2 * Copyright (c) 2015 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
16 *------------------------------------------------------------------
17 * acl_test.c - test harness plugin
18 *------------------------------------------------------------------
22 #include <vlibapi/api.h>
23 #include <vlibmemory/api.h>
24 #include <vppinfra/error.h>
25 #include <vnet/ip/ip.h>
26 #include <arpa/inet.h>
28 #define __plugin_msg_base acl_test_main.msg_id_base
29 #include <vlibapi/vat_helper_macros.h>
31 uword unformat_sw_if_index (unformat_input_t * input, va_list * args);
33 /* Declare message IDs */
34 #include <acl/acl_msg_enum.h>
36 /* define message structures */
38 #include <acl/acl_all_api_h.h>
41 /* define message structures */
43 #include <acl/acl_all_api_h.h>
46 /* instantiate all the print functions we know about */
47 #define vl_print(handle, ...)
49 #include <acl/acl_all_api_h.h>
52 /* Get the API version number. */
53 #define vl_api_version(n,v) static u32 api_version=(v);
54 #include <acl/acl_all_api_h.h>
58 /* API message ID base */
63 acl_test_main_t acl_test_main;
65 #define foreach_standard_reply_retval_handler \
67 _(acl_interface_add_del_reply) \
68 _(macip_acl_interface_add_del_reply) \
69 _(acl_interface_set_acl_list_reply) \
70 _(acl_interface_set_etype_whitelist_reply) \
71 _(macip_acl_del_reply)
73 #define foreach_reply_retval_aclindex_handler \
74 _(acl_add_replace_reply) \
75 _(macip_acl_add_reply) \
76 _(macip_acl_add_replace_reply)
79 static void vl_api_##n##_t_handler \
80 (vl_api_##n##_t * mp) \
82 vat_main_t * vam = acl_test_main.vat_main; \
83 i32 retval = ntohl(mp->retval); \
84 if (vam->async_mode) { \
85 vam->async_errors += (retval < 0); \
87 vam->retval = retval; \
88 vam->result_ready = 1; \
91 foreach_standard_reply_retval_handler;
95 static void vl_api_##n##_t_handler \
96 (vl_api_##n##_t * mp) \
98 vat_main_t * vam = acl_test_main.vat_main; \
99 i32 retval = ntohl(mp->retval); \
100 if (vam->async_mode) { \
101 vam->async_errors += (retval < 0); \
103 clib_warning("ACL index: %d", ntohl(mp->acl_index)); \
104 vam->retval = retval; \
105 vam->result_ready = 1; \
108 foreach_reply_retval_aclindex_handler;
111 /* These two ought to be in a library somewhere but they aren't */
113 my_unformat_mac_address (unformat_input_t * input, va_list * args)
115 u8 *a = va_arg (*args, u8 *);
116 return unformat (input, "%x:%x:%x:%x:%x:%x", &a[0], &a[1], &a[2], &a[3],
121 my_format_mac_address (u8 * s, va_list * args)
123 u8 *a = va_arg (*args, u8 *);
124 return format (s, "%02x:%02x:%02x:%02x:%02x:%02x",
125 a[0], a[1], a[2], a[3], a[4], a[5]);
130 static void vl_api_acl_plugin_get_version_reply_t_handler
131 (vl_api_acl_plugin_get_version_reply_t * mp)
133 vat_main_t * vam = acl_test_main.vat_main;
134 clib_warning("ACL plugin version: %d.%d", ntohl(mp->major), ntohl(mp->minor));
135 vam->result_ready = 1;
138 static void vl_api_acl_interface_list_details_t_handler
139 (vl_api_acl_interface_list_details_t * mp)
142 vat_main_t * vam = acl_test_main.vat_main;
144 vl_api_acl_interface_list_details_t_endian(mp);
145 out = format(out, "sw_if_index: %d, count: %d, n_input: %d\n", mp->sw_if_index, mp->count, mp->n_input);
146 out = format(out, " input ");
147 for(i=0; i<mp->count; i++) {
148 if (i == mp->n_input)
149 out = format(out, "\n output ");
150 out = format(out, "%d ", ntohl (mp->acls[i]));
152 out = format(out, "\n");
153 clib_warning("%s", out);
155 vam->result_ready = 1;
158 static void vl_api_acl_interface_etype_whitelist_details_t_handler
159 (vl_api_acl_interface_etype_whitelist_details_t * mp)
162 vat_main_t * vam = acl_test_main.vat_main;
164 vl_api_acl_interface_etype_whitelist_details_t_endian(mp);
165 out = format(out, "sw_if_index: %d, count: %d, n_input: %d\n", mp->sw_if_index, mp->count, mp->n_input);
166 out = format(out, " input ");
167 for(i=0; i<mp->count; i++) {
168 if (i == mp->n_input)
169 out = format(out, "\n output ");
170 out = format(out, "%04x ", ntohs(mp->whitelist[i]));
172 out = format(out, "\n");
173 clib_warning("%s", out);
175 vam->result_ready = 1;
178 static void vl_api_acl_plugin_get_conn_table_max_entries_reply_t_handler
179 (vl_api_acl_plugin_get_conn_table_max_entries_reply_t * mp)
181 vat_main_t * vam = acl_test_main.vat_main;
182 clib_warning("\nConn table max entries: %d",
183 __bswap_64(mp->conn_table_max_entries) );
184 vam->result_ready = 1;
188 vl_api_acl_rule_t_pretty_format (u8 *out, vl_api_acl_rule_t * a)
190 int af = a->is_ipv6 ? AF_INET6 : AF_INET;
191 u8 src[INET6_ADDRSTRLEN];
192 u8 dst[INET6_ADDRSTRLEN];
193 inet_ntop(af, a->src_ip_addr, (void *)src, sizeof(src));
194 inet_ntop(af, a->dst_ip_addr, (void *)dst, sizeof(dst));
196 out = format(out, "%s action %d src %s/%d dst %s/%d proto %d sport %d-%d dport %d-%d tcpflags %d mask %d",
197 a->is_ipv6 ? "ipv6" : "ipv4", a->is_permit,
198 src, a->src_ip_prefix_len,
199 dst, a->dst_ip_prefix_len,
201 a->srcport_or_icmptype_first, a->srcport_or_icmptype_last,
202 a->dstport_or_icmpcode_first, a->dstport_or_icmpcode_last,
203 a->tcp_flags_value, a->tcp_flags_mask);
209 static void vl_api_acl_details_t_handler
210 (vl_api_acl_details_t * mp)
213 vat_main_t * vam = acl_test_main.vat_main;
214 vl_api_acl_details_t_endian(mp);
216 out = format(0, "acl_index: %d, count: %d\n tag {%s}\n", mp->acl_index, mp->count, mp->tag);
217 for(i=0; i<mp->count; i++) {
218 out = format(out, " ");
219 out = vl_api_acl_rule_t_pretty_format(out, &mp->r[i]);
220 out = format(out, "%s\n", i<mp->count-1 ? "," : "");
222 clib_warning("%s", out);
224 vam->result_ready = 1;
228 vl_api_macip_acl_rule_t_pretty_format (u8 *out, vl_api_macip_acl_rule_t * a)
230 int af = a->is_ipv6 ? AF_INET6 : AF_INET;
231 u8 src[INET6_ADDRSTRLEN];
232 inet_ntop(af, a->src_ip_addr, (void *)src, sizeof(src));
234 out = format(out, "%s action %d ip %s/%d mac %U mask %U",
235 a->is_ipv6 ? "ipv6" : "ipv4", a->is_permit,
236 src, a->src_ip_prefix_len,
237 my_format_mac_address, a->src_mac,
238 my_format_mac_address, a->src_mac_mask);
243 static void vl_api_macip_acl_details_t_handler
244 (vl_api_macip_acl_details_t * mp)
247 vat_main_t * vam = acl_test_main.vat_main;
248 vl_api_macip_acl_details_t_endian(mp);
249 u8 *out = format(0,"MACIP acl_index: %d, count: %d\n tag {%s}\n", mp->acl_index, mp->count, mp->tag);
250 for(i=0; i<mp->count; i++) {
251 out = format(out, " ");
252 out = vl_api_macip_acl_rule_t_pretty_format(out, &mp->r[i]);
253 out = format(out, "%s\n", i<mp->count-1 ? "," : "");
255 clib_warning("%s", out);
257 vam->result_ready = 1;
260 static void vl_api_macip_acl_interface_get_reply_t_handler
261 (vl_api_macip_acl_interface_get_reply_t * mp)
264 vat_main_t * vam = acl_test_main.vat_main;
265 u8 *out = format(0, "sw_if_index with MACIP ACL count: %d\n", ntohl(mp->count));
266 for(i=0; i<ntohl(mp->count); i++) {
267 out = format(out, " macip_acl_interface_add_del sw_if_index %d add acl %d\n", i, ntohl(mp->acls[i]));
269 out = format(out, "\n");
270 clib_warning("%s", out);
272 vam->result_ready = 1;
275 static void vl_api_acl_plugin_control_ping_reply_t_handler
276 (vl_api_acl_plugin_control_ping_reply_t * mp)
278 vat_main_t *vam = &vat_main;
279 i32 retval = ntohl (mp->retval);
282 vam->async_errors += (retval < 0);
286 vam->retval = retval;
287 vam->result_ready = 1;
293 * Table of message reply handlers, must include boilerplate handlers
296 #define foreach_vpe_api_reply_msg \
297 _(ACL_ADD_REPLACE_REPLY, acl_add_replace_reply) \
298 _(ACL_DEL_REPLY, acl_del_reply) \
299 _(ACL_INTERFACE_ADD_DEL_REPLY, acl_interface_add_del_reply) \
300 _(ACL_INTERFACE_SET_ACL_LIST_REPLY, acl_interface_set_acl_list_reply) \
301 _(ACL_INTERFACE_SET_ETYPE_WHITELIST_REPLY, acl_interface_set_etype_whitelist_reply) \
302 _(ACL_INTERFACE_ETYPE_WHITELIST_DETAILS, acl_interface_etype_whitelist_details) \
303 _(ACL_INTERFACE_LIST_DETAILS, acl_interface_list_details) \
304 _(ACL_DETAILS, acl_details) \
305 _(MACIP_ACL_ADD_REPLY, macip_acl_add_reply) \
306 _(MACIP_ACL_ADD_REPLACE_REPLY, macip_acl_add_replace_reply) \
307 _(MACIP_ACL_DEL_REPLY, macip_acl_del_reply) \
308 _(MACIP_ACL_DETAILS, macip_acl_details) \
309 _(MACIP_ACL_INTERFACE_ADD_DEL_REPLY, macip_acl_interface_add_del_reply) \
310 _(MACIP_ACL_INTERFACE_GET_REPLY, macip_acl_interface_get_reply) \
311 _(ACL_PLUGIN_CONTROL_PING_REPLY, acl_plugin_control_ping_reply) \
312 _(ACL_PLUGIN_GET_VERSION_REPLY, acl_plugin_get_version_reply) \
313 _(ACL_PLUGIN_GET_CONN_TABLE_MAX_ENTRIES_REPLY,acl_plugin_get_conn_table_max_entries_reply)
315 static int api_acl_plugin_get_version (vat_main_t * vam)
317 acl_test_main_t * sm = &acl_test_main;
318 vl_api_acl_plugin_get_version_t * mp;
319 u32 msg_size = sizeof(*mp);
322 vam->result_ready = 0;
323 mp = vl_msg_api_alloc_as_if_client(msg_size);
324 clib_memset (mp, 0, msg_size);
325 mp->_vl_msg_id = ntohs (VL_API_ACL_PLUGIN_GET_VERSION + sm->msg_id_base);
326 mp->client_index = vam->my_client_index;
331 /* Wait for a reply... */
336 static int api_macip_acl_interface_get (vat_main_t * vam)
338 acl_test_main_t * sm = &acl_test_main;
339 vl_api_acl_plugin_get_version_t * mp;
340 u32 msg_size = sizeof(*mp);
