static int start_loop(int verbose) { struct pg_error *error = NULL; struct pg_brick *nic_tmp, *switch_east, *print_tmp; uint16_t port_count = rte_eth_dev_count(); GList *nic_manager = NULL; GList *manager = NULL; g_assert(port_count > 1); /* * Here is an ascii graph of the links: * * [NIC-X] - [PRINT-X] --\ * \ * [NIC-X+1] - [PRINT-X+1] } -- [SWITCH] * / * [NIC-X+2] - [PRINT-X+2] / * .... */ switch_east = pg_switch_new("switch", 20, 20, &error); CHECK_ERROR(error); PG_BM_ADD(manager, switch_east); for (int i = 0; i < port_count; ++i) { nic_tmp = pg_nic_new_by_id("nic", 1, 1, WEST_SIDE, i, &error); CHECK_ERROR(error); print_tmp = pg_print_new("print", 1, 1, NULL, PG_PRINT_FLAG_MAX, NULL, &error); CHECK_ERROR(error); if (!verbose) pg_brick_chained_links(&error, nic_tmp, switch_east); else pg_brick_chained_links(&error, nic_tmp, print_tmp, switch_east); CHECK_ERROR(error); PG_BM_ADD(nic_manager, nic_tmp); PG_BM_ADD(manager, print_tmp); } while (1) { uint64_t tot_send_pkts = 0; for (int i = 0; i < 100000; ++i) { uint16_t nb_send_pkts; PG_BM_GET_NEXT(nic_manager, nic_tmp); pg_brick_poll(nic_tmp, &nb_send_pkts, &error); tot_send_pkts += nb_send_pkts; CHECK_ERROR(error); usleep(1); } printf("poll pkts: %lu\n", tot_send_pkts); } nic_manager = g_list_first(nic_manager); PG_BM_DESTROY(manager); PG_BM_DESTROY(nic_manager); return 0; }
static void test_antispoof_rarp(void) { # include "rarp.c" const unsigned char *pkts[] = {pkt1}; int pkts_size[] = {15}; uint16_t pkts_nb = 1; struct ether_addr inside_mac; struct pg_brick *gen_west; struct pg_brick *antispoof; struct pg_brick *col_east; struct pg_error *error = NULL; uint16_t packet_count; uint16_t i; struct rte_mbuf *packet; uint64_t filtered_pkts_mask; pg_scan_ether_addr(&inside_mac, "00:23:df:ff:c9:23"); /* [generator>]--[antispoof]--[collector] */ gen_west = pg_packetsgen_new("gen_west", 1, 1, EAST_SIDE, &packet, 1, &error); g_assert(!error); antispoof = pg_antispoof_new("antispoof", 1, 1, EAST_SIDE, inside_mac, &error); g_assert(!error); col_east = pg_collect_new("col_east", 1, 1, &error); g_assert(!error); pg_brick_link(gen_west, antispoof, &error); g_assert(!error); pg_brick_link(antispoof, col_east, &error); g_assert(!error); /* replay traffic */ for (i = 0; i < pkts_nb; i++) { packet = build_packet(pkts[i], pkts_size[i]); pg_brick_poll(gen_west, &packet_count, &error); g_assert(!error); g_assert(packet_count == 1); pg_brick_west_burst_get(col_east, &filtered_pkts_mask, &error); g_assert(!error); g_assert(pg_mask_count(filtered_pkts_mask) == 0); rte_pktmbuf_free(packet); } pg_brick_destroy(gen_west); pg_brick_destroy(antispoof); pg_brick_destroy(col_east); }
/* this test harness a Linux guest to check that packet are send and received * by the vhost brick. An ethernet bridge inside the guest will forward packets * between the two vhost-user virtio interfaces. */ static void test_vhost_flow_(int qemu_exit_signal) { const char mac_addr_0[18] = "52:54:00:12:34:11"; const char mac_addr_1[18] = "52:54:00:12:34:12"; struct rte_mempool *mbuf_pool = pg_get_mempool(); struct pg_brick *vhost_0, *vhost_1, *collect; struct rte_mbuf *pkts[PG_MAX_PKTS_BURST]; const char *socket_path_0, *socket_path_1; struct pg_error *error = NULL; struct rte_mbuf **result_pkts; int ret, qemu_pid, i; uint64_t pkts_mask; /* start vhost */ ret = pg_vhost_start("/tmp", &error); g_assert(ret == 0); g_assert(!error); /* instanciate brick */ vhost_0 = pg_vhost_new("vhost-0", &error); g_assert(!error); g_assert(vhost_0); vhost_1 = pg_vhost_new("vhost-1", &error); g_assert(!error); g_assert(vhost_1); collect = pg_collect_new("collect", &error); g_assert(!error); g_assert(collect); /* build the graph */ pg_brick_link(collect, vhost_1, &error); g_assert(!error); /* spawn first QEMU */ socket_path_0 = pg_vhost_socket_path(vhost_0, &error); g_assert(!error); g_assert(socket_path_0); socket_path_1 = pg_vhost_socket_path(vhost_1, &error); g_assert(!error); g_assert(socket_path_1); qemu_pid = pg_util_spawn_qemu(socket_path_0, socket_path_1, mac_addr_0, mac_addr_1, glob_vm_path, glob_vm_key_path, glob_hugepages_path, &error); g_assert(!error); g_assert(qemu_pid); /* Prepare VM's bridge. */ # define SSH(c) \ g_assert(pg_util_ssh("localhost", ssh_port_id, glob_vm_key_path, c) == 0) SSH("brctl