新增kernel-ml，sapp，mrzcpd，mesaframework，解析解析层插件的相关dpi基础安装包

install_config/group_vars/server_as_tun_mode.yml

@@ -0,0 +1,64 @@
+#########################################
+#####0: Pcap;  1: Inline_device;   5:ATCA_VXLAN;
+tsg_access_type: 0
+#####0: Tun_mode;  1: normal;
+tsg_running_type: 0
+
+
+#########################################
+#Sapp Performance Config
+#如果tsg_access_type=0，sapp跑在pcap模式，则以下配置可忽略
+sapp:
+  worker_threads: 23
+  send_only_threads_max: 1
+  bind_mask: 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24
+  inbound_route_dir: 1
+
+#########################################
+#Sapp Double-Arm Config
+packet_io:
+  internal_interface: eth2
+  external_interface: eth3
+
+
+#########################################
+#Marsio Config
+mrzcpd:
+  iocore: 39
+
+mrtunnat:
+  lcore_id: 38
+
+
+#########################################
+#ATCA Config
+#下列配置只在tsg_access_type=4时生效
+ATCA_data_incoming:
+  ethname: enp1s0
+  vf0_name: enp1s2
+  vf1_name: enp1s2f1
+  vf2_name: enp1s2f2
+
+ATCA_VlanFlipping:
+  vlanID_1: 100
+  vlanID_2: 101
+  vlanID_3: 103
+  vlanID_4: 104
+
+#下列配置只在tsg_access_type=5时生效
+ATCA_VXLAN:
+  keepalive_ip: "10.254.19.1"
+  keepalive_mask: "255.255.255.252"
+
+#########################################
+#Inline Device Config
+inline_device_config:
+  keepalive_ip: 192.168.1.30
+  keepalive_mask: 255.255.255.252
+  data_incoming: eth5
+
+#########################################
+
+sapp_prometheus_enable: 1
+sapp_prometheus_port: 9273
+sapp_prometheus_url_path: "/metrics"

install_config/hosts

@@ -0,0 +1,45 @@
+###################
+#   For example   #
+###################
+#变量device_id根据设备序号设置即可
+#变量vvipv4_1、vvipv4_2、vvipv6_1、vvipv6_2为Allot相关配置，其他环境可不填或直接删除变量
+#
+#20.09版本新增APP部署
+#[app_global]
+#0.0.0.0
+
+#[server_as_tun_mode]
+#1.1.1.1 device_id=device_1
+#
+#[adc_mxn]
+#10.3.72.1
+#10.3.72.2
+#
+#[adc_mcn0]
+#10.3.73.1 device_id=device_1 vvipv4_1=10.3.61.1 vvipv4_2=10.3.62.1 vvipv6_1=fc00::61:1 vvipv6_2=fc00::62:1
+#10.3.73.2 device_id=device_2 vvipv4_1=10.3.61.2 vvipv4_2=10.3.62.2 vvipv6_1=fc00::61:2 vvipv6_2=fc00::62:2
+#
+#[adc_mcn1]
+#10.3.74.1 device_id=device_1
+#10.3.74.2 device_id=device_2
+#
+#[adc_mcn2]
+#10.3.75.1 device_id=device_1
+#10.3.75.2 device_id=device_2
+#
+#[adc_mcn3]
+#10.3.76.1 device_id=device_1
+#10.3.76.2 device_id=device_2
+
+#[app_global]
+#[server_as_tun_mode]
+#broken warning:
+#10.4.52.71
+[adc_mcn0]
+[adc_mcn1]
+[adc_mcn2]
+[adc_mcn3]
+[app_global]
+[server_as_tun_mode]
+
+

roles/firewall/tasks/main.yml

@@ -0,0 +1,21 @@
+---
+- name: "copy firewall rpms to destination server"
+  copy:
+    src: "{{ role_path }}/files/"
+    dest: /tmp/ansible_deploy/
+
+- name: "install firewall packages"
+  yum:
+    name: "{{ fw_packages }}"
+    state: present
+    skip_broken: yes
+  vars:
+    fw_packages:
+      - /tmp/ansible_deploy/dns-2.0.9.b639626-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/ftp-1.0.8.13d5fda-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/http-2.0.5.c61ad9a-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/mail-1.0.9.c1d3bde-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/quic-1.1.17.8c22b4d-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/ssl-1.0.12.16b8fb5-2.el7.x86_64.rpm
+ 
+

roles/framework/files/framework.conf

@@ -0,0 +1 @@
+/opt/MESA/lib/

roles/framework/tasks/main.yml

@@ -0,0 +1,40 @@
+- name: "copy framework rpms to destination server"
+  synchronize:
+    src: "{{ role_path }}/files/"
+    dest: "/tmp/ansible_deploy/"
+
+- name: "install framework packages"
+  yum:
+    name: "{{ packages }}"
+    state: present
+    skip_broken: yes
+  vars:
+    packages:
+      - /tmp/ansible_deploy/libcjson-1.7.10.ab2896f-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libdocumentanalyze-2.0.6.2d1abe0-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libmaatframe-3.1.10.653727e-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libMESA_field_stat-1.0.2.6d45eed-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libMESA_field_stat2-2.9.10.72ac4f1-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libMESA_handle_logger-2.0.7.cb4ad71-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libMESA_htable-3.10.12.cf4ccfc-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libMESA_prof_load-1.0.6.c6da36a-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/librdkafka-0.11.4-1.el7.x86_64.rpm
+      - /tmp/ansible_deploy/librulescan-2.2.2.e5a4457-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libtsglua-1.0.8.0dbf2e6-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libwiredcfg-2.0.6.67ae0ab-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libWiredLB-2.0.5.4629165-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/lz4-1.7.5-3.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libbreakpad_mini-1.0.2.a56ef00-2.el7.x86_64.rpm
+
+- name: "mkdir /etc/ld.so.conf.d/"
+  file:
+    path: /etc/ld.so.conf.d/
+    state: directory
+
+- name: "copy framework.conf to destination server"
+  copy:
+    src: "{{ role_path }}/files/framework.conf"
+    dest: /etc/ld.so.conf.d/
+
+- name: "update ld"
+  command: ldconfig

roles/kernel-ml/files/grub

@@ -0,0 +1,8 @@
+GRUB_TIMEOUT=5
+GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
+GRUB_DEFAULT=saved
+GRUB_DISABLE_SUBMENU=true
+GRUB_TERMINAL="serial console"
+GRUB_SERIAL_COMMAND="serial --speed=115200"
+GRUB_CMDLINE_LINUX="crashkernel=auto console=ttyS0,115200 intel_iommu=on iommu=pt pci=realloc,assign-busses"
+GRUB_DISABLE_RECOVERY="true"

