diff --git a/docs/Plugins.md b/docs/Plugins.md
index 42ce9507..68e73660 100644
--- a/docs/Plugins.md
+++ b/docs/Plugins.md
@@ -6,15 +6,9 @@ E.g., a plugin could filter traffic before it is processed by a worker, i.e., co
 In LF, to enable a plugin, add its name to the colon-separated list of the CMake variable `LF_PLUGINS`. E.g.:
 ```
-cmake -D LF_PLUGINS=\"bypass:wg_ratelimiter\"
+cmake -D LF_PLUGINS=\"dst_ratelimiter:wg_ratelimiter\"
 ```
-## Bypass (name: bypass)
-
-The bypass plugin forwards network control packets directly without going through the other processing steps. Currently, the following packets are considered network control packets:
-- ARP
-- IPv6 ICMP Neighbor Discovery
-
 ## Host Ratelimiter (name: dst_ratelimiter)
 The host ratelimiter plugin allows to define rate limits for destination addresses.
diff --git a/src/plugins/CMakePlugins.cmake b/src/plugins/CMakePlugins.cmake
index aa87f268..97c93a98 100644
--- a/src/plugins/CMakePlugins.cmake
+++ b/src/plugins/CMakePlugins.cmake
@@ -9,14 +9,6 @@ add_compile_definitions(LF_PLUGINS="${LF_PLUGINS_STRING}")
 message( STATUS ${LF_PLUGINS_STRING})
-if ("bypass" IN_LIST LF_PLUGINS)
- message( STATUS "Plugin Bypass enabled")
- add_compile_definitions(LF_PLUGIN_BYPASS=1)
- target_sources(${EXEC} PRIVATE plugins/bypass.c)
-else()
- add_compile_definitions(LF_PLUGIN_BYPASS=0)
-endif()
-
 if ("wg_ratelimiter" IN_LIST LF_PLUGINS)
 message( STATUS "Plugin WireGuard Ratelimiter enabled")
 add_compile_definitions(LF_PLUGIN_WG_RATELIMITER=1)
diff --git a/src/plugins/bypass.c b/src/plugins/bypass.c
deleted file mode 100644
index 2264f575..00000000
--- a/src/plugins/bypass.c
+++ /dev/null
@@ -1,109 +0,0 @@
-/* SPDX-License-Identifier: BSD-3-Clause
- * Copyright (c) 2021 ETH Zurich
- */
-
-#include
-#include
-
-#include
-#include
-#include
-#include
-#include
-
-#include "../lib/utils/packet.h"
-#include "../worker.h"
-#include "plugins.h"
-
-#define LF_BP_LOG(level, ...) \
- LF_PLUGINS_LOG(level, RTE_FMT("Bypass: " RTE_FMT_HEAD(__VA_ARGS__, ), \
- RTE_FMT_TAIL(__VA_ARGS__, )))
-
-#define LF_BP_LOG_DP(level, ...) \
- LF_PLUGINS_LOG_DP(level, RTE_FMT("Bypass: " RTE_FMT_HEAD(__VA_ARGS__, ), \
- RTE_FMT_TAIL(__VA_ARGS__, )))
-/**
- * The bypass plugin forwards network control packets directly without them
- * going through the other processing steps. Currently, the following packets
- * are considered network control packets:
- * - ARP
- * - IPv6 ICMP Neighboor Discovery
- */
-static inline enum lf_pkt_action
-lf_bp_pre(struct lf_worker_context *worker_context, struct rte_mbuf *m,
- enum lf_pkt_action pkt_action)
-{
- int res;
- struct rte_ether_hdr *ether_hdr;
- struct rte_ipv6_hdr *ipv6_hdr;
- unsigned int offset = 0;
-
- if (pkt_action != LF_PKT_UNKNOWN) {
- return pkt_action;
- }
-
- offset = lf_get_eth_hdr(worker_context, m, offset, ðer_hdr);
- if (offset == 0) {
- return pkt_action;
- }
-
- res = is_arp(worker_context, m, ether_hdr);
- res |= is_ipv6_neighbor_discovery(worker_context, m, ether_hdr, offset);
- if (res > 0) {
- return LF_PKT_UNKNOWN_FORWARD;
- } else if (res < 0) {
- return LF_PKT_UNKNOWN_DROP;
- }
-
- return LF_PKT_UNKNOWN;
-}
-
-static inline int
-is_arp(struct lf_worker_context *worker_context, struct rte_mbuf *m,
- struct rte_ether_hdr *ether_hdr)
-{
- if (rte_be_to_cpu_16(ether_hdr->ether_type) == RTE_ETHER_TYPE_ARP) {
- return 1;
- }
- return 0;
-}
-
-static inline int
-is_ipv6_neighbor_discovery(struct lf_worker_context *worker_context,
- struct rte_mbuf *m, struct rte_ether_hdr *ether_hdr, int offset)
-{
- struct rte_ipv6_hdr *ipv6_hdr;
- struct lf_icmpv6_hdr *icmpv6_hdr;
-
- /* Check EtherType for IPv6 */
- if (rte_be_to_cpu_16(ether_hdr->ether_type) != RTE_ETHER_TYPE_IPV6) {
- return 0;
- }
-
- /* Get IPv6 header */
- offset = lf_get_ipv6_hdr(worker_context, m, offset, &ipv6_hdr);
- if (offset == 0) {
- return -1;
- }
-
- /* Check Next Header for ICMPv6 */
- if (ipv6_hdr->proto != IPPROTO_ICMPV6) {
- return 0;
- }
-
- /* Get ICMPv6 header */
- offset = lf_get_icmpv6_hdr(worker_context, m, offset, &icmpv6_hdr);
- if (offset == 0) {
- return -1;
- }
-
- // Check ICMPv6 Type for Neighbor Discovery
- if (icmpv6_hdr->type == ND_ROUTER_SOLICIT ||
- icmpv6_hdr->type == ND_ROUTER_ADVERT ||
- icmpv6_hdr->type == ND_NEIGHBOR_SOLICIT ||
- icmpv6_hdr->type == ND_NEIGHBOR_ADVERT) {
- return 1;
- }
-
- return 0;
-}
diff --git a/src/plugins/plugins.h b/src/plugins/plugins.h
index 3df5bd60..113e80f9 100644
--- a/src/plugins/plugins.h
+++ b/src/plugins/plugins.h
@@ -62,9 +62,6 @@ lf_plugins_pre(struct lf_worker_context *worker_context, struct rte_mbuf *m,
 enum lf_pkt_action pkt_action)
 {
 enum lf_pkt_action pkt_action_res = pkt_action;
-#if LF_PLUGIN_BYPASS
- pkt_action = lf_bp_pre(worker_context, m, pkt_action);
-#endif
 (void)worker_context;
 (void)m;
diff --git a/tests.sh b/tests.sh
index 36b2ee9c..63d4758e 100755
--- a/tests.sh
+++ b/tests.sh
@@ -118,7 +118,7 @@ fi
 test_label="lf_fw_plugins"
 make_artifacts_dir
-cmake_args="-D LF_WORKER=IPV4 -D LF_DRKEY_FETCHER=MOCK -D LF_PLUGINS=\"bypass:dst_ratelimiter:wg_ratelimiter\""
+cmake_args="-D LF_WORKER=IPV4 -D LF_DRKEY_FETCHER=MOCK -D LF_PLUGINS=\"dst_ratelimiter:wg_ratelimiter\""
 build_test
 test_label="lf_scion_drkey_scion"
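Review bot: The `cmake_args` line for `lf_fw_plugins` now builds only `dst_ratelimiter:wg_ratelimiter`, and nothing visible on this page covers a configuration that still lists `bypass`. The CMake hunk shows plugins being selected by per-name `IN_LIST` checks, so unless unknown names are rejected outside the shown lines, a stale `bypass` entry would configure cleanly. The build would then no longer contain the code that returned `LF_PKT_UNKNOWN_FORWARD` for ARP and IPv6 Neighbor Discovery packets, and the operator would get no signal that this traffic is handled differently. Consider failing the configure step for the removed name in `src/plugins/CMakePlugins.cmake`, e.g. `if ("bypass" IN_LIST LF_PLUGINS)` / `message(FATAL_ERROR "Plugin bypass has been removed")` / `endif()`. docs/Plugins.md should also say how these control packets are treated now that the section is gone.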