2 * Copyright (c) 2016 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
15 #include <vnet/ip/ip.h>
16 #include <vnet/ip/ip_source_and_port_range_check.h>
17 #include <vnet/dpo/load_balance.h>
18 #include <vnet/fib/fib_table.h>
19 #include <vnet/fib/ip4_fib.h>
21 source_range_check_main_t source_range_check_main;
25 * @brief IPv4 Source and Port Range Checking.
27 * This file contains the source code for IPv4 source and port range
33 * @brief The pool of range chack DPOs
35 static protocol_port_range_dpo_t *ppr_dpo_pool;
38 * @brief Dynamically registered DPO type
40 static dpo_type_t ppr_dpo_type;
42 vlib_node_registration_t ip4_source_port_and_range_check_rx;
43 vlib_node_registration_t ip4_source_port_and_range_check_tx;
45 #define foreach_ip4_source_and_port_range_check_error \
46 _(CHECK_FAIL, "ip4 source and port range check bad packets") \
47 _(CHECK_OK, "ip4 source and port range check good packets")
51 #define _(sym,str) IP4_SOURCE_AND_PORT_RANGE_CHECK_ERROR_##sym,
52 foreach_ip4_source_and_port_range_check_error
54 IP4_SOURCE_AND_PORT_RANGE_CHECK_N_ERROR,
55 } ip4_source_and_port_range_check_error_t;
57 static char *ip4_source_and_port_range_check_error_strings[] = {
58 #define _(sym,string) string,
59 foreach_ip4_source_and_port_range_check_error
68 ip4_address_t src_addr;
71 } ip4_source_and_port_range_check_trace_t;
74 format_ip4_source_and_port_range_check_trace (u8 * s, va_list * va)
76 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*va, vlib_main_t *);
77 CLIB_UNUSED (vlib_node_t * node) = va_arg (*va, vlib_node_t *);
78 ip4_source_and_port_range_check_trace_t *t =
79 va_arg (*va, ip4_source_and_port_range_check_trace_t *);
82 s = format (s, "PASS (bypass case)");
84 s = format (s, "fib %d src ip %U %s dst port %d: %s",
85 t->fib_index, format_ip4_address, &t->src_addr,
86 t->is_tcp ? "TCP" : "UDP", (u32) t->port,
87 (t->pass == 1) ? "PASS" : "FAIL");
93 IP4_SOURCE_AND_PORT_RANGE_CHECK_NEXT_DROP,
94 IP4_SOURCE_AND_PORT_RANGE_CHECK_N_NEXT,
95 } ip4_source_and_port_range_check_next_t;
99 check_adj_port_range_x1 (const protocol_port_range_dpo_t * ppr_dpo,
100 u16 dst_port, u32 next)
105 u16x8vec_t sum, sum_equal_diff2;
106 u16 sum_nonzero, sum_equal, winner_mask;
109 if (NULL == ppr_dpo || dst_port == 0)
110 return IP4_SOURCE_AND_PORT_RANGE_CHECK_NEXT_DROP;
112 /* Make the obvious screw-case work. A variant also works w/ no MMX */
113 if (PREDICT_FALSE (dst_port == 65535))
118 i < VLIB_BUFFER_PRE_DATA_SIZE / sizeof (protocol_port_range_t);
121 for (j = 0; j < 8; j++)
122 if (ppr_dpo->blocks[i].low.as_u16[j] == 65535)
125 return IP4_SOURCE_AND_PORT_RANGE_CHECK_NEXT_DROP;
128 key.as_u16x8 = u16x8_splat (dst_port);
130 for (i = 0; i < ppr_dpo->n_used_blocks; i++)
133 u16x8_sub_saturate (ppr_dpo->blocks[i].low.as_u16x8, key.as_u16x8);
135 u16x8_sub_saturate (ppr_dpo->blocks[i].hi.as_u16x8, key.as_u16x8);
136 sum.as_u16x8 = u16x8_add (diff1.as_u16x8, diff2.as_u16x8);
137 sum_equal_diff2.as_u16x8 =
138 u16x8_is_equal (sum.as_u16x8, diff2.as_u16x8);
139 sum_nonzero = ~u16x8_zero_byte_mask (sum.as_u16x8);
140 sum_equal = ~u16x8_zero_byte_mask (sum_equal_diff2.as_u16x8);
141 winner_mask = sum_nonzero & sum_equal;
145 return IP4_SOURCE_AND_PORT_RANGE_CHECK_NEXT_DROP;
148 always_inline protocol_port_range_dpo_t *
149 protocol_port_range_dpo_get (index_t index)
151 return (pool_elt_at_index (ppr_dpo_pool, index));
155 ip4_source_and_port_range_check_inline (vlib_main_t * vm,
156 vlib_node_runtime_t * node,
157 vlib_frame_t * frame, int is_tx)
159 ip4_main_t *im = &ip4_main;
160 u32 n_left_from, *from, *to_next;
162 vlib_node_runtime_t *error_node = node;
163 u32 good_packets = 0;
166 from = vlib_frame_vector_args (frame);
167 n_left_from = frame->n_vectors;
168 next_index = node->cached_next_index;
170 while (n_left_from > 0)
174 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
177 /* while (n_left_from >= 4 && n_left_to_next >= 2) */
179 /* vlib_buffer_t *b0, *b1; */
180 /* ip4_header_t *ip0, *ip1; */
181 /* ip4_fib_mtrie_t *mtrie0, *mtrie1; */
182 /* ip4_fib_mtrie_leaf_t leaf0, leaf1; */
183 /* ip_source_and_port_range_check_config_t *c0, *c1; */
184 /* ip_adjacency_t *adj0 = 0, *adj1 = 0; */
185 /* u32 bi0, next0, adj_index0, pass0, save_next0, fib_index0; */
186 /* u32 bi1, next1, adj_index1, pass1, save_next1, fib_index1; */
187 /* udp_header_t *udp0, *udp1; */
189 /* /\* Prefetch next iteration. *\/ */
191 /* vlib_buffer_t *p2, *p3; */
193 /* p2 = vlib_get_buffer (vm, from[2]); */
194 /* p3 = vlib_get_buffer (vm, from[3]); */
196 /* vlib_prefetch_buffer_header (p2, LOAD); */
197 /* vlib_prefetch_buffer_header (p3, LOAD); */
199 /* CLIB_PREFETCH (p2->data, sizeof (ip0[0]), LOAD); */
200 /* CLIB_PREFETCH (p3->data, sizeof (ip1[0]), LOAD); */
203 /* bi0 = to_next[0] = from[0]; */
204 /* bi1 = to_next[1] = from[1]; */
207 /* n_left_from -= 2; */
208 /* n_left_to_next -= 2; */
210 /* b0 = vlib_get_buffer (vm, bi0); */
211 /* b1 = vlib_get_buffer (vm, bi1); */
214 /* vec_elt (im->fib_index_by_sw_if_index, */
215 /* vnet_buffer (b0)->sw_if_index[VLIB_RX]); */
217 /* vec_elt (im->fib_index_by_sw_if_index, */
218 /* vnet_buffer (b1)->sw_if_index[VLIB_RX]); */
220 /* ip0 = vlib_buffer_get_current (b0); */
221 /* ip1 = vlib_buffer_get_current (b1); */
225 /* c0 = vnet_get_config_data (&tx_cm->config_main, */
226 /* &b0->current_config_index, */
227 /* &next0, sizeof (c0[0])); */
228 /* c1 = vnet_get_config_data (&tx_cm->config_main, */
229 /* &b1->current_config_index, */
230 /* &next1, sizeof (c1[0])); */
234 /* c0 = vnet_get_config_data (&rx_cm->config_main, */
235 /* &b0->current_config_index, */
236 /* &next0, sizeof (c0[0])); */
237 /* c1 = vnet_get_config_data (&rx_cm->config_main, */
238 /* &b1->current_config_index, */
239 /* &next1, sizeof (c1[0])); */
242 /* /\* we can't use the default VRF here... *\/ */
243 /* for (i = 0; i < IP_SOURCE_AND_PORT_RANGE_CHECK_N_PROTOCOLS; i++) */
245 /* ASSERT (c0->fib_index[i] && c1->fib_index[i]); */
251 /* if (ip0->protocol == IP_PROTOCOL_UDP) */
254 /* [IP_SOURCE_AND_PORT_RANGE_CHECK_PROTOCOL_UDP_IN]; */
255 /* if (ip0->protocol == IP_PROTOCOL_TCP) */
258 /* [IP_SOURCE_AND_PORT_RANGE_CHECK_PROTOCOL_TCP_IN]; */
262 /* if (ip0->protocol == IP_PROTOCOL_UDP) */
265 /* [IP_SOURCE_AND_PORT_RANGE_CHECK_PROTOCOL_UDP_OUT]; */
266 /* if (ip0->protocol == IP_PROTOCOL_TCP) */
269 /* [IP_SOURCE_AND_PORT_RANGE_CHECK_PROTOCOL_TCP_OUT]; */
272 /* if (PREDICT_TRUE (fib_index0 != ~0)) */
275 /* mtrie0 = &vec_elt_at_index (im->fibs, fib_index0)->mtrie; */
277 /* leaf0 = IP4_FIB_MTRIE_LEAF_ROOT; */
279 /* leaf0 = ip4_fib_mtrie_lookup_step (mtrie0, leaf0, */
280 /* &ip0->src_address, 0); */
282 /* leaf0 = ip4_fib_mtrie_lookup_step (mtrie0, leaf0, */
283 /* &ip0->src_address, 1); */
285 /* leaf0 = ip4_fib_mtrie_lookup_step (mtrie0, leaf0, */
286 /* &ip0->src_address, 2); */
288 /* leaf0 = ip4_fib_mtrie_lookup_step (mtrie0, leaf0, */
289 /* &ip0->src_address, 3); */
291 /* adj_index0 = ip4_fib_mtrie_leaf_get_adj_index (leaf0); */
293 /* ASSERT (adj_index0 == ip4_fib_lookup_with_table (im, fib_index0, */
294 /* &ip0->src_address, */
296 /* /\* use dflt rt *\/ */
298 /* adj0 = ip_get_adjacency (lm, adj_index0); */
303 /* if (ip1->protocol == IP_PROTOCOL_UDP) */
306 /* [IP_SOURCE_AND_PORT_RANGE_CHECK_PROTOCOL_UDP_IN]; */
307 /* if (ip1->protocol == IP_PROTOCOL_TCP) */
310 /* [IP_SOURCE_AND_PORT_RANGE_CHECK_PROTOCOL_TCP_IN]; */
314 /* if (ip1->protocol == IP_PROTOCOL_UDP) */
317 /* [IP_SOURCE_AND_PORT_RANGE_CHECK_PROTOCOL_UDP_OUT]; */
318 /* if (ip1->protocol == IP_PROTOCOL_TCP) */
321 /* [IP_SOURCE_AND_PORT_RANGE_CHECK_PROTOCOL_TCP_OUT]; */
324 /* if (PREDICT_TRUE (fib_index1 != ~0)) */
327 /* mtrie1 = &vec_elt_at_index (im->fibs, fib_index1)->mtrie; */
329 /* leaf1 = IP4_FIB_MTRIE_LEAF_ROOT; */
331 /* leaf1 = ip4_fib_mtrie_lookup_step (mtrie1, leaf1, */
332 /* &ip1->src_address, 0); */
334 /* leaf1 = ip4_fib_mtrie_lookup_step (mtrie1, leaf1, */
335 /* &ip1->src_address, 1); */
337 /* leaf1 = ip4_fib_mtrie_lookup_step (mtrie1, leaf1, */
338 /* &ip1->src_address, 2); */
340 /* leaf1 = ip4_fib_mtrie_lookup_step (mtrie1, leaf1, */
341 /* &ip1->src_address, 3); */
343 /* adj_index1 = ip4_fib_mtrie_leaf_get_adj_index (leaf1); */
345 /* ASSERT (adj_index1 == ip4_fib_lookup_with_table (im, fib_index1, */
