2 * Copyright (c) 2017-2019 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
16 /** Generate typed init functions for multiple hash table styles... */
17 #include <vppinfra/bihash_16_8.h>
18 #include <vppinfra/bihash_template.h>
20 #include <vppinfra/bihash_template.c>
22 #undef __included_bihash_template_h__
24 #include <vppinfra/bihash_48_8.h>
25 #include <vppinfra/bihash_template.h>
27 #include <vppinfra/bihash_template.c>
28 #include <vnet/session/session_lookup.h>
29 #include <vnet/session/session.h>
30 #include <vnet/session/application.h>
33 * Network namespace index (i.e., fib index) to session lookup table. We
34 * should have one per network protocol type but for now we only support IP4/6
36 static u32 *fib_index_to_table_index[2];
40 typedef CLIB_PACKED (struct {
49 /* align by making this 4 octets even though its a 1-bit field
50 * NOTE: avoid key overlap with other transports that use 5 tuples for
51 * session identification.
57 }) v4_connection_key_t;
59 typedef CLIB_PACKED (struct {
74 }) v6_connection_key_t;
77 typedef clib_bihash_kv_16_8_t session_kv4_t;
78 typedef clib_bihash_kv_48_8_t session_kv6_t;
81 make_v4_ss_kv (session_kv4_t * kv, ip4_address_t * lcl, ip4_address_t * rmt,
82 u16 lcl_port, u16 rmt_port, u8 proto)
84 kv->key[0] = (u64) rmt->as_u32 << 32 | (u64) lcl->as_u32;
85 kv->key[1] = (u64) proto << 32 | (u64) rmt_port << 16 | (u64) lcl_port;
90 make_v4_listener_kv (session_kv4_t * kv, ip4_address_t * lcl, u16 lcl_port,
93 kv->key[0] = (u64) lcl->as_u32;
94 kv->key[1] = (u64) proto << 32 | (u64) lcl_port;
99 make_v4_proxy_kv (session_kv4_t * kv, ip4_address_t * lcl, u8 proto)
101 kv->key[0] = (u64) lcl->as_u32;
102 kv->key[1] = (u64) proto << 32;
107 make_v4_ss_kv_from_tc (session_kv4_t * kv, transport_connection_t * tc)
109 make_v4_ss_kv (kv, &tc->lcl_ip.ip4, &tc->rmt_ip.ip4, tc->lcl_port,
110 tc->rmt_port, tc->proto);
114 make_v6_ss_kv (session_kv6_t * kv, ip6_address_t * lcl, ip6_address_t * rmt,
115 u16 lcl_port, u16 rmt_port, u8 proto)
117 kv->key[0] = lcl->as_u64[0];
118 kv->key[1] = lcl->as_u64[1];
119 kv->key[2] = rmt->as_u64[0];
120 kv->key[3] = rmt->as_u64[1];
121 kv->key[4] = (u64) proto << 32 | (u64) rmt_port << 16 | (u64) lcl_port;
127 make_v6_listener_kv (session_kv6_t * kv, ip6_address_t * lcl, u16 lcl_port,
130 kv->key[0] = lcl->as_u64[0];
131 kv->key[1] = lcl->as_u64[1];
134 kv->key[4] = (u64) proto << 32 | (u64) lcl_port;
140 make_v6_proxy_kv (session_kv6_t * kv, ip6_address_t * lcl, u8 proto)
142 kv->key[0] = lcl->as_u64[0];
143 kv->key[1] = lcl->as_u64[1];
146 kv->key[4] = (u64) proto << 32;
152 make_v6_ss_kv_from_tc (session_kv6_t * kv, transport_connection_t * tc)
154 make_v6_ss_kv (kv, &tc->lcl_ip.ip6, &tc->rmt_ip.ip6, tc->lcl_port,
155 tc->rmt_port, tc->proto);
158 static session_table_t *
159 session_table_get_or_alloc (u8 fib_proto, u32 fib_index)
163 ASSERT (fib_index != ~0);
164 if (vec_len (fib_index_to_table_index[fib_proto]) > fib_index &&
165 fib_index_to_table_index[fib_proto][fib_index] != ~0)
167 table_index = fib_index_to_table_index[fib_proto][fib_index];
168 return session_table_get (table_index);
172 st = session_table_alloc ();
173 table_index = session_table_index (st);
174 vec_validate_init_empty (fib_index_to_table_index[fib_proto], fib_index,
176 fib_index_to_table_index[fib_proto][fib_index] = table_index;
177 st->active_fib_proto = fib_proto;
178 session_table_init (st, fib_proto);
183 static session_table_t *
184 session_table_get_or_alloc_for_connection (transport_connection_t * tc)
187 fib_proto = transport_connection_fib_proto (tc);
188 return session_table_get_or_alloc (fib_proto, tc->fib_index);
191 static session_table_t *
192 session_table_get_for_connection (transport_connection_t * tc)
194 u32 fib_proto = transport_connection_fib_proto (tc);
195 if (vec_len (fib_index_to_table_index[fib_proto]) <= tc->fib_index)
198 session_table_get (fib_index_to_table_index[fib_proto][tc->fib_index]);
201 static session_table_t *
202 session_table_get_for_fib_index (u32 fib_proto, u32 fib_index)
204 if (vec_len (fib_index_to_table_index[fib_proto]) <= fib_index)
206 return session_table_get (fib_index_to_table_index[fib_proto][fib_index]);
210 session_lookup_get_index_for_fib (u32 fib_proto, u32 fib_index)
212 if (vec_len (fib_index_to_table_index[fib_proto]) <= fib_index)
213 return SESSION_TABLE_INVALID_INDEX;
214 return fib_index_to_table_index[fib_proto][fib_index];
218 session_lookup_get_or_alloc_index_for_fib (u32 fib_proto, u32 fib_index)
221 st = session_table_get_or_alloc (fib_proto, fib_index);
222 return session_table_index (st);
226 * Add transport connection to a session table
228 * Session lookup 5-tuple (src-ip, dst-ip, src-port, dst-port, session-type)
229 * is added to requested session table.
