2 * gbp.h : Group Based Policy
4 * Copyright (c) 2018 Cisco and/or its affiliates.
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
9 * http://www.apache.org/licenses/LICENSE-2.0
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
18 #include <plugins/gbp/gbp.h>
19 #include <plugins/gbp/gbp_bridge_domain.h>
20 #include <plugins/gbp/gbp_route_domain.h>
21 #include <plugins/gbp/gbp_policy_dpo.h>
22 #include <plugins/gbp/gbp_contract.h>
24 #include <vnet/dpo/load_balance.h>
25 #include <vnet/dpo/drop_dpo.h>
27 char *gbp_contract_error_strings[] = {
28 #define _(sym,string) string,
29 foreach_gbp_contract_error
34 * Single contract DB instance
36 gbp_contract_db_t gbp_contract_db;
38 gbp_contract_t *gbp_contract_pool;
40 vlib_log_class_t gc_logger;
42 fib_node_type_t gbp_next_hop_fib_type;
44 gbp_rule_t *gbp_rule_pool;
45 gbp_next_hop_t *gbp_next_hop_pool;
/* File-local debug logging: every message goes to the "gbp"/"con" log class
 * registered in gbp_contract_init at notice level.
 * NOTE(review): the expansion already ends in ';', so a use such as
 * `if (x) GBP_CONTRACT_DBG (...); else ...` expands to `;;` and breaks the
 * else. Dropping the trailing ';' from the macro body and relying on the
 * caller's semicolon is the usual fix. */
47 #define GBP_CONTRACT_DBG(...) \
48 vlib_log_notice (gc_logger, __VA_ARGS__);
50 /* Adjacency packet/byte counters indexed by adjacency index. */
51 vlib_combined_counter_main_t gbp_contract_permit_counters = {
52 .name = "gbp-contracts-permit",
53 .stat_segment_name = "/net/gbp/contract/permit",
56 vlib_combined_counter_main_t gbp_contract_drop_counters = {
57 .name = "gbp-contracts-drop",
58 .stat_segment_name = "/net/gbp/contract/drop",
/*
 * Allocate a zeroed rule from gbp_rule_pool, record its action and hash
 * mode, and return the rule's pool index.
 * (The return-type line and the local declaration of `gu` are not in this
 * excerpt.)
 *
 * @param action    forwarding action the rule applies
 * @param hash_mode load-balance hash mode; only consulted for REDIRECT rules
 *                  (see gbp_contract_mk_lb / format_gbp_rule)
 * @param nhs       vector of next-hop indices; presumably stored on the rule,
 *                  but that assignment is not visible here — confirm
 * @return index of the new rule in gbp_rule_pool
 */
62 gbp_rule_alloc (gbp_rule_action_t action,
63 gbp_hash_mode_t hash_mode, index_t * nhs)
67 pool_get_zero (gbp_rule_pool, gu);
69 gu->gu_hash_mode = hash_mode;
71 gu->gu_action = action;
/* Pool index is the element's offset from the pool base. */
73 return (gu - gbp_rule_pool);
/*
 * Allocate a zeroed next hop from gbp_next_hop_pool, initialise it as a
 * FIB graph node of type gbp_next_hop_fib_type, copy in the IP and MAC
 * addresses and mark every per-protocol adjacency as not yet created.
 * (The return-type line and the storing of `grd`/`gbd` on the element are
 * not visible in this excerpt — confirm they are recorded as gnh_rd/gnh_bd.)
 *
 * @param ip   IPv4/IPv6 address of the next hop (copied)
 * @param grd  route-domain index the next hop belongs to
 * @param mac  MAC address of the next hop (copied)
 * @param gbd  bridge-domain index the next hop belongs to
 * @return index of the new next hop in gbp_next_hop_pool
 */
77 gbp_next_hop_alloc (const ip46_address_t * ip,
78 index_t grd, const mac_address_t * mac, index_t gbd)
80 fib_protocol_t fproto;
83 pool_get_zero (gbp_next_hop_pool, gnh);
/* Register with the FIB graph so adjacency changes can back-walk to us
 * (see gbp_next_hop_vft / gbp_next_hop_back_walk_notify). */
85 fib_node_init (&gnh->gnh_node, gbp_next_hop_fib_type);
87 ip46_address_copy (&gnh->gnh_ip, ip);
88 mac_address_copy (&gnh->gnh_mac, mac);
/* Adjacencies are created lazily by gbp_contract_mk_adj; INDEX_INVALID
 * until then. */
93 FOR_EACH_FIB_IP_PROTOCOL (fproto) gnh->gnh_ai[fproto] = INDEX_INVALID;
95 return (gnh - gbp_next_hop_pool);
/*
 * Look up a next hop by pool index.
