commit | 17ddc0fee1bc20d0da84dd70bb579c8844a48ef4 | [log] [tgz] |
---|---|---|
author | Andrew Yourtchenko <ayourtch@gmail.com> | Wed Mar 28 14:33:48 2018 +0200 |
committer | Damjan Marion <dmarion.lists@gmail.com> | Fri Mar 30 20:48:01 2018 +0000 |
tree | 1b7444cfc8a6ff4fad13a5fed69d8503ae8cf7af | |
parent | 6091d230e3786c635eea3513d73af45081a5770c [diff] |
acl-plugin: implement an optional session reclassification when ACL is (re-)applied There were several discussions in which users would expect the sessions to be deleted if the new policy after the change does not permit them. There is no right or wrong answer to this question - it is a policy decision. This patch implements an idea to approach this. It uses a per-interface-per-direction counter to designate a "policy epoch" - a period of unchanging rulesets. The moment one removes or adds an ACL applied to an interface, this counter increments. The newly created connections inherit the current policy epoch in a given direction. Likewise, this counter increments if anyone updates an ACL applied to an interface. There is also a new (so far hidden) CLI "set acl-plugin reclassify-sessions [0|1]" (with default being 0) which allows to enable the checking of the existing sessions against the current policy epoch in a given direction. The session is not verified unless there is traffic hitting that session *in the direction of the policy creation* - if the epoch has changed, the session is deleted and within the same processing cycle is evaluated against the ACL rule base and recreated - thus, it should allow traffic-driven session state refresh without affecting the connectivity for the existing sessions. If the packet is coming in the direction opposite to which the session was initially created, the state adjustment is never done, because doing so generically is not really possible without diving too deep into the special cases, which may or may not work. Change-Id: I9e90426492d4bd474b5e89ea8dfb75a7c9de2646 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
The VPP platform is an extensible framework that provides out-of-the-box production quality switch/router functionality. It is the open source version of Cisco's Vector Packet Processing (VPP) technology: a high performance, packet-processing stack that can run on commodity CPUs.
The benefits of this implementation of VPP are its high performance, proven technology, its modularity and flexibility, and rich feature set.
For more information on VPP and its features please visit the FD.io website and What is VPP? pages.
Details of the changes leading up to this version of VPP can be found under @ref release_notes.
Directory name | Description |
---|---|
build-data | Build metadata |
build-root | Build output directory |
doxygen | Documentation generator configuration |
dpdk | DPDK patches and build infrastructure |
@ref extras/libmemif | Client library for memif |
@ref src/examples | VPP example code |
@ref src/plugins | VPP bundled plugins directory |
@ref src/svm | Shared virtual memory allocation library |
src/tests | Standalone tests (not part of test harness) |
src/vat | VPP API test program |
@ref src/vlib | VPP application library |
@ref src/vlibapi | VPP API library |
@ref src/vlibmemory | VPP Memory management |
@ref src/vlibsocket | VPP Socket I/O |
@ref src/vnet | VPP networking |
@ref src/vpp | VPP application |
@ref src/vpp-api | VPP application API bindings |
@ref src/vppinfra | VPP core library |
@ref src/vpp/api | Not-yet-relocated API bindings |
test | Unit tests and Python test harness |
In general anyone interested in building, developing or running VPP should consult the VPP wiki for more complete documentation.
In particular, readers are recommended to take a look at [Pulling, Building, Running, Hacking, Pushing](https://wiki.fd.io/view/VPP/Pulling,_Building,_Run ning,_Hacking_and_Pushing_VPP_Code) which provides extensive step-by-step coverage of the topic.
For the impatient, some salient information is distilled below.
To install system dependencies, build VPP and then install it, simply run the build script. This should be performed a non-privileged user with sudo
access from the project base directory:
./extras/vagrant/build.sh
If you want a more fine-grained approach because you intend to do some development work, the Makefile
in the root directory of the source tree provides several convenience shortcuts as make
targets that may be of interest. To see the available targets run:
make
The directory extras/vagrant
contains a VagrantFile
and supporting scripts to bootstrap a working VPP inside a Vagrant-managed Virtual Machine. This VM can then be used to test concepts with VPP or as a development platform to extend VPP. Some obvious caveats apply when using a VM for VPP since its performance will never match that of bare metal; if your work is timing or performance sensitive, consider using bare metal in addition or instead of the VM.
For this to work you will need a working installation of Vagrant. Instructions for this can be found [on the Setting up Vagrant wiki page] (https://wiki.fd.io/view/DEV/Setting_Up_Vagrant).
Several modules provide documentation, see @subpage user_doc for more end-user-oriented information. Also see @subpage dev_doc for developer notes.
Visit the VPP wiki for details on more advanced building strategies and other development notes.
There is PyDoc generated documentation available for the VPP test framework. See @ref test_framework_doc for details.