VPP/SecurityGroups
From fd.io
Contents
VPP Security Groups
Introduction
Features are tracked as they are developed in the following VPP-427.
Requirements
- Support classifiers/filters on any interface type (bridged / routed)
- Filter on IP-addresses with address mask or prefix length (IPv4 and IPv6)
- Filter on source and destination TCP/UDP port ranges
- Filter on source and destination L2 MAC addresses
- Support IPv6 with extension headers present
- Support fragmented packets and unknown transport layer headers
- Combinations of the above filters (e.g. MAC + IP)
- Filters on ingress and egress interfaces
- Stateful firewall. No application layer filtering.
Work list
| Task | Owner | Priority | Status | Description |
|---|---|---|---|---|
| API definition | Ole | 0 | WIP | |
| Ingress/Egress support for classifier | 0 | |||
| Support for L2/L3 interfaces | 0 |
API
add or delete classifier table:
define classify_add_del_table
{
u32 client_index;
u32 context;
u8 is_add;
u32 table_index;
u32 nbuckets;
u32 memory_size;
u32 skip_n_vectors;
u32 match_n_vectors;
u32 next_table_index;
u32 miss_next_index;
u8 mask[0];
};
define classify_add_del_table_reply
{
u32 context;
i32 retval;
u32 new_table_index;
u32 skip_n_vectors;
u32 match_n_vectors;
};
add or delete classifier session:
define classify_add_del_session
{
u32 client_index;
u32 context;
u8 is_add;
u32 table_index;
u32 hit_next_index;
u32 opaque_index;
i32 advance;
u8 match[0];
};
define classify_add_del_session_reply
{
u32 context;
i32 retval;
};
define classify_set_interface_ip_table
{
u32 client_index;
u32 context;
u8 is_ipv6;
u32 sw_if_index;
u32 table_index; /* ~0 => off */
};
define classify_set_interface_ip_table_reply
{
u32 context;
i32 retval;
};
define classify_set_interface_l2_tables
{
u32 client_index;
u32 context;
u32 sw_if_index;
/* 3 x ~0 => off */
u32 ip4_table_index;
u32 ip6_table_index;
u32 other_table_index;
u8 is_input;
};
define classify_set_interface_l2_tables_reply
{
u32 context;
i32 retval;
};
apply input ACL to an interface:
define input_acl_set_interface
{
u32 client_index;
u32 context;
u32 sw_if_index;
u32 ip4_table_index;
u32 ip6_table_index;
u32 l2_table_index;
u8 is_add;
};
define input_acl_set_interface_reply
{
u32 context;
i32 retval;
};
apply an output ACL to an interface:
define output_acl_set_interface
{
u32 client_index;
u32 context;
u32 sw_if_index;
u32 ip4_table_index;
u32 ip6_table_index;
u32 l2_table_index;
u8 is_add;
};
define output_acl_set_interface_reply
{
u32 context;
i32 retval;
};
classify get table IDs
define classify_table_ids
{
u32 client_index;
u32 context;
};
define classify_table_ids_reply
{
u32 context;
i32 retval;
u32 count;
u32 ids[count];
};
classify table ids by interface index request
define classify_table_by_interface
{
u32 client_index;
u32 context;
u32 sw_if_index;
};
define classify_table_by_interface_reply
{
u32 context;
i32 retval;
u32 sw_if_index;
u32 l2_table_id;
u32 ip4_table_id;
u32 ip6_table_id;
};
classify table info
define classify_table_info
{
u32 client_index;
u32 context;
u32 table_id;
};
define classify_table_info_reply
{
u32 context;
i32 retval;
u32 table_id;
u32 nbuckets;
u32 match_n_vectors;
u32 skip_n_vectors;
u32 active_sessions;
u32 next_table_index;
u32 miss_next_index;
u32 mask_length;
u8 mask[mask_length];
};
classify sessions dump request
define classify_session_dump
{
u32 client_index;
u32 context;
u32 table_id;
};
define classify_session_details
{
u32 context;
i32 retval;
u32 table_id;
u32 hit_next_index;
i32 advance;
u32 opaque_index;
u32 match_length;
u8 match[match_length];
};
