1 /*
2  * Copyright (c) 2016 Cisco and/or its affiliates.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at:
6  *
7  *     http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 #include <vnet/cop/cop.h>
16 #include <vnet/fib/ip4_fib.h>
17 #include <vnet/dpo/load_balance.h>
18
/* Per-packet trace record captured by the ip4-cop-whitelist node. */
typedef struct {
  u32 next_index;	/* next index chosen for the buffer, after any drop override */
  u32 sw_if_index;	/* copied from vnet_buffer(b)->sw_if_index[VLIB_RX] */
} ip4_cop_whitelist_trace_t;
23
/*
 * Trace formatter for the ip4-cop-whitelist node.
 *
 * Pulls (vm, node, trace record) off the va_list in that order, appends one
 * line holding the recorded sw_if_index and next index to the vector s, and
 * returns the (possibly reallocated) vector.
 */
static u8 *
format_ip4_cop_whitelist_trace (u8 * s, va_list * args)
{
  /* vm and node are not printed, but must still be consumed from the list */
  CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
  CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
  ip4_cop_whitelist_trace_t *trace =
    va_arg (*args, ip4_cop_whitelist_trace_t *);

  return format (s, "IP4_COP_WHITELIST: sw_if_index %d, next index %d",
		 trace->sw_if_index, trace->next_index);
}
35
/*
 * Tentative declaration of the node registration; it is initialised by
 * VLIB_REGISTER_NODE (ip4_cop_whitelist_node) further down in this file.
 */
vlib_node_registration_t ip4_cop_whitelist_node;

/*
 * X-macro list of this node's error counters, one _(symbol, description)
 * entry per counter.  The only entry is the counter charged to packets that
 * the whitelist check sends to RX_COP_DROP.
 */
#define foreach_ip4_cop_whitelist_error                         \
_(DROPPED, "ip4 cop whitelist packets dropped")

/*
 * Error codes: IP4_COP_WHITELIST_ERROR_<sym> for each list entry, followed by
 * IP4_COP_WHITELIST_N_ERROR as the entry count.
 */
typedef enum {
#define _(sym,str) IP4_COP_WHITELIST_ERROR_##sym,
  foreach_ip4_cop_whitelist_error
#undef _
  IP4_COP_WHITELIST_N_ERROR,
} ip4_cop_whitelist_error_t;

/*
 * Description strings, generated from the same list so that they stay in the
 * same order as the enum above.
 */
static char * ip4_cop_whitelist_error_strings[] = {
#define _(sym,string) string,
  foreach_ip4_cop_whitelist_error
#undef _
};
53
/*
 * ip4-cop-whitelist node function.
 *
 * For every buffer in the frame the IPv4 *source* address is looked up in the
 * FIB named by this feature's config data (c->fib_index).  Bucket 0 of the
 * resulting load-balance object is examined: if its DPO type is DPO_RECEIVE
 * the buffer keeps the next index returned by vnet_get_config_data();
 * otherwise it is charged with IP4_COP_WHITELIST_ERROR_DROPPED and sent to
 * RX_COP_DROP.  Buffers are handled two at a time while at least four remain,
 * then one at a time.
 *
 * Review notes for anyone relying on this node as a filter:
 *  - The decision is keyed on the source address only.  That field is set by
 *    the sender, so the whitelist is only as strong as whatever anti-spoofing
 *    is enforced before packets reach this node.
 *  - The header pointer is taken straight from vlib_buffer_get_current();
 *    nothing in this function checks the IP version, the header length, or
 *    that the buffer holds a complete IPv4 header before src_address is read.
 *    NOTE(review): confirm the upstream node guarantees this.
 *  - Only bucket 0 of the load-balance object is inspected.
 *    NOTE(review): confirm whitelist FIB entries can never have a
 *    non-receive bucket 0 alongside other buckets, or vice versa.
 *  - The ASSERT cross-check of the mtrie result is presumably compiled out of
 *    non-debug images - confirm; release builds would then act on the mtrie
 *    result alone.
 *  - The load-balance "via" counter is incremented for every packet looked
 *    up, including the ones that are then dropped.
 *
 * @param vm    vlib main for the calling thread
 * @param node  runtime data of this node (errors, flags, cached next index)
 * @param frame frame of buffer indices to process
 * @return frame->n_vectors, i.e. every buffer in the frame is consumed
 */
static uword
ip4_cop_whitelist_node_fn (vlib_main_t * vm,
		  vlib_node_runtime_t * node,
		  vlib_frame_t * frame)
{
  u32 n_left_from, * from, * to_next;
  cop_feature_type_t next_index;
  cop_main_t *cm = &cop_main;
  /* counters indexed by load-balance index, bumped once per looked-up packet */
  vlib_combined_counter_main_t * vcm = &load_balance_main.lbm_via_counters;
  u32 cpu_index = vm->cpu_index;

  from = vlib_frame_vector_args (frame);
  n_left_from = frame->n_vectors;
  next_index = node->cached_next_index;

  while (n_left_from > 0)
    {
      u32 n_left_to_next;

      vlib_get_next_frame (vm, node, next_index,
			   to_next, n_left_to_next);

      /*
       * Dual loop.  Requiring four remaining buffers keeps the from[2] and
       * from[3] prefetches below inside the frame.
       */
      while (n_left_from >= 4 && n_left_to_next >= 2)
	{
          u32 bi0, bi1;
	  vlib_buffer_t * b0, * b1;
          u32 next0, next1;
          u32 sw_if_index0, sw_if_index1;
          ip4_header_t * ip0, * ip1;
          cop_config_main_t * ccm0, * ccm1;
          cop_config_data_t * c0, * c1;
          ip4_fib_mtrie_t * mtrie0, * mtrie1;
          ip4_fib_mtrie_leaf_t leaf0, leaf1;
          u32 lb_index0, lb_index1;
          const load_balance_t * lb0, *lb1;
          const dpo_id_t *dpo0, *dpo1;

	  /* Prefetch next iteration. */
	  {
	    vlib_buffer_t * p2, * p3;

	    p2 = vlib_get_buffer (vm, from[2]);
	    p3 = vlib_get_buffer (vm, from[3]);

	    vlib_prefetch_buffer_header (p2, LOAD);
	    vlib_prefetch_buffer_header (p3, LOAD);

	    CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE);
	    CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE);
	  }

          /* speculatively enqueue b0 and b1 to the current next frame */
	  to_next[0] = bi0 = from[0];
	  to_next[1] = bi1 = from[1];
	  from += 2;
	  to_next += 2;
	  n_left_from -= 2;
	  n_left_to_next -= 2;

	  b0 = vlib_get_buffer (vm, bi0);
          sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];

	  /* treated as an IPv4 header without validation in this function */
	  ip0 = vlib_buffer_get_current (b0);

	  ccm0 = cm->cop_config_mains + VNET_COP_IP4;

	  /* yields this feature's config data and sets next0 (passed by address) */
	  c0 = vnet_get_config_data
              (&ccm0->config_main,
               &vnet_buffer (b0)->cop.current_config_index,
               &next0,
               sizeof (c0[0]));

	  mtrie0 = &ip4_fib_get (c0->fib_index)->mtrie;

	  /* mtrie walk keyed on the sender-supplied source address */
	  leaf0 = ip4_fib_mtrie_lookup_step_one (mtrie0, &ip0->src_address);

	  leaf0 = ip4_fib_mtrie_lookup_step (mtrie0, leaf0,
                                             &ip0->src_address, 1);

	  leaf0 = ip4_fib_mtrie_lookup_step (mtrie0, leaf0,
                                             &ip0->src_address, 2);

	  leaf0 = ip4_fib_mtrie_lookup_step (mtrie0, leaf0,
                                             &ip0->src_address, 3);

	  lb_index0 = ip4_fib_mtrie_leaf_get_adj_index (leaf0);

	  /* cross-check against the table lookup; see the ASSERT note above */
	  ASSERT (lb_index0
		  == ip4_fib_table_lookup_lb (ip4_fib_get(c0->fib_index),
					       &ip0->src_address));
	  lb0 = load_balance_get (lb_index0);
          dpo0 = load_balance_get_bucket_i(lb0, 0);

          /* whitelist decision for b0: anything but a receive DPO is dropped */
          if (PREDICT_FALSE(dpo0->dpoi_type != DPO_RECEIVE))
            {
              b0->error = node->errors[IP4_COP_WHITELIST_ERROR_DROPPED];
              next0 = RX_COP_DROP;
            }