roles/kernel-ml/tasks/main.yml

@@ -0,0 +1,45 @@
+---
+- name: "copy framework rpms to destination server"
+  synchronize:
+    src: "{{ role_path }}/files/"
+    dest: "/tmp/ansible_deploy/"
+
+- name: "install kernels-ml"
+  yum:
+    name:
+      - /tmp/ansible_deploy/pkgconfig-0.27.1-4.el7.x86_64.rpm
+      - /tmp/ansible_deploy/zlib-devel-1.2.7-17.el7.x86_64.rpm
+      - /tmp/ansible_deploy/elfutils-libelf-devel-0.168-8.el7.x86_64.rpm
+      - /tmp/ansible_deploy/kernel/kernel-ml-5.1.8-1.el7.elrepo.x86_64.rpm
+      - /tmp/ansible_deploy/kernel/kernel-ml-devel-5.1.8-1.el7.elrepo.x86_64.rpm
+      - /tmp/ansible_deploy/dkms-2.7.1-1.el7.noarch.rpm
+    state: present
+  register: t_kernel_ml
+
+- name: "set kernel-ml as default kernel"
+  command: /usr/sbin/grub2-set-default 0
+  when: t_kernel_ml.changed
+
+- name: "copy /etc/default/grub"
+  copy:
+    src: "{{ role_path }}/files/grub"
+    dest: "/etc/default"
+  when: 
+    - tsg_access_type == 4
+    - t_kernel_ml.changed
+
+- name: "BIOS:grub2-mkconfig"
+  shell: grub2-mkconfig -o /boot/grub2/grub.cfg
+  when:
+    - tsg_access_type == 4
+    - t_kernel_ml.changed
+
+- name: "UEFI:grub2-mkconfig"
+  shell: grub2-mkconfig  -o /boot/efi/EFI/centos/grub.cfg
+  when:
+    - tsg_access_type == 4
+    - t_kernel_ml.changed
+
+- name: "reboot"
+  reboot:
+  when: t_kernel_ml.changed

roles/mrzcpd/tasks/main.yml

@@ -0,0 +1,192 @@
+---
+- name: "copy mrzcpd to destination server"
+  synchronize:
+    src: "{{ role_path }}/files/"
+    dest: "/tmp/ansible_deploy/"
+
+- name: "install mrzcpd"
+  yum:
+    name: /tmp/ansible_deploy/mrzcpd-4.3.30.4627eb7-1.el7.x86_64.rpm
+    state: present
+
+- name: "update sysconfig/mrzcpd"
+  template:
+    src: "{{ role_path }}/templates/mrzcpd.j2"
+    dest: /etc/sysconfig/mrzcpd
+
+- name: "update mrglobal.conf - traffic_mirror"
+  template:
+    src: "{{ role_path }}/templates/traffic_mirror/mrglobal.conf.traffic_mirror.j2"
+    dest: /opt/mrzcpd/etc/mrglobal.conf
+  when: nic_traffic_mirror is defined
+
+
+- name: "copy mrapp.sapp4.conf to destination server"
+  template:
+    src: "{{ role_path }}/templates/mrapp.sapp4.conf "
+    dest: /opt/mrzcpd/etc/mrapp.sapp4.conf 
+  when: 
+    - tsg_access_type == 4
+
+- name: "update mrglobal.conf.adc_inline"
+  template:
+    src: "{{ role_path }}/templates/adc_inline/mrglobal.conf.adc_inline.j2"
+    dest: /opt/mrzcpd/etc/mrglobal.conf
+  when: 
+    - nic_traffic_mirror is not defined
+    - tsg_access_type == 1
+    - tsg_running_type == 2
+
+- name: "update mrglobal.conf.server_inline"
+  template:
+    src: "{{ role_path }}/templates/server_inline/mrglobal.conf.server_inline.j2"
+    dest: /opt/mrzcpd/etc/mrglobal.conf
+  when: 
+    - nic_traffic_mirror is not defined
+    - tsg_access_type == 1
+    - tsg_running_type != 2
+
+- name: "update mrglobal.conf.allot - mcn0"
+  template:
+    src: "{{ role_path }}/templates/allot_access/mrglobal.conf.allot_access.j2"
+    dest: /opt/mrzcpd/etc/mrglobal.conf
+  when: 
+    - nic_traffic_mirror is not defined
+    - tsg_access_type == 2
+
+- name: "update mrglobal.conf.adc_tun_mode - mcn0"
+  template:
+    src: "{{ role_path }}/templates/adc_tun_mode/mrglobal.conf.adc_tun_mode.j2"
+    dest: /opt/mrzcpd/etc/mrglobal.conf
+  when: 
+    - nic_traffic_mirror is not defined
+    - tsg_access_type == 3
+
+
+- name: "update mrglobal.conf.ATCA_Vlan_Flipping"
+  template:
+    src: "{{ role_path }}/templates/ATCA_Vlan_Flipping/mrglobal.conf.ATCA_Vlan_Flipping.j2"
+    dest: /opt/mrzcpd/etc/mrglobal.conf
+  when: 
+    - nic_traffic_mirror is not defined
+    - tsg_access_type == 4
+
+- name: "update mrglobal.conf.ATCA_VXLAN"
+  template:
+    src: "{{ role_path }}/templates/ATCA_VXLAN/mrglobal.conf.ATCA_VXLAN.j2"
+    dest: /opt/mrzcpd/etc/mrglobal.conf
+  when:
+    - nic_traffic_mirror is not defined
+    - tsg_access_type == 5
+
+- name: "update mrtunnat.conf.adc_inline"
+  template:
+    src: "{{ role_path }}/templates/adc_inline/mrtunnat.conf.adc_inline.j2"
+    dest: /opt/mrzcpd/etc/mrtunnat.conf
+  when: 
+    - nic_traffic_mirror is not defined
+    - tsg_access_type == 1
+    - tsg_running_type == 2 
+
+- name: "update mrtunnat.conf.server_inline"
+  template:
+    src: "{{ role_path }}/templates/server_inline/mrtunnat.conf.server_inline.j2"
+    dest: /opt/mrzcpd/etc/mrtunnat.conf
+  when: 
+    - nic_traffic_mirror is not defined
+    - tsg_access_type == 1
+    - tsg_running_type != 2 
+
+- name: "update mrtunnat.conf.allot_access - mcn0"
+  template:
+    src: "{{ role_path }}/templates/allot_access/mrtunnat.conf.allot_access.j2"
+    dest: /opt/mrzcpd/etc/mrtunnat.conf
+  when: 
+    - nic_traffic_mirror is not defined
+    - tsg_access_type == 2
+
+- name: "update mrtunnat.conf.adc_tun_mode - mcn0"
+  template:
+    src: "{{ role_path }}/templates/adc_tun_mode/mrtunnat.conf.adc_tun_mode.j2"
+    dest: /opt/mrzcpd/etc/mrtunnat.conf
+  when: 
+    - nic_traffic_mirror is not defined
+    - tsg_access_type == 3
+
+- name: "update mrtunnat.conf.ATCA_Vlan_Flipping"
+  template:
+    src: "{{ role_path }}/templates/ATCA_Vlan_Flipping/mrtunnat.conf.ATCA_Vlan_Flipping.j2"
+    dest: /opt/mrzcpd/etc/mrtunnat.conf
+  when: 
+    - nic_traffic_mirror is not defined
+    - tsg_access_type == 4
+
+- name: "update mrtunnat.conf.ATCA_VXLAN"
+  template:
+    src: "{{ role_path }}/templates/ATCA_VXLAN/mrtunnat.conf.ATCA_VXLAN.j2"
+    dest: /opt/mrzcpd/etc/mrtunnat.conf
+  when:
+    - nic_traffic_mirror is not defined
+    - tsg_access_type == 5
+
+- name: "enable mrenv"
+  systemd:
+    name: mrenv
+    enabled: yes
+    daemon_reload: yes
+  when: 
+    - tsg_access_type != 0
+
+- name: "enable mrzcpd"
+  systemd:
+    name: mrzcpd
+    enabled: yes
+    daemon_reload: yes
+  when: 
+    - tsg_access_type != 0
+
+- name: "enable prometheus output - monit_device"
+  systemd:
+    name: mrapm_device
+    enabled: yes
+    daemon_reload: yes
+
+- name: "enable prometheus output - monit_stream"
+  systemd:
+    name: mrapm_stream
+    enabled: yes
+    daemon_reload: yes
+
+- name: "enable mrtunnat on master"
+  systemd:
+    name: mrtunnat
+    enabled: no
+    daemon_reload: yes
+  when: 
+    - nic_traffic_mirror is not defined
+    - tsg_access_type != 0
+
+- name: "disable mrtunnat on slave"
+  systemd:
+    name: mrtunnat
+    enabled: no
+    daemon_reload: yes
+  when: nic_traffic_mirror is defined
+
+- name: "mask mrzcpd on server_tun_mode"
+  systemd:
+    name: mrzcpd
+    enabled: no
+    masked: yes
+    daemon_reload: yes
+  when: 
+    - tsg_access_type == 0
+
+- name: "mask mrtunnat on server_tun_mode"
+  systemd:
+    name: mrtunnat
+    enabled: no
+    masked: yes
+    daemon_reload: yes
+  when: 
+    - tsg_access_type == 0

