summaryrefslogtreecommitdiffstats
path: root/src/plugins
diff options
context:
space:
mode:
authorDave Barach <dave@barachs.net>2019-03-06 11:14:03 -0500
committerFlorin Coras <florin.coras@gmail.com>2019-03-06 17:19:22 +0000
commita55df1081762b4e40698ef7d9196551851be646a (patch)
treeeb1867e1de1fc78d18da9067d04423dfdb199cd1 /src/plugins
parente275bed64d12009726fcf43943f1684195cd1e5d (diff)
ipv6 connection tracking plugin
A security feature: drop unsolicited global unicast traffic. Change-Id: I421da7d52e08b7acf40c62a1f6e2a6caac349e7e Signed-off-by: Dave Barach <dave@barachs.net>
Diffstat (limited to 'src/plugins')
-rw-r--r--src/plugins/ct6/CMakeLists.txt35
-rw-r--r--src/plugins/ct6/ct6.api27
-rw-r--r--src/plugins/ct6/ct6.c573
-rw-r--r--src/plugins/ct6/ct6.h179
-rw-r--r--src/plugins/ct6/ct6_all_api_h.h19
-rw-r--r--src/plugins/ct6/ct6_in2out.c362
-rw-r--r--src/plugins/ct6/ct6_msg_enum.h31
-rw-r--r--src/plugins/ct6/ct6_out2in.c278
-rw-r--r--src/plugins/ct6/ct6_test.c202
9 files changed, 1706 insertions, 0 deletions
diff --git a/src/plugins/ct6/CMakeLists.txt b/src/plugins/ct6/CMakeLists.txt
new file mode 100644
index 00000000000..069b33ad2d0
--- /dev/null
+++ b/src/plugins/ct6/CMakeLists.txt
@@ -0,0 +1,35 @@
+
+# Copyright (c) <current-year> <your-organization>
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+add_vpp_plugin(ct6
+ SOURCES
+ ct6.c
+ ct6_in2out.c
+ ct6_out2in.c
+ ct6.h
+
+ MULTIARCH_SOURCES
+ ct6_in2out.c
+ ct6_out2in.c
+
+ API_FILES
+ ct6.api
+
+ INSTALL_HEADERS
+ ct6_all_api_h.h
+ ct6_msg_enum.h
+
+ API_TEST_SOURCES
+ ct6_test.c
+)
diff --git a/src/plugins/ct6/ct6.api b/src/plugins/ct6/ct6.api
new file mode 100644
index 00000000000..67af42fd9fe
--- /dev/null
+++ b/src/plugins/ct6/ct6.api
@@ -0,0 +1,27 @@
+
+/* Define a simple enable-disable binary API to control the feature */
+
+define ct6_enable_disable {
+ /* Client identifier, set from api_main.my_client_index */
+ u32 client_index;
+
+ /* Arbitrary context, so client can match reply to request */
+ u32 context;
+
+ /* Enable / disable the feature */
+ u8 enable_disable;
+
+ /* Inside or outside interface */
+ u8 is_inside;
+
+ /* Interface handle */
+ u32 sw_if_index;
+};
+
+define ct6_enable_disable_reply {
+ /* From the request */
+ u32 context;
+
+ /* Return value, zero means all OK */
+ i32 retval;
+};
diff --git a/src/plugins/ct6/ct6.c b/src/plugins/ct6/ct6.c
new file mode 100644
index 00000000000..f0ad67a80c9
--- /dev/null
+++ b/src/plugins/ct6/ct6.c
@@ -0,0 +1,573 @@
+/*
+ * ct6.c - skeleton vpp engine plug-in
+ *
+ * Copyright (c) <current-year> <your-organization>
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <vnet/vnet.h>
+#include <vnet/plugin/plugin.h>
+#include <ct6/ct6.h>
+
+#include <vlibapi/api.h>
+#include <vlibmemory/api.h>
+#include <vpp/app/version.h>
+
+/* define message IDs */
+#include <ct6/ct6_msg_enum.h>
+
+/* define message structures */
+#define vl_typedefs
+#include <ct6/ct6_all_api_h.h>
+#undef vl_typedefs
+
+/* define generated endian-swappers */
+#define vl_endianfun
+#include <ct6/ct6_all_api_h.h>
+#undef vl_endianfun
+
+/* instantiate all the print functions we know about */
+#define vl_print(handle, ...) vlib_cli_output (handle, __VA_ARGS__)
+#define vl_printfun
+#include <ct6/ct6_all_api_h.h>
+#undef vl_printfun
+
+/* Get the API version number */
+#define vl_api_version(n,v) static u32 api_version=(v);
+#include <ct6/ct6_all_api_h.h>
+#undef vl_api_version
+
+#define REPLY_MSG_ID_BASE cmp->msg_id_base
+#include <vlibapi/api_helper_macros.h>
+
+ct6_main_t ct6_main;
+
+/* List of message types that this plugin understands */
+
+#define foreach_ct6_plugin_api_msg \
+_(CT6_ENABLE_DISABLE, ct6_enable_disable)
+
+/* Action function shared between message handler and debug CLI */
+
+static void
+ct6_feature_init (ct6_main_t * cmp)
+{
+ u32 nworkers = vlib_num_workers ();
+
+ if (cmp->feature_initialized)
+ return;
+
+ clib_bihash_init_48_8 (&cmp->session_hash, "ct6 session table",
+ cmp->session_hash_buckets, cmp->session_hash_memory);
+ cmp->feature_initialized = 1;
+ vec_validate (cmp->sessions, nworkers);
+ vec_validate_init_empty (cmp->first_index, nworkers, ~0);
+ vec_validate_init_empty (cmp->last_index, nworkers, ~0);
+}
+
+int
+ct6_in2out_enable_disable (ct6_main_t * cmp, u32 sw_if_index,
+ int enable_disable)
+{
+ vnet_sw_interface_t *sw;
+ int rv = 0;
+
+ ct6_feature_init (cmp);
+
+ /* Utterly wrong? */
+ if (pool_is_free_index (cmp->vnet_main->interface_main.sw_interfaces,
+ sw_if_index))
+ return VNET_API_ERROR_INVALID_SW_IF_INDEX;
+
+ /* Not a physical port? */
+ sw = vnet_get_sw_interface (cmp->vnet_main, sw_if_index);
+ if (sw->type != VNET_SW_INTERFACE_TYPE_HARDWARE)
+ return VNET_API_ERROR_INVALID_SW_IF_INDEX;
+
+ vnet_feature_enable_disable ("interface-output", "ct6-in2out",
+ sw_if_index, enable_disable, 0, 0);
+
+ return rv;
+}
+
+int
+ct6_out2in_enable_disable (ct6_main_t * cmp, u32 sw_if_index,
+ int enable_disable)
+{
+ vnet_sw_interface_t *sw;
+ int rv = 0;
+
+ ct6_feature_init (cmp);
+
+ /* Utterly wrong? */
+ if (pool_is_free_index (cmp->vnet_main->interface_main.sw_interfaces,
+ sw_if_index))
+ return VNET_API_ERROR_INVALID_SW_IF_INDEX;
+
+ /* Not a physical port? */
+ sw = vnet_get_sw_interface (cmp->vnet_main, sw_if_index);
+ if (sw->type != VNET_SW_INTERFACE_TYPE_HARDWARE)
