2 * Copyright (c) 2015 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
16 *------------------------------------------------------------------
17 * acl_test.c - test harness plugin
18 *------------------------------------------------------------------
22 #include <vlibapi/api.h>
23 #include <vlibmemory/api.h>
24 #include <vppinfra/error.h>
25 #include <vnet/ip/ip.h>
26 #include <arpa/inet.h>
28 #include <vnet/ip/ip_format_fns.h>
29 #include <vnet/ethernet/ethernet_format_fns.h>
31 #define __plugin_msg_base acl_test_main.msg_id_base
32 #include <vlibapi/vat_helper_macros.h>
34 uword unformat_sw_if_index (unformat_input_t * input, va_list * args);
36 /* Declare message IDs */
37 #include <acl/acl.api_enum.h>
38 #include <acl/acl.api_types.h>
39 #define vl_print(handle, ...)
41 #define vl_endianfun /* define message structures */
42 #include <acl/acl.api.h>
46 /* API message ID base */
51 acl_test_main_t acl_test_main;
53 #define foreach_reply_retval_aclindex_handler \
54 _(acl_add_replace_reply) \
55 _(macip_acl_add_reply) \
56 _(macip_acl_add_replace_reply)
59 static void vl_api_##n##_t_handler \
60 (vl_api_##n##_t * mp) \
62 vat_main_t * vam = acl_test_main.vat_main; \
63 i32 retval = ntohl(mp->retval); \
64 if (vam->async_mode) { \
65 vam->async_errors += (retval < 0); \
67 clib_warning("ACL index: %d", ntohl(mp->acl_index)); \
68 vam->retval = retval; \
69 vam->result_ready = 1; \
72 foreach_reply_retval_aclindex_handler;
75 /* These two ought to be in a library somewhere but they aren't */
77 my_unformat_mac_address (unformat_input_t * input, va_list * args)
79 u8 *a = va_arg (*args, u8 *);
80 return unformat (input, "%x:%x:%x:%x:%x:%x", &a[0], &a[1], &a[2], &a[3],
85 my_format_mac_address (u8 * s, va_list * args)
87 u8 *a = va_arg (*args, u8 *);
88 return format (s, "%02x:%02x:%02x:%02x:%02x:%02x",
89 a[0], a[1], a[2], a[3], a[4], a[5]);
94 static void vl_api_acl_plugin_get_version_reply_t_handler
95 (vl_api_acl_plugin_get_version_reply_t * mp)
97 vat_main_t * vam = acl_test_main.vat_main;
98 clib_warning("ACL plugin version: %d.%d", ntohl(mp->major), ntohl(mp->minor));
99 vam->result_ready = 1;
103 vl_api_acl_plugin_use_hash_lookup_get_reply_t_handler (
104 vl_api_acl_plugin_use_hash_lookup_get_reply_t *mp)
106 vat_main_t *vam = acl_test_main.vat_main;
107 clib_warning ("ACL hash lookups enabled: %d", mp->enable);
108 vam->result_ready = 1;
111 static void vl_api_acl_interface_list_details_t_handler
112 (vl_api_acl_interface_list_details_t * mp)
115 vat_main_t * vam = acl_test_main.vat_main;
117 vl_api_acl_interface_list_details_t_endian(mp);
118 out = format(out, "sw_if_index: %d, count: %d, n_input: %d\n", mp->sw_if_index, mp->count, mp->n_input);
119 out = format(out, " input ");
120 for(i=0; i<mp->count; i++) {
121 if (i == mp->n_input)
122 out = format(out, "\n output ");
123 out = format(out, "%d ", ntohl (mp->acls[i]));
125 out = format(out, "\n");
126 clib_warning("%s", out);
128 vam->result_ready = 1;
131 static void vl_api_macip_acl_interface_list_details_t_handler
132 (vl_api_macip_acl_interface_list_details_t * mp)
134 // NOT YET IMPLEMENTED
138 static void vl_api_acl_interface_etype_whitelist_details_t_handler
139 (vl_api_acl_interface_etype_whitelist_details_t * mp)
142 vat_main_t * vam = acl_test_main.vat_main;
144 vl_api_acl_interface_etype_whitelist_details_t_endian(mp);
145 out = format(out, "sw_if_index: %d, count: %d, n_input: %d\n", mp->sw_if_index, mp->count, mp->n_input);
146 out = format(out, " input ");
147 for(i=0; i<mp->count; i++) {
148 if (i == mp->n_input)
149 out = format(out, "\n output ");
150 out = format(out, "%04x ", ntohs(mp->whitelist[i]));
152 out = format(out, "\n");
153 clib_warning("%s", out);
155 vam->result_ready = 1;
158 static void vl_api_acl_plugin_get_conn_table_max_entries_reply_t_handler
159 (vl_api_acl_plugin_get_conn_table_max_entries_reply_t * mp)
161 vat_main_t * vam = acl_test_main.vat_main;
162 clib_warning("\nConn table max entries: %d",
163 __bswap_64(mp->conn_table_max_entries) );
164 vam->result_ready = 1;
168 vl_api_acl_rule_t_pretty_format (u8 *out, vl_api_acl_rule_t * a)
170 int af = a->src_prefix.address.af ? AF_INET6 : AF_INET;
171 u8 src[INET6_ADDRSTRLEN];
172 u8 dst[INET6_ADDRSTRLEN];
173 inet_ntop(af, &a->src_prefix.address.un, (void *)src, sizeof(src));
174 inet_ntop(af, &a->dst_prefix.address.un, (void *)dst, sizeof(dst));