231 * @param tc transport connection to be added
232 * @param value value to be stored
234 * @return non-zero if failure
237 session_lookup_add_connection (transport_connection_t * tc, u64 value)
243 st = session_table_get_or_alloc_for_connection (tc);
248 make_v4_ss_kv_from_tc (&kv4, tc);
250 return clib_bihash_add_del_16_8 (&st->v4_session_hash, &kv4,
255 make_v6_ss_kv_from_tc (&kv6, tc);
257 return clib_bihash_add_del_48_8 (&st->v6_session_hash, &kv6,
263 session_lookup_add_session_endpoint (u32 table_index,
264 session_endpoint_t * sep, u64 value)
270 st = session_table_get (table_index);
275 make_v4_listener_kv (&kv4, &sep->ip.ip4, sep->port,
276 sep->transport_proto);
278 return clib_bihash_add_del_16_8 (&st->v4_session_hash, &kv4, 1);
282 make_v6_listener_kv (&kv6, &sep->ip.ip6, sep->port,
283 sep->transport_proto);
285 return clib_bihash_add_del_48_8 (&st->v6_session_hash, &kv6, 1);
290 session_lookup_del_session_endpoint (u32 table_index,
291 session_endpoint_t * sep)
297 st = session_table_get (table_index);
302 make_v4_listener_kv (&kv4, &sep->ip.ip4, sep->port,
303 sep->transport_proto);
304 return clib_bihash_add_del_16_8 (&st->v4_session_hash, &kv4, 0);
308 make_v6_listener_kv (&kv6, &sep->ip.ip6, sep->port,
309 sep->transport_proto);
310 return clib_bihash_add_del_48_8 (&st->v6_session_hash, &kv6, 0);
315 session_lookup_del_session_endpoint2 (session_endpoint_t * sep)
317 fib_protocol_t fib_proto;
322 fib_proto = sep->is_ip4 ? FIB_PROTOCOL_IP4 : FIB_PROTOCOL_IP6;
323 st = session_table_get_for_fib_index (fib_proto, sep->fib_index);
328 make_v4_listener_kv (&kv4, &sep->ip.ip4, sep->port,
329 sep->transport_proto);
330 return clib_bihash_add_del_16_8 (&st->v4_session_hash, &kv4, 0);
334 make_v6_listener_kv (&kv6, &sep->ip.ip6, sep->port,
335 sep->transport_proto);
336 return clib_bihash_add_del_48_8 (&st->v6_session_hash, &kv6, 0);
341 * Delete transport connection from session table
343 * @param table_index session table index
344 * @param tc transport connection to be removed
346 * @return non-zero if failure
349 session_lookup_del_connection (transport_connection_t * tc)
355 st = session_table_get_for_connection (tc);
360 make_v4_ss_kv_from_tc (&kv4, tc);
361 return clib_bihash_add_del_16_8 (&st->v4_session_hash, &kv4,
366 make_v6_ss_kv_from_tc (&kv6, tc);
367 return clib_bihash_add_del_48_8 (&st->v6_session_hash, &kv6,
373 session_lookup_del_session (session_t * s)
375 transport_connection_t *ts;
376 ts = transport_get_connection (session_get_transport_proto (s),
377 s->connection_index, s->thread_index);
378 if (!ts || (ts->flags & TRANSPORT_CONNECTION_F_NO_LOOKUP))
380 return session_lookup_del_connection (ts);
384 session_lookup_action_index_is_valid (u32 action_index)
386 if (action_index == SESSION_RULES_TABLE_ACTION_ALLOW
387 || action_index == SESSION_RULES_TABLE_INVALID_INDEX)
393 session_lookup_action_to_handle (u32 action_index)
395 switch (action_index)
397 case SESSION_RULES_TABLE_ACTION_DROP:
398 return SESSION_DROP_HANDLE;
399 case SESSION_RULES_TABLE_ACTION_ALLOW:
400 case SESSION_RULES_TABLE_INVALID_INDEX:
401 return SESSION_INVALID_HANDLE;
403 /* application index */
409 session_lookup_app_listen_session (u32 app_index, u8 fib_proto,
413 app = application_get_if_valid (app_index);
417 return app_worker_first_listener (application_get_default_worker (app),
418 fib_proto, transport_proto);
422 session_lookup_action_to_session (u32 action_index, u8 fib_proto,
426 app_index = session_lookup_action_to_handle (action_index);
427 /* Nothing sophisticated for now, action index is app index */
428 return session_lookup_app_listen_session (app_index, fib_proto,
434 session_lookup_rules_table_session4 (session_table_t * st, u8 proto,
435 ip4_address_t * lcl, u16 lcl_port,
436 ip4_address_t * rmt, u16 rmt_port)
438 session_rules_table_t *srt = &st->session_rules[proto];
439 u32 action_index, app_index;
440 action_index = session_rules_table_lookup4 (srt, lcl, rmt, lcl_port,
442 app_index = session_lookup_action_to_handle (action_index);
443 /* Nothing sophisticated for now, action index is app index */
444 return session_lookup_app_listen_session (app_index, FIB_PROTOCOL_IP4,
450 session_lookup_rules_table_session6 (session_table_t * st, u8 proto,
451 ip6_address_t * lcl, u16 lcl_port,
452 ip6_address_t * rmt, u16 rmt_port)
454 session_rules_table_t *srt = &st->session_rules[proto];
455 u32 action_index, app_index;
456 action_index = session_rules_table_lookup6 (srt, lcl, rmt, lcl_port,
458 app_index = session_lookup_action_to_handle (action_index);
459 return session_lookup_app_listen_session (app_index, FIB_PROTOCOL_IP6,
464 * Lookup listener for session endpoint in table
466 * @param table_index table where the endpoint should be looked up
467 * @param sep session endpoint to be looked up
468 * @param use_rules flag that indicates if the session rules of the table
470 * @return invalid handle if nothing is found, the handle of a valid listener
471 * or an action derived handle if a rule is hit
474 session_lookup_endpoint_listener (u32 table_index, session_endpoint_t * sep,
477 session_rules_table_t *srt;
482 st = session_table_get (table_index);
484 return SESSION_INVALID_HANDLE;
490 make_v4_listener_kv (&kv4, &sep->ip.ip4, sep->port,
491 sep->transport_proto);
492 rv = clib_bihash_search_inline_16_8 (&st->v4_session_hash, &kv4);
497 clib_memset (&lcl4, 0, sizeof (lcl4));
498 srt = &st->session_rules[sep->transport_proto];
499 ai = session_rules_table_lookup4 (srt, &lcl4, &sep->ip.ip4, 0,
501 if (session_lookup_action_index_is_valid (ai))
502 return session_lookup_action_to_handle (ai);
510 make_v6_listener_kv (&kv6, &sep->ip.ip6, sep->port,
511 sep->transport_proto);
512 rv = clib_bihash_search_inline_48_8 (&st->v6_session_hash, &kv6);
518 clib_memset (&lcl6, 0, sizeof (lcl6));
519 srt = &st->session_rules[sep->transport_proto];
520 ai = session_rules_table_lookup6 (srt, &lcl6, &sep->ip.ip6, 0,
522 if (session_lookup_action_index_is_valid (ai))
523 return session_lookup_action_to_handle (ai);
526 return SESSION_INVALID_HANDLE;
530 * Look up endpoint in local session table
532 * The result, for now, is an application index and it may in the future
533 * be extended to a more complicated "action object". The only action we
534 * emulate now is "drop" and for that we return a special app index.
