2 * gbp.h : Group Based Policy
4 * Copyright (c) 2018 Cisco and/or its affiliates.
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
9 * http://www.apache.org/licenses/LICENSE-2.0
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
18 #include <plugins/gbp/gbp.h>
19 #include <plugins/gbp/gbp_bridge_domain.h>
20 #include <plugins/gbp/gbp_route_domain.h>
21 #include <plugins/gbp/gbp_policy_dpo.h>
23 #include <vnet/dpo/load_balance.h>
24 #include <vnet/dpo/drop_dpo.h>
27 * Single contract DB instance
/* Hash of {src-epg,dst-epg} key (key.as_u32) -> index into gbp_contract_pool;
 * written by gbp_contract_update, read/cleared by gbp_contract_delete. */
29 gbp_contract_db_t gbp_contract_db;
/* Pool of contracts; the indices stored in gc_hash refer to this pool. */
31 gbp_contract_t *gbp_contract_pool;
/* Log class used by GBP_CONTRACT_DBG; registered in gbp_contract_init. */
33 vlib_log_class_t gc_logger;
/* FIB graph-node type for redirect next-hops; registered in gbp_contract_init
 * and used by fib_node_init / gbp_endpoint_child_add below. */
35 fib_node_type_t gbp_next_hop_fib_type;
/* Pools of rules and of redirect next-hops.
 * NOTE(review): no pool_put() for either pool is visible in this fragment -
 * confirm entries are returned somewhere, otherwise every contract update
 * that replaces rules leaks them (see gbp_contract_rules_free). */
37 gbp_rule_t *gbp_rule_pool;
38 gbp_next_hop_t *gbp_next_hop_pool;
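/*
 * Contract-layer debug logging.
 *
 * Expands to a single expression WITHOUT a trailing ';' so that every call
 * site supplies its own terminator; the previous definition carried the ';'
 * inside the macro, which silently breaks `if (x) GBP_CONTRACT_DBG (...);
 * else ...` and produces a stray empty statement everywhere else.  All
 * existing call sites in this file already end with ");".
 */
#define GBP_CONTRACT_DBG(...) \
  vlib_log_notice (gc_logger, __VA_ARGS__)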
/*
 * Allocate a rule in gbp_rule_pool and return its pool index.
 *
 * @param action    PERMIT/DENY/REDIRECT etc. (gbp_rule_action_t)
 * @param hash_mode load-balance hash selection used for REDIRECT rules
 *                  (consumed by gbp_contract_mk_lb_hp)
 * @param nhs       vector of next-hop pool indices.
 *                  NOTE(review): the assignment of @nhs into the rule is not
 *                  visible in this fragment; ownership of the vector is
 *                  presumably taken by the rule - confirm against callers.
 * @return index of the new rule (valid for gbp_rule_get)
 */
44 gbp_rule_alloc (gbp_rule_action_t action,
45 gbp_hash_mode_t hash_mode, index_t * nhs)
/* pool_get_zero: every field not set below starts as 0/NULL, so gu_dpo[][]
 * entries are DPO_INVALID until gbp_contract_mk_lb fills them. */
49 pool_get_zero (gbp_rule_pool, gu);
51 gu->gu_hash_mode = hash_mode;
53 gu->gu_action = action;
/* pool index, not a pointer: the pool may be reallocated later. */
55 return (gu - gbp_rule_pool);
/*
 * Allocate a redirect next-hop in gbp_next_hop_pool and return its index.
 *
 * @param ip   IP address of the next-hop endpoint (copied)
 * @param grd  route-domain index (presumably stored as gnh_rd; the store is
 *             not visible in this fragment)
 * @param mac  MAC of the next-hop endpoint (copied; later becomes the
 *             destination MAC of the rewrite built in gbp_contract_mk_adj)
 * @param gbd  bridge-domain index (presumably stored as gnh_bd)
 * @return pool index of the new next-hop
 */
59 gbp_next_hop_alloc (const ip46_address_t * ip,
60 index_t grd, const mac_address_t * mac, index_t gbd)
62 fib_protocol_t fproto;
65 pool_get_zero (gbp_next_hop_pool, gnh);
/* The next-hop is a FIB graph node so it can be a child of the endpoint and
 * receive back-walks (gbp_next_hop_back_walk_notify). */
67 fib_node_init (&gnh->gnh_node, gbp_next_hop_fib_type);
69 ip46_address_copy (&gnh->gnh_ip, ip);
70 mac_address_copy (&gnh->gnh_mac, mac);
/* No adjacency yet for either address family; gbp_contract_mk_adj
 * creates them and gbp_contract_rules_free unlocks them. */
75 FOR_EACH_FIB_IP_PROTOCOL (fproto) gnh->gnh_ai[fproto] = INDEX_INVALID;
77 return (gnh - gbp_next_hop_pool);
/*
 * Resolve a next-hop pool index to its element.
 * pool_elt_at_index only validates the index with ASSERT (debug builds);
 * callers must pass indices of live next-hops.
 */
80 static inline gbp_next_hop_t *
81 gbp_next_hop_get (index_t gui)
83 return (pool_elt_at_index (gbp_next_hop_pool, gui));
/*
 * Tear down the forwarding state owned by a vector of rules.
 *
 * For each rule: reset the per-policy-node/per-AF load-balance DPOs, then
 * for each redirect next-hop drop the bridge/route-domain locks, detach
 * from and unlock the endpoint it was resolved against, and unlock its
 * adjacencies.
 *
 * @param rules vector of rule indices (the contract's gc_rules)
 *
 * NOTE(review): neither the rule nor the next-hop pool entries are returned
 * to their pools in the visible lines, and gnh_ai[] is not reset to
 * INDEX_INVALID after adj_unlock.  If the remainder of the function does
 * not do this, every gbp_contract_update that replaces rules leaks pool
 * entries - a slow control-plane resource exhaustion.  Confirm.
 */
87 gbp_contract_rules_free (index_t * rules)
91 vec_foreach (gui, rules)
93 gbp_policy_node_t pnode;
94 fib_protocol_t fproto;
98 gu = gbp_rule_get (*gui);
100 FOR_EACH_GBP_POLICY_NODE (pnode)
102 FOR_EACH_FIB_IP_PROTOCOL (fproto)
/* The second dpo_reset on the same id is redundant (reset of an invalid
 * DPO is a no-op) but harmless; it should be removed. */
104 dpo_reset (&gu->gu_dpo[pnode][fproto]);
105 dpo_reset (&gu->gu_dpo[pnode][fproto]);
109 vec_foreach (gnhi, gu->gu_nhs)
111 fib_protocol_t fproto;
113 gnh = gbp_next_hop_get (*gnhi);
/* Undo what gbp_contract_next_hop_resolve set up: domain locks, the
 * child link on the endpoint (gnh_sibling) and the RR-sourced EP lock. */
114 gbp_bridge_domain_unlock (gnh->gnh_bd);
115 gbp_route_domain_unlock (gnh->gnh_rd);
116 gbp_endpoint_child_remove (gnh->gnh_ge, gnh->gnh_sibling);
117 gbp_endpoint_unlock (GBP_ENDPOINT_SRC_RR, gnh->gnh_ge);
/* gnh_ai[] may still be INDEX_INVALID if mk_adj never ran for this AF;
 * presumably adj_unlock tolerates that - TODO confirm. */
119 FOR_EACH_FIB_IP_PROTOCOL (fproto)
121 adj_unlock (gnh->gnh_ai[fproto]);
/*
 * format() helper: "<mac>, <bridge-domain>, <ip> EP:<endpoint index>".
 * Takes a next-hop pool index from the va_list.
 */
129 format_gbp_next_hop (u8 * s, va_list * args)
131 index_t gnhi = va_arg (*args, index_t);
134 gnh = gbp_next_hop_get (gnhi);
136 s = format (s, "%U, %U, %U EP:%d",
137 format_mac_address_t, &gnh->gnh_mac,
138 format_gbp_bridge_domain, gnh->gnh_bd,
139 format_ip46_address, &gnh->gnh_ip, IP46_TYPE_ANY, gnh->gnh_ge);
/*
 * format() helper for gbp_rule_action_t; the case table is generated from
 * foreach_gbp_rule_action, anything else prints "unknown".
 */
145 format_gbp_rule_action (u8 * s, va_list * args)
147 gbp_rule_action_t action = va_arg (*args, gbp_rule_action_t);
151 #define _(v,a) case GBP_RULE_##v: return (format (s, "%s", a));
152 foreach_gbp_rule_action
156 return (format (s, "unknown"));
/*
 * format() helper for gbp_hash_mode_t; cases generated from
 * foreach_gbp_hash_mode, anything else prints "unknown".
 */
160 format_gbp_hash_mode (u8 * s, va_list * args)
162 gbp_hash_mode_t hash_mode = va_arg (*args, gbp_hash_mode_t);
166 #define _(v,a) case GBP_HASH_MODE_##v: return (format (s, "%s", a));
167 foreach_gbp_hash_mode
171 return (format (s, "unknown"));
/*
 * format() helper for gbp_policy_node_t (L2 / IP4 / IP6 policy nodes);
 * cases generated from foreach_gbp_policy_node, anything else "unknown".
 * The local is named `action` but holds a policy-node id.
 */
175 format_gbp_policy_node (u8 * s, va_list * args)
177 gbp_policy_node_t action = va_arg (*args, gbp_policy_node_t);
181 #define _(v,a) case GBP_POLICY_NODE_##v: return (format (s, "%s", a));
182 foreach_gbp_policy_node
186 return (format (s, "unknown"));
/*
 * format() helper for a rule (by pool index).
 * Prints the action; for REDIRECT rules additionally the hash mode, every
 * next-hop, and for each policy node the load-balance DPO of each address
 * family that has been built (dpo_id_is_valid).
 */
190 format_gbp_rule (u8 * s, va_list * args)
192 index_t gui = va_arg (*args, index_t);
193 gbp_policy_node_t pnode;
194 fib_protocol_t fproto;
198 gu = gbp_rule_get (gui);
199 s = format (s, "%U", format_gbp_rule_action, gu->gu_action);
201 switch (gu->gu_action)
/* PERMIT has no extra state to print (the break is outside the visible
 * lines of this fragment). */
203 case GBP_RULE_PERMIT:
206 case GBP_RULE_REDIRECT:
207 s = format (s, ", %U", format_gbp_hash_mode, gu->gu_hash_mode);
211 vec_foreach (gnhi, gu->gu_nhs)
213 s = format (s, "\n [%U]", format_gbp_next_hop, *gnhi);
216 FOR_EACH_GBP_POLICY_NODE (pnode)
218 s = format (s, "\n policy-%U", format_gbp_policy_node, pnode);
220 FOR_EACH_FIB_IP_PROTOCOL (fproto)
/* Only print DPOs that gbp_contract_mk_lb has actually stacked. */
222 if (dpo_id_is_valid (&gu->gu_dpo[pnode][fproto]))
225 format (s, "\n %U", format_dpo_id,
226 &gu->gu_dpo[pnode][fproto], 8);
/*
 * Build (or re-lock) the neighbour adjacency for a redirect next-hop in
 * one address family, with a complete Ethernet rewrite.
 *
 * The rewrite is: ethertype from @fproto, source MAC = the route-domain's
 * local MAC, destination MAC = the MAC configured on the next-hop.  It is
 * installed on the interface the resolved endpoint forwards via
 * (ge->ge_fwd.gef_itf).
 *
 * @param gnh    next-hop (gnh_ge must already be resolved, see
 *               gbp_contract_next_hop_resolve)
 * @param fproto FIB_PROTOCOL_IP4 or FIB_PROTOCOL_IP6
 *
 * NOTE(review): old_ai is read but its release is outside the visible lines;
 * since adj_nbr_add_or_lock_w_rewrite takes a new lock each call, the old
 * adjacency must be unlocked afterwards or repeated calls (this is invoked
 * for both AFs on every gbp_contract_mk_lb) accumulate locks.  Also confirm
 * gef_itf is valid when the endpoint is not yet learned.
 */
235 gbp_contract_mk_adj (gbp_next_hop_t * gnh, fib_protocol_t fproto)
237 ethernet_header_t *eth;
242 old_ai = gnh->gnh_ai[fproto];
/* vec_validate sizes the rewrite to exactly one Ethernet header. */
244 vec_validate (rewrite, sizeof (*eth) - 1);
245 eth = (ethernet_header_t *) rewrite;
247 GBP_CONTRACT_DBG ("...mk-adj: %U", format_gbp_next_hop,
248 gnh - gbp_next_hop_pool);
250 ge = gbp_endpoint_get (gnh->gnh_ge);
252 eth->type = clib_host_to_net_u16 ((fproto == FIB_PROTOCOL_IP4 ?
253 ETHERNET_TYPE_IP4 : ETHERNET_TYPE_IP6));
254 mac_address_to_bytes (gbp_route_domain_get_local_mac (), eth->src_address);
255 mac_address_to_bytes (&gnh->gnh_mac, eth->dst_address);
/* adj_nbr_add_or_lock_w_rewrite takes ownership of the rewrite vector. */
257 gnh->gnh_ai[fproto] =
258 adj_nbr_add_or_lock_w_rewrite (fproto,
259 fib_proto_to_link (fproto),
260 &gnh->gnh_ip, ge->ge_fwd.gef_itf, rewrite);
/*
 * Map a rule's hash mode onto the flow-hash configuration handed to
 * load_balance_create.
 *
 * SYMMETRIC hashes src+dst+proto with IP_FLOW_HASH_SYMMETRIC so both
 * directions of a flow pick the same next-hop - required when the redirect
 * target is a stateful service.
 *
 * NOTE(review): no default: case is visible; the value returned for an
 * unrecognised mode comes from code outside this fragment - confirm it is a
 * safe (e.g. zero) configuration rather than an uninitialised value.
 */
265 static flow_hash_config_t
266 gbp_contract_mk_lb_hp (gbp_hash_mode_t gu_hash_mode)
268 switch (gu_hash_mode)
270 case GBP_HASH_MODE_SRC_IP:
271 return IP_FLOW_HASH_SRC_ADDR;
272 case GBP_HASH_MODE_DST_IP:
273 return IP_FLOW_HASH_DST_ADDR;
274 case GBP_HASH_MODE_SYMMETRIC:
275 return (IP_FLOW_HASH_SRC_ADDR | IP_FLOW_HASH_DST_ADDR |
276 IP_FLOW_HASH_PROTO | IP_FLOW_HASH_SYMMETRIC);
/*
 * Build or refresh the redirect load-balance for one rule and one address
 * family, for every policy node (L2, IP4, IP6).
 *
 * Only REDIRECT rules get a load-balance; for other actions this returns
 * early.  Each next-hop contributes one equal-weight adjacency path.  On
 * first use a load-balance DPO is created with the rule's hash config and
 * stacked from the policy node; afterwards the path set is updated in
 * place.
 *
 * @param gui    rule index
 * @param fproto address family whose gu_dpo[][fproto] is built
 *
 * NOTE(review): `vec_validate (paths, vec_len (gu->gu_nhs) - 1)` wraps when
 * gu_nhs is empty (vec_len is unsigned, so 0 - 1 is a huge index) and will
 * attempt an enormous allocation.  Either guard with `if (0 ==
 * vec_len (gu->gu_nhs)) return;` here, or confirm the API/CLI rejects a
 * REDIRECT rule with no next-hops.  Also: gbp_contract_mk_adj is called for
 * both AFs on every invocation, so a full mk_one_lb runs it twice per
 * next-hop per AF; and the release of `paths` is outside the visible lines.
 */
283 gbp_contract_mk_lb (index_t gui, fib_protocol_t fproto)
285 load_balance_path_t *paths = NULL;
286 gbp_policy_node_t pnode;
/* Policy node whose next-node the LB is stacked from, per policy node. */
292 u32 policy_nodes[] = {
293 [GBP_POLICY_NODE_L2] = gbp_policy_port_node.index,
294 [GBP_POLICY_NODE_IP4] = ip4_gbp_policy_dpo_node.index,
295 [GBP_POLICY_NODE_IP6] = ip6_gbp_policy_dpo_node.index,
298 GBP_CONTRACT_DBG ("..mk-lb: %U", format_gbp_rule, gui);
300 gu = gbp_rule_get (gui);
301 dproto = fib_proto_to_dpo (fproto);
/* Only redirect rules carry next-hops / a load-balance. */
303 if (GBP_RULE_REDIRECT != gu->gu_action)
306 vec_foreach_index (ii, gu->gu_nhs)
308 gnh = gbp_next_hop_get (gu->gu_nhs[ii]);
310 gbp_contract_mk_adj (gnh, FIB_PROTOCOL_IP4);
311 gbp_contract_mk_adj (gnh, FIB_PROTOCOL_IP6);
314 FOR_EACH_GBP_POLICY_NODE (pnode)
316 vec_validate (paths, vec_len (gu->gu_nhs) - 1);
318 vec_foreach_index (ii, gu->gu_nhs)
320 gnh = gbp_next_hop_get (gu->gu_nhs[ii]);
/* One ECMP path per next-hop, all weight 1, pointing at its adjacency. */
322 paths[ii].path_index = FIB_NODE_INDEX_INVALID;
323 paths[ii].path_weight = 1;
324 dpo_set (&paths[ii].path_dpo, DPO_ADJACENCY,
325 dproto, gnh->gnh_ai[fproto]);
/* First build: create the LB and stack it from the policy node. */
328 if (!dpo_id_is_valid (&gu->gu_dpo[pnode][fproto]))
330 dpo_id_t dpo = DPO_INVALID;
332 dpo_set (&dpo, DPO_LOAD_BALANCE, dproto,
333 load_balance_create (vec_len (paths),
335 gbp_contract_mk_lb_hp
336 (gu->gu_hash_mode)));
337 dpo_stack_from_node (policy_nodes[pnode], &gu->gu_dpo[pnode][fproto],
/* Subsequent builds (e.g. endpoint back-walk) just refresh the paths. */
342 load_balance_multipath_update (&gu->gu_dpo[pnode][fproto],
343 paths, LOAD_BALANCE_FLAG_NONE);
/* Build/refresh the load-balances of one rule for both address families. */
349 gbp_contract_mk_one_lb (index_t gui)
351 gbp_contract_mk_lb (gui, FIB_PROTOCOL_IP4);
352 gbp_contract_mk_lb (gui, FIB_PROTOCOL_IP6);
/*
 * Resolve one redirect next-hop of a rule to an endpoint.
 *
 * The next-hop's IP is sourced as an endpoint (GBP_ENDPOINT_SRC_RR, low
 * priority) on the bridge domain's unknown-unicast forwarding interface, so
 * traffic can be redirected via the spine proxy until the endpoint is
 * learned; the next-hop is then attached as a FIB child of that endpoint so
 * gbp_next_hop_back_walk_notify rebuilds the load-balance when it changes.
 *
 * @param gui  owning rule index (used for logging here)
 * @param gnhi next-hop index to resolve
 *
 * NOTE(review): the return value `rv` of gbp_endpoint_update_and_lock is
 * not checked in the visible lines before gnh_ge is used by
 * gbp_endpoint_child_add; if the update can fail, gnh_ge may be invalid
 * there.  The `ips` vector built with vec_add1 must also be freed after the
 * call (not visible).
 */
356 gbp_contract_next_hop_resolve (index_t gui, index_t gnhi)
358 gbp_bridge_domain_t *gbd;
364 gnh = gbp_next_hop_get (gnhi);
365 gbd = gbp_bridge_domain_get (gnh->gnh_bd);
368 vec_add1 (ips, gnh->gnh_ip);
371 * source the endpoint this contract needs to forward via.
372 * give forwarding details via the spine proxy. If this EP is known
373 * to us, then since we source here with a low priority, the learned
374 * info will take precedence.
376 rv = gbp_endpoint_update_and_lock (GBP_ENDPOINT_SRC_RR,
377 gbd->gb_uu_fwd_sw_if_index,
380 gnh->gnh_bd, gnh->gnh_rd, EPG_INVALID,
381 GBP_ENDPOINT_FLAG_NONE, NULL, NULL,
/* Become a child of the endpoint; gnh_sibling is needed to detach later
 * (gbp_contract_rules_free). */
386 gnh->gnh_sibling = gbp_endpoint_child_add (gnh->gnh_ge,
387 gbp_next_hop_fib_type, gnhi);
390 GBP_CONTRACT_DBG ("..resolve: %d: %d: %U", gui, gnhi, format_gbp_next_hop,
/* Resolve every next-hop of one rule (see gbp_contract_next_hop_resolve). */
398 gbp_contract_rule_resolve (index_t gui)
403 gu = gbp_rule_get (gui);
405 GBP_CONTRACT_DBG ("..resolve: %U", format_gbp_rule, gui);
407 vec_foreach (gnhi, gu->gu_nhs)
409 gbp_contract_next_hop_resolve (gui, *gnhi);
/* Resolve the next-hops of every rule in @guis (a NULL/empty vector is fine
 * for vec_foreach). */
414 gbp_contract_resolve (index_t * guis)
418 vec_foreach (gui, guis)
420 gbp_contract_rule_resolve (*gui);
/* Build the load-balances of every rule in @guis, both address families. */
425 gbp_contract_mk_lbs (index_t * guis)
429 vec_foreach (gui, guis)
431 gbp_contract_mk_one_lb (*gui);
/*
 * Create or replace the contract between two EPGs.
 *
 * @param src_epg   source EPG id
 * @param dst_epg   destination EPG id
 * @param acl_index ACL applied to traffic matching the contract
 * @param rules     vector of rule indices; ownership passes to the contract
 *                  (freed via gbp_contract_rules_free on the next update or
 *                  delete) - callers must not free or reuse it.
 *
 * On the first call the ACL plugin is bound and a user module registered.
 * An existing contract for the same key has its old rules torn down and its
 * ACL lookup context released before the new state is installed.
 *
 * NOTE(review): acl_index is stored and handed to the ACL plugin without any
 * visible check that such an ACL exists; the CLI path passes whatever was
 * typed (and NULL rules).  The release of the local acl_vec after
 * set_acl_vec_for_context is outside the visible lines.
 */
436 gbp_contract_update (epg_id_t src_epg,
437 epg_id_t dst_epg, u32 acl_index, index_t * rules)
439 gbp_main_t *gm = &gbp_main;
445 gbp_contract_key_t key = {
/* Lazy one-time binding to the ACL plugin's exported API. */
450 if (~0 == gm->gbp_acl_user_id)
452 acl_plugin_exports_init (&gm->acl_plugin);
453 gm->gbp_acl_user_id =
454 gm->acl_plugin.register_user_module ("GBP ACL", "src-epg", "dst-epg");
457 p = hash_get (gbp_contract_db.gc_hash, key.as_u32);
/* Existing contract: tear down old rules and ACL context before reuse. */
461 gc = gbp_contract_get (gci);
462 gbp_contract_rules_free (gc->gc_rules);
463 gbp_main.acl_plugin.put_lookup_context_index (gc->gc_lc_index);
/* New contract: allocate and index it by key. */
468 pool_get_zero (gbp_contract_pool, gc);
470 gci = gc - gbp_contract_pool;
471 hash_set (gbp_contract_db.gc_hash, key.as_u32, gci);
474 GBP_CONTRACT_DBG ("update: %U", format_gbp_contract, gci);
/* Take the rules, resolve their next-hops, then build the LBs. */
476 gc->gc_rules = rules;
477 gbp_contract_resolve (gc->gc_rules);
478 gbp_contract_mk_lbs (gc->gc_rules);
480 gc->gc_acl_index = acl_index;
482 gm->acl_plugin.get_lookup_context_index (gm->gbp_acl_user_id,
/* A single-entry ACL vector is what the lookup context consumes. */
485 vec_add1 (acl_vec, gc->gc_acl_index);
486 gm->acl_plugin.set_acl_vec_for_context (gc->gc_lc_index, acl_vec);
/*
 * Delete the contract between two EPGs.
 *
 * Tears down the rules, releases the ACL lookup context, removes the key
 * from the hash and returns the contract to the pool.
 *
 * @return 0 on success (outside the visible lines),
 *         VNET_API_ERROR_NO_SUCH_ENTRY if no contract exists for the key.
 */
493 gbp_contract_delete (epg_id_t src_epg, epg_id_t dst_epg)
495 gbp_contract_key_t key = {
502 p = hash_get (gbp_contract_db.gc_hash, key.as_u32);
505 gc = gbp_contract_get (p[0]);
507 gbp_contract_rules_free (gc->gc_rules);
508 gbp_main.acl_plugin.put_lookup_context_index (gc->gc_lc_index);
/* Unhash before pool_put so no index to a freed element remains. */
510 hash_unset (gbp_contract_db.gc_hash, key.as_u32);
511 pool_put (gbp_contract_pool, gc);
516 return (VNET_API_ERROR_NO_SUCH_ENTRY);
/* Invoke @cb(contract, ctx) for every live contract in the pool; the loop
 * body and the callback's stop semantics are outside the visible lines. */
520 gbp_contract_walk (gbp_contract_cb_t cb, void *ctx)
525 pool_foreach(gc, gbp_contract_pool,
/*
 * CLI: "gbp contract [del] src-epg <ID> dst-epg <ID> acl-index <ACL>".
 *
 * Adds a contract with only an ACL (rules are passed as NULL - redirect
 * rules are API-only) or deletes one.  Both EPG ids are mandatory.
 *
 * NOTE(review): the ids are parsed with "%d" into unsigned epg/acl values,
 * so negative input wraps; acl-index is not validated here or in
 * gbp_contract_update, and its default when omitted is outside the visible
 * lines.  The handling of an unrecognised token is also not visible.
 */
533 static clib_error_t *
534 gbp_contract_cli (vlib_main_t * vm,
535 unformat_input_t * input, vlib_cli_command_t * cmd)
537 epg_id_t src_epg_id = EPG_INVALID, dst_epg_id = EPG_INVALID;
541 while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
543 if (unformat (input, "add"))
545 else if (unformat (input, "del"))
547 else if (unformat (input, "src-epg %d", &src_epg_id))
549 else if (unformat (input, "dst-epg %d", &dst_epg_id))
551 else if (unformat (input, "acl-index %d", &acl_index))
557 if (EPG_INVALID == src_epg_id)
558 return clib_error_return (0, "Source EPG-ID must be specified");
559 if (EPG_INVALID == dst_epg_id)
560 return clib_error_return (0, "Destination EPG-ID must be specified");
/* CLI-created contracts carry no redirect rules. */
564 gbp_contract_update (src_epg_id, dst_epg_id, acl_index, NULL);
568 gbp_contract_delete (src_epg_id, dst_epg_id);
575 * Configure a GBP Contract
578 * @cliexstart{set gbp contract [del] src-epg <ID> dst-epg <ID> acl-index <ACL>}
/* Registration of the "gbp contract" CLI command (handler above). */
582 VLIB_CLI_COMMAND (gbp_contract_cli_node, static) =
584 .path = "gbp contract",
586 "gbp contract [del] src-epg <ID> dst-epg <ID> acl-index <ACL>",
587 .function = gbp_contract_cli,
/* format() helper: prints a contract key as "{src-epg,dst-epg}". */
592 format_gbp_contract_key (u8 * s, va_list * args)
594 gbp_contract_key_t *gck = va_arg (*args, gbp_contract_key_t *);
596 s = format (s, "{%d,%d}", gck->gck_src, gck->gck_dst);
/* format() helper: key, ACL index, then one indented line per rule. */
602 format_gbp_contract (u8 * s, va_list * args)
604 index_t gci = va_arg (*args, index_t);
608 gc = gbp_contract_get (gci);
610 s = format (s, "%U: acl-index:%d",
611 format_gbp_contract_key, &gc->gc_key, gc->gc_acl_index);
613 vec_foreach (gui, gc->gc_rules)
615 s = format (s, "\n %d: %U", *gui, format_gbp_rule, *gui);
/* CLI: "show gbp contract" - dumps every contract in the pool. */
621 static clib_error_t *
622 gbp_contract_show (vlib_main_t * vm,
623 unformat_input_t * input, vlib_cli_command_t * cmd)
627 vlib_cli_output (vm, "Contracts:");
630 pool_foreach_index (gci, gbp_contract_pool,
632 vlib_cli_output (vm, " [%d] %U", gci, format_gbp_contract, gci);
640 * Show Group Based Policy Contracts
643 * @cliexstart{show gbp contract}
/* Registration of the "show gbp contract" CLI command. */
647 VLIB_CLI_COMMAND (gbp_contract_show_node, static) = {
648 .path = "show gbp contract",
649 .short_help = "show gbp contract\n",
650 .function = gbp_contract_show,
/* fib_node_vft_t::fnv_get - map a next-hop index to its embedded fib_node_t. */
655 gbp_next_hop_get_node (fib_node_index_t index)
659 gnh = gbp_next_hop_get (index);
661 return (&gnh->gnh_node);
/* fib_node_vft_t::fnv_last_lock - body not visible in this fragment.
 * Next-hop lifetime is managed by the owning rule, not by FIB node locks. */
665 gbp_next_hop_last_lock_gone (fib_node_t * node)
/*
 * Recover the next-hop from its embedded fib_node_t.  Valid only because
 * gnh_node is the first member of gbp_next_hop_t; the ASSERT (debug builds
 * only) guards against a node of another type being handed to the VFT.
 */
670 static gbp_next_hop_t *
671 gbp_next_hop_from_fib_node (fib_node_t * node)
673 ASSERT (gbp_next_hop_fib_type == node->fn_type);
674 return ((gbp_next_hop_t *) node);
/*
 * fib_node_vft_t::fnv_back_walk - the endpoint this next-hop depends on
 * changed; rebuild the owning rule's load-balances (both AFs) so the
 * redirect follows the endpoint's new forwarding state.
 *
 * NOTE(review): gnh_gu (the owning rule) is not assigned anywhere in the
 * visible lines of this fragment; confirm it is set before the next-hop is
 * attached as a child, otherwise the first back-walk rebuilds rule 0.
 */
677 static fib_node_back_walk_rc_t
678 gbp_next_hop_back_walk_notify (fib_node_t * node,
679 fib_node_back_walk_ctx_t * ctx)
683 gnh = gbp_next_hop_from_fib_node (node);
685 gbp_contract_mk_one_lb (gnh->gnh_gu);
687 return (FIB_NODE_BACK_WALK_CONTINUE);
691 * The FIB path's graph node virtual function table
693 static const fib_node_vft_t gbp_next_hop_vft = {
694 .fnv_get = gbp_next_hop_get_node,
695 .fnv_last_lock = gbp_next_hop_last_lock_gone,
696 .fnv_back_walk = gbp_next_hop_back_walk_notify,
/* fnv_mem_show is deliberately left unset; next-hops are not reported in
 * "show fib memory". The line below is dead code and can be removed. */
697 // .fnv_mem_show = fib_path_memory_show,
/*
 * Plugin init: register the "gbp/con" log class used by GBP_CONTRACT_DBG
 * and the FIB node type for redirect next-hops.  Must run before any
 * gbp_next_hop_alloc, which fib_node_init's against that type.
 */
700 static clib_error_t *
701 gbp_contract_init (vlib_main_t * vm)
703 gc_logger = vlib_log_register_class ("gbp", "con");
704 gbp_next_hop_fib_type = fib_node_register_new_type (&gbp_next_hop_vft);
709 VLIB_INIT_FUNCTION (gbp_contract_init);
712 * fd.io coding-style-patch-verification: ON
715 * eval: (c-set-style "gnu")