2 * Copyright (c) 2018 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
16 #ifndef __GBP_CONTRACT_H__
17 #define __GBP_CONTRACT_H__
19 #include <plugins/gbp/gbp.h>
20 #include <plugins/gbp/gbp_types.h>
/*
 * Outcome codes for a contract lookup/apply decision.  Each _(sym,str)
 * entry becomes one enumerator GBP_CONTRACT_ERROR_<sym> (via the X-macro
 * below) plus one entry in gbp_contract_error_strings[]; the string is the
 * human-readable name (presumably used as a node error/counter label —
 * TODO confirm in the node definitions).  gbp_contract_apply() reports its
 * verdict through these via its `err` out-parameter; ALLOW_* codes go with
 * a PERMIT/REDIRECT verdict, DROP_* with DENY.
 */
22 #define foreach_gbp_contract_error \
23 _(ALLOW_NO_SCLASS, "allow-no-sclass") \
24 _(ALLOW_INTRA, "allow-intra-sclass") \
25 _(ALLOW_A_BIT, "allow-a-bit-set") \
26 _(ALLOW_SCLASS_1, "allow-sclass-1") \
27 _(ALLOW_CONTRACT, "allow-contract") \
28 _(DROP_CONTRACT, "drop-contract") \
29 _(DROP_ETHER_TYPE, "drop-ether-type") \
30 _(DROP_NO_CONTRACT, "drop-no-contract") \
31 _(DROP_NO_DCLASS, "drop-no-dclass") \
32 _(DROP_NO_RULE, "drop-no-rule")
/*
 * X-macro expansion into the enum body.  The `typedef enum {` header, the
 * `#undef _` and the trailing GBP_CONTRACT_N_ERROR enumerator are on lines
 * not shown here; the enum is closed on the `} gbp_contract_error_t;` line.
 */
36 #define _(sym,str) GBP_CONTRACT_ERROR_##sym,
37 foreach_gbp_contract_error
/* Self-referential define so `#ifdef GBP_CONTRACT_N_ERROR` tests succeed. */
40 #define GBP_CONTRACT_N_ERROR GBP_CONTRACT_N_ERROR
41 } gbp_contract_error_t;
/* One string per enumerator, in the same order as the X-macro table. */
43 extern char *gbp_contract_error_strings[GBP_CONTRACT_N_ERROR];
46 * The key for a Contract
/*
 * Lookup key for the contract DB.  gbp_contract_find() hashes the key's
 * 64-bit overlay (key->as_u64), so callers must initialise every byte of
 * the object — including any padding, if the named fields do not fill all
 * 8 bytes (NOTE(review): the union layout is on lines not shown here;
 * confirm that callers zero the whole key before filling it).
 */
48 typedef struct gbp_contract_key_t_
/* Scope the contract belongs to; part of the hashed key. */
54 gbp_scope_t gck_scope;
/*
 * source and destination EPGs for which the ACL applies — gck_src/gck_dst
 * (declared on lines not shown); compared directly in gbp_contract_apply().
 */
56 * source and destination EPGs for which the ACL applies
/*
 * A redirect next hop: the address and MAC to forward to, plus one
 * adjacency index per IP protocol (gnh_ai is sized FIB_PROTOCOL_IP_MAX).
 * Allocated via gbp_next_hop_alloc(); remaining fields are on lines not
 * shown here.
 */
65 typedef struct gbp_next_hop_t_
68 ip46_address_t gnh_ip;
69 mac_address_t gnh_mac;
/* Adjacency per IP protocol; presumably INDEX_INVALID until resolved — confirm. */
75 index_t gnh_ai[FIB_PROTOCOL_IP_MAX];
/*
 * Load-balance hash modes for redirect rules.  Expanded through the
 * `_(v,s)` X-macro into GBP_HASH_MODE_<v>; the other table entries, the
 * `#undef _` and the enum footer are on lines not shown here.
 */
78 #define foreach_gbp_hash_mode \
81 _(SYMMETRIC, "symmetric")
83 typedef enum gbp_hash_mode_t_
85 #define _(v,s) GBP_HASH_MODE_##v,
/*
 * Verdicts a contract rule can produce.  Expanded into GBP_RULE_<v>;
 * gbp_contract_apply() returns one of these (PERMIT/DENY/REDIRECT are
 * the values referenced in this header).