+ return VNET_API_ERROR_INVALID_SW_IF_INDEX;
+
+ vnet_feature_enable_disable ("ip6-unicast", "ct6-out2in",
+ sw_if_index, enable_disable, 0, 0);
+
+ return rv;
+}
+
+static clib_error_t *
+set_ct6_enable_disable_command_fn (vlib_main_t * vm,
+ unformat_input_t * input,
+ vlib_cli_command_t * cmd)
+{
+ ct6_main_t *cmp = &ct6_main;
+ u32 sw_if_index = ~0;
+ int enable_disable = 1;
+ u32 inside = ~0;
+ int rv;
+
+ while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
+ {
+ if (unformat (input, "disable"))
+ enable_disable = 0;
+ else if (unformat (input, "%U", unformat_vnet_sw_interface,
+ cmp->vnet_main, &sw_if_index))
+ ;
+ else if (unformat (input, "inside") || unformat (input, "in"))
+ inside = 1;
+ else if (unformat (input, "outside") || unformat (input, "out"))
+ inside = 0;
+ else
+ break;
+ }
+
+ if (inside == ~0)
+ return clib_error_return (0, "Please specify inside or outside");
+
+ if (sw_if_index == ~0)
+ return clib_error_return (0, "Please specify an interface...");
+
+ if (inside == 1)
+ rv = ct6_in2out_enable_disable (cmp, sw_if_index, enable_disable);
+ else
+ rv = ct6_out2in_enable_disable (cmp, sw_if_index, enable_disable);
+
+ switch (rv)
+ {
+ case 0:
+ break;
+
+ case VNET_API_ERROR_INVALID_SW_IF_INDEX:
+ return clib_error_return
+ (0, "Invalid interface, only works on physical ports");
+ break;
+
+ default:
+ return clib_error_return (0, "ct6_enable_disable returned %d", rv);
+ }
+ return 0;
+}
+
+/* *INDENT-OFF* */
+VLIB_CLI_COMMAND (set_ct6_command, static) =
+{
+ .path = "set ct6",
+ .short_help =
+ "set ct6 [inside|outside] <interface-name> [disable]",
+ .function = set_ct6_enable_disable_command_fn,
+};
+/* *INDENT-ON* */
+
+/* API message handler */
+static void vl_api_ct6_enable_disable_t_handler
+ (vl_api_ct6_enable_disable_t * mp)
+{
+ vl_api_ct6_enable_disable_reply_t *rmp;
+ ct6_main_t *cmp = &ct6_main;
+ int rv;
+
+ if (mp->is_inside)
+ rv = ct6_in2out_enable_disable (cmp, ntohl (mp->sw_if_index),
+ (int) (mp->enable_disable));
+ else
+ rv = ct6_out2in_enable_disable (cmp, ntohl (mp->sw_if_index),
+ (int) (mp->enable_disable));
+
+ REPLY_MACRO (VL_API_CT6_ENABLE_DISABLE_REPLY);
+}
+
+/* Set up the API message handling tables */
+static clib_error_t *
+ct6_plugin_api_hookup (vlib_main_t * vm)
+{
+ ct6_main_t *cmp = &ct6_main;
+#define _(N,n) \
+ vl_msg_api_set_handlers((VL_API_##N + cmp->msg_id_base), \
+ #n, \
+ vl_api_##n##_t_handler, \
+ vl_noop_handler, \
+ vl_api_##n##_t_endian, \
+ vl_api_##n##_t_print, \
+ sizeof(vl_api_##n##_t), 1);
+ foreach_ct6_plugin_api_msg;
+#undef _
+
+ return 0;
+}
+
+#define vl_msg_name_crc_list
+#include <ct6/ct6_all_api_h.h>
+#undef vl_msg_name_crc_list
+
+static void
+setup_message_id_table (ct6_main_t * cmp, api_main_t * am)
+{
+#define _(id,n,crc) vl_msg_api_add_msg_name_crc (am, #n #crc, id + cmp->msg_id_base);
+ foreach_vl_msg_name_crc_ct6;
+#undef _
+}
+
+static clib_error_t *
+ct6_init (vlib_main_t * vm)
+{
+ ct6_main_t *cmp = &ct6_main;
+ clib_error_t *error = 0;
+ u8 *name;
+
+ cmp->vlib_main = vm;
+ cmp->vnet_main = vnet_get_main ();
+
+ name = format (0, "ct6_%08x%c", api_version, 0);
+
+ /* Ask for a correctly-sized block of API message decode slots */
+ cmp->msg_id_base = vl_msg_api_get_msg_ids
+ ((char *) name, VL_MSG_FIRST_AVAILABLE);
+
+ error = ct6_plugin_api_hookup (vm);
+
+ /* Add our API messages to the global name_crc hash table */
+ setup_message_id_table (cmp, &api_main);
+
+ vec_free (name);
+
+ /*
+ * Set default parameters...
+ * 256K sessions
+ * 64K buckets
+ * 2 minute inactivity timer
+ * 10000 concurrent sessions
+ */
+ cmp->session_hash_memory = 16ULL << 20;
+ cmp->session_hash_buckets = 64 << 10;
+ cmp->session_timeout_interval = 120.0;
+ cmp->max_sessions_per_worker = 10000;
+
+ /* ... so the packet generator can feed the in2out node ... */
+ ethernet_setup_node (vm, ct6_in2out_node.index);
+ return error;
+}
+
+VLIB_INIT_FUNCTION (ct6_init);
+
+/* *INDENT-OFF* */
+VNET_FEATURE_INIT (ct6out2in, static) =
+{
+ .arc_name = "ip6-unicast",
+ .node_name = "ct6-out2in",
+ .runs_before = VNET_FEATURES ("ip6-lookup"),
+};
+/* *INDENT-ON */
+
+/* *INDENT-OFF* */
+VNET_FEATURE_INIT (ct6in2out, static) =
+{
+ .arc_name = "interface-output",
+ .node_name = "ct6-in2out",
+ .runs_before = VNET_FEATURES ("interface-output"),
+};
+/* *INDENT-ON */
+
+/* *INDENT-OFF* */
+VLIB_PLUGIN_REGISTER () =
+{
+ .version = VPP_BUILD_VER,
+ .description = "ipv6 connection tracker",
+};
+/* *INDENT-ON* */
+
+u8 *
+format_ct6_session (u8 * s, va_list * args)
+{
+ ct6_main_t *cmp = va_arg (*args, ct6_main_t *);
+ int i = va_arg (*args, int);
+ ct6_session_t *s0 = va_arg (*args, ct6_session_t *);
+ int verbose = va_arg (*args, int);
+ clib_bihash_kv_48_8_t kvp0;
+
+ if (s0 == 0)
+ {
+ s = format (s, "\n%6s%6s%20s%6s%20s%6s",
+ "Sess", "Prot", "Src", "Sport", "Dst", "Dport");
+ return s;
+ }
+
+ s = format (s, "\n%6d%6d%20U%6u%20U%6u",
+ s0 - cmp->sessions[i], s0->key.proto,
+ format_ip6_address, &s0->key.src,
+ clib_net_to_host_u16 (s0->key.sport),
+ format_ip6_address, &s0->key.dst,
+ clib_net_to_host_u16 (s0->key.dport));
+
+ clib_memcpy_fast (&kvp0, s0, sizeof (ct6_session_key_t));
+
+ if (clib_bihash_search_48_8 (&cmp->session_hash, &kvp0, &kvp0) < 0)
+ {
+ s = format (s, " LOOKUP FAIL!");
+ }
+ else
