2 * Copyright (c) 2016 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
17 * The data-path object representing dropping the packet
20 #include <vnet/dpo/ip_null_dpo.h>
21 #include <vnet/ip/ip.h>
24 * @brief A representation of the IP_NULL DPO
26 typedef struct ip_null_dpo_t_
29 * @brief The action to take on a packet
31 ip_null_dpo_action_t ind_action;
33 * @brief The next VLIB node
42 * @brief the IP_NULL dpos are shared by all routes, hence they are global.
43 * As the name implies this is only for IP, hence 2 (one set of entries each for IPv4 and IPv6).
/*
 * Layout: slots [0, IP_NULL_DPO_ACTION_NUM) hold the IPv4 entries and slots
 * [IP_NULL_DPO_ACTION_NUM, 2 * IP_NULL_DPO_ACTION_NUM) the IPv6 entries;
 * within each half the slot number is the action value. Both
 * ip_null_dpo_add_and_lock() and format_ip_null_dpo() depend on this
 * ordering, so a new action needs an initialiser in both halves.
 * The initialiser order assumes the enum runs NONE, UNREACH, PROHIBIT; the
 * enum is defined outside this listing - confirm.
 */
45 static ip_null_dpo_t ip_null_dpos[2 * IP_NULL_DPO_ACTION_NUM] = {
47 /* proto ip4, no action */
48 .ind_action = IP_NULL_ACTION_NONE,
51 /* proto ip4, action send unreach */
52 .ind_action = IP_NULL_ACTION_SEND_ICMP_UNREACH,
55 /* proto ip4, action send prohibit */
56 .ind_action = IP_NULL_ACTION_SEND_ICMP_PROHIBIT,
59 /* proto ip6, no action */
60 .ind_action = IP_NULL_ACTION_NONE,
63 /* proto ip6, action send unreach */
64 .ind_action = IP_NULL_ACTION_SEND_ICMP_UNREACH,
67 /* proto ip6, action send prohibit */
68 .ind_action = IP_NULL_ACTION_SEND_ICMP_PROHIBIT,
73 * @brief Action strings
75 const char *ip_null_action_strings[] = IP_NULL_ACTIONS;
/*
 * Point the caller's dpo (the object handed to dpo_set) at the shared
 * ip_null entry for (proto, action).
 *
 * The slot is half * IP_NULL_DPO_ACTION_NUM + action, where the half is 0
 * for DPO_PROTO_IP4 and 1 for any other protocol value.
 *
 * NOTE(review): the two ASSERTs are the only validation of proto and action.
 * If ASSERT is compiled out in non-debug images (the usual arrangement for
 * this code base - confirm for the build in use), a non-IP proto silently
 * selects the IPv6 half and an out-of-range action yields an index past the
 * end of ip_null_dpos. That index is presumably what the datapath later
 * reads back and passes to ip_null_dpo_get(), which does not range-check it.
 */
78 ip_null_dpo_add_and_lock (dpo_proto_t proto,
79 ip_null_dpo_action_t action,
84 ASSERT((proto == DPO_PROTO_IP4) ||
85 (proto == DPO_PROTO_IP6));
86 ASSERT(action < IP_NULL_DPO_ACTION_NUM);
/* 0 selects the IPv4 half of ip_null_dpos, 1 the IPv6 half. */
88 i = (proto == DPO_PROTO_IP4 ? 0 : 1);
90 dpo_set(dpo, DPO_IP_NULL, proto, (i*IP_NULL_DPO_ACTION_NUM) + action);
/*
 * Return a pointer to the shared ip_null entry at index indi.
 *
 * NOTE(review): there is no range check. The index reaches this function
 * from per-packet buffer metadata (ip_null_dpo_switch) and from trace
 * records (format_ip_null_dpo), so an out-of-range value becomes an
 * out-of-bounds read of ip_null_dpos. Adding
 * `ASSERT (indi < ARRAY_LEN (ip_null_dpos));` would catch a corrupt index
 * in debug builds; whether it costs anything in release images depends on
 * ASSERT being compiled out there - confirm.
 */
93 always_inline const ip_null_dpo_t*
94 ip_null_dpo_get (index_t indi)
96 return (&ip_null_dpos[indi]);
100 ip_null_dpo_lock (dpo_id_t *dpo)
103 * not maintaining a lock count on the ip_null, they are const global and
108 ip_null_dpo_unlock (dpo_id_t *dpo)
/*
 * format() callback: render an ip_null DPO as "<proto>-null action:<name>".
 *
 * Arguments pulled from the va_list, in order: the DPO index, then an indent
 * value that is read but not used. The protocol is not stored in the entry;
 * it is inferred from which half of ip_null_dpos the index falls in.
 */
113 format_ip_null_dpo (u8 *s, va_list *ap)
115 index_t index = va_arg(*ap, index_t);
116 CLIB_UNUSED(u32 indent) = va_arg(*ap, u32);
117 const ip_null_dpo_t *ind;
/*
 * NOTE(review): index is not range-checked before the lookup, and
 * ind_action is then used directly as the subscript into
 * ip_null_action_strings. Both are safe only while index is one that
 * ip_null_dpo_add_and_lock() produced from validated arguments.
 */
120 ind = ip_null_dpo_get(index);
/* First half of the table is IPv4; any index at or beyond it is reported as IPv6. */
121 proto = (index < IP_NULL_DPO_ACTION_NUM ? DPO_PROTO_IP4 : DPO_PROTO_IP6);
123 return (format(s, "%U-null action:%s",
124 format_dpo_proto, proto,
125 ip_null_action_strings[ind->ind_action]));
128 const static dpo_vft_t ip_null_vft = {
129 .dv_lock = ip_null_dpo_lock,
130 .dv_unlock = ip_null_dpo_unlock,
131 .dv_format = format_ip_null_dpo,
135 * @brief The per-protocol VLIB graph nodes that are assigned to a ip_null
138 * this means that these graph nodes are ones from which a ip_null is the
139 * parent object in the DPO-graph.
141 const static char* const ip4_null_nodes[] =
146 const static char* const ip6_null_nodes[] =
152 const static char* const * const ip_null_nodes[DPO_PROTO_NUM] =
154 [DPO_PROTO_IP4] = ip4_null_nodes,
155 [DPO_PROTO_IP6] = ip6_null_nodes,
158 typedef struct ip_null_dpo_trace_t_
161 } ip_null_dpo_trace_t;
164 * @brief Exit nodes from a IP_NULL
166 typedef enum ip_null_next_t_
/*
 * Shared worker behind ip4_null_dpo_node and ip6_null_dpo_node: each packet
 * that reaches an ip_null DPO is either dropped or handed to the ICMP error
 * next node, depending on the DPO's action and a hash-based rate limiter.
 *
 * The fourth parameter (its declaration is not visible in this listing) is
 * passed as 1 by ip4_null_dpo_switch and 0 by ip6_null_dpo_switch.
 */
174 ip_null_dpo_switch (vlib_main_t * vm,
175 vlib_node_runtime_t * node,
176 vlib_frame_t * frame,
179 u32 n_left_from, next_index, *from, *to_next;
/*
 * Rate-limiter state. These are function-scope statics, so they are shared
 * by every call rather than kept per node instance or per thread.
 * NOTE(review): nothing visible here synchronises access; if this node can
 * run on more than one worker thread, the reseed and the bitmap
 * read-modify-write below are unsynchronised - confirm the threading model.
 */
180 static f64 time_last_seed_change = -1e100;
181 static u32 hash_seeds[3];
182 static uword hash_bitmap[256 / BITS (uword)];
185 from = vlib_frame_vector_args (frame);
186 n_left_from = frame->n_vectors;
/*
 * Start a new rate-limit window once more than 1e-1 time units have passed
 * (presumably seconds, i.e. 100 ms - confirm vlib_time_now's unit): draw
 * fresh hash seeds from the per-vm random buffer and clear the bitmap.
 * Re-seeding presumably keeps the flow-to-bucket mapping from being
 * predictable across windows.
 */
188 time_now = vlib_time_now (vm);
189 if (time_now - time_last_seed_change > 1e-1)
192 u32 * r = clib_random_buffer_get_data (&vm->random_buffer,
193 sizeof (hash_seeds));
194 for (i = 0; i < ARRAY_LEN (hash_seeds); i++)
195 hash_seeds[i] = r[i];
197 /* Mark all hash keys as not seen before. */
198 for (i = 0; i < ARRAY_LEN (hash_bitmap); i++)
201 time_last_seed_change = time_now;
204 next_index = node->cached_next_index;
206 while (n_left_from > 0)
210 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
212 while (n_left_from > 0 && n_left_to_next > 0)
214 u32 a0, b0, c0, m0, drop0;
216 u32 bi0, indi0, next0;
217 const ip_null_dpo_t *ind0;
227 p0 = vlib_get_buffer (vm, bi0);
229 /* fetch the ip_null DPO index carried in the buffer's TX adjacency slot */
230 indi0 = vnet_buffer (p0)->ip.adj_index[VLIB_TX];
231 ind0 = ip_null_dpo_get(indi0);
/* Default disposition is drop; only the ICMP branches further down change it. */
232 next0 = IP_NULL_NEXT_DROP;
235 * rate limit - don't DoS the sender.
/*
 * Hash key, IPv4 case: destination and source address are XORed into a0/b0.
 * The statements that initialise a0, b0 and c0 are not visible in this
 * listing - presumably they load hash_seeds[]; confirm.
 */
243 ip4_header_t *ip0 = vlib_buffer_get_current (p0);
245 a0 ^= ip0->dst_address.data_u32;
246 b0 ^= ip0->src_address.data_u32;
248 hash_v3_finalize32 (a0, b0, c0);
/*
 * Hash key, IPv6 case: all four 32-bit words of the source address are
 * mixed in, but only words 0 and 1 of the destination address.
 */
252 ip6_header_t *ip0 = vlib_buffer_get_current (p0);
254 a0 ^= ip0->dst_address.as_u32[0];
255 b0 ^= ip0->src_address.as_u32[0];
256 c0 ^= ip0->src_address.as_u32[1];
258 hash_v3_mix32 (a0, b0, c0);
260 a0 ^= ip0->dst_address.as_u32[1];
261 b0 ^= ip0->src_address.as_u32[2];
262 c0 ^= ip0->src_address.as_u32[3];
264 hash_v3_finalize32 (a0, b0, c0);
/*
 * Map the hash onto one bit of hash_bitmap. A bit that is already set means
 * this bucket was seen earlier in the current window, so the packet is
 * dropped without generating an ICMP error.
 *
 * NOTE(review): the two statements after the mask look transposed. c0 is
 * reduced to the word index (c0 / BITS (uword)) before the bit mask is
 * derived from it, so m0 depends only on the word index and each bitmap
 * word only ever uses one bit. The limiter therefore has
 * ARRAY_LEN (hash_bitmap) buckets rather than the 256 the bitmap is sized
 * for, and unrelated flows collide (and lose their ICMP error) far more
 * often than intended. Deriving m0 from c0 % BITS (uword) before dividing
 * c0 restores the full range.
 *
 * NOTE(review): m0 is declared u32 above while the shift is computed in
 * uword. If the ordering is corrected, m0 must be widened to uword too;
 * otherwise, where uword is 64 bits, any bit position >= 32 truncates to 0,
 * drop0 is then always false for that bucket and it is never rate limited.
 */
267 c0 &= BITS (hash_bitmap) - 1;
268 c0 = c0 / BITS (uword);
269 m0 = (uword) 1 << (c0 % BITS (uword));
271 bm0 = hash_bitmap[c0];
272 drop0 = (bm0 & m0) != 0;
274 /* Mark it as seen. */
275 hash_bitmap[c0] = bm0 | m0;
/* Only packets that were not rate limited are considered for an ICMP error. */
277 if (PREDICT_FALSE(!drop0))
282 * There's a trade-off here: this conditional statement
283 * versus a graph node per condition. Given that the
284 * expected number of packets to reach a null route is 0,
285 * we favour the run-time cost over the graph complexity.
/*
 * IPv4 action dispatch (the enclosing protocol test is not visible in this
 * listing): UNREACH selects ICMP destination-unreachable with the
 * host-unreachable code, PROHIBIT selects destination-unreachable with the
 * host-administratively-prohibited code. IP_NULL_ACTION_NONE matches neither
 * branch, so next0 keeps the value assigned before this point.
 */
287 if (IP_NULL_ACTION_SEND_ICMP_UNREACH == ind0->ind_action)
289 next0 = IP_NULL_NEXT_ICMP;
290 icmp4_error_set_vnet_buffer(
292 ICMP4_destination_unreachable,
293 ICMP4_destination_unreachable_destination_unreachable_host,
296 else if (IP_NULL_ACTION_SEND_ICMP_PROHIBIT == ind0->ind_action)
298 next0 = IP_NULL_NEXT_ICMP;
299 icmp4_error_set_vnet_buffer(
301 ICMP4_destination_unreachable,
302 ICMP4_destination_unreachable_host_administratively_prohibited,
/*
 * IPv6 action dispatch: UNREACH selects ICMPv6 destination-unreachable with
 * the no-route-to-destination code, PROHIBIT selects the
 * destination-administratively-prohibited code.
 */
308 if (IP_NULL_ACTION_SEND_ICMP_UNREACH == ind0->ind_action)
310 next0 = IP_NULL_NEXT_ICMP;
311 icmp6_error_set_vnet_buffer(
313 ICMP6_destination_unreachable,
314 ICMP6_destination_unreachable_no_route_to_destination,
317 else if (IP_NULL_ACTION_SEND_ICMP_PROHIBIT == ind0->ind_action)
319 next0 = IP_NULL_NEXT_ICMP;
320 icmp6_error_set_vnet_buffer(
322 ICMP6_destination_unreachable,
323 ICMP6_destination_unreachable_destination_administratively_prohibited,
/*
 * For traced buffers, record the DPO index; format_ip_null_dpo_trace()
 * later passes it to format_ip_null_dpo(), which uses it unchecked.
 */
329 if (PREDICT_FALSE (p0->flags & VLIB_BUFFER_IS_TRACED))
331 ip_null_dpo_trace_t *tr = vlib_add_trace (vm, node, p0,
333 tr->ind_index = indi0;
/* Enqueue the buffer towards next0. */
335 vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next,
336 n_left_to_next, bi0, next0);
339 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
/* The whole input frame is reported as processed. */
342 return frame->n_vectors;
/*
 * Trace formatter registered on both null-DPO nodes: consumes the vm and
 * node arguments without using them, then prints the recorded DPO index
 * through format_ip_null_dpo with an indent of 0.
 *
 * NOTE(review): t->ind_index is whatever the buffer's TX adjacency slot held
 * when the packet was traced; format_ip_null_dpo uses it as an array index
 * without a range check.
 */
346 format_ip_null_dpo_trace (u8 * s, va_list * args)
348 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
349 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
350 ip_null_dpo_trace_t *t = va_arg (*args, ip_null_dpo_trace_t *);
352 s = format (s, "%U", format_ip_null_dpo, t->ind_index, 0);
/*
 * Node function of ip4_null_dpo_node: runs the shared ip_null_dpo_switch
 * worker with its final argument set to 1, which selects the IPv4 path.
 */
357 ip4_null_dpo_switch (vlib_main_t * vm,
358 vlib_node_runtime_t * node,
359 vlib_frame_t * frame)
361 return (ip_null_dpo_switch(vm, node, frame, 1));
367 VLIB_REGISTER_NODE (ip4_null_dpo_node) = {
368 .function = ip4_null_dpo_switch,
370 .vector_size = sizeof (u32),
372 .format_trace = format_ip_null_dpo_trace,
373 .n_next_nodes = IP_NULL_NEXT_NUM,
375 [IP_NULL_NEXT_DROP] = "ip4-drop",
376 [IP_NULL_NEXT_ICMP] = "ip4-icmp-error",
/*
 * Node function of ip6_null_dpo_node: runs the shared ip_null_dpo_switch
 * worker with its final argument set to 0, which selects the IPv6 path.
 */
381 ip6_null_dpo_switch (vlib_main_t * vm,
382 vlib_node_runtime_t * node,
383 vlib_frame_t * frame)
385 return (ip_null_dpo_switch(vm, node, frame, 0));
391 VLIB_REGISTER_NODE (ip6_null_dpo_node) = {
392 .function = ip6_null_dpo_switch,
394 .vector_size = sizeof (u32),
396 .format_trace = format_ip_null_dpo_trace,
397 .n_next_nodes = IP_NULL_NEXT_NUM,
399 [IP_NULL_NEXT_DROP] = "ip6-drop",
400 [IP_NULL_NEXT_ICMP] = "ip6-icmp-error",
/*
 * Register the DPO_IP_NULL type with the DPO layer, supplying its
 * lock/unlock/format function table (ip_null_vft) and the per-protocol
 * graph-node name lists (ip_null_nodes).
 */
405 ip_null_dpo_module_init (void)
407 dpo_register(DPO_IP_NULL, &ip_null_vft, ip_null_nodes);