1 /*
2 * Copyright (c) 2015-2019 Nicira, Inc.
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at:
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #ifndef CONNTRACK_PRIVATE_H
18 #define CONNTRACK_PRIVATE_H 1
19
20 #include <sys/types.h>
21 #include <netinet/in.h>
22 #include <netinet/ip6.h>
23
24 #include "cmap.h"
25 #include "conntrack.h"
26 #include "ct-dpif.h"
27 #include "ipf.h"
28 #include "openvswitch/hmap.h"
29 #include "openvswitch/list.h"
30 #include "openvswitch/types.h"
31 #include "packets.h"
32 #include "unaligned.h"
33 #include "dp-packet.h"
34
/* One side (source or destination) of a tracked connection: an L3 address
 * plus the L4 identifier.  For TCP and the other port-based protocols the
 * identifier is 'port'; for ICMP it is the (id, type, code) triple.  The two
 * forms share storage, so 'port' and 'icmp_id' alias each other -- code that
 * reads 'port' on an ICMP key sees the ICMP id.  This struct is embedded in
 * struct conn_key and hashed, which is why its layout is pinned below. */
struct ct_endpoint {
    union ct_addr addr;
    union {
        ovs_be16 port;          /* Network byte order. */
        struct {
            ovs_be16 icmp_id;   /* Overlays 'port'. */
            uint8_t icmp_type;
            uint8_t icmp_code;
        };
    };
};
46
/* ct_endpoint_hash_add() is expected to hash the endpoint as one flat byte
 * range, so any compiler-inserted padding would feed uninitialized bytes into
 * the hash and let equal keys hash differently.  Pin the layout: the address,
 * then exactly one 16-bit port/id and two 8-bit ICMP fields, nothing else. */
BUILD_ASSERT_DECL(sizeof(struct ct_endpoint)
                  == sizeof(union ct_addr) + sizeof(ovs_be16)
                     + 2 * sizeof(uint8_t));
50
/* The tuple that identifies a connection in one direction: both endpoints,
 * the ethertype, the conntrack zone and the IP protocol.
 *
 * Changes to this structure need to be reflected in conn_key_hash()
 * and conn_key_cmp().  Unlike struct ct_endpoint there is no padding
 * assertion here: 'nw_proto' leaves tail padding, so hashing and comparison
 * must be field-wise.  NOTE(review): confirm those helpers never hash or
 * memcmp() the whole struct; if they do, every place that builds a key must
 * zero it first or lookups become non-deterministic. */
struct conn_key {
    struct ct_endpoint src;
    struct ct_endpoint dst;

    ovs_be16 dl_type;       /* Ethertype, network byte order (presumably IPv4
                             * or IPv6 given the handlers in this file). */
    uint16_t zone;          /* Conntrack zone; part of the key, so the same
                             * tuple in two zones is two connections. */
    uint8_t nw_proto;       /* IP protocol number; also indexes l4_protos[]. */
};
61
/* 'nw_proto' is used directly as an index into l4_protos[]: keeping it to a
 * single byte bounds the index to 0..255, which is what lets a 256-entry
 * table be indexed without a range check.  NOTE(review): confirm the table
 * really has 256 slots (or that the lookup checks) in conntrack.c. */
BUILD_ASSERT_DECL(MEMBER_SIZEOF(struct conn_key, nw_proto) == 1);
64
/* This is used for alg (application level gateway) expectations; an
 * expectation is a context created in preparation for establishing a data
 * connection.  The expectation is created by the control connection (e.g.
 * an FTP command channel announcing an upcoming data channel) and lives in
 * conntrack's 'alg_expectations' / 'alg_expectation_refs' tables. */
struct alg_exp_node {
    /* Node in alg_expectations. */
    struct hmap_node node;
    /* Node in alg_expectation_refs. */
    struct hindex_node node_ref;
    /* Key of data connection to be created. */
    struct conn_key key;
    /* Corresponding key of the control connection. */
    struct conn_key parent_key;
    /* The NAT replacement address to be used by the data connection. */
    union ct_addr alg_nat_repl_addr;
    /* The data connection inherits the parent control
     * connection label and mark. */
    ovs_u128 parent_label;
    uint32_t parent_mark;
    /* True if for NAT application, the alg replaces the dest address;
     * otherwise, the source address is replaced.  Because it is stored on
     * the expectation, the side to rewrite is fixed when the expectation is
     * created, not when the data connection shows up. */
    bool nat_rpl_dst;
};
88
/* Role of a 'struct conn' in the connection table (a packed enum, per the
 * macro, so it stays small inside struct conn). */
enum OVS_PACKED_ENUM ct_conn_type {
    CT_CONN_TYPE_DEFAULT = 0,   /* The primary entry for a connection. */
    CT_CONN_TYPE_UN_NAT = 1,    /* The companion entry reached through
                                 * conn->nat_conn.  NOTE(review): exact
                                 * role inferred from the name; see
                                 * conntrack.c. */
};
93
/* One tracked connection.  Fields under "Immutable data" are fixed once the
 * entry is created; 'lock' guards only the "Mutable data" fields, which change
 * as packets are processed. */
struct conn {
    /* Immutable data. */
    struct conn_key key;            /* Key in the originating direction. */
    struct conn_key rev_key;        /* Key in the reverse direction. */
    struct conn_key parent_key;     /* Only used for orig_tuple support. */
    struct ovs_list exp_node;       /* Node in one of conntrack's exp_lists[]. */
    struct cmap_node cm_node;       /* Node in conntrack's 'conns'. */
    struct nat_action_info_t *nat_info; /* NAT parameters for this connection
                                         * (NOTE(review): presumably NULL when
                                         * no NAT applies; confirm). */
    char *alg;                      /* ALG name, if this is an ALG connection. */
    struct conn *nat_conn;          /* The NAT 'conn' context, if there is one. */

    /* Mutable data. */
    struct ovs_mutex lock;          /* Guards all mutable fields. */
    ovs_u128 label;                 /* Connection label. */
    long long expiration;           /* Time at which the connection expires,
                                     * compared against the 'now' passed to
                                     * the ct_l4_proto callbacks (presumably
                                     * milliseconds, matching CT_TIMEOUTS). */
    uint32_t mark;                  /* Connection mark. */
    int seq_skew;                   /* TCP sequence adjustment introduced by
                                     * NATting FTP control messages. */

    /* Immutable data. */
    int32_t admit_zone;             /* The zone for managing zone limit counts. */
    uint32_t zone_limit_seq;        /* Used to disambiguate zone limit counts. */

    /* Mutable data. */
    bool seq_skew_dir;              /* TCP sequence skew direction due to NATting
                                     * of FTP control messages; true if reply
                                     * direction. */
    bool cleaned;                   /* True if cleaned from expiry lists. */

    /* Immutable data. */
    bool alg_related;               /* True if alg data connection. */
    enum ct_conn_type conn_type;    /* See enum ct_conn_type. */

    uint32_t tp_id;                 /* Timeout policy ID. */
};
127
/* Result of ct_l4_proto->conn_update(): the protocol handler's verdict on a
 * packet matched against an existing connection.  The names are the only
 * documentation visible here; the precise semantics live in conntrack.c and
 * the per-protocol conn_update() implementations. */
enum ct_update_res {
    CT_UPDATE_INVALID = 0,      /* Packet does not fit the connection state. */
    CT_UPDATE_VALID = 1,        /* Packet accepted for the existing connection. */
    CT_UPDATE_NEW = 2,          /* Packet should be treated as a new connection. */
    CT_UPDATE_VALID_NEW = 3,    /* Valid and also starts a new connection
                                 * (NOTE(review): inferred from the name). */
};
134
/* Timeouts: all the possible timeout states passed to update_expiration()
 * are listed here.  Each NAME becomes the enumerator CT_TM_<NAME> of
 * 'enum ct_timeout' below, and the timeout durations associated with these
 * states are expressed in milliseconds.
 *
 * Order matters: CT_TIMEOUT() is expanded positionally, so the enumerator
 * values -- and with them the index into conntrack's exp_lists[] -- follow
 * the order of this list.  Reordering or inserting entries changes every
 * value after the change. */
#define CT_TIMEOUTS \
    CT_TIMEOUT(TCP_FIRST_PACKET) \
    CT_TIMEOUT(TCP_OPENING) \
    CT_TIMEOUT(TCP_ESTABLISHED) \
    CT_TIMEOUT(TCP_CLOSING) \
    CT_TIMEOUT(TCP_FIN_WAIT) \
    CT_TIMEOUT(TCP_CLOSED) \
    CT_TIMEOUT(OTHER_FIRST) \
    CT_TIMEOUT(OTHER_MULTIPLE) \
    CT_TIMEOUT(OTHER_BIDIR) \
    CT_TIMEOUT(ICMP_FIRST) \
    CT_TIMEOUT(ICMP_REPLY)
150
/* One enumerator per CT_TIMEOUTS entry, named CT_TM_<NAME>, in list order
 * (so CT_TM_TCP_FIRST_PACKET is 0).  N_CT_TM is the number of states and
 * sizes 'exp_lists' in struct conntrack. */
enum ct_timeout {
#define CT_TIMEOUT(NAME) CT_TM_##NAME,
    CT_TIMEOUTS
#undef CT_TIMEOUT
    N_CT_TM
};
157
/* State of one connection tracker.  See the lock acquisition order noted
 * after this struct before taking more than one of its locks. */
struct conntrack {
    struct ovs_mutex ct_lock;   /* Protects the OVS_GUARDED fields that follow,
                                 * 'conns' through 'timeout_policies'. */
    struct cmap conns OVS_GUARDED;      /* All tracked 'struct conn', linked
                                         * through conn->cm_node. */
    struct ovs_list exp_lists[N_CT_TM] OVS_GUARDED; /* One expiry list per
                                                     * timeout state. */
    struct hmap zone_limits OVS_GUARDED;        /* Per-zone connection limits. */
    struct hmap timeout_policies OVS_GUARDED;   /* Timeout policies, found by
                                                 * conn->tp_id (presumably). */
    uint32_t hash_basis;        /* Salt for hashing a connection key.
                                 * NOTE(review): presumably randomized at
                                 * init so remote hosts cannot pre-compute
                                 * keys that collide in 'conns'; confirm in
                                 * the init path. */
    pthread_t clean_thread;     /* Periodically cleans up connection tracker. */
    struct latch clean_thread_exit; /* To destroy the 'clean_thread'. */

    /* Counting connections. */
    atomic_count n_conn;        /* Number of connections currently tracked. */
    atomic_uint n_conn_limit;   /* Max connections tracked; bounds the state a
                                 * flood of new flows can pin in 'conns'. */

    /* Expectations for application level gateways (created by control
     * connections to help create data connections, e.g. for FTP). */
    struct ovs_rwlock resources_lock; /* Protects fields below. */
    struct hmap alg_expectations OVS_GUARDED; /* Holds struct
                                               * alg_exp_nodes. */
    struct hindex alg_expectation_refs OVS_GUARDED; /* For lookup from
                                                     * control context. */

    struct ipf *ipf;            /* Fragmentation handling context. */
    uint32_t zone_limit_seq;    /* Used to disambiguate zone limit counts. */
    atomic_bool tcp_seq_chk;    /* Check TCP sequence numbers.  Atomic because it
                                 * is read on the packet path and toggled from
                                 * elsewhere; turning it off accepts segments
                                 * the window check would otherwise reject
                                 * (NOTE(review): effect inferred from the
                                 * name; see the TCP handler). */
};
184
185 /* Lock acquisition order:
186 * 1. 'ct_lock'
187 * 2. 'conn->lock'
188 * 3. 'resources_lock'
189 */
190
/* The L4 protocol handlers; their definitions live outside this header.
 * 'struct ct_l4_proto' itself is defined just below -- an extern declaration
 * of a not-yet-complete struct type is fine in C.  conntrack.c is expected to
 * pick one of these by conn_key.nw_proto via l4_protos[] (see the assertion
 * on nw_proto above). */
extern struct ct_l4_proto ct_proto_tcp;
extern struct ct_l4_proto ct_proto_other;   /* Fallback for protocols without
                                             * a dedicated handler. */
extern struct ct_l4_proto ct_proto_icmp4;
extern struct ct_l4_proto ct_proto_icmp6;
195
/* Per-L4-protocol operations; one instance exists for each handler declared
 * above (tcp, other, icmp4, icmp6). */
struct ct_l4_proto {
    /* Creates the 'struct conn' for 'pkt', the first packet of a new
     * connection, with 'now' as the creation time and 'tp_id' as its timeout
     * policy.  NOTE(review): whether this can return NULL is not visible
     * here; check the handlers before dereferencing without a test. */
    struct conn *(*new_conn)(struct conntrack *ct, struct dp_packet *pkt,
                             long long now, uint32_t tp_id);
    /* Returns true if 'pkt' may legitimately open a new connection (for TCP
     * presumably only a SYN qualifies; see the TCP handler). */
    bool (*valid_new)(struct dp_packet *pkt);
    /* Advances 'conn' for 'pkt' -- 'reply' is true when the packet travels in
     * the reply direction -- and reports the verdict as an enum ct_update_res. */
    enum ct_update_res (*conn_update)(struct conntrack *ct, struct conn *conn,
                                      struct dp_packet *pkt, bool reply,
                                      long long now);
    /* Fills in the protocol-specific state exported through ct-dpif. */
    void (*conn_get_protoinfo)(const struct conn *,
                               struct ct_dpif_protoinfo *);
};
206
/* Returns the number of TCP payload bytes in 'pkt': the distance from the end
 * of the TCP header to the end of the packet data, excluding any L2 padding.
 * Returns 0 when dp_packet_get_tcp_payload() yields no payload pointer.
 *
 * The subtraction is only meaningful if dp_packet_get_tcp_payload() never
 * returns a pointer past 'tail - l2_pad'; otherwise the difference goes
 * negative and wraps on conversion to uint32_t.  NOTE(review): that contract
 * lives in dp-packet.h (the data-offset check there) -- confirm it before
 * using this value as a bound for a copy. */
static inline uint32_t
tcp_payload_length(struct dp_packet *pkt)
{
    const char *payload = dp_packet_get_tcp_payload(pkt);

    if (!payload) {
        return 0;
    }

    /* dp_packet_tail() still covers the L2 pad; measure up to the real end. */
    const char *data_end = (const char *) dp_packet_tail(pkt)
                           - dp_packet_l2_pad_size(pkt);
    return data_end - payload;
}
218
219 #endif /* conntrack-private.h */