536 * Lookup logic is to check in order:
537 * - the rules in the table (connect acls)
538 * - session sub-table for a listener
539 * - session sub-table for a local listener (zeroed addr)
541 * @param table_index table where the lookup should be done
542 * @param sep session endpoint to be looked up
543 * @return session handle that can be interpreted as an adjacency
546 session_lookup_local_endpoint (u32 table_index, session_endpoint_t * sep)
548 session_rules_table_t *srt;
553 st = session_table_get (table_index);
555 return SESSION_INVALID_INDEX;
556 ASSERT (st->is_local);
564 * Check if endpoint has special rules associated
566 clib_memset (&lcl4, 0, sizeof (lcl4));
567 srt = &st->session_rules[sep->transport_proto];
568 ai = session_rules_table_lookup4 (srt, &lcl4, &sep->ip.ip4, 0,
570 if (session_lookup_action_index_is_valid (ai))
571 return session_lookup_action_to_handle (ai);
574 * Check if session endpoint is a listener
576 make_v4_listener_kv (&kv4, &sep->ip.ip4, sep->port,
577 sep->transport_proto);
578 rv = clib_bihash_search_inline_16_8 (&st->v4_session_hash, &kv4);
583 * Zero out the ip. Logic is that connect to local ips, say
584 * 127.0.0.1:port, can match 0.0.0.0:port
586 if (ip4_is_local_host (&sep->ip.ip4))
589 rv = clib_bihash_search_inline_16_8 (&st->v4_session_hash, &kv4);
599 * Zero out the port and check if we have proxy
602 rv = clib_bihash_search_inline_16_8 (&st->v4_session_hash, &kv4);
611 clib_memset (&lcl6, 0, sizeof (lcl6));
612 srt = &st->session_rules[sep->transport_proto];
613 ai = session_rules_table_lookup6 (srt, &lcl6, &sep->ip.ip6, 0,
615 if (session_lookup_action_index_is_valid (ai))
616 return session_lookup_action_to_handle (ai);
618 make_v6_listener_kv (&kv6, &sep->ip.ip6, sep->port,
619 sep->transport_proto);
620 rv = clib_bihash_search_inline_48_8 (&st->v6_session_hash, &kv6);
625 * Zero out the ip. Same logic as above.
628 if (ip6_is_local_host (&sep->ip.ip6))
630 kv6.key[0] = kv6.key[1] = 0;
631 rv = clib_bihash_search_inline_48_8 (&st->v6_session_hash, &kv6);
637 kv6.key[0] = kv6.key[1] = 0;
641 * Zero out the port. Same logic as above.
643 kv6.key[4] = kv6.key[5] = 0;
644 rv = clib_bihash_search_inline_48_8 (&st->v6_session_hash, &kv6);
648 return SESSION_INVALID_HANDLE;
651 static inline session_t *
652 session_lookup_listener4_i (session_table_t * st, ip4_address_t * lcl,
653 u16 lcl_port, u8 proto, u8 use_wildcard)
659 * First, try a fully formed listener
661 make_v4_listener_kv (&kv4, lcl, lcl_port, proto);
662 rv = clib_bihash_search_inline_16_8 (&st->v4_session_hash, &kv4);
664 return listen_session_get ((u32) kv4.value);
667 * Zero out the lcl ip and check if any 0/0 port binds have been done
672 rv = clib_bihash_search_inline_16_8 (&st->v4_session_hash, &kv4);
674 return listen_session_get ((u32) kv4.value);
682 * Zero out port and check if we have a proxy set up for our ip
684 make_v4_proxy_kv (&kv4, lcl, proto);
685 rv = clib_bihash_search_inline_16_8 (&st->v4_session_hash, &kv4);
687 return listen_session_get ((u32) kv4.value);
693 session_lookup_listener4 (u32 fib_index, ip4_address_t * lcl, u16 lcl_port,
694 u8 proto, u8 use_wildcard)
697 st = session_table_get_for_fib_index (FIB_PROTOCOL_IP4, fib_index);
700 return session_lookup_listener4_i (st, lcl, lcl_port, proto, use_wildcard);
704 session_lookup_listener6_i (session_table_t * st, ip6_address_t * lcl,
705 u16 lcl_port, u8 proto, u8 ip_wildcard)
710 make_v6_listener_kv (&kv6, lcl, lcl_port, proto);
711 rv = clib_bihash_search_inline_48_8 (&st->v6_session_hash, &kv6);
713 return listen_session_get ((u32) kv6.value);
715 /* Zero out the lcl ip */
718 kv6.key[0] = kv6.key[1] = 0;
719 rv = clib_bihash_search_inline_48_8 (&st->v6_session_hash, &kv6);
721 return listen_session_get ((u32) kv6.value);
725 kv6.key[0] = kv6.key[1] = 0;
728 make_v6_proxy_kv (&kv6, lcl, proto);
729 rv = clib_bihash_search_inline_48_8 (&st->v6_session_hash, &kv6);
731 return listen_session_get ((u32) kv6.value);
736 session_lookup_listener6 (u32 fib_index, ip6_address_t * lcl, u16 lcl_port,
737 u8 proto, u8 use_wildcard)
740 st = session_table_get_for_fib_index (FIB_PROTOCOL_IP6, fib_index);
743 return session_lookup_listener6_i (st, lcl, lcl_port, proto, use_wildcard);
747 * Lookup listener, exact or proxy (inaddr_any:0) match
750 session_lookup_listener (u32 table_index, session_endpoint_t * sep)
753 st = session_table_get (table_index);
757 return session_lookup_listener4_i (st, &sep->ip.ip4, sep->port,
758 sep->transport_proto, 0);
760 return session_lookup_listener6_i (st, &sep->ip.ip6, sep->port,
761 sep->transport_proto, 0);
766 * Lookup listener wildcard match
769 session_lookup_listener_wildcard (u32 table_index, session_endpoint_t * sep)
772 st = session_table_get (table_index);
776 return session_lookup_listener4_i (st, &sep->ip.ip4, sep->port,
777 sep->transport_proto,
778 1 /* use_wildcard */ );
780 return session_lookup_listener6_i (st, &sep->ip.ip6, sep->port,
781 sep->transport_proto,
782 1 /* use_wildcard */ );
787 session_lookup_add_half_open (transport_connection_t * tc, u64 value)
793 st = session_table_get_or_alloc_for_connection (tc);
798 make_v4_ss_kv_from_tc (&kv4, tc);
800 return clib_bihash_add_del_16_8 (&st->v4_half_open_hash, &kv4,
805 make_v6_ss_kv_from_tc (&kv6, tc);
807 return clib_bihash_add_del_48_8 (&st->v6_half_open_hash, &kv6,
813 session_lookup_del_half_open (transport_connection_t * tc)
819 st = session_table_get_for_connection (tc);
824 make_v4_ss_kv_from_tc (&kv4, tc);
825 return clib_bihash_add_del_16_8 (&st->v4_half_open_hash, &kv4,
830 make_v6_ss_kv_from_tc (&kv6, tc);
831 return clib_bihash_add_del_48_8 (&st->v6_half_open_hash, &kv6,
837 session_lookup_half_open_handle (transport_connection_t * tc)
844 st = session_table_get_for_fib_index (transport_connection_fib_proto (tc),
847 return HALF_OPEN_LOOKUP_INVALID_VALUE;
850 make_v4_ss_kv (&kv4, &tc->lcl_ip.ip4, &tc->rmt_ip.ip4, tc->lcl_port,
851 tc->rmt_port, tc->proto);
852 rv = clib_bihash_search_inline_16_8 (&st->v4_half_open_hash, &kv4);
858 make_v6_ss_kv (&kv6, &tc->lcl_ip.ip6, &tc->rmt_ip.ip6, tc->lcl_port,
859 tc->rmt_port, tc->proto);
860 rv = clib_bihash_search_inline_48_8 (&st->v6_half_open_hash, &kv6);
864 return HALF_OPEN_LOOKUP_INVALID_VALUE;
867 transport_connection_t *
868 session_lookup_half_open_connection (u64 handle, u8 proto, u8 is_ip4)
870 if (handle != HALF_OPEN_LOOKUP_INVALID_VALUE)
872 u32 sst = session_type_from_proto_and_ip (proto, is_ip4);
873 return transport_get_half_open (sst, handle & 0xFFFFFFFF);
879 * Lookup connection with ip4 and transport layer information
881 * This is used on the fast path so it needs to be fast. Thereby,
882 * duplication of code and 'hacks' allowed.
884 * The lookup is incremental and returns whenever something is matched. The
886 * - Try to find an established session
887 * - Try to find a half-open connection
888 * - Try session rules table
889 * - Try to find a fully-formed or local source wildcarded (listener bound to
890 * all interfaces) listener session
893 * @param fib_index index of fib wherein the connection was received
894 * @param lcl local ip4 address
895 * @param rmt remote ip4 address
896 * @param lcl_port local port
897 * @param rmt_port remote port
898 * @param proto transport protocol (e.g., tcp, udp)
899 * @param thread_index thread index for request
900 * @param is_filtered return flag that indicates if connection was filtered.
902 * @return pointer to transport connection, if one is found, 0 otherwise
904 transport_connection_t *
905 session_lookup_connection_wt4 (u32 fib_index, ip4_address_t * lcl,
906 ip4_address_t * rmt, u16 lcl_port,
907 u16 rmt_port, u8 proto, u32 thread_index,
916 st = session_table_get_for_fib_index (FIB_PROTOCOL_IP4, fib_index);
917 if (PREDICT_FALSE (!st))
921 * Lookup session amongst established ones
923 make_v4_ss_kv (&kv4, lcl, rmt, lcl_port, rmt_port, proto);
924 rv = clib_bihash_search_inline_16_8 (&st->v4_session_hash, &kv4);
927 if (PREDICT_FALSE ((u32) (kv4.value >> 32) != thread_index))
929 *result = SESSION_LOOKUP_RESULT_WRONG_THREAD;
932 s = session_get (kv4.value & 0xFFFFFFFFULL, thread_index);
933 return transport_get_connection (proto, s->connection_index,
938 * Try half-open connections
940 rv = clib_bihash_search_inline_16_8 (&st->v4_half_open_hash, &kv4);
942 return transport_get_half_open (proto, kv4.value & 0xFFFFFFFF);
945 * Check the session rules table
947 action_index = session_rules_table_lookup4 (&st->session_rules[proto], lcl,
948 rmt, lcl_port, rmt_port);
949 if (session_lookup_action_index_is_valid (action_index))
951 if (action_index == SESSION_RULES_TABLE_ACTION_DROP)
953 *result = SESSION_LOOKUP_RESULT_FILTERED;
956 if ((s = session_lookup_action_to_session (action_index,
957 FIB_PROTOCOL_IP4, proto)))
958 return transport_get_listener (proto, s->connection_index);
963 * If nothing is found, check if any listener is available
965 s = session_lookup_listener4_i (st, lcl, lcl_port, proto, 1);
967 return transport_get_listener (proto, s->connection_index);
973 * Lookup connection with ip4 and transport layer information
975 * Not optimized. Lookup logic is identical to that of
976 * @ref session_lookup_connection_wt4
978 * @param fib_index index of the fib wherein the connection was received
979 * @param lcl local ip4 address
980 * @param rmt remote ip4 address
981 * @param lcl_port local port
982 * @param rmt_port remote port
983 * @param proto transport protocol (e.g., tcp, udp)
985 * @return pointer to transport connection, if one is found, 0 otherwise
987 transport_connection_t *
988 session_lookup_connection4 (u32 fib_index, ip4_address_t * lcl,
989 ip4_address_t * rmt, u16 lcl_port, u16 rmt_port,
998 st = session_table_get_for_fib_index (FIB_PROTOCOL_IP4, fib_index);
999 if (PREDICT_FALSE (!st))
1003 * Lookup session amongst established ones
1005 make_v4_ss_kv (&kv4, lcl, rmt, lcl_port, rmt_port, proto);
1006 rv = clib_bihash_search_inline_16_8 (&st->v4_session_hash, &kv4);
1009 s = session_get_from_handle (kv4.value);