addbr br0"); SSH("ifconfig br0 up"); SSH("ifconfig ens4 up"); SSH("ifconfig ens5 up"); SSH("brctl addif br0 ens4"); SSH("brctl addif br0 ens5"); SSH("brctl setfd br0 0"); SSH("brctl stp br0 off"); # undef SSH ssh_port_id++; /* prepare packet to send */ for (i = 0; i < NB_PKTS; i++) { pkts[i] = rte_pktmbuf_alloc(mbuf_pool); g_assert(pkts[i]); rte_pktmbuf_append(pkts[i], ETHER_MIN_LEN); /* set random dst/src mac address so the linux guest bridge * will not filter them */ pg_set_mac_addrs(pkts[i], "52:54:00:12:34:15", "52:54:00:12:34:16"); /* set size */ pg_set_ether_type(pkts[i], ETHER_MIN_LEN - ETHER_HDR_LEN - 4); } /* send packet to the guest via one interface */ pg_brick_burst_to_east(vhost_0, 0, pkts, pg_mask_firsts(NB_PKTS), &error); g_assert(!error); /* let the packet propagate and flow */ for (i = 0; i < 10; i++) { uint16_t count = 0; usleep(100000); pg_brick_poll(vhost_1, &count, &error); g_assert(!error); if (count) break; } result_pkts = pg_brick_east_burst_get(collect, &pkts_mask, &error); g_assert(!error); g_assert(result_pkts); g_assert(pg_brick_rx_bytes(vhost_0) == 0); g_assert(pg_brick_tx_bytes(vhost_0) != 0); g_assert(pg_brick_rx_bytes(vhost_1) != 0); g_assert(pg_brick_tx_bytes(vhost_1) == 0); /* kill QEMU */ pg_util_stop_qemu(qemu_pid, qemu_exit_signal); /* free result packets */ pg_packets_free(result_pkts, pkts_mask); /* free sent packet */ for (i = 0; i < NB_PKTS; i++) rte_pktmbuf_free(pkts[i]); /* break the graph */ pg_brick_unlink(collect, &error); g_assert(!error); /* clean up */ /* pg_brick_decref(vhost_0, &error); */ pg_brick_destroy(vhost_0); g_assert(!error); pg_brick_destroy(vhost_1); /* pg_brick_decref(vhost_1, &error); */ g_assert(!error); pg_brick_decref(collect, &error); g_assert(!error); /* stop vhost */ pg_vhost_stop(); }
static void test_nic_simple_flow(void) { struct pg_brick *nic_west, *nic_ring; int i = 0; int nb_iteration = 32; uint16_t nb_send_pkts; uint16_t total_send_pkts = 0; uint16_t total_get_pkts = 0; struct pg_error *error = NULL; struct pg_nic_stats info; /* create a chain of a few nop brick with collectors on each sides */ /* * [nic_west] ------- [nic_east] */ /* write rx pcap file (required bu pcap driver) */ const gchar pcap_in_file[] = { 212, 195, 178, 161, 2, 0, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 0, 0, 1, 0, 0, 0}; g_assert(g_file_set_contents("in.pcap", pcap_in_file, sizeof(pcap_in_file), NULL)); nic_west = pg_nic_new("nic", "eth_pcap0,rx_pcap=in.pcap,tx_pcap=out.pcap", &error); CHECK_ERROR(error); nic_ring = pg_nic_new_by_id("nic", 0, &error); CHECK_ERROR(error); pg_brick_link(nic_west, nic_ring, &error); CHECK_ERROR(error); for (i = 0; i < nb_iteration * 6; ++i) { /* max pkts is the maximum nbr of packets rte_eth_burst_wrap can send */ max_pkts = i * 2; if (max_pkts > 64) max_pkts = 64; /*poll packets to east*/ pg_brick_poll(nic_west, &nb_send_pkts, &error); CHECK_ERROR(error); /* collect pkts on the east */ if (nb_send_pkts) { total_send_pkts += max_pkts; } /* check no pkts end here */ CHECK_ERROR(error); } pg_nic_get_stats(nic_ring, &info); g_assert(info.opackets == total_send_pkts); max_pkts = 64; for (i = 0; i < nb_iteration; ++i) { /* poll packet to the west */ pg_brick_poll(nic_ring, &nb_send_pkts, &error); CHECK_ERROR(error); total_get_pkts += nb_send_pkts; } /* This assert allow us to check nb_send_pkts*/ g_assert(total_get_pkts == total_send_pkts); g_assert(info.opackets == total_send_pkts); /* use packets_count in collect_west here to made * another check when merge*/ /* break the chain */ pg_brick_destroy(nic_west); pg_brick_destroy(nic_ring); /* remove pcap files */ g_assert(g_unlink("in.pcap") == 0); g_assert(g_unlink("out.pcap") == 0); }
