summaryrefslogtreecommitdiffstats
path: root/extras/deprecated/plugins/gbp/gbp_contract.h
diff options
context:
space:
mode:
Diffstat (limited to 'extras/deprecated/plugins/gbp/gbp_contract.h')
-rw-r--r--extras/deprecated/plugins/gbp/gbp_contract.h362
1 files changed, 362 insertions, 0 deletions
diff --git a/extras/deprecated/plugins/gbp/gbp_contract.h b/extras/deprecated/plugins/gbp/gbp_contract.h
new file mode 100644
index 00000000000..1e74db60116
--- /dev/null
+++ b/extras/deprecated/plugins/gbp/gbp_contract.h
@@ -0,0 +1,362 @@
+/*
+ * Copyright (c) 2018 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef __GBP_CONTRACT_H__
+#define __GBP_CONTRACT_H__
+
+#include <plugins/gbp/gbp.h>
+#include <plugins/gbp/gbp_types.h>
+
+#define foreach_gbp_contract_error \
+ _(ALLOW_NO_SCLASS, "allow-no-sclass") \
+ _(ALLOW_INTRA, "allow-intra-sclass") \
+ _(ALLOW_A_BIT, "allow-a-bit-set") \
+ _(ALLOW_SCLASS_1, "allow-sclass-1") \
+ _(ALLOW_CONTRACT, "allow-contract") \
+ _(DROP_CONTRACT, "drop-contract") \
+ _(DROP_ETHER_TYPE, "drop-ether-type") \
+ _(DROP_NO_CONTRACT, "drop-no-contract") \
+ _(DROP_NO_DCLASS, "drop-no-dclass") \
+ _(DROP_NO_RULE, "drop-no-rule")
+
+typedef enum
+{
+#define _(sym,str) GBP_CONTRACT_ERROR_##sym,
+ foreach_gbp_contract_error
+#undef _
+ GBP_CONTRACT_N_ERROR,
+#define GBP_CONTRACT_N_ERROR GBP_CONTRACT_N_ERROR
+} gbp_contract_error_t;
+
+extern char *gbp_contract_error_strings[GBP_CONTRACT_N_ERROR];
+
+/**
+ * The key for an Contract
+ */
+typedef struct gbp_contract_key_t_
+{
+ union
+ {
+ struct
+ {
+ gbp_scope_t gck_scope;
+ /**
+ * source and destination EPGs for which the ACL applies
+ */
+ sclass_t gck_src;
+ sclass_t gck_dst;
+ };
+ u64 as_u64;
+ };
+} gbp_contract_key_t;
+
+typedef struct gbp_next_hop_t_
+{
+ fib_node_t gnh_node;
+ ip46_address_t gnh_ip;
+ mac_address_t gnh_mac;
+ index_t gnh_gu;
+ index_t gnh_bd;
+ index_t gnh_rd;
+ u32 gnh_ge;
+ u32 gnh_sibling;
+ index_t gnh_ai[FIB_PROTOCOL_IP_MAX];
+} gbp_next_hop_t;
+
+#define foreach_gbp_hash_mode \
+ _(SRC_IP, "src-ip") \
+ _(DST_IP, "dst-ip") \
+ _(SYMMETRIC, "symmetric")
+
+typedef enum gbp_hash_mode_t_
+{
+#define _(v,s) GBP_HASH_MODE_##v,
+ foreach_gbp_hash_mode
+#undef _
+} gbp_hash_mode_t;
+
+#define foreach_gbp_rule_action \
+ _(PERMIT, "permit") \
+ _(DENY, "deny") \
+ _(REDIRECT, "redirect")
+
+typedef enum gbp_rule_action_t_
+{
+#define _(v,s) GBP_RULE_##v,
+ foreach_gbp_rule_action
+#undef _
+} gbp_rule_action_t;
+
+#define foreach_gbp_policy_node \
+ _(L2, "L2") \
+ _(IP4, "ip4") \
+ _(IP6, "ip6")
+
+typedef enum gbp_policy_node_t_
+{
+#define _(v,s) GBP_POLICY_NODE_##v,
+ foreach_gbp_policy_node
+#undef _
+} gbp_policy_node_t;
+#define GBP_POLICY_N_NODES (GBP_POLICY_NODE_IP6+1)
+
+#define FOR_EACH_GBP_POLICY_NODE(pnode) \
+ for (pnode = GBP_POLICY_NODE_L2; pnode < GBP_POLICY_N_NODES; pnode++)
+
+typedef struct gbp_rule_t_
+{
+ gbp_rule_action_t gu_action;
+ gbp_hash_mode_t gu_hash_mode;
+ index_t *gu_nhs;
+
+ /**
+ * DPO of the load-balance object used to redirect
+ */
+ dpo_id_t gu_dpo[GBP_POLICY_N_NODES][FIB_PROTOCOL_IP_MAX];
+} gbp_rule_t;
+
+/**
+ * A Group Based Policy Contract.
+ * Determines the ACL that applies to traffic pass between two endpoint groups
+ */
+typedef struct gbp_contract_t_
+{
+ /**
+ * source and destination EPGs
+ */
+ gbp_contract_key_t gc_key;
+
+ u32 gc_acl_index;
+ u32 gc_lc_index;
+
+ /**
+ * The ACL to apply for packets from the source to the destination EPG
+ */
+ index_t *gc_rules;
+
+ /**
+ * An ethertype whitelist
+ */
+ u16 *gc_allowed_ethertypes;
+} gbp_contract_t;
+
+/**
+ * EPG src,dst pair to ACL mapping table, aka contract DB
+ */
+typedef struct gbp_contract_db_t_
+{
+ /**
+ * We can form a u64 key from the pair, so use a simple hash table
+ */
+ uword *gc_hash;
+} gbp_contract_db_t;
+
+extern int gbp_contract_update (gbp_scope_t scope,
+ sclass_t sclass,
+ sclass_t dclass,
+ u32 acl_index,
+ index_t * rules,
+ u16 * allowed_ethertypes, u32 * stats_index);
+extern int gbp_contract_delete (gbp_scope_t scope, sclass_t sclass,
+ sclass_t dclass);
+
+extern index_t gbp_rule_alloc (gbp_rule_action_t action,
+ gbp_hash_mode_t hash_mode, index_t * nhs);
+extern void gbp_rule_free (index_t gui);
+extern index_t gbp_next_hop_alloc (const ip46_address_t * ip,
+ index_t grd,
+ const mac_address_t * mac, index_t gbd);
+
+typedef int (*gbp_contract_cb_t) (gbp_contract_t * gbpe, void *ctx);
+extern void gbp_contract_walk (gbp_contract_cb_t bgpe, void *ctx);
+
+extern u8 *format_gbp_rule_action (u8 * s, va_list * args);
+extern u8 *format_gbp_contract (u8 * s, va_list * args);
+
+/**
+ * DP functions and databases
+ */
+extern gbp_contract_db_t gbp_contract_db;
+
+always_inline index_t
+gbp_contract_find (gbp_contract_key_t * key)
+{
+ uword *p;
+
+ p = hash_get (gbp_contract_db.gc_hash, key->as_u64);
+
+ if (NULL != p)
+ return (p[0]);
+
+ return (INDEX_INVALID);
+}
+
+extern gbp_contract_t *gbp_contract_pool;
+
+always_inline gbp_contract_t *
+gbp_contract_get (index_t gci)
+{
+ return (pool_elt_at_index (gbp_contract_pool, gci));
+}
+
+extern gbp_rule_t *gbp_rule_pool;
+
+always_inline gbp_rule_t *
+gbp_rule_get (index_t gui)
+{
+ return (pool_elt_at_index (gbp_rule_pool, gui));
+}
+
+extern vlib_combined_counter_main_t gbp_contract_permit_counters;
+extern vlib_combined_counter_main_t gbp_contract_drop_counters;
+
+typedef enum
+{
+ GBP_CONTRACT_APPLY_L2,
+ GBP_CONTRACT_APPLY_IP4,
+ GBP_CONTRACT_APPLY_IP6,
+} gbp_contract_apply_type_t;
+
+static_always_inline gbp_rule_action_t
+gbp_contract_apply (vlib_main_t * vm, gbp_main_t * gm,
+ gbp_contract_key_t * key, vlib_buffer_t * b,
+ gbp_rule_t ** rule, u32 * intra, u32 * sclass1,
+ u32 * acl_match, u32 * rule_match,
+ gbp_contract_error_t * err,
+ gbp_contract_apply_type_t type)
+{
+ fa_5tuple_opaque_t fa_5tuple;
+ const gbp_contract_t *contract;
+ index_t contract_index;
+ u32 acl_pos, trace_bitmap;
+ u16 etype;
+ u8 ip6, action;
+
+ *rule = 0;
+ trace_bitmap = 0;
+
+ if (key->gck_src == key->gck_dst)
+ {
+ /* intra-epg allowed */
+ (*intra)++;
+ *err = GBP_CONTRACT_ERROR_ALLOW_INTRA;
+ return GBP_RULE_PERMIT;
+ }
+
+ if (1 == key->gck_src || 1 == key->gck_dst)
+ {
+ /* sclass 1 allowed */
+ (*sclass1)++;
+ *err = GBP_CONTRACT_ERROR_ALLOW_SCLASS_1;
+ return GBP_RULE_PERMIT;
+ }
+
+ /* look for contract */
+ contract_index = gbp_contract_find (key);
+ if (INDEX_INVALID == contract_index)
+ {
+ *err = GBP_CONTRACT_ERROR_DROP_NO_CONTRACT;
+ return GBP_RULE_DENY;
+ }
+
+ contract = gbp_contract_get (contract_index);
+
+ *err = GBP_CONTRACT_ERROR_DROP_CONTRACT;
+
+ switch (type)
+ {
+ case GBP_CONTRACT_APPLY_IP4:
+ ip6 = 0;
+ break;
+ case GBP_CONTRACT_APPLY_IP6:
+ ip6 = 1;
+ break;
+ case GBP_CONTRACT_APPLY_L2:
+ {
+ /* check ethertype */
+ etype =
+ ((u16 *) (vlib_buffer_get_current (b) +
+ vnet_buffer (b)->l2.l2_len))[-1];
+
+ if (~0 == vec_search (contract->gc_allowed_ethertypes, etype))
+ {
+ *err = GBP_CONTRACT_ERROR_DROP_ETHER_TYPE;
+ goto contract_deny;
+ }
+
+ switch (clib_net_to_host_u16 (etype))
+ {
+ case ETHERNET_TYPE_IP4:
+ ip6 = 0;
+ break;
+ case ETHERNET_TYPE_IP6:
+ ip6 = 1;
+ break;
+ default:
+ goto contract_deny;
+ }
+ }
+ break;
+ }
+
+ /* check ACL */
+ action = 0;
+ acl_plugin_fill_5tuple_inline (gm->acl_plugin.p_acl_main,
+ contract->gc_lc_index, b, ip6,
+ GBP_CONTRACT_APPLY_L2 != type /* input */ ,
+ GBP_CONTRACT_APPLY_L2 == type /* l2_path */ ,
+ &fa_5tuple);
+ acl_plugin_match_5tuple_inline (gm->acl_plugin.p_acl_main,
+ contract->gc_lc_index, &fa_5tuple, ip6,
+ &action, &acl_pos, acl_match, rule_match,
+ &trace_bitmap);
+ if (action <= 0)
+ goto contract_deny;
+
+ if (PREDICT_FALSE (*rule_match >= vec_len (contract->gc_rules)))
+ {
+ *err = GBP_CONTRACT_ERROR_DROP_NO_RULE;
+ goto contract_deny;
+ }
+
+ *rule = gbp_rule_get (contract->gc_rules[*rule_match]);
+ switch ((*rule)->gu_action)
+ {
+ case GBP_RULE_PERMIT:
+ case GBP_RULE_REDIRECT:
+ *err = GBP_CONTRACT_ERROR_ALLOW_CONTRACT;
+ vlib_increment_combined_counter (&gbp_contract_permit_counters,
+ vm->thread_index, contract_index, 1,
+ vlib_buffer_length_in_chain (vm, b));
+ return (*rule)->gu_action;
+ case GBP_RULE_DENY:
+ break;
+ }
+
+contract_deny:
+ vlib_increment_combined_counter (&gbp_contract_drop_counters,
+ vm->thread_index, contract_index, 1,
+ vlib_buffer_length_in_chain (vm, b));
+ return GBP_RULE_DENY;
+}
+
+#endif /* __GBP_CONTRACT_H__ */
+/*
+ * fd.io coding-style-patch-verification: ON
+ *
+ * Local Variables:
+ * eval: (c-set-style "gnu")
+ * End:
+ */