADROOM)
+#define L3FWDACL_DEBUG
+
/*
* This expression is used to calculate the number of mbufs needed
* depending on user input, taking into account memory for rx and tx hardware
@@ -135,6 +137,16 @@
static uint16_t nb_rxd = RTE_TEST_RX_DESC_DEFAULT;
static uint16_t nb_txd = RTE_TEST_TX_DESC_DEFAULT;
+/* TCP header flags */
+#define TCPHDR_FIN 0x01
+#define TCPHDR_SYN 0x02
+#define TCPHDR_RST 0x04
+#define TCPHDR_PSH 0x08
+#define TCPHDR_ACK 0x10
+#define TCPHDR_URG 0x20
+#define TCPHDR_ECE 0x40
+#define TCPHDR_CWR 0x80
+
/* ethernet addresses of ports */
static struct ether_addr ports_eth_addr[RTE_MAX_ETHPORTS];
@@ -314,6 +326,7 @@ enum {
DST_FIELD_IPV4,
SRCP_FIELD_IPV4,
DSTP_FIELD_IPV4,
+ PROTO_FIELD_FLAGS,
NUM_FIELDS_IPV4
};
@@ -358,6 +371,15 @@ struct rte_acl_field_def ipv4_defs[NUM_FIELDS_IPV4] = {
offsetof(struct ipv4_hdr, next_proto_id) +
sizeof(uint16_t),
},
+ {
+ .type = RTE_ACL_FIELD_TYPE_BITMASK,
+ .size = sizeof(uint8_t),
+ .field_index = PROTO_FIELD_FLAGS,
+ .input_index = RTE_ACL_IPV4VLAN_PROTO_FLAGS,
+ .offset = sizeof(struct ipv4_hdr) - offsetof(struct ipv4_hdr, next_proto_id)
+ + sizeof(uint16_t) + sizeof(uint16_t) + sizeof (uint32_t)
+ + sizeof (uint32_t) + sizeof(uint8_t),
+ },
};
#define IPV6_ADDR_LEN 16
@@ -376,6 +398,7 @@ enum {
DST4_FIELD_IPV6,
SRCP_FIELD_IPV6,
DSTP_FIELD_IPV6,
+ PROTO_FIELD_FLAGS_IPV6,
NUM_FIELDS_IPV6
};
@@ -467,6 +490,15 @@ struct rte_acl_field_def ipv6_defs[NUM_FIELDS_IPV6] = {
.offset = sizeof(struct ipv6_hdr) -
offsetof(struct ipv6_hdr, proto) + sizeof(uint16_t),
},
+ {
+ .type = RTE_ACL_FIELD_TYPE_BITMASK,
+ .size = sizeof(uint8_t),
+ .field_index = PROTO_FIELD_FLAGS_IPV6,
+ .input_index = PROTO_FIELD_FLAGS_IPV6,
+ .offset = sizeof(struct ipv6_hdr) - offsetof(struct ipv6_hdr, proto)
+ + sizeof(uint16_t) + sizeof(uint16_t) + sizeof (uint32_t)
+ + sizeof (uint32_t) + sizeof(uint8_t),
+ },
};
enum {
@@ -479,6 +511,7 @@ enum {
CB_FLD_DST_PORT_DLM,
CB_FLD_DST_PORT_HIGH,
CB_FLD_PROTO,
+ CB_FLD_PROTO_FLAGS,
CB_FLD_USERDATA,
CB_FLD_NUM,
};
@@ -536,6 +569,8 @@ print_one_ipv4_rule(struct acl4_rule *rule, int extra)
rule->field[DSTP_FIELD_IPV4].mask_range.u16,
rule->field[PROTO_FIELD_IPV4].value.u8,
rule->field[PROTO_FIELD_IPV4].mask_range.u8);
+
+ printf(" Proto flags: %hu ", rule->field[PROTO_FIELD_FLAGS].value.u8);
if (extra)
printf("0x%x-0x%x-0x%x ",
rule->data.category_mask,
@@ -589,6 +624,9 @@ print_one_ipv6_rule(struct acl6_rule *rule, int extra)
rule->field[DSTP_FIELD_IPV6].mask_range.u16,
rule->field[PROTO_FIELD_IPV6].value.u8,
rule->field[PROTO_FIELD_IPV6].mask_range.u8);
+
+ printf(" Proto flags: %hu ", rule->field[PROTO_FIELD_FLAGS].value.u8);
