Difference between revisions of "VPP/SecurityGroups"
(→API) |
(→Requirements) |
| Line 7: | Line 7: | ||
== Requirements == | == Requirements == | ||
| − | * Support classifiers/filters on | + | * Support classifiers/filters on any interface type (bridged / routed) |
| − | * Filter on IP-addresses with address mask (IPv4 and IPv6) | + | * Filter on IP-addresses with address mask or prefix length (IPv4 and IPv6) |
| − | * Filter on | + | * Filter on source and destination TCP/UDP port ranges |
| − | * Filter on L2 MAC addresses | + | * Filter on source and destination L2 MAC addresses |
* Support IPv6 with extension headers present | * Support IPv6 with extension headers present | ||
| + | * Support fragmented packets and unknown transport layer headers | ||
* Combinations of the above filters (e.g. MAC + IP) | * Combinations of the above filters (e.g. MAC + IP) | ||
| − | * Filters on ingress and egress | + | * Filters on ingress and egress interfaces |
| + | * Stateful firewall. No application layer filtering. | ||
== Work list == | == Work list == | ||
Revision as of 12:06, 9 October 2016
VPP Security Groups
Introduction
Features are tracked as they are developed in VPP-427.
Requirements
- Support classifiers/filters on any interface type (bridged / routed)
- Filter on IP-addresses with address mask or prefix length (IPv4 and IPv6)
- Filter on source and destination TCP/UDP port ranges
- Filter on source and destination L2 MAC addresses
- Support IPv6 with extension headers present
- Support fragmented packets and unknown transport layer headers
- Combinations of the above filters (e.g. MAC + IP)
- Filters on ingress and egress interfaces
- Stateful firewall. No application layer filtering.
Work list
| Task | Owner | Priority | Status | Description |
|---|---|---|---|---|
| API definition | Ole | 0 | WIP | |
| Ingress/Egress support for classifier | | 0 | | |
| Support for L2/L3 interfaces | | 0 | | |
API
add or delete classifier table:
/* Add (is_add set) or delete a classifier table.
 * The trailing mask is variable-length (mask[0]) and no explicit length field
 * accompanies it; presumably its size follows from skip_n_vectors and
 * match_n_vectors — verify against the handler before relying on this. */
define classify_add_del_table
{
u32 client_index;
u32 context;
u8 is_add;
u32 table_index;
u32 nbuckets;
u32 memory_size;
u32 skip_n_vectors;
u32 match_n_vectors;
u32 next_table_index;
u32 miss_next_index;
u8 mask[0]; /* variable-length; length not carried in the message */
};
/* Reply to classify_add_del_table: result code plus the index of the table
 * and the vector counts the table was created with. */
define classify_add_del_table_reply
{
u32 context;
i32 retval; /* result code; assumed 0 on success — confirm against handler */
u32 new_table_index;
u32 skip_n_vectors;
u32 match_n_vectors;
};
add or delete classifier session:
/* Add (is_add set) or delete a session (match entry) in an existing
 * classifier table. As with the table mask, the trailing match bytes are
 * variable-length (match[0]) with no explicit length field; the expected
 * size presumably derives from the table's match_n_vectors — confirm. */
define classify_add_del_session
{
u32 client_index;
u32 context;
u8 is_add;
u32 table_index;
u32 hit_next_index;
u32 opaque_index;
i32 advance;
u8 match[0]; /* variable-length; length not carried in the message */
};
/* Reply to classify_add_del_session: result code only. */
define classify_add_del_session_reply
{
u32 context;
i32 retval; /* result code; assumed 0 on success — confirm against handler */
};
/* Attach a classifier table to an interface for one IP address family
 * (is_ipv6 selects IPv6, otherwise IPv4). */
define classify_set_interface_ip_table
{
u32 client_index;
u32 context;
u8 is_ipv6;
u32 sw_if_index;
u32 table_index; /* ~0 => off */
};
/* Reply to classify_set_interface_ip_table: result code only. */
define classify_set_interface_ip_table_reply
{
u32 context;
i32 retval; /* result code; assumed 0 on success — confirm against handler */
};
/* Attach up to three classifier tables (IPv4, IPv6, other) to an L2
 * interface. is_input presumably selects the ingress direction — confirm. */
define classify_set_interface_l2_tables
{
u32 client_index;
u32 context;
u32 sw_if_index;
/* 3 x ~0 => off */
u32 ip4_table_index;
u32 ip6_table_index;
u32 other_table_index;
u8 is_input;
};
/* Reply to classify_set_interface_l2_tables: result code only. */
define classify_set_interface_l2_tables_reply
{
u32 context;
i32 retval; /* result code; assumed 0 on success — confirm against handler */
};
apply input ACL to an interface:
/* Apply (is_add set) or remove an input ACL on an interface, naming the
 * classifier tables consulted for IPv4, IPv6 and L2 traffic. Whether ~0
 * disables an individual table, as it does for the classify_set_interface_*
 * messages, is not stated here — confirm. */
define input_acl_set_interface
{
u32 client_index;
u32 context;
u32 sw_if_index;
u32 ip4_table_index;
u32 ip6_table_index;
u32 l2_table_index;
u8 is_add;
};
/* Reply to input_acl_set_interface: result code only. */
define input_acl_set_interface_reply
{
u32 context;
i32 retval; /* result code; assumed 0 on success — confirm against handler */
};
apply an output ACL to an interface:
/* Apply (is_add set) or remove an output ACL on an interface; same field
 * layout as input_acl_set_interface, for the egress direction. */
define output_acl_set_interface
{
u32 client_index;
u32 context;
u32 sw_if_index;
u32 ip4_table_index;
u32 ip6_table_index;
u32 l2_table_index;
u8 is_add;
};
/* Reply to output_acl_set_interface: result code only. */
define output_acl_set_interface_reply
{
u32 context;
i32 retval; /* result code; assumed 0 on success — confirm against handler */
};
classify get table IDs
/* Request the IDs of all classifier tables. */
define classify_table_ids
{
u32 client_index;
u32 context;
};
/* Reply to classify_table_ids: count bounds the trailing ids array.
 * A receiver should check that count agrees with the message length before
 * indexing ids. */
define classify_table_ids_reply
{
u32 context;
i32 retval; /* result code; assumed 0 on success — confirm against handler */
u32 count;
u32 ids[count];
};
classify table ids by interface index request
/* Request the classifier table IDs attached to one interface. */
define classify_table_by_interface
{
u32 client_index;
u32 context;
u32 sw_if_index;
};
/* Reply to classify_table_by_interface: the L2, IPv4 and IPv6 table IDs for
 * sw_if_index. The value reported for an unattached table is not stated here
 * (presumably ~0, matching the set messages) — confirm. */
define classify_table_by_interface_reply
{
u32 context;
i32 retval; /* result code; assumed 0 on success — confirm against handler */
u32 sw_if_index;
u32 l2_table_id;
u32 ip4_table_id;
u32 ip6_table_id;
};
classify table info
/* Request the parameters and mask of one classifier table. */
define classify_table_info
{
u32 client_index;
u32 context;
u32 table_id;
};
/* Reply to classify_table_info: table parameters as given at creation plus
 * the number of active sessions. mask_length bounds the trailing mask bytes;
 * a receiver should check it against the message length before reading mask. */
define classify_table_info_reply
{
u32 context;
i32 retval; /* result code; assumed 0 on success — confirm against handler */
u32 table_id;
u32 nbuckets;
u32 match_n_vectors;
u32 skip_n_vectors;
u32 active_sessions;
u32 next_table_index;
u32 miss_next_index;
u32 mask_length;
u8 mask[mask_length];
};
classify sessions dump request
/* Request a dump of the sessions in one classifier table; each session is
 * presumably returned as a separate classify_session_details message — confirm. */
define classify_session_dump
{
u32 client_index;
u32 context;
u32 table_id;
};
/* One session of table_id, as set by classify_add_del_session. match_length
 * bounds the trailing match bytes; a receiver should check it against the
 * message length before reading match. */
define classify_session_details
{
u32 context;
i32 retval; /* result code; assumed 0 on success — confirm against handler */
u32 table_id;
u32 hit_next_index;
i32 advance;
u32 opaque_index;
u32 match_length;
u8 match[match_length];
};