2 * Copyright (c) 2016 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
16 #include <vnet/vnet.h>
17 #include <vnet/plugin/plugin.h>
19 #include <acl/l2sess.h>
21 #include <vnet/l2/l2_classify.h>
22 #include <vnet/classify/input_acl.h>
24 #include <vlibapi/api.h>
25 #include <vlibmemory/api.h>
26 #include <vlibsocket/api.h>
28 /* define message IDs */
29 #include <acl/acl_msg_enum.h>
31 /* define message structures */
33 #include <acl/acl_all_api_h.h>
36 /* define generated endian-swappers */
38 #include <acl/acl_all_api_h.h>
41 /* instantiate all the print functions we know about */
42 #define vl_print(handle, ...) vlib_cli_output (handle, __VA_ARGS__)
44 #include <acl/acl_all_api_h.h>
47 /* Get the API version number */
48 #define vl_api_version(n,v) static u32 api_version=(v);
49 #include <acl/acl_all_api_h.h>
58 * A handy macro to set up a message reply.
59 * Assumes that the following variables are available:
60 * mp - pointer to request message
61 * rmp - pointer to reply message type
65 #define REPLY_MACRO(t) \
67 unix_shared_memory_queue_t * q = \
68 vl_api_client_index_to_input_queue (mp->client_index); \
72 rmp = vl_msg_api_alloc (sizeof (*rmp)); \
73 rmp->_vl_msg_id = ntohs((t)+sm->msg_id_base); \
74 rmp->context = mp->context; \
75 rmp->retval = ntohl(rv); \
77 vl_msg_api_send_shmem (q, (u8 *)&rmp); \
80 #define REPLY_MACRO2(t, body) \
82 unix_shared_memory_queue_t * q; \
83 rv = vl_msg_api_pd_handler (mp, rv); \
84 q = vl_api_client_index_to_input_queue (mp->client_index); \
88 rmp = vl_msg_api_alloc (sizeof (*rmp)); \
89 rmp->_vl_msg_id = ntohs((t)+am->msg_id_base); \
90 rmp->context = mp->context; \
91 rmp->retval = ntohl(rv); \
92 do {body;} while (0); \
93 vl_msg_api_send_shmem (q, (u8 *)&rmp); \
96 #define REPLY_MACRO3(t, n, body) \
98 unix_shared_memory_queue_t * q; \
99 rv = vl_msg_api_pd_handler (mp, rv); \
100 q = vl_api_client_index_to_input_queue (mp->client_index); \
104 rmp = vl_msg_api_alloc (sizeof (*rmp) + n); \
105 rmp->_vl_msg_id = ntohs((t)+am->msg_id_base); \
106 rmp->context = mp->context; \
107 rmp->retval = ntohl(rv); \
108 do {body;} while (0); \
109 vl_msg_api_send_shmem (q, (u8 *)&rmp); \
113 /* List of message types that this plugin understands */
115 #define foreach_acl_plugin_api_msg \
116 _(ACL_PLUGIN_GET_VERSION, acl_plugin_get_version) \
117 _(ACL_ADD_REPLACE, acl_add_replace) \
118 _(ACL_DEL, acl_del) \
119 _(ACL_INTERFACE_ADD_DEL, acl_interface_add_del) \
120 _(ACL_INTERFACE_SET_ACL_LIST, acl_interface_set_acl_list) \
121 _(ACL_DUMP, acl_dump) \
122 _(ACL_INTERFACE_LIST_DUMP, acl_interface_list_dump) \
123 _(MACIP_ACL_ADD, macip_acl_add) \
124 _(MACIP_ACL_DEL, macip_acl_del) \
125 _(MACIP_ACL_INTERFACE_ADD_DEL, macip_acl_interface_add_del) \
126 _(MACIP_ACL_DUMP, macip_acl_dump) \
127 _(MACIP_ACL_INTERFACE_GET, macip_acl_interface_get)
130 * This routine exists to convince the vlib plugin framework that
131 * we haven't accidentally copied a random .dll into the plugin directory.
133 * Also collects global variable pointers passed from the vpp engine
137 vlib_plugin_register (vlib_main_t * vm, vnet_plugin_handoff_t * h,
140 acl_main_t *am = &acl_main;
141 clib_error_t *error = 0;
144 am->vnet_main = h->vnet_main;
145 am->ethernet_main = h->ethernet_main;
147 l2sess_vlib_plugin_register(vm, h, from_early_init);
154 vl_api_acl_plugin_get_version_t_handler (vl_api_acl_plugin_get_version_t * mp)
156 acl_main_t *am = &acl_main;
157 vl_api_acl_plugin_get_version_reply_t *rmp;
158 int msg_size = sizeof (*rmp);
159 unix_shared_memory_queue_t *q;
161 q = vl_api_client_index_to_input_queue (mp->client_index);
167 rmp = vl_msg_api_alloc (msg_size);
168 memset (rmp, 0, msg_size);
170 ntohs (VL_API_ACL_PLUGIN_GET_VERSION_REPLY + am->msg_id_base);
171 rmp->context = mp->context;
172 rmp->major = htonl (ACL_PLUGIN_VERSION_MAJOR);
173 rmp->minor = htonl (ACL_PLUGIN_VERSION_MINOR);
175 vl_msg_api_send_shmem (q, (u8 *) & rmp);
180 acl_add_list (u32 count, vl_api_acl_rule_t rules[],
181 u32 * acl_list_index, u8 * tag)
183 acl_main_t *am = &acl_main;
186 acl_rule_t *acl_new_rules;
189 if (*acl_list_index != ~0)
191 /* They supplied some number, let's see if this ACL exists */
192 if (pool_is_free_index (am->acls, *acl_list_index))
194 /* tried to replace a non-existent ACL, no point doing anything */
199 /* Create and populate the rules */
200 acl_new_rules = clib_mem_alloc_aligned (sizeof (acl_rule_t) * count,
201 CLIB_CACHE_LINE_BYTES);
204 /* Could not allocate rules. New or existing ACL - bail out regardless */
208 for (i = 0; i < count; i++)
210 r = &acl_new_rules[i];
211 r->is_permit = rules[i].is_permit;
212 r->is_ipv6 = rules[i].is_ipv6;
215 memcpy (&r->src, rules[i].src_ip_addr, sizeof (r->src));
216 memcpy (&r->dst, rules[i].dst_ip_addr, sizeof (r->dst));
220 memcpy (&r->src.ip4, rules[i].src_ip_addr, sizeof (r->src.ip4));
221 memcpy (&r->dst.ip4, rules[i].dst_ip_addr, sizeof (r->dst.ip4));
223 r->src_prefixlen = rules[i].src_ip_prefix_len;
224 r->dst_prefixlen = rules[i].dst_ip_prefix_len;
225 r->proto = rules[i].proto;
226 r->src_port_or_type_first = rules[i].srcport_or_icmptype_first;
227 r->src_port_or_type_last = rules[i].srcport_or_icmptype_last;
228 r->dst_port_or_code_first = rules[i].dstport_or_icmpcode_first;
229 r->dst_port_or_code_last = rules[i].dstport_or_icmpcode_last;
230 r->tcp_flags_value = rules[i].tcp_flags_value;
231 r->tcp_flags_mask = rules[i].tcp_flags_mask;
234 if (~0 == *acl_list_index)
237 pool_get_aligned (am->acls, a, CLIB_CACHE_LINE_BYTES);
