2 * Copyright (c) 2021 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
16 #include <vnet/plugin/plugin.h>
17 #include <vpp/app/version.h>
20 #include <vnet/tcp/tcp_types.h>
/* Error counter names for the hsi nodes, generated from hsi_error.def through
 * the hsi_error() x-macro (one string per entry). Each VLIB_REGISTER_NODE
 * block below points .error_strings at this table. The closing of the
 * initializer is not shown in this listing. */
22 char *hsi_error_strings[] = {
23 #define hsi_error(n, s) s,
24 #include <hsi/hsi_error.def>
/* Next-node indices shared by all four hsi nodes. The index-to-node-name
 * mapping differs per IP version and is supplied by foreach_hsi4_input_next /
 * foreach_hsi6_input_next below. The N_NEXT sentinel and the closing typedef
 * name are not shown in this listing. */
28 typedef enum hsi_input_next_
30 HSI_INPUT_NEXT_UDP_INPUT, /* matched a UDP session: hand to udp{4,6}-input */
31 HSI_INPUT_NEXT_TCP_INPUT, /* TCP listener (SYN) or SYN_SENT: hand to tcp{4,6}-input */
32 HSI_INPUT_NEXT_TCP_INPUT_NOLOOKUP, /* connection already resolved here; its index rides in the buffer */
/* Maps each HSI_INPUT_NEXT_* index to the IPv4 (resp. IPv6) graph node it
 * dispatches to. Expanded with a `_ (s, n)` macro into the .next_nodes table
 * of the matching VLIB_REGISTER_NODE block below. */
36 #define foreach_hsi4_input_next \
37 _ (UDP_INPUT, "udp4-input") \
38 _ (TCP_INPUT, "tcp4-input") \
39 _ (TCP_INPUT_NOLOOKUP, "tcp4-input-nolookup")
41 #define foreach_hsi6_input_next \
42 _ (UDP_INPUT, "udp6-input") \
43 _ (TCP_INPUT, "tcp6-input") \
44 _ (TCP_INPUT_NOLOOKUP, "tcp6-input-nolookup")
/* Trace formatter for the hsi nodes.
 *
 * Prints whether a session was found and the name of the next node the
 * packet was sent to. A next index below HSI_INPUT_N_NEXT is one of the
 * host-stack nodes from the enum above (session found); any other index
 * presumably came from vnet_feature_next () (session not found). The
 * declaration of `nn`, the braces and the return are not shown here. */
52 format_hsi_trace (u8 *s, va_list *args)
54 vlib_main_t *vm = va_arg (*args, vlib_main_t *);
55 vlib_node_t *node = va_arg (*args, vlib_node_t *);
56 hsi_trace_t *t = va_arg (*args, hsi_trace_t *);
/* Resolve the recorded next index back to a node so its name can be shown. */
59 nn = vlib_get_next_node (vm, node->index, t->next_node);
60 s = format (s, "session %sfound, next node: %v",
61 t->next_node < HSI_INPUT_N_NEXT ? "" : "not ", nn->name);
/* UDP session lookup for a packet whose IP header is at ip_hdr.
 *
 * Locates the UDP header via ip4_next_header () / ip6_next_header () and
 * queries the host-stack session table with (fib_index from the buffer,
 * dst address, src address, dst port, src port, UDP). The ports are passed
 * exactly as read from the header. The return type, the local declarations,
 * the is_ip4 branches and the return statement are not shown in this
 * listing; the caller below treats the result as a "have a UDP session"
 * flag. */
66 hsi_udp_lookup (vlib_buffer_t *b, void *ip_hdr, u8 is_ip4)
73 ip4_header_t *ip4 = (ip4_header_t *) ip_hdr;
74 hdr = ip4_next_header (ip4);
/* dst before src: presumably the table is keyed (local, remote) from the
 * viewpoint of a packet arriving at this host — confirm against the
 * session_lookup_safe4 () contract. */
75 s = session_lookup_safe4 (
76 vnet_buffer (b)->ip.fib_index, &ip4->dst_address, &ip4->src_address,
77 hdr->dst_port, hdr->src_port, TRANSPORT_PROTO_UDP);
81 ip6_header_t *ip6 = (ip6_header_t *) ip_hdr;
82 hdr = ip6_next_header (ip6);
83 s = session_lookup_safe6 (
84 vnet_buffer (b)->ip.fib_index, &ip6->dst_address, &ip6->src_address,
85 hdr->dst_port, hdr->src_port, TRANSPORT_PROTO_UDP);
/* Thread-qualified TCP connection lookup.
 *
 * Parses the TCP header that follows the IP header at ip_hdr, returns a
 * pointer to it through rhdr so the caller can inspect flags without
 * reparsing, and looks up (fib_index, dst, src, dst_port, src_port, TCP)
 * in the session table for the calling worker thread. `hdr` and `result`
 * are declared on lines not shown here; `result` is the status
 * out-parameter of the lookup.
 *
 * @return the matching transport connection, or 0 when there is no match or
 *         the lookup reported a non-zero status. Only an exact, clean hit is
 *         ever handed back, which is what lets the caller trust c_c_index.
 */
91 always_inline transport_connection_t *
92 hsi_tcp_lookup (vlib_buffer_t *b, void *ip_hdr, tcp_header_t **rhdr, u8 is_ip4)
94 transport_connection_t *tc;
100 ip4_header_t *ip4 = (ip4_header_t *) ip_hdr;
101 *rhdr = hdr = ip4_next_header (ip4);
/* The lookup is restricted to the current thread index; the connection (and
 * the index the caller later stores) therefore belongs to this worker —
 * assumption based on the _wt variant, confirm. */
102 tc = session_lookup_connection_wt4 (
103 vnet_buffer (b)->ip.fib_index, &ip4->dst_address, &ip4->src_address,
104 hdr->dst_port, hdr->src_port, TRANSPORT_PROTO_TCP,
105 vlib_get_thread_index (), &result);
109 ip6_header_t *ip6 = (ip6_header_t *) ip_hdr;
110 *rhdr = hdr = ip6_next_header (ip6);
111 tc = session_lookup_connection_wt6 (
112 vnet_buffer (b)->ip.fib_index, &ip6->dst_address, &ip6->src_address,
113 hdr->dst_port, hdr->src_port, TRANSPORT_PROTO_TCP,
114 vlib_get_thread_index (), &result);
/* Any non-zero status is treated as "no usable connection". */
117 return result == 0 ? tc : 0;
/* Per-packet classification for the hsi nodes.
 *
 * Finds the IP header (at the buffer's current pointer on the input arc; past
 * the saved rewrite on the output arc), reads the L4 protocol and asks the
 * host-stack session tables whether the packet belongs to a local TCP
 * connection or UDP session. On a hit, *next is set to one of the
 * HSI_INPUT_NEXT_* host-stack nodes and the buffer is advanced so that node
 * sees the headers it expects; on a miss, vnet_feature_next () lets the packet
 * continue along the feature arc untouched. The is_input / is_ip4 / tc
 * branches, the switch scaffolding and the declarations of rw_len and ip_hdr
 * are not shown in this listing.
 *
 * @param b         buffer to classify; may be modified (fib index, current
 *                  pointer, tcp.connection_index)
 * @param next      out: next-node index chosen for b
 * @param is_ip4    1 for IPv4 headers, 0 for IPv6
 * @param is_input  1 on the input arc, 0 on the output arc
 */
121 hsi_lookup_and_update (vlib_buffer_t *b, u32 *next, u8 is_ip4, u8 is_input)
123 u8 proto, state, have_udp;
124 tcp_header_t *tcp_hdr = 0;
125 tcp_connection_t *tc;
/* Input arc: the IP header is at the current pointer; derive the buffer's
 * fib index from the receiving sw_if_index so the lookup keys match. */
131 ip_hdr = vlib_buffer_get_current (b);
133 ip_lookup_set_buffer_fib_index (ip4_main.fib_index_by_sw_if_index, b);
135 ip_lookup_set_buffer_fib_index (ip6_main.fib_index_by_sw_if_index, b);
/* Output arc: the L2 rewrite has already been prepended, so skip it to reach
 * the IP header. rw_len is reused below when the buffer is advanced. */
139 rw_len = vnet_buffer (b)->ip.save_rewrite_length;
140 ip_hdr = vlib_buffer_get_current (b) + rw_len;
144 proto = ((ip4_header_t *) ip_hdr)->protocol;
146 proto = ((ip6_header_t *) ip_hdr)->protocol;
150 case IP_PROTOCOL_TCP:
151 tc = (tcp_connection_t *) hsi_tcp_lookup (b, ip_hdr, &tcp_hdr, is_ip4);
/* A listener match only counts for a SYN. Any other segment that happens to
 * match a listening socket is left on the feature arc instead of being fed
 * to tcp-input, so stray or crafted non-handshake segments never reach the
 * listener through this node. */
155 if (state == TCP_STATE_LISTEN)
157 /* Avoid processing non syn packets that match listener */
158 if (!tcp_syn (tcp_hdr))
160 vnet_feature_next (next, b);
163 *next = HSI_INPUT_NEXT_TCP_INPUT;
/* Half-open (SYN_SENT) connections also go to tcp-input rather than to the
 * nolookup node; presumably tcp-input re-validates the segment itself. */
165 else if (state == TCP_STATE_SYN_SENT)
167 *next = HSI_INPUT_NEXT_TCP_INPUT;
/* Any other state: the thread-qualified lookup already resolved the
 * connection, so hand its index straight to tcp-input-nolookup. */
171 /* Lookup already done, use result */
172 *next = HSI_INPUT_NEXT_TCP_INPUT_NOLOOKUP;
173 vnet_buffer (b)->tcp.connection_index = tc->c_c_index;
/* Drop the L2 rewrite so tcp-input starts at the IP header (rw_len is only
 * assigned on the output path above; presumably 0 on input). */
175 vlib_buffer_advance (b, rw_len);
/* Presumably the no-connection branch: continue along the feature arc. */
179 vnet_feature_next (next, b);
182 case IP_PROTOCOL_UDP:
183 have_udp = hsi_udp_lookup (b, ip_hdr, is_ip4);
186 *next = HSI_INPUT_NEXT_UDP_INPUT;
187 /* Emulate udp-local and consume headers up to udp payload */
/* NOTE(review): the advance below uses the fixed sizeof of the IP header,
 * whereas hsi_udp_lookup () located the UDP header through
 * ip4_next_header () / ip6_next_header (). If those helpers honour IPv4
 * options or IPv6 extension headers, a packet carrying them would be
 * classified against the correct UDP header but advanced to the wrong
 * payload offset here — confirm. */
188 rw_len += is_ip4 ? sizeof (ip4_header_t) : sizeof (ip6_header_t);
189 rw_len += sizeof (udp_header_t);
190 vlib_buffer_advance (b, rw_len);
/* No UDP session: continue along the feature arc. */
194 vnet_feature_next (next, b);
/* Any other L4 protocol is not intercepted. */
198 vnet_feature_next (next, b);
/* Adds a trace record to every buffer in the frame that is flagged as traced,
 * storing the next index chosen for it (format_hsi_trace renders it). The
 * declarations of `i`, `b` and `t`, the `b = bufs[i]` assignment and the loop
 * braces are not shown here; is_ip4 is unused in the visible lines. */
204 hsi_input_trace_frame (vlib_main_t *vm, vlib_node_runtime_t *node,
205 vlib_buffer_t **bufs, u16 *nexts, u32 n_bufs, u8 is_ip4)
211 for (i = 0; i < n_bufs; i++)
/* Only buffers marked for tracing get a record. */
214 if (!(b->flags & VLIB_BUFFER_IS_TRACED))
216 t = vlib_add_trace (vm, node, b, sizeof (*t));
217 t->next_node = nexts[i];
/* Shared frame-processing body for the four hsi nodes.
 *
 * Classifies every buffer in the frame with hsi_lookup_and_update (), then
 * enqueues the buffers to their chosen next nodes and, when tracing is
 * enabled on the node, records a trace entry per traced buffer. Loop
 * increments, the tail loop header and the next0/next1 bookkeeping are not
 * shown in this listing.
 *
 * @param is_ip4    selects IPv4 / IPv6 header parsing
 * @param is_input  1 on the input arc, 0 on the output arc
 * @return number of packets processed (the whole frame).
 */
222 hsi46_input_inline (vlib_main_t *vm, vlib_node_runtime_t *node,
223 vlib_frame_t *frame, u8 is_ip4, u8 is_input)
225 vlib_buffer_t *bufs[VLIB_FRAME_SIZE], **b;
226 u16 nexts[VLIB_FRAME_SIZE], *next;
227 u32 n_left_from, *from;
229 from = vlib_frame_vector_args (frame);
230 n_left_from = frame->n_vectors;
232 vlib_get_buffers (vm, from, bufs, n_left_from);
/* Main loop: b[0] and b[1] are classified while the headers and the first
 * two cache lines of data of b[2] and b[3] are prefetched. */
236 while (n_left_from >= 4)
240 vlib_prefetch_buffer_header (b[2], LOAD);
241 CLIB_PREFETCH (b[2]->data, 2 * CLIB_CACHE_LINE_BYTES, LOAD);
243 vlib_prefetch_buffer_header (b[3], LOAD);
244 CLIB_PREFETCH (b[3]->data, 2 * CLIB_CACHE_LINE_BYTES, LOAD);
246 hsi_lookup_and_update (b[0], &next0, is_ip4, is_input);
247 hsi_lookup_and_update (b[1], &next1, is_ip4, is_input);
/* Tail: remaining buffers one at a time. */
261 hsi_lookup_and_update (b[0], &next0, is_ip4, is_input);
270 vlib_buffer_enqueue_to_next (vm, node, from, nexts, frame->n_vectors);
/* Tracing is off the fast path; only walk the frame again when enabled. */
272 if (PREDICT_FALSE (node->flags & VLIB_NODE_FLAG_TRACE))
273 hsi_input_trace_frame (vm, node, bufs, nexts, frame->n_vectors, is_ip4);
275 return frame->n_vectors;
/* IPv4 input-arc node: thin wrapper around hsi46_input_inline () with
 * is_ip4 = 1. The is_input argument is on the continuation line not shown. */
278 VLIB_NODE_FN (hsi4_in_node)
279 (vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *frame)
281 return hsi46_input_inline (vm, node, frame, 1 /* is_ip4 */,
/* Registration of hsi4-in: its next-node table is expanded from
 * foreach_hsi4_input_next, indexed by HSI_INPUT_NEXT_*. The .name line and
 * the closing of the initializer are not shown here. */
285 VLIB_REGISTER_NODE (hsi4_in_node) = {
287 .vector_size = sizeof (u32),
288 .format_trace = format_hsi_trace,
289 .type = VLIB_NODE_TYPE_INTERNAL,
290 .n_errors = HSI_N_ERROR,
291 .error_strings = hsi_error_strings,
292 .n_next_nodes = HSI_INPUT_N_NEXT,
294 #define _(s, n) [HSI_INPUT_NEXT_##s] = n,
295 foreach_hsi4_input_next
/* Feature placement on ip4-unicast: before ip4-lookup (intercept prior to
 * forwarding) and after ip4-full-reassembly-feature, presumably so the L4
 * header parsed by this node belongs to a reassembled datagram. */
300 VNET_FEATURE_INIT (hsi4_in_feature, static) = {
301 .arc_name = "ip4-unicast",
302 .node_name = "hsi4-in",
303 .runs_before = VNET_FEATURES ("ip4-lookup"),
304 .runs_after = VNET_FEATURES ("ip4-full-reassembly-feature"),
/* IPv4 output-arc node: wrapper around hsi46_input_inline () with
 * is_ip4 = 1. The is_input argument is on the continuation line not shown. */
307 VLIB_NODE_FN (hsi4_out_node)
308 (vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *frame)
310 return hsi46_input_inline (vm, node, frame, 1 /* is_ip4 */,
/* Registration of hsi4-out; same next-node table as hsi4-in. */
314 VLIB_REGISTER_NODE (hsi4_out_node) = {
316 .vector_size = sizeof (u32),
317 .format_trace = format_hsi_trace,
318 .type = VLIB_NODE_TYPE_INTERNAL,
319 .n_errors = HSI_N_ERROR,
320 .error_strings = hsi_error_strings,
321 .n_next_nodes = HSI_INPUT_N_NEXT,
323 #define _(s, n) [HSI_INPUT_NEXT_##s] = n,
324 foreach_hsi4_input_next
/* Feature placement on ip4-output: runs before interface-output, i.e. after
 * the rewrite has been applied — which is why the output path skips
 * save_rewrite_length bytes to find the IP header. */
329 VNET_FEATURE_INIT (hsi4_out_feature, static) = {
330 .arc_name = "ip4-output",
331 .node_name = "hsi4-out",
332 .runs_before = VNET_FEATURES ("interface-output"),
/* IPv6 input-arc node: wrapper around hsi46_input_inline () with
 * is_ip4 = 0. The is_input argument is on the continuation line not shown. */
335 VLIB_NODE_FN (hsi6_in_node)
336 (vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *frame)
338 return hsi46_input_inline (vm, node, frame, 0 /* is_ip4 */,
/* Registration of hsi6-in: next-node table expanded from
 * foreach_hsi6_input_next. */
342 VLIB_REGISTER_NODE (hsi6_in_node) = {
344 .vector_size = sizeof (u32),
345 .format_trace = format_hsi_trace,
346 .type = VLIB_NODE_TYPE_INTERNAL,
347 .n_errors = HSI_N_ERROR,
348 .error_strings = hsi_error_strings,
349 .n_next_nodes = HSI_INPUT_N_NEXT,
351 #define _(s, n) [HSI_INPUT_NEXT_##s] = n,
352 foreach_hsi6_input_next
/* Feature placement on ip6-unicast mirrors the IPv4 one: before ip6-lookup,
 * after ip6-full-reassembly-feature. */
357 VNET_FEATURE_INIT (hsi6_in_feature, static) = {
358 .arc_name = "ip6-unicast",
359 .node_name = "hsi6-in",
360 .runs_before = VNET_FEATURES ("ip6-lookup"),
361 .runs_after = VNET_FEATURES ("ip6-full-reassembly-feature"),
/* IPv6 output-arc node: wrapper around hsi46_input_inline () with
 * is_ip4 = 0. The is_input argument is on the continuation line not shown. */
364 VLIB_NODE_FN (hsi6_out_node)
365 (vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *frame)
367 return hsi46_input_inline (vm, node, frame, 0 /* is_ip4 */,
/* Registration of hsi6-out; same next-node table as hsi6-in. */
371 VLIB_REGISTER_NODE (hsi6_out_node) = {
373 .vector_size = sizeof (u32),
374 .format_trace = format_hsi_trace,
375 .type = VLIB_NODE_TYPE_INTERNAL,
376 .n_errors = HSI_N_ERROR,
377 .error_strings = hsi_error_strings,
378 .n_next_nodes = HSI_INPUT_N_NEXT,
380 #define _(s, n) [HSI_INPUT_NEXT_##s] = n,
381 foreach_hsi6_input_next
/* Feature placement on ip6-output: before interface-output, mirroring the
 * IPv4 output feature. */
386 VNET_FEATURE_INIT (hsi6_out_feature, static) = {
387 .arc_name = "ip6-output",
388 .node_name = "hsi6-out",
389 .runs_before = VNET_FEATURES ("interface-output"),
/* Plugin descriptor; enabled by default (.default_disabled = 0). */
392 VLIB_PLUGIN_REGISTER () = {
393 .version = VPP_BUILD_VER,
394 .description = "Host Stack Intercept (HSI)",
395 .default_disabled = 0,
399 * fd.io coding-style-patch-verification: ON
402 * eval: (c-set-style "gnu")