diff options
author | Neale Ranns <nranns@cisco.com> | 2018-12-20 12:03:59 -0800 |
---|---|---|
committer | Neale Ranns <nranns@cisco.com> | 2018-12-21 18:12:25 +0000 |
commit | 1c17e2ecac42e001ce905418463edcb26fe58b01 (patch) | |
tree | a1c5c69e868d28eb3f3b338db4cde65eff7b2534 /src/plugins/gbp | |
parent | fc7344f9beffe506085730e8e03f7c8771deb3a6 (diff) |
GBP: add allowed ethertypes to contracts
Change-Id: I74782d3b9b71a071bb500c34866a017b8ee15767
Signed-off-by: Neale Ranns <nranns@cisco.com>
Diffstat (limited to 'src/plugins/gbp')
-rw-r--r-- | src/plugins/gbp/gbp.api | 2 | ||||
-rw-r--r-- | src/plugins/gbp/gbp_api.c | 26 | ||||
-rw-r--r-- | src/plugins/gbp/gbp_contract.c | 17 | ||||
-rw-r--r-- | src/plugins/gbp/gbp_contract.h | 8 | ||||
-rw-r--r-- | src/plugins/gbp/gbp_policy.c | 131 |
5 files changed, 129 insertions, 55 deletions
diff --git a/src/plugins/gbp/gbp.api b/src/plugins/gbp/gbp.api index bf7c167a42f..e96cb508387 100644 --- a/src/plugins/gbp/gbp.api +++ b/src/plugins/gbp/gbp.api @@ -295,6 +295,8 @@ typedef gbp_contract u32 acl_index; u8 n_rules; vl_api_gbp_rule_t rules[n_rules]; + u8 n_ether_types; + u16 allowed_ethertypes[n_ether_types]; }; autoreply define gbp_contract_add_del diff --git a/src/plugins/gbp/gbp_api.c b/src/plugins/gbp/gbp_api.c index 74355d1c033..8ea5a0e6d0a 100644 --- a/src/plugins/gbp/gbp_api.c +++ b/src/plugins/gbp/gbp_api.c @@ -924,8 +924,11 @@ static void vl_api_gbp_contract_add_del_t_handler (vl_api_gbp_contract_add_del_t * mp) { vl_api_gbp_contract_add_del_reply_t *rmp; + u16 *allowed_ethertypes; index_t *rules; - int rv = 0; + int ii, rv = 0; + u8 *data, n_et; + u16 *et; if (mp->is_add) { @@ -934,9 +937,28 @@ vl_api_gbp_contract_add_del_t_handler (vl_api_gbp_contract_add_del_t * mp) if (0 != rv) goto out; + allowed_ethertypes = NULL; + + /* + * move past the variable legnth array of rules to get to the + * allowed ether types + */ + data = (((u8 *) & mp->contract.n_ether_types) + + (sizeof (mp->contract.rules[0]) * mp->contract.n_rules)); + n_et = *data; + et = (u16 *) (++data); + vec_validate (allowed_ethertypes, n_et - 1); + + for (ii = 0; ii < n_et; ii++) + { + /* leave the ether types in network order */ + allowed_ethertypes[ii] = et[ii]; + } + rv = gbp_contract_update (ntohs (mp->contract.src_epg), ntohs (mp->contract.dst_epg), - ntohl (mp->contract.acl_index), rules); + ntohl (mp->contract.acl_index), + rules, allowed_ethertypes); } else rv = gbp_contract_delete (ntohs (mp->contract.src_epg), diff --git a/src/plugins/gbp/gbp_contract.c b/src/plugins/gbp/gbp_contract.c index ee12a760f4b..f7b8b6474c5 100644 --- a/src/plugins/gbp/gbp_contract.c +++ b/src/plugins/gbp/gbp_contract.c @@ -434,7 +434,8 @@ gbp_contract_mk_lbs (index_t * guis) int gbp_contract_update (epg_id_t src_epg, - epg_id_t dst_epg, u32 acl_index, index_t * rules) + epg_id_t dst_epg, + u32 acl_index, index_t * rules, u16 * allowed_ethertypes) { gbp_main_t *gm = &gbp_main; u32 *acl_vec = NULL; @@ -462,6 +463,7 @@ gbp_contract_update (epg_id_t src_epg, gbp_contract_rules_free (gc->gc_rules); gbp_main.acl_plugin.put_lookup_context_index (gc->gc_lc_index); gc->gc_rules = NULL; + vec_free (gc->gc_allowed_ethertypes); } else { @@ -474,6 +476,7 @@ gbp_contract_update (epg_id_t src_epg, GBP_CONTRACT_DBG ("update: %U", format_gbp_contract, gci); gc->gc_rules = rules; + gc->gc_allowed_ethertypes = allowed_ethertypes; gbp_contract_resolve (gc->gc_rules); gbp_contract_mk_lbs (gc->gc_rules); @@ -506,6 +509,7 @@ gbp_contract_delete (epg_id_t src_epg, epg_id_t dst_epg) gbp_contract_rules_free (gc->gc_rules); gbp_main.acl_plugin.put_lookup_context_index (gc->gc_lc_index); + vec_free (gc->gc_allowed_ethertypes); hash_unset (gbp_contract_db.gc_hash, key.as_u32); pool_put (gbp_contract_pool, gc); @@ -561,7 +565,7 @@ gbp_contract_cli (vlib_main_t * vm, if (add) { - gbp_contract_update (src_epg_id, dst_epg_id, acl_index, NULL); + gbp_contract_update (src_epg_id, dst_epg_id, acl_index, NULL, NULL); } else { @@ -604,6 +608,7 @@ format_gbp_contract (u8 * s, va_list * args) index_t gci = va_arg (*args, index_t); gbp_contract_t *gc; index_t *gui; + u16 *et; gc = gbp_contract_get (gci); @@ -615,6 +620,14 @@ format_gbp_contract (u8 * s, va_list * args) s = format (s, "\n %d: %U", *gui, format_gbp_rule, *gui); } + s = format (s, "\n allowed-ethertypes:["); + vec_foreach (et, gc->gc_allowed_ethertypes) + { + int host_et = clib_net_to_host_u16 (*et); + s = format (s, "0x%x, ", host_et); + } + s = format (s, "]"); + return (s); } diff --git a/src/plugins/gbp/gbp_contract.h b/src/plugins/gbp/gbp_contract.h index bd7d8339e21..876c10f3702 100644 --- a/src/plugins/gbp/gbp_contract.h +++ b/src/plugins/gbp/gbp_contract.h @@ -120,6 +120,11 @@ typedef struct gbp_contract_t_ * The ACL to apply for packets from the source to the destination EPG */ index_t *gc_rules; + + /** + * An ethertype whitelist + */ + u16 *gc_allowed_ethertypes; } gbp_contract_t; /** @@ -135,7 +140,8 @@ typedef struct gbp_contract_db_t_ extern int gbp_contract_update (epg_id_t src_epg, epg_id_t dst_epg, - u32 acl_index, index_t * rules); + u32 acl_index, + index_t * rules, u16 * allowed_ethertypes); extern int gbp_contract_delete (epg_id_t src_epg, epg_id_t dst_epg); extern index_t gbp_rule_alloc (gbp_rule_action_t action, diff --git a/src/plugins/gbp/gbp_policy.c b/src/plugins/gbp/gbp_policy.c index 3b204ff4da8..174223e09f7 100644 --- a/src/plugins/gbp/gbp_policy.c +++ b/src/plugins/gbp/gbp_policy.c @@ -106,6 +106,19 @@ gbp_rule_l2_redirect (const gbp_rule_t * gu, vlib_buffer_t * b0) return (dpo->dpoi_next_node); } +always_inline u8 +gbp_policy_is_ethertype_allowed (const gbp_contract_t * gc0, u16 ethertype) +{ + u16 *et; + + vec_foreach (et, gc0->gc_allowed_ethertypes) + { + if (*et == ethertype) + return (1); + } + return (0); +} + static uword gbp_policy_inline (vlib_main_t * vm, vlib_node_runtime_t * node, @@ -130,9 +143,9 @@ gbp_policy_inline (vlib_main_t * vm, { const ethernet_header_t *h0; const gbp_endpoint_t *ge0; + const gbp_contract_t *gc0; gbp_policy_next_t next0; gbp_contract_key_t key0; - gbp_contract_t *gc0; u32 bi0, sw_if_index0; vlib_buffer_t *b0; index_t gci0; @@ -204,66 +217,84 @@ gbp_policy_inline (vlib_main_t * vm, if (INDEX_INVALID != gci0) { + u32 rule_match_p0, trace_bitmap0; fa_5tuple_opaque_t pkt_5tuple0; - u8 action0 = 0; u32 acl_pos_p0, acl_match_p0; - u32 rule_match_p0, trace_bitmap0; - u8 *h0, l2_len0; + u8 is_ip60, l2_len0, action0; + const gbp_rule_t *gu; u16 ether_type0; - u8 is_ip60 = 0; + const u8 *h0; + action0 = 0; gc0 = gbp_contract_get (gci0); l2_len0 = vnet_buffer (b0)->l2.l2_len; h0 = vlib_buffer_get_current (b0); - ether_type0 = - clib_net_to_host_u16 (*(u16 *) (h0 + l2_len0 - 2)); - - is_ip60 = (ether_type0 == ETHERNET_TYPE_IP6) ? 1 : 0; - /* - * tests against the ACL - */ - acl_plugin_fill_5tuple_inline (gm-> - acl_plugin.p_acl_main, - gc0->gc_lc_index, b0, - is_ip60, - /* is_input */ 0, - /* is_l2_path */ 1, - &pkt_5tuple0); - acl_plugin_match_5tuple_inline (gm-> - acl_plugin.p_acl_main, - gc0->gc_lc_index, - &pkt_5tuple0, is_ip60, - &action0, &acl_pos_p0, - &acl_match_p0, - &rule_match_p0, - &trace_bitmap0); - - if (action0 > 0) - { - gbp_rule_t *gu; + ether_type0 = *(u16 *) (h0 + l2_len0 - 2); - vnet_buffer2 (b0)->gbp.flags |= VXLAN_GBP_GPFLAGS_A; - gu = gbp_rule_get (gc0->gc_rules[rule_match_p0]); + if (!gbp_policy_is_ethertype_allowed (gc0, ether_type0)) + { + /* + * black list model so drop + */ + goto trace; + } - switch (gu->gu_action) + if ((ether_type0 == + clib_net_to_host_u16 (ETHERNET_TYPE_IP6)) + || (ether_type0 == + clib_net_to_host_u16 (ETHERNET_TYPE_IP4))) + { + is_ip60 = + (ether_type0 == + clib_net_to_host_u16 (ETHERNET_TYPE_IP6)) ? 1 : + 0; + /* + * tests against the ACL + */ + acl_plugin_fill_5tuple_inline (gm-> + acl_plugin.p_acl_main, + gc0->gc_lc_index, b0, + is_ip60, + /* is_input */ 0, + /* is_l2_path */ 1, + &pkt_5tuple0); + acl_plugin_match_5tuple_inline (gm-> + acl_plugin.p_acl_main, + gc0->gc_lc_index, + &pkt_5tuple0, + is_ip60, &action0, + &acl_pos_p0, + &acl_match_p0, + &rule_match_p0, + &trace_bitmap0); + + if (action0 > 0) { - case GBP_RULE_PERMIT: - next0 = vnet_l2_feature_next - (b0, - gpm->l2_output_feat_next - [is_port_based], - (is_port_based ? - L2OUTPUT_FEAT_GBP_POLICY_PORT : - L2OUTPUT_FEAT_GBP_POLICY_MAC)); - break; - case GBP_RULE_DENY: - ASSERT (0); - next0 = 0; - break; - case GBP_RULE_REDIRECT: - next0 = gbp_rule_l2_redirect (gu, b0); - break; + vnet_buffer2 (b0)->gbp.flags |= + VXLAN_GBP_GPFLAGS_A; + gu = + gbp_rule_get (gc0->gc_rules[rule_match_p0]); + + switch (gu->gu_action) + { + case GBP_RULE_PERMIT: + next0 = vnet_l2_feature_next + (b0, + gpm->l2_output_feat_next + [is_port_based], + (is_port_based ? + L2OUTPUT_FEAT_GBP_POLICY_PORT : + L2OUTPUT_FEAT_GBP_POLICY_MAC)); + break; + case GBP_RULE_DENY: + ASSERT (0); + next0 = 0; + break; + case GBP_RULE_REDIRECT: + next0 = gbp_rule_l2_redirect (gu, b0); + break; + } } } } |