sonic-net
diff --git a/‎vslib/inc/HostInterfaceInfo.h
Lines changed: 23 additions & 3 deletions b/‎vslib/inc/HostInterfaceInfo.h
Lines changed: 23 additions & 3 deletions
diff --git a/‎vslib/inc/MACsecFilter.h
Lines changed: 2 additions & 2 deletions b/‎vslib/inc/MACsecFilter.h
Lines changed: 2 additions & 2 deletions
diff --git a/‎vslib/inc/MACsecForwarder.h
Lines changed: 8 additions & 3 deletions b/‎vslib/inc/MACsecForwarder.h
Lines changed: 8 additions & 3 deletions
diff --git a/‎vslib/inc/SwitchStateBase.h
Lines changed: 5 additions & 3 deletions b/‎vslib/inc/SwitchStateBase.h
Lines changed: 5 additions & 3 deletions
diff --git a/‎vslib/inc/TrafficForwarder.h
Lines changed: 32 additions & 0 deletions b/‎vslib/inc/TrafficForwarder.h
Lines changed: 32 additions & 0 deletions
diff --git a/‎vslib/src/HostInterfaceInfo.cpp
Lines changed: 64 additions & 55 deletions b/‎vslib/src/HostInterfaceInfo.cpp
Lines changed: 64 additions & 55 deletions
@@ -5,6 +5,8 @@ extern "C" {
 }
 
 #include "EventQueue.h"
+#include "TrafficFilterPipes.h"
+#include "TrafficForwarder.h"
 
 #include "swss/selectableevent.h"
 
@@ -14,7 +16,8 @@ extern "C" {
 
 namespace saivs
 {
-    class HostInterfaceInfo
+    class HostInterfaceInfo :
+        public TrafficForwarder
     {
         private:
 
@@ -38,6 +41,20 @@ namespace saivs
                     _In_ const uint8_t *buffer,
                     _In_ size_t size) const;
 
+            bool installEth2TapFilter(
+                    _In_ int priority,
+                    _In_ std::shared_ptr<TrafficFilter> filter);
+
+            bool uninstallEth2TapFilter(
+                    _In_ std::shared_ptr<TrafficFilter> filter);
+
+            bool installTap2EthFilter(
+                    _In_ int priority,
+                    _In_ std::shared_ptr<TrafficFilter> filter);
+
+            bool uninstallTap2EthFilter(
+                    _In_ std::shared_ptr<TrafficFilter> filter);
+
         private:
 
             void veth2tap_fun();
@@ -58,13 +75,16 @@ namespace saivs
 
             std::shared_ptr<EventQueue> m_eventQueue;
 
-        private:
-
             int m_tapfd;
 
+        private:
+
             std::shared_ptr<std::thread> m_e2t;
             std::shared_ptr<std::thread> m_t2e;
 
+            TrafficFilterPipes m_e2tFilters;
+            TrafficFilterPipes m_t2eFilters;
+
             swss::SelectableEvent m_e2tEvent;
             swss::SelectableEvent m_t2eEvent;
     };
 
@@ -30,10 +30,10 @@ namespace saivs
             _In_ const void *buffer,
             _In_ size_t length) = 0;
 
-        bool m_macsec_device_enable;
+        bool m_macsecDeviceEnable;
 
         int m_macsecfd;
 
-        const std::string m_macsec_interface_name;
+        const std::string m_macsecInterfaceName;
     };
 }
@@ -1,5 +1,8 @@
 #pragma once
 
+#include "HostInterfaceInfo.h"
+#include "TrafficForwarder.h"
+
 #include "swss/sal.h"
 #include "swss/selectableevent.h"
 
@@ -9,12 +12,13 @@
 
 namespace saivs
 {
-    class MACsecForwarder
+    class MACsecForwarder :
+        public TrafficForwarder
     {
     public:
         MACsecForwarder(
             _In_ const std::string &macsecInterfaceName,
-            _In_ int tapfd);
+            _In_ std::shared_ptr<HostInterfaceInfo> info);
 
         virtual ~MACsecForwarder();
 