static void test_queue_reset(void) { # define NB_PKTS 64 struct pg_error *error = NULL; struct pg_brick *queue1, *queue2, *collect; struct rte_mbuf **result_pkts; struct rte_mbuf *pkts[NB_PKTS]; uint64_t pkts_mask, i, j; uint16_t count = 0; struct rte_mempool *mbuf_pool = pg_get_mempool(); /** * Burst packets in queue1 and test reset of queue1 * [queue1] ~ [queue2]----[collect] */ queue1 = pg_queue_new("q1", 10, &error); CHECK_ERROR(error); queue2 = pg_queue_new("q2", 10, &error); CHECK_ERROR(error); collect = pg_collect_new("collect", 1, 1, &error); CHECK_ERROR(error); pg_brick_link(queue2, collect, &error); CHECK_ERROR(error); g_assert(!pg_queue_friend(queue1, queue2, &error)); CHECK_ERROR(error); for (i = 0; i < NB_PKTS; i++) { pkts[i] = rte_pktmbuf_alloc(mbuf_pool); g_assert(pkts[i]); pkts[i]->udata64 = i; pg_set_mac_addrs(pkts[i], "F0:F1:F2:F3:F4:F5", "E0:E1:E2:E3:E4:E5"); } for (j = 0; j < 100; j++) { for (i = 0; i < NB_PKTS; i++) pkts[i]->udata64 = i * j; /* burst and reset */ pg_brick_burst_to_east(queue1, 0, pkts, pg_mask_firsts(NB_PKTS), &error); CHECK_ERROR(error); g_assert(pg_queue_pressure(queue1) > 0); g_assert(!pg_brick_reset(queue1, &error)); g_assert(pg_queue_get_friend(queue1) == NULL); g_assert(pg_queue_get_friend(queue2) == NULL); g_assert(pg_queue_pressure(queue1) == 0); g_assert(pg_queue_pressure(queue2) == 0); pg_brick_poll(queue2, &count, &error); g_assert(!error); g_assert(count == 0); /* refriend and burst ok */ g_assert(!pg_queue_friend(queue1, queue2, &error)); g_assert(!error); g_assert(pg_queue_are_friend(queue1, queue2)); g_assert(!error); pg_brick_burst_to_east(queue1, 0, pkts, pg_mask_firsts(NB_PKTS), &error); CHECK_ERROR(error); g_assert(pg_queue_pressure(queue1) > 0); pg_brick_poll(queue2, &count, &error); g_assert(count == NB_PKTS); result_pkts = pg_brick_west_burst_get(collect, &pkts_mask, &error); CHECK_ERROR(error); g_assert(pkts_mask == pg_mask_firsts(NB_PKTS)); for (i = 0; i < NB_PKTS; i++) { g_assert(result_pkts[i]); g_assert(result_pkts[i]->udata64 == i * j); } pg_brick_reset(collect, &error); CHECK_ERROR(error); } /* clean */ for (i = 0; i < NB_PKTS; i++) rte_pktmbuf_free(pkts[i]); pg_brick_decref(queue1, &error); CHECK_ERROR(error); pg_brick_decref(queue2, &error); CHECK_ERROR(error); pg_brick_decref(collect, &error); CHECK_ERROR(error); # undef NB_PKTS }
int main(int argc, char **argv) { struct pg_error *error = NULL; struct pg_brick *fw; struct pg_brick *nic_west, *nic_east; uint16_t nb_send_pkts; uint64_t total; struct timeval start, end; int i; pg_start(argc, argv, &error); CHECK_ERROR(error); g_assert(rte_eth_dev_count() >= 2); nic_west = pg_nic_new_by_id("port 0", 1, 1, WEST_SIDE, 0, &error); CHECK_ERROR(error); fw = pg_firewall_new("fw", 1, 1, PG_NO_CONN_WORKER, &error); pg_firewall_thread_register(fw); CHECK_ERROR(error); nic_east = pg_nic_new_by_id("port 1", 1, 1, EAST_SIDE, 1, &error); CHECK_ERROR(error); pg_brick_link(nic_west, fw, &error); CHECK_ERROR(error); pg_brick_link(fw, nic_east, &error); CHECK_ERROR(error); g_assert(!pg_firewall_rule_add(fw, "tcp portrange 50-60", MAX_SIDE, 1, &error)); CHECK_ERROR(error); g_assert(!pg_firewall_rule_add(fw, "icmp", MAX_SIDE, 1, &error)); CHECK_ERROR(error); g_assert(!pg_firewall_reload(fw, &error)); CHECK_ERROR(error); for (;;) { gettimeofday(&start, 0); total = 0; for (i = 0; i < LOOPS; i++) { g_assert(pg_brick_poll(nic_west, &nb_send_pkts, &error)); usleep(1); total += nb_send_pkts; g_assert(pg_brick_poll(nic_east, &nb_send_pkts, &error)); total += nb_send_pkts; usleep(1); } gettimeofday(&end, 0); usleep(100); printf("time in us: for %i loops: %lu\ntotal %"PRIu64"\n", LOOPS, (end.tv_sec * 1000000 + end.tv_usec) - (start.tv_sec * 1000000 + start.tv_usec), total); pg_firewall_gc(fw); } pg_stop(); return 0; }
static void test_pg_antispoof_arp_disable(void) { # include "arp_request.c" const unsigned char *pkts[] = {pkt1}; int pkts_size[] = {42}; uint16_t pkts_nb = 1; struct ether_addr inside_mac; uint32_t inside_ip; struct pg_brick *gen_west; struct pg_brick *antispoof; struct pg_brick *col_east; struct pg_error *error = NULL; uint16_t packet_count; uint16_t i; struct rte_mbuf *packet; uint64_t filtered_pkts_mask; struct rte_mbuf **filtered_pkts; pg_scan_ether_addr(&inside_mac, "00:e0:81:d5:02:91"); inside_ip = htobe32(IPv4(0, 0, 0, 42)); /* [generator>]--[antispoof]--[collector] */ gen_west = pg_packetsgen_new("gen_west", 1, 1, EAST_SIDE, &packet, 1, &error); g_assert(!error); antispoof = pg_antispoof_new("antispoof", 1, 1, EAST_SIDE, inside_mac, &error); g_assert(!error); col_east = pg_collect_new("col_east", 1, 1, &error); g_assert(!error); pg_brick_link(gen_west, antispoof, &error); g_assert(!error); pg_brick_link(antispoof, col_east, &error); g_assert(!error); /* enable ARP antispoof with a wrong IP */ pg_antispoof_arp_enable(antispoof, inside_ip); /* replay traffic */ for (i = 0; i < pkts_nb; i++) { packet = build_packet(pkts[i], pkts_size[i]); pg_brick_poll(gen_west, &packet_count, &error); g_assert(!error); g_assert(packet_count == 1); filtered_pkts = pg_brick_west_burst_get(col_east, &filtered_pkts_mask, &error); g_assert(!error); g_assert(pg_mask_count(filtered_pkts_mask) == 0); pg_packets_free(filtered_pkts, filtered_pkts_mask); rte_pktmbuf_free(packet); } /* disable ARP antispoof, should now pass */ pg_antispoof_arp_disable(antispoof); /* replay traffic */ for (i = 0; i < pkts_nb; i++) { packet = build_packet(pkts[i], pkts_size[i]); pg_brick_poll(gen_west, &packet_count, &error); g_assert(!error); g_assert(packet_count == 1); filtered_pkts = pg_brick_west_burst_get(col_east, &filtered_pkts_mask, &error); g_assert(!error); g_assert(pg_mask_count(filtered_pkts_mask) == 1); pg_packets_free(filtered_pkts, filtered_pkts_mask); rte_pktmbuf_free(packet); } pg_brick_destroy(gen_west); pg_brick_destroy(antispoof); pg_brick_destroy(col_east); }
static void test_antispoof_generic(const unsigned char **pkts, int *pkts_size, uint16_t pkts_nb, struct ether_addr inside_mac, uint32_t inside_ip) { struct pg_brick *gen_west; struct pg_brick *antispoof; struct pg_brick *col_east; struct pg_error *error = NULL; uint16_t packet_count; uint16_t i; struct rte_mbuf *packet; uint64_t filtered_pkts_mask; struct rte_mbuf **filtered_pkts; /* [generator>]--[antispoof]--[collector] */ gen_west = pg_packetsgen_new("gen_west", 1, 1, EAST_SIDE, &packet, 1, &error); g_assert(!error); antispoof = pg_antispoof_new("antispoof", 1, 1, EAST_SIDE, inside_mac, &error); g_assert(!error); col_east = pg_collect_new("col_east", 1, 1, &error); g_assert(!error); pg_brick_link(gen_west, antispoof, &error); g_assert(!error); pg_brick_link(antispoof, col_east, &error); g_assert(!error); /* enable ARP antispoof with the correct IP */ pg_antispoof_arp_enable(antispoof, inside_ip); /* replay traffic */ for (i = 0; i < pkts_nb; i++) { packet = build_packet(pkts[i], pkts_size[i]); pg_brick_poll(gen_west, &packet_count, &error); g_assert(!error); g_assert(packet_count == 1); filtered_pkts = pg_brick_west_burst_get(col_east, &filtered_pkts_mask, &error); g_assert(!error); g_assert(pg_mask_count(filtered_pkts_mask) == 1); pg_packets_free(filtered_pkts, filtered_pkts_mask); rte_pktmbuf_free(packet); } /* set another IP, should not pass */ inside_ip = htobe32(IPv4(42, 0, 42, 0)); pg_antispoof_arp_enable(antispoof, inside_ip); /* replay traffic */ for (i = 0; i < pkts_nb; i++) { packet = build_packet(pkts[i], pkts_size[i]); pg_brick_poll(gen_west, &packet_count, &error); g_assert(!error); g_assert(packet_count == 1); filtered_pkts = pg_brick_west_burst_get(col_east, &filtered_pkts_mask, &error); g_assert(!error); g_assert(pg_mask_count(filtered_pkts_mask) == 0); pg_packets_free(filtered_pkts, filtered_pkts_mask); rte_pktmbuf_free(packet); } pg_brick_destroy(gen_west); pg_brick_destroy(antispoof); pg_brick_destroy(col_east); }
static int start_loop(int verbose, int nb_vhost) { struct pg_error *error = NULL; struct pg_brick *nic_tmp, *switch_east, *print_tmp; uint16_t port_count = rte_eth_dev_count(); GList *nic_manager = NULL; GList *manager = NULL; int ret = -1; /* * Here is an ascii graph of the links: * * [NIC-X] - [PRINT-X] --\ * \ * [NIC-X+1] - [PRINT-X+1] } -- [SWITCH] * / * [NIC-X+2] - [PRINT-X+2] / * .... */ switch_east = pg_switch_new("switch", 20, 20, EAST_SIDE, &error); CHECK_ERROR(error); PG_BM_ADD(manager, switch_east); if (nb_vhost) { if (pg_vhost_start("/tmp", &error) < 0) goto free_switch; port_count = nb_vhost; } g_assert(port_count > 1); for (int i = 0; i < port_count; ++i) { char *tmp_name; if (nb_vhost) { tmp_name = g_strdup_printf("vhost-%d", i); nic_tmp = pg_vhost_new(tmp_name, 1, 1, WEST_SIDE, &error); } else { tmp_name = g_strdup_printf("nic-%d", i); nic_tmp = pg_nic_new_by_id(tmp_name, i, &error); } g_free(tmp_name); CHECK_ERROR(error); tmp_name = g_strdup_printf("print-%d", i); print_tmp = pg_print_new(tmp_name, 1, 1, NULL, PG_PRINT_FLAG_MAX, NULL, &error); g_free(tmp_name); CHECK_ERROR(error); if (!verbose) pg_brick_chained_links(&error, nic_tmp, switch_east); else pg_brick_chained_links(&error, nic_tmp, print_tmp, switch_east); CHECK_ERROR(error); PG_BM_ADD(nic_manager, nic_tmp); PG_BM_ADD(manager, print_tmp); } while (1) { uint64_t tot_send_pkts = 0; for (int i = 0; i < 100000; ++i) { uint16_t nb_send_pkts; PG_BM_GET_NEXT(nic_manager, nic_tmp); pg_brick_poll(nic_tmp, &nb_send_pkts, &error); tot_send_pkts += nb_send_pkts; CHECK_ERROR(error); usleep(1); } printf("poll pkts: %lu\n", tot_send_pkts); } ret = 0; nic_manager = g_list_first(nic_manager); PG_BM_DESTROY(nic_manager); free_switch: PG_BM_DESTROY(manager); pg_vhost_stop(); return ret; }
static void test_nic_simple_flow(void) { struct pg_brick *nic_west, *nic_ring; int i = 0; int nb_iteration = 32; uint16_t nb_send_pkts; uint16_t total_send_pkts = 0; uint16_t total_get_pkts = 0; struct pg_error *error = NULL; struct pg_nic_stats info; gchar *tmp; /* create a chain of a few nop brick with collectors on each sides */ /* * [nic_west] ------- [nic_east] */ tmp = g_strdup_printf("eth_pcap0,rx_pcap=%s,tx_pcap=out.pcap", glob_pcap_in); nic_west = pg_nic_new("nic", tmp, &error); g_free(tmp); CHECK_ERROR(error); nic_ring = pg_nic_new_by_id("nic", 0, &error); CHECK_ERROR(error); pg_brick_link(nic_west, nic_ring, &error); CHECK_ERROR(error); for (i = 0; i < nb_iteration * 6; ++i) { /* max pkts is the maximum nbr of packets rte_eth_burst_wrap can send */ max_pkts = i * 2; if (max_pkts > 64) max_pkts = 64; /*poll packets to east*/ pg_brick_poll(nic_west, &nb_send_pkts, &error); CHECK_ERROR(error); /* collect pkts on the east */ if (nb_send_pkts) { total_send_pkts += max_pkts; } /* check no pkts end here */ CHECK_ERROR(error); } pg_nic_get_stats(nic_ring, &info); g_assert(info.opackets == total_send_pkts); max_pkts = 64; for (i = 0; i < nb_iteration; ++i) { /* poll packet to the west */ pg_brick_poll(nic_ring, &nb_send_pkts, &error); CHECK_ERROR(error); total_get_pkts += nb_send_pkts; } /* This assert allow us to check nb_send_pkts*/ g_assert(total_get_pkts == total_send_pkts); g_assert(info.opackets == total_send_pkts); /* use packets_count in collect_west here to made * another check when merge*/ /* break the chain */ pg_brick_destroy(nic_west); pg_brick_destroy(nic_ring); }
static int start_loop(uint32_t vtep_ip, struct ether_addr *vtep_mac, struct ether_addr *inner_mac, GList *neighbor_macs) { struct pg_error *error = NULL; struct pg_brick *nic_east, *nic_west, *vtep_east, *vtep_west; struct pg_brick *print_east, *print_west, *print_middle; /* * Here is an ascii graph of the links: * NIC = nic * VT = vtep * * [NIC] - [PRINT] - [VT] -- [PRINT] -- [VT] -- [PRINT] -- [NIC] */ nic_east = pg_nic_new_by_id("nic-e", 1, 1, EAST_SIDE, 0, &error); CHECK_ERROR(error); nic_west = pg_nic_new_by_id("nic-w", 1, 1, WEST_SIDE, 1, &error); CHECK_ERROR(error); vtep_east = pg_vtep_new("vt-e", 1, 1, WEST_SIDE, vtep_ip, *vtep_mac, 1, &error); CHECK_ERROR(error); inverse_mac(vtep_mac); pg_print_mac(vtep_mac); printf("\n"); vtep_west = pg_vtep_new("vt-w", 1, 1, EAST_SIDE, ~vtep_ip, *vtep_mac, 1, &error); CHECK_ERROR(error); print_west = pg_print_new("west", 1, 1, NULL, PG_PRINT_FLAG_MAX, NULL, &error); CHECK_ERROR(error); print_east = pg_print_new("east", 1, 1, NULL, PG_PRINT_FLAG_MAX, NULL, &error); CHECK_ERROR(error); print_middle = pg_print_new("middle", 1, 1, NULL, PG_PRINT_FLAG_MAX, NULL, &error); CHECK_ERROR(error); /* If you want to print transmiting pkts uncomment this and coment * the bellow pg_brick_chained_links * Attention: this may slow down the transmition */ /* pg_brick_chained_links(&error, nic_west, print_west, */ /* vtep_west, print_middle, vtep_east, */ /* print_east, nic_east); */ pg_brick_chained_links(&error, nic_west, vtep_west, vtep_east, nic_east); CHECK_ERROR(error); pg_vtep_add_vni(vtep_west, nic_west, 0, inet_addr("225.0.0.43"), &error); CHECK_ERROR(error); pg_vtep_add_vni(vtep_east, nic_east, 0, inet_addr("225.0.0.43"), &error); CHECK_ERROR(error); while (!quit) { uint16_t nb_send_pkts; g_assert(pg_brick_poll(nic_west, &nb_send_pkts, &error)); usleep(1); g_assert(pg_brick_poll(nic_east, &nb_send_pkts, &error)); usleep(1); } pg_brick_destroy(nic_west); pg_brick_destroy(print_west); pg_brick_destroy(vtep_west); pg_brick_destroy(print_middle); pg_brick_destroy(vtep_east); pg_brick_destroy(print_east); pg_brick_destroy(nic_east); return 0; }
