From 68501d369c65faa67b4afc5c528e7eb04c097fc4 Mon Sep 17 00:00:00 2001 From: Florin Coras Date: Mon, 7 Jun 2021 11:41:21 -0700 Subject: [PATCH] hsi: host stack intercept plugin Enable selective punting of flows to host stack Type: feature Signed-off-by: Florin Coras Change-Id: Ib31a3abfe3b21a2aa448bfacc4591fa5c840f935 --- MAINTAINERS | 5 + src/plugins/hsi/CMakeLists.txt | 17 ++ src/plugins/hsi/FEATURE.yaml | 8 + src/plugins/hsi/hsi.c | 383 +++++++++++++++++++++++++++++++++++++++++ src/plugins/hsi/hsi.h | 29 ++++ src/plugins/hsi/hsi_error.def | 16 ++ 6 files changed, 458 insertions(+) create mode 100644 src/plugins/hsi/CMakeLists.txt create mode 100644 src/plugins/hsi/FEATURE.yaml create mode 100644 src/plugins/hsi/hsi.c create mode 100644 src/plugins/hsi/hsi.h create mode 100644 src/plugins/hsi/hsi_error.def diff --git a/MAINTAINERS b/MAINTAINERS index fc0439514f4..b259754484d 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -763,6 +763,11 @@ I: bufmon M: Benoît Ganne F: src/plugins/bufmon/ +Plugin - HSI +I: hsi +M: Florin Coras +F: src/plugins/hsi/ + cJSON I: cjson M: Ole Troan diff --git a/src/plugins/hsi/CMakeLists.txt b/src/plugins/hsi/CMakeLists.txt new file mode 100644 index 00000000000..629f5e3762c --- /dev/null +++ b/src/plugins/hsi/CMakeLists.txt @@ -0,0 +1,17 @@ +# Copyright (c) 2021 Cisco and/or its affiliates. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +add_vpp_plugin(hsi + SOURCES + hsi.c +) diff --git a/src/plugins/hsi/FEATURE.yaml b/src/plugins/hsi/FEATURE.yaml new file mode 100644 index 00000000000..d6bf15fc25b --- /dev/null +++ b/src/plugins/hsi/FEATURE.yaml @@ -0,0 +1,8 @@ +--- +name: HSI (Host Stack Intercept) +maintainer: Florin Coras +features: + - Host stack intercept feature +description: "Feature that enables selective punting of flows to the host stack" +state: experimental +properties: [MULTITHREAD] diff --git a/src/plugins/hsi/hsi.c b/src/plugins/hsi/hsi.c new file mode 100644 index 00000000000..bfdb3a07fc2 --- /dev/null +++ b/src/plugins/hsi/hsi.c @@ -0,0 +1,383 @@ +/* + * Copyright (c) 2021 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include +#include + +#include +#include + +char *hsi_error_strings[] = { +#define hsi_error(n, s) s, +#include +#undef hsi_error +}; + +typedef enum hsi_input_next_ +{ + HSI_INPUT_NEXT_UDP_INPUT, + HSI_INPUT_NEXT_TCP_INPUT, + HSI_INPUT_NEXT_TCP_INPUT_NOLOOKUP, + HSI_INPUT_N_NEXT +} hsi_input_next_t; + +#define foreach_hsi4_input_next \ + _ (UDP_INPUT, "udp4-input") \ + _ (TCP_INPUT, "tcp4-input") \ + _ (TCP_INPUT_NOLOOKUP, "tcp4-input-nolookup") + +#define foreach_hsi6_input_next \ + _ (UDP_INPUT, "udp6-input") \ + _ (TCP_INPUT, "tcp6-input") \ + _ (TCP_INPUT_NOLOOKUP, "tcp6-input-nolookup") + +typedef struct +{ + u32 next_node; +} hsi_trace_t; + +static u8 * +format_hsi_trace (u8 *s, va_list *args) +{ + vlib_main_t *vm = va_arg (*args, vlib_main_t *); + vlib_node_t *node = va_arg (*args, vlib_node_t *); + hsi_trace_t *t = va_arg (*args, hsi_trace_t *); + vlib_node_t *nn; + + nn = vlib_get_next_node (vm, node->index, t->next_node); + s = format (s, "session %sfound, next node: %v", + t->next_node < HSI_INPUT_N_NEXT ? "" : "not ", nn->name); + return s; +} + +always_inline u8 +hsi_udp_lookup (vlib_buffer_t *b, void *ip_hdr, u8 is_ip4) +{ + udp_header_t *hdr; + session_t *s; + + if (is_ip4) + { + ip4_header_t *ip4 = (ip4_header_t *) ip_hdr; + hdr = ip4_next_header (ip4); + s = session_lookup_safe4 ( + vnet_buffer (b)->ip.fib_index, &ip4->dst_address, &ip4->src_address, + hdr->dst_port, hdr->src_port, TRANSPORT_PROTO_UDP); + } + else + { + ip6_header_t *ip6 = (ip6_header_t *) ip_hdr; + hdr = ip6_next_header (ip6); + s = session_lookup_safe6 ( + vnet_buffer (b)->ip.fib_index, &ip6->dst_address, &ip6->src_address, + hdr->dst_port, hdr->src_port, TRANSPORT_PROTO_UDP); + } + + if (s) + { + session_pool_remove_peeker (s->thread_index); + return 1; + } + + return 0; +} + +always_inline transport_connection_t * +hsi_tcp_lookup (vlib_buffer_t *b, void *ip_hdr, u8 is_ip4) +{ + transport_connection_t *tc; + tcp_header_t *hdr; + u8 result = 0; + + if (is_ip4) + { + ip4_header_t *ip4 = (ip4_header_t *) ip_hdr; + hdr = ip4_next_header (ip4); + tc = session_lookup_connection_wt4 ( + vnet_buffer (b)->ip.fib_index, &ip4->dst_address, &ip4->src_address, + hdr->dst_port, hdr->src_port, TRANSPORT_PROTO_TCP, + vlib_get_thread_index (), &result); + } + else + { + ip6_header_t *ip6 = (ip6_header_t *) ip_hdr; + hdr = ip6_next_header (ip6); + tc = session_lookup_connection_wt6 ( + vnet_buffer (b)->ip.fib_index, &ip6->dst_address, &ip6->src_address, + hdr->dst_port, hdr->src_port, TRANSPORT_PROTO_TCP, + vlib_get_thread_index (), &result); + } + + return result == 0 ? tc : 0; +} + +always_inline void +hsi_lookup_and_update (vlib_buffer_t *b, u32 *next, u8 is_ip4) +{ + transport_connection_t *tc; + u8 proto, state, have_udp; + void *ip_hdr; + u32 rw_len; + + rw_len = vnet_buffer (b)->ip.save_rewrite_length; + ip_hdr = vlib_buffer_get_current (b) + rw_len; + + if (is_ip4) + proto = ((ip4_header_t *) ip_hdr)->protocol; + else + proto = ((ip6_header_t *) ip_hdr)->protocol; + + switch (proto) + { + case IP_PROTOCOL_TCP: + tc = hsi_tcp_lookup (b, ip_hdr, is_ip4); + if (tc) + { + state = ((tcp_connection_t *) tc)->state; + if (state == TCP_STATE_LISTEN) + { + *next = HSI_INPUT_NEXT_TCP_INPUT; + } + else if (state == TCP_STATE_SYN_SENT) + { + *next = HSI_INPUT_NEXT_TCP_INPUT; + } + else + { + /* Lookup already done, use result */ + *next = HSI_INPUT_NEXT_TCP_INPUT_NOLOOKUP; + vnet_buffer (b)->tcp.connection_index = tc->c_index; + } + vlib_buffer_advance (b, rw_len); + } + else + { + vnet_feature_next (next, b); + } + break; + case IP_PROTOCOL_UDP: + have_udp = hsi_udp_lookup (b, ip_hdr, is_ip4); + if (have_udp) + { + *next = HSI_INPUT_NEXT_UDP_INPUT; + vlib_buffer_advance (b, rw_len); + } + else + { + vnet_feature_next (next, b); + } + break; + default: + vnet_feature_next (next, b); + break; + } +} + +static void +hsi_input_trace_frame (vlib_main_t *vm, vlib_node_runtime_t *node, + vlib_buffer_t **bufs, u16 *nexts, u32 n_bufs, u8 is_ip4) +{ + vlib_buffer_t *b; + hsi_trace_t *t; + int i; + + for (i = 0; i < n_bufs; i++) + { + b = bufs[i]; + if (!(b->flags & VLIB_BUFFER_IS_TRACED)) + continue; + t = vlib_add_trace (vm, node, b, sizeof (*t)); + t->next_node = nexts[i]; + } +} + +always_inline uword +hsi46_input_inline (vlib_main_t *vm, vlib_node_runtime_t *node, + vlib_frame_t *frame, int is_ip4) +{ + vlib_buffer_t *bufs[VLIB_FRAME_SIZE], **b; + u16 nexts[VLIB_FRAME_SIZE], *next; + u32 n_left_from, *from; + + from = vlib_frame_vector_args (frame); + n_left_from = frame->n_vectors; + + vlib_get_buffers (vm, from, bufs, n_left_from); + b = bufs; + next = nexts; + + while (n_left_from >= 4) + { + u32 next0, next1; + + vlib_prefetch_buffer_header (b[2], LOAD); + CLIB_PREFETCH (b[2]->data, 2 * CLIB_CACHE_LINE_BYTES, LOAD); + + vlib_prefetch_buffer_header (b[3], LOAD); + CLIB_PREFETCH (b[3]->data, 2 * CLIB_CACHE_LINE_BYTES, LOAD); + + hsi_lookup_and_update (b[0], &next0, is_ip4); + hsi_lookup_and_update (b[1], &next1, is_ip4); + + next[0] = next0; + next[1] = next1; + + b += 2; + next += 2; + n_left_from -= 2; + } + + while (n_left_from) + { + u32 next0; + + hsi_lookup_and_update (b[0], &next0, is_ip4); + + next[0] = next0; + + b += 1; + next += 1; + n_left_from -= 1; + } + + vlib_buffer_enqueue_to_next (vm, node, from, nexts, frame->n_vectors); + + if (PREDICT_FALSE (node->flags & VLIB_NODE_FLAG_TRACE)) + hsi_input_trace_frame (vm, node, bufs, nexts, frame->n_vectors, is_ip4); + + return frame->n_vectors; +} + +VLIB_NODE_FN (hsi4_in_node) +(vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *frame) +{ + return hsi46_input_inline (vm, node, frame, 1 /* is_ip4 */); +} + +VLIB_REGISTER_NODE (hsi4_in_node) = { + .name = "hsi4-in", + .vector_size = sizeof (u32), + .format_trace = format_hsi_trace, + .type = VLIB_NODE_TYPE_INTERNAL, + .n_errors = HSI_N_ERROR, + .error_strings = hsi_error_strings, + .n_next_nodes = HSI_INPUT_N_NEXT, + .next_nodes = { +#define _(s, n) [HSI_INPUT_NEXT_##s] = n, + foreach_hsi4_input_next +#undef _ + }, +}; + +VNET_FEATURE_INIT (hsi4_in_feature, static) = { + .arc_name = "ip4-unicast", + .node_name = "hsi4-in", + .runs_before = VNET_FEATURES ("ip4-lookup"), +}; + +VLIB_NODE_FN (hsi4_out_node) +(vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *frame) +{ + return hsi46_input_inline (vm, node, frame, 1 /* is_ip4 */); +} + +VLIB_REGISTER_NODE (hsi4_out_node) = { + .name = "hsi4-out", + .vector_size = sizeof (u32), + .format_trace = format_hsi_trace, + .type = VLIB_NODE_TYPE_INTERNAL, + .n_errors = HSI_N_ERROR, + .error_strings = hsi_error_strings, + .n_next_nodes = HSI_INPUT_N_NEXT, + .next_nodes = { +#define _(s, n) [HSI_INPUT_NEXT_##s] = n, + foreach_hsi4_input_next +#undef _ + }, +}; + +VNET_FEATURE_INIT (hsi4_out_feature, static) = { + .arc_name = "ip4-output", + .node_name = "hsi4-out", + .runs_before = VNET_FEATURES ("interface-output"), +}; + +VLIB_NODE_FN (hsi6_in_node) +(vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *frame) +{ + return hsi46_input_inline (vm, node, frame, 0 /* is_ip4 */); +} + +VLIB_REGISTER_NODE (hsi6_in_node) = { + .name = "hsi6-in", + .vector_size = sizeof (u32), + .format_trace = format_hsi_trace, + .type = VLIB_NODE_TYPE_INTERNAL, + .n_errors = HSI_N_ERROR, + .error_strings = hsi_error_strings, + .n_next_nodes = HSI_INPUT_N_NEXT, + .next_nodes = { +#define _(s, n) [HSI_INPUT_NEXT_##s] = n, + foreach_hsi6_input_next +#undef _ + }, +}; + +VNET_FEATURE_INIT (hsi6_in_feature, static) = { + .arc_name = "ip6-unicast", + .node_name = "hsi6-in", + .runs_before = VNET_FEATURES ("ip6-lookup"), +}; + +VLIB_NODE_FN (hsi6_out_node) +(vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *frame) +{ + return hsi46_input_inline (vm, node, frame, 0 /* is_ip4 */); +} + +VLIB_REGISTER_NODE (hsi6_out_node) = { + .name = "hsi6-out", + .vector_size = sizeof (u32), + .format_trace = format_hsi_trace, + .type = VLIB_NODE_TYPE_INTERNAL, + .n_errors = HSI_N_ERROR, + .error_strings = hsi_error_strings, + .n_next_nodes = HSI_INPUT_N_NEXT, + .next_nodes = { +#define _(s, n) [HSI_INPUT_NEXT_##s] = n, + foreach_hsi6_input_next +#undef _ + }, +}; + +VNET_FEATURE_INIT (hsi6_out_feature, static) = { + .arc_name = "ip6-output", + .node_name = "hsi6-out", + .runs_before = VNET_FEATURES ("interface-output"), +}; + +VLIB_PLUGIN_REGISTER () = { + .version = VPP_BUILD_VER, + .description = "Host Stack Intercept (HSI)", + .default_disabled = 0, +}; + +/* + * fd.io coding-style-patch-verification: ON + * + * Local Variables: + * eval: (c-set-style "gnu") + * End: + */ diff --git a/src/plugins/hsi/hsi.h b/src/plugins/hsi/hsi.h new file mode 100644 index 00000000000..1eee1565ef1 --- /dev/null +++ b/src/plugins/hsi/hsi.h @@ -0,0 +1,29 @@ +/* + * Copyright (c) 2021 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef SRC_PLUGINS_HSI_HSI_H_ +#define SRC_PLUGINS_HSI_HSI_H_ + +#include + +typedef enum _hsi_error +{ +#define hsi_error(n, s) HSI_ERROR_##n, +#include +#undef hsi_error + HSI_N_ERROR, +} hsi_error_t; + +#endif /* SRC_PLUGINS_HSI_HSI_H_ */ diff --git a/src/plugins/hsi/hsi_error.def b/src/plugins/hsi/hsi_error.def new file mode 100644 index 00000000000..4e9d7f19238 --- /dev/null +++ b/src/plugins/hsi/hsi_error.def @@ -0,0 +1,16 @@ +/* + * Copyright (c) 2021 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +hsi_error (NONE, "no error") \ No newline at end of file -- 2.16.6