@@ -23,7 +27,6 @@ namespace saivs
         void forward();
 
     private:
-        int m_tapfd;
         int m_macsecfd;
 
         const std::string m_macsecInterfaceName;
@@ -33,5 +36,7 @@ namespace saivs
         swss::SelectableEvent m_exitEvent;
 
         std::shared_ptr<std::thread> m_forwardThread;
+
+        std::shared_ptr<HostInterfaceInfo> m_info;
     };
 }
@@ -363,6 +363,11 @@ namespace saivs
             sai_status_t removeDebugCounter(
                     _In_ sai_object_id_t objectId);
 
+        public:
+
+            static int promisc(
+                    _In_ const char *dev);
+
         protected: // custom hostif
 
             sai_status_t createHostif(
@@ -394,9 +399,6 @@ namespace saivs
                     _In_ const char *dev,
                     _In_ const sai_mac_t& mac);
 
-            static int promisc(
-                    _In_ const char *dev);
-
             static int get_default_gw_mac_address(
                     _Out_ sai_mac_t& mac);
 
 
@@ -0,0 +1,32 @@
+#pragma once
+
+#include "swss/sal.h"
+
+#include <stddef.h>
+#include <sys/socket.h>
+
+namespace saivs
+{
+    static constexpr size_t ETH_FRAME_BUFFER_SIZE = 0x4000;
+    static constexpr size_t CONTROL_MESSAGE_BUFFER_SIZE = 0x1000;
+
+    class TrafficForwarder
+    {
+    public:
+        virtual ~TrafficForwarder() = default;
+
+    protected:
+        TrafficForwarder() = default;
+
+        static void addVlanTag(
+            _Inout_ unsigned char *buffer,
+            _Inout_ size_t &length,
+            _Inout_ struct msghdr &msg);
+
+        virtual bool sendTo(
+            _In_ int fd,
+            _In_ const unsigned char *buffer,
+            _In_ size_t length) const;
+
+    };
+}
@@ -90,11 +90,39 @@ void HostInterfaceInfo::async_process_packet_for_fdb_event(
     m_eventQueue->enqueue(std::make_shared<Event>(EventType::EVENT_TYPE_PACKET, payload));
 }
 
-#define ETH_FRAME_BUFFER_SIZE (0x4000)
-#define CONTROL_MESSAGE_BUFFER_SIZE (0x1000)
-#define IEEE_8021Q_ETHER_TYPE (0x8100)
-#define MAC_ADDRESS_SIZE (6)
-#define VLAN_TAG_SIZE (4)
+bool HostInterfaceInfo::installEth2TapFilter(
+        _In_ int priority,
+        _In_ std::shared_ptr<TrafficFilter> filter)
+{
+    SWSS_LOG_ENTER();
+
+    return m_e2tFilters.installFilter(priority, filter);
+}
+
+bool HostInterfaceInfo::uninstallEth2TapFilter(
+        _In_ std::shared_ptr<TrafficFilter> filter)
+{
+    SWSS_LOG_ENTER();
+
+    return m_e2tFilters.uninstallFilter(filter);
+}
+
+bool HostInterfaceInfo::installTap2EthFilter(
+        _In_ int priority,
+        _In_ std::shared_ptr<TrafficFilter> filter)
+{
+    SWSS_LOG_ENTER();
+
+    return m_t2eFilters.installFilter(priority, filter);
+}
+
+bool HostInterfaceInfo::uninstallTap2EthFilter(
+        _In_ std::shared_ptr<TrafficFilter> filter)
+{
+    SWSS_LOG_ENTER();
+
+    return m_t2eFilters.uninstallFilter(filter);
+}
 
 void HostInterfaceInfo::veth2tap_fun()
 {
@@ -161,63 +189,28 @@ void HostInterfaceInfo::veth2tap_fun()
             continue;
         }
 