	  /* same sequence for the second buffer */
	  b1 = vlib_get_buffer (vm, bi1);
          sw_if_index1 = vnet_buffer(b1)->sw_if_index[VLIB_RX];

	  ip1 = vlib_buffer_get_current (b1);

	  ccm1 = cm->cop_config_mains + VNET_COP_IP4;

	  c1 = vnet_get_config_data
              (&ccm1->config_main,
               &vnet_buffer (b1)->cop.current_config_index,
               &next1,
               sizeof (c1[0]));
	  mtrie1 = &ip4_fib_get (c1->fib_index)->mtrie;

	  leaf1 = ip4_fib_mtrie_lookup_step_one (mtrie1, &ip1->src_address);

	  leaf1 = ip4_fib_mtrie_lookup_step (mtrie1, leaf1,
                                             &ip1->src_address, 1);

	  leaf1 = ip4_fib_mtrie_lookup_step (mtrie1, leaf1,
                                             &ip1->src_address, 2);

	  leaf1 = ip4_fib_mtrie_lookup_step (mtrie1, leaf1,
                                             &ip1->src_address, 3);

	  lb_index1 = ip4_fib_mtrie_leaf_get_adj_index (leaf1);
	  ASSERT (lb_index1
		  == ip4_fib_table_lookup_lb (ip4_fib_get(c1->fib_index),
					       &ip1->src_address));
	  lb1 = load_balance_get (lb_index1);
          dpo1 = load_balance_get_bucket_i(lb1, 0);

	  /*
	   * One packet plus chain length + sizeof (ethernet_header_t) bytes per
	   * buffer.  Unconditional, so dropped packets are counted as well.
	   */
          vlib_increment_combined_counter
              (vcm, cpu_index, lb_index0, 1,
               vlib_buffer_length_in_chain (vm, b0)
               + sizeof(ethernet_header_t));

          vlib_increment_combined_counter
              (vcm, cpu_index, lb_index1, 1,
               vlib_buffer_length_in_chain (vm, b1)
               + sizeof(ethernet_header_t));


          /* whitelist decision for b1 */
          if (PREDICT_FALSE(dpo1->dpoi_type != DPO_RECEIVE))
            {
              b1->error = node->errors[IP4_COP_WHITELIST_ERROR_DROPPED];
              next1 = RX_COP_DROP;
            }

          /* trace records carry the final next index, i.e. after a drop override */
          if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
                            && (b0->flags & VLIB_BUFFER_IS_TRACED)))
            {
              ip4_cop_whitelist_trace_t *t =
                 vlib_add_trace (vm, node, b0, sizeof (*t));
              t->sw_if_index = sw_if_index0;
              t->next_index = next0;
            }

          if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
                            && (b1->flags & VLIB_BUFFER_IS_TRACED)))
            {
              ip4_cop_whitelist_trace_t *t =
                 vlib_add_trace (vm, node, b1, sizeof (*t));
              t->sw_if_index = sw_if_index1;
              t->next_index = next1;
            }

          /* verify speculative enqueues, maybe switch current next frame */
          vlib_validate_buffer_enqueue_x2 (vm, node, next_index,
                                           to_next, n_left_to_next,
                                           bi0, bi1, next0, next1);
        }

      /* Single loop: remaining buffers, same checks as above, one at a time. */
      while (n_left_from > 0 && n_left_to_next > 0)
	{
          u32 bi0;
	  vlib_buffer_t * b0;
          u32 next0;
          u32 sw_if_index0;
          ip4_header_t * ip0;
          cop_config_main_t *ccm0;
          cop_config_data_t *c0;
          ip4_fib_mtrie_t * mtrie0;
          ip4_fib_mtrie_leaf_t leaf0;
          u32 lb_index0;
	  const load_balance_t * lb0;
	  const dpo_id_t *dpo0;

          /* speculatively enqueue b0 to the current next frame */
	  bi0 = from[0];
	  to_next[0] = bi0;
	  from += 1;
	  to_next += 1;
	  n_left_from -= 1;
	  n_left_to_next -= 1;

	  b0 = vlib_get_buffer (vm, bi0);
          sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];

	  /* treated as an IPv4 header without validation in this function */
	  ip0 = vlib_buffer_get_current (b0);

	  ccm0 = cm->cop_config_mains + VNET_COP_IP4;

	  /* yields this feature's config data and sets next0 (passed by address) */
	  c0 = vnet_get_config_data
              (&ccm0->config_main,
               &vnet_buffer (b0)->cop.current_config_index,
               &next0,
               sizeof (c0[0]));

	  mtrie0 = &ip4_fib_get (c0->fib_index)->mtrie;

	  /* mtrie walk keyed on the sender-supplied source address */
	  leaf0 = ip4_fib_mtrie_lookup_step_one (mtrie0, &ip0->src_address);

	  leaf0 = ip4_fib_mtrie_lookup_step (mtrie0, leaf0,
                                             &ip0->src_address, 1);

	  leaf0 = ip4_fib_mtrie_lookup_step (mtrie0, leaf0,
                                             &ip0->src_address, 2);

	  leaf0 = ip4_fib_mtrie_lookup_step (mtrie0, leaf0,
                                             &ip0->src_address, 3);

	  lb_index0 = ip4_fib_mtrie_leaf_get_adj_index (leaf0);

	  /* cross-check against the table lookup; see the ASSERT note above */
	  ASSERT (lb_index0
		  == ip4_fib_table_lookup_lb (ip4_fib_get(c0->fib_index),
					      &ip0->src_address));

	  lb0 = load_balance_get (lb_index0);
          dpo0 = load_balance_get_bucket_i(lb0, 0);

	  /* counted before the decision, so dropped packets are included */
          vlib_increment_combined_counter
              (vcm, cpu_index, lb_index0, 1,
               vlib_buffer_length_in_chain (vm, b0)
               + sizeof(ethernet_header_t));

          /* whitelist decision: anything but a receive DPO is dropped */
          if (PREDICT_FALSE(dpo0->dpoi_type != DPO_RECEIVE))
            {
              b0->error = node->errors[IP4_COP_WHITELIST_ERROR_DROPPED];
              next0 = RX_COP_DROP;
            }

          /* trace record carries the final next index */
          if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
                            && (b0->flags & VLIB_BUFFER_IS_TRACED)))
            {
              ip4_cop_whitelist_trace_t *t =
                 vlib_add_trace (vm, node, b0, sizeof (*t));
              t->sw_if_index = sw_if_index0;
              t->next_index = next0;
            }

          /* verify speculative enqueue, maybe switch current next frame */
	  vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
					   to_next, n_left_to_next,
					   bi0, next0);
	}

      vlib_put_next_frame (vm, node, next_index, n_left_to_next);
    }
  return frame->n_vectors;
}
314
/*
 * Graph-node registration for "ip4-cop-whitelist".
 *
 * The next-node table has COP_RX_N_FEATURES slots and is indexed by the RX
 * cop feature values.  RX_COP_DROP, which the node function assigns to
 * packets that fail the whitelist check, resolves to "error-drop"; the error
 * strings registered here are what that drop is accounted under.
 */
VLIB_REGISTER_NODE (ip4_cop_whitelist_node) = {
  .function = ip4_cop_whitelist_node_fn,
  .name = "ip4-cop-whitelist",
  .vector_size = sizeof (u32),	/* frames carry u32 buffer indices */
  .format_trace = format_ip4_cop_whitelist_trace,
  .type = VLIB_NODE_TYPE_INTERNAL,

  .n_errors = ARRAY_LEN(ip4_cop_whitelist_error_strings),
  .error_strings = ip4_cop_whitelist_error_strings,

  .n_next_nodes = COP_RX_N_FEATURES,

  /* edit / add dispositions here */
  .next_nodes = {
    [IP4_RX_COP_WHITELIST] = "ip4-cop-whitelist",
    [IP6_RX_COP_WHITELIST] = "ip6-cop-whitelist",
    [DEFAULT_RX_COP_WHITELIST] = "default-cop-whitelist",
    [IP4_RX_COP_INPUT] = "ip4-input",
    [IP6_RX_COP_INPUT] = "ip6-input",
    [DEFAULT_RX_COP_INPUT] = "ethernet-input",
    [RX_COP_DROP] = "error-drop",
  },
};

/* NOTE(review): presumably emits per-CPU-architecture variants of the node
   function - confirm against the macro definition. */
VLIB_NODE_FUNCTION_MULTIARCH (ip4_cop_whitelist_node, ip4_cop_whitelist_node_fn)
340
/*
 * Init hook for the ip4 whitelist node.  There is nothing to set up, so it
 * always reports success by returning a null clib_error_t pointer.
 */
static clib_error_t *
ip4_whitelist_init (vlib_main_t * vm)
{
  clib_error_t *error = 0;

  return error;
}

VLIB_INIT_FUNCTION (ip4_whitelist_init);