+ {
+ if (kvp0.value == s0 - cmp->sessions[s0->thread_index])
+ {
+ s = format (s, " OK");
+ if (verbose > 1)
+ {
+ s = format (s, " next %d prev %d", s0->next_index,
+ s0->prev_index);
+ s = format (s, " hits %d expires %.2f", s0->hits, s0->expires);
+ }
+ }
+ else
+ s = format (s, " BOGUS LOOKUP RESULT!");
+ }
+
+ return s;
+}
+
+static clib_error_t *
+show_ct6_command_fn_command_fn (vlib_main_t * vm,
+ unformat_input_t * input,
+ vlib_cli_command_t * cmd)
+{
+ ct6_main_t *cmp = &ct6_main;
+ ct6_session_t *s0;
+ int verbose = 0;
+ u8 *s = 0;
+ int i;
+
+ if (!cmp->feature_initialized)
+ return clib_error_return (0, "ip6 connection tracking not enabled...");
+
+ if (unformat (input, "verbose %d", &verbose))
+ ;
+ else if (unformat (input, "verbose"))
+ verbose = 1;
+
+ for (i = 0; i < vec_len (cmp->sessions); i++)
+ {
+ s = format (s, "Thread %d: %d sessions\n", i,
+ pool_elts (cmp->sessions[i]));
+
+ if (verbose == 0)
+ continue;
+
+ s =
+ format (s, "%U", format_ct6_session, cmp,
+ 0 /* pool */ , 0 /* header */ , verbose);
+
+ /* *INDENT-OFF* */
+ pool_foreach (s0, cmp->sessions[i],
+ ({
+ s = format (s, "%U", format_ct6_session, cmp, i, s0, verbose);
+ }));
+ /* *INDENT-ON* */
+ }
+ vlib_cli_output (cmp->vlib_main, "%v", s);
+ vec_free (s);
+ return 0;
+}
+
+/* *INDENT-OFF* */
+VLIB_CLI_COMMAND (show_ct6_command_fn_command, static) =
+{
+ .path = "show ip6 connection-tracker",
+ .short_help = "show ip6 connection-tracker",
+ .function = show_ct6_command_fn_command_fn,
+};
+/* *INDENT-ON* */
+
+static void
+increment_v6_address (ip6_address_t * a)
+{
+ u64 v0, v1;
+
+ v0 = clib_net_to_host_u64 (a->as_u64[0]);
+ v1 = clib_net_to_host_u64 (a->as_u64[1]);
+
+ v1 += 1;
+ if (v1 == 0)
+ v0 += 1;
+ a->as_u64[0] = clib_net_to_host_u64 (v0);
+ a->as_u64[1] = clib_net_to_host_u64 (v1);
+}
+
+
+static clib_error_t *
+test_ct6_command_fn_command_fn (vlib_main_t * vm,
+ unformat_input_t * input,
+ vlib_cli_command_t * cmd)
+{
+ ct6_main_t *cmp = &ct6_main;
+ clib_bihash_kv_48_8_t kvp0;
+ ct6_session_key_t *key0;
+ ct6_session_t *s0;
+ u8 src[16], dst[16];
+ u32 recycled = 0, created = 0;
+ int i, num_sessions = 5;
+ u32 midpt_index;
+ u8 *s = 0;
+
+ cmp->max_sessions_per_worker = 4;
+
+ while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
+ {
+ if (unformat (input, "num-sessions %d", &num_sessions))
+ ;
+ else
+ if (unformat
+ (input, "max-sessions %d", &cmp->max_sessions_per_worker))
+ ;
+ else
+ break;
+ }
+
+ ct6_feature_init (cmp);
+
+ /* Set up starting src/dst addresses */
+ memset (src, 0, sizeof (src));
+ memset (dst, 0, sizeof (dst));
+
+ src[0] = 0xdb;
+ dst[0] = 0xbe;
+
+ src[15] = 1;
+ dst[15] = 1;
+
+ /*
+ * See if we know about this flow.
+ * Key set up for the out2in path, the performant case
+ */
+ key0 = (ct6_session_key_t *) & kvp0;
+ memset (&kvp0, 0, sizeof (kvp0));
+
+ for (i = 0; i < num_sessions; i++)
+ {
+ clib_memcpy_fast (&key0->src, src, sizeof (src));
+ clib_memcpy_fast (&key0->dst, dst, sizeof (dst));
+ key0->as_u64[4] = 0;
+ key0->as_u64[5] = 0;
+ key0->sport = clib_host_to_net_u16 (1234);
+ key0->dport = clib_host_to_net_u16 (4321);
+ key0->proto = 17; /* udp, fwiw */
+
+ s0 = ct6_create_or_recycle_session
+ (cmp, &kvp0, 3.0 /* now */ , 0 /* thread index */ ,
+ &recycled, &created);
+
+ s = format (s, "%U (%d, %d)", format_ct6_session, cmp,
+ 0 /* thread index */ , s0, 1 /* verbose */ ,
+ recycled, created);
+ vlib_cli_output (vm, "%v", s);
+ vec_free (s);
+ increment_v6_address ((ip6_address_t *) src);
+ recycled = 0;
+ created = 0;
+ }
+
+ /* *INDENT-OFF* */
+ pool_foreach (s0, cmp->sessions[0],
+ ({
+ s = format (s, "%U", format_ct6_session, cmp, 0, s0, 1 /* verbose */);
+ }));
+ /* *INDENT-ON* */
+
+ vlib_cli_output (vm, "\nEnd state: first index %d last index %d\n%v",
+ cmp->first_index[0], cmp->last_index[0], s);
+
+ vec_free (s);
+
+ midpt_index = cmp->max_sessions_per_worker / 3;
+
+ s0 = pool_elt_at_index (cmp->sessions[0], midpt_index);
+ vlib_cli_output (vm, "\nSimulate LRU hit on session %d",
+ s0 - cmp->sessions[0]);
+
+ ct6_update_session_hit (cmp, s0, 234.0);
+
+ /* *INDENT-OFF* */
+ pool_foreach (s0, cmp->sessions[0],
+ ({
+ s = format (s, "%U", format_ct6_session, cmp, 0, s0, 1 /* verbose */);
+ }));
+ /* *INDENT-ON* */
+
+ vlib_cli_output (vm, "\nEnd state: first index %d last index %d\n%v",
+ cmp->first_index[0], cmp->last_index[0], s);
+
+ vec_free (s);
+
+ return 0;
+}
+
+/* *INDENT-OFF* */
+VLIB_CLI_COMMAND (test_ct6_command_fn_command, static) =
+{
+ .path = "test ip6 connection-tracker",
+ .short_help = "test ip6 connection-tracker",
+ .function = test_ct6_command_fn_command_fn,
+};
+/* *INDENT-ON* */
+
+static clib_error_t *
+ct6_config (vlib_main_t * vm, unformat_input_t * input)
+{
+ ct6_main_t *cmp = &ct6_main;
+
+ while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
+ {
+ if (unformat (input, "session-hash-buckets %u",
+ &cmp->session_hash_buckets))
+ ;
+ else if (unformat (input, "session-hash-memory %U",
+ unformat_memory_size, &cmp->session_hash_memory))
+ ;
+ else if (unformat (input, "session-timeout %f",
+ &cmp->session_timeout_interval))
+ ;
+ else
+ {
+ return clib_error_return (0, "unknown input '%U'",
+ format_unformat_error, input);
+ }
+ }
+ return 0;
+}
+
+VLIB_CONFIG_FUNCTION (ct6_config, "ct6");
+
+/*
+ * fd.io coding-style-patch-verification: ON
+ *
+ * Local Variables:
+ * eval: (c-set-style "gnu")
+ * End:
+ */
diff --git a/src/plugins/ct6/ct6.h b/src/plugins/ct6/ct6.h
new file mode 100644
index 00000000000..534534f5c99
--- /dev/null
+++ b/src/plugins/ct6/ct6.h
@@ -0,0 +1,179 @@
+
+/*
+ * ct6.h - skeleton vpp engine plug-in header file
+ *
+ * Copyright (c) <current-year> <your-organization>
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef __included_ct6_h__
+#define __included_ct6_h__
+
+#include <vnet/vnet.h>
+#include <vnet/ip/ip.h>
+#include <vnet/ethernet/ethernet.h>
+#include <vppinfra/bihash_48_8.h>
+
+#include <vppinfra/hash.h>
+#include <vppinfra/error.h>
+
+/* *INDENT-OFF* */
+typedef CLIB_PACKED (struct
+{
+ union
+ {
+ struct
+ {
+ /* out2in */
+ ip6_address_t src;
+ ip6_address_t dst;
+ u16 sport;
+ u16 dport;
+ u8 proto; /* byte 37 */
+ };
+ u64 as_u64[6];
+ };
+}) ct6_session_key_t;
+/* *INDENT-ON* */
+
+typedef struct
+{
+ ct6_session_key_t key;
+ u32 thread_index;
+ u32 next_index;
+ u32 prev_index;
+ u32 hits;
+ f64 expires;
+} ct6_session_t;
+
+typedef struct
+{
+ /* API message ID base */
+ u16 msg_id_base;
+
+ /* session lookup table */
+ clib_bihash_48_8_t session_hash;
+ u8 feature_initialized;
+
+ /* per_thread session pools */
+ ct6_session_t **sessions;
+ u32 *first_index;
+ u32 *last_index;
+
+ /* Config parameters */
+ f64 session_timeout_interval;
+ uword session_hash_memory;
+ u32 session_hash_buckets;
+ u32 max_sessions_per_worker;
+
+ /* convenience */
+ vlib_main_t *vlib_main;
+ vnet_main_t *vnet_main;
+ ethernet_main_t *ethernet_main;
+} ct6_main_t;
+
+extern ct6_main_t ct6_main;
+
+extern vlib_node_registration_t ct6_out2in_node;
+extern vlib_node_registration_t ct6_in2out_node;
+
+format_function_t format_ct6_session;
+
+ct6_session_t *ct6_create_or_recycle_session (ct6_main_t * cmp,
+ clib_bihash_kv_48_8_t * kvpp,
+ f64 now, u32 my_thread_index,
+ u32 * recyclep, u32 * createp);
+
+static inline void
+ct6_lru_remove (ct6_main_t * cmp, ct6_session_t * s0)
+{
+ ct6_session_t *next_sess, *prev_sess;
+ u32 thread_index;
+ u32 s0_index;
+
+ thread_index = s0->thread_index;
+
+ s0_index = s0 - cmp->sessions[thread_index];
+
+ /* Deal with list heads */
+ if (s0_index == cmp->first_index[thread_index])
+ cmp->first_index[thread_index] = s0->next_index;
+ if (s0_index == cmp->last_index[thread_index])
+ cmp->last_index[thread_index] = s0->prev_index;
+
+ /* Fix next->prev */
+ if (s0->next_index != ~0)
+ {
+ next_sess = pool_elt_at_index (cmp->sessions[thread_index],
+ s0->next_index);
+ next_sess->prev_index = s0->prev_index;
+ }
+ /* Fix prev->next */
+ if (s0->prev_index != ~0)
+ {
+ prev_sess = pool_elt_at_index (cmp->sessions[thread_index],
+ s0->prev_index);
+ prev_sess->next_index = s0->next_index;
+ }
+}
+
+static inline void
+ct6_lru_add (ct6_main_t * cmp, ct6_session_t * s0, f64 now)
+{
+ ct6_session_t *next_sess;
+ u32 thread_index;
+ u32 s0_index;
+
+ s0->hits++;
+ s0->expires = now + cmp->session_timeout_interval;
+ thread_index = s0->thread_index;
+
+ s0_index = s0 - cmp->sessions[thread_index];
+
+ /*
+ * Re-add at the head of the forward LRU list,
+ * tail of the reverse LRU list
+ */
+ if (cmp->first_index[thread_index] != ~0)
+ {
+ next_sess = pool_elt_at_index (cmp->sessions[thread_index],
+ cmp->first_index[thread_index]);
+ next_sess->prev_index = s0_index;
+ }
+
+ s0->prev_index = ~0;
+
+ /* s0 now the new head of the LRU forward list */
+ s0->next_index = cmp->first_index[thread_index];
+ cmp->first_index[thread_index] = s0_index;
+
+ /* single session case: also the tail of the reverse LRU list */
+ if (cmp->last_index[thread_index] == ~0)
+ cmp->last_index[thread_index] = s0_index;
+}
+
+static inline void
+ct6_update_session_hit (ct6_main_t * cmp, ct6_session_t * s0, f64 now)
+{
+ ct6_lru_remove (cmp, s0);
+ ct6_lru_add (cmp, s0, now);
+}
+
+#endif /* __included_ct6_h__ */
+
+/*
+ * fd.io coding-style-patch-verification: ON
+ *
+ * Local Variables:
+ * eval: (c-set-style "gnu")
+ * End:
+ */
diff --git a/src/plugins/ct6/ct6_all_api_h.h b/src/plugins/ct6/ct6_all_api_h.h
new file mode 100644
index 00000000000..3642216cefa
--- /dev/null
+++ b/src/plugins/ct6/ct6_all_api_h.h
@@ -0,0 +1,19 @@
+
+/*
+ * ct6_all_api_h.h - skeleton vpp engine plug-in api #include file
+ *
+ * Copyright (c) <current-year> <your-organization>
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+/* Include the generated file, see BUILT_SOURCES in Makefile.am */
+#include <ct6/ct6.api.h>
diff --git a/src/plugins/ct6/ct6_in2out.c b/src/plugins/ct6/ct6_in2out.c
new file mode 100644
index 00000000000..b28d349dd29
--- /dev/null
+++ b/src/plugins/ct6/ct6_in2out.c
@@ -0,0 +1,362 @@
+/*
+ * ct6_in2out.c - ip6 connection tracker, inside-to-outside path
+ *
+ * Copyright (c) 2019 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <vlib/vlib.h>
+#include <vnet/vnet.h>
+#include <vnet/pg/pg.h>
+#include <vppinfra/error.h>
+#include <ct6/ct6.h>
+
+typedef struct
+{
+ u32 sw_if_index;
+ u32 next_index;
+ u32 session_index;
+} ct6_in2out_trace_t;
+
+#ifndef CLIB_MARCH_VARIANT
+
+/* packet trace format function */
+static u8 *
+format_ct6_in2out_trace (u8 * s, va_list * args)
+{
+ CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
+ CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
+ ct6_in2out_trace_t *t = va_arg (*args, ct6_in2out_trace_t *);
+
+ s = format (s, "CT6_IN2OUT: sw_if_index %d, next index %d session %d\n",
+ t->sw_if_index, t->next_index, t->session_index);
+ return s;
+}
+
+vlib_node_registration_t ct6_in2out_node;
+
+#endif /* CLIB_MARCH_VARIANT */
+
+#define foreach_ct6_in2out_error \
+_(PROCESSED, "ct6 packets processed") \
+_(CREATED, "ct6 sessions created") \
+_(RECYCLED, "ct6 sessions recycled")
+
+typedef enum
+{
+#define _(sym,str) CT6_IN2OUT_ERROR_##sym,
+ foreach_ct6_in2out_error
+#undef _
+ CT6_IN2OUT_N_ERROR,
+} ct6_in2out_error_t;
+
+#ifndef CLIB_MARCH_VARIANT
+static char *ct6_in2out_error_strings[] = {
+#define _(sym,string) string,
+ foreach_ct6_in2out_error
+#undef _
+};
+#endif /* CLIB_MARCH_VARIANT */
+
+typedef enum
+{
+ CT6_IN2OUT_NEXT_DROP,
+ CT6_IN2OUT_N_NEXT,
+} ct6_next_t;
+
+#ifndef CLIB_MARCH_VARIANT
+ct6_session_t *
+ct6_create_or_recycle_session (ct6_main_t * cmp,
+ clib_bihash_kv_48_8_t * kvpp, f64 now,
+ u32 my_thread_index, u32 * recyclep,
+ u32 * createp)
+{
+ ct6_session_t *s0;
+
+ /* Empty arena? */
+ if (PREDICT_FALSE (cmp->last_index[my_thread_index] == ~0))
+ goto alloc0;
+
+ /* Look at the least-recently-used session */
+ s0 = pool_elt_at_index (cmp->sessions[my_thread_index],
+ cmp->last_index[my_thread_index]);
+
+ if (s0->expires < now)
+ clib_warning ("session %d expired %.2f time now %.2f",
+ s0 - cmp->sessions[my_thread_index], s0->expires, now);
+
+ if (pool_elts (cmp->sessions[my_thread_index]) >=
+ cmp->max_sessions_per_worker)
+ clib_warning ("recycle session %d have %d max %d",
+ s0 - cmp->sessions[my_thread_index],
+ pool_elts (cmp->sessions[my_thread_index]),
+ cmp->max_sessions_per_worker);
+
+ /* Session expired, or we have as many sessions as is allowed by law? */
+ if ((s0->expires < now) || (pool_elts (cmp->sessions[my_thread_index])
+ >= cmp->max_sessions_per_worker))
+ {
+ /* recycle the session */
+ if (clib_bihash_add_del_48_8 (&cmp->session_hash,
+ (clib_bihash_kv_48_8_t *) s0,
+ 0 /* is_add */ ) < 0)
+ clib_warning ("session %d not found in hash?",
+ s0 - cmp->sessions[my_thread_index]);
+
+ ct6_lru_remove (cmp, s0);
+ *recyclep += 1;
+ }
+ else
+ {
+ alloc0:
+ /* Allocate a fresh session */
+ pool_get (cmp->sessions[my_thread_index], s0);
+ *createp += 1;
+ }
+
+ /* Sesison setup */
+ memset (s0, 0, sizeof (*s0));
+ clib_memcpy_fast (s0, kvpp, sizeof (ct6_session_key_t));
+ s0->thread_index = my_thread_index;
+ s0->expires = now + cmp->session_timeout_interval;
+ kvpp->value = s0 - cmp->sessions[my_thread_index];
+ clib_bihash_add_del_48_8 (&cmp->session_hash, kvpp, 1 /* is_add */ );
+ ct6_lru_add (cmp, s0, now);
+ return s0;
+}
+#endif /* CLIB_MARCH_VARIANT */
+
+always_inline uword
+ct6_in2out_inline (vlib_main_t * vm,
+ vlib_node_runtime_t * node, vlib_frame_t * frame,
+ int is_trace)
+{
+ u32 n_left_from, *from;
+ vlib_buffer_t *bufs[VLIB_FRAME_SIZE], **b;
+ u16 nexts[VLIB_FRAME_SIZE], *next;
+ ct6_main_t *cmp = &ct6_main;
+ u32 my_thread_index = vm->thread_index;
+ f64 now = vlib_time_now (vm);
+ u32 created = 0;
+ u32 recycled = 0;
+
+ from = vlib_frame_vector_args (frame);
+ n_left_from = frame->n_vectors;
+
+ vlib_get_buffers (vm, from, bufs, n_left_from);
+ b = bufs;
+ next = nexts;
+
+#if 0
+ while (n_left_from >= 4)
+ {
+ /* Prefetch next iteration. */
+ if (PREDICT_TRUE (n_left_from >= 8))
+ {
+ vlib_prefetch_buffer_header (b[4], STORE);
+ vlib_prefetch_buffer_header (b[5], STORE);
+ vlib_prefetch_buffer_header (b[6], STORE);
+ vlib_prefetch_buffer_header (b[7], STORE);
+ CLIB_PREFETCH (b[4]->data, CLIB_CACHE_LINE_BYTES, STORE);
+ CLIB_PREFETCH (b[5]->data, CLIB_CACHE_LINE_BYTES, STORE);
+ CLIB_PREFETCH (b[6]->data, CLIB_CACHE_LINE_BYTES, STORE);
+ CLIB_PREFETCH (b[7]->data, CLIB_CACHE_LINE_BYTES, STORE);
+ }
+
+ /* $$$$ process 4x pkts right here */
+ next[0] = 0;
+ next[1] = 0;
+ next[2] = 0;
+ next[3] = 0;
+
+ if (is_trace)
+ {
+ if (b[0]->flags & VLIB_BUFFER_IS_TRACED)
+ {
+ ct6_trace_t *t = vlib_add_trace (vm, node, b[0], sizeof (*t));
+ t->next_index = next[0];
+ t->sw_if_index = vnet_buffer (b[0])->sw_if_index[VLIB_RX];
+ }
+ if (b[1]->flags & VLIB_BUFFER_IS_TRACED)
+ {
+ ct6_trace_t *t = vlib_add_trace (vm, node, b[1], sizeof (*t));
+ t->next_index = next[1];
+ t->sw_if_index = vnet_buffer (b[1])->sw_if_index[VLIB_RX];
+ }
+ if (b[2]->flags & VLIB_BUFFER_IS_TRACED)
+ {
+ ct6_trace_t *t = vlib_add_trace (vm, node, b[2], sizeof (*t));
+ t->next_index = next[2];
+ t->sw_if_index = vnet_buffer (b[2])->sw_if_index[VLIB_RX];
+ }
+ if (b[3]->flags & VLIB_BUFFER_IS_TRACED)
+ {
+ ct6_trace_t *t = vlib_add_trace (vm, node, b[3], sizeof (*t));
+ t->next_index = next[3];
+ t->sw_if_index = vnet_buffer (b[3])->sw_if_index[VLIB_RX];
+ }
+ }
+
+ b += 4;
+ next += 4;
+ n_left_from -= 4;
+ }
+#endif
+
+ while (n_left_from > 0)
+ {
+ clib_bihash_kv_48_8_t kvp0;
+ ct6_session_key_t *key0;
+ ct6_session_t *s0;
+ u32 session_index0 = ~0;
+ u32 next0, delta0;
+ ethernet_header_t *e0;
+
+ ip6_header_t *ip0;
+ udp_header_t *udp0;
+
+ /* $$$ Set to 0 for pg testing */
+ if (1)
+ {
+ vnet_feature_next (&next0, b[0]);
+ next[0] = next0;
+ }
+ else
+ next[0] = CT6_IN2OUT_NEXT_DROP;
+
+ /*
+ * This is an output feature which runs at the last possible
+ * moment. Assume an ethernet header.