 * No liveness or bounds check is visible here beyond what pool_elt_at_index
 * itself does, so callers must only pass indices obtained from
 * gbp_next_hop_alloc that have not been released.
 */
98 static inline gbp_next_hop_t *
99 gbp_next_hop_get (index_t gui)
101 return (pool_elt_at_index (gbp_next_hop_pool, gui));
/*
 * Release everything a vector of rules holds: the per-policy-node /
 * per-protocol DPOs built by gbp_contract_mk_lb, and for each next hop its
 * references on the bridge domain, route domain and endpoint plus the
 * neighbour adjacencies built by gbp_contract_mk_adj.
 *
 * @param rules vector of rule indices into gbp_rule_pool
 *
 * NOTE(review): returning the gbp_next_hop_pool and gbp_rule_pool elements
 * (and freeing gu_nhs) is not visible in this excerpt; confirm it happens
 * after the unlocks, otherwise every contract update/delete leaks pool
 * elements.
 */
105 gbp_contract_rules_free (index_t * rules)
109 vec_foreach (gui, rules)
111 gbp_policy_node_t pnode;
112 fib_protocol_t fproto;
116 gu = gbp_rule_get (*gui);
118 FOR_EACH_GBP_POLICY_NODE (pnode)
120 FOR_EACH_FIB_IP_PROTOCOL (fproto)
/* Drop the load-balance DPO for this (policy node, protocol) pair. */
122 dpo_reset (&gu->gu_dpo[pnode][fproto]);
/* NOTE(review): identical to the line above; the repeated reset appears
 * redundant and can be removed once confirmed to be a no-op. */
123 dpo_reset (&gu->gu_dpo[pnode][fproto]);
127 vec_foreach (gnhi, gu->gu_nhs)
129 fib_protocol_t fproto;
131 gnh = gbp_next_hop_get (*gnhi);
/* Release the next hop's references on its domains and on the endpoint
 * that gbp_contract_next_hop_resolve sourced and locked. */
132 gbp_bridge_domain_unlock (gnh->gnh_bd);
133 gbp_route_domain_unlock (gnh->gnh_rd);
134 gbp_endpoint_child_remove (gnh->gnh_ge, gnh->gnh_sibling);
135 gbp_endpoint_unlock (GBP_ENDPOINT_SRC_RR, gnh->gnh_ge);
/* Release the per-protocol adjacencies held in gnh_ai[]. */
137 FOR_EACH_FIB_IP_PROTOCOL (fproto)
139 adj_unlock (gnh->gnh_ai[fproto]);
/*
 * Format a next hop as "<mac>, <bridge-domain>, <ip> EP:<endpoint index>".
 *
 * @param s    output string being built
 * @param args single index_t: next-hop index into gbp_next_hop_pool
 * @return the extended string
 */
147 format_gbp_next_hop (u8 * s, va_list * args)
149 index_t gnhi = va_arg (*args, index_t);
152 gnh = gbp_next_hop_get (gnhi);
154 s = format (s, "%U, %U, %U EP:%d",
155 format_mac_address_t, &gnh->gnh_mac,
156 format_gbp_bridge_domain, gnh->gnh_bd,
157 format_ip46_address, &gnh->gnh_ip, IP46_TYPE_ANY, gnh->gnh_ge);
/*
 * Format a gbp_rule_action_t as its string name; the case labels are
 * generated from foreach_gbp_rule_action (the switch and #undef lines are
 * not in this excerpt). Values outside the enumeration print "unknown".
 *
 * @param args single gbp_rule_action_t
 */
163 format_gbp_rule_action (u8 * s, va_list * args)
165 gbp_rule_action_t action = va_arg (*args, gbp_rule_action_t);
169 #define _(v,a) case GBP_RULE_##v: return (format (s, "%s", a));
170 foreach_gbp_rule_action
174 return (format (s, "unknown"));
/*
 * Format a gbp_hash_mode_t as its string name; the case labels are
 * generated from foreach_gbp_hash_mode (the switch and #undef lines are not
 * in this excerpt). Values outside the enumeration print "unknown".
 *
 * @param args single gbp_hash_mode_t
 */
178 format_gbp_hash_mode (u8 * s, va_list * args)
180 gbp_hash_mode_t hash_mode = va_arg (*args, gbp_hash_mode_t);
184 #define _(v,a) case GBP_HASH_MODE_##v: return (format (s, "%s", a));
185 foreach_gbp_hash_mode
189 return (format (s, "unknown"));
/*
 * Format a gbp_policy_node_t as its string name; the case labels are
 * generated from foreach_gbp_policy_node (the switch and #undef lines are
 * not in this excerpt). Values outside the enumeration print "unknown".
