author | Dave Barach <dave@barachs.net> | 2019-06-03 10:23:30 -0400 |
---|---|---|
committer | Damjan Marion <dmarion@me.com> | 2019-06-04 07:47:24 +0000 |
commit | 0c6ac791dde099346af1752aa92d0eb05fc2db11 (patch) | |
tree | f6dade9bb0beae5efb79cb04feb1fc62ed894679 /src/plugins/mactime/node.c | |
parent | d5cf64f8c2a08d2f41327cc99dd2d96f77d82ca3 (diff) |
mactime: upstream new features
Add per mac address data quotas (simple version)
Add mini-ACLs to turf "call home" traffic from a certain species of
security DVR.
Add FEATURE.yaml
Update the API version number
Type: feature
Feature-name: mactime
Change-Id: Ida6945f7791ab43909afa68dcf2f652b20c53afd
Signed-off-by: Dave Barach <dave@barachs.net>
Diffstat (limited to 'src/plugins/mactime/node.c')
-rw-r--r-- | src/plugins/mactime/node.c | 68 |
1 files changed, 56 insertions, 12 deletions
diff --git a/src/plugins/mactime/node.c b/src/plugins/mactime/node.c index 4d45dd54ef3..e4d12f80db4 100644 --- a/src/plugins/mactime/node.c +++ b/src/plugins/mactime/node.c @@ -19,6 +19,7 @@ #include <vnet/pg/pg.h> #include <vppinfra/error.h> #include <mactime/mactime.h> +#include <vnet/ip/ip4.h> typedef struct { @@ -32,8 +33,11 @@ vlib_node_registration_t mactime_node; vlib_node_registration_t mactime_tx_node; #define foreach_mactime_error \ -_(DROP, "Dropped packets") \ -_(OK, "Permitted packets") +_(OK, "Permitted packets") \ +_(STATIC_DROP, "Static drop packets") \ +_(RANGE_DROP, "Range drop packets") \ +_(QUOTA_DROP, "Data quota drop packets") \ +_(DROP_10001, "Dropped UDP DST-port 10001") typedef enum { @@ -82,7 +86,7 @@ mactime_node_inline (vlib_main_t * vm, mactime_device_t *dp; clib_bihash_kv_8_8_t kv; clib_bihash_8_8_t *lut = &mm->lookup_table; - u32 packets_ok = 0, packets_dropped = 0; + u32 packets_ok = 0; f64 now; u32 thread_index = vm->thread_index; vnet_main_t *vnm = vnet_get_main (); @@ -164,6 +168,24 @@ mactime_node_inline (vlib_main_t * vm, dp = pool_elt_at_index (mm->devices, device_index0); + /* Known device, check for a traffic quota */ + if (PREDICT_FALSE (dp->data_quota)) + { + vlib_counter_t device_current_count; + vlib_get_combined_counter (&mm->allow_counters, + dp - mm->devices, + &device_current_count); + if (device_current_count.bytes >= dp->data_quota) + { + next0 = MACTIME_NEXT_DROP; + b0->error = node->errors[MACTIME_ERROR_QUOTA_DROP]; + vlib_increment_combined_counter + (&mm->drop_counters, thread_index, dp - mm->devices, 1, + len0); + goto trace0; + } + } + /* Static drop / allow? */ if (PREDICT_FALSE (dp->flags & 
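Review bot: The new counter string in the foreach_mactime_error hunk, `_(DROP_10001, "Dropped UDP DST-port 10001")`, describes only half of what the matching drop path counts: the mini-ACL added in the later @@ -173 hunk also drops UDP destination port 9603 under the same MACTIME_ERROR_DROP_10001 error, so drops of 9603 traffic will show up in the error counters as port-10001 drops. Either name both ports in the string, e.g. `_(DROP_10001, "Dropped UDP DST-port 10001/9603")`, or name the counter after the device behaviour it targets rather than one port. The @@ -164 quota hunk on this line is cut off at the end of the visible text, so its tail is not reviewed here.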
@@ -173,17 +195,41 @@ mactime_node_inline (vlib_main_t * vm, if (dp->flags & MACTIME_DEVICE_FLAG_STATIC_DROP) { next0 = MACTIME_NEXT_DROP; + b0->error = node->errors[MACTIME_ERROR_STATIC_DROP]; vlib_increment_combined_counter (&mm->drop_counters, thread_index, dp - mm->devices, 1, len0); - packets_dropped++; } else /* note next0 set to allow */ { - vlib_increment_combined_counter - (&mm->allow_counters, thread_index, dp - mm->devices, 1, - len0); - packets_ok++; + /* + * Special-case mini-ACL for a certain species of + * home security DVR which likes to "call home." + */ + if (PREDICT_FALSE + (dp->flags & MACTIME_DEVICE_FLAG_DROP_UDP_10001)) + { + ip4_header_t *ip = (void *) (((u8 *) en0) + 14); + udp_header_t *udp = (udp_header_t *) (ip + 1); + if (ip->protocol != IP_PROTOCOL_UDP) + goto pass; + if (clib_net_to_host_u16 (udp->dst_port) == 10001 || + clib_net_to_host_u16 (udp->dst_port) == 9603) + { + next0 = MACTIME_NEXT_DROP; + b0->error = node->errors[MACTIME_ERROR_DROP_10001]; + } + else + goto pass; + } + else + { + pass: + vlib_increment_combined_counter + (&mm->allow_counters, thread_index, dp - mm->devices, + 1, len0); + packets_ok++; + } } goto trace0; } @@ -205,8 +251,8 @@ mactime_node_inline (vlib_main_t * vm, vlib_increment_combined_counter (&mm->drop_counters, thread_index, dp - mm->devices, 1, len0); - packets_dropped++; next0 = MACTIME_NEXT_DROP; + b0->error = node->errors[MACTIME_ERROR_RANGE_DROP]; } else /* it's an allow range, allow it */ { @@ -225,9 +271,9 @@ mactime_node_inline (vlib_main_t * vm, if (dp->flags & MACTIME_DEVICE_FLAG_DYNAMIC_ALLOW) { next0 = MACTIME_NEXT_DROP; + b0->error = node->errors[MACTIME_ERROR_STATIC_DROP]; vlib_increment_combined_counter (&mm->drop_counters, thread_index, dp - mm->devices, 1, len0); - packets_dropped++; } else { 
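Review bot: The mini-ACL in the MACTIME_DEVICE_FLAG_DROP_UDP_10001 branch casts the frame to Ethernet+IPv4+UDP at fixed offsets without checking the ethertype, so for ARP, IPv6 or VLAN-tagged frames `ip->protocol` and `udp->dst_port` are read from whatever bytes sit at offsets 23 and 36, and `udp = (udp_header_t *) (ip + 1)` assumes a 20-byte IPv4 header, so a packet carrying IP options has its port compared against the wrong bytes. As far as the hunk shows this stays inside the buffer's data area, so the effect is misclassification (a short or non-IPv4 frame dropped or passed by accident) rather than a memory-safety issue, but the intent is clearly "IPv4/UDP to these ports only". If en0 is the ethernet_header_t pointer used for the MAC lookup (its declaration is outside the hunk), gating on `en0->type` and deriving the UDP offset with `ip4_header_bytes ()` makes the check match that intent and removes the magic `14`; the `pass:` label sitting inside the else block and reached by goto from the sibling branch would also read better as a small static predicate. mactime_node_inline begins and ends outside this hunk.
```c
              if (PREDICT_FALSE
                  (dp->flags & MACTIME_DEVICE_FLAG_DROP_UDP_10001))
                {
                  ip4_header_t *ip =
                    (void *) (((u8 *) en0) + sizeof (ethernet_header_t));
                  /* Only IPv4/UDP can match; anything else takes the allow path */
                  if (en0->type != clib_host_to_net_u16 (ETHERNET_TYPE_IP4)
                      || ip->protocol != IP_PROTOCOL_UDP)
                    goto pass;
                  /* Honour the IHL field instead of assuming a 20-byte header */
                  udp_header_t *udp =
                    (udp_header_t *) (((u8 *) ip) + ip4_header_bytes (ip));
                  /* … unchanged: dst_port comparison, drop / pass selection … */
```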
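Review bot: In the @@ -225 hunk the drop taken under `MACTIME_DEVICE_FLAG_DYNAMIC_ALLOW` is tagged `b0->error = node->errors[MACTIME_ERROR_STATIC_DROP];`, yet the context (the `else /* it's an allow range, allow it */` path just above it in the @@ -205 hunk) suggests this branch is reached when no allow range matched, which is a time-range miss rather than a static-drop device. Counting it as STATIC_DROP makes the new per-cause error counters misleading, since RANGE_DROP will under-report and STATIC_DROP will include devices that have no static-drop flag at all. If that reading is right, `b0->error = node->errors[MACTIME_ERROR_RANGE_DROP];` matches the classification used for the range-based drop in the preceding hunk; the range loop that leads here starts outside the hunk, so please confirm against the full function.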
@@ -266,8 +312,6 @@ mactime_node_inline (vlib_main_t * vm, } vlib_node_increment_counter (vm, node->node_index, - MACTIME_ERROR_DROP, packets_dropped); - vlib_node_increment_counter (vm, node->node_index, MACTIME_ERROR_OK, packets_ok); return frame->n_vectors; } |