346 /* &ip1->src_address, */
348 /* adj1 = ip_get_adjacency (lm, adj_index1); */
352 /* pass0 |= adj0 == 0; */
353 /* pass0 |= ip4_address_is_multicast (&ip0->src_address); */
355 /* ip0->src_address.as_u32 == clib_host_to_net_u32 (0xFFFFFFFF); */
356 /* pass0 |= (ip0->protocol != IP_PROTOCOL_UDP) */
357 /* && (ip0->protocol != IP_PROTOCOL_TCP); */
360 /* pass1 |= adj1 == 0; */
361 /* pass1 |= ip4_address_is_multicast (&ip1->src_address); */
363 /* ip1->src_address.as_u32 == clib_host_to_net_u32 (0xFFFFFFFF); */
364 /* pass1 |= (ip1->protocol != IP_PROTOCOL_UDP) */
365 /* && (ip1->protocol != IP_PROTOCOL_TCP); */
367 /* save_next0 = next0; */
368 /* udp0 = ip4_next_header (ip0); */
369 /* save_next1 = next1; */
370 /* udp1 = ip4_next_header (ip1); */
372 /* if (PREDICT_TRUE (pass0 == 0)) */
374 /* good_packets++; */
375 /* next0 = check_adj_port_range_x1 */
376 /* (adj0, clib_net_to_host_u16 (udp0->dst_port), next0); */
377 /* good_packets -= (save_next0 != next0); */
378 /* b0->error = error_node->errors */
379 /* [IP4_SOURCE_AND_PORT_RANGE_CHECK_ERROR_CHECK_FAIL]; */
382 /* if (PREDICT_TRUE (pass1 == 0)) */
384 /* good_packets++; */
385 /* next1 = check_adj_port_range_x1 */
386 /* (adj1, clib_net_to_host_u16 (udp1->dst_port), next1); */
387 /* good_packets -= (save_next1 != next1); */
388 /* b1->error = error_node->errors */
389 /* [IP4_SOURCE_AND_PORT_RANGE_CHECK_ERROR_CHECK_FAIL]; */
392 /* if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE) */
393 /* && (b0->flags & VLIB_BUFFER_IS_TRACED))) */
395 /* ip4_source_and_port_range_check_trace_t *t = */
396 /* vlib_add_trace (vm, node, b0, sizeof (*t)); */
397 /* t->pass = next0 == save_next0; */
398 /* t->bypass = pass0; */
399 /* t->fib_index = fib_index0; */
400 /* t->src_addr.as_u32 = ip0->src_address.as_u32; */
401 /* t->port = (pass0 == 0) ? */
402 /* clib_net_to_host_u16 (udp0->dst_port) : 0; */
403 /* t->is_tcp = ip0->protocol == IP_PROTOCOL_TCP; */
406 /* if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE) */
407 /* && (b1->flags & VLIB_BUFFER_IS_TRACED))) */
409 /* ip4_source_and_port_range_check_trace_t *t = */
410 /* vlib_add_trace (vm, node, b1, sizeof (*t)); */
411 /* t->pass = next1 == save_next1; */
412 /* t->bypass = pass1; */
413 /* t->fib_index = fib_index1; */
414 /* t->src_addr.as_u32 = ip1->src_address.as_u32; */
415 /* t->port = (pass1 == 0) ? */
416 /* clib_net_to_host_u16 (udp1->dst_port) : 0; */
417 /* t->is_tcp = ip1->protocol == IP_PROTOCOL_TCP; */
420 /* vlib_validate_buffer_enqueue_x2 (vm, node, next_index, */
421 /* to_next, n_left_to_next, */
422 /* bi0, bi1, next0, next1); */
425 while (n_left_from > 0 && n_left_to_next > 0)
429 ip_source_and_port_range_check_config_t *c0;
430 u32 bi0, next0, lb_index0, pass0, save_next0, fib_index0;
432 const protocol_port_range_dpo_t *ppr_dpo0 = NULL;
443 b0 = vlib_get_buffer (vm, bi0);
444 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
446 fib_index0 = vec_elt (im->fib_index_by_sw_if_index, sw_if_index0);
449 vlib_buffer_advance (b0, sizeof (ethernet_header_t));
451 ip0 = vlib_buffer_get_current (b0);
453 c0 = vnet_feature_next_with_data (sw_if_index0, &next0,
456 /* we can't use the default VRF here... */
457 for (i = 0; i < IP_SOURCE_AND_PORT_RANGE_CHECK_N_PROTOCOLS; i++)
459 ASSERT (c0->fib_index[i]);
465 if (ip0->protocol == IP_PROTOCOL_UDP)
468 [IP_SOURCE_AND_PORT_RANGE_CHECK_PROTOCOL_UDP_IN];
469 if (ip0->protocol == IP_PROTOCOL_TCP)
472 [IP_SOURCE_AND_PORT_RANGE_CHECK_PROTOCOL_TCP_IN];
476 if (ip0->protocol == IP_PROTOCOL_UDP)
479 [IP_SOURCE_AND_PORT_RANGE_CHECK_PROTOCOL_UDP_OUT];
480 if (ip0->protocol == IP_PROTOCOL_TCP)
483 [IP_SOURCE_AND_PORT_RANGE_CHECK_PROTOCOL_TCP_OUT];
486 if (fib_index0 != ~0)
488 lb_index0 = ip4_fib_forwarding_lookup (fib_index0,
492 load_balance_get_bucket_i (load_balance_get (lb_index0), 0);
494 if (ppr_dpo_type == dpo->dpoi_type)
496 ppr_dpo0 = protocol_port_range_dpo_get (dpo->dpoi_index);
499 * else the lookup hit an enty that was no inserted
500 * by this range checker, which is the default route
504 * $$$ which (src,dst) categories should we always pass?
507 pass0 |= ip4_address_is_multicast (&ip0->src_address);
509 ip0->src_address.as_u32 == clib_host_to_net_u32 (0xFFFFFFFF);
510 pass0 |= (ip0->protocol != IP_PROTOCOL_UDP)
511 && (ip0->protocol != IP_PROTOCOL_TCP);
514 udp0 = ip4_next_header (ip0);
516 if (PREDICT_TRUE (pass0 == 0))
519 next0 = check_adj_port_range_x1
520 (ppr_dpo0, clib_net_to_host_u16 (udp0->dst_port), next0);
521 good_packets -= (save_next0 != next0);
522 b0->error = error_node->errors
523 [IP4_SOURCE_AND_PORT_RANGE_CHECK_ERROR_CHECK_FAIL];
526 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
527 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
529 ip4_source_and_port_range_check_trace_t *t =
530 vlib_add_trace (vm, node, b0, sizeof (*t));
531 t->pass = next0 == save_next0;
533 t->fib_index = fib_index0;
534 t->src_addr.as_u32 = ip0->src_address.as_u32;
535 t->port = (pass0 == 0) ?
536 clib_net_to_host_u16 (udp0->dst_port) : 0;
537 t->is_tcp = ip0->protocol == IP_PROTOCOL_TCP;
541 vlib_buffer_advance (b0, -sizeof (ethernet_header_t));
543 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
544 to_next, n_left_to_next,
548 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
552 vlib_node_increment_counter (vm, ip4_source_port_and_range_check_tx.index,
553 IP4_SOURCE_AND_PORT_RANGE_CHECK_ERROR_CHECK_OK,
556 vlib_node_increment_counter (vm, ip4_source_port_and_range_check_rx.index,
557 IP4_SOURCE_AND_PORT_RANGE_CHECK_ERROR_CHECK_OK,
559 return frame->n_vectors;
563 ip4_source_and_port_range_check_rx (vlib_main_t * vm,
564 vlib_node_runtime_t * node,
565 vlib_frame_t * frame)
567 return ip4_source_and_port_range_check_inline (vm, node, frame,
572 ip4_source_and_port_range_check_tx (vlib_main_t * vm,
573 vlib_node_runtime_t * node,
574 vlib_frame_t * frame)
576 return ip4_source_and_port_range_check_inline (vm, node, frame,
580 /* Note: Calling same function for both RX and TX nodes
581 as always checking dst_port, although
582 if this changes can easily make new function
586 VLIB_REGISTER_NODE (ip4_source_port_and_range_check_rx) = {
587 .function = ip4_source_and_port_range_check_rx,
588 .name = "ip4-source-and-port-range-check-rx",
589 .vector_size = sizeof (u32),
591 .n_errors = ARRAY_LEN(ip4_source_and_port_range_check_error_strings),
592 .error_strings = ip4_source_and_port_range_check_error_strings,
594 .n_next_nodes = IP4_SOURCE_AND_PORT_RANGE_CHECK_N_NEXT,
596 [IP4_SOURCE_AND_PORT_RANGE_CHECK_NEXT_DROP] = "error-drop",
599 .format_buffer = format_ip4_header,
600 .format_trace = format_ip4_source_and_port_range_check_trace,
605 VLIB_REGISTER_NODE (ip4_source_port_and_range_check_tx) = {
606 .function = ip4_source_and_port_range_check_tx,
607 .name = "ip4-source-and-port-range-check-tx",
608 .vector_size = sizeof (u32),
610 .n_errors = ARRAY_LEN(ip4_source_and_port_range_check_error_strings),
611 .error_strings = ip4_source_and_port_range_check_error_strings,
613 .n_next_nodes = IP4_SOURCE_AND_PORT_RANGE_CHECK_N_NEXT,
615 [IP4_SOURCE_AND_PORT_RANGE_CHECK_NEXT_DROP] = "error-drop",
618 .format_buffer = format_ip4_header,
619 .format_trace = format_ip4_source_and_port_range_check_trace,
624 set_ip_source_and_port_range_check (vlib_main_t * vm,
626 u32 sw_if_index, u32 is_add)
628 ip_source_and_port_range_check_config_t config;
632 for (i = 0; i < IP_SOURCE_AND_PORT_RANGE_CHECK_N_PROTOCOLS; i++)
634 config.fib_index[i] = fib_index[i];
637 /* For OUT we are in the RX path */
638 if ((fib_index[IP_SOURCE_AND_PORT_RANGE_CHECK_PROTOCOL_TCP_OUT] != ~0) ||
639 (fib_index[IP_SOURCE_AND_PORT_RANGE_CHECK_PROTOCOL_UDP_OUT] != ~0))
641 vnet_feature_enable_disable ("ip4-unicast",
642 "ip4-source-and-port-range-check-rx",