 *
 * @param args single gbp_policy_node_t
 *
 * Style: the local is named `action` although it holds a policy node;
 * `pnode` would match the rest of the file.
 */
193 format_gbp_policy_node (u8 * s, va_list * args)
195 gbp_policy_node_t action = va_arg (*args, gbp_policy_node_t);
199 #define _(v,a) case GBP_POLICY_NODE_##v: return (format (s, "%s", a));
200 foreach_gbp_policy_node
204 return (format (s, "unknown"));
/*
 * Format one rule: its action, then for REDIRECT rules the hash mode and
 * each next hop, and finally every valid per-policy-node / per-protocol DPO
 * with its stacked children.
 *
 * @param args single index_t: rule index into gbp_rule_pool
 * @return the extended string
 */
208 format_gbp_rule (u8 * s, va_list * args)
210 index_t gui = va_arg (*args, index_t);
211 gbp_policy_node_t pnode;
212 fib_protocol_t fproto;
216 gu = gbp_rule_get (gui);
217 s = format (s, "%U", format_gbp_rule_action, gu->gu_action);
219 switch (gu->gu_action)
/* PERMIT (and the cases on the lines not shown) add nothing further. */
221 case GBP_RULE_PERMIT:
/* Only REDIRECT rules carry a hash mode and next hops. */
224 case GBP_RULE_REDIRECT:
225 s = format (s, ", %U", format_gbp_hash_mode, gu->gu_hash_mode);
229 vec_foreach (gnhi, gu->gu_nhs)
231 s = format (s, "\n [%U]", format_gbp_next_hop, *gnhi);
/* DPOs are created lazily by gbp_contract_mk_lb, so skip invalid slots. */
234 FOR_EACH_GBP_POLICY_NODE (pnode)
236 s = format (s, "\n policy-%U", format_gbp_policy_node, pnode);
238 FOR_EACH_FIB_IP_PROTOCOL (fproto)
240 if (dpo_id_is_valid (&gu->gu_dpo[pnode][fproto]))
/* Indent level 8 for the nested DPO dump; the `s =` line precedes this. */
243 format (s, "\n %U", format_dpo_id,
244 &gu->gu_dpo[pnode][fproto], 8);
/*
 * (Re)build the neighbour adjacency a next hop uses for one IP protocol.
 * Builds an Ethernet rewrite (type chosen from fproto, source = the route
 * domain's local MAC, destination = the next hop's MAC) and obtains an
 * adjacency on the endpoint's interface, storing it in gnh_ai[fproto].
 *
 * The previous adjacency index is saved in `old_ai` first; its unlock, the
 * remainder of the adj_nbr_add_or_lock_w_rewrite call and the function's
 * tail are not in this excerpt — confirm old_ai is released after the new
 * adjacency is locked so a rebuild does not leak the old one.
 * The `rewrite` vector is presumably consumed by the adjacency call and must
 * not be freed here — confirm.
 *
 * @param gnh    next hop to (re)build the adjacency for
 * @param fproto FIB_PROTOCOL_IP4 or FIB_PROTOCOL_IP6
 */
253 gbp_contract_mk_adj (gbp_next_hop_t * gnh, fib_protocol_t fproto)
255 ethernet_header_t *eth;
260 old_ai = gnh->gnh_ai[fproto];
/* Size the rewrite to exactly one Ethernet header. */
262 vec_validate (rewrite, sizeof (*eth) - 1);
263 eth = (ethernet_header_t *) rewrite;
265 GBP_CONTRACT_DBG ("...mk-adj: %U", format_gbp_next_hop,
266 gnh - gbp_next_hop_pool);
268 ge = gbp_endpoint_get (gnh->gnh_ge);
270 eth->type = clib_host_to_net_u16 ((fproto == FIB_PROTOCOL_IP4 ?
271 ETHERNET_TYPE_IP4 : ETHERNET_TYPE_IP6));
272 mac_address_to_bytes (gbp_route_domain_get_local_mac (), eth->src_address);
273 mac_address_to_bytes (&gnh->gnh_mac, eth->dst_address);
275 gnh->gnh_ai[fproto] =
276 adj_nbr_add_or_lock_w_rewrite (fproto,
277 fib_proto_to_link (fproto),
279 gbp_itf_get_sw_if_index (ge->
/*
 * Map a rule's hash mode onto the flow-hash configuration used when the
 * load balance is created (gbp_contract_mk_lb).
 * No default label is visible; what is returned for other modes is on lines
 * not in this excerpt — confirm.
