2 * Copyright (c) 2017-2019 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
16 /** Generate typed init functions for multiple hash table styles... */
17 #include <vppinfra/bihash_16_8.h>
18 #include <vppinfra/bihash_template.h>
20 #include <vppinfra/bihash_template.c>
22 #undef __included_bihash_template_h__
24 #include <vppinfra/bihash_48_8.h>
25 #include <vppinfra/bihash_template.h>
27 #include <vppinfra/bihash_template.c>
28 #include <vnet/session/session_lookup.h>
29 #include <vnet/session/session.h>
30 #include <vnet/session/application.h>
33 * Network namespace index (i.e., fib index) to session lookup table. We
34 * should have one per network protocol type but for now we only support IP4/6
36 static u32 *fib_index_to_table_index[2];
40 typedef CLIB_PACKED (struct {
49 /* align by making this 4 octets even though its a 1-bit field
50 * NOTE: avoid key overlap with other transports that use 5 tuples for
51 * session identification.
57 }) v4_connection_key_t;
59 typedef CLIB_PACKED (struct {
74 }) v6_connection_key_t;
77 typedef clib_bihash_kv_16_8_t session_kv4_t;
78 typedef clib_bihash_kv_48_8_t session_kv6_t;
81 make_v4_ss_kv (session_kv4_t * kv, ip4_address_t * lcl, ip4_address_t * rmt,
82 u16 lcl_port, u16 rmt_port, u8 proto)
84 kv->key[0] = (u64) rmt->as_u32 << 32 | (u64) lcl->as_u32;
85 kv->key[1] = (u64) proto << 32 | (u64) rmt_port << 16 | (u64) lcl_port;
90 make_v4_listener_kv (session_kv4_t * kv, ip4_address_t * lcl, u16 lcl_port,
93 kv->key[0] = (u64) lcl->as_u32;
94 kv->key[1] = (u64) proto << 32 | (u64) lcl_port;
99 make_v4_proxy_kv (session_kv4_t * kv, ip4_address_t * lcl, u8 proto)
101 kv->key[0] = (u64) lcl->as_u32;
102 kv->key[1] = (u64) proto << 32;
107 make_v4_ss_kv_from_tc (session_kv4_t * kv, transport_connection_t * tc)
109 make_v4_ss_kv (kv, &tc->lcl_ip.ip4, &tc->rmt_ip.ip4, tc->lcl_port,
110 tc->rmt_port, tc->proto);
114 make_v6_ss_kv (session_kv6_t * kv, ip6_address_t * lcl, ip6_address_t * rmt,
115 u16 lcl_port, u16 rmt_port, u8 proto)
117 kv->key[0] = lcl->as_u64[0];
118 kv->key[1] = lcl->as_u64[1];
119 kv->key[2] = rmt->as_u64[0];
120 kv->key[3] = rmt->as_u64[1];
121 kv->key[4] = (u64) proto << 32 | (u64) rmt_port << 16 | (u64) lcl_port;
127 make_v6_listener_kv (session_kv6_t * kv, ip6_address_t * lcl, u16 lcl_port,
130 kv->key[0] = lcl->as_u64[0];
131 kv->key[1] = lcl->as_u64[1];
134 kv->key[4] = (u64) proto << 32 | (u64) lcl_port;
140 make_v6_proxy_kv (session_kv6_t * kv, ip6_address_t * lcl, u8 proto)
142 kv->key[0] = lcl->as_u64[0];
143 kv->key[1] = lcl->as_u64[1];
146 kv->key[4] = (u64) proto << 32;
152 make_v6_ss_kv_from_tc (session_kv6_t * kv, transport_connection_t * tc)
154 make_v6_ss_kv (kv, &tc->lcl_ip.ip6, &tc->rmt_ip.ip6, tc->lcl_port,
155 tc->rmt_port, tc->proto);
158 static session_table_t *
159 session_table_get_or_alloc (u8 fib_proto, u8 fib_index)
163 if (vec_len (fib_index_to_table_index[fib_proto]) <= fib_index)
165 st = session_table_alloc ();
166 table_index = session_table_index (st);
167 vec_validate (fib_index_to_table_index[fib_proto], fib_index);
168 fib_index_to_table_index[fib_proto][fib_index] = table_index;
169 st->active_fib_proto = fib_proto;
170 session_table_init (st, fib_proto);
175 table_index = fib_index_to_table_index[fib_proto][fib_index];
176 return session_table_get (table_index);
180 static session_table_t *
181 session_table_get_or_alloc_for_connection (transport_connection_t * tc)
184 fib_proto = transport_connection_fib_proto (tc);
185 return session_table_get_or_alloc (fib_proto, tc->fib_index);
188 static session_table_t *
189 session_table_get_for_connection (transport_connection_t * tc)
191 u32 fib_proto = transport_connection_fib_proto (tc);
192 if (vec_len (fib_index_to_table_index[fib_proto]) <= tc->fib_index)
195 session_table_get (fib_index_to_table_index[fib_proto][tc->fib_index]);
198 static session_table_t *
199 session_table_get_for_fib_index (u32 fib_proto, u32 fib_index)
201 if (vec_len (fib_index_to_table_index[fib_proto]) <= fib_index)
203 return session_table_get (fib_index_to_table_index[fib_proto][fib_index]);
207 session_lookup_get_index_for_fib (u32 fib_proto, u32 fib_index)
209 if (vec_len (fib_index_to_table_index[fib_proto]) <= fib_index)
210 return SESSION_TABLE_INVALID_INDEX;
211 return fib_index_to_table_index[fib_proto][fib_index];
215 * Add transport connection to a session table
217 * Session lookup 5-tuple (src-ip, dst-ip, src-port, dst-port, session-type)
218 * is added to requested session table.
220 * @param tc transport connection to be added
221 * @param value value to be stored
223 * @return non-zero if failure
226 session_lookup_add_connection (transport_connection_t * tc, u64 value)
232 st = session_table_get_or_alloc_for_connection (tc);
237 make_v4_ss_kv_from_tc (&kv4, tc);
239 return clib_bihash_add_del_16_8 (&st->v4_session_hash, &kv4,
244 make_v6_ss_kv_from_tc (&kv6, tc);
246 return clib_bihash_add_del_48_8 (&st->v6_session_hash, &kv6,
252 session_lookup_add_session_endpoint (u32 table_index,
253 session_endpoint_t * sep, u64 value)
259 st = session_table_get (table_index);
264 make_v4_listener_kv (&kv4, &sep->ip.ip4, sep->port,
265 sep->transport_proto);
267 return clib_bihash_add_del_16_8 (&st->v4_session_hash, &kv4, 1);
271 make_v6_listener_kv (&kv6, &sep->ip.ip6, sep->port,
272 sep->transport_proto);
274 return clib_bihash_add_del_48_8 (&st->v6_session_hash, &kv6, 1);
279 session_lookup_del_session_endpoint (u32 table_index,
280 session_endpoint_t * sep)
286 st = session_table_get (table_index);
291 make_v4_listener_kv (&kv4, &sep->ip.ip4, sep->port,
292 sep->transport_proto);
293 return clib_bihash_add_del_16_8 (&st->v4_session_hash, &kv4, 0);
297 make_v6_listener_kv (&kv6, &sep->ip.ip6, sep->port,
298 sep->transport_proto);
299 return clib_bihash_add_del_48_8 (&st->v6_session_hash, &kv6, 0);
304 * Delete transport connection from session table
306 * @param table_index session table index
307 * @param tc transport connection to be removed
309 * @return non-zero if failure
312 session_lookup_del_connection (transport_connection_t * tc)
318 st = session_table_get_for_connection (tc);
323 make_v4_ss_kv_from_tc (&kv4, tc);
324 return clib_bihash_add_del_16_8 (&st->v4_session_hash, &kv4,
329 make_v6_ss_kv_from_tc (&kv6, tc);
330 return clib_bihash_add_del_48_8 (&st->v6_session_hash, &kv6,
336 session_lookup_del_session (session_t * s)
338 transport_connection_t *ts;
339 ts = transport_get_connection (session_get_transport_proto (s),
340 s->connection_index, s->thread_index);
341 if (!ts || (ts->flags & TRANSPORT_CONNECTION_F_NO_LOOKUP))
343 return session_lookup_del_connection (ts);
347 session_lookup_action_index_is_valid (u32 action_index)
349 if (action_index == SESSION_RULES_TABLE_ACTION_ALLOW
350 || action_index == SESSION_RULES_TABLE_INVALID_INDEX)
356 session_lookup_action_to_handle (u32 action_index)
358 switch (action_index)
360 case SESSION_RULES_TABLE_ACTION_DROP:
361 return SESSION_DROP_HANDLE;
362 case SESSION_RULES_TABLE_ACTION_ALLOW:
363 case SESSION_RULES_TABLE_INVALID_INDEX:
364 return SESSION_INVALID_HANDLE;
366 /* application index */
372 session_lookup_app_listen_session (u32 app_index, u8 fib_proto,
376 app = application_get_if_valid (app_index);
380 return app_worker_first_listener (application_get_default_worker (app),
381 fib_proto, transport_proto);
385 session_lookup_action_to_session (u32 action_index, u8 fib_proto,
389 app_index = session_lookup_action_to_handle (action_index);
390 /* Nothing sophisticated for now, action index is app index */
391 return session_lookup_app_listen_session (app_index, fib_proto,
397 session_lookup_rules_table_session4 (session_table_t * st, u8 proto,
398 ip4_address_t * lcl, u16 lcl_port,
399 ip4_address_t * rmt, u16 rmt_port)
401 session_rules_table_t *srt = &st->session_rules[proto];
402 u32 action_index, app_index;
403 action_index = session_rules_table_lookup4 (srt, lcl, rmt, lcl_port,
405 app_index = session_lookup_action_to_handle (action_index);
406 /* Nothing sophisticated for now, action index is app index */
407 return session_lookup_app_listen_session (app_index, FIB_PROTOCOL_IP4,
413 session_lookup_rules_table_session6 (session_table_t * st, u8 proto,
414 ip6_address_t * lcl, u16 lcl_port,
415 ip6_address_t * rmt, u16 rmt_port)
417 session_rules_table_t *srt = &st->session_rules[proto];
418 u32 action_index, app_index;
419 action_index = session_rules_table_lookup6 (srt, lcl, rmt, lcl_port,
421 app_index = session_lookup_action_to_handle (action_index);
422 return session_lookup_app_listen_session (app_index, FIB_PROTOCOL_IP6,
427 * Lookup listener for session endpoint in table
429 * @param table_index table where the endpoint should be looked up
430 * @param sep session endpoint to be looked up
431 * @param use_rules flag that indicates if the session rules of the table
433 * @return invalid handle if nothing is found, the handle of a valid listener
434 * or an action derived handle if a rule is hit
437 session_lookup_endpoint_listener (u32 table_index, session_endpoint_t * sep,
440 session_rules_table_t *srt;
445 st = session_table_get (table_index);
447 return SESSION_INVALID_HANDLE;
453 make_v4_listener_kv (&kv4, &sep->ip.ip4, sep->port,
454 sep->transport_proto);
455 rv = clib_bihash_search_inline_16_8 (&st->v4_session_hash, &kv4);
460 clib_memset (&lcl4, 0, sizeof (lcl4));
461 srt = &st->session_rules[sep->transport_proto];
462 ai = session_rules_table_lookup4 (srt, &lcl4, &sep->ip.ip4, 0,
464 if (session_lookup_action_index_is_valid (ai))
465 return session_lookup_action_to_handle (ai);
473 make_v6_listener_kv (&kv6, &sep->ip.ip6, sep->port,
474 sep->transport_proto);
475 rv = clib_bihash_search_inline_48_8 (&st->v6_session_hash, &kv6);
481 clib_memset (&lcl6, 0, sizeof (lcl6));
482 srt = &st->session_rules[sep->transport_proto];
483 ai = session_rules_table_lookup6 (srt, &lcl6, &sep->ip.ip6, 0,
485 if (session_lookup_action_index_is_valid (ai))
486 return session_lookup_action_to_handle (ai);
489 return SESSION_INVALID_HANDLE;
493 * Look up endpoint in local session table
495 * The result, for now, is an application index and it may in the future
496 * be extended to a more complicated "action object". The only action we
497 * emulate now is "drop" and for that we return a special app index.
499 * Lookup logic is to check in order:
500 * - the rules in the table (connect acls)
501 * - session sub-table for a listener
502 * - session sub-table for a local listener (zeroed addr)
504 * @param table_index table where the lookup should be done
505 * @param sep session endpoint to be looked up
506 * @return session handle that can be interpreted as an adjacency
509 session_lookup_local_endpoint (u32 table_index, session_endpoint_t * sep)
511 session_rules_table_t *srt;
516 st = session_table_get (table_index);
518 return SESSION_INVALID_INDEX;
519 ASSERT (st->is_local);
527 * Check if endpoint has special rules associated
529 clib_memset (&lcl4, 0, sizeof (lcl4));
530 srt = &st->session_rules[sep->transport_proto];
531 ai = session_rules_table_lookup4 (srt, &lcl4, &sep->ip.ip4, 0,
533 if (session_lookup_action_index_is_valid (ai))
534 return session_lookup_action_to_handle (ai);
537 * Check if session endpoint is a listener
539 make_v4_listener_kv (&kv4, &sep->ip.ip4, sep->port,
540 sep->transport_proto);
541 rv = clib_bihash_search_inline_16_8 (&st->v4_session_hash, &kv4);
546 * Zero out the ip. Logic is that connect to local ips, say
547 * 127.0.0.1:port, can match 0.0.0.0:port
549 if (ip4_is_local_host (&sep->ip.ip4))
552 rv = clib_bihash_search_inline_16_8 (&st->v4_session_hash, &kv4);
562 * Zero out the port and check if we have proxy
565 rv = clib_bihash_search_inline_16_8 (&st->v4_session_hash, &kv4);
574 clib_memset (&lcl6, 0, sizeof (lcl6));
575 srt = &st->session_rules[sep->transport_proto];
576 ai = session_rules_table_lookup6 (srt, &lcl6, &sep->ip.ip6, 0,
578 if (session_lookup_action_index_is_valid (ai))
579 return session_lookup_action_to_handle (ai);
581 make_v6_listener_kv (&kv6, &sep->ip.ip6, sep->port,
582 sep->transport_proto);
583 rv = clib_bihash_search_inline_48_8 (&st->v6_session_hash, &kv6);
588 * Zero out the ip. Same logic as above.
591 if (ip6_is_local_host (&sep->ip.ip6))
593 kv6.key[0] = kv6.key[1] = 0;
594 rv = clib_bihash_search_inline_48_8 (&st->v6_session_hash, &kv6);
600 kv6.key[0] = kv6.key[1] = 0;
604 * Zero out the port. Same logic as above.
606 kv6.key[4] = kv6.key[5] = 0;
607 rv = clib_bihash_search_inline_48_8 (&st->v6_session_hash, &kv6);
611 return SESSION_INVALID_HANDLE;
614 static inline session_t *
615 session_lookup_listener4_i (session_table_t * st, ip4_address_t * lcl,
616 u16 lcl_port, u8 proto, u8 use_wildcard)
622 * First, try a fully formed listener
624 make_v4_listener_kv (&kv4, lcl, lcl_port, proto);
625 rv = clib_bihash_search_inline_16_8 (&st->v4_session_hash, &kv4);
627 return listen_session_get ((u32) kv4.value);
630 * Zero out the lcl ip and check if any 0/0 port binds have been done
635 rv = clib_bihash_search_inline_16_8 (&st->v4_session_hash, &kv4);
637 return listen_session_get ((u32) kv4.value);
645 * Zero out port and check if we have a proxy set up for our ip
647 make_v4_proxy_kv (&kv4, lcl, proto);
648 rv = clib_bihash_search_inline_16_8 (&st->v4_session_hash, &kv4);
650 return listen_session_get ((u32) kv4.value);
656 session_lookup_listener4 (u32 fib_index, ip4_address_t * lcl, u16 lcl_port,
657 u8 proto, u8 use_wildcard)
660 st = session_table_get_for_fib_index (FIB_PROTOCOL_IP4, fib_index);
663 return session_lookup_listener4_i (st, lcl, lcl_port, proto, use_wildcard);
667 session_lookup_listener6_i (session_table_t * st, ip6_address_t * lcl,
668 u16 lcl_port, u8 proto, u8 ip_wildcard)
673 make_v6_listener_kv (&kv6, lcl, lcl_port, proto);
674 rv = clib_bihash_search_inline_48_8 (&st->v6_session_hash, &kv6);
676 return listen_session_get ((u32) kv6.value);
678 /* Zero out the lcl ip */
681 kv6.key[0] = kv6.key[1] = 0;
682 rv = clib_bihash_search_inline_48_8 (&st->v6_session_hash, &kv6);
684 return listen_session_get ((u32) kv6.value);
688 kv6.key[0] = kv6.key[1] = 0;
691 make_v6_proxy_kv (&kv6, lcl, proto);
692 rv = clib_bihash_search_inline_48_8 (&st->v6_session_hash, &kv6);
694 return listen_session_get ((u32) kv6.value);
699 session_lookup_listener6 (u32 fib_index, ip6_address_t * lcl, u16 lcl_port,
700 u8 proto, u8 use_wildcard)
703 st = session_table_get_for_fib_index (FIB_PROTOCOL_IP6, fib_index);
706 return session_lookup_listener6_i (st, lcl, lcl_port, proto, use_wildcard);
710 * Lookup listener, exact or proxy (inaddr_any:0) match
713 session_lookup_listener (u32 table_index, session_endpoint_t * sep)
716 st = session_table_get (table_index);
720 return session_lookup_listener4_i (st, &sep->ip.ip4, sep->port,
721 sep->transport_proto, 0);
723 return session_lookup_listener6_i (st, &sep->ip.ip6, sep->port,
724 sep->transport_proto, 0);
729 * Lookup listener wildcard match
732 session_lookup_listener_wildcard (u32 table_index, session_endpoint_t * sep)
735 st = session_table_get (table_index);
739 return session_lookup_listener4_i (st, &sep->ip.ip4, sep->port,
740 sep->transport_proto,
741 1 /* use_wildcard */ );
743 return session_lookup_listener6_i (st, &sep->ip.ip6, sep->port,
744 sep->transport_proto,
745 1 /* use_wildcard */ );
750 session_lookup_add_half_open (transport_connection_t * tc, u64 value)
756 st = session_table_get_or_alloc_for_connection (tc);
761 make_v4_ss_kv_from_tc (&kv4, tc);
763 return clib_bihash_add_del_16_8 (&st->v4_half_open_hash, &kv4,
768 make_v6_ss_kv_from_tc (&kv6, tc);
770 return clib_bihash_add_del_48_8 (&st->v6_half_open_hash, &kv6,
776 session_lookup_del_half_open (transport_connection_t * tc)
782 st = session_table_get_for_connection (tc);
787 make_v4_ss_kv_from_tc (&kv4, tc);
788 return clib_bihash_add_del_16_8 (&st->v4_half_open_hash, &kv4,
793 make_v6_ss_kv_from_tc (&kv6, tc);
794 return clib_bihash_add_del_48_8 (&st->v6_half_open_hash, &kv6,
800 session_lookup_half_open_handle (transport_connection_t * tc)
807 st = session_table_get_for_fib_index (transport_connection_fib_proto (tc),
810 return HALF_OPEN_LOOKUP_INVALID_VALUE;
813 make_v4_ss_kv (&kv4, &tc->lcl_ip.ip4, &tc->rmt_ip.ip4, tc->lcl_port,
814 tc->rmt_port, tc->proto);
815 rv = clib_bihash_search_inline_16_8 (&st->v4_half_open_hash, &kv4);
821 make_v6_ss_kv (&kv6, &tc->lcl_ip.ip6, &tc->rmt_ip.ip6, tc->lcl_port,
822 tc->rmt_port, tc->proto);
823 rv = clib_bihash_search_inline_48_8 (&st->v6_half_open_hash, &kv6);
827 return HALF_OPEN_LOOKUP_INVALID_VALUE;
830 transport_connection_t *
831 session_lookup_half_open_connection (u64 handle, u8 proto, u8 is_ip4)
833 if (handle != HALF_OPEN_LOOKUP_INVALID_VALUE)
835 u32 sst = session_type_from_proto_and_ip (proto, is_ip4);
836 return transport_get_half_open (sst, handle & 0xFFFFFFFF);
842 * Lookup connection with ip4 and transport layer information
844 * This is used on the fast path so it needs to be fast. Thereby,
845 * duplication of code and 'hacks' allowed.
847 * The lookup is incremental and returns whenever something is matched. The
849 * - Try to find an established session
850 * - Try to find a half-open connection
851 * - Try session rules table
852 * - Try to find a fully-formed or local source wildcarded (listener bound to
853 * all interfaces) listener session
856 * @param fib_index index of fib wherein the connection was received
857 * @param lcl local ip4 address
858 * @param rmt remote ip4 address
859 * @param lcl_port local port
860 * @param rmt_port remote port
861 * @param proto transport protocol (e.g., tcp, udp)
862 * @param thread_index thread index for request
863 * @param is_filtered return flag that indicates if connection was filtered.
865 * @return pointer to transport connection, if one is found, 0 otherwise
867 transport_connection_t *
868 session_lookup_connection_wt4 (u32 fib_index, ip4_address_t * lcl,
869 ip4_address_t * rmt, u16 lcl_port,
870 u16 rmt_port, u8 proto, u32 thread_index,
879 st = session_table_get_for_fib_index (FIB_PROTOCOL_IP4, fib_index);
880 if (PREDICT_FALSE (!st))
884 * Lookup session amongst established ones
886 make_v4_ss_kv (&kv4, lcl, rmt, lcl_port, rmt_port, proto);
887 rv = clib_bihash_search_inline_16_8 (&st->v4_session_hash, &kv4);
890 if (PREDICT_FALSE ((u32) (kv4.value >> 32) != thread_index))
892 *result = SESSION_LOOKUP_RESULT_WRONG_THREAD;
895 s = session_get (kv4.value & 0xFFFFFFFFULL, thread_index);
896 return transport_get_connection (proto, s->connection_index,
901 * Try half-open connections
903 rv = clib_bihash_search_inline_16_8 (&st->v4_half_open_hash, &kv4);
905 return transport_get_half_open (proto, kv4.value & 0xFFFFFFFF);
908 * Check the session rules table
910 action_index = session_rules_table_lookup4 (&st->session_rules[proto], lcl,
911 rmt, lcl_port, rmt_port);
912 if (session_lookup_action_index_is_valid (action_index))
914 if (action_index == SESSION_RULES_TABLE_ACTION_DROP)
916 *result = SESSION_LOOKUP_RESULT_FILTERED;
919 if ((s = session_lookup_action_to_session (action_index,
920 FIB_PROTOCOL_IP4, proto)))
921 return transport_get_listener (proto, s->connection_index);
926 * If nothing is found, check if any listener is available
928 s = session_lookup_listener4_i (st, lcl, lcl_port, proto, 1);
930 return transport_get_listener (proto, s->connection_index);
936 * Lookup connection with ip4 and transport layer information
938 * Not optimized. Lookup logic is identical to that of
939 * @ref session_lookup_connection_wt4
941 * @param fib_index index of the fib wherein the connection was received
942 * @param lcl local ip4 address
943 * @param rmt remote ip4 address
944 * @param lcl_port local port
945 * @param rmt_port remote port
946 * @param proto transport protocol (e.g., tcp, udp)
948 * @return pointer to transport connection, if one is found, 0 otherwise
950 transport_connection_t *
951 session_lookup_connection4 (u32 fib_index, ip4_address_t * lcl,
952 ip4_address_t * rmt, u16 lcl_port, u16 rmt_port,
961 st = session_table_get_for_fib_index (FIB_PROTOCOL_IP4, fib_index);
962 if (PREDICT_FALSE (!st))
966 * Lookup session amongst established ones
968 make_v4_ss_kv (&kv4, lcl, rmt, lcl_port, rmt_port, proto);
969 rv = clib_bihash_search_inline_16_8 (&st->v4_session_hash, &kv4);
972 s = session_get_from_handle (kv4.value);
973 return transport_get_connection (proto, s->connection_index,
978 * Try half-open connections
980 rv = clib_bihash_search_inline_16_8 (&st->v4_half_open_hash, &kv4);
982 return transport_get_half_open (proto, kv4.value & 0xFFFFFFFF);
985 * Check the session rules table
987 action_index = session_rules_table_lookup4 (&st->session_rules[proto], lcl,
988 rmt, lcl_port, rmt_port);
989 if (session_lookup_action_index_is_valid (action_index))
991 if (action_index == SESSION_RULES_TABLE_ACTION_DROP)
993 if ((s = session_lookup_action_to_session (action_index,
994 FIB_PROTOCOL_IP4, proto)))
995 return transport_get_listener (proto, s->connection_index);
1000 * If nothing is found, check if any listener is available
1002 s = session_lookup_listener4_i (st, lcl, lcl_port, proto, 1);
1004 return transport_get_listener (proto, s->connection_index);
1010 * Lookup session with ip4 and transport layer information
1012 * Important note: this may look into another thread's pool table and
1013 * register as 'peeker'. Caller should call @ref session_pool_remove_peeker as
1014 * if needed as soon as possible.
1016 * Lookup logic is similar to that of @ref session_lookup_connection_wt4 but
1017 * this returns a session as opposed to a transport connection and it does not
1018 * try to lookup half-open sessions.
1020 * Typically used by dgram connections
1023 session_lookup_safe4 (u32 fib_index, ip4_address_t * lcl, ip4_address_t * rmt,
1024 u16 lcl_port, u16 rmt_port, u8 proto)
1026 session_table_t *st;
1032 st = session_table_get_for_fib_index (FIB_PROTOCOL_IP4, fib_index);
1033 if (PREDICT_FALSE (!st))
1037 * Lookup session amongst established ones
1039 make_v4_ss_kv (&kv4, lcl, rmt, lcl_port, rmt_port, proto);
1040 rv = clib_bihash_search_inline_16_8 (&st->v4_session_hash, &kv4);
1042 return session_get_from_handle_safe (kv4.value);
1045 * Check the session rules table
1047 action_index = session_rules_table_lookup4 (&st->session_rules[proto], lcl,
1048 rmt, lcl_port, rmt_port);
1049 if (session_lookup_action_index_is_valid (action_index))
1051 if (action_index == SESSION_RULES_TABLE_ACTION_DROP)
1053 return session_lookup_action_to_session (action_index, FIB_PROTOCOL_IP4,
1058 * If nothing is found, check if any listener is available
1060 if ((s = session_lookup_listener4_i (st, lcl, lcl_port, proto, 1)))
1067 * Lookup connection with ip6 and transport layer information
1069 * This is used on the fast path so it needs to be fast. Thereby,
1070 * duplication of code and 'hacks' allowed.
1072 * The lookup is incremental and returns whenever something is matched. The
1074 * - Try to find an established session
1075 * - Try to find a half-open connection
1076 * - Try session rules table
1077 * - Try to find a fully-formed or local source wildcarded (listener bound to
1078 * all interfaces) listener session
1081 * @param fib_index index of the fib wherein the connection was received
1082 * @param lcl local ip6 address
1083 * @param rmt remote ip6 address
1084 * @param lcl_port local port
1085 * @param rmt_port remote port
1086 * @param proto transport protocol (e.g., tcp, udp)
1087 * @param thread_index thread index for request
1089 * @return pointer to transport connection, if one is found, 0 otherwise
1091 transport_connection_t *
1092 session_lookup_connection_wt6 (u32 fib_index, ip6_address_t * lcl,
1093 ip6_address_t * rmt, u16 lcl_port,
1094 u16 rmt_port, u8 proto, u32 thread_index,
1097 session_table_t *st;
1103 st = session_table_get_for_fib_index (FIB_PROTOCOL_IP6, fib_index);
1104 if (PREDICT_FALSE (!st))
1107 make_v6_ss_kv (&kv6, lcl, rmt, lcl_port, rmt_port, proto);
1108 rv = clib_bihash_search_inline_48_8 (&st->v6_session_hash, &kv6);
1111 ASSERT ((u32) (kv6.value >> 32) == thread_index);
1112 if (PREDICT_FALSE ((u32) (kv6.value >> 32) != thread_index))
1114 *result = SESSION_LOOKUP_RESULT_WRONG_THREAD;
1117 s = session_get (kv6.value & 0xFFFFFFFFULL, thread_index);
1118 return transport_get_connection (proto, s->connection_index,
1122 /* Try half-open connections */
1123 rv = clib_bihash_search_inline_48_8 (&st->v6_half_open_hash, &kv6);
1125 return transport_get_half_open (proto, kv6.value & 0xFFFFFFFF);
1127 /* Check the session rules table */
1128 action_index = session_rules_table_lookup6 (&st->session_rules[proto], lcl,
1129 rmt, lcl_port, rmt_port);
1130 if (session_lookup_action_index_is_valid (action_index))
1132 if (action_index == SESSION_RULES_TABLE_ACTION_DROP)
1134 *result = SESSION_LOOKUP_RESULT_FILTERED;
1137 if ((s = session_lookup_action_to_session (action_index,
1138 FIB_PROTOCOL_IP6, proto)))
1139 return transport_get_listener (proto, s->connection_index);
1143 /* If nothing is found, check if any listener is available */
1144 s = session_lookup_listener6_i (st, lcl, lcl_port, proto, 1);
1146 return transport_get_listener (proto, s->connection_index);
1152 * Lookup connection with ip6 and transport layer information
1154 * Not optimized. This is used on the fast path so it needs to be fast.
1155 * Thereby, duplication of code and 'hacks' allowed. Lookup logic is identical
1156 * to that of @ref session_lookup_connection_wt4
1158 * @param fib_index index of the fib wherein the connection was received
1159 * @param lcl local ip6 address
1160 * @param rmt remote ip6 address
1161 * @param lcl_port local port
1162 * @param rmt_port remote port
1163 * @param proto transport protocol (e.g., tcp, udp)
1165 * @return pointer to transport connection, if one is found, 0 otherwise
1167 transport_connection_t *
1168 session_lookup_connection6 (u32 fib_index, ip6_address_t * lcl,
1169 ip6_address_t * rmt, u16 lcl_port, u16 rmt_port,
1172 session_table_t *st;
1178 st = session_table_get_for_fib_index (FIB_PROTOCOL_IP6, fib_index);
1179 if (PREDICT_FALSE (!st))
1182 make_v6_ss_kv (&kv6, lcl, rmt, lcl_port, rmt_port, proto);
1183 rv = clib_bihash_search_inline_48_8 (&st->v6_session_hash, &kv6);
1186 s = session_get_from_handle (kv6.value);
1187 return transport_get_connection (proto, s->connection_index,
1191 /* Try half-open connections */
1192 rv = clib_bihash_search_inline_48_8 (&st->v6_half_open_hash, &kv6);
1194 return transport_get_half_open (proto, kv6.value & 0xFFFFFFFF);
1196 /* Check the session rules table */
1197 action_index = session_rules_table_lookup6 (&st->session_rules[proto], lcl,
1198 rmt, lcl_port, rmt_port);
1199 if (session_lookup_action_index_is_valid (action_index))
1201 if (action_index == SESSION_RULES_TABLE_ACTION_DROP)
1203 if ((s = session_lookup_action_to_session (action_index,
1204 FIB_PROTOCOL_IP6, proto)))
1205 return transport_get_listener (proto, s->connection_index);
1209 /* If nothing is found, check if any listener is available */
1210 s = session_lookup_listener6_i (st, lcl, lcl_port, proto, 1);
1212 return transport_get_listener (proto, s->connection_index);
1218 * Lookup session with ip6 and transport layer information
1220 * Important note: this may look into another thread's pool table and
1221 * register as 'peeker'. Caller should call @ref session_pool_remove_peeker as
1222 * if needed as soon as possible.
1224 * Lookup logic is similar to that of @ref session_lookup_connection_wt6 but
1225 * this returns a session as opposed to a transport connection and it does not
1226 * try to lookup half-open sessions.
1228 * Typically used by dgram connections
1231 session_lookup_safe6 (u32 fib_index, ip6_address_t * lcl, ip6_address_t * rmt,
1232 u16 lcl_port, u16 rmt_port, u8 proto)
1234 session_table_t *st;
1240 st = session_table_get_for_fib_index (FIB_PROTOCOL_IP6, fib_index);
1241 if (PREDICT_FALSE (!st))
1244 make_v6_ss_kv (&kv6, lcl, rmt, lcl_port, rmt_port, proto);
1245 rv = clib_bihash_search_inline_48_8 (&st->v6_session_hash, &kv6);
1247 return session_get_from_handle_safe (kv6.value);
1249 /* Check the session rules table */
1250 action_index = session_rules_table_lookup6 (&st->session_rules[proto], lcl,
1251 rmt, lcl_port, rmt_port);
1252 if (session_lookup_action_index_is_valid (action_index))
1254 if (action_index == SESSION_RULES_TABLE_ACTION_DROP)
1256 return session_lookup_action_to_session (action_index, FIB_PROTOCOL_IP6,
1260 /* If nothing is found, check if any listener is available */
1261 if ((s = session_lookup_listener6_i (st, lcl, lcl_port, proto, 1)))
1267 vnet_session_rule_add_del (session_rule_add_del_args_t * args)
1269 app_namespace_t *app_ns = app_namespace_get (args->appns_index);
1270 session_rules_table_t *srt;
1271 session_table_t *st;
1277 return VNET_API_ERROR_APP_INVALID_NS;
1279 if (args->scope > 3)
1280 return VNET_API_ERROR_INVALID_VALUE;
1282 if (args->transport_proto != TRANSPORT_PROTO_TCP
1283 && args->transport_proto != TRANSPORT_PROTO_UDP)
1284 return VNET_API_ERROR_INVALID_VALUE;
1286 if ((args->scope & SESSION_RULE_SCOPE_GLOBAL) || args->scope == 0)
1288 fib_proto = args->table_args.rmt.fp_proto;
1289 fib_index = app_namespace_get_fib_index (app_ns, fib_proto);
1290 st = session_table_get_for_fib_index (fib_proto, fib_index);
1291 srt = &st->session_rules[args->transport_proto];
1292 if ((rv = session_rules_table_add_del (srt, &args->table_args)))
1295 if (args->scope & SESSION_RULE_SCOPE_LOCAL)
1297 clib_memset (&args->table_args.lcl, 0, sizeof (args->table_args.lcl));
1298 args->table_args.lcl.fp_proto = args->table_args.rmt.fp_proto;
1299 args->table_args.lcl_port = 0;
1300 st = app_namespace_get_local_table (app_ns);
1301 srt = &st->session_rules[args->transport_proto];
1302 rv = session_rules_table_add_del (srt, &args->table_args);
1308 * Mark (global) tables as pertaining to app ns
1311 session_lookup_set_tables_appns (app_namespace_t * app_ns)
1313 session_table_t *st;
1317 for (fp = 0; fp < ARRAY_LEN (fib_index_to_table_index); fp++)
1319 fib_index = app_namespace_get_fib_index (app_ns, fp);
1320 st = session_table_get_or_alloc (fp, fib_index);
1322 st->appns_index = app_namespace_index (app_ns);
1327 format_ip4_session_lookup_kvp (u8 * s, va_list * args)
1329 clib_bihash_kv_16_8_t *kvp = va_arg (*args, clib_bihash_kv_16_8_t *);
1330 u32 is_local = va_arg (*args, u32);
1331 v4_connection_key_t *key = (v4_connection_key_t *) kvp->key;
1333 app_worker_t *app_wrk;
1339 session = session_get_from_handle (kvp->value);
1340 app_wrk = app_worker_get (session->app_wrk_index);
1341 app_name = application_name_from_index (app_wrk->app_index);
1342 str = format (0, "[%U] %U:%d->%U:%d", format_transport_proto_short,
1343 key->proto, format_ip4_address, &key->src,
1344 clib_net_to_host_u16 (key->src_port), format_ip4_address,
1345 &key->dst, clib_net_to_host_u16 (key->dst_port));
1346 s = format (s, "%-40v%-30v", str, app_name);
1350 session = session_get_from_handle (kvp->value);
1351 app_wrk = app_worker_get (session->app_wrk_index);
1352 app_name = application_name_from_index (app_wrk->app_index);
1353 str = format (0, "[%U] %U:%d", format_transport_proto_short, key->proto,
1354 format_ip4_address, &key->src,
1355 clib_net_to_host_u16 (key->src_port));
1356 s = format (s, "%-30v%-30v", str, app_name);
1361 typedef struct _ip4_session_table_show_ctx_t
1365 } ip4_session_table_show_ctx_t;
1368 ip4_session_table_show (clib_bihash_kv_16_8_t * kvp, void *arg)
1370 ip4_session_table_show_ctx_t *ctx = arg;
1371 vlib_cli_output (ctx->vm, "%U", format_ip4_session_lookup_kvp, kvp,
1377 session_lookup_show_table_entries (vlib_main_t * vm, session_table_t * table,
1378 u8 type, u8 is_local)
1380 ip4_session_table_show_ctx_t ctx = {
1382 .is_local = is_local,
1385 vlib_cli_output (vm, "%-40s%-30s", "Session", "Application");
1387 vlib_cli_output (vm, "%-30s%-30s", "Listener", "Application");
1392 ip4_session_table_walk (&table->v4_session_hash, ip4_session_table_show,
1396 clib_warning ("not supported");
1400 static clib_error_t *
1401 session_rule_command_fn (vlib_main_t * vm, unformat_input_t * input,
1402 vlib_cli_command_t * cmd)
1404 u32 proto = ~0, lcl_port, rmt_port, action = 0, lcl_plen = 0, rmt_plen = 0;
1405 u32 appns_index, scope = 0;
1406 ip46_address_t lcl_ip, rmt_ip;
1407 u8 is_ip4 = 1, conn_set = 0;
1408 u8 fib_proto, is_add = 1, *ns_id = 0;
1410 app_namespace_t *app_ns;
1413 session_cli_return_if_not_enabled ();
1415 clib_memset (&lcl_ip, 0, sizeof (lcl_ip));
1416 clib_memset (&rmt_ip, 0, sizeof (rmt_ip));
1417 while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
1419 if (unformat (input, "del"))
1421 else if (unformat (input, "add"))
1423 else if (unformat (input, "appns %_%v%_", &ns_id))
1425 else if (unformat (input, "scope global"))
1426 scope = SESSION_RULE_SCOPE_GLOBAL;
1427 else if (unformat (input, "scope local"))
1428 scope = SESSION_RULE_SCOPE_LOCAL;
1429 else if (unformat (input, "scope all"))
1430 scope = SESSION_RULE_SCOPE_LOCAL | SESSION_RULE_SCOPE_GLOBAL;
1431 else if (unformat (input, "proto %U", unformat_transport_proto, &proto))
1433 else if (unformat (input, "%U/%d %d %U/%d %d", unformat_ip4_address,
1434 &lcl_ip.ip4, &lcl_plen, &lcl_port,
1435 unformat_ip4_address, &rmt_ip.ip4, &rmt_plen,
1441 else if (unformat (input, "%U/%d %d %U/%d %d", unformat_ip6_address,
1442 &lcl_ip.ip6, &lcl_plen, &lcl_port,
1443 unformat_ip6_address, &rmt_ip.ip6, &rmt_plen,
1449 else if (unformat (input, "action %d", &action))
1451 else if (unformat (input, "tag %_%v%_", &tag))
1454 return clib_error_return (0, "unknown input `%U'",
1455 format_unformat_error, input);
1460 vlib_cli_output (vm, "proto must be set");
1463 if (is_add && !conn_set && action == ~0)
1465 vlib_cli_output (vm, "connection and action must be set for add");
1468 if (!is_add && !tag && !conn_set)
1470 vlib_cli_output (vm, "connection or tag must be set for delete");
1473 if (vec_len (tag) > SESSION_RULE_TAG_MAX_LEN)
1475 vlib_cli_output (vm, "tag too long (max u64)");
1481 app_ns = app_namespace_get_from_id (ns_id);
1484 vlib_cli_output (vm, "namespace %v does not exist", ns_id);
1490 app_ns = app_namespace_get_default ();
1492 appns_index = app_namespace_index (app_ns);
1494 fib_proto = is_ip4 ? FIB_PROTOCOL_IP4 : FIB_PROTOCOL_IP6;
1495 session_rule_add_del_args_t args = {
1496 .transport_proto = proto,
1497 .table_args.lcl.fp_addr = lcl_ip,
1498 .table_args.lcl.fp_len = lcl_plen,
1499 .table_args.lcl.fp_proto = fib_proto,
