       1             : /*
       2             :  * Copyright (c) 2016 Cisco and/or its affiliates.
       3             :  * Licensed under the Apache License, Version 2.0 (the "License");
       4             :  * you may not use this file except in compliance with the License.
       5             :  * You may obtain a copy of the License at:
       6             :  *
       7             :  *     http://www.apache.org/licenses/LICENSE-2.0
       8             :  *
       9             :  * Unless required by applicable law or agreed to in writing, software
      10             :  * distributed under the License is distributed on an "AS IS" BASIS,
      11             :  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
      12             :  * See the License for the specific language governing permissions and
      13             :  * limitations under the License.
      14             :  */
      15             : #ifndef included_acl_h
      16             : #define included_acl_h
      17             : 
      18             : #include <vnet/vnet.h>
      19             : #include <vnet/ip/ip.h>
      20             : #include <vnet/l2/l2_output.h>
      21             : 
      22             : 
      23             : #include <vppinfra/hash.h>
      24             : #include <vppinfra/error.h>
      25             : #include <vppinfra/bitmap.h>
      26             : #include <vppinfra/elog.h>
      27             : #include <vppinfra/bihash_48_8.h>
      28             : #include <vppinfra/bihash_40_8.h>
      29             : #include <vppinfra/bihash_16_8.h>
      30             : #include <vlib/counter.h>
      31             : 
      32             : #include "types.h"
      33             : #include "fa_node.h"
      34             : #include "hash_lookup_types.h"
      35             : #include "lookup_context.h"
      36             : 
/* ACL plugin version, major/minor. */
#define  ACL_PLUGIN_VERSION_MAJOR 1
#define  ACL_PLUGIN_VERSION_MINOR 4

/*
 * Idle timeouts for FA sessions, in seconds; presumably the defaults for
 * the corresponding acl_timeout_e classes declared below.  The "transient"
 * TCP class is separate from TCP idle; what counts as transient is decided
 * by the session code, not here.
 */
#define UDP_SESSION_IDLE_TIMEOUT_SEC 600
#define TCP_SESSION_IDLE_TIMEOUT_SEC (3600*24)
#define TCP_SESSION_TRANSIENT_TIMEOUT_SEC 120

/*
 * Timeout of the purgatory queue (ACL_TIMEOUT_PURGATORY: sessions whose
 * deletion is in progress).  Note the unit: microseconds, unlike the
 * seconds used above.
 */
#define SESSION_PURGATORY_TIMEOUT_USEC 10

/*
 * Sizing of the hash-based ACL lookup table (acl_main_t.acl_lookup_hash):
 * bucket count and arena size in bytes (2 << 25 == 64 MiB).  Presumably the
 * defaults behind acl_main_t.hash_lookup_hash_buckets / hash_lookup_hash_memory.
 */
#define ACL_PLUGIN_HASH_LOOKUP_HASH_BUCKETS 65536
#define ACL_PLUGIN_HASH_LOOKUP_HASH_MEMORY (2 << 25)
      48             : 
/* Graph nodes for the input and output ACL paths; defined in the plugin's .c files. */
extern vlib_node_registration_t acl_in_node;
extern vlib_node_registration_t acl_out_node;

/*
 * Match buffer b0 seen on interface sw_if_index against that interface's
 * input (resp. output) ACLs.  Results are returned through the
 * out-parameters: *nextp (next graph node), *acl_match_p and *rule_match_p
 * (presumably the index of the matching ACL and of the rule within it), and
 * *trace_bitmap (trace flags).  Defined in the plugin's .c files.
 */
void input_acl_packet_match(u32 sw_if_index, vlib_buffer_t * b0, u32 *nextp, u32 *acl_match_p, u32 *rule_match_p, u32 *trace_bitmap);
void output_acl_packet_match(u32 sw_if_index, vlib_buffer_t * b0, u32 *nextp, u32 *acl_match_p, u32 *rule_match_p, u32 *trace_bitmap);
      54             : 
/*
 * Session timeout classes.  Used as indexes into
 * acl_main_t.session_timeout_sec[] and session_timeout[] (both sized
 * ACL_N_TIMEOUTS).  The classes below ACL_N_USER_TIMEOUTS are presumably
 * the user-configurable ones; ACL_TIMEOUT_PURGATORY is internal.
 */
enum acl_timeout_e {
  ACL_TIMEOUT_UNUSED = 0,
  ACL_TIMEOUT_UDP_IDLE,
  ACL_TIMEOUT_TCP_IDLE,
  ACL_TIMEOUT_TCP_TRANSIENT,
  ACL_N_USER_TIMEOUTS, /* number of configurable classes */
  ACL_TIMEOUT_PURGATORY = ACL_N_USER_TIMEOUTS, /* a special-case queue for deletion-in-progress sessions */
  ACL_N_TIMEOUTS /* total number of classes, purgatory included */
};
      64             : 
/*
 * One MAC+IP ACL rule: a source MAC (under a mask) and a source IP prefix.
 * Which fields are actually compared, and in what order, is up to the
 * classifier tables built from the rule (see macip_acl_list_t).
 */
typedef struct
{
  u8 is_permit;               /* nonzero: permit on match, zero: deny (from the name) */
  u8 is_ipv6;                 /* address family of src_ip_addr / src_prefixlen */
  u8 src_mac[6];              /* source MAC to match ... */
  u8 src_mac_mask[6];         /* ... after masking with this */
  ip46_address_t src_ip_addr; /* source prefix: address ... */
  u8 src_prefixlen;           /* ... and prefix length in bits */
} macip_acl_rule_t;
      74             : 
/*
 * ACL: a tag plus its rules.  Instances live in a pool
 * (acl_main_t.acls), hence the cache-line alignment marker.
 */
typedef struct
{
  /** Required for pool_get_aligned */
  CLIB_CACHE_LINE_ALIGN_MARK(cacheline0);
  u8 tag[64];        /* fixed 64-byte tag; NUL termination cannot be assumed from the declaration, so bound any read/print by sizeof tag */
  acl_rule_t *rules; /* the rules of this ACL (acl_rule_t comes from the included headers); presumably a vppinfra vector */
} acl_list_t;
      85             : 
/*
 * MAC+IP ACL: a tag, its rules, and the classifier tables that enforce
 * them.  Instances live in a pool (acl_main_t.macip_acls), hence the
 * cache-line alignment marker.
 */
typedef struct
{
  /** Required for pool_get_aligned */
  CLIB_CACHE_LINE_ALIGN_MARK(cacheline0);
  u8 tag[64];              /* fixed 64-byte tag; NUL termination cannot be assumed from the declaration */
  u32 count;               /* number of entries in rules (presumably) */
  macip_acl_rule_t *rules;
  /* References to the classifier tables that will enforce the rules */
  u32 ip4_table_index;
  u32 ip6_table_index;
  u32 l2_table_index;
  /* outacl classifier tables */
  u32 out_ip4_table_index;
  u32 out_ip6_table_index;
  u32 out_l2_table_index;
} macip_acl_list_t;
     102             : 
/*
 * An element describing a particular configuration of the mask,
 * and how many times it has been used.  Instances live in a pool
 * (acl_main_t.ace_mask_type_pool), hence the cache-line alignment marker.
 */
typedef struct
{
  /** Required for pool_get_aligned */
  CLIB_CACHE_LINE_ALIGN_MARK(cacheline0);
  fa_5tuple_t mask; /* the 5-tuple mask itself */
  u32 refcount;     /* number of users of this mask type */
  u8 from_tm;       /* presumably: nonzero if created by TupleMerge (see acl_main_t.use_tuple_merge) -- confirm in the lookup code */
} ace_mask_type_entry_t;
     115             : 
/*
 * Plugin-wide state.  There is a single instance, acl_main, declared
 * extern further down in this header.
 */
typedef struct {
  /* API message ID base */
  u16 msg_id_base;

  /* The pool of users of ACL lookup contexts */
  acl_lookup_context_user_t *acl_users;
  /* The pool of ACL lookup contexts */
  acl_lookup_context_t *acl_lookup_contexts;

  acl_list_t *acls;     /* Pool of ACLs */
  hash_acl_info_t *hash_acl_infos; /* corresponding hash matching housekeeping info */
  clib_bihash_48_8_t acl_lookup_hash; /* ACL lookup hash table. */
  /* sizing of acl_lookup_hash; presumably seeded from ACL_PLUGIN_HASH_LOOKUP_HASH_* */
  u32 hash_lookup_hash_buckets;
  uword hash_lookup_hash_memory;