 *
 * @param gu_hash_mode hash mode stored on the rule
 * @return flow-hash flags for load_balance_create
 */
286 static flow_hash_config_t
287 gbp_contract_mk_lb_hp (gbp_hash_mode_t gu_hash_mode)
289 switch (gu_hash_mode)
291 case GBP_HASH_MODE_SRC_IP:
292 return IP_FLOW_HASH_SRC_ADDR;
293 case GBP_HASH_MODE_DST_IP:
294 return IP_FLOW_HASH_DST_ADDR;
/* Symmetric: same bucket for both directions of a flow. */
295 case GBP_HASH_MODE_SYMMETRIC:
296 return (IP_FLOW_HASH_SRC_ADDR | IP_FLOW_HASH_DST_ADDR |
297 IP_FLOW_HASH_PROTO | IP_FLOW_HASH_SYMMETRIC);
/*
 * Build (or refresh) the load-balance DPO of a REDIRECT rule for one IP
 * protocol, one per policy node. Each next hop becomes an equal-weight
 * adjacency path; on first use the load balance is created and stacked on
 * the policy node, afterwards its path set is updated in place.
 * Non-REDIRECT rules return early (the return itself is on a line not
 * shown). Freeing of the local `paths` vector is also not visible here.
 *
 * NOTE(review): vec_len() is unsigned, so a REDIRECT rule whose gu_nhs is
 * empty makes `vec_len (gu->gu_nhs) - 1` wrap and asks vec_validate for an
 * enormous vector; a zero-next-hop REDIRECT rule should be rejected before
 * it reaches this function.
 * NOTE(review): adjacencies for both IPv4 and IPv6 are rebuilt on every
 * call regardless of `fproto`, so gbp_contract_mk_one_lb does that work
 * twice per rule.
 *
 * @param gui    rule index into gbp_rule_pool
 * @param fproto FIB_PROTOCOL_IP4 or FIB_PROTOCOL_IP6
 */
304 gbp_contract_mk_lb (index_t gui, fib_protocol_t fproto)
306 load_balance_path_t *paths = NULL;
307 gbp_policy_node_t pnode;
/* Graph node each policy node's DPO stacks on, indexed by gbp_policy_node_t. */
313 u32 policy_nodes[] = {
314 [GBP_POLICY_NODE_L2] = gbp_policy_port_node.index,
315 [GBP_POLICY_NODE_IP4] = ip4_gbp_policy_dpo_node.index,
316 [GBP_POLICY_NODE_IP6] = ip6_gbp_policy_dpo_node.index,
319 GBP_CONTRACT_DBG ("..mk-lb: %U", format_gbp_rule, gui);
321 gu = gbp_rule_get (gui);
322 dproto = fib_proto_to_dpo (fproto);
/* Only REDIRECT rules have a load balance. */
324 if (GBP_RULE_REDIRECT != gu->gu_action)
/* Make sure every next hop has adjacencies before they are referenced. */
327 vec_foreach_index (ii, gu->gu_nhs)
329 gnh = gbp_next_hop_get (gu->gu_nhs[ii]);
331 gbp_contract_mk_adj (gnh, FIB_PROTOCOL_IP4);
332 gbp_contract_mk_adj (gnh, FIB_PROTOCOL_IP6);
335 FOR_EACH_GBP_POLICY_NODE (pnode)
/* One path per next hop; see the wrap-around note above for empty gu_nhs. */
337 vec_validate (paths, vec_len (gu->gu_nhs) - 1);
339 vec_foreach_index (ii, gu->gu_nhs)
341 gnh = gbp_next_hop_get (gu->gu_nhs[ii]);
343 paths[ii].path_index = FIB_NODE_INDEX_INVALID;
344 paths[ii].path_weight = 1;
345 dpo_set (&paths[ii].path_dpo, DPO_ADJACENCY,
346 dproto, gnh->gnh_ai[fproto]);
/* First time through: create the LB and stack it on the policy node. */
349 if (!dpo_id_is_valid (&gu->gu_dpo[pnode][fproto]))
351 dpo_id_t dpo = DPO_INVALID;
353 dpo_set (&dpo, DPO_LOAD_BALANCE, dproto,
354 load_balance_create (vec_len (paths),
356 gbp_contract_mk_lb_hp
357 (gu->gu_hash_mode)));
358 dpo_stack_from_node (policy_nodes[pnode], &gu->gu_dpo[pnode][fproto],
/* Existing LB: replace its path set with the freshly built one. */
363 load_balance_multipath_update (&gu->gu_dpo[pnode][fproto],
364 paths, LOAD_BALANCE_FLAG_NONE);
/*
 * Build the load balances of one rule for both IP protocols.
 *
 * @param gui rule index into gbp_rule_pool
 */
370 gbp_contract_mk_one_lb (index_t gui)
372 gbp_contract_mk_lb (gui, FIB_PROTOCOL_IP4);
373 gbp_contract_mk_lb (gui, FIB_PROTOCOL_IP6);
/*
 * Resolve one next hop of a rule: source (and lock) an endpoint for the
 * next hop's IP/MAC in its bridge domain via the BD's unknown-unicast
 * forwarding interface, then register the next hop as a child of that
 * endpoint so endpoint changes back-walk into gbp_contract_mk_one_lb.
 *
 * NOTE(review): `rv` from gbp_endpoint_update_and_lock is not checked on
 * the visible lines; if the lines not shown do not bail out on failure,
 * gnh_ge may be invalid when gbp_endpoint_child_add is called — confirm.
 * Freeing of the local `ips` vector is also not visible here.
 *
 * @param gui  rule index (used for logging and, presumably, stored as gnh_gu
 *             on a line not shown — confirm)
 * @param gnhi next-hop index into gbp_next_hop_pool
 */
377 gbp_contract_next_hop_resolve (index_t gui, index_t gnhi)
379 gbp_bridge_domain_t *gbd;
385 gnh = gbp_next_hop_get (gnhi);
386 gbd = gbp_bridge_domain_get (gnh->gnh_bd);
389 vec_add1 (ips, gnh->gnh_ip);
392 * source the endpoint this contract needs to forward via.
393 * give forwarding details via the spine proxy. if this EP is known
394 * to us, then since we source here with a low priority, the learned
395 * info will take precedence.
397 rv = gbp_endpoint_update_and_lock (GBP_ENDPOINT_SRC_RR,
398 gbd->gb_uu_fwd_sw_if_index,
401 gnh->gnh_bd, gnh->gnh_rd, SCLASS_INVALID,
402 GBP_ENDPOINT_FLAG_NONE, NULL, NULL,
/* Remember the child handle so gbp_contract_rules_free can detach us. */
407 gnh->gnh_sibling = gbp_endpoint_child_add (gnh->gnh_ge,
408 gbp_next_hop_fib_type, gnhi);
411 GBP_CONTRACT_DBG ("..resolve: %d: %d: %U", gui, gnhi, format_gbp_next_hop,
/*
 * Resolve every next hop of one rule (see gbp_contract_next_hop_resolve).
 *
 * @param gui rule index into gbp_rule_pool
 */
419 gbp_contract_rule_resolve (index_t gui)
424 gu = gbp_rule_get (gui);
426 GBP_CONTRACT_DBG ("..resolve: %U", format_gbp_rule, gui);
428 vec_foreach (gnhi, gu->gu_nhs)
430 gbp_contract_next_hop_resolve (gui, *gnhi);
/*
 * Resolve the next hops of every rule in a contract's rule vector.
 *
 * @param guis vector of rule indices (may be NULL/empty; the loop then does
 *             nothing)
 */
435 gbp_contract_resolve (index_t * guis)
439 vec_foreach (gui, guis)
441 gbp_contract_rule_resolve (*gui);
/*
 * Build the load balances of every rule in a contract's rule vector, for
 * both IP protocols. Must run after gbp_contract_resolve so the next hops
 * have endpoints to build adjacencies on.
 *
 * @param guis vector of rule indices (may be NULL/empty)
 */
446 gbp_contract_mk_lbs (index_t * guis)
450 vec_foreach (gui, guis)
452 gbp_contract_mk_one_lb (*gui);
/*
 * Create or replace the contract keyed by (scope, sclass, dclass).
 * The rest of the parameter list (sclass, dclass, acl_index, rules) and the
 * key initialiser are on lines not in this excerpt.
 *
 * On first use the plugin registers itself with the ACL plugin. If a
 * contract with this key exists, its old rules, ACL lookup context and
 * ethertype vector are released and the entry is reused; otherwise a zeroed
 * entry is allocated, hashed, and its permit/drop counters validated and
 * zeroed. The new rules are then resolved, their load balances built, and
 * the contract's single ACL installed in a fresh lookup context.
 *
 * Ownership: the `rules` and `allowed_ethertypes` vectors are stored on the
 * contract as-is (freed later by gbp_contract_rules_free / vec_free), so
 * the caller must not free them.
 *
 * NOTE(review): the return value of set_acl_vec_for_context is discarded,
 * so an acl_index the ACL plugin rejects is not reported from here —
 * confirm where acl_index is validated. Freeing of the local `acl_vec` is
 * not visible in this excerpt either.
 * NOTE(review): the debug line below logs the contract before gc_rules is
 * replaced; on the reuse path that formats rules which were just released.
