X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=vnet%2Fvnet%2Fmap%2Fmap.h;h=4b3df5f08427c3b903bb6aed0d533e2b153d9aaa;hb=06e3d075760be43dbd61385d3c7861cd5fe44af2;hp=ae58cdb91206bbec0d0625f7fe51af67ac7d8ba1;hpb=cb9cadad578297ffd78fa8a33670bdf1ab669e7e;p=vpp.git
diff --git a/vnet/vnet/map/map.h b/vnet/vnet/map/map.h
index ae58cdb9120..4b3df5f0842 100644
--- a/vnet/vnet/map/map.h
+++ b/vnet/vnet/map/map.h
@@ -20,26 +20,28 @@ #define MAP_SKIP_IP6_LOOKUP 1 -typedef enum { +typedef enum +{ MAP_SENDER, MAP_RECEIVER } map_dir_e; -int map_create_domain(ip4_address_t *ip4_prefix, u8 ip4_prefix_len, - ip6_address_t *ip6_prefix, u8 ip6_prefix_len, - ip6_address_t *ip6_src, u8 ip6_src_len, - u8 ea_bits_len, u8 psid_offset, u8 psid_length, - u32 *map_domain_index, u16 mtu, u8 flags); -int map_delete_domain(u32 map_domain_index); -int map_add_del_psid(u32 map_domain_index, u16 psid, ip6_address_t *tep, u8 is_add); -u8 *format_map_trace(u8 *s, va_list *args); -i32 ip4_get_port(ip4_header_t *ip, map_dir_e dir, u16 buffer_len); -i32 ip6_get_port(ip6_header_t *ip6, map_dir_e dir, u16 buffer_len); -u16 ip4_map_get_port (ip4_header_t *ip, map_dir_e dir); - -typedef enum __attribute__ ((__packed__)) { - MAP_DOMAIN_PREFIX = 1 << 0, - MAP_DOMAIN_TRANSLATION = 1 << 1, // The domain uses MAP-T +int map_create_domain (ip4_address_t * ip4_prefix, u8 ip4_prefix_len, + ip6_address_t * ip6_prefix, u8 ip6_prefix_len, + ip6_address_t * ip6_src, u8 ip6_src_len, + u8 ea_bits_len, u8 psid_offset, u8 psid_length, + u32 * map_domain_index, u16 mtu, u8 flags); +int map_delete_domain (u32 map_domain_index); +int map_add_del_psid (u32 map_domain_index, u16 psid, ip6_address_t * tep, + u8 is_add); +u8 *format_map_trace (u8 * s, va_list * args); +i32 ip4_get_port (ip4_header_t * ip, map_dir_e dir, u16 buffer_len); +i32 ip6_get_port (ip6_header_t * ip6, map_dir_e dir, u16 buffer_len); +u16 ip4_map_get_port (ip4_header_t * ip, map_dir_e dir); + +typedef enum __attribute__ ((__packed__)) +{ + MAP_DOMAIN_PREFIX = 1 << 0, MAP_DOMAIN_TRANSLATION = 1 << 1, // The domain uses MAP-T } map_domain_flags_e; /** 
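Review bot: In `map_domain_flags_e` the reformat has put `MAP_DOMAIN_PREFIX = 1 << 0,` and `MAP_DOMAIN_TRANSLATION = 1 << 1,` on one line, so the trailing `// The domain uses MAP-T` comment now reads as if it described both flags. I would keep one enumerator per line and use a block comment that the indent tool leaves alone, e.g. `MAP_DOMAIN_TRANSLATION = 1 << 1,	/* The domain uses MAP-T */`. `MAP_DOMAIN_PREFIX` has no comment at all; a short one saying what the flag selects would help, since these values are passed in as the `flags` argument of `map_create_domain`.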
@@ -55,16 +57,16 @@ typedef enum __attribute__ ((__packed__)) { * In case no structure can be allocated, the fragment is dropped. */ -#define MAP_IP4_REASS_LIFETIME_DEFAULT (100) /* ms */ +#define MAP_IP4_REASS_LIFETIME_DEFAULT (100) /* ms */ #define MAP_IP4_REASS_HT_RATIO_DEFAULT (1.0) -#define MAP_IP4_REASS_POOL_SIZE_DEFAULT 1024 // Number of reassembly structures +#define MAP_IP4_REASS_POOL_SIZE_DEFAULT 1024 // Number of reassembly structures #define MAP_IP4_REASS_BUFFERS_DEFAULT 2048 -#define MAP_IP4_REASS_MAX_FRAGMENTS_PER_REASSEMBLY 5 // Number of fragment per reassembly +#define MAP_IP4_REASS_MAX_FRAGMENTS_PER_REASSEMBLY 5 // Number of fragment per reassembly -#define MAP_IP6_REASS_LIFETIME_DEFAULT (100) /* ms */ +#define MAP_IP6_REASS_LIFETIME_DEFAULT (100) /* ms */ #define MAP_IP6_REASS_HT_RATIO_DEFAULT (1.0) -#define MAP_IP6_REASS_POOL_SIZE_DEFAULT 1024 // Number of reassembly structures +#define MAP_IP6_REASS_POOL_SIZE_DEFAULT 1024 // Number of reassembly structures #define MAP_IP6_REASS_BUFFERS_DEFAULT 2048 #define MAP_IP6_REASS_MAX_FRAGMENTS_PER_REASSEMBLY 5 @@ -78,7 +80,8 @@ typedef enum __attribute__ ((__packed__)) { * This structure _MUST_ be no larger than a single cache line (64 bytes). * If more space is needed make a union of ip6_prefix and *rules, those are mutually exclusive. */ -typedef struct { +typedef struct +{ ip6_address_t ip6_src; ip6_address_t ip6_prefix; ip6_address_t *rules; @@ -107,6 +110,7 @@ typedef struct { /* * Hash key, padded out to 16 bytes for fast compare */ +/* *INDENT-OFF* */ typedef union { CLIB_PACKED (struct { ip4_address_t src; @@ -117,8 +121,10 @@ typedef union { u64 as_u64[2]; u32 as_u32[4]; } map_ip4_reass_key_t; +/* *INDENT-ON* */ -typedef struct { +typedef struct +{ map_ip4_reass_key_t key; f64 ts; #ifdef MAP_IP4_REASS_COUNT_BYTES @@ -136,7 +142,8 @@ typedef struct { /* * MAP domain counters */ -typedef enum { +typedef enum +{ /* Simple counters */ MAP_DOMAIN_IPV4_FRAGMENT = 0, /* Combined counters */ 
@@ -148,6 +155,7 @@ typedef enum { /* * main_main_t */ +/* *INDENT-OFF* */ typedef union { CLIB_PACKED (struct { ip6_address_t src; @@ -158,6 +166,7 @@ typedef union { u64 as_u64[5]; u32 as_u32[10]; } map_ip6_reass_key_t; +/* *INDENT-OFF* */ typedef struct { u32 pi; //Cached packet or ~0 @@ -190,9 +199,6 @@ typedef struct { vlib_combined_counter_main_t *domain_counters; volatile u32 *counter_lock; - /* Global counters */ - vlib_simple_counter_main_t icmp_relayed; - #ifdef MAP_SKIP_IP6_LOOKUP /* pre-presolve */ u32 adj6_index, adj4_index; @@ -203,11 +209,14 @@ typedef struct { /* Traffic class: zero, copy (~0) or fixed value */ u8 tc; bool tc_copy; - bool sec_check; - bool sec_check_frag; + + bool sec_check; /* Inbound security check */ + bool sec_check_frag; /* Inbound security check for (subsequent) fragments */ + bool icmp6_enabled; /* Send destination unreachable for security check failure */ /* ICMPv6 -> ICMPv4 relay parameters */ - ip4_address_t icmp_src_address; + ip4_address_t icmp4_src_address; + vlib_simple_counter_main_t icmp_relayed; /* convenience */ vlib_main_t *vlib_main; @@ -216,13 +225,13 @@ typedef struct { /* * IPv4 encap and decap reassembly */ - //Conf + /* Configuration */ f32 ip4_reass_conf_ht_ratio; //Size of ht is 2^ceil(log2(ratio*pool_size)) u16 ip4_reass_conf_pool_size; //Max number of allocated reass structures u16 ip4_reass_conf_lifetime_ms; //Time a reassembly struct is considered valid in ms u32 ip4_reass_conf_buffers; //Maximum number of buffers used by ip4 reassembly - //Runtime + /* Runtime */ map_ip4_reass_t *ip4_reass_pool; u8 ip4_reass_ht_log2len; //Hash table size is 2^log2len u16 ip4_reass_allocated; 
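Review bot: The marker added after `} map_ip6_reass_key_t;` is `/* *INDENT-OFF* */`, but it closes the region opened by the `/* *INDENT-OFF* */` added just before the union, so it should be `/* *INDENT-ON* */` as was done for `map_ip4_reass_key_t` earlier in this patch. As written, formatting stays disabled for everything after this point, which would explain why the `typedef struct {` that follows keeps its old brace placement. That remainder includes the inline lookup helpers such as `ip6_map_get_domain`, so the style checker enabled by the new footer does not cover them.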
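Review bot: The new `icmp6_enabled` field makes the node answer packets that failed the security check, and those are the packets whose source address is not trusted, so the destination-unreachable goes to whatever address the sender put in the packet. Whether the sending path rate-limits is not visible in this header; I would record the expectation on the field, e.g. `bool icmp6_enabled;	/* Send ICMPv6 destination unreachable on security check failure; replies go to an unverified source and must be rate-limited */`. The comments on `sec_check` and `sec_check_frag` would also benefit from stating the default, which this hunk does not show. The rename of `icmp_src_address` to `icmp4_src_address` needs every user updated in the same commit; only the header is visible here.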
@@ -230,19 +239,22 @@ typedef struct { u16 ip4_reass_fifo_last; volatile u32 *ip4_reass_lock; - //Counters + /* Counters */ u32 ip4_reass_buffered_counter; + bool frag_inner; /* Inner or outer fragmentation */ + bool frag_ignore_df; /* Fragment (outer) packet even if DF is set */ + /* * IPv6 decap reassembly */ - //Conf + /* Configuration */ f32 ip6_reass_conf_ht_ratio; //Size of ht is 2^ceil(log2(ratio*pool_size)) u16 ip6_reass_conf_pool_size; //Max number of allocated reass structures u16 ip6_reass_conf_lifetime_ms; //Time a reassembly struct is considered valid in ms u32 ip6_reass_conf_buffers; //Maximum number of buffers used by ip6 reassembly - //Runtime + /* Runtime */ map_ip6_reass_t *ip6_reass_pool; u8 ip6_reass_ht_log2len; //Hash table size is 2^log2len u16 ip6_reass_allocated; @@ -250,31 +262,32 @@ typedef struct { u16 ip6_reass_fifo_last; volatile u32 *ip6_reass_lock; - //Counters + /* Counters */ u32 ip6_reass_buffered_counter; } map_main_t; /* - * TODO: Remove SEC_CHECK / TRANSLATED_4TO6 / TRANSLATED_6TO4 + * MAP Error counters/messages */ #define foreach_map_error \ /* Must be first. */ \ _(NONE, "valid MAP packets") \ _(BAD_PROTOCOL, "bad protocol") \ - _(WRONG_ICMP_TYPE, "wrong icmp type") \ _(SEC_CHECK, "security check failed") \ _(ENCAP_SEC_CHECK, "encap security check failed") \ _(DECAP_SEC_CHECK, "decap security check failed") \ _(ICMP, "unable to translate ICMP") \ _(ICMP_RELAY, "unable to relay ICMP") \ _(UNKNOWN, "unknown") \ + _(NO_BINDING, "no binding") \ _(NO_DOMAIN, "no domain") \ _(FRAGMENTED, "packet is a fragment") \ _(FRAGMENT_MEMORY, "could not cache fragment") \ _(FRAGMENT_MALFORMED, "fragment has unexpected format")\ _(FRAGMENT_DROPPED, "dropped cached fragment") \ - _(MALFORMED, "malformed packet") + _(MALFORMED, "malformed packet") \ + _(DF_SET, "can't fragment, DF set") typedef enum { #define _(sym,str) MAP_ERROR_##sym, 
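Review bot: The header comment over `foreach_map_error` drops the TODO about removing `SEC_CHECK`, yet `SEC_CHECK`, `ENCAP_SEC_CHECK` and `DECAP_SEC_CHECK` all remain in the list with near-identical strings. For anyone reading the counters to spot spoofed traffic it is unclear which node increments which one; I would either keep the TODO or add a line such as `/* SEC_CHECK: MAP-T nodes; ENCAP_/DECAP_SEC_CHECK: MAP-E encap/decap */`, corrected to whatever the nodes actually do. Also note that removing `WRONG_ICMP_TYPE` and inserting `NO_BINDING` in the middle shifts the numeric value of every later `MAP_ERROR_*` enumerator. That is harmless if all users go through the symbols, but anything that stored or exported the raw indices would need checking.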
@@ -292,18 +305,18 @@ typedef struct { map_main_t map_main; -vlib_node_registration_t ip4_map_node; -vlib_node_registration_t ip6_map_node; +extern vlib_node_registration_t ip4_map_node; +extern vlib_node_registration_t ip6_map_node; -vlib_node_registration_t ip4_map_t_node; -vlib_node_registration_t ip4_map_t_fragmented_node; -vlib_node_registration_t ip4_map_t_tcp_udp_node; -vlib_node_registration_t ip4_map_t_icmp_node; +extern vlib_node_registration_t ip4_map_t_node; +extern vlib_node_registration_t ip4_map_t_fragmented_node; +extern vlib_node_registration_t ip4_map_t_tcp_udp_node; +extern vlib_node_registration_t ip4_map_t_icmp_node; -vlib_node_registration_t ip6_map_t_node; -vlib_node_registration_t ip6_map_t_fragmented_node; -vlib_node_registration_t ip6_map_t_tcp_udp_node; -vlib_node_registration_t ip6_map_t_icmp_node; +extern vlib_node_registration_t ip6_map_t_node; +extern vlib_node_registration_t ip6_map_t_fragmented_node; +extern vlib_node_registration_t ip6_map_t_tcp_udp_node; +extern vlib_node_registration_t ip6_map_t_icmp_node; /* * map_get_pfx @@ -392,6 +405,12 @@ ip6_map_get_domain (u32 adj_index, ip4_address_t *addr, map_main_t *mm = &map_main; ip4_main_t *im4 = &ip4_main; ip_lookup_main_t *lm4 = &ip4_main.lookup_main; + + /* + * Disable direct MAP domain lookup on decap, until the security check is updated to verify IPv4 SA. + * (That's done implicitly when MAP domain is looked up in the IPv4 FIB) + */ +#ifdef MAP_NONSHARED_DOMAIN_ENABLED ip_lookup_main_t *lm6 = &ip6_main.lookup_main; ip_adjacency_t *adj = ip_get_adjacency(lm6, adj_index); ASSERT(adj); @@ -400,6 +419,7 @@ ip6_map_get_domain (u32 adj_index, ip4_address_t *addr, *map_domain_index = p[0]; if (p[0] != ~0) return pool_elt_at_index(mm->domains, p[0]); +#endif u32 ai = ip4_fib_lookup_with_table(im4, 0, addr, 0); ip_adjacency_t *adj4 = ip_get_adjacency (lm4, ai); 
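Review bot: `map_main_t map_main;` on the context line is still a definition in the header, while the node registrations below it in the same hunk were correctly changed to `extern`. Every translation unit that includes map.h then carries its own tentative definition, which only links when the toolchain merges common symbols and fails with multiple-definition errors under `-fno-common`. I would change it to `extern map_main_t map_main;` and keep the single definition in one .c file; whether map.c already defines it is not visible in this diff.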
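Review bot: The guard in `ip6_map_get_domain` keeps a lookup path that is known to skip IPv4 source-address verification, and the only thing holding it off is that nobody defines `MAP_NONSHARED_DOMAIN_ENABLED`, a macro not defined or documented anywhere in this diff. I would state that at the guard, e.g. `/* Do NOT define MAP_NONSHARED_DOMAIN_ENABLED until the decap security check verifies the IPv4 SA */`, or delete the block until the check exists. The guard opens in this hunk and its `#endif` is in the next one (`@@ -400,6 +419,7 @@`). With the macro undefined, `adj_index` appears unused and `*map_domain_index` is no longer written by the removed path. The rest of the function lies outside these hunks, so please confirm the FIB-lookup path sets it on every return and that `ip4_fib_lookup_with_table(im4, 0, addr, 0)` using table 0 is correct for all deployments.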
@@ -554,3 +574,11 @@ map_send_all_to_node(vlib_main_t *vm, u32 *pi_vector, vlib_put_next_frame(vm, node, next_index, n_left_to_next); } } + +/* + * fd.io coding-style-patch-verification: ON + * + * Local Variables: + * eval: (c-set-style "gnu") + * End: + */