roles/mrzcpd/templates/ATCA_VXLAN/mrglobal.conf.ATCA_VXLAN.j2

@@ -0,0 +1,57 @@
+[device]
+device={{ATCA_data_incoming.vf0_name}},{{ ATCA_data_incoming.vf1_name }},vxlan_user,vxlan_fwd
+sz_tunnel=8192
+sz_buffer=32
+
+[device:{{ATCA_data_incoming.vf0_name}}]
+mtu=4096
+clear_tx_flags=1
+hw_strip_crc=1
+in_addr={{ ATCA_VXLAN.keepalive_ip }}
+in_mask={{ ATCA_VXLAN.keepalive_mask }}
+#rssmode=3
+
+[device:{{ ATCA_data_incoming.vf1_name }}]
+mtu=4096
+clear_tx_flags=1
+vlan-filter=1
+vlan-strip=1
+vlan-id-allow=4095
+vlan-pvid=0
+vlan-pvid-mode=2
+hw_strip_crc=1
+sz_tunnel=8192
+sz_buffer=0
+
+[service]
+# lcore id for i/o service, use comma to split
+iocore={{ mrzcpd.iocore }}
+distmode=1
+hashmode=0
+idle_threshold=10000
+
+[eal]
+virtaddr=0x7f40c4a00000
+loglevel=7
+
+[keepalive]
+check_spinlock=0
+
+[ctrlzone]
+ctrlzone0=tunnat,64
+
+[pool]
+create_mode=3
+sz_direct_pktmbuf=4194304
+sz_indirect_pktmbuf=8192
+sz_cache=256
+sz_data=4096
+
+[forward]
+nr_forward_rule=6
+forward_rule_0=pv,{{ATCA_data_incoming.vf0_name}},{{ATCA_data_incoming.vf0_name}}
+forward_rule_1=vp,{{ATCA_data_incoming.vf0_name}},{{ATCA_data_incoming.vf0_name}}
+forward_rule_2=vv,vxlan_fwd,vxlan_user
+forward_rule_3=vv,vxlan_user,vxlan_fwd
+forward_rule_4=pv,{{ ATCA_data_incoming.vf1_name }},{{ ATCA_data_incoming.vf1_name }}
+forward_rule_5=vp,{{ ATCA_data_incoming.vf1_name }},{{ ATCA_data_incoming.vf1_name }}

roles/mrzcpd/templates/ATCA_VXLAN/mrtunnat.conf.ATCA_VXLAN.j2

@@ -0,0 +1,20 @@
+[tunnat]
+lcore_id={{ mrtunnat.lcore_id }}
+appsym=tunnat
+phydev={{ATCA_data_incoming.vf0_name}}
+virtdev=vxlan_fwd
+nr_max_sessions=524280
+nr_slots=1048576
+expire_time=60
+reverse_tunnel=0
+use_recent_tunnel=0
+use_link_info_table=1
+use_tuple4_as_sskey=0
+ctrlzone_addr_info_type=2
+idle_threshold=10000
+
+[vlan_flipping]
+enable=0
+c_router_vlan_id_0=1000
+i_router_vlan_id_0=1001
+en_mac_flipping_0=0

roles/mrzcpd/templates/ATCA_Vlan_Flipping/mrglobal.conf.ATCA_Vlan_Flipping.j2

@@ -0,0 +1,60 @@
+[device]
+device={{ATCA_data_incoming.vf0_name}},{{ ATCA_data_incoming.vf1_name }},vxlan_user,vxlan_fwd
+sz_tunnel=8192
+sz_buffer=32
+
+[device:{{ATCA_data_incoming.vf0_name}}]
+mtu=4096
+clear_tx_flags=1
+vlan-filter=1
+vlan-strip=1
+vlan-id-allow={{ ATCA_VlanFlipping.vlanID_1 }},{{ ATCA_VlanFlipping.vlanID_2 }},{{ ATCA_VlanFlipping.vlanID_3 }},{{ ATCA_VlanFlipping.vlanID_4 }}
+vlan-pvid=0
+vlan-pvid-mode=2
+hw_strip_crc=1
+#rssmode=3
+
+[device:{{ ATCA_data_incoming.vf1_name }}]
+mtu=4096
+clear_tx_flags=1
+vlan-filter=1
+vlan-strip=1
+vlan-id-allow=4095
+vlan-pvid=0
+vlan-pvid-mode=2
+hw_strip_crc=1
+sz_tunnel=8192
+sz_buffer=0
+
+[service]
+# lcore id for i/o service, use comma to split
+iocore={{ mrzcpd.iocore }}
+distmode=1
+hashmode=0
+idle_threshold=10000
+
+[eal]
+virtaddr=0x7f40c4a00000
+loglevel=7
+
+[keepalive]
+check_spinlock=0
+
+[ctrlzone]
+ctrlzone0=tunnat,64
+
+[pool]
+create_mode=3
+sz_direct_pktmbuf=4194304
+sz_indirect_pktmbuf=8192
+sz_cache=256
+sz_data=4096
+
+[forward]
+nr_forward_rule=6
+forward_rule_0=pv,{{ATCA_data_incoming.vf0_name}},{{ATCA_data_incoming.vf0_name}}
+forward_rule_1=vp,{{ATCA_data_incoming.vf0_name}},{{ATCA_data_incoming.vf0_name}}
+forward_rule_2=vv,vxlan_fwd,vxlan_user
+forward_rule_3=vv,vxlan_user,vxlan_fwd
+forward_rule_4=pv,{{ ATCA_data_incoming.vf1_name }},{{ ATCA_data_incoming.vf1_name }}
+forward_rule_5=vp,{{ ATCA_data_incoming.vf1_name }},{{ ATCA_data_incoming.vf1_name }}

roles/mrzcpd/templates/ATCA_Vlan_Flipping/mrtunnat.conf.ATCA_Vlan_Flipping.j2

@@ -0,0 +1,23 @@
+[tunnat]
+lcore_id={{ mrtunnat.lcore_id }}
+appsym=tunnat
+phydev={{ATCA_data_incoming.vf0_name}}
+virtdev=vxlan_fwd
+nr_max_sessions=524280
+nr_slots=1048576
+expire_time=60
+reverse_tunnel=0
+use_recent_tunnel=0
+use_link_info_table=1
+use_tuple4_as_sskey=0
+ctrlzone_addr_info_type=2
+idle_threshold=10000
+
+[vlan_flipping]
+enable=1
+c_router_vlan_id_0={{ ATCA_VlanFlipping.vlanID_1 }}
+i_router_vlan_id_0={{ ATCA_VlanFlipping.vlanID_2 }}
+en_mac_flipping_0=0
+c_router_vlan_id_1={{ ATCA_VlanFlipping.vlanID_3 }}
+i_router_vlan_id_1={{ ATCA_VlanFlipping.vlanID_4 }}
+en_mac_flipping_1=0

roles/mrzcpd/templates/adc_inline/mrglobal.conf.adc_inline.j2

@@ -0,0 +1,67 @@
+[device]
+device={{nic_data_incoming.name}},{{nic_to_tfe.tfe0.name}},{{nic_to_tfe.tfe1.name}},{{nic_to_tfe.tfe2.name}},vxlan_user,vxlan_fwd
+sz_tunnel=8192
+sz_buffer=0
+
+[device:{{nic_data_incoming.name}}]
+in_addr={{inline_device_config.keepalive_ip}}
+in_mask={{inline_device_config.keepalive_mask}}
+jumbo_frame=1
+max_rx_pkt_len=15360
+clear_tx_flags=1
+vlan-filter=1
+vlan-id-allow=1000,1001,4000,4001
+
+[device:{{nic_to_tfe.tfe0.name}}]
+jumbo_frame=1
+max_rx_pkt_len=15360
+clear_tx_flags=1
+promisc=1
+
+[device:{{nic_to_tfe.tfe1.name}}]
+jumbo_frame=1
+max_rx_pkt_len=15360
+clear_tx_flags=1
+promisc=1
+
+[device:{{nic_to_tfe.tfe2.name}}]
+jumbo_frame=1
+max_rx_pkt_len=15360
+clear_tx_flags=1
+promisc=1
+
+[service]
+# lcore id for i/o service, use comma to split
+iocore={{ mcn0_mrzcpd.iocore }}
+distmode=2
+hashmode=0
+
+[eal]
+virtaddr=0x7f40c4a00000
+loglevel=7
+
+[keepalive]
+check_spinlock=0
+
+[ctrlzone]
+ctrlzone0=tunnat,64
+
+[pool]
+create_mode=3
+sz_direct_pktmbuf=4194304
+sz_indirect_pktmbuf=8192
+sz_cache=256
+sz_data=4096
+
+[forward]
+nr_forward_rule=10
+forward_rule_0=pv,{{nic_data_incoming.name}},{{nic_data_incoming.name}}
+forward_rule_1=vp,{{nic_data_incoming.name}},{{nic_data_incoming.name}}
+forward_rule_2=vv,vxlan_fwd,vxlan_user
+forward_rule_3=vv,vxlan_user,vxlan_fwd
+forward_rule_4=pv,{{nic_to_tfe.tfe0.name}},{{nic_to_tfe.tfe0.name}}
+forward_rule_5=vp,{{nic_to_tfe.tfe0.name}},{{nic_to_tfe.tfe0.name}}
+forward_rule_6=pv,{{nic_to_tfe.tfe1.name}},{{nic_to_tfe.tfe1.name}}
+forward_rule_7=vp,{{nic_to_tfe.tfe1.name}},{{nic_to_tfe.tfe1.name}}
+forward_rule_8=pv,{{nic_to_tfe.tfe2.name}},{{nic_to_tfe.tfe2.name}}
+forward_rule_9=vp,{{nic_to_tfe.tfe2.name}},{{nic_to_tfe.tfe2.name}}

roles/mrzcpd/templates/adc_inline/mrtunnat.conf.adc_inline.j2

@@ -0,0 +1,21 @@
+[tunnat]
+lcore_id={{ mrtunnat.lcore_id }}
+appsym=tunnat
+phydev={{nic_data_incoming.name}}
+virtdev=vxlan_fwd
+nr_max_sessions=524280
+nr_slots=1048576
+expire_time=60
+reverse_tunnel=0
+use_recent_tunnel=0
+use_tuple4_as_sskey=1
+ctrlzone_addr_info_type=2
+
+[vlan_flipping]
+enable=1
+c_router_vlan_id_0=1000
+i_router_vlan_id_0=1001
+en_mac_flipping_0=0
+c_router_vlan_id_1=4000
+i_router_vlan_id_1=4001
+en_mac_flipping_1=0

roles/mrzcpd/templates/adc_tun_mode/mrglobal.conf.adc_tun_mode.j2

@@ -0,0 +1,68 @@
+[device]
+device={{nic_data_incoming.name}},{{nic_to_tfe.tfe0.name}},{{nic_to_tfe.tfe1.name}},{{nic_to_tfe.tfe2.name}},vxlan_user,vxlan_fwd
+sz_tunnel=8192
+sz_buffer=0
+
+[device:{{nic_data_incoming.name}}]
+jumbo_frame=1
+max_rx_pkt_len=15360
+clear_tx_flags=1
+vlan-filter=1
+vlan-id-allow=1000,1001,2000,2001,4000,4001
+vlan-pvid=0
+vlan-pvid-mode=2
+promisc=1
+
+[device:{{nic_to_tfe.tfe0.name}}]
+jumbo_frame=1
+max_rx_pkt_len=15360
+clear_tx_flags=1
+promisc=1
+
+[device:{{nic_to_tfe.tfe1.name}}]
+jumbo_frame=1
+max_rx_pkt_len=15360
+clear_tx_flags=1
+promisc=1
+
+[device:{{nic_to_tfe.tfe2.name}}]
+jumbo_frame=1
+max_rx_pkt_len=15360
+clear_tx_flags=1
+promisc=1
+
+[service]
+# lcore id for i/o service, use comma to split
+iocore={{ mrzcpd.iocore }}
+distmode=2
+hashmode=0
+
+[eal]
+virtaddr=0x7f40c4a00000
+loglevel=7
+
+[keepalive]
+check_spinlock=0
+
+[ctrlzone]
+ctrlzone0=tunnat,64
+
+[pool]
+create_mode=3
+sz_direct_pktmbuf=4194304
+sz_indirect_pktmbuf=8192
+sz_cache=256
+sz_data=4096
+
+[forward]
+nr_forward_rule=10
+forward_rule_0=pv,{{nic_data_incoming.name}},{{nic_data_incoming.name}}
+forward_rule_1=vp,{{nic_data_incoming.name}},{{nic_data_incoming.name}}
+forward_rule_2=vv,vxlan_fwd,vxlan_user
+forward_rule_3=vv,vxlan_user,vxlan_fwd
+forward_rule_4=pv,{{nic_to_tfe.tfe0.name}},{{nic_to_tfe.tfe0.name}}
+forward_rule_5=vp,{{nic_to_tfe.tfe0.name}},{{nic_to_tfe.tfe0.name}}
+forward_rule_6=pv,{{nic_to_tfe.tfe1.name}},{{nic_to_tfe.tfe1.name}}
+forward_rule_7=vp,{{nic_to_tfe.tfe1.name}},{{nic_to_tfe.tfe1.name}}
+forward_rule_8=pv,{{nic_to_tfe.tfe2.name}},{{nic_to_tfe.tfe2.name}}
+forward_rule_9=vp,{{nic_to_tfe.tfe2.name}},{{nic_to_tfe.tfe2.name}}

roles/mrzcpd/templates/adc_tun_mode/mrtunnat.conf.adc_tun_mode.j2

@@ -0,0 +1,24 @@
+[tunnat]
+lcore_id={{ mrtunnat.lcore_id }}
+appsym=tunnat
+phydev={{nic_data_incoming.name}}
+virtdev=vxlan_fwd
+nr_max_sessions=524280
+nr_slots=1048576
+expire_time=60
+reverse_tunnel=0
+use_recent_tunnel=0
+use_tuple4_as_sskey=1
+ctrlzone_addr_info_type=2
+
+[vlan_flipping]
+enable=1
+c_router_vlan_id_0=1000
+i_router_vlan_id_0=1001
+en_mac_flipping_0=0
+c_router_vlan_id_1=2000
+i_router_vlan_id_1=2001
+en_mac_flipping_1=0
+c_router_vlan_id_2=4000
+i_router_vlan_id_2=4001
+en_mac_flipping_2=0

roles/mrzcpd/templates/allot_access/mrglobal.conf.allot_access.j2

@@ -0,0 +1,69 @@
+[device]
+device=ens1f4,ens1f5,ens1f6,ens1f7,vxlan_user,vxlan_fwd
+sz_tunnel=8192
+sz_buffer=0
+
+[device:ens1f4]
+jumbo_frame=1
+max_rx_pkt_len=15360
+clear_tx_flags=1
+vlan-filter=1
+vlan-id-allow={{ AllotAccess.virturlID_1 }},{{ AllotAccess.virturlID_2 }},{{ AllotAccess.virturlID_3 }},{{ AllotAccess.virturlID_4 }},4000,4001
+vlan-pvid=0
+vlan-pvid-mode=2
+promisc=1
+
+[device:ens1f5]
+jumbo_frame=1
+max_rx_pkt_len=15360
+clear_tx_flags=1
+promisc=1
+
+[device:ens1f6]
+jumbo_frame=1
+max_rx_pkt_len=15360
+clear_tx_flags=1
+promisc=1
+
+[device:ens1f7]
+jumbo_frame=1
+max_rx_pkt_len=15360
+clear_tx_flags=1
+promisc=1
+
+[service]
+# lcore id for i/o service, use comma to split
+iocore={{ mcn0_mrzcpd.iocore }}
+distmode=2
+hashmode=0
+
+[eal]
+virtaddr=0x7f40c4a00000
+loglevel=7
+
+[keepalive]
+check_spinlock=0
+
+[ctrlzone]
+ctrlzone0=tunnat,64
+
+[pool]
+create_mode=3
+sz_direct_pktmbuf=4194304
+sz_indirect_pktmbuf=8192
+sz_cache=256
+sz_data=4096
+
+[forward]
+nr_forward_rule=10
+forward_rule_0=pv,ens1f4,ens1f4
+forward_rule_1=vp,ens1f4,ens1f4
+forward_rule_2=vv,vxlan_fwd,vxlan_user
+forward_rule_3=vv,vxlan_user,vxlan_fwd
+forward_rule_4=pv,ens1f5,ens1f5
+forward_rule_5=vp,ens1f5,ens1f5
+forward_rule_6=pv,ens1f6,ens1f6
+forward_rule_7=vp,ens1f6,ens1f6
+forward_rule_8=pv,ens1f7,ens1f7
+forward_rule_9=vp,ens1f7,ens1f7
+

roles/mrzcpd/templates/allot_access/mrtunnat.conf.allot_access.j2

@@ -0,0 +1,25 @@
+[tunnat]
+lcore_id={{ mrtunnat.lcore_id }}
+appsym=tunnat
+phydev=ens1f4
+virtdev=vxlan_fwd
+nr_max_sessions=524280
+nr_slots=1048576
+expire_time=60
+reverse_tunnel=0
+use_recent_tunnel=0
+use_tuple4_as_sskey=1
+ctrlzone_addr_info_type=2
+
+[vlan_flipping]
+enable=1
+c_router_vlan_id_0={{ AllotAccess.virturlID_1 }}
+i_router_vlan_id_0={{ AllotAccess.virturlID_2 }}
+en_mac_flipping_0=1
+c_router_vlan_id_1={{ AllotAccess.virturlID_3 }}
+i_router_vlan_id_1={{ AllotAccess.virturlID_4 }}
+en_mac_flipping_1=1
+c_router_vlan_id_2=4000
+i_router_vlan_id_2=4001
+en_mac_flipping_2=0
+

roles/mrzcpd/templates/mrapp.sapp4.conf

@@ -0,0 +1,2 @@
+[bpfdump:vxlan_user]
+enable=1

roles/mrzcpd/templates/mrzcpd.j2

@@ -0,0 +1,3 @@
+MRZCPD_ROOT=/opt/mrzcpd
+HUGEPAGE_NUM_2M=16384
+DEFAULT_UIO_MODULE="igb_uio"

roles/mrzcpd/templates/server_inline/mrglobal.conf.server_inline.j2

@@ -0,0 +1,47 @@
+[device]
+device={{inline_device_config.data_incoming}},vxlan_user,vxlan_fwd
+sz_tunnel=8192
+sz_buffer=0
+
+[device:{{inline_device_config.data_incoming}}]
+in_addr={{inline_device_config.keepalive_ip}}
+in_mask={{inline_device_config.keepalive_mask}}
+jumbo_frame=1
+max_rx_pkt_len=15360
+clear_tx_flags=1
+
+#[device:]
+#jumbo_frame=1
+#max_rx_pkt_len=15360
+#clear_tx_flags=1
+#promisc=1
+
+[service]
+# lcore id for i/o service, use comma to split
+iocore={{ mrzcpd.iocore }}
+distmode=2
+hashmode=0
+
+[eal]
+virtaddr=0x7f40c4a00000
+loglevel=7
+
+[keepalive]
+check_spinlock=0
+
+[ctrlzone]
+ctrlzone0=tunnat,64
+
+[pool]
+create_mode=3
+sz_direct_pktmbuf=4194304
+sz_indirect_pktmbuf=8192
+sz_cache=256
+sz_data=4096
+
+[forward]
+nr_forward_rule=4
+forward_rule_0=pv,{{inline_device_config.data_incoming}},{{inline_device_config.data_incoming}}
+forward_rule_1=vp,{{inline_device_config.data_incoming}},{{inline_device_config.data_incoming}}
+forward_rule_2=vv,vxlan_fwd,vxlan_user
+forward_rule_3=vv,vxlan_user,vxlan_fwd

roles/mrzcpd/templates/server_inline/mrtunnat.conf.server_inline.j2

@@ -0,0 +1,18 @@
+[tunnat]
+lcore_id={{ mrtunnat.lcore_id }}
+appsym=tunnat
+phydev={{inline_device_config.data_incoming}}
+virtdev=vxlan_fwd
+nr_max_sessions=524280
+nr_slots=1048576
+expire_time=60
+reverse_tunnel=0
+use_recent_tunnel=0
+use_tuple4_as_sskey=1
+ctrlzone_addr_info_type=2
+
+[vlan_flipping]
+enable=0
+c_router_vlan_id_0=1000
+i_router_vlan_id_0=1001
+en_mac_flipping_0=0

roles/mrzcpd/templates/traffic_mirror/mrglobal.conf.traffic_mirror.j2

@@ -0,0 +1,27 @@
+[device]
+device={{nic_traffic_mirror.name}}
+sz_tunnel=8192
+sz_buffer=0
+
+[device:{{nic_traffic_mirror.name}}]
+jumbo_frame=1
+max_rx_pkt_len=15360
+clear_tx_flags=1
+promisc=1
+
+[service]
+iocore={{ mcn123_mrzcpd.iocore }}
+
+[eal]
+virtaddr=0x7d0000000000
+loglevel=7
+
+[keepalive]
+check_spinlock=1
+
+[pool]
+create_mode=3
+sz_direct_pktmbuf=4194304
+sz_indirect_pktmbuf=8192
+sz_cache=256
+sz_data=4096

roles/sapp/files/memory.conf

@@ -0,0 +1,3 @@
+[Service]
+MemoryLimit=80G
+ExecStartPost=/bin/bash -c "echo 80G > /sys/fs/cgroup/memory/system.slice/sapp.service/memory.memsw.limit_in_bytes"

roles/sapp/files/tera_fake_promisc_setup.conf

@@ -0,0 +1,2 @@
+[Service]
+ExecStartPre=/bin/bash tera_fake_promisc_setup.sh

roles/sapp/files/tera_fake_promisc_setup.sh

@@ -0,0 +1,4 @@
+set -ex
+dp_adapter_ether_addr=$(ifconfig ens1f2 | grep ether | awk '{print $2}')
+bpf_rule="ether dst $dp_adapter_ether_addr or ether dst 02:42:c0:a8:fd:03 or ether dst 02:42:c0:a8:fd:83 or ether dst 02:42:c0:a8:fd:82"
+sed -i "/BSD_packet_filter=/s/=.*/=\"$bpf_rule\"/" etc/sapp.toml

roles/sapp/tasks/main.yml

@@ -0,0 +1,104 @@
+---
+- name: "copy sapp to destination server"
+  copy:
+    src: "{{ role_path }}/files/"
+    dest: /tmp/ansible_deploy/
+
+- name: "copy maat_redis_tool to destination server"
+  copy:
+    src: "{{ role_path }}/files/maat_redis_tool"
+    dest: /usr/local/bin
+    mode: 0755
+
+- name: "install sapp rpms from localhost"
+  yum:
+    name:
+      - /tmp/ansible_deploy/sapp-4.2.25.893d15d-2.el7.x86_64.rpm
+    state: present
+ 
+- name: "install tcpdump_mesa rpms from localhost"
+  yum:
+    name:
+      - /tmp/ansible_deploy/tcpdump_mesa-1.0.2.0c5a950-2.el7.x86_64.rpm
+    state: present
+    skip_broken: yes
+
+- name: "mkdir tsgconf"
+  file:
+    path: /home/mesasoft/sapp_run/tsgconf
+    state: directory
+
+- name: Template the sapp.toml
+  template:
+    src: "{{ role_path }}/templates/sapp.toml.j2"
+    dest: /home/mesasoft/sapp_run/etc/sapp.toml
+  tags: template
+
+- name: Template the project_list.conf
+  template:
+    src: "{{ role_path }}/templates/project_list.conf.j2"
+    dest: /home/mesasoft/sapp_run/etc/project_list.conf
+  tags: template
+
+- name: Template the conflist.inf
+  template:
+    src: "{{ role_path }}/templates/conflist.inf.j2"
+    dest: /home/mesasoft/sapp_run/plug/conflist.inf
+  tags: template
+
+- name: Template the sapp_log.conf
+  template:
+    src: "{{ role_path }}/templates/sapp_log.conf.j2"
+    dest: /home/mesasoft/sapp_run/etc/sapp_log.conf
+  tags: template
+
+- name: Template the sapp_tmpfile.conf
+  template:
+    src: "{{ role_path }}/templates/sapp_tmpfile.conf.j2"
+    dest: /etc/tmpfiles.d/sapp_tmpfile.conf
+  tags: template
+
+- name: Template the gdev.conf
+  template:
+    src: "{{ role_path }}/templates/gdev.conf.j2"
+    dest: /home/mesasoft/sapp_run/etc/gdev.conf
+  when: tsg_access_type == 1
+
+- name: Template the vlan_flipping_map.conf
+  template:
+    src: "{{ role_path }}/templates/vlan_flipping_map.conf.j2"
+    dest: /home/mesasoft/sapp_run/etc/vlan_flipping_map.conf
+  when: tsg_access_type == 2
+
+
+- name: "Template sapp.service destination server"
+  template:
+    src: "{{ role_path }}/templates/sapp.service.j2"
+    dest: /usr/lib/systemd/system/sapp.service
+    mode: 0755
+
+- name: "copy memory limit file to sapp.service.d"
+  copy:
+    src: "{{ role_path }}/files/memory.conf"
+    dest: /etc/systemd/system/sapp.service.d/
+    mode: 0644
+
+- name: "copy fake promisc tools for tera mode - service file"
+  copy:
+    src: "{{ role_path }}/files/tera_fake_promisc_setup.conf"
+    dest: /etc/systemd/system/sapp.service.d/
+    mode: 0644
+  when: tsg_access_type == 2
+
+- name: "copy fake promisc tools for tera mode - scripts"
+  copy:
+    src: "{{ role_path }}/files/tera_fake_promisc_setup.sh"
+    dest: /home/mesasoft/sapp_run/tera_fake_promisc_setup.sh
+    mode: 0755
+  when: tsg_access_type == 2
+ 
+- name: "enable sapp"
+  systemd:
+    name: sapp
+    enabled: yes
+    daemon_reload: yes

roles/sapp/templates/conflist.inf.j2

@@ -0,0 +1,12 @@
+[platform]
+
+[protocol]
+./plug/protocol/ssl/ssl.inf
+./plug/protocol/http/http.inf
+./plug/protocol/dns/dns.inf
+./plug/protocol/mail/mail.inf
+./plug/protocol/ftp/ftp.inf
+./plug/protocol/quic/quic.inf
+./plug/protocol/l2tp_protocol_plug/l2tp_protocol_plug.inf
+
+[business]

roles/sapp/templates/gdev.conf.j2

@@ -0,0 +1,11 @@
+[Module]
+{% if tsg_running_type == 2 %}
+pcapdevice={{ nic_data_incoming.name }}
+sendto_gdev_card={{ nic_data_incoming.name }}
+sendto_gdev_ip={{ inline_device_config.keepalive_ip }}
+{% else %}
+pcapdevice={{ inline_device_config.data_incoming }}
+sendto_gdev_card={{ inline_device_config.data_incoming }}
+sendto_gdev_ip={{ inline_device_config.keepalive_ip }}
+{% endif %}
+gdev_status_switch=1

roles/sapp/templates/project_list.conf.j2

@@ -0,0 +1,20 @@
+tcp_flow_stat           struct
+udp_flow_stat           struct
+tcp_deduce_flow_stat    struct
+POLICY_PRIORITY	struct
+ESTABLISH_LATENCY	long
+MAIL_IDENTIFY	int
+TSG_MASTER_INTERNAL_LABEL	struct
+APP_ID_LABEL	struct
+BASIC_PROTO_LABEL	struct
+USER_DEFINED_ATTRIBUTE	struct
+SKETCH_TRANS_LAYER_CTX_LABEL    struct
+SKETCH_PROTO_CTX_LABEL   struct
+common_link_info_c2s	struct
+common_link_info_s2c	struct
+common_link_info struct
+JA3_FINGERPRINT_LABEL	struct
+DKPT_PRO_V2	struct
+DPKT_PROJECT_V2	struct
+PPROJECT_PRO_V2	struct
+DPKT_BHSTAT_PROJECT	struct

roles/sapp/templates/sapp.service.j2

@@ -0,0 +1,22 @@
+[Unit]
+Description=sapp service
+{% if tsg_running_type != 0 %}
+Requires=mrzcpd.service
+After=mrzcpd.service
+{% endif %}
+[Service]
+Type=notify
+WorkingDirectory=/home/mesasoft/sapp_run
+ExecStart=/home/mesasoft/sapp_run/sapp
+TimeoutSec=900s
+RestartSec=10s
+Restart=always
+LimitNOFILE=524288
+LimitNPROC=infinity
+LimitCORE=0
+TasksMax=infinity
+Delegate=yes
+KillMode=process
+
+[Install]
+WantedBy=multi-user.target