 * Either clear gc_rules when they are freed or move the log after the
 * assignments.
 *
 * @param scope              contract scope (part of the key)
 * @param allowed_ethertypes vector of ethertypes in network byte order
 *                           (see format_gbp_contract), ownership transferred
 * @param stats_index        out: presumably set to the contract index on a
 *                           line not shown — confirm
 */
457 gbp_contract_update (gbp_scope_t scope,
462 u16 * allowed_ethertypes, u32 * stats_index)
464 gbp_main_t *gm = &gbp_main;
470 gbp_contract_key_t key = {
/* Lazy one-time registration with the ACL plugin. */
476 if (~0 == gm->gbp_acl_user_id)
478 acl_plugin_exports_init (&gm->acl_plugin);
479 gm->gbp_acl_user_id =
480 gm->acl_plugin.register_user_module ("GBP ACL", "src-epg", "dst-epg");
483 p = hash_get (gbp_contract_db.gc_hash, key.as_u64);
/* Existing contract: tear down what the previous update installed. */
487 gc = gbp_contract_get (gci);
488 gbp_contract_rules_free (gc->gc_rules);
489 gbp_main.acl_plugin.put_lookup_context_index (gc->gc_lc_index);
491 vec_free (gc->gc_allowed_ethertypes);
/* New contract: allocate, index by key, and reset its counters. */
495 pool_get_zero (gbp_contract_pool, gc);
497 gci = gc - gbp_contract_pool;
498 hash_set (gbp_contract_db.gc_hash, key.as_u64, gci);
500 vlib_validate_combined_counter (&gbp_contract_drop_counters, gci);
501 vlib_zero_combined_counter (&gbp_contract_drop_counters, gci);
502 vlib_validate_combined_counter (&gbp_contract_permit_counters, gci);
503 vlib_zero_combined_counter (&gbp_contract_permit_counters, gci);
/* See the ordering note in the header: logged before gc_rules is set. */
506 GBP_CONTRACT_DBG ("update: %U", format_gbp_contract, gci);
508 gc->gc_rules = rules;
509 gc->gc_allowed_ethertypes = allowed_ethertypes;
510 gbp_contract_resolve (gc->gc_rules);
511 gbp_contract_mk_lbs (gc->gc_rules);
/* Install the contract's ACL in a lookup context owned by this contract. */
513 gc->gc_acl_index = acl_index;
515 gm->acl_plugin.get_lookup_context_index (gm->gbp_acl_user_id,
518 vec_add1 (acl_vec, gc->gc_acl_index);
519 gm->acl_plugin.set_acl_vec_for_context (gc->gc_lc_index, acl_vec);
/*
 * Delete the contract keyed by (scope, sclass, dclass): release its rules,
 * return its ACL lookup context, free the ethertype vector, remove the hash
 * entry and return the element to gbp_contract_pool.
 *
 * NOTE(review): whether the gc_rules vector itself is freed (here or inside
 * gbp_contract_rules_free) is not visible in this excerpt — confirm, else
 * it leaks on every delete.
 *
 * @return VNET_API_ERROR_NO_SUCH_ENTRY when no such contract exists; the
 *         success return is on a line not shown (presumably 0)
 */
528 gbp_contract_delete (gbp_scope_t scope, sclass_t sclass, sclass_t dclass)
530 gbp_contract_key_t key = {
538 p = hash_get (gbp_contract_db.gc_hash, key.as_u64);
541 gc = gbp_contract_get (p[0]);
543 gbp_contract_rules_free (gc->gc_rules);
544 gbp_main.acl_plugin.put_lookup_context_index (gc->gc_lc_index);
545 vec_free (gc->gc_allowed_ethertypes);
547 hash_unset (gbp_contract_db.gc_hash, key.as_u64);
548 pool_put (gbp_contract_pool, gc);
/* Reached only when hash_get found no entry for the key. */
553 return (VNET_API_ERROR_NO_SUCH_ENTRY);
/*
 * Invoke `cb` with `ctx` for every contract in gbp_contract_pool.
 * The loop body (and how the callback's return value is treated) is on
 * lines not in this excerpt.
 */
557 gbp_contract_walk (gbp_contract_cb_t cb, void *ctx)
562 pool_foreach(gc, gbp_contract_pool,
/*
 * CLI handler for "gbp contract": parses add/del, scope, sclass, dclass and
 * acl-index, requires both classes, then calls gbp_contract_update (with no
 * rules and no ethertype list) or gbp_contract_delete.
 *
 * NOTE(review): `scope` has no initialiser and is passed to update/delete
 * even when no "scope" token was given — reading it is then undefined
 * behaviour; initialise it or reject the command when it is absent.
