diff options
author | Dave Barach <dave@barachs.net> | 2019-03-06 11:14:03 -0500 |
---|---|---|
committer | Florin Coras <florin.coras@gmail.com> | 2019-03-06 17:19:22 +0000 |
commit | a55df1081762b4e40698ef7d9196551851be646a (patch) | |
tree | eb1867e1de1fc78d18da9067d04423dfdb199cd1 /src/plugins/ct6/ct6.h | |
parent | e275bed64d12009726fcf43943f1684195cd1e5d (diff) |
ipv6 connection tracking plugin
A security feature: drop unsolicited global unicast traffic.
Change-Id: I421da7d52e08b7acf40c62a1f6e2a6caac349e7e
Signed-off-by: Dave Barach <dave@barachs.net>
Diffstat (limited to 'src/plugins/ct6/ct6.h')
-rw-r--r-- | src/plugins/ct6/ct6.h | 179 |
1 files changed, 179 insertions, 0 deletions
diff --git a/src/plugins/ct6/ct6.h b/src/plugins/ct6/ct6.h new file mode 100644 index 00000000000..534534f5c99 --- /dev/null +++ b/src/plugins/ct6/ct6.h @@ -0,0 +1,179 @@ + +/* + * ct6.h - skeleton vpp engine plug-in header file + * + * Copyright (c) <current-year> <your-organization> + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#ifndef __included_ct6_h__ +#define __included_ct6_h__ + +#include <vnet/vnet.h> +#include <vnet/ip/ip.h> +#include <vnet/ethernet/ethernet.h> +#include <vppinfra/bihash_48_8.h> + +#include <vppinfra/hash.h> +#include <vppinfra/error.h> + +/* *INDENT-OFF* */ +typedef CLIB_PACKED (struct +{ + union + { + struct + { + /* out2in */ + ip6_address_t src; + ip6_address_t dst; + u16 sport; + u16 dport; + u8 proto; /* byte 37 */ + }; + u64 as_u64[6]; + }; +}) ct6_session_key_t; +/* *INDENT-ON* */ + +typedef struct +{ + ct6_session_key_t key; + u32 thread_index; + u32 next_index; + u32 prev_index; + u32 hits; + f64 expires; +} ct6_session_t; + +typedef struct +{ + /* API message ID base */ + u16 msg_id_base; + + /* session lookup table */ + clib_bihash_48_8_t session_hash; + u8 feature_initialized; + + /* per_thread session pools */ + ct6_session_t **sessions; + u32 *first_index; + u32 *last_index; + + /* Config parameters */ + f64 session_timeout_interval; + uword session_hash_memory; + u32 session_hash_buckets; + u32 max_sessions_per_worker; + + /* convenience */ + vlib_main_t *vlib_main; + vnet_main_t *vnet_main; + ethernet_main_t *ethernet_main; +} ct6_main_t; + +extern ct6_main_t ct6_main; + +extern vlib_node_registration_t ct6_out2in_node; +extern vlib_node_registration_t ct6_in2out_node; + +format_function_t format_ct6_session; + +ct6_session_t *ct6_create_or_recycle_session (ct6_main_t * cmp, + clib_bihash_kv_48_8_t * kvpp, + f64 now, u32 my_thread_index, + u32 * recyclep, u32 * createp); + +static inline void +ct6_lru_remove (ct6_main_t * cmp, ct6_session_t * s0) +{ + ct6_session_t *next_sess, *prev_sess; + u32 thread_index; + u32 s0_index; + + thread_index = s0->thread_index; + + s0_index = s0 - cmp->sessions[thread_index]; + + /* Deal with list heads */ + if (s0_index == cmp->first_index[thread_index]) + cmp->first_index[thread_index] = s0->next_index; + if (s0_index == cmp->last_index[thread_index]) + cmp->last_index[thread_index] = s0->prev_index; + + /* Fix next->prev */ + if (s0->next_index != ~0) + { + next_sess = pool_elt_at_index (cmp->sessions[thread_index], + s0->next_index); + next_sess->prev_index = s0->prev_index; + } + /* Fix prev->next */ + if (s0->prev_index != ~0) + { + prev_sess = pool_elt_at_index (cmp->sessions[thread_index], + s0->prev_index); + prev_sess->next_index = s0->next_index; + } +} + +static inline void +ct6_lru_add (ct6_main_t * cmp, ct6_session_t * s0, f64 now) +{ + ct6_session_t *next_sess; + u32 thread_index; + u32 s0_index; + + s0->hits++; + s0->expires = now + cmp->session_timeout_interval; + thread_index = s0->thread_index; + + s0_index = s0 - cmp->sessions[thread_index]; + + /* + * Re-add at the head of the forward LRU list, + * tail of the reverse LRU list + */ + if (cmp->first_index[thread_index] != ~0) + { + next_sess = pool_elt_at_index (cmp->sessions[thread_index], + cmp->first_index[thread_index]); + next_sess->prev_index = s0_index; + } + + s0->prev_index = ~0; + + /* s0 now the new head of the LRU forward list */ + s0->next_index = cmp->first_index[thread_index]; + cmp->first_index[thread_index] = s0_index; + + /* single session case: also the tail of the reverse LRU list */ + if (cmp->last_index[thread_index] == ~0) + cmp->last_index[thread_index] = s0_index; +} + +static inline void +ct6_update_session_hit (ct6_main_t * cmp, ct6_session_t * s0, f64 now) +{ + ct6_lru_remove (cmp, s0); + ct6_lru_add (cmp, s0, now); +} + +#endif /* __included_ct6_h__ */ + +/* + * fd.io coding-style-patch-verification: ON + * + * Local Variables: + * eval: (c-set-style "gnu") + * End: + */ |