--- /dev/null
+/*
+ * Copyright (c) 2021 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <vnet/plugin/plugin.h>
+#include <vpp/app/version.h>
+
+#include <hsi/hsi.h>
+#include <vnet/tcp/tcp_types.h>
+
+char *hsi_error_strings[] = {
+#define hsi_error(n, s) s,
+#include <hsi/hsi_error.def>
+#undef hsi_error
+};
+
+typedef enum hsi_input_next_
+{
+ HSI_INPUT_NEXT_UDP_INPUT,
+ HSI_INPUT_NEXT_TCP_INPUT,
+ HSI_INPUT_NEXT_TCP_INPUT_NOLOOKUP,
+ HSI_INPUT_N_NEXT
+} hsi_input_next_t;
+
+#define foreach_hsi4_input_next \
+ _ (UDP_INPUT, "udp4-input") \
+ _ (TCP_INPUT, "tcp4-input") \
+ _ (TCP_INPUT_NOLOOKUP, "tcp4-input-nolookup")
+
+#define foreach_hsi6_input_next \
+ _ (UDP_INPUT, "udp6-input") \
+ _ (TCP_INPUT, "tcp6-input") \
+ _ (TCP_INPUT_NOLOOKUP, "tcp6-input-nolookup")
+
+typedef struct
+{
+ u32 next_node;
+} hsi_trace_t;
+
+static u8 *
+format_hsi_trace (u8 *s, va_list *args)
+{
+ vlib_main_t *vm = va_arg (*args, vlib_main_t *);
+ vlib_node_t *node = va_arg (*args, vlib_node_t *);
+ hsi_trace_t *t = va_arg (*args, hsi_trace_t *);
+ vlib_node_t *nn;
+
+ nn = vlib_get_next_node (vm, node->index, t->next_node);
+ s = format (s, "session %sfound, next node: %v",
+ t->next_node < HSI_INPUT_N_NEXT ? "" : "not ", nn->name);
+ return s;
+}
+
+always_inline u8
+hsi_udp_lookup (vlib_buffer_t *b, void *ip_hdr, u8 is_ip4)
+{
+ udp_header_t *hdr;
+ session_t *s;
+
+ if (is_ip4)
+ {
+ ip4_header_t *ip4 = (ip4_header_t *) ip_hdr;
+ hdr = ip4_next_header (ip4);
+ s = session_lookup_safe4 (
+ vnet_buffer (b)->ip.fib_index, &ip4->dst_address, &ip4->src_address,
+ hdr->dst_port, hdr->src_port, TRANSPORT_PROTO_UDP);
+ }
+ else
+ {
+ ip6_header_t *ip6 = (ip6_header_t *) ip_hdr;
+ hdr = ip6_next_header (ip6);
+ s = session_lookup_safe6 (
+ vnet_buffer (b)->ip.fib_index, &ip6->dst_address, &ip6->src_address,
+ hdr->dst_port, hdr->src_port, TRANSPORT_PROTO_UDP);
+ }
+
+ if (s)
+ {
+ session_pool_remove_peeker (s->thread_index);
+ return 1;
+ }
+
+ return 0;
+}
+
+always_inline transport_connection_t *
+hsi_tcp_lookup (vlib_buffer_t *b, void *ip_hdr, u8 is_ip4)
+{
+ transport_connection_t *tc;
+ tcp_header_t *hdr;
+ u8 result = 0;
+
+ if (is_ip4)
+ {
+ ip4_header_t *ip4 = (ip4_header_t *) ip_hdr;
+ hdr = ip4_next_header (ip4);
+ tc = session_lookup_connection_wt4 (
+ vnet_buffer (b)->ip.fib_index, &ip4->dst_address, &ip4->src_address,
+ hdr->dst_port, hdr->src_port, TRANSPORT_PROTO_TCP,
+ vlib_get_thread_index (), &result);
+ }
+ else
+ {
+ ip6_header_t *ip6 = (ip6_header_t *) ip_hdr;
+ hdr = ip6_next_header (ip6);
+ tc = session_lookup_connection_wt6 (
+ vnet_buffer (b)->ip.fib_index, &ip6->dst_address, &ip6->src_address,
+ hdr->dst_port, hdr->src_port, TRANSPORT_PROTO_TCP,
+ vlib_get_thread_index (), &result);
+ }
+
+ return result == 0 ? tc : 0;
+}
+
+always_inline void
+hsi_lookup_and_update (vlib_buffer_t *b, u32 *next, u8 is_ip4)
+{
+ transport_connection_t *tc;