+
if (extra)
printf("0x%x-0x%x-0x%x ",
rule->data.category_mask,
@@ -700,14 +738,19 @@ prepare_one_packet(struct rte_mbuf **pkts_in, struct acl_search_t *acl,
{
struct ipv4_hdr *ipv4_hdr;
struct rte_mbuf *pkt = pkts_in[index];
-
+ struct tcp_hdr *tcp_hdr;
int type = pkt->ol_flags & (PKT_RX_IPV4_HDR | PKT_RX_IPV6_HDR);
-
- if (type == PKT_RX_IPV4_HDR) {
+ printf ("\n bendalam pkt->ol_flags: %d\n", pkt->ol_flags);
+ printf("\n From prepare_one_packet -1\n");
+ //if (type == PKT_RX_IPV4_HDR) {
+ if (1) {
ipv4_hdr = (struct ipv4_hdr *)(rte_pktmbuf_mtod(pkt,
unsigned char *) + sizeof(struct ether_hdr));
+ tcp_hdr = (struct tcp_hdr *)(rte_pktmbuf_mtod(pkt, unsigned char *) +
+ sizeof(struct ether_hdr) + sizeof(struct ipv4_hdr));
+
/* Check to make sure the packet is valid (RFC1812) */
if (is_valid_ipv4_pkt(ipv4_hdr, pkt->pkt.pkt_len) >= 0) {
@@ -715,10 +758,28 @@ prepare_one_packet(struct rte_mbuf **pkts_in, struct acl_search_t *acl,
--(ipv4_hdr->time_to_live);
++(ipv4_hdr->hdr_checksum);
+ printf("\n From prepare_one_packet -2\n");
+#if 0
+ if(tcp_hdr->tcp_flags & TCPHDR_SYN)
+ {
+
+ printf("\n tcp Flag is SYN: %x \n",tcp_hdr->tcp_flags);
+ rte_pktmbuf_free(pkt);
+ return;
+ }
+ else
+ {
+ printf("\n other tcp Flags are %x \n",tcp_hdr->tcp_flags);
+
+ }
+#endif
/* Fill acl structure */
acl->data_ipv4[acl->num_ipv4] = MBUF_IPV4_2PROTO(pkt);
acl->m_ipv4[(acl->num_ipv4)++] = pkt;
+ printf ("\n tcp_hdr src port is %x and dst port is %x",tcp_hdr->src_port,
+ tcp_hdr->dst_port);
+
} else {
/* Not a valid IPv4 packet */
rte_pktmbuf_free(pkt);
@@ -745,7 +806,8 @@ prepare_one_packet(struct rte_mbuf **pkts_in, struct acl_search_t *acl,
int type = pkt->ol_flags & (PKT_RX_IPV4_HDR | PKT_RX_IPV6_HDR);
- if (type == PKT_RX_IPV4_HDR) {
+// if (type == PKT_RX_IPV4_HDR) {
+ if (1) {
/* Fill acl structure */
acl->data_ipv4[acl->num_ipv4] = MBUF_IPV4_2PROTO(pkt);
@@ -793,20 +855,25 @@ prepare_acl_parameter(struct rte_mbuf **pkts_in, struct acl_search_t *acl,
static inline void
send_one_packet(struct rte_mbuf *m, uint32_t res)
{
+ dump_acl4_rule(m, res);
if (likely((res & ACL_DENY_SIGNATURE) == 0 && res != 0)) {
/* forward packets */
+ dump_acl4_rule(m, res);
+ printf("@@@@@@@@ forwarding pkt !!!! resid:%x", res);
send_single_packet(m,
(uint8_t)(res - FWD_PORT_SHIFT));
} else{
/* in the ACL list, drop it */
#ifdef L3FWDACL_DEBUG
if ((res & ACL_DENY_SIGNATURE) != 0) {
- if (m->ol_flags & PKT_RX_IPV4_HDR)
+// if (m->ol_flags & PKT_RX_IPV4_HDR)
+ if (1)
dump_acl4_rule(m, res);
else
dump_acl6_rule(m, res);
}
#endif
+ printf("@@@@@@@@@@@@@@@@Packet Drop !!!!!!!! resid: %x\n", res);
