2 * Copyright (c) 2015 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
16 *------------------------------------------------------------------
17 * acl_test.c - test harness plugin
18 *------------------------------------------------------------------
22 #include <vlibapi/api.h>
23 #include <vlibmemory/api.h>
24 #include <vppinfra/error.h>
25 #include <vnet/ip/ip.h>
26 #include <arpa/inet.h>
28 #define __plugin_msg_base acl_test_main.msg_id_base
29 #include <vlibapi/vat_helper_macros.h>
31 uword unformat_sw_if_index (unformat_input_t * input, va_list * args);
33 /* Declare message IDs */
34 #include <acl/acl_msg_enum.h>
36 /* define message structures */
38 #include <acl/acl_all_api_h.h>
41 /* define message structures */
43 #include <acl/acl_all_api_h.h>
46 /* instantiate all the print functions we know about */
47 #define vl_print(handle, ...)
49 #include <acl/acl_all_api_h.h>
52 /* Get the API version number. */
53 #define vl_api_version(n,v) static u32 api_version=(v);
54 #include <acl/acl_all_api_h.h>
58 /* API message ID base */
63 acl_test_main_t acl_test_main;
65 #define foreach_standard_reply_retval_handler \
67 _(acl_interface_add_del_reply) \
68 _(macip_acl_interface_add_del_reply) \
69 _(acl_interface_set_acl_list_reply) \
70 _(acl_interface_set_etype_whitelist_reply) \
71 _(macip_acl_del_reply) \
72 _(acl_stats_intf_counters_enable_reply)
74 #define foreach_reply_retval_aclindex_handler \
75 _(acl_add_replace_reply) \
76 _(macip_acl_add_reply) \
77 _(macip_acl_add_replace_reply)
80 static void vl_api_##n##_t_handler \
81 (vl_api_##n##_t * mp) \
83 vat_main_t * vam = acl_test_main.vat_main; \
84 i32 retval = ntohl(mp->retval); \
85 if (vam->async_mode) { \
86 vam->async_errors += (retval < 0); \
88 vam->retval = retval; \
89 vam->result_ready = 1; \
92 foreach_standard_reply_retval_handler;
96 static void vl_api_##n##_t_handler \
97 (vl_api_##n##_t * mp) \
99 vat_main_t * vam = acl_test_main.vat_main; \
100 i32 retval = ntohl(mp->retval); \
101 if (vam->async_mode) { \
102 vam->async_errors += (retval < 0); \
104 clib_warning("ACL index: %d", ntohl(mp->acl_index)); \
105 vam->retval = retval; \
106 vam->result_ready = 1; \
109 foreach_reply_retval_aclindex_handler;
112 /* These two ought to be in a library somewhere but they aren't */
114 my_unformat_mac_address (unformat_input_t * input, va_list * args)
116 u8 *a = va_arg (*args, u8 *);
117 return unformat (input, "%x:%x:%x:%x:%x:%x", &a[0], &a[1], &a[2], &a[3],
122 my_format_mac_address (u8 * s, va_list * args)
124 u8 *a = va_arg (*args, u8 *);
125 return format (s, "%02x:%02x:%02x:%02x:%02x:%02x",
126 a[0], a[1], a[2], a[3], a[4], a[5]);
131 static void vl_api_acl_plugin_get_version_reply_t_handler
132 (vl_api_acl_plugin_get_version_reply_t * mp)
134 vat_main_t * vam = acl_test_main.vat_main;
135 clib_warning("ACL plugin version: %d.%d", ntohl(mp->major), ntohl(mp->minor));
136 vam->result_ready = 1;
139 static void vl_api_acl_interface_list_details_t_handler
140 (vl_api_acl_interface_list_details_t * mp)
143 vat_main_t * vam = acl_test_main.vat_main;
145 vl_api_acl_interface_list_details_t_endian(mp);
146 out = format(out, "sw_if_index: %d, count: %d, n_input: %d\n", mp->sw_if_index, mp->count, mp->n_input);
147 out = format(out, " input ");
148 for(i=0; i<mp->count; i++) {
149 if (i == mp->n_input)
150 out = format(out, "\n output ");
151 out = format(out, "%d ", ntohl (mp->acls[i]));
153 out = format(out, "\n");
154 clib_warning("%s", out);
156 vam->result_ready = 1;
159 static void vl_api_acl_interface_etype_whitelist_details_t_handler
160 (vl_api_acl_interface_etype_whitelist_details_t * mp)
163 vat_main_t * vam = acl_test_main.vat_main;
165 vl_api_acl_interface_etype_whitelist_details_t_endian(mp);
166 out = format(out, "sw_if_index: %d, count: %d, n_input: %d\n", mp->sw_if_index, mp->count, mp->n_input);
167 out = format(out, " input ");
168 for(i=0; i<mp->count; i++) {
169 if (i == mp->n_input)
170 out = format(out, "\n output ");
171 out = format(out, "%04x ", ntohs(mp->whitelist[i]));
173 out = format(out, "\n");
174 clib_warning("%s", out);
176 vam->result_ready = 1;
179 static void vl_api_acl_plugin_get_conn_table_max_entries_reply_t_handler
180 (vl_api_acl_plugin_get_conn_table_max_entries_reply_t * mp)
182 vat_main_t * vam = acl_test_main.vat_main;
183 clib_warning("\nConn table max entries: %d",
184 __bswap_64(mp->conn_table_max_entries) );
185 vam->result_ready = 1;
189 vl_api_acl_rule_t_pretty_format (u8 *out, vl_api_acl_rule_t * a)
191 int af = a->is_ipv6 ? AF_INET6 : AF_INET;
192 u8 src[INET6_ADDRSTRLEN];
193 u8 dst[INET6_ADDRSTRLEN];
194 inet_ntop(af, a->src_ip_addr, (void *)src, sizeof(src));
195 inet_ntop(af, a->dst_ip_addr, (void *)dst, sizeof(dst));
197 out = format(out, "%s action %d src %s/%d dst %s/%d proto %d sport %d-%d dport %d-%d tcpflags %d mask %d",
198 a->is_ipv6 ? "ipv6" : "ipv4", a->is_permit,
199 src, a->src_ip_prefix_len,
200 dst, a->dst_ip_prefix_len,
202 a->srcport_or_icmptype_first, a->srcport_or_icmptype_last,
203 a->dstport_or_icmpcode_first, a->dstport_or_icmpcode_last,
204 a->tcp_flags_value, a->tcp_flags_mask);
210 static void vl_api_acl_details_t_handler
211 (vl_api_acl_details_t * mp)
214 vat_main_t * vam = acl_test_main.vat_main;
215 vl_api_acl_details_t_endian(mp);
217 out = format(0, "acl_index: %d, count: %d\n tag {%s}\n", mp->acl_index, mp->count, mp->tag);
218 for(i=0; i<mp->count; i++) {
219 out = format(out, " ");
220 out = vl_api_acl_rule_t_pretty_format(out, &mp->r[i]);
221 out = format(out, "%s\n", i<mp->count-1 ? "," : "");
223 clib_warning("%s", out);
225 vam->result_ready = 1;
229 vl_api_macip_acl_rule_t_pretty_format (u8 *out, vl_api_macip_acl_rule_t * a)
231 int af = a->is_ipv6 ? AF_INET6 : AF_INET;
232 u8 src[INET6_ADDRSTRLEN];
233 inet_ntop(af, a->src_ip_addr, (void *)src, sizeof(src));
235 out = format(out, "%s action %d ip %s/%d mac %U mask %U",
236 a->is_ipv6 ? "ipv6" : "ipv4", a->is_permit,
237 src, a->src_ip_prefix_len,
238 my_format_mac_address, a->src_mac,
239 my_format_mac_address, a->src_mac_mask);
244 static void vl_api_macip_acl_details_t_handler
245 (vl_api_macip_acl_details_t * mp)
248 vat_main_t * vam = acl_test_main.vat_main;
249 vl_api_macip_acl_details_t_endian(mp);
250 u8 *out = format(0,"MACIP acl_index: %d, count: %d\n tag {%s}\n", mp->acl_index, mp->count, mp->tag);
251 for(i=0; i<mp->count; i++) {
252 out = format(out, " ");
253 out = vl_api_macip_acl_rule_t_pretty_format(out, &mp->r[i]);
254 out = format(out, "%s\n", i<mp->count-1 ? "," : "");
256 clib_warning("%s", out);
258 vam->result_ready = 1;
261 static void vl_api_macip_acl_interface_get_reply_t_handler
262 (vl_api_macip_acl_interface_get_reply_t * mp)
265 vat_main_t * vam = acl_test_main.vat_main;
266 u8 *out = format(0, "sw_if_index with MACIP ACL count: %d\n", ntohl(mp->count));
267 for(i=0; i<ntohl(mp->count); i++) {
268 out = format(out, " macip_acl_interface_add_del sw_if_index %d add acl %d\n", i, ntohl(mp->acls[i]));
270 out = format(out, "\n");
271 clib_warning("%s", out);
273 vam->result_ready = 1;
276 static void vl_api_acl_plugin_control_ping_reply_t_handler
277 (vl_api_acl_plugin_control_ping_reply_t * mp)
279 vat_main_t *vam = &vat_main;
280 i32 retval = ntohl (mp->retval);
283 vam->async_errors += (retval < 0);
287 vam->retval = retval;
288 vam->result_ready = 1;
294 * Table of message reply handlers, must include boilerplate handlers
297 #define foreach_vpe_api_reply_msg \
298 _(ACL_ADD_REPLACE_REPLY, acl_add_replace_reply) \
299 _(ACL_DEL_REPLY, acl_del_reply) \
300 _(ACL_INTERFACE_ADD_DEL_REPLY, acl_interface_add_del_reply) \
301 _(ACL_INTERFACE_SET_ACL_LIST_REPLY, acl_interface_set_acl_list_reply) \
302 _(ACL_INTERFACE_SET_ETYPE_WHITELIST_REPLY, acl_interface_set_etype_whitelist_reply) \
303 _(ACL_INTERFACE_ETYPE_WHITELIST_DETAILS, acl_interface_etype_whitelist_details) \
304 _(ACL_INTERFACE_LIST_DETAILS, acl_interface_list_details) \
305 _(ACL_DETAILS, acl_details) \
306 _(MACIP_ACL_ADD_REPLY, macip_acl_add_reply) \
307 _(MACIP_ACL_ADD_REPLACE_REPLY, macip_acl_add_replace_reply) \
308 _(MACIP_ACL_DEL_REPLY, macip_acl_del_reply) \
309 _(MACIP_ACL_DETAILS, macip_acl_details) \
310 _(MACIP_ACL_INTERFACE_ADD_DEL_REPLY, macip_acl_interface_add_del_reply) \
311 _(MACIP_ACL_INTERFACE_GET_REPLY, macip_acl_interface_get_reply) \
312 _(ACL_PLUGIN_CONTROL_PING_REPLY, acl_plugin_control_ping_reply) \
313 _(ACL_PLUGIN_GET_VERSION_REPLY, acl_plugin_get_version_reply) \
314 _(ACL_PLUGIN_GET_CONN_TABLE_MAX_ENTRIES_REPLY,acl_plugin_get_conn_table_max_entries_reply) \
315 _(ACL_STATS_INTF_COUNTERS_ENABLE_REPLY, acl_stats_intf_counters_enable_reply)
317 static int api_acl_plugin_get_version (vat_main_t * vam)
319 acl_test_main_t * sm = &acl_test_main;
320 vl_api_acl_plugin_get_version_t * mp;
321 u32 msg_size = sizeof(*mp);
324 vam->result_ready = 0;
325 mp = vl_msg_api_alloc_as_if_client(msg_size);
326 clib_memset (mp, 0, msg_size);
327 mp->_vl_msg_id = ntohs (VL_API_ACL_PLUGIN_GET_VERSION + sm->msg_id_base);
328 mp->client_index = vam->my_client_index;
333 /* Wait for a reply... */
338 static int api_macip_acl_interface_get (vat_main_t * vam)
340 acl_test_main_t * sm = &acl_test_main;
341 vl_api_acl_plugin_get_version_t * mp;
342 u32 msg_size = sizeof(*mp);
345 vam->result_ready = 0;
346 mp = vl_msg_api_alloc_as_if_client(msg_size);
347 clib_memset (mp, 0, msg_size);
348 mp->_vl_msg_id = ntohs (VL_API_MACIP_ACL_INTERFACE_GET + sm->msg_id_base);
349 mp->client_index = vam->my_client_index;
354 /* Wait for a reply... */
359 #define vec_validate_acl_rules(v, idx) \
361 if (vec_len(v) < idx+1) { \
362 vec_validate(v, idx); \
363 v[idx].is_permit = 0x1; \
364 v[idx].srcport_or_icmptype_last = 0xffff; \
365 v[idx].dstport_or_icmpcode_last = 0xffff; \
370 static int api_acl_add_replace (vat_main_t * vam)
372 acl_test_main_t * sm = &acl_test_main;
373 unformat_input_t * i = vam->input;
374 vl_api_acl_add_replace_t * mp;
376 u32 msg_size = sizeof (*mp); /* without the rules */
378 vl_api_acl_rule_t *rules = 0;
381 int n_rules_override = -1;
386 u32 tcpflags, tcpmask;
387 u32 src_prefix_length = 0, dst_prefix_length = 0;
388 ip4_address_t src_v4address, dst_v4address;
389 ip6_address_t src_v6address, dst_v6address;
393 if (!unformat (i, "%d", &acl_index)) {
397 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
399 if (unformat (i, "ipv6"))
401 vec_validate_acl_rules(rules, rule_idx);
402 rules[rule_idx].is_ipv6 = 1;
404 else if (unformat (i, "ipv4"))
406 vec_validate_acl_rules(rules, rule_idx);
407 rules[rule_idx].is_ipv6 = 0;
409 else if (unformat (i, "permit+reflect"))
411 vec_validate_acl_rules(rules, rule_idx);
412 rules[rule_idx].is_permit = 2;
414 else if (unformat (i, "permit"))
416 vec_validate_acl_rules(rules, rule_idx);
417 rules[rule_idx].is_permit = 1;
419 else if (unformat (i, "deny"))
421 vec_validate_acl_rules(rules, rule_idx);
422 rules[rule_idx].is_permit = 0;
424 else if (unformat (i, "count %d", &n_rules_override))
426 /* we will use this later */
428 else if (unformat (i, "action %d", &action))
430 vec_validate_acl_rules(rules, rule_idx);
431 rules[rule_idx].is_permit = action;
433 else if (unformat (i, "src %U/%d",
434 unformat_ip4_address, &src_v4address, &src_prefix_length))
436 vec_validate_acl_rules(rules, rule_idx);
437 memcpy (rules[rule_idx].src_ip_addr, &src_v4address, 4);
438 rules[rule_idx].src_ip_prefix_len = src_prefix_length;
439 rules[rule_idx].is_ipv6 = 0;
441 else if (unformat (i, "src %U/%d",
442 unformat_ip6_address, &src_v6address, &src_prefix_length))
444 vec_validate_acl_rules(rules, rule_idx);
445 memcpy (rules[rule_idx].src_ip_addr, &src_v6address, 16);
446 rules[rule_idx].src_ip_prefix_len = src_prefix_length;
447 rules[rule_idx].is_ipv6 = 1;
449 else if (unformat (i, "dst %U/%d",
450 unformat_ip4_address, &dst_v4address, &dst_prefix_length))
452 vec_validate_acl_rules(rules, rule_idx);
453 memcpy (rules[rule_idx].dst_ip_addr, &dst_v4address, 4);
454 rules[rule_idx].dst_ip_prefix_len = dst_prefix_length;
455 rules[rule_idx].is_ipv6 = 0;
457 else if (unformat (i, "dst %U/%d",
458 unformat_ip6_address, &dst_v6address, &dst_prefix_length))
460 vec_validate_acl_rules(rules, rule_idx);
461 memcpy (rules[rule_idx].dst_ip_addr, &dst_v6address, 16);
462 rules[rule_idx].dst_ip_prefix_len = dst_prefix_length;
463 rules[rule_idx].is_ipv6 = 1;
465 else if (unformat (i, "sport %d-%d", &port1, &port2))
467 vec_validate_acl_rules(rules, rule_idx);
468 rules[rule_idx].srcport_or_icmptype_first = htons(port1);
469 rules[rule_idx].srcport_or_icmptype_last = htons(port2);
471 else if (unformat (i, "sport %d", &port1))
473 vec_validate_acl_rules(rules, rule_idx);
474 rules[rule_idx].srcport_or_icmptype_first = htons(port1);
475 rules[rule_idx].srcport_or_icmptype_last = htons(port1);
477 else if (unformat (i, "dport %d-%d", &port1, &port2))
479 vec_validate_acl_rules(rules, rule_idx);
480 rules[rule_idx].dstport_or_icmpcode_first = htons(port1);
481 rules[rule_idx].dstport_or_icmpcode_last = htons(port2);
483 else if (unformat (i, "dport %d", &port1))
485 vec_validate_acl_rules(rules, rule_idx);
486 rules[rule_idx].dstport_or_icmpcode_first = htons(port1);
487 rules[rule_idx].dstport_or_icmpcode_last = htons(port1);
489 else if (unformat (i, "tcpflags %d %d", &tcpflags, &tcpmask))
491 vec_validate_acl_rules(rules, rule_idx);
492 rules[rule_idx].tcp_flags_value = tcpflags;
493 rules[rule_idx].tcp_flags_mask = tcpmask;
495 else if (unformat (i, "tcpflags %d mask %d", &tcpflags, &tcpmask))
497 vec_validate_acl_rules(rules, rule_idx);
498 rules[rule_idx].tcp_flags_value = tcpflags;
499 rules[rule_idx].tcp_flags_mask = tcpmask;
501 else if (unformat (i, "proto %d", &proto))
503 vec_validate_acl_rules(rules, rule_idx);
504 rules[rule_idx].proto = proto;
506 else if (unformat (i, "tag %s", &tag))
509 else if (unformat (i, ","))
512 vec_validate_acl_rules(rules, rule_idx);
518 /* Construct the API message */
519 vam->result_ready = 0;
522 n_rules = vec_len(rules);
526 if (n_rules_override >= 0)
527 n_rules = n_rules_override;
