Tunnel Termination ACL VPP Plugin #114
Conversation
There was a problem hiding this comment.
If not already done, can you use the plugin source code within vpp and run the following to make sure all the code is validated against vpp guidelines:
make checkstyle
make checkstyle-api
make chekcstyle-python
The code may have to committed in local branch for the scripts to work.
|
|
||
| It is currently designed to support a single specific use-case: | ||
|
|
||
| IPv4 VxLAN tunnel termination and classification based on inner DST IPv4/6 fields, followed by a redirect action using ip4/6-rewrite. |
There was a problem hiding this comment.
Is there any limitation on the redirect action (redirect to NH IP only, IP has to be in default VRF, etc)? If yes, let's put them here.
There was a problem hiding this comment.
Clarified that this is a redirect via a VPP Fib path (as declared in the API using vl_api_fib_path_t)
|
|
||
| if (is_ipv6) { | ||
| for (int i = 0; i < 16; i++) { | ||
| mask[8 + i + skip * CLASSIFY_TABLE_VECTOR_SIZE] = dst.ip6.as_u8[i]; |
There was a problem hiding this comment.
Define an constant for offset 8 and use it also when you initialize the mask. Can you also put in a comment there indicating why we need to put IPv6 address at this offset instead of starting at 0.
There was a problem hiding this comment.
Removed in latest commit (no longer offset, masking directly from start of DIP)
| } | ||
| } else { | ||
| for (int i = 0; i < 4; i++) { | ||
| mask[i + skip * CLASSIFY_TABLE_VECTOR_SIZE] = dst.ip4.data[i]; |
There was a problem hiding this comment.
why are we using skip to increase the offset?
There was a problem hiding this comment.
Removed in latest commit (no longer skipping vectors, masking directly from start of DIP)
|
|
||
| if (ethertype == 0x86DD) { | ||
| table_index = tunterm_acl_main.classify_table_index_by_sw_if_index_v6[sw_if_index0]; | ||
| } else if (ethertype == 0x0800) { |
There was a problem hiding this comment.
Do we have a usecase where the inner L2 payload may have vlans? If we do, we may need additional parsing to skip the VLAN headers.
There was a problem hiding this comment.
Added support for vlan tagged inner packet along with testing.
- Classify relative to start of inner DIP - Support inner vlan tag + add testing - Formatting of test and src code
Overview:
This PR introduces a custom VPP plugin named
tunterm_aclinto Sonic-VPP. This plugin provides the required dataplane ACL functionality to support Smart Switch HA. In particular, it allows v4-vxlan decap'ed packets to be redirected based on their inner DST IP.Changes:
tunterm_aclplugin source code (including tests and docs) underplatform/vpp/vppbld/plugins/vppbldMakefile to allow for custom plugins to be copied to & built with VPPtunterm_aclplugin in thestartup.conffilesvpp.patchfile to exportvxlan_mainPlugin:
Details of the
tunterm_aclplugin implementation can be found in the README.rst file.