- Improvement
- Resolution: Done
- Medium
Policy-based routing (PBR) is applied to incoming packets, and VPP's input ACL feature can be used to classify traffic and redirect it to a pre-defined VRF. In particular, this feature can be applied to the L3 input ACL.
- Classify API change: add PBR-related parameters so that the fib index can be updated for traffic redirection inside VPP's input ACL node.
define classify_add_del_session
  @param action -
    0: no action (by default); metadata is not used.
    1: classified IP packets will be looked up in the specified ipv4 fib table (configured by metadata as a VRF id). Only valid for the L3 input ACL node.
    2: classified IP packets will be looked up in the specified ipv6 fib table (configured by metadata as a VRF id). Only valid for the L3 input ACL node.
  @param metadata - valid only if action != 0; the VRF id if action is 1 or 2.
@@ -1736,6 +1759,8 @@ define classify_add_del_session
u32 hit_next_index;
u32 opaque_index;
i32 advance;
+ u8 action;
+ u32 metadata;
u8 match[0];
};
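Review bot: the new action/metadata fields need validation in the API handler, and the doc comment should say what happens on bad input: an action value other than 0, 1 or 2, or a metadata VRF id for which no ipv4/ipv6 fib table of the right family exists, should make the session add fail with an error rather than install a session the input ACL node cannot act on. Since the node needs a fib index while the API carries a VRF id, resolving the VRF id to a fib index once at session-add time (and rejecting unknown VRFs there) keeps that work out of the data path. Also note that inserting `u8 action;` and `u32 metadata;` before the trailing `u8 match[0];` changes the wire layout of the message, so every existing binary API client of classify_add_del_session has to be regenerated.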
Here's how it works:
Ingress packets are punted to the input ACL node, where traffic is classified based on n-tuple keys. If no matching session is found in the classify tables, the packet is passed to the lookup node for normal routing. If a classify session is hit in one of the classify tables, sw_if_index is updated according to the action field of the session entry. This action parameter is configured when the control plane calls the classify session creation API. If action is VRF_SET (1 or 2), the user-defined VRF id is used for the destination IP lookup in the lookup node.
Additionally, the current classify API needs to be expanded to provide an easy and quick way to locate the current node's packet pointer.
define classify_add_del_table
  @param current_data_flag - option to use the current node's packet payload as the starting point from which packets are classified. This option is only valid for the L2/L3 input ACL for now.
    0: by default, classify data from the buffer's start location.
    1: classify packets from the VPP node's current data pointer.
  @param current_data_offset - a signed value that shifts the start location of the packet to be classified. For example, if the input IP ACL node is used, the first byte of the L2 header can be reached by configuring current_data_offset to -14. Valid only if current_data_flag is set to 1.
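The two mechanisms described above (the action/metadata redirect performed by the L3 input ACL node, and the current_data_flag/current_data_offset choice of where classification starts) are modelled below in a small stand-alone C program. It is an added example, not VPP code: the session and buffer structs, the VRF-id-to-fib-index tables, and the rule that an ipv4 action is ignored in the ipv6 node (and vice versa) are all assumptions made for the illustration; the sample Ethernet+IPv4 frame is constructed. Its value is in the checks a practitioner wants: the session add rejects unknown actions and unknown VRF ids, and the classify start is refused when the offset would leave the packet bytes.

```c
#include <assert.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* action values as documented for classify_add_del_session */
enum {
    CLASSIFY_ACTION_NONE = 0,
    CLASSIFY_ACTION_SET_IP4_FIB = 1,
    CLASSIFY_ACTION_SET_IP6_FIB = 2,
};

#define FIB_INDEX_INVALID UINT32_MAX
#define MAX_VRFS 8

/* Hypothetical VRF id -> fib index tables, standing in for VPP's fib table lookup. */
static const uint32_t ip4_fib_index_by_vrf[MAX_VRFS] = { 0, 11, 12, 13, 14, 15, 16, 17 };
static const uint32_t ip6_fib_index_by_vrf[MAX_VRFS] = { 0, 21, 22, 23, 24, 25, 26, 27 };

/* Hypothetical model of a classify session: the two fields the API change adds,
 * plus the fib index resolved from the VRF id when the session is created. */
typedef struct {
    uint8_t  action;
    uint32_t metadata;   /* VRF id as passed by the control plane */
    uint32_t fib_index;  /* resolved at add time, so the node never maps VRF ids */
} pbr_session_t;

/* Validates and installs a session. Returns 0 on success, -1 if the action
 * is unknown or the VRF id has no table of the requested address family. */
int pbr_session_add(pbr_session_t *s, uint8_t action, uint32_t vrf_id)
{
    memset(s, 0, sizeof(*s));
    s->action = action;
    s->metadata = vrf_id;
    switch (action) {
    case CLASSIFY_ACTION_NONE:
        s->fib_index = FIB_INDEX_INVALID;   /* metadata is not used */
        return 0;
    case CLASSIFY_ACTION_SET_IP4_FIB:
        if (vrf_id >= MAX_VRFS) return -1;  /* unknown VRF: reject the session */
        s->fib_index = ip4_fib_index_by_vrf[vrf_id];
        return 0;
    case CLASSIFY_ACTION_SET_IP6_FIB:
        if (vrf_id >= MAX_VRFS) return -1;
        s->fib_index = ip6_fib_index_by_vrf[vrf_id];
        return 0;
    default:
        return -1;                          /* action outside 0..2 */
    }
}

/* fib index the lookup node should use after the input ACL node ran.
 * hit is NULL on a classify miss. is_ip6 says which L3 input ACL node we are in;
 * assumption: an action for the other address family leaves the fib unchanged. */
uint32_t pbr_select_fib(const pbr_session_t *hit, int is_ip6, uint32_t default_fib)
{
    if (hit == NULL || hit->action == CLASSIFY_ACTION_NONE)
        return default_fib;                 /* miss or no action: normal routing */
    if (hit->action == CLASSIFY_ACTION_SET_IP4_FIB && !is_ip6)
        return hit->fib_index;
    if (hit->action == CLASSIFY_ACTION_SET_IP6_FIB && is_ip6)
        return hit->fib_index;
    return default_fib;
}

/* Adds a session and runs one packet through it; the interface fib is 0. */
uint32_t demo_redirect(uint8_t action, uint32_t vrf_id, int is_ip6)
{
    pbr_session_t s;
    if (pbr_session_add(&s, action, vrf_id) != 0)
        return FIB_INDEX_INVALID;           /* the API would have rejected it */
    return pbr_select_fib(&s, is_ip6, 0);
}

/* Minimal model of a vlib buffer. */
typedef struct {
    uint8_t  data[128];
    int16_t  current_data;    /* where the current node's payload starts */
    uint16_t current_length;  /* bytes available from current_data */
} vbuf_t;

/* Offset from data[0] at which classification starts for a table, following the
 * current_data_flag / current_data_offset semantics. Returns -1 when flag is 1
 * and the shifted start falls outside the valid packet bytes. */
int classify_start_offset(const vbuf_t *b, uint8_t current_data_flag, int16_t current_data_offset)
{
    if (current_data_flag == 0)
        return 0;                           /* default: the buffer's start */
    int32_t start = (int32_t)b->current_data + current_data_offset;
    int32_t end = (int32_t)b->current_data + b->current_length;
    if (start < 0 || start >= end)
        return -1;
    return (int)start;
}

/* Constructed sample: 14-byte Ethernet header + 20-byte IPv4 header, as seen by
 * the IPv4 input ACL node after ethernet-input advanced current_data by 14. */
void build_sample_frame(vbuf_t *b)
{
    static const uint8_t eth[14] = { 0x02,0,0,0,0,0x01, 0x02,0,0,0,0,0x02, 0x08,0x00 };
    static const uint8_t ip4[20] = { 0x45,0,0,20, 0,0,0x40,0, 64,17,0,0, 10,0,0,1, 10,0,0,2 };
    memset(b, 0, sizeof(*b));
    memcpy(b->data, eth, sizeof eth);
    memcpy(b->data + sizeof eth, ip4, sizeof ip4);
    b->current_data = 14;
    b->current_length = 20;
}

int sample_classify_start(uint8_t flag, int16_t offset)
{
    vbuf_t b;
    build_sample_frame(&b);
    return classify_start_offset(&b, flag, offset);
}

int main(void)
{
    printf("ipv4 packet, action 1, vrf 2 -> fib index %u\n", demo_redirect(1, 2, 0));
    printf("flag 1, offset -14 -> classify from byte %d (L2 header)\n", sample_classify_start(1, -14));
    return 0;
}
```

With flag 1 and offset -14 the IPv4 input ACL node classifies from the Ethernet destination address, which is the case the doc comment describes; an offset of -15 on the same frame is refused because it would read before the buffer.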
@@ -1698,6 +1708,8 @@ define classify_add_del_table
u32 match_n_vectors;
u32 next_table_index;
u32 miss_next_index;
+ u8 current_data_flag;
+ i16 current_data_offset;
u8 mask[0];
};
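Review bot: `current_data_offset` is applied relative to the node's current data pointer with no stated bound, so a negative value larger than what the node has actually advanced (the doc's -14 example only holds once an Ethernet header has been consumed), or a positive value past the payload, would move the classify start outside the packet. The table-add handler should reject `current_data_flag` values other than 0 and 1, and the classify path should check that current_data plus `current_data_offset` stays within the buffer's valid bytes before hashing the match vectors. As with the session message, the two inserted fields sit before the trailing `u8 mask[0];`, so the message layout changes and existing clients of classify_add_del_table must be regenerated.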