[mirror_ovs.git] / lib / conntrack-private.h

/*
 * Copyright (c) 2015-2019 Nicira, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at:
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#ifndef CONNTRACK_PRIVATE_H
#define CONNTRACK_PRIVATE_H 1

#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/ip6.h>

#include "cmap.h"
#include "conntrack.h"
#include "ct-dpif.h"
#include "ipf.h"
#include "openvswitch/hmap.h"
#include "openvswitch/list.h"
#include "openvswitch/types.h"
#include "packets.h"
#include "unaligned.h"
#include "dp-packet.h"

struct ct_endpoint {
    union ct_addr addr;
    union {
        ovs_be16 port;
        struct {
            ovs_be16 icmp_id;
            uint8_t icmp_type;
            uint8_t icmp_code;
        };
    };
};

/* Verify that there is no padding in struct ct_endpoint, to facilitate
 * hashing in ct_endpoint_hash_add(). */
BUILD_ASSERT_DECL(sizeof(struct ct_endpoint) == sizeof(union ct_addr) + 4);

/* Changes to this structure need to be reflected in conn_key_hash()
 * and conn_key_cmp(). */
struct conn_key {
    struct ct_endpoint src;
    struct ct_endpoint dst;

    ovs_be16 dl_type;
    uint16_t zone;
    uint8_t nw_proto;
};

/* This is used for alg expectations; an expectation is a
 * context created in preparation for establishing a data
 * connection. The expectation is created by the control
 * connection. */
struct alg_exp_node {
    /* Node in alg_expectations. */
    struct hmap_node node;
    /* Node in alg_expectation_refs. */
    struct hindex_node node_ref;
    /* Key of data connection to be created. */
    struct conn_key key;
    /* Corresponding key of the control connection. */
    struct conn_key master_key;
    /* The NAT replacement address to be used by the data connection. */
    union ct_addr alg_nat_repl_addr;
    /* The data connection inherits the master control
     * connection label and mark. */
    ovs_u128 master_label;
    uint32_t master_mark;
    /* True if for NAT application, the alg replaces the dest address;
     * otherwise, the source address is replaced.  */
    bool nat_rpl_dst;
};

enum OVS_PACKED_ENUM ct_conn_type {
    CT_CONN_TYPE_DEFAULT,
    CT_CONN_TYPE_UN_NAT,
};

struct conn {
    /* Immutable data. */
    struct conn_key key;
    struct conn_key rev_key;
    struct conn_key master_key; /* Only used for orig_tuple support. */
    struct ovs_list exp_node;
    struct cmap_node cm_node;
    struct nat_action_info_t *nat_info;
    char *alg;
    struct conn *nat_conn; /* The NAT 'conn' context, if there is one. */

    /* Mutable data. */
    struct ovs_mutex lock; /* Guards all mutable fields. */
    ovs_u128 label;
    long long expiration;
    uint32_t mark;
    int seq_skew;

    /* Immutable data. */
    int32_t admit_zone; /* The zone for managing zone limit counts. */
    uint32_t zone_limit_seq; /* Used to disambiguate zone limit counts. */

    /* Mutable data. */
    bool seq_skew_dir; /* TCP sequence skew direction due to NATTing of FTP
                        * control messages; true if reply direction. */
    bool cleaned; /* True if cleaned from expiry lists. */

    /* Immutable data. */
    bool alg_related; /* True if alg data connection. */
    enum ct_conn_type conn_type;
};

enum ct_update_res {
    CT_UPDATE_INVALID,
    CT_UPDATE_VALID,
    CT_UPDATE_NEW,
    CT_UPDATE_VALID_NEW,
};

/* Timeouts: all the possible timeout states passed to update_expiration()
 * are listed here. The name will be prefix by CT_TM_ and the value is in
 * milliseconds */
#define CT_TIMEOUTS \
    CT_TIMEOUT(TCP_FIRST_PACKET, 30 * 1000) \
    CT_TIMEOUT(TCP_OPENING, 30 * 1000) \
    CT_TIMEOUT(TCP_ESTABLISHED, 24 * 60 * 60 * 1000) \
    CT_TIMEOUT(TCP_CLOSING, 15 * 60 * 1000) \
    CT_TIMEOUT(TCP_FIN_WAIT, 45 * 1000) \
    CT_TIMEOUT(TCP_CLOSED, 30 * 1000) \
    CT_TIMEOUT(OTHER_FIRST, 60 * 1000) \
    CT_TIMEOUT(OTHER_MULTIPLE, 60 * 1000) \
    CT_TIMEOUT(OTHER_BIDIR, 30 * 1000) \
    CT_TIMEOUT(ICMP_FIRST, 60 * 1000) \
    CT_TIMEOUT(ICMP_REPLY, 30 * 1000)

/* The smallest of the above values: it is used as an upper bound for the
 * interval between two rounds of cleanup of expired entries */
#define CT_TM_MIN (30 * 1000)

#define CT_TIMEOUT(NAME, VAL) BUILD_ASSERT_DECL(VAL >= CT_TM_MIN);
    CT_TIMEOUTS
#undef CT_TIMEOUT

enum ct_timeout {
#define CT_TIMEOUT(NAME, VALUE) CT_TM_##NAME,
    CT_TIMEOUTS
#undef CT_TIMEOUT
    N_CT_TM
};

struct conntrack {
    struct ovs_mutex ct_lock; /* Protects 2 following fields. */
    struct cmap conns OVS_GUARDED;
    struct ovs_list exp_lists[N_CT_TM] OVS_GUARDED;
    struct hmap zone_limits OVS_GUARDED;
    uint32_t hash_basis; /* Salt for hashing a connection key. */
    pthread_t clean_thread; /* Periodically cleans up connection tracker. */
    struct latch clean_thread_exit; /* To destroy the 'clean_thread'. */

    /* Counting connections. */
    atomic_count n_conn; /* Number of connections currently tracked. */
    atomic_uint n_conn_limit; /* Max connections tracked. */

    /* Expectations for application level gateways (created by control
     * connections to help create data connections, e.g. for FTP). */
    struct ovs_rwlock resources_lock; /* Protects fields below. */
    struct hmap alg_expectations OVS_GUARDED; /* Holds struct
                                               * alg_exp_nodes. */
    struct hindex alg_expectation_refs OVS_GUARDED; /* For lookup from
                                                     * control context.  */

    struct ipf *ipf; /* Fragmentation handling context. */
    uint32_t zone_limit_seq; /* Used to disambiguate zone limit counts. */
    atomic_bool tcp_seq_chk; /* Check TCP sequence numbers. */
};

/* Lock acquisition order:
 *    1. 'ct_lock'
 *    2. 'conn->lock'
 *    3. 'resources_lock'
 */

extern struct ct_l4_proto ct_proto_tcp;
extern struct ct_l4_proto ct_proto_other;
extern struct ct_l4_proto ct_proto_icmp4;
extern struct ct_l4_proto ct_proto_icmp6;

struct ct_l4_proto {
    struct conn *(*new_conn)(struct conntrack *ct, struct dp_packet *pkt,
                             long long now);
    bool (*valid_new)(struct dp_packet *pkt);
    enum ct_update_res (*conn_update)(struct conntrack *ct, struct conn *conn,
                                      struct dp_packet *pkt, bool reply,
                                      long long now);
    void (*conn_get_protoinfo)(const struct conn *,
                               struct ct_dpif_protoinfo *);
};

extern long long ct_timeout_val[];


/* ct_lock must be held. */
static inline void
conn_init_expiration(struct conntrack *ct, struct conn *conn,
                     enum ct_timeout tm, long long now)
{
    conn->expiration = now + ct_timeout_val[tm];
    ovs_list_push_back(&ct->exp_lists[tm], &conn->exp_node);
}

/* The conn entry lock must be held on entry and exit. */
static inline void
conn_update_expiration(struct conntrack *ct, struct conn *conn,
                       enum ct_timeout tm, long long now)
    OVS_NO_THREAD_SAFETY_ANALYSIS
{
    ovs_mutex_unlock(&conn->lock);

    ovs_mutex_lock(&ct->ct_lock);
    ovs_mutex_lock(&conn->lock);
    if (!conn->cleaned) {
        conn->expiration = now + ct_timeout_val[tm];
        ovs_list_remove(&conn->exp_node);
        ovs_list_push_back(&ct->exp_lists[tm], &conn->exp_node);
    }
    ovs_mutex_unlock(&conn->lock);
    ovs_mutex_unlock(&ct->ct_lock);

    ovs_mutex_lock(&conn->lock);
}

static inline uint32_t
tcp_payload_length(struct dp_packet *pkt)
{
    const char *tcp_payload = dp_packet_get_tcp_payload(pkt);
    if (tcp_payload) {
        return ((char *) dp_packet_tail(pkt) - dp_packet_l2_pad_size(pkt)
                - tcp_payload);
    } else {
        return 0;
    }
}

#endif /* conntrack-private.h */
Commit	Line	Data
a489b168	1	/*
967bb5c5	2	* Copyright (c) 2015-2019 Nicira, Inc.
a489b168 DDP	3	*
	4	* Licensed under the Apache License, Version 2.0 (the "License");
	5	* you may not use this file except in compliance with the License.
	6	* You may obtain a copy of the License at:
	7	*
	8	* http://www.apache.org/licenses/LICENSE-2.0
	9	*
	10	* Unless required by applicable law or agreed to in writing, software
	11	* distributed under the License is distributed on an "AS IS" BASIS,
	12	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	13	* See the License for the specific language governing permissions and
	14	* limitations under the License.
	15	*/
	16
	17	#ifndef CONNTRACK_PRIVATE_H
	18	#define CONNTRACK_PRIVATE_H 1
	19
	20	#include <sys/types.h>
	21	#include <netinet/in.h>
	22	#include <netinet/ip6.h>
	23
967bb5c5	24	#include "cmap.h"
a489b168	25	#include "conntrack.h"
4d4e68ed	26	#include "ct-dpif.h"
967bb5c5	27	#include "ipf.h"
a489b168 DDP	28	#include "openvswitch/hmap.h"
	29	#include "openvswitch/list.h"
	30	#include "openvswitch/types.h"
	31	#include "packets.h"
	32	#include "unaligned.h"
0e71e47f	33	#include "dp-packet.h"
a489b168	34
a489b168	35	struct ct_endpoint {
cda1b109	36	union ct_addr addr;
b269a122 DDP	37	union {
	38	ovs_be16 port;
	39	struct {
	40	ovs_be16 icmp_id;
	41	uint8_t icmp_type;
	42	uint8_t icmp_code;
	43	};
	44	};
a489b168 DDP	45	};
a489b168 DDP	46
92edd073 DB	47	/* Verify that there is no padding in struct ct_endpoint, to facilitate
92edd073 DB	48	* hashing in ct_endpoint_hash_add(). */
cda1b109	49	BUILD_ASSERT_DECL(sizeof(struct ct_endpoint) == sizeof(union ct_addr) + 4);
92edd073	50
bd5e81a0 DB	51	/* Changes to this structure need to be reflected in conn_key_hash()
bd5e81a0 DB	52	* and conn_key_cmp(). */
a489b168 DDP	53	struct conn_key {
	54	struct ct_endpoint src;
	55	struct ct_endpoint dst;
	56
	57	ovs_be16 dl_type;
a489b168	58	uint16_t zone;
bd5e81a0	59	uint8_t nw_proto;
a489b168 DDP	60	};
a489b168 DDP	61
bd5e81a0 DB	62	/* This is used for alg expectations; an expectation is a
	63	* context created in preparation for establishing a data
	64	* connection. The expectation is created by the control
	65	* connection. */
	66	struct alg_exp_node {
4417ca3d	67	/* Node in alg_expectations. */
bd5e81a0	68	struct hmap_node node;
4417ca3d DB	69	/* Node in alg_expectation_refs. */
4417ca3d DB	70	struct hindex_node node_ref;
bd5e81a0 DB	71	/* Key of data connection to be created. */
	72	struct conn_key key;
	73	/* Corresponding key of the control connection. */
	74	struct conn_key master_key;
	75	/* The NAT replacement address to be used by the data connection. */
cda1b109	76	union ct_addr alg_nat_repl_addr;
bd5e81a0 DB	77	/* The data connection inherits the master control
	78	* connection label and mark. */
	79	ovs_u128 master_label;
	80	uint32_t master_mark;
be38342d DB	81	/* True if for NAT application, the alg replaces the dest address;
	82	* otherwise, the source address is replaced. */
	83	bool nat_rpl_dst;
bd5e81a0 DB	84	};
bd5e81a0 DB	85
967bb5c5 DB	86	enum OVS_PACKED_ENUM ct_conn_type {
	87	CT_CONN_TYPE_DEFAULT,
	88	CT_CONN_TYPE_UN_NAT,
	89	};
	90
a489b168	91	struct conn {
967bb5c5	92	/* Immutable data. */
a489b168 DDP	93	struct conn_key key;
a489b168 DDP	94	struct conn_key rev_key;
967bb5c5	95	struct conn_key master_key; /* Only used for orig_tuple support. */
a489b168	96	struct ovs_list exp_node;
967bb5c5	97	struct cmap_node cm_node;
286de272	98	struct nat_action_info_t *nat_info;
bd5e81a0	99	char *alg;
967bb5c5 DB	100	struct conn nat_conn; / The NAT 'conn' context, if there is one. */
	101
	102	/* Mutable data. */
	103	struct ovs_mutex lock; /* Guards all mutable fields. */
	104	ovs_u128 label;
967bb5c5	105	long long expiration;
5f918a8a	106	uint32_t mark;
967bb5c5	107	int seq_skew;
a7f33fdb DB	108
	109	/* Immutable data. */
	110	int32_t admit_zone; /* The zone for managing zone limit counts. */
	111	uint32_t zone_limit_seq; /* Used to disambiguate zone limit counts. */
	112
	113	/* Mutable data. */
967bb5c5 DB	114	bool seq_skew_dir; /* TCP sequence skew direction due to NATTing of FTP
967bb5c5 DB	115	* control messages; true if reply direction. */
5f918a8a	116	bool cleaned; /* True if cleaned from expiry lists. */
967bb5c5 DB	117
	118	/* Immutable data. */
	119	bool alg_related; /* True if alg data connection. */
	120	enum ct_conn_type conn_type;
a489b168 DDP	121	};
	122
	123	enum ct_update_res {
	124	CT_UPDATE_INVALID,
	125	CT_UPDATE_VALID,
	126	CT_UPDATE_NEW,
a867c010	127	CT_UPDATE_VALID_NEW,
a489b168 DDP	128	};
a489b168 DDP	129
57593fd2 DB	130	/* Timeouts: all the possible timeout states passed to update_expiration()
	131	* are listed here. The name will be prefix by CT_TM_ and the value is in
	132	* milliseconds */
	133	#define CT_TIMEOUTS \
	134	CT_TIMEOUT(TCP_FIRST_PACKET, 30 * 1000) \
	135	CT_TIMEOUT(TCP_OPENING, 30 * 1000) \
	136	CT_TIMEOUT(TCP_ESTABLISHED, 24 * 60 * 60 * 1000) \
	137	CT_TIMEOUT(TCP_CLOSING, 15 * 60 * 1000) \
	138	CT_TIMEOUT(TCP_FIN_WAIT, 45 * 1000) \
	139	CT_TIMEOUT(TCP_CLOSED, 30 * 1000) \
	140	CT_TIMEOUT(OTHER_FIRST, 60 * 1000) \
	141	CT_TIMEOUT(OTHER_MULTIPLE, 60 * 1000) \
	142	CT_TIMEOUT(OTHER_BIDIR, 30 * 1000) \
	143	CT_TIMEOUT(ICMP_FIRST, 60 * 1000) \
	144	CT_TIMEOUT(ICMP_REPLY, 30 * 1000)
	145
	146	/* The smallest of the above values: it is used as an upper bound for the
	147	* interval between two rounds of cleanup of expired entries */
	148	#define CT_TM_MIN (30 * 1000)
	149
	150	#define CT_TIMEOUT(NAME, VAL) BUILD_ASSERT_DECL(VAL >= CT_TM_MIN);
	151	CT_TIMEOUTS
	152	#undef CT_TIMEOUT
	153
	154	enum ct_timeout {
	155	#define CT_TIMEOUT(NAME, VALUE) CT_TM_##NAME,
	156	CT_TIMEOUTS
	157	#undef CT_TIMEOUT
	158	N_CT_TM
	159	};
	160
57593fd2	161	struct conntrack {
967bb5c5 DB	162	struct ovs_mutex ct_lock; /* Protects 2 following fields. */
	163	struct cmap conns OVS_GUARDED;
	164	struct ovs_list exp_lists[N_CT_TM] OVS_GUARDED;
a7f33fdb	165	struct hmap zone_limits OVS_GUARDED;
967bb5c5 DB	166	uint32_t hash_basis; /* Salt for hashing a connection key. */
	167	pthread_t clean_thread; /* Periodically cleans up connection tracker. */
	168	struct latch clean_thread_exit; /* To destroy the 'clean_thread'. */
	169
	170	/* Counting connections. */
	171	atomic_count n_conn; /* Number of connections currently tracked. */
	172	atomic_uint n_conn_limit; /* Max connections tracked. */
	173
	174	/* Expectations for application level gateways (created by control
	175	* connections to help create data connections, e.g. for FTP). */
	176	struct ovs_rwlock resources_lock; /* Protects fields below. */
	177	struct hmap alg_expectations OVS_GUARDED; /* Holds struct
	178	* alg_exp_nodes. */
	179	struct hindex alg_expectation_refs OVS_GUARDED; /* For lookup from
	180	* control context. */
57593fd2	181
64207120	182	struct ipf ipf; / Fragmentation handling context. */
a7f33fdb	183	uint32_t zone_limit_seq; /* Used to disambiguate zone limit counts. */
64207120	184	atomic_bool tcp_seq_chk; /* Check TCP sequence numbers. */
57593fd2 DB	185	};
57593fd2 DB	186
967bb5c5 DB	187	/* Lock acquisition order:
	188	* 1. 'ct_lock'
	189	* 2. 'conn->lock'
	190	* 3. 'resources_lock'
	191	*/
	192
	193	extern struct ct_l4_proto ct_proto_tcp;
	194	extern struct ct_l4_proto ct_proto_other;
	195	extern struct ct_l4_proto ct_proto_icmp4;
	196	extern struct ct_l4_proto ct_proto_icmp6;
	197
a489b168	198	struct ct_l4_proto {
967bb5c5	199	struct conn (new_conn)(struct conntrack ct, struct dp_packet pkt,
e6ef6cc6	200	long long now);
a489b168	201	bool (valid_new)(struct dp_packet pkt);
967bb5c5	202	enum ct_update_res (conn_update)(struct conntrack ct, struct conn *conn,
e6ef6cc6 DDP	203	struct dp_packet *pkt, bool reply,
e6ef6cc6 DDP	204	long long now);
4d4e68ed DDP	205	void (conn_get_protoinfo)(const struct conn ,
4d4e68ed DDP	206	struct ct_dpif_protoinfo *);
a489b168 DDP	207	};
a489b168 DDP	208
a489b168 DDP	209	extern long long ct_timeout_val[];
a489b168 DDP	210
967bb5c5 DB	211
967bb5c5 DB	212	/* ct_lock must be held. */
a489b168	213	static inline void
967bb5c5 DB	214	conn_init_expiration(struct conntrack ct, struct conn conn,
967bb5c5 DB	215	enum ct_timeout tm, long long now)
a489b168 DDP	216	{
a489b168 DDP	217	conn->expiration = now + ct_timeout_val[tm];
967bb5c5	218	ovs_list_push_back(&ct->exp_lists[tm], &conn->exp_node);
e6ef6cc6 DDP	219	}
e6ef6cc6 DDP	220
967bb5c5	221	/* The conn entry lock must be held on entry and exit. */
e6ef6cc6	222	static inline void
967bb5c5	223	conn_update_expiration(struct conntrack ct, struct conn conn,
e6ef6cc6	224	enum ct_timeout tm, long long now)
967bb5c5	225	OVS_NO_THREAD_SAFETY_ANALYSIS
e6ef6cc6	226	{
967bb5c5 DB	227	ovs_mutex_unlock(&conn->lock);
	228
	229	ovs_mutex_lock(&ct->ct_lock);
	230	ovs_mutex_lock(&conn->lock);
5f918a8a DB	231	if (!conn->cleaned) {
	232	conn->expiration = now + ct_timeout_val[tm];
	233	ovs_list_remove(&conn->exp_node);
	234	ovs_list_push_back(&ct->exp_lists[tm], &conn->exp_node);
	235	}
967bb5c5 DB	236	ovs_mutex_unlock(&conn->lock);
	237	ovs_mutex_unlock(&ct->ct_lock);
	238
	239	ovs_mutex_lock(&conn->lock);
a489b168 DDP	240	}
a489b168 DDP	241
0e71e47f DB	242	static inline uint32_t
	243	tcp_payload_length(struct dp_packet *pkt)
	244	{
	245	const char *tcp_payload = dp_packet_get_tcp_payload(pkt);
	246	if (tcp_payload) {
	247	return ((char *) dp_packet_tail(pkt) - dp_packet_l2_pad_size(pkt)
	248	- tcp_payload);
	249	} else {
	250	return 0;
	251	}
	252	}
	253
a489b168	254	#endif /* conntrack-private.h */