pcn-firewall: update connection tracking module

this commit introduces the same connection tracking
module used by pcn-iptables

Main features:
- avoid double lookup by ordering hashmap keys
- avoid to call bpf_ktime_get_ns() by introducing
   a customized timestamp written by control plane

Signed-off-by: Matteo Bertrone <m.bertrone@gmail.com>

Author: mbertrone

src/services/pcn-firewall/src/Chain.cpp

@@ -244,8 +244,6 @@ void Chain::updateChain() {
     if (j == 1)
       second = true;
 
-    std::cout << "++++Conntrack Map empty " << conntrack_map.empty() << std::endl;
-
     // Looping through conntrack
     if (!conntrack_map.empty() && conntrack_break ^ second) {
       // At least one rule requires a matching on conntrack, so it can be

src/services/pcn-firewall/src/Firewall.h

@@ -49,6 +49,8 @@ struct ct_k {
 struct ct_v {
   uint64_t ttl;
   uint8_t state;
+  uint8_t ipRev;
+  uint8_t portRev;
   uint32_t sequence;
 } __attribute__((packed));
 
@@ -143,7 +145,9 @@ class Firewall : public FirewallBase {
 
     polycube::service::ProgramType getProgramType();
 
-   public:
+    std::mutex program_mutex_;
+
+  public:
     Program(const std::string &code, const int &index,
             const ChainNameEnum &direction, Firewall &outer);
     virtual ~Program();
@@ -289,6 +293,13 @@ class Firewall : public FirewallBase {
                          Firewall &outer);
     ~ConntrackTableUpdate();
     std::string getCode();
+
+    void updateTimestamp();
+    void updateTimestampTimer();
+    void quitAndJoin();
+
+    std::thread timestamp_update_thread_;
+    std::atomic<bool> quit_thread_;
   };
 
   /*==========================

src/services/pcn-firewall/src/SessionTable.cpp

@@ -83,8 +83,6 @@ std::shared_ptr<spdlog::logger> SessionTable::logger() {
 
 std::string SessionTable::state_from_number_to_string(int state) {
   switch (state) {
-  case (WILDCARD):
-    return "WILDCARD";
   case (NEW):
     return "NEW";
   case (ESTABLISHED):
@@ -93,8 +91,10 @@ std::string SessionTable::state_from_number_to_string(int state) {
     return "SYN_SENT";
   case (SYN_RECV):
     return "SYN_RECV";
-  case (FIN_WAIT):
-    return "FIN_WAIT";
+  case (FIN_WAIT_1):
+    return "FIN_WAIT_1";
+  case (FIN_WAIT_2):
+    return "FIN_WAIT_2";
   case (LAST_ACK):
     return "LAST_ACK";
   case (TIME_WAIT):
@@ -105,9 +105,6 @@ std::string SessionTable::state_from_number_to_string(int state) {
 
 uint32_t SessionTable::from_ttl_to_eta(uint64_t ttl, uint16_t state,
                                        uint16_t l4proto) {
-  if (state == WILDCARD) {
-    return -1;
-  }
   if (state == NEW) {
     if (l4proto == IPPROTO_UDP) {
       ttl = ttl - UDP_NEW_TIMEOUT;
@@ -128,7 +125,7 @@ uint32_t SessionTable::from_ttl_to_eta(uint64_t ttl, uint16_t state,
   if (state == SYN_RECV) {
     ttl = ttl - TCP_SYN_RECV;
   }
-  if (state == FIN_WAIT) {
+  if (state == FIN_WAIT_1 || state == FIN_WAIT_2) {
     ttl = ttl - TCP_FIN_WAIT;
   }
   if (state == LAST_ACK) {
@@ -146,6 +143,8 @@ uint32_t SessionTable::from_ttl_to_eta(uint64_t ttl, uint16_t state,
   } else {
     return uptime_seconds - ttl;
   }
+
+return 0;
 }
 
 //uint64_t SessionTable::hex_string_to_uint64(const std::string &str) {

src/services/pcn-firewall/src/SessionTable.h

@@ -33,14 +33,14 @@
 #define TCP_TIME_WAIT 120000000000
 
 enum {
-  WILDCARD,
   NEW,
   ESTABLISHED,
   RELATED,
   INVALID,
   SYN_SENT,
   SYN_RECV,
-  FIN_WAIT,
+  FIN_WAIT_1,
+  FIN_WAIT_2,
   LAST_ACK,
   TIME_WAIT
 };

src/services/pcn-firewall/src/Utils.cpp

@@ -18,13 +18,13 @@
 #include "Firewall.h"
 
 int Firewall::protocol_from_string_to_int(const std::string &proto) {
-  if (proto == "TCP")
+  if (proto == "TCP" || proto == "tcp")
     return IPPROTO_TCP;
-  if (proto == "UDP")
+  if (proto == "UDP" || proto == "udp")
     return IPPROTO_UDP;
-  if (proto == "ICMP")
+  if (proto == "ICMP" || proto == "icmp")
     return IPPROTO_ICMP;
-  if (proto == "GRE")
+  if (proto == "GRE" || proto == "gre")
     return IPPROTO_GRE;
   else
     throw std::runtime_error("Protocol not supported.");
@@ -43,13 +43,13 @@ void Firewall::replaceAll(std::string &str, const std::string &from,
 }
 
 int ChainRule::protocol_from_string_to_int(const std::string &proto) {
-  if (proto == "TCP")
+  if (proto == "TCP" || proto == "tcp")
     return IPPROTO_TCP;
-  if (proto == "UDP")
+  if (proto == "UDP" || proto == "udp")
     return IPPROTO_UDP;
-  if (proto == "ICMP")
+  if (proto == "ICMP" || proto == "icmp")
     return IPPROTO_ICMP;
-  if (proto == "GRE")
+  if (proto == "GRE" || proto == "gre")
     return IPPROTO_GRE;
 
   throw std::runtime_error("Protocol not supported.");
@@ -207,15 +207,14 @@ int ChainRule::ActionEnum_to_int(const ActionEnum &action) {
 }
 
 static int ChainRuleConntrackEnum_to_int(const ConntrackstatusEnum &status) {
-  // 0 is reserved for "wildcard"
   if (status == ConntrackstatusEnum::NEW) {
-    return 1;
+    return 0;
   } else if (status == ConntrackstatusEnum::ESTABLISHED) {
-    return 2;
+    return 1;
   } else if (status == ConntrackstatusEnum::RELATED) {
-    return 3;
+    return 2;
   } else if (status == ConntrackstatusEnum::INVALID) {
-    return 4;
+    return 3;
   }
 }
 
@@ -482,46 +481,40 @@ bool Chain::portFromRulesToMap(
 }
 
 bool Chain::conntrackFromRulesToMap(
-    std::map<uint8_t, std::vector<uint64_t>> &statusMap,
-    const std::vector<std::shared_ptr<ChainRule>> &rules) {
-  std::vector<uint16_t> dontCareRules;
+        std::map<uint8_t, std::vector<uint64_t>> &statusMap,
+        const std::vector<std::shared_ptr<ChainRule>> &rules) {
+  std::vector<uint8_t> statesVector({NEW, ESTABLISHED, RELATED, INVALID});
+  uint32_t rule_id;
+  uint8_t rule_state;
+  bool conntrackRulePresent = false;
 
-  uint32_t ruleId;
-  uint8_t status;
   for (auto const &rule : rules) {
     try {
-      ruleId = rule->getId();
-      status = ChainRuleConntrackEnum_to_int(rule->getConntrack());
-
-    } catch (std::runtime_error re) {
-      // Not set: don't care rule.
-      dontCareRules.push_back(ruleId);
-      continue;
-    }
-
-    auto it = statusMap.find(status);
-    if (it == statusMap.end()) {
-      // First entry
-      std::vector<uint64_t> bitVector(
-          FROM_NRULES_TO_NELEMENTS(Firewall::maxRules));
-      SET_BIT(bitVector[ruleId / 63], ruleId % 63);
-      statusMap.insert(
-          std::pair<uint8_t, std::vector<uint64_t>>(status, bitVector));
-    } else {
-      SET_BIT((it->second)[ruleId / 63], ruleId % 63);
+      rule_state = ChainRuleConntrackEnum_to_int(rule->getConntrack());
+      conntrackRulePresent = true;
+    } catch (...) {
     }
   }
-  // Don't care rules are in all entries. Anyway, this loop is useless if there
-  // are no rules at all requiring matching on this field.
-  if (statusMap.size() != 0 && dontCareRules.size() != 0) {
+
+  if (!conntrackRulePresent)
+    return false;
+
+  for (uint8_t state : statesVector) {
     std::vector<uint64_t> bitVector(
-        FROM_NRULES_TO_NELEMENTS(Firewall::maxRules));
-    statusMap.insert(std::pair<uint8_t, std::vector<uint64_t>>(0, bitVector));
-    for (auto const &ruleNumber : dontCareRules) {
-      for (auto &statusMapEntry : statusMap) {
-        SET_BIT((statusMapEntry.second)[ruleNumber / 63], ruleNumber % 63);
+            FROM_NRULES_TO_NELEMENTS(Firewall::maxRules));
+    for (auto const &rule : rules) {
+      try {
+        rule_id = rule->getId();
+        rule_state = ChainRuleConntrackEnum_to_int(rule->getConntrack());
+        if (rule_state == state)
+          SET_BIT(bitVector[rule_id / 63], rule_id % 63);
+      } catch (std::runtime_error re) {
+        // wildcard rule, set bit to 1
+        SET_BIT(bitVector[rule_id / 63], rule_id % 63);
       }
     }
+    statusMap.insert(
+            std::pair<uint8_t, std::vector<uint64_t>>(state, bitVector));
   }
 
   return false;

src/services/pcn-firewall/src/datapaths/Firewall_ChainForwarder_dp.c

@@ -22,6 +22,7 @@ static int handle_rx(struct CTXTYPE *ctx, struct pkt_metadata *md) {
   pcn_log(ctx, LOG_DEBUG, "[_CHAIN_NAME][ChainForwarder]: Receiving packet");
 #if defined(_INGRESS_LOGIC)
 #if _NR_ELEMENTS_INGRESS > 0
+    pcn_log(ctx, LOG_DEBUG, "[_CHAIN_NAME][ChainForwarder]: calling INGRESS chain _NEXT_HOP_INGRESS_1");
     call_ingress_program(ctx, _NEXT_HOP_INGRESS_1);
 #endif
     pcn_log(ctx, LOG_DEBUG, "[_CHAIN_NAME][ChainForwarder]: No ingress chain");
@@ -30,6 +31,7 @@ static int handle_rx(struct CTXTYPE *ctx, struct pkt_metadata *md) {
 
 #if defined(_EGRESS_LOGIC)
 #if _NR_ELEMENTS_EGRESS > 0
+    pcn_log(ctx, LOG_DEBUG, "[_CHAIN_NAME][ChainForwarder]: calling EGRESS chain _NEXT_HOP_EGRESS_1");
     call_egress_program(ctx, _NEXT_HOP_EGRESS_1);
 #endif
     pcn_log(ctx, LOG_DEBUG, "[_CHAIN_NAME][ChainForwarder]: No egress chain");