2 * Copyright (c) 2017 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
16 /** Generate typed init functions for multiple hash table styles... */
17 #include <vppinfra/bihash_16_8.h>
18 #include <vppinfra/bihash_template.h>
20 #include <vppinfra/bihash_template.c>
22 #undef __included_bihash_template_h__
24 #include <vppinfra/bihash_48_8.h>
25 #include <vppinfra/bihash_template.h>
27 #include <vppinfra/bihash_template.c>
28 #include <vnet/session/session_lookup.h>
29 #include <vnet/session/session.h>
30 #include <vnet/session/application.h>
33 * External vector of per transport virtual functions table
35 extern transport_proto_vft_t *tp_vfts;
38 * Network namespace index (i.e., fib index) to session lookup table. We
39 * should have one per network protocol type but for now we only support IP4/6
41 static u32 *fib_index_to_table_index[2];
45 typedef CLIB_PACKED (struct {
54 /* align by making this 4 octets even though its a 1-bit field
55 * NOTE: avoid key overlap with other transports that use 5 tuples for
56 * session identification.
62 }) v4_connection_key_t;
64 typedef CLIB_PACKED (struct {
79 }) v6_connection_key_t;
82 typedef clib_bihash_kv_16_8_t session_kv4_t;
83 typedef clib_bihash_kv_48_8_t session_kv6_t;
86 make_v4_ss_kv (session_kv4_t * kv, ip4_address_t * lcl, ip4_address_t * rmt,
87 u16 lcl_port, u16 rmt_port, u8 proto)
89 kv->key[0] = (u64) rmt->as_u32 << 32 | (u64) lcl->as_u32;
90 kv->key[1] = (u64) proto << 32 | (u64) rmt_port << 16 | (u64) lcl_port;
95 make_v4_listener_kv (session_kv4_t * kv, ip4_address_t * lcl, u16 lcl_port,
98 kv->key[0] = (u64) lcl->as_u32;
99 kv->key[1] = (u64) proto << 32 | (u64) lcl_port;
104 make_v4_proxy_kv (session_kv4_t * kv, ip4_address_t * lcl, u8 proto)
106 kv->key[0] = (u64) lcl->as_u32;
107 kv->key[1] = (u64) proto << 32;
112 make_v4_ss_kv_from_tc (session_kv4_t * kv, transport_connection_t * tc)
114 make_v4_ss_kv (kv, &tc->lcl_ip.ip4, &tc->rmt_ip.ip4, tc->lcl_port,
115 tc->rmt_port, tc->proto);
119 make_v6_ss_kv (session_kv6_t * kv, ip6_address_t * lcl, ip6_address_t * rmt,
120 u16 lcl_port, u16 rmt_port, u8 proto)
122 kv->key[0] = lcl->as_u64[0];
123 kv->key[1] = lcl->as_u64[1];
124 kv->key[2] = rmt->as_u64[0];
125 kv->key[3] = rmt->as_u64[1];
126 kv->key[4] = (u64) proto << 32 | (u64) rmt_port << 16 | (u64) lcl_port;
132 make_v6_listener_kv (session_kv6_t * kv, ip6_address_t * lcl, u16 lcl_port,
135 kv->key[0] = lcl->as_u64[0];
136 kv->key[1] = lcl->as_u64[1];
139 kv->key[4] = (u64) proto << 32 | (u64) lcl_port;
145 make_v6_proxy_kv (session_kv6_t * kv, ip6_address_t * lcl, u8 proto)
147 kv->key[0] = lcl->as_u64[0];
148 kv->key[1] = lcl->as_u64[1];
151 kv->key[4] = (u64) proto << 32;
157 make_v6_ss_kv_from_tc (session_kv6_t * kv, transport_connection_t * tc)
159 make_v6_ss_kv (kv, &tc->lcl_ip.ip6, &tc->rmt_ip.ip6, tc->lcl_port,
160 tc->rmt_port, tc->proto);
163 static session_table_t *
164 session_table_get_or_alloc (u8 fib_proto, u8 fib_index)
168 if (vec_len (fib_index_to_table_index[fib_proto]) <= fib_index)
170 st = session_table_alloc ();
171 table_index = session_table_index (st);
172 vec_validate (fib_index_to_table_index[fib_proto], fib_index);
173 fib_index_to_table_index[fib_proto][fib_index] = table_index;
174 st->active_fib_proto = fib_proto;
175 session_table_init (st, fib_proto);
180 table_index = fib_index_to_table_index[fib_proto][fib_index];
181 return session_table_get (table_index);
185 static session_table_t *
186 session_table_get_or_alloc_for_connection (transport_connection_t * tc)
189 fib_proto = transport_connection_fib_proto (tc);
190 return session_table_get_or_alloc (fib_proto, tc->fib_index);
193 static session_table_t *
194 session_table_get_for_connection (transport_connection_t * tc)
196 u32 fib_proto = transport_connection_fib_proto (tc);
197 if (vec_len (fib_index_to_table_index[fib_proto]) <= tc->fib_index)
200 session_table_get (fib_index_to_table_index[fib_proto][tc->fib_index]);
203 static session_table_t *
204 session_table_get_for_fib_index (u32 fib_proto, u32 fib_index)
206 if (vec_len (fib_index_to_table_index[fib_proto]) <= fib_index)
208 return session_table_get (fib_index_to_table_index[fib_proto][fib_index]);
212 session_lookup_get_index_for_fib (u32 fib_proto, u32 fib_index)
214 if (vec_len (fib_index_to_table_index[fib_proto]) <= fib_index)
215 return SESSION_TABLE_INVALID_INDEX;
216 return fib_index_to_table_index[fib_proto][fib_index];
220 * Add transport connection to a session table
222 * Session lookup 5-tuple (src-ip, dst-ip, src-port, dst-port, session-type)
223 * is added to requested session table.
225 * @param tc transport connection to be added
226 * @param value value to be stored
228 * @return non-zero if failure
231 session_lookup_add_connection (transport_connection_t * tc, u64 value)
237 st = session_table_get_or_alloc_for_connection (tc);
242 make_v4_ss_kv_from_tc (&kv4, tc);
244 return clib_bihash_add_del_16_8 (&st->v4_session_hash, &kv4,
249 make_v6_ss_kv_from_tc (&kv6, tc);
251 return clib_bihash_add_del_48_8 (&st->v6_session_hash, &kv6,
257 session_lookup_add_session_endpoint (u32 table_index,
258 session_endpoint_t * sep, u64 value)
264 st = session_table_get (table_index);
269 make_v4_listener_kv (&kv4, &sep->ip.ip4, sep->port,
270 sep->transport_proto);
272 return clib_bihash_add_del_16_8 (&st->v4_session_hash, &kv4, 1);
276 make_v6_listener_kv (&kv6, &sep->ip.ip6, sep->port,
277 sep->transport_proto);
279 return clib_bihash_add_del_48_8 (&st->v6_session_hash, &kv6, 1);
284 session_lookup_del_session_endpoint (u32 table_index,
285 session_endpoint_t * sep)
291 st = session_table_get (table_index);
296 make_v4_listener_kv (&kv4, &sep->ip.ip4, sep->port,
297 sep->transport_proto);
298 return clib_bihash_add_del_16_8 (&st->v4_session_hash, &kv4, 0);
302 make_v6_listener_kv (&kv6, &sep->ip.ip6, sep->port,
303 sep->transport_proto);
304 return clib_bihash_add_del_48_8 (&st->v6_session_hash, &kv6, 0);
309 * Delete transport connection from session table
311 * @param table_index session table index
312 * @param tc transport connection to be removed
314 * @return non-zero if failure
317 session_lookup_del_connection (transport_connection_t * tc)
323 st = session_table_get_for_connection (tc);
328 make_v4_ss_kv_from_tc (&kv4, tc);
329 return clib_bihash_add_del_16_8 (&st->v4_session_hash, &kv4,
334 make_v6_ss_kv_from_tc (&kv6, tc);
335 return clib_bihash_add_del_48_8 (&st->v6_session_hash, &kv6,
341 session_lookup_del_session (stream_session_t * s)
343 transport_proto_t tp = session_get_transport_proto (s);
344 transport_connection_t *ts;
345 ts = tp_vfts[tp].get_connection (s->connection_index, s->thread_index);
346 return session_lookup_del_connection (ts);
350 session_lookup_action_index_is_valid (u32 action_index)
352 if (action_index == SESSION_RULES_TABLE_ACTION_ALLOW
353 || action_index == SESSION_RULES_TABLE_INVALID_INDEX)
359 session_lookup_action_to_handle (u32 action_index)
361 switch (action_index)
363 case SESSION_RULES_TABLE_ACTION_DROP:
364 return SESSION_DROP_HANDLE;
365 case SESSION_RULES_TABLE_ACTION_ALLOW:
366 case SESSION_RULES_TABLE_INVALID_INDEX:
367 return SESSION_INVALID_HANDLE;
369 /* application index */
374 static stream_session_t *
375 session_lookup_app_listen_session (u32 app_index, u8 fib_proto,
379 app = application_get_if_valid (app_index);
383 return app_worker_first_listener (application_get_default_worker (app),
384 fib_proto, transport_proto);
387 static stream_session_t *
388 session_lookup_action_to_session (u32 action_index, u8 fib_proto,
392 app_index = session_lookup_action_to_handle (action_index);
393 /* Nothing sophisticated for now, action index is app index */
394 return session_lookup_app_listen_session (app_index, fib_proto,
400 session_lookup_rules_table_session4 (session_table_t * st, u8 proto,
401 ip4_address_t * lcl, u16 lcl_port,
402 ip4_address_t * rmt, u16 rmt_port)
404 session_rules_table_t *srt = &st->session_rules[proto];
405 u32 action_index, app_index;
406 action_index = session_rules_table_lookup4 (srt, lcl, rmt, lcl_port,
408 app_index = session_lookup_action_to_handle (action_index);
409 /* Nothing sophisticated for now, action index is app index */
410 return session_lookup_app_listen_session (app_index, FIB_PROTOCOL_IP4,
416 session_lookup_rules_table_session6 (session_table_t * st, u8 proto,
417 ip6_address_t * lcl, u16 lcl_port,
418 ip6_address_t * rmt, u16 rmt_port)
420 session_rules_table_t *srt = &st->session_rules[proto];
421 u32 action_index, app_index;
422 action_index = session_rules_table_lookup6 (srt, lcl, rmt, lcl_port,
424 app_index = session_lookup_action_to_handle (action_index);
425 return session_lookup_app_listen_session (app_index, FIB_PROTOCOL_IP6,
430 * Lookup listener for session endpoint in table
432 * @param table_index table where the endpoint should be looked up
433 * @param sep session endpoint to be looked up
434 * @param use_rules flag that indicates if the session rules of the table
436 * @return invalid handle if nothing is found, the handle of a valid listener
437 * or an action derived handle if a rule is hit
440 session_lookup_endpoint_listener (u32 table_index, session_endpoint_t * sep,
443 session_rules_table_t *srt;
448 st = session_table_get (table_index);
450 return SESSION_INVALID_HANDLE;
456 make_v4_listener_kv (&kv4, &sep->ip.ip4, sep->port,
457 sep->transport_proto);
458 rv = clib_bihash_search_inline_16_8 (&st->v4_session_hash, &kv4);
463 clib_memset (&lcl4, 0, sizeof (lcl4));
464 srt = &st->session_rules[sep->transport_proto];
465 ai = session_rules_table_lookup4 (srt, &lcl4, &sep->ip.ip4, 0,
467 if (session_lookup_action_index_is_valid (ai))
468 return session_lookup_action_to_handle (ai);
476 make_v6_listener_kv (&kv6, &sep->ip.ip6, sep->port,
477 sep->transport_proto);
478 rv = clib_bihash_search_inline_48_8 (&st->v6_session_hash, &kv6);
484 clib_memset (&lcl6, 0, sizeof (lcl6));
485 srt = &st->session_rules[sep->transport_proto];
486 ai = session_rules_table_lookup6 (srt, &lcl6, &sep->ip.ip6, 0,
488 if (session_lookup_action_index_is_valid (ai))
489 return session_lookup_action_to_handle (ai);
492 return SESSION_INVALID_HANDLE;
496 * Look up endpoint in local session table
498 * The result, for now, is an application index and it may in the future
499 * be extended to a more complicated "action object". The only action we
500 * emulate now is "drop" and for that we return a special app index.
