2 * Copyright (c) 2015 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
16 *------------------------------------------------------------------
17 * acl_test.c - test harness plugin
18 *------------------------------------------------------------------
22 #include <vlibapi/api.h>
23 #include <vlibmemory/api.h>
24 #include <vppinfra/error.h>
25 #include <vnet/ip/ip.h>
26 #include <arpa/inet.h>
28 #include <vnet/ip/ip_format_fns.h>
29 #include <vnet/ethernet/ethernet_format_fns.h>
31 #define __plugin_msg_base acl_test_main.msg_id_base
32 #include <vlibapi/vat_helper_macros.h>
34 uword unformat_sw_if_index (unformat_input_t * input, va_list * args);
36 /* Declare message IDs */
37 #include <acl/acl.api_enum.h>
38 #include <acl/acl.api_types.h>
39 #define vl_print(handle, ...)
40 #include <acl/manual_fns.h>
42 #define vl_endianfun /* define message structures */
43 #include <acl/acl.api.h>
47 /* API message ID base */
52 acl_test_main_t acl_test_main;
54 #define foreach_reply_retval_aclindex_handler \
55 _(acl_add_replace_reply) \
56 _(macip_acl_add_reply) \
57 _(macip_acl_add_replace_reply)
60 static void vl_api_##n##_t_handler \
61 (vl_api_##n##_t * mp) \
63 vat_main_t * vam = acl_test_main.vat_main; \
64 i32 retval = ntohl(mp->retval); \
65 if (vam->async_mode) { \
66 vam->async_errors += (retval < 0); \
68 clib_warning("ACL index: %d", ntohl(mp->acl_index)); \
69 vam->retval = retval; \
70 vam->result_ready = 1; \
73 foreach_reply_retval_aclindex_handler;
76 /* These two ought to be in a library somewhere but they aren't */
78 my_unformat_mac_address (unformat_input_t * input, va_list * args)
80 u8 *a = va_arg (*args, u8 *);
81 return unformat (input, "%x:%x:%x:%x:%x:%x", &a[0], &a[1], &a[2], &a[3],
86 my_format_mac_address (u8 * s, va_list * args)
88 u8 *a = va_arg (*args, u8 *);
89 return format (s, "%02x:%02x:%02x:%02x:%02x:%02x",
90 a[0], a[1], a[2], a[3], a[4], a[5]);
95 static void vl_api_acl_plugin_get_version_reply_t_handler
96 (vl_api_acl_plugin_get_version_reply_t * mp)
98 vat_main_t * vam = acl_test_main.vat_main;
99 clib_warning("ACL plugin version: %d.%d", ntohl(mp->major), ntohl(mp->minor));
100 vam->result_ready = 1;
103 static void vl_api_acl_interface_list_details_t_handler
104 (vl_api_acl_interface_list_details_t * mp)
107 vat_main_t * vam = acl_test_main.vat_main;
109 vl_api_acl_interface_list_details_t_endian(mp);
110 out = format(out, "sw_if_index: %d, count: %d, n_input: %d\n", mp->sw_if_index, mp->count, mp->n_input);
111 out = format(out, " input ");
112 for(i=0; i<mp->count; i++) {
113 if (i == mp->n_input)
114 out = format(out, "\n output ");
115 out = format(out, "%d ", ntohl (mp->acls[i]));
117 out = format(out, "\n");
118 clib_warning("%s", out);
120 vam->result_ready = 1;
123 static void vl_api_macip_acl_interface_list_details_t_handler
124 (vl_api_macip_acl_interface_list_details_t * mp)
126 // NOT YET IMPLEMENTED
130 static void vl_api_acl_interface_etype_whitelist_details_t_handler
131 (vl_api_acl_interface_etype_whitelist_details_t * mp)
134 vat_main_t * vam = acl_test_main.vat_main;
136 vl_api_acl_interface_etype_whitelist_details_t_endian(mp);
137 out = format(out, "sw_if_index: %d, count: %d, n_input: %d\n", mp->sw_if_index, mp->count, mp->n_input);
138 out = format(out, " input ");
139 for(i=0; i<mp->count; i++) {
140 if (i == mp->n_input)
141 out = format(out, "\n output ");
142 out = format(out, "%04x ", ntohs(mp->whitelist[i]));
144 out = format(out, "\n");
145 clib_warning("%s", out);
147 vam->result_ready = 1;
150 static void vl_api_acl_plugin_get_conn_table_max_entries_reply_t_handler
151 (vl_api_acl_plugin_get_conn_table_max_entries_reply_t * mp)
153 vat_main_t * vam = acl_test_main.vat_main;
154 clib_warning("\nConn table max entries: %d",
155 __bswap_64(mp->conn_table_max_entries) );
156 vam->result_ready = 1;
160 vl_api_acl_rule_t_pretty_format (u8 *out, vl_api_acl_rule_t * a)
162 int af = a->src_prefix.address.af ? AF_INET6 : AF_INET;
163 u8 src[INET6_ADDRSTRLEN];
164 u8 dst[INET6_ADDRSTRLEN];
165 inet_ntop(af, &a->src_prefix.address.un, (void *)src, sizeof(src));
166 inet_ntop(af, &a->dst_prefix.address.un, (void *)dst, sizeof(dst));
168 out = format(out, "%s action %d src %s/%d dst %s/%d proto %d sport %d-%d dport %d-%d tcpflags %d mask %d",
169 a->src_prefix.address.af ? "ipv6" : "ipv4", a->is_permit,
170 src, a->src_prefix.len,
171 dst, a->dst_prefix.len,
173 a->srcport_or_icmptype_first, a->srcport_or_icmptype_last,
174 a->dstport_or_icmpcode_first, a->dstport_or_icmpcode_last,
175 a->tcp_flags_value, a->tcp_flags_mask);
181 static void vl_api_acl_details_t_handler
182 (vl_api_acl_details_t * mp)
185 vat_main_t * vam = acl_test_main.vat_main;
186 vl_api_acl_details_t_endian(mp);
188 out = format(0, "acl_index: %d, count: %d\n tag {%s}\n", mp->acl_index, mp->count, mp->tag);
189 for(i=0; i<mp->count; i++) {
190 out = format(out, " ");
191 out = vl_api_acl_rule_t_pretty_format(out, &mp->r[i]);
192 out = format(out, "%s\n", i<mp->count-1 ? "," : "");
194 clib_warning("%s", out);
196 vam->result_ready = 1;
200 vl_api_macip_acl_rule_t_pretty_format (u8 *out, vl_api_macip_acl_rule_t * a)
202 int af = a->src_prefix.address.af ? AF_INET6 : AF_INET;
203 u8 src[INET6_ADDRSTRLEN];
204 inet_ntop(af, &a->src_prefix.address.un, (void *)src, sizeof(src));
206 out = format(out, "%s action %d ip %s/%d mac %U mask %U",
207 a->src_prefix.address.af ? "ipv6" : "ipv4", a->is_permit,
208 src, a->src_prefix.len,
209 my_format_mac_address, a->src_mac,
210 my_format_mac_address, a->src_mac_mask);
215 static void vl_api_macip_acl_details_t_handler
216 (vl_api_macip_acl_details_t * mp)
219 vat_main_t * vam = acl_test_main.vat_main;
220 vl_api_macip_acl_details_t_endian(mp);
221 u8 *out = format(0,"MACIP acl_index: %d, count: %d\n tag {%s}\n", mp->acl_index, mp->count, mp->tag);
222 for(i=0; i<mp->count; i++) {
223 out = format(out, " ");
224 out = vl_api_macip_acl_rule_t_pretty_format(out, &mp->r[i]);
225 out = format(out, "%s\n", i<mp->count-1 ? "," : "");
227 clib_warning("%s", out);
229 vam->result_ready = 1;
232 static void vl_api_macip_acl_interface_get_reply_t_handler
233 (vl_api_macip_acl_interface_get_reply_t * mp)
236 vat_main_t * vam = acl_test_main.vat_main;
237 u8 *out = format(0, "sw_if_index with MACIP ACL count: %d\n", ntohl(mp->count));
238 for(i=0; i<ntohl(mp->count); i++) {
239 out = format(out, " macip_acl_interface_add_del sw_if_index %d add acl %d\n", i, ntohl(mp->acls[i]));
241 out = format(out, "\n");
242 clib_warning("%s", out);
244 vam->result_ready = 1;
247 static void vl_api_acl_plugin_control_ping_reply_t_handler
248 (vl_api_acl_plugin_control_ping_reply_t * mp)
250 vat_main_t *vam = &vat_main;
251 i32 retval = ntohl (mp->retval);
254 vam->async_errors += (retval < 0);
258 vam->retval = retval;
259 vam->result_ready = 1;
263 static int api_acl_plugin_get_version (vat_main_t * vam)
265 acl_test_main_t * sm = &acl_test_main;
266 vl_api_acl_plugin_get_version_t * mp;
267 u32 msg_size = sizeof(*mp);
270 vam->result_ready = 0;
271 mp = vl_msg_api_alloc_as_if_client(msg_size);
272 clib_memset (mp, 0, msg_size);
273 mp->_vl_msg_id = ntohs (VL_API_ACL_PLUGIN_GET_VERSION + sm->msg_id_base);
274 mp->client_index = vam->my_client_index;
279 /* Wait for a reply... */
284 static int api_macip_acl_interface_get (vat_main_t * vam)
286 acl_test_main_t * sm = &acl_test_main;
287 vl_api_acl_plugin_get_version_t * mp;
288 u32 msg_size = sizeof(*mp);
291 vam->result_ready = 0;
292 mp = vl_msg_api_alloc_as_if_client(msg_size);
293 clib_memset (mp, 0, msg_size);
294 mp->_vl_msg_id = ntohs (VL_API_MACIP_ACL_INTERFACE_GET + sm->msg_id_base);
295 mp->client_index = vam->my_client_index;
300 /* Wait for a reply... */
305 #define vec_validate_acl_rules(v, idx) \
307 if (vec_len(v) < idx+1) { \
308 vec_validate(v, idx); \
309 v[idx].is_permit = 0x1; \
310 v[idx].srcport_or_icmptype_last = 0xffff; \
311 v[idx].dstport_or_icmpcode_last = 0xffff; \
316 /* NOT YET IMPLEMENTED */
317 static int api_acl_plugin_control_ping (vat_main_t * vam)
321 static int api_macip_acl_interface_list_dump (vat_main_t * vam)
326 static int api_acl_add_replace (vat_main_t * vam)
328 acl_test_main_t * sm = &acl_test_main;
329 unformat_input_t * i = vam->input;
330 vl_api_acl_add_replace_t * mp;
332 u32 msg_size = sizeof (*mp); /* without the rules */
334 vl_api_acl_rule_t *rules = 0;
337 int n_rules_override = -1;
342 u32 tcpflags, tcpmask;