643 sw_if_index, is_add, &config,
647 /* For IN we are in the TX path */
648 if ((fib_index[IP_SOURCE_AND_PORT_RANGE_CHECK_PROTOCOL_TCP_IN] != ~0) ||
649 (fib_index[IP_SOURCE_AND_PORT_RANGE_CHECK_PROTOCOL_UDP_IN] != ~0))
651 vnet_feature_enable_disable ("ip4-output",
652 "ip4-source-and-port-range-check-tx",
653 sw_if_index, is_add, &config,
659 static clib_error_t *
660 set_ip_source_and_port_range_check_fn (vlib_main_t * vm,
661 unformat_input_t * input,
662 vlib_cli_command_t * cmd)
664 vnet_main_t *vnm = vnet_get_main ();
665 ip4_main_t *im = &ip4_main;
666 clib_error_t *error = 0;
668 u32 sw_if_index = ~0;
669 u32 vrf_id[IP_SOURCE_AND_PORT_RANGE_CHECK_N_PROTOCOLS];
670 u32 fib_index[IP_SOURCE_AND_PORT_RANGE_CHECK_N_PROTOCOLS];
677 for (i = 0; i < IP_SOURCE_AND_PORT_RANGE_CHECK_N_PROTOCOLS; i++)
683 while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
685 if (unformat (input, "%U", unformat_vnet_sw_interface, vnm,
690 (input, "tcp-out-vrf %d",
691 &vrf_id[IP_SOURCE_AND_PORT_RANGE_CHECK_PROTOCOL_TCP_OUT]))
695 (input, "udp-out-vrf %d",
696 &vrf_id[IP_SOURCE_AND_PORT_RANGE_CHECK_PROTOCOL_UDP_OUT]))
700 (input, "tcp-in-vrf %d",
701 &vrf_id[IP_SOURCE_AND_PORT_RANGE_CHECK_PROTOCOL_TCP_IN]))
705 (input, "udp-in-vrf %d",
706 &vrf_id[IP_SOURCE_AND_PORT_RANGE_CHECK_PROTOCOL_UDP_IN]))
708 else if (unformat (input, "del"))
714 if (sw_if_index == ~0)
715 return clib_error_return (0, "Interface required but not specified");
718 return clib_error_return (0,
719 "TCP or UDP VRF ID required but not specified");
721 for (i = 0; i < IP_SOURCE_AND_PORT_RANGE_CHECK_N_PROTOCOLS; i++)
725 return clib_error_return (0,
726 "TCP, UDP VRF ID should not be 0 (default). Should be distinct VRF for this purpose. ");
730 p = hash_get (im->fib_index_by_table_id, vrf_id[i]);
733 return clib_error_return (0, "Invalid VRF ID %d", vrf_id[i]);
739 set_ip_source_and_port_range_check (vm, fib_index, sw_if_index, is_add);
747 return clib_error_return
749 "set source and port-range on interface returned an unexpected value: %d",
756 * Add the 'ip4-source-and-port-range-check-rx' or
757 * 'ip4-source-and-port-range-check-tx' graph node for a given
758 * interface. 'tcp-out-vrf' and 'udp-out-vrf' will add to
759 * the RX path. 'tcp-in-vrf' and 'udp-in-vrf' will add to
760 * the TX path. A graph node will be inserted into the chain when
761 * the range check is added to the first interface. It will not
762 * be removed from when range check is removed from the last
765 * By adding the range check graph node to the interface, incoming
766 * or outgoing TCP/UDP packets will be validated using the
767 * provided IPv4 FIB table (VRF).
769 * @note 'ip4-source-and-port-range-check-rx' and
770 * 'ip4-source-and-port-range-check-tx' strings are too long, so
771 * they are truncated on the 'show vlib graph' output.
773 * @todo This content needs to be validated and potentially more detail added.
777 * Example of graph node before range checking is enabled:
778 * @cliexstart{show vlib graph ip4-source-and-port-range-check-tx}
780 * ip4-source-and-port-range- error-drop [0]
783 * Example of how to enable range checking on TX:
784 * @cliexcmd{set interface ip source-and-port-range-check GigabitEthernet2/0/0 udp-in-vrf 7}
786 * Example of graph node after range checking is enabled:
787 * @cliexstart{show vlib graph ip4-source-and-port-range-check-tx}
789 * ip4-source-and-port-range- error-drop [0] ip4-rewrite
790 * interface-output [1]
793 * Example of how to display the features enabed on an interface:
794 * @cliexstart{show ip interface features GigabitEthernet2/0/0}
795 * IP feature paths configured on GigabitEthernet2/0/0...
798 * ip4-source-and-port-range-check-rx
802 * ip4-lookup-multicast
819 VLIB_CLI_COMMAND (set_interface_ip_source_and_port_range_check_command, static) = {
820 .path = "set interface ip source-and-port-range-check",
821 .function = set_ip_source_and_port_range_check_fn,
822 .short_help = "set interface ip source-and-port-range-check <interface> [tcp-out-vrf <table-id>] [udp-out-vrf <table-id>] [tcp-in-vrf <table-id>] [udp-in-vrf <table-id>] [del]",
827 format_ppr_dpo (u8 * s, va_list * args)
829 index_t index = va_arg (*args, index_t);
830 CLIB_UNUSED (u32 indent) = va_arg (*args, u32);
832 protocol_port_range_dpo_t *ppr_dpo;
836 ppr_dpo = protocol_port_range_dpo_get (index);
838 s = format (s, "allow ");
840 for (i = 0; i < ppr_dpo->n_used_blocks; i++)
842 for (j = 0; j < 8; j++)
844 if (ppr_dpo->blocks[i].low.as_u16[j])
847 s = format (s, ", ");
848 if (ppr_dpo->blocks[i].hi.as_u16[j] >
849 (ppr_dpo->blocks[i].low.as_u16[j] + 1))
851 format (s, "%d-%d", (u32) ppr_dpo->blocks[i].low.as_u16[j],
852 (u32) ppr_dpo->blocks[i].hi.as_u16[j] - 1);
854 s = format (s, "%d", ppr_dpo->blocks[i].low.as_u16[j]);
863 ppr_dpo_lock (dpo_id_t * dpo)
868 ppr_dpo_unlock (dpo_id_t * dpo)
872 const static dpo_vft_t ppr_vft = {
873 .dv_lock = ppr_dpo_lock,
874 .dv_unlock = ppr_dpo_unlock,
875 .dv_format = format_ppr_dpo,
878 const static char *const ppr_ip4_nodes[] = {
879 "ip4-source-and-port-range-check-rx",
883 const static char *const *const ppr_nodes[DPO_PROTO_NUM] = {
884 [DPO_PROTO_IP4] = ppr_ip4_nodes,
888 ip4_source_and_port_range_check_init (vlib_main_t * vm)
890 source_range_check_main_t *srm = &source_range_check_main;
893 srm->vnet_main = vnet_get_main ();
895 ppr_dpo_type = dpo_register_new_type (&ppr_vft, ppr_nodes);
900 VLIB_INIT_FUNCTION (ip4_source_and_port_range_check_init);
902 protocol_port_range_dpo_t *
903 protocol_port_range_dpo_alloc (void)
905 protocol_port_range_dpo_t *ppr_dpo;
907 pool_get_aligned (ppr_dpo_pool, ppr_dpo, CLIB_CACHE_LINE_BYTES);
908 memset (ppr_dpo, 0, sizeof (*ppr_dpo));
910 ppr_dpo->n_free_ranges = N_PORT_RANGES_PER_DPO;
917 add_port_range_adjacency (u32 fib_index,
918 ip4_address_t * address,
919 u32 length, u16 * low_ports, u16 * high_ports)
921 protocol_port_range_dpo_t *ppr_dpo;
922 dpo_id_t dpop = DPO_INVALID;
925 fib_node_index_t fei;
927 .fp_proto = FIB_PROTOCOL_IP4,
935 * check to see if we have already sourced this prefix
937 fei = fib_table_lookup_exact_match (fib_index, &pfx);
939 if (FIB_NODE_INDEX_INVALID == fei)
942 * this is a first time add for this prefix.
944 ppr_dpo = protocol_port_range_dpo_alloc ();
949 * the prefix is already there.
950 * check it was sourced by us, and if so get the ragne DPO from it.
952 dpo_id_t dpo = DPO_INVALID;
953 const dpo_id_t *bucket;
955 if (fib_entry_get_dpo_for_source (fei, FIB_SOURCE_SPECIAL, &dpo))
958 * there is existing state. we'll want to add the new ranges to it
961 load_balance_get_bucket_i (load_balance_get (dpo.dpoi_index), 0);
962 ppr_dpo = protocol_port_range_dpo_get (bucket->dpoi_index);
968 * there is no PPR state associated with this prefix,
969 * so we'll need a new DPO
971 ppr_dpo = protocol_port_range_dpo_alloc ();
975 if (vec_len (low_ports) > ppr_dpo->n_free_ranges)
976 return VNET_API_ERROR_EXCEEDED_NUMBER_OF_RANGES_CAPACITY;
980 for (i = 0; i < vec_len (low_ports); i++)
982 for (; j < N_BLOCKS_PER_DPO; j++)
986 if (ppr_dpo->blocks[j].low.as_u16[k] == 0)
988 ppr_dpo->blocks[j].low.as_u16[k] = low_ports[i];
989 ppr_dpo->blocks[j].hi.as_u16[k] = high_ports[i];
996 ppr_dpo->n_used_blocks = j + 1;
999 * add or update the entry in the FIB
1001 dpo_set (&dpop, ppr_dpo_type, DPO_PROTO_IP4, (ppr_dpo - ppr_dpo_pool));
1003 if (FIB_NODE_INDEX_INVALID == fei)
1005 fib_table_entry_special_dpo_add (fib_index,
1008 FIB_ENTRY_FLAG_NONE, &dpop);
1012 fib_entry_special_update (fei,
1014 FIB_ENTRY_FLAG_NONE, &dpop);
1021 remove_port_range_adjacency (u32 fib_index,
1022 ip4_address_t * address,
1023 u32 length, u16 * low_ports, u16 * high_ports)
1025 protocol_port_range_dpo_t *ppr_dpo;
1026 fib_node_index_t fei;
1029 fib_prefix_t pfx = {
1030 .fp_proto = FIB_PROTOCOL_IP4,
1038 * check to see if we have sourced this prefix
1040 fei = fib_table_lookup_exact_match (fib_index, &pfx);
1042 if (FIB_NODE_INDEX_INVALID == fei)
1047 return VNET_API_ERROR_INCORRECT_ADJACENCY_TYPE;
1052 * the prefix is already there.
1053 * check it was sourced by us
1055 dpo_id_t dpo = DPO_INVALID;
1056 const dpo_id_t *bucket;
1058 if (fib_entry_get_dpo_for_source (fei, FIB_SOURCE_SPECIAL, &dpo))
1061 * there is existing state. we'll want to add the new ranges to it
1064 load_balance_get_bucket_i (load_balance_get (dpo.dpoi_index), 0);
1065 ppr_dpo = protocol_port_range_dpo_get (bucket->dpoi_index);
1073 return VNET_API_ERROR_INCORRECT_ADJACENCY_TYPE;
1077 for (i = 0; i < vec_len (low_ports); i++)
1079 for (j = 0; j < N_BLOCKS_PER_DPO; j++)
1081 for (k = 0; k < 8; k++)
1083 if (low_ports[i] == ppr_dpo->blocks[j].low.as_u16[k] &&
1084 high_ports[i] == ppr_dpo->blocks[j].hi.as_u16[k])
1086 ppr_dpo->blocks[j].low.as_u16[k] =
1087 ppr_dpo->blocks[j].hi.as_u16[k] = 0;
1095 ppr_dpo->n_free_ranges = 0;
1097 /* Have we deleted all ranges yet? */
1098 for (i = 0; i < N_BLOCKS_PER_DPO; i++)
1100 for (j = 0; j < 8; j++)
1102 if (ppr_dpo->blocks[j].low.as_u16[i] == 0)
1103 ppr_dpo->n_free_ranges++;
1107 if (N_PORT_RANGES_PER_DPO == ppr_dpo->n_free_ranges)
1109 /* Yes, lose the adjacency... */
1110 fib_table_entry_special_remove (fib_index, &pfx, FIB_SOURCE_SPECIAL);
1115 * compact the ranges down to a contiguous block
1123 // This will be moved to another file and implemented post API freeze.
1125 ip6_source_and_port_range_check_add_del (ip6_address_t * address,
1129 u16 * high_ports, int is_add)
1133 fib_index = fib_table_find (FIB_PROTOCOL_IP4, vrf_id);
1135 ASSERT (~0 != fib_index);
1137 fib_table_unlock (fib_index, FIB_PROTOCOL_IP4, FIB_SOURCE_CLASSIFY);
1143 ip4_source_and_port_range_check_add_del (ip4_address_t * address,
1147 u16 * high_ports, int is_add)
1151 fib_index = fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4, vrf_id,
1152 FIB_SOURCE_CLASSIFY);
1156 remove_port_range_adjacency (fib_index, address, length,
1157 low_ports, high_ports);
1161 add_port_range_adjacency (fib_index, address, length,
1162 low_ports, high_ports);
1168 static clib_error_t *
1169 ip_source_and_port_range_check_command_fn (vlib_main_t * vm,
1170 unformat_input_t * input,
1171 vlib_cli_command_t * cmd)
1174 u16 *high_ports = 0;
1177 ip4_address_t ip4_addr;
1178 ip6_address_t ip6_addr; //This function will be moved to generic impl when v6 done.
1182 int is_add = 1, ip_ver = ~0;
1186 while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
1188 if (unformat (input, "%U/%d", unformat_ip4_address, &ip4_addr, &length))
1192 (input, "%U/%d", unformat_ip6_address, &ip6_addr, &length))
1194 else if (unformat (input, "vrf %d", &vrf_id))
1196 else if (unformat (input, "del"))
1198 else if (unformat (input, "port %d", &tmp))
1200 if (tmp == 0 || tmp > 65535)
1201 return clib_error_return (0, "port %d out of range", tmp);
1203 this_hi = this_low + 1;
1204 vec_add1 (low_ports, this_low);
1205 vec_add1 (high_ports, this_hi);
1207 else if (unformat (input, "range %d - %d", &tmp, &tmp2))
1210 return clib_error_return (0, "ports %d and %d out of order",
1212 if (tmp == 0 || tmp > 65535)
1213 return clib_error_return (0, "low port %d out of range", tmp);
1214 if (tmp2 == 0 || tmp2 > 65535)
1215 return clib_error_return (0, "high port %d out of range", tmp2);
1218 vec_add1 (low_ports, this_low);
1219 vec_add1 (high_ports, this_hi);
1226 return clib_error_return (0, " <address>/<mask> not specified");
1229 return clib_error_return (0, " VRF ID required, not specified");
1231 if (vec_len (low_ports) == 0)
1232 return clib_error_return (0,
1233 " Both VRF ID and range/port must be set for a protocol.");
1236 return clib_error_return (0, " VRF ID can not be 0 (default).");
1240 rv = ip4_source_and_port_range_check_add_del
1241 (&ip4_addr, length, vrf_id, low_ports, high_ports, is_add);
1243 return clib_error_return (0, " IPv6 in subsequent patch");
1250 case VNET_API_ERROR_INCORRECT_ADJACENCY_TYPE:
1251 return clib_error_return
1252 (0, " Incorrect adjacency for add/del operation");
1254 case VNET_API_ERROR_EXCEEDED_NUMBER_OF_PORTS_CAPACITY:
1255 return clib_error_return (0, " Too many ports in add/del operation");
1257 case VNET_API_ERROR_EXCEEDED_NUMBER_OF_RANGES_CAPACITY:
1258 return clib_error_return
1259 (0, " Too many ranges requested for add operation");
1262 return clib_error_return (0, " returned an unexpected value: %d", rv);
1269 * This command adds an IP Subnet and range of ports to be validated
1270 * by an IP FIB table (VRF).