  /* nonzero once acl_lookup_hash has been created */
  int acl_lookup_hash_initialized;
/*
  applied_hash_ace_entry_t **input_hash_entry_vec_by_sw_if_index;
  applied_hash_ace_entry_t **output_hash_entry_vec_by_sw_if_index;
  applied_hash_acl_info_t *input_applied_hash_acl_info_by_sw_if_index;
  applied_hash_acl_info_t *output_applied_hash_acl_info_by_sw_if_index;
*/
  /* applied hash entries and their housekeeping info, per lookup context (lc_index) */
  applied_hash_ace_entry_t **hash_entry_vec_by_lc_index;
  applied_hash_acl_info_t *applied_hash_acl_info_by_lc_index;

  /* Corresponding lookup context indices for in/out lookups per sw_if_index */
  u32 *input_lc_index_by_sw_if_index;
  u32 *output_lc_index_by_sw_if_index;
  /* context user id for interface ACLs */
  u32 interface_acl_user_id;

  macip_acl_list_t *macip_acls; /* Pool of MAC-IP ACLs */

  /* ACLs associated with interfaces */
  u32 **input_acl_vec_by_sw_if_index;
  u32 **output_acl_vec_by_sw_if_index;

  /* interfaces on which given ACLs are applied */
  u32 **input_sw_if_index_vec_by_acl;
  u32 **output_sw_if_index_vec_by_acl;

  /* bitmaps 1=sw_if_index has in/out ACL processing enabled */
  uword *in_acl_on_sw_if_index;
  uword *out_acl_on_sw_if_index;

  /* lookup contexts where a given ACL is used */
  u32 **lc_index_vec_by_acl;

  /* input and output policy epochs by interface */
  u32 *input_policy_epoch_by_sw_if_index;
  u32 *output_policy_epoch_by_sw_if_index;

  /* whether we need to take the epoch of the session into account */
  int reclassify_sessions;



  /* Total count of interface+direction pairs enabled */
  u32 fa_total_enabled_count;

  /* Do we use hash-based ACL matching or linear */
  int use_hash_acl_matching;

  /* Do we use the TupleMerge for hash ACLs or not */
  int use_tuple_merge;

  /* Max collision vector length before splitting the tuple */
#define TM_SPLIT_THRESHOLD 39
  int tuple_merge_split_threshold;

  /* a pool of all mask types present in all ACEs */
  ace_mask_type_entry_t *ace_mask_type_pool;

  /* vec of vectors of all info of all mask types present in ACEs contained in each lc_index */
  hash_applied_mask_info_t **hash_applied_mask_info_vec_by_lc_index;

  /*
   * Classify tables used to grab the packets for the ACL check,
   * and serving as the 5-tuple session tables at the same time
   */
  u32 *acl_ip4_input_classify_table_by_sw_if_index;
  u32 *acl_ip6_input_classify_table_by_sw_if_index;
  u32 *acl_ip4_output_classify_table_by_sw_if_index;
  u32 *acl_ip6_output_classify_table_by_sw_if_index;

  /* L2 classify tables for dot1q / dot1ad tagged frames, per direction (built elsewhere) */
  u32 *acl_dot1q_input_classify_table_by_sw_if_index;
  u32 *acl_dot1ad_input_classify_table_by_sw_if_index;
  u32 *acl_dot1q_output_classify_table_by_sw_if_index;
  u32 *acl_dot1ad_output_classify_table_by_sw_if_index;

  /* classify tables keyed by ethertype, per direction (built elsewhere) */
  u32 *acl_etype_input_classify_table_by_sw_if_index;
  u32 *acl_etype_output_classify_table_by_sw_if_index;

  /* per-interface vectors of ethertypes allowed through (whitelists), per direction */
  u16 **input_etype_whitelist_by_sw_if_index;
  u16 **output_etype_whitelist_by_sw_if_index;

  /* MACIP (input) ACLs associated with the interfaces */
  u32 *macip_acl_by_sw_if_index;

  /* Vector of interfaces on which given MACIP ACLs are applied */
  u32 **sw_if_index_vec_by_macip_acl;

  /* bitmaps when set the processing is enabled on the interface */
  uword *fa_in_acl_on_sw_if_index;
  uword *fa_out_acl_on_sw_if_index;
  /* bihash holding all of the sessions; the flag records whether the two hashes have been initialised */
  int fa_sessions_hash_is_initialized;
  clib_bihash_40_8_t fa_ip6_sessions_hash;
  clib_bihash_16_8_t fa_ip4_sessions_hash;
  /* The process node which orchestrates the cleanup */
  u32 fa_cleaner_node_index;
  /* FA session timeouts, in seconds, indexed by acl_timeout_e */
  u32 session_timeout_sec[ACL_N_TIMEOUTS];
  /* total session adds/dels */
  u64 fa_session_total_adds;
  u64 fa_session_total_dels;
  /* how many sessions went into purgatory */
  u64 fa_session_total_deactivations;

  /* EH values that we can skip over (bit index = IPv6 next-header number; presumably populated from foreach_acl_eh below) */
  uword *fa_ipv6_known_eh_bitmap;

  /* whether to match L4 ACEs with ports on the non-initial fragment */
  int l4_match_nonfirst_fragment;

  /*
   * conn table per-interface conn table parameters: hash sizing, plus a cap
   * on the number of entries, which bounds the session state an interface
   * can accumulate (enforcement lives in the session code, not here)
   */
  u32 fa_conn_table_hash_num_buckets;
  uword fa_conn_table_hash_memory_size;
  u64 fa_conn_table_max_entries;

  /* debug tracing toggles for sessions and ACL matching (from the names; read by the nodes) */
  int trace_sessions;
  int trace_acl;

  /*
   * If the cleaner has to delete more than this number
   * of connections, it halves the sleep time.
   */

#define ACL_FA_DEFAULT_MAX_DELETED_SESSIONS_PER_INTERVAL 100
  u64 fa_max_deleted_sessions_per_interval;

  /*
   * If the cleaner deletes less than these connections,
   * it increases the wait time by the "increment"
   */

#define ACL_FA_DEFAULT_MIN_DELETED_SESSIONS_PER_INTERVAL 1
  u64 fa_min_deleted_sessions_per_interval;

#define ACL_FA_DEFAULT_CLEANER_WAIT_TIME_INCREMENT 0.1
  f64 fa_cleaner_wait_time_increment;

  /* current cleaner wait interval, adapted as described above (halved / incremented); its unit is not stated here */
  u64 fa_current_cleaner_timer_wait_interval;

  /* presumably a generation counter for cleaner interrupts; semantics live in the cleaner/worker code */
  int fa_interrupt_generation;

  /* per-worker data related to conn management */
  acl_fa_per_worker_data_t *per_worker_data;

  /* Configured session timeout, same classes as session_timeout_sec; the unit is not stated here -- check where it is filled in */
  u64 session_timeout[ACL_N_TIMEOUTS];


  /* Counters for the cleaner thread */

#define foreach_fa_cleaner_counter                                         \
  _(fa_cleaner_cnt_delete_by_sw_index, "delete_by_sw_index events")        \
  _(fa_cleaner_cnt_delete_by_sw_index_ok, "delete_by_sw_index handled ok") \
  _(fa_cleaner_cnt_unknown_event, "unknown events received")               \
  _(fa_cleaner_cnt_timer_restarted, "session idle timers restarted")       \
  _(fa_cleaner_cnt_wait_with_timeout, "event wait with timeout called")    \
  _(fa_cleaner_cnt_wait_without_timeout, "event wait w/o timeout called")  \
  _(fa_cleaner_cnt_event_cycles, "total event cycles")                     \
/* end of counters */
#define _(id, desc) u32 id;
  foreach_fa_cleaner_counter
#undef _

  /* convenience */
  vlib_main_t * vlib_main;
  vnet_main_t * vnet_main;
  /* logging */
  vlib_log_class_t log_default;
  /* acl counters exposed via stats segment */
  /* spinlock word for the counters; NULL disables locking (acl_plugin_counter_lock/unlock below check for it) */
  volatile u32 *acl_counter_lock;
  vlib_combined_counter_main_t *combined_acl_counters;
  /* enable/disable ACL counters for interface processing */
  u32 interface_acl_counters_enabled;
} acl_main_t;
     305             : 
/*
 * Logging helpers: every message goes to the plugin's vlib log class
 * (acl_main.log_default) at the given level.  The arguments are passed
 * straight through to vlib_log(), so the first of them should be a format
 * string literal; never pass externally supplied text as the format.
 */
#define acl_log_err(...) \
  vlib_log(VLIB_LOG_LEVEL_ERR, acl_main.log_default, __VA_ARGS__)
#define acl_log_warn(...) \
  vlib_log(VLIB_LOG_LEVEL_WARNING, acl_main.log_default, __VA_ARGS__)
#define acl_log_notice(...) \
  vlib_log(VLIB_LOG_LEVEL_NOTICE, acl_main.log_default, __VA_ARGS__)
#define acl_log_info(...) \
  vlib_log(VLIB_LOG_LEVEL_INFO, acl_main.log_default, __VA_ARGS__)
     314             : 
     315             : 
/*
 * Acquire the counter spinlock held in am->acl_counter_lock.
 *
 * A NULL lock pointer means locking is disabled and the call is a no-op.
 * Otherwise busy-wait until the atomic test-and-set observes the word
 * clear (it returns the previous value, which is nonzero while the lock is
 * held by someone else).  Pair every call with acl_plugin_counter_unlock().
 */
static inline void
acl_plugin_counter_lock (acl_main_t * am)
{
  volatile u32 *lock = am->acl_counter_lock;

