ACL fixes #465
AltraMayor left a comment on commit: lls: fix ICMP/ICMPv6 ACL registration
AltraMayor left a comment on commit: acl/net: be careful about ntuple filters and ACLs
AltraMayor left a comment on commit: acl/net: coalesce ACL/ntuple into one abstraction
AltraMayor left a comment:
Patch acl: update rule registration interface is ready for merge.
Further comment on commit: acl/net: coalesce ACL/ntuple into one abstraction
- With the exception of lib/net.c and the GK and GT blocks, we should be able to stop including the header gatekeeper_acl.h everywhere else.
- The LLS block is not dealing with ICMP packets that may arrive now that it registers for ntuple filters. Given the current patch is already large, it would be better to just add a TODO comment in this patch, and address this issue in a following patch.
I removed
Force-pushed fa11ff2 to e4c5e17.
Ready for another review (but is not yet tested).
AltraMayor left a comment on commit: acl/net: be careful about ntuple filters and ACLs
AltraMayor left a comment on commit: acl/net: coalesce ACL/ntuple into one abstraction
AltraMayor left a comment on commit: acl/net: coalesce ACL/ntuple into one abstraction
AltraMayor left a comment on commit: acl/net: coalesce ACL/ntuple into one abstraction
Force-pushed fe63570 to 135db9b.
Ready for another review. Tested on Amazon.
AltraMayor left a comment on commit: net: define RX methods for blocks
AltraMayor left a comment on commit: net: combine ntuple filters/ACL into packet filters
We should be able to remove gatekeeper_acl.h from the GGU this time around.
It's worth verifying that only lib/net.c and the GK and GT blocks are adding the header gatekeeper_acl.h.
AltraMayor left a comment on commit: lls: use packet filter API
Force-pushed 38e67b6 to 6ad2d86.
AltraMayor left a comment on commit: net: define RX methods for blocks
Shouldn't we remove line
My fault, it has already been removed.
AltraMayor left a comment on commit: net: combine ntuple filters/ACL into packet filters
Please fix the last comment, and run a test on Amazon.
In at least some current NICs (Intel 82599) the IPv6 destination IP field cannot be matched by ntuple filters (AltraMayor#466). Therefore, it is possible for ntuple filters to appear to be available but cannot be used, e.g., in an IPv6-only deployment. This patch makes the code more careful about this distinction, and defines RX methods so that blocks can decide whether they need to query NICs or mailboxes, for example, to receive packets.
Since ntuple filters can be mostly equivalent to ACL rules when hardware does not support ntuple filters, this patch coalesces their creation into a single API for packet filters, including one function for IPv4 and one for IPv6, so that blocks don't have to worry about what hardware supports. Closes AltraMayor#63.
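The following is an added illustration of the design described in that message, not Gatekeeper's own code: a hypothetical packet-filter abstraction in which the choice between an ntuple filter and an ACL rule is made once, per address family, against what the NIC can actually match, and the resulting RX method tells a block where its packets will arrive. All struct and function names (nic_caps, pick_backend, register_ipv4_filter, register_ipv6_filter, rx_method_for) are assumptions.

```c
/* Hypothetical model of the packet-filter abstraction in the PR text;
 * not Gatekeeper code. Names and layouts are assumptions. */
#include <stdbool.h>
#include <stddef.h>

enum filter_backend { FILTER_NTUPLE, FILTER_ACL };
enum rx_method { RX_METHOD_NIC, RX_METHOD_MB };

/* What the NIC claims. The 82599 case from the PR: ntuple filters
 * exist, but the IPv6 destination address cannot be matched. */
struct nic_caps {
	bool ntuple;
	bool ntuple_ipv6_dst;
};

struct filter_rule {
	enum filter_backend backend;
	int proto;   /* IP protocol number the block wants, e.g. 1 or 58 */
	bool ipv6;
};

#define MAX_RULES 16
static struct filter_rule rules[MAX_RULES];
static size_t nrules;

/* The single decision point: ntuple only when the NIC can match every
 * field the rule needs; otherwise fall back to an ACL rule. */
static enum filter_backend pick_backend(const struct nic_caps *caps, bool ipv6)
{
	if (!caps->ntuple || (ipv6 && !caps->ntuple_ipv6_dst))
		return FILTER_ACL;
	return FILTER_NTUPLE;
}

static int add_rule(const struct nic_caps *caps, int proto, bool ipv6)
{
	if (nrules >= MAX_RULES)
		return -1;  /* constructed limit: table full */
	rules[nrules].backend = pick_backend(caps, ipv6);
	rules[nrules].proto = proto;
	rules[nrules].ipv6 = ipv6;
	nrules++;
	return 0;
}

/* One function per family; blocks never inspect hardware support. */
int register_ipv4_filter(const struct nic_caps *c, int proto) { return add_rule(c, proto, false); }
int register_ipv6_filter(const struct nic_caps *c, int proto) { return add_rule(c, proto, true); }

/* ntuple matches land in the block's own NIC queue; ACL matches are
 * forwarded by another block and so arrive through a mailbox. */
enum rx_method rx_method_for(enum filter_backend b) { return b == FILTER_NTUPLE ? RX_METHOD_NIC : RX_METHOD_MB; }
enum filter_backend rule_backend(size_t i) { return rules[i].backend; }
void reset_rules(void) { nrules = 0; }
```

With 82599-like capabilities an IPv4 rule becomes an ntuple filter read from the NIC, while the IPv6 rule silently becomes an ACL rule read from a mailbox, which is the distinction the patch makes blocks aware of.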
Fixed and tested. Ready for another review.