第21周:ACL 与流表

字数统计: 1.9k字   |   阅读时长≈ 10分

第21周:ACL 与流表

目标:使用 DPDK ACL 库和精确匹配库实现包过滤,为负载均衡器做访问控制。

1. DPDK ACL 库

1.1 ACL 概念

1
2
3
4
5
6
7
8
9
10
11
ACL(Access Control List)= 一组规则,每条规则匹配一个范围

5 元组规则示例:
  规则 1:允许 TCP 源 10.0.0.0/8 → 目的 192.168.1.0/24 端口 80
  规则 2:拒绝 UDP 源 0.0.0.0/0 → 目的 0.0.0.0/0 端口 23
  规则 3:允许 ICMP 任何 → 任何

ACL 匹配过程:
  输入:5 元组(src_ip, dst_ip, src_port, dst_port, protocol)
  逐条匹配规则
  优先级:最高优先级(priority)的匹配规则决定动作

1.2 ACL 数据结构

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
#include <rte_acl.h>

// ACL 参数
struct rte_acl_ctx *acl_ctx;

// 创建 ACL 上下文
acl_ctx = rte_acl_create(&acl_params);
if (acl_ctx == NULL) {
    printf("Cannot create ACL: %s\n", rte_strerror(rte_errno));
    return -1;
}

// 参数配置
struct rte_acl_config acl_cfg = {
    .num_categories = 1,
    .num_fields = 5,  // 5 元组
};

rte_acl_set_config(acl_ctx, &acl_cfg);

// 添加规则
struct rte_acl_rule_data rule = {
    .priority = 10,    // 优先级(越大越高)
    .category_mask = 1,
};

// 定义 5 个字段的类型
enum {
    RTE_ACL_FIELD_SRC_IP,    // 源 IP(32 bit)
    RTE_ACL_FIELD_DST_IP,    // 目的 IP
    RTE_ACL_FIELD_SRC_PORT,  // 源端口(16 bit)
    RTE_ACL_FIELD_DST_PORT,  // 目的端口
    RTE_ACL_FIELD_PROTO,     // 协议(8 bit)
    RTE_ACL_FIELD_MAX,
};

// 字段定义
struct rte_acl_field fields[RTE_ACL_FIELD_MAX] = {
    [RTE_ACL_FIELD_SRC_IP] = {
        .value = {.mask_u32 = 0xFFFFFFFF, .value_u32 = src_ip},
        .mask = {.mask_u32 = 0xFFFFFFFF},
        .type = RTE_ACL_FIELD_TYPE_UINT32,
    },
    [RTE_ACL_FIELD_DST_IP] = {
        .value = {.mask_u32 = 0xFFFFFF00, .value_u32 = dst_ip & 0xFFFFFF00},
        .mask = {.mask_u32 = 0xFFFFFF00},
        .type = RTE_ACL_FIELD_TYPE_UINT32,
    },
    [RTE_ACL_FIELD_SRC_PORT] = {
        .value = {.mask_u16 = 0xFFFF, .value_u16 = src_port},
        .mask = {.mask_u16 = 0xFFFF},
        .type = RTE_ACL_FIELD_TYPE_UINT16,
    },
    [RTE_ACL_FIELD_DST_PORT] = {
        .value = {.mask_u16 = 0xFFFF, .value_u16 = dst_port},
        .mask = {.mask_u16 = 0xFFFF},
        .type = RTE_ACL_FIELD_TYPE_UINT16,
    },
    [RTE_ACL_FIELD_PROTO] = {
        .value = {.mask_u8 = 0xFF, .value_u8 = proto},
        .mask = {.mask_u8 = 0xFF},
        .type = RTE_ACL_FIELD_TYPE_UINT8,
    },
};

// 添加规则
int ret = rte_acl_add_rule(acl_ctx, &rule, fields, RTE_ACL_FIELD_MAX);
if (ret != 0) {
    printf("Cannot add rule: %d\n", ret);
    return -1;
}

// 构建 ACL(优化内部结构)
rte_acl_build(acl_ctx);

// 匹配
uint32_t result[RTE_ACL_RESULTS_MAX];
struct rte_acl_parsed_params parsed = {0};
struct rte_acl_search search;

// 输入数据(5 元组)
uint8_t data[5] = {
    src_ip,       // 32 bit 分 4 bytes
    dst_ip,       // 32 bit
    src_port >> 8, src_port & 0xFF,  // 16 bit
    dst_port >> 8, dst_port & 0xFF,  // 16 bit
    proto,        // 8 bit
};

int nb_results = rte_acl_classify(acl_ctx, &data, result, 1, 1);