1010 return transport_get_connection (proto, s->connection_index,
1015 * Try half-open connections
1017 rv = clib_bihash_search_inline_16_8 (&st->v4_half_open_hash, &kv4);
1019 return transport_get_half_open (proto, kv4.value & 0xFFFFFFFF);
1022 * Check the session rules table
1024 action_index = session_rules_table_lookup4 (&st->session_rules[proto], lcl,
1025 rmt, lcl_port, rmt_port);
1026 if (session_lookup_action_index_is_valid (action_index))
1028 if (action_index == SESSION_RULES_TABLE_ACTION_DROP)
1030 if ((s = session_lookup_action_to_session (action_index,
1031 FIB_PROTOCOL_IP4, proto)))
1032 return transport_get_listener (proto, s->connection_index);
1037 * If nothing is found, check if any listener is available
1039 s = session_lookup_listener4_i (st, lcl, lcl_port, proto, 1);
1041 return transport_get_listener (proto, s->connection_index);
1047 * Lookup session with ip4 and transport layer information
1049 * Important note: this may look into another thread's pool table and
1050 * register as 'peeker'. Caller should call @ref session_pool_remove_peeker as
1051 * if needed as soon as possible.
1053 * Lookup logic is similar to that of @ref session_lookup_connection_wt4 but
1054 * this returns a session as opposed to a transport connection and it does not
1055 * try to lookup half-open sessions.
1057 * Typically used by dgram connections
1060 session_lookup_safe4 (u32 fib_index, ip4_address_t * lcl, ip4_address_t * rmt,
1061 u16 lcl_port, u16 rmt_port, u8 proto)
1063 session_table_t *st;
1069 st = session_table_get_for_fib_index (FIB_PROTOCOL_IP4, fib_index);
1070 if (PREDICT_FALSE (!st))
1074 * Lookup session amongst established ones
1076 make_v4_ss_kv (&kv4, lcl, rmt, lcl_port, rmt_port, proto);
1077 rv = clib_bihash_search_inline_16_8 (&st->v4_session_hash, &kv4);
1079 return session_get_from_handle_safe (kv4.value);
1082 * Check the session rules table
1084 action_index = session_rules_table_lookup4 (&st->session_rules[proto], lcl,
1085 rmt, lcl_port, rmt_port);
1086 if (session_lookup_action_index_is_valid (action_index))
1088 if (action_index == SESSION_RULES_TABLE_ACTION_DROP)
1090 return session_lookup_action_to_session (action_index, FIB_PROTOCOL_IP4,
1095 * If nothing is found, check if any listener is available
1097 if ((s = session_lookup_listener4_i (st, lcl, lcl_port, proto, 1)))
1104 * Lookup connection with ip6 and transport layer information
1106 * This is used on the fast path so it needs to be fast. Thereby,
1107 * duplication of code and 'hacks' allowed.
1109 * The lookup is incremental and returns whenever something is matched. The
1111 * - Try to find an established session
1112 * - Try to find a half-open connection
1113 * - Try session rules table
1114 * - Try to find a fully-formed or local source wildcarded (listener bound to
1115 * all interfaces) listener session
1118 * @param fib_index index of the fib wherein the connection was received
1119 * @param lcl local ip6 address
1120 * @param rmt remote ip6 address
1121 * @param lcl_port local port
1122 * @param rmt_port remote port
1123 * @param proto transport protocol (e.g., tcp, udp)
1124 * @param thread_index thread index for request
1126 * @return pointer to transport connection, if one is found, 0 otherwise
1128 transport_connection_t *
1129 session_lookup_connection_wt6 (u32 fib_index, ip6_address_t * lcl,
1130 ip6_address_t * rmt, u16 lcl_port,
1131 u16 rmt_port, u8 proto, u32 thread_index,
1134 session_table_t *st;
1140 st = session_table_get_for_fib_index (FIB_PROTOCOL_IP6, fib_index);
1141 if (PREDICT_FALSE (!st))
1144 make_v6_ss_kv (&kv6, lcl, rmt, lcl_port, rmt_port, proto);
1145 rv = clib_bihash_search_inline_48_8 (&st->v6_session_hash, &kv6);
1148 ASSERT ((u32) (kv6.value >> 32) == thread_index);
1149 if (PREDICT_FALSE ((u32) (kv6.value >> 32) != thread_index))
1151 *result = SESSION_LOOKUP_RESULT_WRONG_THREAD;
1154 s = session_get (kv6.value & 0xFFFFFFFFULL, thread_index);
1155 return transport_get_connection (proto, s->connection_index,
1159 /* Try half-open connections */
1160 rv = clib_bihash_search_inline_48_8 (&st->v6_half_open_hash, &kv6);
1162 return transport_get_half_open (proto, kv6.value & 0xFFFFFFFF);
1164 /* Check the session rules table */
1165 action_index = session_rules_table_lookup6 (&st->session_rules[proto], lcl,
1166 rmt, lcl_port, rmt_port);
1167 if (session_lookup_action_index_is_valid (action_index))
1169 if (action_index == SESSION_RULES_TABLE_ACTION_DROP)
1171 *result = SESSION_LOOKUP_RESULT_FILTERED;
1174 if ((s = session_lookup_action_to_session (action_index,
1175 FIB_PROTOCOL_IP6, proto)))
1176 return transport_get_listener (proto, s->connection_index);
1180 /* If nothing is found, check if any listener is available */
1181 s = session_lookup_listener6_i (st, lcl, lcl_port, proto, 1);
1183 return transport_get_listener (proto, s->connection_index);
1189 * Lookup connection with ip6 and transport layer information
1191 * Not optimized. This is used on the fast path so it needs to be fast.
1192 * Thereby, duplication of code and 'hacks' allowed. Lookup logic is identical
1193 * to that of @ref session_lookup_connection_wt4
1195 * @param fib_index index of the fib wherein the connection was received
1196 * @param lcl local ip6 address
1197 * @param rmt remote ip6 address
1198 * @param lcl_port local port
1199 * @param rmt_port remote port
1200 * @param proto transport protocol (e.g., tcp, udp)
1202 * @return pointer to transport connection, if one is found, 0 otherwise
1204 transport_connection_t *
1205 session_lookup_connection6 (u32 fib_index, ip6_address_t * lcl,
1206 ip6_address_t * rmt, u16 lcl_port, u16 rmt_port,
1209 session_table_t *st;
1215 st = session_table_get_for_fib_index (FIB_PROTOCOL_IP6, fib_index);
1216 if (PREDICT_FALSE (!st))
1219 make_v6_ss_kv (&kv6, lcl, rmt, lcl_port, rmt_port, proto);
1220 rv = clib_bihash_search_inline_48_8 (&st->v6_session_hash, &kv6);
1223 s = session_get_from_handle (kv6.value);
1224 return transport_get_connection (proto, s->connection_index,
1228 /* Try half-open connections */
1229 rv = clib_bihash_search_inline_48_8 (&st->v6_half_open_hash, &kv6);
1231 return transport_get_half_open (proto, kv6.value & 0xFFFFFFFF);
1233 /* Check the session rules table */
1234 action_index = session_rules_table_lookup6 (&st->session_rules[proto], lcl,
1235 rmt, lcl_port, rmt_port);
1236 if (session_lookup_action_index_is_valid (action_index))
1238 if (action_index == SESSION_RULES_TABLE_ACTION_DROP)
1240 if ((s = session_lookup_action_to_session (action_index,
1241 FIB_PROTOCOL_IP6, proto)))
1242 return transport_get_listener (proto, s->connection_index);
1246 /* If nothing is found, check if any listener is available */
1247 s = session_lookup_listener6_i (st, lcl, lcl_port, proto, 1);
1249 return transport_get_listener (proto, s->connection_index);
1255 * Lookup session with ip6 and transport layer information
1257 * Important note: this may look into another thread's pool table and
1258 * register as 'peeker'. Caller should call @ref session_pool_remove_peeker as
1259 * if needed as soon as possible.
1261 * Lookup logic is similar to that of @ref session_lookup_connection_wt6 but
1262 * this returns a session as opposed to a transport connection and it does not
1263 * try to lookup half-open sessions.
1265 * Typically used by dgram connections
1268 session_lookup_safe6 (u32 fib_index, ip6_address_t * lcl, ip6_address_t * rmt,
1269 u16 lcl_port, u16 rmt_port, u8 proto)
1271 session_table_t *st;
1277 st = session_table_get_for_fib_index (FIB_PROTOCOL_IP6, fib_index);
1278 if (PREDICT_FALSE (!st))
1281 make_v6_ss_kv (&kv6, lcl, rmt, lcl_port, rmt_port, proto);
1282 rv = clib_bihash_search_inline_48_8 (&st->v6_session_hash, &kv6);
1284 return session_get_from_handle_safe (kv6.value);
1286 /* Check the session rules table */
1287 action_index = session_rules_table_lookup6 (&st->session_rules[proto], lcl,
1288 rmt, lcl_port, rmt_port);
1289 if (session_lookup_action_index_is_valid (action_index))
1291 if (action_index == SESSION_RULES_TABLE_ACTION_DROP)
1293 return session_lookup_action_to_session (action_index, FIB_PROTOCOL_IP6,
1297 /* If nothing is found, check if any listener is available */
1298 if ((s = session_lookup_listener6_i (st, lcl, lcl_port, proto, 1)))
1303 transport_connection_t *
1304 session_lookup_connection (u32 fib_index, ip46_address_t * lcl,
1305 ip46_address_t * rmt, u16 lcl_port, u16 rmt_port,
1306 u8 proto, u8 is_ip4)
1309 return session_lookup_connection4 (fib_index, &lcl->ip4, &rmt->ip4,
1310 lcl_port, rmt_port, proto);
1312 return session_lookup_connection6 (fib_index, &lcl->ip6, &rmt->ip6,
1313 lcl_port, rmt_port, proto);
1317 vnet_session_rule_add_del (session_rule_add_del_args_t * args)
1319 app_namespace_t *app_ns = app_namespace_get (args->appns_index);
1320 session_rules_table_t *srt;
1321 session_table_t *st;
1327 return VNET_API_ERROR_APP_INVALID_NS;
1329 if (args->scope > 3)
1330 return VNET_API_ERROR_INVALID_VALUE;
1332 if (args->transport_proto != TRANSPORT_PROTO_TCP
1333 && args->transport_proto != TRANSPORT_PROTO_UDP)
1334 return VNET_API_ERROR_INVALID_VALUE;
1336 if ((args->scope & SESSION_RULE_SCOPE_GLOBAL) || args->scope == 0)
1338 fib_proto = args->table_args.rmt.fp_proto;
1339 fib_index = app_namespace_get_fib_index (app_ns, fib_proto);
1340 st = session_table_get_for_fib_index (fib_proto, fib_index);
1341 srt = &st->session_rules[args->transport_proto];
1342 if ((rv = session_rules_table_add_del (srt, &args->table_args)))
1345 if (args->scope & SESSION_RULE_SCOPE_LOCAL)
1347 clib_memset (&args->table_args.lcl, 0, sizeof (args->table_args.lcl));
1348 args->table_args.lcl.fp_proto = args->table_args.rmt.fp_proto;
1349 args->table_args.lcl_port = 0;
1350 st = app_namespace_get_local_table (app_ns);
1351 srt = &st->session_rules[args->transport_proto];
1352 rv = session_rules_table_add_del (srt, &args->table_args);
1358 * Mark (global) tables as pertaining to app ns
1361 session_lookup_set_tables_appns (app_namespace_t * app_ns)
1363 session_table_t *st;
1367 for (fp = 0; fp < ARRAY_LEN (fib_index_to_table_index); fp++)
1369 fib_index = app_namespace_get_fib_index (app_ns, fp);
1370 st = session_table_get_or_alloc (fp, fib_index);
1372 st->appns_index = app_namespace_index (app_ns);
1377 format_ip4_session_lookup_kvp (u8 * s, va_list * args)
1379 clib_bihash_kv_16_8_t *kvp = va_arg (*args, clib_bihash_kv_16_8_t *);
1380 u32 is_local = va_arg (*args, u32);
1381 v4_connection_key_t *key = (v4_connection_key_t *) kvp->key;
1383 app_worker_t *app_wrk;
1389 session = session_get_from_handle (kvp->value);
1390 app_wrk = app_worker_get (session->app_wrk_index);
1391 app_name = application_name_from_index (app_wrk->app_index);
1392 str = format (0, "[%U] %U:%d->%U:%d", format_transport_proto_short,
1393 key->proto, format_ip4_address, &key->src,
1394 clib_net_to_host_u16 (key->src_port), format_ip4_address,
1395 &key->dst, clib_net_to_host_u16 (key->dst_port));
1396 s = format (s, "%-40v%-30v", str, app_name);
1400 session = session_get_from_handle (kvp->value);
1401 app_wrk = app_worker_get (session->app_wrk_index);
1402 app_name = application_name_from_index (app_wrk->app_index);
1403 str = format (0, "[%U] %U:%d", format_transport_proto_short, key->proto,
1404 format_ip4_address, &key->src,
1405 clib_net_to_host_u16 (key->src_port));
1406 s = format (s, "%-30v%-30v", str, app_name);
1411 typedef struct _ip4_session_table_show_ctx_t
1415 } ip4_session_table_show_ctx_t;
1418 ip4_session_table_show (clib_bihash_kv_16_8_t * kvp, void *arg)
1420 ip4_session_table_show_ctx_t *ctx = arg;
1421 vlib_cli_output (ctx->vm, "%U", format_ip4_session_lookup_kvp, kvp,
1427 session_lookup_show_table_entries (vlib_main_t * vm, session_table_t * table,
1428 u8 type, u8 is_local)
1430 ip4_session_table_show_ctx_t ctx = {
1432 .is_local = is_local,
1435 vlib_cli_output (vm, "%-40s%-30s", "Session", "Application");
1437 vlib_cli_output (vm, "%-30s%-30s", "Listener", "Application");
1442 ip4_session_table_walk (&table->v4_session_hash, ip4_session_table_show,
1446 clib_warning ("not supported");
1450 static clib_error_t *
1451 session_rule_command_fn (vlib_main_t * vm, unformat_input_t * input,
1452 vlib_cli_command_t * cmd)
1454 u32 proto = ~0, lcl_port, rmt_port, action = 0, lcl_plen = 0, rmt_plen = 0;
1455 clib_error_t *error = 0;
1456 u32 appns_index, scope = 0;
1457 ip46_address_t lcl_ip, rmt_ip;
1458 u8 is_ip4 = 1, conn_set = 0;
1459 u8 fib_proto, is_add = 1, *ns_id = 0;
1461 app_namespace_t *app_ns;
1464 session_cli_return_if_not_enabled ();
1466 clib_memset (&lcl_ip, 0, sizeof (lcl_ip));
1467 clib_memset (&rmt_ip, 0, sizeof (rmt_ip));
1468 while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
1470 if (unformat (input, "del"))
1472 else if (unformat (input, "add"))
1474 else if (unformat (input, "appns %_%v%_", &ns_id))
1476 else if (unformat (input, "scope global"))
1477 scope = SESSION_RULE_SCOPE_GLOBAL;
1478 else if (unformat (input, "scope local"))
1479 scope = SESSION_RULE_SCOPE_LOCAL;
1480 else if (unformat (input, "scope all"))
1481 scope = SESSION_RULE_SCOPE_LOCAL | SESSION_RULE_SCOPE_GLOBAL;
1482 else if (unformat (input, "proto %U", unformat_transport_proto, &proto))
1484 else if (unformat (input, "%U/%d %d %U/%d %d", unformat_ip4_address,
1485 &lcl_ip.ip4, &lcl_plen, &lcl_port,
1486 unformat_ip4_address, &rmt_ip.ip4, &rmt_plen,
1492 else if (unformat (input, "%U/%d %d %U/%d %d", unformat_ip6_address,
1493 &lcl_ip.ip6, &lcl_plen, &lcl_port,
1494 unformat_ip6_address, &rmt_ip.ip6, &rmt_plen,
1500 else if (unformat (input, "action %d", &action))
1502 else if (unformat (input, "tag %_%v%_", &tag))
1506 error = clib_error_return (0, "unknown input `%U'",
1507 format_unformat_error, input);
1514 vlib_cli_output (vm, "proto must be set");
1517 if (is_add && !conn_set && action == ~0)
1519 vlib_cli_output (vm, "connection and action must be set for add");
1522 if (!is_add && !tag && !conn_set)
1524 vlib_cli_output (vm, "connection or tag must be set for delete");
1527 if (vec_len (tag) > SESSION_RULE_TAG_MAX_LEN)
1529 vlib_cli_output (vm, "tag too long (max u64)");
1535 app_ns = app_namespace_get_from_id (ns_id);
1538 vlib_cli_output (vm, "namespace %v does not exist", ns_id);
1544 app_ns = app_namespace_get_default ();
1546 appns_index = app_namespace_index (app_ns);
1548 fib_proto = is_ip4 ? FIB_PROTOCOL_IP4 : FIB_PROTOCOL_IP6;
1549 session_rule_add_del_args_t args = {
1550 .transport_proto = proto,