529 msg_size += n_rules*sizeof(rules[0]);
531 mp = vl_msg_api_alloc_as_if_client(msg_size);
532 clib_memset (mp, 0, msg_size);
533 mp->_vl_msg_id = ntohs (VL_API_ACL_ADD_REPLACE + sm->msg_id_base);
534 mp->client_index = vam->my_client_index;
535 if ((n_rules > 0) && rules)
536 clib_memcpy(mp->r, rules, n_rules*sizeof (vl_api_acl_rule_t));
539 if (vec_len(tag) >= sizeof(mp->tag))
541 tag[sizeof(mp->tag)-1] = 0;
542 _vec_len(tag) = sizeof(mp->tag);
544 clib_memcpy(mp->tag, tag, vec_len(tag));
547 mp->acl_index = ntohl(acl_index);
548 mp->count = htonl(n_rules);
553 /* Wait for a reply... */
558 static int api_acl_plugin_get_conn_table_max_entries (vat_main_t * vam)
560 acl_test_main_t * sm = &acl_test_main;
561 vl_api_acl_plugin_get_conn_table_max_entries_t * mp;
562 u32 msg_size = sizeof(*mp);
565 vam->result_ready = 0;
566 mp = vl_msg_api_alloc_as_if_client(msg_size);
567 memset (mp, 0, msg_size);
568 mp->_vl_msg_id = ntohs (VL_API_ACL_PLUGIN_GET_CONN_TABLE_MAX_ENTRIES + sm->msg_id_base);
569 mp->client_index = vam->my_client_index;
574 /* Wait for a reply... */
579 static int api_acl_stats_intf_counters_enable (vat_main_t * vam)
581 acl_test_main_t * sm = &acl_test_main;
582 unformat_input_t * i = vam->input;
583 vl_api_acl_stats_intf_counters_enable_t * mp;
584 u32 msg_size = sizeof(*mp);
587 vam->result_ready = 0;
588 mp = vl_msg_api_alloc_as_if_client(msg_size);
589 memset (mp, 0, msg_size);
590 mp->_vl_msg_id = ntohs (VL_API_ACL_STATS_INTF_COUNTERS_ENABLE + sm->msg_id_base);
591 mp->client_index = vam->my_client_index;
594 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
595 if (unformat (i, "disable"))
604 /* Wait for a reply... */
611 * Read the series of ACL entries from file in the following format:
614 @0.0.0.0/1 131.179.121.0/24 0 : 65535 0 : 65535 0x00/0x00 0x0000/0x0000
615 @128.0.0.0/1 85.54.226.0/23 0 : 65535 0 : 65535 0x00/0x00 0x0000/0x0000
616 @128.0.0.0/1 85.54.48.0/23 0 : 65535 0 : 65535 0x00/0x00 0x0000/0x0000
617 @128.0.0.0/1 31.237.44.0/23 0 : 65535 0 : 65535 0x00/0x00 0x0000/0x0000
618 @0.0.0.0/1 255.84.184.0/23 0 : 65535 0 : 65535 0x00/0x00 0x0000/0x0000
619 @132.92.0.0/16 0.0.0.0/0 0 : 65535 0 : 65535 0x01/0xFF 0x0000/0x0000
625 api_acl_add_replace_from_file (vat_main_t * vam)
628 unformat_input_t * input = vam->input;
629 acl_test_main_t * sm = &acl_test_main;
630 vl_api_acl_add_replace_t * mp;
632 u32 msg_size = sizeof (*mp); /* without the rules */
634 vl_api_acl_rule_t *rules = 0;
638 int append_default_permit = 0;
639 u32 tcpflags = 0, tcpmask = 0;
640 ip4_address_t src_v4address, dst_v4address;
643 char *file_name = NULL;
644 unformat_input_t file_input;
646 while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
648 if (unformat (input, "filename %s", &file_name))
650 /* we will use this later */
652 else if (unformat (input, "acl-index %d", &acl_index))
654 /* we will try to replace an existing ACL */
656 else if (unformat (input, "permit+reflect"))
660 else if (unformat (input, "permit"))
664 else if (unformat (input, "append-default-permit"))
666 append_default_permit = 1;
672 fd = open(file_name, O_RDONLY);
675 clib_warning("Could not open file '%s'");
679 /* input from file */
681 unformat_init_clib_file(input, fd);
683 unsigned sport_low, sport_high, dport_low, dport_high;
684 unsigned proto, protomask;
685 u32 src_prefix_length, dst_prefix_length;
686 u32 unused1, unused2;
688 while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
690 if (!unformat(input, "@%U/%d\t%U/%d\t%d : %d\t%d : %d\t0x%x/0x%x\t0x%x/0x%x",
691 unformat_ip4_address, &src_v4address, &src_prefix_length,
692 unformat_ip4_address, &dst_v4address, &dst_prefix_length,
693 &sport_low, &sport_high, &dport_low, &dport_high, &proto, &protomask, &unused1, &unused2)) {
694 clib_warning("Error parsing");
699 vec_validate_acl_rules(rules, rule_idx);
701 rules[rule_idx].is_ipv6 = 0;
702 rules[rule_idx].is_permit = is_permit;
703 memcpy (rules[rule_idx].src_ip_addr, &src_v4address, 4);
704 rules[rule_idx].src_ip_prefix_len = src_prefix_length;
705 memcpy (rules[rule_idx].dst_ip_addr, &dst_v4address, 4);
706 rules[rule_idx].dst_ip_prefix_len = dst_prefix_length;
707 rules[rule_idx].srcport_or_icmptype_first = htons(sport_low);
708 rules[rule_idx].srcport_or_icmptype_last = htons(sport_high);
709 rules[rule_idx].dstport_or_icmpcode_first = htons(dport_low);
710 rules[rule_idx].dstport_or_icmpcode_last = htons(dport_high);
711 rules[rule_idx].tcp_flags_value = tcpflags;
712 rules[rule_idx].tcp_flags_mask = tcpmask;
713 rules[rule_idx].proto = proto;
717 if (append_default_permit) {
719 vec_validate_acl_rules(rules, rule_idx);
721 rules[rule_idx].is_ipv6 = 0;
722 rules[rule_idx].is_permit = is_permit == 2 ? 2 : 1;
724 src_v4address.data[0]=0;
725 src_v4address.data[1]=0;
726 src_v4address.data[2]=0;
727 src_v4address.data[3]=0;
728 memcpy (rules[rule_idx].src_ip_addr, &src_v4address, 4);
729 rules[rule_idx].src_ip_prefix_len = 0;
731 dst_v4address.data[0]=0;
732 dst_v4address.data[1]=0;
733 dst_v4address.data[2]=0;
734 dst_v4address.data[3]=0;
735 memcpy (rules[rule_idx].dst_ip_addr, &dst_v4address, 4);
736 rules[rule_idx].dst_ip_prefix_len = 0;
738 rules[rule_idx].srcport_or_icmptype_first = htons(0);
739 rules[rule_idx].srcport_or_icmptype_last = htons(65535);
740 rules[rule_idx].dstport_or_icmpcode_first = htons(0);
741 rules[rule_idx].dstport_or_icmpcode_last = htons(65535);
742 rules[rule_idx].tcp_flags_value = 0;
743 rules[rule_idx].tcp_flags_mask = 0;
744 rules[rule_idx].proto = 0;
747 /* Construct the API message */
749 vam->result_ready = 0;
751 n_rules = vec_len(rules);
753 msg_size += n_rules*sizeof(rules[0]);
755 mp = vl_msg_api_alloc_as_if_client(msg_size);
756 clib_memset (mp, 0, msg_size);
757 mp->_vl_msg_id = ntohs (VL_API_ACL_ADD_REPLACE + sm->msg_id_base);
758 mp->client_index = vam->my_client_index;
760 clib_memcpy(mp->r, rules, n_rules*sizeof (vl_api_acl_rule_t));
761 mp->acl_index = ntohl(acl_index);
762 mp->count = htonl(n_rules);
767 /* Wait for a reply... */
778 static int api_acl_del (vat_main_t * vam)
780 unformat_input_t * i = vam->input;
781 vl_api_acl_del_t * mp;
785 if (!unformat (i, "%d", &acl_index)) {
786 errmsg ("missing acl index\n");
790 /* Construct the API message */
792 mp->acl_index = ntohl(acl_index);
797 /* Wait for a reply... */
802 static int api_macip_acl_del (vat_main_t * vam)
804 unformat_input_t * i = vam->input;
805 vl_api_acl_del_t * mp;
809 if (!unformat (i, "%d", &acl_index)) {
810 errmsg ("missing acl index\n");
814 /* Construct the API message */
815 M(MACIP_ACL_DEL, mp);
816 mp->acl_index = ntohl(acl_index);
821 /* Wait for a reply... */
826 static int api_acl_interface_add_del (vat_main_t * vam)
828 unformat_input_t * i = vam->input;
829 vl_api_acl_interface_add_del_t * mp;
830 u32 sw_if_index = ~0;
836 // acl_interface_add_del <intfc> | sw_if_index <if-idx> acl_index <acl-idx> [out] [del]
838 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
840 if (unformat (i, "%d", &acl_index))
847 /* Parse args required to build the message */
848 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
849 if (unformat (i, "%U", unformat_sw_if_index, vam, &sw_if_index))
851 else if (unformat (i, "sw_if_index %d", &sw_if_index))
853 else if (unformat (i, "add"))
855 else if (unformat (i, "del"))
857 else if (unformat (i, "acl %d", &acl_index))
859 else if (unformat (i, "input"))
861 else if (unformat (i, "output"))
867 if (sw_if_index == ~0) {
868 errmsg ("missing interface name / explicit sw_if_index number \n");
872 if (acl_index == ~0) {
873 errmsg ("missing ACL index\n");
879 /* Construct the API message */
880 M(ACL_INTERFACE_ADD_DEL, mp);
881 mp->acl_index = ntohl(acl_index);
882 mp->sw_if_index = ntohl(sw_if_index);
884 mp->is_input = is_input;
889 /* Wait for a reply... */
894 static int api_macip_acl_interface_add_del (vat_main_t * vam)
896 unformat_input_t * i = vam->input;
897 vl_api_macip_acl_interface_add_del_t * mp;
898 u32 sw_if_index = ~0;
903 /* Parse args required to build the message */
904 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
905 if (unformat (i, "%U", unformat_sw_if_index, vam, &sw_if_index))
907 else if (unformat (i, "sw_if_index %d", &sw_if_index))
909 else if (unformat (i, "add"))
911 else if (unformat (i, "del"))
913 else if (unformat (i, "acl %d", &acl_index))
919 if (sw_if_index == ~0) {
920 errmsg ("missing interface name / explicit sw_if_index number \n");
924 if (acl_index == ~0) {
925 errmsg ("missing ACL index\n");
931 /* Construct the API message */
932 M(MACIP_ACL_INTERFACE_ADD_DEL, mp);
933 mp->acl_index = ntohl(acl_index);
934 mp->sw_if_index = ntohl(sw_if_index);
940 /* Wait for a reply... */
945 static int api_acl_interface_set_acl_list (vat_main_t * vam)
947 unformat_input_t * i = vam->input;
948 vl_api_acl_interface_set_acl_list_t * mp;
949 u32 sw_if_index = ~0;
956 // acl_interface_set_acl_list <intfc> | sw_if_index <if-idx> input [acl-idx list] output [acl-idx list]
958 /* Parse args required to build the message */
959 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
960 if (unformat (i, "%U", unformat_sw_if_index, vam, &sw_if_index))
962 else if (unformat (i, "sw_if_index %d", &sw_if_index))
964 else if (unformat (i, "%d", &acl_index))
967 vec_add1(inacls, htonl(acl_index));
969 vec_add1(outacls, htonl(acl_index));
971 else if (unformat (i, "acl %d", &acl_index))
973 else if (unformat (i, "input"))
975 else if (unformat (i, "output"))
981 if (sw_if_index == ~0) {
982 errmsg ("missing interface name / explicit sw_if_index number \n");
986 /* Construct the API message */
987 M2(ACL_INTERFACE_SET_ACL_LIST, mp, sizeof(u32) * (vec_len(inacls) + vec_len(outacls)));
988 mp->sw_if_index = ntohl(sw_if_index);
989 mp->n_input = vec_len(inacls);
990 mp->count = vec_len(inacls) + vec_len(outacls);
991 vec_append(inacls, outacls);
992 if (vec_len(inacls) > 0)
993 clib_memcpy(mp->acls, inacls, vec_len(inacls)*sizeof(u32));
998 /* Wait for a reply... */
1003 static int api_acl_interface_set_etype_whitelist (vat_main_t * vam)
1005 unformat_input_t * i = vam->input;
1006 vl_api_acl_interface_set_etype_whitelist_t * mp;
1007 u32 sw_if_index = ~0;
1010 u16 *etypes_out = 0;
1014 // acl_interface_set_etype_whitelist <intfc> | sw_if_index <if-idx> input [ethertype list] output [ethertype list]
1016 /* Parse args required to build the message */
1017 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
1018 if (unformat (i, "%U", unformat_sw_if_index, vam, &sw_if_index))
1020 else if (unformat (i, "sw_if_index %d", &sw_if_index))
1022 else if (unformat (i, "%x", ðertype))
1024 ethertype = ethertype & 0xffff;
1026 vec_add1(etypes_in, htons(ethertype));
1028 vec_add1(etypes_out, htons(ethertype));
1030 else if (unformat (i, "input"))
1032 else if (unformat (i, "output"))
1038 if (sw_if_index == ~0) {
1039 errmsg ("missing interface name / explicit sw_if_index number \n");
1043 /* Construct the API message */
1044 M2(ACL_INTERFACE_SET_ETYPE_WHITELIST, mp, sizeof(u32) * (vec_len(etypes_in) + vec_len(etypes_out)));
1045 mp->sw_if_index = ntohl(sw_if_index);
1046 mp->n_input = vec_len(etypes_in);
1047 mp->count = vec_len(etypes_in) + vec_len(etypes_out);
1048 vec_append(etypes_in, etypes_out);
1049 if (vec_len(etypes_in) > 0)
1050 clib_memcpy(mp->whitelist, etypes_in, vec_len(etypes_in)*sizeof(etypes_in[0]));
1055 /* Wait for a reply... */
1061 api_acl_send_control_ping(vat_main_t *vam)
1063 vl_api_acl_plugin_control_ping_t *mp_ping;
1065 M(ACL_PLUGIN_CONTROL_PING, mp_ping);
1070 static int api_acl_interface_list_dump (vat_main_t * vam)
1072 unformat_input_t * i = vam->input;
1073 u32 sw_if_index = ~0;
1074 vl_api_acl_interface_list_dump_t * mp;
1077 /* Parse args required to build the message */
1078 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
1079 if (unformat (i, "%U", unformat_sw_if_index, vam, &sw_if_index))
1081 else if (unformat (i, "sw_if_index %d", &sw_if_index))
1087 /* Construct the API message */
1088 M(ACL_INTERFACE_LIST_DUMP, mp);
1089 mp->sw_if_index = ntohl (sw_if_index);
1094 /* Use control ping for synchronization */
1095 api_acl_send_control_ping(vam);
1097 /* Wait for a reply... */
1102 static int api_acl_dump (vat_main_t * vam)
1104 unformat_input_t * i = vam->input;
1106 vl_api_acl_dump_t * mp;
1109 /* Parse args required to build the message */
1110 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
1111 if (unformat (i, "%d", &acl_index))
1117 /* Construct the API message */
1119 mp->acl_index = ntohl (acl_index);
1124 /* Use control ping for synchronization */
1125 api_acl_send_control_ping(vam);
1127 /* Wait for a reply... */
1132 static int api_macip_acl_dump (vat_main_t * vam)
1134 unformat_input_t * i = vam->input;
1136 vl_api_acl_dump_t * mp;
1139 /* Parse args required to build the message */
1140 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
1141 if (unformat (i, "%d", &acl_index))
1147 /* Construct the API message */
1148 M(MACIP_ACL_DUMP, mp);
1149 mp->acl_index = ntohl (acl_index);
1154 /* Use control ping for synchronization */
1155 api_acl_send_control_ping(vam);
1157 /* Wait for a reply... */
1162 static int api_acl_interface_etype_whitelist_dump (vat_main_t * vam)
1164 unformat_input_t * i = vam->input;
1165 u32 sw_if_index = ~0;
1166 vl_api_acl_interface_etype_whitelist_dump_t * mp;
1169 /* Parse args required to build the message */
1170 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
1171 if (unformat (i, "%U", unformat_sw_if_index, vam, &sw_if_index))
1173 else if (unformat (i, "sw_if_index %d", &sw_if_index))
1179 /* Construct the API message */
1180 M(ACL_INTERFACE_ETYPE_WHITELIST_DUMP, mp);
1181 mp->sw_if_index = ntohl (sw_if_index);
1186 /* Use control ping for synchronization */
1187 api_acl_send_control_ping(vam);
1189 /* Wait for a reply... */
1195 #define vec_validate_macip_acl_rules(v, idx) \
1197 if (vec_len(v) < idx+1) { \
1198 vec_validate(v, idx); \
1199 v[idx].is_permit = 0x1; \
1204 static int api_macip_acl_add (vat_main_t * vam)
1206 acl_test_main_t * sm = &acl_test_main;