+ u8 proto, state, have_udp;
+ void *ip_hdr;
+ u32 rw_len;
+
+ rw_len = vnet_buffer (b)->ip.save_rewrite_length;
+ ip_hdr = vlib_buffer_get_current (b) + rw_len;
+
+ if (is_ip4)
+ proto = ((ip4_header_t *) ip_hdr)->protocol;
+ else
+ proto = ((ip6_header_t *) ip_hdr)->protocol;
+
+ switch (proto)
+ {
+ case IP_PROTOCOL_TCP:
+ tc = hsi_tcp_lookup (b, ip_hdr, is_ip4);
+ if (tc)
+ {
+ state = ((tcp_connection_t *) tc)->state;
+ if (state == TCP_STATE_LISTEN)
+ {
+ *next = HSI_INPUT_NEXT_TCP_INPUT;
+ }
+ else if (state == TCP_STATE_SYN_SENT)
+ {
+ *next = HSI_INPUT_NEXT_TCP_INPUT;
+ }
+ else
+ {
+ /* Lookup already done, use result */
+ *next = HSI_INPUT_NEXT_TCP_INPUT_NOLOOKUP;
+ vnet_buffer (b)->tcp.connection_index = tc->c_index;
+ }
+ vlib_buffer_advance (b, rw_len);
+ }
+ else
+ {
+ vnet_feature_next (next, b);
+ }
+ break;
+ case IP_PROTOCOL_UDP:
+ have_udp = hsi_udp_lookup (b, ip_hdr, is_ip4);
+ if (have_udp)
+ {
+ *next = HSI_INPUT_NEXT_UDP_INPUT;
+ vlib_buffer_advance (b, rw_len);
+ }
+ else
+ {
+ vnet_feature_next (next, b);
+ }
+ break;
+ default:
+ vnet_feature_next (next, b);
+ break;
+ }
+}
+
+static void
+hsi_input_trace_frame (vlib_main_t *vm, vlib_node_runtime_t *node,
+ vlib_buffer_t **bufs, u16 *nexts, u32 n_bufs, u8 is_ip4)
+{
+ vlib_buffer_t *b;
+ hsi_trace_t *t;
+ int i;
+
+ for (i = 0; i < n_bufs; i++)
+ {
+ b = bufs[i];
+ if (!(b->flags & VLIB_BUFFER_IS_TRACED))
+ continue;
+ t = vlib_add_trace (vm, node, b, sizeof (*t));
+ t->next_node = nexts[i];
+ }
+}
+
+always_inline uword
+hsi46_input_inline (vlib_main_t *vm, vlib_node_runtime_t *node,
+ vlib_frame_t *frame, int is_ip4)
+{
+ vlib_buffer_t *bufs[VLIB_FRAME_SIZE], **b;
+ u16 nexts[VLIB_FRAME_SIZE], *next;
+ u32 n_left_from, *from;
+
+ from = vlib_frame_vector_args (frame);
+ n_left_from = frame->n_vectors;
+
+ vlib_get_buffers (vm, from, bufs, n_left_from);
+ b = bufs;
+ next = nexts;
+
+ while (n_left_from >= 4)
+ {
+ u32 next0, next1;
+
+ vlib_prefetch_buffer_header (b[2], LOAD);
+ CLIB_PREFETCH (b[2]->data, 2 * CLIB_CACHE_LINE_BYTES, LOAD);
+
+ vlib_prefetch_buffer_header (b[3], LOAD);
+ CLIB_PREFETCH (b[3]->data, 2 * CLIB_CACHE_LINE_BYTES, LOAD);
+
+ hsi_lookup_and_update (b[0], &next0, is_ip4);
+ hsi_lookup_and_update (b[1], &next1, is_ip4);
+
+ next[0] = next0;
+ next[1] = next1;
+
+ b += 2;
+ next += 2;
+ n_left_from -= 2;
+ }
+
+ while (n_left_from)
+ {
+ u32 next0;
+
+ hsi_lookup_and_update (b[0], &next0, is_ip4);
+
+ next[0] = next0;
+
+ b += 1;
+ next += 1;
+ n_left_from -= 1;
+ }
+
+ vlib_buffer_enqueue_to_next (vm, node, from, nexts, frame->n_vectors);
+
+ if (PREDICT_FALSE (node->flags & VLIB_NODE_FLAG_TRACE))
+ hsi_input_trace_frame (vm, node, bufs, nexts, frame->n_vectors, is_ip4);
+
+ return frame->n_vectors;
+}
+
+VLIB_NODE_FN (hsi4_in_node)
+(vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *frame)
+{
+ return hsi46_input_inline (vm, node, frame, 1 /* is_ip4 */);
+}
+
