Remove virtual service sync isolation rules

Author: PlagueCZ

include/dp_virtsvc.h

@@ -105,7 +105,6 @@ void dp_virtsvc_free(void);
 
 size_t dp_virtsvc_get_count(void);
 
-int dp_install_virtsvc_sync_isolation_rules(uint16_t port_id);
 uint16_t dp_create_virtsvc_async_isolation_rules(uint16_t port_id,
 												 struct rte_flow_template_table *template_table);
 void dp_destroy_virtsvc_async_isolation_rules(uint16_t port_id);

include/rte_flow/dp_rte_flow_init.h

@@ -0,0 +1,19 @@
+// SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and IronCore contributors
+// SPDX-License-Identifier: Apache-2.0
+
+#ifndef __INCLUDE_DP_RTE_FLOW_ISOLATION_H__
+#define __INCLUDE_DP_RTE_FLOW_ISOLATION_H__
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include <stdint.h>
+
+int dp_install_isolated_mode(uint16_t port_id);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif

include/rte_flow/dp_rte_flow_isolation.h

@@ -20,7 +20,7 @@
 #include "rte_flow/dp_rte_async_flow_template.h"
 #include "rte_flow/dp_rte_flow.h"
 #include "rte_flow/dp_rte_flow_capture.h"
-#include "rte_flow/dp_rte_flow_init.h"
+#include "rte_flow/dp_rte_flow_isolation.h"
 
 #define DP_PORT_INIT_PF true
 #define DP_PORT_INIT_VF false
@@ -425,18 +425,6 @@ void dp_ports_free(void)
 }
 
 
-static int dp_port_install_sync_isolated_mode(uint16_t port_id)
-{
-	DPS_LOG_INFO("Init isolation flow rules");
-	if (DP_FAILED(dp_install_isolated_mode_ipip(port_id)))
-		return DP_ERROR;
-#ifdef ENABLE_VIRTSVC
-	return dp_install_virtsvc_sync_isolation_rules(port_id);
-#else
-	return DP_OK;
-#endif
-}
-
 static int dp_port_bind_port_hairpins(const struct dp_port *port)
 {
 	// two pf port's hairpins are bound when processing the second port
@@ -562,9 +550,11 @@ static int dp_init_port(struct dp_port *port)
 			if (DP_FAILED(dp_port_create_default_pf_async_templates(port))
 				|| DP_FAILED(dp_port_install_async_isolated_mode(port)))
 				return DP_ERROR;
-		} else
-			if (DP_FAILED(dp_port_install_sync_isolated_mode(port->port_id)))
+		} else {
+			DPS_LOG_INFO("Init isolation flow rules");
+			if (DP_FAILED(dp_install_isolated_mode(port->port_id)))
 				return DP_ERROR;
+		}
 	}
 
 	if (dp_conf_is_offload_enabled()) {

src/dp_port.c

@@ -13,7 +13,6 @@
 #include "dp_log.h"
 #include "dp_multi_path.h"
 #include "dp_util.h"
-#include "rte_flow/dp_rte_flow_init.h"
 #include "rte_flow/dp_rte_async_flow.h"
 #include "rte_flow/dp_rte_async_flow_isolation.h"
 
@@ -224,23 +223,6 @@ size_t dp_virtsvc_get_count(void)
 }
 
 
-int dp_install_virtsvc_sync_isolation_rules(uint16_t port_id)
-{
-	int ret;
-
-	DP_FOREACH_VIRTSVC(&dp_virtservices, service) {
-		ret = dp_install_isolated_mode_virtsvc(port_id,
-											   service->proto,
-											   &service->service_addr,
-											   service->service_port);
-		if (DP_FAILED(ret)) {
-			DPS_LOG_ERR("Cannot create isolation rule", DP_LOG_VIRTSVC(service), DP_LOG_RET(ret));
-			return DP_ERROR;
-		}
-	}
-	return DP_OK;
-}
-
 uint16_t dp_create_virtsvc_async_isolation_rules(uint16_t port_id,
 												 struct rte_flow_template_table *template_table)
 {

src/dp_virtsvc.c

@@ -32,13 +32,13 @@ dp_sources = [
   'nodes/rx_periodic_node.c',
   'nodes/snat_node.c',
   'nodes/tx_node.c',
-  'rte_flow/dp_rte_flow.c',
-  'rte_flow/dp_rte_flow_capture.c',
-  'rte_flow/dp_rte_flow_init.c',
-  'rte_flow/dp_rte_flow_traffic_forward.c',
   'rte_flow/dp_rte_async_flow.c',
   'rte_flow/dp_rte_async_flow_isolation.c',
   'rte_flow/dp_rte_async_flow_template.c',
+  'rte_flow/dp_rte_flow.c',
+  'rte_flow/dp_rte_flow_capture.c',
+  'rte_flow/dp_rte_flow_isolation.c',
+  'rte_flow/dp_rte_flow_traffic_forward.c',
   'dp_argparse.c',
   'dp_cntrack.c',
   'dp_conf.c',

src/meson.build

@@ -8,7 +8,6 @@
 #include "dp_log.h"
 #include "dp_port.h"
 #include "monitoring/dp_monitoring.h"
-#include "rte_flow/dp_rte_flow_init.h"
 
 
 static int dp_send_event_msg(const struct dp_event_msg *msg)

src/monitoring/dp_event.c

@@ -12,7 +12,6 @@
 #include "dpdk_layer.h"
 #include "monitoring/dp_graphtrace_shared.h"
 #include "monitoring/dp_pcap.h"
-#include "rte_flow/dp_rte_flow_init.h"
 #include "rte_flow/dp_rte_flow.h"
 #include "monitoring/dp_event.h"
 

src/monitoring/dp_graphtrace.c

@@ -0,0 +1,50 @@
+// SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and IronCore contributors
+// SPDX-License-Identifier: Apache-2.0
+
+#include "rte_flow/dp_rte_flow_isolation.h"
+
+#include "dp_error.h"
+#include "dp_log.h"
+#include "rte_flow/dp_rte_flow_helpers.h"
+#include "dp_conf.h"
+#include "monitoring/dp_monitoring.h"
+
+static const struct rte_flow_attr dp_flow_attr_prio_ingress = {
+	.group = 0,
+	.priority = 1,
+	.ingress = 1,
+	.egress = 0,
+	.transfer = 0,
+};
+
+
+int dp_install_isolated_mode(uint16_t port_id)
+{
+	struct rte_flow_item_eth eth_spec;   // #1
+	struct rte_flow_item_ipv6 ipv6_spec; // #2
+	struct rte_flow_item pattern[3];     // + end
+	int pattern_cnt = 0;
+	struct rte_flow_action_queue queue_action; // #1
+	struct rte_flow_action action[2];          // + end
+	int action_cnt = 0;
+	union dp_ipv6 ul_addr6;
+
+	ul_addr6._ul.prefix = dp_conf_get_underlay_ip()->_prefix;
+	ul_addr6._ul.kernel = htons(DP_UNDERLAY_KERNEL_BYTES);
+
+	// create match pattern: IP in IPv6 tunnel packets
+	dp_set_eth_flow_item(&pattern[pattern_cnt++], &eth_spec, htons(RTE_ETHER_TYPE_IPV6));
+	dp_set_ipv6_dst_pfx68_flow_item(&pattern[pattern_cnt++], &ipv6_spec, &ul_addr6);
+	dp_set_end_flow_item(&pattern[pattern_cnt++]);
+
+	// create flow action: allow packets to enter dp-service packet queue
+	dp_set_redirect_queue_action(&action[action_cnt++], &queue_action, 0);
+	dp_set_end_action(&action[action_cnt++]);
+
+	if (!dp_install_rte_flow(port_id, &dp_flow_attr_prio_ingress, pattern, action))
+		return DP_ERROR;
+
+	DPS_LOG_DEBUG("Installed IPIP isolation flow rule", DP_LOG_PORTID(port_id));
+	return DP_OK;
+}
+