+ */
+
+ e0 = vlib_buffer_get_current (b[0]);
+ delta0 = sizeof (*e0);
+ delta0 += (e0->type == clib_net_to_host_u16 (ETHERNET_TYPE_VLAN))
+ ? 4 : 0;
+ delta0 += (e0->type == clib_net_to_host_u16 (ETHERNET_TYPE_DOT1AD))
+ ? 8 : 0;
+
+ ip0 = (ip6_header_t *) (vlib_buffer_get_current (b[0]) + delta0);
+
+ /*
+ * Pass non-global unicast traffic
+ */
+ if (PREDICT_FALSE (!ip6_address_is_global_unicast (&ip0->src_address)
+ ||
+ !ip6_address_is_global_unicast (&ip0->src_address)))
+ goto trace0;
+ /* Pass non-udp, non-tcp traffic */
+ if (PREDICT_FALSE (ip0->protocol != IP_PROTOCOL_TCP &&
+ ip0->protocol != IP_PROTOCOL_UDP))
+ goto trace0;
+
+ udp0 = ip6_next_header (ip0);
+
+ /*
+ * See if we know about this flow.
+ * Key set up for the out2in path, the performant case
+ */
+ key0 = (ct6_session_key_t *) & kvp0;
+ clib_memcpy_fast (&key0->src, &ip0->dst_address,
+ sizeof (ip6_address_t));
+ clib_memcpy_fast (&key0->dst, &ip0->src_address,
+ sizeof (ip6_address_t));
+ key0->as_u64[4] = 0;
+ key0->as_u64[5] = 0;
+ key0->sport = udp0->dst_port;
+ key0->dport = udp0->src_port;
+ key0->proto = ip0->protocol;
+
+ /* Need to create a new session? */
+ if (clib_bihash_search_48_8 (&cmp->session_hash, &kvp0, &kvp0) < 0)
+ {
+ s0 =
+ ct6_create_or_recycle_session (cmp, &kvp0, now, my_thread_index,
+ &recycled, &created);
+ session_index0 = kvp0.value;
+ }
+ else
+ {
+ s0 = pool_elt_at_index (cmp->sessions[my_thread_index], kvp0.value);
+ session_index0 = kvp0.value;
+ ct6_update_session_hit (cmp, s0, now);
+ }
+
+ trace0:
+ if (is_trace)
+ {
+ if (b[0]->flags & VLIB_BUFFER_IS_TRACED)
+ {
+ ct6_in2out_trace_t *t =
+ vlib_add_trace (vm, node, b[0], sizeof (*t));
+ t->next_index = next[0];
+ t->sw_if_index = vnet_buffer (b[0])->sw_if_index[VLIB_RX];
+ t->session_index = session_index0;
+ }
+ }
+
+ b += 1;
+ next += 1;
+ n_left_from -= 1;
+ }
+
+ vlib_buffer_enqueue_to_next (vm, node, from, nexts, frame->n_vectors);
+
+ vlib_node_increment_counter (vm, node->node_index,
+ CT6_IN2OUT_ERROR_PROCESSED, frame->n_vectors);
+ vlib_node_increment_counter (vm, node->node_index,
+ CT6_IN2OUT_ERROR_CREATED, created);
+ vlib_node_increment_counter (vm, node->node_index,
+ CT6_IN2OUT_ERROR_RECYCLED, recycled);
+
+ return frame->n_vectors;
+}
+
+VLIB_NODE_FN (ct6_in2out_node) (vlib_main_t * vm, vlib_node_runtime_t * node,
+ vlib_frame_t * frame)
+{
+ if (PREDICT_FALSE (node->flags & VLIB_NODE_FLAG_TRACE))
+ return ct6_in2out_inline (vm, node, frame, 1 /* is_trace */ );
+ else
+ return ct6_in2out_inline (vm, node, frame, 0 /* is_trace */ );
+}
+
+/* *INDENT-OFF* */
+#ifndef CLIB_MARCH_VARIANT
+VLIB_REGISTER_NODE (ct6_in2out_node) =
+{
+ .name = "ct6-in2out",
+ .vector_size = sizeof (u32),
+ .format_trace = format_ct6_in2out_trace,
+ .type = VLIB_NODE_TYPE_INTERNAL,
+
+ .n_errors = ARRAY_LEN(ct6_in2out_error_strings),
+ .error_strings = ct6_in2out_error_strings,
+
+ .n_next_nodes = CT6_IN2OUT_N_NEXT,
+
+ /* edit / add dispositions here */
+ .next_nodes = {
+ [CT6_IN2OUT_NEXT_DROP] = "error-drop",
+ },
+ .unformat_buffer = unformat_ethernet_header,
+};
+#endif /* CLIB_MARCH_VARIANT */
+/* *INDENT-ON* */
+
+/*
+ * fd.io coding-style-patch-verification: ON
+ *
+ * Local Variables:
+ * eval: (c-set-style "gnu")
+ * End:
+ */
diff --git a/src/plugins/ct6/ct6_msg_enum.h b/src/plugins/ct6/ct6_msg_enum.h
new file mode 100644
index 00000000000..05b1751550d
--- /dev/null
+++ b/src/plugins/ct6/ct6_msg_enum.h
@@ -0,0 +1,31 @@
+
+/*
+ * ct6_msg_enum.h - skeleton vpp engine plug-in message enumeration
+ *
+ * Copyright (c) <current-year> <your-organization>
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef included_ct6_msg_enum_h
+#define included_ct6_msg_enum_h
+
+#include <vppinfra/byte_order.h>
+
+#define vl_msg_id(n,h) n,
+typedef enum {
+#include <ct6/ct6_all_api_h.h>
+ /* We'll want to know how many messages IDs we need... */
+ VL_MSG_FIRST_AVAILABLE,
+} vl_msg_id_t;
+#undef vl_msg_id
+
+#endif /* included_ct6_msg_enum_h */
diff --git a/src/plugins/ct6/ct6_out2in.c b/src/plugins/ct6/ct6_out2in.c
new file mode 100644
index 00000000000..eac4c155aa4
--- /dev/null
+++ b/src/plugins/ct6/ct6_out2in.c
@@ -0,0 +1,278 @@
+/*
+ * ct6_out2in.c - ip6 connection tracker, inside-to-outside path
+ *
+ * Copyright (c) 2019 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <vlib/vlib.h>
+#include <vnet/vnet.h>
+#include <vnet/pg/pg.h>
+#include <vppinfra/error.h>
+#include <ct6/ct6.h>
+
+typedef struct
+{
+ u32 sw_if_index;
+ u32 next_index;
+ u32 session_index;
+} ct6_out2in_trace_t;
+
+#ifndef CLIB_MARCH_VARIANT
+
+/* packet trace format function */
+static u8 *
+format_ct6_out2in_trace (u8 * s, va_list * args)
+{
+ CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
+ CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
+ ct6_out2in_trace_t *t = va_arg (*args, ct6_out2in_trace_t *);
+
+ s = format (s, "CT6_OUT2IN: sw_if_index %d, next index %d session %d\n",
+ t->sw_if_index, t->next_index, t->session_index);
+ return s;
+}
+
+vlib_node_registration_t ct6_out2in_node;
+
+#endif /* CLIB_MARCH_VARIANT */
+
+#define foreach_ct6_out2in_error \
+_(PROCESSED, "ct6 packets processed") \
+_(NO_SESSION, "ct6 no session drops")
+
+
+typedef enum
+{
+#define _(sym,str) CT6_OUT2IN_ERROR_##sym,
+ foreach_ct6_out2in_error
+#undef _
+ CT6_OUT2IN_N_ERROR,
+} ct6_out2in_error_t;
+
+#ifndef CLIB_MARCH_VARIANT
+static char *ct6_out2in_error_strings[] = {
+#define _(sym,string) string,
+ foreach_ct6_out2in_error
+#undef _
+};
+#endif /* CLIB_MARCH_VARIANT */
+
+typedef enum
+{
+ CT6_OUT2IN_NEXT_DROP,
+ CT6_OUT2IN_N_NEXT,
+} ct6_next_t;
+
+always_inline uword
+ct6_out2in_inline (vlib_main_t * vm,
+ vlib_node_runtime_t * node, vlib_frame_t * frame,
+ int is_trace)
+{
+ u32 n_left_from, *from;
+ vlib_buffer_t *bufs[VLIB_FRAME_SIZE], **b;
+ u16 nexts[VLIB_FRAME_SIZE], *next;
+ ct6_main_t *cmp = &ct6_main;
+ u32 my_thread_index = vm->thread_index;
+ f64 now = vlib_time_now (vm);
+ u32 dropped = 0;
+
+ from = vlib_frame_vector_args (frame);
+ n_left_from = frame->n_vectors;
+
+ vlib_get_buffers (vm, from, bufs, n_left_from);
+ b = bufs;
+ next = nexts;
+
+#if 0
+ while (n_left_from >= 4)
+ {
+ /* Prefetch next iteration. */
+ if (PREDICT_TRUE (n_left_from >= 8))
+ {
+ vlib_prefetch_buffer_header (b[4], STORE);
+ vlib_prefetch_buffer_header (b[5], STORE);
+ vlib_prefetch_buffer_header (b[6], STORE);
+ vlib_prefetch_buffer_header (b[7], STORE);
+ CLIB_PREFETCH (b[4]->data, CLIB_CACHE_LINE_BYTES, STORE);
+ CLIB_PREFETCH (b[5]->data, CLIB_CACHE_LINE_BYTES, STORE);
+ CLIB_PREFETCH (b[6]->data, CLIB_CACHE_LINE_BYTES, STORE);
+ CLIB_PREFETCH (b[7]->data, CLIB_CACHE_LINE_BYTES, STORE);
+ }
+
+ /* $$$$ process 4x pkts right here */
+ next[0] = 0;
+ next[1] = 0;
+ next[2] = 0;
+ next[3] = 0;
+
+ if (is_trace)
+ {
+ if (b[0]->flags & VLIB_BUFFER_IS_TRACED)
+ {
+ ct6_trace_t *t = vlib_add_trace (vm, node, b[0], sizeof (*t));
+ t->next_index = next[0];
+ t->sw_if_index = vnet_buffer (b[0])->sw_if_index[VLIB_RX];
+ }
+ if (b[1]->flags & VLIB_BUFFER_IS_TRACED)
+ {
+ ct6_trace_t *t = vlib_add_trace (vm, node, b[1], sizeof (*t));
+ t->next_index = next[1];
+ t->sw_if_index = vnet_buffer (b[1])->sw_if_index[VLIB_RX];
+ }
+ if (b[2]->flags & VLIB_BUFFER_IS_TRACED)
+ {
+ ct6_trace_t *t = vlib_add_trace (vm, node, b[2], sizeof (*t));
+ t->next_index = next[2];
+ t->sw_if_index = vnet_buffer (b[2])->sw_if_index[VLIB_RX];
+ }
+ if (b[3]->flags & VLIB_BUFFER_IS_TRACED)
+ {
+ ct6_trace_t *t = vlib_add_trace (vm, node, b[3], sizeof (*t));
+ t->next_index = next[3];
+ t->sw_if_index = vnet_buffer (b[3])->sw_if_index[VLIB_RX];
+ }
+ }
+
+ b += 4;
+ next += 4;
+ n_left_from -= 4;
+ }
+#endif
+
+ while (n_left_from > 0)
+ {
+ clib_bihash_kv_48_8_t kvp0;
+ ct6_session_key_t *key0;
+ ct6_session_t *s0;
+ u32 session_index0 = ~0;
+ u32 next0;
+
+ ip6_header_t *ip0;
+ udp_header_t *udp0;
+
+ /* Are we having fun yet? */
+ vnet_feature_next (&next0, b[0]);
+ next[0] = next0;
+
+ ip0 = vlib_buffer_get_current (b[0]);
+
+ /*
+ * Pass non-global unicast traffic
+ */
+ if (PREDICT_FALSE (!ip6_address_is_global_unicast (&ip0->src_address)
+ ||
+ !ip6_address_is_global_unicast (&ip0->src_address)))
+ goto trace0;
+ /* Pass non-udp, non-tcp traffic */
+ if (PREDICT_FALSE (ip0->protocol != IP_PROTOCOL_TCP &&
+ ip0->protocol != IP_PROTOCOL_UDP))
+ goto trace0;
+
+ udp0 = ip6_next_header (ip0);
+
+ /*
+ * See if we know about this flow.
+ */
+ key0 = (ct6_session_key_t *) & kvp0;
+ clib_memcpy_fast (&key0->src, &ip0->src_address,
+ sizeof (ip6_address_t));
+ clib_memcpy_fast (&key0->dst, &ip0->dst_address,
+ sizeof (ip6_address_t));
+ key0->as_u64[4] = 0;
+ key0->as_u64[5] = 0;
+ key0->sport = udp0->src_port;
+ key0->dport = udp0->dst_port;
+ key0->proto = ip0->protocol;
+
+ /* Do we know about this session? */
+ if (clib_bihash_search_48_8 (&cmp->session_hash, &kvp0, &kvp0) < 0)
+ {
+ /* Bad engineer, no donut for you... */
+ next[0] = CT6_OUT2IN_NEXT_DROP;
+ b[0]->error = node->errors[CT6_OUT2IN_ERROR_NO_SESSION];
+ dropped++;
+ goto trace0;
+ }
+ else
+ {
+ s0 = pool_elt_at_index (cmp->sessions[my_thread_index], kvp0.value);
+ session_index0 = kvp0.value;
+ ct6_update_session_hit (cmp, s0, now);
+ }
+
+ trace0:
+ if (is_trace)
+ {
+ if (b[0]->flags & VLIB_BUFFER_IS_TRACED)
+ {
+ ct6_out2in_trace_t *t =
+ vlib_add_trace (vm, node, b[0], sizeof (*t));
+ t->next_index = next[0];
+ t->sw_if_index = vnet_buffer (b[0])->sw_if_index[VLIB_RX];
+ t->session_index = session_index0;
+ }
+ }
+
+ b += 1;
+ next += 1;
+ n_left_from -= 1;
+ }
+
+ vlib_buffer_enqueue_to_next (vm, node, from, nexts, frame->n_vectors);
+
+ vlib_node_increment_counter (vm, node->node_index,
+ CT6_OUT2IN_ERROR_PROCESSED, frame->n_vectors);
+ vlib_node_increment_counter (vm, node->node_index,
+ CT6_OUT2IN_ERROR_NO_SESSION, dropped);
+
+ return frame->n_vectors;
+}
+
+VLIB_NODE_FN (ct6_out2in_node) (vlib_main_t * vm, vlib_node_runtime_t * node,
+ vlib_frame_t * frame)
+{
+ if (PREDICT_FALSE (node->flags & VLIB_NODE_FLAG_TRACE))
+ return ct6_out2in_inline (vm, node, frame, 1 /* is_trace */ );
+ else
+ return ct6_out2in_inline (vm, node, frame, 0 /* is_trace */ );
+}
+
+/* *INDENT-OFF* */
+#ifndef CLIB_MARCH_VARIANT
+VLIB_REGISTER_NODE (ct6_out2in_node) =
+{
+ .name = "ct6-out2in",
+ .vector_size = sizeof (u32),
+ .format_trace = format_ct6_out2in_trace,
+ .type = VLIB_NODE_TYPE_INTERNAL,
+
+ .n_errors = ARRAY_LEN(ct6_out2in_error_strings),
+ .error_strings = ct6_out2in_error_strings,
+
+ .n_next_nodes = CT6_OUT2IN_N_NEXT,
+
+ /* edit / add dispositions here */
+ .next_nodes = {
+ [CT6_OUT2IN_NEXT_DROP] = "error-drop",
+ },
+};
+#endif /* CLIB_MARCH_VARIANT */
+/* *INDENT-ON* */
+
+/*
+ * fd.io coding-style-patch-verification: ON
+ *
+ * Local Variables:
+ * eval: (c-set-style "gnu")
+ * End:
+ */
diff --git a/src/plugins/ct6/ct6_test.c b/src/plugins/ct6/ct6_test.c
new file mode 100644
index 00000000000..507620eaf0b
--- /dev/null
+++ b/src/plugins/ct6/ct6_test.c
@@ -0,0 +1,202 @@
+/*
+ * ct6.c - skeleton vpp-api-test plug-in
+ *
+ * Copyright (c) <current-year> <your-organization>
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <vat/vat.h>
+#include <vlibapi/api.h>
+#include <vlibmemory/api.h>
+#include <vppinfra/error.h>
+
+uword unformat_sw_if_index (unformat_input_t * input, va_list * args);
+
+/* Declare message IDs */
+#include <ct6/ct6_msg_enum.h>
+
+/* define message structures */
+#define vl_typedefs
+#include <ct6/ct6_all_api_h.h>
+#undef vl_typedefs
+
+/* declare message handlers for each api */
+
+#define vl_endianfun /* define message structures */
+#include <ct6/ct6_all_api_h.h>
+#undef vl_endianfun
+
+/* instantiate all the print functions we know about */
+#define vl_print(handle, ...)
+#define vl_printfun
+#include <ct6/ct6_all_api_h.h>
+#undef vl_printfun
+
+/* Get the API version number. */
+#define vl_api_version(n,v) static u32 api_version=(v);
+#include <ct6/ct6_all_api_h.h>
+#undef vl_api_version
+
+
+typedef struct
+{
+ /* API message ID base */
+ u16 msg_id_base;
+ vat_main_t *vat_main;
+} ct6_test_main_t;
+
+ct6_test_main_t ct6_test_main;
+
+#define __plugin_msg_base ct6_test_main.msg_id_base
+#include <vlibapi/vat_helper_macros.h>
+
+#define foreach_standard_reply_retval_handler \
+_(ct6_enable_disable_reply)
+
+#define _(n) \
+ static void vl_api_##n##_t_handler \
+ (vl_api_##n##_t * mp) \
+ { \
+ vat_main_t * vam = ct6_test_main.vat_main; \
+ i32 retval = ntohl(mp->retval); \
+ if (vam->async_mode) { \
+ vam->async_errors += (retval < 0); \
+ } else { \
+ vam->retval = retval; \
+ vam->result_ready = 1; \
+ } \
+ }
+foreach_standard_reply_retval_handler;
+#undef _
+
+/*
+ * Table of message reply handlers, must include boilerplate handlers
+ * we just generated
+ */
+#define foreach_vpe_api_reply_msg \
+_(CT6_ENABLE_DISABLE_REPLY, ct6_enable_disable_reply)
+
+
+static int
+api_ct6_enable_disable (vat_main_t * vam)
+{
+ unformat_input_t *i = vam->input;
+ int enable_disable = 1;
+ u32 sw_if_index = ~0;
+ vl_api_ct6_enable_disable_t *mp;
+ u32 inside = ~0;
+ int ret;
+
+ /* Parse args required to build the message */
+ while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
+ {
+ if (unformat (i, "%U", unformat_sw_if_index, vam, &sw_if_index))
+ ;
+ else if (unformat (i, "sw_if_index %d", &sw_if_index))
+ ;
+ else if (unformat (i, "disable"))
+ enable_disable = 0;
+ else if (unformat (i, "inside") || unformat (i, "in"))
+ inside = 1;
+ else if (unformat (i, "outside") || unformat (i, "out"))
+ inside = 0;
+ else
+ break;
+ }
+
+ if (inside == ~0)
+ {
+ errmsg ("must specify inside or outside");
+ return -99;
+ }
+
+ if (sw_if_index == ~0)
+ {
+ errmsg ("missing interface name / explicit sw_if_index number \n");
+ return -99;
+ }
+
+ /* Construct the API message */
+ M (CT6_ENABLE_DISABLE, mp);
+ mp->sw_if_index = ntohl (sw_if_index);
+ mp->enable_disable = enable_disable;
+ mp->is_inside = (u8) inside;
+
+ /* send it... */
+ S (mp);
+
+ /* Wait for a reply... */
+ W (ret);
+ return ret;
+}
+
+/*
+ * List of messages that the api test plugin sends,
+ * and that the data plane plugin processes
+ */
+#define foreach_vpe_api_msg \
+_(ct6_enable_disable, "<intfc> [disable]")
+
+static void
+ct6_api_hookup (vat_main_t * vam)
+{
+ ct6_test_main_t *ctmp = &ct6_test_main;
+ /* Hook up handlers for replies from the data plane plug-in */
+#define _(N,n) \
+ vl_msg_api_set_handlers((VL_API_##N + ctmp->msg_id_base), \
+ #n, \
+ vl_api_##n##_t_handler, \
+ vl_noop_handler, \
+ vl_api_##n##_t_endian, \
+ vl_api_##n##_t_print, \
+ sizeof(vl_api_##n##_t), 1);
+ foreach_vpe_api_reply_msg;
+#undef _
+
+ /* API messages we can send */
+#define _(n,h) hash_set_mem (vam->function_by_name, #n, api_##n);
+ foreach_vpe_api_msg;
+#undef _
+
+ /* Help strings */
+#define _(n,h) hash_set_mem (vam->help_by_name, #n, h);
+ foreach_vpe_api_msg;
+#undef _
+}
+
+clib_error_t *
+vat_plugin_register (vat_main_t * vam)
+{
+ ct6_test_main_t *ctmp = &ct6_test_main;
+ u8 *name;
+
+ ctmp->vat_main = vam;
+
+ /* Ask the vpp engine for the first assigned message-id */
+ name = format (0, "ct6_%08x%c", api_version, 0);
+ ctmp->msg_id_base = vl_client_get_first_plugin_msg_id ((char *) name);
+
+ if (ctmp->msg_id_base != (u16) ~ 0)
+ ct6_api_hookup (vam);
+
+ vec_free (name);
+
+ return 0;
+}
+
+/*
+ * fd.io coding-style-patch-verification: ON
+ *
+ * Local Variables:
+ * eval: (c-set-style "gnu")
+ * End:
+ */