static void firewall_replay(const unsigned char *pkts[], int pkts_nb, int *pkts_size) { struct pg_brick *gen_west, *gen_east; struct pg_brick *fw; struct pg_brick *col_west, *col_east; struct pg_error *error = NULL; uint16_t i, packet_count; struct rte_mbuf *packet; struct ether_hdr *eth; uint64_t filtered_pkts_mask; struct rte_mbuf **filtered_pkts; struct ether_addr tmp_addr; int ret; /* have some collectors and generators on each sides * [collector]--[generator>]--[firewall]--[<generator]--[collector] * 10.0.2.15 173.194.40.111 * 8:0:27:b6:5:16 52:54:0:12:35:2 */ gen_west = pg_packetsgen_new("gen_west", 1, 1, EAST_SIDE, &packet, 1, &error); g_assert(!error); gen_east = pg_packetsgen_new("gen_east", 1, 1, WEST_SIDE, &packet, 1, &error); g_assert(!error); fw = pg_firewall_new("fw", 1, 1, PG_NONE, &error); g_assert(!error); col_west = pg_collect_new("col_west", 1, 1, &error); g_assert(!error); col_east = pg_collect_new("col_east", 1, 1, &error); g_assert(!error); pg_brick_link(col_west, gen_west, &error); g_assert(!error); pg_brick_link(gen_west, fw, &error); g_assert(!error); pg_brick_link(fw, gen_east, &error); g_assert(!error); pg_brick_link(gen_east, col_east, &error); g_assert(!error); /* open all traffic of 10.0.2.15 from the west side of the firewall * returning traffic should be allowed due to STATEFUL option */ ret = pg_firewall_rule_add(fw, "src host 10.0.2.15", WEST_SIDE, 1, &error); g_assert(!error); g_assert(ret == 0); ret = pg_firewall_reload(fw, &error); g_assert(!error); g_assert(ret < 0); /* replay traffic */ for (i = 0; i < pkts_nb; i++) { struct ip *ip; packet = build_packet(pkts[i], pkts_size[i]); eth = rte_pktmbuf_mtod(packet, struct ether_hdr*); ip = (struct ip *)(eth + 1); if (ip->ip_src.s_addr == inet_addr("10.0.2.15")) { pg_brick_poll(gen_west, &packet_count, &error); g_assert(!error); g_assert(packet_count == 1); filtered_pkts = pg_brick_west_burst_get(col_east, &filtered_pkts_mask, &error); g_assert(!error); g_assert(pg_mask_count(filtered_pkts_mask) == 1); /* check eth source address */ eth = rte_pktmbuf_mtod(filtered_pkts[0], struct ether_hdr*); pg_scan_ether_addr(&tmp_addr, "08:00:27:b6:05:16"); g_assert(is_same_ether_addr(ð->s_addr, &tmp_addr)); /* check ip source address */ ip = (struct ip *)(eth + 1); g_assert(ip->ip_src.s_addr == inet_addr("10.0.2.15")); } else if (ip->ip_src.s_addr == inet_addr("173.194.40.111")) {
static void firewall_filter_rules(enum pg_side dir) { struct pg_brick *gen; struct pg_brick *fw; struct pg_brick *col; struct pg_error *error = NULL; uint16_t i; int ret; static uint16_t nb = 30; struct rte_mbuf *packets[nb]; uint64_t filtered_pkts_mask; struct rte_mbuf **filtered_pkts; uint64_t bit; uint16_t packet_count; struct ip *ip; struct ether_hdr *eth; /* create and connect 3 bricks: generator -> firewall -> collector */ gen = pg_packetsgen_new("gen", 2, 2, pg_flip_side(dir), packets, nb, &error); g_assert(!error); fw = pg_firewall_new("fw", 2, 2, PG_NONE, &error); g_assert(!error); col = pg_collect_new("col", 2, 2, &error); g_assert(!error); /* revert link if needed */ if (dir == WEST_SIDE) { pg_brick_link(gen, fw, &error); g_assert(!error); pg_brick_link(fw, col, &error); g_assert(!error); } else { pg_brick_link(col, fw, &error); g_assert(!error); pg_brick_link(fw, gen, &error); g_assert(!error); } /* build some UDP packets mixed sources */ for (i = 0; i < nb; i++) switch (i % 3) { case 0: packets[i] = build_ip_packet("10.0.0.1", "10.0.0.255", i); break; case 1: packets[i] = build_ip_packet("10.0.0.2", "10.0.0.255", i); break; case 2: packets[i] = build_ip_packet("10.0.0.3", "10.0.0.255", i); break; } /* configure firewall to allow traffic from 10.0.0.1 */ ret = pg_firewall_rule_add(fw, "src host 10.0.0.1", dir, 0, &error); g_assert(!error); g_assert(ret == 0); ret = pg_firewall_reload(fw, &error); g_assert(ret < 0); g_assert(!error); /* let's burst ! */ pg_brick_poll(gen, &packet_count, &error); g_assert(!error); g_assert(packet_count == nb); /* check collect brick */ if (dir == WEST_SIDE) filtered_pkts = pg_brick_west_burst_get(col, &filtered_pkts_mask, &error); else filtered_pkts = pg_brick_east_burst_get(col, &filtered_pkts_mask, &error); g_assert(!error); g_assert(pg_mask_count(filtered_pkts_mask) == nb / 3); for (; filtered_pkts_mask;) { pg_low_bit_iterate_full(filtered_pkts_mask, bit, i); g_assert(i % 3 == 0); eth = rte_pktmbuf_mtod(filtered_pkts[i], struct ether_hdr*); ip = (struct ip *)(eth + 1); g_assert(ip->ip_src.s_addr == inet_addr("10.0.0.1")); } /* now allow packets from 10.0.0.2 */ ret = pg_firewall_rule_add(fw, "src host 10.0.0.2", dir, 0, &error); g_assert(!error); g_assert(ret == 0); ret = pg_firewall_reload(fw, &error); g_assert(ret < 0); g_assert(!error); /* let it goooo */ pg_brick_poll(gen, &packet_count, &error); g_assert(!error); g_assert(packet_count == nb); /* check collect brick */ if (dir == WEST_SIDE) filtered_pkts = pg_brick_west_burst_get(col, &filtered_pkts_mask, &error); else filtered_pkts = pg_brick_east_burst_get(col, &filtered_pkts_mask, &error); g_assert(!error); g_assert(pg_mask_count(filtered_pkts_mask) == nb * 2 / 3); for (; filtered_pkts_mask;) { pg_low_bit_iterate_full(filtered_pkts_mask, bit, i); g_assert(i % 3 == 0 || i % 3 == 1); eth = rte_pktmbuf_mtod(filtered_pkts[i], struct ether_hdr*); ip = (struct ip *)(eth + 1); g_assert(ip->ip_src.s_addr == inet_addr("10.0.0.1") || ip->ip_src.s_addr == inet_addr("10.0.0.2")); } /* test that flush really blocks */ pg_firewall_rule_flush(fw); ret = pg_firewall_reload(fw, &error); g_assert(!error); g_assert(ret < 0); /* let it goooo */ pg_brick_poll(gen, &packet_count, &error); g_assert(!error); g_assert(packet_count == nb); /* check collect brick */ if (dir == WEST_SIDE) filtered_pkts = pg_brick_west_burst_get(col, &filtered_pkts_mask, &error); else filtered_pkts = pg_brick_east_burst_get(col, &filtered_pkts_mask, &error); g_assert(!error); g_assert(pg_mask_count(filtered_pkts_mask) == 0); /* flush and only allow packets from 10.0.0.2 */ pg_firewall_rule_flush(fw); ret = pg_firewall_rule_add(fw, "src host 10.0.0.2", dir, 0, &error); g_assert(!error); g_assert(ret == 0); ret = pg_firewall_reload(fw, &error); g_assert(ret < 0); g_assert(!error); /* let it goooo */ pg_brick_poll(gen, &packet_count, &error); g_assert(!error); g_assert(packet_count == nb); /* check collect brick */ if (dir == WEST_SIDE) filtered_pkts = pg_brick_west_burst_get(col, &filtered_pkts_mask, &error); else filtered_pkts = pg_brick_east_burst_get(col, &filtered_pkts_mask, &error); g_assert(!error); g_assert(pg_mask_count(filtered_pkts_mask) == nb / 3); for (; filtered_pkts_mask;) { pg_low_bit_iterate_full(filtered_pkts_mask, bit, i); g_assert(i % 3 == 1); eth = rte_pktmbuf_mtod(filtered_pkts[i], struct ether_hdr*); ip = (struct ip *)(eth + 1); g_assert(ip->ip_src.s_addr == inet_addr("10.0.0.2")); } /* flush and make two rules in one */ pg_firewall_rule_flush(fw); ret = pg_firewall_rule_add(fw, "src host (10.0.0.1 or 10.0.0.2)", dir, 0, &error); g_assert(!error); g_assert(ret == 0); ret = pg_firewall_reload(fw, &error); g_assert(ret < 0); g_assert(!error); /* let it goooo */ pg_brick_poll(gen, &packet_count, &error); g_assert(!error); g_assert(packet_count == nb); /* check collect brick */ if (dir == WEST_SIDE) filtered_pkts = pg_brick_west_burst_get(col, &filtered_pkts_mask, &error); else filtered_pkts = pg_brick_east_burst_get(col, &filtered_pkts_mask, &error); g_assert(!error); g_assert(pg_mask_count(filtered_pkts_mask) == nb * 2 / 3); for (; filtered_pkts_mask;) { pg_low_bit_iterate_full(filtered_pkts_mask, bit, i); g_assert(i % 3 == 0 || i % 3 == 1); eth = rte_pktmbuf_mtod(filtered_pkts[i], struct ether_hdr*); ip = (struct ip *)(eth + 1); g_assert(ip->ip_src.s_addr == inet_addr("10.0.0.1") || ip->ip_src.s_addr == inet_addr("10.0.0.2")); } /* flush and revert rules, packets should not pass */ pg_firewall_rule_flush(fw); ret = pg_firewall_rule_add(fw, "src host (10.0.0.1)", pg_flip_side(dir), 0, &error); g_assert(!error); g_assert(ret == 0); ret = pg_firewall_reload(fw, &error); g_assert(ret < 0); g_assert(!error); /* let it goooo */ pg_brick_poll(gen, &packet_count, &error); g_assert(!error); g_assert(packet_count == nb); /* check collect brick */ if (dir == WEST_SIDE) filtered_pkts = pg_brick_west_burst_get(col, &filtered_pkts_mask, &error); else filtered_pkts = pg_brick_east_burst_get(col, &filtered_pkts_mask, &error); g_assert(!error); g_assert(pg_mask_count(filtered_pkts_mask) == 0); /* flush and allow packets from both sides */ pg_firewall_rule_flush(fw); ret = pg_firewall_rule_add(fw, "src host (10.0.0.1)", MAX_SIDE, 0, &error); g_assert(!error); g_assert(ret == 0); ret = pg_firewall_reload(fw, &error); g_assert(ret < 0); g_assert(!error); /* let it goooo */ pg_brick_poll(gen, &packet_count, &error); g_assert(!error); g_assert(packet_count == nb); if (dir == WEST_SIDE) filtered_pkts = pg_brick_west_burst_get(col, &filtered_pkts_mask, &error); else filtered_pkts = pg_brick_east_burst_get(col, &filtered_pkts_mask, &error); g_assert(!error); g_assert(pg_mask_count(filtered_pkts_mask) == nb / 3); for (; filtered_pkts_mask;) { pg_low_bit_iterate_full(filtered_pkts_mask, bit, i); g_assert(i % 3 == 0); eth = rte_pktmbuf_mtod(filtered_pkts[i], struct ether_hdr*); ip = (struct ip *)(eth + 1); g_assert(ip->ip_src.s_addr == inet_addr("10.0.0.1")); } /* inverse generator and collector to test both sides */ pg_brick_unlink(fw, &error); g_assert(!error); if (dir == WEST_SIDE) { pg_brick_link(col, fw, &error); g_assert(!error); pg_brick_link(fw, gen, &error); g_assert(!error); } else { pg_brick_link(gen, fw, &error); g_assert(!error); pg_brick_link(fw, col, &error); g_assert(!error); } /* let it goooo */ pg_brick_poll(gen, &packet_count, &error); g_assert(!error); g_assert(packet_count == nb); if (dir == WEST_SIDE) filtered_pkts = pg_brick_west_burst_get(col, &filtered_pkts_mask, &error); else filtered_pkts = pg_brick_east_burst_get(col, &filtered_pkts_mask, &error); g_assert(!error); g_assert(pg_mask_count(filtered_pkts_mask) == nb / 3); for (; filtered_pkts_mask;) { pg_low_bit_iterate_full(filtered_pkts_mask, bit, i); g_assert(i % 3 == 0); eth = rte_pktmbuf_mtod(filtered_pkts[i], struct ether_hdr*); ip = (struct ip *)(eth + 1); g_assert(ip->ip_src.s_addr == inet_addr("10.0.0.1")); } /* clean */ for (i = 0; i < nb; i++) rte_pktmbuf_free(packets[i]); pg_brick_destroy(gen); pg_brick_destroy(fw); pg_brick_destroy(col); }
int pg_bench_run(struct pg_bench *bench, struct pg_bench_stats *result, struct pg_error **error) { uint64_t bit; uint64_t it_mask; uint64_t i; uint16_t cnt; uint64_t pkts_burst; struct pg_brick_side *side = NULL; struct pg_brick *count_brick; struct pg_bench bl; if (bench == NULL || result == NULL || bench->pkts == NULL || bench->pkts_nb == 0 || bench->max_burst_cnt == 0 || bench->pkts_mask == 0) { *error = pg_error_new("missing or bad bench parameters"); return -1; } /* Link ouput brick to a nop brick to count outcoming packets. */ if (bench->count_brick == NULL) { count_brick = pg_nop_new("nop-bench", error); if (*error) return -1; if (bench->output_side == WEST_SIDE) pg_brick_link(count_brick, bench->output_brick, error); else pg_brick_link(bench->output_brick, count_brick, error); if (*error) return -1; } else { count_brick = bench->count_brick; } /* Set all stats to zero. */ memset(result, 0, sizeof(struct pg_bench_stats)); /* Setup callback to get burst count. */ pkts_burst = 0; switch (bench->input_brick->type) { case PG_MONOPOLE: side = bench->input_brick->sides; break; case PG_DIPOLE: case PG_MULTIPOLE: side = &(bench->input_brick->sides [pg_flip_side(bench->input_side)]); break; default: g_assert(0); break; } side->burst_count_cb = pg_bench_burst_cb; side->burst_count_private_data = (void *)(&pkts_burst); /* Compute average size of packets. */ it_mask = bench->pkts_mask; for (; it_mask;) { pg_low_bit_iterate_full(it_mask, bit, i); result->pkts_average_size += bench->pkts[i]->data_len; } result->pkts_average_size /= bench->pkts_nb; /* Let's run ! */ memcpy(&bl, bench, sizeof(struct pg_bench)); gettimeofday(&result->date_start, NULL); for (i = 0; i < bl.max_burst_cnt; i++) { /* Burst packets. */ pg_brick_burst(bl.input_brick, bl.input_side, 0, bl.pkts, bl.pkts_mask, error); sched_yield(); if (*error) return -1; /* Poll back packets if needed. */ if (bl.output_poll) pg_brick_poll(bl.output_brick, &cnt, error); if (bl.post_burst_op) bl.post_burst_op(bench); } gettimeofday(&result->date_end, NULL); memcpy(bench, &bl, sizeof(struct pg_bench)); result->pkts_sent = bench->max_burst_cnt * bench->pkts_nb; result->burst_cnt = bench->max_burst_cnt; result->pkts_burst = pkts_burst; result->pkts_received = pg_brick_pkts_count_get( count_brick, bench->output_side); if (bench->count_brick == NULL) { pg_brick_unlink(count_brick, error); if (*error) return -1; } return 0; }