 */
90 #define foreach_gbp_rule_action \
93 _(REDIRECT, "redirect")
95 typedef enum gbp_rule_action_t_
97 #define _(v,s) GBP_RULE_##v,
98 foreach_gbp_rule_action
/*
 * Datapath node flavours a policy can be applied from (L2, IP4, IP6 are
 * the ones referenced below).  Expanded into GBP_POLICY_NODE_<v>.
 */
102 #define foreach_gbp_policy_node \
107 typedef enum gbp_policy_node_t_
109 #define _(v,s) GBP_POLICY_NODE_##v,
110 foreach_gbp_policy_node
/*
 * Both helpers assume the enumerator order L2 < ... < IP6 with IP6 last;
 * if a node is ever added after IP6 the count and the loop bound go stale.
 * `pnode` is assigned and incremented, so pass an lvalue, not an expression.
 */
113 #define GBP_POLICY_N_NODES (GBP_POLICY_NODE_IP6+1)
115 #define FOR_EACH_GBP_POLICY_NODE(pnode) \
116 for (pnode = GBP_POLICY_NODE_L2; pnode < GBP_POLICY_N_NODES; pnode++)
/*
 * One rule of a contract: the verdict to apply and, for REDIRECT, how the
 * redirect is load-balanced.  Rules live in gbp_rule_pool and are reached
 * by index (see gbp_rule_get()); a contract's gc_rules vector holds those
 * indices.  Allocate with gbp_rule_alloc(), release with gbp_rule_free().
 */
118 typedef struct gbp_rule_t_
120 gbp_rule_action_t gu_action;
121 gbp_hash_mode_t gu_hash_mode;
/*
 * DPO of the load-balance object used to redirect, one per policy node
 * and per IP protocol.  Presumably only populated for REDIRECT rules —
 * TODO confirm in gbp_rule_alloc().
 */
125 * DPO of the load-balance object used to redirect
127 dpo_id_t gu_dpo[GBP_POLICY_N_NODES][FIB_PROTOCOL_IP_MAX];
131 * A Group Based Policy Contract.
132 * Determines the ACL that applies to traffic passing between two endpoint groups
/*
 * A contract, stored in gbp_contract_pool and indexed from
 * gbp_contract_db by gc_key.  Fields referenced by gbp_contract_apply()
 * but declared on lines not shown here: gc_lc_index (the ACL plugin
 * lookup context) and gc_rules (vector of gbp_rule_pool indices, indexed
 * by the ACL match position).
 */
134 typedef struct gbp_contract_t_
/* source and destination EPGs (plus scope) — the DB lookup key. */
137 * source and destination EPGs
139 gbp_contract_key_t gc_key;
/*
 * The ACL to apply for packets from the source to the destination EPG;
 * evaluated through the acl_plugin 5-tuple match in gbp_contract_apply().
 */
145 * The ACL to apply for packets from the source to the destination EPG
/*
 * An ethertype whitelist, only consulted on the L2 apply path.  Values are
 * stored in network byte order (the datapath compares the raw wire u16
 * before converting).  NOTE(review): an empty/NULL vector appears to make
 * vec_search() miss every frame, i.e. drop all L2 traffic — confirm that
 * is the intended default and that vec_search returns ~0 on an empty vec.
 */
150 * An ethertype whitelist
152 u16 *gc_allowed_ethertypes;
156 * EPG src,dst pair to ACL mapping table, aka contract DB
/*
 * EPG src,dst pair to ACL mapping table, aka contract DB.  The only
 * member referenced in this header is gc_hash (declared on a line not
 * shown), mapping gbp_contract_key_t::as_u64 to a contract pool index.
 */
158 typedef struct gbp_contract_db_t_
161 * We can form a u64 key from the pair, so use a simple hash table
/*
 * Create or replace the contract for a (scope, sclass, dclass) key; the
 * middle of the parameter list is on lines not shown here.
 * @allowed_ethertypes is the L2 ethertype whitelist vector; @stats_index
 * is an out-parameter (presumably the counter index of the contract —
 * TODO confirm in gbp_contract.c).  Ownership of the vectors passed in is
 * not documented here — confirm whether the callee takes or copies them.
 */
166 extern int gbp_contract_update (gbp_scope_t scope,
171 u16 * allowed_ethertypes, u32 * stats_index);
/* Remove the contract for a key; remaining parameters on lines not shown. */
172 extern int gbp_contract_delete (gbp_scope_t scope, sclass_t sclass,
/*
 * Allocate a rule in gbp_rule_pool and return its index.  @nhs is a vector
 * of next-hop indices (from gbp_next_hop_alloc()); ownership transfer is
 * not documented here — confirm before freeing it in the caller.
 */
175 extern index_t gbp_rule_alloc (gbp_rule_action_t action,
176 gbp_hash_mode_t hash_mode, index_t * nhs);
/* Release a rule previously returned by gbp_rule_alloc(). */
177 extern void gbp_rule_free (index_t gui);
/* Allocate a redirect next hop; @gbd is presumably a bridge-domain index — confirm. */
178 extern index_t gbp_next_hop_alloc (const ip46_address_t * ip,
180 const mac_address_t * mac, index_t gbd);
/*
 * Walk callback: invoked once per contract with the caller's @ctx.  The
 * return value's meaning (stop/continue) is not visible here — confirm
 * against gbp_contract_walk() before relying on it to terminate early.
 * NOTE(review): the parameter name `bgpe` below looks like a typo for `gbpe`.
 */
182 typedef int (*gbp_contract_cb_t) (gbp_contract_t * gbpe, void *ctx);
183 extern void gbp_contract_walk (gbp_contract_cb_t bgpe, void *ctx);
/* vlib format functions; args: a gbp_rule_action_t / a contract pointer, respectively. */
185 extern u8 *format_gbp_rule_action (u8 * s, va_list * args);
186 extern u8 *format_gbp_contract (u8 * s, va_list * args);
189 * DP functions and databases
191 extern gbp_contract_db_t gbp_contract_db;
/**
 * Look up the pool index of the contract stored under @key.
 *
 * The key is hashed by its 64-bit overlay (key->as_u64), so every byte
 * of the key object — including padding, if the named fields do not
 * fill 8 bytes — must have been initialised by the caller, or a lookup
 * for an otherwise-equal key will miss (NOTE(review): confirm the union
 * layout, which is on lines not shown here).
 *
 * @return the contract's index in gbp_contract_pool, or INDEX_INVALID
 *         when no contract exists for the key.  The hit path (the test
 *         on `p` and the return of the stored value) is on lines not
 *         shown here.
 */
193 always_inline index_t
194 gbp_contract_find (gbp_contract_key_t * key)
/* `p` is declared on a line not shown; presumably NULL on a miss. */
198 p = hash_get (gbp_contract_db.gc_hash, key->as_u64);
203 return (INDEX_INVALID);
206 extern gbp_contract_t *gbp_contract_pool;
/**
 * Return the contract stored at pool index @gci.
 *
 * Thin accessor over gbp_contract_pool.  @gci must be a live index, e.g.
 * one returned by gbp_contract_find(); NOTE(review): pool_elt_at_index is
 * not expected to validate the index in release builds — confirm before
 * passing an index that may be INDEX_INVALID.
 */
always_inline gbp_contract_t *
gbp_contract_get (index_t gci)
{
  gbp_contract_t *contract;

  contract = pool_elt_at_index (gbp_contract_pool, gci);

  return (contract);
}
214 extern gbp_rule_t *gbp_rule_pool;
/**
 * Return the rule stored at pool index @gui.
 *
 * Thin accessor over gbp_rule_pool; the index normally comes from a
 * contract's gc_rules vector after gbp_contract_apply() has bounds-checked
 * the ACL match position.  NOTE(review): pool_elt_at_index is not expected
 * to validate the index in release builds — confirm before passing an
 * index that may be INDEX_INVALID.
 */
always_inline gbp_rule_t *
gbp_rule_get (index_t gui)
{
  gbp_rule_t *rule;

  rule = pool_elt_at_index (gbp_rule_pool, gui);

  return (rule);
}
/*
 * Per-contract packet/byte counters, indexed by contract pool index and
 * incremented per thread (see the vlib_increment_combined_counter calls
 * in gbp_contract_apply()).  Permit covers PERMIT and REDIRECT verdicts;
 * drop covers every DENY taken after a contract was found.
 */
222 extern vlib_combined_counter_main_t gbp_contract_permit_counters;
223 extern vlib_combined_counter_main_t gbp_contract_drop_counters;
/*
 * Which datapath flavour is applying the contract.  The L2 flavour adds
 * the ethertype whitelist check and flips the ACL plugin's input/l2_path
 * flags; the enum header is on a line not shown here.
 */
227 GBP_CONTRACT_APPLY_L2,
228 GBP_CONTRACT_APPLY_IP4,
229 GBP_CONTRACT_APPLY_IP6,
230 } gbp_contract_apply_type_t;
/**
 * Decide the contract verdict for one packet.
 *
 * Fast-path exemptions (same EPG, sclass 1) are applied before any DB
 * lookup; otherwise the contract for @key is found, the packet is
 * optionally filtered by the contract's ethertype whitelist (L2 path
 * only), matched against the contract's ACL through the acl_plugin
 * 5-tuple API, and the rule selected by the ACL match position yields
 * the verdict.  Several statements of this function (the switch headers,
 * the `drop:` path, the assignments to @intra/@sclass1 and the `ip6` /
 * `action` locals) are on lines not shown here.
 *
 * @param vm          vlib main of the calling thread (used for counters
 *                    and buffer length).
 * @param gm          GBP main; only gm->acl_plugin.p_acl_main is used here.
 * @param key         scope/src/dst key for the contract lookup.
 * @param b           the packet; on the L2 path its data is read to fetch
 *                    the ethertype.
 * @param rule        out: the matched rule.  Only written on the rule-hit
 *                    path; presumably left untouched on every early return
 *                    — confirm before reading it after a DENY.
 * @param intra       out: set when the packet is intra-EPG (assignment on
 *                    a line not shown — confirm).
 * @param sclass1     out: set when src or dst sclass is 1 (same caveat).
 * @param acl_match   out: ACL match index reported by the acl_plugin.
 * @param rule_match  out: ACL rule position; used to index gc_rules.
 * @param err         out: the gbp_contract_error_t explaining the verdict.
 * @param type        which datapath node is applying the contract.
 * @return GBP_RULE_PERMIT, GBP_RULE_DENY, or the matched rule's action
 *         (PERMIT or REDIRECT) once a contract rule has been hit.
 */
232 static_always_inline gbp_rule_action_t
233 gbp_contract_apply (vlib_main_t * vm, gbp_main_t * gm,
234 gbp_contract_key_t * key, vlib_buffer_t * b,
235 gbp_rule_t ** rule, u32 * intra, u32 * sclass1,
236 u32 * acl_match, u32 * rule_match,
237 gbp_contract_error_t * err,
238 gbp_contract_apply_type_t type)
240 fa_5tuple_opaque_t fa_5tuple;
241 const gbp_contract_t *contract;
242 index_t contract_index;
243 u32 acl_pos, trace_bitmap;
/* Intra-EPG traffic is always permitted; no contract is consulted. */
250 if (key->gck_src == key->gck_dst)
252 /* intra-epg allowed */
254 *err = GBP_CONTRACT_ERROR_ALLOW_INTRA;
255 return GBP_RULE_PERMIT;
/* sclass 1 is a special class that bypasses contracts in either direction. */
258 if (1 == key->gck_src || 1 == key->gck_dst)
260 /* sclass 1 allowed */
262 *err = GBP_CONTRACT_ERROR_ALLOW_SCLASS_1;
263 return GBP_RULE_PERMIT;
/* No contract for this src/dst pair means default deny. */
266 /* look for contract */
267 contract_index = gbp_contract_find (key);
268 if (INDEX_INVALID == contract_index)
270 *err = GBP_CONTRACT_ERROR_DROP_NO_CONTRACT;
271 return GBP_RULE_DENY;
274 contract = gbp_contract_get (contract_index);
/*
 * Default reason from here on is a drop by the contract; the specific
 * paths below overwrite it (ALLOW_CONTRACT, DROP_ETHER_TYPE, DROP_NO_RULE).
 */
276 *err = GBP_CONTRACT_ERROR_DROP_CONTRACT;
/* switch (type): the IP4/IP6 case bodies are on lines not shown here. */
280 case GBP_CONTRACT_APPLY_IP4:
283 case GBP_CONTRACT_APPLY_IP6:
286 case GBP_CONTRACT_APPLY_L2:
288 /* check ethertype */
/*
 * The ethertype is read as the u16 immediately before current+l2_len,
 * i.e. the last two bytes of the L2 header, straight from packet data
 * and still in network byte order.  This relies on l2.l2_len having been
 * set by the L2 input path and being >= 2; a zero/unset l2_len would read
 * before the current data pointer (NOTE(review): confirm the producing
 * nodes always set it on this path).
 */
290 ((u16 *) (vlib_buffer_get_current (b) +
291 vnet_buffer (b)->l2.l2_len))[-1];
/*
 * Whitelist check: the vec holds wire-order ethertypes, so the raw value
 * is compared.  On a miss the drop path is taken (the jump is on a line
 * not shown).
 */
293 if (~0 == vec_search (contract->gc_allowed_ethertypes, etype))
295 *err = GBP_CONTRACT_ERROR_DROP_ETHER_TYPE;
/* Classify the L2 frame as IPv4/IPv6 for the ACL (sets `ip6`; body not shown). */
299 switch (clib_net_to_host_u16 (etype))
301 case ETHERNET_TYPE_IP4:
304 case ETHERNET_TYPE_IP6:
/*
 * ACL evaluation via the acl_plugin exports.  `input` is true for the IP
 * paths and `l2_path` true only for the L2 path; the fill/match calls'
 * trailing arguments are on lines not shown.  How the ACL's own verdict
 * (`action`) is honoured before indexing the rule table is also on lines
 * not shown here.
 */
316 acl_plugin_fill_5tuple_inline (gm->acl_plugin.p_acl_main,
317 contract->gc_lc_index, b, ip6,
318 GBP_CONTRACT_APPLY_L2 != type /* input */ ,
319 GBP_CONTRACT_APPLY_L2 == type /* l2_path */ ,
321 acl_plugin_match_5tuple_inline (gm->acl_plugin.p_acl_main,
322 contract->gc_lc_index, &fa_5tuple, ip6,
323 &action, &acl_pos, acl_match, rule_match,
/*
 * The ACL match position indexes gc_rules, which is configured separately
 * from the ACL; guard against an ACL with more rules than the contract
 * has actions before dereferencing.
 */
328 if (PREDICT_FALSE (*rule_match >= vec_len (contract->gc_rules)))
330 *err = GBP_CONTRACT_ERROR_DROP_NO_RULE;
/* Rule hit: the rule's own action becomes the verdict. */
334 *rule = gbp_rule_get (contract->gc_rules[*rule_match]);
335 switch ((*rule)->gu_action)
337 case GBP_RULE_PERMIT:
338 case GBP_RULE_REDIRECT:
339 *err = GBP_CONTRACT_ERROR_ALLOW_CONTRACT;
340 vlib_increment_combined_counter (&gbp_contract_permit_counters,
341 vm->thread_index, contract_index, 1,
342 vlib_buffer_length_in_chain (vm, b));
343 return (*rule)->gu_action;
/*
 * Shared drop exit (label on a line not shown): every DENY after a
 * contract was found is counted here, with *err already set by the path
 * that got us here.
 */
349 vlib_increment_combined_counter (&gbp_contract_drop_counters,
350 vm->thread_index, contract_index, 1,
351 vlib_buffer_length_in_chain (vm, b));
352 return GBP_RULE_DENY;
355 #endif /* __GBP_CONTRACT_H__ */
357 * fd.io coding-style-patch-verification: ON
360 * eval: (c-set-style "gnu")