Merge branch 'dev' of github.com:alfred-bratterud/IncludeOS into dev

Author: AndreasAakesson

api/net/inet.hpp

@@ -20,7 +20,7 @@
 
 #include <chrono>
 #include <unordered_set>
-
+#include <list>
 #include <net/inet_common.hpp>
 #include <hw/mac_addr.hpp>
 #include <hw/nic.hpp>
@@ -48,6 +48,7 @@ namespace net {
     using resolve_func = delegate<void(typename IPv::addr, Error&)>;
     using Vip_list = std::unordered_set<typename IPV::addr>;
 
+
     ///
     /// NETWORK CONFIGURATION
     ///
@@ -113,6 +114,55 @@ namespace net {
     virtual bool is_valid_source(typename IPV::addr) = 0;
 
 
+    ///
+    /// PACKET FILTERING
+    ///
+
+    using Packetfilter = delegate<typename IPV::IP_packet_ptr(typename IPV::IP_packet_ptr, const Stack&)>;
+
+    struct Filter_chain {
+      std::list<Packetfilter> chain;
+      const char* name;
+
+      typename IPV::IP_packet_ptr operator()(typename IPV::IP_packet_ptr pckt, const Stack& stack) {
+        int i = 0;
+        for (auto filter : chain) {
+          i++;
+          pckt = filter(std::move(pckt), stack);
+          if (pckt == nullptr) {
+            debug("Packet dropped in %s chain, filter %i \n", name, i);
+            // do some logging
+            return nullptr;
+          }
+        }
+        return pckt;
+      }
+
+      Filter_chain(const char* chain_name, std::initializer_list<Packetfilter> filters) :
+        chain{filters},
+        name{chain_name} {}
+    };
+
+    /**
+     * Packet filtering hooks for firewall, NAT, connection tracking etc.
+     **/
+
+    /** Packets pass through prerouting chain before routing decision */
+    virtual Filter_chain& prerouting_chain() = 0;
+
+    /** Packets pass through postrouting chain after routing decision */
+    virtual Filter_chain& postrouting_chain() = 0;
+
+    /** Packets pass through forward chain by forwarder, if enabled */
+    virtual Filter_chain& forward_chain() = 0;
+
+    /** Packets pass through input chain before hitting protocol handlers */
+    virtual Filter_chain& input_chain() = 0;
+
+    /** Packets pass through output chain after exiting protocol handlers */
+    virtual Filter_chain& output_chain() = 0;
+
+
     ///
     /// PROTOCOL OBJECTS
     ///
@@ -182,7 +232,9 @@ namespace net {
     /// ROUTING
     ///
 
-    /** Set an IP forwarding delegate. E.g. used to enable routing */
+    /** Set an IP forwarding delegate. E.g. used to enable routing.
+     *  NOTE: The packet forwarder is expected to call the forward_chain
+     **/
     virtual void set_forward_delg(Forward_delg) = 0;
 
     /** Assign boolean function to determine if we have route to a given IP */

api/net/inet4.hpp

@@ -98,6 +98,7 @@ namespace net {
     /**
      * Set the forwarding delegate used by this stack.
      * If set it will get all incoming packets not intended for this stack.
+     * NOTE: This delegate is expected to call the forward chain
      */
     void set_forward_delg(Forward_delg fwd) override {
       ip4_.set_packet_forwarding(fwd);
@@ -306,6 +307,26 @@ namespace net {
     bool is_valid_source(IP4::addr src) override
     { return is_loopback(src) or src == ip_addr(); }
 
+    /** Packets pass through prerouting chain before routing decision */
+    virtual Filter_chain& prerouting_chain() override
+    { return prerouting_chain_; }
+
+    /** Packets pass through postrouting chain after routing decision */
+    virtual Filter_chain& postrouting_chain() override
+    { return postrouting_chain_; }
+
+    /** Packets pass through postrouting chain after routing decision */
+    virtual Filter_chain& forward_chain() override
+    { return forward_chain_; }
+
+    /** Packets pass through input chain before hitting protocol handlers */
+    virtual Filter_chain& input_chain() override
+    { return input_chain_; }
+
+    /** Packets pass through output chain after exiting protocol handlers */
+    virtual Filter_chain& output_chain() override
+    { return output_chain_; }
+
     /** Initialize with ANY_ADDR */
     Inet4(hw::Nic& nic);
 
@@ -330,6 +351,13 @@ namespace net {
     UDP    udp_;
     TCP    tcp_;
 
+    // Filter chains
+    Filter_chain prerouting_chain_{"Prerouting", {}};
+    Filter_chain postrouting_chain_{"Postrouting", {}};
+    Filter_chain input_chain_{"Input", {}};
+    Filter_chain output_chain_{"Output", {}};
+    Filter_chain forward_chain_{"Forward", {}};
+
     // we need this to store the cache per-stack
     DNSClient dns_;
     std::string domain_name_;

api/net/ip4/ip4.hpp

@@ -46,7 +46,6 @@ namespace net {
     using IP_packet = PacketIP4;
     using IP_packet_ptr = std::unique_ptr<IP_packet>;
     using downstream_arp = delegate<void(Packet_ptr, IP4::addr)>;
-    using Packet_filter = delegate<IP_packet_ptr(IP_packet_ptr)>;
     using drop_handler = delegate<void(IP_packet_ptr, Direction, Drop_reason)>;
     using PMTU = uint16_t;
 
@@ -94,14 +93,6 @@ namespace net {
     void set_linklayer_out(downstream_arp s)
     { linklayer_out_ = s; }
 
-    /** Assign function to determine which upstream packets gets filtered */
-    void set_upstream_filter(Packet_filter f)
-    { upstream_filter_ = f; }
-
-    /** Assign function to determine which downstream packets gets filtered */
-    void set_downstream_filter(Packet_filter f)
-    { downstream_filter_ = f; }
-
     //
     // Delegate getters
     //
@@ -132,7 +123,7 @@ namespace net {
      *  Source IP *can* be set - if it's not, IP4 will set it
      */
     void transmit(Packet_ptr);
-    void ship(Packet_ptr);
+    void ship(Packet_ptr, addr next_hop = 0);
 
 
     /**
@@ -157,11 +148,11 @@ namespace net {
     uint64_t get_packets_dropped()
     { return packets_dropped_; }
 
-    /**  Default upstream packet filter */
-    IP_packet_ptr filter_upstream(IP_packet_ptr packet);
+    /**  Drop incoming packets invalid according to RFC */
+    IP_packet_ptr drop_invalid_in(IP_packet_ptr packet);
 
-    /**  Default downstream packet filter */
-    IP_packet_ptr filter_downstream(IP_packet_ptr packet);
+    /**  Drop outgoing packets invalid according to RFC */
+    IP_packet_ptr drop_invalid_out(IP_packet_ptr packet);
 
     /**
      *  Path MTU (and Packetization Layered Path MTU Discovery) related methods
@@ -201,10 +192,6 @@ namespace net {
     /** Packet forwarding  */
     Stack::Forward_delg forward_packet_;
 
-    /** Packet filters */
-    Packet_filter upstream_filter_;
-    Packet_filter downstream_filter_;
-
     /** All dropped packets go here */
     drop_handler drop_handler_;
 

src/net/ip4/ip4.cpp

@@ -34,9 +34,7 @@ namespace net {
   packets_rx_       {Statman::get().create(Stat::UINT64, inet.ifname() + ".ip4.packets_rx").get_uint64()},
   packets_tx_       {Statman::get().create(Stat::UINT64, inet.ifname() + ".ip4.packets_tx").get_uint64()},
   packets_dropped_  {Statman::get().create(Stat::UINT32, inet.ifname() + ".ip4.packets_dropped").get_uint32()},
-  stack_            {inet},
-  upstream_filter_  {this, &IP4::filter_upstream},
-  downstream_filter_{this, &IP4::filter_downstream}
+  stack_            {inet}
   {}
 
 
@@ -50,7 +48,7 @@ namespace net {
   }
 
 
-  IP4::IP_packet_ptr IP4::filter_upstream(IP4::IP_packet_ptr packet)
+  IP4::IP_packet_ptr IP4::drop_invalid_in(IP4::IP_packet_ptr packet)
   {
     IP4::Direction up = IP4::Direction::Upstream;
 
@@ -73,7 +71,7 @@ namespace net {
   }
 
 
-  IP4::IP_packet_ptr IP4::filter_downstream(IP4::IP_packet_ptr packet)
+  IP4::IP_packet_ptr IP4::drop_invalid_out(IP4::IP_packet_ptr packet)
   {
     // RFC-1122 3.2.1.7, MUST NOT send packet with TTL of 0
     if (packet->ip_ttl() == 0)
@@ -102,7 +100,12 @@ namespace net {
     // Stat increment packets received
     packets_rx_++;
 
-    packet = upstream_filter_(std::move(packet));
+
+    packet = drop_invalid_in(std::move(packet));
+    if (UNLIKELY(packet == nullptr)) return;
+
+    // Enter prerouting chain
+    packet = stack_.prerouting_chain()(std::move(packet), stack_);
     if (UNLIKELY(packet == nullptr)) return;
 
     // Drop / forward if my ip address doesn't match dest. or broadcast
@@ -122,6 +125,9 @@ namespace net {
       return;
     }
 
+    packet = stack_.input_chain()(std::move(packet), stack_);
+    if (UNLIKELY(packet == nullptr)) return;
+
     // Pass packet to it's respective protocol controller
     switch (packet->ip_protocol()) {
     case Protocol::ICMPv4:
@@ -152,56 +158,62 @@ namespace net {
   void IP4::transmit(Packet_ptr pckt) {
     assert((size_t)pckt->size() > sizeof(header));
 
-    auto ip4_pckt = static_unique_ptr_cast<PacketIP4>(std::move(pckt));
+    auto packet = static_unique_ptr_cast<PacketIP4>(std::move(pckt));
+
+    packet->make_flight_ready();
 
-    ip4_pckt->make_flight_ready();
+    packet = stack_.output_chain()(std::move(packet), stack_);
+    if (UNLIKELY(packet == nullptr)) return;
 
-    ship(std::move(ip4_pckt));
+    ship(std::move(packet));
   }
 
-  void IP4::ship(Packet_ptr pckt)
+  void IP4::ship(Packet_ptr pckt, addr next_hop)
   {
-    auto ip4_pckt = static_unique_ptr_cast<PacketIP4>(std::move(pckt));
+    auto packet = static_unique_ptr_cast<PacketIP4>(std::move(pckt));
 
     // Send loopback packets right back
-    if (UNLIKELY(stack_.is_loopback(ip4_pckt->ip_dst()))) {
+    if (UNLIKELY(stack_.is_loopback(packet->ip_dst()))) {
       debug("<IP4> Destination address is loopback \n");
-      IP4::receive(std::move(ip4_pckt));
+      IP4::receive(std::move(packet));
       return;
     }
 
-    addr next_hop;
+    // Filter illegal egress packets
+    packet = drop_invalid_out(std::move(packet));
+    if (packet == nullptr) return;
 
-    if (ip4_pckt->ip_dst() != IP4::ADDR_BCAST)
-    {
-      // Create local and target subnets
-      addr target = ip4_pckt->ip_dst()  & stack_.netmask();
-      addr local  = stack_.ip_addr() & stack_.netmask();
+    packet = stack_.postrouting_chain()(std::move(packet), stack_);
+    if (UNLIKELY(packet == nullptr)) return;
 
-      // Compare subnets to know where to send packet
-      next_hop = target == local ? ip4_pckt->ip_dst() : stack_.gateway();
 
-      debug("<IP4 TOP> Next hop for %s, (netmask %s, local IP: %s, gateway: %s) == %s\n",
-          ip4_pckt->ip_dst().str().c_str(),
-          stack_.netmask().str().c_str(),
-          stack_.ip_addr().str().c_str(),
-          stack_.gateway().str().c_str(),
-          next_hop.str().c_str());
+    if (next_hop == 0) {
+      if (UNLIKELY(packet->ip_dst() == IP4::ADDR_BCAST)) {
+        next_hop = IP4::ADDR_BCAST;
+      } else {
+        // Create local and target subnets
+        addr target = packet->ip_dst()  & stack_.netmask();
+        addr local  = stack_.ip_addr() & stack_.netmask();
 
-    } else {
-      next_hop = IP4::ADDR_BCAST;
-    }
+        // Compare subnets to know where to send packet
+        next_hop = target == local ? packet->ip_dst() : stack_.gateway();
 
-    // Filter illegal egress packets
-    ip4_pckt = upstream_filter_(std::move(ip4_pckt));
-    if (ip4_pckt == nullptr) return;
+        debug("<IP4 TOP> Next hop for %s, (netmask %s, local IP: %s, gateway: %s) == %s\n",
+              packet->ip_dst().str().c_str(),
+              stack_.netmask().str().c_str(),
+              stack_.ip_addr().str().c_str(),
+              stack_.gateway().str().c_str(),
+              next_hop.str().c_str());
+
+      }
+    }
 
     // Stat increment packets transmitted
     packets_tx_++;
 
-    debug("<IP4> Transmitting packet, layer begin: buf + %li\n", ip4_pckt->layer_begin() - ip4_pckt->buf());
+    debug("<IP4> Transmitting packet, layer begin: buf + %li\n", packet->layer_begin() - packet->buf());
 
-    linklayer_out_(std::move(ip4_pckt), next_hop);
+    linklayer_out_(std::move(packet), next_hop);
   }
 
 } //< namespace net