[ovs.git] / lib / conntrack.h

/*
 * Copyright (c) 2015, 2016, 2017, 2019 Nicira, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at:
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#ifndef CONNTRACK_H
#define CONNTRACK_H 1

#include <stdbool.h>

#include "cmap.h"
#include "ct-dpif.h"
#include "latch.h"
#include "odp-netlink.h"
#include "openvswitch/hmap.h"
#include "openvswitch/list.h"
#include "openvswitch/thread.h"
#include "openvswitch/types.h"
#include "ovs-atomic.h"
#include "ovs-thread.h"
#include "packets.h"
#include "hindex.h"

/* Userspace connection tracker
 * ============================
 *
 * This is a connection tracking module that keeps all the state in userspace.
 *
 * Usage
 * =====
 *
 *     struct conntrack *ct;
 *
 * Initialization:
 *
 *     ct = conntrack_init();
 *
 * To send a group of packets through the connection tracker:
 *
 *     conntrack_execute(ct, pkt_batch, ...);
 *
 * Thread-safety:
 *
 * conntrack_execute() can be called by multiple threads simultaneoulsy.
 *
 * Shutdown:
 *
 *    1/ Shutdown packet input to the datapath
 *    2/ Destroy PMD threads after quiescence.
 *    3/ conntrack_destroy(ct);
 */

struct dp_packet_batch;

struct conntrack;

union ct_addr {
    ovs_be32 ipv4;
    struct in6_addr ipv6;
};

enum nat_action_e {
    NAT_ACTION_SRC = 1 << 0,
    NAT_ACTION_SRC_PORT = 1 << 1,
    NAT_ACTION_DST = 1 << 2,
    NAT_ACTION_DST_PORT = 1 << 3,
};

struct nat_action_info_t {
    union ct_addr min_addr;
    union ct_addr max_addr;
    uint16_t min_port;
    uint16_t max_port;
    uint16_t nat_action;
};

struct conntrack *conntrack_init(void);
void conntrack_destroy(struct conntrack *);

int conntrack_execute(struct conntrack *ct, struct dp_packet_batch *pkt_batch,
                      ovs_be16 dl_type, bool force, bool commit, uint16_t zone,
                      const uint32_t *setmark,
                      const struct ovs_key_ct_labels *setlabel,
                      ovs_be16 tp_src, ovs_be16 tp_dst, const char *helper,
                      const struct nat_action_info_t *nat_action_info,
                      long long now, uint32_t tp_id);
void conntrack_clear(struct dp_packet *packet);

struct conntrack_dump {
    struct conntrack *ct;
    unsigned bucket;
    struct cmap_position cm_pos;
    bool filter_zone;
    uint16_t zone;
};

struct conntrack_zone_limit {
    int32_t zone;
    uint32_t limit;
    uint32_t count;
    uint32_t zone_limit_seq; /* Used to disambiguate zone limit counts. */
};

struct timeout_policy {
    struct hmap_node node;
    struct ct_dpif_timeout_policy policy;
};

enum {
    INVALID_ZONE = -2,
    DEFAULT_ZONE = -1, /* Default zone for zone limit management. */
    MIN_ZONE = 0,
    MAX_ZONE = 0xFFFF,
};

struct ct_dpif_entry;
struct ct_dpif_tuple;

int conntrack_dump_start(struct conntrack *, struct conntrack_dump *,
                         const uint16_t *pzone, int *);
int conntrack_dump_next(struct conntrack_dump *, struct ct_dpif_entry *);
int conntrack_dump_done(struct conntrack_dump *);

int conntrack_flush(struct conntrack *, const uint16_t *zone);
int conntrack_flush_tuple(struct conntrack *, const struct ct_dpif_tuple *,
                          uint16_t zone);
int conntrack_set_maxconns(struct conntrack *ct, uint32_t maxconns);
int conntrack_get_maxconns(struct conntrack *ct, uint32_t *maxconns);
int conntrack_get_nconns(struct conntrack *ct, uint32_t *nconns);
int conntrack_set_tcp_seq_chk(struct conntrack *ct, bool enabled);
bool conntrack_get_tcp_seq_chk(struct conntrack *ct);
struct ipf *conntrack_ipf_ctx(struct conntrack *ct);
struct conntrack_zone_limit zone_limit_get(struct conntrack *ct,
                                           int32_t zone);
int zone_limit_update(struct conntrack *ct, int32_t zone, uint32_t limit);
int zone_limit_delete(struct conntrack *ct, uint16_t zone);
\f
#endif /* conntrack.h */
Commit	Line	Data
a489b168	1	/*
4ea96698	2	* Copyright (c) 2015, 2016, 2017, 2019 Nicira, Inc.
a489b168 DDP	3	*
	4	* Licensed under the Apache License, Version 2.0 (the "License");
	5	* you may not use this file except in compliance with the License.
	6	* You may obtain a copy of the License at:
	7	*
	8	* http://www.apache.org/licenses/LICENSE-2.0
	9	*
	10	* Unless required by applicable law or agreed to in writing, software
	11	* distributed under the License is distributed on an "AS IS" BASIS,
	12	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	13	* See the License for the specific language governing permissions and
	14	* limitations under the License.
	15	*/
	16
	17	#ifndef CONNTRACK_H
	18	#define CONNTRACK_H 1
	19
	20	#include <stdbool.h>
	21
967bb5c5	22	#include "cmap.h"
2078901a	23	#include "ct-dpif.h"
e6ef6cc6	24	#include "latch.h"
a489b168 DDP	25	#include "odp-netlink.h"
a489b168 DDP	26	#include "openvswitch/hmap.h"
e6ef6cc6	27	#include "openvswitch/list.h"
a489b168 DDP	28	#include "openvswitch/thread.h"
	29	#include "openvswitch/types.h"
	30	#include "ovs-atomic.h"
4cddb1f0 DB	31	#include "ovs-thread.h"
4cddb1f0 DB	32	#include "packets.h"
4417ca3d	33	#include "hindex.h"
a489b168 DDP	34
	35	/* Userspace connection tracker
	36	* ============================
	37	*
	38	* This is a connection tracking module that keeps all the state in userspace.
	39	*
	40	* Usage
	41	* =====
	42	*
967bb5c5	43	* struct conntrack *ct;
a489b168 DDP	44	*
	45	* Initialization:
	46	*
967bb5c5	47	* ct = conntrack_init();
a489b168	48	*
a489b168 DDP	49	* To send a group of packets through the connection tracker:
a489b168 DDP	50	*
967bb5c5	51	* conntrack_execute(ct, pkt_batch, ...);
a489b168	52	*
967bb5c5	53	* Thread-safety:
a489b168 DDP	54	*
a489b168 DDP	55	* conntrack_execute() can be called by multiple threads simultaneoulsy.
967bb5c5 DB	56	*
	57	* Shutdown:
	58	*
	59	* 1/ Shutdown packet input to the datapath
	60	* 2/ Destroy PMD threads after quiescence.
	61	* 3/ conntrack_destroy(ct);
a489b168 DDP	62	*/
	63
	64	struct dp_packet_batch;
	65
	66	struct conntrack;
	67
cda1b109 DB	68	union ct_addr {
	69	ovs_be32 ipv4;
	70	struct in6_addr ipv6;
4cddb1f0 DB	71	};
	72
	73	enum nat_action_e {
	74	NAT_ACTION_SRC = 1 << 0,
	75	NAT_ACTION_SRC_PORT = 1 << 1,
	76	NAT_ACTION_DST = 1 << 2,
	77	NAT_ACTION_DST_PORT = 1 << 3,
	78	};
	79
	80	struct nat_action_info_t {
cda1b109 DB	81	union ct_addr min_addr;
cda1b109 DB	82	union ct_addr max_addr;
4cddb1f0 DB	83	uint16_t min_port;
	84	uint16_t max_port;
	85	uint16_t nat_action;
	86	};
	87
57593fd2	88	struct conntrack *conntrack_init(void);
a489b168 DDP	89	void conntrack_destroy(struct conntrack *);
a489b168 DDP	90
bd7d93f8 DB	91	int conntrack_execute(struct conntrack ct, struct dp_packet_batch pkt_batch,
	92	ovs_be16 dl_type, bool force, bool commit, uint16_t zone,
	93	const uint32_t *setmark,
286de272	94	const struct ovs_key_ct_labels *setlabel,
bd7d93f8	95	ovs_be16 tp_src, ovs_be16 tp_dst, const char *helper,
94053e66	96	const struct nat_action_info_t *nat_action_info,
2078901a	97	long long now, uint32_t tp_id);
1fe178d2	98	void conntrack_clear(struct dp_packet *packet);
4d4e68ed DDP	99
	100	struct conntrack_dump {
	101	struct conntrack *ct;
	102	unsigned bucket;
967bb5c5	103	struct cmap_position cm_pos;
4d4e68ed DDP	104	bool filter_zone;
	105	uint16_t zone;
	106	};
	107
a7f33fdb DB	108	struct conntrack_zone_limit {
	109	int32_t zone;
	110	uint32_t limit;
	111	uint32_t count;
	112	uint32_t zone_limit_seq; /* Used to disambiguate zone limit counts. */
	113	};
	114
2078901a WT	115	struct timeout_policy {
	116	struct hmap_node node;
	117	struct ct_dpif_timeout_policy policy;
	118	};
	119
a7f33fdb DB	120	enum {
	121	INVALID_ZONE = -2,
	122	DEFAULT_ZONE = -1, /* Default zone for zone limit management. */
	123	MIN_ZONE = 0,
	124	MAX_ZONE = 0xFFFF,
	125	};
	126
4d4e68ed	127	struct ct_dpif_entry;
271e48a0	128	struct ct_dpif_tuple;
4d4e68ed DDP	129
4d4e68ed DDP	130	int conntrack_dump_start(struct conntrack , struct conntrack_dump ,
ded30c74	131	const uint16_t pzone, int );
4d4e68ed DDP	132	int conntrack_dump_next(struct conntrack_dump , struct ct_dpif_entry );
4d4e68ed DDP	133	int conntrack_dump_done(struct conntrack_dump *);
5d9cbb4c DDP	134
5d9cbb4c DDP	135	int conntrack_flush(struct conntrack , const uint16_t zone);
271e48a0 YHW	136	int conntrack_flush_tuple(struct conntrack , const struct ct_dpif_tuple ,
271e48a0 YHW	137	uint16_t zone);
c92339ad DB	138	int conntrack_set_maxconns(struct conntrack *ct, uint32_t maxconns);
c92339ad DB	139	int conntrack_get_maxconns(struct conntrack ct, uint32_t maxconns);
875075b3	140	int conntrack_get_nconns(struct conntrack ct, uint32_t nconns);
64207120 DB	141	int conntrack_set_tcp_seq_chk(struct conntrack *ct, bool enabled);
64207120 DB	142	bool conntrack_get_tcp_seq_chk(struct conntrack *ct);
4ea96698	143	struct ipf conntrack_ipf_ctx(struct conntrack ct);
a7f33fdb DB	144	struct conntrack_zone_limit zone_limit_get(struct conntrack *ct,
	145	int32_t zone);
	146	int zone_limit_update(struct conntrack *ct, int32_t zone, uint32_t limit);
	147	int zone_limit_delete(struct conntrack *ct, uint16_t zone);
a489b168	148	\f
a489b168	149	#endif /* conntrack.h */