343 u32 src_prefix_length = 0, dst_prefix_length = 0;
344 ip4_address_t src_v4address, dst_v4address;
345 ip6_address_t src_v6address, dst_v6address;
349 if (!unformat (i, "%d", &acl_index)) {
353 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
355 if (unformat (i, "permit+reflect"))
357 vec_validate_acl_rules(rules, rule_idx);
358 rules[rule_idx].is_permit = 2;
360 else if (unformat (i, "permit"))
362 vec_validate_acl_rules(rules, rule_idx);
363 rules[rule_idx].is_permit = 1;
365 else if (unformat (i, "deny"))
367 vec_validate_acl_rules(rules, rule_idx);
368 rules[rule_idx].is_permit = 0;
370 else if (unformat (i, "count %d", &n_rules_override))
372 /* we will use this later */
374 else if (unformat (i, "action %d", &action))
376 vec_validate_acl_rules(rules, rule_idx);
377 rules[rule_idx].is_permit = action;
379 else if (unformat (i, "src %U/%d",
380 unformat_ip4_address, &src_v4address, &src_prefix_length))
382 vec_validate_acl_rules(rules, rule_idx);
383 memcpy (rules[rule_idx].src_prefix.address.un.ip4, &src_v4address, 4);
384 rules[rule_idx].src_prefix.address.af = ADDRESS_IP4;
385 rules[rule_idx].src_prefix.len = src_prefix_length;
387 else if (unformat (i, "src %U/%d",
388 unformat_ip6_address, &src_v6address, &src_prefix_length))
390 vec_validate_acl_rules(rules, rule_idx);
391 memcpy (rules[rule_idx].src_prefix.address.un.ip6, &src_v6address, 16);
392 rules[rule_idx].src_prefix.address.af = ADDRESS_IP6;
393 rules[rule_idx].src_prefix.len = src_prefix_length;
395 else if (unformat (i, "dst %U/%d",
396 unformat_ip4_address, &dst_v4address, &dst_prefix_length))
398 vec_validate_acl_rules(rules, rule_idx);
399 memcpy (rules[rule_idx].dst_prefix.address.un.ip4, &dst_v4address, 4);
400 rules[rule_idx].dst_prefix.address.af = ADDRESS_IP4;
401 rules[rule_idx].dst_prefix.len = dst_prefix_length;
403 else if (unformat (i, "dst %U/%d",
404 unformat_ip6_address, &dst_v6address, &dst_prefix_length))
406 vec_validate_acl_rules(rules, rule_idx);
407 memcpy (rules[rule_idx].dst_prefix.address.un.ip6, &dst_v6address, 16);
408 rules[rule_idx].dst_prefix.address.af = ADDRESS_IP6;
409 rules[rule_idx].dst_prefix.len = dst_prefix_length;
411 else if (unformat (i, "sport %d-%d", &port1, &port2))
413 vec_validate_acl_rules(rules, rule_idx);
414 rules[rule_idx].srcport_or_icmptype_first = htons(port1);
415 rules[rule_idx].srcport_or_icmptype_last = htons(port2);
417 else if (unformat (i, "sport %d", &port1))
419 vec_validate_acl_rules(rules, rule_idx);
420 rules[rule_idx].srcport_or_icmptype_first = htons(port1);
421 rules[rule_idx].srcport_or_icmptype_last = htons(port1);
423 else if (unformat (i, "dport %d-%d", &port1, &port2))
425 vec_validate_acl_rules(rules, rule_idx);
426 rules[rule_idx].dstport_or_icmpcode_first = htons(port1);
427 rules[rule_idx].dstport_or_icmpcode_last = htons(port2);
429 else if (unformat (i, "dport %d", &port1))
431 vec_validate_acl_rules(rules, rule_idx);
432 rules[rule_idx].dstport_or_icmpcode_first = htons(port1);
433 rules[rule_idx].dstport_or_icmpcode_last = htons(port1);
435 else if (unformat (i, "tcpflags %d %d", &tcpflags, &tcpmask))
437 vec_validate_acl_rules(rules, rule_idx);
438 rules[rule_idx].tcp_flags_value = tcpflags;
439 rules[rule_idx].tcp_flags_mask = tcpmask;
441 else if (unformat (i, "tcpflags %d mask %d", &tcpflags, &tcpmask))
443 vec_validate_acl_rules(rules, rule_idx);
444 rules[rule_idx].tcp_flags_value = tcpflags;
445 rules[rule_idx].tcp_flags_mask = tcpmask;
447 else if (unformat (i, "proto %d", &proto))
449 vec_validate_acl_rules(rules, rule_idx);
450 rules[rule_idx].proto = proto;
452 else if (unformat (i, "tag %s", &tag))
455 else if (unformat (i, ","))
458 vec_validate_acl_rules(rules, rule_idx);
464 /* Construct the API message */
465 vam->result_ready = 0;
468 n_rules = vec_len(rules);
472 if (n_rules_override >= 0)
473 n_rules = n_rules_override;
475 msg_size += n_rules*sizeof(rules[0]);
477 mp = vl_msg_api_alloc_as_if_client(msg_size);
478 clib_memset (mp, 0, msg_size);
479 mp->_vl_msg_id = ntohs (VL_API_ACL_ADD_REPLACE + sm->msg_id_base);
480 mp->client_index = vam->my_client_index;
481 if ((n_rules > 0) && rules)
482 clib_memcpy(mp->r, rules, n_rules*sizeof (vl_api_acl_rule_t));
485 if (vec_len(tag) >= sizeof(mp->tag))
487 tag[sizeof(mp->tag)-1] = 0;
488 _vec_len(tag) = sizeof(mp->tag);
490 clib_memcpy(mp->tag, tag, vec_len(tag));
493 mp->acl_index = ntohl(acl_index);
494 mp->count = htonl(n_rules);
499 /* Wait for a reply... */
504 static int api_acl_plugin_get_conn_table_max_entries (vat_main_t * vam)
506 acl_test_main_t * sm = &acl_test_main;
507 vl_api_acl_plugin_get_conn_table_max_entries_t * mp;
508 u32 msg_size = sizeof(*mp);
511 vam->result_ready = 0;
512 mp = vl_msg_api_alloc_as_if_client(msg_size);
513 memset (mp, 0, msg_size);
514 mp->_vl_msg_id = ntohs (VL_API_ACL_PLUGIN_GET_CONN_TABLE_MAX_ENTRIES + sm->msg_id_base);
515 mp->client_index = vam->my_client_index;
520 /* Wait for a reply... */
525 static int api_acl_stats_intf_counters_enable (vat_main_t * vam)
527 acl_test_main_t * sm = &acl_test_main;
528 unformat_input_t * i = vam->input;
529 vl_api_acl_stats_intf_counters_enable_t * mp;
530 u32 msg_size = sizeof(*mp);
533 vam->result_ready = 0;
534 mp = vl_msg_api_alloc_as_if_client(msg_size);
535 memset (mp, 0, msg_size);
536 mp->_vl_msg_id = ntohs (VL_API_ACL_STATS_INTF_COUNTERS_ENABLE + sm->msg_id_base);
537 mp->client_index = vam->my_client_index;
540 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
541 if (unformat (i, "disable"))
550 /* Wait for a reply... */
557 * Read the series of ACL entries from file in the following format:
560 @0.0.0.0/1 131.179.121.0/24 0 : 65535 0 : 65535 0x00/0x00 0x0000/0x0000
561 @128.0.0.0/1 85.54.226.0/23 0 : 65535 0 : 65535 0x00/0x00 0x0000/0x0000
562 @128.0.0.0/1 85.54.48.0/23 0 : 65535 0 : 65535 0x00/0x00 0x0000/0x0000
563 @128.0.0.0/1 31.237.44.0/23 0 : 65535 0 : 65535 0x00/0x00 0x0000/0x0000
564 @0.0.0.0/1 255.84.184.0/23 0 : 65535 0 : 65535 0x00/0x00 0x0000/0x0000
565 @132.92.0.0/16 0.0.0.0/0 0 : 65535 0 : 65535 0x01/0xFF 0x0000/0x0000
571 api_acl_add_replace_from_file (vat_main_t * vam)
574 unformat_input_t * input = vam->input;
575 acl_test_main_t * sm = &acl_test_main;
576 vl_api_acl_add_replace_t * mp;
578 u32 msg_size = sizeof (*mp); /* without the rules */
580 vl_api_acl_rule_t *rules = 0;
584 int append_default_permit = 0;
585 u32 tcpflags = 0, tcpmask = 0;
586 ip4_address_t src_v4address, dst_v4address;
589 char *file_name = NULL;
590 unformat_input_t file_input;
592 while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
594 if (unformat (input, "filename %s", &file_name))
596 /* we will use this later */
598 else if (unformat (input, "acl-index %d", &acl_index))
600 /* we will try to replace an existing ACL */
602 else if (unformat (input, "permit+reflect"))
606 else if (unformat (input, "permit"))
610 else if (unformat (input, "append-default-permit"))
612 append_default_permit = 1;
618 if (file_name == NULL)
621 fd = open(file_name, O_RDONLY);
624 clib_warning("Could not open file '%s'", file_name);
628 /* input from file */
630 unformat_init_clib_file(input, fd);
632 unsigned sport_low, sport_high, dport_low, dport_high;
633 unsigned proto, protomask;
634 u32 src_prefix_length, dst_prefix_length;
635 u32 unused1, unused2;
637 while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
639 if (!unformat(input, "@%U/%d\t%U/%d\t%d : %d\t%d : %d\t0x%x/0x%x\t0x%x/0x%x",
640 unformat_ip4_address, &src_v4address, &src_prefix_length,
641 unformat_ip4_address, &dst_v4address, &dst_prefix_length,
642 &sport_low, &sport_high, &dport_low, &dport_high, &proto, &protomask, &unused1, &unused2)) {
643 clib_warning("Error parsing");
648 vec_validate_acl_rules(rules, rule_idx);
650 rules[rule_idx].is_permit = is_permit;
651 memcpy (rules[rule_idx].src_prefix.address.un.ip4, &src_v4address, 4);
652 rules[rule_idx].src_prefix.address.af = ADDRESS_IP4;
653 rules[rule_idx].src_prefix.len = src_prefix_length;
654 memcpy (rules[rule_idx].dst_prefix.address.un.ip4, &dst_v4address, 4);
655 rules[rule_idx].dst_prefix.address.af = ADDRESS_IP4;
656 rules[rule_idx].dst_prefix.len = dst_prefix_length;
657 rules[rule_idx].srcport_or_icmptype_first = htons(sport_low);
658 rules[rule_idx].srcport_or_icmptype_last = htons(sport_high);
659 rules[rule_idx].dstport_or_icmpcode_first = htons(dport_low);
660 rules[rule_idx].dstport_or_icmpcode_last = htons(dport_high);
661 rules[rule_idx].tcp_flags_value = tcpflags;
662 rules[rule_idx].tcp_flags_mask = tcpmask;
663 rules[rule_idx].proto = proto;
667 if (append_default_permit) {
669 vec_validate_acl_rules(rules, rule_idx);
671 rules[rule_idx].is_permit = is_permit == 2 ? 2 : 1;
673 src_v4address.data[0]=0;
674 src_v4address.data[1]=0;
675 src_v4address.data[2]=0;
676 src_v4address.data[3]=0;
677 memcpy (rules[rule_idx].src_prefix.address.un.ip4, &src_v4address, 4);
678 rules[rule_idx].src_prefix.address.af = ADDRESS_IP4;
679 rules[rule_idx].src_prefix.len = 0;
681 dst_v4address.data[0]=0;
682 dst_v4address.data[1]=0;
683 dst_v4address.data[2]=0;
684 dst_v4address.data[3]=0;
685 memcpy (rules[rule_idx].dst_prefix.address.un.ip4, &dst_v4address, 4);
686 rules[rule_idx].dst_prefix.address.af = ADDRESS_IP4;
687 rules[rule_idx].dst_prefix.len = 0;
689 rules[rule_idx].srcport_or_icmptype_first = htons(0);
690 rules[rule_idx].srcport_or_icmptype_last = htons(65535);
691 rules[rule_idx].dstport_or_icmpcode_first = htons(0);
692 rules[rule_idx].dstport_or_icmpcode_last = htons(65535);
693 rules[rule_idx].tcp_flags_value = 0;
694 rules[rule_idx].tcp_flags_mask = 0;
695 rules[rule_idx].proto = 0;
698 /* Construct the API message */
700 vam->result_ready = 0;
702 n_rules = vec_len(rules);
704 msg_size += n_rules*sizeof(rules[0]);
706 mp = vl_msg_api_alloc_as_if_client(msg_size);
707 clib_memset (mp, 0, msg_size);
708 mp->_vl_msg_id = ntohs (VL_API_ACL_ADD_REPLACE + sm->msg_id_base);
709 mp->client_index = vam->my_client_index;
711 clib_memcpy(mp->r, rules, n_rules*sizeof (vl_api_acl_rule_t));
712 mp->acl_index = ntohl(acl_index);
713 mp->count = htonl(n_rules);
718 /* Wait for a reply... */
729 static int api_acl_del (vat_main_t * vam)
731 unformat_input_t * i = vam->input;
732 vl_api_acl_del_t * mp;
736 if (!unformat (i, "%d", &acl_index)) {
737 errmsg ("missing acl index\n");
741 /* Construct the API message */
743 mp->acl_index = ntohl(acl_index);
748 /* Wait for a reply... */
753 static int api_macip_acl_del (vat_main_t * vam)
755 unformat_input_t * i = vam->input;
756 vl_api_acl_del_t * mp;
760 if (!unformat (i, "%d", &acl_index)) {
761 errmsg ("missing acl index\n");
765 /* Construct the API message */
766 M(MACIP_ACL_DEL, mp);
767 mp->acl_index = ntohl(acl_index);
772 /* Wait for a reply... */
777 static int api_acl_interface_add_del (vat_main_t * vam)
779 unformat_input_t * i = vam->input;
780 vl_api_acl_interface_add_del_t * mp;
781 u32 sw_if_index = ~0;
787 // acl_interface_add_del <intfc> | sw_if_index <if-idx> acl_index <acl-idx> [out] [del]
789 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
791 if (unformat (i, "%d", &acl_index))
798 /* Parse args required to build the message */
799 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
800 if (unformat (i, "%U", unformat_sw_if_index, vam, &sw_if_index))
802 else if (unformat (i, "sw_if_index %d", &sw_if_index))
804 else if (unformat (i, "add"))
806 else if (unformat (i, "del"))
808 else if (unformat (i, "acl %d", &acl_index))
810 else if (unformat (i, "input"))
812 else if (unformat (i, "output"))
818 if (sw_if_index == ~0) {
819 errmsg ("missing interface name / explicit sw_if_index number \n");
823 if (acl_index == ~0) {
824 errmsg ("missing ACL index\n");
830 /* Construct the API message */
831 M(ACL_INTERFACE_ADD_DEL, mp);
832 mp->acl_index = ntohl(acl_index);
833 mp->sw_if_index = ntohl(sw_if_index);
835 mp->is_input = is_input;
840 /* Wait for a reply... */
845 static int api_macip_acl_interface_add_del (vat_main_t * vam)
847 unformat_input_t * i = vam->input;
848 vl_api_macip_acl_interface_add_del_t * mp;
849 u32 sw_if_index = ~0;
854 /* Parse args required to build the message */
855 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
856 if (unformat (i, "%U", unformat_sw_if_index, vam, &sw_if_index))
858 else if (unformat (i, "sw_if_index %d", &sw_if_index))
860 else if (unformat (i, "add"))
862 else if (unformat (i, "del"))
864 else if (unformat (i, "acl %d", &acl_index))
870 if (sw_if_index == ~0) {
871 errmsg ("missing interface name / explicit sw_if_index number \n");
875 if (acl_index == ~0) {
876 errmsg ("missing ACL index\n");
882 /* Construct the API message */
883 M(MACIP_ACL_INTERFACE_ADD_DEL, mp);
884 mp->acl_index = ntohl(acl_index);
885 mp->sw_if_index = ntohl(sw_if_index);
891 /* Wait for a reply... */
896 static int api_acl_interface_set_acl_list (vat_main_t * vam)
898 unformat_input_t * i = vam->input;
899 vl_api_acl_interface_set_acl_list_t * mp;
900 u32 sw_if_index = ~0;
907 // acl_interface_set_acl_list <intfc> | sw_if_index <if-idx> input [acl-idx list] output [acl-idx list]
909 /* Parse args required to build the message */
910 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
911 if (unformat (i, "%U", unformat_sw_if_index, vam, &sw_if_index))
913 else if (unformat (i, "sw_if_index %d", &sw_if_index))
915 else if (unformat (i, "%d", &acl_index))
918 vec_add1(inacls, htonl(acl_index));
920 vec_add1(outacls, htonl(acl_index));
922 else if (unformat (i, "acl %d", &acl_index))
924 else if (unformat (i, "input"))
926 else if (unformat (i, "output"))
932 if (sw_if_index == ~0) {
933 errmsg ("missing interface name / explicit sw_if_index number \n");
937 /* Construct the API message */
938 M2(ACL_INTERFACE_SET_ACL_LIST, mp, sizeof(u32) * (vec_len(inacls) + vec_len(outacls)));
939 mp->sw_if_index = ntohl(sw_if_index);
940 mp->n_input = vec_len(inacls);
941 mp->count = vec_len(inacls) + vec_len(outacls);
942 vec_append(inacls, outacls);
943 if (vec_len(inacls) > 0)
944 clib_memcpy(mp->acls, inacls, vec_len(inacls)*sizeof(u32));
949 /* Wait for a reply... */
954 static int api_acl_interface_set_etype_whitelist (vat_main_t * vam)
956 unformat_input_t * i = vam->input;
957 vl_api_acl_interface_set_etype_whitelist_t * mp;
958 u32 sw_if_index = ~0;
965 // acl_interface_set_etype_whitelist <intfc> | sw_if_index <if-idx> input [ethertype list] output [ethertype list]
967 /* Parse args required to build the message */
968 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
969 if (unformat (i, "%U", unformat_sw_if_index, vam, &sw_if_index))
971 else if (unformat (i, "sw_if_index %d", &sw_if_index))
973 else if (unformat (i, "%x", ðertype))
975 ethertype = ethertype & 0xffff;
977 vec_add1(etypes_in, htons(ethertype));
979 vec_add1(etypes_out, htons(ethertype));
981 else if (unformat (i, "input"))
983 else if (unformat (i, "output"))
989 if (sw_if_index == ~0) {
990 errmsg ("missing interface name / explicit sw_if_index number \n");
994 /* Construct the API message */
995 M2(ACL_INTERFACE_SET_ETYPE_WHITELIST, mp, sizeof(u32) * (vec_len(etypes_in) + vec_len(etypes_out)));
996 mp->sw_if_index = ntohl(sw_if_index);
997 mp->n_input = vec_len(etypes_in);
998 mp->count = vec_len(etypes_in) + vec_len(etypes_out);
999 vec_append(etypes_in, etypes_out);
1000 if (vec_len(etypes_in) > 0)
1001 clib_memcpy(mp->whitelist, etypes_in, vec_len(etypes_in)*sizeof(etypes_in[0]));
1006 /* Wait for a reply... */
1012 api_acl_send_control_ping(vat_main_t *vam)
1014 vl_api_acl_plugin_control_ping_t *mp_ping;
1016 M(ACL_PLUGIN_CONTROL_PING, mp_ping);
1021 static int api_acl_interface_list_dump (vat_main_t * vam)
1023 unformat_input_t * i = vam->input;
1024 u32 sw_if_index = ~0;
1025 vl_api_acl_interface_list_dump_t * mp;
1028 /* Parse args required to build the message */
1029 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
1030 if (unformat (i, "%U", unformat_sw_if_index, vam, &sw_if_index))
1032 else if (unformat (i, "sw_if_index %d", &sw_if_index))
1038 /* Construct the API message */
1039 M(ACL_INTERFACE_LIST_DUMP, mp);
1040 mp->sw_if_index = ntohl (sw_if_index);
1045 /* Use control ping for synchronization */
1046 api_acl_send_control_ping(vam);
1048 /* Wait for a reply... */
1053 static int api_acl_dump (vat_main_t * vam)
1055 unformat_input_t * i = vam->input;
1057 vl_api_acl_dump_t * mp;
1060 /* Parse args required to build the message */
1061 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
1062 if (unformat (i, "%d", &acl_index))
1068 /* Construct the API message */
1070 mp->acl_index = ntohl (acl_index);
1075 /* Use control ping for synchronization */
1076 api_acl_send_control_ping(vam);
1078 /* Wait for a reply... */
1083 static int api_macip_acl_dump (vat_main_t * vam)
1085 unformat_input_t * i = vam->input;
1087 vl_api_acl_dump_t * mp;
1090 /* Parse args required to build the message */
1091 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
1092 if (unformat (i, "%d", &acl_index))
1098 /* Construct the API message */
1099 M(MACIP_ACL_DUMP, mp);
1100 mp->acl_index = ntohl (acl_index);
1105 /* Use control ping for synchronization */
1106 api_acl_send_control_ping(vam);
1108 /* Wait for a reply... */
1113 static int api_acl_interface_etype_whitelist_dump (vat_main_t * vam)
1115 unformat_input_t * i = vam->input;
1116 u32 sw_if_index = ~0;
1117 vl_api_acl_interface_etype_whitelist_dump_t * mp;
1120 /* Parse args required to build the message */
1121 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
1122 if (unformat (i, "%U", unformat_sw_if_index, vam, &sw_if_index))
1124 else if (unformat (i, "sw_if_index %d", &sw_if_index))
1130 /* Construct the API message */
1131 M(ACL_INTERFACE_ETYPE_WHITELIST_DUMP, mp);
1132 mp->sw_if_index = ntohl (sw_if_index);
1137 /* Use control ping for synchronization */
1138 api_acl_send_control_ping(vam);
1140 /* Wait for a reply... */
1146 #define vec_validate_macip_acl_rules(v, idx) \
1148 if (vec_len(v) < idx+1) { \
1149 vec_validate(v, idx); \
1150 v[idx].is_permit = 0x1; \
1155 static int api_macip_acl_add (vat_main_t * vam)
1157 acl_test_main_t * sm = &acl_test_main;
1158 unformat_input_t * i = vam->input;
1159 vl_api_macip_acl_add_t * mp;
1160 u32 msg_size = sizeof (*mp); /* without the rules */
1162 vl_api_macip_acl_rule_t *rules = 0;
1165 int n_rules_override = -1;
1166 u32 src_prefix_length = 0;
1168 ip4_address_t src_v4address;
1169 ip6_address_t src_v6address;
1172 u8 mac_mask_all_1[6] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
1175 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
1177 if (unformat (i, "permit"))
1179 vec_validate_macip_acl_rules(rules, rule_idx);
1180 rules[rule_idx].is_permit = 1;
1182 else if (unformat (i, "deny"))
1184 vec_validate_macip_acl_rules(rules, rule_idx);
1185 rules[rule_idx].is_permit = 0;
1187 else if (unformat (i, "count %d", &n_rules_override))
1189 /* we will use this later */
1191 else if (unformat (i, "action %d", &action))
1193 vec_validate_macip_acl_rules(rules, rule_idx);
1194 rules[rule_idx].is_permit = action;
1196 else if (unformat (i, "ip %U/%d",
1197 unformat_ip4_address, &src_v4address, &src_prefix_length) ||
1198 unformat (i, "ip %U",
1199 unformat_ip4_address, &src_v4address))
1201 if (src_prefix_length == 0)
1202 src_prefix_length = 32;
1203 vec_validate_macip_acl_rules(rules, rule_idx);
1204 memcpy (rules[rule_idx].src_prefix.address.un.ip4, &src_v4address, 4);
1205 rules[rule_idx].src_prefix.address.af = ADDRESS_IP4;
1206 rules[rule_idx].src_prefix.len = src_prefix_length;
1208 else if (unformat (i, "src"))
1210 /* Everything in MACIP is "source" but allow this verbosity */
1212 else if (unformat (i, "ip %U/%d",
1213 unformat_ip6_address, &src_v6address, &src_prefix_length) ||
1214 unformat (i, "ip %U",
1215 unformat_ip6_address, &src_v6address))
1217 if (src_prefix_length == 0)
1218 src_prefix_length = 128;
1219 vec_validate_macip_acl_rules(rules, rule_idx);
1220 memcpy (rules[rule_idx].src_prefix.address.un.ip4, &src_v6address, 4);
1221 rules[rule_idx].src_prefix.address.af = ADDRESS_IP6;
1222 rules[rule_idx].src_prefix.len = src_prefix_length;
1224 else if (unformat (i, "mac %U",
1225 my_unformat_mac_address, &src_mac))
1227 vec_validate_macip_acl_rules(rules, rule_idx);
1228 memcpy (rules[rule_idx].src_mac, &src_mac, 6);
1229 memcpy (rules[rule_idx].src_mac_mask, &mac_mask_all_1, 6);
1231 else if (unformat (i, "mask %U",
1232 my_unformat_mac_address, &src_mac))
1234 vec_validate_macip_acl_rules(rules, rule_idx);
1235 memcpy (rules[rule_idx].src_mac_mask, &src_mac, 6);
1237 else if (unformat (i, "tag %s", &tag))
1240 else if (unformat (i, ","))
1243 vec_validate_macip_acl_rules(rules, rule_idx);
1249 /* Construct the API message */
1250 vam->result_ready = 0;
1253 n_rules = vec_len(rules);
1255 if (n_rules_override >= 0)
1256 n_rules = n_rules_override;
1258 msg_size += n_rules*sizeof(rules[0]);
1260 mp = vl_msg_api_alloc_as_if_client(msg_size);
1261 clib_memset (mp, 0, msg_size);
1262 mp->_vl_msg_id = ntohs (VL_API_MACIP_ACL_ADD + sm->msg_id_base);
1263 mp->client_index = vam->my_client_index;
1264 if ((n_rules > 0) && rules)
1265 clib_memcpy(mp->r, rules, n_rules*sizeof (mp->r[0]));
1268 if (vec_len(tag) >= sizeof(mp->tag))
1270 tag[sizeof(mp->tag)-1] = 0;
1271 _vec_len(tag) = sizeof(mp->tag);
1273 clib_memcpy(mp->tag, tag, vec_len(tag));
1277 mp->count = htonl(n_rules);
1282 /* Wait for a reply... */
1287 static int api_macip_acl_add_replace (vat_main_t * vam)
1289 acl_test_main_t * sm = &acl_test_main;
1290 unformat_input_t * i = vam->input;
1291 vl_api_macip_acl_add_replace_t * mp;
1293 u32 msg_size = sizeof (*mp); /* without the rules */
1295 vl_api_macip_acl_rule_t *rules = 0;
1298 int n_rules_override = -1;
1299 u32 src_prefix_length = 0;
1301 ip4_address_t src_v4address;
1302 ip6_address_t src_v6address;
1305 u8 mac_mask_all_1[6] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
1308 if (!unformat (i, "%d", &acl_index)) {
1309 /* Just assume -1 */
1312 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
1314 if (unformat (i, "permit"))
1316 vec_validate_macip_acl_rules(rules, rule_idx);
1317 rules[rule_idx].is_permit = 1;
1319 else if (unformat (i, "deny"))
1321 vec_validate_macip_acl_rules(rules, rule_idx);
1322 rules[rule_idx].is_permit = 0;
1324 else if (unformat (i, "count %d", &n_rules_override))
1326 /* we will use this later */
1328 else if (unformat (i, "action %d", &action))
1330 vec_validate_macip_acl_rules(rules, rule_idx);
1331 rules[rule_idx].is_permit = action;
1333 else if (unformat (i, "ip %U/%d",
1334 unformat_ip4_address, &src_v4address, &src_prefix_length) ||
1335 unformat (i, "ip %U",
1336 unformat_ip4_address, &src_v4address))
1338 if (src_prefix_length == 0)
1339 src_prefix_length = 32;
1340 vec_validate_macip_acl_rules(rules, rule_idx);
1341 memcpy (rules[rule_idx].src_prefix.address.un.ip4, &src_v4address, 4);
1342 rules[rule_idx].src_prefix.address.af = ADDRESS_IP4;
1343 rules[rule_idx].src_prefix.len = src_prefix_length;
1345 else if (unformat (i, "src"))
1347 /* Everything in MACIP is "source" but allow this verbosity */
1349 else if (unformat (i, "ip %U/%d",
1350 unformat_ip6_address, &src_v6address, &src_prefix_length) ||
1351 unformat (i, "ip %U",
1352 unformat_ip6_address, &src_v6address))
1354 if (src_prefix_length == 0)
1355 src_prefix_length = 128;
1356 vec_validate_macip_acl_rules(rules, rule_idx);
1357 memcpy (rules[rule_idx].src_prefix.address.un.ip4, &src_v6address, 4);
1358 rules[rule_idx].src_prefix.address.af = ADDRESS_IP6;
1359 rules[rule_idx].src_prefix.len = src_prefix_length;
1361 else if (unformat (i, "mac %U",
1362 my_unformat_mac_address, &src_mac))
1364 vec_validate_macip_acl_rules(rules, rule_idx);
1365 memcpy (rules[rule_idx].src_mac, &src_mac, 6);
1366 memcpy (rules[rule_idx].src_mac_mask, &mac_mask_all_1, 6);
1368 else if (unformat (i, "mask %U",
1369 my_unformat_mac_address, &src_mac))
1371 vec_validate_macip_acl_rules(rules, rule_idx);
1372 memcpy (rules[rule_idx].src_mac_mask, &src_mac, 6);
1374 else if (unformat (i, "tag %s", &tag))
1377 else if (unformat (i, ","))
1380 vec_validate_macip_acl_rules(rules, rule_idx);
1388 errmsg ("rule/s required\n");
1391 /* Construct the API message */
1392 vam->result_ready = 0;
1395 n_rules = vec_len(rules);
1397 if (n_rules_override >= 0)
1398 n_rules = n_rules_override;
1400 msg_size += n_rules*sizeof(rules[0]);
1402 mp = vl_msg_api_alloc_as_if_client(msg_size);
1403 clib_memset (mp, 0, msg_size);
1404 mp->_vl_msg_id = ntohs (VL_API_MACIP_ACL_ADD_REPLACE + sm->msg_id_base);
1405 mp->client_index = vam->my_client_index;
1406 if ((n_rules > 0) && rules)
1407 clib_memcpy(mp->r, rules, n_rules*sizeof (mp->r[0]));
1410 if (vec_len(tag) >= sizeof(mp->tag))
1412 tag[sizeof(mp->tag)-1] = 0;
1413 _vec_len(tag) = sizeof(mp->tag);
1415 clib_memcpy(mp->tag, tag, vec_len(tag));
1419 mp->acl_index = ntohl(acl_index);
1420 mp->count = htonl(n_rules);
1425 /* Wait for a reply... */
1430 #define VL_API_LOCAL_SETUP_MESSAGE_ID_TABLE local_setup_message_id_table
1431 static void local_setup_message_id_table (vat_main_t * vam)
1433 hash_set_mem (vam->function_by_name, "acl_add_replace_from_file", api_acl_add_replace_from_file);
1434 hash_set_mem (vam->help_by_name, "acl_add_replace_from_file",
1435 "filename <file> [permit] [append-default-permit]");
1438 #include <acl/acl.api_test.c>