343 vam->result_ready = 0;
344 mp = vl_msg_api_alloc_as_if_client(msg_size);
345 clib_memset (mp, 0, msg_size);
346 mp->_vl_msg_id = ntohs (VL_API_MACIP_ACL_INTERFACE_GET + sm->msg_id_base);
347 mp->client_index = vam->my_client_index;
352 /* Wait for a reply... */
357 #define vec_validate_acl_rules(v, idx) \
359 if (vec_len(v) < idx+1) { \
360 vec_validate(v, idx); \
361 v[idx].is_permit = 0x1; \
362 v[idx].srcport_or_icmptype_last = 0xffff; \
363 v[idx].dstport_or_icmpcode_last = 0xffff; \
368 static int api_acl_add_replace (vat_main_t * vam)
370 acl_test_main_t * sm = &acl_test_main;
371 unformat_input_t * i = vam->input;
372 vl_api_acl_add_replace_t * mp;
374 u32 msg_size = sizeof (*mp); /* without the rules */
376 vl_api_acl_rule_t *rules = 0;
379 int n_rules_override = -1;
384 u32 tcpflags, tcpmask;
385 u32 src_prefix_length = 0, dst_prefix_length = 0;
386 ip4_address_t src_v4address, dst_v4address;
387 ip6_address_t src_v6address, dst_v6address;
391 if (!unformat (i, "%d", &acl_index)) {
395 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
397 if (unformat (i, "ipv6"))
399 vec_validate_acl_rules(rules, rule_idx);
400 rules[rule_idx].is_ipv6 = 1;
402 else if (unformat (i, "ipv4"))
404 vec_validate_acl_rules(rules, rule_idx);
405 rules[rule_idx].is_ipv6 = 0;
407 else if (unformat (i, "permit+reflect"))
409 vec_validate_acl_rules(rules, rule_idx);
410 rules[rule_idx].is_permit = 2;
412 else if (unformat (i, "permit"))
414 vec_validate_acl_rules(rules, rule_idx);
415 rules[rule_idx].is_permit = 1;
417 else if (unformat (i, "deny"))
419 vec_validate_acl_rules(rules, rule_idx);
420 rules[rule_idx].is_permit = 0;
422 else if (unformat (i, "count %d", &n_rules_override))
424 /* we will use this later */
426 else if (unformat (i, "action %d", &action))
428 vec_validate_acl_rules(rules, rule_idx);
429 rules[rule_idx].is_permit = action;
431 else if (unformat (i, "src %U/%d",
432 unformat_ip4_address, &src_v4address, &src_prefix_length))
434 vec_validate_acl_rules(rules, rule_idx);
435 memcpy (rules[rule_idx].src_ip_addr, &src_v4address, 4);
436 rules[rule_idx].src_ip_prefix_len = src_prefix_length;
437 rules[rule_idx].is_ipv6 = 0;
439 else if (unformat (i, "src %U/%d",
440 unformat_ip6_address, &src_v6address, &src_prefix_length))
442 vec_validate_acl_rules(rules, rule_idx);
443 memcpy (rules[rule_idx].src_ip_addr, &src_v6address, 16);
444 rules[rule_idx].src_ip_prefix_len = src_prefix_length;
445 rules[rule_idx].is_ipv6 = 1;
447 else if (unformat (i, "dst %U/%d",
448 unformat_ip4_address, &dst_v4address, &dst_prefix_length))
450 vec_validate_acl_rules(rules, rule_idx);
451 memcpy (rules[rule_idx].dst_ip_addr, &dst_v4address, 4);
452 rules[rule_idx].dst_ip_prefix_len = dst_prefix_length;
453 rules[rule_idx].is_ipv6 = 0;
455 else if (unformat (i, "dst %U/%d",
456 unformat_ip6_address, &dst_v6address, &dst_prefix_length))
458 vec_validate_acl_rules(rules, rule_idx);
459 memcpy (rules[rule_idx].dst_ip_addr, &dst_v6address, 16);
460 rules[rule_idx].dst_ip_prefix_len = dst_prefix_length;
461 rules[rule_idx].is_ipv6 = 1;
463 else if (unformat (i, "sport %d-%d", &port1, &port2))
465 vec_validate_acl_rules(rules, rule_idx);
466 rules[rule_idx].srcport_or_icmptype_first = htons(port1);
467 rules[rule_idx].srcport_or_icmptype_last = htons(port2);
469 else if (unformat (i, "sport %d", &port1))
471 vec_validate_acl_rules(rules, rule_idx);
472 rules[rule_idx].srcport_or_icmptype_first = htons(port1);
473 rules[rule_idx].srcport_or_icmptype_last = htons(port1);
475 else if (unformat (i, "dport %d-%d", &port1, &port2))
477 vec_validate_acl_rules(rules, rule_idx);
478 rules[rule_idx].dstport_or_icmpcode_first = htons(port1);
479 rules[rule_idx].dstport_or_icmpcode_last = htons(port2);
481 else if (unformat (i, "dport %d", &port1))
483 vec_validate_acl_rules(rules, rule_idx);
484 rules[rule_idx].dstport_or_icmpcode_first = htons(port1);
485 rules[rule_idx].dstport_or_icmpcode_last = htons(port1);
487 else if (unformat (i, "tcpflags %d %d", &tcpflags, &tcpmask))
489 vec_validate_acl_rules(rules, rule_idx);
490 rules[rule_idx].tcp_flags_value = tcpflags;
491 rules[rule_idx].tcp_flags_mask = tcpmask;
493 else if (unformat (i, "tcpflags %d mask %d", &tcpflags, &tcpmask))
495 vec_validate_acl_rules(rules, rule_idx);
496 rules[rule_idx].tcp_flags_value = tcpflags;
497 rules[rule_idx].tcp_flags_mask = tcpmask;
499 else if (unformat (i, "proto %d", &proto))
501 vec_validate_acl_rules(rules, rule_idx);
502 rules[rule_idx].proto = proto;
504 else if (unformat (i, "tag %s", &tag))
507 else if (unformat (i, ","))
