Rules engine

Virt rules engine configuration.

LSDN supports basic firewall filtering. It is possible to set up packet rules matching several criteria (source or destination addresses or ranges, tunnel key ID) and assign them to the inbound or outbound queue of a particular virt. Currently, the firewall can only drop matching packets; there is no support for creating custom firewall actions.

lsdn_vr is its own kind of object, tied to a virt. It can either be created already configured to match something, or created empty and configured later.

Rules are evaluated in order of increasing priority value: the lower the value, the higher the effective priority.
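The following is a stand-alone model of the evaluation semantics described above, added here as an example; it is not LSDN code. The DEMO_* constants, the struct layouts, the IPv4-only field set and the masked-compare reading of mask/value (a field hits when it agrees with the value on every mask bit) are assumptions of this demo; the two-targets-per-rule limit, the exclusive upper priority bound and the fact that an unconfigured rule matches nothing follow the reference text.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
/* Added example, not LSDN code: DEMO_* stand in for the LSDN_* constants. */
#define DEMO_MAX_MATCHES 2      /* at most two targets per rule (LSDN_MAX_MATCHES) */
#define DEMO_PRIO_MIN    1      /* stand-in for LSDN_VR_PRIO_MIN */
#define DEMO_PRIO_MAX    0x8000 /* stand-in for LSDN_VR_PRIO_MAX, exclusive */
enum demo_target { DEMO_SRC_IPV4, DEMO_DST_IPV4, DEMO_ENC_KEY_ID };
enum demo_dir    { DEMO_IN, DEMO_OUT };
struct demo_match { enum demo_target target; uint32_t value, mask; };
struct demo_rule  { uint16_t prio; enum demo_dir dir; size_t nmatch;
                    struct demo_match match[DEMO_MAX_MATCHES]; };
struct demo_pkt   { enum demo_dir dir; uint32_t src4, dst4, key_id; };

/* Netmask for an IPv4 prefix length, host byte order: 24 -> 0xffffff00. */
uint32_t demo_prefix_mask(unsigned prefix) {
    return prefix == 0 ? 0u : prefix >= 32 ? 0xffffffffu : 0xffffffffu << (32 - prefix);
}

/* A priority is usable when PRIO_MIN <= prio < PRIO_MAX (upper bound exclusive). */
bool demo_prio_valid(uint16_t prio) {
    return prio >= DEMO_PRIO_MIN && prio < DEMO_PRIO_MAX;
}

static uint32_t demo_field(const struct demo_pkt *p, enum demo_target t) {
    return t == DEMO_SRC_IPV4 ? p->src4 : t == DEMO_DST_IPV4 ? p->dst4 : p->key_id;
}

static int demo_by_prio(const void *a, const void *b) {
    const struct demo_rule *ra = a, *rb = b;
    return (ra->prio > rb->prio) - (ra->prio < rb->prio);
}

/* Walk rules from the lowest priority number upwards. A rule hits when its direction
 * matches, it has at least one target (an unconfigured rule matches nothing) and every
 * target agrees with the packet on all mask bits. DROP is the only action, so the first
 * hit decides. Returns the priority of the dropping rule, or -1 if the packet passes. */
int demo_evaluate(struct demo_rule *rules, size_t n, const struct demo_pkt *p) {
    qsort(rules, n, sizeof *rules, demo_by_prio);
    for (size_t i = 0; i < n; i++) {
        const struct demo_rule *r = &rules[i];
        bool hit = r->dir == p->dir && demo_prio_valid(r->prio)
                   && r->nmatch >= 1 && r->nmatch <= DEMO_MAX_MATCHES;
        for (size_t j = 0; j < r->nmatch && hit; j++)
            hit = (demo_field(p, r->match[j].target) & r->match[j].mask)
                  == (r->match[j].value & r->match[j].mask);
        if (hit) return r->prio;
    }
    return -1;
}
```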

Defines

LSDN_MAX_MATCHES

Maximum number of match targets per rule.

In this implementation, a rule can match on at most two simultaneous objects (e.g. MAC address and IPv4 address).

LSDN_VR_PRIO_MIN

Minimum Virt Rule priority.

LSDN_VR_PRIO_MAX

Upper limit for Virt Rule priority.

Actual priority must be strictly lower than this.

LSDN_PRIO_FORWARD_DST_MAC

Use this priority if you want your rule to be applied during forwarding decisions.

Enums

enum lsdn_direction

Virt rule direction.

Values:

LSDN_IN

Inbound rule.

LSDN_OUT

Outbound rule.

enum lsdn_rule_target

Rule target.

Values:

LSDN_MATCH_NONE

Do not match.

LSDN_MATCH_SRC_MAC

Match source MAC.

LSDN_MATCH_DST_MAC

Match destination MAC.

LSDN_MATCH_SRC_IPV4

Match source IPv4 address.

LSDN_MATCH_DST_IPV4

Match destination IPv4 address.

LSDN_MATCH_SRC_IPV6

Match source IPv6 address.

LSDN_MATCH_DST_IPV6

Match destination IPv6 address.

LSDN_MATCH_ENC_KEY_ID

Match tunnel key ID.

LSDN_MATCH_ENC_KEY_SRC_IPV4

Match tunnel source IPv4 address.

LSDN_MATCH_ENC_KEY_SRC_IPV6

Match tunnel source IPv6 address.

LSDN_MATCH_ENC_KEY_DST_IPV4

Match tunnel destination IPv4 address.

LSDN_MATCH_ENC_KEY_DST_IPV6

Match tunnel destination IPv6 address.

LSDN_MATCH_COUNT

Guard value.

See LSDN_ENUM for details.

Functions

struct lsdn_vr* lsdn_vr_new(struct lsdn_virt * virt, uint16_t prio, enum lsdn_direction dir, struct lsdn_vr_action * a)

Create a virt rule.

Creates a rule with the given priority that applies to packets to or from the given virt, and assigns the action to take when the rule matches.

A rule created with this function does not match anything yet; it must be configured through one or more of the lsdn_vr_add_<match> functions.

Return
New lsdn_vr struct.
Parameters
  • virt: Virt to which the rule applies.
  • prio: Rule priority. Lower number = higher priority.
  • dir: Inbound or outbound rule.
  • a: Assigned action when rule matches.

void lsdn_vr_free(struct lsdn_vr * vr)

Deallocate a rule.

Parameters
  • vr: Rule to deallocate.

void lsdn_vrs_free_all(struct lsdn_virt * virt)

Deallocate all rules for a virt.

Parameters
  • virt: Virt whose rules will be removed.

void lsdn_vr_add_masked_src_mac(struct lsdn_vr * rule, lsdn_mac_t mask, lsdn_mac_t value)

Configure virt rule to match source MAC with a mask.

Parameters
  • rule: Virt rule.
  • mask: Mask value.
  • value: Match value.

static void lsdn_vr_add_src_mac(struct lsdn_vr * rule, lsdn_mac_t value)

Configure virt rule to match a specified source MAC.

Parameters
  • rule: Pointer to virt rule.
  • value: Match value.

static struct lsdn_vr* lsdn_vr_new_masked_src_mac(struct lsdn_virt * virt, enum lsdn_direction dir, uint16_t prio, lsdn_mac_t value, lsdn_mac_t mask, struct lsdn_vr_action * action)

Create virt rule matching source MAC with a mask.

Return
New lsdn_vr struct.
Parameters
  • virt: LSDN virt.
  • dir: Incoming or outgoing rule.
  • prio: Rule priority.
  • value: Match value.
  • mask: Mask value.
  • action: Rule action.

static struct lsdn_vr* lsdn_vr_new_src_mac(struct lsdn_virt * virt, enum lsdn_direction dir, uint16_t prio, lsdn_mac_t value, struct lsdn_vr_action * action)

Create virt rule matching a specified source MAC.

Return
New lsdn_vr struct.
Parameters
  • virt: LSDN virt.
  • dir: Incoming or outgoing rule.
  • prio: Rule priority.
  • value: Match value.
  • action: Rule action.

void lsdn_vr_add_masked_dst_mac(struct lsdn_vr * rule, lsdn_mac_t mask, lsdn_mac_t value)

Configure virt rule to match destination MAC with a mask.

Parameters
  • rule: Virt rule.
  • mask: Mask value.
  • value: Match value.

static void lsdn_vr_add_dst_mac(struct lsdn_vr * rule, lsdn_mac_t value)

Configure virt rule to match a specified destination MAC.

Parameters
  • rule: Pointer to virt rule.
  • value: Match value.

static struct lsdn_vr* lsdn_vr_new_masked_dst_mac(struct lsdn_virt * virt, enum lsdn_direction dir, uint16_t prio, lsdn_mac_t value, lsdn_mac_t mask, struct lsdn_vr_action * action)

Create virt rule matching destination MAC with a mask.

Return
New lsdn_vr struct.
Parameters
  • virt: LSDN virt.
  • dir: Incoming or outgoing rule.
  • prio: Rule priority.
  • value: Match value.
  • mask: Mask value.
  • action: Rule action.

static struct lsdn_vr* lsdn_vr_new_dst_mac(struct lsdn_virt * virt, enum lsdn_direction dir, uint16_t prio, lsdn_mac_t value, struct lsdn_vr_action * action)

Create virt rule matching a specified destination MAC.

Return
New lsdn_vr struct.
Parameters
  • virt: LSDN virt.
  • dir: Incoming or outgoing rule.
  • prio: Rule priority.
  • value: Match value.
  • action: Rule action.

void lsdn_vr_add_masked_src_ip(struct lsdn_vr * rule, lsdn_ip_t mask, lsdn_ip_t value)

Configure virt rule to match source IP address with a mask.

Parameters
  • rule: Virt rule.
  • mask: Mask value.
  • value: Match value.

static void lsdn_vr_add_src_ip(struct lsdn_vr * rule, lsdn_ip_t value)

Configure virt rule to match a specified source IP.

Parameters
  • rule: Pointer to virt rule.
  • value: Match value.

static struct lsdn_vr* lsdn_vr_new_masked_src_ip(struct lsdn_virt * virt, enum lsdn_direction dir, uint16_t prio, lsdn_ip_t value, lsdn_ip_t mask, struct lsdn_vr_action * action)

Create virt rule matching source IP with a mask.

Return
New lsdn_vr struct.
Parameters
  • virt: LSDN virt.
  • dir: Incoming or outgoing rule.
  • prio: Rule priority.
  • value: Match value.
  • mask: Mask value.
  • action: Rule action.

static struct lsdn_vr* lsdn_vr_new_src_ip(struct lsdn_virt * virt, enum lsdn_direction dir, uint16_t prio, lsdn_ip_t value, struct lsdn_vr_action * action)

Create virt rule matching a specified source IP.

Return
New lsdn_vr struct.
Parameters
  • virt: LSDN virt.
  • dir: Incoming or outgoing rule.
  • prio: Rule priority.
  • value: Match value.
  • action: Rule action.

void lsdn_vr_add_masked_dst_ip(struct lsdn_vr * rule, lsdn_ip_t mask, lsdn_ip_t value)

Configure virt rule to match destination IP address with a mask.

Parameters
  • rule: Virt rule.
  • mask: Mask value.
  • value: Match value.

static void lsdn_vr_add_dst_ip(struct lsdn_vr * rule, lsdn_ip_t value)

Configure virt rule to match a specified destination IP.

Parameters
  • rule: Pointer to virt rule.
  • value: Match value.

static struct lsdn_vr* lsdn_vr_new_masked_dst_ip(struct lsdn_virt * virt, enum lsdn_direction dir, uint16_t prio, lsdn_ip_t value, lsdn_ip_t mask, struct lsdn_vr_action * action)

Create virt rule matching destination IP with a mask.

Return
New lsdn_vr struct.
Parameters
  • virt: LSDN virt.
  • dir: Incoming or outgoing rule.
  • prio: Rule priority.
  • value: Match value.
  • mask: Mask value.
  • action: Rule action.

static struct lsdn_vr* lsdn_vr_new_dst_ip(struct lsdn_virt * virt, enum lsdn_direction dir, uint16_t prio, lsdn_ip_t value, struct lsdn_vr_action * action)

Create virt rule matching a specified destination IP.

Return
New lsdn_vr struct.
Parameters
  • virt: LSDN virt.
  • dir: Incoming or outgoing rule.
  • prio: Rule priority.
  • value: Match value.
  • action: Rule action.

Variables

struct lsdn_vr_action LSDN_VR_DROP

DROP rule action.

A packet matching a rule with this action will be dropped.

struct lsdn_vr
#include <rules.h>

Virt rule.

Represents a packet rule assigned to a virt. The rule has a priority, an assigned direction (affecting incoming or outgoing packets), and an action. Usually, the rule will also have match conditions, such as an IP or MAC address mask.

See
lsdn_vr_new

See Rules engine.

struct lsdn_vr_action
#include <rules.h>

Virt rule action.

Represents an action to be performed on a packet that matches a rule.

In this version, the only possible action is LSDN_VR_DROP.