2. DPDK Hash 库(精确匹配)

2.1 哈希表基础

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
#include <rte_hash.h>

// 创建哈希表(精确匹配)
struct rte_hash *hash = rte_hash_create(&params);

struct rte_hash_parameters params = {
    .name = "FLOW_HASH",         // 名称
    .entries = 1024 * 1024,      // 条目数(必须是 2^n)
    .key_len = sizeof(struct flow_key),  // key 大小
    .hash_func = rte_jhash,      // 哈希函数
    .hash_func_init_val = 0,     // 初始值
    .socket_id = SOCKET_ID_ANY,
};

struct flow_key {
    uint32_t src_ip;
    uint32_t dst_ip;
    uint16_t src_port;
    uint16_t dst_port;
    uint8_t  proto;
} __rte_packed;

// 插入
struct flow_entry *entry = rte_zmalloc(NULL, sizeof(*entry), 0);
entry->out_port = 1;
entry->action = RTE_ACL_ACTION_PERMIT;

int ret = rte_hash_add_key_data(hash, &key, entry);

// 查找
struct flow_entry **found;
int ret = rte_hash_lookup_data(hash, &key, (void **)&found);
if (ret >= 0) {
    printf("Found: out_port=%d\n", (*found)->out_port);
} else {
    printf("Not found\n");
}

// 删除
rte_hash_del_key(hash, &key);

2.2 五元组流表

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
struct flow_entry {
    struct flow_key key;
    uint16_t out_port;
    uint32_t action;     // 0=DROP, 1=FORWARD
    uint64_t packets;    // 匹配到的包数
    uint64_t bytes;      // 总字节数
    uint64_t first_ts;   // 首次匹配时间
    uint64_t last_ts;    // 最后匹配时间
};

struct flow_table {
    struct rte_hash *hash;
    struct rte_mempool *entry_pool;
};

struct flow_table *flow_table_create(void) {
    struct flow_table *ft = rte_zmalloc(NULL, sizeof(*ft), 0);

    // 创建哈希表
    struct rte_hash_parameters hp = {
        .name = "FLOW_TABLE",
        .entries = 1 << 20,   // 1M entries
        .key_len = sizeof(struct flow_key),
        .hash_func = rte_jhash,
        .hash_func_init_val = 0,
        .socket_id = SOCKET_ID_ANY,
    };
    ft->hash = rte_hash_create(&hp);

    // 创建条目池
    ft->entry_pool = rte_mempool_create("FLOW_ENTRY",
                                         1 << 20,
                                         sizeof(struct flow_entry),
                                         256, 0, NULL, NULL, NULL,
                                         SOCKET_ID_ANY);
    return ft;
}

// 匹配
int flow_match(struct flow_table *ft, struct rte_mbuf *m,
               uint16_t *out_port) {
    struct rte_ipv4_hdr *ip;
    struct rte_tcp_hdr *tcp;
    struct rte_udp_hdr *udp;
    struct flow_key key = {0};
    struct flow_entry **entry;
    int ret;

    ip = (struct rte_ipv4_hdr *)(rte_pktmbuf_mtod(m, char *) + sizeof(struct rte_ether_hdr));

    key.src_ip = ip->src_addr;
    key.dst_ip = ip->dst_addr;
    key.proto = ip->next_proto_id;

    if (ip->next_proto_id == IPPROTO_TCP) {
        tcp = (struct rte_tcp_hdr *)((uint8_t *)ip + rte_ipv4_hdr_len(ip));
        key.src_port = tcp->src_port;
        key.dst_port = tcp->dst_port;
    } else if (ip->next_proto_id == IPPROTO_UDP) {
        udp = (struct rte_udp_hdr *)((uint8_t *)ip + rte_ipv4_hdr_len(ip));
        key.src_port = udp->src_port;
        key.dst_port = udp->dst_port;
    }

    ret = rte_hash_lookup_data(ft->hash, &key, (void **)&entry);
    if (ret >= 0) {
        *out_port = (*entry)->out_port;
        (*entry)->packets++;
        (*entry)->last_ts = rte_rdtsc();
        return (*entry)->action;
    }

    return ACTION_MISS;  // 未匹配
}

// 插入流
int flow_insert(struct flow_table *ft, struct flow_key *key,
                uint16_t out_port, uint32_t action) {
    struct flow_entry *entry = rte_mempool_get(ft->entry_pool, NULL);
    if (!entry) return -ENOMEM;

    entry->key = *key;
    entry->out_port = out_port;
    entry->action = action;
    entry->packets = 0;
    entry->first_ts = rte_rdtsc();

    return rte_hash_add_key_data(ft->hash, key, entry);
}

3. ACL 规则示例

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
// acl_rules.c — ACL 规则定义

// 规则 1:允许 TCP 目的端口 80(HTTP)
struct rte_acl_rule allow_http = {
    .priority = 10,
    .data = {.permit = 1},
};
// 匹配:proto=TCP, dst_port=80

// 规则 2:拒绝 Telnet(TCP 23)
struct rte_acl_rule deny_telnet = {
    .priority = 20,
    .data = {.drop = 1},
};
// 匹配:proto=TCP, dst_port=23

// 规则 3:允许内网互访
struct rte_acl_rule allow_internal = {
    .priority = 5,
    .data = {.permit = 1},
};
// 匹配:src ∈ 10.0.0.0/8 AND dst ∈ 10.0.0.0/8

// 规则 4:默认拒绝
struct rte_acl_rule default_drop = {
    .priority = 0,
    .data = {.drop = 1},
};
// 匹配:任何

4. 在转发器上集成 ACL

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
// 将 ACL 集成到 L3 转发器中
static int acl_check(struct rte_mbuf *m) {
    struct rte_ipv4_hdr *ip;
    struct rte_tcp_hdr *tcp;
    struct rte_udp_hdr *udp;
    uint32_t results[1];

    ip = (struct rte_ipv4_hdr *)(rte_pktmbuf_mtod(m, char *) + sizeof(struct rte_ether_hdr));

    // 准备匹配数据
    uint8_t data[16];
    rte_memcpy(data, &ip->src_addr, 4);
    rte_memcpy(data + 4, &ip->dst_addr, 4);

    if (ip->next_proto_id == IPPROTO_TCP) {
        tcp = (struct rte_tcp_hdr *)((uint8_t *)ip + rte_ipv4_hdr_len(ip));
        rte_memcpy(data + 8, &tcp->src_port, 2);
        rte_memcpy(data + 10, &tcp->dst_port, 2);
        data[12] = IPPROTO_TCP;
    } else if (ip->next_proto_id == IPPROTO_UDP) {
        udp = (struct rte_udp_hdr *)((uint8_t *)ip + rte_ipv4_hdr_len(ip));
        rte_memcpy(data + 8, &udp->src_port, 2);
        rte_memcpy(data + 10, &udp->dst_port, 2);
        data[12] = IPPROTO_UDP;
    } else {
        data[12] = ip->next_proto_id;
    }
    data[13] = 0;
    data[14] = 0;
    data[15] = 0;

    // 匹配
    int nb = rte_acl_classify(acl_ctx, &data, results, 1, 1);
    if (nb > 0) {
        return results[0];  // 返回动作(permit/drop)
    }

    return ACTION_MISS;  // 未匹配,走默认策略
}

5. 实践:五元组包过滤转发器

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
// acl_fwd.c — 带 ACL 过滤的 L3 转发器
#include <rte_eal.h>
#include <rte_ethdev.h>
#include <rte_mbuf.h>
#include <rte_ip.h>
#include <rte_ether.h>
#include <rte_acl.h>
#include <rte_hash.h>
#include <rte_jhash.h>

#define NB_MBUF    65536
#define NB_RULES   256
#define MAX_RULES  1024

struct acl_fwd_ctx {
    struct rte_acl_ctx *acl;
    struct rte_hash *flow_hash;  // 缓存(加速已匹配的流)
    struct rte_mempool *mbuf_pool;
};

// 初始化 ACL
static int acl_init(struct acl_fwd_ctx *ctx) {
    struct rte_acl_ctx *acl;
    struct rte_acl_config cfg;

