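/* SPDX-License-Identifier: BSD-3-Clause
 * Copyright(c) 2022 Intel Corporation
 */

#ifndef L3FWD_ACL_H
#define L3FWD_ACL_H

/*
 * Shared constants, helper macros and prototypes for the l3fwd ACL mode.
 *
 * This header includes nothing itself: the including file must already
 * provide offsetof, the fixed-width integer types, RTE_LOG and the
 * rte_ether_hdr / rte_ipv4_hdr / rte_ipv6_hdr / rte_pktmbuf definitions
 * that the macros below expand to.
 */

/* Enable the ACL debug code only when data-path logging is at DEBUG level. */
#if RTE_LOG_DP_LEVEL >= RTE_LOG_DEBUG
#define L3FWDACL_DEBUG
#endif

#define MAX_ACL_RULE_NUM	100000
#define DEFAULT_MAX_CATEGORIES	1
#define L3FWD_ACL_IPV4_NAME	"l3fwd-acl-ipv4"
#define L3FWD_ACL_IPV6_NAME	"l3fwd-acl-ipv6"

/*
 * NOTE(review): the name suggests this value tags deny (drop) rules; how it
 * is combined with rule data is not visible in this header - confirm at the
 * use sites. The literal does not fit in int, so its type is unsigned int.
 */
#define ACL_DENY_SIGNATURE	0xf0000000
#define RTE_LOGTYPE_L3FWDACL	RTE_LOGTYPE_USER3

/*
 * Log through RTE_LOG at ERR level under the L3FWDACL log type.
 * 'format' should be a string literal; never pass rule-file or packet
 * derived text as the format itself, only as an argument to a conversion.
 */
#define acl_log(format, ...)	RTE_LOG(ERR, L3FWDACL, format, ##__VA_ARGS__)

/*
 * Split a 32-bit value into four bytes, most significant byte first,
 * storing them through the pointers a, b, c and d.
 *
 * Every argument is parenthesized so that expressions such as "x | y" or
 * "buf + 1" expand with the intended precedence. 'ip' is still evaluated
 * four times, so it must not have side effects.
 */
#define uint32_t_to_char(ip, a, b, c, d) do {\
		*(a) = (unsigned char)((ip) >> 24 & 0xff);\
		*(b) = (unsigned char)((ip) >> 16 & 0xff);\
		*(c) = (unsigned char)((ip) >> 8 & 0xff);\
		*(d) = (unsigned char)((ip) & 0xff);\
	} while (0)

/* Byte offsets used to locate the L4 protocom field from the frame start. */
#define OFF_ETHHEAD	(sizeof(struct rte_ether_hdr))
#define OFF_IPV42PROTO	(offsetof(struct rte_ipv4_hdr, next_proto_id))
#define OFF_IPV62PROTO	(offsetof(struct rte_ipv6_hdr, proto))

/*
 * Pointer to the protocol byte of an IPv4 / IPv6 packet held in mbuf 'm'.
 *
 * The offset is fixed: an Ethernet header immediately followed by the IP
 * header (no VLAN tag or other encapsulation is accounted for). No length
 * check is made here, so the caller must already know that the first
 * segment holds at least that many bytes and that the packet is of the
 * matching IP version before dereferencing the result.
 */
#define MBUF_IPV4_2PROTO(m)	\
	rte_pktmbuf_mtod_offset((m), uint8_t *, OFF_ETHHEAD + OFF_IPV42PROTO)
#define MBUF_IPV6_2PROTO(m)	\
	rte_pktmbuf_mtod_offset((m), uint8_t *, OFF_ETHHEAD + OFF_IPV62PROTO)

/*
 * ACL rules should have higher priority than route rules, so that the ACL
 * rule is always the one found when an input packet matches several entries
 * in the database.
 * The exception is performance measurement, which can define route rules
 * with higher priority so that route rules are always returned by each
 * lookup. The range from ACL_RULE_PRIORITY_MAX + 1 to RTE_ACL_MAX_PRIORITY
 * is reserved for route entries used in performance measurement.
 */
#define ACL_RULE_PRIORITY_MAX 0x10000000

/*
 * Forward port numbers stored in the ACL library start from 1, because ACL
 * treats 0 as invalid. Add FWD_PORT_SHIFT when saving a port and subtract
 * it again when forwarding packets.
 */
#define FWD_PORT_SHIFT 1

/*
 * Forward declarations: the rule structures are defined outside this header,
 * and declaring the tags here keeps the prototypes below independent of
 * include order (otherwise the tags would be scoped to the parameter list).
 */
struct acl4_rule;
struct acl6_rule;

/*
 * Print one IPv4 ACL rule.
 * NOTE(review): the meaning of 'extra' is not visible in this header;
 * see the definition.
 */
void
print_one_ipv4_rule(struct acl4_rule *rule, int extra);

/*
 * Print one IPv6 ACL rule.
 * NOTE(review): the meaning of 'extra' is not visible in this header;
 * see the definition.
 */
void
print_one_ipv6_rule(struct acl6_rule *rule, int extra);

#endif /* L3FWD_ACL_H */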