502 * Lookup logic is to check in order:
503 * - the rules in the table (connect acls)
504 * - session sub-table for a listener
505 * - session sub-table for a local listener (zeroed addr)
507 * @param table_index table where the lookup should be done
508 * @param sep session endpoint to be looked up
509 * @return session handle that can be interpreted as an adjacency
512 session_lookup_local_endpoint (u32 table_index, session_endpoint_t * sep)
514 session_rules_table_t *srt;
519 st = session_table_get (table_index);
521 return SESSION_INVALID_INDEX;
522 ASSERT (st->is_local);
530 * Check if endpoint has special rules associated
532 clib_memset (&lcl4, 0, sizeof (lcl4));
533 srt = &st->session_rules[sep->transport_proto];
534 ai = session_rules_table_lookup4 (srt, &lcl4, &sep->ip.ip4, 0,
536 if (session_lookup_action_index_is_valid (ai))
537 return session_lookup_action_to_handle (ai);
540 * Check if session endpoint is a listener
542 make_v4_listener_kv (&kv4, &sep->ip.ip4, sep->port,
543 sep->transport_proto);
544 rv = clib_bihash_search_inline_16_8 (&st->v4_session_hash, &kv4);
549 * Zero out the ip. Logic is that connect to local ips, say
550 * 127.0.0.1:port, can match 0.0.0.0:port
552 if (ip4_is_local_host (&sep->ip.ip4))
555 rv = clib_bihash_search_inline_16_8 (&st->v4_session_hash, &kv4);
565 * Zero out the port and check if we have proxy
568 rv = clib_bihash_search_inline_16_8 (&st->v4_session_hash, &kv4);
577 clib_memset (&lcl6, 0, sizeof (lcl6));
578 srt = &st->session_rules[sep->transport_proto];
579 ai = session_rules_table_lookup6 (srt, &lcl6, &sep->ip.ip6, 0,
581 if (session_lookup_action_index_is_valid (ai))
582 return session_lookup_action_to_handle (ai);
584 make_v6_listener_kv (&kv6, &sep->ip.ip6, sep->port,
585 sep->transport_proto);
586 rv = clib_bihash_search_inline_48_8 (&st->v6_session_hash, &kv6);
591 * Zero out the ip. Same logic as above.
594 if (ip6_is_local_host (&sep->ip.ip6))
596 kv6.key[0] = kv6.key[1] = 0;
597 rv = clib_bihash_search_inline_48_8 (&st->v6_session_hash, &kv6);
603 kv6.key[0] = kv6.key[1] = 0;
607 * Zero out the port. Same logic as above.
609 kv6.key[4] = kv6.key[5] = 0;
610 rv = clib_bihash_search_inline_48_8 (&st->v6_session_hash, &kv6);
614 return SESSION_INVALID_HANDLE;
617 static inline stream_session_t *
618 session_lookup_listener4_i (session_table_t * st, ip4_address_t * lcl,
619 u16 lcl_port, u8 proto, u8 use_wildcard)
625 * First, try a fully formed listener
627 make_v4_listener_kv (&kv4, lcl, lcl_port, proto);
628 rv = clib_bihash_search_inline_16_8 (&st->v4_session_hash, &kv4);
630 return listen_session_get ((u32) kv4.value);
633 * Zero out the lcl ip and check if any 0/0 port binds have been done
638 rv = clib_bihash_search_inline_16_8 (&st->v4_session_hash, &kv4);
640 return listen_session_get ((u32) kv4.value);
648 * Zero out port and check if we have a proxy set up for our ip
650 make_v4_proxy_kv (&kv4, lcl, proto);
651 rv = clib_bihash_search_inline_16_8 (&st->v4_session_hash, &kv4);
653 return listen_session_get ((u32) kv4.value);
659 session_lookup_listener4 (u32 fib_index, ip4_address_t * lcl, u16 lcl_port,
663 st = session_table_get_for_fib_index (FIB_PROTOCOL_IP4, fib_index);
666 return session_lookup_listener4_i (st, lcl, lcl_port, proto, 0);
669 static stream_session_t *
670 session_lookup_listener6_i (session_table_t * st, ip6_address_t * lcl,
671 u16 lcl_port, u8 proto, u8 ip_wildcard)
676 make_v6_listener_kv (&kv6, lcl, lcl_port, proto);
677 rv = clib_bihash_search_inline_48_8 (&st->v6_session_hash, &kv6);
679 return listen_session_get ((u32) kv6.value);
681 /* Zero out the lcl ip */
684 kv6.key[0] = kv6.key[1] = 0;
685 rv = clib_bihash_search_inline_48_8 (&st->v6_session_hash, &kv6);
687 return listen_session_get ((u32) kv6.value);
691 kv6.key[0] = kv6.key[1] = 0;
694 make_v6_proxy_kv (&kv6, lcl, proto);
695 rv = clib_bihash_search_inline_48_8 (&st->v6_session_hash, &kv6);
697 return listen_session_get ((u32) kv6.value);
702 session_lookup_listener6 (u32 fib_index, ip6_address_t * lcl, u16 lcl_port,
706 st = session_table_get_for_fib_index (FIB_PROTOCOL_IP6, fib_index);
709 return session_lookup_listener6_i (st, lcl, lcl_port, proto, 1);
713 * Lookup listener, exact or proxy (inaddr_any:0) match
716 session_lookup_listener (u32 table_index, session_endpoint_t * sep)
719 st = session_table_get (table_index);
723 return session_lookup_listener4_i (st, &sep->ip.ip4, sep->port,
724 sep->transport_proto, 0);
726 return session_lookup_listener6_i (st, &sep->ip.ip6, sep->port,
727 sep->transport_proto, 0);
732 session_lookup_add_half_open (transport_connection_t * tc, u64 value)
738 st = session_table_get_or_alloc_for_connection (tc);
743 make_v4_ss_kv_from_tc (&kv4, tc);
745 return clib_bihash_add_del_16_8 (&st->v4_half_open_hash, &kv4,
750 make_v6_ss_kv_from_tc (&kv6, tc);
752 return clib_bihash_add_del_48_8 (&st->v6_half_open_hash, &kv6,
758 session_lookup_del_half_open (transport_connection_t * tc)
764 st = session_table_get_for_connection (tc);
769 make_v4_ss_kv_from_tc (&kv4, tc);
770 return clib_bihash_add_del_16_8 (&st->v4_half_open_hash, &kv4,
775 make_v6_ss_kv_from_tc (&kv6, tc);
776 return clib_bihash_add_del_48_8 (&st->v6_half_open_hash, &kv6,
782 session_lookup_half_open_handle (transport_connection_t * tc)
789 st = session_table_get_for_fib_index (transport_connection_fib_proto (tc),
792 return HALF_OPEN_LOOKUP_INVALID_VALUE;
795 make_v4_ss_kv (&kv4, &tc->lcl_ip.ip4, &tc->rmt_ip.ip4, tc->lcl_port,
796 tc->rmt_port, tc->proto);
797 rv = clib_bihash_search_inline_16_8 (&st->v4_half_open_hash, &kv4);
803 make_v6_ss_kv (&kv6, &tc->lcl_ip.ip6, &tc->rmt_ip.ip6, tc->lcl_port,
804 tc->rmt_port, tc->proto);
805 rv = clib_bihash_search_inline_48_8 (&st->v6_half_open_hash, &kv6);
809 return HALF_OPEN_LOOKUP_INVALID_VALUE;
812 transport_connection_t *
813 session_lookup_half_open_connection (u64 handle, u8 proto, u8 is_ip4)
817 if (handle != HALF_OPEN_LOOKUP_INVALID_VALUE)
819 sst = session_type_from_proto_and_ip (proto, is_ip4);
820 return tp_vfts[sst].get_half_open (handle & 0xFFFFFFFF);
826 * Lookup connection with ip4 and transport layer information
828 * This is used on the fast path so it needs to be fast. Thereby,
829 * duplication of code and 'hacks' allowed.
831 * The lookup is incremental and returns whenever something is matched. The
833 * - Try to find an established session
834 * - Try to find a half-open connection
835 * - Try session rules table
836 * - Try to find a fully-formed or local source wildcarded (listener bound to
837 * all interfaces) listener session
840 * @param fib_index index of fib wherein the connection was received
841 * @param lcl local ip4 address
842 * @param rmt remote ip4 address
843 * @param lcl_port local port
844 * @param rmt_port remote port
845 * @param proto transport protocol (e.g., tcp, udp)
846 * @param thread_index thread index for request
847 * @param is_filtered return flag that indicates if connection was filtered.
849 * @return pointer to transport connection, if one is found, 0 otherwise
851 transport_connection_t *
852 session_lookup_connection_wt4 (u32 fib_index, ip4_address_t * lcl,
853 ip4_address_t * rmt, u16 lcl_port,
854 u16 rmt_port, u8 proto, u32 thread_index,
863 st = session_table_get_for_fib_index (FIB_PROTOCOL_IP4, fib_index);
864 if (PREDICT_FALSE (!st))
868 * Lookup session amongst established ones
870 make_v4_ss_kv (&kv4, lcl, rmt, lcl_port, rmt_port, proto);
871 rv = clib_bihash_search_inline_16_8 (&st->v4_session_hash, &kv4);
874 if (PREDICT_FALSE ((u32) (kv4.value >> 32) != thread_index))
876 *result = SESSION_LOOKUP_RESULT_WRONG_THREAD;
879 s = session_get (kv4.value & 0xFFFFFFFFULL, thread_index);
880 return tp_vfts[proto].get_connection (s->connection_index,
885 * Try half-open connections
887 rv = clib_bihash_search_inline_16_8 (&st->v4_half_open_hash, &kv4);
889 return tp_vfts[proto].get_half_open (kv4.value & 0xFFFFFFFF);
892 * Check the session rules table
894 action_index = session_rules_table_lookup4 (&st->session_rules[proto], lcl,
895 rmt, lcl_port, rmt_port);
896 if (session_lookup_action_index_is_valid (action_index))
898 if (action_index == SESSION_RULES_TABLE_ACTION_DROP)
900 *result = SESSION_LOOKUP_RESULT_FILTERED;
903 if ((s = session_lookup_action_to_session (action_index,
904 FIB_PROTOCOL_IP4, proto)))
905 return tp_vfts[proto].get_listener (s->connection_index);
910 * If nothing is found, check if any listener is available
912 s = session_lookup_listener4_i (st, lcl, lcl_port, proto, 1);
914 return tp_vfts[proto].get_listener (s->connection_index);
920 * Lookup connection with ip4 and transport layer information
922 * Not optimized. Lookup logic is identical to that of
923 * @ref session_lookup_connection_wt4
925 * @param fib_index index of the fib wherein the connection was received
926 * @param lcl local ip4 address
927 * @param rmt remote ip4 address
928 * @param lcl_port local port
929 * @param rmt_port remote port
930 * @param proto transport protocol (e.g., tcp, udp)
932 * @return pointer to transport connection, if one is found, 0 otherwise
934 transport_connection_t *
935 session_lookup_connection4 (u32 fib_index, ip4_address_t * lcl,
936 ip4_address_t * rmt, u16 lcl_port, u16 rmt_port,
945 st = session_table_get_for_fib_index (FIB_PROTOCOL_IP4, fib_index);
946 if (PREDICT_FALSE (!st))
950 * Lookup session amongst established ones
952 make_v4_ss_kv (&kv4, lcl, rmt, lcl_port, rmt_port, proto);
953 rv = clib_bihash_search_inline_16_8 (&st->v4_session_hash, &kv4);
956 s = session_get_from_handle (kv4.value);
957 return tp_vfts[proto].get_connection (s->connection_index,
962 * Try half-open connections
964 rv = clib_bihash_search_inline_16_8 (&st->v4_half_open_hash, &kv4);
966 return tp_vfts[proto].get_half_open (kv4.value & 0xFFFFFFFF);
969 * Check the session rules table
971 action_index = session_rules_table_lookup4 (&st->session_rules[proto], lcl,
972 rmt, lcl_port, rmt_port);
973 if (session_lookup_action_index_is_valid (action_index))
975 if (action_index == SESSION_RULES_TABLE_ACTION_DROP)
977 if ((s = session_lookup_action_to_session (action_index,
978 FIB_PROTOCOL_IP4, proto)))
979 return tp_vfts[proto].get_listener (s->connection_index);
984 * If nothing is found, check if any listener is available
986 s = session_lookup_listener4_i (st, lcl, lcl_port, proto, 1);
988 return tp_vfts[proto].get_listener (s->connection_index);
994 * Lookup session with ip4 and transport layer information
996 * Important note: this may look into another thread's pool table and
997 * register as 'peeker'. Caller should call @ref session_pool_remove_peeker as
998 * if needed as soon as possible.
1000 * Lookup logic is similar to that of @ref session_lookup_connection_wt4 but
1001 * this returns a session as opposed to a transport connection and it does not
1002 * try to lookup half-open sessions.
1004 * Typically used by dgram connections
1007 session_lookup_safe4 (u32 fib_index, ip4_address_t * lcl, ip4_address_t * rmt,
1008 u16 lcl_port, u16 rmt_port, u8 proto)
1010 session_table_t *st;
1012 stream_session_t *s;
1016 st = session_table_get_for_fib_index (FIB_PROTOCOL_IP4, fib_index);
1017 if (PREDICT_FALSE (!st))
1021 * Lookup session amongst established ones
1023 make_v4_ss_kv (&kv4, lcl, rmt, lcl_port, rmt_port, proto);
1024 rv = clib_bihash_search_inline_16_8 (&st->v4_session_hash, &kv4);
1026 return session_get_from_handle_safe (kv4.value);
1029 * Check the session rules table
1031 action_index = session_rules_table_lookup4 (&st->session_rules[proto], lcl,
1032 rmt, lcl_port, rmt_port);
1033 if (session_lookup_action_index_is_valid (action_index))
1035 if (action_index == SESSION_RULES_TABLE_ACTION_DROP)
1037 return session_lookup_action_to_session (action_index, FIB_PROTOCOL_IP4,
1042 * If nothing is found, check if any listener is available
1044 if ((s = session_lookup_listener4_i (st, lcl, lcl_port, proto, 1)))
1051 * Lookup connection with ip6 and transport layer information
1053 * This is used on the fast path so it needs to be fast. Thereby,
1054 * duplication of code and 'hacks' allowed.
1056 * The lookup is incremental and returns whenever something is matched. The
1058 * - Try to find an established session
1059 * - Try to find a half-open connection
1060 * - Try session rules table
1061 * - Try to find a fully-formed or local source wildcarded (listener bound to
1062 * all interfaces) listener session
1065 * @param fib_index index of the fib wherein the connection was received
1066 * @param lcl local ip6 address
1067 * @param rmt remote ip6 address
1068 * @param lcl_port local port
1069 * @param rmt_port remote port
1070 * @param proto transport protocol (e.g., tcp, udp)
1071 * @param thread_index thread index for request
1073 * @return pointer to transport connection, if one is found, 0 otherwise
1075 transport_connection_t *
1076 session_lookup_connection_wt6 (u32 fib_index, ip6_address_t * lcl,
1077 ip6_address_t * rmt, u16 lcl_port,
1078 u16 rmt_port, u8 proto, u32 thread_index,
1081 session_table_t *st;
1082 stream_session_t *s;
1087 st = session_table_get_for_fib_index (FIB_PROTOCOL_IP6, fib_index);
1088 if (PREDICT_FALSE (!st))
1091 make_v6_ss_kv (&kv6, lcl, rmt, lcl_port, rmt_port, proto);
1092 rv = clib_bihash_search_inline_48_8 (&st->v6_session_hash, &kv6);
1095 ASSERT ((u32) (kv6.value >> 32) == thread_index);
1096 if (PREDICT_FALSE ((u32) (kv6.value >> 32) != thread_index))
1098 *result = SESSION_LOOKUP_RESULT_WRONG_THREAD;
1101 s = session_get (kv6.value & 0xFFFFFFFFULL, thread_index);
1102 return tp_vfts[proto].get_connection (s->connection_index,
1106 /* Try half-open connections */
1107 rv = clib_bihash_search_inline_48_8 (&st->v6_half_open_hash, &kv6);
1109 return tp_vfts[proto].get_half_open (kv6.value & 0xFFFFFFFF);
1111 /* Check the session rules table */
1112 action_index = session_rules_table_lookup6 (&st->session_rules[proto], lcl,
1113 rmt, lcl_port, rmt_port);
1114 if (session_lookup_action_index_is_valid (action_index))
1116 if (action_index == SESSION_RULES_TABLE_ACTION_DROP)
1118 *result = SESSION_LOOKUP_RESULT_FILTERED;
1121 if ((s = session_lookup_action_to_session (action_index,
1122 FIB_PROTOCOL_IP6, proto)))
1123 return tp_vfts[proto].get_listener (s->connection_index);
1127 /* If nothing is found, check if any listener is available */
1128 s = session_lookup_listener6_i (st, lcl, lcl_port, proto, 1);
1130 return tp_vfts[proto].get_listener (s->connection_index);
1136 * Lookup connection with ip6 and transport layer information
1138 * Not optimized. This is used on the fast path so it needs to be fast.
1139 * Thereby, duplication of code and 'hacks' allowed. Lookup logic is identical
1140 * to that of @ref session_lookup_connection_wt4
1142 * @param fib_index index of the fib wherein the connection was received
1143 * @param lcl local ip6 address
1144 * @param rmt remote ip6 address
1145 * @param lcl_port local port
1146 * @param rmt_port remote port
1147 * @param proto transport protocol (e.g., tcp, udp)
1149 * @return pointer to transport connection, if one is found, 0 otherwise
1151 transport_connection_t *
1152 session_lookup_connection6 (u32 fib_index, ip6_address_t * lcl,
1153 ip6_address_t * rmt, u16 lcl_port, u16 rmt_port,
1156 session_table_t *st;
1157 stream_session_t *s;
1162 st = session_table_get_for_fib_index (FIB_PROTOCOL_IP6, fib_index);
1163 if (PREDICT_FALSE (!st))
1166 make_v6_ss_kv (&kv6, lcl, rmt, lcl_port, rmt_port, proto);
1167 rv = clib_bihash_search_inline_48_8 (&st->v6_session_hash, &kv6);
1170 s = session_get_from_handle (kv6.value);
1171 return tp_vfts[proto].get_connection (s->connection_index,
1175 /* Try half-open connections */
1176 rv = clib_bihash_search_inline_48_8 (&st->v6_half_open_hash, &kv6);
1178 return tp_vfts[proto].get_half_open (kv6.value & 0xFFFFFFFF);
1180 /* Check the session rules table */
1181 action_index = session_rules_table_lookup6 (&st->session_rules[proto], lcl,
1182 rmt, lcl_port, rmt_port);
1183 if (session_lookup_action_index_is_valid (action_index))
1185 if (action_index == SESSION_RULES_TABLE_ACTION_DROP)
1187 if ((s = session_lookup_action_to_session (action_index,
1188 FIB_PROTOCOL_IP6, proto)))
1189 return tp_vfts[proto].get_listener (s->connection_index);
1193 /* If nothing is found, check if any listener is available */
1194 s = session_lookup_listener6_i (st, lcl, lcl_port, proto, 1);
1196 return tp_vfts[proto].get_listener (s->connection_index);
1202 * Lookup session with ip6 and transport layer information
1204 * Important note: this may look into another thread's pool table and
1205 * register as 'peeker'. Caller should call @ref session_pool_remove_peeker as
1206 * if needed as soon as possible.
1208 * Lookup logic is similar to that of @ref session_lookup_connection_wt6 but
1209 * this returns a session as opposed to a transport connection and it does not
1210 * try to lookup half-open sessions.
1212 * Typically used by dgram connections
1215 session_lookup_safe6 (u32 fib_index, ip6_address_t * lcl, ip6_address_t * rmt,
1216 u16 lcl_port, u16 rmt_port, u8 proto)
1218 session_table_t *st;
1220 stream_session_t *s;
1224 st = session_table_get_for_fib_index (FIB_PROTOCOL_IP6, fib_index);
1225 if (PREDICT_FALSE (!st))
1228 make_v6_ss_kv (&kv6, lcl, rmt, lcl_port, rmt_port, proto);
1229 rv = clib_bihash_search_inline_48_8 (&st->v6_session_hash, &kv6);
1231 return session_get_from_handle_safe (kv6.value);
1233 /* Check the session rules table */
1234 action_index = session_rules_table_lookup6 (&st->session_rules[proto], lcl,
1235 rmt, lcl_port, rmt_port);
1236 if (session_lookup_action_index_is_valid (action_index))
1238 if (action_index == SESSION_RULES_TABLE_ACTION_DROP)
1240 return session_lookup_action_to_session (action_index, FIB_PROTOCOL_IP6,
1244 /* If nothing is found, check if any listener is available */
1245 if ((s = session_lookup_listener6_i (st, lcl, lcl_port, proto, 1)))
1251 vnet_session_rule_add_del (session_rule_add_del_args_t * args)
1253 app_namespace_t *app_ns = app_namespace_get (args->appns_index);
1254 session_rules_table_t *srt;
1255 session_table_t *st;
1258 clib_error_t *error;
1261 return clib_error_return_code (0, VNET_API_ERROR_APP_INVALID_NS, 0,
1263 if (args->scope > 3)
1264 return clib_error_return_code (0, VNET_API_ERROR_INVALID_VALUE, 0,
1266 if (args->transport_proto != TRANSPORT_PROTO_TCP
1267 && args->transport_proto != TRANSPORT_PROTO_UDP)
1268 return clib_error_return_code (0, VNET_API_ERROR_INVALID_VALUE, 0,
1269 "invalid transport proto");
1270 if ((args->scope & SESSION_RULE_SCOPE_GLOBAL) || args->scope == 0)
1272 fib_proto = args->table_args.rmt.fp_proto;
1273 fib_index = app_namespace_get_fib_index (app_ns, fib_proto);
1274 st = session_table_get_for_fib_index (fib_proto, fib_index);
1275 srt = &st->session_rules[args->transport_proto];
1276 if ((error = session_rules_table_add_del (srt, &args->table_args)))
1278 clib_error_report (error);
1282 if (args->scope & SESSION_RULE_SCOPE_LOCAL)
1284 clib_memset (&args->table_args.lcl, 0, sizeof (args->table_args.lcl));
1285 args->table_args.lcl.fp_proto = args->table_args.rmt.fp_proto;
1286 args->table_args.lcl_port = 0;
1287 st = app_namespace_get_local_table (app_ns);
1288 srt = &st->session_rules[args->transport_proto];
1289 error = session_rules_table_add_del (srt, &args->table_args);
1295 * Mark (global) tables as pertaining to app ns
1298 session_lookup_set_tables_appns (app_namespace_t * app_ns)
1300 session_table_t *st;
1304 for (fp = 0; fp < ARRAY_LEN (fib_index_to_table_index); fp++)
1306 fib_index = app_namespace_get_fib_index (app_ns, fp);
1307 st = session_table_get_for_fib_index (fp, fib_index);
1309 st->appns_index = app_namespace_index (app_ns);
1314 format_ip4_session_lookup_kvp (u8 * s, va_list * args)
1316 clib_bihash_kv_16_8_t *kvp = va_arg (*args, clib_bihash_kv_16_8_t *);
1317 u32 is_local = va_arg (*args, u32), app_wrk_index, session_index;
1318 v4_connection_key_t *key = (v4_connection_key_t *) kvp->key;
1319 stream_session_t *session;
1320 app_worker_t *app_wrk;
1326 session = session_get_from_handle (kvp->value);
1327 app_wrk = app_worker_get (session->app_wrk_index);
1328 app_name = application_name_from_index (app_wrk->app_index);
1329 str = format (0, "[%U] %U:%d->%U:%d", format_transport_proto_short,
1330 key->proto, format_ip4_address, &key->src,
1331 clib_net_to_host_u16 (key->src_port), format_ip4_address,
1332 &key->dst, clib_net_to_host_u16 (key->dst_port));
1333 s = format (s, "%-40v%-30v", str, app_name);
1337 local_session_parse_handle (kvp->value, &app_wrk_index, &session_index);
1338 app_wrk = app_worker_get (app_wrk_index);
1339 app_name = application_name_from_index (app_wrk->app_index);
1340 str = format (0, "[%U] %U:%d", format_transport_proto_short, key->proto,
1341 format_ip4_address, &key->src,
1342 clib_net_to_host_u16 (key->src_port));
1343 s = format (s, "%-30v%-30v", str, app_name);
1348 typedef struct _ip4_session_table_show_ctx_t
1352 } ip4_session_table_show_ctx_t;
1355 ip4_session_table_show (clib_bihash_kv_16_8_t * kvp, void *arg)
1357 ip4_session_table_show_ctx_t *ctx = arg;
1358 vlib_cli_output (ctx->vm, "%U", format_ip4_session_lookup_kvp, kvp,
1364 session_lookup_show_table_entries (vlib_main_t * vm, session_table_t * table,
1365 u8 type, u8 is_local)
1367 ip4_session_table_show_ctx_t ctx = {
1369 .is_local = is_local,
1372 vlib_cli_output (vm, "%-40s%-30s", "Session", "Application");
1374 vlib_cli_output (vm, "%-30s%-30s", "Listener", "Application");
1379 ip4_session_table_walk (&table->v4_session_hash, ip4_session_table_show,
1383 clib_warning ("not supported");
1387 static clib_error_t *
1388 session_rule_command_fn (vlib_main_t * vm, unformat_input_t * input,
1389 vlib_cli_command_t * cmd)
1391 u32 proto = ~0, lcl_port, rmt_port, action = 0, lcl_plen = 0, rmt_plen = 0;
1392 u32 appns_index, scope = 0;
1393 ip46_address_t lcl_ip, rmt_ip;
1394 u8 is_ip4 = 1, conn_set = 0;
1395 u8 fib_proto, is_add = 1, *ns_id = 0;
1397 app_namespace_t *app_ns;
1398 clib_error_t *error;
1400 clib_memset (&lcl_ip, 0, sizeof (lcl_ip));
1401 clib_memset (&rmt_ip, 0, sizeof (rmt_ip));
1402 while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
1404 if (unformat (input, "del"))
1406 else if (unformat (input, "add"))
1408 else if (unformat (input, "appns %_%v%_", &ns_id))
1410 else if (unformat (input, "scope global"))
1411 scope = SESSION_RULE_SCOPE_GLOBAL;
1412 else if (unformat (input, "scope local"))
1413 scope = SESSION_RULE_SCOPE_LOCAL;
1414 else if (unformat (input, "scope all"))
1415 scope = SESSION_RULE_SCOPE_LOCAL | SESSION_RULE_SCOPE_GLOBAL;
1416 else if (unformat (input, "proto %U", unformat_transport_proto, &proto))
1418 else if (unformat (input, "%U/%d %d %U/%d %d", unformat_ip4_address,
1419 &lcl_ip.ip4, &lcl_plen, &lcl_port,
1420 unformat_ip4_address, &rmt_ip.ip4, &rmt_plen,
1426 else if (unformat (input, "%U/%d %d %U/%d %d", unformat_ip6_address,
1427 &lcl_ip.ip6, &lcl_plen, &lcl_port,
1428 unformat_ip6_address, &rmt_ip.ip6, &rmt_plen,
1434 else if (unformat (input, "action %d", &action))
1436 else if (unformat (input, "tag %_%v%_", &tag))
1439 return clib_error_return (0, "unknown input `%U'",
1440 format_unformat_error, input);
1445 vlib_cli_output (vm, "proto must be set");
1448 if (is_add && !conn_set && action == ~0)
1450 vlib_cli_output (vm, "connection and action must be set for add");
1453 if (!is_add && !tag && !conn_set)
1455 vlib_cli_output (vm, "connection or tag must be set for delete");
1458 if (vec_len (tag) > SESSION_RULE_TAG_MAX_LEN)
1460 vlib_cli_output (vm, "tag too long (max u64)");
1466 app_ns = app_namespace_get_from_id (ns_id);
1469 vlib_cli_output (vm, "namespace %v does not exist", ns_id);
1475 app_ns = app_namespace_get_default ();
1477 appns_index = app_namespace_index (app_ns);
1479 fib_proto = is_ip4 ? FIB_PROTOCOL_IP4 : FIB_PROTOCOL_IP6;
1480 session_rule_add_del_args_t args = {
1481 .table_args.lcl.fp_addr = lcl_ip,
1482 .table_args.lcl.fp_len = lcl_plen,
1483 .table_args.lcl.fp_proto = fib_proto,
1484 .table_args.rmt.fp_addr = rmt_ip,
1485 .table_args.rmt.fp_len = rmt_plen,
1486 .table_args.rmt.fp_proto = fib_proto,
1487 .table_args.lcl_port = lcl_port,
1488 .table_args.rmt_port = rmt_port,
1489 .table_args.action_index = action,
1490 .table_args.is_add = is_add,
1491 .table_args.tag = tag,
1492 .appns_index = appns_index,
1495 error = vnet_session_rule_add_del (&args);
1501 VLIB_CLI_COMMAND (session_rule_command, static) =
1503 .path = "session rule",
1504 .short_help = "session rule [add|del] appns <ns_id> proto <proto> "
1505 "<lcl-ip/plen> <lcl-port> <rmt-ip/plen> <rmt-port> action <action>",
1506 .function = session_rule_command_fn,
1511 session_lookup_dump_rules_table (u32 fib_index, u8 fib_proto,
1514 vlib_main_t *vm = vlib_get_main ();
1515 session_rules_table_t *srt;
1516 session_table_t *st;
1517 st = session_table_get_for_fib_index (fib_index, fib_proto);
1518 srt = &st->session_rules[transport_proto];
1519 session_rules_table_cli_dump (vm, srt, fib_proto);
1523 session_lookup_dump_local_rules_table (u32 table_index, u8 fib_proto,
1526 vlib_main_t *vm = vlib_get_main ();
1527 session_rules_table_t *srt;
1528 session_table_t *st;
1529 st = session_table_get (table_index);
1530 srt = &st->session_rules[transport_proto];
1531 session_rules_table_cli_dump (vm, srt, fib_proto);
1534 static clib_error_t *
1535 show_session_rules_command_fn (vlib_main_t * vm, unformat_input_t * input,
1536 vlib_cli_command_t * cmd)
1538 u32 transport_proto = ~0, lcl_port, rmt_port, lcl_plen, rmt_plen;
1539 u32 fib_index, scope = 0;
1540 ip46_address_t lcl_ip, rmt_ip;
1541 u8 is_ip4 = 1, show_one = 0;
1542 app_namespace_t *app_ns;
1543 session_rules_table_t *srt;
1544 session_table_t *st;
1545 u8 *ns_id = 0, fib_proto;
1547 clib_memset (&lcl_ip, 0, sizeof (lcl_ip));
1548 clib_memset (&rmt_ip, 0, sizeof (rmt_ip));
1549 while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
1551 if (unformat (input, "%U", unformat_transport_proto, &transport_proto))
1553 else if (unformat (input, "appns %_%v%_", &ns_id))
1555 else if (unformat (input, "scope global"))
1557 else if (unformat (input, "scope local"))
1559 else if (unformat (input, "%U/%d %d %U/%d %d", unformat_ip4_address,
1560 &lcl_ip.ip4, &lcl_plen, &lcl_port,
1561 unformat_ip4_address, &rmt_ip.ip4, &rmt_plen,
1567 else if (unformat (input, "%U/%d %d %U/%d %d", unformat_ip6_address,
1568 &lcl_ip.ip6, &lcl_plen, &lcl_port,
1569 unformat_ip6_address, &rmt_ip.ip6, &rmt_plen,
1576 return clib_error_return (0, "unknown input `%U'",
1577 format_unformat_error, input);
1580 if (transport_proto == ~0)
1582 vlib_cli_output (vm, "transport proto must be set");
1588 app_ns = app_namespace_get_from_id (ns_id);
1591 vlib_cli_output (vm, "appns %v doesn't exist", ns_id);
1597 app_ns = app_namespace_get_default ();
1600 if (scope == 1 || scope == 0)
1602 fib_proto = is_ip4 ? FIB_PROTOCOL_IP4 : FIB_PROTOCOL_IP6;
1603 fib_index = is_ip4 ? app_ns->ip4_fib_index : app_ns->ip6_fib_index;
1604 st = session_table_get_for_fib_index (fib_proto, fib_index);
1608 st = app_namespace_get_local_table (app_ns);
1613 srt = &st->session_rules[transport_proto];
1614 session_rules_table_show_rule (vm, srt, &lcl_ip, lcl_port, &rmt_ip,
1619 vlib_cli_output (vm, "%U rules table", format_transport_proto,
1621 srt = &st->session_rules[transport_proto];
1622 session_rules_table_cli_dump (vm, srt, FIB_PROTOCOL_IP4);
1623 session_rules_table_cli_dump (vm, srt, FIB_PROTOCOL_IP6);
1630 VLIB_CLI_COMMAND (show_session_rules_command, static) =
1632 .path = "show session rules",
1633 .short_help = "show session rules [<proto> appns <id> <lcl-ip/plen> "
1634 "<lcl-port> <rmt-ip/plen> <rmt-port> scope <scope>]",
1635 .function = show_session_rules_command_fn,
1640 session_lookup_init (void)
1643 * Allocate default table and map it to fib_index 0
1645 session_table_t *st = session_table_alloc ();
1646 vec_validate (fib_index_to_table_index[FIB_PROTOCOL_IP4], 0);
1647 fib_index_to_table_index[FIB_PROTOCOL_IP4][0] = session_table_index (st);
1648 st->active_fib_proto = FIB_PROTOCOL_IP4;
1649 session_table_init (st, FIB_PROTOCOL_IP4);
1650 st = session_table_alloc ();
1651 vec_validate (fib_index_to_table_index[FIB_PROTOCOL_IP6], 0);
1652 fib_index_to_table_index[FIB_PROTOCOL_IP6][0] = session_table_index (st);
1653 st->active_fib_proto = FIB_PROTOCOL_IP6;
1654 session_table_init (st, FIB_PROTOCOL_IP6);
1658 * fd.io coding-style-patch-verification: ON
1661 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob