Line data Source code
1 : /*
2 : * node.c - skeleton vpp engine plug-in dual-loop node skeleton
3 : *
4 : * Copyright (c) <current-year> <your-organization>
5 : * Licensed under the Apache License, Version 2.0 (the "License");
6 : * you may not use this file except in compliance with the License.
7 : * You may obtain a copy of the License at:
8 : *
9 : * http://www.apache.org/licenses/LICENSE-2.0
10 : *
11 : * Unless required by applicable law or agreed to in writing, software
12 : * distributed under the License is distributed on an "AS IS" BASIS,
13 : * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 : * See the License for the specific language governing permissions and
15 : * limitations under the License.
16 : */
17 : #include <vlib/vlib.h>
18 : #include <vnet/vnet.h>
19 : #include <vppinfra/error.h>
20 : #include <mactime/mactime.h>
21 : #include <vnet/ip/ip4.h>
22 :
23 : typedef struct
24 : {
25 : u32 next_index;
26 : u32 device_index;
27 : u8 src_mac[6];
28 : u8 device_name[64];
29 : } mactime_trace_t;
30 :
31 : vlib_node_registration_t mactime_node;
32 : vlib_node_registration_t mactime_tx_node;
33 :
34 : #define foreach_mactime_error \
35 : _(OK, "Permitted packets") \
36 : _(STATIC_DROP, "Static drop packets") \
37 : _(RANGE_DROP, "Range drop packets") \
38 : _(QUOTA_DROP, "Data quota drop packets") \
39 : _(DROP_10001, "Dropped UDP DST-port 10001")
40 :
41 : typedef enum
42 : {
43 : #define _(sym,str) MACTIME_ERROR_##sym,
44 : foreach_mactime_error
45 : #undef _
46 : MACTIME_N_ERROR,
47 : } mactime_error_t;
48 :
49 : static char *mactime_error_strings[] = {
50 : #define _(sym,string) string,
51 : foreach_mactime_error
52 : #undef _
53 : };
54 :
55 : typedef enum
56 : {
57 : MACTIME_NEXT_DROP,
58 : MACTIME_NEXT_ETHERNET_INPUT,
59 : MACTIME_N_NEXT,
60 : } mactime_next_t;
61 :
62 : /* packet trace format function */
63 : static u8 *
64 0 : format_mactime_trace (u8 * s, va_list * args)
65 : {
66 0 : CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
67 0 : CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
68 0 : mactime_trace_t *t = va_arg (*args, mactime_trace_t *);
69 :
70 0 : s = format (s, "MACTIME: src mac %U device %s result %s\n",
71 0 : format_mac_address, t->src_mac,
72 0 : (t->device_index != ~0) ? t->device_name : (u8 *) "unknown",
73 0 : t->next_index == MACTIME_NEXT_DROP ? "drop" : "pass");
74 0 : return s;
75 : }
76 :
77 : static uword
78 0 : mactime_node_inline (vlib_main_t * vm,
79 : vlib_node_runtime_t * node, vlib_frame_t * frame,
80 : int is_tx)
81 : {
82 : u32 n_left_from, *from, *to_next;
83 : mactime_next_t next_index;
84 0 : mactime_main_t *mm = &mactime_main;
85 : mactime_device_t *dp;
86 : clib_bihash_kv_8_8_t kv;
87 0 : clib_bihash_8_8_t *lut = &mm->lookup_table;
88 0 : u32 packets_ok = 0;
89 : f64 now;
90 0 : u32 thread_index = vm->thread_index;
91 0 : vnet_main_t *vnm = vnet_get_main ();
92 0 : vnet_interface_main_t *im = &vnm->interface_main;
93 0 : u8 arc = im->output_feature_arc_index;
94 : vnet_feature_config_main_t *fcm;
95 :
96 0 : if (is_tx)
97 0 : fcm = vnet_feature_get_config_main (arc);
98 :
99 0 : now = clib_timebase_now (&mm->timebase);
100 :
101 0 : if (PREDICT_FALSE ((now - mm->sunday_midnight) > 86400.0 * 7.0))
102 0 : mm->sunday_midnight = clib_timebase_find_sunday_midnight (now);
103 :
104 0 : from = vlib_frame_vector_args (frame);
105 0 : n_left_from = frame->n_vectors;
106 0 : next_index = node->cached_next_index;
107 :
108 0 : while (n_left_from > 0)
109 : {
110 : u32 n_left_to_next;
111 :
112 0 : vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
113 :
114 0 : while (n_left_from > 0 && n_left_to_next > 0)
115 : {
116 : u32 bi0;
117 : vlib_buffer_t *b0;
118 : u32 next0;
119 : u32 device_index0;
120 : u32 len0;
121 : ethernet_header_t *en0;
122 0 : int has_dynamic_range_allow = 0;
123 : int i;
124 :
125 : /* speculatively enqueue b0 to the current next frame */
126 0 : bi0 = from[0];
127 0 : to_next[0] = bi0;
128 0 : from += 1;
129 0 : to_next += 1;
130 0 : n_left_from -= 1;
131 0 : n_left_to_next -= 1;
132 :
133 0 : b0 = vlib_get_buffer (vm, bi0);
134 :
135 : /* Set next0 to e.g. interface-tx */
136 0 : if (is_tx)
137 0 : vnet_get_config_data (&fcm->config_main,
138 : &b0->current_config_index, &next0,
139 : /* # bytes of config data */ 0);
140 : else
141 0 : next0 = MACTIME_NEXT_ETHERNET_INPUT;
142 :
143 0 : vlib_buffer_advance (b0, -(word) vnet_buffer (b0)->l2_hdr_offset);
144 :
145 0 : len0 = vlib_buffer_length_in_chain (vm, b0);
146 0 : en0 = vlib_buffer_get_current (b0);
147 0 : kv.key = 0;
148 0 : if (is_tx)
149 0 : clib_memcpy_fast (&kv.key, en0->dst_address, 6);
150 : else
151 0 : clib_memcpy_fast (&kv.key, en0->src_address, 6);
152 :
153 : /* Lookup the src/dst mac address */
154 0 : if (clib_bihash_search_8_8 (lut, &kv, &kv) < 0)
155 : {
156 : /* Create a table entry... */
157 0 : mactime_send_create_entry_message
158 : (is_tx ? en0->dst_address : en0->src_address);
159 :
160 : /* and let this packet pass */
161 0 : device_index0 = ~0;
162 0 : dp = 0;
163 0 : packets_ok++;
164 0 : goto trace0;
165 : }
166 : else
167 0 : device_index0 = kv.value;
168 :
169 0 : dp = pool_elt_at_index (mm->devices, device_index0);
170 :
171 : /* Known device, check for an always-on traffic quota */
172 0 : if ((dp->flags & MACTIME_DEVICE_FLAG_DYNAMIC_ALLOW)
173 0 : && PREDICT_FALSE (dp->data_quota))
174 : {
175 : vlib_counter_t device_current_count;
176 0 : vlib_get_combined_counter (&mm->allow_counters,
177 0 : dp - mm->devices,
178 : &device_current_count);
179 0 : if (device_current_count.bytes >= dp->data_quota)
180 : {
181 0 : next0 = MACTIME_NEXT_DROP;
182 0 : b0->error = node->errors[MACTIME_ERROR_QUOTA_DROP];
183 0 : vlib_increment_combined_counter
184 0 : (&mm->drop_counters, thread_index, dp - mm->devices, 1,
185 : len0);
186 0 : goto trace0;
187 : }
188 : }
189 :
190 : /* Static drop / allow? */
191 0 : if (PREDICT_FALSE
192 : (dp->flags &
193 : (MACTIME_DEVICE_FLAG_STATIC_DROP
194 : | MACTIME_DEVICE_FLAG_STATIC_ALLOW)))
195 : {
196 0 : if (dp->flags & MACTIME_DEVICE_FLAG_STATIC_DROP)
197 : {
198 0 : next0 = MACTIME_NEXT_DROP;
199 0 : b0->error = node->errors[MACTIME_ERROR_STATIC_DROP];
200 0 : vlib_increment_combined_counter
201 0 : (&mm->drop_counters, thread_index, dp - mm->devices, 1,
202 : len0);
203 : }
204 : else /* note next0 set to allow */
205 : {
206 : /*
207 : * Special-case mini-ACL for a certain species of
208 : * home security DVR which likes to "call home."