1500 .table_args.rmt.fp_addr = rmt_ip,
1501 .table_args.rmt.fp_len = rmt_plen,
1502 .table_args.rmt.fp_proto = fib_proto,
1503 .table_args.lcl_port = lcl_port,
1504 .table_args.rmt_port = rmt_port,
1505 .table_args.action_index = action,
1506 .table_args.is_add = is_add,
1507 .table_args.tag = tag,
1508 .appns_index = appns_index,
1511 if ((rv = vnet_session_rule_add_del (&args)))
1512 return clib_error_return (0, "rule add del returned %u", rv);
1519 VLIB_CLI_COMMAND (session_rule_command, static) =
1521 .path = "session rule",
1522 .short_help = "session rule [add|del] appns <ns_id> proto <proto> "
1523 "<lcl-ip/plen> <lcl-port> <rmt-ip/plen> <rmt-port> action <action>",
1524 .function = session_rule_command_fn,
1529 session_lookup_dump_rules_table (u32 fib_index, u8 fib_proto,
1532 vlib_main_t *vm = vlib_get_main ();
1533 session_rules_table_t *srt;
1534 session_table_t *st;
1535 st = session_table_get_for_fib_index (fib_index, fib_proto);
1536 srt = &st->session_rules[transport_proto];
1537 session_rules_table_cli_dump (vm, srt, fib_proto);
1541 session_lookup_dump_local_rules_table (u32 table_index, u8 fib_proto,
1544 vlib_main_t *vm = vlib_get_main ();
1545 session_rules_table_t *srt;
1546 session_table_t *st;
1547 st = session_table_get (table_index);
1548 srt = &st->session_rules[transport_proto];
1549 session_rules_table_cli_dump (vm, srt, fib_proto);
1552 static clib_error_t *
1553 show_session_rules_command_fn (vlib_main_t * vm, unformat_input_t * input,
1554 vlib_cli_command_t * cmd)
1556 u32 transport_proto = ~0, lcl_port, rmt_port, lcl_plen, rmt_plen;
1557 u32 fib_index, scope = 0;
1558 ip46_address_t lcl_ip, rmt_ip;
1559 u8 is_ip4 = 1, show_one = 0;
1560 app_namespace_t *app_ns;
1561 session_rules_table_t *srt;
1562 session_table_t *st;
1563 u8 *ns_id = 0, fib_proto;
1565 session_cli_return_if_not_enabled ();
1567 clib_memset (&lcl_ip, 0, sizeof (lcl_ip));
1568 clib_memset (&rmt_ip, 0, sizeof (rmt_ip));
1569 while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
1571 if (unformat (input, "%U", unformat_transport_proto, &transport_proto))
1573 else if (unformat (input, "appns %_%v%_", &ns_id))
1575 else if (unformat (input, "scope global"))
1577 else if (unformat (input, "scope local"))
1579 else if (unformat (input, "%U/%d %d %U/%d %d", unformat_ip4_address,
1580 &lcl_ip.ip4, &lcl_plen, &lcl_port,
1581 unformat_ip4_address, &rmt_ip.ip4, &rmt_plen,
1587 else if (unformat (input, "%U/%d %d %U/%d %d", unformat_ip6_address,
1588 &lcl_ip.ip6, &lcl_plen, &lcl_port,
1589 unformat_ip6_address, &rmt_ip.ip6, &rmt_plen,
1596 return clib_error_return (0, "unknown input `%U'",
1597 format_unformat_error, input);
1600 if (transport_proto == ~0)
1602 vlib_cli_output (vm, "transport proto must be set");
1608 app_ns = app_namespace_get_from_id (ns_id);
1611 vlib_cli_output (vm, "appns %v doesn't exist", ns_id);
1617 app_ns = app_namespace_get_default ();
1620 if (scope == 1 || scope == 0)
1622 fib_proto = is_ip4 ? FIB_PROTOCOL_IP4 : FIB_PROTOCOL_IP6;
1623 fib_index = is_ip4 ? app_ns->ip4_fib_index : app_ns->ip6_fib_index;
1624 st = session_table_get_for_fib_index (fib_proto, fib_index);
1628 st = app_namespace_get_local_table (app_ns);
1633 srt = &st->session_rules[transport_proto];
1634 session_rules_table_show_rule (vm, srt, &lcl_ip, lcl_port, &rmt_ip,
1639 vlib_cli_output (vm, "%U rules table", format_transport_proto,
1641 srt = &st->session_rules[transport_proto];
1642 session_rules_table_cli_dump (vm, srt, FIB_PROTOCOL_IP4);
1643 session_rules_table_cli_dump (vm, srt, FIB_PROTOCOL_IP6);
1650 VLIB_CLI_COMMAND (show_session_rules_command, static) =
1652 .path = "show session rules",
1653 .short_help = "show session rules [<proto> appns <id> <lcl-ip/plen> "
1654 "<lcl-port> <rmt-ip/plen> <rmt-port> scope <scope>]",
1655 .function = show_session_rules_command_fn,
1660 session_lookup_init (void)
1663 * Allocate default table and map it to fib_index 0
1665 session_table_t *st = session_table_alloc ();
1666 vec_validate (fib_index_to_table_index[FIB_PROTOCOL_IP4], 0);
1667 fib_index_to_table_index[FIB_PROTOCOL_IP4][0] = session_table_index (st);
1668 st->active_fib_proto = FIB_PROTOCOL_IP4;
1669 session_table_init (st, FIB_PROTOCOL_IP4);
1670 st = session_table_alloc ();
1671 vec_validate (fib_index_to_table_index[FIB_PROTOCOL_IP6], 0);
1672 fib_index_to_table_index[FIB_PROTOCOL_IP6][0] = session_table_index (st);
1673 st->active_fib_proto = FIB_PROTOCOL_IP6;
1674 session_table_init (st, FIB_PROTOCOL_IP6);
1678 * fd.io coding-style-patch-verification: ON
1681 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob