Difference between revisions of "VPP/SecurityGroups"
From fd.io
Revision as of 12:12, 9 October 2016
VPP Security Groups
Introduction
Features are tracked as they are developed in VPP-427.
Requirements
- Support classifiers/filters on any interface type (bridged / routed)
- Filter on IP-addresses with address mask or prefix length (IPv4 and IPv6)
- Filter on source and destination TCP/UDP port ranges
- Filter on source and destination L2 MAC addresses
- Support IPv6 with extension headers present
- Support fragmented packets and unknown transport layer headers
- Combinations of the above filters (e.g. MAC + IP)
- Filters on ingress and egress interfaces
- Stateful firewall. No application layer filtering.
Work list
Task | Owner | Priority | Status | Description |
---|---|---|---|---|
API definition | Ole | 0 | WIP | |
Ingress/Egress support for classifier | | 0 | | |
Support for L2/L3 interfaces | | 0 | | |
API
add or delete classifier table:

    define classify_add_del_table {
      u32 client_index;
      u32 context;
      u8 is_add;
      u32 table_index;
      u32 nbuckets;
      u32 memory_size;
      u32 skip_n_vectors;
      u32 match_n_vectors;
      u32 next_table_index;
      u32 miss_next_index;
      u8 mask[0];
    };

    define classify_add_del_table_reply {
      u32 context;
      i32 retval;
      u32 new_table_index;
      u32 skip_n_vectors;
      u32 match_n_vectors;
    };

add or delete classifier session:

    define classify_add_del_session {
      u32 client_index;
      u32 context;
      u8 is_add;
      u32 table_index;
      u32 hit_next_index;
      u32 opaque_index;
      i32 advance;
      u8 match[0];
    };

    define classify_add_del_session_reply {
      u32 context;
      i32 retval;
    };

set the IP classify table of an interface:

    define classify_set_interface_ip_table {
      u32 client_index;
      u32 context;
      u8 is_ipv6;
      u32 sw_if_index;
      u32 table_index;   /* ~0 => off */
    };

    define classify_set_interface_ip_table_reply {
      u32 context;
      i32 retval;
    };

set the L2 classify tables of an interface:

    define classify_set_interface_l2_tables {
      u32 client_index;
      u32 context;
      u32 sw_if_index;
      /* 3 x ~0 => off */
      u32 ip4_table_index;
      u32 ip6_table_index;
      u32 other_table_index;
      u8 is_input;
    };

    define classify_set_interface_l2_tables_reply {
      u32 context;
      i32 retval;
    };

apply an input ACL to an interface:

    define input_acl_set_interface {
      u32 client_index;
      u32 context;
      u32 sw_if_index;
      u32 ip4_table_index;
      u32 ip6_table_index;
      u32 l2_table_index;
      u8 is_add;
    };

    define input_acl_set_interface_reply {
      u32 context;
      i32 retval;
    };

apply an output ACL to an interface:

    define output_acl_set_interface {
      u32 client_index;
      u32 context;
      u32 sw_if_index;
      u32 ip4_table_index;
      u32 ip6_table_index;
      u32 l2_table_index;
      u8 is_add;
    };

    define output_acl_set_interface_reply {
      u32 context;
      i32 retval;
    };

get classify table IDs:

    define classify_table_ids {
      u32 client_index;
      u32 context;
    };

    define classify_table_ids_reply {
      u32 context;
      i32 retval;
      u32 count;
      u32 ids[count];
    };

classify table IDs by interface index:

    define classify_table_by_interface {
      u32 client_index;
      u32 context;
      u32 sw_if_index;
    };

    define classify_table_by_interface_reply {
      u32 context;
      i32 retval;
      u32 sw_if_index;
      u32 l2_table_id;
      u32 ip4_table_id;
      u32 ip6_table_id;
    };

classify table info:

    define classify_table_info {
      u32 client_index;
      u32 context;
      u32 table_id;
    };

    define classify_table_info_reply {
      u32 context;
      i32 retval;
      u32 table_id;
      u32 nbuckets;
      u32 match_n_vectors;
      u32 skip_n_vectors;
      u32 active_sessions;
      u32 next_table_index;
      u32 miss_next_index;
      u32 mask_length;
      u8 mask[mask_length];
    };

classify sessions dump:

    define classify_session_dump {
      u32 client_index;
      u32 context;
      u32 table_id;
    };

    define classify_session_details {
      u32 context;
      i32 retval;
      u32 table_id;
      u32 hit_next_index;
      i32 advance;
      u32 opaque_index;
      u32 match_length;
      u8 match[match_length];
    };
CLI
set interface input acl intfc <int> [ip4-table <index>] [ip6-table <index>] [l2-table <index>] [del]
show inacl type [ip4|ip6|l2]
classify table [miss-next|l2-miss_next|acl-miss-next <next_index>] mask <mask-value> buckets <nn> [skip <n>] [match <n>] [del]
show classify tables [index <nn>]
classify session [hit-next|l2-hit-next|acl-hit-next <next_index>|policer-hit-next <policer_name>] table-index <nn> match [hex] [l2] [l3 ip4] [opaque-index <index>]
test classify [src <ip>] [sessions <nn>] [buckets <nn>] [table <nn>] [del]
set ip classify intfc <int> table-index <index>
set interface ip6 table <intfc> <table-id>
set interface l2 input classify intfc <interface-name> [ip4-table <n>] [ip6-table <n>] [other-table <n>]
set interface l2 output classify intfc <interface-name> [ip4-table <n>] [ip6-table <n>] [other-table <n>]
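To make the skip_n_vectors, match_n_vectors and mask fields of classify_add_del_table, the match bytes of classify_add_del_session, and the corresponding skip/match/mask arguments of the classify table and classify session CLI commands concrete, here is an added Python example that is not code from this wiki page or from VPP itself: it builds those vectors for a filter on IPv4 source address plus TCP/UDP destination port and emulates the table lookup. It assumes the classifier's 16-byte vector semantics (leading all-zero vectors are skipped, the next match_n_vectors vectors are ANDed with the mask and compared to the session key) and an untagged Ethernet / IPv4-without-options frame as seen by an L2 table; the FIELDS offsets are that assumption.

```python
from typing import Dict, Tuple

VECTOR = 16  # the classifier compares packets in 16-byte vectors (u32x4)

# (offset, length) of fields in an untagged Ethernet/IPv4(no options)/TCP frame;
# this layout is an assumption of the example, as seen by an L2 classify table.
FIELDS: Dict[str, Tuple[int, int]] = {
    "eth_dst": (0, 6), "eth_src": (6, 6), "ip4_proto": (23, 1),
    "ip4_src": (26, 4), "ip4_dst": (30, 4),
    "l4_sport": (34, 2), "l4_dport": (36, 2),
}

def _layout(values: Dict[str, bytes]) -> bytes:
    """Place field bytes at their packet offsets, zero-padded to whole vectors."""
    end = max(FIELDS[n][0] + FIELDS[n][1] for n in values)
    buf = bytearray(-(-end // VECTOR) * VECTOR)   # round up to a vector multiple
    for name, data in values.items():
        off, ln = FIELDS[name]
        assert len(data) == ln, f"{name} needs {ln} bytes"
        buf[off:off + ln] = data
    return bytes(buf)

def table_params(names) -> Tuple[int, int, bytes]:
    """skip_n_vectors, match_n_vectors and mask for classify_add_del_table."""
    m = _layout({n: b"\xff" * FIELDS[n][1] for n in names})
    vecs = [m[i:i + VECTOR] for i in range(0, len(m), VECTOR)]
    skip = 0
    while not any(vecs[skip]):      # leading all-zero vectors are skipped, not stored
        skip += 1
    return skip, len(vecs) - skip, b"".join(vecs[skip:])

def session_match(names, values: Dict[str, bytes]) -> bytes:
    """match bytes for classify_add_del_session in that table (post-skip window)."""
    skip, match_n, mask = table_params(names)
    start, stop = skip * VECTOR, (skip + match_n) * VECTOR
    key = _layout(values)[start:stop].ljust(stop - start, b"\x00")
    return bytes(k & m for k, m in zip(key, mask))   # keep only masked bits

def classify(packet: bytes, skip: int, match_n: int, mask: bytes, match: bytes) -> bool:
    """Emulate a table lookup: AND the post-skip vectors with mask, compare to match."""
    start, stop = skip * VECTOR, (skip + match_n) * VECTOR
    if len(packet) < stop:          # too short to cover the match window: miss
        return False
    return bytes(p & m for p, m in zip(packet[start:stop], mask)) == match
```

For ip4_src plus l4_dport the first vector (bytes 0-15) is all zero, so the table needs skip 1 and match 2, and both the mask and every session key are 32 bytes long.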