1 /* Hey Emacs use -*- mode: C -*- */
3 * Copyright (c) 2016 Cisco and/or its affiliates.
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at:
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 This file defines the vpp control-plane API messages
19 used to control the ACL plugin
22 option version = "1.0.1";
24 /** \brief Get the plugin version
25 @param client_index - opaque cookie to identify the sender
26 @param context - sender context, to match reply w/ request
29 define acl_plugin_get_version
35 /** \brief Reply to get the plugin version
36 @param context - returned sender context, to match reply w/ request
37 @param major - Incremented every time a known breaking behavior change is introduced
38 @param minor - Incremented with small changes, may be used to avoid buggy versions
41 define acl_plugin_get_version_reply
48 /** \brief Control ping from client to api server request
49 @param client_index - opaque cookie to identify the sender
50 @param context - sender context, to match reply w/ request
52 define acl_plugin_control_ping
58 /** \brief Control ping from the client to the server response
59 @param client_index - opaque cookie to identify the sender
60 @param context - sender context, to match reply w/ request
61 @param retval - return code for the request
62 @param vpe_pid - the pid of the vpe, returned by the server
64 define acl_plugin_control_ping_reply
72 /** \brief Get Connection table max entries
73 @param client_index - opaque cookie to identify the sender
74 @param context - sender context, to match reply w/ request
77 define acl_plugin_get_conn_table_max_entries
83 /** \brief Reply to get connection table max entries
84 @param context - sender context, to match reply w/ request
85 @param conn_table_max_entries - the value of maximum entries of connection table
87 define acl_plugin_get_conn_table_max_entries_reply
90 u64 conn_table_max_entries;
93 /** \brief Access List Rule entry
94 @param is_permit - deny (0), permit (1), or permit+reflect(2) action on this rule.
95 @param is_ipv6 - IP addresses in this rule are IPv6 (1) or IPv4 (0)
96 @param src_ip_addr - Source prefix value
97 @param src_ip_prefix_len - Source prefix length
98 @param dst_ip_addr - Destination prefix value
99 @param dst_ip_prefix_len - Destination prefix length
100 @param proto - L4 protocol (http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml)
101 @param srcport_or_icmptype_first - beginning of source port or ICMP4/6 type range
102 @param srcport_or_icmptype_last - end of source port or ICMP4/6 type range
103 @param dstport_or_icmpcode_first - beginning of destination port or ICMP4/6 code range
104 @param dstport_or_icmpcode_last - end of destination port or ICMP4/6 code range
105 @param tcp_flags_mask - if proto==6, mask to AND the TCP flags in the packet with
106 @param tcp_flags_value - if proto==6, match masked TCP flags with this value
109 typeonly manual_print define acl_rule
114 u8 src_ip_prefix_len;
116 u8 dst_ip_prefix_len;
118 * L4 protocol. IANA number. 1 = ICMP, 58 = ICMPv6, 6 = TCP, 17 = UDP.
119 * 0 => ignore L4 and ignore the ports/tcpflags when matching.
123 * If the L4 protocol is TCP or UDP, the below
124 * hold ranges of ports, else if the L4 is ICMP/ICMPv6
125 * they hold ranges of ICMP(v6) types/codes.
127 * Ranges are inclusive, i.e. to match "any" TCP/UDP port,
128 * use first=0,last=65535. For ICMP(v6),
129 * use first=0,last=255.
131 u16 srcport_or_icmptype_first;
132 u16 srcport_or_icmptype_last;
133 u16 dstport_or_icmpcode_first;
134 u16 dstport_or_icmpcode_last;
136 * for proto = 6, this matches if the
137 * TCP flags in the packet, ANDed with tcp_flags_mask,
138 * is equal to tcp_flags_value.
144 /** \brief MACIP Access List Rule entry
145 @param is_permit - deny (0), permit (1) action on this rule.
146 @param is_ipv6 - IP addresses in this rule are IPv6 (1) or IPv4 (0)
147 @param src_mac - match masked source MAC address against this value
148 @param src_mac_mask - AND source MAC address with this value before matching
149 @param src_ip_addr - Source prefix value
150 @param src_ip_prefix_len - Source prefix length
153 typeonly manual_print define macip_acl_rule
158 * The source MAC of the packet, ANDed with src_mac_mask, is matched against src_mac.
159 * The source ip[46] address in the packet is matched
160 * against src_ip_addr, with src_ip_prefix_len set to 0.
162 * For better performance, minimize the number of
163 * (src_mac_mask, src_ip_prefix_len) combinations
169 u8 src_ip_prefix_len;
172 /** \brief Replace an existing ACL in-place or create a new ACL
173 @param client_index - opaque cookie to identify the sender
174 @param context - sender context, to match reply w/ request
175 @param acl_index - an existing ACL entry (0..0xfffffffe) to replace, or 0xffffffff to make new ACL
176 @param tag - a string value stored along with the ACL, for descriptive purposes
177 @param count - number of ACL rules
178 @param r - Rules for this access-list
181 manual_print manual_endian define acl_add_replace
185 u32 acl_index; /* ~0 to add, existing ACL# to replace */
186 u8 tag[64]; /* What gets in here gets out in the corresponding tag field when dumping the ACLs. */
188 vl_api_acl_rule_t r[count];
191 /** \brief Reply to add/replace ACL
192 @param context - returned sender context, to match reply w/ request
193 @param acl_index - index of the updated or newly created ACL
194 @param retval 0 - no error
197 define acl_add_replace_reply
204 /** \brief Delete an ACL
205 @param client_index - opaque cookie to identify the sender
206 @param context - sender context, to match reply w/ request
207 @param acl_index - ACL index to delete
210 autoreply manual_print define acl_del
217 /* acl_interface_add_del(_reply) to be deprecated in favor of acl_interface_set_acl_list */
218 /** \brief Use acl_interface_set_acl_list instead
219 Append/remove an ACL index to/from the list of ACLs checked for an interface
220 @param client_index - opaque cookie to identify the sender
221 @param context - sender context, to match reply w/ request
222 @param is_add - add or delete the ACL index from the list
223 @param is_input - check the ACL on input (1) or output (0)
224 @param sw_if_index - the interface to alter the list of ACLs on
225 @param acl_index - index of ACL for the operation
228 autoreply manual_print define acl_interface_add_del
234 * is_input = 0 => ACL applied on interface egress
235 * is_input = 1 => ACL applied on interface ingress
242 /** \brief Set the vector of input/output ACLs checked for an interface
243 @param client_index - opaque cookie to identify the sender
244 @param context - sender context, to match reply w/ request
245 @param sw_if_index - the interface to alter the list of ACLs on
246 @param count - total number of ACL indices in the vector
247 @param n_input - the first n_input elements are input ACLs, the remaining (count - n_input) are output ACLs
248 @param acls - vector of ACL indices
251 autoreply manual_print define acl_interface_set_acl_list
257 u8 n_input; /* First n_input ACLs are set as a list of input ACLs, the rest are applied as output */
261 /** \brief Reply to set the ACL list on an interface
262 @param context - returned sender context, to match reply w/ request
263 @param retval 0 - no error
266 /** \brief Dump the specific ACL contents or all of the ACLs' contents
267 @param client_index - opaque cookie to identify the sender
268 @param context - sender context, to match reply w/ request
269 @param acl_index - ACL index to dump, ~0 to dump all ACLs
276 u32 acl_index; /* ~0 for all ACLs */
279 /** \brief Details about a single ACL contents
280 @param context - returned sender context, to match reply w/ request
281 @param acl_index - ACL index whose contents are being sent in this message
282 @param tag - Descriptive tag value which was supplied at ACL creation
283 @param count - Number of rules in this ACL
284 @param r - Array of rules within this ACL
287 manual_endian manual_print define acl_details
291 u8 tag[64]; /* Same blob that was supplied to us when creating the ACL, one hopes. */
293 vl_api_acl_rule_t r[count];
296 /** \brief Dump the list(s) of ACL applied to specific or all interfaces
297 @param client_index - opaque cookie to identify the sender
298 @param context - sender context, to match reply w/ request
299 @param sw_if_index - interface to dump the ACL list for
302 define acl_interface_list_dump
306 u32 sw_if_index; /* ~0 for all interfaces */
309 /** \brief Details about the list of ACLs applied to a single interface
310 @param context - returned sender context, to match reply w/ request
311 @param sw_if_index - interface for which the list of ACLs is applied
312 @param count - total length of acl indices vector
313 @param n_input - this many of indices in the beginning are input ACLs, the rest - output
314 @param acls - the vector of ACL indices
317 define acl_interface_list_details
326 /** \brief Add a MACIP ACL
327 @param client_index - opaque cookie to identify the sender
328 @param context - sender context, to match reply w/ request
329 @param tag - descriptive value for this MACIP ACL
330 @param count - number of rules in this MACIP ACL
331 @param r - vector of MACIP ACL rules
334 manual_endian manual_print define macip_acl_add
340 vl_api_macip_acl_rule_t r[count];
343 /** \brief Reply to add MACIP ACL
344 @param context - returned sender context, to match reply w/ request
345 @param acl_index - index of the newly created MACIP ACL
346 @param retval 0 - no error
349 define macip_acl_add_reply
356 /** \brief Add/Replace a MACIP ACL
357 @param client_index - opaque cookie to identify the sender
358 @param context - sender context, to match reply w/ request
359 @param acl_index - an existing MACIP ACL entry (0..0xfffffffe) to replace, or 0xffffffff to make new MACIP ACL
360 @param tag - descriptive value for this MACIP ACL
361 @param count - number of rules in this MACIP ACL
362 @param r - vector of MACIP ACL rules
365 manual_endian manual_print define macip_acl_add_replace
369 u32 acl_index; /* ~0 to add, existing MACIP ACL# to replace */
372 vl_api_macip_acl_rule_t r[count];
375 /** \brief Reply to add/replace MACIP ACL
376 @param context - returned sender context, to match reply w/ request
377 @param acl_index - index of the updated or newly created MACIP ACL
378 @param retval 0 - no error
381 define macip_acl_add_replace_reply
388 /** \brief Delete a MACIP ACL
389 @param client_index - opaque cookie to identify the sender
390 @param context - sender context, to match reply w/ request
391 @param acl_index - MACIP ACL index to delete
394 autoreply manual_print define macip_acl_del
401 /** \brief Add or delete a MACIP ACL to/from interface
402 @param client_index - opaque cookie to identify the sender
403 @param context - sender context, to match reply w/ request
404 @param is_add - add (1) or delete (0) MACIP ACL from being used on an interface
405 @param sw_if_index - interface to apply the action to
406 @param acl_index - MACIP ACL index
409 autoreply manual_print define macip_acl_interface_add_del
414 /* MACIP ACLs are always input */
419 /** \brief Dump one or all defined MACIP ACLs
420 @param client_index - opaque cookie to identify the sender
421 @param context - sender context, to match reply w/ request
422 @param acl_index - MACIP ACL index or ~0 to dump all MACIP ACLs
425 define macip_acl_dump
429 u32 acl_index; /* ~0 for all ACLs */
432 /** \brief Details about one MACIP ACL
433 @param context - returned sender context, to match reply w/ request
434 @param acl_index - index of this MACIP ACL
435 @param tag - descriptive tag which was supplied during the creation
436 @param count - length of the vector of MACIP ACL rules
437 @param r - rules comprising this MACIP ACL
440 manual_endian manual_print define macip_acl_details
446 vl_api_macip_acl_rule_t r[count];
449 /** \brief Get the vector of MACIP ACL IDs applied to the interfaces
450 @param client_index - opaque cookie to identify the sender
451 @param context - sender context, to match reply w/ request
454 define macip_acl_interface_get
460 /** \brief Reply with the vector of MACIP ACLs by sw_if_index
461 @param context - returned sender context, to match reply w/ request
462 @param count - total number of elements in the vector
463 @param acls - the vector of active MACIP ACL indices per sw_if_index
466 define macip_acl_interface_get_reply
473 /** \brief Dump the list(s) of MACIP ACLs applied to specific or all interfaces
474 @param client_index - opaque cookie to identify the sender
475 @param context - sender context, to match reply w/ request
476 @param sw_if_index - interface to dump the MACIP ACL list for
479 define macip_acl_interface_list_dump
483 u32 sw_if_index; /* ~0 for all interfaces */
486 /** \brief Details about the list of MACIP ACLs applied to a single interface
487 @param context - returned sender context, to match reply w/ request
488 @param sw_if_index - interface for which the list of MACIP ACLs is applied
489 @param count - total length of acl indices vector
490 @param acls - the vector of MACIP ACL indices
493 define macip_acl_interface_list_details
501 /** \brief Set the ethertype whitelists on an interface. The whitelists take effect when ACLs are applied to the interface, so they must be set before the ACLs are applied.
502 @param client_index - opaque cookie to identify the sender
503 @param context - sender context, to match reply w/ request
504 @param sw_if_index - the interface to set the ethertype whitelists on
505 @param count - total number of whitelisted ethertypes in the vector
506 @param n_input - this many first elements correspond to input whitelisted ethertypes, the rest - output
507 @param whitelist - vector of whitelisted ethertypes
510 autoreply manual_print define acl_interface_set_etype_whitelist
515 u8 count; /* Total number of ethertypes in the whitelist */
516 u8 n_input; /* first n_input ethertypes are input, the rest - output */
517 u16 whitelist[count];
520 /** \brief Dump the list(s) of Ethertype whitelists applied to specific or all interfaces
521 @param client_index - opaque cookie to identify the sender
522 @param context - sender context, to match reply w/ request
523 @param sw_if_index - interface to dump the ethertype whitelist for
526 define acl_interface_etype_whitelist_dump
530 u32 sw_if_index; /* ~0 for all interfaces */
533 /** \brief Details about ethertype whitelist on a single interface
534 @param context - returned sender context, to match reply w/ request
535 @param sw_if_index - interface to which the ethertype whitelist is applied
536 @param count - total number of whitelisted ethertypes in the vector
537 @param n_input - this many first elements correspond to input whitelisted ethertypes, the rest - output
538 @param whitelist - vector of whitelisted ethertypes
541 define acl_interface_etype_whitelist_details
546 u8 n_input; /* first n_input ethertypes are input, the rest - output */
547 u16 whitelist[count];
550 /** \brief Enable or disable incrementing ACL counters in stats segment by interface processing
551 @param client_index - opaque cookie to identify the sender
552 @param context - sender context, to match reply w/ request
553 @param enable - whether to enable or disable incrementing the counters
556 autoreply define acl_stats_intf_counters_enable