510 vec_validate_acl_rules(rules, rule_idx);
516 /* Construct the API message */
517 vam->result_ready = 0;
520 n_rules = vec_len(rules);
524 if (n_rules_override >= 0)
525 n_rules = n_rules_override;
527 msg_size += n_rules*sizeof(rules[0]);
529 mp = vl_msg_api_alloc_as_if_client(msg_size);
530 clib_memset (mp, 0, msg_size);
531 mp->_vl_msg_id = ntohs (VL_API_ACL_ADD_REPLACE + sm->msg_id_base);
532 mp->client_index = vam->my_client_index;
533 if ((n_rules > 0) && rules)
534 clib_memcpy(mp->r, rules, n_rules*sizeof (vl_api_acl_rule_t));
537 if (vec_len(tag) >= sizeof(mp->tag))
539 tag[sizeof(mp->tag)-1] = 0;
540 _vec_len(tag) = sizeof(mp->tag);
542 clib_memcpy(mp->tag, tag, vec_len(tag));
545 mp->acl_index = ntohl(acl_index);
546 mp->count = htonl(n_rules);
551 /* Wait for a reply... */
556 static int api_acl_plugin_get_conn_table_max_entries (vat_main_t * vam)
558 acl_test_main_t * sm = &acl_test_main;
559 vl_api_acl_plugin_get_conn_table_max_entries_t * mp;
560 u32 msg_size = sizeof(*mp);
563 vam->result_ready = 0;
564 mp = vl_msg_api_alloc_as_if_client(msg_size);
565 memset (mp, 0, msg_size);
566 mp->_vl_msg_id = ntohs (VL_API_ACL_PLUGIN_GET_CONN_TABLE_MAX_ENTRIES + sm->msg_id_base);
567 mp->client_index = vam->my_client_index;
572 /* Wait for a reply... */
579 * Read the series of ACL entries from file in the following format:
582 @0.0.0.0/1 131.179.121.0/24 0 : 65535 0 : 65535 0x00/0x00 0x0000/0x0000
583 @128.0.0.0/1 85.54.226.0/23 0 : 65535 0 : 65535 0x00/0x00 0x0000/0x0000
584 @128.0.0.0/1 85.54.48.0/23 0 : 65535 0 : 65535 0x00/0x00 0x0000/0x0000
585 @128.0.0.0/1 31.237.44.0/23 0 : 65535 0 : 65535 0x00/0x00 0x0000/0x0000
586 @0.0.0.0/1 255.84.184.0/23 0 : 65535 0 : 65535 0x00/0x00 0x0000/0x0000
587 @132.92.0.0/16 0.0.0.0/0 0 : 65535 0 : 65535 0x01/0xFF 0x0000/0x0000
593 api_acl_add_replace_from_file (vat_main_t * vam)
596 unformat_input_t * input = vam->input;
597 acl_test_main_t * sm = &acl_test_main;
598 vl_api_acl_add_replace_t * mp;
600 u32 msg_size = sizeof (*mp); /* without the rules */
602 vl_api_acl_rule_t *rules = 0;
606 int append_default_permit = 0;
607 u32 tcpflags = 0, tcpmask = 0;
608 ip4_address_t src_v4address, dst_v4address;
611 char *file_name = NULL;
612 unformat_input_t file_input;
614 while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
616 if (unformat (input, "filename %s", &file_name))
618 /* we will use this later */
620 else if (unformat (input, "acl-index %d", &acl_index))
622 /* we will try to replace an existing ACL */
624 else if (unformat (input, "permit+reflect"))
628 else if (unformat (input, "permit"))
632 else if (unformat (input, "append-default-permit"))
634 append_default_permit = 1;
640 fd = open(file_name, O_RDONLY);
643 clib_warning("Could not open file '%s'");
647 /* input from file */
649 unformat_init_clib_file(input, fd);
651 unsigned sport_low, sport_high, dport_low, dport_high;
652 unsigned proto, protomask;
653 u32 src_prefix_length, dst_prefix_length;
654 u32 unused1, unused2;
656 while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
658 if (!unformat(input, "@%U/%d\t%U/%d\t%d : %d\t%d : %d\t0x%x/0x%x\t0x%x/0x%x",
659 unformat_ip4_address, &src_v4address, &src_prefix_length,
660 unformat_ip4_address, &dst_v4address, &dst_prefix_length,
661 &sport_low, &sport_high, &dport_low, &dport_high, &proto, &protomask, &unused1, &unused2)) {
662 clib_warning("Error parsing");
667 vec_validate_acl_rules(rules, rule_idx);
669 rules[rule_idx].is_ipv6 = 0;
670 rules[rule_idx].is_permit = is_permit;
671 memcpy (rules[rule_idx].src_ip_addr, &src_v4address, 4);
672 rules[rule_idx].src_ip_prefix_len = src_prefix_length;
673 memcpy (rules[rule_idx].dst_ip_addr, &dst_v4address, 4);
674 rules[rule_idx].dst_ip_prefix_len = dst_prefix_length;
675 rules[rule_idx].srcport_or_icmptype_first = htons(sport_low);
676 rules[rule_idx].srcport_or_icmptype_last = htons(sport_high);
677 rules[rule_idx].dstport_or_icmpcode_first = htons(dport_low);
678 rules[rule_idx].dstport_or_icmpcode_last = htons(dport_high);
679 rules[rule_idx].tcp_flags_value = tcpflags;
680 rules[rule_idx].tcp_flags_mask = tcpmask;
681 rules[rule_idx].proto = proto;
685 if (append_default_permit) {
687 vec_validate_acl_rules(rules, rule_idx);
689 rules[rule_idx].is_ipv6 = 0;
690 rules[rule_idx].is_permit = is_permit == 2 ? 2 : 1;
692 src_v4address.data[0]=0;
693 src_v4address.data[1]=0;
694 src_v4address.data[2]=0;
695 src_v4address.data[3]=0;
696 memcpy (rules[rule_idx].src_ip_addr, &src_v4address, 4);
697 rules[rule_idx].src_ip_prefix_len = 0;
699 dst_v4address.data[0]=0;
700 dst_v4address.data[1]=0;
701 dst_v4address.data[2]=0;
702 dst_v4address.data[3]=0;
703 memcpy (rules[rule_idx].dst_ip_addr, &dst_v4address, 4);
704 rules[rule_idx].dst_ip_prefix_len = 0;
706 rules[rule_idx].srcport_or_icmptype_first = htons(0);
707 rules[rule_idx].srcport_or_icmptype_last = htons(65535);
708 rules[rule_idx].dstport_or_icmpcode_first = htons(0);
709 rules[rule_idx].dstport_or_icmpcode_last = htons(65535);
710 rules[rule_idx].tcp_flags_value = 0;
711 rules[rule_idx].tcp_flags_mask = 0;
712 rules[rule_idx].proto = 0;
715 /* Construct the API message */
717 vam->result_ready = 0;
719 n_rules = vec_len(rules);
721 msg_size += n_rules*sizeof(rules[0]);
723 mp = vl_msg_api_alloc_as_if_client(msg_size);
724 clib_memset (mp, 0, msg_size);
725 mp->_vl_msg_id = ntohs (VL_API_ACL_ADD_REPLACE + sm->msg_id_base);
726 mp->client_index = vam->my_client_index;
728 clib_memcpy(mp->r, rules, n_rules*sizeof (vl_api_acl_rule_t));
729 mp->acl_index = ntohl(acl_index);
730 mp->count = htonl(n_rules);
735 /* Wait for a reply... */
746 static int api_acl_del (vat_main_t * vam)
748 unformat_input_t * i = vam->input;
749 vl_api_acl_del_t * mp;
753 if (!unformat (i, "%d", &acl_index)) {
754 errmsg ("missing acl index\n");
758 /* Construct the API message */
760 mp->acl_index = ntohl(acl_index);
765 /* Wait for a reply... */
770 static int api_macip_acl_del (vat_main_t * vam)
772 unformat_input_t * i = vam->input;
773 vl_api_acl_del_t * mp;
777 if (!unformat (i, "%d", &acl_index)) {
778 errmsg ("missing acl index\n");
782 /* Construct the API message */
783 M(MACIP_ACL_DEL, mp);
784 mp->acl_index = ntohl(acl_index);
789 /* Wait for a reply... */
794 static int api_acl_interface_add_del (vat_main_t * vam)
796 unformat_input_t * i = vam->input;
797 vl_api_acl_interface_add_del_t * mp;
798 u32 sw_if_index = ~0;
804 // acl_interface_add_del <intfc> | sw_if_index <if-idx> acl_index <acl-idx> [out] [del]
806 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
808 if (unformat (i, "%d", &acl_index))
815 /* Parse args required to build the message */
816 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
817 if (unformat (i, "%U", unformat_sw_if_index, vam, &sw_if_index))
819 else if (unformat (i, "sw_if_index %d", &sw_if_index))
821 else if (unformat (i, "add"))
823 else if (unformat (i, "del"))
825 else if (unformat (i, "acl %d", &acl_index))
827 else if (unformat (i, "input"))
829 else if (unformat (i, "output"))
835 if (sw_if_index == ~0) {
836 errmsg ("missing interface name / explicit sw_if_index number \n");
840 if (acl_index == ~0) {
841 errmsg ("missing ACL index\n");
847 /* Construct the API message */
848 M(ACL_INTERFACE_ADD_DEL, mp);
849 mp->acl_index = ntohl(acl_index);
850 mp->sw_if_index = ntohl(sw_if_index);
852 mp->is_input = is_input;
857 /* Wait for a reply... */
862 static int api_macip_acl_interface_add_del (vat_main_t * vam)
864 unformat_input_t * i = vam->input;
865 vl_api_macip_acl_interface_add_del_t * mp;
866 u32 sw_if_index = ~0;
871 /* Parse args required to build the message */
872 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
873 if (unformat (i, "%U", unformat_sw_if_index, vam, &sw_if_index))
875 else if (unformat (i, "sw_if_index %d", &sw_if_index))
877 else if (unformat (i, "add"))
879 else if (unformat (i, "del"))
881 else if (unformat (i, "acl %d", &acl_index))
887 if (sw_if_index == ~0) {
888 errmsg ("missing interface name / explicit sw_if_index number \n");
892 if (acl_index == ~0) {
893 errmsg ("missing ACL index\n");
899 /* Construct the API message */
900 M(MACIP_ACL_INTERFACE_ADD_DEL, mp);
901 mp->acl_index = ntohl(acl_index);
902 mp->sw_if_index = ntohl(sw_if_index);
908 /* Wait for a reply... */
913 static int api_acl_interface_set_acl_list (vat_main_t * vam)
915 unformat_input_t * i = vam->input;
916 vl_api_acl_interface_set_acl_list_t * mp;
917 u32 sw_if_index = ~0;
924 // acl_interface_set_acl_list <intfc> | sw_if_index <if-idx> input [acl-idx list] output [acl-idx list]
926 /* Parse args required to build the message */
927 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
928 if (unformat (i, "%U", unformat_sw_if_index, vam, &sw_if_index))
930 else if (unformat (i, "sw_if_index %d", &sw_if_index))
932 else if (unformat (i, "%d", &acl_index))
935 vec_add1(inacls, htonl(acl_index));
937 vec_add1(outacls, htonl(acl_index));
939 else if (unformat (i, "acl %d", &acl_index))
941 else if (unformat (i, "input"))
943 else if (unformat (i, "output"))
949 if (sw_if_index == ~0) {
950 errmsg ("missing interface name / explicit sw_if_index number \n");
954 /* Construct the API message */
955 M2(ACL_INTERFACE_SET_ACL_LIST, mp, sizeof(u32) * (vec_len(inacls) + vec_len(outacls)));
956 mp->sw_if_index = ntohl(sw_if_index);
957 mp->n_input = vec_len(inacls);
958 mp->count = vec_len(inacls) + vec_len(outacls);
959 vec_append(inacls, outacls);
960 if (vec_len(inacls) > 0)
961 clib_memcpy(mp->acls, inacls, vec_len(inacls)*sizeof(u32));
966 /* Wait for a reply... */
971 static int api_acl_interface_set_etype_whitelist (vat_main_t * vam)
973 unformat_input_t * i = vam->input;
974 vl_api_acl_interface_set_etype_whitelist_t * mp;
975 u32 sw_if_index = ~0;
982 // acl_interface_set_etype_whitelist <intfc> | sw_if_index <if-idx> input [ethertype list] output [ethertype list]
984 /* Parse args required to build the message */
985 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
986 if (unformat (i, "%U", unformat_sw_if_index, vam, &sw_if_index))
988 else if (unformat (i, "sw_if_index %d", &sw_if_index))
990 else if (unformat (i, "%x", ðertype))
992 ethertype = ethertype & 0xffff;
994 vec_add1(etypes_in, htons(ethertype));
996 vec_add1(etypes_out, htons(ethertype));
998 else if (unformat (i, "input"))
1000 else if (unformat (i, "output"))
1006 if (sw_if_index == ~0) {
1007 errmsg ("missing interface name / explicit sw_if_index number \n");
1011 /* Construct the API message */
1012 M2(ACL_INTERFACE_SET_ETYPE_WHITELIST, mp, sizeof(u32) * (vec_len(etypes_in) + vec_len(etypes_out)));
1013 mp->sw_if_index = ntohl(sw_if_index);
1014 mp->n_input = vec_len(etypes_in);
1015 mp->count = vec_len(etypes_in) + vec_len(etypes_out);
1016 vec_append(etypes_in, etypes_out);
1017 if (vec_len(etypes_in) > 0)
1018 clib_memcpy(mp->whitelist, etypes_in, vec_len(etypes_in)*sizeof(etypes_in[0]));
1023 /* Wait for a reply... */
1029 api_acl_send_control_ping(vat_main_t *vam)
1031 vl_api_acl_plugin_control_ping_t *mp_ping;
1033 M(ACL_PLUGIN_CONTROL_PING, mp_ping);
1038 static int api_acl_interface_list_dump (vat_main_t * vam)
1040 unformat_input_t * i = vam->input;
1041 u32 sw_if_index = ~0;
1042 vl_api_acl_interface_list_dump_t * mp;
1045 /* Parse args required to build the message */
1046 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
1047 if (unformat (i, "%U", unformat_sw_if_index, vam, &sw_if_index))
1049 else if (unformat (i, "sw_if_index %d", &sw_if_index))
1055 /* Construct the API message */
1056 M(ACL_INTERFACE_LIST_DUMP, mp);
1057 mp->sw_if_index = ntohl (sw_if_index);
1062 /* Use control ping for synchronization */
1063 api_acl_send_control_ping(vam);
1065 /* Wait for a reply... */
1070 static int api_acl_dump (vat_main_t * vam)
1072 unformat_input_t * i = vam->input;
1074 vl_api_acl_dump_t * mp;
1077 /* Parse args required to build the message */
1078 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
1079 if (unformat (i, "%d", &acl_index))
1085 /* Construct the API message */
1087 mp->acl_index = ntohl (acl_index);
1092 /* Use control ping for synchronization */
1093 api_acl_send_control_ping(vam);
1095 /* Wait for a reply... */
1100 static int api_macip_acl_dump (vat_main_t * vam)
1102 unformat_input_t * i = vam->input;
1104 vl_api_acl_dump_t * mp;
1107 /* Parse args required to build the message */
1108 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
1109 if (unformat (i, "%d", &acl_index))
1115 /* Construct the API message */
1116 M(MACIP_ACL_DUMP, mp);
1117 mp->acl_index = ntohl (acl_index);
1122 /* Use control ping for synchronization */
1123 api_acl_send_control_ping(vam);
1125 /* Wait for a reply... */
1130 static int api_acl_interface_etype_whitelist_dump (vat_main_t * vam)
1132 unformat_input_t * i = vam->input;
1133 u32 sw_if_index = ~0;
1134 vl_api_acl_interface_etype_whitelist_dump_t * mp;
1137 /* Parse args required to build the message */
1138 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
1139 if (unformat (i, "%U", unformat_sw_if_index, vam, &sw_if_index))
1141 else if (unformat (i, "sw_if_index %d", &sw_if_index))
1147 /* Construct the API message */
1148 M(ACL_INTERFACE_ETYPE_WHITELIST_DUMP, mp);
1149 mp->sw_if_index = ntohl (sw_if_index);
1154 /* Use control ping for synchronization */
1155 api_acl_send_control_ping(vam);
1157 /* Wait for a reply... */
1163 #define vec_validate_macip_acl_rules(v, idx) \
1165 if (vec_len(v) < idx+1) { \
1166 vec_validate(v, idx); \
1167 v[idx].is_permit = 0x1; \
1172 static int api_macip_acl_add (vat_main_t * vam)
1174 acl_test_main_t * sm = &acl_test_main;
1175 unformat_input_t * i = vam->input;
1176 vl_api_macip_acl_add_t * mp;
1177 u32 msg_size = sizeof (*mp); /* without the rules */
1179 vl_api_macip_acl_rule_t *rules = 0;
1182 int n_rules_override = -1;
1183 u32 src_prefix_length = 0;
1185 ip4_address_t src_v4address;
1186 ip6_address_t src_v6address;
1189 u8 mac_mask_all_1[6] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
1192 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
1194 if (unformat (i, "ipv6"))
1196 vec_validate_macip_acl_rules(rules, rule_idx);
1197 rules[rule_idx].is_ipv6 = 1;
1199 else if (unformat (i, "ipv4"))
1201 vec_validate_macip_acl_rules(rules, rule_idx);
1202 rules[rule_idx].is_ipv6 = 0;
1204 else if (unformat (i, "permit"))
1206 vec_validate_macip_acl_rules(rules, rule_idx);
1207 rules[rule_idx].is_permit = 1;
1209 else if (unformat (i, "deny"))
1211 vec_validate_macip_acl_rules(rules, rule_idx);
1212 rules[rule_idx].is_permit = 0;
1214 else if (unformat (i, "count %d", &n_rules_override))
1216 /* we will use this later */
1218 else if (unformat (i, "action %d", &action))
1220 vec_validate_macip_acl_rules(rules, rule_idx);
1221 rules[rule_idx].is_permit = action;
1223 else if (unformat (i, "ip %U/%d",
1224 unformat_ip4_address, &src_v4address, &src_prefix_length) ||
1225 unformat (i, "ip %U",
1226 unformat_ip4_address, &src_v4address))
1228 if (src_prefix_length == 0)
1229 src_prefix_length = 32;
1230 vec_validate_macip_acl_rules(rules, rule_idx);
1231 memcpy (rules[rule_idx].src_ip_addr, &src_v4address, 4);
1232 rules[rule_idx].src_ip_prefix_len = src_prefix_length;
1233 rules[rule_idx].is_ipv6 = 0;
1235 else if (unformat (i, "src"))
1237 /* Everything in MACIP is "source" but allow this verbosity */
1239 else if (unformat (i, "ip %U/%d",
1240 unformat_ip6_address, &src_v6address, &src_prefix_length) ||
1241 unformat (i, "ip %U",
1242 unformat_ip6_address, &src_v6address))
1244 if (src_prefix_length == 0)
1245 src_prefix_length = 128;
1246 vec_validate_macip_acl_rules(rules, rule_idx);
1247 memcpy (rules[rule_idx].src_ip_addr, &src_v6address, 16);
1248 rules[rule_idx].src_ip_prefix_len = src_prefix_length;
1249 rules[rule_idx].is_ipv6 = 1;
1251 else if (unformat (i, "mac %U",
1252 my_unformat_mac_address, &src_mac))
1254 vec_validate_macip_acl_rules(rules, rule_idx);
1255 memcpy (rules[rule_idx].src_mac, &src_mac, 6);
1256 memcpy (rules[rule_idx].src_mac_mask, &mac_mask_all_1, 6);
1258 else if (unformat (i, "mask %U",
1259 my_unformat_mac_address, &src_mac))
1261 vec_validate_macip_acl_rules(rules, rule_idx);
1262 memcpy (rules[rule_idx].src_mac_mask, &src_mac, 6);
1264 else if (unformat (i, "tag %s", &tag))
1267 else if (unformat (i, ","))
1270 vec_validate_macip_acl_rules(rules, rule_idx);
1276 /* Construct the API message */
1277 vam->result_ready = 0;
1280 n_rules = vec_len(rules);
1282 if (n_rules_override >= 0)
1283 n_rules = n_rules_override;
1285 msg_size += n_rules*sizeof(rules[0]);
1287 mp = vl_msg_api_alloc_as_if_client(msg_size);
1288 clib_memset (mp, 0, msg_size);
1289 mp->_vl_msg_id = ntohs (VL_API_MACIP_ACL_ADD + sm->msg_id_base);
1290 mp->client_index = vam->my_client_index;
1291 if ((n_rules > 0) && rules)
1292 clib_memcpy(mp->r, rules, n_rules*sizeof (mp->r[0]));
1295 if (vec_len(tag) >= sizeof(mp->tag))
1297 tag[sizeof(mp->tag)-1] = 0;
1298 _vec_len(tag) = sizeof(mp->tag);
1300 clib_memcpy(mp->tag, tag, vec_len(tag));
1304 mp->count = htonl(n_rules);
1309 /* Wait for a reply... */
1314 static int api_macip_acl_add_replace (vat_main_t * vam)
1316 acl_test_main_t * sm = &acl_test_main;
1317 unformat_input_t * i = vam->input;
1318 vl_api_macip_acl_add_replace_t * mp;
1320 u32 msg_size = sizeof (*mp); /* without the rules */
1322 vl_api_macip_acl_rule_t *rules = 0;
1325 int n_rules_override = -1;
1326 u32 src_prefix_length = 0;
1328 ip4_address_t src_v4address;
1329 ip6_address_t src_v6address;
1332 u8 mac_mask_all_1[6] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
1335 if (!unformat (i, "%d", &acl_index)) {
1336 /* Just assume -1 */
1339 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
1341 if (unformat (i, "ipv6"))
1343 vec_validate_macip_acl_rules(rules, rule_idx);
1344 rules[rule_idx].is_ipv6 = 1;
1346 else if (unformat (i, "ipv4"))
1348 vec_validate_macip_acl_rules(rules, rule_idx);
1349 rules[rule_idx].is_ipv6 = 0;
1351 else if (unformat (i, "permit"))
1353 vec_validate_macip_acl_rules(rules, rule_idx);
1354 rules[rule_idx].is_permit = 1;
1356 else if (unformat (i, "deny"))
1358 vec_validate_macip_acl_rules(rules, rule_idx);
1359 rules[rule_idx].is_permit = 0;
1361 else if (unformat (i, "count %d", &n_rules_override))
1363 /* we will use this later */
1365 else if (unformat (i, "action %d", &action))
1367 vec_validate_macip_acl_rules(rules, rule_idx);
1368 rules[rule_idx].is_permit = action;
1370 else if (unformat (i, "ip %U/%d",
1371 unformat_ip4_address, &src_v4address, &src_prefix_length) ||
1372 unformat (i, "ip %U",
1373 unformat_ip4_address, &src_v4address))
1375 if (src_prefix_length == 0)
1376 src_prefix_length = 32;
1377 vec_validate_macip_acl_rules(rules, rule_idx);
1378 memcpy (rules[rule_idx].src_ip_addr, &src_v4address, 4);
1379 rules[rule_idx].src_ip_prefix_len = src_prefix_length;
1380 rules[rule_idx].is_ipv6 = 0;
1382 else if (unformat (i, "src"))
1384 /* Everything in MACIP is "source" but allow this verbosity */
1386 else if (unformat (i, "ip %U/%d",
1387 unformat_ip6_address, &src_v6address, &src_prefix_length) ||
1388 unformat (i, "ip %U",
1389 unformat_ip6_address, &src_v6address))
1391 if (src_prefix_length == 0)
1392 src_prefix_length = 128;
1393 vec_validate_macip_acl_rules(rules, rule_idx);
1394 memcpy (rules[rule_idx].src_ip_addr, &src_v6address, 16);
1395 rules[rule_idx].src_ip_prefix_len = src_prefix_length;
1396 rules[rule_idx].is_ipv6 = 1;
1398 else if (unformat (i, "mac %U",
1399 my_unformat_mac_address, &src_mac))
1401 vec_validate_macip_acl_rules(rules, rule_idx);
1402 memcpy (rules[rule_idx].src_mac, &src_mac, 6);
1403 memcpy (rules[rule_idx].src_mac_mask, &mac_mask_all_1, 6);
1405 else if (unformat (i, "mask %U",
1406 my_unformat_mac_address, &src_mac))
1408 vec_validate_macip_acl_rules(rules, rule_idx);
1409 memcpy (rules[rule_idx].src_mac_mask, &src_mac, 6);
1411 else if (unformat (i, "tag %s", &tag))
1414 else if (unformat (i, ","))
1417 vec_validate_macip_acl_rules(rules, rule_idx);
1425 errmsg ("rule/s required\n");
1428 /* Construct the API message */
1429 vam->result_ready = 0;
1432 n_rules = vec_len(rules);
1434 if (n_rules_override >= 0)
1435 n_rules = n_rules_override;
1437 msg_size += n_rules*sizeof(rules[0]);
1439 mp = vl_msg_api_alloc_as_if_client(msg_size);
1440 clib_memset (mp, 0, msg_size);
1441 mp->_vl_msg_id = ntohs (VL_API_MACIP_ACL_ADD_REPLACE + sm->msg_id_base);
1442 mp->client_index = vam->my_client_index;
1443 if ((n_rules > 0) && rules)
1444 clib_memcpy(mp->r, rules, n_rules*sizeof (mp->r[0]));
1447 if (vec_len(tag) >= sizeof(mp->tag))
1449 tag[sizeof(mp->tag)-1] = 0;
1450 _vec_len(tag) = sizeof(mp->tag);
1452 clib_memcpy(mp->tag, tag, vec_len(tag));
1456 mp->acl_index = ntohl(acl_index);
1457 mp->count = htonl(n_rules);
1462 /* Wait for a reply... */
1468 * List of messages that the api test plugin sends,
1469 * and that the data plane plugin processes
1471 #define foreach_vpe_api_msg \
1472 _(acl_plugin_get_version, "") \
1473 _(acl_add_replace, "<acl-idx> [<ipv4|ipv6> <permit|permit+reflect|deny|action N> [src IP/plen] [dst IP/plen] [sport X-Y] [dport X-Y] [proto P] [tcpflags FL MASK], ... , ...") \
1474 _(acl_add_replace_from_file, "filename <file> [permit] [append-default-permit]") \
1475 _(acl_del, "<acl-idx>") \
1476 _(acl_dump, "[<acl-idx>]") \
1477 _(acl_interface_add_del, "<intfc> | sw_if_index <if-idx> [add|del] [input|output] acl <acl-idx>") \
1478 _(acl_interface_set_acl_list, "<intfc> | sw_if_index <if-idx> input [acl-idx list] output [acl-idx list]") \
1479 _(acl_interface_set_etype_whitelist, "<intfc> | sw_if_index <if-idx> input [ethertype list] output [ethertype list]") \
1480 _(acl_interface_etype_whitelist_dump, "[<intfc> | sw_if_index <if-idx>]") \
1481 _(acl_interface_list_dump, "[<intfc> | sw_if_index <if-idx>]") \
1482 _(macip_acl_add, "...") \
1483 _(macip_acl_add_replace, "<acl-idx> [<ipv4|ipv6> <permit|deny|action N> [count <count>] [src] ip <ipaddress/[plen]> mac <mac> mask <mac_mask>, ... , ...") \
1484 _(macip_acl_del, "<acl-idx>")\
1485 _(macip_acl_dump, "[<acl-idx>]") \
1486 _(macip_acl_interface_add_del, "<intfc> | sw_if_index <if-idx> [add|del] acl <acl-idx>") \
1487 _(macip_acl_interface_get, "") \
1488 _(acl_plugin_get_conn_table_max_entries, "")
1492 void acl_api_hookup (vat_main_t *vam)
1494 acl_test_main_t * sm = &acl_test_main;
1495 /* Hook up handlers for replies from the data plane plug-in */
1497 vl_msg_api_set_handlers((VL_API_##N + sm->msg_id_base), \
1499 vl_api_##n##_t_handler, \
1501 vl_api_##n##_t_endian, \
1502 vl_api_##n##_t_print, \
1503 sizeof(vl_api_##n##_t), 1);
1504 foreach_vpe_api_reply_msg;
1507 /* API messages we can send */
1508 #define _(n,h) hash_set_mem (vam->function_by_name, #n, api_##n);
1509 foreach_vpe_api_msg;
1513 #define _(n,h) hash_set_mem (vam->help_by_name, #n, h);
1514 foreach_vpe_api_msg;
1518 VAT_PLUGIN_REGISTER(acl);