2 * Copyright (c) 2015 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
16 *------------------------------------------------------------------
17 * acl_test.c - test harness plugin
18 *------------------------------------------------------------------
24 #include <vlibapi/api.h>
25 #include <vlibmemory/api.h>
26 #include <vppinfra/error.h>
27 #include <vnet/ip/ip.h>
28 #include <arpa/inet.h>
30 #include <vnet/ip/ip_format_fns.h>
31 #include <vnet/ethernet/ethernet_format_fns.h>
33 #define __plugin_msg_base acl_test_main.msg_id_base
34 #include <vlibapi/vat_helper_macros.h>
36 uword unformat_sw_if_index (unformat_input_t * input, va_list * args);
38 /* Declare message IDs */
39 #include <acl/acl.api_enum.h>
40 #include <acl/acl.api_types.h>
41 #define vl_endianfun /* define message structures */
42 #include <acl/acl.api.h>
46 /* API message ID base */
51 acl_test_main_t acl_test_main;
53 #define foreach_reply_retval_aclindex_handler \
54 _(acl_add_replace_reply) \
55 _(macip_acl_add_reply) \
56 _(macip_acl_add_replace_reply)
59 static void vl_api_##n##_t_handler \
60 (vl_api_##n##_t * mp) \
62 vat_main_t * vam = acl_test_main.vat_main; \
63 i32 retval = ntohl(mp->retval); \
64 if (vam->async_mode) { \
65 vam->async_errors += (retval < 0); \
67 clib_warning("ACL index: %d", ntohl(mp->acl_index)); \
68 vam->retval = retval; \
69 vam->result_ready = 1; \
72 foreach_reply_retval_aclindex_handler;
75 /* These two ought to be in a library somewhere but they aren't */
77 my_unformat_mac_address (unformat_input_t * input, va_list * args)
79 u8 *a = va_arg (*args, u8 *);
80 return unformat (input, "%x:%x:%x:%x:%x:%x", &a[0], &a[1], &a[2], &a[3],
85 my_format_mac_address (u8 * s, va_list * args)
87 u8 *a = va_arg (*args, u8 *);
88 return format (s, "%02x:%02x:%02x:%02x:%02x:%02x",
89 a[0], a[1], a[2], a[3], a[4], a[5]);
94 static void vl_api_acl_plugin_get_version_reply_t_handler
95 (vl_api_acl_plugin_get_version_reply_t * mp)
97 vat_main_t * vam = acl_test_main.vat_main;
98 clib_warning("ACL plugin version: %d.%d", ntohl(mp->major), ntohl(mp->minor));
99 vam->result_ready = 1;
103 vl_api_acl_plugin_use_hash_lookup_get_reply_t_handler (
104 vl_api_acl_plugin_use_hash_lookup_get_reply_t *mp)
106 vat_main_t *vam = acl_test_main.vat_main;
107 clib_warning ("ACL hash lookups enabled: %d", mp->enable);
108 vam->result_ready = 1;
111 static void vl_api_acl_interface_list_details_t_handler
112 (vl_api_acl_interface_list_details_t * mp)
115 vat_main_t * vam = acl_test_main.vat_main;
117 vl_api_acl_interface_list_details_t_endian (mp, 0 /* from network */);
118 out = format(out, "sw_if_index: %d, count: %d, n_input: %d\n", mp->sw_if_index, mp->count, mp->n_input);
119 out = format(out, " input ");
120 for(i=0; i<mp->count; i++) {
121 if (i == mp->n_input)
122 out = format(out, "\n output ");
123 out = format(out, "%d ", ntohl (mp->acls[i]));
125 out = format(out, "\n");
126 clib_warning("%s", out);
128 vam->result_ready = 1;
131 static void vl_api_macip_acl_interface_list_details_t_handler
132 (vl_api_macip_acl_interface_list_details_t * mp)
134 // NOT YET IMPLEMENTED
138 static void vl_api_acl_interface_etype_whitelist_details_t_handler
139 (vl_api_acl_interface_etype_whitelist_details_t * mp)
142 vat_main_t * vam = acl_test_main.vat_main;
144 vl_api_acl_interface_etype_whitelist_details_t_endian (
145 mp, 0 /* from network */);
146 out = format(out, "sw_if_index: %d, count: %d, n_input: %d\n", mp->sw_if_index, mp->count, mp->n_input);
147 out = format(out, " input ");
148 for(i=0; i<mp->count; i++) {
149 if (i == mp->n_input)
150 out = format(out, "\n output ");
151 out = format(out, "%04x ", ntohs(mp->whitelist[i]));
153 out = format(out, "\n");
154 clib_warning("%s", out);
156 vam->result_ready = 1;
159 static void vl_api_acl_plugin_get_conn_table_max_entries_reply_t_handler
160 (vl_api_acl_plugin_get_conn_table_max_entries_reply_t * mp)
162 vat_main_t * vam = acl_test_main.vat_main;
163 clib_warning ("\nConn table max entries: %d",
164 clib_net_to_host_u64 (mp->conn_table_max_entries));
165 vam->result_ready = 1;
169 vl_api_acl_rule_t_pretty_format (u8 *out, vl_api_acl_rule_t * a)
171 int af = a->src_prefix.address.af ? AF_INET6 : AF_INET;
172 u8 src[INET6_ADDRSTRLEN];
173 u8 dst[INET6_ADDRSTRLEN];
174 inet_ntop(af, &a->src_prefix.address.un, (void *)src, sizeof(src));
175 inet_ntop(af, &a->dst_prefix.address.un, (void *)dst, sizeof(dst));
178 "%s action %d src %s/%d dst %s/%d proto %d sport %d-%d dport "
179 "%d-%d tcpflags %d mask %d",
180 a->src_prefix.address.af ? "ipv6" : "ipv4", a->is_permit, src,
181 a->src_prefix.len, dst, a->dst_prefix.len, a->proto,
182 a->srcport_or_icmptype_first, a->srcport_or_icmptype_last,
183 a->dstport_or_icmpcode_first, a->dstport_or_icmpcode_last,
184 a->tcp_flags_value, a->tcp_flags_mask);
190 static void vl_api_acl_details_t_handler
191 (vl_api_acl_details_t * mp)
194 vat_main_t * vam = acl_test_main.vat_main;
195 vl_api_acl_details_t_endian (mp, 0 /* from network */);
197 out = format (0, "acl_index: %d, count: %d\n tag {%s}\n",
198 mp->acl_index, mp->count, mp->tag);
199 for(i=0; i<mp->count; i++) {
200 out = format(out, " ");
201 out = vl_api_acl_rule_t_pretty_format(out, &mp->r[i]);
202 out = format(out, "%s\n", i<mp->count-1 ? "," : "");
204 clib_warning("%s", out);
206 vam->result_ready = 1;
210 vl_api_macip_acl_rule_t_pretty_format (u8 *out, vl_api_macip_acl_rule_t * a)
212 int af = a->src_prefix.address.af ? AF_INET6 : AF_INET;
213 u8 src[INET6_ADDRSTRLEN];
214 inet_ntop(af, &a->src_prefix.address.un, (void *)src, sizeof(src));
216 out = format(out, "%s action %d ip %s/%d mac %U mask %U",
217 a->src_prefix.address.af ? "ipv6" : "ipv4", a->is_permit,
218 src, a->src_prefix.len,
219 my_format_mac_address, a->src_mac,
220 my_format_mac_address, a->src_mac_mask);
225 static void vl_api_macip_acl_details_t_handler
226 (vl_api_macip_acl_details_t * mp)
229 vat_main_t * vam = acl_test_main.vat_main;
230 vl_api_macip_acl_details_t_endian (mp, 0 /* from network */);
231 u8 *out = format (0, "MACIP acl_index: %d, count: %d\n tag {%s}\n",
232 mp->acl_index, mp->count, mp->tag);
233 for(i=0; i<mp->count; i++) {
234 out = format(out, " ");
235 out = vl_api_macip_acl_rule_t_pretty_format(out, &mp->r[i]);
236 out = format(out, "%s\n", i<mp->count-1 ? "," : "");
238 clib_warning("%s", out);
240 vam->result_ready = 1;
243 static void vl_api_macip_acl_interface_get_reply_t_handler
244 (vl_api_macip_acl_interface_get_reply_t * mp)
247 vat_main_t * vam = acl_test_main.vat_main;
248 u8 *out = format(0, "sw_if_index with MACIP ACL count: %d\n", ntohl(mp->count));
249 for(i=0; i<ntohl(mp->count); i++) {
250 out = format(out, " macip_acl_interface_add_del sw_if_index %d add acl %d\n", i, ntohl(mp->acls[i]));
252 out = format(out, "\n");
253 clib_warning("%s", out);
255 vam->result_ready = 1;
258 static void vl_api_acl_plugin_control_ping_reply_t_handler
259 (vl_api_acl_plugin_control_ping_reply_t * mp)
261 vat_main_t *vam = &vat_main;
262 i32 retval = ntohl (mp->retval);
265 vam->async_errors += (retval < 0);
269 vam->retval = retval;
270 vam->result_ready = 1;
274 static int api_acl_plugin_get_version (vat_main_t * vam)
276 acl_test_main_t * sm = &acl_test_main;
277 vl_api_acl_plugin_get_version_t * mp;
278 u32 msg_size = sizeof(*mp);
281 vam->result_ready = 0;
282 mp = vl_msg_api_alloc_as_if_client(msg_size);
283 clib_memset (mp, 0, msg_size);
284 mp->_vl_msg_id = ntohs (VL_API_ACL_PLUGIN_GET_VERSION + sm->msg_id_base);
285 mp->client_index = vam->my_client_index;
290 /* Wait for a reply... */
295 static int api_macip_acl_interface_get (vat_main_t * vam)
297 acl_test_main_t * sm = &acl_test_main;
298 vl_api_acl_plugin_get_version_t * mp;
299 u32 msg_size = sizeof(*mp);
302 vam->result_ready = 0;
303 mp = vl_msg_api_alloc_as_if_client(msg_size);
304 clib_memset (mp, 0, msg_size);
305 mp->_vl_msg_id = ntohs (VL_API_MACIP_ACL_INTERFACE_GET + sm->msg_id_base);
306 mp->client_index = vam->my_client_index;
311 /* Wait for a reply... */
316 #define vec_validate_acl_rules(v, idx) \
318 if (vec_len(v) < idx+1) { \
319 vec_validate(v, idx); \
320 v[idx].is_permit = 0x1; \
321 v[idx].srcport_or_icmptype_last = 0xffff; \
322 v[idx].dstport_or_icmpcode_last = 0xffff; \
327 /* NOT YET IMPLEMENTED */
328 static int api_acl_plugin_control_ping (vat_main_t * vam)
332 static int api_macip_acl_interface_list_dump (vat_main_t * vam)
337 static int api_acl_add_replace (vat_main_t * vam)
339 acl_test_main_t * sm = &acl_test_main;
340 unformat_input_t * i = vam->input;
341 vl_api_acl_add_replace_t * mp;
343 u32 msg_size = sizeof (*mp); /* without the rules */
345 vl_api_acl_rule_t *rules = 0;
348 int n_rules_override = -1;
353 u32 tcpflags, tcpmask;
354 u32 src_prefix_length = 0, dst_prefix_length = 0;
355 ip4_address_t src_v4address, dst_v4address;
356 ip6_address_t src_v6address, dst_v6address;
360 if (!unformat (i, "%d", &acl_index)) {
364 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
366 if (unformat (i, "permit+reflect"))
368 vec_validate_acl_rules(rules, rule_idx);
369 rules[rule_idx].is_permit = 2;
371 else if (unformat (i, "permit"))
373 vec_validate_acl_rules(rules, rule_idx);
374 rules[rule_idx].is_permit = 1;
376 else if (unformat (i, "deny"))
378 vec_validate_acl_rules(rules, rule_idx);
379 rules[rule_idx].is_permit = 0;
381 else if (unformat (i, "count %d", &n_rules_override))
383 /* we will use this later */
385 else if (unformat (i, "action %d", &action))
387 vec_validate_acl_rules(rules, rule_idx);
388 rules[rule_idx].is_permit = action;
390 else if (unformat (i, "src %U/%d",
391 unformat_ip4_address, &src_v4address, &src_prefix_length))
393 vec_validate_acl_rules(rules, rule_idx);
394 memcpy (rules[rule_idx].src_prefix.address.un.ip4, &src_v4address, 4);
395 rules[rule_idx].src_prefix.address.af = ADDRESS_IP4;
396 rules[rule_idx].src_prefix.len = src_prefix_length;
398 else if (unformat (i, "src %U/%d",
399 unformat_ip6_address, &src_v6address, &src_prefix_length))
401 vec_validate_acl_rules(rules, rule_idx);
402 memcpy (rules[rule_idx].src_prefix.address.un.ip6, &src_v6address, 16);
403 rules[rule_idx].src_prefix.address.af = ADDRESS_IP6;
404 rules[rule_idx].src_prefix.len = src_prefix_length;
406 else if (unformat (i, "dst %U/%d",
407 unformat_ip4_address, &dst_v4address, &dst_prefix_length))
409 vec_validate_acl_rules(rules, rule_idx);
410 memcpy (rules[rule_idx].dst_prefix.address.un.ip4, &dst_v4address, 4);
411 rules[rule_idx].dst_prefix.address.af = ADDRESS_IP4;
412 rules[rule_idx].dst_prefix.len = dst_prefix_length;
414 else if (unformat (i, "dst %U/%d",
415 unformat_ip6_address, &dst_v6address, &dst_prefix_length))
417 vec_validate_acl_rules(rules, rule_idx);
418 memcpy (rules[rule_idx].dst_prefix.address.un.ip6, &dst_v6address, 16);
419 rules[rule_idx].dst_prefix.address.af = ADDRESS_IP6;
420 rules[rule_idx].dst_prefix.len = dst_prefix_length;
422 else if (unformat (i, "sport %d-%d", &port1, &port2))
424 vec_validate_acl_rules(rules, rule_idx);
425 rules[rule_idx].srcport_or_icmptype_first = htons(port1);
426 rules[rule_idx].srcport_or_icmptype_last = htons(port2);
428 else if (unformat (i, "sport %d", &port1))
430 vec_validate_acl_rules(rules, rule_idx);
431 rules[rule_idx].srcport_or_icmptype_first = htons(port1);
432 rules[rule_idx].srcport_or_icmptype_last = htons(port1);
434 else if (unformat (i, "dport %d-%d", &port1, &port2))
436 vec_validate_acl_rules(rules, rule_idx);
437 rules[rule_idx].dstport_or_icmpcode_first = htons(port1);
438 rules[rule_idx].dstport_or_icmpcode_last = htons(port2);
440 else if (unformat (i, "dport %d", &port1))
442 vec_validate_acl_rules(rules, rule_idx);
443 rules[rule_idx].dstport_or_icmpcode_first = htons(port1);
444 rules[rule_idx].dstport_or_icmpcode_last = htons(port1);
446 else if (unformat (i, "tcpflags %d %d", &tcpflags, &tcpmask))
448 vec_validate_acl_rules(rules, rule_idx);
449 rules[rule_idx].tcp_flags_value = tcpflags;
450 rules[rule_idx].tcp_flags_mask = tcpmask;
452 else if (unformat (i, "tcpflags %d mask %d", &tcpflags, &tcpmask))
454 vec_validate_acl_rules(rules, rule_idx);
455 rules[rule_idx].tcp_flags_value = tcpflags;
456 rules[rule_idx].tcp_flags_mask = tcpmask;
458 else if (unformat (i, "proto %d", &proto))
460 vec_validate_acl_rules(rules, rule_idx);
461 rules[rule_idx].proto = proto;
463 else if (unformat (i, "tag %s", &tag))
466 else if (unformat (i, ","))
469 vec_validate_acl_rules(rules, rule_idx);
475 /* Construct the API message */
476 vam->result_ready = 0;
479 n_rules = vec_len(rules);
483 if (n_rules_override >= 0)
484 n_rules = n_rules_override;
486 msg_size += n_rules*sizeof(rules[0]);
488 mp = vl_msg_api_alloc_as_if_client(msg_size);
489 clib_memset (mp, 0, msg_size);
490 mp->_vl_msg_id = ntohs (VL_API_ACL_ADD_REPLACE + sm->msg_id_base);
491 mp->client_index = vam->my_client_index;
492 if ((n_rules > 0) && rules)
493 clib_memcpy(mp->r, rules, n_rules*sizeof (vl_api_acl_rule_t));
496 if (vec_len(tag) >= sizeof(mp->tag))
498 tag[sizeof(mp->tag)-1] = 0;
499 vec_set_len (tag, sizeof (mp->tag));
501 clib_memcpy (mp->tag, tag, vec_len (tag));
504 mp->acl_index = ntohl(acl_index);
505 mp->count = htonl(n_rules);
510 /* Wait for a reply... */
515 static int api_acl_plugin_get_conn_table_max_entries (vat_main_t * vam)
517 acl_test_main_t * sm = &acl_test_main;
518 vl_api_acl_plugin_get_conn_table_max_entries_t * mp;
519 u32 msg_size = sizeof(*mp);
522 vam->result_ready = 0;
523 mp = vl_msg_api_alloc_as_if_client(msg_size);
524 memset (mp, 0, msg_size);
525 mp->_vl_msg_id = ntohs (VL_API_ACL_PLUGIN_GET_CONN_TABLE_MAX_ENTRIES + sm->msg_id_base);
526 mp->client_index = vam->my_client_index;
531 /* Wait for a reply... */
536 static int api_acl_stats_intf_counters_enable (vat_main_t * vam)
538 acl_test_main_t * sm = &acl_test_main;
539 unformat_input_t * i = vam->input;
540 vl_api_acl_stats_intf_counters_enable_t * mp;
541 u32 msg_size = sizeof(*mp);
544 vam->result_ready = 0;
545 mp = vl_msg_api_alloc_as_if_client(msg_size);
546 memset (mp, 0, msg_size);
547 mp->_vl_msg_id = ntohs (VL_API_ACL_STATS_INTF_COUNTERS_ENABLE + sm->msg_id_base);
548 mp->client_index = vam->my_client_index;
551 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
552 if (unformat (i, "disable"))
561 /* Wait for a reply... */
567 api_acl_plugin_use_hash_lookup_set (vat_main_t *vam)
569 acl_test_main_t *sm = &acl_test_main;
570 unformat_input_t *i = vam->input;
571 vl_api_acl_plugin_use_hash_lookup_set_t *mp;
572 u32 msg_size = sizeof (*mp);
575 vam->result_ready = 0;
576 mp = vl_msg_api_alloc_as_if_client (msg_size);
577 memset (mp, 0, msg_size);
579 ntohs (VL_API_ACL_PLUGIN_USE_HASH_LOOKUP_SET + sm->msg_id_base);
580 mp->client_index = vam->my_client_index;
583 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
585 if (unformat (i, "disable"))
587 else if (unformat (i, "enable"))
596 /* Wait for a reply... */
602 api_acl_plugin_use_hash_lookup_get (vat_main_t *vam)
604 acl_test_main_t *sm = &acl_test_main;
605 vl_api_acl_plugin_use_hash_lookup_set_t *mp;
606 u32 msg_size = sizeof (*mp);
609 vam->result_ready = 0;
610 mp = vl_msg_api_alloc_as_if_client (msg_size);
611 memset (mp, 0, msg_size);
613 ntohs (VL_API_ACL_PLUGIN_USE_HASH_LOOKUP_GET + sm->msg_id_base);
614 mp->client_index = vam->my_client_index;
619 /* Wait for a reply... */
625 * Read the series of ACL entries from file in the following format:
628 @0.0.0.0/1 131.179.121.0/24 0 : 65535 0 : 65535 0x00/0x00 0x0000/0x0000
629 @128.0.0.0/1 85.54.226.0/23 0 : 65535 0 : 65535 0x00/0x00 0x0000/0x0000
630 @128.0.0.0/1 85.54.48.0/23 0 : 65535 0 : 65535 0x00/0x00 0x0000/0x0000
631 @128.0.0.0/1 31.237.44.0/23 0 : 65535 0 : 65535 0x00/0x00 0x0000/0x0000
632 @0.0.0.0/1 255.84.184.0/23 0 : 65535 0 : 65535 0x00/0x00 0x0000/0x0000
633 @132.92.0.0/16 0.0.0.0/0 0 : 65535 0 : 65535 0x01/0xFF 0x0000/0x0000
639 api_acl_add_replace_from_file (vat_main_t * vam)
642 unformat_input_t * input = vam->input;
643 acl_test_main_t * sm = &acl_test_main;
644 vl_api_acl_add_replace_t * mp;
646 u32 msg_size = sizeof (*mp); /* without the rules */
648 vl_api_acl_rule_t *rules = 0;
652 int append_default_permit = 0;
653 u32 tcpflags = 0, tcpmask = 0;
654 ip4_address_t src_v4address, dst_v4address;
657 char *file_name = NULL;
658 unformat_input_t file_input;
660 while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
662 if (unformat (input, "filename %s", &file_name))
664 /* we will use this later */
666 else if (unformat (input, "acl-index %d", &acl_index))
668 /* we will try to replace an existing ACL */
670 else if (unformat (input, "permit+reflect"))
674 else if (unformat (input, "permit"))
678 else if (unformat (input, "append-default-permit"))
680 append_default_permit = 1;
686 if (file_name == NULL)
689 fd = open(file_name, O_RDONLY);
692 clib_warning("Could not open file '%s'", file_name);
696 /* input from file */
698 unformat_init_clib_file(input, fd);
700 unsigned sport_low, sport_high, dport_low, dport_high;
701 unsigned proto, protomask;
702 u32 src_prefix_length, dst_prefix_length;
703 u32 unused1, unused2;
705 while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
707 if (!unformat(input, "@%U/%d\t%U/%d\t%d : %d\t%d : %d\t0x%x/0x%x\t0x%x/0x%x",
708 unformat_ip4_address, &src_v4address, &src_prefix_length,
709 unformat_ip4_address, &dst_v4address, &dst_prefix_length,
710 &sport_low, &sport_high, &dport_low, &dport_high, &proto, &protomask, &unused1, &unused2)) {
711 clib_warning("Error parsing");
716 vec_validate_acl_rules(rules, rule_idx);
718 rules[rule_idx].is_permit = is_permit;
719 memcpy (rules[rule_idx].src_prefix.address.un.ip4, &src_v4address, 4);
720 rules[rule_idx].src_prefix.address.af = ADDRESS_IP4;
721 rules[rule_idx].src_prefix.len = src_prefix_length;
722 memcpy (rules[rule_idx].dst_prefix.address.un.ip4, &dst_v4address, 4);
723 rules[rule_idx].dst_prefix.address.af = ADDRESS_IP4;
724 rules[rule_idx].dst_prefix.len = dst_prefix_length;
725 rules[rule_idx].srcport_or_icmptype_first = htons(sport_low);
726 rules[rule_idx].srcport_or_icmptype_last = htons(sport_high);
727 rules[rule_idx].dstport_or_icmpcode_first = htons(dport_low);
728 rules[rule_idx].dstport_or_icmpcode_last = htons(dport_high);
729 rules[rule_idx].tcp_flags_value = tcpflags;
730 rules[rule_idx].tcp_flags_mask = tcpmask;
731 rules[rule_idx].proto = proto;
735 if (append_default_permit) {
737 vec_validate_acl_rules(rules, rule_idx);
739 rules[rule_idx].is_permit = is_permit == 2 ? 2 : 1;
741 src_v4address.data[0]=0;
742 src_v4address.data[1]=0;
743 src_v4address.data[2]=0;
744 src_v4address.data[3]=0;
745 memcpy (rules[rule_idx].src_prefix.address.un.ip4, &src_v4address, 4);
746 rules[rule_idx].src_prefix.address.af = ADDRESS_IP4;
747 rules[rule_idx].src_prefix.len = 0;
749 dst_v4address.data[0]=0;
750 dst_v4address.data[1]=0;
751 dst_v4address.data[2]=0;
752 dst_v4address.data[3]=0;
753 memcpy (rules[rule_idx].dst_prefix.address.un.ip4, &dst_v4address, 4);
754 rules[rule_idx].dst_prefix.address.af = ADDRESS_IP4;
755 rules[rule_idx].dst_prefix.len = 0;
757 rules[rule_idx].srcport_or_icmptype_first = htons(0);
758 rules[rule_idx].srcport_or_icmptype_last = htons(65535);
759 rules[rule_idx].dstport_or_icmpcode_first = htons(0);
760 rules[rule_idx].dstport_or_icmpcode_last = htons(65535);
761 rules[rule_idx].tcp_flags_value = 0;
762 rules[rule_idx].tcp_flags_mask = 0;
763 rules[rule_idx].proto = 0;
766 /* Construct the API message */
768 vam->result_ready = 0;
770 n_rules = vec_len(rules);
772 msg_size += n_rules*sizeof(rules[0]);
774 mp = vl_msg_api_alloc_as_if_client(msg_size);
775 clib_memset (mp, 0, msg_size);
776 mp->_vl_msg_id = ntohs (VL_API_ACL_ADD_REPLACE + sm->msg_id_base);
777 mp->client_index = vam->my_client_index;
779 clib_memcpy(mp->r, rules, n_rules*sizeof (vl_api_acl_rule_t));
780 mp->acl_index = ntohl(acl_index);
781 mp->count = htonl(n_rules);
786 /* Wait for a reply... */
797 static int api_acl_del (vat_main_t * vam)
799 unformat_input_t * i = vam->input;
800 vl_api_acl_del_t * mp;
804 if (!unformat (i, "%d", &acl_index)) {
805 errmsg ("missing acl index\n");
809 /* Construct the API message */
811 mp->acl_index = ntohl(acl_index);
816 /* Wait for a reply... */
821 static int api_macip_acl_del (vat_main_t * vam)
823 unformat_input_t * i = vam->input;
824 vl_api_acl_del_t * mp;
828 if (!unformat (i, "%d", &acl_index)) {
829 errmsg ("missing acl index\n");
833 /* Construct the API message */
834 M(MACIP_ACL_DEL, mp);
835 mp->acl_index = ntohl(acl_index);
840 /* Wait for a reply... */
845 static int api_acl_interface_add_del (vat_main_t * vam)
847 unformat_input_t * i = vam->input;
848 vl_api_acl_interface_add_del_t * mp;
849 u32 sw_if_index = ~0;
855 // acl_interface_add_del <intfc> | sw_if_index <if-idx> acl_index <acl-idx> [out] [del]
857 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
859 if (unformat (i, "%d", &acl_index))
866 /* Parse args required to build the message */
867 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
868 if (unformat (i, "%U", unformat_sw_if_index, vam, &sw_if_index))
870 else if (unformat (i, "sw_if_index %d", &sw_if_index))
872 else if (unformat (i, "add"))
874 else if (unformat (i, "del"))
876 else if (unformat (i, "acl %d", &acl_index))
878 else if (unformat (i, "input"))
880 else if (unformat (i, "output"))
886 if (sw_if_index == ~0) {
887 errmsg ("missing interface name / explicit sw_if_index number \n");
891 if (acl_index == ~0) {
892 errmsg ("missing ACL index\n");
898 /* Construct the API message */
899 M(ACL_INTERFACE_ADD_DEL, mp);
900 mp->acl_index = ntohl(acl_index);
901 mp->sw_if_index = ntohl(sw_if_index);
903 mp->is_input = is_input;
908 /* Wait for a reply... */
913 static int api_macip_acl_interface_add_del (vat_main_t * vam)
915 unformat_input_t * i = vam->input;
916 vl_api_macip_acl_interface_add_del_t * mp;
917 u32 sw_if_index = ~0;
922 /* Parse args required to build the message */
923 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
924 if (unformat (i, "%U", unformat_sw_if_index, vam, &sw_if_index))
926 else if (unformat (i, "sw_if_index %d", &sw_if_index))
928 else if (unformat (i, "add"))
930 else if (unformat (i, "del"))
932 else if (unformat (i, "acl %d", &acl_index))
938 if (sw_if_index == ~0) {
939 errmsg ("missing interface name / explicit sw_if_index number \n");
943 if (acl_index == ~0) {
944 errmsg ("missing ACL index\n");
950 /* Construct the API message */
951 M(MACIP_ACL_INTERFACE_ADD_DEL, mp);
952 mp->acl_index = ntohl(acl_index);
953 mp->sw_if_index = ntohl(sw_if_index);
959 /* Wait for a reply... */
964 static int api_acl_interface_set_acl_list (vat_main_t * vam)
966 unformat_input_t * i = vam->input;
967 vl_api_acl_interface_set_acl_list_t * mp;
968 u32 sw_if_index = ~0;
975 // acl_interface_set_acl_list <intfc> | sw_if_index <if-idx> input [acl-idx list] output [acl-idx list]
977 /* Parse args required to build the message */
978 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
979 if (unformat (i, "%U", unformat_sw_if_index, vam, &sw_if_index))
981 else if (unformat (i, "sw_if_index %d", &sw_if_index))
983 else if (unformat (i, "%d", &acl_index))
986 vec_add1(inacls, htonl(acl_index));
988 vec_add1(outacls, htonl(acl_index));
990 else if (unformat (i, "acl %d", &acl_index))
992 else if (unformat (i, "input"))
994 else if (unformat (i, "output"))
1000 if (sw_if_index == ~0) {
1001 errmsg ("missing interface name / explicit sw_if_index number \n");
1005 /* Construct the API message */
1006 M2(ACL_INTERFACE_SET_ACL_LIST, mp, sizeof(u32) * (vec_len(inacls) + vec_len(outacls)));
1007 mp->sw_if_index = ntohl(sw_if_index);
1008 mp->n_input = vec_len(inacls);
1009 mp->count = vec_len(inacls) + vec_len(outacls);
1010 vec_append(inacls, outacls);
1011 if (vec_len(inacls) > 0)
1012 clib_memcpy(mp->acls, inacls, vec_len(inacls)*sizeof(u32));
1017 /* Wait for a reply... */
1022 static int api_acl_interface_set_etype_whitelist (vat_main_t * vam)
1024 unformat_input_t * i = vam->input;
1025 vl_api_acl_interface_set_etype_whitelist_t * mp;
1026 u32 sw_if_index = ~0;
1029 u16 *etypes_out = 0;
1033 // acl_interface_set_etype_whitelist <intfc> | sw_if_index <if-idx> input [ethertype list] output [ethertype list]
1035 /* Parse args required to build the message */
1036 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
1037 if (unformat (i, "%U", unformat_sw_if_index, vam, &sw_if_index))
1039 else if (unformat (i, "sw_if_index %d", &sw_if_index))
1041 else if (unformat (i, "%x", ðertype))
1043 ethertype = ethertype & 0xffff;
1045 vec_add1(etypes_in, htons(ethertype));
1047 vec_add1(etypes_out, htons(ethertype));
1049 else if (unformat (i, "input"))
1051 else if (unformat (i, "output"))
1057 if (sw_if_index == ~0) {
1058 errmsg ("missing interface name / explicit sw_if_index number \n");
1062 /* Construct the API message */
1063 M2(ACL_INTERFACE_SET_ETYPE_WHITELIST, mp, sizeof(u32) * (vec_len(etypes_in) + vec_len(etypes_out)));
1064 mp->sw_if_index = ntohl(sw_if_index);
1065 mp->n_input = vec_len(etypes_in);
1066 mp->count = vec_len(etypes_in) + vec_len(etypes_out);
1067 vec_append(etypes_in, etypes_out);
1068 if (vec_len(etypes_in) > 0)
1069 clib_memcpy(mp->whitelist, etypes_in, vec_len(etypes_in)*sizeof(etypes_in[0]));
1074 /* Wait for a reply... */
1080 api_acl_send_control_ping(vat_main_t *vam)
1082 vl_api_acl_plugin_control_ping_t *mp_ping;
1084 M(ACL_PLUGIN_CONTROL_PING, mp_ping);
1089 static int api_acl_interface_list_dump (vat_main_t * vam)
1091 unformat_input_t * i = vam->input;
1092 u32 sw_if_index = ~0;
1093 vl_api_acl_interface_list_dump_t * mp;
1096 /* Parse args required to build the message */
1097 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
1098 if (unformat (i, "%U", unformat_sw_if_index, vam, &sw_if_index))
1100 else if (unformat (i, "sw_if_index %d", &sw_if_index))
1106 /* Construct the API message */
1107 M(ACL_INTERFACE_LIST_DUMP, mp);
1108 mp->sw_if_index = ntohl (sw_if_index);
1113 /* Use control ping for synchronization */
1114 api_acl_send_control_ping(vam);
1116 /* Wait for a reply... */
1121 static int api_acl_dump (vat_main_t * vam)
1123 unformat_input_t * i = vam->input;
1125 vl_api_acl_dump_t * mp;
1128 /* Parse args required to build the message */
1129 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
1130 if (unformat (i, "%d", &acl_index))
1136 /* Construct the API message */
1138 mp->acl_index = ntohl (acl_index);
1143 /* Use control ping for synchronization */
1144 api_acl_send_control_ping(vam);
1146 /* Wait for a reply... */
1151 static int api_macip_acl_dump (vat_main_t * vam)
1153 unformat_input_t * i = vam->input;
1155 vl_api_acl_dump_t * mp;
1158 /* Parse args required to build the message */
1159 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
1160 if (unformat (i, "%d", &acl_index))
1166 /* Construct the API message */
1167 M(MACIP_ACL_DUMP, mp);
1168 mp->acl_index = ntohl (acl_index);
1173 /* Use control ping for synchronization */
1174 api_acl_send_control_ping(vam);
1176 /* Wait for a reply... */
1181 static int api_acl_interface_etype_whitelist_dump (vat_main_t * vam)
1183 unformat_input_t * i = vam->input;
1184 u32 sw_if_index = ~0;
1185 vl_api_acl_interface_etype_whitelist_dump_t * mp;
1188 /* Parse args required to build the message */
1189 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
1190 if (unformat (i, "%U", unformat_sw_if_index, vam, &sw_if_index))
1192 else if (unformat (i, "sw_if_index %d", &sw_if_index))
1198 /* Construct the API message */
1199 M(ACL_INTERFACE_ETYPE_WHITELIST_DUMP, mp);
1200 mp->sw_if_index = ntohl (sw_if_index);
1205 /* Use control ping for synchronization */
1206 api_acl_send_control_ping(vam);
1208 /* Wait for a reply... */
1214 #define vec_validate_macip_acl_rules(v, idx) \
1216 if (vec_len(v) < idx+1) { \
1217 vec_validate(v, idx); \
1218 v[idx].is_permit = 0x1; \
1223 static int api_macip_acl_add (vat_main_t * vam)
1225 acl_test_main_t * sm = &acl_test_main;
1226 unformat_input_t * i = vam->input;
1227 vl_api_macip_acl_add_t * mp;
1228 u32 msg_size = sizeof (*mp); /* without the rules */
1230 vl_api_macip_acl_rule_t *rules = 0;
1233 int n_rules_override = -1;
1234 u32 src_prefix_length = 0;
1236 ip4_address_t src_v4address;
1237 ip6_address_t src_v6address;
1240 u8 mac_mask_all_1[6] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
1243 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
1245 if (unformat (i, "permit"))
1247 vec_validate_macip_acl_rules(rules, rule_idx);
1248 rules[rule_idx].is_permit = 1;
1250 else if (unformat (i, "deny"))
1252 vec_validate_macip_acl_rules(rules, rule_idx);
1253 rules[rule_idx].is_permit = 0;
1255 else if (unformat (i, "count %d", &n_rules_override))
1257 /* we will use this later */
1259 else if (unformat (i, "action %d", &action))
1261 vec_validate_macip_acl_rules(rules, rule_idx);
1262 rules[rule_idx].is_permit = action;
1264 else if (unformat (i, "ip %U/%d",
1265 unformat_ip4_address, &src_v4address, &src_prefix_length) ||
1266 unformat (i, "ip %U",
1267 unformat_ip4_address, &src_v4address))
1269 if (src_prefix_length == 0)
1270 src_prefix_length = 32;
1271 vec_validate_macip_acl_rules(rules, rule_idx);
1272 memcpy (rules[rule_idx].src_prefix.address.un.ip4, &src_v4address, 4);
1273 rules[rule_idx].src_prefix.address.af = ADDRESS_IP4;
1274 rules[rule_idx].src_prefix.len = src_prefix_length;
1276 else if (unformat (i, "src"))
1278 /* Everything in MACIP is "source" but allow this verbosity */
1280 else if (unformat (i, "ip %U/%d",
1281 unformat_ip6_address, &src_v6address, &src_prefix_length) ||
1282 unformat (i, "ip %U",
1283 unformat_ip6_address, &src_v6address))
1285 if (src_prefix_length == 0)
1286 src_prefix_length = 128;
1287 vec_validate_macip_acl_rules(rules, rule_idx);
1288 memcpy (rules[rule_idx].src_prefix.address.un.ip4, &src_v6address, 4);
1289 rules[rule_idx].src_prefix.address.af = ADDRESS_IP6;
1290 rules[rule_idx].src_prefix.len = src_prefix_length;
1292 else if (unformat (i, "mac %U",
1293 my_unformat_mac_address, &src_mac))
1295 vec_validate_macip_acl_rules(rules, rule_idx);
1296 memcpy (rules[rule_idx].src_mac, &src_mac, 6);
1297 memcpy (rules[rule_idx].src_mac_mask, &mac_mask_all_1, 6);
1299 else if (unformat (i, "mask %U",
1300 my_unformat_mac_address, &src_mac))
1302 vec_validate_macip_acl_rules(rules, rule_idx);
1303 memcpy (rules[rule_idx].src_mac_mask, &src_mac, 6);
1305 else if (unformat (i, "tag %s", &tag))
1308 else if (unformat (i, ","))
1311 vec_validate_macip_acl_rules(rules, rule_idx);
1317 /* Construct the API message */
1318 vam->result_ready = 0;
1321 n_rules = vec_len(rules);
1323 if (n_rules_override >= 0)
1324 n_rules = n_rules_override;
1326 msg_size += n_rules*sizeof(rules[0]);
1328 mp = vl_msg_api_alloc_as_if_client(msg_size);
1329 clib_memset (mp, 0, msg_size);
1330 mp->_vl_msg_id = ntohs (VL_API_MACIP_ACL_ADD + sm->msg_id_base);
1331 mp->client_index = vam->my_client_index;
1332 if ((n_rules > 0) && rules)
1333 clib_memcpy(mp->r, rules, n_rules*sizeof (mp->r[0]));
1336 if (vec_len(tag) >= sizeof(mp->tag))
1338 tag[sizeof(mp->tag)-1] = 0;
1339 vec_set_len (tag, sizeof (mp->tag));
1341 clib_memcpy (mp->tag, tag, vec_len (tag));
1345 mp->count = htonl(n_rules);
1350 /* Wait for a reply... */
1355 static int api_macip_acl_add_replace (vat_main_t * vam)
1357 acl_test_main_t * sm = &acl_test_main;
1358 unformat_input_t * i = vam->input;
1359 vl_api_macip_acl_add_replace_t * mp;
1361 u32 msg_size = sizeof (*mp); /* without the rules */
1363 vl_api_macip_acl_rule_t *rules = 0;
1366 int n_rules_override = -1;
1367 u32 src_prefix_length = 0;
1369 ip4_address_t src_v4address;
1370 ip6_address_t src_v6address;
1373 u8 mac_mask_all_1[6] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
1376 if (!unformat (i, "%d", &acl_index)) {
1377 /* Just assume -1 */
1380 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
1382 if (unformat (i, "permit"))
1384 vec_validate_macip_acl_rules(rules, rule_idx);
1385 rules[rule_idx].is_permit = 1;
1387 else if (unformat (i, "deny"))
1389 vec_validate_macip_acl_rules(rules, rule_idx);
1390 rules[rule_idx].is_permit = 0;
1392 else if (unformat (i, "count %d", &n_rules_override))
1394 /* we will use this later */
1396 else if (unformat (i, "action %d", &action))
1398 vec_validate_macip_acl_rules(rules, rule_idx);
1399 rules[rule_idx].is_permit = action;
1401 else if (unformat (i, "ip %U/%d",
1402 unformat_ip4_address, &src_v4address, &src_prefix_length) ||
1403 unformat (i, "ip %U",
1404 unformat_ip4_address, &src_v4address))
1406 if (src_prefix_length == 0)
1407 src_prefix_length = 32;
1408 vec_validate_macip_acl_rules(rules, rule_idx);
1409 memcpy (rules[rule_idx].src_prefix.address.un.ip4, &src_v4address, 4);
1410 rules[rule_idx].src_prefix.address.af = ADDRESS_IP4;
1411 rules[rule_idx].src_prefix.len = src_prefix_length;
1413 else if (unformat (i, "src"))
1415 /* Everything in MACIP is "source" but allow this verbosity */
1417 else if (unformat (i, "ip %U/%d",
1418 unformat_ip6_address, &src_v6address, &src_prefix_length) ||
1419 unformat (i, "ip %U",
1420 unformat_ip6_address, &src_v6address))
1422 if (src_prefix_length == 0)
1423 src_prefix_length = 128;
1424 vec_validate_macip_acl_rules(rules, rule_idx);
1425 memcpy (rules[rule_idx].src_prefix.address.un.ip4, &src_v6address, 4);
1426 rules[rule_idx].src_prefix.address.af = ADDRESS_IP6;
1427 rules[rule_idx].src_prefix.len = src_prefix_length;
1429 else if (unformat (i, "mac %U",
1430 my_unformat_mac_address, &src_mac))
1432 vec_validate_macip_acl_rules(rules, rule_idx);
1433 memcpy (rules[rule_idx].src_mac, &src_mac, 6);
1434 memcpy (rules[rule_idx].src_mac_mask, &mac_mask_all_1, 6);
1436 else if (unformat (i, "mask %U",
1437 my_unformat_mac_address, &src_mac))
1439 vec_validate_macip_acl_rules(rules, rule_idx);
1440 memcpy (rules[rule_idx].src_mac_mask, &src_mac, 6);
1442 else if (unformat (i, "tag %s", &tag))
1445 else if (unformat (i, ","))
1448 vec_validate_macip_acl_rules(rules, rule_idx);
1456 errmsg ("rule/s required\n");
1459 /* Construct the API message */
1460 vam->result_ready = 0;
1463 n_rules = vec_len(rules);
1465 if (n_rules_override >= 0)
1466 n_rules = n_rules_override;
1468 msg_size += n_rules*sizeof(rules[0]);
1470 mp = vl_msg_api_alloc_as_if_client(msg_size);
1471 clib_memset (mp, 0, msg_size);
1472 mp->_vl_msg_id = ntohs (VL_API_MACIP_ACL_ADD_REPLACE + sm->msg_id_base);
1473 mp->client_index = vam->my_client_index;
1474 if ((n_rules > 0) && rules)
1475 clib_memcpy(mp->r, rules, n_rules*sizeof (mp->r[0]));
1478 if (vec_len(tag) >= sizeof(mp->tag))
1480 tag[sizeof(mp->tag)-1] = 0;
1481 vec_set_len (tag, sizeof (mp->tag));
1483 clib_memcpy (mp->tag, tag, vec_len (tag));
1487 mp->acl_index = ntohl(acl_index);
1488 mp->count = htonl(n_rules);
1493 /* Wait for a reply... */
1498 #define VL_API_LOCAL_SETUP_MESSAGE_ID_TABLE local_setup_message_id_table
1499 static void local_setup_message_id_table (vat_main_t * vam)
1501 hash_set_mem (vam->function_by_name, "acl_add_replace_from_file", api_acl_add_replace_from_file);
1502 hash_set_mem (vam->help_by_name, "acl_add_replace_from_file",
1503 "filename <file> [permit] [append-default-permit]");
1506 #include <acl/acl.api_test.c>