Refactor rules table in-memory structure in new NetworkConfig to permit far more rules with better space efficiency.

author: Adam Ierymenko <adam.ierymenko@gmail.com> 2016-04-22 15:40:53 -0700
committer: Adam Ierymenko <adam.ierymenko@gmail.com> 2016-04-22 15:40:53 -0700
commit: d73607430131dd352cf9248f37e76c2618dd39e5 (patch)
tree: 0c8f53ef547bca1e90585e67cc4ac93eb9012146 /include
parent: 368efaa2ba68d87eaba3bce2cbc1714b8e04744c (diff)
download: infinitytier-d73607430131dd352cf9248f37e76c2618dd39e5.tar.gz
infinitytier-d73607430131dd352cf9248f37e76c2618dd39e5.zip
1 files changed, 176 insertions, 43 deletions
diff --git a/include/ZeroTierOne.h b/include/ZeroTierOne.h
index b77cc820..75199195 100644
--- a/include/ZeroTierOne.h
+++ b/include/ZeroTierOne.h
@@ -107,9 +107,9 @@ extern "C" {
 #define ZT_MAX_NETWORK_STATIC_DEVICES 32
 
 /**
- * Maximum number of rules per network (can be increased)
+ * Maximum number of rule table entries per network (can be increased)
  */
-#define ZT_MAX_NETWORK_RULES 64
+#define ZT_MAX_NETWORK_RULES 256
 
 /**
  * Maximum number of multicast group subscriptions per network
@@ -432,102 +432,235 @@ enum ZT_VirtualNetworkType
  */
 enum ZT_VirtualNetworkRuleAction
 {
+	/**
+	 * Drop frame
+	 */
 	ZT_NETWORK_RULE_ACTION_DROP = 0,
-	ZT_NETWORK_RULE_ACTION_ACCEPT = 1
+
+	/**
+	 * Accept and pass frame
+	 */
+	ZT_NETWORK_RULE_ACTION_ACCEPT = 1,
+
+	/**
+	 * Forward a copy of this frame to an observer (in datum.zt[1])
+	 */
+	ZT_NETWORK_RULE_ACTION_TEE = 2,
+
+	/**
+	 * Redirect frame to ZeroTier device in datum.zt[1] regardless of Ethernet addressing or anything else
+	 */
+	ZT_NETWORK_RULE_ACTION_REDIRECT = 3
 };
 
 /**
- * Network flow rule
- *
- * Currently only etherType is supported! Other flags will have no effect
- * until the rules engine is fully implemented.
+ * Datum type (variant) that a rule matches
  */
-typedef struct
+enum ZT_VirtualNetworkRuleMatches
 {
 	/**
-	 * Rule sort order
+	 * Matches all packets (no criteria)
+	 */
+	ZT_NETWORK_RULE_MATCHES_ALL = 0,
+
+	/**
+	 * Source ZeroTier address -- analogous to an Ethernet port ID on a switch
 	 */
-	int ruleNo;
+	ZT_NETWORK_RULE_MATCHES_SOURCE_ZEROTIER_ADDRESS = 1,
 
 	/**
-	 * Source ZeroTier address ("port" on the global virtual switch) (0 == wildcard)
+	 * Destination ZeroTier address -- analogous to an Ethernet port ID on a switch
 	 */
-	uint64_t sourcePort;
+	ZT_NETWORK_RULE_MATCHES_DEST_ZEROTIER_ADDRESS = 2,
 
 	/**
-	 * Destination ZeroTier address ("port" on the global virtual switch) (0 == wildcard)
+	 * Ethernet VLAN ID
 	 */
-	uint64_t destPort;
+	ZT_NETWORK_RULE_MATCHES_VLAN_ID = 3,
+
+	/** 
+	 * Ethernet VLAN PCP
+	 */
+	ZT_NETWORK_RULE_MATCHES_VLAN_PCP = 4,
 
 	/**
-	 * VLAN ID (-1 == wildcard)
+	 * Ethernet VLAN DEI
 	 */
-	int vlanId;
+	ZT_NETWORK_RULE_MATCHES_VLAN_DEI = 5,
 
 	/**
-	 * VLAN PCP (-1 == wildcard)
+	 * Ethernet frame type
 	 */
-	int vlanPcp;
+	ZT_NETWORK_RULE_MATCHES_ETHERTYPE = 6,
 
 	/**
-	 * Ethernet type (-1 == wildcard)
+	 * Source Ethernet MAC address
 	 */
-	int etherType;
+	ZT_NETWORK_RULE_MATCHES_MAC_SOURCE = 7,
 
 	/**
-	 * Source MAC address (least significant 48 bits, host byte order) (0 == wildcard)
+	 * Destination Ethernet MAC address
 	 */
-	uint64_t macSource;
+	ZT_NETWORK_RULE_MATCHES_MAC_DEST = 8,
 
-	/** 
-	 * Destination MAC address (least significant 48 bits, host byte order) (0 == wildcard)
+	/**
+	 * Source IPv4 address
+	 */
+	ZT_NETWORK_RULE_MATCHES_IPV4_SOURCE = 9,
+
+	/**
+	 * Destination IPv4 address
 	 */
-	uint64_t macDest;
+	ZT_NETWORK_RULE_MATCHES_IPV4_DEST = 10,
 
 	/**
-	 * Source IP address (ss_family == 0 for wildcard)
+	 * Source IPv6 address
 	 */
-	struct sockaddr_storage ipSource;
+	ZT_NETWORK_RULE_MATCHES_IPV6_SOURCE = 11,
 
 	/**
-	 * Destination IP address (ss_family == 0 for wildcard)
+	 * Destination IPv6 address
 	 */
-	struct sockaddr_storage ipDest;
+	ZT_NETWORK_RULE_MATCHES_IPV6_DEST = 12,
 
 	/**
-	 * IP type of service (-1 == wildcard)
+	 * IP TOS (type of service)
 	 */
-	int ipTos;
+	ZT_NETWORK_RULE_MATCHES_IP_TOS = 13,
 
 	/**
-	 * IP protocol (-1 == wildcard)
+	 * IP protocol
 	 */
-	int ipProtocol;
+	ZT_NETWORK_RULE_MATCHES_IP_PROTOCOL = 14,
 
 	/**
-	 * IP source port (-1 == wildcard)
+	 * IP source port range (start-end, inclusive)
 	 */
-	int ipSourcePort;
+	ZT_NETWORK_RULE_MATCHES_IP_SOURCE_PORT_RANGE = 15,
 
 	/**
-	 * IP destination port (-1 == wildcard)
+	 * IP destination port range (start-end, inclusive)
 	 */
-	int ipDestPort;
+	ZT_NETWORK_RULE_MATCHES_IP_DEST_PORT_RANGE = 16,
 
 	/**
-	 * Flags to match if set
+	 * Packet characteristic flags
 	 */
-	unsigned long flags;
+	ZT_NETWORK_RULE_MATCHES_FLAGS = 17,
 
 	/**
-	 * Flags to match if NOT set
+	 * Frame size range (start-end, inclusive)
 	 */
-	unsigned long invFlags;
+	ZT_NETWORK_RULE_MATCHES_FRAME_SIZE_RANGE = 18
+};
+
+/**
+ * Network flow rule
+ *
+ * NOTE: Currently (1.1.x) only etherType is supported! Other things will
+ * have no effect until the rules engine is fully implemented.
+ *
+ * Multiple entries in the table can have the same ruleNo. This indicates
+ * a row with multiple matching criteria.
+ *
+ * This gives the table a much more space-efficient compressed representation,
+ * allowing far more rules to be efficiently sent in small netconf structures.
+ */
+typedef struct
+{
+	/**
+	 * Rule number and sort order
+	 *
+	 * Multiple entries in the table can have the same ruleNo. This causes them
+	 * to be matched as an AND together, e.g. both IP source and IP source port.
+	 */
+	uint16_t ruleNo;
+
+	/**
+	 * Field that this rules table entry matches (enum ZT_VirtualNetworkRuleMatches)
+	 */
+	uint8_t matches;
 
 	/** 
-	 * Action if rule matches
+	 * Action if rule matches (enum ZT_VirtualNetworkRuleAction)
 	 */
-	enum ZT_VirtualNetworkRuleAction action;
+	uint8_t action;
+
+	/**
+	 * Union containing the datum for this rule
+	 *
+	 * The rule entry functions like a variant type, with the field of datum
+	 * that is relevant/valid determined by the 'matches' enum.
+	 */
+	union {
+		/**
+		 * IPv6 address in big-endian / network byte order
+		 */
+		uint8_t ipv6[16];
+
+		/**
+		 * Flags (128 possible)
+		 */
+		uint8_t flags[16];
+
+		/**
+		 * IPv4 address in big-endian / network byte order
+		 */
+		uint32_t ipv4;
+
+		/**
+		 * IP port range -- start-end inclusive -- host byte order
+		 */
+		uint16_t port[2];
+
+		/**
+		 * Two possible 40-bit ZeroTier addresses in host byte order (least significant 40 bits of uint64_t)
+		 *
+		 * The first of these ([0]) is used in most cases e.g. matching ZT source
+		 * address. The second is used as the observer for the TEE action.
+		 */
+		uint64_t zt[2];
+
+		/**
+		 * 48-bit Ethernet MAC address in big-endian order
+		 */
+		uint8_t mac[6];
+
+		/**
+		 * VLAN ID in host byte order
+		 */
+		uint16_t vlanId;
+
+		/**
+		 * VLAN PCP (least significant 3 bits)
+		 */
+		uint8_t vlanPcp;
+
+		/**
+		 * VLAN DEI (single bit / boolean)
+		 */
+		uint8_t vlanDei;
+
+		/**
+		 * Ethernet type in host byte order
+		 */
+		uint16_t etherType;
+
+		/**
+		 * IP protocol
+		 */
+		uint8_t ipProtocol;
+
+		/**
+		 * IP type of service
+		 */
+		uint8_t ipTos;
+
+		/**
+		 * Ethernet packet size in host byte order (start-end, inclusive)
+		 */
+		uint16_t frameSize[2];
+	} datum;
 } ZT_VirtualNetworkRule;
 
 /**
author	Adam Ierymenko <adam.ierymenko@gmail.com>	2016-04-22 15:40:53 -0700
committer	Adam Ierymenko <adam.ierymenko@gmail.com>	2016-04-22 15:40:53 -0700
commit	d73607430131dd352cf9248f37e76c2618dd39e5 (patch)
tree	0c8f53ef547bca1e90585e67cc4ac93eb9012146 /include
parent	368efaa2ba68d87eaba3bce2cbc1714b8e04744c (diff)
download	infinitytier-d73607430131dd352cf9248f37e76c2618dd39e5.tar.gz infinitytier-d73607430131dd352cf9248f37e76c2618dd39e5.zip