pcn-firewall: introduce datapath pipeline early break

this commit introduces the support for some firewall
filtering pipeline modules to early break the pipeline
if no rule is matched.

the idea is that during the execution of the pipeline
some modules are implemented in a way in wich the cost
of checking if the resulting bitvector is all zero
is almost negligible.

this support enables to speedup the execution since is no
longer needed to go through all the pipeline modules
if this condition is matched.

Signed-off-by: Matteo Bertrone <m.bertrone@gmail.com>

Author: mbertrone

src/services/pcn-firewall/src/Firewall.h

@@ -223,16 +223,21 @@ class Firewall : public FirewallBase {
   };
 
   class L4PortLookup : public Program {
-   private:
-    int type;  // SOURCE or DESTINATION
-
    public:
     L4PortLookup(const int &index, const ChainNameEnum &direction,
                  const int &type, Firewall &outer);
+    L4PortLookup(const int &index, const ChainNameEnum &chain, const int &type,
+                 Firewall &outer,
+                 const std::map<uint16_t, std::vector<uint64_t>> &ports);
     ~L4PortLookup();
     std::string getCode();
     bool updateTableValue(uint16_t port, const std::vector<uint64_t> &value);
     void updateMap(const std::map<uint16_t, std::vector<uint64_t>> &ports);
+
+  private:
+      int type;  // SOURCE or DESTINATION
+      bool wildcard_rule_;
+      std::string wildcard_string_;
   };
 
   class TcpFlagsLookup : public Program {
@@ -318,4 +323,29 @@ class Firewall : public FirewallBase {
 
   static void replaceAll(std::string &str, const std::string &from,
                          const std::string &to);
+
+  template <typename Iterator>
+  static std::string fromContainerToMapString(Iterator begin, Iterator end,
+                                              const std::string open,
+                                              const std::string close,
+                                              const std::string separator);
 };
+
+template <typename Iterator>
+std::string Firewall::fromContainerToMapString(Iterator it, Iterator end,
+                                               const std::string open,
+                                               const std::string close,
+                                               const std::string separator) {
+  std::string result = open;
+  bool first = true;
+  int cnt = 0;
+  for (; it != end; ++it) {
+    cnt++;
+    if (!first)
+      result += separator;
+    first = false;
+    result += /*"-" + */ std::to_string((*it));
+  }
+  result += close;
+  return result;
+}

src/services/pcn-firewall/src/datapaths/Firewall_IpLookup_dp.c

@@ -87,16 +87,26 @@ static int handle_rx(struct CTXTYPE *ctx, struct pkt_metadata *md) {
     } else {
 /*#pragma unroll does not accept a loop with a single iteration, so we need to
  * distinguish cases to avoid a verifier error.*/
+      bool isAllZero = true;
 #if _NR_ELEMENTS == 1
       (result->bits)[0] = (result->bits)[0] & (ele->bits)[0];
+      if (result->bits[0] != 0)
+        isAllZero = false;
 #else
 #pragma unroll
       for (int i = 0; i < _NR_ELEMENTS; ++i) {
         /*This is the first module, it initializes the percpu*/
         (result->bits)[i] = (result->bits)[i] & (ele->bits)[i];
-      }
 
+        if (result->bits[i] != 0)
+          isAllZero = false;
+      }
 #endif
+      if (isAllZero) {
+        pcn_log(ctx, LOG_DEBUG,
+                "[_CHAIN_NAME][IP_TYPE]: Bitvector is all zero. Break pipeline");
+        _DEFAULTACTION
+      }
     }  // if result == NULL
   }    // if ele==NULL
   call_next_program(ctx, _NEXT_HOP_1);

src/services/pcn-firewall/src/datapaths/Firewall_L4PortLookup_dp.c

@@ -57,6 +57,10 @@ static __always_inline struct elements *getBitVect(uint16_t *key) {
 #endif
 
 static int handle_rx(struct CTXTYPE *ctx, struct pkt_metadata *md) {
+#if _WILDCARD_RULE
+  u64 wildcard_ele[_MAXRULES] = _WILDCARD_BITVECTOR;
+#endif
+
 /*The struct elements and the lookup table are defined only if _NR_ELEMENTS>0,
  * so
  * this code has to be used only in this case.*/
@@ -78,35 +82,79 @@ static int handle_rx(struct CTXTYPE *ctx, struct pkt_metadata *md) {
     _TYPEPort = pkt->_TYPEPort;
   }
 
-  struct elements *ele = getBitVect(&_TYPEPort);
+  // Ports are stored in an hashmap
+  // A. map[0] (if exists) contains wildcard match
+  // B. map[port] (if some exists) contain ports matching
+
+  // if no match in A. and B.
+  // we assume current bitvector is 0x000000...
+  // also AND returns 0x0000...
+  // so we can apply DEFAULT action with no additional cost.
 
-  if (ele == NULL) {
-    _TYPEPort = 0;
-    ele = getBitVect(&_TYPEPort);
-    if (ele == NULL) {
-      pcn_log(ctx, LOG_DEBUG, "[_CHAIN_NAME][L4PortLookup_TYPE]: No match");
-      _DEFAULTACTION
-    }
-  }
   struct elements *result = getShared();
+
+  bool isAllZero = true;
   if (result == NULL) {
     /*Can't happen. The PERCPU is preallocated.*/
     return RX_DROP;
   } else {
+    struct elements *ele = getBitVect(&_TYPEPort);
+
+    if (ele == NULL) {
+    // if lookup with port fails, we have to
+    // a. verify if we have a wildcard key (0)
+    // b. if so, use to bitvector from wildcard key
+
+#if _WILDCARD_RULE
+      pcn_log(ctx, LOG_DEBUG, "[_CHAIN_NAME][L4PortLookup_TYPE]: +WILDCARD RULE+");
+      goto WILDCARD;
+#else
+      pcn_log(ctx, LOG_DEBUG, "[_CHAIN_NAME][L4PortLookup_TYPE]: No match. ");
+      _DEFAULTACTION
+#endif
+    }
+
 /*#pragma unroll does not accept a loop with a single iteration, so we need to
- * distinguish cases to avoid a verifier error.*/
+* distinguish cases to avoid a verifier error.*/
 #if _NR_ELEMENTS == 1
     (result->bits)[0] = (ele->bits)[0] & (result->bits)[0];
+    if (result->bits[0] != 0)
+      isAllZero = false;
+    goto NEXT;
+
+#if _WILDCARD_RULE
+  WILDCARD:;
+    (result->bits)[0] = wildcard_ele[0] & (result->bits)[0];
+    if (result->bits[0] != 0)
+      isAllZero = false;
+#endif
 #else
     int i = 0;
 #pragma unroll
     for (i = 0; i < _NR_ELEMENTS; ++i) {
       (result->bits)[i] = (result->bits)[i] & (ele->bits)[i];
+      if (result->bits[i] != 0)
+        isAllZero = false;
     }
-
+    goto NEXT;
+#if _WILDCARD_RULE
+  WILDCARD:;
+#pragma unroll
+    for (i = 0; i < _NR_ELEMENTS; ++i) {
+      (result->bits)[i] = wildcard_ele[i] & (result->bits)[i];
+      if (result->bits[i] != 0)
+        isAllZero = false;
+    }
+#endif
 #endif
   }  // if result == NULL
 
+NEXT:;
+  if (isAllZero) {
+    pcn_log(ctx, LOG_DEBUG,
+            "[_CHAIN_NAME][L4PortLookup_TYPE]: Bitvector is all zero. Break pipeline");
+    _DEFAULTACTION
+  }
   call_next_program(ctx, _NEXT_HOP_1);
 #else
   return RX_DROP;

src/services/pcn-firewall/src/datapaths/Firewall_L4ProtocolLookup_dp.c

@@ -84,18 +84,29 @@ static int handle_rx(struct CTXTYPE *ctx, struct pkt_metadata *md) {
     /*Can't happen. The PERCPU is preallocated.*/
     return RX_DROP;
   } else {
+    bool isAllZero = true;
 /*#pragma unroll does not accept a loop with a single iteration, so we need to
  * distinguish cases to avoid a verifier error.*/
 #if _NR_ELEMENTS == 1
     (result->bits)[0] = (ele->bits)[0] & (result->bits)[0];
+    if (result->bits[0])
+      isAllZero = false;
 #else
     int i = 0;
 #pragma unroll
     for (i = 0; i < _NR_ELEMENTS; ++i) {
       (result->bits)[i] = (result->bits)[i] & (ele->bits)[i];
+
+      if (result->bits[i])
+        isAllZero = false;
     }
 
 #endif
+    if (isAllZero) {
+      pcn_log(ctx, LOG_DEBUG,
+              "[_CHAIN_NAME][L4ProtoLookup]: Bitvector is all zero. Break pipeline");
+      _DEFAULTACTION
+    }
   }  // if result == NULL
 
   call_next_program(ctx, _NEXT_HOP_1);

src/services/pcn-firewall/src/datapaths/Firewall_TcpFlagsLookup_dp.c

@@ -88,8 +88,11 @@ static int handle_rx(struct CTXTYPE *ctx, struct pkt_metadata *md) {
     } else {
 /*#pragma unroll does not accept a loop with a single iteration, so we need to
  * distinguish cases to avoid a verifier error.*/
+      bool isAllZero = true;
 #if _NR_ELEMENTS == 1
       (result->bits)[0] = (result->bits)[0] & (ele->bits)[0];
+      if (result->bits[0])
+        isAllZero = false;
       pcn_log(ctx, LOG_DEBUG,
               "[_CHAIN_NAME][TCPFlagsLookup]:  Match found. Bitvec: %llu, result %llu.",
               (ele->bits)[0], (result->bits)[0]);
@@ -98,9 +101,16 @@ static int handle_rx(struct CTXTYPE *ctx, struct pkt_metadata *md) {
 #pragma unroll
       for (i = 0; i < _NR_ELEMENTS; ++i) {
         (result->bits)[i] = (result->bits)[i] & (ele->bits)[i];
+        if (result->bits[i])
+          isAllZero = false;
       }
 
 #endif
+      if (isAllZero) {
+        pcn_log(ctx, LOG_DEBUG,
+                "[_CHAIN_NAME][TCPFlagsLookup]: Bitvector is all zero. Break pipeline.");
+        _DEFAULTACTION
+      }
     }  // if result == NULL
   }    // if ele==NULL
 

src/services/pcn-firewall/src/modules/L4PortLookup.cpp

@@ -22,6 +22,34 @@ Firewall::L4PortLookup::L4PortLookup(const int &index,
                                      const int &type, Firewall &outer)
     : Firewall::Program(firewall_code_l4portlookup, index, direction, outer) {
   this->type = type;
+
+  wildcard_rule_ = false;
+  wildcard_string_ = "";
+
+  load();
+}
+
+Firewall::L4PortLookup::L4PortLookup(const int &index,
+                                     const ChainNameEnum &direction,
+                                     const int &type, Firewall &outer,
+                                     const std::map<uint16_t, std::vector<uint64_t>> &ports)
+    : Firewall::Program(firewall_code_l4portlookup, index, direction, outer) {
+
+  this->type = type;
+
+  auto it = ports.find(0);
+  if (it == ports.end()) {
+    wildcard_rule_ = false;
+    wildcard_string_ = "";
+    // std::cout << "-- wildcard NO --+" << std::endl;
+  } else {
+    wildcard_rule_ = true;
+    wildcard_string_ = fromContainerToMapString(
+            it->second.begin(), it->second.end(), "{", "}", ",");
+    // std::cout << "-- wildcard YES --+" << std::endl;
+    // std::cout << wildcardString << std::endl;
+  }
+
   load();
 }
 
@@ -54,6 +82,13 @@ std::string Firewall::L4PortLookup::getCode() {
   /*Replacing the default action*/
   replaceAll(noMacroCode, "_DEFAULTACTION", defaultActionString());
 
+  if (wildcard_rule_) {
+    replaceAll(noMacroCode, "_WILDCARD_RULE", std::to_string(1));
+    replaceAll(noMacroCode, "_WILDCARD_BITVECTOR", wildcard_string_);
+  } else {
+    replaceAll(noMacroCode, "_WILDCARD_RULE", std::to_string(0));
+  }
+
   return noMacroCode;
 }