DPDK中ACL(Access Control List)的学习（基于5元组增加MAC）

最新推荐文章于 2022-11-25 14:13:09 发布

原创

最新推荐文章于 2022-11-25 14:13:09 发布 · 4.8k 阅读

30 ·

CC 4.0 BY-SA版权

本文深入解析DPDK中的ACL模块，阐述其数据包分类功能及N元组规则定义，包括规则类型的详细说明，如掩码、范围和比特掩码，以及字段大小、索引和偏移量的含义。同时，介绍了如何创建、添加规则、构建运行时结构和执行报文分类，最后展示了基于IPv4五元组和MAC地址的规则示例。

该文章已生成可运行项目，

DPDK ACL源网页

ACL原理：
DPDK中的ACL(Access Control List)模块提供了数据包分类功能，Packet Classification and Access Control中所述：

The DPDK provides an Access Control library that gives the ability to classify an input packet based on a set of classification rules.
The ACL library is used to perform an N-tuple search over a set of rules with multiple categories and find the best match (highest priority) for each category. The library API provides the following basic operations:
Create a new Access Control (AC) context.
Add rules into the context.
For all rules in the context, build the runtime structures necessary to perform packet classification.
Perform input packet classifications.
Destroy an AC context and its runtime structures and free the associated memory.

就是事先定义一些基于数据包N元组的规则，每一个规则都有一个优先级，并且归属到一个或多个不同类别;然后对输入的数据包进行规则检查，如果该数据包满足一个类别里的某些规则，返回结果是其中优先级最高的那个，如果类别中的规则都不满足就返回0.

ACL库用来在一系列规则上执行N元组查找，可以实现多个分类和对每个分类查找最佳匹配（最高优先级），ACL库的api提供如下基本操作：

创建一个新的访问控制（AC）环境实例（context）
添加规则到这个环境实例
为这个实例里所有的规则，创建必需的运行时结构体来指针报文分类
执行接收报文分类
删除AC环境实例和对应的运行时结构体，并释放内存

规则定义
ACL的规则是基于N元组的，对N元组内的每一个字段来设置具体的规则内容.其字段定义如下：

rte_acl.h:
/**
 * ACL Field definition.
 * Each field in the ACL rule has an associate definition.
 * It defines the type of field, its size, its offset in the input buffer,
 * the field index, and the input index.
 * For performance reasons, the inner loop of the search function is unrolled
 * to process four input bytes at a time. This requires the input to be grouped
 * into sets of 4 consecutive bytes. The loop processes the first input byte as
 * part of the setup and then subsequent bytes must be in groups of 4
 * consecutive bytes.
 */
struct rte_acl_field_def {
   
   
	uint8_t  type;        /**< type - RTE_ACL_FIELD_TYPE_*. */
	uint8_t	 size;        /**< size of field 1,2,4, or 8. */
	uint8_t	 field_index; /**< index of field inside the rule. */
	uint8_t  input_index; /**< 0-N input index. */
	uint32_t offset;      /**< offset to start of field. */
};

各字段的意义：

type:该字段的规则类型，共有3种取值：
RTE_ACL_FIELD_TYPE_MASK: 字段值+掩码，典型的例子是带掩码的IP地址
RTE_ACL_FIELD_TYPE_RANGE: 字段值在一个范围内，典型例子是段口号范围
RTE_ACL_FIELD_TYPE_BITMASK: 字段值由掩码指定的的几个比特位表示，典型例子是协议号
size:该字段的大小，可以是1,2,4,8个字节，不可以随意设置，原因见后面
field_index: 该字段是第几个字段
input_index: 该字段属于那个分组，
offset: 该字段的偏移量
需要注意的是，基于优化考虑，DPDK在内部实现时对输入的N元组数据进行4字节分组(group)，
了解了ACL字段之后，我们就可以对具体的N元组定义规则了。以IPv4的5元组加MAC地址为例：

enum {
   
   
	PROTO_FIELD_IPV4,
	DMAC1_FIELD_IPV4,
	DMAC2_FIELD_IPV4,
	SMAC1_FIELD_IPV4,
	SMAC2_FIELD_IPV4,
	SRC_FIELD_IPV4,
	DST_FIELD_IPV4,
	SRCP_FIELD_IPV4,
	DSTP_FIELD_IPV4,
	NUM_FIELDS_IPV4
};