rte_pktmbuf_free(m);
}
}
@@ -958,10 +1025,17 @@ parse_cb_ipv6_rule(char *str, struct rte_acl_rule *v, int has_userdata)
GET_CB_FIELD(in[CB_FLD_PROTO], v->field[PROTO_FIELD_IPV6].mask_range.u8,
0, UINT8_MAX, 0);
+ GET_CB_FIELD(in[CB_FLD_PROTO_FLAGS], v->field[PROTO_FIELD_FLAGS_IPV6].value.u8,
+ 0, UINT8_MAX, '/');
+ GET_CB_FIELD(in[CB_FLD_PROTO_FLAGS],
+ v->field[PROTO_FIELD_FLAGS_IPV6].mask_range.u8,
+ 0, UINT8_MAX, 0);
+
if (has_userdata)
GET_CB_FIELD(in[CB_FLD_USERDATA], v->data.userdata,
0, UINT32_MAX, 0);
+
return 0;
}
@@ -1057,9 +1131,18 @@ parse_cb_ipv4vlan_rule(char *str, struct rte_acl_rule *v, int has_userdata)
GET_CB_FIELD(in[CB_FLD_PROTO], v->field[PROTO_FIELD_IPV4].mask_range.u8,
0, UINT8_MAX, 0);
+ GET_CB_FIELD(in[CB_FLD_PROTO_FLAGS], v->field[PROTO_FIELD_FLAGS].value.u8,
+ 0, UINT8_MAX, '/');
+ GET_CB_FIELD(in[CB_FLD_PROTO_FLAGS], v->field[PROTO_FIELD_FLAGS].mask_range.u8,
+ 0, UINT8_MAX, 0);
+
if (has_userdata)
+ {
GET_CB_FIELD(in[CB_FLD_USERDATA], v->data.userdata, 0,
UINT32_MAX, 0);
+ printf("\nbendalam In parser.. User data: %u\n", v->data.userdata);
+ }
+
return 0;
}
@@ -1136,6 +1219,7 @@ add_rules(const char *rule_path,
rule_path, i, ROUTE_LEAD_CHAR, ACL_LEAD_CHAR);
if (parser(buff + 1, next, s == ROUTE_LEAD_CHAR) != 0)
+// if (parser(buff + 1, next, 1) != 0)
rte_exit(EXIT_FAILURE,
"%s Line %u: parse rules error\n",
rule_path, i);
@@ -1499,10 +1583,12 @@ main_loop(__attribute__((unused)) void *dummy)
if (nb_rx > 0) {
struct acl_search_t acl_search;
+ printf("\n bendalam IPv4 pkt received: before prepare_acl\n");
prepare_acl_parameter(pkts_burst, &acl_search,
nb_rx);
if (acl_search.num_ipv4) {
+ printf("\n bendalam IPv4 pkt received\n");
CLASSIFY(acl_config.acx_ipv4[socketid],
acl_search.data_ipv4,
acl_search.res_ipv4,
@@ -1982,6 +2068,7 @@ MAIN(int argc, char **argv)
/* init EAL */
ret = rte_eal_init(argc, argv);
+ rte_set_log_level(RTE_LOG_DEBUG);
if (ret < 0)
rte_exit(EXIT_FAILURE, "Invalid EAL parameters\n");
argc -= ret;
diff --git a/lib/librte_acl/Makefile b/lib/librte_acl/Makefile
index 4fe4593..2ab4d34 100644
--- a/lib/librte_acl/Makefile
+++ b/lib/librte_acl/Makefile
@@ -34,7 +34,8 @@ include $(RTE_SDK)/mk/rte.vars.mk
# library name
LIB = librte_acl.a
-CFLAGS += -O3
+#CFLAGS += -O3
+CFLAGS += -O0 -g
CFLAGS += $(WERROR_FLAGS) -I$(SRCDIR)
# all source are stored in SRCS-y
diff --git a/lib/librte_acl/acl_run.c b/lib/librte_acl/acl_run.c
index e3d9fc1..95afa04 100644
--- a/lib/librte_acl/acl_run.c
+++ b/lib/librte_acl/acl_run.c
@@ -820,6 +820,16 @@ search_sse_2(const struct rte_acl_ctx *ctx, const uint8_t **data,