 * NOTE(review): unformat's "%d" stores a 32-bit value; if sclass_t is
 * narrower than 32 bits, "sclass %d"/"dclass %d" write past the variable on
 * the stack — parse into a u32 and range-check before narrowing. Confirm
 * the width of sclass_t. The same applies to gbp_contract_show.
 * NOTE(review): the return values of gbp_contract_update and
 * gbp_contract_delete are dropped, so "del" of a non-existent contract
 * (VNET_API_ERROR_NO_SUCH_ENTRY) reports success.
 * NOTE(review): the registered short_help advertises src-epg/dst-epg and
 * omits scope, while this parser accepts sclass/dclass/scope.
 */
570 static clib_error_t *
571 gbp_contract_cli (vlib_main_t * vm,
572 unformat_input_t * input, vlib_cli_command_t * cmd)
574 sclass_t sclass = SCLASS_INVALID, dclass = SCLASS_INVALID;
/* `scope` is left uninitialised — see the note above. */
575 u32 acl_index = ~0, stats_index, scope;
578 while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
580 if (unformat (input, "add"))
582 else if (unformat (input, "del"))
584 else if (unformat (input, "scope %d", &scope))
586 else if (unformat (input, "sclass %d", &sclass))
588 else if (unformat (input, "dclass %d", &dclass))
590 else if (unformat (input, "acl-index %d", &acl_index))
596 if (SCLASS_INVALID == sclass)
597 return clib_error_return (0, "Source EPG-ID must be specified");
598 if (SCLASS_INVALID == dclass)
599 return clib_error_return (0, "Destination EPG-ID must be specified");
/* CLI path creates a contract with an ACL only: no rules, no ethertypes. */
603 gbp_contract_update (scope, sclass, dclass, acl_index,
604 NULL, NULL, &stats_index);
608 gbp_contract_delete (scope, sclass, dclass);
615 * Configure a GBP Contract
618 * @cliexstart{set gbp contract [del] src-epg <ID> dst-epg <ID> acl-index <ACL>}
622 VLIB_CLI_COMMAND (gbp_contract_cli_node, static) =
624 .path = "gbp contract",
626 "gbp contract [del] src-epg <ID> dst-epg <ID> acl-index <ACL>",
627 .function = gbp_contract_cli,
/*
 * Format a contract key as "{scope,src,dst}".
 *
 * @param args single gbp_contract_key_t pointer
 */
632 format_gbp_contract_key (u8 * s, va_list * args)
634 gbp_contract_key_t *gck = va_arg (*args, gbp_contract_key_t *);
636 s = format (s, "{%d,%d,%d}", gck->gck_scope, gck->gck_src, gck->gck_dst);
/*
 * Format one contract: index, key and ACL index, then its rules, allowed
 * ethertypes (stored in network byte order, printed host-order in hex) and
 * the drop/permit packet:byte counters for this contract index.
 *
 * @param args single index_t: contract index into gbp_contract_pool
 * @return the extended string
 */
642 format_gbp_contract (u8 * s, va_list * args)
644 index_t gci = va_arg (*args, index_t);
645 vlib_counter_t counts;
650 gc = gbp_contract_get (gci);
652 s = format (s, "[%d] %U: acl-index:%d",
653 gci, format_gbp_contract_key, &gc->gc_key, gc->gc_acl_index);
655 s = format (s, "\n rules:");
656 vec_foreach (gui, gc->gc_rules)
658 s = format (s, "\n %d: %U", *gui, format_gbp_rule, *gui);
661 s = format (s, "\n allowed-ethertypes:");
662 s = format (s, "\n [");
663 vec_foreach (et, gc->gc_allowed_ethertypes)
/* Ethertypes are kept in network byte order; convert for display. */
665 int host_et = clib_net_to_host_u16 (*et);
667 s = format (s, "0x%x, ", host_et);
/* Counters are indexed by contract index (validated in gbp_contract_update). */
671 s = format (s, "\n stats:");
672 vlib_get_combined_counter (&gbp_contract_drop_counters, gci, &counts);
673 s = format (s, "\n drop:[%Ld:%Ld]", counts.packets, counts.bytes);
674 vlib_get_combined_counter (&gbp_contract_permit_counters, gci, &counts);
675 s = format (s, "\n permit:[%Ld:%Ld]", counts.packets, counts.bytes);
/*
 * CLI handler for "show gbp contract [src <SRC>] [dst <DST>]": lists every
 * contract, optionally filtered on source and/or destination class. The
 * filter does not consider scope.
 *
 * NOTE(review): `src`/`dst` are declared on lines not shown and set from
 * SCLASS_INVALID, so they are presumably sclass_t; unformat's "%d" stores a
 * 32-bit value, and if sclass_t is narrower that write overruns the
 * variable — parse into a u32 and range-check before narrowing (same issue
 * as gbp_contract_cli).
 * Style: the four output branches are one condition —
 * `(SCLASS_INVALID == src || gc->gc_key.gck_src == src) &&
 *  (SCLASS_INVALID == dst || gc->gc_key.gck_dst == dst)`.
 */
682 static clib_error_t *
683 gbp_contract_show (vlib_main_t * vm,
684 unformat_input_t * input, vlib_cli_command_t * cmd)
690 src = dst = SCLASS_INVALID;
692 while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
694 if (unformat (input, "src %d", &src))
696 else if (unformat (input, "dst %d", &dst))
702 vlib_cli_output (vm, "Contracts:");
705 pool_foreach (gc, gbp_contract_pool,
707 gci = gc - gbp_contract_pool;
/* Both filters given: match on both classes. */
709 if (SCLASS_INVALID != src && SCLASS_INVALID != dst)
711 if (gc->gc_key.gck_src == src &&
712 gc->gc_key.gck_dst == dst)
713 vlib_cli_output (vm, " %U", format_gbp_contract, gci);
/* Only a source filter. */
715 else if (SCLASS_INVALID != src)
717 if (gc->gc_key.gck_src == src)
718 vlib_cli_output (vm, " %U", format_gbp_contract, gci);
/* Only a destination filter. */
720 else if (SCLASS_INVALID != dst)
722 if (gc->gc_key.gck_dst == dst)
723 vlib_cli_output (vm, " %U", format_gbp_contract, gci);
/* No filter: print everything. */
726 vlib_cli_output (vm, " %U", format_gbp_contract, gci);
734 * Show Group Based Policy Contracts
737 * @cliexstart{show gbp contract}
741 VLIB_CLI_COMMAND (gbp_contract_show_node, static) = {
742 .path = "show gbp contract",
743 .short_help = "show gbp contract [src <SRC>] [dst <DST>]\n",
744 .function = gbp_contract_show,
/*
 * FIB graph vft: return the fib_node_t embedded in the next hop with the
 * given pool index.
 */
749 gbp_next_hop_get_node (fib_node_index_t index)
753 gnh = gbp_next_hop_get (index);
755 return (&gnh->gnh_node);
759 gbp_next_hop_last_lock_gone (fib_node_t * node)
/*
 * Recover the next hop from its embedded FIB graph node.
 * The plain cast relies on gnh_node being the first member of
 * gbp_next_hop_t; the struct definition is not in this excerpt — confirm.
 */
764 static gbp_next_hop_t *
765 gbp_next_hop_from_fib_node (fib_node_t * node)
/* Debug-build guard that the node really is one of ours. */
767 ASSERT (gbp_next_hop_fib_type == node->fn_type);
768 return ((gbp_next_hop_t *) node);
/*
 * FIB graph vft: a back-walk reaching a next hop (e.g. its endpoint or
 * adjacency changed) rebuilds the load balances of the rule that owns it
 * (gnh_gu) and lets the walk continue. The walk context is not consulted.
 */
771 static fib_node_back_walk_rc_t
772 gbp_next_hop_back_walk_notify (fib_node_t * node,
773 fib_node_back_walk_ctx_t * ctx)
777 gnh = gbp_next_hop_from_fib_node (node);
779 gbp_contract_mk_one_lb (gnh->gnh_gu);
781 return (FIB_NODE_BACK_WALK_CONTINUE);
785 * The FIB path's graph node virtual function table
787 static const fib_node_vft_t gbp_next_hop_vft = {
788 .fnv_get = gbp_next_hop_get_node,
789 .fnv_last_lock = gbp_next_hop_last_lock_gone,
790 .fnv_back_walk = gbp_next_hop_back_walk_notify,
791 // .fnv_mem_show = fib_path_memory_show,
/*
 * Plugin init (run via VLIB_INIT_FUNCTION): register the "gbp"/"con" log
 * class used by GBP_CONTRACT_DBG and the FIB graph node type for next hops.
 * The return statement is on a line not in this excerpt.
 */
794 static clib_error_t *
795 gbp_contract_init (vlib_main_t * vm)
797 gc_logger = vlib_log_register_class ("gbp", "con");
798 gbp_next_hop_fib_type = fib_node_register_new_type (&gbp_next_hop_vft);
803 VLIB_INIT_FUNCTION (gbp_contract_init);
806 * fd.io coding-style-patch-verification: ON
809 * eval: (c-set-style "gnu")