[mirror_ovs.git] / lib / conntrack-private.h

/*
 * Copyright (c) 2015-2019 Nicira, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at:
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#ifndef CONNTRACK_PRIVATE_H
#define CONNTRACK_PRIVATE_H 1

#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/ip6.h>

#include "cmap.h"
#include "conntrack.h"
#include "ct-dpif.h"
#include "ipf.h"
#include "openvswitch/hmap.h"
#include "openvswitch/list.h"
#include "openvswitch/types.h"
#include "packets.h"
#include "unaligned.h"
#include "dp-packet.h"

struct ct_endpoint {
    union ct_addr addr;
    union {
        ovs_be16 port;
        struct {
            ovs_be16 icmp_id;
            uint8_t icmp_type;
            uint8_t icmp_code;
        };
    };
};

/* Verify that there is no padding in struct ct_endpoint, to facilitate
 * hashing in ct_endpoint_hash_add(). */
BUILD_ASSERT_DECL(sizeof(struct ct_endpoint) == sizeof(union ct_addr) + 4);

/* Changes to this structure need to be reflected in conn_key_hash()
 * and conn_key_cmp(). */
struct conn_key {
    struct ct_endpoint src;
    struct ct_endpoint dst;

    ovs_be16 dl_type;
    uint16_t zone;
    uint8_t nw_proto;
};

/* This is used for alg expectations; an expectation is a
 * context created in preparation for establishing a data
 * connection. The expectation is created by the control
 * connection. */
struct alg_exp_node {
    /* Node in alg_expectations. */
    struct hmap_node node;
    /* Node in alg_expectation_refs. */
    struct hindex_node node_ref;
    /* Key of data connection to be created. */
    struct conn_key key;
    /* Corresponding key of the control connection. */
    struct conn_key parent_key;
    /* The NAT replacement address to be used by the data connection. */
    union ct_addr alg_nat_repl_addr;
    /* The data connection inherits the parent control
     * connection label and mark. */
    ovs_u128 parent_label;
    uint32_t parent_mark;
    /* True if for NAT application, the alg replaces the dest address;
     * otherwise, the source address is replaced.  */
    bool nat_rpl_dst;
};

enum OVS_PACKED_ENUM ct_conn_type {
    CT_CONN_TYPE_DEFAULT,
    CT_CONN_TYPE_UN_NAT,
};

struct conn {
    /* Immutable data. */
    struct conn_key key;
    struct conn_key rev_key;
    struct conn_key parent_key; /* Only used for orig_tuple support. */
    struct ovs_list exp_node;
    struct cmap_node cm_node;
    struct nat_action_info_t *nat_info;
    char *alg;
    struct conn *nat_conn; /* The NAT 'conn' context, if there is one. */

    /* Mutable data. */
    struct ovs_mutex lock; /* Guards all mutable fields. */
    ovs_u128 label;
    long long expiration;
    uint32_t mark;
    int seq_skew;

    /* Immutable data. */
    int32_t admit_zone; /* The zone for managing zone limit counts. */
    uint32_t zone_limit_seq; /* Used to disambiguate zone limit counts. */

    /* Mutable data. */
    bool seq_skew_dir; /* TCP sequence skew direction due to NATTing of FTP
                        * control messages; true if reply direction. */
    bool cleaned; /* True if cleaned from expiry lists. */

    /* Immutable data. */
    bool alg_related; /* True if alg data connection. */
    enum ct_conn_type conn_type;

    uint32_t tp_id; /* Timeout policy ID. */
};

enum ct_update_res {
    CT_UPDATE_INVALID,
    CT_UPDATE_VALID,
    CT_UPDATE_NEW,
    CT_UPDATE_VALID_NEW,
};

/* Timeouts: all the possible timeout states passed to update_expiration()
 * are listed here. The name will be prefix by CT_TM_ and the value is in
 * milliseconds */
#define CT_TIMEOUTS \
    CT_TIMEOUT(TCP_FIRST_PACKET) \
    CT_TIMEOUT(TCP_OPENING) \
    CT_TIMEOUT(TCP_ESTABLISHED) \
    CT_TIMEOUT(TCP_CLOSING) \
    CT_TIMEOUT(TCP_FIN_WAIT) \
    CT_TIMEOUT(TCP_CLOSED) \
    CT_TIMEOUT(OTHER_FIRST) \
    CT_TIMEOUT(OTHER_MULTIPLE) \
    CT_TIMEOUT(OTHER_BIDIR) \
    CT_TIMEOUT(ICMP_FIRST) \
    CT_TIMEOUT(ICMP_REPLY)

enum ct_timeout {
#define CT_TIMEOUT(NAME) CT_TM_##NAME,
    CT_TIMEOUTS
#undef CT_TIMEOUT
    N_CT_TM
};

struct conntrack {
    struct ovs_mutex ct_lock; /* Protects 2 following fields. */
    struct cmap conns OVS_GUARDED;
    struct ovs_list exp_lists[N_CT_TM] OVS_GUARDED;
    struct hmap zone_limits OVS_GUARDED;
    struct hmap timeout_policies OVS_GUARDED;
    uint32_t hash_basis; /* Salt for hashing a connection key. */
    pthread_t clean_thread; /* Periodically cleans up connection tracker. */
    struct latch clean_thread_exit; /* To destroy the 'clean_thread'. */

    /* Counting connections. */
    atomic_count n_conn; /* Number of connections currently tracked. */
    atomic_uint n_conn_limit; /* Max connections tracked. */

    /* Expectations for application level gateways (created by control
     * connections to help create data connections, e.g. for FTP). */
    struct ovs_rwlock resources_lock; /* Protects fields below. */
    struct hmap alg_expectations OVS_GUARDED; /* Holds struct
                                               * alg_exp_nodes. */
    struct hindex alg_expectation_refs OVS_GUARDED; /* For lookup from
                                                     * control context.  */

    struct ipf *ipf; /* Fragmentation handling context. */
    uint32_t zone_limit_seq; /* Used to disambiguate zone limit counts. */
    atomic_bool tcp_seq_chk; /* Check TCP sequence numbers. */
};

/* Lock acquisition order:
 *    1. 'ct_lock'
 *    2. 'conn->lock'
 *    3. 'resources_lock'
 */

extern struct ct_l4_proto ct_proto_tcp;
extern struct ct_l4_proto ct_proto_other;
extern struct ct_l4_proto ct_proto_icmp4;
extern struct ct_l4_proto ct_proto_icmp6;

struct ct_l4_proto {
    struct conn *(*new_conn)(struct conntrack *ct, struct dp_packet *pkt,
                             long long now, uint32_t tp_id);
    bool (*valid_new)(struct dp_packet *pkt);
    enum ct_update_res (*conn_update)(struct conntrack *ct, struct conn *conn,
                                      struct dp_packet *pkt, bool reply,
                                      long long now);
    void (*conn_get_protoinfo)(const struct conn *,
                               struct ct_dpif_protoinfo *);
};

static inline uint32_t
tcp_payload_length(struct dp_packet *pkt)
{
    const char *tcp_payload = dp_packet_get_tcp_payload(pkt);
    if (tcp_payload) {
        return ((char *) dp_packet_tail(pkt) - dp_packet_l2_pad_size(pkt)
                - tcp_payload);
    } else {
        return 0;
    }
}

#endif /* conntrack-private.h */
Commit	Line	Data
a489b168	1	/*
967bb5c5	2	* Copyright (c) 2015-2019 Nicira, Inc.
a489b168 DDP	3	*
	4	* Licensed under the Apache License, Version 2.0 (the "License");
	5	* you may not use this file except in compliance with the License.
	6	* You may obtain a copy of the License at:
	7	*
	8	* http://www.apache.org/licenses/LICENSE-2.0
	9	*
	10	* Unless required by applicable law or agreed to in writing, software
	11	* distributed under the License is distributed on an "AS IS" BASIS,
	12	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	13	* See the License for the specific language governing permissions and
	14	* limitations under the License.
	15	*/
	16
	17	#ifndef CONNTRACK_PRIVATE_H
	18	#define CONNTRACK_PRIVATE_H 1
	19
	20	#include <sys/types.h>
	21	#include <netinet/in.h>
	22	#include <netinet/ip6.h>
	23
967bb5c5	24	#include "cmap.h"
a489b168	25	#include "conntrack.h"
4d4e68ed	26	#include "ct-dpif.h"
967bb5c5	27	#include "ipf.h"
a489b168 DDP	28	#include "openvswitch/hmap.h"
	29	#include "openvswitch/list.h"
	30	#include "openvswitch/types.h"
	31	#include "packets.h"
	32	#include "unaligned.h"
0e71e47f	33	#include "dp-packet.h"
a489b168	34
a489b168	35	struct ct_endpoint {
cda1b109	36	union ct_addr addr;
b269a122 DDP	37	union {
	38	ovs_be16 port;
	39	struct {
	40	ovs_be16 icmp_id;
	41	uint8_t icmp_type;
	42	uint8_t icmp_code;
	43	};
	44	};
a489b168 DDP	45	};
a489b168 DDP	46
92edd073 DB	47	/* Verify that there is no padding in struct ct_endpoint, to facilitate
92edd073 DB	48	* hashing in ct_endpoint_hash_add(). */
cda1b109	49	BUILD_ASSERT_DECL(sizeof(struct ct_endpoint) == sizeof(union ct_addr) + 4);
92edd073	50
bd5e81a0 DB	51	/* Changes to this structure need to be reflected in conn_key_hash()
bd5e81a0 DB	52	* and conn_key_cmp(). */
a489b168 DDP	53	struct conn_key {
	54	struct ct_endpoint src;
	55	struct ct_endpoint dst;
	56
	57	ovs_be16 dl_type;
a489b168	58	uint16_t zone;
bd5e81a0	59	uint8_t nw_proto;
a489b168 DDP	60	};
a489b168 DDP	61
bd5e81a0 DB	62	/* This is used for alg expectations; an expectation is a
	63	* context created in preparation for establishing a data
	64	* connection. The expectation is created by the control
	65	* connection. */
	66	struct alg_exp_node {
4417ca3d	67	/* Node in alg_expectations. */
bd5e81a0	68	struct hmap_node node;
4417ca3d DB	69	/* Node in alg_expectation_refs. */
4417ca3d DB	70	struct hindex_node node_ref;
bd5e81a0 DB	71	/* Key of data connection to be created. */
	72	struct conn_key key;
	73	/* Corresponding key of the control connection. */
f51cf36d	74	struct conn_key parent_key;
bd5e81a0	75	/* The NAT replacement address to be used by the data connection. */
cda1b109	76	union ct_addr alg_nat_repl_addr;
f51cf36d	77	/* The data connection inherits the parent control
bd5e81a0	78	* connection label and mark. */
f51cf36d BP	79	ovs_u128 parent_label;
f51cf36d BP	80	uint32_t parent_mark;
be38342d DB	81	/* True if for NAT application, the alg replaces the dest address;
	82	* otherwise, the source address is replaced. */
	83	bool nat_rpl_dst;
bd5e81a0 DB	84	};
bd5e81a0 DB	85
967bb5c5 DB	86	enum OVS_PACKED_ENUM ct_conn_type {
	87	CT_CONN_TYPE_DEFAULT,
	88	CT_CONN_TYPE_UN_NAT,
	89	};
	90
a489b168	91	struct conn {
967bb5c5	92	/* Immutable data. */
a489b168 DDP	93	struct conn_key key;
a489b168 DDP	94	struct conn_key rev_key;
f51cf36d	95	struct conn_key parent_key; /* Only used for orig_tuple support. */
a489b168	96	struct ovs_list exp_node;
967bb5c5	97	struct cmap_node cm_node;
286de272	98	struct nat_action_info_t *nat_info;
bd5e81a0	99	char *alg;
967bb5c5 DB	100	struct conn nat_conn; / The NAT 'conn' context, if there is one. */
	101
	102	/* Mutable data. */
	103	struct ovs_mutex lock; /* Guards all mutable fields. */
	104	ovs_u128 label;
967bb5c5	105	long long expiration;
5f918a8a	106	uint32_t mark;
967bb5c5	107	int seq_skew;
a7f33fdb DB	108
	109	/* Immutable data. */
	110	int32_t admit_zone; /* The zone for managing zone limit counts. */
	111	uint32_t zone_limit_seq; /* Used to disambiguate zone limit counts. */
	112
	113	/* Mutable data. */
967bb5c5 DB	114	bool seq_skew_dir; /* TCP sequence skew direction due to NATTing of FTP
967bb5c5 DB	115	* control messages; true if reply direction. */
5f918a8a	116	bool cleaned; /* True if cleaned from expiry lists. */
967bb5c5 DB	117
	118	/* Immutable data. */
	119	bool alg_related; /* True if alg data connection. */
	120	enum ct_conn_type conn_type;
2078901a WT	121
2078901a WT	122	uint32_t tp_id; /* Timeout policy ID. */
a489b168 DDP	123	};
	124
	125	enum ct_update_res {
	126	CT_UPDATE_INVALID,
	127	CT_UPDATE_VALID,
	128	CT_UPDATE_NEW,
a867c010	129	CT_UPDATE_VALID_NEW,
a489b168 DDP	130	};
a489b168 DDP	131
57593fd2 DB	132	/* Timeouts: all the possible timeout states passed to update_expiration()
	133	* are listed here. The name will be prefix by CT_TM_ and the value is in
	134	* milliseconds */
	135	#define CT_TIMEOUTS \
2078901a WT	136	CT_TIMEOUT(TCP_FIRST_PACKET) \
	137	CT_TIMEOUT(TCP_OPENING) \
	138	CT_TIMEOUT(TCP_ESTABLISHED) \
	139	CT_TIMEOUT(TCP_CLOSING) \
	140	CT_TIMEOUT(TCP_FIN_WAIT) \
	141	CT_TIMEOUT(TCP_CLOSED) \
	142	CT_TIMEOUT(OTHER_FIRST) \
	143	CT_TIMEOUT(OTHER_MULTIPLE) \
	144	CT_TIMEOUT(OTHER_BIDIR) \
	145	CT_TIMEOUT(ICMP_FIRST) \
	146	CT_TIMEOUT(ICMP_REPLY)
57593fd2 DB	147
57593fd2 DB	148	enum ct_timeout {
2078901a	149	#define CT_TIMEOUT(NAME) CT_TM_##NAME,
57593fd2 DB	150	CT_TIMEOUTS
	151	#undef CT_TIMEOUT
	152	N_CT_TM
	153	};
	154
57593fd2	155	struct conntrack {
967bb5c5 DB	156	struct ovs_mutex ct_lock; /* Protects 2 following fields. */
	157	struct cmap conns OVS_GUARDED;
	158	struct ovs_list exp_lists[N_CT_TM] OVS_GUARDED;
a7f33fdb	159	struct hmap zone_limits OVS_GUARDED;
2078901a	160	struct hmap timeout_policies OVS_GUARDED;
967bb5c5 DB	161	uint32_t hash_basis; /* Salt for hashing a connection key. */
	162	pthread_t clean_thread; /* Periodically cleans up connection tracker. */
	163	struct latch clean_thread_exit; /* To destroy the 'clean_thread'. */
	164
	165	/* Counting connections. */
	166	atomic_count n_conn; /* Number of connections currently tracked. */
	167	atomic_uint n_conn_limit; /* Max connections tracked. */
	168
	169	/* Expectations for application level gateways (created by control
	170	* connections to help create data connections, e.g. for FTP). */
	171	struct ovs_rwlock resources_lock; /* Protects fields below. */
	172	struct hmap alg_expectations OVS_GUARDED; /* Holds struct
	173	* alg_exp_nodes. */
	174	struct hindex alg_expectation_refs OVS_GUARDED; /* For lookup from
	175	* control context. */
57593fd2	176
64207120	177	struct ipf ipf; / Fragmentation handling context. */
a7f33fdb	178	uint32_t zone_limit_seq; /* Used to disambiguate zone limit counts. */
64207120	179	atomic_bool tcp_seq_chk; /* Check TCP sequence numbers. */
57593fd2 DB	180	};
57593fd2 DB	181
967bb5c5 DB	182	/* Lock acquisition order:
	183	* 1. 'ct_lock'
	184	* 2. 'conn->lock'
	185	* 3. 'resources_lock'
	186	*/
	187
	188	extern struct ct_l4_proto ct_proto_tcp;
	189	extern struct ct_l4_proto ct_proto_other;
	190	extern struct ct_l4_proto ct_proto_icmp4;
	191	extern struct ct_l4_proto ct_proto_icmp6;
	192
a489b168	193	struct ct_l4_proto {
967bb5c5	194	struct conn (new_conn)(struct conntrack ct, struct dp_packet pkt,
2078901a	195	long long now, uint32_t tp_id);
a489b168	196	bool (valid_new)(struct dp_packet pkt);
967bb5c5	197	enum ct_update_res (conn_update)(struct conntrack ct, struct conn *conn,
e6ef6cc6 DDP	198	struct dp_packet *pkt, bool reply,
e6ef6cc6 DDP	199	long long now);
4d4e68ed DDP	200	void (conn_get_protoinfo)(const struct conn ,
4d4e68ed DDP	201	struct ct_dpif_protoinfo *);
a489b168 DDP	202	};
a489b168 DDP	203
0e71e47f DB	204	static inline uint32_t
	205	tcp_payload_length(struct dp_packet *pkt)
	206	{
	207	const char *tcp_payload = dp_packet_get_tcp_payload(pkt);
	208	if (tcp_payload) {
	209	return ((char *) dp_packet_tail(pkt) - dp_packet_l2_pad_size(pkt)
	210	- tcp_payload);
	211	} else {
	212	return 0;
	213	}
	214	}
	215
a489b168	216	#endif /* conntrack-private.h */