diff options
Diffstat (limited to 'extras/deprecated/plugins/gbp/gbp_contract.h')
-rw-r--r-- | extras/deprecated/plugins/gbp/gbp_contract.h | 362 |
1 files changed, 362 insertions, 0 deletions
diff --git a/extras/deprecated/plugins/gbp/gbp_contract.h b/extras/deprecated/plugins/gbp/gbp_contract.h new file mode 100644 index 00000000000..1e74db60116 --- /dev/null +++ b/extras/deprecated/plugins/gbp/gbp_contract.h @@ -0,0 +1,362 @@ +/* + * Copyright (c) 2018 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef __GBP_CONTRACT_H__ +#define __GBP_CONTRACT_H__ + +#include <plugins/gbp/gbp.h> +#include <plugins/gbp/gbp_types.h> + +#define foreach_gbp_contract_error \ + _(ALLOW_NO_SCLASS, "allow-no-sclass") \ + _(ALLOW_INTRA, "allow-intra-sclass") \ + _(ALLOW_A_BIT, "allow-a-bit-set") \ + _(ALLOW_SCLASS_1, "allow-sclass-1") \ + _(ALLOW_CONTRACT, "allow-contract") \ + _(DROP_CONTRACT, "drop-contract") \ + _(DROP_ETHER_TYPE, "drop-ether-type") \ + _(DROP_NO_CONTRACT, "drop-no-contract") \ + _(DROP_NO_DCLASS, "drop-no-dclass") \ + _(DROP_NO_RULE, "drop-no-rule") + +typedef enum +{ +#define _(sym,str) GBP_CONTRACT_ERROR_##sym, + foreach_gbp_contract_error +#undef _ + GBP_CONTRACT_N_ERROR, +#define GBP_CONTRACT_N_ERROR GBP_CONTRACT_N_ERROR +} gbp_contract_error_t; + +extern char *gbp_contract_error_strings[GBP_CONTRACT_N_ERROR]; + +/** + * The key for an Contract + */ +typedef struct gbp_contract_key_t_ +{ + union + { + struct + { + gbp_scope_t gck_scope; + /** + * source and destination EPGs for which the ACL applies + */ + sclass_t gck_src; + sclass_t gck_dst; + }; + u64 as_u64; + }; +} gbp_contract_key_t; + +typedef struct gbp_next_hop_t_ +{ + fib_node_t gnh_node; + ip46_address_t gnh_ip; + mac_address_t gnh_mac; + index_t gnh_gu; + index_t gnh_bd; + index_t gnh_rd; + u32 gnh_ge; + u32 gnh_sibling; + index_t gnh_ai[FIB_PROTOCOL_IP_MAX]; +} gbp_next_hop_t; + +#define foreach_gbp_hash_mode \ + _(SRC_IP, "src-ip") \ + _(DST_IP, "dst-ip") \ + _(SYMMETRIC, "symmetric") + +typedef enum gbp_hash_mode_t_ +{ +#define _(v,s) GBP_HASH_MODE_##v, + foreach_gbp_hash_mode +#undef _ +} gbp_hash_mode_t; + +#define foreach_gbp_rule_action \ + _(PERMIT, "permit") \ + _(DENY, "deny") \ + _(REDIRECT, "redirect") + +typedef enum gbp_rule_action_t_ +{ +#define _(v,s) GBP_RULE_##v, + foreach_gbp_rule_action +#undef _ +} gbp_rule_action_t; + +#define foreach_gbp_policy_node \ + _(L2, "L2") \ + _(IP4, "ip4") \ + _(IP6, "ip6") + +typedef enum gbp_policy_node_t_ +{ +#define _(v,s) GBP_POLICY_NODE_##v, + foreach_gbp_policy_node +#undef _ +} gbp_policy_node_t; +#define GBP_POLICY_N_NODES (GBP_POLICY_NODE_IP6+1) + +#define FOR_EACH_GBP_POLICY_NODE(pnode) \ + for (pnode = GBP_POLICY_NODE_L2; pnode < GBP_POLICY_N_NODES; pnode++) + +typedef struct gbp_rule_t_ +{ + gbp_rule_action_t gu_action; + gbp_hash_mode_t gu_hash_mode; + index_t *gu_nhs; + + /** + * DPO of the load-balance object used to redirect + */ + dpo_id_t gu_dpo[GBP_POLICY_N_NODES][FIB_PROTOCOL_IP_MAX]; +} gbp_rule_t; + +/** + * A Group Based Policy Contract. + * Determines the ACL that applies to traffic pass between two endpoint groups + */ +typedef struct gbp_contract_t_ +{ + /** + * source and destination EPGs + */ + gbp_contract_key_t gc_key; + + u32 gc_acl_index; + u32 gc_lc_index; + + /** + * The ACL to apply for packets from the source to the destination EPG + */ + index_t *gc_rules; + + /** + * An ethertype whitelist + */ + u16 *gc_allowed_ethertypes; +} gbp_contract_t; + +/** + * EPG src,dst pair to ACL mapping table, aka contract DB + */ +typedef struct gbp_contract_db_t_ +{ + /** + * We can form a u64 key from the pair, so use a simple hash table + */ + uword *gc_hash; +} gbp_contract_db_t; + +extern int gbp_contract_update (gbp_scope_t scope, + sclass_t sclass, + sclass_t dclass, + u32 acl_index, + index_t * rules, + u16 * allowed_ethertypes, u32 * stats_index); +extern int gbp_contract_delete (gbp_scope_t scope, sclass_t sclass, + sclass_t dclass); + +extern index_t gbp_rule_alloc (gbp_rule_action_t action, + gbp_hash_mode_t hash_mode, index_t * nhs); +extern void gbp_rule_free (index_t gui); +extern index_t gbp_next_hop_alloc (const ip46_address_t * ip, + index_t grd, + const mac_address_t * mac, index_t gbd); + +typedef int (*gbp_contract_cb_t) (gbp_contract_t * gbpe, void *ctx); +extern void gbp_contract_walk (gbp_contract_cb_t bgpe, void *ctx); + +extern u8 *format_gbp_rule_action (u8 * s, va_list * args); +extern u8 *format_gbp_contract (u8 * s, va_list * args); + +/** + * DP functions and databases + */ +extern gbp_contract_db_t gbp_contract_db; + +always_inline index_t +gbp_contract_find (gbp_contract_key_t * key) +{ + uword *p; + + p = hash_get (gbp_contract_db.gc_hash, key->as_u64); + + if (NULL != p) + return (p[0]); + + return (INDEX_INVALID); +} + +extern gbp_contract_t *gbp_contract_pool; + +always_inline gbp_contract_t * +gbp_contract_get (index_t gci) +{ + return (pool_elt_at_index (gbp_contract_pool, gci)); +} + +extern gbp_rule_t *gbp_rule_pool; + +always_inline gbp_rule_t * +gbp_rule_get (index_t gui) +{ + return (pool_elt_at_index (gbp_rule_pool, gui)); +} + +extern vlib_combined_counter_main_t gbp_contract_permit_counters; +extern vlib_combined_counter_main_t gbp_contract_drop_counters; + +typedef enum +{ + GBP_CONTRACT_APPLY_L2, + GBP_CONTRACT_APPLY_IP4, + GBP_CONTRACT_APPLY_IP6, +} gbp_contract_apply_type_t; + +static_always_inline gbp_rule_action_t +gbp_contract_apply (vlib_main_t * vm, gbp_main_t * gm, + gbp_contract_key_t * key, vlib_buffer_t * b, + gbp_rule_t ** rule, u32 * intra, u32 * sclass1, + u32 * acl_match, u32 * rule_match, + gbp_contract_error_t * err, + gbp_contract_apply_type_t type) +{ + fa_5tuple_opaque_t fa_5tuple; + const gbp_contract_t *contract; + index_t contract_index; + u32 acl_pos, trace_bitmap; + u16 etype; + u8 ip6, action; + + *rule = 0; + trace_bitmap = 0; + + if (key->gck_src == key->gck_dst) + { + /* intra-epg allowed */ + (*intra)++; + *err = GBP_CONTRACT_ERROR_ALLOW_INTRA; + return GBP_RULE_PERMIT; + } + + if (1 == key->gck_src || 1 == key->gck_dst) + { + /* sclass 1 allowed */ + (*sclass1)++; + *err = GBP_CONTRACT_ERROR_ALLOW_SCLASS_1; + return GBP_RULE_PERMIT; + } + + /* look for contract */ + contract_index = gbp_contract_find (key); + if (INDEX_INVALID == contract_index) + { + *err = GBP_CONTRACT_ERROR_DROP_NO_CONTRACT; + return GBP_RULE_DENY; + } + + contract = gbp_contract_get (contract_index); + + *err = GBP_CONTRACT_ERROR_DROP_CONTRACT; + + switch (type) + { + case GBP_CONTRACT_APPLY_IP4: + ip6 = 0; + break; + case GBP_CONTRACT_APPLY_IP6: + ip6 = 1; + break; + case GBP_CONTRACT_APPLY_L2: + { + /* check ethertype */ + etype = + ((u16 *) (vlib_buffer_get_current (b) + + vnet_buffer (b)->l2.l2_len))[-1]; + + if (~0 == vec_search (contract->gc_allowed_ethertypes, etype)) + { + *err = GBP_CONTRACT_ERROR_DROP_ETHER_TYPE; + goto contract_deny; + } + + switch (clib_net_to_host_u16 (etype)) + { + case ETHERNET_TYPE_IP4: + ip6 = 0; + break; + case ETHERNET_TYPE_IP6: + ip6 = 1; + break; + default: + goto contract_deny; + } + } + break; + } + + /* check ACL */ + action = 0; + acl_plugin_fill_5tuple_inline (gm->acl_plugin.p_acl_main, + contract->gc_lc_index, b, ip6, + GBP_CONTRACT_APPLY_L2 != type /* input */ , + GBP_CONTRACT_APPLY_L2 == type /* l2_path */ , + &fa_5tuple); + acl_plugin_match_5tuple_inline (gm->acl_plugin.p_acl_main, + contract->gc_lc_index, &fa_5tuple, ip6, + &action, &acl_pos, acl_match, rule_match, + &trace_bitmap); + if (action <= 0) + goto contract_deny; + + if (PREDICT_FALSE (*rule_match >= vec_len (contract->gc_rules))) + { + *err = GBP_CONTRACT_ERROR_DROP_NO_RULE; + goto contract_deny; + } + + *rule = gbp_rule_get (contract->gc_rules[*rule_match]); + switch ((*rule)->gu_action) + { + case GBP_RULE_PERMIT: + case GBP_RULE_REDIRECT: + *err = GBP_CONTRACT_ERROR_ALLOW_CONTRACT; + vlib_increment_combined_counter (&gbp_contract_permit_counters, + vm->thread_index, contract_index, 1, + vlib_buffer_length_in_chain (vm, b)); + return (*rule)->gu_action; + case GBP_RULE_DENY: + break; + } + +contract_deny: + vlib_increment_combined_counter (&gbp_contract_drop_counters, + vm->thread_index, contract_index, 1, + vlib_buffer_length_in_chain (vm, b)); + return GBP_RULE_DENY; +} + +#endif /* __GBP_CONTRACT_H__ */ +/* + * fd.io coding-style-patch-verification: ON + * + * Local Variables: + * eval: (c-set-style "gnu") + * End: + */ |