-        struct cmsghdr *cmsg;
+        // Buffer include the ingress packets
+        // MACsec scenario: EAPOL packets and encrypted packets
+        size_t length = static_cast<size_t>(size);
+        auto ret = m_e2tFilters.execute(buffer, length);
 
-        for (cmsg = CMSG_FIRSTHDR(&msg); cmsg != NULL; cmsg = CMSG_NXTHDR(&msg, cmsg))
+        if (ret == TrafficFilter::TERMINATE)
         {
-            if (cmsg->cmsg_level != SOL_PACKET || cmsg->cmsg_type != PACKET_AUXDATA)
-                continue;
-
-            struct tpacket_auxdata* aux = (struct tpacket_auxdata*)CMSG_DATA(cmsg);
-
-            if ((aux->tp_status & TP_STATUS_VLAN_VALID) &&
-                    (aux->tp_status & TP_STATUS_VLAN_TPID_VALID))
-            {
-                SWSS_LOG_DEBUG("got vlan tci: 0x%x, vlanid: %d", aux->tp_vlan_tci, aux->tp_vlan_tci & 0xFFF);
-
-                // inject vlan tag into frame
-
-                // for overlapping buffers
-                memmove(buffer + 2 * MAC_ADDRESS_SIZE + VLAN_TAG_SIZE,
-                        buffer + 2 * MAC_ADDRESS_SIZE,
-                        size - (2 * MAC_ADDRESS_SIZE));
-
-                uint16_t tci = htons(aux->tp_vlan_tci);
-                uint16_t tpid = htons(IEEE_8021Q_ETHER_TYPE);
-
-                uint8_t* pvlan =  (uint8_t *)(buffer + 2 * MAC_ADDRESS_SIZE);
-                memcpy(pvlan, &tpid, sizeof(uint16_t));
-                memcpy(pvlan + sizeof(uint16_t), &tci, sizeof(uint16_t));
-
-                size += VLAN_TAG_SIZE;
-
-                break;
-            }
+            continue;
         }
-
-        async_process_packet_for_fdb_event(buffer, size);
-
-        if (write(m_tapfd, buffer, size) < 0)
+        else if (ret == TrafficFilter::ERROR)
         {
-            /*
-             * We filter out EIO because of this patch:
-             * https://github.com/torvalds/linux/commit/1bd4978a88ac2589f3105f599b1d404a312fb7f6
-             */
+            // Error log should be recorded in filter
+            return;
+        }
 
-            if (errno != ENETDOWN && errno != EIO)
-            {
-                SWSS_LOG_ERROR("failed to write to tap device fd %d, errno(%d): %s",
-                        m_tapfd, errno, strerror(errno));
-            }
+        addVlanTag(buffer, length, msg);
 
-            if (errno == EBADF)
-            {
-                // bad file descriptor, just end thread
-                SWSS_LOG_NOTICE("ending thread for tap fd %d", m_tapfd);
-                return;
-            }
+        async_process_packet_for_fdb_event(buffer, length);
 
-            continue;
+        if (!sendTo(m_tapfd, buffer, length))
+        {
+            break;
         }
     }
 
@@ -268,6 +261,22 @@ void HostInterfaceInfo::tap2veth_fun()
             continue;
         }
 
+        // Buffer include the egress packets
+        // MACsec scenario: EAPOL packets and plaintext packets
+        size_t length = static_cast<size_t>(size);
+        auto ret = m_t2eFilters.execute(buffer, length);
+        size = static_cast<ssize_t>(length);
+
+        if (ret == TrafficFilter::TERMINATE)
+        {
+            continue;
+        }
+        else if (ret == TrafficFilter::ERROR)
+        {
+            // Error log should be recorded in filter
+            return;
+        }
+
         if (write(m_packet_socket, buffer, (int)size) < 0)
         {
             if (errno != ENETDOWN)