+VLIB_REGISTER_NODE (hsi4_in_node) = {
+ .name = "hsi4-in",
+ .vector_size = sizeof (u32),
+ .format_trace = format_hsi_trace,
+ .type = VLIB_NODE_TYPE_INTERNAL,
+ .n_errors = HSI_N_ERROR,
+ .error_strings = hsi_error_strings,
+ .n_next_nodes = HSI_INPUT_N_NEXT,
+ .next_nodes = {
+#define _(s, n) [HSI_INPUT_NEXT_##s] = n,
+ foreach_hsi4_input_next
+#undef _
+ },
+};
+
+VNET_FEATURE_INIT (hsi4_in_feature, static) = {
+ .arc_name = "ip4-unicast",
+ .node_name = "hsi4-in",
+ .runs_before = VNET_FEATURES ("ip4-lookup"),
+};
+
+VLIB_NODE_FN (hsi4_out_node)
+(vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *frame)
+{
+ return hsi46_input_inline (vm, node, frame, 1 /* is_ip4 */);
+}
+
+VLIB_REGISTER_NODE (hsi4_out_node) = {
+ .name = "hsi4-out",
+ .vector_size = sizeof (u32),
+ .format_trace = format_hsi_trace,
+ .type = VLIB_NODE_TYPE_INTERNAL,
+ .n_errors = HSI_N_ERROR,
+ .error_strings = hsi_error_strings,
+ .n_next_nodes = HSI_INPUT_N_NEXT,
+ .next_nodes = {
+#define _(s, n) [HSI_INPUT_NEXT_##s] = n,
+ foreach_hsi4_input_next
+#undef _
+ },
+};
+
+VNET_FEATURE_INIT (hsi4_out_feature, static) = {
+ .arc_name = "ip4-output",
+ .node_name = "hsi4-out",
+ .runs_before = VNET_FEATURES ("interface-output"),
+};
+
+VLIB_NODE_FN (hsi6_in_node)
+(vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *frame)
+{
+ return hsi46_input_inline (vm, node, frame, 0 /* is_ip4 */);
+}
+
+VLIB_REGISTER_NODE (hsi6_in_node) = {
+ .name = "hsi6-in",
+ .vector_size = sizeof (u32),
+ .format_trace = format_hsi_trace,
+ .type = VLIB_NODE_TYPE_INTERNAL,
+ .n_errors = HSI_N_ERROR,
+ .error_strings = hsi_error_strings,
+ .n_next_nodes = HSI_INPUT_N_NEXT,
+ .next_nodes = {
+#define _(s, n) [HSI_INPUT_NEXT_##s] = n,
+ foreach_hsi6_input_next
+#undef _
+ },
+};
+
+VNET_FEATURE_INIT (hsi6_in_feature, static) = {
+ .arc_name = "ip6-unicast",
+ .node_name = "hsi6-in",
+ .runs_before = VNET_FEATURES ("ip6-lookup"),
+};
+
+VLIB_NODE_FN (hsi6_out_node)
+(vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *frame)
+{
+ return hsi46_input_inline (vm, node, frame, 0 /* is_ip4 */);
+}
+
+VLIB_REGISTER_NODE (hsi6_out_node) = {
+ .name = "hsi6-out",
+ .vector_size = sizeof (u32),
+ .format_trace = format_hsi_trace,
+ .type = VLIB_NODE_TYPE_INTERNAL,
+ .n_errors = HSI_N_ERROR,
+ .error_strings = hsi_error_strings,
+ .n_next_nodes = HSI_INPUT_N_NEXT,
+ .next_nodes = {
+#define _(s, n) [HSI_INPUT_NEXT_##s] = n,
+ foreach_hsi6_input_next
+#undef _
+ },
+};
+
+VNET_FEATURE_INIT (hsi6_out_feature, static) = {
+ .arc_name = "ip6-output",
+ .node_name = "hsi6-out",
+ .runs_before = VNET_FEATURES ("interface-output"),
+};
+
+VLIB_PLUGIN_REGISTER () = {
+ .version = VPP_BUILD_VER,
+ .description = "Host Stack Intercept (HSI)",
+ .default_disabled = 0,
+};
+
+/*
+ * fd.io coding-style-patch-verification: ON
+ *
+ * Local Variables:
+ * eval: (c-set-style "gnu")
+ * End:
+ */
Code Review / vpp.git / commitdiff