209 : */
210 0 : if (PREDICT_FALSE
211 : (dp->flags & MACTIME_DEVICE_FLAG_DROP_UDP_10001))
212 : {
213 0 : ip4_header_t *ip = (void *) (((u8 *) en0) + 14);
214 0 : udp_header_t *udp = (udp_header_t *) (ip + 1);
215 0 : if (ip->protocol != IP_PROTOCOL_UDP)
216 0 : goto pass;
217 0 : if (clib_net_to_host_u16 (udp->dst_port) == 10001 ||
218 0 : clib_net_to_host_u16 (udp->dst_port) == 9603)
219 : {
220 0 : next0 = MACTIME_NEXT_DROP;
221 0 : b0->error = node->errors[MACTIME_ERROR_DROP_10001];
222 : }
223 : else
224 0 : goto pass;
225 : }
226 : else
227 : {
228 0 : pass:
229 0 : vlib_increment_combined_counter
230 0 : (&mm->allow_counters, thread_index, dp - mm->devices,
231 : 1, len0);
232 0 : packets_ok++;
233 : }
234 : }
235 0 : goto trace0;
236 : }
237 :
238 : /* Known device, see if traffic allowed at the moment */
239 0 : for (i = 0; i < vec_len (dp->ranges); i++)
240 : {
241 0 : clib_timebase_range_t *r = dp->ranges + i;
242 : f64 start0, end0;
243 :
244 0 : start0 = r->start + mm->sunday_midnight;
245 0 : end0 = r->end + mm->sunday_midnight;
246 0 : if (dp->flags & MACTIME_DEVICE_FLAG_DYNAMIC_ALLOW_QUOTA)
247 0 : has_dynamic_range_allow = 1;
248 :
249 : /* Packet within time range */
250 0 : if (now >= start0 && now <= end0)
251 : {
252 : /* And it's a drop range, drop it */
253 0 : if (dp->flags & MACTIME_DEVICE_FLAG_DYNAMIC_DROP)
254 : {
255 0 : vlib_increment_combined_counter
256 : (&mm->drop_counters, thread_index,
257 0 : dp - mm->devices, 1, len0);
258 0 : next0 = MACTIME_NEXT_DROP;
259 0 : b0->error = node->errors[MACTIME_ERROR_RANGE_DROP];
260 0 : goto trace0;
261 : }
262 : /* Quota-check allow range? */
263 0 : else if (has_dynamic_range_allow)
264 : {
265 0 : if (dp->data_used_in_range + len0 >= dp->data_quota)
266 : {
267 0 : next0 = MACTIME_NEXT_DROP;
268 0 : b0->error = node->errors[MACTIME_ERROR_QUOTA_DROP];
269 0 : vlib_increment_combined_counter
270 : (&mm->drop_counters, thread_index,
271 0 : dp - mm->devices, 1, len0);
272 0 : goto trace0;
273 : }
274 : else
275 : {
276 0 : dp->data_used_in_range += len0;
277 0 : goto allow0;
278 : }
279 : }
280 : else
281 : { /* it's an allow range, allow it */
282 0 : allow0:
283 0 : vlib_increment_combined_counter
284 : (&mm->allow_counters, thread_index,
285 0 : dp - mm->devices, 1, len0);
286 0 : packets_ok++;
287 0 : goto trace0;
288 : }
289 : }
290 : }
291 : /*
292 : * Didn't hit a range, so *drop* if allow configured, or
293 : * *allow* if drop configured.
294 : */
295 0 : if (dp->flags & MACTIME_DEVICE_FLAG_DYNAMIC_ALLOW)
296 : {
297 0 : next0 = MACTIME_NEXT_DROP;
298 0 : b0->error = node->errors[MACTIME_ERROR_STATIC_DROP];
299 0 : vlib_increment_combined_counter
300 0 : (&mm->drop_counters, thread_index, dp - mm->devices, 1, len0);
301 : }
302 : else /* DYNAMIC_DROP, DYNAMIC_RANGE_ALLOW_QUOTA */
303 : {
304 0 : vlib_increment_combined_counter
305 0 : (&mm->allow_counters, thread_index, dp - mm->devices, 1,
306 : len0);
307 : /* Clear the data quota accumulater */
308 0 : dp->data_used_in_range = 0;
309 0 : packets_ok++;
310 : }
311 :
312 0 : trace0:
313 0 : if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
314 : && (b0->flags & VLIB_BUFFER_IS_TRACED)))
315 : {
316 0 : mactime_trace_t *t = vlib_add_trace (vm, node, b0, sizeof (*t));
317 0 : clib_memcpy_fast (t->src_mac, en0->src_address,
318 : sizeof (t->src_mac));
319 :
320 0 : t->next_index = next0;
321 0 : t->device_index = device_index0;
322 :
323 0 : if (dp)
324 : {
325 0 : clib_memcpy_fast (t->device_name, dp->device_name,
326 : ARRAY_LEN (t->device_name));
327 0 : t->device_name[ARRAY_LEN (t->device_name) - 1] = 0;
328 : }
329 : }
330 :
331 : /* verify speculative enqueue, maybe switch current next frame */
332 0 : vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
333 : to_next, n_left_to_next,
334 : bi0, next0);
335 : }
336 :
337 0 : vlib_put_next_frame (vm, node, next_index, n_left_to_next);
338 : }
339 :
340 0 : vlib_node_increment_counter (vm, node->node_index,
341 : MACTIME_ERROR_OK, packets_ok);
342 0 : return frame->n_vectors;
343 : }
344 :
345 : static uword
346 0 : mactime_node_fn (vlib_main_t * vm,
347 : vlib_node_runtime_t * node, vlib_frame_t * frame)
348 : {
349 0 : return mactime_node_inline (vm, node, frame, 0 /* is_tx */ );
350 : }
351 :
352 : /* *INDENT-OFF* */
353 84024 : VLIB_REGISTER_NODE (mactime_node) =
354 : {
355 : .function = mactime_node_fn,
356 : .name = "mactime",
357 : .vector_size = sizeof (u32),
358 : .format_trace = format_mactime_trace,
359 : .type = VLIB_NODE_TYPE_INTERNAL,
360 :
361 : .n_errors = ARRAY_LEN(mactime_error_strings),
362 : .error_strings = mactime_error_strings,
363 :
364 : .n_next_nodes = MACTIME_N_NEXT,
365 :
366 : /* edit / add dispositions here */
367 : .next_nodes =
368 : {
369 : [MACTIME_NEXT_ETHERNET_INPUT] = "ethernet-input",
370 : [MACTIME_NEXT_DROP] = "error-drop",
371 : },
372 : };
373 : /* *INDENT-ON* */
374 :
375 : static uword
376 0 : mactime_tx_node_fn (vlib_main_t * vm,
377 : vlib_node_runtime_t * node, vlib_frame_t * frame)
378 : {
379 0 : return mactime_node_inline (vm, node, frame, 1 /* is_tx */ );
380 : }
381 :
382 : /* *INDENT-OFF* */
383 84024 : VLIB_REGISTER_NODE (mactime_tx_node) =
384 : {
385 : .function = mactime_tx_node_fn,
386 : .name = "mactime-tx",
387 : .vector_size = sizeof (u32),
388 : .format_trace = format_mactime_trace,
389 : .type = VLIB_NODE_TYPE_INTERNAL,
390 :
391 : .n_errors = ARRAY_LEN(mactime_error_strings),
392 : .error_strings = mactime_error_strings,
393 :
394 : .n_next_nodes = MACTIME_N_NEXT,
395 :
396 : /* edit / add dispositions here */
397 : .next_nodes =
398 : {
399 : [MACTIME_NEXT_DROP] = "error-drop",
400 : [MACTIME_NEXT_ETHERNET_INPUT] = "ethernet-input", /* notused */
401 : },
402 : };
403 : /* *INDENT-ON* */
404 :
405 : /*
406 : * fd.io coding-style-patch-verification: ON
407 : *
408 : * Local Variables:
409 : * eval: (c-set-style "gnu")
410 : * End:
411 : */
|