  if (!lock)
    return;

  /* Spin until we are the ones who flipped the word from 0 to 1. */
  while (clib_atomic_test_and_set (lock))
    ;
}
     323             : 
/*
 * Release the counter spinlock taken by acl_plugin_counter_lock().
 *
 * A NULL lock pointer means locking is disabled and the call is a no-op;
 * otherwise the word is cleared with release semantics.  Only call this
 * after a matching, successful acl_plugin_counter_lock().
 */
static inline void
acl_plugin_counter_unlock (acl_main_t * am)
{
  volatile u32 *lock = am->acl_counter_lock;

  if (!lock)
    return;

  clib_atomic_release (lock);
}
     330             : 
     331             : 
/*
 * IPv6 extension headers the plugin recognises, as an X-macro list of
 * _(NAME, next-header protocol number, description).  Expanded into the
 * acl_eh_t enum below (ACL_EH_<NAME> = number); presumably also the source
 * of acl_main_t.fa_ipv6_known_eh_bitmap.
 */
#define foreach_acl_eh                                          \
   _(HOPBYHOP , 0  , "IPv6ExtHdrHopByHop")                      \
   _(ROUTING  , 43 , "IPv6ExtHdrRouting")                       \
   _(DESTOPT  , 60 , "IPv6ExtHdrDestOpt")                       \
   _(FRAGMENT , 44 , "IPv6ExtHdrFragment")                      \
   _(MOBILITY , 135, "Mobility Header")                         \
   _(HIP      , 139, "Experimental use Host Identity Protocol") \
   _(SHIM6    , 140, "Shim6 Protocol")                          \
   _(EXP1     , 253, "Use for experimentation and testing")     \
   _(EXP2     , 254, "Use for experimentation and testing")

/*
 * Deliberately not in the list above:
 *
 * "No Next Header" (59) is not a header.  (The Fragment header, 44, is in
 * the list but needs special processing.)
 *
 *   _(NONEXT   , 59 , "NoNextHdr")
 *
 * ESP hides its internal format, so there is no point in trying to parse
 * past it.
 *
 *   _(ESP      , 50 , "EncapsulatingSecurityPayload")
 *
 * AH treats its length specially: it is in 32-bit words, not 64-bit words
 * like the rest.
 *
 *   _(AUTH     , 51 , "Authentication Header")
 */
     362             : 
     363             : 
 /* IPv6 extension header numbers: ACL_EH_<NAME> = next-header value, generated from foreach_acl_eh. */
 typedef enum {
 #define _(N, v, s) ACL_EH_##N = v,
         foreach_acl_eh
 #undef _
 } acl_eh_t;
     369             : 
     370             : 
     371             : 
/* The plugin's single acl_main_t instance (also used by the acl_log_* macros above); defined in the plugin's .c files. */
extern acl_main_t acl_main;
     373             : 
/* Request types carried by aclp_post_session_change_request(). */
typedef enum {
  ACL_FA_REQ_SESS_RESCHEDULE = 0,
  ACL_FA_N_REQ, /* number of request types */
} acl_fa_sess_req_t;
     378             : 
/*
 * Session change requests.  The first posts a request of type request_type
 * for session target_session on thread target_thread; the second swaps a
 * thread's work-in-progress and pending request queues.  Presumably the
 * poster and the consumer run on different threads -- the synchronisation
 * is in the implementation, not in this header.  Defined in the plugin's .c files.
 */
void aclp_post_session_change_request(acl_main_t *am, u32 target_thread, u32 target_session, acl_fa_sess_req_t request_type);
void aclp_swap_wip_and_pending_session_change_requests(acl_main_t *am, u32 target_thread);
     381             : 
     382             : #endif