mm_shuffle_input64.m, mm_ones_16.m,
mm_bytes64.m, mm_type_quad_range64.m,
flows.trans, &indicies);
+#if 0
+ /* Gather 4 bytes of input data for each stream. */
+ input = MM_INSERT32(input, GET_NEXT_4BYTES(parms, 1), 0);
+ input = MM_INSERT32(input, GET_NEXT_4BYTES(parms, 1), 0);
+
+ input = transition2(mm_index_mask64.m, input,
+ mm_shuffle_input64.m, mm_ones_16.m,
+ mm_bytes64.m, mm_type_quad_range64.m,
+ flows.trans, &indicies);
+#endif
/* Check for any matches. */
acl_match_check_x2(0, ctx, parms, &flows, &indicies,
diff --git a/lib/librte_acl/rte_acl.c b/lib/librte_acl/rte_acl.c
index ea3ce3a..763dc72 100644
--- a/lib/librte_acl/rte_acl.c
+++ b/lib/librte_acl/rte_acl.c
@@ -168,6 +168,7 @@ rte_acl_add_rules(struct rte_acl_ctx *ctx, const struct rte_acl_rule *rules,
uint32_t i;
int32_t rc;
+ RTE_LOG(ERR, ACL, "\n --------HARSHA----------1");
if (ctx == NULL || rules == NULL || 0 == ctx->rule_sz)
return -EINVAL;
diff --git a/lib/librte_acl/rte_acl.h b/lib/librte_acl/rte_acl.h
index afc0f69..8127c3f 100644
--- a/lib/librte_acl/rte_acl.h
+++ b/lib/librte_acl/rte_acl.h
@@ -362,6 +362,7 @@ struct rte_acl_ipv4vlan_rule {
uint16_t src_port_high; /**< L4 source port high. */
uint16_t dst_port_low; /**< L4 destination port low. */
uint16_t dst_port_high; /**< L4 destination port high. */
+ uint8_t proto_flags; /**< L4 protocol flags. */
};
/**
@@ -375,6 +376,7 @@ enum {
RTE_ACL_IPV4VLAN_DST_FIELD,
RTE_ACL_IPV4VLAN_SRCP_FIELD,
RTE_ACL_IPV4VLAN_DSTP_FIELD,
+ RTE_ACL_IPV4VLAN_PROTO_FLAGS_FIELD,
RTE_ACL_IPV4VLAN_NUM_FIELDS
};
@@ -398,6 +400,7 @@ enum {
RTE_ACL_IPV4VLAN_SRC,
RTE_ACL_IPV4VLAN_DST,
RTE_ACL_IPV4VLAN_PORTS,
+ RTE_ACL_IPV4VLAN_PROTO_FLAGS,
RTE_ACL_IPV4VLAN_NUM
};
Warm Regards,
Santhosh Kumar Bendalam,
Assistant Consultant,
Tata Consultancy Services Limited | Synergy Park, Hyderabad, Andhra Pradesh, India | +91-9949950400
-----"dev" wrote: -----
To: dev@dpdk.org
From: Santhosh Bendalam
Sent by: "dev"
Date: 07/25/2014 08:30PM
Subject: [dpdk-dev] Regarding new feature development in dpdk-acl
Hi All,
I am trying to add new acl rule support to filter the packets based on TCP flags. I have followed the structure updates as per DPDK Programmers guide. I have attached the code diff along with this mail.
Some how packet filtering is not happening with our modifications.
Input configuration file used is (Here we are trying to restrict SYN+FIN flag)
@20.0.0.0/24 40.0.0.0/24 0 : 65535 0 : 65535 6/0xfe 0x3/0xFF
R20.0.0.0/24 40.0.0.0/24 0 : 65535 0 : 65535 6/0xfe 0x0/0x00 1
R40.0.0.0/24 20.0.0.0/24 0 : 65535 0 : 65535 6/0xfe 0x0/0x00 1
Could you please share your thoughts on this problem.