/*
 * That effectively defines order of IPV4VLAN classifications:
 *  - PROTO
 *  - VLAN (TAG and DOMAIN)
 *  - SRC IP ADDRESS
 *  - DST IP ADDRESS
 *  - PORTS (SRC and DST)
 */
enum {
   
   
	RTE_ACL_IPV4VLAN_PROTO,
	RTE_ACL_IPV4VLAN_MAC1,
	RTE_ACL_IPV4VLAN_MAC2,
	RTE_ACL_IPV4VLAN_MAC3,
	//RTE_ACL_IPV4VLAN_VLAN,
	RTE_ACL_IPV4VLAN_SRC,
	RTE_ACL_IPV4VLAN_DST,
	RTE_ACL_IPV4VLAN_PORTS,
	RTE_ACL_IPV4VLAN_NUM
};
	
struct rte_acl_field_def ipv4_defs[NUM_FIELDS_IPV4] = {
   
   

	{
   
   
		.type = RTE_ACL_FIELD_TYPE_BITMASK,
		.size = sizeof(uint8_t),
		.field_index = PROTO_FIELD_IPV4,
		.input_index = RTE_ACL_IPV4VLAN_PROTO,
		.offset = sizeof(struct ether_hdr) + offsetof(struct ipv4_hdr, next_proto_id),
	},

	{
   
   
		.type = RTE_ACL_FIELD_TYPE_MASK,
		.size = sizeof(uint32_t),
		.field_index = DMAC1_FIELD_IPV4,
		.input_index = RTE_ACL_IPV4VLAN_MAC1,
		.offset = 0,
	},	
	{
   
   
		.type = RTE_ACL_FIELD_TYPE_MASK,
		.size = sizeof(uint16_t),
		.field_index = DMAC2_FIELD_IPV4,
		.input_index = RTE_ACL_IPV4VLAN_MAC2,
		.offset = sizeof(uint32_t),
	},	
	{
   
   
		.type = RTE_ACL_FIELD_TYPE_MASK,
		.size = sizeof(uint16_t),
		.field_index = SMAC1_FIELD_IPV4,
		.input_index = RTE_ACL_IPV4VLAN_MAC2,
		.offset = sizeof(uint32_t) + sizeof(uint16_t),
	},	
	{
   
   
		.type = RTE_ACL_FIELD_TYPE_MASK,
		.size = sizeof(uint32_t),
		.field_index = SMAC2_FIELD_IPV4,
		.input_index = RTE_ACL_IPV4VLAN_MAC3,
		.offset = sizeof(uint32_t) + sizeof(uint16_t) + sizeof(uint16_t) ,
	},	
	{
   
   
		.type = RTE_ACL_FIELD_TYPE_MASK,
		.size = sizeof(uint32_t),
		.field_index = SRC_FIELD_IPV4,
		.input_index = RTE_ACL_IPV4VLAN_SRC,
		.offset = offsetof(struct ipv4_hdr, src_addr)+sizeof(struct ether_hdr),
	},
	{
   
   
		.type = RTE_ACL_FIELD_TYPE_MASK,
		.size = sizeof(uint32_t),
		.field_index = DST_FIELD_IPV4,
		.input_index = RTE_ACL_IPV4VLAN_DST,
		.offset = offsetof(struct ipv4_hdr, dst_addr)+sizeof(struct ether_hdr),
	},
	{
   
   
		.type = RTE_ACL_FIELD_TYPE_RANGE,
		.size = sizeof(uint16_t),
		.field_index = SRCP_FIELD_IPV4,
		.input_index = RTE_ACL_IPV4VLAN_PORTS,
		.offset = sizeof(struct ipv4_hdr) +sizeof(struct ether_hdr),
	},
	{
   
   
		.type = RTE_ACL_FIELD_TYPE_RANGE,
		.size = sizeof(uint16_t),
		.field_index = DSTP_FIELD_IPV4,
		.input_index = RTE_ACL_IPV4VLAN_PORTS,
		.offset = sizeof(struct ipv4_hdr) +
			sizeof(uint16_t)+sizeof(struct ether_hdr),
	},
};

注意事项：
第0个字段要求必须是1字节(size为1)，属于第0组(input_field为0)，后面每4字节算作一组，所以除了第0个字段以外，其余字段的size必须要能凑成4字节来进行分组。

最后，使用宏RTE_ACL_RULE_DEF定义rule结构体：

RTE_ACL_RULE_DEF(acl4_rule, RTE_DIM(ipv4_defs));

该宏的定义如下：

rte_acl.h:
#define	RTE_ACL_RULE_DEF(name, fld_num)	struct name {\
	struct rte_acl_rule_data data;               \
	struct rte_acl_field field[fld_num];         \
}

这样，我们的ipv4规则就被定义为struct acl4_rule。

规则编写
有了规则定义，就可以按照需求编写具体的规则。在实际应用中，分类规则一般是由配置文件等方式按需配置 详细代码可查看 dpdk\software\src\examples\l3fwd-acl 下的main.c

static int
parse_cb_ipv4vlan_rule(char *str, struct rte_acl_rule *v, int has_userdata)
{
   
   
	int i, rc;
	char *s, *sp, *in[CB_FLD_NUM];
	static const char *dlm = " \t\n";
	int dim = has_userdata ? CB_FLD_NUM : CB_FLD_USERDATA;
	s = str;
	//printf("rule: %s,dim = %d\n",s,dim);

	for (i = 0; i != dim; i++, s = NULL) {
   
   
		in[i] = strtok_r(s, dlm, &sp);
		if (in[i] == NULL)
			return -EINVAL;
	}
	
	
	rc = parse_mac_addr(in[CB_FLD_DMAC_ADDR],
			&v->field[DMAC1_FIELD_IPV4].value.u32,&v->field[DMAC2_FIELD_IPV4].value.u16);
	v->field[DMAC1_FIELD_IPV4].mask_range.u32 = 32;
	v->field[DMAC2_FIELD_IPV4].mask_range.u16 = 16;
	if (rc != 0) 
	{
   
   
		printf("failed to read DMAC address/mask: %s\n",in[CB_FLD_DMAC_ADDR]);
		return rc;
	}
	rc = parse_Smac_addr(in[CB_FLD_SMAC_ADDR],
			&v->field[SMAC2_FIELD_IPV4].value.u32,&v->field[SMAC1_FIELD_IPV4].value.u16);
	v->field[SMAC2_FIELD_IPV4].mask_range.u32 = 32;
	v->field[SMAC1_FIELD_IPV4].mask_range.u16 = 16;
	if (rc != 0) {
   
   
			printf("failed to read SMAC address/mask: %s\n",
			in[CB_FLD_SMAC_ADDR]);
		return rc;
	}
	
	rc = parse_ipv4_net(in[CB_FLD_SRC_ADDR],
			&v->field[SRC_FIELD_IPV4].value.u32,
			&v->field[SRC_FIELD_IPV4].mask_range.u32);
	if (rc != 0) {
   
   
			printf("failed to read source address/mask: %s\n",
			in[CB_FLD_SRC_ADDR]);
		return rc;
	}

	rc = parse_ipv4_net(in[CB_FLD_DST_ADDR],
			&v->field[DST_FIELD_IPV4].value.u32,
			&v->field[DST_FIELD_IPV4].mask_range.u32);
	if (rc != 0) {
   
   
		printf("failed to read destination address/mask: %s\n",
			in[CB_FLD_DST_ADDR]);
		return rc;
	}

	GET_CB_FIELD(in[CB_FLD_SRC_PORT_LOW],
		v->field[SRCP_FIELD_IPV4].value.u16,
		0, UINT16_MAX, 0);
	GET_CB_FIELD(in[CB_FLD_SRC_PORT_HIGH],
		v->field[SRCP_FIELD_IPV4].mask_range.u16,
		0, UINT16_MAX, 0);

	if (strncmp(in[CB_FLD_SRC_PORT_DLM], cb_port_delim,
			sizeof(cb_port_delim)) != 0)
		return -EINVAL;

	GET_CB_FIELD(in[CB_FLD_DST_PORT_LOW],
		v->field[DSTP_FIELD_IPV4].value.u16,
		0, UINT16_MAX, 0);
	GET_CB_FIELD(in[CB_FLD_DST_PORT_HIGH],
		v->field[DSTP_FIELD_IPV4].mask_range.u16,
		0, UINT16_MAX, 0);

	if (strncmp(in[CB_FLD_DST_PORT_DLM], cb_port_delim,
			sizeof(cb_port_delim)) != 0)
		return -EINVAL;

	if (v->field[SRCP_FIELD_IPV4].mask_range.u16
			< v->field[SRCP_FIELD_IPV4].value.u16
			|| v->field[DSTP_FIELD_IPV4].mask_range.u16
			< v->field[DSTP_FIELD_IPV4].value.u16)
		return -EINVAL;

	GET_CB_FIELD(in[CB_FLD_PROTO], v->field[PROTO_FIELD_IPV4].value.u8,
		0, UINT8_MAX, '/');
	GET_CB_FIELD(in[CB_FLD_PROTO], v->field[PROTO_FIELD_IPV4].mask_range.u8,
		0, UINT8_MAX, 0);

	if (has_userdata)
		GET_CB_FIELD(in[CB_FLD_USERDATA], v->data.userdata, 0,
			UINT32_MAX, 0);

	return 0;
}

下面解释一下编写方法。这里的struct acl4_rule就是刚刚通过RTE_ACL_RULE_DEF定义的规则类型，其中包含两个结构体字段data和field。

data字段的结构体定义为：

struct rte_acl_rule_data {
   
   
	uint32_t category_mask; /**< Mask of categories for that rule. */
	int32_t  priority;      /**< Priority for that rule. */
	uint32_t userdata;      /**< Associated with the rule user data. */
};

其中category_mask是类别掩码，32位中每一位代表一个类别，该规则属于哪个类别就将哪一位置1;priority是优先级，值越大表明优先级越高;userdata是用户自定义的一个数值（不能是0），当某个规则匹配成功时，就会返回该规则的userdata。

field字段的结构体定义为：

struct rte_acl_field {
   
   
	union rte_acl_field_types value;
	/**< a 1,2,4, or 8 byte value of the field. */
	union rte_acl_field_types mask_range;
	/**<
	 * depending on field type:
	 * mask -> 1.2.3.4/32 value=0x1020304, mask_range=32,
	 * range -> 0 : 65535 value=0, mask_range=65535,
	 * bitmask -> 0x06/0xff value=6, mask_range=0xff.
	 */
};
其中联合体union rte_acl_field_types定义为：

union rte_acl_field_types {
   
   
	uint8_t  u8;
	uint16_t u16;
	uint32_t u32;
	uint64_t u64;
};

对应了1,2,4,8四种字段长度。field字段要根据先前定义的字段类型设置其值，具体来说：

执行匹配
要执行匹配，首先需要创建规则上下文，相关代码如下：

struct rte_acl_ctx * acx;
int ret;
struct rte_acl_param prm = {
   
   
    .name = "ACL_example",
    .socket_id = SOCKET_ID_ANY,
    .rule_size = RTE_ACL_RULE_SZ(RTE_DIM(ipv4_defs)),
    .max_rule_num = 8,
};
if ((acx = rte_acl_create(&prm)) == NULL) {
   
   
    /* handle context create failure. */
}

接下来需要在刚刚创建的空上下文中添加规则：

ret = rte_acl_add_rules(acx, acl_rules, RTE_DIM(acl_rules));
if (ret != 0) {
   
   
   /* handle error at adding ACL rules. */
}

这样，就把的规则加入到上下文中。
然后需要构建运行时结构：

struct rte_acl_config cfg;
cfg.num_categories = 2;
cfg.num_fields = RTE_DIM(ipv4_defs);
cfg.max_size = 0x800000;
memcpy(cfg.defs, ipv4_defs, sizeof (ipv4_defs));
ret = rte_acl_build(acx, &cfg);
if (ret != 0 && ret != -ERANGE) {
   
   
     /* handle error at build runtime structures for ACL context. */
} else if (ret == -ERANGE) {
   
   
   cfg.max_size = 0;
   ret = rte_acl_build(acx, &cfg);
}

这里的cfg是构建运行时结构的配置，其定义如下：

struct rte_acl_config {
   
   
	uint32_t num_categories; /**< Number of categories to build with. */
	uint32_t num_fields;     /**< Number of field definitions. */
	struct rte_acl_field_def defs[RTE_ACL_MAX_FIELDS];
	/**< array of field definitions. */
	size_t max_size;
	/**< max memory limit for internal run-time structures. */
};

其他字段都很好理解，主要注意其中的max_size字段，该字段用来规定ACL运行时的内存上限，但是如果内存过小会增加分类时间，因此这是一个折中的设置选项。如果设置为0则会尽量减少内存占用，但不会保证使用限度。

至此执行规则的上下文创建完毕。对于一组输入数据，只要通过函数rte_acl_classify即可执行匹配，该函数原型如下：

int rte_acl_classify(const struct rte_acl_ctx *ctx,
		 const uint8_t **data,
		 uint32_t *results, uint32_t num,
		 uint32_t categories);

其中ctx即构建好的上下文了;data可以理解为一个指针数组：const uint8_t *data[INPUT_COUNT]，其每一个元素指针指向一条待匹配二进制数据。注意要进行匹配的二进制数据必须是按照网络字节序存储的;num表示data中的数据数量;categories是类别的数量;results是用来保存结果的数组，由于data中每一条数据都有categories个匹配结果，因此results的大小至少为categories * num。

以下是我基于5元组基础上增加MAC地址匹配的源码

/* SPDX-License-Identifier: BSD-3-Clause
 * Copyright(c) 2010-2016 Intel Corporation
 */

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <inttypes.h>
#include <sys/types.h>
#include <string.h>
#include <sys/queue.h>
#include <stdarg.h>
#include <errno.h>
#include <getopt.h>

#include <rte_common.h>
#include <rte_byteorder.h>
#include <rte_log.h>
#include <rte_memory.h>
#include <rte_memcpy.h>
#include <rte_eal.h>
#include <rte_launch.h>
#include <rte_atomic.h>
#include <rte_cycles.h>
#include <rte_prefetch.h>
#include <rte_lcore.h>
#include <rte_per_lcore.h>
#include <rte_branch_prediction.h>
#include <rte_interrupts.h>
#include <rte_random.h>
#include <rte_debug.h>
#include <rte_ether.h>
#include <rte_ethdev.h>
#include <rte_mempool.h>
#include <rte_mbuf.h>
#include <rte_ip.h>
#include <rte_tcp.h>
#include <rte_udp.h>
#include <rte_string_fns.h>
#include <rte_acl.h>

#if RTE_LOG_DP_LEVEL >= RTE_LOG_DEBUG
#define L3FWDACL_DEBUG
#endif
#define DO_RFC_1812_CHECKS

#define RTE_LOGTYPE_L3FWD RTE_LOGTYPE_USER1

#define MAX_JUMBO_PKT_LEN  9600

#define MEMPOOL_CACHE_SIZE 256

/*
 * This expression is used to calculate the number of mbufs needed
 * depending on user input, taking into account memory for rx and tx hardware
 * rings, cache per lcore and mtable per port per lcore.
 * RTE_MAX is used to ensure that NB_MBUF never goes below a
 * minimum value of 8192
 */

#define NB_MBUF	RTE_MAX(\
	(nb_ports * nb_rx_queue * nb_rxd +	\
	nb_ports * nb_lcores * MAX_PKT_BURST +	\
	nb_ports * n_tx_queue * nb_txd +	\
	nb_lcores * MEMPOOL_CACHE_SIZE),	\
	(unsigned)8192)

#define MAX_PKT_BURST 32
#define BURST_TX_DRAIN_US 100 /* TX drain every ~100us */

#define NB_SOCKETS 8

/* Configure how many packets ahead to prefetch, when reading packets */
#define PREFETCH_OFFSET	3

/*
 * Configurable number of RX/TX ring descriptors
 */
#define RTE_TEST_RX_DESC_DEFAULT 1024
#define RTE_TEST_TX_DESC_DEFAULT 1024
static uint16_t nb_rxd = RTE_TEST_RX_DESC_DEFAULT;
static uint16_t nb_txd = RTE_TEST_TX_DESC_DEFAULT;

/* ethernet addresses of ports */
static struct ether_addr ports_eth_addr[RTE_MAX_ETHPORTS];

/* mask of enabled ports */
static uint32_t enabled_port_mask;
static int promiscuous_on; /**< Ports set in promiscuous mode off by default. */
static int numa_on = 1; /**< NUMA is enabled by default. */

struct lcore_rx_queue {
   
   
	uint16_t port_id;
	uint8_t queue_id;
} __rte_cache_aligned;

#define MAX_RX_QUEUE_PER_LCORE 16
#define MAX_TX_QUEUE_PER_PORT RTE_MAX_ETHPORTS
#define MAX_RX_QUEUE_PER_PORT 128

#define MAX_LCORE_PARAMS 1024
struct lcore_params {
   
   
	uint16_t port_id;
	uint8_t queue_id;
	uint8_t lcore_id;
} __rte_cache_aligned;

static struct lcore_params lcore_params_array[MAX_LCORE_PARAMS];
static struct lcore_params lcore_params_array_default[] = {
   
   
	{
   
   0, 0, 2},
	{
   
   0, 1, 2},
	{
   
   0, 2, 2},
	{
   
   1, 0, 2},
	{
   
   1, 1, 2},
	{
   
   1, 2, 2},
	{
   
   2, 0, 2},
	{
   
   3, 0, 3},
	{
   
   3, 1, 3},
};

static struct lcore_params *lcore_params = lcore_params_array_default;
static uint16_t nb_lcore_params = sizeof(lcore_params_array_default) /
				sizeof(lcore_params_array_default[0]);

static struct rte_eth_conf port_conf = {
   
   
	.rxmode = {
   
   
		.mq_mode	= ETH_MQ_RX_RSS,
		.max_rx_pkt_len = ETHER_MAX_LEN,
		.split_hdr_size = 0,
		.offloads = (DEV_RX_OFFLOAD_CRC_STRIP |
			     DEV_RX_OFFLOAD_CHECKSUM),
	},
	.rx_adv_conf = {
   
   
		.rss_conf = {
   
   
			.rss_key = NULL,
			.rss_hf = ETH_RSS_IP | ETH_RSS_UDP |
				ETH_RSS_TCP | ETH_RSS_SCTP,
		},
	},
	.txmode = {
   
   
		.mq_mode = ETH_MQ_TX_NONE,
	},
};

static struct rte_mempool *pktmbuf_pool[NB_SOCKETS];

/***********************start of ACL part******************************/
#ifdef DO_RFC_1812_CHECKS
static inline int
is_valid_ipv4_pkt(struct ipv4_hdr *pkt, uint32_t link_len);
#endif
static inline void
send_single_packet(struct rte_mbuf *m, uint16_t port);

#define MAX_ACL_RULE_NUM	100000
#define DEFAULT_MAX_CATEGORIES	1
#define L3FWD_ACL_IPV4_NAME	"l3fwd-acl-ipv4"
#define L3FWD_ACL_IPV6_NAME	"l3fwd-acl-ipv6"
#define ACL_LEAD_CHAR		('@')
#define ROUTE_LEAD_CHAR		('R')
#define COMMENT_LEAD_CHAR	('#')
#define OPTION_CONFIG		"config"
#define OPTION_NONUMA		"no-numa"
#define OPTION_ENBJMO		"enable-jumbo"
#define OPTION_RULE_IPV4	"rule_ipv4"
#define OPTION_RULE_IPV6	"rule_ipv6"
#define OPTION_SCALAR		"scalar"
#define ACL_DENY_SIGNATURE	0xf0000000
#define RTE_LOGTYPE_L3FWDACL	RTE_LOGTYPE_USER3
#define acl_log(format, ...)	RTE_LOG(ERR, L3FWDACL, format, ##__VA_ARGS__)
#define uint32_t_to_char(ip, a, b, c, d) do {\
		*a = (unsigned char)(ip >> 24 & 0xff);\
		*b = (unsigned char)(ip >> 16 & 0xff);\
		*c = (unsigned char)(ip >> 8 & 0xff);\
		*d = (unsigned char)(ip & 0xff);\
	} while (0)
#define uint16_t_to_char(ip, a, b) do {\
			*a = (unsigned char)(ip >> 8 & 0xff);\
			*b = (unsigned char)(ip & 0xff);\
		} while (0)


#define OFF_ETHHEAD	(sizeof(struct ether_hdr))
#define OFF_IPV42PROTO (offsetof(struct ipv4_hdr, next_proto_id))
#define OFF_IPV62PROTO (offsetof(struct ipv6_hdr, proto))
#define MBUF_IPV4_2PROTO(m)	\
	rte_pktmbuf_mtod_offset((m), uint8_t *, 0)	
	//rte_pktmbuf_mtod_offset((m), uint8_t *, OFF_ETHHEAD + OFF_IPV42PROTO)
#define MBUF_IPV6_2PROTO(m)	\
	rte_pktmbuf_mtod_offset((m), uint8_t *, OFF_ETHHEAD + OFF_IPV62PROTO)

#define GET_CB_FIELD(in, fd, base, lim, dlm)	do {            \
	unsigned long val;                                      \
	char *end;                                              \
	errno = 0;                                              \
	val = strtoul((in), &end, (base));                      \
	if (errno != 0 || end[0] != (dlm) || val > (lim))       \
		return -EINVAL;                               \
	(fd) = (typeof(fd))val;                                 \
	(in) = end + 1;                                         \
} while (0)

/*
  * ACL rules should have higher priorities than route ones to ensure ACL rule
  * always be found when input packets have multi-matches in the database.
  * A exception case is performance measure, which can define route rules with
  * higher priority and route rules will always be returned in each lookup.
  * Reserve range from ACL_RULE_PRIORITY_MAX + 1 to
  * RTE_ACL_MAX_PRIORITY for route entries in performance measure
  */
#define ACL_RULE_PRIORITY_MAX 0x10000000

/*
  * Forward port info save in ACL lib starts from 1
  * since ACL assume 0 is invalid.
  * So, need add 1 when saving and minus 1 when forwarding packets.
  */
#define FWD_PORT_SHIFT 1

/*
 * Rule and trace formats definitions.
 */

enum {
   
   
	PROTO_FIELD_IPV4,
	DMAC1_FIELD_IPV4,
	DMAC2_FIELD_IPV4,
	SMAC1_FIELD_IPV4,
	SMAC2_FIELD_IPV4,
	SRC_FIELD_IPV4,
	DST_FIELD_IPV4,
	SRCP_FIELD_IPV4,
	DSTP_FIELD_IPV4,
	NUM_FIELDS_IPV4
};

/*
 * That effectively defines order of IPV4VLAN classifications:
 *  - PROTO
 *  - VLAN (TAG and DOMAIN)
 *  - SRC IP ADDRESS
 *  - DST IP ADDRESS
 *  - PORTS (SRC and DST)
 */
enum {
   
   
	RTE_ACL_IPV4VLAN_PROTO,
	RTE_ACL_IPV4VLAN_MAC1,
	RTE_ACL_IPV4VLAN_MAC2,
	RTE_ACL_IPV4VLAN_MAC3,
	//RTE_ACL_IPV4VLAN_VLAN,
	RTE_ACL_IPV4VLAN_SRC,
	RTE_ACL_IPV4VLAN_DST,
	RTE_ACL_IPV4VLAN_PORTS,
	RTE_ACL_IPV4VLAN_NUM
};
	
struct rte_acl_field_def ipv4_defs[NUM_FIELDS_IPV4] = {
   
   

	{
   
   
		.type = RTE_ACL_FIELD_TYPE_BITMASK,
		.size = sizeof(uint8_t),
		.field_index = PROTO_FIELD_IPV4,
		.input_index = RTE_ACL_IPV4VLAN_PROTO,
		.offset = sizeof(struct ether_hdr) + offsetof(struct ipv4_hdr, next_proto_id),
	},

	{
   
   
		.type = RTE_ACL_FIELD_TYPE_MASK,
		.size = sizeof(uint32_t),
		.field_index = DMAC1_FIELD_IPV4,
		.input_index = RTE_ACL_IPV4VLAN_MAC1,
		.offset = 0,
	},	
	{
   
   
		.type = RTE_ACL_FIELD_TYPE_MASK,
		.size = sizeof(uint16_t),
		.field_index = DMAC2_FIELD_IPV4,
		.input_index = RTE_ACL_IPV4VLAN_MAC2,
		.offset = sizeof(uint32_t),
	},	
	{
   
   
		.type = RTE_ACL_FIELD_TYPE_MASK,
		.size = sizeof(uint16_t),
		.field_index = SMAC1_FIELD_IPV4,
		.input_index = RTE_ACL_IPV4VLAN_MAC2,
		.offset = sizeof(uint32_t) + sizeof(uint16_t),
	},	
	{
   
   
		.type = RTE_ACL_FIELD_TYPE_MASK,
		.size = sizeof(uint32_t),
		.field_index = SMAC2_FIELD_IPV4,
		.input_index = RTE_ACL_IPV4VLAN_MAC3,
		.offset = sizeof(uint32_t) + sizeof(uint16_t) + sizeof(uint16_t) ,
	},	
	{
   
   
		.type = RTE_ACL_FIELD_TYPE_MASK,
		.size = sizeof(uint32_t),
		.field_index = SRC_FIELD_IPV4,
		.input_index = RTE_ACL_IPV4VLAN_SRC,
		.offset = offsetof(struct ipv4_hdr, src_addr)+sizeof(struct ether_hdr),
	},
	{
   
   
		.type = RTE_ACL_FIELD_TYPE_MASK,
		.size = sizeof(uint32_t),
		.field_index = DST_FIELD_IPV4,
		.input_index = RTE_ACL_IPV4VLAN_DST,
		.offset = offsetof(struct ipv4_hdr, dst_addr)+sizeof(struct ether_hdr),
	},
	{
   
   
		.type = RTE_ACL_FIELD_TYPE_RANGE,
		.size = sizeof(uint16_t),
		.field_index