/*
*------------------------------------------------------------------
* vxlan_api.c - vxlan api
*
* Copyright (c) 2016 Cisco and/or its affiliates.
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at:
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*------------------------------------------------------------------
*/
#include <vnet/vnet.h>
#include <vlibmemory/api.h>
#include <vnet/interface.h>
#include <vnet/api_errno.h>
#include <vnet/feature/feature.h>
#include <vnet/vxlan/vxlan.h>
#include <vnet/fib/fib_table.h>
#include <vnet/vnet_msg_enum.h>
#define vl_typedefs /* define message structures */
#include <vnet/vnet_all_api_h.h>
#undef vl_typedefs
#define vl_endianfun /* define message structures */
#include <vnet/vnet_all_api_h.h>
#undef vl_endianfun
/* instantiate all the print functions we know about */
#define vl_print(handle, ...) vlib_cli_output (handle, __VA_ARGS__)
#define vl_printfun
#include <vnet/vnet_all_api_h.h>
#undef vl_printfun
#include <vlibapi/api_helper_macros.h>
#define foreach_vpe_api_msg \
_(SW_INTERFACE_SET_VXLAN_BYPASS, sw_interface_set_vxlan_bypass) \
_(VXLAN_ADD_DEL_TUNNEL, vxlan_add_del_tunnel) \
_(VXLAN_TUNNEL_DUMP, vxlan_tunnel_dump)
static void
vl_api_sw_interface_set_vxlan_bypass_t_handler
(vl_api_sw_interface_set_vxlan_bypass_t * mp)
{
vl_api_sw_interface_set_vxlan_bypass_reply_t *rmp;
int rv = 0;
u32 sw_if_index = ntohl (mp->sw_if_index);
VALIDATE_SW_IF_INDEX (mp);
vnet_int_vxlan_bypass_mode (sw_if_index, mp->is_ipv6, mp->enable);
BAD_SW_IF_INDEX_LABEL;
REPLY_MACRO (VL_API_SW_INTERFACE_SET_VXLAN_BYPASS_REPLY);
}
static void vl_api_vxlan_add_del_tunnel_t_handler
(vl_api_vxlan_add_del_tunnel_t * mp)
{
vl_api_vxlan_add_del_tunnel_reply_t *rmp;
int rv = 0;
u32 fib_index;
fib_index = fib_table_find (fib_ip_proto (mp->is_ipv6
@media only all and (prefers-color-scheme: dark) {
.highlight .hll { background-color: #49483e }
.highlight .c { color: #75715e } /* Comment */
.highlight .err { color: #960050; background-color: #1e0010 } /* Error */
.highlight .k { color: #66d9ef } /* Keyword */
.highlight .l { color: #ae81ff } /* Literal */
.highlight .n { color: #f8f8f2 } /* Name */
.highlight .o { color: #f92672 } /* Operator */
.highlight .p { color: #f8f8f2 } /* Punctuation */
.highlight .ch { color: #75715e } /* Comment.Hashbang */
.highlight .cm { color: #75715e } /* Comment.Multiline */
.highlight .cp { color: #75715e } /* Comment.Preproc */
.highlight .cpf { color: #75715e } /* Comment.PreprocFile */
.highlight .c1 { color: #75715e } /* Comment.Single */
.highlight .cs { color: #75715e } /* Comment.Special */
.highlight .gd { color: #f92672 } /* Generic.Deleted */
.highlight .ge { font-style: italic } /* Generic.Emph */
.highlight .gi { color: #a6e22e } /* Generic.Inserted */
.highlight .gs { font-weight: bold } /* Generic.Strong */
.highlight .gu { color: #75715e } /* Generic.Subheading */
.highlight .kc { color: #66d9ef } /* Keyword.Constant */
.highlight .kd { color: #66d9ef } /* Keyword.Declaration */
.highlight .kn { color: #f92672 } /* Keyword.Namespace */
.highlight .kp { color: #66d9ef } /* Keyword.Pseudo */
.highlight .kr { color: #66d9ef } /* Keyword.Reserved */
.highlight .kt { color: #66d9ef } /* Keyword.Type */
.highlight .ld { color: #e6db74 } /* Literal.Date */
.highlight .m { color: #ae81ff } /* Literal.Number */
.highlight .s { color: #e6db74 } /* Literal.String */
.highlight .na { color: #a6e22e } /* Name.Attribute */
.highlight .nb { color: #f8f8f2 } /* Name.Builtin */
.highlight .nc { color: #a6e22e } /* Name.Class */
.highlight .no { color: #66d9ef } /* Name.Constant */
.highlight .nd { color: #a6e22e } /* Name.Decorator */
.highlight .ni { color: #f8f8f2 } /* Name.Entity */
.highlight .ne { color: #a6e22e } /* Name.Exception */
.highlight .nf { color: #a6e22e } /* Name.Function */
.highlight .nl { color: #f8f8f2 } /* Name.Label */
.highlight .nn { color: #f8f8f2 } /* Name.Namespace */
.highlight .nx { color: #a6e22e } /* Name.Other */
.highlight .py { color: #f8f8f2 } /* Name.Property */
.highlight .nt { color: #f92672 } /* Name.Tag */
.highlight .nv { color: #f8f8f2 } /* Name.Variable */
.highlight .ow { color: #f92672 } /* Operator.Word */
.highlight .w { color: #f8f8f2 } /* Text.Whitespace */
.highlight .mb { color: #ae81ff } /* Literal.Number.Bin */
.highlight .mf { color: #ae81ff } /* Literal.Number.Float */
.highlight .mh { color: #ae81ff } /* Literal.Number.Hex */
.highlight .mi { color: #ae81ff } /* Literal.Number.Integer */
.highlight .mo { color: #ae81ff } /* Literal.Number.Oct */
.highlight .sa { color: #e6db74 } /* Literal.String.Affix */
.highlight .sb { color: #e6db74 } /* Literal.String.Backtick */
.highlight .sc { color: #e6db74 } /* Literal.String.Char */
.highlight .dl { color: #e6db74 } /* Literal.String.Delimiter */
.highlight .sd { color: #e6db74 } /* Literal.String.Doc */
.highlight .s2 { color: #e6db74 } /* Literal.String.Double */
.highlight .se { color: #ae81ff } /* Literal.String.Escape */
.highlight .sh { color: #e6db74 } /* Literal.String.Heredoc */
.highlight .si { color: #e6db74 } /* Literal.String.Interpol */
.highlight .sx { color: #e6db74 } /* Literal.String.Other */
.highlight .sr { color: #e6db74 } /* Literal.String.Regex */
.highlight .s1 { color: #e6db74 } /* Literal.String.Single */
.highlight .ss { color: #e6db74 } /* Literal.String.Symbol */
.highlight .bp { color: #f8f8f2 } /* Name.Builtin.Pseudo */
.highlight .fm { color: #a6e22e } /* Name.Function.Magic */
.highlight .vc { color: #f8f8f2 } /* Name.Variable.Class */
.highlight .vg { color: #f8f8f2 } /* Name.Variable.Global */
.highlight .vi { color: #f8f8f2 } /* Name.Variable.Instance */
.highlight .vm { color: #f8f8f2 } /* Name.Variable.Magic */
.highlight .il { color: #ae81ff } /* Literal.Number.Integer.Long */
}
@media (prefers-color-scheme: light) {
.highlight .hll { background-color: #ffffcc }
.highlight .c { color: #888888 } /* Comment */
.highlight .err { color: #a61717; background-color: #e3d2d2 } /* Error */
.highlight .k { color: #008800; font-weight: bold } /* Keyword */
.highlight .ch { color: #888888 } /* Comment.Hashbang */
.highlight .cm { color: #888888 } /* Comment.Multiline */
.highlight .cp { color: #cc0000; font-weight: bold } /* Comment.Preproc */
.highlight .cpf { color: #888888 } /* Comment.PreprocFile */
.highlight .c1 { color: #888888 } /* Comment.Single */
.highlight .cs { color: #cc0000; font-weight: bold; background-color: #fff0f0 } /* Comment.Special */
.highlight .gd { color: #000000; background-color: #ffdddd } /* Generic.Deleted */
.highlight .ge { font-style: italic } /* Generic.Emph */
.highlight .gr { color: #aa0000 } /* Generic.Error */
.highlight .gh { color: #333333 } /* Generic.Heading */
.highlight .gi { color: #000000; background-color: #ddffdd } /* Generic.Inserted */
.highlight .go { color: #888888 } /* Generic.Output */
.highlight .gp { color: #555555 } /* Generic.Prompt */
.highlight .gs { font-weight: bold } /* Generic.Strong */
.highlight .gu { color: #666666 } /* Generic.Subheading */
.highlight .gt { color: #aa0000 } /* Generic.Traceback */
.highlight .kc { color: #008800; font-weight: bold } /* Keyword.Constant */
.highlight .kd { color: #008800; font-weight: bold } /* Keyword.Declaration */
.highlight .kn { color: #008800; font-weight: bold } /* Keyword.Namespace */
.highlight .kp { color: #008800 } /* Keyword.Pseudo */
.highlight .kr { color: #008800; font-weight: bold } /* Keyword.Reserved */
.highlight .kt { color: #888888; font-weight: bold } /* Keyword.Type */
.highlight .m { color: #0000DD; font-weight: bold } /* Literal.Number */
.highlight .s { color: #dd2200; background-color: #fff0f0 } /* Literal.String */
.highlight .na { color: #336699 } /* Name.Attribute */
.highlight .nb { color: #003388 } /* Name.Builtin */
.highlight .nc { color: #bb0066; font-weight: bold } /* Name.Class */
.highlight .no { color: #003366; font-weight: bold } /* Name.Constant */
.highlight .nd { color: #555555 } /* Name.Decorator */
.highlight .ne { color: #bb0066; font-weight: bold } /* Name.Exception */
.highlight .nf { color: #0066bb; font-weight: bold } /* Name.Function */
.highlight .nl { color: #336699; font-style: italic } /* Name.Label */
.highlight .nn { color: #bb0066; font-weight: bold } /* Name.Namespace */
.highlight .py { color: #336699; font-weight: bold } /* Name.Property */
.highlight .nt { color: #bb0066; font-weight: bold } /* Name.Tag */
.highlight .nv { color: #336699 } /* Name.Variable */
.highlight .ow { color: #008800 } /* Operator.Word */
.highlight .w { color: #bbbbbb } /* Text.Whitespace */
.highlight .mb { color: #0000DD; font-weight: bold } /* Literal.Number.Bin */
.highlight .mf { color: #0000DD; font-weight: bold } /* Literal.Number.Float */
.highlight .mh { color: #0000DD; font-weight: bold } /* Literal.Number.Hex */
.highlight .mi { color: #0000DD; font-weight: bold } /* Literal.Number.Integer */
.highlight .mo { color: #0000DD; font-weight: bold } /* Literal.Number.Oct */
.highlight .sa { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Affix */
.highlight .sb { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Backtick */
.highlight .sc { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Char */
.highlight .dl { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Delimiter */
.highlight .sd { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Doc */
.highlight .s2 { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Double */
.highlight .se { color: #0044dd; background-color: #fff0f0 } /* Literal.String.Escape */
.highlight .sh { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Heredoc */
.highlight .si { color: #3333bb; background-color: #fff0f0 } /* Literal.String.Interpol */
.highlight .sx { color: #22bb22; background-color: #f0fff0 } /* Literal.String.Other */
.highlight .sr { color: #008800; background-color: #fff0ff } /* Literal.String.Regex */
.highlight .s1 { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Single */
.highlight .ss { color: #aa6600; background-color: #fff0f0 } /* Literal.String.Symbol */
.highlight .bp { color: #003388 } /* Name.Builtin.Pseudo */
.highlight .fm { color: #0066bb; font-weight: bold } /* Name.Function.Magic */
.highlight .vc { color: #336699 } /* Name.Variable.Class */
.highlight .vg { color: #dd7700 } /* Name.Variable.Global */
.highlight .vi { color: #3333bb } /* Name.Variable.Instance */
.highlight .vm { color: #336699 } /* Name.Variable.Magic */
.highlight .il { color: #0000DD; font-weight: bold } /* Literal.Number.Integer.Long */
}
/*
* Copyright (c) 2016 Cisco and/or its affiliates.
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at:
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/* ICMPv4 invert type for stateful ACL */
static const u8 icmp4_invmap[] = {
[ICMP4_echo_request] = ICMP4_echo_reply + 1,
[ICMP4_timestamp_request] = ICMP4_timestamp_reply + 1,
[ICMP4_information_request] = ICMP4_information_reply + 1,
[ICMP4_address_mask_request] = ICMP4_address_mask_reply + 1
};
/* Supported ICMPv4 messages for session creation */
static const u8 icmp4_valid_new[] = {
[ICMP4_echo_request] = 1,
[ICMP4_timestamp_request] = 1,
[ICMP4_information_request] = 1,
[ICMP4_address_mask_request] = 1
};
/* ICMPv6 invert type for stateful ACL */
static const u8 icmp6_invmap[] = {
[ICMP6_echo_request - 128] = ICMP6_echo_reply + 1,
[ICMP6_node_information_request - 128] = ICMP6_node_information_response + 1
};
/* Supported ICMPv6 messages for session creation */
static const u8 icmp6_valid_new[] = {
[ICMP6_echo_request - 128] = 1,
[ICMP6_node_information_request - 128] = 1
};
/* IP4 and IP6 protocol numbers of ICMP */
static u8 icmp_protos[] = { IP_PROTOCOL_ICMP, IP_PROTOCOL_ICMP6 };
always_inline int
acl_fa_ifc_has_sessions (acl_main_t * am, int sw_if_index0)
{
return am->fa_sessions_hash_is_initialized;
}
always_inline int
acl_fa_ifc_has_in_acl (acl_main_t * am, int sw_if_index0)
{
int it_has = clib_bitmap_get (am->fa_in_acl_on_sw_if_index, sw_if_index0);
return it_has;
}
always_inline int
acl_fa_ifc_has_out_acl (acl_main_t * am, int sw_if_index0)
{
int it_has = clib_bitmap_get (am->fa_out_acl_on_sw_if_index, sw_if_index0);
return it_has;
}
always_inline int
fa_session_get_timeout_type (acl_main_t * am, fa_session_t * sess)
{
/* seen both SYNs and ACKs but not FINs means we are in established state */
u16 masked_flags =
sess->tcp_flags_seen.as_u16 & ((TCP_FLAGS_RSTFINACKSYN << 8) +
TCP_FLAGS_RSTFINACKSYN);
switch (sess->info.l4.proto)
{
case IPPROTO_TCP:
if (((TCP_FLAGS_ACKSYN << 8) + TCP_FLAGS_ACKSYN) == masked_flags)
{
return ACL_TIMEOUT_TCP_IDLE;
}
else
{
return ACL_TIMEOUT_TCP_TRANSIENT;
}
break;
case IPPROTO_UDP:
return ACL_TIMEOUT_UDP_IDLE;
break;
default:
return ACL_TIMEOUT_UDP_IDLE;
}
}
/*
* Get the idle timeout of a session.
*/
always_inline u64
fa_session_get_timeout (acl_main_t * am, fa_session_t * sess)
{
u64 timeout = (am->vlib_main->clib_time.clocks_per_second);
if (sess->link_list_id == ACL_TIMEOUT_PURGATORY)
{
timeout /= (1000000 / SESSION_PURGATORY_TIMEOUT_USEC);
}
else
{
int timeout_type = fa_session_get_timeout_type (am, sess);
timeout *= am->session_timeout_sec[timeout_type];
}
return timeout;
}
always_inline fa_session_t *
get_session_ptr_no_check (acl_main_t * am, u16 thread_index,
u32 session_index)
{
acl_fa_per_worker_data_t *pw = &am->per_worker_data[thread_index];
return pool_elt_at_index (pw->fa_sessions_pool, session_index);
}
always_inline fa_session_t *
get_session_ptr (acl_main_t * am, u16 thread_index, u32 session_index)
{
acl_fa_per_worker_data_t *pw = &am->per_worker_data[thread_index];
if (PREDICT_FALSE (session_index >= vec_len (pw->fa_sessions_pool)))
return 0;
return pool_elt_at_index (pw->fa_sessions_pool, session_index);
}
always_inline int
is_valid_session_ptr (acl_main_t * am, u16 thread_index, fa_session_t * sess)
{
acl_fa_per_worker_data_t *pw = &am->per_worker_data[thread_index];
return ((sess != 0)
&& ((sess - pw->fa_sessions_pool) <
pool_len (pw->fa_sessions_pool)));
}
always_inline void
acl_fa_conn_list_add_session (acl_main_t * am, fa_full_session_id_t sess_id,
u64 now)
{
fa_session_t *sess =
get_session_ptr (am, sess_id.thread_index, sess_id.session_index);
u8 list_id =
sess->deleted ? ACL_TIMEOUT_PURGATORY : fa_session_get_timeout_type (am,
sess);
uword thread_index = os_get_thread_index ();
acl_fa_per_worker_data_t *pw = &am->per_worker_data[thread_index];
/* the retrieved session thread index must be necessarily the same as the one in the key */
ASSERT (sess->thread_index == sess_id.thread_index);
/* the retrieved session thread index must be the same as current thread */
ASSERT (sess->thread_index == thread_index);
sess->link_enqueue_time = now;
sess->link_list_id = list_id;
sess->link_next_idx = FA_SESSION_BOGUS_INDEX;
sess->link_prev_idx = pw->fa_conn_list_tail[list_id];
if (FA_SESSION_BOGUS_INDEX != pw->fa_conn_list_tail[list_id])
{
fa_session_t *prev_sess =
get_session_ptr (am, thread_index, pw->fa_conn_list_tail[list_id]);
prev_sess->link_next_idx = sess_id.session_index;
/* We should never try to link with a session on another thread */
ASSERT (prev_sess->thread_index == sess->thread_index);
}
pw->fa_conn_list_tail[list_id] = sess_id.session_index;
#ifdef FA_NODE_VERBOSE_DEBUG
clib_warning
("FA-SESSION-DEBUG: add session id %d on thread %d sw_if_index %d",
sess_id.session_index, thread_index, sess->sw_if_index);
#endif
pw->serviced_sw_if_index_bitmap =
clib_bitmap_set (pw->serviced_sw_if_index_bitmap, sess->sw_if_index, 1);
if (FA_SESSION_BOGUS_INDEX == pw->fa_conn_list_head[list_id])
{
pw->fa_conn_list_head[list_id] = sess_id.session_index;
/* set the head expiry time because it is the first element */
pw->fa_conn_list_head_expiry_time[list_id] =
now + fa_session_get_timeout (am, sess);
}
}
static int
acl_fa_conn_list_delete_session (acl_main_t * am,
fa_full_session_id_t sess_id, u64 now)
{
uword thread_index = os_get_thread_index ();
acl_fa_per_worker_data_t *pw = &am->per_worker_data[thread_index];
if (thread_index != sess_id.thread_index)
{
/* If another thread attempts to delete the session, fail it. */
#ifdef FA_NODE_VERBOSE_DEBUG
clib_warning ("thread id in key %d != curr thread index, not deleting");
#endif
return 0;
}
fa_session_t *sess =
get_session_ptr (am, sess_id.thread_index, sess_id.session_index);
u64 next_expiry_time = ~0ULL;
/* we should never try to delete the session with another thread index */
if (sess->thread_index != os_get_thread_index ())
{
clib_error
("Attempting to delete session belonging to thread %d by thread %d",
sess->thread_index, thread_index);
}
if (FA_SESSION_BOGUS_INDEX != sess->link_prev_idx)
{
fa_session_t *prev_sess =
get_session_ptr (am, thread_index, sess->link_prev_idx);
/* the previous session must be in the same list as this one */
ASSERT (prev_sess->link_list_id == sess->link_list_id);
prev_sess->link_next_idx = sess->link_next_idx;
}
if (FA_SESSION_BOGUS_INDEX != sess->link_next_idx)
{
fa_session_t *next_sess =
get_session_ptr (am, thread_index, sess->link_next_idx);
/* The next session must be in the same list as the one we are deleting */
ASSERT (next_sess->link_list_id == sess->link_list_id);
next_sess->link_prev_idx = sess->link_prev_idx;
next_expiry_time = now + fa_session_get_timeout (am, next_sess);
}
if (pw->fa_conn_list_head[sess->link_list_id] == sess_id.session_index)
{
pw->fa_conn_list_head[sess->link_list_id] = sess->link_next_idx;
pw->fa_conn_list_head_expiry_time[sess->link_list_id] =
next_expiry_time;
}
if (pw->fa_conn_list_tail[sess->link_list_id] == sess_id.session_index)
{
pw->fa_conn_list_tail[sess->link_list_id] = sess->link_prev_idx;
}
return 1;
}
always_inline int
acl_fa_restart_timer_for_session (acl_main_t * am, u64 now,
fa_full_session_id_t sess_id)
{
if (acl_fa_conn_list_delete_session (am, sess_id, now))
{
acl_fa_conn_list_add_session (am, sess_id, now);
return 1;
}
else
{
/*
* Our thread does not own this connection, so we can not requeue
* The session. So we post the signal to the owner.
*/
aclp_post_session_change_request (am, sess_id.thread_index,
sess_id.session_index,
ACL_FA_REQ_SESS_RESCHEDULE);
return 0;
}
}
always_inline int
is_ip6_5tuple (fa_5tuple_t * p5t)
{
return (p5t->l3_zero_pad[0] | p5t->
l3_zero_pad[1] | p5t->l3_zero_pad[2] | p5t->l3_zero_pad[3] | p5t->
l3_zero_pad[4] | p5t->l3_zero_pad[5]) != 0;
}
always_inline u8
acl_fa_track_session (acl_main_t * am, int is_input, u32 sw_if_index, u64 now,
fa_session_t * sess, fa_5tuple_t * pkt_5tuple,
u32 pkt_len)
{
sess->last_active_time = now;
u8 old_flags = sess->tcp_flags_seen.as_u8[is_input];
u8 new_flags = old_flags | pkt_5tuple->pkt.tcp_flags;
int flags_need_update = pkt_5tuple->pkt.tcp_flags_valid
&& (old_flags != new_flags);
if (PREDICT_FALSE (flags_need_update))
{
sess->tcp_flags_seen.as_u8[is_input] = new_flags;
}
return 3;
}
always_inline u64
reverse_l4_u64_fastpath (u64 l4, int is_ip6)
{
fa_session_l4_key_t l4i = {.as_u64 = l4 };
fa_session_l4_key_t l4o;
l4o.port[1] = l4i.port[0];
l4o.port[0] = l4i.port[1];
l4o.non_port_l4_data = l4i.non_port_l4_data;
l4o.l4_flags = l4i.l4_flags ^ FA_SK_L4_FLAG_IS_INPUT;
return l4o.as_u64;
}
always_inline int
reverse_l4_u64_slowpath_valid (u64 l4, int is_ip6, u64 * out)
{
fa_session_l4_key_t l4i = {.as_u64 = l4 };
fa_session_l4_key_t l4o;
if (l4i.proto == icmp_protos[is_ip6])
{
static const u8 *icmp_invmap[] = { icmp4_invmap, icmp6_invmap };
static const u8 *icmp_valid_new[] =
{ icmp4_valid_new, icmp6_valid_new };
static const u8 icmp_invmap_size[] = { sizeof (icmp4_invmap),
sizeof (icmp6_invmap)
};
static const u8 icmp_valid_new_size[] = { sizeof (icmp4_valid_new),
sizeof (icmp6_valid_new)
};
int type = is_ip6 ? l4i.port[0] - 128 : l4i.port[0];
l4o.non_port_l4_data = l4i.non_port_l4_data;
l4o.port[0] = l4i.port[0];
l4o.port[1] = l4i.port[1];
/*
* ONLY ICMP messages defined in icmp4_valid_new/icmp6_valid_new table
* are allowed to create stateful ACL.
* The other messages will be forwarded without creating a reverse session.
*/
int valid_reverse_sess = (type >= 0
&& (type <= icmp_valid_new_size[is_ip6])
&& (icmp_valid_new[is_ip6][type])
&& (type <= icmp_invmap_size[is_ip6])
&& icmp_invmap[is_ip6][type]);
if (valid_reverse_sess)
{
l4o.l4_flags = l4i.l4_flags ^ FA_SK_L4_FLAG_IS_INPUT;
l4o.port[0] = icmp_invmap[is_ip6][type] - 1;
}
*out = l4o.as_u64;
return valid_reverse_sess;
}
else
*out = reverse_l4_u64_fastpath (l4, is_ip6);
return 1;
}
always_inline void
reverse_session_add_del_ip6 (acl_main_t * am,
clib_bihash_kv_40_8_t * pkv, int is_add)
{
clib_bihash_kv_40_8_t kv2;
kv2.key[0] = pkv->key[2];
kv2.key[1] = pkv->key[3];
kv2.key[2] = pkv->key[0];
kv2.key[3] = pkv->key[1];
/* the last u64 needs special treatment (ports, etc.) so we do it last */
kv2.value = pkv->value;
if (PREDICT_FALSE (is_session_l4_key_u64_slowpath (pkv->key[4])))
{
if (reverse_l4_u64_slowpath_valid (pkv->key[4], 1, &kv2.key[4]))
clib_bihash_add_del_40_8 (&am->fa_ip6_sessions_hash, &kv2, is_add);
}
else
{
kv2.key[4] = reverse_l4_u64_fastpath (pkv->key[4], 1);
clib_bihash_add_del_40_8 (&am->fa_ip6_sessions_hash, &kv2, is_add);
}
}
always_inline void
reverse_session_add_del_ip4 (acl_main_t * am,
clib_bihash_kv_16_8_t * pkv, int is_add)
{
clib_bihash_kv_16_8_t kv2;
kv2.key[0] =
((pkv->key[0] & 0xffffffff) << 32) | ((pkv->key[0] >> 32) & 0xffffffff);
/* the last u64 needs special treatment (ports, etc.) so we do it last */
kv2.value = pkv->value;
if (PREDICT_FALSE (is_session_l4_key_u64_slowpath (pkv->key[1])))
{
if (reverse_l4_u64_slowpath_valid (pkv->key[1], 0, &kv2.key[1]))
clib_bihash_add_del_16_8 (&am->fa_ip4_sessions_hash, &kv2, is_add);
}
else
{
kv2.key[1] = reverse_l4_u64_fastpath (pkv->key[1], 0);
clib_bihash_add_del_16_8 (&am->fa_ip4_sessions_hash, &kv2, is_add);
}
}
always_inline void
acl_fa_deactivate_session (acl_main_t * am, u32 sw_if_index,
fa_full_session_id_t sess_id)
{
fa_session_t *sess =
get_session_ptr (am, sess_id.thread_index, sess_id.session_index);
ASSERT (sess->thread_index == os_get_thread_index ());
void *oldheap = clib_mem_set_heap (am->acl_mheap);
if (sess->is_ip6)
{
clib_bihash_add_del_40_8 (&am->fa_ip6_sessions_hash,
&sess->info.kv_40_8, 0);
reverse_session_add_del_ip6 (am, &sess->info.kv_40_8, 0);
}
else
{
clib_bihash_add_del_16_8 (&am->fa_ip4_sessions_hash,
&sess->info.kv_16_8, 0);
reverse_session_add_del_ip4 (am, &sess->info.kv_16_8, 0);
}
sess->deleted = 1;
clib_atomic_fetch_add (&am->fa_session_total_deactivations, 1);
clib_mem_set_heap (oldheap);
}
always_inline void
acl_fa_put_session (acl_main_t * am, u32 sw_if_index,
fa_full_session_id_t sess_id)
{
if (sess_id.thread_index != os_get_thread_index ())
{
clib_error
("Attempting to delete session belonging to thread %d by thread %d",
sess_id.thread_index, os_get_thread_index ());
}
void *oldheap = clib_mem_set_heap (am->acl_mheap);
acl_fa_per_worker_data_t *pw = &am->per_worker_data[sess_id.thread_index];
pool_put_index (pw->fa_sessions_pool, sess_id.session_index);
/* Deleting from timer structures not needed,
as the caller must have dealt with the timers. */
vec_validate (pw->fa_session_dels_by_sw_if_index, sw_if_index);
clib_mem_set_heap (oldheap);
pw->fa_session_dels_by_sw_if_index[sw_if_index]++;
clib_atomic_fetch_add (&am->fa_session_total_dels, 1);
}
always_inline int
acl_fa_two_stage_delete_session (acl_main_t * am, u32 sw_if_index,
fa_full_session_id_t sess_id, u64 now)
{
fa_session_t *sess =
get_session_ptr (am, sess_id.thread_index, sess_id.session_index);
if (sess->deleted)
{
acl_fa_put_session (am, sw_if_index, sess_id);
return 1;
}
else
{
acl_fa_deactivate_session (am, sw_if_index, sess_id);
acl_fa_conn_list_add_session (am, sess_id, now);
return 0;
}
}
always_inline int
acl_fa_can_add_session (acl_main_t * am, int is_input, u32 sw_if_index)
{
u64 curr_sess_count;
curr_sess_count = am->fa_session_total_adds - am->fa_session_total_dels;
return (curr_sess_count + vec_len (vlib_mains) <
am->fa_conn_table_max_entries);
}
always_inline void
acl_fa_try_recycle_session (acl_main_t * am, int is_input, u16 thread_index,
u32 sw_if_index, u64 now)
{
/* try to recycle a TCP transient session */
acl_fa_per_worker_data_t *pw = &am->per_worker_data[thread_index];
fa_full_session_id_t volatile sess_id;
int n_recycled = 0;
/* clean up sessions from purgatory, if we can */
sess_id.session_index = pw->fa_conn_list_head[ACL_TIMEOUT_PURGATORY];
while ((FA_SESSION_BOGUS_INDEX != sess_id.session_index)
&& n_recycled < am->fa_max_deleted_sessions_per_interval)
{
sess_id.thread_index = thread_index;
fa_session_t *sess =
get_session_ptr (am, sess_id.thread_index, sess_id.session_index);
if (sess->link_enqueue_time + fa_session_get_timeout (am, sess) < now)
{
acl_fa_conn_list_delete_session (am, sess_id, now);
/* interface that needs the sessions may not be the interface of the session. */
acl_fa_put_session (am, sess->sw_if_index, sess_id);
n_recycled++;
}
else
break; /* too early to try to recycle from here, bail out */
sess_id.session_index = pw->fa_conn_list_head[ACL_TIMEOUT_PURGATORY];
}
sess_id.session_index = pw->fa_conn_list_head[ACL_TIMEOUT_TCP_TRANSIENT];
if (FA_SESSION_BOGUS_INDEX != sess_id.session_index)
{
sess_id.thread_index = thread_index;
acl_fa_conn_list_delete_session (am, sess_id, now);
acl_fa_deactivate_session (am, sw_if_index, sess_id);
/* this goes to purgatory list */
acl_fa_conn_list_add_session (am, sess_id, now);
}
}
always_inline fa_full_session_id_t
acl_fa_add_session (acl_main_t * am, int is_input, int is_ip6,
u32 sw_if_index, u64 now, fa_5tuple_t * p5tuple,
u16 current_policy_epoch)
{
fa_full_session_id_t f_sess_id;
uword thread_index = os_get_thread_index ();
void *oldheap = clib_mem_set_heap (am->acl_mheap);
acl_fa_per_worker_data_t *pw = &am->per_worker_data[thread_index];
f_sess_id.thread_index = thread_index;
fa_session_t *sess;
if (f_sess_id.as_u64 == ~0)
{
clib_error ("Adding session with invalid value");
}
pool_get_aligned (pw->fa_sessions_pool, sess, CLIB_CACHE_LINE_BYTES);
f_sess_id.session_index = sess - pw->fa_sessions_pool;
f_sess_id.intf_policy_epoch = current_policy_epoch;
if (is_ip6)
{
sess->info.kv_40_8.key[0] = p5tuple->kv_40_8.key[0];
sess->info.kv_40_8.key[1] = p5tuple->kv_40_8.key[1];
sess->info.kv_40_8.key[2] = p5tuple->kv_40_8.key[2];
sess->info.kv_40_8.key[3] = p5tuple->kv_40_8.key[3];
sess->info.kv_40_8.key[4] = p5tuple->kv_40_8.key[4];
sess->info.kv_40_8.value = f_sess_id.as_u64;
}
else
{
sess->info.kv_16_8.key[0] = p5tuple->kv_16_8.key[0];
sess->info.kv_16_8.key[1] = p5tuple->kv_16_8.key[1];
sess->info.kv_16_8.value = f_sess_id.as_u64;
}
sess->last_active_time = now;
sess->sw_if_index = sw_if_index;
sess->tcp_flags_seen.as_u16 = 0;
sess->thread_index = thread_index;
sess->link_list_id = ACL_TIMEOUT_UNUSED;
sess->link_prev_idx = FA_SESSION_BOGUS_INDEX;
sess->link_next_idx = FA_SESSION_BOGUS_INDEX;
sess->deleted = 0;
sess->is_ip6 = is_ip6;
acl_fa_conn_list_add_session (am, f_sess_id, now);
ASSERT (am->fa_sessions_hash_is_initialized == 1);
if (is_ip6)
{
reverse_session_add_del_ip6 (am, &sess->info.kv_40_8, 1);
clib_bihash_add_del_40_8 (&am->fa_ip6_sessions_hash,
&sess->info.kv_40_8, 1);
}
else
{
reverse_session_add_del_ip4 (am, &sess->info.kv_16_8, 1);
clib_bihash_add_del_16_8 (&am->fa_ip4_sessions_hash,
&sess->info.kv_16_8, 1);
}
vec_validate (pw->fa_session_adds_by_sw_if_index, sw_if_index);
clib_mem_set_heap (oldheap);
pw->fa_session_adds_by_sw_if_index[sw_if_index]++;
clib_atomic_fetch_add (&am->fa_session_total_adds, 1);
return f_sess_id;
}
always_inline int
acl_fa_find_session (acl_main_t * am, int is_ip6, u32 sw_if_index0,
fa_5tuple_t * p5tuple, u64 * pvalue_sess)
{
int res = 0;
if (is_ip6)
{
clib_bihash_kv_40_8_t kv_result;
res = (clib_bihash_search_inline_2_40_8
(&am->fa_ip6_sessions_hash, &p5tuple->kv_40_8, &kv_result) == 0);
*pvalue_sess = kv_result.value;
}
else
{
clib_bihash_kv_16_8_t kv_result;
res = (clib_bihash_search_inline_2_16_8
(&am->fa_ip4_sessions_hash, &p5tuple->kv_16_8, &kv_result) == 0);
*pvalue_sess = kv_result.value;
}
return res;
}
always_inline u64
acl_fa_make_session_hash (acl_main_t * am, int is_ip6, u32 sw_if_index0,
fa_5tuple_t * p5tuple)
{
if (is_ip6)
return clib_bihash_hash_40_8 (&p5tuple->kv_40_8);
else
return clib_bihash_hash_16_8 (&p5tuple->kv_16_8);
}
always_inline void
acl_fa_prefetch_session_bucket_for_hash (acl_main_t * am, int is_ip6,
u64 hash)
{
if (is_ip6)
clib_bihash_prefetch_bucket_40_8 (&am->fa_ip6_sessions_hash, hash);
else
clib_bihash_prefetch_bucket_16_8 (&am->fa_ip4_sessions_hash, hash);
}
always_inline void
acl_fa_prefetch_session_data_for_hash (acl_main_t * am, int is_ip6, u64 hash)
{
if (is_ip6)
clib_bihash_prefetch_data_40_8 (&am->fa_ip6_sessions_hash, hash);
else
clib_bihash_prefetch_data_16_8 (&am->fa_ip4_sessions_hash, hash);
}
always_inline int
acl_fa_find_session_with_hash (acl_main_t * am, int is_ip6, u32 sw_if_index0,
u64 hash, fa_5tuple_t * p5tuple,
u64 * pvalue_sess)
{
int res = 0;
if (is_ip6)
{
clib_bihash_kv_40_8_t kv_result;
kv_result.value = ~0ULL;
res = (clib_bihash_search_inline_2_with_hash_40_8
(&am->fa_ip6_sessions_hash, hash, &p5tuple->kv_40_8,
&kv_result) == 0);
*pvalue_sess = kv_result.value;
}
else
{
clib_bihash_kv_16_8_t kv_result;
kv_result.value = ~0ULL;
res = (clib_bihash_search_inline_2_with_hash_16_8
(&am->fa_ip4_sessions_hash, hash, &p5tuple->kv_16_8,
&kv_result) == 0);
*pvalue_sess = kv_result.value;
}
return res;
}
/*
* fd.io coding-style-patch-verification: ON
*
* Local Variables:
* eval: (c-set-style "gnu")
* End:
*/