Difference between revisions of "VPP/SecurityGroups"
From fd.io
< VPP
(→API) |
(→API) |
||
| Line 47: | Line 47: | ||
== API == | == API == | ||
add or delete classifier table: | add or delete classifier table: | ||
| − | define classify_add_del_table | + | define classify_add_del_table |
| − | { | + | { |
u32 client_index; | u32 client_index; | ||
u32 context; | u32 context; | ||
| Line 60: | Line 60: | ||
u32 miss_next_index; | u32 miss_next_index; | ||
u8 mask[0]; | u8 mask[0]; | ||
| − | }; | + | }; |
| − | define classify_add_del_table_reply | + | define classify_add_del_table_reply |
| − | { | + | { |
u32 context; | u32 context; | ||
i32 retval; | i32 retval; | ||
| Line 69: | Line 69: | ||
u32 skip_n_vectors; | u32 skip_n_vectors; | ||
u32 match_n_vectors; | u32 match_n_vectors; | ||
| − | }; | + | }; |
add or delete classifier session: | add or delete classifier session: | ||
| − | define classify_add_del_session | + | define classify_add_del_session |
| − | { | + | { |
u32 client_index; | u32 client_index; | ||
u32 context; | u32 context; | ||
| Line 82: | Line 82: | ||
i32 advance; | i32 advance; | ||
u8 match[0]; | u8 match[0]; | ||
| − | }; | + | }; |
| − | define classify_add_del_session_reply | + | define classify_add_del_session_reply |
| − | { | + | { |
u32 context; | u32 context; | ||
i32 retval; | i32 retval; | ||
| − | }; | + | }; |
| − | define classify_set_interface_ip_table | + | define classify_set_interface_ip_table |
| − | { | + | { |
u32 client_index; | u32 client_index; | ||
u32 context; | u32 context; | ||
| Line 97: | Line 97: | ||
u32 sw_if_index; | u32 sw_if_index; | ||
u32 table_index; /* ~0 => off */ | u32 table_index; /* ~0 => off */ | ||
| − | }; | + | }; |
| − | define classify_set_interface_ip_table_reply | + | define classify_set_interface_ip_table_reply |
| − | { | + | { |
u32 context; | u32 context; | ||
i32 retval; | i32 retval; | ||
| − | }; | + | }; |
| − | define classify_set_interface_l2_tables | + | define classify_set_interface_l2_tables |
| − | { | + | { |
u32 client_index; | u32 client_index; | ||
u32 context; | u32 context; | ||
| Line 115: | Line 115: | ||
u32 other_table_index; | u32 other_table_index; | ||
u8 is_input; | u8 is_input; | ||
| − | }; | + | }; |
| − | define classify_set_interface_l2_tables_reply | + | define classify_set_interface_l2_tables_reply |
| − | { | + | { |
u32 context; | u32 context; | ||
i32 retval; | i32 retval; | ||
| − | }; | + | }; |
| − | define input_acl_set_interface | + | apply input ACL to an interface: |
| − | { | + | define input_acl_set_interface |
| + | { | ||
u32 client_index; | u32 client_index; | ||
u32 context; | u32 context; | ||
| Line 132: | Line 133: | ||
u32 l2_table_index; | u32 l2_table_index; | ||
u8 is_add; | u8 is_add; | ||
| − | }; | + | }; |
| − | define input_acl_set_interface_reply | + | define input_acl_set_interface_reply |
| − | { | + | { |
u32 context; | u32 context; | ||
i32 retval; | i32 retval; | ||
| − | }; | + | }; |
| − | define output_acl_set_interface | + | apply an output ACL to an interface: |
| − | { | + | define output_acl_set_interface |
| + | { | ||
u32 client_index; | u32 client_index; | ||
u32 context; | u32 context; | ||
| Line 149: | Line 151: | ||
u32 l2_table_index; | u32 l2_table_index; | ||
u8 is_add; | u8 is_add; | ||
| − | }; | + | }; |
| − | define output_acl_set_interface_reply | + | define output_acl_set_interface_reply |
| − | { | + | { |
u32 context; | u32 context; | ||
i32 retval; | i32 retval; | ||
| − | }; | + | }; |
== CLI == | == CLI == | ||
Revision as of 11:41, 9 October 2016
Contents
VPP Security Groups
Introduction
Features are tracked as they are developed in the following VPP-427.
Requirements
- Support classifiers/filters on L2/bridging interfaces
- Filter on IP-addresses with address mask (IPv4 and IPv6)
- Filter on L4 port ranges
- Filter on L2 MAC addresses
- Support IPv6 with extension headers present
- Combinations of the above filters (e.g. MAC + IP)
- Filters on ingress and egress
Work list
| Task | Owner | Priority | Status | Description |
|---|---|---|---|---|
| API definition | Ole | 0 | WIP | |
| Ingress/Egress support for classifier | 0 | |||
| Support for L2/L3 interfaces | 0 |
API
add or delete classifier table:
define classify_add_del_table
{
u32 client_index;
u32 context;
u8 is_add;
u32 table_index;
u32 nbuckets;
u32 memory_size;
u32 skip_n_vectors;
u32 match_n_vectors;
u32 next_table_index;
u32 miss_next_index;
u8 mask[0];
};
define classify_add_del_table_reply
{
u32 context;
i32 retval;
u32 new_table_index;
u32 skip_n_vectors;
u32 match_n_vectors;
};
add or delete classifier session:
define classify_add_del_session
{
u32 client_index;
u32 context;
u8 is_add;
u32 table_index;
u32 hit_next_index;
u32 opaque_index;
i32 advance;
u8 match[0];
};
define classify_add_del_session_reply
{
u32 context;
i32 retval;
};
define classify_set_interface_ip_table
{
u32 client_index;
u32 context;
u8 is_ipv6;
u32 sw_if_index;
u32 table_index; /* ~0 => off */
};
define classify_set_interface_ip_table_reply
{
u32 context;
i32 retval;
};
define classify_set_interface_l2_tables
{
u32 client_index;
u32 context;
u32 sw_if_index;
/* 3 x ~0 => off */
u32 ip4_table_index;
u32 ip6_table_index;
u32 other_table_index;
u8 is_input;
};
define classify_set_interface_l2_tables_reply
{
u32 context;
i32 retval;
};
apply input ACL to an interface:
define input_acl_set_interface
{
u32 client_index;
u32 context;
u32 sw_if_index;
u32 ip4_table_index;
u32 ip6_table_index;
u32 l2_table_index;
u8 is_add;
};
define input_acl_set_interface_reply
{
u32 context;
i32 retval;
};
apply an output ACL to an interface:
define output_acl_set_interface
{
u32 client_index;
u32 context;
u32 sw_if_index;
u32 ip4_table_index;
u32 ip6_table_index;
u32 l2_table_index;
u8 is_add;
};
define output_acl_set_interface_reply
{
u32 context;
i32 retval;
};