176 out = format(out, "%s action %d src %s/%d dst %s/%d proto %d sport %d-%d dport %d-%d tcpflags %d mask %d",
177 a->src_prefix.address.af ? "ipv6" : "ipv4", a->is_permit,
178 src, a->src_prefix.len,
179 dst, a->dst_prefix.len,
181 a->srcport_or_icmptype_first, a->srcport_or_icmptype_last,
182 a->dstport_or_icmpcode_first, a->dstport_or_icmpcode_last,
183 a->tcp_flags_value, a->tcp_flags_mask);
189 static void vl_api_acl_details_t_handler
190 (vl_api_acl_details_t * mp)
193 vat_main_t * vam = acl_test_main.vat_main;
194 vl_api_acl_details_t_endian(mp);
196 out = format(0, "acl_index: %d, count: %d\n tag {%s}\n", mp->acl_index, mp->count, mp->tag);
197 for(i=0; i<mp->count; i++) {
198 out = format(out, " ");
199 out = vl_api_acl_rule_t_pretty_format(out, &mp->r[i]);
200 out = format(out, "%s\n", i<mp->count-1 ? "," : "");
202 clib_warning("%s", out);
204 vam->result_ready = 1;
208 vl_api_macip_acl_rule_t_pretty_format (u8 *out, vl_api_macip_acl_rule_t * a)
210 int af = a->src_prefix.address.af ? AF_INET6 : AF_INET;
211 u8 src[INET6_ADDRSTRLEN];
212 inet_ntop(af, &a->src_prefix.address.un, (void *)src, sizeof(src));
214 out = format(out, "%s action %d ip %s/%d mac %U mask %U",
215 a->src_prefix.address.af ? "ipv6" : "ipv4", a->is_permit,
216 src, a->src_prefix.len,
217 my_format_mac_address, a->src_mac,
218 my_format_mac_address, a->src_mac_mask);
223 static void vl_api_macip_acl_details_t_handler
224 (vl_api_macip_acl_details_t * mp)
227 vat_main_t * vam = acl_test_main.vat_main;
228 vl_api_macip_acl_details_t_endian(mp);
229 u8 *out = format(0,"MACIP acl_index: %d, count: %d\n tag {%s}\n", mp->acl_index, mp->count, mp->tag);
230 for(i=0; i<mp->count; i++) {
231 out = format(out, " ");
232 out = vl_api_macip_acl_rule_t_pretty_format(out, &mp->r[i]);
233 out = format(out, "%s\n", i<mp->count-1 ? "," : "");
235 clib_warning("%s", out);
237 vam->result_ready = 1;
240 static void vl_api_macip_acl_interface_get_reply_t_handler
241 (vl_api_macip_acl_interface_get_reply_t * mp)
244 vat_main_t * vam = acl_test_main.vat_main;
245 u8 *out = format(0, "sw_if_index with MACIP ACL count: %d\n", ntohl(mp->count));
246 for(i=0; i<ntohl(mp->count); i++) {
247 out = format(out, " macip_acl_interface_add_del sw_if_index %d add acl %d\n", i, ntohl(mp->acls[i]));
249 out = format(out, "\n");
250 clib_warning("%s", out);
252 vam->result_ready = 1;
255 static void vl_api_acl_plugin_control_ping_reply_t_handler
256 (vl_api_acl_plugin_control_ping_reply_t * mp)
258 vat_main_t *vam = &vat_main;
259 i32 retval = ntohl (mp->retval);
262 vam->async_errors += (retval < 0);
266 vam->retval = retval;
267 vam->result_ready = 1;
271 static int api_acl_plugin_get_version (vat_main_t * vam)
273 acl_test_main_t * sm = &acl_test_main;
274 vl_api_acl_plugin_get_version_t * mp;
275 u32 msg_size = sizeof(*mp);
278 vam->result_ready = 0;
279 mp = vl_msg_api_alloc_as_if_client(msg_size);
280 clib_memset (mp, 0, msg_size);
281 mp->_vl_msg_id = ntohs (VL_API_ACL_PLUGIN_GET_VERSION + sm->msg_id_base);
282 mp->client_index = vam->my_client_index;
287 /* Wait for a reply... */
292 static int api_macip_acl_interface_get (vat_main_t * vam)
294 acl_test_main_t * sm = &acl_test_main;
295 vl_api_acl_plugin_get_version_t * mp;
296 u32 msg_size = sizeof(*mp);
299 vam->result_ready = 0;
300 mp = vl_msg_api_alloc_as_if_client(msg_size);
301 clib_memset (mp, 0, msg_size);
302 mp->_vl_msg_id = ntohs (VL_API_MACIP_ACL_INTERFACE_GET + sm->msg_id_base);
303 mp->client_index = vam->my_client_index;
308 /* Wait for a reply... */
313 #define vec_validate_acl_rules(v, idx) \
315 if (vec_len(v) < idx+1) { \
316 vec_validate(v, idx); \
317 v[idx].is_permit = 0x1; \
318 v[idx].srcport_or_icmptype_last = 0xffff; \
319 v[idx].dstport_or_icmpcode_last = 0xffff; \
324 /* NOT YET IMPLEMENTED */
325 static int api_acl_plugin_control_ping (vat_main_t * vam)
329 static int api_macip_acl_interface_list_dump (vat_main_t * vam)
334 static int api_acl_add_replace (vat_main_t * vam)
336 acl_test_main_t * sm = &acl_test_main;
337 unformat_input_t * i = vam->input;
338 vl_api_acl_add_replace_t * mp;
340 u32 msg_size = sizeof (*mp); /* without the rules */
342 vl_api_acl_rule_t *rules = 0;
345 int n_rules_override = -1;
350 u32 tcpflags, tcpmask;
351 u32 src_prefix_length = 0, dst_prefix_length = 0;
352 ip4_address_t src_v4address, dst_v4address;
353 ip6_address_t src_v6address, dst_v6address;