1272 * @todo This is incomplete. This needs a detailed description and a
1273 * practical example.
1276 * Example of how to add an IPv4 subnet and single port to an IPv4 FIB table:
1277 * @cliexcmd{set ip source-and-port-range-check vrf 7 172.16.1.0/24 port 23}
1278 * Example of how to add an IPv4 subnet and range of ports to an IPv4 FIB table:
1279 * @cliexcmd{set ip source-and-port-range-check vrf 7 172.16.1.0/24 range 23 - 100}
1280 * Example of how to delete an IPv4 subnet and single port from an IPv4 FIB table:
1281 * @cliexcmd{set ip source-and-port-range-check vrf 7 172.16.1.0/24 port 23 del}
1282 * Example of how to delete an IPv4 subnet and range of ports from an IPv4 FIB table:
1283 * @cliexcmd{set ip source-and-port-range-check vrf 7 172.16.1.0/24 range 23 - 100 del}
1286 VLIB_CLI_COMMAND (ip_source_and_port_range_check_command, static) = {
1287 .path = "set ip source-and-port-range-check",
1288 .function = ip_source_and_port_range_check_command_fn,
1290 "set ip source-and-port-range-check vrf <table-id> <ip-addr>/<mask> {port nn | range <nn> - <nn>} [del]",
1295 static clib_error_t *
1296 show_source_and_port_range_check_fn (vlib_main_t * vm,
1297 unformat_input_t * input,
1298 vlib_cli_command_t * cmd)
1300 protocol_port_range_dpo_t *ppr_dpo;
1306 fib_prefix_t pfx = {
1307 .fp_proto = FIB_PROTOCOL_IP4,
1311 while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
1313 if (unformat (input, "%U", unformat_ip4_address, &pfx.fp_addr.ip4))
1315 else if (unformat (input, "vrf %d", &vrf_id))
1317 else if (unformat (input, "port %d", &port))
1324 return clib_error_return (0, "<address> not specified");
1327 return clib_error_return (0, "VRF ID required, not specified");
1329 fib_index = fib_table_find (FIB_PROTOCOL_IP4, vrf_id);
1330 if (~0 == fib_index)
1331 return clib_error_return (0, "VRF %d not found", vrf_id);
1334 * find the longest prefix match on the address requested,
1335 * check it was sourced by us
1337 dpo_id_t dpo = DPO_INVALID;
1338 const dpo_id_t *bucket;
1340 if (!fib_entry_get_dpo_for_source (fib_table_lookup (fib_index, &pfx),
1341 FIB_SOURCE_SPECIAL, &dpo))
1346 vlib_cli_output (vm, "%U: src address drop", format_ip4_address,
1351 bucket = load_balance_get_bucket_i (load_balance_get (dpo.dpoi_index), 0);
1352 ppr_dpo = protocol_port_range_dpo_get (bucket->dpoi_index);
1357 rv = check_adj_port_range_x1 (ppr_dpo, (u16) port, 1234);
1359 vlib_cli_output (vm, "%U port %d PASS", format_ip4_address,
1360 &pfx.fp_addr.ip4, port);
1362 vlib_cli_output (vm, "%U port %d FAIL", format_ip4_address,
1363 &pfx.fp_addr.ip4, port);
1370 s = format (0, "%U: ", format_ip4_address, &pfx.fp_addr.ip4);
1372 for (i = 0; i < N_BLOCKS_PER_DPO; i++)
1374 for (j = 0; j < 8; j++)
1376 if (ppr_dpo->blocks[i].low.as_u16[j])
1377 s = format (s, "%d - %d ",
1378 (u32) ppr_dpo->blocks[i].low.as_u16[j],
1379 (u32) ppr_dpo->blocks[i].hi.as_u16[j]);
1382 vlib_cli_output (vm, "%s", s);
1390 * Display the range of ports being validated by an IPv4 FIB for a given
1391 * IP or subnet, or test if a given IP and port are being validated.
1393 * @todo This is incomplete. This needs a detailed description and a
1394 * practical example.
1397 * Example of how to display the set of ports being validated for a given
1399 * @cliexstart{show ip source-and-port-range-check vrf 7 172.16.2.0}
1400 * 172.16.2.0: 23 - 101
1402 * Example of how to test to determine of a given Pv4 address and port
1403 * are being validated:
1404 * @cliexstart{show ip source-and-port-range-check vrf 7 172.16.2.2 port 23}
1405 * 172.16.2.2 port 23 PASS
1407 * @cliexstart{show ip source-and-port-range-check vrf 7 172.16.2.2 port 250}
1408 * 172.16.2.2 port 250 FAIL
1412 VLIB_CLI_COMMAND (show_source_and_port_range_check, static) = {
1413 .path = "show ip source-and-port-range-check",
1414 .function = show_source_and_port_range_check_fn,
1416 "show ip source-and-port-range-check vrf <table-id> <ip-addr> [port <n>]",
1421 * fd.io coding-style-patch-verification: ON
1424 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob