a489b168 | 1 | /* |
967bb5c5 | 2 | * Copyright (c) 2015-2019 Nicira, Inc. |
3 | * |
4 | * Licensed under the Apache License, Version 2.0 (the "License"); | |
5 | * you may not use this file except in compliance with the License. | |
6 | * You may obtain a copy of the License at: | |
7 | * | |
8 | * http://www.apache.org/licenses/LICENSE-2.0 | |
9 | * | |
10 | * Unless required by applicable law or agreed to in writing, software | |
11 | * distributed under the License is distributed on an "AS IS" BASIS, | |
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
13 | * See the License for the specific language governing permissions and | |
14 | * limitations under the License. | |
15 | */ | |
16 | ||
17 | #ifndef CONNTRACK_PRIVATE_H | |
18 | #define CONNTRACK_PRIVATE_H 1 | |
19 | ||
20 | #include <sys/types.h> | |
21 | #include <netinet/in.h> | |
22 | #include <netinet/ip6.h> | |
23 | ||
967bb5c5 | 24 | #include "cmap.h" |
a489b168 | 25 | #include "conntrack.h" |
4d4e68ed | 26 | #include "ct-dpif.h" |
967bb5c5 | 27 | #include "ipf.h" |
28 | #include "openvswitch/hmap.h" |
29 | #include "openvswitch/list.h" | |
30 | #include "openvswitch/types.h" | |
31 | #include "packets.h" | |
32 | #include "unaligned.h" | |
0e71e47f | 33 | #include "dp-packet.h" |
a489b168 | 34 | |
/* One endpoint (L3 address plus L4 identifier) of a tracked connection.
 *
 * The anonymous union overlays the L4 'port' with the ICMP id/type/code
 * triple, so both forms occupy the same 4 bytes after 'addr'; the
 * BUILD_ASSERT_DECL following this definition relies on that layout. */
struct ct_endpoint {
    union ct_addr addr;
    union {
        ovs_be16 port;              /* L4 port, network byte order. */
        struct {
            ovs_be16 icmp_id;       /* ICMP identifier, network byte order. */
            uint8_t icmp_type;
            uint8_t icmp_code;
        };
    };
};
46 | ||
/* Verify that there is no padding in struct ct_endpoint, to facilitate
 * hashing in ct_endpoint_hash_add().  The 4 is the size of the port/ICMP
 * union above.  NOTE(review): presumably the hash covers the raw struct
 * bytes, where padding would be uninitialized and make equal endpoints
 * hash differently -- confirm against ct_endpoint_hash_add(). */
BUILD_ASSERT_DECL(sizeof(struct ct_endpoint) == sizeof(union ct_addr) + 4);
92edd073 | 50 | |
/* Changes to this structure need to be reflected in conn_key_hash()
 * and conn_key_cmp(). */
struct conn_key {
    struct ct_endpoint src;
    struct ct_endpoint dst;

    ovs_be16 dl_type;       /* Data-link (L2) type, network byte order. */
    uint16_t zone;          /* Conntrack zone the connection belongs to. */
    uint8_t nw_proto;       /* Network-layer protocol number (by the OVS
                             * field name; verify against users). */
};
61 | ||
/* This is used for alg expectations; an expectation is a
 * context created in preparation for establishing a data
 * connection.  The expectation is created by the control
 * connection.
 *
 * Instances live in conntrack->alg_expectations (via 'node') and are
 * also indexed from conntrack->alg_expectation_refs (via 'node_ref'). */
struct alg_exp_node {
    /* Node in alg_expectations. */
    struct hmap_node node;
    /* Node in alg_expectation_refs. */
    struct hindex_node node_ref;
    /* Key of data connection to be created. */
    struct conn_key key;
    /* Corresponding key of the control connection. */
    struct conn_key parent_key;
    /* The NAT replacement address to be used by the data connection. */
    union ct_addr alg_nat_repl_addr;
    /* The data connection inherits the parent control
     * connection label and mark. */
    ovs_u128 parent_label;
    uint32_t parent_mark;
    /* True if for NAT application, the alg replaces the dest address;
     * otherwise, the source address is replaced. */
    bool nat_rpl_dst;
};
85 | ||
/* Kind of a 'struct conn' entry.  OVS_PACKED_ENUM presumably keeps the
 * enum to its minimal width, since one is embedded in every struct conn
 * ('conn_type').  CT_CONN_TYPE_UN_NAT appears to mark the companion entry
 * referenced by conn->nat_conn -- confirm in conntrack.c. */
enum OVS_PACKED_ENUM ct_conn_type {
    CT_CONN_TYPE_DEFAULT,
    CT_CONN_TYPE_UN_NAT,
};
90 | ||
/* A tracked connection.
 *
 * Fields under "Immutable data" are not expected to change after the
 * connection is created; fields under "Mutable data" may change during its
 * lifetime and are guarded by 'lock' (see the lock acquisition order
 * documented below struct conntrack). */
struct conn {
    /* Immutable data. */
    struct conn_key key;
    struct conn_key rev_key;        /* Presumably the reply-direction key. */
    struct conn_key parent_key;     /* Only used for orig_tuple support. */
    struct ovs_list exp_node;       /* Presumably links into
                                     * conntrack->exp_lists[]. */
    struct cmap_node cm_node;       /* Node in conntrack->conns. */
    struct nat_action_info_t *nat_info;
    char *alg;                      /* ALG name, or NULL if none. */
    struct conn *nat_conn;  /* The NAT 'conn' context, if there is one. */

