2 * Copyright (c) 2016 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
16 #include <vlib/vlib.h>
17 #include <vnet/vnet.h>
18 #include <vnet/pg/pg.h>
19 #include <vppinfra/error.h>
20 #include <vnet/feature/feature.h>
21 #include <vnet/ip/ip.h>
22 #include <vppinfra/xxhash.h>
29 } syn_filter4_runtime_t;
36 } syn_filter4_trace_t;
38 /* packet trace format function */
/*
 * Render one syn_filter4_trace_t record for "show trace": the next index
 * the packet was sent to, whether it was classified as a SYN, and - only
 * for SYNs - the per-source bucket value seen when it was processed
 * (filter_value is recorded as 0 for non-SYNs by the node function).
 * vm and node are pulled from the va_list for signature compatibility
 * but are unused.
 * NOTE(review): the listing omits this function's return-type line, its
 * braces and the trailing "return s;".
 */
40 format_syn_filter4_trace (u8 * s, va_list * args)
42 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
43 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
44 syn_filter4_trace_t *t = va_arg (*args, syn_filter4_trace_t *);
46 s = format (s, "SYN_FILTER4: next index %d, %s",
47 t->next_index, t->not_a_syn ? "not a syn" : "syn");
/* The bucket value only means something for packets that were counted. */
48 if (t->not_a_syn == 0)
49 s = format (s, ", filter value %d\n", t->filter_value);
/*
 * Forward declaration of the node registration (defined below with
 * VLIB_REGISTER_NODE): the node function and the enable/disable path
 * both need syn_filter4_node.index before the definition appears.
 */
55 static vlib_node_registration_t syn_filter4_node;
/*
 * Error counters for this node, generated from one X-macro: an enum
 * value SYN_FILTER_ERROR_<sym> and a display string per entry.
 * THROTTLED is charged to each packet sent to the drop next node;
 * OK is incremented once per frame by ok_syn_packets.
 */
57 #define foreach_syn_filter_error \
58 _(THROTTLED, "TCP SYN packet throttle drops") \
59 _(OK, "TCP SYN packets passed")
/* Enum expansion (the enclosing typedef enum lines are not in this listing). */
63 #define _(sym,str) SYN_FILTER_ERROR_##sym,
64 foreach_syn_filter_error
/*
 * Counter names, indexed by the enum above; handed to vlib through
 * .error_strings / .n_errors in the node registration.
 */
69 static char *syn_filter4_error_strings[] = {
70 #define _(sym,string) string,
71 foreach_syn_filter_error
/*
 * The ip4-local feature arc registration, defined elsewhere in vnet.
 * Only its feature_arc_index is used here, to find the arc's config
 * main so each buffer's next node can be looked up.
 */
81 extern vnet_feature_arc_registration_t vnet_feat_arc_ip4_local;
/*
 * syn-filter-4 node function: runs on the ip4-local feature arc and
 * rate-limits inbound TCP SYNs per IPv4 source address.
 *
 * Buffers are handled four at a time (prefetching the following four)
 * and then one at a time.  For every buffer the next node is fetched
 * from the feature-arc config; then:
 *   - non-TCP packets and TCP packets without the SYN bit (0x2) are
 *     left alone (not_a_syn stays 1, next index unchanged);
 *   - for SYNs, the source address is hashed with clib_xxhash into a
 *     u8 bucket of rt->syn_counts; a bucket already at or above 0x80
 *     sends the packet to SYN_FILTER_NEXT_DROP with the THROTTLED error.
 * The bucket table is zeroed whenever vlib_time_now() passes
 * rt->next_reset, which is then advanced by rt->reset_interval.
 * Returns frame->n_vectors: every buffer is enqueued to some next node.
 *
 * Limits of the mechanism, as visible here: the key is the source
 * address only, so a per-source limit does not bound the aggregate SYN
 * rate across many distinct sources, while clients that share one
 * source address (e.g. behind a NAT) share a single bucket.
 *
 * NOTE(review): this listing drops a number of lines from the function
 * (the return-type line, braces, the branch targets after the protocol
 * and flag checks, the bucket/ok_syn_packets increments for a passed SYN,
 * and parts of the single-packet loop).  Those steps are inferred from
 * the surrounding code, not visible - confirm against the full source.
 */
84 syn_filter4_node_fn (vlib_main_t * vm,
85 vlib_node_runtime_t * node, vlib_frame_t * frame)
87 u32 n_left_from, *from, *to_next;
88 syn_filter_next_t next_index;
89 u32 ok_syn_packets = 0;
90 vnet_feature_main_t *fm = &feature_main;
91 u8 arc_index = vnet_feat_arc_ip4_local.feature_arc_index;
92 vnet_feature_config_main_t *cm = &fm->feature_config_mains[arc_index];
/*
 * Per-node runtime state (bucket table, reset timing) lives in the node
 * runtime data, so it is private to this node on this thread; sized by
 * .runtime_data_bytes in the registration below.
 */
93 syn_filter4_runtime_t *rt = (syn_filter4_runtime_t *) node->runtime_data;
94 f64 now = vlib_time_now (vm);
95 /* Shut up spurious gcc warnings. */
/* c0..c3 point at the bucket of the most recent SYN in each lane. */
96 u8 *c0 = 0, *c1 = 0, *c2 = 0, *c3 = 0;
98 from = vlib_frame_vector_args (frame);
99 n_left_from = frame->n_vectors;
100 next_index = node->cached_next_index;
/*
 * Periodic table reset.  The third memset argument is vec_len(), an
 * element count rather than a byte count; that is only the full table
 * because the buckets are u8 (see c0..c3 above).  A wider bucket type
 * would need vec_bytes()/sizeof here.  First-pass behaviour depends on
 * the initial value of rt->next_reset, which is not set in this listing.
 */
102 if (now > rt->next_reset)
104 memset (rt->syn_counts, 0, vec_len (rt->syn_counts));
105 rt->next_reset = now + rt->reset_interval;
108 while (n_left_from > 0)
112 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
/* Quad loop: needs 8 buffers left so the next 4 can be prefetched. */
114 while (n_left_from >= 8 && n_left_to_next >= 4)
116 u32 bi0, bi1, bi2, bi3;
117 vlib_buffer_t *b0, *b1, *b2, *b3;
118 u32 next0, next1, next2, next3;
119 ip4_header_t *ip0, *ip1, *ip2, *ip3;
120 tcp_header_t *tcp0, *tcp1, *tcp2, *tcp3;
/* Default to "not a SYN"; cleared only on the counted path (not visible here). */
121 u32 not_a_syn0 = 1, not_a_syn1 = 1, not_a_syn2 = 1, not_a_syn3 = 1;
122 u64 hash0, hash1, hash2, hash3;
124 /* Prefetch next iteration. */
126 vlib_buffer_t *p4, *p5, *p6, *p7;
128 p4 = vlib_get_buffer (vm, from[4]);
129 p5 = vlib_get_buffer (vm, from[5]);
130 p6 = vlib_get_buffer (vm, from[6]);
131 p7 = vlib_get_buffer (vm, from[7]);
133 vlib_prefetch_buffer_header (p4, LOAD);
134 vlib_prefetch_buffer_header (p5, LOAD);
135 vlib_prefetch_buffer_header (p6, LOAD);
136 vlib_prefetch_buffer_header (p7, LOAD);
138 CLIB_PREFETCH (p4->data, CLIB_CACHE_LINE_BYTES, STORE);
139 CLIB_PREFETCH (p5->data, CLIB_CACHE_LINE_BYTES, STORE);
140 CLIB_PREFETCH (p6->data, CLIB_CACHE_LINE_BYTES, STORE);
141 CLIB_PREFETCH (p7->data, CLIB_CACHE_LINE_BYTES, STORE);
144 /* speculatively enqueue b0 and b1 to the current next frame */
145 to_next[0] = bi0 = from[0];
146 to_next[1] = bi1 = from[1];
147 to_next[2] = bi2 = from[2];
148 to_next[3] = bi3 = from[3];
154 b0 = vlib_get_buffer (vm, bi0);
155 b1 = vlib_get_buffer (vm, bi1);
156 b2 = vlib_get_buffer (vm, bi2);
157 b3 = vlib_get_buffer (vm, bi3);
/*
 * Per-buffer next-node lookup from the feature-arc config chain
 * (the callee's name line is dropped from this listing); the 0 means no
 * per-feature config data is consumed.
 */
160 (&cm->config_main, &b0->current_config_index,
161 &next0, 0 /* sizeof (c0[0]) */ );
163 (&cm->config_main, &b1->current_config_index,
164 &next1, 0 /* sizeof (c0[0]) */ );
166 (&cm->config_main, &b2->current_config_index,
167 &next2, 0 /* sizeof (c0[0]) */ );
169 (&cm->config_main, &b3->current_config_index,
170 &next3, 0 /* sizeof (c0[0]) */ );
/*
 * Lane 0.  The buffer is read as an IPv4 header followed by TCP; no
 * length check is made here, presumably because ip4-input has already
 * validated the headers by the time the ip4-local arc runs - confirm.
 */
173 ip0 = vlib_buffer_get_current (b0);
174 if (ip0->protocol != IP_PROTOCOL_TCP)
177 tcp0 = ip4_next_header (ip0);
180 * $$$$ hack: the TCP bitfield flags seem not to compile
/* 0x2 is the SYN bit in the TCP flags byte; SYN+ACK (0x12) matches too. */
183 if (PREDICT_TRUE (!(tcp0->flags & 0x2)))
/*
 * Bucket selection: hash the 32-bit source address and mask with
 * (len - 1), which requires the table length to be a power of two
 * (the enable path allocates 1024 entries).  _vec_len() assumes
 * syn_counts is non-NULL, i.e. that the feature is only enabled after
 * the table exists.
 */
187 hash0 = clib_xxhash ((u64) ip0->src_address.as_u32);
188 c0 = &rt->syn_counts[hash0 & (_vec_len (rt->syn_counts) - 1)];
/* Threshold: a bucket at or above 0x80 means this source is throttled. */
189 if (PREDICT_FALSE (*c0 >= 0x80))
191 next0 = SYN_FILTER_NEXT_DROP;
192 b0->error = node->errors[SYN_FILTER_ERROR_THROTTLED];
/* Trace only when both the node and this buffer have tracing on. */
199 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
200 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
202 syn_filter4_trace_t *t =
203 vlib_add_trace (vm, node, b0, sizeof (*t));
204 t->not_a_syn = not_a_syn0;
205 t->next_index = next0;
/* c0 may be stale from an earlier packet; only report it for a SYN. */
206 t->filter_value = not_a_syn0 ? 0 : *c0;
/* Lane 1: same processing as lane 0. */
210 ip1 = vlib_buffer_get_current (b1);
211 if (ip1->protocol != IP_PROTOCOL_TCP)
214 tcp1 = ip4_next_header (ip1);
217 * $$$$ hack: the TCP bitfield flags seem not to compile
220 if (PREDICT_TRUE (!(tcp1->flags & 0x2)))
224 hash1 = clib_xxhash ((u64) ip1->src_address.as_u32);
225 c1 = &rt->syn_counts[hash1 & (_vec_len (rt->syn_counts) - 1)];
226 if (PREDICT_FALSE (*c1 >= 0x80))
228 next1 = SYN_FILTER_NEXT_DROP;
229 b1->error = node->errors[SYN_FILTER_ERROR_THROTTLED];
236 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
237 && (b1->flags & VLIB_BUFFER_IS_TRACED)))
239 syn_filter4_trace_t *t =
240 vlib_add_trace (vm, node, b1, sizeof (*t));
241 t->not_a_syn = not_a_syn1;
242 t->next_index = next1;
243 t->filter_value = not_a_syn1 ? 0 : *c1;
/* Lane 2: same processing as lane 0. */
247 ip2 = vlib_buffer_get_current (b2);
248 if (ip2->protocol != IP_PROTOCOL_TCP)
251 tcp2 = ip4_next_header (ip2);
254 * $$$$ hack: the TCP bitfield flags seem not to compile
257 if (PREDICT_TRUE (!(tcp2->flags & 0x2)))
261 hash2 = clib_xxhash ((u64) ip2->src_address.as_u32);
262 c2 = &rt->syn_counts[hash2 & (_vec_len (rt->syn_counts) - 1)];
263 if (PREDICT_FALSE (*c2 >= 0x80))
265 next2 = SYN_FILTER_NEXT_DROP;
266 b2->error = node->errors[SYN_FILTER_ERROR_THROTTLED];
273 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
274 && (b2->flags & VLIB_BUFFER_IS_TRACED)))
276 syn_filter4_trace_t *t =
277 vlib_add_trace (vm, node, b2, sizeof (*t));
278 t->not_a_syn = not_a_syn2;
279 t->next_index = next2;
280 t->filter_value = not_a_syn2 ? 0 : *c2;
/* Lane 3: same processing as lane 0. */
284 ip3 = vlib_buffer_get_current (b3);
285 if (ip3->protocol != IP_PROTOCOL_TCP)
288 tcp3 = ip4_next_header (ip3);
291 * $$$$ hack: the TCP bitfield flags seem not to compile
294 if (PREDICT_TRUE (!(tcp3->flags & 0x2)))
298 hash3 = clib_xxhash ((u64) ip3->src_address.as_u32);
299 c3 = &rt->syn_counts[hash3 & (_vec_len (rt->syn_counts) - 1)];
300 if (PREDICT_FALSE (*c3 >= 0x80))
302 next3 = SYN_FILTER_NEXT_DROP;
303 b3->error = node->errors[SYN_FILTER_ERROR_THROTTLED];
310 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
311 && (b3->flags & VLIB_BUFFER_IS_TRACED)))
313 syn_filter4_trace_t *t =
314 vlib_add_trace (vm, node, b3, sizeof (*t));
315 t->not_a_syn = not_a_syn3;
316 t->next_index = next3;
317 t->filter_value = not_a_syn3 ? 0 : *c3;
/* Verify the four speculative enqueues; moves any buffer whose next differs. */
319 vlib_validate_buffer_enqueue_x4 (vm, node, next_index,
320 to_next, n_left_to_next,
322 next0, next1, next2, next3);
/*
 * Single-buffer loop for the tail of the frame.  Same classification as
 * the quad loop; its local declarations and enqueue of bi0 are missing
 * from this listing.
 */
325 while (n_left_from > 0 && n_left_to_next > 0)
336 /* speculatively enqueue b0 to the current next frame */
344 b0 = vlib_get_buffer (vm, bi0);
347 (&cm->config_main, &b0->current_config_index,
348 &next0, 0 /* sizeof (c0[0]) */ );
351 ip0 = vlib_buffer_get_current (b0);
352 if (ip0->protocol != IP_PROTOCOL_TCP)
355 tcp0 = ip4_next_header (ip0);
358 * $$$$ hack: the TCP bitfield flags seem not to compile
361 if (PREDICT_TRUE (!(tcp0->flags & 0x2)))
365 hash0 = clib_xxhash ((u64) ip0->src_address.as_u32);
366 c0 = &rt->syn_counts[hash0 & (_vec_len (rt->syn_counts) - 1)];
367 if (PREDICT_FALSE (*c0 >= 0x80))
369 next0 = SYN_FILTER_NEXT_DROP;
370 b0->error = node->errors[SYN_FILTER_ERROR_THROTTLED];
378 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
379 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
381 syn_filter4_trace_t *t =
382 vlib_add_trace (vm, node, b0, sizeof (*t));
383 t->not_a_syn = not_a_syn0;
384 t->next_index = next0;
385 t->filter_value = not_a_syn0 ? 0 : *c0;
388 /* verify speculative enqueue, maybe switch current next frame */
389 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
390 to_next, n_left_to_next,
394 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
/* Frame-level accounting of SYNs that were allowed through. */
397 vlib_node_increment_counter (vm, syn_filter4_node.index,
398 SYN_FILTER_ERROR_OK, ok_syn_packets);
399 return frame->n_vectors;
/*
 * Node registration for "syn-filter-4".  runtime_data_bytes reserves a
 * syn_filter4_runtime_t per node runtime (bucket table pointer and reset
 * timing); n_errors/error_strings wire up the THROTTLED/OK counters; the
 * only explicit next node is error-drop for throttled packets, since
 * passed packets take the next index supplied by the feature arc.
 * NOTE(review): the ".next_nodes = {" line and closing braces are not
 * in this listing.
 */
403 VLIB_REGISTER_NODE (syn_filter4_node, static) =
405 .function = syn_filter4_node_fn,
406 .name = "syn-filter-4",
407 .vector_size = sizeof (u32),
408 .format_trace = format_syn_filter4_trace,
409 .type = VLIB_NODE_TYPE_INTERNAL,
411 .runtime_data_bytes = sizeof (syn_filter4_runtime_t),
412 .n_errors = ARRAY_LEN(syn_filter4_error_strings),
413 .error_strings = syn_filter4_error_strings,
415 .n_next_nodes = SYN_FILTER_N_NEXT,
417 /* edit / add dispositions here */
419 [SYN_FILTER_NEXT_DROP] = "error-drop",
/* Let vlib pick a CPU-specific build of the node function at runtime. */
424 VLIB_NODE_FUNCTION_MULTIARCH (syn_filter4_node, syn_filter4_node_fn);
/*
 * Register "syn-filter-4" as a feature on the ip4-local arc, ordered
 * before ip4-local-end-of-arc so it sees locally-destined IPv4 packets
 * before they reach the end of the arc.  Enabling it per interface is
 * done in syn_filter_enable_disable().
 */
427 VNET_FEATURE_INIT (syn_filter_4, static) =
429 .arc_name = "ip4-local",
430 .node_name = "syn-filter-4",
431 .runs_before = VNET_FEATURES("ip4-local-end-of-arc"),
/*
 * Enable or disable the SYN filter on one interface.
 *
 * sw_if_index    - software interface index; must be a live pool entry
 *                  and a hardware interface, otherwise
 *                  VNET_API_ERROR_INVALID_SW_IF_INDEX is returned.
 * enable_disable - non-zero to enable, zero to disable; passed through
 *                  to vnet_feature_enable_disable().
 * Returns the vnet_feature_enable_disable() result (rv).
 *
 * Before toggling the feature, the node runtime gets a 1024-entry bucket
 * table (vec_validate up to index 1023) - a power of two, which the node
 * function's hash mask relies on - and a 0.1 s reset interval.
 * NOTE(review): the return-type line, the "rv" declaration/return and
 * the block around "this_vlib_main" are not in this listing; the latter
 * looks like a per-thread loop, which would be needed because the node
 * runtime data is per thread - confirm.
 */
436 syn_filter_enable_disable (u32 sw_if_index, int enable_disable)
438 vnet_main_t *vnm = vnet_get_main ();
439 vnet_sw_interface_t *sw;
/* Reject indices that are not in the sw interface pool at all. */
443 if (pool_is_free_index (vnm->interface_main.sw_interfaces, sw_if_index))
444 return VNET_API_ERROR_INVALID_SW_IF_INDEX;
446 /* Not a physical port? */
447 sw = vnet_get_sw_interface (vnm, sw_if_index);
448 if (sw->type != VNET_SW_INTERFACE_TYPE_HARDWARE)
449 return VNET_API_ERROR_INVALID_SW_IF_INDEX;
453 syn_filter4_runtime_t *rt;
/* vec_validate only grows, so repeated enables keep the existing table. */
457 rt = vlib_node_get_runtime_data (this_vlib_main, syn_filter4_node.index);
458 vec_validate (rt->syn_counts, 1023);
/*
 * Capacity arithmetic below assumes one count per SYN and the 0x80
 * threshold used by the node function; the increment applied to a
 * passed SYN is not visible in this listing - confirm.
 */
460 * Given perfect disperson / optimal hashing results:
461 * Allow 128k (successful) syns/sec. 1024, buckets each of which
462 * absorb 128 syns before filtering. Reset table once a second.
463 * Reality bites, lets try resetting once every 100ms.
465 rt->reset_interval = 0.1; /* reset interval in seconds */
/* Arc and node are looked up by name; 0,0 = no per-feature config data. */
470 rv = vnet_feature_enable_disable ("ip4-local", "syn-filter-4",
471 sw_if_index, enable_disable, 0, 0);
/*
 * CLI handler for "ip syn filter <interface-name> [disable]".
 * Parses an optional "disable" token and an interface name; an interface
 * is mandatory.  Calls syn_filter_enable_disable() and maps its error
 * codes to user-facing messages; returns NULL on success (the "case 0"
 * and "default" arms of the switch, and the rv declaration, are not in
 * this listing).
 * NOTE(review): the VNET_API_ERROR_UNIMPLEMENTED message mentions
 * "redirection", which does not describe this feature; it looks copied
 * from another plugin's CLI handler.
 */
476 static clib_error_t *
477 syn_filter_enable_disable_command_fn (vlib_main_t * vm,
478 unformat_input_t * input,
479 vlib_cli_command_t * cmd)
481 vnet_main_t *vnm = vnet_get_main ();
/* ~0 marks "no interface given" until unformat_vnet_sw_interface sets it. */
482 u32 sw_if_index = ~0;
483 int enable_disable = 1;
/* Consume tokens until the input is exhausted (or an unknown token, not shown). */
486 while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
488 if (unformat (input, "disable"))
490 else if (unformat (input, "%U", unformat_vnet_sw_interface,
497 if (sw_if_index == ~0)
498 return clib_error_return (0, "Please specify an interface...");
500 rv = syn_filter_enable_disable (sw_if_index, enable_disable);
/* Same code for "not in pool" and "not a hardware interface". */
507 case VNET_API_ERROR_INVALID_SW_IF_INDEX:
508 return clib_error_return
509 (0, "Invalid interface, only works on physical ports");
512 case VNET_API_ERROR_UNIMPLEMENTED:
513 return clib_error_return (0,
514 "Device driver doesn't support redirection");
517 case VNET_API_ERROR_INVALID_VALUE:
518 return clib_error_return (0, "feature arc not found");
520 case VNET_API_ERROR_INVALID_VALUE_2:
521 return clib_error_return (0, "feature node not found");
/* Any other non-zero rv is reported numerically. */
524 return clib_error_return (0, "syn_filter_enable_disable returned %d",
/*
 * CLI registration for the enable/disable command.  The registration
 * symbol "sr_content_command" does not match the command's purpose and
 * looks like a leftover from a template; the user-visible path is what
 * matters.
 */
531 VLIB_CLI_COMMAND (sr_content_command, static) =
533 .path = "ip syn filter",
534 .short_help = "ip syn filter <interface-name> [disable]",
535 .function = syn_filter_enable_disable_command_fn,
540 * fd.io coding-style-patch-verification: ON
543 * eval: (c-set-style "gnu")