Difference between revisions of "VPP/SecurityGroups"

(API)
Line 65: Line 65:
  
 
== API ==
 
== API ==
add or delete classifier table:
+
Add or delete egress IP access list:
define classify_add_del_table
+
{
+
  u32 client_index;
+
  u32 context;
+
  u8 is_add;
+
  u32 table_index;
+
  u32 nbuckets;
+
  u32 memory_size;
+
  u32 skip_n_vectors;
+
  u32 match_n_vectors;
+
  u32 next_table_index;
+
  u32 miss_next_index;
+
  u8 mask[0];
+
};
+
  
define classify_add_del_table_reply
+
define if_acl_add_ip_egress_rule
{
+
        u32 sw_ifindex;
  u32 context;
+
        u8 allow;
  i32 retval;
+
        u8 is_add
  u32 new_table_index;
+
        u8 is_ipv6;
  u32 skip_n_vectors;
+
        u8 src_ip_addr[16];
  u32 match_n_vectors;
+
        u8 src_ip_prefix_len;
};
+
        u8 proto;
 +
        u16 dst_min_port;
 +
        u16 dst_max_port;
 +
}
  
add or delete classifier session:
+
Add or delete ingress IP access list:
define classify_add_del_session
+
{
+
  u32 client_index;
+
  u32 context;
+
  u8 is_add;
+
  u32 table_index;
+
  u32 hit_next_index;
+
  u32 opaque_index;
+
  i32 advance;
+
  u8 match[0];
+
};
+
  
define classify_add_del_session_reply
+
define if_acl_add_ip_ingress_rule
{
+
        u32 sw_ifindex;
  u32 context;
+
        u8 allow;
  i32 retval;
+
        u8 is_add
};
+
        u8 is_ipv6;
 
+
        u8 dst_ip_addr[16];
define classify_set_interface_ip_table
+
        u8 dst_ip_prefix_len;
{
+
        u8 proto;
  u32 client_index;
+
        u16 dst_min_port;
  u32 context;
+
        u16 dst_max_port;
  u8 is_ipv6;
+
}
  u32 sw_if_index;
+
  u32 table_index; /* ~0 => off */
+
};
+
 
+
define classify_set_interface_ip_table_reply
+
{
+
  u32 context;
+
  i32 retval;
+
};
+
 
+
define classify_set_interface_l2_tables
+
{
+
  u32 client_index;
+
  u32 context;
+
  u32 sw_if_index;
+
  /* 3 x ~0 => off */
+
  u32 ip4_table_index;
+
  u32 ip6_table_index;
+
  u32 other_table_index;
+
  u8 is_input;
+
};
+
 
+
define classify_set_interface_l2_tables_reply
+
{
+
  u32 context;
+
  i32 retval;
+
};
+
 
+
apply input ACL to an interface:
+
define input_acl_set_interface
+
{
+
  u32 client_index;
+
  u32 context;
+
  u32 sw_if_index;
+
  u32 ip4_table_index;
+
  u32 ip6_table_index;
+
  u32 l2_table_index;
+
  u8 is_add;
+
};
+
 
+
define input_acl_set_interface_reply
+
{
+
  u32 context;
+
  i32 retval;
+
};
+
 
+
apply an output ACL to an interface:
+
define output_acl_set_interface
+
{
+
  u32 client_index;
+
  u32 context;
+
  u32 sw_if_index;
+
  u32 ip4_table_index;
+
  u32 ip6_table_index;
+
  u32 l2_table_index;
+
  u8 is_add;
+
};
+
 
+
define output_acl_set_interface_reply
+
{
+
  u32 context;
+
  i32 retval;
+
};
+
 
+
classify get table IDs
+
define classify_table_ids
+
{
+
  u32 client_index;
+
  u32 context;
+
};
+
 
+
define classify_table_ids_reply
+
{
+
  u32 context;
+
  i32 retval;
+
  u32 count;
+
  u32 ids[count];
+
};
+
 
+
classify table ids by interface index request
+
define classify_table_by_interface
+
{
+
  u32 client_index;
+
  u32 context;
+
  u32 sw_if_index;
+
};
+
 
+
define classify_table_by_interface_reply
+
{
+
  u32 context;
+
  i32 retval;
+
  u32 sw_if_index;
+
  u32 l2_table_id;
+
  u32 ip4_table_id;
+
  u32 ip6_table_id;
+
};
+
 
+
classify table info
+
define classify_table_info
+
{
+
  u32 client_index;
+
  u32 context;
+
  u32 table_id;
+
};
+
 
+
define classify_table_info_reply
+
{
+
  u32 context;
+
  i32 retval;
+
  u32 table_id;
+
  u32 nbuckets;
+
  u32 match_n_vectors;
+
  u32 skip_n_vectors;
+
  u32 active_sessions;
+
  u32 next_table_index;
+
  u32 miss_next_index;
+
  u32 mask_length;
+
  u8 mask[mask_length];
+
};
+
 
+
classify sessions dump request
+
define classify_session_dump
+
{
+
  u32 client_index;
+
  u32 context;
+
  u32 table_id;
+
};
+
 
+
define classify_session_details
+
{
+
  u32 context;
+
  i32 retval;
+
  u32 table_id;
+
  u32 hit_next_index;
+
  i32 advance;
+
  u32 opaque_index;
+
  u32 match_length;
+
  u8 match[match_length];
+
};
+
  
 
== CLI ==
 
== CLI ==
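Review bot: The `u8 is_add` field in both `if_acl_add_ip_egress_rule` and `if_acl_add_ip_ingress_rule` is missing its terminating semicolon, so neither definition parses as written; it should read `u8 is_add;`. Which column of this wiki diff is the current text is not fully recoverable from the rendering, but the revision rendered below the diff carries the `if_acl_*` messages, so I read those as the new side. Beyond the typo, the messages give a handler nothing to bound its inputs with: `src_ip_prefix_len` / `dst_ip_prefix_len` should be rejected above 32 when `is_ipv6` is 0 and above 128 otherwise, and a request with `dst_min_port > dst_max_port` should be rejected rather than silently matching nothing or everything. These two messages also lack the `client_index` / `context` pair and the `_reply` message that every other definition on the page has, so a control plane cannot learn whether a rule was actually installed; if that omission is deliberate it deserves a sentence saying so.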

Revision as of 11:46, 12 October 2016

VPP Security Groups

Introduction

Features are tracked as they are developed in ticket VPP-427.

Requirements

  • Support classifiers/filters on any interface type (bridged / routed)
  • Filter on IP-addresses with address mask or prefix length (IPv4 and IPv6)
  • Filter on source and destination TCP/UDP port ranges
  • Filter on source and destination L2 MAC addresses
  • Support IPv6 with extension headers present
  • Support fragmented packets and unknown transport layer headers
  • Combinations of the above filters (e.g. MAC + IP)
  • Filters on ingress and egress interfaces
  • Stateful firewall; no application-layer filtering.

Work list

Task Owner Priority Status Description
API definition Ole 0 WIP
Ingress/Egress support for classifier 0
Support for L2/L3 interfaces 0
"Established" behaviour 1
Stateful firewall 1
Port ip_tables_firewall.py from Neutron as unit test 1

API

Add or delete egress IP access list:

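/* Add or delete one egress IP access-list rule on an interface.
 * Egress rules match on the packet's *source* address plus protocol and
 * destination port range. No reply message is defined for this request. */
define if_acl_add_ip_egress_rule
{
  u32 sw_ifindex;        /* interface the rule is attached to */
  u8 allow;              /* verdict for matching packets; presumably non-zero = permit, 0 = deny -- confirm */
  u8 is_add;             /* by name: non-zero adds the rule, zero deletes it -- confirm */
  u8 is_ipv6;            /* address family of src_ip_addr; an IPv4 address presumably occupies the first 4 bytes -- confirm */
  u8 src_ip_addr[16];    /* source address to match */
  u8 src_ip_prefix_len;  /* prefix length applied to src_ip_addr; handler must reject > 32 (v4) / > 128 (v6) */
  u8 proto;              /* IP protocol number to match */
  u16 dst_min_port;      /* inclusive destination port range; only meaningful for port-carrying protocols */
  u16 dst_max_port;      /* handler should reject dst_min_port > dst_max_port */
};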

Add or delete ingress IP access list:

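/* Add or delete one ingress IP access-list rule on an interface.
 * Ingress rules match on the packet's *destination* address plus protocol and
 * destination port range. No reply message is defined for this request. */
define if_acl_add_ip_ingress_rule
{
  u32 sw_ifindex;        /* interface the rule is attached to */
  u8 allow;              /* verdict for matching packets; presumably non-zero = permit, 0 = deny -- confirm */
  u8 is_add;             /* by name: non-zero adds the rule, zero deletes it -- confirm */
  u8 is_ipv6;            /* address family of dst_ip_addr; an IPv4 address presumably occupies the first 4 bytes -- confirm */
  u8 dst_ip_addr[16];    /* destination address to match */
  u8 dst_ip_prefix_len;  /* prefix length applied to dst_ip_addr; handler must reject > 32 (v4) / > 128 (v6) */
  u8 proto;              /* IP protocol number to match */
  u16 dst_min_port;      /* inclusive destination port range; only meaningful for port-carrying protocols */
  u16 dst_max_port;      /* handler should reject dst_min_port > dst_max_port */
};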

CLI

set interface input acl intfc <int> [ip4-table <index>] [ip6-table <index>] [l2-table <index>] [del] 
show inacl type [ip4|ip6|l2]
classify table [miss-next|l2-miss_next|acl-miss-next <next_index>] mask <mask-value> buckets <nn> [skip <n>] [match <n>] [del]
show classify tables [index <nn>]
classify session [hit-next|l2-hit-next|acl-hit-next <next_index>|policer-hit-next <policer_name>] table-index <nn> match [hex] [l2] [l3 ip4] [opaque-index <index>]
test classify [src <ip>] [sessions <nn>] [buckets <nn>] [table <nn>] [del]
set ip classify intfc <int> table-index <index>
set interface ip6 table <intfc> <table-id>
set interface l2 input classify intfc <interface-name> [ip4-table <n>] [ip6-table <n>] [other-table <n>]
set interface l2 output classify intfc <interface-name> [ip4-table <n>] [ip6-table <n>] [other-table <n>]
set ip source-and-port-range-check
show ip source-and-port-range-check vrf <nn> <ip-addr> <port>

Examples

YANG model

Open Issues

  • The Security-Group-specific API (as opposed to the generic classifier API): should it be implemented inside VPP itself or in a control-plane plugin?

References