diff options
| author |   Steven Luong <sluong@cisco.com> | 2024-11-08 08:35:14 -0800 |
|---|---|---|
| committer |   Florin Coras <florin.coras@gmail.com> | 2024-12-08 23:39:24 +0000 |
| commit | 2e67a3f37798bb7ae68e53554a163a4945a46e4b (patch) | |
| tree | 8a7f5642528e5ee777ea0c994fe4f846155de4e6 | |
| parent | fd896fc9faeae2a97adf4b53ca15c7e36365021c (diff) | |
session: add ip4-fib-id and ip6-fib-id to app ns CLI
Problem
The API app_namespace_add_del allows specifying ip4_fib_id and
ip6_fib_id. But the CLI does not. It only allows interface.
Interface binding may change after the application namespace
is created and there is no registration for the callback
when the interface binding changes.
Fix
Add ip4-fib-id and ip6-fib-id to app ns CLI. When both
interface and fib-id's are specified, interface takes
precedence. When interface is not specified, either ip4-fib-id
or ip6-fib-id or both ip4 and ip6 fib-id's may be specified.
If only ip4-fib-id is specified, ip6 is disable for this
particular app namespace. If only ip6-fib-id is specified,
ip4 is disable for this namespace.
When the interface binding changes to different vrf and the
application namespace was created via interface option, we
delete the application namespace and recreate the application
namespace with the new interface binding. Notice when the
application namespace is removed, all session rules and
sdl rules previously created for the deleted application
namespace will be deleted. However, if the fib table/session
table was shared by another namespace, the other namespace
will still contain the session rules and sdl rules.
Type: improvement
Change-Id: I76eb30da1ed8a39d06694c1e66d0675bf03516bf
Signed-off-by: Steven Luong <sluong@cisco.com>
| -rw-r--r-- | src/vnet/interface.h | 16 | ||||
| -rw-r--r-- | src/vnet/session/application_namespace.c | 149 | ||||
| -rw-r--r-- | src/vnet/session/session_lookup.c | 4 | ||||
| -rw-r--r-- | test/asf/test_session.py | 155 |
4 files changed, 312 insertions, 12 deletions
diff --git a/src/vnet/interface.h b/src/vnet/interface.h index f0cb540f979..eb557fdef8b 100644 --- a/src/vnet/interface.h +++ b/src/vnet/interface.h @@ -191,6 +191,22 @@ static __clib_unused void * __clib_unused_##f = f; #define VNET_SW_INTERFACE_ADMIN_UP_DOWN_FUNCTION_PRIO(f,p) \ _VNET_INTERFACE_FUNCTION_DECL_PRIO(f,sw_interface_admin_up_down, p) +#define VNET_SW_INTERFACE_TABLE_BIND_V4_CB(f) \ + { \ + ip4_table_bind_callback_t cb = { \ + .function = f, \ + }; \ + vec_add1 (ip4_main.table_bind_callbacks, cb); \ + } + +#define VNET_SW_INTERFACE_TABLE_BIND_V6_CB(f) \ + { \ + ip6_table_bind_callback_t cb = { \ + .function = f, \ + }; \ + vec_add1 (ip6_main.table_bind_callbacks, cb); \ + } + /** * Tunnel description parameters */ diff --git a/src/vnet/session/application_namespace.c b/src/vnet/session/application_namespace.c index 5930c34dce5..c1c8527fb02 100644 --- a/src/vnet/session/application_namespace.c +++ b/src/vnet/session/application_namespace.c @@ -107,6 +107,7 @@ vnet_app_namespace_add_del (vnet_app_namespace_add_del_args_t *a) session_table_t *st; u32 ns_index; session_error_t rv; + u32 ip4_fib_index, ip6_fib_index; if (a->is_add) { @@ -115,6 +116,10 @@ vnet_app_namespace_add_del (vnet_app_namespace_add_del_args_t *a) a->sw_if_index)) return SESSION_E_INVALID; + /* + * sw_if_index takes precedence over fib_id's. + * When sw_if_index is provided, overwrite what's in fib_id's + */ if (a->sw_if_index != APP_NAMESPACE_INVALID_INDEX) { a->ip4_fib_id = @@ -124,8 +129,23 @@ vnet_app_namespace_add_del (vnet_app_namespace_add_del_args_t *a) fib_table_get_table_id_for_sw_if_index (FIB_PROTOCOL_IP6, a->sw_if_index); } - if (a->sw_if_index == APP_NAMESPACE_INVALID_INDEX - && a->ip4_fib_id == APP_NAMESPACE_INVALID_INDEX) + /* Either sw_if_index or one of 2 fib_id's must be provided */ + if (a->sw_if_index == APP_NAMESPACE_INVALID_INDEX && + a->ip4_fib_id == APP_NAMESPACE_INVALID_INDEX && + a->ip6_fib_id == APP_NAMESPACE_INVALID_INDEX) + return SESSION_E_INVALID; + + /* Validate the fib_id's */ + ip4_fib_index = fib_table_find (FIB_PROTOCOL_IP4, a->ip4_fib_id); + ip6_fib_index = fib_table_find (FIB_PROTOCOL_IP6, a->ip6_fib_id); + if ((ip4_fib_index == ~0) && (ip6_fib_index == ~0)) + return SESSION_E_INVALID; + + /* if fib_id entered, check fib_id exist */ + if (((a->ip4_fib_id != APP_NAMESPACE_INVALID_INDEX) && + (ip4_fib_index == ~0)) || + ((a->ip6_fib_id != APP_NAMESPACE_INVALID_INDEX) && + (ip6_fib_index == ~0))) return SESSION_E_INVALID; app_ns = app_namespace_get_from_id (a->ns_id); @@ -169,8 +189,8 @@ vnet_app_namespace_add_del (vnet_app_namespace_add_del_args_t *a) app_ns->ns_secret = a->secret; app_ns->sw_if_index = a->sw_if_index; - app_ns->ip4_fib_index = fib_table_find (FIB_PROTOCOL_IP4, a->ip4_fib_id); - app_ns->ip6_fib_index = fib_table_find (FIB_PROTOCOL_IP6, a->ip6_fib_id); + app_ns->ip4_fib_index = ip4_fib_index; + app_ns->ip6_fib_index = ip6_fib_index; session_lookup_set_tables_appns (app_ns); } else @@ -266,11 +286,98 @@ appns_sapi_enabled (void) return app_sapi_enabled; } +static void +app_namespace_table_bind_v4 (ip4_main_t *im, uword opaque, u32 sw_if_index, + u32 new_fib_index, u32 old_fib_index) +{ + app_namespace_t *app_ns; + + pool_foreach (app_ns, app_namespace_pool) + { + if (app_ns->sw_if_index == sw_if_index) + { + /* + * For add, call vnet_app_namespace_add_del without sw_if_index and + * keep the existing ip6_fib_index. + */ + vnet_app_namespace_add_del_args_t add = { + .ns_id = vec_dup (app_ns->ns_id), + .secret = app_ns->ns_secret, + .sw_if_index = APP_NAMESPACE_INVALID_INDEX, + .sock_name = vec_dup (app_ns->sock_name), + .ip4_fib_id = + fib_table_get_table_id (new_fib_index, FIB_PROTOCOL_IP4), + .ip6_fib_id = + fib_table_get_table_id (app_ns->ip6_fib_index, FIB_PROTOCOL_IP6), + .is_add = 1, + }; + vnet_app_namespace_add_del_args_t del = { + .ns_id = app_ns->ns_id, + .is_add = 0, + }; + vnet_app_namespace_add_del (&del); + + vnet_app_namespace_add_del (&add); + + /* keep the sw_if_index */ + app_ns->sw_if_index = sw_if_index; + + vec_free (add.ns_id); + vec_free (add.sock_name); + } + } +} + +static void +app_namespace_table_bind_v6 (ip6_main_t *im, uword opaque, u32 sw_if_index, + u32 new_fib_index, u32 old_fib_index) +{ + app_namespace_t *app_ns; + + pool_foreach (app_ns, app_namespace_pool) + { + if (app_ns->sw_if_index == sw_if_index) + { + /* + * For add, call vnet_app_namespace_add_del without sw_if_index and + * keep the existing ip4_fib_index. + */ + vnet_app_namespace_add_del_args_t add = { + .ns_id = vec_dup (app_ns->ns_id), + .secret = app_ns->ns_secret, + .sw_if_index = APP_NAMESPACE_INVALID_INDEX, + .sock_name = vec_dup (app_ns->sock_name), + .ip4_fib_id = + fib_table_get_table_id (app_ns->ip4_fib_index, FIB_PROTOCOL_IP4), + .ip6_fib_id = + fib_table_get_table_id (new_fib_index, FIB_PROTOCOL_IP6), + .is_add = 1, + }; + vnet_app_namespace_add_del_args_t del = { + .ns_id = app_ns->ns_id, + .is_add = 0, + }; + vnet_app_namespace_add_del (&del); + + vnet_app_namespace_add_del (&add); + + /* keep the sw_if_index */ + app_ns->sw_if_index = sw_if_index; + + vec_free (add.ns_id); + vec_free (add.sock_name); + } + } +} + void app_namespaces_init (void) { u8 *ns_id = format (0, "default"); + VNET_SW_INTERFACE_TABLE_BIND_V4_CB (app_namespace_table_bind_v4); + VNET_SW_INTERFACE_TABLE_BIND_V6_CB (app_namespace_table_bind_v6); + if (!app_namespace_lookup_table) app_namespace_lookup_table = hash_create_vec (0, sizeof (u8), sizeof (uword)); @@ -298,9 +405,11 @@ app_ns_fn (vlib_main_t * vm, unformat_input_t * input, vlib_cli_command_t * cmd) { u8 is_add = 0, *ns_id = 0, secret_set = 0, sw_if_index_set = 0; + u8 fib6_id_set = 0, fib4_id_set = 0; u8 *sock_name = 0; unformat_input_t _line_input, *line_input = &_line_input; - u32 sw_if_index, fib_id = APP_NAMESPACE_INVALID_INDEX; + u32 sw_if_index = APP_NAMESPACE_INVALID_INDEX; + u32 fib4_id = ~0, fib6_id = ~0; vnet_main_t *vnm = vnet_get_main (); u64 secret; clib_error_t *error = 0; @@ -326,8 +435,10 @@ app_ns_fn (vlib_main_t * vm, unformat_input_t * input, else if (unformat (line_input, "if %U", unformat_vnet_sw_interface, vnm, &sw_if_index)) sw_if_index_set = 1; - else if (unformat (line_input, "fib_id", &fib_id)) - ; + else if (unformat (line_input, "ip4-fib-id %u", &fib4_id)) + fib4_id_set = 1; + else if (unformat (line_input, "ip6-fib-id %u", &fib6_id)) + fib6_id_set = 1; else if (unformat (line_input, "sock-name %_%v%_", &sock_name)) ; else @@ -344,9 +455,23 @@ app_ns_fn (vlib_main_t * vm, unformat_input_t * input, goto done; } - if (is_add && (!secret_set || !sw_if_index_set)) + if (is_add && + (!secret_set || (!sw_if_index_set && !fib4_id_set && !fib6_id_set))) + { + vlib_cli_output (vm, "secret and interface or fib-id must be provided"); + goto done; + } + + /* Validate the fib-id is valid */ + if (fib4_id_set && (fib_table_find (FIB_PROTOCOL_IP4, fib4_id) == ~0)) + { + vlib_cli_output (vm, "ip4-fib-id %u does not exist", fib4_id); + goto done; + } + + if (fib6_id_set && (fib_table_find (FIB_PROTOCOL_IP6, fib6_id) == ~0)) { - vlib_cli_output (vm, "secret and interface must be provided"); + vlib_cli_output (vm, "ip6-fib-id %u does not exist", fib6_id); goto done; } @@ -356,7 +481,8 @@ app_ns_fn (vlib_main_t * vm, unformat_input_t * input, .secret = secret, .sw_if_index = sw_if_index, .sock_name = sock_name, - .ip4_fib_id = fib_id, + .ip4_fib_id = fib4_id, + .ip6_fib_id = fib6_id, .is_add = is_add, }; /* clang-format on */ @@ -376,7 +502,8 @@ done: VLIB_CLI_COMMAND (app_ns_command, static) = { .path = "app ns", .short_help = "app ns [add|del] id <namespace-id> secret <secret> " - "sw_if_index <sw_if_index> if <interface>", + "sw_if_index <sw_if_index> " + "{ip4-fib-id <id> ip6-fib-id <id> | if <interface>}", .function = app_ns_fn, }; diff --git a/src/vnet/session/session_lookup.c b/src/vnet/session/session_lookup.c index 3a99c0b5aaf..28a1feb1ed8 100644 --- a/src/vnet/session/session_lookup.c +++ b/src/vnet/session/session_lookup.c @@ -1454,6 +1454,8 @@ session_lookup_set_tables_appns (app_namespace_t * app_ns) for (fp = 0; fp < ARRAY_LEN (fib_index_to_table_index); fp++) { fib_index = app_namespace_get_fib_index (app_ns, fp); + if (fib_index == ~0) + continue; st = session_table_get_or_alloc (fp, fib_index); if (st) { @@ -1953,6 +1955,8 @@ session_lookup_table_cleanup (u32 fib_proto, u32 fib_index, u32 ns_index) u32 table_index, appns_index; int i; + if (fib_index == ~0) + return; session_lookup_fib_table_unlock (fib_index, fib_proto); table_index = session_lookup_get_index_for_fib (fib_proto, fib_index); st = session_table_get (table_index); diff --git a/test/asf/test_session.py b/test/asf/test_session.py index fe8da126195..79bbbd63b35 100644 --- a/test/asf/test_session.py +++ b/test/asf/test_session.py @@ -122,7 +122,6 @@ class TestSession(VppAsfTestCase): ip_t10.remove_vpp_config() -@tag_fixme_vpp_workers class TestApplicationNamespace(VppAsfTestCase): """Application Namespacee""" @@ -219,6 +218,160 @@ class TestApplicationNamespace(VppAsfTestCase): ) self.assertEqual(rv.retval, -1) + def test_application_namespace_binding(self): + """Application Namespace Interface Binding""" + + self.vapi.session_enable_disable_v2( + rt_engine_type=VppEnum.vl_api_rt_backend_engine_t.RT_BACKEND_ENGINE_API_RULE_TABLE + ) + + table_id = 99 + + # Bad ip4_fib_id + with self.vapi.assert_negative_api_retval(): + rv = self.vapi.app_namespace_add_del_v4( + is_add=1, namespace_id="2", ip4_fib_id=table_id, ip6_fib_id=0 + ) + self.assertEqual(rv.retval, -19) + + # Bad ip6_fib_id + with self.vapi.assert_negative_api_retval(): + rv = self.vapi.app_namespace_add_del_v4( + is_add=1, namespace_id="2", ip4_fib_id=0, ip6_fib_id=table_id + ) + self.assertEqual(rv.retval, -19) + + tbl = VppIpTable(self, table_id) + tbl.add_vpp_config() + + tbl6 = VppIpTable(self, table_id, is_ip6=1) + tbl6.add_vpp_config() + + # Not expecting an error with valid table_id's + self.vapi.app_namespace_add_del_v4( + is_add=1, namespace_id="2", ip4_fib_id=table_id, ip6_fib_id=table_id + ) + # delete + self.vapi.app_namespace_add_del_v4( + is_add=0, namespace_id="2", ip4_fib_id=table_id, ip6_fib_id=table_id + ) + + # ip4 only + self.vapi.app_namespace_add_del_v4( + is_add=1, namespace_id="2", ip4_fib_id=table_id, ip6_fib_id=0xFFFFFFFF + ) + # delete + self.vapi.app_namespace_add_del_v4( + is_add=0, namespace_id="2", ip4_fib_id=table_id, ip6_fib_id=0xFFFFFFFF + ) + + # ip6 only + self.vapi.app_namespace_add_del_v4( + is_add=1, namespace_id="2", ip4_fib_id=0xFFFFFFFF, ip6_fib_id=table_id + ) + # delete + self.vapi.app_namespace_add_del_v4( + is_add=0, namespace_id="2", ip4_fib_id=0xFFFFFFFF, ip6_fib_id=table_id + ) + + app0 = self.vapi.app_namespace_add_del_v4( + namespace_id="0", sw_if_index=self.loop0.sw_if_index, is_add=1 + ) + self.vapi.session_rule_add_del( + transport_proto=VppEnum.vl_api_transport_proto_t.TRANSPORT_PROTO_API_TCP, + lcl="172.100.1.1/32", + rmt="172.100.1.2/32", + lcl_port=5000, + rmt_port=5000, + action_index=1, + appns_index=app0.appns_index, + scope=VppEnum.vl_api_session_rule_scope_t.SESSION_RULE_SCOPE_API_GLOBAL, + is_add=1, + ) + dump = self.vapi.session_rules_v2_dump() + self.assertEqual(len(dump[1].appns_index), 2) + self.assertEqual(dump[1].count, 2) + + # move the interface to vrf 99 + self.vapi.sw_interface_set_table( + sw_if_index=self.loop0.sw_if_index, + is_ipv6=0, + vrf_id=table_id, + ) + dump = self.vapi.session_rules_v2_dump() + self.assertEqual(len(dump[1].appns_index), 1) + self.assertEqual(dump[1].count, 1) + + self.vapi.session_rule_add_del( + transport_proto=VppEnum.vl_api_transport_proto_t.TRANSPORT_PROTO_API_TCP, + lcl="172.100.1.1/32", + rmt="172.100.1.2/32", + lcl_port=5000, + rmt_port=5000, + action_index=1, + appns_index=0, + scope=VppEnum.vl_api_session_rule_scope_t.SESSION_RULE_SCOPE_API_GLOBAL, + is_add=0, + ) + + # move the interface to vrf 0 + self.vapi.sw_interface_set_table( + sw_if_index=self.loop0.sw_if_index, + is_ipv6=0, + vrf_id=0, + ) + + # try it with ip6 + self.vapi.session_rule_add_del( + transport_proto=VppEnum.vl_api_transport_proto_t.TRANSPORT_PROTO_API_TCP, + lcl="2001::1/128", + rmt="2002::1/128", + lcl_port=5000, + rmt_port=5000, + action_index=1, + appns_index=app0.appns_index, + scope=VppEnum.vl_api_session_rule_scope_t.SESSION_RULE_SCOPE_API_GLOBAL, + is_add=1, + ) + dump = self.vapi.session_rules_v2_dump() + self.assertEqual(len(dump[1].appns_index), 2) + self.assertEqual(dump[1].count, 2) + + self.vapi.sw_interface_set_table( + sw_if_index=self.loop0.sw_if_index, + is_ipv6=1, + vrf_id=table_id, + ) + dump = self.vapi.session_rules_v2_dump() + self.assertEqual(len(dump[1].appns_index), 2) + self.assertEqual(dump[1].count, 2) + + # move back to 0 + self.vapi.sw_interface_set_table( + sw_if_index=self.loop0.sw_if_index, + is_ipv6=1, + vrf_id=0, + ) + + self.vapi.session_rule_add_del( + transport_proto=VppEnum.vl_api_transport_proto_t.TRANSPORT_PROTO_API_TCP, + lcl="2001::1/128", + rmt="2002::1/128", + lcl_port=5000, + rmt_port=5000, + action_index=1, + appns_index=0, + scope=VppEnum.vl_api_session_rule_scope_t.SESSION_RULE_SCOPE_API_GLOBAL, + is_add=0, + ) + + self.vapi.app_namespace_add_del_v4( + namespace_id="0", sw_if_index=self.loop0.sw_if_index, is_add=0 + ) + + tbl.remove_vpp_config() + tbl6.remove_vpp_config() + @tag_fixme_vpp_workers class TestSessionUnitTests(VppAsfTestCase): |