1551 .table_args.lcl.fp_addr = lcl_ip,
1552 .table_args.lcl.fp_len = lcl_plen,
1553 .table_args.lcl.fp_proto = fib_proto,
1554 .table_args.rmt.fp_addr = rmt_ip,
1555 .table_args.rmt.fp_len = rmt_plen,
1556 .table_args.rmt.fp_proto = fib_proto,
1557 .table_args.lcl_port = lcl_port,
1558 .table_args.rmt_port = rmt_port,
1559 .table_args.action_index = action,
1560 .table_args.is_add = is_add,
1561 .table_args.tag = tag,
1562 .appns_index = appns_index,
1565 if ((rv = vnet_session_rule_add_del (&args)))
1566 error = clib_error_return (0, "rule add del returned %u", rv);
1575 VLIB_CLI_COMMAND (session_rule_command, static) =
1577 .path = "session rule",
1578 .short_help = "session rule [add|del] appns <ns_id> proto <proto> "
1579 "<lcl-ip/plen> <lcl-port> <rmt-ip/plen> <rmt-port> action <action>",
1580 .function = session_rule_command_fn,
1585 session_lookup_dump_rules_table (u32 fib_index, u8 fib_proto,
1588 vlib_main_t *vm = vlib_get_main ();
1589 session_rules_table_t *srt;
1590 session_table_t *st;
1591 st = session_table_get_for_fib_index (fib_index, fib_proto);
1592 srt = &st->session_rules[transport_proto];
1593 session_rules_table_cli_dump (vm, srt, fib_proto);
1597 session_lookup_dump_local_rules_table (u32 table_index, u8 fib_proto,
1600 vlib_main_t *vm = vlib_get_main ();
1601 session_rules_table_t *srt;
1602 session_table_t *st;
1603 st = session_table_get (table_index);
1604 srt = &st->session_rules[transport_proto];
1605 session_rules_table_cli_dump (vm, srt, fib_proto);
1608 static clib_error_t *
1609 show_session_rules_command_fn (vlib_main_t * vm, unformat_input_t * input,
1610 vlib_cli_command_t * cmd)
1612 u32 transport_proto = ~0, lcl_port, rmt_port, lcl_plen, rmt_plen;
1613 u32 fib_index, scope = 0;
1614 ip46_address_t lcl_ip, rmt_ip;
1615 u8 is_ip4 = 1, show_one = 0;
1616 app_namespace_t *app_ns;
1617 session_rules_table_t *srt;
1618 session_table_t *st;
1619 u8 *ns_id = 0, fib_proto;
1621 session_cli_return_if_not_enabled ();
1623 clib_memset (&lcl_ip, 0, sizeof (lcl_ip));
1624 clib_memset (&rmt_ip, 0, sizeof (rmt_ip));
1625 while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
1627 if (unformat (input, "%U", unformat_transport_proto, &transport_proto))
1629 else if (unformat (input, "appns %_%v%_", &ns_id))
1631 else if (unformat (input, "scope global"))
1633 else if (unformat (input, "scope local"))
1635 else if (unformat (input, "%U/%d %d %U/%d %d", unformat_ip4_address,
1636 &lcl_ip.ip4, &lcl_plen, &lcl_port,
1637 unformat_ip4_address, &rmt_ip.ip4, &rmt_plen,
1643 else if (unformat (input, "%U/%d %d %U/%d %d", unformat_ip6_address,
1644 &lcl_ip.ip6, &lcl_plen, &lcl_port,
1645 unformat_ip6_address, &rmt_ip.ip6, &rmt_plen,
1652 return clib_error_return (0, "unknown input `%U'",
1653 format_unformat_error, input);
1656 if (transport_proto == ~0)
1658 vlib_cli_output (vm, "transport proto must be set");
1664 app_ns = app_namespace_get_from_id (ns_id);
1667 vlib_cli_output (vm, "appns %v doesn't exist", ns_id);
1673 app_ns = app_namespace_get_default ();
1676 if (scope == 1 || scope == 0)
1678 fib_proto = is_ip4 ? FIB_PROTOCOL_IP4 : FIB_PROTOCOL_IP6;
1679 fib_index = is_ip4 ? app_ns->ip4_fib_index : app_ns->ip6_fib_index;
1680 st = session_table_get_for_fib_index (fib_proto, fib_index);
1684 st = app_namespace_get_local_table (app_ns);
1689 srt = &st->session_rules[transport_proto];
1690 session_rules_table_show_rule (vm, srt, &lcl_ip, lcl_port, &rmt_ip,
1695 vlib_cli_output (vm, "%U rules table", format_transport_proto,
1697 srt = &st->session_rules[transport_proto];
1698 session_rules_table_cli_dump (vm, srt, FIB_PROTOCOL_IP4);
1699 session_rules_table_cli_dump (vm, srt, FIB_PROTOCOL_IP6);
1706 VLIB_CLI_COMMAND (show_session_rules_command, static) =
1708 .path = "show session rules",
1709 .short_help = "show session rules [<proto> appns <id> <lcl-ip/plen> "
1710 "<lcl-port> <rmt-ip/plen> <rmt-port> scope <scope>]",
1711 .function = show_session_rules_command_fn,
1716 session_lookup_init (void)
1719 * Allocate default table and map it to fib_index 0
1721 session_table_t *st = session_table_alloc ();
1722 vec_validate (fib_index_to_table_index[FIB_PROTOCOL_IP4], 0);
1723 fib_index_to_table_index[FIB_PROTOCOL_IP4][0] = session_table_index (st);
1724 st->active_fib_proto = FIB_PROTOCOL_IP4;
1725 session_table_init (st, FIB_PROTOCOL_IP4);
1726 st = session_table_alloc ();
1727 vec_validate (fib_index_to_table_index[FIB_PROTOCOL_IP6], 0);
1728 fib_index_to_table_index[FIB_PROTOCOL_IP6][0] = session_table_index (st);
1729 st->active_fib_proto = FIB_PROTOCOL_IP6;
1730 session_table_init (st, FIB_PROTOCOL_IP6);
1734 * fd.io coding-style-patch-verification: ON
1737 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob