/*
 * Copyright (c) 2016 Cisco and/or its affiliates.
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at:
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
17 /* ICMPv4 invert type for stateful ACL */
18 static const u8 icmp4_invmap[] = {
19 [ICMP4_echo_reply] = ICMP4_echo_request + 1,
20 [ICMP4_timestamp_reply] = ICMP4_timestamp_request + 1,
21 [ICMP4_information_reply] = ICMP4_information_request + 1,
22 [ICMP4_address_mask_reply] = ICMP4_address_mask_request + 1
25 /* Supported ICMPv4 messages for session creation */
26 static const u8 icmp4_valid_new[] = {
27 [ICMP4_echo_request] = 1,
28 [ICMP4_timestamp_request] = 1,
29 [ICMP4_information_request] = 1,
30 [ICMP4_address_mask_request] = 1
33 /* ICMPv6 invert type for stateful ACL */
34 static const u8 icmp6_invmap[] = {
35 [ICMP6_echo_reply - 128] = ICMP6_echo_request + 1,
36 [ICMP6_node_information_response - 128] = ICMP6_node_information_request + 1
39 /* Supported ICMPv6 messages for session creation */
40 static const u8 icmp6_valid_new[] = {
41 [ICMP6_echo_request - 128] = 1,
42 [ICMP6_node_information_request - 128] = 1
45 /* IP4 and IP6 protocol numbers of ICMP */
46 static u8 icmp_protos[] = { IP_PROTOCOL_ICMP, IP_PROTOCOL_ICMP6 };
51 acl_fa_ifc_has_sessions (acl_main_t * am, int sw_if_index0)
53 return am->fa_sessions_hash_is_initialized;
57 acl_fa_ifc_has_in_acl (acl_main_t * am, int sw_if_index0)
59 int it_has = clib_bitmap_get (am->fa_in_acl_on_sw_if_index, sw_if_index0);
64 acl_fa_ifc_has_out_acl (acl_main_t * am, int sw_if_index0)
66 int it_has = clib_bitmap_get (am->fa_out_acl_on_sw_if_index, sw_if_index0);
71 fa_session_get_timeout_type (acl_main_t * am, fa_session_t * sess)
73 /* seen both SYNs and ACKs but not FINs means we are in establshed state */
75 sess->tcp_flags_seen.as_u16 & ((TCP_FLAGS_RSTFINACKSYN << 8) +
76 TCP_FLAGS_RSTFINACKSYN);
77 switch (sess->info.l4.proto)
80 if (((TCP_FLAGS_ACKSYN << 8) + TCP_FLAGS_ACKSYN) == masked_flags)
82 return ACL_TIMEOUT_TCP_IDLE;
86 return ACL_TIMEOUT_TCP_TRANSIENT;
90 return ACL_TIMEOUT_UDP_IDLE;
93 return ACL_TIMEOUT_UDP_IDLE;
98 * Get the idle timeout of a session.
102 fa_session_get_timeout (acl_main_t * am, fa_session_t * sess)
104 u64 timeout = (am->vlib_main->clib_time.clocks_per_second);
105 if (sess->link_list_id == ACL_TIMEOUT_PURGATORY)
107 timeout /= (1000000 / SESSION_PURGATORY_TIMEOUT_USEC);
111 int timeout_type = fa_session_get_timeout_type (am, sess);
112 timeout *= am->session_timeout_sec[timeout_type];
119 always_inline fa_session_t *
120 get_session_ptr (acl_main_t * am, u16 thread_index, u32 session_index)
122 acl_fa_per_worker_data_t *pw = &am->per_worker_data[thread_index];
123 if (session_index > vec_len (pw->fa_sessions_pool))
128 fa_session_t *sess = (session_index > vec_len (pw->fa_sessions_pool)) ? 0 :
129 pool_elt_at_index (pw->fa_sessions_pool,
135 is_valid_session_ptr (acl_main_t * am, u16 thread_index, fa_session_t * sess)
137 acl_fa_per_worker_data_t *pw = &am->per_worker_data[thread_index];
139 && ((sess - pw->fa_sessions_pool) <
140 pool_len (pw->fa_sessions_pool)));
144 acl_fa_conn_list_add_session (acl_main_t * am, fa_full_session_id_t sess_id,
148 get_session_ptr (am, sess_id.thread_index, sess_id.session_index);
150 sess->deleted ? ACL_TIMEOUT_PURGATORY : fa_session_get_timeout_type (am,
152 uword thread_index = os_get_thread_index ();
153 acl_fa_per_worker_data_t *pw = &am->per_worker_data[thread_index];
154 /* the retrieved session thread index must be necessarily the same as the one in the key */
155 ASSERT (sess->thread_index == sess_id.thread_index);
156 /* the retrieved session thread index must be the same as current thread */
157 ASSERT (sess->thread_index == thread_index);
158 sess->link_enqueue_time = now;
159 sess->link_list_id = list_id;
160 sess->link_next_idx = FA_SESSION_BOGUS_INDEX;
161 sess->link_prev_idx = pw->fa_conn_list_tail[list_id];
162 if (FA_SESSION_BOGUS_INDEX != pw->fa_conn_list_tail[list_id])
164 fa_session_t *prev_sess =
165 get_session_ptr (am, thread_index, pw->fa_conn_list_tail[list_id]);
166 prev_sess->link_next_idx = sess_id.session_index;
167 /* We should never try to link with a session on another thread */
168 ASSERT (prev_sess->thread_index == sess->thread_index);
170 pw->fa_conn_list_tail[list_id] = sess_id.session_index;
172 #ifdef FA_NODE_VERBOSE_DEBUG
174 ("FA-SESSION-DEBUG: add session id %d on thread %d sw_if_index %d",
175 sess_id.session_index, thread_index, sess->sw_if_index);
177 pw->serviced_sw_if_index_bitmap =
178 clib_bitmap_set (pw->serviced_sw_if_index_bitmap, sess->sw_if_index, 1);
180 if (FA_SESSION_BOGUS_INDEX == pw->fa_conn_list_head[list_id])
182 pw->fa_conn_list_head[list_id] = sess_id.session_index;
183 /* set the head expiry time because it is the first element */
184 pw->fa_conn_list_head_expiry_time[list_id] =
185 now + fa_session_get_timeout (am, sess);
190 acl_fa_conn_list_delete_session (acl_main_t * am,
191 fa_full_session_id_t sess_id, u64 now)
193 uword thread_index = os_get_thread_index ();
194 acl_fa_per_worker_data_t *pw = &am->per_worker_data[thread_index];
195 if (thread_index != sess_id.thread_index)
197 /* If another thread attempts to delete the session, fail it. */
198 #ifdef FA_NODE_VERBOSE_DEBUG
199 clib_warning ("thread id in key %d != curr thread index, not deleting");
204 get_session_ptr (am, sess_id.thread_index, sess_id.session_index);
205 u64 next_expiry_time = ~0ULL;
206 /* we should never try to delete the session with another thread index */
207 if (sess->thread_index != os_get_thread_index ())
210 ("Attempting to delete session belonging to thread %d by thread %d",
211 sess->thread_index, thread_index);
213 if (FA_SESSION_BOGUS_INDEX != sess->link_prev_idx)
215 fa_session_t *prev_sess =
216 get_session_ptr (am, thread_index, sess->link_prev_idx);
217 /* the previous session must be in the same list as this one */
218 ASSERT (prev_sess->link_list_id == sess->link_list_id);
219 prev_sess->link_next_idx = sess->link_next_idx;
221 if (FA_SESSION_BOGUS_INDEX != sess->link_next_idx)
223 fa_session_t *next_sess =
224 get_session_ptr (am, thread_index, sess->link_next_idx);
225 /* The next session must be in the same list as the one we are deleting */
226 ASSERT (next_sess->link_list_id == sess->link_list_id);
227 next_sess->link_prev_idx = sess->link_prev_idx;
228 next_expiry_time = now + fa_session_get_timeout (am, next_sess);
230 if (pw->fa_conn_list_head[sess->link_list_id] == sess_id.session_index)
232 pw->fa_conn_list_head[sess->link_list_id] = sess->link_next_idx;
233 pw->fa_conn_list_head_expiry_time[sess->link_list_id] =
236 if (pw->fa_conn_list_tail[sess->link_list_id] == sess_id.session_index)
238 pw->fa_conn_list_tail[sess->link_list_id] = sess->link_prev_idx;
244 acl_fa_restart_timer_for_session (acl_main_t * am, u64 now,
245 fa_full_session_id_t sess_id)
247 if (acl_fa_conn_list_delete_session (am, sess_id, now))
249 acl_fa_conn_list_add_session (am, sess_id, now);
255 * Our thread does not own this connection, so we can not delete
256 * The session. To avoid the complicated signaling, we simply
257 * pick the list waiting time to be the shortest of the timeouts.
258 * This way we do not have to do anything special, and let
259 * the regular requeue check take care of everything.
267 acl_fa_track_session (acl_main_t * am, int is_input, u32 sw_if_index, u64 now,
268 fa_session_t * sess, fa_5tuple_t * pkt_5tuple)
270 sess->last_active_time = now;
271 if (pkt_5tuple->pkt.tcp_flags_valid)
273 sess->tcp_flags_seen.as_u8[is_input] |= pkt_5tuple->pkt.tcp_flags;
279 reverse_l4_u64_fastpath (u64 l4, int is_ip6)
281 fa_session_l4_key_t l4i = {.as_u64 = l4 };
282 fa_session_l4_key_t l4o;
284 l4o.port[1] = l4i.port[0];
285 l4o.port[0] = l4i.port[1];
287 l4o.non_port_l4_data = l4i.non_port_l4_data;
288 l4o.is_input = 1 - l4i.is_input;
293 reverse_l4_u64_slowpath (u64 l4, int is_ip6)
295 fa_session_l4_key_t l4i = {.as_u64 = l4 };
296 fa_session_l4_key_t l4o;
298 if (l4i.proto == icmp_protos[is_ip6])
300 static const u8 *icmp_invmap[] = { icmp4_invmap, icmp6_invmap };
301 static const u8 *icmp_valid_new[] =
302 { icmp4_valid_new, icmp6_valid_new };
303 static const u8 icmp_invmap_size[] = { sizeof (icmp4_invmap),
304 sizeof (icmp6_invmap)
306 static const u8 icmp_valid_new_size[] = { sizeof (icmp4_valid_new),
307 sizeof (icmp6_valid_new)
309 int type = is_ip6 ? l4i.port[0] - 128 : l4i.port[0];
311 l4o.non_port_l4_data = l4i.non_port_l4_data;
312 l4o.port[0] = l4i.port[0];
313 l4o.port[1] = l4i.port[1];
317 * ONLY ICMP messages defined in icmp4_valid_new/icmp6_valid_new table
318 * are allowed to create stateful ACL.
319 * The other messages will be forwarded without creating a reverse session.
322 if (type >= 0 && (type <= icmp_valid_new_size[is_ip6])
323 && (icmp_valid_new[is_ip6][type])
324 && (type <= icmp_invmap_size[is_ip6]) && icmp_invmap[is_ip6][type])
327 * we set the inverse direction and correct the port,
328 * if it is okay to add the reverse session.
329 * If not, then the same session will be added twice
330 * to bihash, which is the same as adding just one session.
332 l4o.is_input = 1 - l4i.is_input;
333 l4o.port[0] = icmp_invmap[is_ip6][type] - 1;
339 return reverse_l4_u64_fastpath (l4, is_ip6);
343 reverse_l4_u64 (u64 l4, int is_ip6)
345 fa_session_l4_key_t l4i = {.as_u64 = l4 };
347 if (PREDICT_FALSE (l4i.is_slowpath))
349 return reverse_l4_u64_slowpath (l4, is_ip6);
353 return reverse_l4_u64_fastpath (l4, is_ip6);
358 reverse_session_add_del (acl_main_t * am, const int is_ip6,
359 clib_bihash_kv_40_8_t * pkv, int is_add)
361 clib_bihash_kv_40_8_t kv2;
362 /* the first 4xu64 is two addresses, so just swap them */
363 kv2.key[0] = pkv->key[2];
364 kv2.key[1] = pkv->key[3];
365 kv2.key[2] = pkv->key[0];
366 kv2.key[3] = pkv->key[1];
367 /* the last u64 needs special treatment (ports, etc.) */
368 kv2.key[4] = reverse_l4_u64 (pkv->key[4], is_ip6);
369 kv2.value = pkv->value;
370 clib_bihash_add_del_40_8 (&am->fa_sessions_hash, &kv2, is_add);
374 acl_fa_deactivate_session (acl_main_t * am, u32 sw_if_index,
375 fa_full_session_id_t sess_id)
378 get_session_ptr (am, sess_id.thread_index, sess_id.session_index);
379 ASSERT (sess->thread_index == os_get_thread_index ());
380 clib_bihash_add_del_40_8 (&am->fa_sessions_hash, &sess->info.kv, 0);
382 reverse_session_add_del (am, sess->info.pkt.is_ip6, &sess->info.kv, 0);
384 clib_smp_atomic_add (&am->fa_session_total_deactivations, 1);
388 acl_fa_put_session (acl_main_t * am, u32 sw_if_index,
389 fa_full_session_id_t sess_id)
391 if (sess_id.thread_index != os_get_thread_index ())
394 ("Attempting to delete session belonging to thread %d by thread %d",
395 sess_id.thread_index, os_get_thread_index ());
397 void *oldheap = clib_mem_set_heap (am->acl_mheap);
398 acl_fa_per_worker_data_t *pw = &am->per_worker_data[sess_id.thread_index];
399 pool_put_index (pw->fa_sessions_pool, sess_id.session_index);
400 /* Deleting from timer structures not needed,
401 as the caller must have dealt with the timers. */
402 vec_validate (pw->fa_session_dels_by_sw_if_index, sw_if_index);
403 clib_mem_set_heap (oldheap);
404 clib_smp_atomic_add (&pw->fa_session_dels_by_sw_if_index[sw_if_index], 1);
405 clib_smp_atomic_add (&am->fa_session_total_dels, 1);
409 acl_fa_two_stage_delete_session (acl_main_t * am, u32 sw_if_index,
410 fa_full_session_id_t sess_id, u64 now)
413 get_session_ptr (am, sess_id.thread_index, sess_id.session_index);
416 acl_fa_put_session (am, sw_if_index, sess_id);
421 acl_fa_deactivate_session (am, sw_if_index, sess_id);
422 acl_fa_conn_list_add_session (am, sess_id, now);
428 acl_fa_can_add_session (acl_main_t * am, int is_input, u32 sw_if_index)
431 curr_sess_count = am->fa_session_total_adds - am->fa_session_total_dels;
432 return (curr_sess_count + vec_len (vlib_mains) <
433 am->fa_conn_table_max_entries);
438 acl_fa_try_recycle_session (acl_main_t * am, int is_input, u16 thread_index,
439 u32 sw_if_index, u64 now)
441 /* try to recycle a TCP transient session */
442 acl_fa_per_worker_data_t *pw = &am->per_worker_data[thread_index];
443 fa_full_session_id_t volatile sess_id;
446 /* clean up sessions from purgatory, if we can */
447 sess_id.session_index = pw->fa_conn_list_head[ACL_TIMEOUT_PURGATORY];
448 while ((FA_SESSION_BOGUS_INDEX != sess_id.session_index)
449 && n_recycled < am->fa_max_deleted_sessions_per_interval)
451 sess_id.thread_index = thread_index;
453 get_session_ptr (am, sess_id.thread_index, sess_id.session_index);
454 if (sess->link_enqueue_time + fa_session_get_timeout (am, sess) < now)
456 acl_fa_conn_list_delete_session (am, sess_id, now);
457 /* interface that needs the sessions may not be the interface of the session. */
458 acl_fa_put_session (am, sess->sw_if_index, sess_id);
462 break; /* too early to try to recycle from here, bail out */
463 sess_id.session_index = pw->fa_conn_list_head[ACL_TIMEOUT_PURGATORY];
465 sess_id.session_index = pw->fa_conn_list_head[ACL_TIMEOUT_TCP_TRANSIENT];
466 if (FA_SESSION_BOGUS_INDEX != sess_id.session_index)
468 sess_id.thread_index = thread_index;
469 acl_fa_conn_list_delete_session (am, sess_id, now);
470 acl_fa_deactivate_session (am, sw_if_index, sess_id);
471 /* this goes to purgatory list */
472 acl_fa_conn_list_add_session (am, sess_id, now);
477 always_inline fa_session_t *
478 acl_fa_add_session (acl_main_t * am, int is_input, int is_ip6,
479 u32 sw_if_index, u64 now, fa_5tuple_t * p5tuple,
480 u16 current_policy_epoch)
482 clib_bihash_kv_40_8_t *pkv = &p5tuple->kv;
483 clib_bihash_kv_40_8_t kv;
484 fa_full_session_id_t f_sess_id;
485 uword thread_index = os_get_thread_index ();
486 void *oldheap = clib_mem_set_heap (am->acl_mheap);
487 acl_fa_per_worker_data_t *pw = &am->per_worker_data[thread_index];
489 f_sess_id.thread_index = thread_index;
492 pool_get_aligned (pw->fa_sessions_pool, sess, CLIB_CACHE_LINE_BYTES);
493 f_sess_id.session_index = sess - pw->fa_sessions_pool;
494 f_sess_id.intf_policy_epoch = current_policy_epoch;
496 kv.key[0] = pkv->key[0];
497 kv.key[1] = pkv->key[1];
498 kv.key[2] = pkv->key[2];
499 kv.key[3] = pkv->key[3];
500 kv.key[4] = pkv->key[4];
501 kv.value = f_sess_id.as_u64;
504 clib_error ("Adding session with invalid value");
507 memcpy (sess, pkv, sizeof (pkv->key));
508 sess->last_active_time = now;
509 sess->sw_if_index = sw_if_index;
510 sess->tcp_flags_seen.as_u16 = 0;
511 sess->thread_index = thread_index;
512 sess->link_list_id = ACL_TIMEOUT_UNUSED;
513 sess->link_prev_idx = FA_SESSION_BOGUS_INDEX;
514 sess->link_next_idx = FA_SESSION_BOGUS_INDEX;
517 acl_fa_conn_list_add_session (am, f_sess_id, now);
519 ASSERT (am->fa_sessions_hash_is_initialized == 1);
521 reverse_session_add_del (am, is_ip6, &kv, 1);
522 clib_bihash_add_del_40_8 (&am->fa_sessions_hash, &kv, 1);
524 vec_validate (pw->fa_session_adds_by_sw_if_index, sw_if_index);
525 clib_mem_set_heap (oldheap);
526 clib_smp_atomic_add (&pw->fa_session_adds_by_sw_if_index[sw_if_index], 1);
527 clib_smp_atomic_add (&am->fa_session_total_adds, 1);
532 acl_fa_find_session (acl_main_t * am, u32 sw_if_index0, fa_5tuple_t * p5tuple,
533 clib_bihash_kv_40_8_t * pvalue_sess)
535 return (clib_bihash_search_inline_2_40_8
536 (&am->fa_sessions_hash, &p5tuple->kv, pvalue_sess) == 0);
/*
 * fd.io coding-style-patch-verification: ON
 *
 * Local Variables:
 * eval: (c-set-style "gnu")
 * End:
 */