238 memset (a, 0, sizeof (*a));
239 /* Will return the newly allocated ACL index */
240 *acl_list_index = a - am->acls;
244 a = am->acls + *acl_list_index;
245 /* Get rid of the old rules */
246 clib_mem_free (a->rules);
248 a->rules = acl_new_rules;
250 memcpy (a->tag, tag, sizeof (a->tag));
256 acl_del_list (u32 acl_list_index)
258 acl_main_t *am = &acl_main;
261 if (pool_is_free_index (am->acls, acl_list_index))
266 /* delete any references to the ACL */
267 for (i = 0; i < vec_len (am->output_acl_vec_by_sw_if_index); i++)
269 for (ii = 0; ii < vec_len (am->output_acl_vec_by_sw_if_index[i]);
272 if (acl_list_index == am->output_acl_vec_by_sw_if_index[i][ii])
274 vec_del1 (am->output_acl_vec_by_sw_if_index[i], ii);
282 for (i = 0; i < vec_len (am->input_acl_vec_by_sw_if_index); i++)
284 for (ii = 0; ii < vec_len (am->input_acl_vec_by_sw_if_index[i]);
287 if (acl_list_index == am->input_acl_vec_by_sw_if_index[i][ii])
289 vec_del1 (am->input_acl_vec_by_sw_if_index[i], ii);
298 /* now we can delete the ACL itself */
299 a = &am->acls[acl_list_index];
302 clib_mem_free (a->rules);
304 pool_put (am->acls, a);
308 /* Some aids in ASCII graphing the content */
314 u8 ip4_5tuple_mask[] =
315 _(" dmac smac etype ")
316 _(ether) __ __ __ __ __ __ v __ __ __ __ __ __ v __ __ v
323 _(" ttl pr checksum ")
332 _("L4 T/U sport dport ")
342 u8 ip6_5tuple_mask[] =
343 _(" dmac smac etype ")
344 _(ether) __ __ __ __ __ __ v __ __ __ __ __ __ v __ __ v
346 _(0x0000) __ __ __ __
348 _(0x0004) __ __ XX __
350 _(0x0008) XX XX XX XX
351 _(0x000C) XX XX XX XX
352 _(0x0010) XX XX XX XX
353 _(0x0014) XX XX XX XX
355 _(0x0018) XX XX XX XX
356 _(0x001C) XX XX XX XX
357 _(0x0020) XX XX XX XX
358 _(0x0024) XX XX XX XX
359 _("L4T/U sport dport ")
360 _(tcpudp) XX XX XX XX _(padpad) __ __ __ __ _(padeth) __ __;
367 static int count_skip (u8 * p, u32 size)
369 u64 *p64 = (u64 *) p;
370 /* Be tolerant to null pointer */
374 while ((0ULL == *p64) && ((u8 *) p64 - p) < size)
378 return (p64 - (u64 *) p) / 2;
382 acl_classify_add_del_table_big (vnet_classify_main_t * cm, u8 * mask,
383 u32 mask_len, u32 next_table_index,
384 u32 miss_next_index, u32 * table_index,
387 u32 nbuckets = 65536;
388 u32 memory_size = 2 << 30;
389 u32 skip = count_skip (mask, mask_len);
390 u32 match = (mask_len / 16) - skip;
391 u8 *skip_mask_ptr = mask + 16 * skip;
392 u32 current_data_flag = 0;
393 int current_data_offset = 0;
398 return vnet_classify_add_del_table (cm, skip_mask_ptr, nbuckets,
399 memory_size, skip, match,
400 next_table_index, miss_next_index,
401 table_index, current_data_flag,
402 current_data_offset, is_add,
403 1 /* delete_chain */);
407 acl_classify_add_del_table_small (vnet_classify_main_t * cm, u8 * mask,
408 u32 mask_len, u32 next_table_index,
409 u32 miss_next_index, u32 * table_index,
413 u32 memory_size = 2 << 20;
414 u32 skip = count_skip (mask, mask_len);
415 u32 match = (mask_len / 16) - skip;
416 u8 *skip_mask_ptr = mask + 16 * skip;
417 u32 current_data_flag = 0;
418 int current_data_offset = 0;
423 return vnet_classify_add_del_table (cm, skip_mask_ptr, nbuckets,
424 memory_size, skip, match,
425 next_table_index, miss_next_index,
426 table_index, current_data_flag,
427 current_data_offset, is_add,
428 1 /* delete_chain */);
433 acl_unhook_l2_input_classify (acl_main_t * am, u32 sw_if_index)
435 vnet_classify_main_t *cm = &vnet_classify_main;
436 u32 ip4_table_index = ~0;
437 u32 ip6_table_index = ~0;
439 vec_validate_init_empty (am->acl_ip4_input_classify_table_by_sw_if_index,
441 vec_validate_init_empty (am->acl_ip6_input_classify_table_by_sw_if_index,
444 vnet_l2_input_classify_enable_disable (sw_if_index, 0);
446 if (am->acl_ip4_input_classify_table_by_sw_if_index[sw_if_index] != ~0)
449 am->acl_ip4_input_classify_table_by_sw_if_index[sw_if_index];
450 am->acl_ip4_input_classify_table_by_sw_if_index[sw_if_index] = ~0;
451 acl_classify_add_del_table_big (cm, ip4_5tuple_mask,
452 sizeof (ip4_5tuple_mask) - 1, ~0,
453 am->l2_input_classify_next_acl,
454 &ip4_table_index, 0);
456 if (am->acl_ip6_input_classify_table_by_sw_if_index[sw_if_index] != ~0)
459 am->acl_ip6_input_classify_table_by_sw_if_index[sw_if_index];
460 am->acl_ip6_input_classify_table_by_sw_if_index[sw_if_index] = ~0;
461 acl_classify_add_del_table_big (cm, ip6_5tuple_mask,
462 sizeof (ip6_5tuple_mask) - 1, ~0,
463 am->l2_input_classify_next_acl,
464 &ip6_table_index, 0);
471 acl_unhook_l2_output_classify (acl_main_t * am, u32 sw_if_index)
473 vnet_classify_main_t *cm = &vnet_classify_main;
474 u32 ip4_table_index = ~0;
475 u32 ip6_table_index = ~0;
477 vec_validate_init_empty (am->acl_ip4_output_classify_table_by_sw_if_index,
479 vec_validate_init_empty (am->acl_ip6_output_classify_table_by_sw_if_index,
482 vnet_l2_output_classify_enable_disable (sw_if_index, 0);
484 if (am->acl_ip4_output_classify_table_by_sw_if_index[sw_if_index] != ~0)
487 am->acl_ip4_output_classify_table_by_sw_if_index[sw_if_index];
488 am->acl_ip4_output_classify_table_by_sw_if_index[sw_if_index] = ~0;
489 acl_classify_add_del_table_big (cm, ip4_5tuple_mask,
490 sizeof (ip4_5tuple_mask) - 1, ~0,
491 am->l2_output_classify_next_acl,
492 &ip4_table_index, 0);
494 if (am->acl_ip6_output_classify_table_by_sw_if_index[sw_if_index] != ~0)
497 am->acl_ip6_output_classify_table_by_sw_if_index[sw_if_index];
498 am->acl_ip6_output_classify_table_by_sw_if_index[sw_if_index] = ~0;
499 acl_classify_add_del_table_big (cm, ip6_5tuple_mask,
500 sizeof (ip6_5tuple_mask) - 1, ~0,
501 am->l2_output_classify_next_acl,
502 &ip6_table_index, 0);
509 acl_hook_l2_input_classify (acl_main_t * am, u32 sw_if_index)
511 vnet_classify_main_t *cm = &vnet_classify_main;
512 u32 ip4_table_index = ~0;
513 u32 ip6_table_index = ~0;
516 /* in case there were previous tables attached */
517 acl_unhook_l2_input_classify (am, sw_if_index);
519 acl_classify_add_del_table_big (cm, ip4_5tuple_mask,
520 sizeof (ip4_5tuple_mask) - 1, ~0,
521 am->l2_input_classify_next_acl,
522 &ip4_table_index, 1);
526 acl_classify_add_del_table_big (cm, ip6_5tuple_mask,
527 sizeof (ip6_5tuple_mask) - 1, ~0,
528 am->l2_input_classify_next_acl,
529 &ip6_table_index, 1);
532 acl_classify_add_del_table_big (cm, ip4_5tuple_mask,
533 sizeof (ip4_5tuple_mask) - 1, ~0,
534 am->l2_input_classify_next_acl,
535 &ip4_table_index, 0);
539 vnet_l2_input_classify_set_tables (sw_if_index, ip4_table_index,
540 ip6_table_index, ~0);
542 ("ACL enabling on interface sw_if_index %d, setting tables to the following: ip4: %d ip6: %d\n",
543 sw_if_index, ip4_table_index, ip6_table_index);
546 acl_classify_add_del_table_big (cm, ip6_5tuple_mask,
547 sizeof (ip6_5tuple_mask) - 1, ~0,
548 am->l2_input_classify_next_acl,
549 &ip6_table_index, 0);
550 acl_classify_add_del_table_big (cm, ip4_5tuple_mask,
551 sizeof (ip4_5tuple_mask) - 1, ~0,
552 am->l2_input_classify_next_acl,
553 &ip4_table_index, 0);
557 am->acl_ip4_input_classify_table_by_sw_if_index[sw_if_index] =
559 am->acl_ip6_input_classify_table_by_sw_if_index[sw_if_index] =
562 vnet_l2_input_classify_enable_disable (sw_if_index, 1);
567 acl_hook_l2_output_classify (acl_main_t * am, u32 sw_if_index)
569 vnet_classify_main_t *cm = &vnet_classify_main;
570 u32 ip4_table_index = ~0;
571 u32 ip6_table_index = ~0;
574 /* in case there were previous tables attached */
575 acl_unhook_l2_output_classify (am, sw_if_index);
577 acl_classify_add_del_table_big (cm, ip4_5tuple_mask,
578 sizeof (ip4_5tuple_mask) - 1, ~0,
579 am->l2_output_classify_next_acl,
580 &ip4_table_index, 1);
584 acl_classify_add_del_table_big (cm, ip6_5tuple_mask,
585 sizeof (ip6_5tuple_mask) - 1, ~0,
586 am->l2_output_classify_next_acl,
587 &ip6_table_index, 1);
590 acl_classify_add_del_table_big (cm, ip4_5tuple_mask,
591 sizeof (ip4_5tuple_mask) - 1, ~0,
592 am->l2_output_classify_next_acl,
593 &ip4_table_index, 0);
597 vnet_l2_output_classify_set_tables (sw_if_index, ip4_table_index,
598 ip6_table_index, ~0);
600 ("ACL enabling on interface sw_if_index %d, setting tables to the following: ip4: %d ip6: %d\n",
601 sw_if_index, ip4_table_index, ip6_table_index);
604 acl_classify_add_del_table_big (cm, ip6_5tuple_mask,
605 sizeof (ip6_5tuple_mask) - 1, ~0,
606 am->l2_output_classify_next_acl,
607 &ip6_table_index, 0);
608 acl_classify_add_del_table_big (cm, ip4_5tuple_mask,
609 sizeof (ip4_5tuple_mask) - 1, ~0,
610 am->l2_output_classify_next_acl,
611 &ip4_table_index, 0);
615 am->acl_ip4_output_classify_table_by_sw_if_index[sw_if_index] =
617 am->acl_ip6_output_classify_table_by_sw_if_index[sw_if_index] =
620 vnet_l2_output_classify_enable_disable (sw_if_index, 1);
626 acl_interface_in_enable_disable (acl_main_t * am, u32 sw_if_index,
632 if (pool_is_free_index (am->vnet_main->interface_main.sw_interfaces,
634 return VNET_API_ERROR_INVALID_SW_IF_INDEX;
638 rv = acl_hook_l2_input_classify (am, sw_if_index);
642 rv = acl_unhook_l2_input_classify (am, sw_if_index);
649 acl_interface_out_enable_disable (acl_main_t * am, u32 sw_if_index,
655 if (pool_is_free_index (am->vnet_main->interface_main.sw_interfaces,
657 return VNET_API_ERROR_INVALID_SW_IF_INDEX;
661 rv = acl_hook_l2_output_classify (am, sw_if_index);
665 rv = acl_unhook_l2_output_classify (am, sw_if_index);
673 acl_interface_add_inout_acl (u32 sw_if_index, u8 is_input, u32 acl_list_index)
675 acl_main_t *am = &acl_main;
678 vec_validate (am->input_acl_vec_by_sw_if_index, sw_if_index);
679 vec_add (am->input_acl_vec_by_sw_if_index[sw_if_index], &acl_list_index,
681 acl_interface_in_enable_disable (am, sw_if_index, 1);
685 vec_validate (am->output_acl_vec_by_sw_if_index, sw_if_index);
686 vec_add (am->output_acl_vec_by_sw_if_index[sw_if_index],
688 acl_interface_out_enable_disable (am, sw_if_index, 1);
694 acl_interface_del_inout_acl (u32 sw_if_index, u8 is_input, u32 acl_list_index)
696 acl_main_t *am = &acl_main;
701 vec_validate (am->input_acl_vec_by_sw_if_index, sw_if_index);
702 for (i = 0; i < vec_len (am->input_acl_vec_by_sw_if_index[sw_if_index]);
705 if (acl_list_index ==
706 am->input_acl_vec_by_sw_if_index[sw_if_index][i])
708 vec_del1 (am->input_acl_vec_by_sw_if_index[sw_if_index], i);
713 if (0 == vec_len (am->input_acl_vec_by_sw_if_index[sw_if_index]))
715 acl_interface_in_enable_disable (am, sw_if_index, 0);
720 vec_validate (am->output_acl_vec_by_sw_if_index, sw_if_index);
722 i < vec_len (am->output_acl_vec_by_sw_if_index[sw_if_index]); i++)
724 if (acl_list_index ==
725 am->output_acl_vec_by_sw_if_index[sw_if_index][i])
727 vec_del1 (am->output_acl_vec_by_sw_if_index[sw_if_index], i);
732 if (0 == vec_len (am->output_acl_vec_by_sw_if_index[sw_if_index]))
734 acl_interface_out_enable_disable (am, sw_if_index, 0);
741 acl_interface_reset_inout_acls (u32 sw_if_index, u8 is_input)
743 acl_main_t *am = &acl_main;
746 acl_interface_in_enable_disable (am, sw_if_index, 0);
747 vec_validate (am->input_acl_vec_by_sw_if_index, sw_if_index);
748 vec_reset_length (am->input_acl_vec_by_sw_if_index[sw_if_index]);
752 acl_interface_out_enable_disable (am, sw_if_index, 0);
753 vec_validate (am->output_acl_vec_by_sw_if_index, sw_if_index);
754 vec_reset_length (am->output_acl_vec_by_sw_if_index[sw_if_index]);
759 acl_interface_add_del_inout_acl (u32 sw_if_index, u8 is_add, u8 is_input,
766 acl_interface_add_inout_acl (sw_if_index, is_input, acl_list_index);
771 acl_interface_del_inout_acl (sw_if_index, is_input, acl_list_index);
778 get_ptr_to_offset (vlib_buffer_t * b0, int offset)
780 u8 *p = vlib_buffer_get_current (b0) + offset;
785 acl_get_l4_proto (vlib_buffer_t * b0, int node_is_ip6)
797 proto = *((u8 *) vlib_buffer_get_current (b0) + proto_offset);
802 acl_match_addr (ip46_address_t * addr1, ip46_address_t * addr2, int prefixlen,
807 /* match any always succeeds */
812 if (memcmp (addr1, addr2, prefixlen / 8))
814 /* If the starting full bytes do not match, no point in bittwidling the thumbs further */
819 u8 b1 = *((u8 *) addr1 + 1 + prefixlen / 8);
820 u8 b2 = *((u8 *) addr2 + 1 + prefixlen / 8);
821 u8 mask0 = (0xff - ((1 << (8 - (prefixlen % 8))) - 1));
822 return (b1 & mask0) == b2;
826 /* The prefix fits into integer number of bytes, so nothing left to do */
832 uint32_t a1 = ntohl (addr1->ip4.as_u32);
833 uint32_t a2 = ntohl (addr2->ip4.as_u32);
834 uint32_t mask0 = 0xffffffff - ((1 << (32 - prefixlen)) - 1);
835 return (a1 & mask0) == a2;
840 acl_match_port (u16 port, u16 port_first, u16 port_last, int is_ip6)
842 return ((port >= port_first) && (port <= port_last));
846 acl_packet_match (acl_main_t * am, u32 acl_index, vlib_buffer_t * b0,
847 u8 * r_action, int *r_is_ip6, u32 * r_acl_match_p,
848 u32 * r_rule_match_p, u32 * trace_bitmap)
850 ethernet_header_t *h0;
853 ip46_address_t src, dst;
864 h0 = vlib_buffer_get_current (b0);
865 type0 = clib_net_to_host_u16 (h0->type);
866 is_ip4 = (type0 == ETHERNET_TYPE_IP4);
867 is_ip6 = (type0 == ETHERNET_TYPE_IP6);
869 if (!(is_ip4 || is_ip6))
873 /* The bunch of hardcoded offsets here is intentional to get rid of them
874 ASAP, when getting to a faster matching code */
877 clib_memcpy (&src.ip4, get_ptr_to_offset (b0, 26), 4);
878 clib_memcpy (&dst.ip4, get_ptr_to_offset (b0, 30), 4);
879 proto = acl_get_l4_proto (b0, 0);
882 *trace_bitmap |= 0x00000001;
884 src_port = *(u8 *) get_ptr_to_offset (b0, 34);
886 dst_port = *(u8 *) get_ptr_to_offset (b0, 35);
891 src_port = (*(u16 *) get_ptr_to_offset (b0, 34));
892 dst_port = (*(u16 *) get_ptr_to_offset (b0, 36));
893 /* UDP gets ability to check on an oddball data byte as a bonus */
894 tcp_flags = *(u8 *) get_ptr_to_offset (b0, 14 + 20 + 13);
897 else /* is_ipv6 implicitly */
899 clib_memcpy (&src, get_ptr_to_offset (b0, 22), 16);
900 clib_memcpy (&dst, get_ptr_to_offset (b0, 38), 16);
901 proto = acl_get_l4_proto (b0, 1);
904 *trace_bitmap |= 0x00000002;
906 src_port = *(u8 *) get_ptr_to_offset (b0, 54);
908 dst_port = *(u8 *) get_ptr_to_offset (b0, 55);
913 src_port = (*(u16 *) get_ptr_to_offset (b0, 54));
914 dst_port = (*(u16 *) get_ptr_to_offset (b0, 56));
915 tcp_flags = *(u8 *) get_ptr_to_offset (b0, 14 + 40 + 13);
918 if (pool_is_free_index (am->acls, acl_index))
921 *r_acl_match_p = acl_index;
923 *r_rule_match_p = -1;
924 /* the ACL does not exist but is used for policy. Block traffic. */
927 a = am->acls + acl_index;
928 for (i = 0; i < a->count; i++)
931 if (is_ip6 != r->is_ipv6)
935 if (!acl_match_addr (&dst, &r->dst, r->dst_prefixlen, is_ip6))
937 if (!acl_match_addr (&src, &r->src, r->src_prefixlen, is_ip6))
941 if (proto != r->proto)
944 (src_port, r->src_port_or_type_first, r->src_port_or_type_last,
948 (dst_port, r->dst_port_or_code_first, r->dst_port_or_code_last,
951 /* No need for check of proto == TCP, since in other rules both fields should be zero, so this match will succeed */
952 if ((tcp_flags & r->tcp_flags_mask) != r->tcp_flags_value)
955 /* everything matches! */
956 *r_action = r->is_permit;
959 *r_acl_match_p = acl_index;
968 input_acl_packet_match (u32 sw_if_index, vlib_buffer_t * b0, u32 * nextp,
969 u32 * acl_match_p, u32 * rule_match_p,
972 acl_main_t *am = &acl_main;
976 vec_validate (am->input_acl_vec_by_sw_if_index, sw_if_index);
977 for (i = 0; i < vec_len (am->input_acl_vec_by_sw_if_index[sw_if_index]);
981 (am, am->input_acl_vec_by_sw_if_index[sw_if_index][i], b0, &action,
982 &is_ip6, acl_match_p, rule_match_p, trace_bitmap))
986 *nextp = am->acl_in_ip6_match_next[action];
990 *nextp = am->acl_in_ip4_match_next[action];
995 if (vec_len (am->input_acl_vec_by_sw_if_index[sw_if_index]) > 0)
997 /* If there are ACLs and none matched, deny by default */
1004 output_acl_packet_match (u32 sw_if_index, vlib_buffer_t * b0, u32 * nextp,
1005 u32 * acl_match_p, u32 * rule_match_p,
1008 acl_main_t *am = &acl_main;
1012 vec_validate (am->output_acl_vec_by_sw_if_index, sw_if_index);
1013 for (i = 0; i < vec_len (am->output_acl_vec_by_sw_if_index[sw_if_index]);
1016 if (acl_packet_match
1017 (am, am->output_acl_vec_by_sw_if_index[sw_if_index][i], b0, &action,
1018 &is_ip6, acl_match_p, rule_match_p, trace_bitmap))
1022 *nextp = am->acl_out_ip6_match_next[action];
1026 *nextp = am->acl_out_ip4_match_next[action];
1031 if (vec_len (am->output_acl_vec_by_sw_if_index[sw_if_index]) > 0)
1033 /* If there are ACLs and none matched, deny by default */
1045 } macip_match_type_t;
1048 macip_find_match_type (macip_match_type_t * mv, u8 * mac_mask, u8 prefix_len,
1054 for (i = 0; i < vec_len (mv); i++)
1056 if ((mv[i].prefix_len == prefix_len) && (mv[i].is_ipv6 == is_ipv6)
1057 && (0 == memcmp (mv[i].mac_mask, mac_mask, 6)))
1067 /* Get metric used to sort match types.
1068 The more specific and the more often seen - the bigger the metric */
1070 match_type_metric (macip_match_type_t * m)
1072 /* FIXME: count the ones in the MAC mask as well, check how well this heuristic works in real life */
1073 return m->prefix_len + m->is_ipv6 + 10 * m->count;
1077 match_type_compare (macip_match_type_t * m1, macip_match_type_t * m2)
1079 /* Ascending sort based on the metric values */
1080 return match_type_metric (m1) - match_type_metric (m2);
1084 macip_create_classify_tables (acl_main_t * am, u32 macip_acl_index)
1086 macip_match_type_t *mvec = NULL;
1087 macip_match_type_t *mt;
1088 macip_acl_list_t *a = &am->macip_acls[macip_acl_index];
1090 u32 match_type_index;
1093 vnet_classify_main_t *cm = &vnet_classify_main;
1095 /* Count the number of different types of rules */
1096 for (i = 0; i < a->count; i++)
1100 macip_find_match_type (mvec, a->rules[i].src_mac_mask,
1101 a->rules[i].src_prefixlen,
1102 a->rules[i].is_ipv6)))
1104 match_type_index = vec_len (mvec);
1105 vec_validate (mvec, match_type_index);
1106 memcpy (mvec[match_type_index].mac_mask,
1107 a->rules[match_type_index].src_mac_mask, 6);
1108 mvec[match_type_index].prefix_len = a->rules[i].src_prefixlen;
1109 mvec[match_type_index].is_ipv6 = a->rules[i].is_ipv6;
1110 mvec[match_type_index].table_index = ~0;
1112 mvec[match_type_index].count++;
1114 /* Put the most frequently used tables last in the list so we can create classifier tables in reverse order */
1115 vec_sort_with_function (mvec, match_type_compare);
1116 /* Create the classifier tables */
1118 vec_foreach (mt, mvec)
1121 int is6 = a->rules[i].is_ipv6;
1122 int l3_src_offs = is6 ? 22 : 26; /* See the ascii art packet format above to verify these */
1123 memset (mask, 0, sizeof (mask));
1124 memcpy (&mask[6], mt->mac_mask, 6);
1125 for (i = 0; i < (mt->prefix_len / 8); i++)
1127 mask[l3_src_offs + i] = 0xff;
1129 if (mt->prefix_len % 8)
1131 mask[l3_src_offs + (mt->prefix_len / 8)] =
1132 0xff - ((1 << (8 - mt->prefix_len % 8)) - 1);
1134 mask_len = ((l3_src_offs + (mt->prefix_len / 8)) / 16 + 1) * 16;
1135 acl_classify_add_del_table_small (cm, mask, mask_len, last_table,
1136 (~0 == last_table) ? 0 : ~0, &mt->table_index,
1138 last_table = mt->table_index;
1140 a->ip4_table_index = ~0;
1141 a->ip6_table_index = ~0;
1142 a->l2_table_index = last_table;
1144 /* Populate the classifier tables with rules from the MACIP ACL */
1145 for (i = 0; i < a->count; i++)
1149 int is6 = a->rules[i].is_ipv6;
1150 int l3_src_offs = is6 ? 22 : 26; /* See the ascii art packet format above to verify these */
1151 memset (mask, 0, sizeof (mask));
1152 memcpy (&mask[6], a->rules[i].src_mac, 6);
1155 memcpy (&mask[l3_src_offs], &a->rules[i].src_ip_addr.ip6, 16);
1159 memcpy (&mask[l3_src_offs], &a->rules[i].src_ip_addr.ip4, 4);
1162 macip_find_match_type (mvec, a->rules[i].src_mac_mask,
1163 a->rules[i].src_prefixlen,
1164 a->rules[i].is_ipv6);
1165 /* add session to table mvec[match_type_index].table_index; */
1166 vnet_classify_add_del_session (cm, mvec[match_type_index].table_index,
1167 mask, a->rules[i].is_permit ? ~0 : 0, i,
1168 0, action, metadata, 1);
1174 macip_destroy_classify_tables (acl_main_t * am, u32 macip_acl_index)
1176 vnet_classify_main_t *cm = &vnet_classify_main;
1177 macip_acl_list_t *a = &am->macip_acls[macip_acl_index];
1179 if (a->ip4_table_index != ~0)
1181 acl_classify_add_del_table_small (cm, 0, ~0, ~0, ~0, &a->ip4_table_index, 0);
1182 a->ip4_table_index = ~0;
1184 if (a->ip6_table_index != ~0)
1186 acl_classify_add_del_table_small (cm, 0, ~0, ~0, ~0, &a->ip6_table_index, 0);
1187 a->ip6_table_index = ~0;
1189 if (a->l2_table_index != ~0)
1191 acl_classify_add_del_table_small (cm, 0, ~0, ~0, ~0, &a->l2_table_index, 0);
1192 a->l2_table_index = ~0;
1197 macip_acl_add_list (u32 count, vl_api_macip_acl_rule_t rules[],
1198 u32 * acl_list_index, u8 * tag)
1200 acl_main_t *am = &acl_main;
1201 macip_acl_list_t *a;
1202 macip_acl_rule_t *r;
1203 macip_acl_rule_t *acl_new_rules;
1206 /* Create and populate the rules */
1207 acl_new_rules = clib_mem_alloc_aligned (sizeof (macip_acl_rule_t) * count,
1208 CLIB_CACHE_LINE_BYTES);
1211 /* Could not allocate rules. New or existing ACL - bail out regardless */
1215 for (i = 0; i < count; i++)
1217 r = &acl_new_rules[i];
1218 r->is_permit = rules[i].is_permit;
1219 r->is_ipv6 = rules[i].is_ipv6;
1220 memcpy (&r->src_mac, rules[i].src_mac, 6);
1221 memcpy (&r->src_mac_mask, rules[i].src_mac_mask, 6);
1223 memcpy (&r->src_ip_addr, rules[i].src_ip_addr, sizeof (r->src_ip_addr));
1224 r->src_prefixlen = rules[i].src_ip_prefix_len;
1228 pool_get_aligned (am->macip_acls, a, CLIB_CACHE_LINE_BYTES);
1229 memset (a, 0, sizeof (*a));
1230 /* Will return the newly allocated ACL index */
1231 *acl_list_index = a - am->macip_acls;
1233 a->rules = acl_new_rules;
1235 memcpy (a->tag, tag, sizeof (a->tag));
1237 /* Create and populate the classifer tables */
1238 macip_create_classify_tables (am, *acl_list_index);
1244 /* No check for validity of sw_if_index - the callers were supposed to validate */
1247 macip_acl_interface_add_acl (acl_main_t * am, u32 sw_if_index,
1248 u32 macip_acl_index)
1250 macip_acl_list_t *a;
1252 if (pool_is_free_index (am->macip_acls, macip_acl_index))
1256 a = &am->macip_acls[macip_acl_index];
1257 vec_validate_init_empty (am->macip_acl_by_sw_if_index, sw_if_index, ~0);
1258 am->macip_acl_by_sw_if_index[sw_if_index] = macip_acl_index;
1259 /* Apply the classifier tables for L2 ACLs */
1261 vnet_set_input_acl_intfc (am->vlib_main, sw_if_index, a->ip4_table_index,
1262 a->ip6_table_index, a->l2_table_index, 1);
1267 macip_acl_interface_del_acl (acl_main_t * am, u32 sw_if_index)
1270 vec_validate_init_empty (am->macip_acl_by_sw_if_index, sw_if_index, ~0);
1271 am->macip_acl_by_sw_if_index[sw_if_index] = ~0;
1272 /* remove the classifier tables off the interface L2 ACL */
1273 rv = vnet_set_input_acl_intfc (am->vlib_main, sw_if_index, ~0, ~0, ~0, 0);
1278 macip_acl_del_list (u32 acl_list_index)
1280 acl_main_t *am = &acl_main;
1281 macip_acl_list_t *a;
1283 if (pool_is_free_index (am->macip_acls, acl_list_index))
1288 /* delete any references to the ACL */
1289 for (i = 0; i < vec_len (am->macip_acl_by_sw_if_index); i++)
1291 if (am->macip_acl_by_sw_if_index[i] == acl_list_index)
1293 macip_acl_interface_del_acl (am, i);
1297 /* Now that classifier tables are detached, clean them up */
1298 macip_destroy_classify_tables (am, acl_list_index);
1300 /* now we can delete the ACL itself */
1301 a = &am->macip_acls[acl_list_index];
1304 clib_mem_free (a->rules);
1306 pool_put (am->macip_acls, a);
1312 macip_acl_interface_add_del_acl (u32 sw_if_index, u8 is_add,
1315 acl_main_t *am = &acl_main;
1319 rv = macip_acl_interface_add_acl (am, sw_if_index, acl_list_index);
1323 rv = macip_acl_interface_del_acl (am, sw_if_index);
1328 /* API message handler */
1330 vl_api_acl_add_replace_t_handler (vl_api_acl_add_replace_t * mp)
1332 vl_api_acl_add_replace_reply_t *rmp;
1333 acl_main_t *am = &acl_main;
1335 u32 acl_list_index = ntohl (mp->acl_index);
1337 rv = acl_add_list (ntohl (mp->count), mp->r, &acl_list_index, mp->tag);
1340 REPLY_MACRO2(VL_API_ACL_ADD_REPLACE_REPLY,
1342 rmp->acl_index = htonl(acl_list_index);
1348 vl_api_acl_del_t_handler (vl_api_acl_del_t * mp)
1350 acl_main_t *sm = &acl_main;
1351 vl_api_acl_del_reply_t *rmp;
1354 rv = acl_del_list (ntohl (mp->acl_index));
1356 REPLY_MACRO (VL_API_ACL_DEL_REPLY);
1360 vl_api_acl_interface_add_del_t_handler (vl_api_acl_interface_add_del_t * mp)
1362 acl_main_t *sm = &acl_main;
1363 vnet_interface_main_t *im = &sm->vnet_main->interface_main;
1364 u32 sw_if_index = ntohl (mp->sw_if_index);
1365 vl_api_acl_interface_add_del_reply_t *rmp;
1368 if (pool_is_free_index(im->sw_interfaces, sw_if_index))
1369 rv = VNET_API_ERROR_INVALID_SW_IF_INDEX;
1372 acl_interface_add_del_inout_acl (sw_if_index, mp->is_add,
1373 mp->is_input, ntohl (mp->acl_index));
1375 REPLY_MACRO (VL_API_ACL_INTERFACE_ADD_DEL_REPLY);
1379 vl_api_acl_interface_set_acl_list_t_handler
1380 (vl_api_acl_interface_set_acl_list_t * mp)
1382 acl_main_t *sm = &acl_main;
1383 vl_api_acl_interface_set_acl_list_reply_t *rmp;
1386 vnet_interface_main_t *im = &sm->vnet_main->interface_main;
1387 u32 sw_if_index = ntohl (mp->sw_if_index);
1389 if (pool_is_free_index(im->sw_interfaces, sw_if_index))
1390 rv = VNET_API_ERROR_INVALID_SW_IF_INDEX;
1393 acl_interface_reset_inout_acls (sw_if_index, 0);
1394 acl_interface_reset_inout_acls (sw_if_index, 1);
1396 for (i = 0; i < mp->count; i++)
1398 acl_interface_add_del_inout_acl (sw_if_index, 1, (i < mp->n_input),
1399 ntohl (mp->acls[i]));
1403 REPLY_MACRO (VL_API_ACL_INTERFACE_SET_ACL_LIST_REPLY);
1407 copy_acl_rule_to_api_rule (vl_api_acl_rule_t * api_rule, acl_rule_t * r)
1409 api_rule->is_permit = r->is_permit;
1410 api_rule->is_ipv6 = r->is_ipv6;
1413 memcpy (api_rule->src_ip_addr, &r->src, sizeof (r->src));
1414 memcpy (api_rule->dst_ip_addr, &r->dst, sizeof (r->dst));
1418 memcpy (api_rule->src_ip_addr, &r->src.ip4, sizeof (r->src.ip4));
1419 memcpy (api_rule->dst_ip_addr, &r->dst.ip4, sizeof (r->dst.ip4));
1421 api_rule->src_ip_prefix_len = r->src_prefixlen;
1422 api_rule->dst_ip_prefix_len = r->dst_prefixlen;
1423 api_rule->proto = r->proto;
1424 api_rule->srcport_or_icmptype_first = r->src_port_or_type_first;
1425 api_rule->srcport_or_icmptype_last = r->src_port_or_type_last;
1426 api_rule->dstport_or_icmpcode_first = r->dst_port_or_code_first;
1427 api_rule->dstport_or_icmpcode_last = r->dst_port_or_code_last;
1428 api_rule->tcp_flags_mask = r->tcp_flags_mask;
1429 api_rule->tcp_flags_value = r->tcp_flags_value;
1433 send_acl_details (acl_main_t * am, unix_shared_memory_queue_t * q,
1434 acl_list_t * acl, u32 context)
1436 vl_api_acl_details_t *mp;
1437 vl_api_acl_rule_t *rules;
1439 int msg_size = sizeof (*mp) + sizeof (mp->r[0]) * acl->count;
1441 mp = vl_msg_api_alloc (msg_size);
1442 memset (mp, 0, msg_size);
1443 mp->_vl_msg_id = ntohs (VL_API_ACL_DETAILS + am->msg_id_base);
1445 /* fill in the message */
1446 mp->context = context;
1447 mp->count = htonl (acl->count);
1448 mp->acl_index = htonl (acl - am->acls);
1449 memcpy (mp->tag, acl->tag, sizeof (mp->tag));
1450 // clib_memcpy (mp->r, acl->rules, acl->count * sizeof(acl->rules[0]));
1452 for (i = 0; i < acl->count; i++)
1454 copy_acl_rule_to_api_rule (&rules[i], &acl->rules[i]);
1457 clib_warning("Sending acl details for ACL index %d", ntohl(mp->acl_index));
1458 vl_msg_api_send_shmem (q, (u8 *) & mp);
1463 vl_api_acl_dump_t_handler (vl_api_acl_dump_t * mp)
1465 acl_main_t *am = &acl_main;
1470 unix_shared_memory_queue_t *q;
1472 q = vl_api_client_index_to_input_queue (mp->client_index);
1478 if (mp->acl_index == ~0)
1481 /* Just dump all ACLs */
1482 pool_foreach (acl, am->acls,
1484 send_acl_details(am, q, acl, mp->context);
1490 acl_index = ntohl (mp->acl_index);
1491 if (!pool_is_free_index (am->acls, acl_index))
1493 acl = &am->acls[acl_index];
1494 send_acl_details (am, q, acl, mp->context);
1500 /* FIXME API: should we signal an error here at all ? */
1506 send_acl_interface_list_details (acl_main_t * am,
1507 unix_shared_memory_queue_t * q,
1508 u32 sw_if_index, u32 context)
1510 vl_api_acl_interface_list_details_t *mp;
1517 vec_validate (am->input_acl_vec_by_sw_if_index, sw_if_index);
1518 vec_validate (am->output_acl_vec_by_sw_if_index, sw_if_index);
1520 n_input = vec_len (am->input_acl_vec_by_sw_if_index[sw_if_index]);
1521 n_output = vec_len (am->output_acl_vec_by_sw_if_index[sw_if_index]);
1522 count = n_input + n_output;
1524 msg_size = sizeof (*mp);
1525 msg_size += sizeof (mp->acls[0]) * count;
1527 mp = vl_msg_api_alloc (msg_size);
1528 memset (mp, 0, msg_size);
1530 ntohs (VL_API_ACL_INTERFACE_LIST_DETAILS + am->msg_id_base);
1532 /* fill in the message */
1533 mp->context = context;
1534 mp->sw_if_index = htonl (sw_if_index);
1536 mp->n_input = n_input;
1537 for (i = 0; i < n_input; i++)
1539 mp->acls[i] = htonl (am->input_acl_vec_by_sw_if_index[sw_if_index][i]);
1541 for (i = 0; i < n_output; i++)
1543 mp->acls[n_input + i] =
1544 htonl (am->output_acl_vec_by_sw_if_index[sw_if_index][i]);
1547 vl_msg_api_send_shmem (q, (u8 *) & mp);
1551 vl_api_acl_interface_list_dump_t_handler (vl_api_acl_interface_list_dump_t *
1554 acl_main_t *am = &acl_main;
1555 vnet_sw_interface_t *swif;
1556 vnet_interface_main_t *im = &am->vnet_main->interface_main;
1559 unix_shared_memory_queue_t *q;
1561 q = vl_api_client_index_to_input_queue (mp->client_index);
1567 if (mp->sw_if_index == ~0)
1570 pool_foreach (swif, im->sw_interfaces,
1572 send_acl_interface_list_details(am, q, swif->sw_if_index, mp->context);
1578 sw_if_index = ntohl (mp->sw_if_index);
1579 if (!pool_is_free_index(im->sw_interfaces, sw_if_index))
1580 send_acl_interface_list_details (am, q, sw_if_index, mp->context);
1584 /* MACIP ACL API handlers */
1587 vl_api_macip_acl_add_t_handler (vl_api_macip_acl_add_t * mp)
1589 vl_api_macip_acl_add_reply_t *rmp;
1590 acl_main_t *am = &acl_main;
1592 u32 acl_list_index = ~0;
1595 macip_acl_add_list (ntohl (mp->count), mp->r, &acl_list_index, mp->tag);
1598 REPLY_MACRO2(VL_API_MACIP_ACL_ADD_REPLY,
1600 rmp->acl_index = htonl(acl_list_index);
1606 vl_api_macip_acl_del_t_handler (vl_api_macip_acl_del_t * mp)
1608 acl_main_t *sm = &acl_main;
1609 vl_api_macip_acl_del_reply_t *rmp;
1612 rv = macip_acl_del_list (ntohl (mp->acl_index));
1614 REPLY_MACRO (VL_API_MACIP_ACL_DEL_REPLY);
1618 vl_api_macip_acl_interface_add_del_t_handler
1619 (vl_api_macip_acl_interface_add_del_t * mp)
1621 acl_main_t *sm = &acl_main;
1622 vl_api_macip_acl_interface_add_del_reply_t *rmp;
1624 vnet_interface_main_t *im = &sm->vnet_main->interface_main;
1625 u32 sw_if_index = ntohl (mp->sw_if_index);
1627 if (pool_is_free_index(im->sw_interfaces, sw_if_index))
1628 rv = VNET_API_ERROR_INVALID_SW_IF_INDEX;
1631 macip_acl_interface_add_del_acl (ntohl (mp->sw_if_index), mp->is_add,
1632 ntohl (mp->acl_index));
1634 REPLY_MACRO (VL_API_MACIP_ACL_INTERFACE_ADD_DEL_REPLY);
1638 send_macip_acl_details (acl_main_t * am, unix_shared_memory_queue_t * q,
1639 macip_acl_list_t * acl, u32 context)
1641 vl_api_macip_acl_details_t *mp;
1642 vl_api_macip_acl_rule_t *rules;
1643 macip_acl_rule_t *r;
1645 int msg_size = sizeof (*mp) + (acl ? sizeof (mp->r[0]) * acl->count : 0);
1647 mp = vl_msg_api_alloc (msg_size);
1648 memset (mp, 0, msg_size);
1649 mp->_vl_msg_id = ntohs (VL_API_MACIP_ACL_DETAILS + am->msg_id_base);
1651 /* fill in the message */
1652 mp->context = context;
1655 memcpy (mp->tag, acl->tag, sizeof (mp->tag));
1656 mp->count = htonl (acl->count);
1657 mp->acl_index = htonl (acl - am->macip_acls);
1659 for (i = 0; i < acl->count; i++)
1662 rules[i].is_permit = r->is_permit;
1663 rules[i].is_ipv6 = r->is_ipv6;
1664 memcpy (rules[i].src_mac, &r->src_mac, sizeof (r->src_mac));
1665 memcpy (rules[i].src_mac_mask, &r->src_mac_mask,
1666 sizeof (r->src_mac_mask));
1668 memcpy (rules[i].src_ip_addr, &r->src_ip_addr,
1669 sizeof (r->src_ip_addr));
1670 rules[i].src_ip_prefix_len = r->src_prefixlen;
1675 /* No martini, no party - no ACL applied to this interface. */
1680 vl_msg_api_send_shmem (q, (u8 *) & mp);
1685 vl_api_macip_acl_dump_t_handler (vl_api_macip_acl_dump_t * mp)
1687 acl_main_t *am = &acl_main;
1688 macip_acl_list_t *acl;
1690 unix_shared_memory_queue_t *q;
1692 q = vl_api_client_index_to_input_queue (mp->client_index);
1698 if (mp->acl_index == ~0)
1700 /* Just dump all ACLs for now, with sw_if_index = ~0 */
1701 pool_foreach (acl, am->macip_acls, (
1703 send_macip_acl_details (am, q, acl,
1711 u32 acl_index = ntohl (mp->acl_index);
1712 if (!pool_is_free_index (am->macip_acls, acl_index))
1714 acl = &am->macip_acls[acl_index];
1715 send_macip_acl_details (am, q, acl, mp->context);
1721 vl_api_macip_acl_interface_get_t_handler (vl_api_macip_acl_interface_get_t *
1724 acl_main_t *am = &acl_main;
1725 vl_api_macip_acl_interface_get_reply_t *rmp;
1726 u32 count = vec_len (am->macip_acl_by_sw_if_index);
1727 int msg_size = sizeof (*rmp) + sizeof (rmp->acls[0]) * count;
1728 unix_shared_memory_queue_t *q;
1731 q = vl_api_client_index_to_input_queue (mp->client_index);
1737 rmp = vl_msg_api_alloc (msg_size);
1738 memset (rmp, 0, msg_size);
1740 ntohs (VL_API_MACIP_ACL_INTERFACE_GET_REPLY + am->msg_id_base);
1741 rmp->context = mp->context;
1742 rmp->count = htonl (count);
1743 for (i = 0; i < count; i++)
1745 rmp->acls[i] = htonl (am->macip_acl_by_sw_if_index[i]);
1748 vl_msg_api_send_shmem (q, (u8 *) & rmp);
1753 /* Set up the API message handling tables */
1754 static clib_error_t *
1755 acl_plugin_api_hookup (vlib_main_t * vm)
1757 acl_main_t *sm = &acl_main;
1759 vl_msg_api_set_handlers((VL_API_##N + sm->msg_id_base), \
1761 vl_api_##n##_t_handler, \
1763 vl_api_##n##_t_endian, \
1764 vl_api_##n##_t_print, \
1765 sizeof(vl_api_##n##_t), 1);
1766 foreach_acl_plugin_api_msg;
1772 #define vl_msg_name_crc_list
1773 #include <acl/acl_all_api_h.h>
1774 #undef vl_msg_name_crc_list
1777 setup_message_id_table (acl_main_t * sm, api_main_t * am)
1779 #define _(id,n,crc) \
1780 vl_msg_api_add_msg_name_crc (am, #n "_" #crc, id + sm->msg_id_base);
1781 foreach_vl_msg_name_crc_acl;
1786 register_match_action_nexts (u32 next_in_ip4, u32 next_in_ip6,
1787 u32 next_out_ip4, u32 next_out_ip6)
1789 acl_main_t *am = &acl_main;
1790 u32 act = am->n_match_actions;
1791 if (am->n_match_actions == 255)
1795 am->n_match_actions++;
1796 am->acl_in_ip4_match_next[act] = next_in_ip4;
1797 am->acl_in_ip6_match_next[act] = next_in_ip6;
1798 am->acl_out_ip4_match_next[act] = next_out_ip4;
1799 am->acl_out_ip6_match_next[act] = next_out_ip6;
1804 acl_setup_nodes (void)
1806 vlib_main_t *vm = vlib_get_main ();
1807 acl_main_t *am = &acl_main;
1810 n = vlib_get_node_by_name (vm, (u8 *) "l2-input-classify");
1811 am->l2_input_classify_next_acl =
1812 vlib_node_add_next_with_slot (vm, n->index, acl_in_node.index, ~0);
1813 n = vlib_get_node_by_name (vm, (u8 *) "l2-output-classify");
1814 am->l2_output_classify_next_acl =
1815 vlib_node_add_next_with_slot (vm, n->index, acl_out_node.index, ~0);
1817 feat_bitmap_init_next_nodes (vm, acl_in_node.index, L2INPUT_N_FEAT,
1818 l2input_get_feat_names (),
1819 am->acl_in_node_input_next_node_index);
1821 memset (&am->acl_in_ip4_match_next[0], 0,
1822 sizeof (am->acl_in_ip4_match_next));
1823 memset (&am->acl_in_ip6_match_next[0], 0,
1824 sizeof (am->acl_in_ip6_match_next));
1825 memset (&am->acl_out_ip4_match_next[0], 0,
1826 sizeof (am->acl_out_ip4_match_next));
1827 memset (&am->acl_out_ip6_match_next[0], 0,
1828 sizeof (am->acl_out_ip6_match_next));
1829 am->n_match_actions = 0;
1831 register_match_action_nexts (0, 0, 0, 0); /* drop */
1832 register_match_action_nexts (~0, ~0, ~0, ~0); /* permit */
1833 register_match_action_nexts (ACL_IN_L2S_INPUT_IP4_ADD, ACL_IN_L2S_INPUT_IP6_ADD, ACL_OUT_L2S_OUTPUT_IP4_ADD, ACL_OUT_L2S_OUTPUT_IP6_ADD); /* permit + create session */
1838 static clib_error_t *
1839 acl_init (vlib_main_t * vm)
1841 acl_main_t *am = &acl_main;
1842 clib_error_t *error = 0;
1843 memset (am, 0, sizeof (*am));
1845 am->vnet_main = vnet_get_main ();
1847 u8 *name = format (0, "acl_%08x%c", api_version, 0);
1849 /* Ask for a correctly-sized block of API message decode slots */
1850 am->msg_id_base = vl_msg_api_get_msg_ids ((char *) name,
1851 VL_MSG_FIRST_AVAILABLE);
1853 error = acl_plugin_api_hookup (vm);
1856 /* Add our API messages to the global name_crc hash table */
1857 setup_message_id_table (am, &api_main);
1864 VLIB_INIT_FUNCTION (acl_init);
Code Review / vpp.git / blob