    /* Mutable data. */
    struct ovs_mutex lock;  /* Guards all mutable fields. */
    ovs_u128 label;
    long long expiration;   /* Expiry time; units presumably ms, as for
                             * the CT_TIMEOUTS values. */
    uint32_t mark;
    int seq_skew;           /* TCP sequence number adjustment (see
                             * 'seq_skew_dir'). */

    /* Immutable data. */
    int32_t admit_zone;     /* The zone for managing zone limit counts. */
    uint32_t zone_limit_seq; /* Used to disambiguate zone limit counts. */

    /* Mutable data. */
    bool seq_skew_dir;      /* TCP sequence skew direction due to NATTing of FTP
                             * control messages; true if reply direction. */
    bool cleaned;           /* True if cleaned from expiry lists. */

    /* Immutable data. */
    bool alg_related;       /* True if alg data connection. */
    enum ct_conn_type conn_type;

    uint32_t tp_id;         /* Timeout policy ID. */
};
124 | ||
/* Outcome reported by ct_l4_proto->conn_update() after applying a packet
 * to an existing connection. */
enum ct_update_res {
    CT_UPDATE_INVALID,
    CT_UPDATE_VALID,
    CT_UPDATE_NEW,
    CT_UPDATE_VALID_NEW,
};
131 | ||
/* Timeouts: all the possible timeout states passed to update_expiration()
 * are listed here.  The name will be prefixed with CT_TM_ (see enum
 * ct_timeout below) and the value is in milliseconds.
 *
 * X-macro list: expand with CT_TIMEOUT(NAME) defined to taste. */
#define CT_TIMEOUTS \
    CT_TIMEOUT(TCP_FIRST_PACKET) \
    CT_TIMEOUT(TCP_OPENING) \
    CT_TIMEOUT(TCP_ESTABLISHED) \
    CT_TIMEOUT(TCP_CLOSING) \
    CT_TIMEOUT(TCP_FIN_WAIT) \
    CT_TIMEOUT(TCP_CLOSED) \
    CT_TIMEOUT(OTHER_FIRST) \
    CT_TIMEOUT(OTHER_MULTIPLE) \
    CT_TIMEOUT(OTHER_BIDIR) \
    CT_TIMEOUT(ICMP_FIRST) \
    CT_TIMEOUT(ICMP_REPLY)
147 | |
/* One enumerator CT_TM_<NAME> per CT_TIMEOUTS entry, in list order,
 * followed by N_CT_TM, the number of timeout states.  N_CT_TM sizes
 * conntrack->exp_lists[]. */
enum ct_timeout {
#define CT_TIMEOUT(NAME) CT_TM_##NAME,
    CT_TIMEOUTS
#undef CT_TIMEOUT
    N_CT_TM
};
154 | ||
/* Connection tracker state.  The lock acquisition order for 'ct_lock',
 * conn->lock and 'resources_lock' is documented below this definition. */
struct conntrack {
    struct ovs_mutex ct_lock;   /* Protects the OVS_GUARDED fields that
                                 * follow, through 'timeout_policies'. */
    struct cmap conns OVS_GUARDED;  /* Tracked connections (struct conn). */
    struct ovs_list exp_lists[N_CT_TM] OVS_GUARDED; /* One expiry list per
                                                     * timeout state. */
    struct hmap zone_limits OVS_GUARDED;
    struct hmap timeout_policies OVS_GUARDED;
    uint32_t hash_basis;        /* Salt for hashing a connection key. */
    pthread_t clean_thread;     /* Periodically cleans up connection tracker. */
    struct latch clean_thread_exit; /* To destroy the 'clean_thread'. */

    /* Counting connections. */
    atomic_count n_conn;        /* Number of connections currently tracked. */
    atomic_uint n_conn_limit;   /* Max connections tracked. */

    /* Expectations for application level gateways (created by control
     * connections to help create data connections, e.g. for FTP). */
    struct ovs_rwlock resources_lock; /* Protects the two OVS_GUARDED fields
                                       * below: 'alg_expectations' and
                                       * 'alg_expectation_refs'. */
    struct hmap alg_expectations OVS_GUARDED;       /* Holds struct
                                                     * alg_exp_nodes. */
    struct hindex alg_expectation_refs OVS_GUARDED; /* For lookup from
                                                     * control context. */

    struct ipf *ipf;            /* Fragmentation handling context. */
    uint32_t zone_limit_seq;    /* Used to disambiguate zone limit counts. */
    atomic_bool tcp_seq_chk;    /* Check TCP sequence numbers. */
};
181 | ||
182 | /* Lock acquisition order: |
183 | * 1. 'ct_lock' | |
184 | * 2. 'conn->lock' | |
185 | * 3. 'resources_lock' | |
186 | */ | |
187 | ||
/* Per-protocol operation tables (struct ct_l4_proto, defined below); the
 * definitions live outside this header. */
extern struct ct_l4_proto ct_proto_tcp;
extern struct ct_l4_proto ct_proto_other;
extern struct ct_l4_proto ct_proto_icmp4;
extern struct ct_l4_proto ct_proto_icmp6;
192 | ||
/* Table of per-L4-protocol operations.  One instance exists for each
 * supported protocol family: ct_proto_tcp, ct_proto_other, ct_proto_icmp4
 * and ct_proto_icmp6. */
struct ct_l4_proto {
    /* Creates a connection for 'pkt' at time 'now' with timeout policy
     * 'tp_id'.  NOTE(review): presumably returns NULL when no connection
     * can be created -- confirm in the per-protocol implementations. */
    struct conn *(*new_conn)(struct conntrack *ct, struct dp_packet *pkt,
                             long long now, uint32_t tp_id);
    /* By its name, decides whether 'pkt' may open a new connection. */
    bool (*valid_new)(struct dp_packet *pkt);
    /* Applies 'pkt' (seen in the reply direction when 'reply' is true) to
     * 'conn' at time 'now' and reports the outcome. */
    enum ct_update_res (*conn_update)(struct conntrack *ct, struct conn *conn,
                                      struct dp_packet *pkt, bool reply,
                                      long long now);
    /* Fills the protocol-specific part of a struct ct_dpif_protoinfo for
     * the connection. */
    void (*conn_get_protoinfo)(const struct conn *,
                               struct ct_dpif_protoinfo *);
};
203 | ||
/* Returns the number of TCP payload bytes in 'pkt', or 0 when
 * dp_packet_get_tcp_payload() reports no TCP payload.  The payload extends
 * from its start to the packet tail, less any trailing L2 padding.
 *
 * NOTE(review): the result is a ptrdiff_t narrowed to uint32_t; a negative
 * difference (L2 pad larger than the tail-to-payload span) would wrap, so
 * callers presumably rely on earlier packet validation -- confirm. */
static inline uint32_t
tcp_payload_length(struct dp_packet *pkt)
{
    const char *payload = dp_packet_get_tcp_payload(pkt);
    if (!payload) {
        return 0;
    }
    const char *payload_end = (char *) dp_packet_tail(pkt)
                              - dp_packet_l2_pad_size(pkt);
    return payload_end - payload;
}
215 | ||
a489b168 | 216 | #endif /* conntrack-private.h */ |