From 7055e26952e0dee3a01422e9ae733f8996e81608 Mon Sep 17 00:00:00 2001 From: Dave Barach Date: Mon, 18 Jun 2018 13:16:39 -0400 Subject: Driver level time-based src mac filter Change-Id: I062d7653e00d77e73a61d8841e01ab4a159b6404 Signed-off-by: Dave Barach --- src/configure.ac | 1 + src/plugins/Makefile.am | 4 + src/plugins/mactime.am | 36 +++ src/plugins/mactime/mactime.api | 88 ++++++ src/plugins/mactime/mactime.c | 533 ++++++++++++++++++++++++++++++++ src/plugins/mactime/mactime.h | 113 +++++++ src/plugins/mactime/mactime_all_api_h.h | 19 ++ src/plugins/mactime/mactime_msg_enum.h | 31 ++ src/plugins/mactime/mactime_test.c | 311 +++++++++++++++++++ src/plugins/mactime/node.c | 363 ++++++++++++++++++++++ src/vpp/api/api_main.c | 1 + 11 files changed, 1500 insertions(+) create mode 100644 src/plugins/mactime.am create mode 100644 src/plugins/mactime/mactime.api create mode 100644 src/plugins/mactime/mactime.c create mode 100644 src/plugins/mactime/mactime.h create mode 100644 src/plugins/mactime/mactime_all_api_h.h create mode 100644 src/plugins/mactime/mactime_msg_enum.h create mode 100644 src/plugins/mactime/mactime_test.c create mode 100644 src/plugins/mactime/node.c diff --git a/src/configure.ac b/src/configure.ac index 428e15d3f45..2b6db9503a8 100644 --- a/src/configure.ac +++ b/src/configure.ac @@ -310,6 +310,7 @@ PLUGIN_ENABLED(ixge) PLUGIN_ENABLED(l2e) PLUGIN_ENABLED(lacp) PLUGIN_ENABLED(lb) +PLUGIN_ENABLED(mactime) PLUGIN_ENABLED(marvell) PLUGIN_ENABLED(memif) PLUGIN_ENABLED(pppoe) diff --git a/src/plugins/Makefile.am b/src/plugins/Makefile.am index 971b263a630..9c891c54b3c 100644 --- a/src/plugins/Makefile.am +++ b/src/plugins/Makefile.am @@ -83,6 +83,10 @@ if ENABLE_LB_PLUGIN include lb.am endif +if ENABLE_MACTIME_PLUGIN +include mactime.am +endif + if ENABLE_MARVELL_PLUGIN include marvell.am endif diff --git a/src/plugins/mactime.am b/src/plugins/mactime.am new file mode 100644 index 00000000000..46225f6e3b1 --- /dev/null +++ b/src/plugins/mactime.am @@ -0,0 +1,36 @@ + +# Copyright (c) +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +vppapitestplugins_LTLIBRARIES += mactime_test_plugin.la +vppplugins_LTLIBRARIES += mactime_plugin.la + +mactime_plugin_la_SOURCES = \ + mactime/node.c \ + mactime/mactime.c \ + mactime/mactime.h \ + mactime/mactime_all_api_h.h \ + mactime/mactime_msg_enum.h + +API_FILES += mactime/mactime.api + +nobase_apiinclude_HEADERS += \ + mactime/mactime_all_api_h.h \ + mactime/mactime_msg_enum.h \ + mactime/mactime.api.h + +mactime_test_plugin_la_SOURCES = \ + mactime/mactime_test.c \ + mactime/mactime.api.h + +# vi:syntax=automake diff --git a/src/plugins/mactime/mactime.api b/src/plugins/mactime/mactime.api new file mode 100644 index 00000000000..7cad7828fe4 --- /dev/null +++ b/src/plugins/mactime/mactime.api @@ -0,0 +1,88 @@ +/* + * Copyright (c) 2018 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/** \file + This file defines vpp mactime control-plane API messages +*/ +option version = "1.0.0"; + +/** \brief api to enable or disable the time-based src mac filter on + an interface +*/ + +autoreply define mactime_enable_disable +{ + u32 client_index; /**< client index, from api_main */ + u32 context; /**< application context */ + u8 enable_disable; /**< enable=1, disable=0 */ + u32 sw_if_index; /**< the interface handle */ +}; + +/** \brief a time range structure + * times are in double-precision fp seconds since 1/1/1970, + * which was a Thursday. + */ +typeonly define time_range +{ + f64 start; /**< start of the time range */ + f64 end; /**< end of the time range */ +}; + +/** \brief configure per src-mac time ranges + * + * Usage: + * to create a static allow entry: + * set mac_address, device_name, is_add=1, and allow=1. + * + * to create a static drop entry: + * set mac_address, device_name, is_add=1, and drop=1. + * + * to create a (time-range-based) dynamic allow entry: + * set mac_address, device_name, is_add=1, set allow=1. + * set count = number of ranges + * set each range start/end in seconds since Sunday began + * As in: start/end >= 0.0 && start/end < 7.0 *86400.0 + * + * to create a (time-range-based) dynamic drop entry: + * Same procedure to create a dynamic allow entry, + * set drop=1 instead of allow=1 + * + * to delete a per src-mac entry (of any kind) + * set mac_address, is_add=0 + * note: deletes all ranges. + * + * See mactime_test.c:api_mactime_add_del_range(...) for + * a working example. + */ + +autoreply define mactime_add_del_range +{ + u32 client_index; /**< client index, from api_main */ + u32 context; /**< application context */ + u8 is_add; /**< add=1, del=0 */ + u8 drop; /**< drop flag */ + u8 allow; /**< allow flag */ + u8 mac_address[6]; /**< src mac address */ + u8 device_name[64]; /**< device name */ + u32 count; /**< number of time ranges to follow */ + /** time ranges, in seconds since Sunday began */ + vl_api_time_range_t ranges[count]; +}; + +/* + * Local Variables: + * eval: (c-set-style "gnu") + * End: + */ diff --git a/src/plugins/mactime/mactime.c b/src/plugins/mactime/mactime.c new file mode 100644 index 00000000000..d442d3ec08c --- /dev/null +++ b/src/plugins/mactime/mactime.c @@ -0,0 +1,533 @@ +/* + * mactime.c - time-based src mac address filtration + * + * Copyright (c) 2018 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include +#include +#include + +#include +#include +#include + +/* define message IDs */ +#include + +/* define message structures */ +#define vl_typedefs +#include +#undef vl_typedefs + +/* define generated endian-swappers */ +#define vl_endianfun +#include +#undef vl_endianfun + +/* instantiate all the print functions we know about */ +#define vl_print(handle, ...) vlib_cli_output (handle, __VA_ARGS__) +#define vl_printfun +#include +#undef vl_printfun + +/* Get the API version number */ +#define vl_api_version(n,v) static u32 api_version=(v); +#include +#undef vl_api_version + +#define REPLY_MSG_ID_BASE mm->msg_id_base +#include + +mactime_main_t mactime_main; + +/** \file time-base src-mac filter device-input feature arc implementation + */ + +/* List of message types that this plugin understands */ + +#define foreach_mactime_plugin_api_msg \ +_(MACTIME_ENABLE_DISABLE, mactime_enable_disable) \ +_(MACTIME_ADD_DEL_RANGE, mactime_add_del_range) + +static void +feature_init (mactime_main_t * mm) +{ + if (mm->feature_initialized == 0) + { + /* Create the lookup table */ + clib_bihash_init_8_8 (&mm->lookup_table, "mactime lookup table", + mm->lookup_table_num_buckets, + mm->lookup_table_memory_size); + clib_timebase_init (&mm->timebase, mm->timezone_offset, + CLIB_TIMEBASE_DAYLIGHT_USA); + mm->allow_counters.name = "allow"; + mm->allow_counters.stat_segment_name = "/mactime/allow"; + mm->drop_counters.name = "drop"; + mm->drop_counters.stat_segment_name = "/mactime/drop"; + mm->feature_initialized = 1; + } +} + +/** Action function shared between message handler and debug CLI +*/ +int +mactime_enable_disable (mactime_main_t * mm, u32 sw_if_index, + int enable_disable) +{ + vnet_sw_interface_t *sw; + int rv = 0; + + feature_init (mm); + + /* Utterly wrong? */ + if (pool_is_free_index (mm->vnet_main->interface_main.sw_interfaces, + sw_if_index)) + return VNET_API_ERROR_INVALID_SW_IF_INDEX; + + /* Not a physical port? */ + sw = vnet_get_sw_interface (mm->vnet_main, sw_if_index); + if (sw->type != VNET_SW_INTERFACE_TYPE_HARDWARE) + return VNET_API_ERROR_INVALID_SW_IF_INDEX; + + vnet_feature_enable_disable ("device-input", "mactime", + sw_if_index, enable_disable, 0, 0); + return rv; +} + +static clib_error_t * +mactime_enable_disable_command_fn (vlib_main_t * vm, + unformat_input_t * input, + vlib_cli_command_t * cmd) +{ + mactime_main_t *mm = &mactime_main; + u32 sw_if_index = ~0; + int enable_disable = 1; + + int rv; + + while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT) + { + if (unformat (input, "disable")) + enable_disable = 0; + else if (unformat (input, "%U", unformat_vnet_sw_interface, + mm->vnet_main, &sw_if_index)) + ; + else + break; + } + + if (sw_if_index == ~0) + return clib_error_return (0, "Please specify an interface..."); + + rv = mactime_enable_disable (mm, sw_if_index, enable_disable); + + switch (rv) + { + case 0: + break; + + case VNET_API_ERROR_INVALID_SW_IF_INDEX: + return clib_error_return + (0, "Invalid interface, only works on physical ports"); + break; + + case VNET_API_ERROR_UNIMPLEMENTED: + return clib_error_return (0, + "Device driver doesn't support redirection"); + break; + + default: + return clib_error_return (0, "mactime_enable_disable returned %d", rv); + } + return 0; +} + +/* *INDENT-OFF* */ +VLIB_CLI_COMMAND (mactime_enable_disable_command, static) = +{ + .path = "mactime enable-disable", + .short_help = + "mactime enable-disable [disable]", + .function = mactime_enable_disable_command_fn, +}; +/* *INDENT-ON* */ + + +/** Enable / disable time-base src mac filtration on an interface + */ + +static void vl_api_mactime_enable_disable_t_handler + (vl_api_mactime_enable_disable_t * mp) +{ + vl_api_mactime_enable_disable_reply_t *rmp; + mactime_main_t *mm = &mactime_main; + int rv; + + rv = mactime_enable_disable (mm, ntohl (mp->sw_if_index), + (int) (mp->enable_disable)); + + REPLY_MACRO (VL_API_MACTIME_ENABLE_DISABLE_REPLY); +} + +/** Add or delete static / dynamic accept/drop configuration for a src mac + */ + +static void vl_api_mactime_add_del_range_t_handler + (vl_api_mactime_add_del_range_t * mp) +{ + mactime_main_t *mm = &mactime_main; + vl_api_mactime_add_del_range_reply_t *rmp; + mactime_device_t *dp; + clib_bihash_kv_8_8_t kv; + int found = 1; + clib_bihash_8_8_t *lut = &mm->lookup_table; + int i, rv = 0; + + feature_init (mm); + + memset (&kv, 0, sizeof (kv)); + memcpy (&kv.key, mp->mac_address, sizeof (mp->mac_address)); + + /* See if we have a lookup table entry for this src mac address */ + if (clib_bihash_search_8_8 (lut, &kv, &kv) < 0) + found = 0; + + /* Add an entry? */ + if (mp->is_add) + { + /* Create the device entry? */ + if (found == 0) + { + pool_get (mm->devices, dp); + memset (dp, 0, sizeof (*dp)); + vlib_validate_simple_counter (&mm->allow_counters, + dp - mm->devices); + vlib_zero_simple_counter (&mm->allow_counters, dp - mm->devices); + vlib_validate_simple_counter (&mm->drop_counters, dp - mm->devices); + vlib_zero_simple_counter (&mm->drop_counters, dp - mm->devices); + mp->device_name[ARRAY_LEN (mp->device_name) - 1] = 0; + dp->device_name = format (0, "%s", mp->device_name); + memcpy (dp->mac_address, mp->mac_address, sizeof (mp->mac_address)); + for (i = 0; i < clib_net_to_host_u32 (mp->count); i++) + { + clib_timebase_range_t _r, *r = &_r; + r->start = mp->ranges[i].start; + r->end = mp->ranges[i].end; + vec_add1 (dp->ranges, r[0]); + } + /* If we found some time ranges */ + if (i) + { + /* Set allow/drop based on msg flags */ + if (mp->drop) + dp->flags = MACTIME_DEVICE_FLAG_DYNAMIC_DROP; + if (mp->allow) + dp->flags = MACTIME_DEVICE_FLAG_DYNAMIC_ALLOW; + } + else + { + /* no ranges, it's a static allow/drop */ + if (mp->drop) + dp->flags = MACTIME_DEVICE_FLAG_STATIC_DROP; + if (mp->allow) + dp->flags = MACTIME_DEVICE_FLAG_STATIC_ALLOW; + } + + /* Add the hash table entry */ + kv.value = dp - mm->devices; + clib_bihash_add_del_8_8 (lut, &kv, 1 /* is_add */ ); + } + else /* add more ranges */ + { + dp = pool_elt_at_index (mm->devices, kv.value); + for (i = 0; i < clib_net_to_host_u32 (mp->count); i++) + { + clib_timebase_range_t _r, *r = &_r; + r->start = mp->ranges[i].start; + r->end = mp->ranges[i].end; + vec_add1 (dp->ranges, r[0]); + } + } + } + else /* delete case */ + { + if (found == 0) + { + rv = VNET_API_ERROR_NO_SUCH_ENTRY; + goto reply; + } + + /* find the device entry */ + dp = pool_elt_at_index (mm->devices, kv.value); + + /* Remove it from the lookup table */ + clib_bihash_add_del_8_8 (lut, &kv, 0 /* is_add */ ); + vec_free (dp->ranges); + pool_put (mm->devices, dp); + } + +reply: + REPLY_MACRO (VL_API_MACTIME_ADD_DEL_RANGE_REPLY); +} + +/* Set up the API message handling tables */ +static clib_error_t * +mactime_plugin_api_hookup (vlib_main_t * vm) +{ + mactime_main_t *mm = &mactime_main; +#define _(N,n) \ + vl_msg_api_set_handlers((VL_API_##N + mm->msg_id_base), \ + #n, \ + vl_api_##n##_t_handler, \ + vl_noop_handler, \ + vl_api_##n##_t_endian, \ + vl_api_##n##_t_print, \ + sizeof(vl_api_##n##_t), 1); + foreach_mactime_plugin_api_msg; +#undef _ + + return 0; +} + +#define vl_msg_name_crc_list +#include +#undef vl_msg_name_crc_list + +static void +setup_message_id_table (mactime_main_t * mm, api_main_t * am) +{ +#define _(id,n,crc) vl_msg_api_add_msg_name_crc (am, #n #crc, id + mm->msg_id_base); + foreach_vl_msg_name_crc_mactime; +#undef _ +} + +static clib_error_t * +mactime_init (vlib_main_t * vm) +{ + mactime_main_t *mm = &mactime_main; + clib_error_t *error = 0; + u8 *name; + + mm->vlib_main = vm; + mm->vnet_main = vnet_get_main (); + + name = format (0, "mactime_%08x%c", api_version, 0); + + /* Ask for a correctly-sized block of API message decode slots */ + mm->msg_id_base = vl_msg_api_get_msg_ids + ((char *) name, VL_MSG_FIRST_AVAILABLE); + + error = mactime_plugin_api_hookup (vm); + + /* Add our API messages to the global name_crc hash table */ + setup_message_id_table (mm, &api_main); + + vec_free (name); + + mm->lookup_table_num_buckets = MACTIME_NUM_BUCKETS; + mm->lookup_table_memory_size = MACTIME_MEMORY_SIZE; + mm->timezone_offset = -5; /* US EST / EDT */ + return error; +} + +VLIB_INIT_FUNCTION (mactime_init); + +static clib_error_t * +mactime_config (vlib_main_t * vm, unformat_input_t * input) +{ + mactime_main_t *mm = &mactime_main; + + while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT) + { + if (unformat (input, "lookup-table-buckets %u", + &mm->lookup_table_num_buckets)) + ; + else if (unformat (input, "lookup-table-memory %U", + unformat_memory_size, &mm->lookup_table_memory_size)) + ; + else if (unformat (input, "timezone_offset %d", &mm->timezone_offset)) + ; + else + { + return clib_error_return (0, "unknown input '%U'", + format_unformat_error, input); + } + } + return 0; +} + +VLIB_CONFIG_FUNCTION (mactime_config, "mactime"); + +/* *INDENT-OFF* */ +VNET_FEATURE_INIT (mactime, static) = +{ + .arc_name = "device-input", + .node_name = "mactime", + .runs_before = VNET_FEATURES ("ethernet-input"), +}; +/* *INDENT-ON */ + +/* *INDENT-OFF* */ +VLIB_PLUGIN_REGISTER () = +{ + .version = VPP_BUILD_VER, + .description = "Time-based MAC source-address filter", +}; +/* *INDENT-ON* */ + +static u8 * +format_mac_address (u8 * s, va_list * args) +{ + u8 *a = va_arg (*args, u8 *); + return format (s, "%02x:%02x:%02x:%02x:%02x:%02x", + a[0], a[1], a[2], a[3], a[4], a[5]); +} + +static clib_error_t * +show_mactime_command_fn (vlib_main_t * vm, + unformat_input_t * input, vlib_cli_command_t * cmd) +{ + mactime_main_t *mm = &mactime_main; + mactime_device_t *dp; + u8 *macstring = 0; + char *status_string; + u32 *pool_indices = 0; + int verbose = 0; + int current_status = 99; + int i; + f64 now; + u64 allow, drop; + + now = clib_timebase_now (&mm->timebase); + + if (PREDICT_FALSE ((now - mm->sunday_midnight) > 86400.0 * 7.0)) + mm->sunday_midnight = clib_timebase_find_sunday_midnight (now); + + if (unformat (input, "verbose %d", &verbose)) + ; + + if (unformat (input, "verbose")) + verbose = 1; + + if (verbose) + vlib_cli_output (vm, "Time now: %U", format_clib_timebase_time, now); + + /* *INDENT-OFF* */ + pool_foreach (dp, mm->devices, + ({ + vec_add1 (pool_indices, dp - mm->devices); + })); + /* *INDENT-ON* */ + + vlib_cli_output (vm, "%-15s %20s %16s %10s %10s", + "Device Name", "MAC address", "Current Status", "Allow", + "Drop"); + + for (i = 0; i < vec_len (pool_indices); i++) + { + dp = pool_elt_at_index (mm->devices, pool_indices[i]); + + /* Check dynamic ranges */ + for (i = 0; i < vec_len (dp->ranges); i++) + { + clib_timebase_range_t *r = dp->ranges + i; + f64 start0, end0; + + start0 = r->start + mm->sunday_midnight; + end0 = r->end + mm->sunday_midnight; + if (verbose > 1) + vlib_cli_output (vm, " Range %d: %U - %U", i, + format_clib_timebase_time, start0, + format_clib_timebase_time, end0); + + if (now >= start0 && now <= end0) + { + if (dp->flags & MACTIME_DEVICE_FLAG_DYNAMIC_ALLOW) + current_status = 3; + else + current_status = 2; + if (verbose) + { + vlib_cli_output (vm, " Time in range %d:", i); + vlib_cli_output (vm, " %U - %U", + format_clib_timebase_time, start0, + format_clib_timebase_time, end0); + } + goto print; + } + } + if (verbose && i) + vlib_cli_output (vm, " No range match."); + if (dp->flags & MACTIME_DEVICE_FLAG_STATIC_DROP) + current_status = 0; + if (dp->flags & MACTIME_DEVICE_FLAG_STATIC_ALLOW) + current_status = 1; + if (dp->flags & MACTIME_DEVICE_FLAG_DYNAMIC_ALLOW) + current_status = 2; + if (dp->flags & MACTIME_DEVICE_FLAG_DYNAMIC_DROP) + current_status = 3; + + print: + vec_reset_length (macstring); + macstring = format (0, "%U", format_mac_address, dp->mac_address); + switch (current_status) + { + case 0: + status_string = "static drop"; + break; + case 1: + status_string = "static allow"; + break; + case 2: + status_string = "dynamic drop"; + break; + case 3: + status_string = "dynamic allow"; + break; + default: + status_string = "code bug!"; + break; + } + allow = vlib_get_simple_counter (&mm->allow_counters, dp - mm->devices); + drop = vlib_get_simple_counter (&mm->drop_counters, dp - mm->devices); + vlib_cli_output (vm, "%-15s %20s %16s %10lld %10lld", + dp->device_name, macstring, status_string, + allow, drop); + } + + vec_free (macstring); + vec_free (pool_indices); + + return 0; +} + +/* *INDENT-OFF* */ +VLIB_CLI_COMMAND (show_mactime_command, static) = +{ + .path = "show mactime", + .short_help = "show mactime [verbose]", + .function = show_mactime_command_fn, +}; +/* *INDENT-ON* */ + + + +/* + * fd.io coding-style-patch-verification: ON + * + * Local Variables: + * eval: (c-set-style "gnu") + * End: + */ diff --git a/src/plugins/mactime/mactime.h b/src/plugins/mactime/mactime.h new file mode 100644 index 00000000000..6890ca286c3 --- /dev/null +++ b/src/plugins/mactime/mactime.h @@ -0,0 +1,113 @@ + +/* + * mactime.h - time-based src mac address filtration + * + * Copyright (c) + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#ifndef __included_mactime_h__ +#define __included_mactime_h__ + +#include +#include +#include +#include + +#include +#include +#include +#include + +#define MACTIME_RANGE_TYPE_DROP 0 +#define MACTIME_RANGE_TYPE_ALLOW 1 + +typedef struct +{ + u8 *device_name; + u8 mac_address[6]; + u32 flags; + clib_timebase_range_t *ranges; +} mactime_device_t; + +/** Always drop packets from this device */ +#define MACTIME_DEVICE_FLAG_STATIC_DROP (1<<0) +#define MACTIME_DEVICE_FLAG_STATIC_ALLOW (1<<1) +#define MACTIME_DEVICE_FLAG_DYNAMIC_DROP (1<<2) +#define MACTIME_DEVICE_FLAG_DYNAMIC_ALLOW (1<<3) + +typedef struct +{ + union + { + u8 mac_address[6]; + u64 as_u64; + }; +} mactime_key_t; + +typedef struct +{ + /* API message ID base */ + u16 msg_id_base; + + /* Timebase */ + clib_timebase_t timebase; + + /* cached sunday midnight */ + f64 sunday_midnight; + + /* Lookup table */ + clib_bihash_8_8_t lookup_table; + + /* Device table */ + mactime_device_t *devices; + + /* Counters */ + vlib_simple_counter_main_t allow_counters; + vlib_simple_counter_main_t drop_counters; + + /* config parameters */ + u32 lookup_table_num_buckets; + uword lookup_table_memory_size; + i32 timezone_offset; + + /* Once-only data structure create flag */ + int feature_initialized; + + /* convenience */ + vlib_main_t *vlib_main; + vnet_main_t *vnet_main; + ethernet_main_t *ethernet_main; +} mactime_main_t; + +/* size for an hgw use-case */ +#define MACTIME_NUM_BUCKETS 128 +#define MACTIME_MEMORY_SIZE (256<<10) + +extern mactime_main_t mactime_main; + +extern vlib_node_registration_t mactime_node; + +/* Periodic function events */ +#define MACTIME_EVENT1 1 +#define MACTIME_EVENT2 2 +#define MACTIME_EVENT_PERIODIC_ENABLE_DISABLE 3 + +#endif /* __included_mactime_h__ */ + +/* + * fd.io coding-style-patch-verification: ON + * + * Local Variables: + * eval: (c-set-style "gnu") + * End: + */ diff --git a/src/plugins/mactime/mactime_all_api_h.h b/src/plugins/mactime/mactime_all_api_h.h new file mode 100644 index 00000000000..f3bd6731ecb --- /dev/null +++ b/src/plugins/mactime/mactime_all_api_h.h @@ -0,0 +1,19 @@ + +/* + * mactime_all_api_h.h - skeleton vpp engine plug-in api #include file + * + * Copyright (c) + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +/* Include the generated file, see BUILT_SOURCES in Makefile.am */ +#include diff --git a/src/plugins/mactime/mactime_msg_enum.h b/src/plugins/mactime/mactime_msg_enum.h new file mode 100644 index 00000000000..2a2bc81139a --- /dev/null +++ b/src/plugins/mactime/mactime_msg_enum.h @@ -0,0 +1,31 @@ + +/* + * mactime_msg_enum.h - skeleton vpp engine plug-in message enumeration + * + * Copyright (c) + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#ifndef included_mactime_msg_enum_h +#define included_mactime_msg_enum_h + +#include + +#define vl_msg_id(n,h) n, +typedef enum { +#include + /* We'll want to know how many messages IDs we need... */ + VL_MSG_FIRST_AVAILABLE, +} vl_msg_id_t; +#undef vl_msg_id + +#endif /* included_mactime_msg_enum_h */ diff --git a/src/plugins/mactime/mactime_test.c b/src/plugins/mactime/mactime_test.c new file mode 100644 index 00000000000..9ba28da2fc3 --- /dev/null +++ b/src/plugins/mactime/mactime_test.c @@ -0,0 +1,311 @@ +/* + * mactime.c - skeleton vpp-api-test plug-in + * + * Copyright (c) + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#include +#include +#include +#include +#include + +uword vat_unformat_sw_if_index (unformat_input_t * input, va_list * args); + +/* Declare message IDs */ +#include + +/* define message structures */ +#define vl_typedefs +#include +#undef vl_typedefs + +/* declare message handlers for each api */ + +#define vl_endianfun /* define message structures */ +#include +#undef vl_endianfun + +/* instantiate all the print functions we know about */ +#define vl_print(handle, ...) +#define vl_printfun +#include +#undef vl_printfun + +/* Get the API version number. */ +#define vl_api_version(n,v) static u32 api_version=(v); +#include +#undef vl_api_version + +typedef struct +{ + /* API message ID base */ + u16 msg_id_base; + vat_main_t *vat_main; +} mactime_test_main_t; + +mactime_test_main_t mactime_test_main; + +#define __plugin_msg_base mactime_test_main.msg_id_base +#include + +#define foreach_standard_reply_retval_handler \ +_(mactime_enable_disable_reply) \ +_(mactime_add_del_range_reply) + +#define _(n) \ + static void vl_api_##n##_t_handler \ + (vl_api_##n##_t * mp) \ + { \ + vat_main_t * vam = mactime_test_main.vat_main; \ + i32 retval = ntohl(mp->retval); \ + if (vam->async_mode) { \ + vam->async_errors += (retval < 0); \ + } else { \ + vam->retval = retval; \ + vam->result_ready = 1; \ + } \ + } +foreach_standard_reply_retval_handler; +#undef _ + +static u8 * +format_mac_address (u8 * s, va_list * args) +{ + u8 *a = va_arg (*args, u8 *); + return format (s, "%02x:%02x:%02x:%02x:%02x:%02x", + a[0], a[1], a[2], a[3], a[4], a[5]); +} + +static uword +unformat_mac_address (unformat_input_t * input, va_list * args) +{ + u8 *a = va_arg (*args, u8 *); + return unformat (input, "%x:%x:%x:%x:%x:%x", &a[0], &a[1], &a[2], &a[3], + &a[4], &a[5]); +} + +/* + * Table of message reply handlers, must include boilerplate handlers + * we just generated + */ +#define foreach_vpe_api_reply_msg \ +_(MACTIME_ENABLE_DISABLE_REPLY, mactime_enable_disable_reply) \ +_(MACTIME_ADD_DEL_RANGE_REPLY, mactime_add_del_range_reply) + +static int +api_mactime_enable_disable (vat_main_t * vam) +{ + unformat_input_t *i = vam->input; + int enable_disable = 1; + u32 sw_if_index = ~0; + vl_api_mactime_enable_disable_t *mp; + int ret; + + /* Parse args required to build the message */ + while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) + { + if (unformat (i, "%U", unformat_sw_if_index, vam, &sw_if_index)) + ; + else if (unformat (i, "sw_if_index %d", &sw_if_index)) + ; + else if (unformat (i, "disable")) + enable_disable = 0; + else + break; + } + + if (sw_if_index == ~0) + { + errmsg ("missing interface name / explicit sw_if_index number \n"); + return -99; + } + + /* Construct the API message */ + M (MACTIME_ENABLE_DISABLE, mp); + mp->sw_if_index = ntohl (sw_if_index); + mp->enable_disable = enable_disable; + + /* send it... */ + S (mp); + + /* Wait for a reply... */ + W (ret); + return ret; +} + +static int +api_mactime_add_del_range (vat_main_t * vam) +{ + unformat_input_t *i = vam->input; + vl_api_mactime_add_del_range_t *mp; + u8 mac_address[8]; + u8 *device_name = 0; + clib_timebase_range_t *rp = 0; + int name_set = 0; + int mac_set = 0; + u8 is_add = 1; + u8 allow = 0; + u8 drop = 0; + int ret; + int ii; + + /* Parse args required to build the message */ + while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) + { + if (unformat (i, "name %s", &device_name)) + { + vec_add1 (device_name, 0); + name_set = 1; + } + else if (unformat (i, "allow-range %U", + unformat_clib_timebase_range_vector, &rp)) + allow = 1; + else if (unformat (i, "drop-range %U", + unformat_clib_timebase_range_vector, &rp)) + drop = 1; + else if (unformat (i, "allow-static")) + allow = 1; + else if (unformat (i, "drop-static")) + drop = 1; + else if (unformat (i, "mac %U", unformat_mac_address, mac_address)) + mac_set = 1; + else if (unformat (i, "del")) + is_add = 0; + else + break; + } + + /* Sanity checks */ + if (mac_set == 0) + { + vec_free (rp); + vec_free (device_name); + errmsg ("mac address required, not set\n"); + return -99; + } + + /* allow-range / drop-range parse errors cause this condition */ + if (is_add && allow == 0 && drop == 0) + { + vec_free (rp); + vec_free (device_name); + errmsg ("neither allow nor drop set, parse error...\n"); + } + + /* Unlikely, but check anyhow */ + if (vec_len (device_name) > ARRAY_LEN (mp->device_name)) + { + vec_free (rp); + vec_free (device_name); + errmsg ("device name too long, max %d\n", ARRAY_LEN (mp->device_name)); + return -99; + } + + /* Cough up a device name if none set */ + if (name_set == 0) + { + device_name = format (0, "mac %U%c", format_mac_address, + mac_address, 0); + } + + /* Construct the API message */ + M2 (MACTIME_ADD_DEL_RANGE, mp, sizeof (rp[0]) * vec_len (rp)); + mp->is_add = is_add; + mp->drop = drop; + mp->allow = allow; + memcpy (mp->mac_address, mac_address, sizeof (mp->mac_address)); + memcpy (mp->device_name, device_name, vec_len (device_name)); + mp->count = clib_host_to_net_u32 (vec_len (rp)); + + for (ii = 0; ii < vec_len (rp); ii++) + { + mp->ranges[ii].start = rp[ii].start; + mp->ranges[ii].end = rp[ii].end; + } + + vec_free (rp); + vec_free (device_name); + + /* send it... */ + S (mp); + + /* Wait for a reply... */ + W (ret); + return ret; +} + +/* + * List of messages that the api test plugin sends, + * and that the data plane plugin processes + */ +#define foreach_vpe_api_msg \ +_(mactime_enable_disable, " [disable]") \ +_(mactime_add_del_range, \ + "name mac allow drop\n" \ + "allow-range Mon - Fri 9:00 - 17:00") + +static void +mactime_api_hookup (vat_main_t * vam) +{ + mactime_test_main_t *sm = &mactime_test_main; + /* Hook up handlers for replies from the data plane plug-in */ +#define _(N,n) \ + vl_msg_api_set_handlers((VL_API_##N + sm->msg_id_base), \ + #n, \ + vl_api_##n##_t_handler, \ + vl_noop_handler, \ + vl_api_##n##_t_endian, \ + vl_api_##n##_t_print, \ + sizeof(vl_api_##n##_t), 1); + foreach_vpe_api_reply_msg; +#undef _ + + /* API messages we can send */ +#define _(n,h) hash_set_mem (vam->function_by_name, #n, api_##n); + foreach_vpe_api_msg; +#undef _ + + /* Help strings */ +#define _(n,h) hash_set_mem (vam->help_by_name, #n, h); + foreach_vpe_api_msg; +#undef _ +} + +clib_error_t * +vat_plugin_register (vat_main_t * vam) +{ + mactime_test_main_t *sm = &mactime_test_main; + u8 *name; + + sm->vat_main = vam; + + /* Ask the vpp engine for the first assigned message-id */ + name = format (0, "mactime_%08x%c", api_version, 0); + sm->msg_id_base = vl_client_get_first_plugin_msg_id ((char *) name); + + if (sm->msg_id_base != (u16) ~ 0) + mactime_api_hookup (vam); + + vec_free (name); + + return 0; +} + +/* + * fd.io coding-style-patch-verification: ON + * + * Local Variables: + * eval: (c-set-style "gnu") + * End: + */ diff --git a/src/plugins/mactime/node.c b/src/plugins/mactime/node.c new file mode 100644 index 00000000000..b112a7251cf --- /dev/null +++ b/src/plugins/mactime/node.c @@ -0,0 +1,363 @@ +/* + * node.c - skeleton vpp engine plug-in dual-loop node skeleton + * + * Copyright (c) + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#include +#include +#include +#include +#include + +typedef struct +{ + u32 next_index; + u32 device_index; + u8 src_mac[6]; + u8 device_name[64]; +} mactime_trace_t; + +static u8 * +format_mac_address (u8 * s, va_list * args) +{ + u8 *a = va_arg (*args, u8 *); + return format (s, "%02x:%02x:%02x:%02x:%02x:%02x", + a[0], a[1], a[2], a[3], a[4], a[5]); +} + +vlib_node_registration_t mactime_node; + +#define foreach_mactime_error \ +_(DROP, "Dropped packets") \ +_(OK, "Permitted packets") + +typedef enum +{ +#define _(sym,str) MACTIME_ERROR_##sym, + foreach_mactime_error +#undef _ + MACTIME_N_ERROR, +} mactime_error_t; + +static char *mactime_error_strings[] = { +#define _(sym,string) string, + foreach_mactime_error +#undef _ +}; + +typedef enum +{ + MACTIME_NEXT_ETHERNET_INPUT, + MACTIME_NEXT_DROP, + MACTIME_N_NEXT, +} mactime_next_t; + +/* packet trace format function */ +static u8 * +format_mactime_trace (u8 * s, va_list * args) +{ + CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *); + CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *); + mactime_trace_t *t = va_arg (*args, mactime_trace_t *); + + s = format (s, "MACTIME: src mac %U device %s result %s\n", + format_mac_address, t->src_mac, + (t->device_index != ~0) ? t->device_name : (u8 *) "unknown", + t->next_index == MACTIME_NEXT_ETHERNET_INPUT ? "pass" : "drop"); + return s; +} + +static uword +mactime_node_fn (vlib_main_t * vm, + vlib_node_runtime_t * node, vlib_frame_t * frame) +{ + u32 n_left_from, *from, *to_next; + mactime_next_t next_index; + mactime_main_t *mm = &mactime_main; + mactime_device_t *dp; + clib_bihash_kv_8_8_t kv; + clib_bihash_8_8_t *lut = &mm->lookup_table; + u32 packets_ok = 0, packets_dropped = 0; + f64 now; + u32 thread_index = vm->thread_index; + + now = clib_timebase_now (&mm->timebase); + + if (PREDICT_FALSE ((now - mm->sunday_midnight) > 86400.0 * 7.0)) + mm->sunday_midnight = clib_timebase_find_sunday_midnight (now); + + from = vlib_frame_vector_args (frame); + n_left_from = frame->n_vectors; + next_index = node->cached_next_index; + + while (n_left_from > 0) + { + u32 n_left_to_next; + + vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next); + +#if 0 + while (n_left_from >= 4 && n_left_to_next >= 2) + { + u32 next0 = MACTIME_NEXT_INTERFACE_OUTPUT; + u32 next1 = MACTIME_NEXT_INTERFACE_OUTPUT; + u32 sw_if_index0, sw_if_index1; + u8 tmp0[6], tmp1[6]; + ethernet_header_t *en0, *en1; + u32 bi0, bi1; + vlib_buffer_t *b0, *b1; + + /* Prefetch next iteration. */ + { + vlib_buffer_t *p2, *p3; + + p2 = vlib_get_buffer (vm, from[2]); + p3 = vlib_get_buffer (vm, from[3]); + + vlib_prefetch_buffer_header (p2, LOAD); + vlib_prefetch_buffer_header (p3, LOAD); + + CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE); + CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE); + } + + /* speculatively enqueue b0 and b1 to the current next frame */ + to_next[0] = bi0 = from[0]; + to_next[1] = bi1 = from[1]; + from += 2; + to_next += 2; + n_left_from -= 2; + n_left_to_next -= 2; + + b0 = vlib_get_buffer (vm, bi0); + b1 = vlib_get_buffer (vm, bi1); + + ASSERT (b0->current_data == 0); + ASSERT (b1->current_data == 0); + + en0 = vlib_buffer_get_current (b0); + en1 = vlib_buffer_get_current (b1); + + sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX]; + sw_if_index1 = vnet_buffer (b1)->sw_if_index[VLIB_RX]; + + /* Send pkt back out the RX interface */ + vnet_buffer (b0)->sw_if_index[VLIB_TX] = sw_if_index0; + vnet_buffer (b1)->sw_if_index[VLIB_TX] = sw_if_index1; + + if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE))) + { + if (b0->flags & VLIB_BUFFER_IS_TRACED) + { + mactime_trace_t *t = + vlib_add_trace (vm, node, b0, sizeof (*t)); + t->sw_if_index = sw_if_index0; + t->next_index = next0; + clib_memcpy (t->new_src_mac, en0->src_address, + sizeof (t->new_src_mac)); + clib_memcpy (t->new_dst_mac, en0->dst_address, + sizeof (t->new_dst_mac)); + } + if (b1->flags & VLIB_BUFFER_IS_TRACED) + { + mactime_trace_t *t = + vlib_add_trace (vm, node, b1, sizeof (*t)); + t->sw_if_index = sw_if_index1; + t->next_index = next1; + clib_memcpy (t->new_src_mac, en1->src_address, + sizeof (t->new_src_mac)); + clib_memcpy (t->new_dst_mac, en1->dst_address, + sizeof (t->new_dst_mac)); + } + } + + /* verify speculative enqueues, maybe switch current next frame */ + vlib_validate_buffer_enqueue_x2 (vm, node, next_index, + to_next, n_left_to_next, + bi0, bi1, next0, next1); + } +#endif /* dual loop */ + + while (n_left_from > 0 && n_left_to_next > 0) + { + u32 bi0; + vlib_buffer_t *b0; + u32 next0 = MACTIME_NEXT_ETHERNET_INPUT; + u32 device_index0; + ethernet_header_t *en0; + int i; + + /* speculatively enqueue b0 to the current next frame */ + bi0 = from[0]; + to_next[0] = bi0; + from += 1; + to_next += 1; + n_left_from -= 1; + n_left_to_next -= 1; + + b0 = vlib_get_buffer (vm, bi0); + + vlib_buffer_advance (b0, -(word) vnet_buffer (b0)->l2_hdr_offset); + + en0 = vlib_buffer_get_current (b0); + kv.key = 0; + clib_memcpy (&kv.key, en0->src_address, 6); + + + /* Lookup the src mac address */ + if (clib_bihash_search_8_8 (lut, &kv, &kv) < 0) + { + device_index0 = ~0; + dp = 0; + goto trace0; + } + else + device_index0 = kv.value; + + dp = pool_elt_at_index (mm->devices, device_index0); + + /* Static drop / allow? */ + if (PREDICT_FALSE + (dp->flags & + (MACTIME_DEVICE_FLAG_STATIC_DROP + | MACTIME_DEVICE_FLAG_STATIC_ALLOW))) + { + if (dp->flags & MACTIME_DEVICE_FLAG_STATIC_DROP) + { + next0 = MACTIME_NEXT_DROP; + vlib_increment_simple_counter + (&mm->drop_counters, thread_index, dp - mm->devices, 1); + packets_dropped++; + } + else /* note next0 set to allow */ + { + vlib_increment_simple_counter + (&mm->allow_counters, thread_index, dp - mm->devices, 1); + packets_ok++; + } + goto trace0; + } + + /* Known device, see if traffic allowed at the moment */ + for (i = 0; i < vec_len (dp->ranges); i++) + { + clib_timebase_range_t *r = dp->ranges + i; + f64 start0, end0; + + start0 = r->start + mm->sunday_midnight; + end0 = r->end + mm->sunday_midnight; + /* Packet within time range */ + if (now >= start0 && now <= end0) + { + /* And it's a drop range, drop it */ + if (dp->flags & MACTIME_DEVICE_FLAG_DYNAMIC_DROP) + { + vlib_increment_simple_counter + (&mm->drop_counters, thread_index, + dp - mm->devices, 1); + packets_dropped++; + next0 = MACTIME_NEXT_DROP; + } + else /* it's an allow range, allow it */ + { + vlib_increment_simple_counter + (&mm->allow_counters, thread_index, + dp - mm->devices, 1); + packets_ok++; + } + goto trace0; + } + } + /* + * Didn't hit a range, so *drop* if allow configured, or + * *allow* if drop configured. + */ + if (dp->flags & MACTIME_DEVICE_FLAG_DYNAMIC_ALLOW) + { + next0 = MACTIME_NEXT_DROP; + vlib_increment_simple_counter + (&mm->drop_counters, thread_index, dp - mm->devices, 1); + packets_dropped++; + } + else + { + vlib_increment_simple_counter + (&mm->allow_counters, thread_index, dp - mm->devices, 1); + packets_ok++; + } + + trace0: + if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE) + && (b0->flags & VLIB_BUFFER_IS_TRACED))) + { + mactime_trace_t *t = vlib_add_trace (vm, node, b0, sizeof (*t)); + clib_memcpy (t->src_mac, en0->src_address, sizeof (t->src_mac)); + + t->next_index = next0; + t->device_index = device_index0; + + if (dp) + { + clib_memcpy (t->device_name, dp->device_name, + ARRAY_LEN (t->device_name)); + t->device_name[ARRAY_LEN (t->device_name) - 1] = 0; + } + } + + /* verify speculative enqueue, maybe switch current next frame */ + vlib_validate_buffer_enqueue_x1 (vm, node, next_index, + to_next, n_left_to_next, + bi0, next0); + } + + vlib_put_next_frame (vm, node, next_index, n_left_to_next); + } + + vlib_node_increment_counter (vm, mactime_node.index, + MACTIME_ERROR_DROP, packets_dropped); + vlib_node_increment_counter (vm, mactime_node.index, + MACTIME_ERROR_OK, packets_ok); + return frame->n_vectors; +} + +/* *INDENT-OFF* */ +VLIB_REGISTER_NODE (mactime_node) = +{ + .function = mactime_node_fn, + .name = "mactime", + .vector_size = sizeof (u32), + .format_trace = format_mactime_trace, + .type = VLIB_NODE_TYPE_INTERNAL, + + .n_errors = ARRAY_LEN(mactime_error_strings), + .error_strings = mactime_error_strings, + + .n_next_nodes = MACTIME_N_NEXT, + + /* edit / add dispositions here */ + .next_nodes = + { + [MACTIME_NEXT_ETHERNET_INPUT] = "ethernet-input", + [MACTIME_NEXT_DROP] = "error-drop", + }, +}; +/* *INDENT-ON* */ + +/* + * fd.io coding-style-patch-verification: ON + * + * Local Variables: + * eval: (c-set-style "gnu") + * End: + */ diff --git a/src/vpp/api/api_main.c b/src/vpp/api/api_main.c index f8805714202..0e05d3ed78e 100644 --- a/src/vpp/api/api_main.c +++ b/src/vpp/api/api_main.c @@ -276,6 +276,7 @@ vl_client_get_first_plugin_msg_id (const char *plugin_name) uword unformat_sw_if_index (unformat_input_t * input, va_list * args) { + void *vam_unused = va_arg (*args, void *); u32 *result = va_arg (*args, u32 *); vnet_main_t *vnm = vnet_get_main (); u32 sw_if_index = ~0; -- cgit 1.2.3-korg