1207 unformat_input_t * i = vam->input;
1208 vl_api_macip_acl_add_t * mp;
1209 u32 msg_size = sizeof (*mp); /* without the rules */
1211 vl_api_macip_acl_rule_t *rules = 0;
1214 int n_rules_override = -1;
1215 u32 src_prefix_length = 0;
1217 ip4_address_t src_v4address;
1218 ip6_address_t src_v6address;
1221 u8 mac_mask_all_1[6] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
1224 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
1226 if (unformat (i, "ipv6"))
1228 vec_validate_macip_acl_rules(rules, rule_idx);
1229 rules[rule_idx].is_ipv6 = 1;
1231 else if (unformat (i, "ipv4"))
1233 vec_validate_macip_acl_rules(rules, rule_idx);
1234 rules[rule_idx].is_ipv6 = 0;
1236 else if (unformat (i, "permit"))
1238 vec_validate_macip_acl_rules(rules, rule_idx);
1239 rules[rule_idx].is_permit = 1;
1241 else if (unformat (i, "deny"))
1243 vec_validate_macip_acl_rules(rules, rule_idx);
1244 rules[rule_idx].is_permit = 0;
1246 else if (unformat (i, "count %d", &n_rules_override))
1248 /* we will use this later */
1250 else if (unformat (i, "action %d", &action))
1252 vec_validate_macip_acl_rules(rules, rule_idx);
1253 rules[rule_idx].is_permit = action;
1255 else if (unformat (i, "ip %U/%d",
1256 unformat_ip4_address, &src_v4address, &src_prefix_length) ||
1257 unformat (i, "ip %U",
1258 unformat_ip4_address, &src_v4address))
1260 if (src_prefix_length == 0)
1261 src_prefix_length = 32;
1262 vec_validate_macip_acl_rules(rules, rule_idx);
1263 memcpy (rules[rule_idx].src_ip_addr, &src_v4address, 4);
1264 rules[rule_idx].src_ip_prefix_len = src_prefix_length;
1265 rules[rule_idx].is_ipv6 = 0;
1267 else if (unformat (i, "src"))
1269 /* Everything in MACIP is "source" but allow this verbosity */
1271 else if (unformat (i, "ip %U/%d",
1272 unformat_ip6_address, &src_v6address, &src_prefix_length) ||
1273 unformat (i, "ip %U",
1274 unformat_ip6_address, &src_v6address))
1276 if (src_prefix_length == 0)
1277 src_prefix_length = 128;
1278 vec_validate_macip_acl_rules(rules, rule_idx);
1279 memcpy (rules[rule_idx].src_ip_addr, &src_v6address, 16);
1280 rules[rule_idx].src_ip_prefix_len = src_prefix_length;
1281 rules[rule_idx].is_ipv6 = 1;
1283 else if (unformat (i, "mac %U",
1284 my_unformat_mac_address, &src_mac))
1286 vec_validate_macip_acl_rules(rules, rule_idx);
1287 memcpy (rules[rule_idx].src_mac, &src_mac, 6);
1288 memcpy (rules[rule_idx].src_mac_mask, &mac_mask_all_1, 6);
1290 else if (unformat (i, "mask %U",
1291 my_unformat_mac_address, &src_mac))
1293 vec_validate_macip_acl_rules(rules, rule_idx);
1294 memcpy (rules[rule_idx].src_mac_mask, &src_mac, 6);
1296 else if (unformat (i, "tag %s", &tag))
1299 else if (unformat (i, ","))
1302 vec_validate_macip_acl_rules(rules, rule_idx);
1308 /* Construct the API message */
1309 vam->result_ready = 0;
1312 n_rules = vec_len(rules);
1314 if (n_rules_override >= 0)
1315 n_rules = n_rules_override;
1317 msg_size += n_rules*sizeof(rules[0]);
1319 mp = vl_msg_api_alloc_as_if_client(msg_size);
1320 clib_memset (mp, 0, msg_size);
1321 mp->_vl_msg_id = ntohs (VL_API_MACIP_ACL_ADD + sm->msg_id_base);
1322 mp->client_index = vam->my_client_index;
1323 if ((n_rules > 0) && rules)
1324 clib_memcpy(mp->r, rules, n_rules*sizeof (mp->r[0]));
1327 if (vec_len(tag) >= sizeof(mp->tag))
1329 tag[sizeof(mp->tag)-1] = 0;
1330 _vec_len(tag) = sizeof(mp->tag);
1332 clib_memcpy(mp->tag, tag, vec_len(tag));
1336 mp->count = htonl(n_rules);
1341 /* Wait for a reply... */
1346 static int api_macip_acl_add_replace (vat_main_t * vam)
1348 acl_test_main_t * sm = &acl_test_main;
1349 unformat_input_t * i = vam->input;
1350 vl_api_macip_acl_add_replace_t * mp;
1352 u32 msg_size = sizeof (*mp); /* without the rules */
1354 vl_api_macip_acl_rule_t *rules = 0;
1357 int n_rules_override = -1;
1358 u32 src_prefix_length = 0;
1360 ip4_address_t src_v4address;
1361 ip6_address_t src_v6address;
1364 u8 mac_mask_all_1[6] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
1367 if (!unformat (i, "%d", &acl_index)) {
1368 /* Just assume -1 */
1371 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
1373 if (unformat (i, "ipv6"))
1375 vec_validate_macip_acl_rules(rules, rule_idx);
1376 rules[rule_idx].is_ipv6 = 1;
1378 else if (unformat (i, "ipv4"))
1380 vec_validate_macip_acl_rules(rules, rule_idx);
1381 rules[rule_idx].is_ipv6 = 0;
1383 else if (unformat (i, "permit"))
1385 vec_validate_macip_acl_rules(rules, rule_idx);
1386 rules[rule_idx].is_permit = 1;
1388 else if (unformat (i, "deny"))
1390 vec_validate_macip_acl_rules(rules, rule_idx);
1391 rules[rule_idx].is_permit = 0;
1393 else if (unformat (i, "count %d", &n_rules_override))
1395 /* we will use this later */
1397 else if (unformat (i, "action %d", &action))
1399 vec_validate_macip_acl_rules(rules, rule_idx);
1400 rules[rule_idx].is_permit = action;
1402 else if (unformat (i, "ip %U/%d",
1403 unformat_ip4_address, &src_v4address, &src_prefix_length) ||
1404 unformat (i, "ip %U",
1405 unformat_ip4_address, &src_v4address))
1407 if (src_prefix_length == 0)
1408 src_prefix_length = 32;
1409 vec_validate_macip_acl_rules(rules, rule_idx);
1410 memcpy (rules[rule_idx].src_ip_addr, &src_v4address, 4);
1411 rules[rule_idx].src_ip_prefix_len = src_prefix_length;
1412 rules[rule_idx].is_ipv6 = 0;
1414 else if (unformat (i, "src"))
1416 /* Everything in MACIP is "source" but allow this verbosity */
1418 else if (unformat (i, "ip %U/%d",
1419 unformat_ip6_address, &src_v6address, &src_prefix_length) ||
1420 unformat (i, "ip %U",
1421 unformat_ip6_address, &src_v6address))
1423 if (src_prefix_length == 0)
1424 src_prefix_length = 128;
1425 vec_validate_macip_acl_rules(rules, rule_idx);
1426 memcpy (rules[rule_idx].src_ip_addr, &src_v6address, 16);
1427 rules[rule_idx].src_ip_prefix_len = src_prefix_length;
1428 rules[rule_idx].is_ipv6 = 1;
1430 else if (unformat (i, "mac %U",
1431 my_unformat_mac_address, &src_mac))
1433 vec_validate_macip_acl_rules(rules, rule_idx);
1434 memcpy (rules[rule_idx].src_mac, &src_mac, 6);
1435 memcpy (rules[rule_idx].src_mac_mask, &mac_mask_all_1, 6);
1437 else if (unformat (i, "mask %U",
1438 my_unformat_mac_address, &src_mac))
1440 vec_validate_macip_acl_rules(rules, rule_idx);
1441 memcpy (rules[rule_idx].src_mac_mask, &src_mac, 6);
1443 else if (unformat (i, "tag %s", &tag))
1446 else if (unformat (i, ","))
1449 vec_validate_macip_acl_rules(rules, rule_idx);
1457 errmsg ("rule/s required\n");
1460 /* Construct the API message */
1461 vam->result_ready = 0;
1464 n_rules = vec_len(rules);
1466 if (n_rules_override >= 0)
1467 n_rules = n_rules_override;
1469 msg_size += n_rules*sizeof(rules[0]);
1471 mp = vl_msg_api_alloc_as_if_client(msg_size);
1472 clib_memset (mp, 0, msg_size);
1473 mp->_vl_msg_id = ntohs (VL_API_MACIP_ACL_ADD_REPLACE + sm->msg_id_base);
1474 mp->client_index = vam->my_client_index;
1475 if ((n_rules > 0) && rules)
1476 clib_memcpy(mp->r, rules, n_rules*sizeof (mp->r[0]));
1479 if (vec_len(tag) >= sizeof(mp->tag))
1481 tag[sizeof(mp->tag)-1] = 0;
1482 _vec_len(tag) = sizeof(mp->tag);
1484 clib_memcpy(mp->tag, tag, vec_len(tag));
1488 mp->acl_index = ntohl(acl_index);
1489 mp->count = htonl(n_rules);
1494 /* Wait for a reply... */
1500 * List of messages that the api test plugin sends,
1501 * and that the data plane plugin processes
1503 #define foreach_vpe_api_msg \
1504 _(acl_plugin_get_version, "") \
1505 _(acl_add_replace, "<acl-idx> [<ipv4|ipv6> <permit|permit+reflect|deny|action N> [src IP/plen] [dst IP/plen] [sport X-Y] [dport X-Y] [proto P] [tcpflags FL MASK], ... , ...") \
1506 _(acl_add_replace_from_file, "filename <file> [permit] [append-default-permit]") \
1507 _(acl_del, "<acl-idx>") \
1508 _(acl_dump, "[<acl-idx>]") \
1509 _(acl_interface_add_del, "<intfc> | sw_if_index <if-idx> [add|del] [input|output] acl <acl-idx>") \
1510 _(acl_interface_set_acl_list, "<intfc> | sw_if_index <if-idx> input [acl-idx list] output [acl-idx list]") \
1511 _(acl_interface_set_etype_whitelist, "<intfc> | sw_if_index <if-idx> input [ethertype list] output [ethertype list]") \
1512 _(acl_interface_etype_whitelist_dump, "[<intfc> | sw_if_index <if-idx>]") \
1513 _(acl_interface_list_dump, "[<intfc> | sw_if_index <if-idx>]") \
1514 _(macip_acl_add, "...") \
1515 _(macip_acl_add_replace, "<acl-idx> [<ipv4|ipv6> <permit|deny|action N> [count <count>] [src] ip <ipaddress/[plen]> mac <mac> mask <mac_mask>, ... , ...") \
1516 _(macip_acl_del, "<acl-idx>")\
1517 _(macip_acl_dump, "[<acl-idx>]") \
1518 _(macip_acl_interface_add_del, "<intfc> | sw_if_index <if-idx> [add|del] acl <acl-idx>") \
1519 _(macip_acl_interface_get, "") \
1520 _(acl_plugin_get_conn_table_max_entries, "") \
1521 _(acl_stats_intf_counters_enable, "[disable]")
1525 void acl_api_hookup (vat_main_t *vam)
1527 acl_test_main_t * sm = &acl_test_main;
1528 /* Hook up handlers for replies from the data plane plug-in */
1530 vl_msg_api_set_handlers((VL_API_##N + sm->msg_id_base), \
1532 vl_api_##n##_t_handler, \
1534 vl_api_##n##_t_endian, \
1535 vl_api_##n##_t_print, \
1536 sizeof(vl_api_##n##_t), 1);
1537 foreach_vpe_api_reply_msg;
1540 /* API messages we can send */
1541 #define _(n,h) hash_set_mem (vam->function_by_name, #n, api_##n);
1542 foreach_vpe_api_msg;
1546 #define _(n,h) hash_set_mem (vam->help_by_name, #n, h);
1547 foreach_vpe_api_msg;
1551 VAT_PLUGIN_REGISTER(acl);
Code Review / vpp.git / blob