gbp_contract.h

Go to the documentation of this file.

/*
 * Copyright (c) 2018 Cisco and/or its affiliates.
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at:
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#ifndef __GBP_CONTRACT_H__
#define __GBP_CONTRACT_H__

#include <plugins/gbp/gbp.h>
#include <plugins/gbp/gbp_types.h>

#define foreach_gbp_contract_error                         \
  _(ALLOW_NO_SCLASS,    "allow-no-sclass")                 \
  _(ALLOW_INTRA,        "allow-intra-sclass")              \
  _(ALLOW_A_BIT,        "allow-a-bit-set")                 \
  _(ALLOW_SCLASS_1,     "allow-sclass-1")                  \
  _(ALLOW_CONTRACT,     "allow-contract")                  \
  _(DROP_CONTRACT,      "drop-contract")                   \
  _(DROP_ETHER_TYPE,    "drop-ether-type")                 \
  _(DROP_NO_CONTRACT,   "drop-no-contract")                \
  _(DROP_NO_DCLASS,     "drop-no-dclass")

typedef enum
{
#define _(sym,str) GBP_CONTRACT_ERROR_##sym,
  foreach_gbp_contract_error
#undef _
    GBP_CONTRACT_N_ERROR,
#define GBP_CONTRACT_N_ERROR GBP_CONTRACT_N_ERROR
} gbp_contract_error_t;

extern char *gbp_contract_error_strings[GBP_CONTRACT_N_ERROR];

/**
 * The key for an Contract
 */
typedef struct gbp_contract_key_t_
{
  union
  {
    struct
    {
      gbp_scope_t gck_scope;
      /**
       * source and destination EPGs for which the ACL applies
       */
      sclass_t gck_src;
      sclass_t gck_dst;
    };
    u64 as_u64;
  };
} gbp_contract_key_t;

typedef struct gbp_next_hop_t_
{
  fib_node_t gnh_node;
  ip46_address_t gnh_ip;
  mac_address_t gnh_mac;
  index_t gnh_gu;
  index_t gnh_bd;
  index_t gnh_rd;
  u32 gnh_ge;
  u32 gnh_sibling;
  index_t gnh_ai[FIB_PROTOCOL_IP_MAX];
} gbp_next_hop_t;

#define foreach_gbp_hash_mode   \
  _(SRC_IP, "src-ip")           \
  _(DST_IP, "dst-ip")           \
  _(SYMMETRIC, "symmetric")

typedef enum gbp_hash_mode_t_
{
#define _(v,s) GBP_HASH_MODE_##v,
  foreach_gbp_hash_mode
#undef _
} gbp_hash_mode_t;

#define foreach_gbp_rule_action   \
  _(PERMIT,   "permit")           \
  _(DENY,     "deny")             \
  _(REDIRECT, "redirect")

typedef enum gbp_rule_action_t_
{
#define _(v,s) GBP_RULE_##v,
  foreach_gbp_rule_action
#undef _
} gbp_rule_action_t;

#define foreach_gbp_policy_node   \
  _(L2, "L2")                     \
  _(IP4, "ip4")                   \
  _(IP6, "ip6")

typedef enum gbp_policy_node_t_
{
#define _(v,s) GBP_POLICY_NODE_##v,
  foreach_gbp_policy_node
#undef _
} gbp_policy_node_t;
#define GBP_POLICY_N_NODES (GBP_POLICY_NODE_IP6+1)

#define FOR_EACH_GBP_POLICY_NODE(pnode)         \
  for (pnode = GBP_POLICY_NODE_L2; pnode < GBP_POLICY_N_NODES; pnode++)

typedef struct gbp_rule_t_
{
  gbp_rule_action_t gu_action;
  gbp_hash_mode_t gu_hash_mode;
  index_t *gu_nhs;

  /**
   * DPO of the load-balance object used to redirect
   */
  dpo_id_t gu_dpo[GBP_POLICY_N_NODES][FIB_PROTOCOL_IP_MAX];
} gbp_rule_t;

/**
 * A Group Based Policy Contract.
 *  Determines the ACL that applies to traffic pass between two endpoint groups
 */
typedef struct gbp_contract_t_
{
  /**
   * source and destination EPGs
   */
  gbp_contract_key_t gc_key;

  u32 gc_acl_index;
  u32 gc_lc_index;

  /**
   * The ACL to apply for packets from the source to the destination EPG
   */
  index_t *gc_rules;

  /**
   * An ethertype whitelist
   */
  u16 *gc_allowed_ethertypes;
} gbp_contract_t;

/**
 * EPG src,dst pair to ACL mapping table, aka contract DB
 */
typedef struct gbp_contract_db_t_
{
  /**
   * We can form a u64 key from the pair, so use a simple hash table
   */
  uword *gc_hash;
} gbp_contract_db_t;

extern int gbp_contract_update (gbp_scope_t scope,
                                sclass_t sclass,
                                sclass_t dclass,
                                u32 acl_index,
                                index_t * rules,
                                u16 * allowed_ethertypes, u32 * stats_index);
extern int gbp_contract_delete (gbp_scope_t scope, sclass_t sclass,
                                sclass_t dclass);

extern index_t gbp_rule_alloc (gbp_rule_action_t action,
                               gbp_hash_mode_t hash_mode, index_t * nhs);
extern index_t gbp_next_hop_alloc (const ip46_address_t * ip,
                                   index_t grd,
                                   const mac_address_t * mac, index_t gbd);

typedef int (*gbp_contract_cb_t) (gbp_contract_t * gbpe, void *ctx);
extern void gbp_contract_walk (gbp_contract_cb_t bgpe, void *ctx);

extern u8 *format_gbp_contract (u8 * s, va_list * args);

