summaryrefslogtreecommitdiffstats
path: root/src/plugins/hsi
diff options
context:
space:
mode:
authorFlorin Coras <fcoras@cisco.com>2023-05-12 16:27:13 -0700
committerDave Wallace <dwallacelf@gmail.com>2023-05-15 22:04:55 +0000
commit4add3f4c8b5ea6c787bd374727787084a8b7dc78 (patch)
tree7c2bf03e3af07b4d368c72d11ae2aa2d18344da3 /src/plugins/hsi
parentf34420ff1169746c07946940ed165416a5908f06 (diff)
hsi: interop with ip reassembly
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I8d3a1939870601297ecccf4cda6767510c2abfa5
Diffstat (limited to 'src/plugins/hsi')
-rw-r--r--src/plugins/hsi/hsi.c65
1 files changed, 46 insertions, 19 deletions
diff --git a/src/plugins/hsi/hsi.c b/src/plugins/hsi/hsi.c
index 9382a94de56..0fea0a3f288 100644
--- a/src/plugins/hsi/hsi.c
+++ b/src/plugins/hsi/hsi.c
@@ -89,7 +89,7 @@ hsi_udp_lookup (vlib_buffer_t *b, void *ip_hdr, u8 is_ip4)
}
always_inline transport_connection_t *
-hsi_tcp_lookup (vlib_buffer_t *b, void *ip_hdr, u8 is_ip4)
+hsi_tcp_lookup (vlib_buffer_t *b, void *ip_hdr, tcp_header_t **rhdr, u8 is_ip4)
{
transport_connection_t *tc;
tcp_header_t *hdr;
@@ -98,7 +98,7 @@ hsi_tcp_lookup (vlib_buffer_t *b, void *ip_hdr, u8 is_ip4)
if (is_ip4)
{
ip4_header_t *ip4 = (ip4_header_t *) ip_hdr;
- hdr = ip4_next_header (ip4);
+ *rhdr = hdr = ip4_next_header (ip4);
tc = session_lookup_connection_wt4 (
vnet_buffer (b)->ip.fib_index, &ip4->dst_address, &ip4->src_address,
hdr->dst_port, hdr->src_port, TRANSPORT_PROTO_TCP,
@@ -107,7 +107,7 @@ hsi_tcp_lookup (vlib_buffer_t *b, void *ip_hdr, u8 is_ip4)
else
{
ip6_header_t *ip6 = (ip6_header_t *) ip_hdr;
- hdr = ip6_next_header (ip6);
+ *rhdr = hdr = ip6_next_header (ip6);
tc = session_lookup_connection_wt6 (
vnet_buffer (b)->ip.fib_index, &ip6->dst_address, &ip6->src_address,
hdr->dst_port, hdr->src_port, TRANSPORT_PROTO_TCP,
@@ -118,15 +118,27 @@ hsi_tcp_lookup (vlib_buffer_t *b, void *ip_hdr, u8 is_ip4)
}
always_inline void
-hsi_lookup_and_update (vlib_buffer_t *b, u32 *next, u8 is_ip4)
+hsi_lookup_and_update (vlib_buffer_t *b, u32 *next, u8 is_ip4, u8 is_input)
{
- transport_connection_t *tc;
u8 proto, state, have_udp;
+ tcp_header_t *tcp_hdr = 0;
+ tcp_connection_t *tc;
+ u32 rw_len = 0;
void *ip_hdr;
- u32 rw_len;
- rw_len = vnet_buffer (b)->ip.save_rewrite_length;
- ip_hdr = vlib_buffer_get_current (b) + rw_len;
+ if (is_input)
+ {
+ ip_hdr = vlib_buffer_get_current (b);
+ if (is_ip4)
+ ip_lookup_set_buffer_fib_index (ip4_main.fib_index_by_sw_if_index, b);
+ else
+ ip_lookup_set_buffer_fib_index (ip6_main.fib_index_by_sw_if_index, b);
+ }
+ else
+ {
+ rw_len = vnet_buffer (b)->ip.save_rewrite_length;
+ ip_hdr = vlib_buffer_get_current (b) + rw_len;
+ }
if (is_ip4)
proto = ((ip4_header_t *) ip_hdr)->protocol;
@@ -136,12 +148,18 @@ hsi_lookup_and_update (vlib_buffer_t *b, u32 *next, u8 is_ip4)
switch (proto)
{
case IP_PROTOCOL_TCP:
- tc = hsi_tcp_lookup (b, ip_hdr, is_ip4);
+ tc = (tcp_connection_t *) hsi_tcp_lookup (b, ip_hdr, &tcp_hdr, is_ip4);
if (tc)
{
- state = ((tcp_connection_t *) tc)->state;
+ state = tc->state;
if (state == TCP_STATE_LISTEN)
{
+ /* Avoid processing non syn packets that match listener */
+ if (!tcp_syn (tcp_hdr))
+ {
+ vnet_feature_next (next, b);
+ break;
+ }
*next = HSI_INPUT_NEXT_TCP_INPUT;
}
else if (state == TCP_STATE_SYN_SENT)
@@ -152,7 +170,7 @@ hsi_lookup_and_update (vlib_buffer_t *b, u32 *next, u8 is_ip4)
{
/* Lookup already done, use result */
*next = HSI_INPUT_NEXT_TCP_INPUT_NOLOOKUP;
- vnet_buffer (b)->tcp.connection_index = tc->c_index;
+ vnet_buffer (b)->tcp.connection_index = tc->c_c_index;
}
vlib_buffer_advance (b, rw_len);
}
@@ -166,6 +184,9 @@ hsi_lookup_and_update (vlib_buffer_t *b, u32 *next, u8 is_ip4)
if (have_udp)
{
*next = HSI_INPUT_NEXT_UDP_INPUT;
+ /* Emulate udp-local and consume headers up to udp payload */
+ rw_len += is_ip4 ? sizeof (ip4_header_t) : sizeof (ip6_header_t);
+ rw_len += sizeof (udp_header_t);
vlib_buffer_advance (b, rw_len);
}
else
@@ -199,7 +220,7 @@ hsi_input_trace_frame (vlib_main_t *vm, vlib_node_runtime_t *node,
always_inline uword
hsi46_input_inline (vlib_main_t *vm, vlib_node_runtime_t *node,
- vlib_frame_t *frame, int is_ip4)
+ vlib_frame_t *frame, u8 is_ip4, u8 is_input)
{
vlib_buffer_t *bufs[VLIB_FRAME_SIZE], **b;
u16 nexts[VLIB_FRAME_SIZE], *next;
@@ -222,8 +243,8 @@ hsi46_input_inline (vlib_main_t *vm, vlib_node_runtime_t *node,
vlib_prefetch_buffer_header (b[3], LOAD);
CLIB_PREFETCH (b[3]->data, 2 * CLIB_CACHE_LINE_BYTES, LOAD);
- hsi_lookup_and_update (b[0], &next0, is_ip4);
- hsi_lookup_and_update (b[1], &next1, is_ip4);
+ hsi_lookup_and_update (b[0], &next0, is_ip4, is_input);
+ hsi_lookup_and_update (b[1], &next1, is_ip4, is_input);
next[0] = next0;
next[1] = next1;
@@ -237,7 +258,7 @@ hsi46_input_inline (vlib_main_t *vm, vlib_node_runtime_t *node,
{
u32 next0;
- hsi_lookup_and_update (b[0], &next0, is_ip4);
+ hsi_lookup_and_update (b[0], &next0, is_ip4, is_input);
next[0] = next0;
@@ -257,7 +278,8 @@ hsi46_input_inline (vlib_main_t *vm, vlib_node_runtime_t *node,
VLIB_NODE_FN (hsi4_in_node)
(vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *frame)
{
- return hsi46_input_inline (vm, node, frame, 1 /* is_ip4 */);
+ return hsi46_input_inline (vm, node, frame, 1 /* is_ip4 */,
+ 1 /* is_input */);
}
VLIB_REGISTER_NODE (hsi4_in_node) = {
@@ -279,12 +301,14 @@ VNET_FEATURE_INIT (hsi4_in_feature, static) = {
.arc_name = "ip4-unicast",
.node_name = "hsi4-in",
.runs_before = VNET_FEATURES ("ip4-lookup"),
+ .runs_after = VNET_FEATURES ("ip4-full-reassembly-feature"),
};
VLIB_NODE_FN (hsi4_out_node)
(vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *frame)
{
- return hsi46_input_inline (vm, node, frame, 1 /* is_ip4 */);
+ return hsi46_input_inline (vm, node, frame, 1 /* is_ip4 */,
+ 0 /* is_input */);
}
VLIB_REGISTER_NODE (hsi4_out_node) = {
@@ -311,7 +335,8 @@ VNET_FEATURE_INIT (hsi4_out_feature, static) = {
VLIB_NODE_FN (hsi6_in_node)
(vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *frame)
{
- return hsi46_input_inline (vm, node, frame, 0 /* is_ip4 */);
+ return hsi46_input_inline (vm, node, frame, 0 /* is_ip4 */,
+ 1 /* is_input */);
}
VLIB_REGISTER_NODE (hsi6_in_node) = {
@@ -333,12 +358,14 @@ VNET_FEATURE_INIT (hsi6_in_feature, static) = {
.arc_name = "ip6-unicast",
.node_name = "hsi6-in",
.runs_before = VNET_FEATURES ("ip6-lookup"),
+ .runs_after = VNET_FEATURES ("ip6-full-reassembly-feature"),
};
VLIB_NODE_FN (hsi6_out_node)
(vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *frame)
{
- return hsi46_input_inline (vm, node, frame, 0 /* is_ip4 */);
+ return hsi46_input_inline (vm, node, frame, 0 /* is_ip4 */,
+ 0 /* is_input */);
}
VLIB_REGISTER_NODE (hsi6_out_node) = {