adl: move allow/deny list function to plugin

Provide binary API compatibility support for the "cop" APIs until vpp 21.01. Change the deprecation date in map.api to vpp 21.01. Type: refactor Signed-off-by: Dave Barach <dave@barachs.net> Change-Id: I0e60d96de4ae9ae4448f134cf257934126f3b760
2020-07-14 18:30:05 -04:00
parent 9a0f2a5e7f
commit ac0326fc5a
20 changed files with 1387 additions and 725 deletions
@@ -0,0 +1,31 @@
+# Copyright (c) 2020 Cisco Systems and/or its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+add_vpp_plugin(adl
+  SOURCES
+  adl_api.c
+  adl.c
+  adl.h
+  ip4_allowlist.c
+  ip6_allowlist.c
+  node.c
+
+  MULTIARCH_SOURCES
+  node.c
+
+  API_FILES
+  adl.api
+
+  API_TEST_SOURCES
+  adl_test.c
+)
@@ -0,0 +1,11 @@
+---
+name: ADL
+maintainer: Dave Barach <dave@barachs.net>
+features:
+  - v4, v6 non-default FIB src-address lookup
+  - Drop packets which don't hit a receive adjacency
+  - Not widely used
+
+description: "A very simple / fast source-address allow/deny list feature"
+state: experimental
+properties: [API, CLI, MULTITHREAD]
@@ -0,0 +1,63 @@
+/*
+ * Copyright (c) 2020 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+option version = "0.0.1";
+
+import "vnet/interface_types.api";
+
+ /** \brief adl: enable/disable filtration features on an interface
+    @param client_index - opaque cookie to identify the sender
+    @param context - sender context, to match reply w/ request
+    @param sw_if_inded - desired interface
+    @param enable_disable - 1 => enable, 0 => disable
+*/
+
+autoreply define adl_interface_enable_disable
+{
+  u32 client_index;
+  u32 context;
+  vl_api_interface_index_t sw_if_index;
+  bool enable_disable;
+};
+
+/** \brief adl: enable/disable allow list filtration features on an interface
+    Note: the supplied fib_id must match in order to remove the feature!
+
+    @param client_index - opaque cookie to identify the sender
+    @param context - sender context, to match reply w/ request
+    @param sw_if_index - interface handle, physical interfaces only
+    @param fib_id - fib identifier for the allow/deny fib
+    @param ip4 - 1 => enable ip4 filtration, 0=> disable ip4 filtration
+    @param ip6 - 1 => enable ip6 filtration, 0=> disable ip6 filtration
+    @param default_adl -  1 => enable non-ip4, non-ip6 filtration
+                          0 => disable it
+*/
+
+autoreply define adl_allowlist_enable_disable
+{
+  u32 client_index;
+  u32 context;
+  vl_api_interface_index_t sw_if_index;
+  u32 fib_id;
+  bool ip4;
+  bool ip6;
+  bool default_adl;
+};
+
+ /*
+ * Local Variables:
+ * eval: (c-set-style "gnu")
+ * End:
+ */
@@ -0,0 +1,114 @@
+/*
+ * Copyright (c) 2016,2020 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef __vnet_adl_h__
+#define __vnet_adl_h__
+
+#include <vlib/vlib.h>
+#include <vnet/vnet.h>
+#include <vnet/pg/pg.h>
+
+#include <vppinfra/error.h>
+#include <vppinfra/hash.h>
+#include <vnet/vnet.h>
+#include <vnet/ip/ip.h>
+#include <vnet/l2/l2_input.h>
+#include <vnet/ethernet/ethernet.h>
+#include <vnet/ip/ip4_packet.h>
+#include <vnet/ip/ip6_packet.h>
+
+typedef enum {
+  VNET_ADL_IP4,
+  VNET_ADL_IP6,
+  VNET_ADL_DEFAULT,
+  VNET_N_ADLS,
+} vnet_adl_t;
+
+typedef enum {
+  /* First check src address against allowlist */
+  IP4_RX_ADL_ALLOWLIST,
+  IP6_RX_ADL_ALLOWLIST,
+  DEFAULT_RX_ADL_ALLOWLIST,
+
+  /* Pkts not otherwise dropped go to xxx-input */
+  IP4_RX_ADL_INPUT,
+  IP6_RX_ADL_INPUT,
+  DEFAULT_RX_ADL_INPUT,
+
+  /* Going, going, gone... */
+  RX_ADL_DROP,
+
+  ADL_RX_N_FEATURES,
+} adl_feature_type_t;
+
+typedef struct {
+  vnet_config_main_t config_main;
+  u32 * config_index_by_sw_if_index;
+} adl_config_main_t;
+
+typedef struct {
+  u32 fib_index;
+} adl_config_data_t;
+
+typedef struct {
+  adl_config_main_t adl_config_mains[VNET_N_ADLS];
+
+  u16 msg_id_base;
+
+  /* convenience */
+  vlib_main_t * vlib_main;
+  vnet_main_t * vnet_main;
+} adl_main_t;
+
+extern adl_main_t adl_main;
+
+extern vlib_node_registration_t adl_input_node;
+
+int adl_interface_enable_disable (u32 sw_if_index, int enable_disable);
+
+typedef struct {
+  u32 sw_if_index;
+  u8 ip4;
+  u8 ip6;
+  u8 default_adl;
+  u32 fib_id;
+} adl_allowlist_enable_disable_args_t;
+
+int adl_allowlist_enable_disable (adl_allowlist_enable_disable_args_t *a);
+
+/* Plugin private opaque union type */
+typedef struct {
+    /* MUST be in sync with .../src/vnet/buffer.h */
+    u32 sw_if_index[VLIB_N_RX_TX];
+    i16 l2_hdr_offset;
+    i16 l3_hdr_offset;
+    i16 l4_hdr_offset;
+    u8 feature_arc_index;
+    u8 dont_waste_me;
+    /* end of must be in sync with .../src/vnet/buffer.h */
+    union
+    {
+        /* COP - configurable junk filter(s) */
+        struct
+        {
+            /* Current configuration index. */
+            u32 current_config_index;
+        } adl;
+    };
+} adl_buffer_opaque_t;
+
+#define adl_buffer(b) ((adl_buffer_opaque_t *) (b)->opaque)
+
+#endif /* __vnet_adl_h__ */
@@ -0,0 +1,136 @@
+/*
+ *------------------------------------------------------------------
+ * adl_api.c - adl api
+ *
+ * Copyright (c) 2016,2020 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *------------------------------------------------------------------
+ */
+
+#include <vnet/vnet.h>
+#include <vnet/plugin/plugin.h>
+#include <adl/adl.h>
+
+#include <vlibapi/api.h>
+#include <vlibmemory/api.h>
+#include <vpp/app/version.h>
+
+/* define message IDs */
+#include <vnet/format_fns.h>
+#include <adl/adl.api_enum.h>
+#include <adl/adl.api_types.h>
+
+#define vl_print(handle, ...) vlib_cli_output (handle, __VA_ARGS__)
+
+#define REPLY_MSG_ID_BASE am->msg_id_base
+#include <vlibapi/api_helper_macros.h>
+
+#define foreach_vpe_api_msg                                     \
+_(ADL_INTERFACE_ENABLE_DISABLE, adl_interface_enable_disable)   \
+_(ADL_LIST_ENABLE_DISABLE, adl_allowlist_enable_disable)
+
+/*
+ * Compatibility shim for the core engine cop_interface_enable_disable API,
+ * which will be deprecated in vpp 20.12.
+ */
+int vl_api_cop_interface_enable_disable_callback
+  (u32 sw_if_index, int enable_disable)
+{
+  return adl_interface_enable_disable (sw_if_index, enable_disable);
+}
+
+static void vl_api_adl_interface_enable_disable_t_handler
+  (vl_api_adl_interface_enable_disable_t * mp)
+{
+  adl_main_t *am = &adl_main;
+  vl_api_adl_interface_enable_disable_reply_t *rmp;
+  int rv;
+  u32 sw_if_index = ntohl (mp->sw_if_index);
+  int enable_disable;
+
+  VALIDATE_SW_IF_INDEX (mp);
+
+  enable_disable = (int) mp->enable_disable;
+
+  rv = adl_interface_enable_disable (sw_if_index, enable_disable);
+
+  BAD_SW_IF_INDEX_LABEL;
+
+  REPLY_MACRO (VL_API_ADL_INTERFACE_ENABLE_DISABLE_REPLY);
+}
+
+/*
+ * Compatibility shim for the core engine cop_whitelist_enable_disable API,
+ * which will be deprecated in vpp 20.12.
+ */
+int vl_api_cop_whitelist_enable_disable_callback
+  (adl_allowlist_enable_disable_args_t * a)
+{
+  return adl_allowlist_enable_disable (a);
+}
+
+static void vl_api_adl_allowlist_enable_disable_t_handler
+  (vl_api_adl_allowlist_enable_disable_t * mp)
+{
+  adl_main_t *am = &adl_main;
+  vl_api_adl_allowlist_enable_disable_reply_t *rmp;
+  adl_allowlist_enable_disable_args_t _a, *a = &_a;
+  u32 sw_if_index = ntohl (mp->sw_if_index);
+  int rv;
+
+  VALIDATE_SW_IF_INDEX (mp);
+
+  a->sw_if_index = sw_if_index;
+  a->ip4 = mp->ip4;
+  a->ip6 = mp->ip6;
+  a->default_adl = mp->default_adl;
+  a->fib_id = ntohl (mp->fib_id);
+
+  rv = adl_allowlist_enable_disable (a);
+
+  BAD_SW_IF_INDEX_LABEL;
+
+  REPLY_MACRO (VL_API_ADL_ALLOWLIST_ENABLE_DISABLE_REPLY);
+}
+
+#include <adl/adl.api.c>
+static clib_error_t *
+adl_api_init (vlib_main_t * vm)
+{
+  adl_main_t *am = &adl_main;
+  void register_vl_api_cop_interface_enable_disable_callback (void *);
+  void register_vl_api_cop_whitelist_enable_disable_callback (void *);
+
+  am->vlib_main = vm;
+
+  /* Ask for a correctly-sized block of API message decode slots */
+  am->msg_id_base = setup_message_id_table ();
+
+  /* Set up transitional API callbacks */
+  register_vl_api_cop_interface_enable_disable_callback
+    (vl_api_cop_interface_enable_disable_callback);
+  register_vl_api_cop_whitelist_enable_disable_callback
+    (vl_api_cop_whitelist_enable_disable_callback);
+
+  return 0;
+}
+
+VLIB_INIT_FUNCTION (adl_api_init);
+
+/*
+ * fd.io coding-style-patch-verification: ON
+ *
+ * Local Variables:
+ * eval: (c-set-style "gnu")
+ * End:
+ */
@@ -0,0 +1,153 @@
+/*
+ * adl.c - adl vpp-api-test plug-in
+ *
+ * Copyright (c) 2020 Cisco Systems and/or affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <vat/vat.h>
+#include <vlibapi/api.h>
+#include <vlibmemory/api.h>
+#include <vppinfra/error.h>
+#include <stdbool.h>
+
+#define __plugin_msg_base adl_test_main.msg_id_base
+#include <vlibapi/vat_helper_macros.h>
+
+uword unformat_sw_if_index (unformat_input_t * input, va_list * args);
+
+/* Declare message IDs */
+#include <adl/adl.api_enum.h>
+#include <adl/adl.api_types.h>
+
+typedef struct
+{
+  /* API message ID base */
+  u16 msg_id_base;
+  vat_main_t *vat_main;
+} adl_test_main_t;
+
+adl_test_main_t adl_test_main;
+
+static int
+api_adl_interface_enable_disable (vat_main_t * vam)
+{
+  unformat_input_t *i = vam->input;
+  int enable_disable = 1;
+  u32 sw_if_index = ~0;
+  vl_api_adl_interface_enable_disable_t *mp;
+  int ret;
+
+  /* Parse args required to build the message */
+  while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
+    {
+      if (unformat (i, "%U", unformat_sw_if_index, vam, &sw_if_index))
+	;
+      else if (unformat (i, "sw_if_index %d", &sw_if_index))
+	;
+      else if (unformat (i, "disable"))
+	enable_disable = 0;
+      else
+	break;
+    }
+
+  if (sw_if_index == ~0)
+    {
+      errmsg ("missing interface name / explicit sw_if_index number \n");
+      return -99;
+    }
+
+  /* Construct the API message */
+  M (ADL_INTERFACE_ENABLE_DISABLE, mp);
+  mp->sw_if_index = ntohl (sw_if_index);
+  mp->enable_disable = enable_disable;
+
+  /* send it... */
+  S (mp);
+
+  /* Wait for a reply... */
+  W (ret);
+  return ret;
+}
+
+static int
+api_adl_allowlist_enable_disable (vat_main_t * vam)
+{
+  unformat_input_t *i = vam->input;
+  u32 sw_if_index = ~0;
+  vl_api_adl_allowlist_enable_disable_t *mp;
+  u32 fib_id = ~0;
+  int ip4 = 0;
+  int ip6 = 0;
+  int default_adl = 0;
+  int ret;
+
+  /* Parse args required to build the message */
+  while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
+    {
+      if (unformat (i, "%U", unformat_sw_if_index, vam, &sw_if_index))
+	;
+      else if (unformat (i, "sw_if_index %d", &sw_if_index))
+	;
+      else if (unformat (i, "fib-id %d", &fib_id))
+	;
+      else if (unformat (i, "ip4"))
+	ip4 = 1;
+      else if (unformat (i, "ip6"))
+	ip6 = 1;
+      else if (unformat (i, "default"))
+	default_adl = 1;
+      else
+	break;
+    }
+
+  if (sw_if_index == ~0)
+    {
+      errmsg ("missing interface name / explicit sw_if_index number \n");
+      return -99;
+    }
+
+  if (fib_id == ~0)
+    {
+      errmsg ("FIB id must be specified...\n");
+      return -99;
+    }
+
+  /* Construct the API message */
+  M (ADL_ALLOWLIST_ENABLE_DISABLE, mp);
+  mp->sw_if_index = ntohl (sw_if_index);
+  mp->fib_id = ntohl (fib_id);
+  mp->ip4 = ip4;
+  mp->ip6 = ip6;
+  mp->default_adl = default_adl;
+
+  /* send it... */
+  S (mp);
+
+  /* Wait for a reply... */
+  W (ret);
+  return ret;
+}
+
+/*
+ * List of messages that the adl test plugin sends,
+ * and that the data plane plugin processes
+ */
+#include <adl/adl.api_test.c>
+
+/*
+ * fd.io coding-style-patch-verification: ON
+ *
+ * Local Variables:
+ * eval: (c-set-style "gnu")
+ * End:
+ */
@@ -0,0 +1,62 @@
+set term pag off
+
+loop create
+set int ip address loop0 192.168.1.1/24
+set int ip6 table loop0 0
+set int ip address loop0 2001:db01::1/64
+set int state loop0 up
+
+packet-generator new {
+    name ip4
+    limit 100
+    rate 0
+    size 128-128
+    interface loop0
+    node adl-input
+    data { IP4: 1.2.40 -> 3cfd.fed0.b6c8
+           UDP: 192.168.1.2-192.168.1.10 -> 192.168.2.1
+           UDP: 1234 -> 2345
+           incrementing 114
+    }
+}
+
+packet-generator new {
+    name ip6-allow
+    limit 50
+    rate 0
+    size 128-128
+    interface loop0
+    node adl-input
+    data { IP6: 1.2.40 -> 3cfd.fed0.b6c8
+           UDP: 2001:db01::2 -> 2001:db01::1
+           UDP: 1234 -> 2345
+           incrementing 80
+    }
+}
+
+packet-generator new {
+    name ip6-drop
+    limit 50
+    rate 0
+    size 128-128
+    interface loop0
+    node adl-input
+    data { IP6: 1.2.40 -> 3cfd.fed0.b6c8
+           UDP: 2001:db01::3 -> 2001:db01::1
+           UDP: 1234 -> 2345
+           incrementing 80
+    }
+}
+
+ip table 1
+ip route add 192.168.2.1/32 via drop
+ip route add table 1 192.168.1.2/32 via local
+
+ip6 table 1
+ip route add 2001:db01::1/128 via drop
+ip route add table 1 2001:db01::2/128 via local
+
+comment { bin adl_interface_enable_disable loop0 }
+comment { bin adl_allowlist_enable_disable loop0 fib-id 1 ip4 ip6 }
+uncomment {bin cop_interface_enable_disable loop0 }
+uncomment {bin cop_whitelist_enable_disable loop0 fib-id 1 ip4 ip6 }
@@ -0,0 +1,103 @@
+#!/usr/bin/env python3
+
+import unittest
+
+from framework import VppTestCase, VppTestRunner, running_gcov_tests
+from vpp_ip_route import VppIpTable, VppIpRoute, VppRoutePath
+
+
+class TestAdl(VppTestCase):
+    """ Allow/Deny Plugin Unit Test Cases """
+
+    @classmethod
+    def setUpClass(cls):
+        super(TestAdl, cls).setUpClass()
+
+    @classmethod
+    def tearDownClass(cls):
+        super(TestAdl, cls).tearDownClass()
+
+    def setUp(self):
+        super(TestAdl, self).setUp()
+
+    def tearDown(self):
+        super(TestAdl, self).tearDown()
+
+    def test_adl1_unittest(self):
+        """ Plugin API Test """
+        cmds = ["loop create\n",
+                "set int ip address loop0 192.168.1.1/24\n",
+                "set int ip6 table loop0 0\n",
+                "set int ip address loop0 2001:db01::1/64\n",
+                "set int state loop0 up\n",
+                "packet-generator new {\n"
+                " name ip4\n"
+                " limit 100\n"
+                " rate 0\n"
+                " size 128-128\n"
+                " interface loop0\n"
+                " node adl-input\n"
+                " data { IP4: 1.2.40 -> 3cfd.fed0.b6c8\n"
+                "        UDP: 192.168.1.2-192.168.1.10 -> 192.168.2.1\n"
+                "        UDP: 1234 -> 2345\n"
+                "        incrementing 114\n"
+                "       }\n"
+                " }\n",
+                "packet-generator new {\n"
+                " name ip6-allow\n"
+                " limit 50\n"
+                " rate 0\n"
+                " size 128-128\n"
+                " interface loop0\n"
+                " node adl-input\n"
+                " data { IP6: 1.2.40 -> 3cfd.fed0.b6c8\n"
+                "        UDP: 2001:db01::2 -> 2001:db01::1\n"
+                "        UDP: 1234 -> 2345\n"
+                "        incrementing 80\n"
+                "      }\n"
+                " }\n",
+                "packet-generator new {\n"
+                " name ip6-drop\n"
+                " limit 50\n"
+                " rate 0\n"
+                " size 128-128\n"
+                " interface loop0\n"
+                " node adl-input\n"
+                " data { IP6: 1.2.40 -> 3cfd.fed0.b6c8\n"
+                "        UDP: 2001:db01::3 -> 2001:db01::1\n"
+                "        UDP: 1234 -> 2345\n"
+                "        incrementing 80\n"
+                "      }\n"
+                " }\n",
+                "ip table 1\n",
+                "ip route add 192.168.2.1/32 via drop\n",
+                "ip route add table 1 192.168.1.2/32 via local\n",
+                "ip6 table 1\n",
+                "ip route add 2001:db01::1/128 via drop\n",
+                "ip route add table 1 2001:db01::2/128 via local\n",
+                "bin adl_interface_enable_disable loop0\n",
+                "bin adl_allowlist_enable_disable loop0 fib-id 1 ip4 ip6\n",
+                "pa en\n"]
+
+        for cmd in cmds:
+            r = self.vapi.cli_return_response(cmd)
+            if r.retval != 0:
+                if hasattr(r, 'reply'):
+                    self.logger.info(cmd + " FAIL reply " + r.reply)
+                else:
+                    self.logger.info(cmd + " FAIL retval " + str(r.retval))
+
+        total_pkts = self.statistics.get_err_counter(
+            "/err/adl-input/Allow/Deny packets processed")
+
+        self.assertEqual(total_pkts, 200)
+
+        ip4_allow = self.statistics.get_err_counter(
+            "/err/ip4-adl-allowlist/ip4 allowlist allowed")
+        self.assertEqual(ip4_allow, 12)
+        ip6_allow = self.statistics.get_err_counter(
+            "/err/ip6-adl-allowlist/ip6 allowlist allowed")
+        self.assertEqual(ip6_allow, 50)
+
+if __name__ == '__main__':
+    unittest.main(testRunner=VppTestRunner)