357 if (!unformat (i, "%d", &acl_index)) {
361 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
363 if (unformat (i, "permit+reflect"))
365 vec_validate_acl_rules(rules, rule_idx);
366 rules[rule_idx].is_permit = 2;
368 else if (unformat (i, "permit"))
370 vec_validate_acl_rules(rules, rule_idx);
371 rules[rule_idx].is_permit = 1;
373 else if (unformat (i, "deny"))
375 vec_validate_acl_rules(rules, rule_idx);
376 rules[rule_idx].is_permit = 0;
378 else if (unformat (i, "count %d", &n_rules_override))
380 /* we will use this later */
382 else if (unformat (i, "action %d", &action))
384 vec_validate_acl_rules(rules, rule_idx);
385 rules[rule_idx].is_permit = action;
387 else if (unformat (i, "src %U/%d",
388 unformat_ip4_address, &src_v4address, &src_prefix_length))
390 vec_validate_acl_rules(rules, rule_idx);
391 memcpy (rules[rule_idx].src_prefix.address.un.ip4, &src_v4address, 4);
392 rules[rule_idx].src_prefix.address.af = ADDRESS_IP4;
393 rules[rule_idx].src_prefix.len = src_prefix_length;
395 else if (unformat (i, "src %U/%d",
396 unformat_ip6_address, &src_v6address, &src_prefix_length))
398 vec_validate_acl_rules(rules, rule_idx);
399 memcpy (rules[rule_idx].src_prefix.address.un.ip6, &src_v6address, 16);
400 rules[rule_idx].src_prefix.address.af = ADDRESS_IP6;
401 rules[rule_idx].src_prefix.len = src_prefix_length;
403 else if (unformat (i, "dst %U/%d",
404 unformat_ip4_address, &dst_v4address, &dst_prefix_length))
406 vec_validate_acl_rules(rules, rule_idx);
407 memcpy (rules[rule_idx].dst_prefix.address.un.ip4, &dst_v4address, 4);
408 rules[rule_idx].dst_prefix.address.af = ADDRESS_IP4;
409 rules[rule_idx].dst_prefix.len = dst_prefix_length;
411 else if (unformat (i, "dst %U/%d",
412 unformat_ip6_address, &dst_v6address, &dst_prefix_length))
414 vec_validate_acl_rules(rules, rule_idx);
415 memcpy (rules[rule_idx].dst_prefix.address.un.ip6, &dst_v6address, 16);
416 rules[rule_idx].dst_prefix.address.af = ADDRESS_IP6;
417 rules[rule_idx].dst_prefix.len = dst_prefix_length;
419 else if (unformat (i, "sport %d-%d", &port1, &port2))
421 vec_validate_acl_rules(rules, rule_idx);
422 rules[rule_idx].srcport_or_icmptype_first = htons(port1);
423 rules[rule_idx].srcport_or_icmptype_last = htons(port2);
425 else if (unformat (i, "sport %d", &port1))
427 vec_validate_acl_rules(rules, rule_idx);
428 rules[rule_idx].srcport_or_icmptype_first = htons(port1);
429 rules[rule_idx].srcport_or_icmptype_last = htons(port1);
431 else if (unformat (i, "dport %d-%d", &port1, &port2))
433 vec_validate_acl_rules(rules, rule_idx);
434 rules[rule_idx].dstport_or_icmpcode_first = htons(port1);
435 rules[rule_idx].dstport_or_icmpcode_last = htons(port2);
437 else if (unformat (i, "dport %d", &port1))
439 vec_validate_acl_rules(rules, rule_idx);
440 rules[rule_idx].dstport_or_icmpcode_first = htons(port1);
441 rules[rule_idx].dstport_or_icmpcode_last = htons(port1);
443 else if (unformat (i, "tcpflags %d %d", &tcpflags, &tcpmask))
445 vec_validate_acl_rules(rules, rule_idx);
446 rules[rule_idx].tcp_flags_value = tcpflags;
447 rules[rule_idx].tcp_flags_mask = tcpmask;
449 else if (unformat (i, "tcpflags %d mask %d", &tcpflags, &tcpmask))
451 vec_validate_acl_rules(rules, rule_idx);
452 rules[rule_idx].tcp_flags_value = tcpflags;
453 rules[rule_idx].tcp_flags_mask = tcpmask;
455 else if (unformat (i, "proto %d", &proto))
457 vec_validate_acl_rules(rules, rule_idx);
458 rules[rule_idx].proto = proto;
460 else if (unformat (i, "tag %s", &tag))
463 else if (unformat (i, ","))
466 vec_validate_acl_rules(rules, rule_idx);
472 /* Construct the API message */
473 vam->result_ready = 0;
476 n_rules = vec_len(rules);
480 if (n_rules_override >= 0)
481 n_rules = n_rules_override;
483 msg_size += n_rules*sizeof(rules[0]);
485 mp = vl_msg_api_alloc_as_if_client(msg_size);
486 clib_memset (mp, 0, msg_size);
487 mp->_vl_msg_id = ntohs (VL_API_ACL_ADD_REPLACE + sm->msg_id_base);
488 mp->client_index = vam->my_client_index;
489 if ((n_rules > 0) && rules)
490 clib_memcpy(mp->r, rules, n_rules*sizeof (vl_api_acl_rule_t));
493 if (vec_len(tag) >= sizeof(mp->tag))
495 tag[sizeof(mp->tag)-1] = 0;
496 vec_set_len (tag, sizeof (mp->tag));
498 clib_memcpy (mp->tag, tag, vec_len (tag));
501 mp->acl_index = ntohl(acl_index);
502 mp->count = htonl(n_rules);
507 /* Wait for a reply... */
512 static int api_acl_plugin_get_conn_table_max_entries (vat_main_t * vam)
514 acl_test_main_t * sm = &acl_test_main;
515 vl_api_acl_plugin_get_conn_table_max_entries_t * mp;
516 u32 msg_size = sizeof(*mp);
519 vam->result_ready = 0;
520 mp = vl_msg_api_alloc_as_if_client(msg_size);
521 memset (mp, 0, msg_size);
522 mp->_vl_msg_id = ntohs (VL_API_ACL_PLUGIN_GET_CONN_TABLE_MAX_ENTRIES + sm->msg_id_base);
523 mp->client_index = vam->my_client_index;
528 /* Wait for a reply... */
533 static int api_acl_stats_intf_counters_enable (vat_main_t * vam)
535 acl_test_main_t * sm = &acl_test_main;
536 unformat_input_t * i = vam->input;
537 vl_api_acl_stats_intf_counters_enable_t * mp;
538 u32 msg_size = sizeof(*mp);
541 vam->result_ready = 0;
542 mp = vl_msg_api_alloc_as_if_client(msg_size);
543 memset (mp, 0, msg_size);
544 mp->_vl_msg_id = ntohs (VL_API_ACL_STATS_INTF_COUNTERS_ENABLE + sm->msg_id_base);
545 mp->client_index = vam->my_client_index;
548 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
549 if (unformat (i, "disable"))
558 /* Wait for a reply... */
564 api_acl_plugin_use_hash_lookup_set (vat_main_t *vam)
566 acl_test_main_t *sm = &acl_test_main;
567 unformat_input_t *i = vam->input;
568 vl_api_acl_plugin_use_hash_lookup_set_t *mp;
569 u32 msg_size = sizeof (*mp);
572 vam->result_ready = 0;
573 mp = vl_msg_api_alloc_as_if_client (msg_size);
574 memset (mp, 0, msg_size);
576 ntohs (VL_API_ACL_PLUGIN_USE_HASH_LOOKUP_SET + sm->msg_id_base);
577 mp->client_index = vam->my_client_index;
580 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
582 if (unformat (i, "disable"))
584 else if (unformat (i, "enable"))
593 /* Wait for a reply... */
599 api_acl_plugin_use_hash_lookup_get (vat_main_t *vam)
601 acl_test_main_t *sm = &acl_test_main;
602 vl_api_acl_plugin_use_hash_lookup_set_t *mp;
603 u32 msg_size = sizeof (*mp);
606 vam->result_ready = 0;
607 mp = vl_msg_api_alloc_as_if_client (msg_size);
608 memset (mp, 0, msg_size);
610 ntohs (VL_API_ACL_PLUGIN_USE_HASH_LOOKUP_GET + sm->msg_id_base);
611 mp->client_index = vam->my_client_index;
616 /* Wait for a reply... */
622 * Read the series of ACL entries from file in the following format:
625 @0.0.0.0/1 131.179.121.0/24 0 : 65535 0 : 65535 0x00/0x00 0x0000/0x0000
626 @128.0.0.0/1 85.54.226.0/23 0 : 65535 0 : 65535 0x00/0x00 0x0000/0x0000
627 @128.0.0.0/1 85.54.48.0/23 0 : 65535 0 : 65535 0x00/0x00 0x0000/0x0000
628 @128.0.0.0/1 31.237.44.0/23 0 : 65535 0 : 65535 0x00/0x00 0x0000/0x0000
629 @0.0.0.0/1 255.84.184.0/23 0 : 65535 0 : 65535 0x00/0x00 0x0000/0x0000
630 @132.92.0.0/16 0.0.0.0/0 0 : 65535 0 : 65535 0x01/0xFF 0x0000/0x0000
636 api_acl_add_replace_from_file (vat_main_t * vam)
639 unformat_input_t * input = vam->input;
640 acl_test_main_t * sm = &acl_test_main;
641 vl_api_acl_add_replace_t * mp;
643 u32 msg_size = sizeof (*mp); /* without the rules */
645 vl_api_acl_rule_t *rules = 0;
649 int append_default_permit = 0;
650 u32 tcpflags = 0, tcpmask = 0;
651 ip4_address_t src_v4address, dst_v4address;
654 char *file_name = NULL;
655 unformat_input_t file_input;
657 while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
659 if (unformat (input, "filename %s", &file_name))
661 /* we will use this later */
663 else if (unformat (input, "acl-index %d", &acl_index))
665 /* we will try to replace an existing ACL */
667 else if (unformat (input, "permit+reflect"))
671 else if (unformat (input, "permit"))
675 else if (unformat (input, "append-default-permit"))
677 append_default_permit = 1;
683 if (file_name == NULL)
686 fd = open(file_name, O_RDONLY);
689 clib_warning("Could not open file '%s'", file_name);
693 /* input from file */
695 unformat_init_clib_file(input, fd);
697 unsigned sport_low, sport_high, dport_low, dport_high;
698 unsigned proto, protomask;
699 u32 src_prefix_length, dst_prefix_length;
700 u32 unused1, unused2;
702 while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
704 if (!unformat(input, "@%U/%d\t%U/%d\t%d : %d\t%d : %d\t0x%x/0x%x\t0x%x/0x%x",
705 unformat_ip4_address, &src_v4address, &src_prefix_length,
706 unformat_ip4_address, &dst_v4address, &dst_prefix_length,
707 &sport_low, &sport_high, &dport_low, &dport_high, &proto, &protomask, &unused1, &unused2)) {
708 clib_warning("Error parsing");
713 vec_validate_acl_rules(rules, rule_idx);
715 rules[rule_idx].is_permit = is_permit;
716 memcpy (rules[rule_idx].src_prefix.address.un.ip4, &src_v4address, 4);
717 rules[rule_idx].src_prefix.address.af = ADDRESS_IP4;
718 rules[rule_idx].src_prefix.len = src_prefix_length;
719 memcpy (rules[rule_idx].dst_prefix.address.un.ip4, &dst_v4address, 4);
720 rules[rule_idx].dst_prefix.address.af = ADDRESS_IP4;
721 rules[rule_idx].dst_prefix.len = dst_prefix_length;
722 rules[rule_idx].srcport_or_icmptype_first = htons(sport_low);
723 rules[rule_idx].srcport_or_icmptype_last = htons(sport_high);
724 rules[rule_idx].dstport_or_icmpcode_first = htons(dport_low);
725 rules[rule_idx].dstport_or_icmpcode_last = htons(dport_high);
726 rules[rule_idx].tcp_flags_value = tcpflags;
727 rules[rule_idx].tcp_flags_mask = tcpmask;
728 rules[rule_idx].proto = proto;
732 if (append_default_permit) {
734 vec_validate_acl_rules(rules, rule_idx);
736 rules[rule_idx].is_permit = is_permit == 2 ? 2 : 1;
738 src_v4address.data[0]=0;
739 src_v4address.data[1]=0;
740 src_v4address.data[2]=0;
741 src_v4address.data[3]=0;
742 memcpy (rules[rule_idx].src_prefix.address.un.ip4, &src_v4address, 4);
743 rules[rule_idx].src_prefix.address.af = ADDRESS_IP4;
744 rules[rule_idx].src_prefix.len = 0;
746 dst_v4address.data[0]=0;
747 dst_v4address.data[1]=0;
748 dst_v4address.data[2]=0;
749 dst_v4address.data[3]=0;
750 memcpy (rules[rule_idx].dst_prefix.address.un.ip4, &dst_v4address, 4);
751 rules[rule_idx].dst_prefix.address.af = ADDRESS_IP4;
752 rules[rule_idx].dst_prefix.len = 0;
754 rules[rule_idx].srcport_or_icmptype_first = htons(0);
755 rules[rule_idx].srcport_or_icmptype_last = htons(65535);
756 rules[rule_idx].dstport_or_icmpcode_first = htons(0);
757 rules[rule_idx].dstport_or_icmpcode_last = htons(65535);
758 rules[rule_idx].tcp_flags_value = 0;
759 rules[rule_idx].tcp_flags_mask = 0;
760 rules[rule_idx].proto = 0;
763 /* Construct the API message */
765 vam->result_ready = 0;
767 n_rules = vec_len(rules);
769 msg_size += n_rules*sizeof(rules[0]);
771 mp = vl_msg_api_alloc_as_if_client(msg_size);
772 clib_memset (mp, 0, msg_size);
773 mp->_vl_msg_id = ntohs (VL_API_ACL_ADD_REPLACE + sm->msg_id_base);
774 mp->client_index = vam->my_client_index;
776 clib_memcpy(mp->r, rules, n_rules*sizeof (vl_api_acl_rule_t));
777 mp->acl_index = ntohl(acl_index);
778 mp->count = htonl(n_rules);
783 /* Wait for a reply... */
794 static int api_acl_del (vat_main_t * vam)
796 unformat_input_t * i = vam->input;
797 vl_api_acl_del_t * mp;
801 if (!unformat (i, "%d", &acl_index)) {
802 errmsg ("missing acl index\n");
806 /* Construct the API message */
808 mp->acl_index = ntohl(acl_index);
813 /* Wait for a reply... */
818 static int api_macip_acl_del (vat_main_t * vam)
820 unformat_input_t * i = vam->input;
821 vl_api_acl_del_t * mp;
825 if (!unformat (i, "%d", &acl_index)) {
826 errmsg ("missing acl index\n");
830 /* Construct the API message */
831 M(MACIP_ACL_DEL, mp);
832 mp->acl_index = ntohl(acl_index);
837 /* Wait for a reply... */
842 static int api_acl_interface_add_del (vat_main_t * vam)
844 unformat_input_t * i = vam->input;
845 vl_api_acl_interface_add_del_t * mp;
846 u32 sw_if_index = ~0;
852 // acl_interface_add_del <intfc> | sw_if_index <if-idx> acl_index <acl-idx> [out] [del]
854 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
856 if (unformat (i, "%d", &acl_index))
863 /* Parse args required to build the message */
864 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
865 if (unformat (i, "%U", unformat_sw_if_index, vam, &sw_if_index))
867 else if (unformat (i, "sw_if_index %d", &sw_if_index))
869 else if (unformat (i, "add"))
871 else if (unformat (i, "del"))
873 else if (unformat (i, "acl %d", &acl_index))
875 else if (unformat (i, "input"))
877 else if (unformat (i, "output"))
883 if (sw_if_index == ~0) {
884 errmsg ("missing interface name / explicit sw_if_index number \n");
888 if (acl_index == ~0) {
889 errmsg ("missing ACL index\n");
895 /* Construct the API message */
896 M(ACL_INTERFACE_ADD_DEL, mp);
897 mp->acl_index = ntohl(acl_index);
898 mp->sw_if_index = ntohl(sw_if_index);
900 mp->is_input = is_input;
905 /* Wait for a reply... */
910 static int api_macip_acl_interface_add_del (vat_main_t * vam)
912 unformat_input_t * i = vam->input;
913 vl_api_macip_acl_interface_add_del_t * mp;
914 u32 sw_if_index = ~0;
919 /* Parse args required to build the message */
920 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
921 if (unformat (i, "%U", unformat_sw_if_index, vam, &sw_if_index))
923 else if (unformat (i, "sw_if_index %d", &sw_if_index))
925 else if (unformat (i, "add"))
927 else if (unformat (i, "del"))
929 else if (unformat (i, "acl %d", &acl_index))
935 if (sw_if_index == ~0) {
936 errmsg ("missing interface name / explicit sw_if_index number \n");
940 if (acl_index == ~0) {
941 errmsg ("missing ACL index\n");
947 /* Construct the API message */
948 M(MACIP_ACL_INTERFACE_ADD_DEL, mp);
949 mp->acl_index = ntohl(acl_index);
950 mp->sw_if_index = ntohl(sw_if_index);
956 /* Wait for a reply... */
961 static int api_acl_interface_set_acl_list (vat_main_t * vam)
963 unformat_input_t * i = vam->input;
964 vl_api_acl_interface_set_acl_list_t * mp;
965 u32 sw_if_index = ~0;
972 // acl_interface_set_acl_list <intfc> | sw_if_index <if-idx> input [acl-idx list] output [acl-idx list]
974 /* Parse args required to build the message */
975 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
976 if (unformat (i, "%U", unformat_sw_if_index, vam, &sw_if_index))
978 else if (unformat (i, "sw_if_index %d", &sw_if_index))
980 else if (unformat (i, "%d", &acl_index))
983 vec_add1(inacls, htonl(acl_index));
985 vec_add1(outacls, htonl(acl_index));
987 else if (unformat (i, "acl %d", &acl_index))
989 else if (unformat (i, "input"))
991 else if (unformat (i, "output"))
997 if (sw_if_index == ~0) {
998 errmsg ("missing interface name / explicit sw_if_index number \n");
1002 /* Construct the API message */
1003 M2(ACL_INTERFACE_SET_ACL_LIST, mp, sizeof(u32) * (vec_len(inacls) + vec_len(outacls)));
1004 mp->sw_if_index = ntohl(sw_if_index);
1005 mp->n_input = vec_len(inacls);
1006 mp->count = vec_len(inacls) + vec_len(outacls);
1007 vec_append(inacls, outacls);
1008 if (vec_len(inacls) > 0)
1009 clib_memcpy(mp->acls, inacls, vec_len(inacls)*sizeof(u32));
1014 /* Wait for a reply... */
1019 static int api_acl_interface_set_etype_whitelist (vat_main_t * vam)
1021 unformat_input_t * i = vam->input;
1022 vl_api_acl_interface_set_etype_whitelist_t * mp;
1023 u32 sw_if_index = ~0;
1026 u16 *etypes_out = 0;
1030 // acl_interface_set_etype_whitelist <intfc> | sw_if_index <if-idx> input [ethertype list] output [ethertype list]
1032 /* Parse args required to build the message */
1033 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
1034 if (unformat (i, "%U", unformat_sw_if_index, vam, &sw_if_index))
1036 else if (unformat (i, "sw_if_index %d", &sw_if_index))
1038 else if (unformat (i, "%x", ðertype))
1040 ethertype = ethertype & 0xffff;
1042 vec_add1(etypes_in, htons(ethertype));
1044 vec_add1(etypes_out, htons(ethertype));
1046 else if (unformat (i, "input"))
1048 else if (unformat (i, "output"))
1054 if (sw_if_index == ~0) {
1055 errmsg ("missing interface name / explicit sw_if_index number \n");
1059 /* Construct the API message */
1060 M2(ACL_INTERFACE_SET_ETYPE_WHITELIST, mp, sizeof(u32) * (vec_len(etypes_in) + vec_len(etypes_out)));
1061 mp->sw_if_index = ntohl(sw_if_index);
1062 mp->n_input = vec_len(etypes_in);
1063 mp->count = vec_len(etypes_in) + vec_len(etypes_out);
1064 vec_append(etypes_in, etypes_out);
1065 if (vec_len(etypes_in) > 0)
1066 clib_memcpy(mp->whitelist, etypes_in, vec_len(etypes_in)*sizeof(etypes_in[0]));
1071 /* Wait for a reply... */
1077 api_acl_send_control_ping(vat_main_t *vam)
1079 vl_api_acl_plugin_control_ping_t *mp_ping;
1081 M(ACL_PLUGIN_CONTROL_PING, mp_ping);
1086 static int api_acl_interface_list_dump (vat_main_t * vam)
1088 unformat_input_t * i = vam->input;
1089 u32 sw_if_index = ~0;
1090 vl_api_acl_interface_list_dump_t * mp;
1093 /* Parse args required to build the message */
1094 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
1095 if (unformat (i, "%U", unformat_sw_if_index, vam, &sw_if_index))
1097 else if (unformat (i, "sw_if_index %d", &sw_if_index))
1103 /* Construct the API message */
1104 M(ACL_INTERFACE_LIST_DUMP, mp);
1105 mp->sw_if_index = ntohl (sw_if_index);
1110 /* Use control ping for synchronization */
1111 api_acl_send_control_ping(vam);
1113 /* Wait for a reply... */
1118 static int api_acl_dump (vat_main_t * vam)
1120 unformat_input_t * i = vam->input;
1122 vl_api_acl_dump_t * mp;
1125 /* Parse args required to build the message */
1126 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
1127 if (unformat (i, "%d", &acl_index))
1133 /* Construct the API message */
1135 mp->acl_index = ntohl (acl_index);
1140 /* Use control ping for synchronization */
1141 api_acl_send_control_ping(vam);
1143 /* Wait for a reply... */
1148 static int api_macip_acl_dump (vat_main_t * vam)
1150 unformat_input_t * i = vam->input;
1152 vl_api_acl_dump_t * mp;
1155 /* Parse args required to build the message */
1156 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
1157 if (unformat (i, "%d", &acl_index))
1163 /* Construct the API message */
1164 M(MACIP_ACL_DUMP, mp);
1165 mp->acl_index = ntohl (acl_index);
1170 /* Use control ping for synchronization */
1171 api_acl_send_control_ping(vam);
1173 /* Wait for a reply... */
1178 static int api_acl_interface_etype_whitelist_dump (vat_main_t * vam)
1180 unformat_input_t * i = vam->input;
1181 u32 sw_if_index = ~0;
1182 vl_api_acl_interface_etype_whitelist_dump_t * mp;
1185 /* Parse args required to build the message */
1186 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
1187 if (unformat (i, "%U", unformat_sw_if_index, vam, &sw_if_index))
1189 else if (unformat (i, "sw_if_index %d", &sw_if_index))
1195 /* Construct the API message */
1196 M(ACL_INTERFACE_ETYPE_WHITELIST_DUMP, mp);
1197 mp->sw_if_index = ntohl (sw_if_index);
1202 /* Use control ping for synchronization */
1203 api_acl_send_control_ping(vam);
1205 /* Wait for a reply... */
1211 #define vec_validate_macip_acl_rules(v, idx) \
1213 if (vec_len(v) < idx+1) { \
1214 vec_validate(v, idx); \
1215 v[idx].is_permit = 0x1; \
1220 static int api_macip_acl_add (vat_main_t * vam)
1222 acl_test_main_t * sm = &acl_test_main;
1223 unformat_input_t * i = vam->input;
1224 vl_api_macip_acl_add_t * mp;
1225 u32 msg_size = sizeof (*mp); /* without the rules */
1227 vl_api_macip_acl_rule_t *rules = 0;
1230 int n_rules_override = -1;
1231 u32 src_prefix_length = 0;
1233 ip4_address_t src_v4address;
1234 ip6_address_t src_v6address;
1237 u8 mac_mask_all_1[6] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
1240 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
1242 if (unformat (i, "permit"))
1244 vec_validate_macip_acl_rules(rules, rule_idx);
1245 rules[rule_idx].is_permit = 1;
1247 else if (unformat (i, "deny"))
1249 vec_validate_macip_acl_rules(rules, rule_idx);
1250 rules[rule_idx].is_permit = 0;
1252 else if (unformat (i, "count %d", &n_rules_override))
1254 /* we will use this later */
1256 else if (unformat (i, "action %d", &action))
1258 vec_validate_macip_acl_rules(rules, rule_idx);
1259 rules[rule_idx].is_permit = action;
1261 else if (unformat (i, "ip %U/%d",
1262 unformat_ip4_address, &src_v4address, &src_prefix_length) ||
1263 unformat (i, "ip %U",
1264 unformat_ip4_address, &src_v4address))
1266 if (src_prefix_length == 0)
1267 src_prefix_length = 32;
1268 vec_validate_macip_acl_rules(rules, rule_idx);
1269 memcpy (rules[rule_idx].src_prefix.address.un.ip4, &src_v4address, 4);
1270 rules[rule_idx].src_prefix.address.af = ADDRESS_IP4;
1271 rules[rule_idx].src_prefix.len = src_prefix_length;
1273 else if (unformat (i, "src"))
1275 /* Everything in MACIP is "source" but allow this verbosity */
1277 else if (unformat (i, "ip %U/%d",
1278 unformat_ip6_address, &src_v6address, &src_prefix_length) ||
1279 unformat (i, "ip %U",
1280 unformat_ip6_address, &src_v6address))
1282 if (src_prefix_length == 0)
1283 src_prefix_length = 128;
1284 vec_validate_macip_acl_rules(rules, rule_idx);
1285 memcpy (rules[rule_idx].src_prefix.address.un.ip4, &src_v6address, 4);
1286 rules[rule_idx].src_prefix.address.af = ADDRESS_IP6;
1287 rules[rule_idx].src_prefix.len = src_prefix_length;
1289 else if (unformat (i, "mac %U",
1290 my_unformat_mac_address, &src_mac))
1292 vec_validate_macip_acl_rules(rules, rule_idx);
1293 memcpy (rules[rule_idx].src_mac, &src_mac, 6);
1294 memcpy (rules[rule_idx].src_mac_mask, &mac_mask_all_1, 6);
1296 else if (unformat (i, "mask %U",
1297 my_unformat_mac_address, &src_mac))
1299 vec_validate_macip_acl_rules(rules, rule_idx);
1300 memcpy (rules[rule_idx].src_mac_mask, &src_mac, 6);
1302 else if (unformat (i, "tag %s", &tag))
1305 else if (unformat (i, ","))
1308 vec_validate_macip_acl_rules(rules, rule_idx);
1314 /* Construct the API message */
1315 vam->result_ready = 0;
1318 n_rules = vec_len(rules);
1320 if (n_rules_override >= 0)
1321 n_rules = n_rules_override;
1323 msg_size += n_rules*sizeof(rules[0]);
1325 mp = vl_msg_api_alloc_as_if_client(msg_size);
1326 clib_memset (mp, 0, msg_size);
1327 mp->_vl_msg_id = ntohs (VL_API_MACIP_ACL_ADD + sm->msg_id_base);
1328 mp->client_index = vam->my_client_index;
1329 if ((n_rules > 0) && rules)
1330 clib_memcpy(mp->r, rules, n_rules*sizeof (mp->r[0]));
1333 if (vec_len(tag) >= sizeof(mp->tag))
1335 tag[sizeof(mp->tag)-1] = 0;
1336 vec_set_len (tag, sizeof (mp->tag));
1338 clib_memcpy (mp->tag, tag, vec_len (tag));
1342 mp->count = htonl(n_rules);
1347 /* Wait for a reply... */
1352 static int api_macip_acl_add_replace (vat_main_t * vam)
1354 acl_test_main_t * sm = &acl_test_main;
1355 unformat_input_t * i = vam->input;
1356 vl_api_macip_acl_add_replace_t * mp;
1358 u32 msg_size = sizeof (*mp); /* without the rules */
1360 vl_api_macip_acl_rule_t *rules = 0;
1363 int n_rules_override = -1;
1364 u32 src_prefix_length = 0;
1366 ip4_address_t src_v4address;
1367 ip6_address_t src_v6address;
1370 u8 mac_mask_all_1[6] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
1373 if (!unformat (i, "%d", &acl_index)) {
1374 /* Just assume -1 */
1377 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
1379 if (unformat (i, "permit"))
1381 vec_validate_macip_acl_rules(rules, rule_idx);
1382 rules[rule_idx].is_permit = 1;
1384 else if (unformat (i, "deny"))
1386 vec_validate_macip_acl_rules(rules, rule_idx);
1387 rules[rule_idx].is_permit = 0;
1389 else if (unformat (i, "count %d", &n_rules_override))
1391 /* we will use this later */
1393 else if (unformat (i, "action %d", &action))
1395 vec_validate_macip_acl_rules(rules, rule_idx);
1396 rules[rule_idx].is_permit = action;
1398 else if (unformat (i, "ip %U/%d",
1399 unformat_ip4_address, &src_v4address, &src_prefix_length) ||
1400 unformat (i, "ip %U",
1401 unformat_ip4_address, &src_v4address))
1403 if (src_prefix_length == 0)
1404 src_prefix_length = 32;
1405 vec_validate_macip_acl_rules(rules, rule_idx);
1406 memcpy (rules[rule_idx].src_prefix.address.un.ip4, &src_v4address, 4);
1407 rules[rule_idx].src_prefix.address.af = ADDRESS_IP4;
1408 rules[rule_idx].src_prefix.len = src_prefix_length;
1410 else if (unformat (i, "src"))
1412 /* Everything in MACIP is "source" but allow this verbosity */
1414 else if (unformat (i, "ip %U/%d",
1415 unformat_ip6_address, &src_v6address, &src_prefix_length) ||
1416 unformat (i, "ip %U",
1417 unformat_ip6_address, &src_v6address))
1419 if (src_prefix_length == 0)
1420 src_prefix_length = 128;
1421 vec_validate_macip_acl_rules(rules, rule_idx);
1422 memcpy (rules[rule_idx].src_prefix.address.un.ip4, &src_v6address, 4);
1423 rules[rule_idx].src_prefix.address.af = ADDRESS_IP6;
1424 rules[rule_idx].src_prefix.len = src_prefix_length;
1426 else if (unformat (i, "mac %U",
1427 my_unformat_mac_address, &src_mac))
1429 vec_validate_macip_acl_rules(rules, rule_idx);
1430 memcpy (rules[rule_idx].src_mac, &src_mac, 6);
1431 memcpy (rules[rule_idx].src_mac_mask, &mac_mask_all_1, 6);
1433 else if (unformat (i, "mask %U",
1434 my_unformat_mac_address, &src_mac))
1436 vec_validate_macip_acl_rules(rules, rule_idx);
1437 memcpy (rules[rule_idx].src_mac_mask, &src_mac, 6);
1439 else if (unformat (i, "tag %s", &tag))
1442 else if (unformat (i, ","))
1445 vec_validate_macip_acl_rules(rules, rule_idx);
1453 errmsg ("rule/s required\n");
1456 /* Construct the API message */
1457 vam->result_ready = 0;
1460 n_rules = vec_len(rules);
1462 if (n_rules_override >= 0)
1463 n_rules = n_rules_override;
1465 msg_size += n_rules*sizeof(rules[0]);
1467 mp = vl_msg_api_alloc_as_if_client(msg_size);
1468 clib_memset (mp, 0, msg_size);
1469 mp->_vl_msg_id = ntohs (VL_API_MACIP_ACL_ADD_REPLACE + sm->msg_id_base);
1470 mp->client_index = vam->my_client_index;
1471 if ((n_rules > 0) && rules)
1472 clib_memcpy(mp->r, rules, n_rules*sizeof (mp->r[0]));
1475 if (vec_len(tag) >= sizeof(mp->tag))
1477 tag[sizeof(mp->tag)-1] = 0;
1478 vec_set_len (tag, sizeof (mp->tag));
1480 clib_memcpy (mp->tag, tag, vec_len (tag));
1484 mp->acl_index = ntohl(acl_index);
1485 mp->count = htonl(n_rules);
1490 /* Wait for a reply... */
1495 #define VL_API_LOCAL_SETUP_MESSAGE_ID_TABLE local_setup_message_id_table
1496 static void local_setup_message_id_table (vat_main_t * vam)
1498 hash_set_mem (vam->function_by_name, "acl_add_replace_from_file", api_acl_add_replace_from_file);
1499 hash_set_mem (vam->help_by_name, "acl_add_replace_from_file",
1500 "filename <file> [permit] [append-default-permit]");
1503 #include <acl/acl.api_test.c>