/**
 * DP functions and databases
 */
extern gbp_contract_db_t gbp_contract_db;

always_inline index_t
gbp_contract_find (gbp_contract_key_t * key)
{
  uword *p;

  p = hash_get (gbp_contract_db.gc_hash, key->as_u64);

  if (NULL != p)
    return (p[0]);

  return (INDEX_INVALID);
}

extern gbp_contract_t *gbp_contract_pool;

always_inline gbp_contract_t *
gbp_contract_get (index_t gci)
{
  return (pool_elt_at_index (gbp_contract_pool, gci));
}

extern gbp_rule_t *gbp_rule_pool;

always_inline gbp_rule_t *
gbp_rule_get (index_t gui)
{
  return (pool_elt_at_index (gbp_rule_pool, gui));
}

extern vlib_combined_counter_main_t gbp_contract_permit_counters;
extern vlib_combined_counter_main_t gbp_contract_drop_counters;

typedef enum
{
  GBP_CONTRACT_APPLY_L2,
  GBP_CONTRACT_APPLY_IP4,
  GBP_CONTRACT_APPLY_IP6,
} gbp_contract_apply_type_t;

static_always_inline gbp_rule_action_t
gbp_contract_apply (vlib_main_t * vm, gbp_main_t * gm,
                    gbp_contract_key_t * key, vlib_buffer_t * b,
                    gbp_rule_t ** rule, u32 * intra, u32 * sclass1,
                    gbp_contract_error_t * err,
                    gbp_contract_apply_type_t type)
{
  fa_5tuple_opaque_t fa_5tuple;
  const gbp_contract_t *contract;
  index_t contract_index;
  u32 acl_pos, acl_match, rule_match, trace_bitmap;
  u16 etype;
  u8 ip6, action;

  *rule = 0;

  if (key->gck_src == key->gck_dst)
    {
      /* intra-epg allowed */
      (*intra)++;
      *err = GBP_CONTRACT_ERROR_ALLOW_INTRA;
      return GBP_RULE_PERMIT;
    }

  if (1 == key->gck_src || 1 == key->gck_dst)
    {
      /* sclass 1 allowed */
      (*sclass1)++;
      *err = GBP_CONTRACT_ERROR_ALLOW_SCLASS_1;
      return GBP_RULE_PERMIT;
    }

  /* look for contract */
  contract_index = gbp_contract_find (key);
  if (INDEX_INVALID == contract_index)
    {
      *err = GBP_CONTRACT_ERROR_DROP_NO_CONTRACT;
      return GBP_RULE_DENY;
    }

  contract = gbp_contract_get (contract_index);

  *err = GBP_CONTRACT_ERROR_DROP_CONTRACT;

  switch (type)
    {
    case GBP_CONTRACT_APPLY_IP4:
      ip6 = 0;
      break;
    case GBP_CONTRACT_APPLY_IP6:
      ip6 = 1;
      break;
    case GBP_CONTRACT_APPLY_L2:
      {
        /* check ethertype */
        etype =
          ((u16 *) (vlib_buffer_get_current (b) +
                    vnet_buffer (b)->l2.l2_len))[-1];

        if (~0 == vec_search (contract->gc_allowed_ethertypes, etype))
          {
            *err = GBP_CONTRACT_ERROR_DROP_ETHER_TYPE;
            goto contract_deny;
          }

        switch (clib_net_to_host_u16 (etype))
          {
          case ETHERNET_TYPE_IP4:
            ip6 = 0;
            break;
          case ETHERNET_TYPE_IP6:
            ip6 = 1;
            break;
          default:
            goto contract_deny;
          }
      }
      break;
    }

  /* check ACL */
  action = 0;
  acl_plugin_fill_5tuple_inline (gm->acl_plugin.p_acl_main,
                                 contract->gc_lc_index, b, ip6,
                                 GBP_CONTRACT_APPLY_L2 != type /* input */ ,
                                 GBP_CONTRACT_APPLY_L2 == type /* l2_path */ ,
                                 &fa_5tuple);
  acl_plugin_match_5tuple_inline (gm->acl_plugin.p_acl_main,
                                  contract->gc_lc_index, &fa_5tuple, ip6,
                                  &action, &acl_pos, &acl_match, &rule_match,
                                  &trace_bitmap);
  if (action <= 0)
    goto contract_deny;

  *rule = gbp_rule_get (contract->gc_rules[rule_match]);
  switch ((*rule)->gu_action)
    {
    case GBP_RULE_PERMIT:
    case GBP_RULE_REDIRECT:
      *err = GBP_CONTRACT_ERROR_ALLOW_CONTRACT;
      vlib_increment_combined_counter (&gbp_contract_permit_counters,
                                       vm->thread_index, contract_index, 1,
                                       vlib_buffer_length_in_chain (vm, b));
      return (*rule)->gu_action;
    case GBP_RULE_DENY:
      break;
    }

contract_deny:
  vlib_increment_combined_counter (&gbp_contract_drop_counters,
                                   vm->thread_index, contract_index, 1,
                                   vlib_buffer_length_in_chain (vm, b));
  return GBP_RULE_DENY;
}

#endif /* __GBP_CONTRACT_H__ */
/*
 * fd.io coding-style-patch-verification: ON
 *
 * Local Variables:
 * eval: (c-set-style "gnu")
 * End:
 */