#include <vnet/dpo/dvr_dpo.h>
#include <vnet/dpo/drop_dpo.h>
#include <vnet/vxlan-gbp/vxlan_gbp_packet.h>
+#include <vnet/vxlan-gbp/vxlan_gbp.h>
#include <plugins/gbp/gbp.h>
+#include <plugins/gbp/gbp_policy.h>
#include <plugins/gbp/gbp_policy_dpo.h>
#include <plugins/gbp/gbp_recirc.h>
+#include <plugins/gbp/gbp_contract.h>
#ifndef CLIB_MARCH_VARIANT
/**
void
gbp_policy_dpo_add_or_lock (dpo_proto_t dproto,
- epg_id_t epg, u32 sw_if_index, dpo_id_t * dpo)
+ gbp_scope_t scope,
+ sclass_t sclass, u32 sw_if_index, dpo_id_t * dpo)
{
gbp_policy_dpo_t *gpd;
dpo_id_t parent = DPO_INVALID;
gpd->gpd_proto = dproto;
gpd->gpd_sw_if_index = sw_if_index;
- gpd->gpd_epg = epg;
+ gpd->gpd_sclass = sclass;
+ gpd->gpd_scope = scope;
if (~0 != sw_if_index)
{
gbp_policy_dpo_t *gpd = gbp_policy_dpo_get (index);
vnet_main_t *vnm = vnet_get_main ();
- s = format (s, "gbp-policy-dpo: %U, epg:%d out:%U",
+ s = format (s, "gbp-policy-dpo: %U, scope:%d sclass:%d out:%U",
format_dpo_proto, gpd->gpd_proto,
- gpd->gpd_epg,
+ gpd->gpd_scope, (int) gpd->gpd_sclass,
format_vnet_sw_if_index_name, vnm, gpd->gpd_sw_if_index);
s = format (s, "\n%U", format_white_space, indent + 2);
s = format (s, "%U", format_dpo_id, &gpd->gpd_dpo, indent + 4);
gpd = gbp_policy_dpo_get (original->dpoi_index);
gpd_clone->gpd_proto = gpd->gpd_proto;
- gpd_clone->gpd_epg = gpd->gpd_epg;
+ gpd_clone->gpd_scope = gpd->gpd_scope;
+ gpd_clone->gpd_sclass = gpd->gpd_sclass;
gpd_clone->gpd_sw_if_index = gpd->gpd_sw_if_index;
+ /*
+ * if no interface is provided, grab one from the parent
+ * on which we stack
+ */
+ if (~0 == gpd_clone->gpd_sw_if_index)
+ gpd_clone->gpd_sw_if_index = dpo_get_urpf (parent);
+
dpo_stack (gbp_policy_dpo_type,
gpd_clone->gpd_proto, &gpd_clone->gpd_dpo, parent);
VLIB_INIT_FUNCTION (gbp_policy_dpo_module_init);
#endif /* CLIB_MARCH_VARIANT */
-typedef struct gbp_policy_dpo_trace_t_
-{
- u32 src_epg;
- u32 dst_epg;
- u32 acl_index;
- u32 a_bit;
-} gbp_policy_dpo_trace_t;
-
typedef enum
{
GBP_POLICY_DROP,
{
gbp_main_t *gm = &gbp_main;
u32 n_left_from, next_index, *from, *to_next;
- gbp_rule_t *gu;
+ u32 n_allow_intra, n_allow_a_bit, n_allow_sclass_1;
from = vlib_frame_vector_args (from_frame);
n_left_from = from_frame->n_vectors;
+ n_allow_intra = n_allow_a_bit = n_allow_sclass_1 = 0;
next_index = node->cached_next_index;
while (n_left_from > 0 && n_left_to_next > 0)
{
+ gbp_rule_action_t action0 = GBP_RULE_DENY;
+ u32 acl_match = ~0, rule_match = ~0;
const gbp_policy_dpo_t *gpd0;
- u32 bi0, next0;
+ gbp_contract_error_t err0;
gbp_contract_key_t key0;
- gbp_contract_t *gc0;
vlib_buffer_t *b0;
- index_t gci0;
+ gbp_rule_t *rule0;
+ u32 bi0, next0;
bi0 = from[0];
to_next[0] = bi0;
b0 = vlib_get_buffer (vm, bi0);
- gc0 = NULL;
gpd0 = gbp_policy_dpo_get (vnet_buffer (b0)->ip.adj_index[VLIB_TX]);
vnet_buffer (b0)->ip.adj_index[VLIB_TX] = gpd0->gpd_dpo.dpoi_index;
+ /*
+ * Reflection check; in and out on an ivxlan tunnel
+ */
+ if ((~0 != vxlan_gbp_tunnel_by_sw_if_index (gpd0->gpd_sw_if_index))
+ && (vnet_buffer2 (b0)->gbp.flags & VXLAN_GBP_GPFLAGS_R))
+ {
+ goto trace;
+ }
+
if (vnet_buffer2 (b0)->gbp.flags & VXLAN_GBP_GPFLAGS_A)
{
next0 = gpd0->gpd_dpo.dpoi_next_node;
- key0.as_u32 = ~0;
+ key0.as_u64 = ~0;
+ n_allow_a_bit++;
goto trace;
}
- key0.gck_src = vnet_buffer2 (b0)->gbp.src_epg;
- key0.gck_dst = gpd0->gpd_epg;
+ /* zero out the key to ensure the pad space is clear */
+ key0.as_u64 = 0;
+ key0.gck_src = vnet_buffer2 (b0)->gbp.sclass;
- if (EPG_INVALID != key0.gck_src)
- {
- if (PREDICT_FALSE (key0.gck_src == key0.gck_dst))
- {
- /*
- * intra-epg allowed
- */
- next0 = gpd0->gpd_dpo.dpoi_next_node;
- vnet_buffer2 (b0)->gbp.flags |= VXLAN_GBP_GPFLAGS_A;
- }
- else
- {
- gci0 = gbp_contract_find (&key0);
-
- if (INDEX_INVALID != gci0)
- {
- fa_5tuple_opaque_t pkt_5tuple0;
- u8 action0 = 0;
- u32 acl_pos_p0, acl_match_p0;
- u32 rule_match_p0, trace_bitmap0;
- /*
- * tests against the ACL
- */
- gc0 = gbp_contract_get (gci0);
- acl_plugin_fill_5tuple_inline (gm->
- acl_plugin.p_acl_main,
- gc0->gc_lc_index, b0,
- is_ip6,
- /* is_input */ 1,
- /* is_l2_path */ 0,
- &pkt_5tuple0);
- acl_plugin_match_5tuple_inline (gm->
- acl_plugin.p_acl_main,
- gc0->gc_lc_index,
- &pkt_5tuple0, is_ip6,
- &action0, &acl_pos_p0,
- &acl_match_p0,
- &rule_match_p0,
- &trace_bitmap0);
-
- if (action0 > 0)
- {
-
- vnet_buffer2 (b0)->gbp.flags |= VXLAN_GBP_GPFLAGS_A;
- gu = gbp_rule_get (gc0->gc_rules[rule_match_p0]);
-
- switch (gu->gu_action)
- {
- case GBP_RULE_PERMIT:
- next0 = gpd0->gpd_dpo.dpoi_next_node;
- break;
- case GBP_RULE_DENY:
- next0 = 0;
- break;
- case GBP_RULE_REDIRECT:
- next0 = gbp_rule_l3_redirect (gu, b0, is_ip6);
- break;
- }
- }
- }
- }
- }
- else
+ if (SCLASS_INVALID == key0.gck_src)
{
/*
* the src EPG is not set when the packet arrives on an EPG
* uplink interface and we do not need to apply policy
*/
next0 = gpd0->gpd_dpo.dpoi_next_node;
+ goto trace;
}
- trace:
- if (PREDICT_FALSE (b0->flags & VLIB_BUFFER_IS_TRACED))
- {
- gbp_policy_dpo_trace_t *tr;
- tr = vlib_add_trace (vm, node, b0, sizeof (*tr));
- tr->src_epg = key0.gck_src;
- tr->dst_epg = key0.gck_dst;
- tr->acl_index = (gc0 ? gc0->gc_acl_index : ~0);
- tr->a_bit = vnet_buffer2 (b0)->gbp.flags & VXLAN_GBP_GPFLAGS_A;
+ key0.gck_scope = gpd0->gpd_scope;
+ key0.gck_dst = gpd0->gpd_sclass;
+
+ action0 =
+ gbp_contract_apply (vm, gm, &key0, b0, &rule0, &n_allow_intra,
+ &n_allow_sclass_1, &acl_match, &rule_match,
+ &err0,
+ is_ip6 ? GBP_CONTRACT_APPLY_IP6 :
+ GBP_CONTRACT_APPLY_IP4);
+ switch (action0)
+ {
+ case GBP_RULE_PERMIT:
+ next0 = gpd0->gpd_dpo.dpoi_next_node;
+ vnet_buffer2 (b0)->gbp.flags |= VXLAN_GBP_GPFLAGS_A;
+ break;
+ case GBP_RULE_REDIRECT:
+ next0 = gbp_rule_l3_redirect (rule0, b0, is_ip6);
+ vnet_buffer2 (b0)->gbp.flags |= VXLAN_GBP_GPFLAGS_A;
+ break;
+ case GBP_RULE_DENY:
+ next0 = GBP_POLICY_DROP;
+ b0->error = node->errors[err0];
+ break;
}
+ trace:
+ gbp_policy_trace (vm, node, b0, &key0, action0, acl_match,
+ rule_match);
+
vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next,
n_left_to_next, bi0, next0);
}
vlib_put_next_frame (vm, node, next_index, n_left_to_next);
}
- return from_frame->n_vectors;
-}
-
-static u8 *
-format_gbp_policy_dpo_trace (u8 * s, va_list * args)
-{
- CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
- CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
- gbp_policy_dpo_trace_t *t = va_arg (*args, gbp_policy_dpo_trace_t *);
-
- s = format (s, " src-epg:%d dst-epg:%d acl-index:%d a-bit:%d",
- t->src_epg, t->dst_epg, t->acl_index, t->a_bit);
- return s;
+ vlib_node_increment_counter (vm, node->node_index,
+ GBP_CONTRACT_ERROR_ALLOW_INTRA, n_allow_intra);
+ vlib_node_increment_counter (vm, node->node_index,
+ GBP_CONTRACT_ERROR_ALLOW_A_BIT, n_allow_a_bit);
+ vlib_node_increment_counter (vm, node->node_index,
+ GBP_CONTRACT_ERROR_ALLOW_SCLASS_1,
+ n_allow_sclass_1);
+ return from_frame->n_vectors;
}
VLIB_NODE_FN (ip4_gbp_policy_dpo_node) (vlib_main_t * vm,
VLIB_REGISTER_NODE (ip4_gbp_policy_dpo_node) = {
.name = "ip4-gbp-policy-dpo",
.vector_size = sizeof (u32),
- .format_trace = format_gbp_policy_dpo_trace,
+ .format_trace = format_gbp_policy_trace,
+
+ .n_errors = ARRAY_LEN(gbp_contract_error_strings),
+ .error_strings = gbp_contract_error_strings,
+
.n_next_nodes = GBP_POLICY_N_NEXT,
.next_nodes =
{
VLIB_REGISTER_NODE (ip6_gbp_policy_dpo_node) = {
.name = "ip6-gbp-policy-dpo",
.vector_size = sizeof (u32),
- .format_trace = format_gbp_policy_dpo_trace,
+ .format_trace = format_gbp_policy_trace,
+
+ .n_errors = ARRAY_LEN(gbp_contract_error_strings),
+ .error_strings = gbp_contract_error_strings,
+
.n_next_nodes = GBP_POLICY_N_NEXT,
.next_nodes =
{