1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
|
/*
* Copyright (c) 2013 Cisco and/or its affiliates.
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at:
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/**
* Group Base Policy (GBP) defines:
* - endpoints: typically a VM or container that is connected to the
* virtual switch/router (i.e. to VPP)
* - endpoint-group: (EPG) a collection of endpoints
* - policy: rules determining which traffic can pass between EPGs a.k.a
* a 'contract'
*
* Here, policy is implemented via an ACL.
* EPG classification for transit packets is determined by:
* - source EPG: from the packet's input interface
* - destination EPG: from the packet's destination IP address.
*
*/
#ifndef included_vnet_gbp_h
#define included_vnet_gbp_h
#include <vlib/vlib.h>
#include <vnet/vnet.h>
#include <vnet/ip/ip.h>
typedef u32 epg_id_t;
#define EPG_INVALID (~0)
/**
* The key for an Endpoint
*/
typedef struct gbp_endpoint_key_t_
{
/**
* The interface on which the EP is connected
*/
u32 gek_sw_if_index;
/**
* The IP[46] address of the endpoint
*/
ip46_address_t gek_ip;
} gbp_endpoint_key_t;
/**
* A Group Based Policy Endpoint.
* This is typcially a VM on the local compute node for which policy must be
* locally applied
*/
typedef struct gbp_endpoint_t_
{
/**
* The endpoint's interface and IP address
*/
gbp_endpoint_key_t *ge_key;
/**
* The endpoint's designated EPG
*/
epg_id_t ge_epg_id;
} gbp_endpoint_t;
extern void gbp_endpoint_update (u32 sw_if_index,
const ip46_address_t * ip, epg_id_t epg_id);
extern void gbp_endpoint_delete (u32 sw_if_index, const ip46_address_t * ip);
typedef int (*gbp_endpoint_cb_t) (gbp_endpoint_t * gbpe, void *ctx);
extern void gbp_endpoint_walk (gbp_endpoint_cb_t bgpe, void *ctx);
/**
* The key for an Contract
*/
typedef struct gbp_contract_key_t_
{
union
{
struct
{
/**
* source and destination EPGs for which the ACL applies
*/
epg_id_t gck_src;
epg_id_t gck_dst;
};
u64 as_u64;
};
} gbp_contract_key_t;
/**
* A Group Based Policy Contract.
* Determines the ACL that applies to traffic pass between two endpoint groups
*/
typedef struct gbp_contract_t_
{
/**
* source and destination EPGs
*/
gbp_contract_key_t gc_key;
/**
* The ACL to apply for packets from the source to the destination EPG
*/
u32 gc_acl_index;;
} gbp_contract_t;
extern void gbp_contract_update (epg_id_t src_epg,
epg_id_t dst_epg, u32 acl_index);
extern void gbp_contract_delete (epg_id_t src_epg, epg_id_t dst_epg);
typedef int (*gbp_contract_cb_t) (gbp_contract_t * gbpe, void *ctx);
extern void gbp_contract_walk (gbp_contract_cb_t bgpe, void *ctx);
#endif
/*
* fd.io coding-style-patch-verification: ON
*
* Local Variables:
* eval: (c-set-style "gnu")
* End:
*/
|