Warm Regards,
Santhosh Kumar Bendalam,
Assistant Consultant,
Tata Consultancy Services Limited
=====-----=====-----=====
Notice: The information contained in this e-mail
message and/or attachments to it may contain
confidential or privileged information. If you are
not the intended recipient, any dissemination, use,
review, distribution, printing or copying of the
information contained in this e-mail message
and/or attachments to it are strictly prohibited. If
you have received this communication in error,
please notify us by reply e-mail or telephone and
immediately and permanently delete the message
and any attachments. Thank you
From mhall@mhcomputing.net Fri Jul 25 17:27:44 2014
Return-Path: <mhall@mhcomputing.net>
Received: from mail.mhcomputing.net (master.mhcomputing.net [74.208.46.186])
by dpdk.org (Postfix) with ESMTP id BEC6C592E
for <dev@dpdk.org>; Fri, 25 Jul 2014 17:27:44 +0200 (CEST)
Received: from 182-192-223-21.pools.spcsdns.net
(66-87-118-182.pools.spcsdns.net [66.87.118.182])
by mail.mhcomputing.net (Postfix) with ESMTPSA id A906680C4EE;
Fri, 25 Jul 2014 08:28:40 -0700 (PDT)
User-Agent: K-9 Mail for Android
In-Reply-To: <53D26C42.3060907@fixup.fi>
References: <20140724075918.GA21277@mhcomputing.net>
<53D18EFF.8080804@fixup.fi> <1432797.FfhxlLyX1P@xps13>
<53D26C42.3060907@fixup.fi>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain;
charset=UTF-8
From: Matthew Hall <mhall@mhcomputing.net>
Date: Fri, 25 Jul 2014 07:44:37 -0700
To: Antti Kantee <pooka@fixup.fi>, Thomas Monjalon <thomas.monjalon@6wind.com>,
dev@dpdk.org
Message-ID: <8d2a5eff-ea7c-4035-95ec-1e391c1cda38@email.android.com>
Subject: Re: [dpdk-dev] symbol conflicts between netinet/in.h, arpa/inet.h,
and rte_ip.h
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: patches and discussions about DPDK <dev.dpdk.org>
List-Unsubscribe: <http://dpdk.org/ml/options/dev>,
<mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://dpdk.org/ml/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <http://dpdk.org/ml/listinfo/dev>,
<mailto:dev-request@dpdk.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Jul 2014 15:27:45 -0000
If the bare metal mode is getting yanked, then I think we can go with Antti's advice and just yank the conflicting symbols and use the system versions.
--
Sent from my mobile device.
On July 25, 2014 7:40:02 AM PDT, Antti Kantee <pooka@fixup.fi> wrote:
>On 25/07/14 10:43, Thomas Monjalon wrote:
>>> On 24/07/14 07:59, Matthew Hall wrote:
>>>> I ran into some weird symbol conflicts between system netinet/in.h
>and DPDK
>>>> rte_ip.h. They have a lot of duplicated definitions for stuff like
>IPPROTO_IP
>>>> and so on. This breaks when you want to use inet_pton from
>arpa/inet.h,
>>>> because it includes netinet/in.h to define struct in_addr.
>> [...]
>>> Again, I recommend steering away from any tightrope approaches that
>>> "know" which types are non-conflicting, or pick out half-and-half
>from
>>> the host and IP stack. "Do, or do not, there is no half-and-half"
>>
>> The general problem here is that DPDK is conflicting with libc.
>> So the obvious question would be: "why DPDK needs to redefine libc
>stuff"?
>> I don't see any obvious answer since bare metal is planned to be
>removed.
>> (see http://dpdk.org/ml/archives/dev/2014-June/003868.html)
>
>One reason is if you want DPDK to be a portable network programming
>environment. Especially in that case you do not want definitions based
>
>on hackish assumptions of some particular version of some particular
>host implementation. However, I'm not trying to argue if DPDK should
>or
>shouldn't be that, just that you should either dramatically improve the
>
>current implementation or nuke it.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2014-07-25 15:00 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-07-25 14:59 [dpdk-dev] Regarding new feature development in dpdk-acl Santhosh Bendalam
2014-07-25 15:02 ` Santhosh Bendalam
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).