1 /*
2 * Copyright (c) 2015-2019 Nicira, Inc.
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at:
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #ifndef CONNTRACK_PRIVATE_H
18 #define CONNTRACK_PRIVATE_H 1
19
20 #include <sys/types.h>
21 #include <netinet/in.h>
22 #include <netinet/ip6.h>
23
24 #include "cmap.h"
25 #include "conntrack.h"
26 #include "ct-dpif.h"
27 #include "ipf.h"
28 #include "openvswitch/hmap.h"
29 #include "openvswitch/list.h"
30 #include "openvswitch/types.h"
31 #include "packets.h"
32 #include "unaligned.h"
33 #include "dp-packet.h"
34
/* One end (source or destination) of a tracked connection.
 *
 * 'addr' is the L3 address.  The anonymous union is the L4 part: 'port' for
 * port-based protocols, or the echo identifier plus message type and code for
 * ICMP.  The union occupies exactly 4 bytes either way and the struct has no
 * padding (see the BUILD_ASSERT_DECL that follows).
 *
 * NOTE(review): when 'port' is the active member, the two trailing bytes of
 * the union are still part of the object.  If ct_endpoint_hash_add() hashes
 * the raw bytes, key-extraction code must zero the whole endpoint before
 * filling it in, otherwise stale bytes would change the hash and make equal
 * keys compare unequal -- confirm in conntrack.c. */
struct ct_endpoint {
    union ct_addr addr;
    union {
        ovs_be16 port;
        struct {
            ovs_be16 icmp_id;
            uint8_t icmp_type;
            uint8_t icmp_code;
        };
    };
};
46
/* Verify that there is no padding in struct ct_endpoint, to facilitate
 * hashing in ct_endpoint_hash_add().  Padding bytes have indeterminate
 * contents, so if the hash covers the raw bytes of the struct, two equal
 * endpoints could otherwise hash differently.  The non-address part must be
 * exactly 4 bytes: ovs_be16 + uint8_t + uint8_t. */
BUILD_ASSERT_DECL(sizeof(struct ct_endpoint) == sizeof(union ct_addr) + 4);
50
/* Connection lookup key: the two endpoints plus the Ethernet type, the
 * conntrack zone and the IP protocol.
 *
 * Changes to this structure need to be reflected in conn_key_hash()
 * and conn_key_cmp().
 *
 * NOTE(review): unlike struct ct_endpoint, nothing asserts that this struct
 * is padding-free (the trailing uint8_t is likely followed by padding), so
 * conn_key_hash()/conn_key_cmp() presumably work field by field rather than
 * on the raw bytes -- confirm before adding a raw-memory comparison. */
struct conn_key {
    struct ct_endpoint src;
    struct ct_endpoint dst;

    ovs_be16 dl_type;       /* Ethernet type, network byte order. */
    uint16_t zone;          /* Conntrack zone. */
    uint8_t nw_proto;       /* IP protocol number. */
};
61
/* This is used for alg expectations; an expectation is a
 * context created in preparation for establishing a data
 * connection.  The expectation is created by the control
 * connection (e.g. an FTP command channel, see the ALG comments in
 * struct conntrack).  The fields below carry what the data connection
 * needs: its own key, the key of the control connection it belongs to,
 * the NAT replacement address, and the label/mark it inherits. */
struct alg_exp_node {
    /* Node in alg_expectations. */
    struct hmap_node node;
    /* Node in alg_expectation_refs. */
    struct hindex_node node_ref;
    /* Key of data connection to be created. */
    struct conn_key key;
    /* Corresponding key of the control connection. */
    struct conn_key master_key;
    /* The NAT replacement address to be used by the data connection. */
    union ct_addr alg_nat_repl_addr;
    /* The data connection inherits the master control
     * connection label and mark. */
    ovs_u128 master_label;
    uint32_t master_mark;
    /* True if for NAT application, the alg replaces the dest address;
     * otherwise, the source address is replaced. */
    bool nat_rpl_dst;
};
85
/* Kind of 'struct conn' entry.  CT_CONN_TYPE_UN_NAT presumably marks the
 * reverse ("un-NAT") entry paired with a NATed connection via 'nat_conn' in
 * struct conn; every other entry is CT_CONN_TYPE_DEFAULT.  OVS_PACKED_ENUM
 * keeps the field small since it is stored in every conn. */
enum OVS_PACKED_ENUM ct_conn_type {
    CT_CONN_TYPE_DEFAULT,
    CT_CONN_TYPE_UN_NAT,
};
90
/* A tracked connection.
 *
 * Fields in the "Immutable data" sections are set when the conn is created
 * and never change afterwards, so (per the 'lock' comment below) they are not
 * covered by 'lock'.  Fields in the "Mutable data" sections are guarded by
 * 'lock'.  See the lock acquisition order comment later in this file. */
struct conn {
    /* Immutable data. */
    struct conn_key key;        /* Lookup key, original direction. */
    struct conn_key rev_key;    /* Lookup key, reply direction. */
    struct conn_key master_key; /* Only used for orig_tuple support. */
    struct ovs_list exp_node;   /* Node in one of conntrack's 'exp_lists'. */
    struct cmap_node cm_node;   /* Node in conntrack's 'conns'. */
    struct nat_action_info_t *nat_info; /* NAT action; presumably NULL when
                                         * the connection is not NATed. */
    char *alg;                  /* ALG name, if any -- confirm in conntrack.c. */
    struct conn *nat_conn; /* The NAT 'conn' context, if there is one. */

    /* Mutable data. */
    struct ovs_mutex lock; /* Guards all mutable fields. */
    ovs_u128 label;
    long long expiration;  /* Absolute expiry time, same clock as 'now'. */
    uint32_t mark;
    int seq_skew;          /* TCP sequence adjustment; see 'seq_skew_dir'. */

    /* Immutable data. */
    int32_t admit_zone; /* The zone for managing zone limit counts. */
    uint32_t zone_limit_seq; /* Used to disambiguate zone limit counts. */

    /* Mutable data. */
    bool seq_skew_dir; /* TCP sequence skew direction due to NATTing of FTP
                        * control messages; true if reply direction. */
    bool cleaned; /* True if cleaned from expiry lists. */

    /* Immutable data. */
    bool alg_related; /* True if alg data connection. */
    enum ct_conn_type conn_type;

    uint32_t tp_id; /* Timeout policy ID. */
};
124
/* Result of a ct_l4_proto 'conn_update' callback.  The per-value comments
 * only paraphrase the names; the exact handling (in particular how
 * CT_UPDATE_VALID_NEW differs from CT_UPDATE_NEW) is decided by the callers
 * in conntrack.c -- confirm there before relying on this summary. */
enum ct_update_res {
    CT_UPDATE_INVALID,    /* Packet not acceptable for this connection. */
    CT_UPDATE_VALID,      /* Packet accepted for the existing connection. */
    CT_UPDATE_NEW,        /* Packet should start a new connection. */
    CT_UPDATE_VALID_NEW,  /* Packet valid and also starts a new connection. */
};
131
/* Timeouts: all the possible timeout states passed to update_expiration()
 * are listed here (X-macro).  Each name is prefixed with CT_TM_ when
 * expanded into enum ct_timeout below; the corresponding timeout values,
 * in milliseconds, are defined elsewhere.  The order here fixes the order of
 * the enumerators and therefore of conntrack's 'exp_lists'. */
#define CT_TIMEOUTS \
    CT_TIMEOUT(TCP_FIRST_PACKET) \
    CT_TIMEOUT(TCP_OPENING) \
    CT_TIMEOUT(TCP_ESTABLISHED) \
    CT_TIMEOUT(TCP_CLOSING) \
    CT_TIMEOUT(TCP_FIN_WAIT) \
    CT_TIMEOUT(TCP_CLOSED) \
    CT_TIMEOUT(OTHER_FIRST) \
    CT_TIMEOUT(OTHER_MULTIPLE) \
    CT_TIMEOUT(OTHER_BIDIR) \
    CT_TIMEOUT(ICMP_FIRST) \
    CT_TIMEOUT(ICMP_REPLY)
147
/* Timeout states: one enumerator CT_TM_<NAME> per CT_TIMEOUT() entry in
 * CT_TIMEOUTS, in the same order.  The enumerators index conntrack's
 * 'exp_lists' array; N_CT_TM is the number of states and must stay last. */
enum ct_timeout {
#define CT_TIMEOUT(NAME) CT_TM_##NAME,
    CT_TIMEOUTS
#undef CT_TIMEOUT
    N_CT_TM
};
154
/* A connection tracker instance.  See the lock acquisition order comment
 * that follows this struct before taking more than one of its locks. */
struct conntrack {
    struct ovs_mutex ct_lock; /* Protects the four OVS_GUARDED fields that
                               * follow (up to, not including, 'hash_basis'). */
    struct cmap conns OVS_GUARDED;                  /* All tracked conns. */
    struct ovs_list exp_lists[N_CT_TM] OVS_GUARDED; /* Expiry list per
                                                     * timeout state. */
    struct hmap zone_limits OVS_GUARDED;
    struct hmap timeout_policies OVS_GUARDED;
    uint32_t hash_basis; /* Salt for hashing a connection key.  Expected to
                          * be randomized per instance so that bucket
                          * placement is not predictable to remote senders
                          * -- confirm in conntrack_init(). */
    pthread_t clean_thread; /* Periodically cleans up connection tracker. */
    struct latch clean_thread_exit; /* To destroy the 'clean_thread'. */

    /* Counting connections. */
    atomic_count n_conn; /* Number of connections currently tracked. */
    atomic_uint n_conn_limit; /* Max connections tracked. */

    /* Expectations for application level gateways (created by control
     * connections to help create data connections, e.g. for FTP). */
    struct ovs_rwlock resources_lock; /* Protects the two OVS_GUARDED fields
                                       * that follow. */
    struct hmap alg_expectations OVS_GUARDED; /* Holds struct
                                               * alg_exp_nodes. */
    struct hindex alg_expectation_refs OVS_GUARDED; /* For lookup from
                                                     * control context. */

    struct ipf *ipf; /* Fragmentation handling context. */
    uint32_t zone_limit_seq; /* Used to disambiguate zone limit counts. */
    atomic_bool tcp_seq_chk; /* Check TCP sequence numbers. */
};
181
/* Lock acquisition order.  Always take locks in this order and never acquire
 * an earlier one while holding a later one, otherwise threads can deadlock:
 * 1. 'ct_lock'
 * 2. 'conn->lock'
 * 3. 'resources_lock'
 */
187
/* Per-L4-protocol handler tables (instances of struct ct_l4_proto, declared
 * below); the definitions live elsewhere in the conntrack implementation. */
extern struct ct_l4_proto ct_proto_tcp;
extern struct ct_l4_proto ct_proto_other;   /* Any non-TCP, non-ICMP L4. */
extern struct ct_l4_proto ct_proto_icmp4;
extern struct ct_l4_proto ct_proto_icmp6;
192
/* Per-L4-protocol hooks used by the connection tracker; the ct_proto_*
 * objects above are instances of this struct. */
struct ct_l4_proto {
    /* Creates a tracked connection for 'pkt', first seen at time 'now',
     * using timeout policy 'tp_id'.  Whether NULL can be returned is not
     * visible here -- check the implementations before dereferencing. */
    struct conn *(*new_conn)(struct conntrack *ct, struct dp_packet *pkt,
                             long long now, uint32_t tp_id);
    /* Returns true if 'pkt' may open a new connection. */
    bool (*valid_new)(struct dp_packet *pkt);
    /* Updates 'conn' with 'pkt', seen at time 'now'; 'reply' is true when
     * the packet travels in the reply direction.  See enum ct_update_res. */
    enum ct_update_res (*conn_update)(struct conntrack *ct, struct conn *conn,
                                      struct dp_packet *pkt, bool reply,
                                      long long now);
    /* Fills in the protocol-specific state of 'conn' for ct-dpif reporting. */
    void (*conn_get_protoinfo)(const struct conn *,
                               struct ct_dpif_protoinfo *);
};
203
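/* Returns the number of TCP payload bytes in 'pkt': the bytes between the end
 * of the TCP header and the packet tail, not counting the trailing L2 padding
 * recorded in the packet.  Returns 0 when dp_packet_get_tcp_payload() reports
 * no TCP payload (NULL).
 *
 * The pointer difference is only converted to uint32_t after checking that
 * the payload end is not before the payload start.  dp_packet_get_tcp_payload()
 * is expected to have validated the header bounds already, so the clamp
 * should never trigger; it is kept because an inconsistent L2 pad size would
 * otherwise wrap a negative difference into a huge length. */
static inline uint32_t
tcp_payload_length(struct dp_packet *pkt)
{
    const char *tcp_payload = dp_packet_get_tcp_payload(pkt);
    if (!tcp_payload) {
        return 0;
    }

    /* End of the payload: the packet tail minus any trailing L2 padding. */
    const char *payload_end = (const char *) dp_packet_tail(pkt)
                              - dp_packet_l2_pad_size(pkt);
    if (payload_end <= tcp_payload) {
        return 0;   /* Empty payload or inconsistent padding: never wrap. */
    }
    return (uint32_t) (payload_end - tcp_payload);
}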
215
216 #endif /* conntrack-private.h */