1 /*
2  * Copyright (c) 2018 Cisco and/or its affiliates.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at:
6  *
7  *     http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15
16 #ifndef __GBP_CONTRACT_H__
17 #define __GBP_CONTRACT_H__
18
19 #include <plugins/gbp/gbp.h>
20 #include <plugins/gbp/gbp_types.h>
21
/*
 * Reasons recorded for each permit/drop decision made on a packet.
 * Each entry expands, via the _(sym,str) X-macro, to a
 * GBP_CONTRACT_ERROR_<sym> enumerator and a human-readable string.
 *
 * Only some of these are produced by gbp_contract_apply() below
 * (ALLOW_INTRA, ALLOW_SCLASS_1, ALLOW_CONTRACT, DROP_CONTRACT,
 * DROP_ETHER_TYPE, DROP_NO_CONTRACT); the others (ALLOW_NO_SCLASS,
 * ALLOW_A_BIT, DROP_NO_DCLASS) are presumably set by the policy nodes
 * before the contract lookup is reached -- confirm in the node sources.
 */
#define foreach_gbp_contract_error                         \
  _(ALLOW_NO_SCLASS,    "allow-no-sclass")                 \
  _(ALLOW_INTRA,        "allow-intra-sclass")              \
  _(ALLOW_A_BIT,        "allow-a-bit-set")                 \
  _(ALLOW_SCLASS_1,     "allow-sclass-1")                  \
  _(ALLOW_CONTRACT,     "allow-contract")                  \
  _(DROP_CONTRACT,      "drop-contract")                   \
  _(DROP_ETHER_TYPE,    "drop-ether-type")                 \
  _(DROP_NO_CONTRACT,   "drop-no-contract")                \
  _(DROP_NO_DCLASS,     "drop-no-dclass")

typedef enum
{
#define _(sym,str) GBP_CONTRACT_ERROR_##sym,
  foreach_gbp_contract_error
#undef _
    GBP_CONTRACT_N_ERROR,
#define GBP_CONTRACT_N_ERROR GBP_CONTRACT_N_ERROR
} gbp_contract_error_t;

/* One string per gbp_contract_error_t value, in enumerator order. */
extern char *gbp_contract_error_strings[GBP_CONTRACT_N_ERROR];
43
/**
 * The key for a Contract: (scope, source sclass, destination sclass).
 *
 * The anonymous union lets the whole key be hashed as a single u64
 * (see gbp_contract_find).  The field types come from gbp_types.h, which
 * is not visible here; if the three fields total fewer than 8 bytes the
 * u64 alias also covers padding, so callers must zero as_u64 before
 * filling in the fields, otherwise identical (scope, src, dst) triples
 * can produce different hash keys and a contract lookup can silently
 * miss (which fails closed, as DROP_NO_CONTRACT).
 */
typedef struct gbp_contract_key_t_
{
  union
  {
    struct
    {
      /* policy scope the sclass pair is interpreted in */
      gbp_scope_t gck_scope;
      /**
       * source and destination EPGs for which the ACL applies
       */
      sclass_t gck_src;
      sclass_t gck_dst;
    };
    /* the whole key, used as the hash-table key */
    u64 as_u64;
  };
} gbp_contract_key_t;
63
/**
 * A next-hop that traffic matching a REDIRECT rule can be sent to
 * (allocated by gbp_next_hop_alloc, referenced from gbp_rule_t.gu_nhs).
 */
typedef struct gbp_next_hop_t_
{
  /* FIB graph node; presumably used to track the adjacencies below */
  fib_node_t gnh_node;
  /* IP and MAC address of the next-hop */
  ip46_address_t gnh_ip;
  mac_address_t gnh_mac;
  /* index of the owning gbp_rule_t (assumed from the name -- confirm) */
  index_t gnh_gu;
  /* bridge domain / route domain the next-hop lives in
   * (the gbd / grd arguments of gbp_next_hop_alloc) */
  index_t gnh_bd;
  index_t gnh_rd;
  /* NOTE(review): presumably a gbp_endpoint index -- confirm in the .c */
  u32 gnh_ge;
  /* NOTE(review): presumably a FIB-node child/sibling handle -- confirm */
  u32 gnh_sibling;
  /* adjacency index, one per IP protocol */
  index_t gnh_ai[FIB_PROTOCOL_IP_MAX];
} gbp_next_hop_t;
76
/*
 * How flows are spread over a rule's next-hops when the action is
 * REDIRECT (presumably the hash used by the load-balance DPO kept in
 * gbp_rule_t.gu_dpo).
 */
#define foreach_gbp_hash_mode   \
  _(SRC_IP, "src-ip")           \
  _(DST_IP, "dst-ip")           \
  _(SYMMETRIC, "symmetric")

typedef enum gbp_hash_mode_t_
{
#define _(v,s) GBP_HASH_MODE_##v,
  foreach_gbp_hash_mode
#undef _
} gbp_hash_mode_t;
88
/*
 * What a contract rule does with traffic that matched its ACL entry.
 * This is also the verdict type returned by gbp_contract_apply():
 * PERMIT and REDIRECT are forwarded, DENY is dropped.
 */
#define foreach_gbp_rule_action   \
  _(PERMIT,   "permit")           \
  _(DENY,     "deny")             \
  _(REDIRECT, "redirect")

typedef enum gbp_rule_action_t_
{
#define _(v,s) GBP_RULE_##v,
  foreach_gbp_rule_action
#undef _
} gbp_rule_action_t;
100
/*
 * The forwarding paths on which a contract is enforced.  gbp_rule_t
 * keeps one redirect DPO per policy node.
 */
#define foreach_gbp_policy_node   \
  _(L2, "L2")                     \
  _(IP4, "ip4")                   \
  _(IP6, "ip6")

typedef enum gbp_policy_node_t_
{
#define _(v,s) GBP_POLICY_NODE_##v,
  foreach_gbp_policy_node
#undef _
} gbp_policy_node_t;
/* Number of policy nodes.  This relies on IP6 being the LAST entry of
 * foreach_gbp_policy_node; the two must be kept in sync, otherwise
 * gbp_rule_t.gu_dpo is sized too small. */
#define GBP_POLICY_N_NODES (GBP_POLICY_NODE_IP6+1)

/* Iterate pnode over every gbp_policy_node_t value. */
#define FOR_EACH_GBP_POLICY_NODE(pnode)         \
  for (pnode = GBP_POLICY_NODE_L2; pnode < GBP_POLICY_N_NODES; pnode++)
116
/**
 * One rule of a contract: the action taken on traffic whose 5-tuple
 * matched the ACL entry at the same position (see gbp_contract_apply).
 * Allocated by gbp_rule_alloc.
 */
typedef struct gbp_rule_t_
{
  /* permit, deny or redirect */
  gbp_rule_action_t gu_action;
  /* how redirected flows are hashed over gu_nhs */
  gbp_hash_mode_t gu_hash_mode;
  /* gbp_next_hop_t indices used when gu_action is REDIRECT
   * (presumably a vec; confirm against gbp_rule_alloc) */
  index_t *gu_nhs;

  /**
   * DPO of the load-balance object used to redirect,
   * one per policy node and per IP protocol
   */
  dpo_id_t gu_dpo[GBP_POLICY_N_NODES][FIB_PROTOCOL_IP_MAX];
} gbp_rule_t;
128
/**
 * A Group Based Policy Contract.
 *  Determines the ACL that applies to traffic passing between two endpoint
 *  groups, in the direction source -> destination (see gbp_contract_apply).
 */
typedef struct gbp_contract_t_
{
  /**
   * scope, source and destination EPGs
   */
  gbp_contract_key_t gc_key;

  /* the ACL-plugin ACL evaluated against matching traffic */
  u32 gc_acl_index;
  /* ACL-plugin lookup context handed to acl_plugin_fill/match_5tuple_inline
   * in gbp_contract_apply (presumably the context gc_acl_index is bound to) */
  u32 gc_lc_index;

  /**
   * gbp_rule_t indices, indexed by the position of the ACL rule that
   * matched.  This table is programmed separately from the ACL
   * (gbp_contract_update takes acl_index and rules as independent
   * arguments), so the data path must bounds-check the ACL match position
   * against it rather than assume the two have the same length.
   */
  index_t *gc_rules;

  /**
   * An ethertype whitelist for the L2 path.  gbp_contract_apply compares
   * the ethertype read straight from the frame (network byte order)
   * against these values with vec_search, so they must be stored in
   * network byte order too.
   */
  u16 *gc_allowed_ethertypes;
} gbp_contract_t;
153
/**
 * EPG src,dst pair to ACL mapping table, aka contract DB
 */
typedef struct gbp_contract_db_t_
{
  /**
   * We can form a u64 key from the pair, so use a simple hash table:
   * gbp_contract_key_t.as_u64 -> index into gbp_contract_pool
   * (see gbp_contract_find / gbp_contract_get).
   */
  uword *gc_hash;
} gbp_contract_db_t;
164
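/**
 * Create or replace the contract for (scope, sclass -> dclass).
 *
 * @param acl_index          ACL-plugin ACL evaluated against matching traffic
 * @param rules              gbp_rule_t indices, one per ACL rule position
 *                           (gbp_contract_apply indexes this by the matched
 *                           ACL position; presumably a vec)
 * @param allowed_ethertypes ethertypes the L2 path lets through to the ACL;
 *                           compared verbatim against the frame, so supply
 *                           them in network byte order
 * @param stats_index        presumably an out-param for the counter index
 *                           -- confirm in the implementation
 * @return presumably 0 on success, non-zero on error -- confirm in the .c
 */
extern int gbp_contract_update (gbp_scope_t scope,
                                sclass_t sclass,
                                sclass_t dclass,
                                u32 acl_index,
                                index_t * rules,
                                u16 * allowed_ethertypes, u32 * stats_index);
/* Remove the contract for (scope, sclass -> dclass). */
extern int gbp_contract_delete (gbp_scope_t scope, sclass_t sclass,
                                sclass_t dclass);

/* Allocate a rule / a redirect next-hop; return its pool index. */
extern index_t gbp_rule_alloc (gbp_rule_action_t action,
                               gbp_hash_mode_t hash_mode, index_t * nhs);
extern index_t gbp_next_hop_alloc (const ip46_address_t * ip,
                                   index_t grd,
                                   const mac_address_t * mac, index_t gbd);

/* Callback invoked once per contract by gbp_contract_walk. */
typedef int (*gbp_contract_cb_t) (gbp_contract_t * gbpe, void *ctx);
/* Parameter renamed from the typo'd "bgpe" to match the callback type. */
extern void gbp_contract_walk (gbp_contract_cb_t cb, void *ctx);

extern u8 *format_gbp_contract (u8 * s, va_list * args);

/**
 * DP functions and databases
 */
extern gbp_contract_db_t gbp_contract_db;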
189
/**
 * Look up the contract for a (scope, src, dst) key.
 *
 * @param key the contract key; only key->as_u64 is read, so the whole
 *            union (including any padding) must have been set by the caller
 * @return index into gbp_contract_pool, or INDEX_INVALID if there is none
 */
always_inline index_t
gbp_contract_find (gbp_contract_key_t * key)
{
  uword *hit = hash_get (gbp_contract_db.gc_hash, key->as_u64);

  return (hit ? hit[0] : INDEX_INVALID);
}
202
/* Pool of all contracts; gbp_contract_db stores indices into it. */
extern gbp_contract_t *gbp_contract_pool;

/**
 * Return the contract at pool index gci.
 *
 * No lookup or range validation happens here beyond whatever
 * pool_elt_at_index itself does: gci must be a live index, e.g. one
 * returned by gbp_contract_find that is not INDEX_INVALID.
 */
always_inline gbp_contract_t *
gbp_contract_get (index_t gci)
{
  gbp_contract_t *gc;

  gc = pool_elt_at_index (gbp_contract_pool, gci);

  return (gc);
}
210
/* Pool of all rules; gbp_contract_t.gc_rules holds indices into it. */
extern gbp_rule_t *gbp_rule_pool;

/**
 * Return the rule at pool index gui.
 *
 * No range validation happens here beyond whatever pool_elt_at_index
 * itself does: gui must be a live index (e.g. an element of a contract's
 * gc_rules).
 */
always_inline gbp_rule_t *
gbp_rule_get (index_t gui)
{
  gbp_rule_t *gu;

  gu = pool_elt_at_index (gbp_rule_pool, gui);

  return (gu);
}
218
/* Per-contract packet/byte counters, indexed by contract pool index
 * (incremented in gbp_contract_apply). */
extern vlib_combined_counter_main_t gbp_contract_permit_counters;
extern vlib_combined_counter_main_t gbp_contract_drop_counters;

/**
 * Which forwarding path is invoking gbp_contract_apply.  On the L2 path
 * the IP version is derived from the frame's ethertype; on the IP paths
 * it is implied by the type.
 */
typedef enum
{
  GBP_CONTRACT_APPLY_L2,
  GBP_CONTRACT_APPLY_IP4,
  GBP_CONTRACT_APPLY_IP6,
} gbp_contract_apply_type_t;
228
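/**
 * Apply the contract for (scope, src sclass, dst sclass) to one packet.
 *
 * @param vm      vlib main of the calling thread (used for the counters)
 * @param gm      GBP main; used to reach the ACL plugin entry points
 * @param key     scope / source sclass / destination sclass of the packet
 * @param b       the packet.  On the L2 path the ethertype is read from
 *                the two bytes preceding current + l2.l2_len
 * @param rule    out: the gbp_rule_t selected by the ACL match, or 0 when
 *                no rule was consulted (intra-EPG, sclass 1, no contract,
 *                ethertype not allowed, ACL miss, rule-table mismatch)
 * @param intra   counter incremented when src == dst (permitted, no contract)
 * @param sclass1 counter incremented when either class is 1 (permitted,
 *                no contract)
 * @param err     out: the reason for the verdict (gbp_contract_error_t)
 * @param type    which forwarding path is calling (L2, IP4 or IP6)
 * @return        GBP_RULE_PERMIT, GBP_RULE_REDIRECT or GBP_RULE_DENY
 *
 * Security notes:
 *  - Intra-EPG traffic and traffic to or from sclass 1 bypass the
 *    contract table entirely (two unconditional permits below); no ACL
 *    is ever evaluated for such packets.
 *  - Every other failure -- no contract, ethertype not whitelisted,
 *    non-IP payload, ACL miss, DENY rule, unknown path type, or an ACL
 *    match position the rule table does not cover -- fails closed with
 *    GBP_RULE_DENY and is counted in gbp_contract_drop_counters.
 */
static_always_inline gbp_rule_action_t
gbp_contract_apply (vlib_main_t * vm, gbp_main_t * gm,
                    gbp_contract_key_t * key, vlib_buffer_t * b,
                    gbp_rule_t ** rule, u32 * intra, u32 * sclass1,
                    gbp_contract_error_t * err,
                    gbp_contract_apply_type_t type)
{
  fa_5tuple_opaque_t fa_5tuple;
  const gbp_contract_t *contract;
  index_t contract_index;
  u32 acl_pos, acl_match, rule_match, trace_bitmap;
  u16 etype;
  u8 ip6, action;

  *rule = 0;

  if (key->gck_src == key->gck_dst)
    {
      /* intra-EPG traffic is permitted without consulting any contract */
      (*intra)++;
      *err = GBP_CONTRACT_ERROR_ALLOW_INTRA;
      return GBP_RULE_PERMIT;
    }

  if (1 == key->gck_src || 1 == key->gck_dst)
    {
      /* sclass 1 is exempt from policy in either direction
       * (presumably a reserved/infrastructure class) */
      (*sclass1)++;
      *err = GBP_CONTRACT_ERROR_ALLOW_SCLASS_1;
      return GBP_RULE_PERMIT;
    }

  /* look for contract; none configured for this pair => default deny */
  contract_index = gbp_contract_find (key);
  if (INDEX_INVALID == contract_index)
    {
      *err = GBP_CONTRACT_ERROR_DROP_NO_CONTRACT;
      return GBP_RULE_DENY;
    }

  contract = gbp_contract_get (contract_index);

  /* from here on DENY is the outcome unless a rule explicitly permits */
  *err = GBP_CONTRACT_ERROR_DROP_CONTRACT;

  switch (type)
    {
    case GBP_CONTRACT_APPLY_IP4:
      ip6 = 0;
      break;
    case GBP_CONTRACT_APPLY_IP6:
      ip6 = 1;
      break;
    case GBP_CONTRACT_APPLY_L2:
      {
        /*
         * The ethertype is the 16 bits immediately preceding the L3
         * header, i.e. at current + l2.l2_len - 2.  This relies on the L2
         * input path having set l2.l2_len for this buffer.  etype stays in
         * network byte order so it can be compared against the contract's
         * allowed list as stored.
         */
        etype =
          ((u16 *) (vlib_buffer_get_current (b) +
                    vnet_buffer (b)->l2.l2_len))[-1];

        if (~0 == vec_search (contract->gc_allowed_ethertypes, etype))
          {
            *err = GBP_CONTRACT_ERROR_DROP_ETHER_TYPE;
            goto contract_deny;
          }

        /* only IP payloads can be matched against the 5-tuple ACL */
        switch (clib_net_to_host_u16 (etype))
          {
          case ETHERNET_TYPE_IP4:
            ip6 = 0;
            break;
          case ETHERNET_TYPE_IP6:
            ip6 = 1;
            break;
          default:
            goto contract_deny;
          }
      }
      break;
    default:
      /* unknown path type: fail closed instead of using an
       * indeterminate ip6 in the ACL lookup */
      goto contract_deny;
    }

  /* check ACL */
  action = 0;
  acl_plugin_fill_5tuple_inline (gm->acl_plugin.p_acl_main,
                                 contract->gc_lc_index, b, ip6,
                                 0 /* is_input */ ,
                                 GBP_CONTRACT_APPLY_L2 ==
                                 type /* is_l2_path */ , &fa_5tuple);
  acl_plugin_match_5tuple_inline (gm->acl_plugin.p_acl_main,
                                  contract->gc_lc_index, &fa_5tuple, ip6,
                                  &action, &acl_pos, &acl_match, &rule_match,
                                  &trace_bitmap);
  /* action is unsigned: 0 means the ACL did not permit the packet */
  if (0 == action)
    goto contract_deny;

  /*
   * The ACL (gc_acl_index) and the rule table (gc_rules) are programmed
   * independently by gbp_contract_update(), and rule_match is a position
   * in the ACL.  If the rule table is shorter than the ACL, fail closed
   * rather than read past the end of gc_rules.
   */
  if (rule_match >= vec_len (contract->gc_rules))
    goto contract_deny;

  *rule = gbp_rule_get (contract->gc_rules[rule_match]);
  switch ((*rule)->gu_action)
    {
    case GBP_RULE_PERMIT:
    case GBP_RULE_REDIRECT:
      *err = GBP_CONTRACT_ERROR_ALLOW_CONTRACT;
      vlib_increment_combined_counter (&gbp_contract_permit_counters,
                                       vm->thread_index, contract_index, 1,
                                       vlib_buffer_length_in_chain (vm, b));
      return (*rule)->gu_action;
    case GBP_RULE_DENY:
      /* *rule stays set so the caller can see which rule denied */
      break;
    }

contract_deny:
  vlib_increment_combined_counter (&gbp_contract_drop_counters,
                                   vm->thread_index, contract_index, 1,
                                   vlib_buffer_length_in_chain (vm, b));
  return GBP_RULE_DENY;
}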
343
344 #endif /* __GBP_CONTRACT_H__ */
345 /*
346  * fd.io coding-style-patch-verification: ON
347  *
348  * Local Variables:
349  * eval: (c-set-style "gnu")
350  * End:
351  */