roles/sapp/templates/sapp.toml.j2

@@ -0,0 +1,225 @@
+###################################################################################################
+# NOTE:
+#    The format of this file is toml (https://github.com/cktan/tomlc99)
+#    to make vim editor display colorful and human readable, 
+#    you can create a symbolic links named sapp.ini to sapp.toml, ln -sf sapp.toml sapp.ini
+###################################################################################################
+
+[SYSTEM]
+instance_name = "sapp4"
+
+[CPU]
+{% if tsg_access_type == 0 %}
+worker_threads=1
+{% else %}
+worker_threads={{ sapp.worker_threads }}
+{% endif %}
+send_only_threads_max={{ sapp.send_only_threads_max }}
+### note, bind_mask, if you do not want to bind thread to special CPU core, keep it empty as []
+{% if tsg_access_type == 0 %}
+bind_mask=[]
+{% else %}
+bind_mask=[{{ sapp.bind_mask }}]
+{% endif %}
+
+[MEM]
+dictator_enable=0
+
+[PACKET_IO]
+
+    [overlay_tunnel_definition]
+### note, since 2020-10-01, L2-L3 tunnel(VLAN,MPLS,PPPOE,etc.) is process and offload by mrtunnat, 	
+### after 2020-10-01, sapp support L2-L3 tunnel(VLAN,MPLS,PPPOE,etc.) without mrtunnat.
+    l2_l3_tunnel_support=1
+
+### note, optional value is [none, vxlan]
+    overlay_mode=none
+    stream_compare_layer_cfg_file="etc/stream_compare_layer.conf"
+    vlan_flipping_cfg_file="etc/vlan_flipping_map.conf"
+    asymmetric_presence_layer_cfg_file="etc/asymmetric_presence_layer.conf"
+    asymmetric_addr_layer_cfg_file="etc/asymmetric_addr_layer.conf"
+    prune_inject_layer_cfg_file="etc/prune_inject_layer.conf"
+
+    [packet_io.feature]
+	
+	{% if tsg_access_type == 4 %}
+	### note, used to represent inbound or outbound direction value,
+	### because it comes from Third party device, so it needs to be specified manually,
+	### if inbound_route_dir=1, then outbound_route_dir=0, vice versa,
+	### in other words, outbound_route_dir = 1 ^ inbound_route_dir;
+	inbound_route_dir={{ sapp.inbound_route_dir }}
+	{% endif %}
+	
+### note, BSD_packet_filter, if you do not want to set any filter rule, keep it empty as ""
+    BSD_packet_filter=""
+
+### note, same as tcpdump -Q/-P arg, possible values are `in', `out' and `inout', default is "in"
+    pcap_capture_direction="in"
+
+
+### note, depolyment.mode options: [sys_route, vxlan_by_inline_device, raw_ethernet_single_gateway, raw_ethernet_multi_gateway]
+### sys_route: send ip(ipv6) packet by system route table, this is default mode in mirror mode;
+### vxlan_by_inline_device: encapsulation inject packet with vxlan, and then send to inline device by udp socket.
+### raw_ethernet_single_gateway: send layer2 ethernet packet to specific gateway in same broadcast domain. 
+### raw_ethernet_multi_gateway: send layer2 ethernet packet to multiple gateway in same broadcast domain. 
+    inject_pkt_mode=sys_route
+
+### note, this config is valid if inject_pkt_mode==vxlan_by_inline_device, means udp socket src port.
+    inject_mode_inline_device_sport=54789
+
+### note, this config is valid if inject_pkt_mode==raw_ethernet_single_gateway.
+    inject_mode_single_gateway_device="eth1"
+### inject_mode_single_gateway_src_mac has lower priority than get smac from inject_mode_single_gateway_device
+    inject_mode_single_gateway_src_mac="00:11:22:77:88:99"
+    inject_mode_single_gateway_dst_mac="00:11:22:33:44:55"
+    dumpfile_sleep_time_before_exit=3
+   
+### note, depolyment.mode options: [mirror, inline, transparent]
+    [packet_io.depolyment]
+    {% if tsg_access_type == 0 %}
+    mode=transparent
+    {% else %}
+    mode=inline
+    {% endif %}
+
+### note, interface.type options: [pag,pcap,marsio]
+    [packet_io.internal.interface]
+    {% if tsg_access_type == 0 %}
+    type=pcap
+    name={{packet_io.internal_interface}}
+    {% else %}
+    type=marsio
+    name={{nic_data_incoming.name}}
+    {% endif %}
+
+    [packet_io.external.interface]
+    {% if tsg_access_type == 0 %}
+    type=pcap
+    name={{packet_io.external_interface}}
+    {% else %}
+    type=pcap
+    name=lo
+    {% endif %}
+
+    [packet_io.polling]
+### note, polling_priority = call sapp_recv_pkt every call polling_entry times,     
+    polling_priority=1
+
+[PROTOCOL_FEATURE]
+    ipv6_decapsulation_enabled=1
+    ipv6_send_packet_enabled=1
+    tcp_drop_pure_ack_pkt=0
+    tcp_syn_option_parse_enabled=1 
+    skip_not_ip_layer_over_eth=0
+    treat_vlan_as_mac_in_mac=0
+    reverse_ethernet_addr=1
+
+	
+[STREAM]
+### note, stream_id_base_time format is "%Y-%m-%d %H:%M:%S" 
+    stream_id_base_time="2018-08-08 08:00:00"
+    [stream.tcp]
+    max=100000
+    timeout=30
+    syn_mandatory=1
+    reorder_pkt_max=128
+    analyse_option_enabled=1
+    tuple4_reuse_time_interval=30
+
+    meaningful_statistics_minimum_pkt=3
+    meaningful_statistics_minimum_byte=5
+    
+        [stream.tcp.inject]
+        link_mss=1460
+	  
+        [stream.tcp.inject.rst]
+        auto_remedy=0
+        number=3
+        signature_enabled=1
+        signature_seed1=65535
+        signature_seed2=13
+        remedy_kill_tcp_by_inline_device=0
+	
+    [stream.udp]
+    max=100000
+    timeout=60
+    meaningful_statistics_minimum_pkt=3
+    meaningful_statistics_minimum_byte=5
+    
+
+[PROFILING]
+    [profiling.pkt_latency]
+    enabled=0
+### note, threshold unit is microseconds (us)
+    threshold=1000000
+	
+    [profiling.sanity_check]
+    raw_pkt_broken_enabled=0
+    symbol_conflict_enabled=0
+  
+    [profiling.log]
+    level=10
+    interval=5
+    
+        [profiling.log.local]
+        enabled=1
+### note, if "file_truncate_open_enabled=1", file will be truncated, otherwise open the file for appending.	 
+        file_truncate_enabled = 1
+        log_file_name = "fs2_sysinfo.log"
+        log_conf_name = "etc/sapp_log.conf"
+        [profiling.log.remote]
+        enabled=1
+        server_ip=127.0.0.1
+        server_port=8100
+
+        [profiling.log.remote.field_stat2]
+### note, is valid when "remote_send_out_type=field_stat2"	 
+### note, metric_type option value: [default, json]
+        metric_type = default
+        app_name=sapp
+     
+        [profiling.log.prometheus]
+        prometheus_enabled={{ sapp_prometheus_enable }}
+        prometheus_port={{ sapp_prometheus_port }}
+        prometheus_url_path="{{ sapp_prometheus_url_path }}"
+
+[TOOLS]
+    [tools.pkt_dump]
+    enabled=1
+### note, mode options value:[storage, udp_socket]
+    mode=udp_socket
+    BSD_packet_filter=""
+   
+        [tools.pkt_dump.threads]
+### note, if you want enable pkt dump in all thread, set dump_thread_all_enabled=1, then 'dump_thread_id' is obsoleted.
+###       if dump_thread_all_enabled=0, then use dump_thread_id to specify separate specified thread index.
+        all_threads_enabled=1
+   
+### note, dump_thread_id start from 0, max is CPU.worker_threads-1
+        dump_thread_id=[0,1,2,3,4]
+   
+        [tools.pkt_dump.udp]
+        command_port=9345
+
+        [tools.pkt_dump.storage]
+### note, file path must be double quotation mark extension, for example,  path="/dev/shm/pkt_dump"
+        path="/dev/shm/pkt_dump"
+### note, file size unit: MB
+        file_size_max_per_thread=10000 
+
+### note:
+### These configurations format is complex and difficult to describe with toml grammar,
+### so, create a Independent config file to description specific information.
+[SPECIAL_CONFIG_LINK]	 
+    project_list_path="./etc/project_list.conf"
+    plugin_path="./etc/plugin.conf"
+    entrylist_path="./etc/entrylist.conf"
+    send_raw_pkt_path="./etc/send_raw_pkt.conf"
+    vxlan_sport_service_map_path="./etc/vxlan_sport_service_map.conf"
+
+[breakpad]
+    disable_coredump=1
+    enable_breakpad=1
+    breakpad_minidump_dir="/tmp/crashreport"
+    enable_breakpad_upload=1
+    breakpad_upload_url="{{ breakpad_upload_url }}"

roles/sapp/templates/sapp_log.conf.j2

@@ -0,0 +1,14 @@
+[global]
+default format = "%d(%c), %V, %U, %m%n"
+[levels]
+DEBUG=10
+INFO=20
+FATAL=30
+[formats]
+other = "%d(%c), %V, %F, %U, %m%n"
+plugin = "%d(%c), %m%n"
+[rules]
+__log_runtimelog.info    "./log/runtimelog.%d(%F)"
+__log_runtimelog_plugin.fatal    >stdout; plugin
+__log_runtimelog_plugin.info    "./log/plugin.log"; plugin
+!.fatal    "./log/%c.%d(%F)"; other

roles/sapp/templates/sapp_tmpfile.conf.j2

@@ -0,0 +1 @@
+d /home/mesasoft/sapp_run/log          	    0755 - -   2d -

roles/sapp/templates/vlan_flipping_map.conf.j2

@@ -0,0 +1,11 @@
+#for inline a device vlan flipping 
+#数据包来自C路由器端, 即C2I(I2E)方向, 
+#数据包来自I路由器端, 即I2C(E2I)方向, 
+#平台会根据vlan_id,设置当前包route_dir的值, 以便上层业务插件做两个方向的流量统计,
+#如果一对vlan_id写反了, 网络是通的, 但是I2E,E2I的流量统计就颠倒了.
+#配置文件格式, pattern:
+#来自C路由器vlan_id	  	来自I路由器vlan_id   	是否开启mac地址翻转
+#C_router_vlan_id  I_router_vlan_id mac_flipping_enable
+1301	1302	1
+1201	1202	1
+4000	4001	0

server_deploy.yml

@@ -0,0 +1,10 @@
+- hosts: server_as_tun_mode
+  remote_user: root
+  vars_files:
+    - install_config/group_vars/server_as_tun_mode.yml
+  roles:
+    - {role: framework, tags: framework}
+    - {role: kernel-ml, tags: kernel-ml}
+    - {role: mrzcpd, tags: mrzcpd}
+    - {role: sapp, tags: sapp}
+    - {role: firewall, tags: firewall}