From 27518c2ffd0ef75e973a64870da0e3339f39ccce Mon Sep 17 00:00:00 2001 From: Nick Zavaritsky Date: Thu, 27 Feb 2020 15:54:58 +0000 Subject: geneve gtpu vxlan vxlan-gpe: VRF-aware bypass node MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bypass node MUST NOT intercept a packet if destination IP doesn’t match a local address. However IP address interpretation depends on the VRF, hence bypass node must take that into account. This patch also factors-out common VTEP management and checking code. Type: improvement Signed-off-by: Nick Zavaritsky Change-Id: I5665d94882bbf45d15f8da140c7ada528ec7fa94 --- src/vnet/ip/ip.h | 9 ++++ src/vnet/ip/ip4.h | 10 ++++ src/vnet/ip/ip6.h | 10 ++++ src/vnet/ip/vtep.c | 55 +++++++++++++++++++++ src/vnet/ip/vtep.h | 142 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 5 files changed, 226 insertions(+) create mode 100644 src/vnet/ip/vtep.c create mode 100644 src/vnet/ip/vtep.h (limited to 'src/vnet/ip') diff --git a/src/vnet/ip/ip.h b/src/vnet/ip/ip.h index 040e580c3a1..75750c5a192 100644 --- a/src/vnet/ip/ip.h +++ b/src/vnet/ip/ip.h @@ -289,6 +289,15 @@ void ip6_prefix_max_address_host_order (ip6_address_t * ip, u8 plen, void ip6_preflen_to_mask (u8 pref_len, ip6_address_t * mask); u32 ip6_mask_to_preflen (ip6_address_t * mask); +always_inline u32 vlib_buffer_get_ip4_fib_index (vlib_buffer_t * b); +always_inline u32 vlib_buffer_get_ip6_fib_index (vlib_buffer_t * b); +always_inline u32 +vlib_buffer_get_ip_fib_index (vlib_buffer_t * b, u8 is_ip4) +{ + return (is_ip4 ? vlib_buffer_get_ip4_fib_index + : vlib_buffer_get_ip6_fib_index) (b); +} + #endif /* included_ip_main_h */ /* diff --git a/src/vnet/ip/ip4.h b/src/vnet/ip/ip4.h index bed552b982c..7a42510166f 100644 --- a/src/vnet/ip/ip4.h +++ b/src/vnet/ip/ip4.h 
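Review bot: `vlib_buffer_get_ip_fib_index` in ip.h selects its helper through a conditional on function designators, `(is_ip4 ? vlib_buffer_get_ip4_fib_index : vlib_buffer_get_ip6_fib_index) (b)`, which reads as an indirect call and leaves inlining dependent on the compiler folding the conditional first. Writing `return is_ip4 ? vlib_buffer_get_ip4_fib_index (b) : vlib_buffer_get_ip6_fib_index (b);` states the same thing directly. The two forward declarations above it presumably exist because the definitions in ip4.h and ip6.h are not yet visible at this point; the hunk does not show the include order, so a short comment such as `/* defined in ip4.h / ip6.h */` would save the next reader the search. The new function also has no doc comment saying that the result is the FIB (VRF) index the buffer will be looked up in.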
@@ -410,6 +410,16 @@ vlib_buffer_push_ip4 (vlib_main_t * vm, vlib_buffer_t * b, return ih; } + +always_inline u32 +vlib_buffer_get_ip4_fib_index (vlib_buffer_t * b) +{ + u32 fib_index, sw_if_index; + sw_if_index = vnet_buffer (b)->sw_if_index[VLIB_RX]; + fib_index = vnet_buffer (b)->sw_if_index[VLIB_TX]; + return (fib_index == (u32) ~ 0) ? + vec_elt (ip4_main.fib_index_by_sw_if_index, sw_if_index) : fib_index; +} #endif /* included_ip_ip4_h */ /* diff --git a/src/vnet/ip/ip6.h b/src/vnet/ip/ip6.h index 575c6a0eec5..d12756d421b 100644 --- a/src/vnet/ip/ip6.h +++ b/src/vnet/ip/ip6.h @@ -608,6 +608,16 @@ vlib_buffer_push_ip6 (vlib_main_t * vm, vlib_buffer_t * b, 0 /* flow label */ ); } + +always_inline u32 +vlib_buffer_get_ip6_fib_index (vlib_buffer_t * b) +{ + u32 fib_index, sw_if_index; + sw_if_index = vnet_buffer (b)->sw_if_index[VLIB_RX]; + fib_index = vnet_buffer (b)->sw_if_index[VLIB_TX]; + return (fib_index == (u32) ~ 0) ? + vec_elt (ip6_main.fib_index_by_sw_if_index, sw_if_index) : fib_index; +} #endif /* included_ip_ip6_h */ /* diff --git a/src/vnet/ip/vtep.c b/src/vnet/ip/vtep.c new file mode 100644 index 00000000000..d0493f8cd2f --- /dev/null +++ b/src/vnet/ip/vtep.c 
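Review bot: `vlib_buffer_get_ip4_fib_index` carries no comment explaining that `sw_if_index[VLIB_TX]` doubles as an explicit FIB index and that `~0` means "use the table bound to the RX interface". The bypass nodes now base their local-address decision on this value, so the contract should be written down, e.g. `/* FIB index for b: sw_if_index[VLIB_TX] when set, else the table of the RX interface */`. The fallback path indexes `fib_index_by_sw_if_index` with the RX `sw_if_index` through `vec_elt`, which as far as I know performs no bounds check in release images, so the helper relies on every caller passing a buffer whose RX interface is valid and already has a table entry; that precondition is worth stating in the same comment. Both points apply equally to `vlib_buffer_get_ip6_fib_index` in the ip6.h hunk, which is a copy with `ip6_main` substituted.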
@@ -0,0 +1,55 @@
+/*
+ * Copyright (c) 2020 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include
+
+uword
+vtep_addr_ref (vtep_table_t * t, u32 fib_index, ip46_address_t * ip)
+{
+ vtep4_key_t key4 = {.addr = ip->ip4,.fib_index = fib_index };
+ vtep6_key_t key6 = {.addr = ip->ip6,.fib_index = fib_index };
+ uword *vtep = ip46_address_is_ip4 (ip) ?
+ hash_get (t->vtep4, key4.as_u64) : hash_get_mem (t->vtep6, &key6);
+ if (vtep)
+ return ++(*vtep);
+ ip46_address_is_ip4 (ip) ?
+ hash_set (t->vtep4, key4.as_u64, 1) :
+ hash_set_mem_alloc (&t->vtep6, &key6, 1);
+ return 1;
+}
+
+uword
+vtep_addr_unref (vtep_table_t * t, u32 fib_index, ip46_address_t * ip)
+{
+ vtep4_key_t key4 = {.addr = ip->ip4,.fib_index = fib_index };
+ vtep6_key_t key6 = {.addr = ip->ip6,.fib_index = fib_index };
+ uword *vtep = ip46_address_is_ip4 (ip) ?
+ hash_get (t->vtep4, key4.as_u64) : hash_get_mem (t->vtep6, &key6);
+ ALWAYS_ASSERT (vtep);
+ if (--(*vtep) != 0)
+ return *vtep;
+ ip46_address_is_ip4 (ip) ?
+ hash_unset (t->vtep4, key4.as_u64) :
+ hash_unset_mem_free (&t->vtep6, &key6);
+ return 0;
+}
+
+/*
+ * fd.io coding-style-patch-verification: ON
+ *
+ * Local Variables:
+ * eval: (c-set-style "gnu")
+ * End:
+ */
diff --git a/src/vnet/ip/vtep.h b/src/vnet/ip/vtep.h
new file mode 100644
index 00000000000..703ace18dba
--- /dev/null
+++ b/src/vnet/ip/vtep.h
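Review bot: In `vtep_addr_unref` (vtep.c) the `ALWAYS_ASSERT (vtep)` makes an unbalanced unref fatal, and because the key now includes `fib_index`, an unref issued with a different table index than the matching ref would not find the entry. Neither function documents that the `(fib_index, ip)` pair must be identical on both calls, nor that the return value is the reference count after the operation; a doc comment on each, e.g. `/* Drop one reference; the pair must match an earlier vtep_addr_ref(). Returns the remaining count, 0 when the entry was removed. */`, would make that contract visible to the tunnel modules that call it. The `cond ? hash_set (...) : hash_set_mem_alloc (...);` expression statements would read more clearly as `if`/`else`, and `ip` could be `const ip46_address_t *` if the `ip46_address_is_ip4` prototype permits it.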
@@ -0,0 +1,142 @@
+/*
+ * Copyright (c) 2020 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef included_ip_vtep_h
+#define included_ip_vtep_h
+
+#include
+#include
+#include
+#include
+
+/**
+ * @brief Tunnel endpoint key (IPv4)
+ *
+ * Tunnel modules maintain a set of vtep4_key_t-s to track local IP
+ * addresses that have tunnels established. Bypass node consults the
+ * corresponding set to decide whether a packet should bypass normal
+ * processing and go directly to the tunnel protocol handler node.
+ */
+
+/* *INDENT-OFF* */
+typedef CLIB_PACKED
+(struct {
+ union {
+ struct {
+ ip4_address_t addr;
+ u32 fib_index;
+ };
+ u64 as_u64;
+ };
+}) vtep4_key_t;
+/* *INDENT-ON* */
+
+/**
+ * @brief Tunnel endpoint key (IPv6)
+ *
+ * Tunnel modules maintain a set of vtep6_key_t-s to track local IP
+ * addresses that have tunnels established. Bypass node consults the
+ * corresponding set to decide whether a packet should bypass normal
+ * processing and go directly to the tunnel protocol handler node.
+ */
+
+/* *INDENT-OFF* */
+typedef CLIB_PACKED
+(struct {
+ ip6_address_t addr;
+ u32 fib_index;
+}) vtep6_key_t;
+/* *INDENT-ON* */
+
+typedef struct
+{
+ uword *vtep4; /* local ip4 VTEPs keyed on their ip4 addr + fib_index */
+ uword *vtep6; /* local ip6 VTEPs keyed on their ip6 addr + fib_index */
+} vtep_table_t;
+
+always_inline vtep_table_t
+vtep_table_create ()
+{
+ vtep_table_t t = { };
+ t.vtep6 = hash_create_mem (0, sizeof (vtep6_key_t), sizeof (uword));
+ return t;
+}
+
+uword vtep_addr_ref (vtep_table_t * t, u32 fib_index, ip46_address_t * ip);
+uword vtep_addr_unref (vtep_table_t * t, u32 fib_index, ip46_address_t * ip);
+
+always_inline void
+vtep4_key_init (vtep4_key_t * k4)
+{
+ k4->as_u64 = ~((u64) 0);
+}
+
+always_inline void
+vtep6_key_init (vtep6_key_t * k6)
+{
+ ip6_address_set_zero (&k6->addr);
+ k6->fib_index = (u32) ~ 0;
+}
+
+enum
+{
+ VTEP_CHECK_FAIL = 0,
+ VTEP_CHECK_PASS = 1,
+ VTEP_CHECK_PASS_UNCHANGED = 2
+};
+
+always_inline u8
+vtep4_check (vtep_table_t * t, vlib_buffer_t * b0, ip4_header_t * ip40,
+ vtep4_key_t * last_k4)
+{
+ vtep4_key_t k4;
+ k4.addr.as_u32 = ip40->dst_address.as_u32;
+ k4.fib_index = vlib_buffer_get_ip4_fib_index (b0);
+ if (PREDICT_TRUE (k4.as_u64 == last_k4->as_u64))
+ return VTEP_CHECK_PASS_UNCHANGED;
+ if (PREDICT_FALSE (!hash_get (t->vtep4, k4.as_u64)))
+ return VTEP_CHECK_FAIL;
+ last_k4->as_u64 = k4.as_u64;
+ return VTEP_CHECK_PASS;
+}
+
+always_inline u8
+vtep6_check (vtep_table_t * t, vlib_buffer_t * b0, ip6_header_t * ip60,
+ vtep6_key_t * last_k6)
+{
+ vtep6_key_t k6;
+ k6.fib_index = vlib_buffer_get_ip6_fib_index (b0);
+ if (PREDICT_TRUE (k6.fib_index == last_k6->fib_index
+ && ip60->dst_address.as_u64[0] == last_k6->addr.as_u64[0]
+ && ip60->dst_address.as_u64[1] ==
+ last_k6->addr.as_u64[1]))
+ {
+ return VTEP_CHECK_PASS_UNCHANGED;
+ }
+ k6.addr = ip60->dst_address;
+ if (PREDICT_FALSE (!hash_get_mem (t->vtep6, &k6)))
+ return VTEP_CHECK_FAIL;
+ *last_k6 = k6;
+ return VTEP_CHECK_PASS;
+}
+#endif /* included_ip_vtep_h */
+
+/*
+ * fd.io coding-style-patch-verification: ON
+ *
+ * Local Variables:
+ * eval: (c-set-style "gnu")
+ * End:
+ */
-- 
cgit 1.2.3-korg
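Review bot: `vtep4_check` and `vtep6_check` return `VTEP_CHECK_PASS_UNCHANGED` on a match with `*last_k4` / `*last_k6` without consulting the table, so the answer is only as fresh as the cached key, and nothing in vtep.h states how long a caller may keep that key. If a bypass node kept it across a `vtep_addr_unref` that removes the entry, it would go on diverting packets for an address that is no longer a tunnel endpoint in that VRF, which is the case this commit sets out to prevent; the callers are outside this hunk, so whether any does so cannot be judged here. A doc comment on both functions should list the three return values and the cache rule, for example `/* last_k4 caches the last key that passed: seed it with vtep4_key_init() and do not keep it across a table update */`. The sentinels written by `vtep4_key_init` and `vtep6_key_init` also assume no real packet resolves to `fib_index == ~0`, which deserves a line next to them. Separately, `vtep_table_create ()` should be declared `vtep_table_create (void)`.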