learning:vpp/classify(2)

Time: 2023-02-19 12:21:05

The classify table CLI explained

classify table [miss-next|l2-miss_next|acl-miss-next <next_index>]
 mask <mask-value> buckets <nn> [skip <n>] [match <n>]
 [current-data-flag <n>] [current-data-offset <n>] [table <n>]
 [memory-size <nn>[M][G]] [next-table <n>]
 [del] [del-chain]

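As shown in the figure below, the command allocates the table structure from the table memory pool, allocates the space for the buckets on main_heap, and maps system memory for the space that holds the match rules configured by classify sessions. This works the same way as bihash.

The individual parts are explained below.

1. classify miss handling. Only one of the three options can be chosen. The value is the slot id, within the current classify node, of the next node that a packet is sent to when the classify lookup misses. As I understand it, three kinds of processing are supported:

l2: the L2 forwarding path; the corresponding node is l2-input-classify.
l3: the L3 forwarding path, with separate nodes for IPv4 and IPv6: ip4-classify and ip6-classify.
acl: the ACL function, which supports both L2 and L3 forwarding. For L2 forwarding the nodes are l2-input-acl and l2-output-acl; for L3 forwarding they are ip4-inacl, ip4-outacl, ip6-inacl and ip6-outacl.

miss-next is mainly configured for the L3 processing path:

# L3 processing path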
miss-next  [ip4-node <node name>] | [ip6-node <node name>]
| drop | local | rewrite | <slot id>

l2-miss_next mainly handles the L2 forwarding path.

l2-miss_next drop | ethernet-input | ip4-input | <slot id> |
[input-node <node name> | output-node <node name>]

acl-miss-next is used when ACL is enabled.

acl-miss-next deny | permit | <slot id> |
[ip4-node <node name>] | [ip6-node <node name>]

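2. mask: which bits are matched, that is, which bits are filtered on. It sets which fields of the packet this table uses for filtering; the mask is organized in groups of 16 bytes. It can be given either as a hex string or by naming packet fields. Both forms are described below.

# Match on the IP version and protocol fields of the packet.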
mask hex 0000000000000000000000000000FF0000000000000000FF
                                     |                 |
 ip                                 version       protocol

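mask l2: the mask length is determined by the VLAN and QinQ frame formats.

mask l2 src     | dst     | proto    | tag1 | tag2 | ignore-tag1 |
#       src MAC | dst MAC | eth type | VLAN tags   | ignore VLAN
ignore-tag2 | cos1 | cos2   | dot1q        | dot1ad        |
#           | priority value | one VLAN tag | two VLAN tags |

ignore-tag1 (18 bytes) and ignore-tag2 (22 bytes) are used only to determine the length of the L2 header; the tag contents themselves are not matched.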

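Fields that mask l3 can match:

# Fields that can be matched in an IPv4 packet
mask l3 ip4 version [hdr_length] [src/<prefix_len>] [dst/<prefix_len>]
[src|src_address] [dst|dst_address] [tos] [length] [fragment_id] [ttl]
 [proto|protocol] [checksum]
# Fields that can be matched in an IPv6 packet
mask l3 ip6 [version] [traffic-class] [flow-label]
[src|src_address] [dst|dst_address] [payload_length]
[hop_limit] [proto|protocol]

Fields that mask l4 can match:

mask l4 [ [tcp | udp] [src_port | dst_port] ] | [src_port | dst_port]

Note that l4 cannot be matched on its own; the l3 part must also be specified. I believe this is because the mask length could not otherwise be determined, since IPv4 and IPv6 headers have different lengths.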

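3. Other parameters:

buckets: the maximum number of buckets. The default is 2; the user has to choose a suitable value according to the number of match rules to be supported.
[memory-size <nn>[M][G]]: the size of the mheap in the classify table structure. The default is 2M; the user has to choose a suitable value according to the number of match rules.

The hash handling here is equivalent to bihash. Because classify entries do not have a fixed size, bihash cannot be used directly.

skip: the number of all-zero groups at the start of the mask that are skipped (one group is 16 bytes).
match: the number of valid groups in the mask (one group is 16 bytes).
current-data-flag: indicates that the header used for filtering is taken from the vlib_buffer's current_data position plus current-data-offset.
current-data-offset: used together with current-data-flag, as the following code shows: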

/* Check whether current_data_flag is set to find where the header used for classify matching starts. */
if (t[0]->current_data_flag == CLASSIFY_FLAG_USE_CURR_DATA)
{
    /* The header used for filtering is taken from the vlib_buffer's current_data plus current-data-offset. */
    h[0] = (void *) vlib_buffer_get_current (b[0]) + t[0]->current_data_offset;
}
else
{
    /* The header used for filtering is taken from the start of the original packet data. */
    h[0] = b[0]->data;
}
/* Compute the hash. */
hash[0] = vnet_classify_hash_packet_inline (t[0], (u8 *) h[0]);
/* Look up whether the packet hits an entry in the classify table. */
e[0] = vnet_classify_find_entry_inline (t[0], (u8 *) h[0], hash[0], now);

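table: the table index. Leave it out when creating a new table; specify it only when updating an existing table. The only update supported is setting the next table index when several tables are chained.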
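How skip and match follow from a mask, as an added example (not VPP code): it models the 16-byte grouping described above and reproduces the "skip 0 match 2" and the padded 32-byte mask that "show classify tables" prints for this page's mask. The helper names and the destination-port mask are assumptions made for illustration.

```python
VEC = 16  # the classifier compares packets in 16-byte groups


def mask_from_fields(fields):
    """Build a raw mask from {byte offset from start of frame: bit mask}."""
    mask = bytearray(max(fields) + 1)
    for offset, bits in fields.items():
        mask[offset] = bits
    return bytes(mask)


def skip_match(mask):
    """Return (skip, match, stored mask) for a raw mask byte string."""
    first = next((i for i, b in enumerate(mask) if b), None)
    if first is None:
        raise ValueError("mask selects no bits")
    skip = first // VEC                   # leading all-zero groups are skipped
    body = mask[skip * VEC:]
    body += bytes(-len(body) % VEC)       # pad the tail to a whole group
    while body[-VEC:] == bytes(VEC):      # trailing all-zero groups are not counted
        body = body[:-VEC]
    return skip, len(body) // VEC, body


# The page's mask: IP version/IHL byte (offset 14) and IP protocol byte
# (offset 23) of an untagged Ethernet frame.
PAGE_MASK = mask_from_fields({14: 0xFF, 23: 0xFF})

# Constructed for illustration: L4 destination port of an untagged IPv4
# frame whose IP header has no options (14 + 20 + 2 = offset 36).
DPORT_MASK = mask_from_fields({36: 0xFF, 37: 0xFF})

if __name__ == "__main__":
    for name, raw in (("page", PAGE_MASK), ("dport", DPORT_MASK)):
        skip, match, stored = skip_match(raw)
        print(f"{name}: mask hex {raw.hex()}")
        print(f"  skip {skip} match {match} stored {stored.hex()}")
```
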

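l2 classify ACL test

1. Basic VPP configuration

On vpp2, interface GigabitEthernetb/0/0 is directly connected to the kernel interface ens33. On vpp2 we create the L2 bridge-domain 13 and a loopback interface, then add loop0 and GigabitEthernetb/0/0 to the bridge domain. This gives us an L2 forwarding path.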

# vpp2 configuration
# Create the L2 bridge domain BD 13
create bridge-domain 13 learn 1 forward 1 uu-flood 1 flood 1 arp-term 1
#
set interface state GigabitEthernetb/0/0 up
set interface l2 bridge GigabitEthernetb/0/0 13
# Create the loopback interface
loopback create mac 11:22:33:44:55:66
# Add the loopback interface to the bridge domain and make it the BVI interface
set interface l2 bridge loop0 13 bvi
# Configure the IP address of the loopback interface
set interface ip table loop0 0
set interface state loop0 up
set interface ip addr loop0 192.168.3.1/24
# Interface configuration as shown on vpp2:
learning_vpp2# show interface addr                 
GigabitEthernetb/0/0 (up):
  L2 bridge bd-id 13 idx 1 shg 0  
local0 (dn):
loop0 (up):
  L2 bridge bd-id 13 idx 1 shg 0 bvi
  L3 192.168.3.1/24
# Kernel interface ens33 is directly connected to GigabitEthernetb/0/0
[root@learning_vpp2 vpp]# ifconfig ens33
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.3.2  netmask 255.255.255.0  broadcast 

2. Configure the classify table and sessions

# Create a classify table that matches on the IP version and IP protocol.
classify table acl-miss-next deny mask hex 0000000000000000000000000000FF0000000000000000FF
# Match rule: IPv4 and TCP packets
classify session acl-hit-next permit table-index 0 match hex 000000000000000000000000000045000000000000000006
# Match rule: IPv4 and ICMP packets
classify session acl-hit-next permit table-index 0 match hex 000000000000000000000000000045000000000000000001
# Match rule: IPv4 and UDP packets (protocol 0x11)
classify session acl-hit-next permit table-index 0 match hex 000000000000000000000000000045000000000000000011

# Show the configured table:
learning_vpp2# show classify tables index 0 verbose
  TableIdx  Sessions   NextTbl  NextNode
         0         3        -1         0
  Heap: base 0x7fffc920d000, size 2m, locked, unmap-on-destroy, name 'classify'
          page stats: page-size 4K, total 512, mapped 2, not-mapped 0, unknown 510
            numa 0: 2 pages, 8k bytes
          total: 1.99M, used: 1.92K, free: 1.99M, trimmable: 1.99M
  nbuckets 2, skip 0 match 2 flag 0 offset 0
  mask 0000000000000000000000000000ff0000000000000000ff0000000000000000
  linear-search buckets 0

[0]: heap offset 1856, elts 2, normal
    0: [1856]: next_index -1 advance 0 opaque -1 action 0 metadata 0
        k: 0000000000000000000000000000450000000000000000110000000000000000
        hits 0, last_heard 0.00

[1]: heap offset 1280, elts 2, normal
    0: [1280]: next_index -1 advance 0 opaque -1 action 0 metadata 0
        k: 0000000000000000000000000000450000000000000000060000000000000000
        hits 0, last_heard 0.00

    1: [1344]: next_index -1 advance 0 opaque -1 action 0 metadata 0
        k: 0000000000000000000000000000450000000000000000010000000000000000
        hits 8, last_heard 2062.06

    3 active elements
    1 free lists
    0 linear-search buckets

3. Bind the classify table to the interface

set interface input acl intfc  GigabitEthernetb/0/0 l2-table 0
set interface output acl intfc  GigabitEthernetb/0/0 l2-table 0

Ping from the kernel side; the packet trace is as follows:

00:34:10:049788: dpdk-input
  GigabitEthernetb/0/0 rx queue 0
  buffer 0x9bad1: current data 0, length 98, buffer-pool 0, ref-count 1, totlen-nifb 0, trace handle 0x1000000
                  ext-hdr-valid 
                  l4-cksum-computed l4-cksum-correct 
  PKT MBUF: port 0, nb_segs 1, pkt_len 98
    buf_len 2176, data_len 98, ol_flags 0x80, data_off 128, phys_addr 0x53aeb4c0
    packet_type 0x91 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
    rss 0x0 fdir.hi 0x0 fdir.lo 0x0
    Packet Offload Flags
      PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
    Packet Types
      RTE_PTYPE_L2_ETHER (0x0001) Ethernet packet
      RTE_PTYPE_L3_IPV4_EXT_UNKNOWN (0x0090) IPv4 packet with or without extension headers
  IP4: 00:0c:29:17:0a:58 -> 11:22:33:44:55:66
  ICMP: 192.168.3.2 -> 192.168.3.1
    tos 0x00, ttl 64, length 84, checksum 0x8734 dscp CS0 ecn NON_ECN
    fragment id 0x2c21, flags DONT_FRAGMENT
  ICMP echo_request checksum 0x8dcb id 2020
00:34:10:049819: ethernet-input
  frame: flags 0x1, hw-if-index 1, sw-if-index 1
  IP4: 00:0c:29:17:0a:58 -> 11:22:33:44:55:66
00:34:10:049838: l2-input
  l2-input: sw_if_index 1 dst 11:22:33:44:55:66 src 00:0c:29:17:0a:58 [l2-input-acl l2-learn l2-flood ]
00:34:10:049844: l2-input-acl
  INACL: sw_if_index 1, next_index 9, table 0, offset 1344
00:34:10:067214: l2-learn
  l2-learn: sw_if_index 1 dst 11:22:33:44:55:66 src 00:0c:29:17:0a:58 bd_index 1
00:34:10:067221: l2-flood
  l2-flood: sw_if_index 1 dst 11:22:33:44:55:66 src 00:0c:29:17:0a:58 bd_index 1
00:34:10:067228: ip4-input
  ICMP: 192.168.3.2 -> 192.168.3.1
    tos 0x00, ttl 64, length 84, checksum 0x8734 dscp CS0 ecn NON_ECN
    fragment id 0x2c21, flags DONT_FRAGMENT
  ICMP echo_request checksum 0x8dcb id 2020
00:34:10:067236: ip4-lookup
  fib 0 dpo-idx 7 flow hash: 0x00000000
  ICMP: 192.168.3.2 -> 192.168.3.1
    tos 0x00, ttl 64, length 84, checksum 0x8734 dscp CS0 ecn NON_ECN
    fragment id 0x2c21, flags DONT_FRAGMENT
  ICMP echo_request checksum 0x8dcb id 2020
00:34:10:067248: ip4-local
    ICMP: 192.168.3.2 -> 192.168.3.1
      tos 0x00, ttl 64, length 84, checksum 0x8734 dscp CS0 ecn NON_ECN
      fragment id 0x2c21, flags DONT_FRAGMENT
    ICMP echo_request checksum 0x8dcb id 2020
00:34:10:067457: ip4-icmp-input
  ICMP: 192.168.3.2 -> 192.168.3.1
    tos 0x00, ttl 64, length 84, checksum 0x8734 dscp CS0 ecn NON_ECN
    fragment id 0x2c21, flags DONT_FRAGMENT
  ICMP echo_request checksum 0x8dcb id 2020
00:34:10:067462: ip4-icmp-echo-request
  ICMP: 192.168.3.2 -> 192.168.3.1
    tos 0x00, ttl 64, length 84, checksum 0x8734 dscp CS0 ecn NON_ECN
    fragment id 0x2c21, flags DONT_FRAGMENT
  ICMP echo_request checksum 0x8dcb id 2020
00:34:10:067468: ip4-load-balance
  fib 0 dpo-idx 2 flow hash: 0x00000000
  ICMP: 192.168.3.1 -> 192.168.3.2
    tos 0x00, ttl 64, length 84, checksum 0x0266 dscp CS0 ecn NON_ECN
    fragment id 0xb0ef, flags DONT_FRAGMENT
  ICMP echo_reply checksum 0x95cb id 2020
00:34:10:067471: ip4-rewrite
  tx_sw_if_index 4 dpo-idx 2 : ipv4 via 192.168.3.2 loop0: mtu:9000 next:3 flags:[] 000c29170a581122334455660800 flow hash: 0x00000000
  00000000: 000c29170a58112233445566080045000054b0ef400040010266c0a80301c0a8
  00000020: 0302000095cb07e400017124c760000000005ef70c00000000001011
00:34:10:067474: loop0-output
  loop0 
  IP4: 11:22:33:44:55:66 -> 00:0c:29:17:0a:58
  ICMP: 192.168.3.1 -> 192.168.3.2
    tos 0x00, ttl 64, length 84, checksum 0x0266 dscp CS0 ecn NON_ECN
    fragment id 0xb0ef, flags DONT_FRAGMENT
  ICMP echo_reply checksum 0x95cb id 2020
00:34:10:067488: l2-input
  l2-input: sw_if_index 4 dst 00:0c:29:17:0a:58 src 11:22:33:44:55:66 [l2-fwd l2-flood arp-term-l2bd l2-flood ]
00:34:10:067490: l2-fwd
  l2-fwd:   sw_if_index 4 dst 00:0c:29:17:0a:58 src 11:22:33:44:55:66 bd_index 1 result [0x1160000000001, 1] none
00:34:10:067494: l2-output
  l2-output: sw_if_index 1 dst 00:0c:29:17:0a:58 src 11:22:33:44:55:66 data 08 00 45 00 00 54 b0 ef 40 00 40 01
00:34:10:067498: l2-output-acl
  OUTACL: sw_if_index 1, next_index 1, table 0, offset 1344
00:34:10:067505: GigabitEthernetb/0/0-output
  GigabitEthernetb/0/0 
  IP4: 11:22:33:44:55:66 -> 00:0c:29:17:0a:58
  ICMP: 192.168.3.1 -> 192.168.3.2
    tos 0x00, ttl 64, length 84, checksum 0x0266 dscp CS0 ecn NON_ECN
    fragment id 0xb0ef, flags DONT_FRAGMENT
  ICMP echo_reply checksum 0x95cb id 2020
00:34:10:067506: GigabitEthernetb/0/0-tx
  GigabitEthernetb/0/0 tx queue 1
  buffer 0x9bad1: current data 0, length 98, buffer-pool 0, ref-count 1, totlen-nifb 0, trace handle 0x1000000
                  ext-hdr-valid 
                  l4-cksum-computed l4-cksum-correct local l2-hdr-offset 0 l3-hdr-offset 14 
  PKT MBUF: port 0, nb_segs 1, pkt_len 98
    buf_len 2176, data_len 98, ol_flags 0x80, data_off 128, phys_addr 0x53aeb4c0
    packet_type 0x91 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
    rss 0x0 fdir.hi 0x0 fdir.lo 0x0
    Packet Offload Flags
      PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
    Packet Types
      RTE_PTYPE_L2_ETHER (0x0001) Ethernet packet
      RTE_PTYPE_L3_IPV4_EXT_UNKNOWN (0x0090) IPv4 packet with or without extension headers
  IP4: 11:22:33:44:55:66 -> 00:0c:29:17:0a:58
  ICMP: 192.168.3.1 -> 192.168.3.2
    tos 0x00, ttl 64, length 84, checksum 0x0266 dscp CS0 ecn NON_ECN
    fragment id 0xb0ef, flags DONT_FRAGMENT
  ICMP echo_reply checksum 0x95cb id 2020
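
The lookup performed at the l2-output-acl step of the trace, as an added example (not VPP code): it applies the stored mask to the frame and compares the result with the session keys, using a plain dictionary in place of VPP's hashed buckets. The mask, keys and heap offsets are copied from the table dump above and the echo reply bytes from the ip4-rewrite hex dump; the other frames are constructed. Because the key for byte 14 is exactly 0x45, an IPv4 header carrying options (IHL above 5) and non-IP frames such as ARP miss the table and fall to acl-miss-next deny.

```python
VEC = 16  # one group is 16 bytes

# Copied from "show classify tables index 0 verbose" above
MASK = bytes.fromhex("0000000000000000000000000000ff0000000000000000ff0000000000000000")
SKIP, MATCH = 0, 2
SESSIONS = {  # stored key -> heap offset of the session
    bytes.fromhex("0000000000000000000000000000450000000000000000110000000000000000"): 1856,
    bytes.fromhex("0000000000000000000000000000450000000000000000060000000000000000"): 1280,
    bytes.fromhex("0000000000000000000000000000450000000000000000010000000000000000"): 1344,
}


def classify(frame):
    """Return the heap offset of the session the frame hits, or None on a miss."""
    window = frame[SKIP * VEC:(SKIP + MATCH) * VEC]
    key = bytes(p & m for p, m in zip(window, MASK))
    return SESSIONS.get(key)


def verdict(frame):
    """Sessions are acl-hit-next permit; the table is acl-miss-next deny."""
    return "permit" if classify(frame) is not None else "deny"


# First 32 bytes of the echo reply, copied from the ip4-rewrite hex dump
ECHO_REPLY = bytes.fromhex(
    "000c29170a58112233445566080045000054b0ef400040010266c0a80301c0a8")

# Constructed frames: same header with protocol TCP, then with IHL 6
TCP = ECHO_REPLY[:23] + b"\x06" + ECHO_REPLY[24:]
TCP_WITH_OPTIONS = TCP[:14] + b"\x46" + TCP[15:]
# Constructed ARP request (ethertype 0x0806), first 32 bytes
ARP_REQUEST = bytes.fromhex(
    "ffffffffffff000c29170a580806000108000604" "0001000c29170a58c0a80302")

if __name__ == "__main__":
    for name, frame in (("echo reply", ECHO_REPLY), ("tcp", TCP),
                        ("tcp with IP options", TCP_WITH_OPTIONS),
                        ("arp request", ARP_REQUEST)):
        print(f"{name}: offset {classify(frame)} -> {verdict(frame)}")
```
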