    // 定义 5 个字段
    struct rte_acl_field acl_fields[5] = {
        // 源 IP(32 bit,范围匹配)
        {
            .type = RTE_ACL_FIELD_TYPE_UINT32,
            .size = 32,
            .offset = 0,  // data[0..3]
        },
        // 目的 IP(32 bit)
        {
            .type = RTE_ACL_FIELD_TYPE_UINT32,
            .size = 32,
            .offset = 4,  // data[4..7]
        },
        // 源端口(16 bit)
        {
            .type = RTE_ACL_FIELD_TYPE_UINT16,
            .size = 16,
            .offset = 8,  // data[8..9]
        },
        // 目的端口(16 bit)
        {
            .type = RTE_ACL_FIELD_TYPE_UINT16,
            .size = 16,
            .offset = 10, // data[10..11]
        },
        // 协议(8 bit)
        {
            .type = RTE_ACL_FIELD_TYPE_UINT8,
            .size = 8,
            .offset = 12, // data[12]
        },
    };

    acl = rte_acl_create(&(struct rte_acl_param){
        .name = "ACL_FWD",
        .socket_id = SOCKET_ID_ANY,
        .rule_size = RTE_ACL_RULE_SZ(sizeof(uint8_t)),
    });
    if (!acl) return -1;

    cfg.num_categories = 1;
    cfg.num_fields = 5;
    rte_acl_set_config(acl, &cfg);

    ctx->acl = acl;

    // 创建流缓存哈希表
    ctx->flow_hash = rte_hash_create(&(struct rte_hash_parameters){
        .name = "FLOW_CACHE",
        .entries = 1 << 20,
        .key_len = sizeof(struct flow_key),
        .hash_func = rte_jhash,
        .socket_id = SOCKET_ID_ANY,
    });

    return 0;
}

// 包处理
static int acl_fwd_process(struct acl_fwd_ctx *ctx, struct rte_mbuf *m,
                            uint16_t in_port) {
    struct rte_ether_hdr *eth;
    struct rte_ipv4_hdr *ip;
    uint32_t result;
    uint8_t data[16];

    eth = rte_pktmbuf_mtod(m, struct rte_ether_hdr *);
    if (eth->ether_type != rte_cpu_to_be_16(RTE_ETHER_TYPE_IPv4)) {
        return -1;  // 只处理 IPv4
    }

    ip = (struct rte_ipv4_hdr *)(eth + 1);

    // 检查流缓存
    struct flow_key key = {
        .src_ip = ip->src_addr,
        .dst_ip = ip->dst_addr,
        .src_port = 0,
        .dst_port = 0,
        .proto = ip->next_proto_id,
    };

    // 获取端口信息
    if (key.proto == IPPROTO_TCP || key.proto == IPPROTO_UDP) {
        uint8_t *l4 = (uint8_t *)ip + rte_ipv4_hdr_len(ip);
        key.src_port = *(uint16_t *)l4;
        key.dst_port = *(uint16_t *)(l4 + 2);
    }

    struct flow_entry **fe;
    int ret = rte_hash_lookup_data(ctx->flow_hash, &key, (void **)&fe);
    if (ret >= 0) {
        // 缓存命中
        (*fe)->packets++;
        // TODO: 转发到 (*fe)->out_port
        return 0;
    }

    // ACL 匹配
    rte_memcpy(data, &ip->src_addr, 4);
    rte_memcpy(data + 4, &ip->dst_addr, 4);
    rte_memcpy(data + 8, &key.src_port, 2);
    rte_memcpy(data + 10, &key.dst_port, 2);
    data[12] = key.proto;
    data[13] = data[14] = data[15] = 0;

    ret = rte_acl_classify(ctx->acl, &data, &result, 1, 1);
    if (ret <= 0) {
        return -1;  // 无匹配 → 丢弃
    }

    // 缓存结果
    struct flow_entry *entry = rte_mempool_get(
        ctx->entry_pool, NULL);
    if (entry) {
        entry->key = key;
        entry->action = result;
        rte_hash_add_key_data(ctx->flow_hash, &key, entry);
    }

    // TODO: 根据 result 转发
    return 0;
}

6. 编译

1
2
3
4
5
gcc -o acl_fwd acl_fwd.c \
    -I dpdk/build/include \
    -L dpdk/build/lib \
    -Wl,--whole-archive -ldpdk -Wl,--no-whole-archive \
    -lpthread -lm -ldl
1
2
./acl_fwd -l 0-3 --socket-mem 1024 -p 0x3 -- \
    --config "(0,0,C)(1,0,C)"

谢谢你请我吃糖果

支付宝
微信

扫一扫,分享到微信

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia-plus根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

主要涉及技术:
Java后端开发、Linux开发、
公众号开发、开源爱好者、Linux

联系QQ:562054870