2 * Copyright (c) 2018 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
16 #include <plugins/acl/acl.h>
17 #include <plugins/acl/fa_node.h>
18 #include <vlib/unix/plugin.h>
19 #include <plugins/acl/public_inlines.h>
20 #include "hash_lookup.h"
21 #include "elog_acl_trace.h"
23 /* check if a given ACL exists */
25 acl_plugin_acl_exists (u32 acl_index)
27 acl_main_t *am = &acl_main;
29 if (pool_is_free_index (am->acls, acl_index))
36 static u32 get_acl_user_id(acl_main_t *am, char *user_module_name, char *val1_label, char *val2_label)
38 acl_lookup_context_user_t *auser;
40 pool_foreach (auser, am->acl_users,
42 if (0 == strcmp(auser->user_module_name, user_module_name)) {
43 return (auser - am->acl_users);
47 pool_get(am->acl_users, auser);
48 auser->user_module_name = user_module_name;
49 auser->val1_label = val1_label;
50 auser->val2_label = val2_label;
51 return (auser - am->acl_users);
54 static int acl_user_id_valid(acl_main_t *am, u32 acl_user_id)
57 if (pool_is_free_index (am->acl_users, acl_user_id))
63 static int acl_lc_index_valid(acl_main_t *am, u32 lc_index)
66 if (pool_is_free_index (am->acl_lookup_contexts, lc_index))
73 * If you are using ACL plugin, get this unique ID first,
74 * so you can identify yourself when creating the lookup contexts.
77 static u32 acl_plugin_register_user_module (char *user_module_name, char *val1_label, char *val2_label)
79 acl_main_t *am = &acl_main;
81 * Because folks like to call this early on,
82 * use the global heap, so as to avoid
83 * initializing the main ACL heap before
84 * they start using ACLs.
86 u32 user_id = get_acl_user_id(am, user_module_name, val1_label, val2_label);
91 * Allocate a new lookup context index.
92 * Supply the id assigned to your module during registration,
93 * and two values of your choice identifying instances
94 * of use within your module. They are useful for debugging.
95 * If >= 0 - context id. If < 0 - error code.
98 static int acl_plugin_get_lookup_context_index (u32 acl_user_id, u32 val1, u32 val2)
100 acl_main_t *am = &acl_main;
101 acl_lookup_context_t *acontext;
103 if (!acl_user_id_valid(am, acl_user_id))
104 return VNET_API_ERROR_INVALID_REGISTRATION;
107 * The lookup context index allocation is
108 * an operation done within the global heap,
109 * so no heap switching necessary.
112 pool_get(am->acl_lookup_contexts, acontext);
113 acontext->acl_indices = 0;
114 acontext->context_user_id = acl_user_id;
115 acontext->user_val1 = val1;
116 acontext->user_val2 = val2;
118 u32 new_context_id = acontext - am->acl_lookup_contexts;
119 vec_add1(am->acl_users[acl_user_id].lookup_contexts, new_context_id);
121 return new_context_id;
125 lock_acl(acl_main_t *am, u32 acl, u32 lc_index)
127 vec_validate(am->lc_index_vec_by_acl, acl);
128 elog_acl_cond_trace_X2(am, (am->trace_acl), "lock acl %d in lc_index %d", "i4i4", acl, lc_index);
129 vec_add1(am->lc_index_vec_by_acl[acl], lc_index);
133 lock_acl_vec(u32 lc_index, u32 *acls)
136 acl_main_t *am = &acl_main;
137 for(i=0; i<vec_len(acls); i++) {
138 lock_acl(am, acls[i], lc_index);
143 unlock_acl(acl_main_t *am, u32 acl, u32 lc_index)
145 vec_validate(am->lc_index_vec_by_acl, acl);
146 elog_acl_cond_trace_X2(am, (am->trace_acl), "unlock acl %d in lc_index %d", "i4i4", acl, lc_index);
147 u32 index = vec_search(am->lc_index_vec_by_acl[acl], lc_index);
149 vec_del1(am->lc_index_vec_by_acl[acl], index);
151 clib_warning("BUG: can not unlock acl %d lc_index %d", acl, lc_index);
155 unlock_acl_vec(u32 lc_index, u32 *acls)
158 acl_main_t *am = &acl_main;
159 for(i=0; i<vec_len(acls); i++)
160 unlock_acl(am, acls[i], lc_index);
165 apply_acl_vec(u32 lc_index, u32 *acls)
168 acl_main_t *am = &acl_main;
170 for(i=0; i<vec_len(acls); i++)
171 hash_acl_apply(am, lc_index, acls[i], i);
176 unapply_acl_vec(u32 lc_index, u32 *acls)
179 acl_main_t *am = &acl_main;
180 if (vec_len(acls) == 0)
182 for(i=vec_len(acls); i > 0; i--)
183 hash_acl_unapply(am, lc_index, acls[i-1]);
187 * Release the lookup context index and destroy
188 * any associated data structures.
190 static void acl_plugin_put_lookup_context_index (u32 lc_index)
192 acl_main_t *am = &acl_main;
194 elog_acl_cond_trace_X1(am, (am->trace_acl), "LOOKUP-CONTEXT: put-context lc_index %d", "i4", lc_index);
195 if (!acl_lc_index_valid(am, lc_index)) {
196 clib_warning("BUG: lc_index %d is not valid", lc_index);
200 void *oldheap = acl_plugin_set_heap ();
201 acl_lookup_context_t *acontext = pool_elt_at_index(am->acl_lookup_contexts, lc_index);
203 u32 index = vec_search(am->acl_users[acontext->context_user_id].lookup_contexts, lc_index);
206 vec_del1(am->acl_users[acontext->context_user_id].lookup_contexts, index);
207 unapply_acl_vec(lc_index, acontext->acl_indices);
208 unlock_acl_vec(lc_index, acontext->acl_indices);
209 vec_free(acontext->acl_indices);
210 pool_put(am->acl_lookup_contexts, acontext);
211 clib_mem_set_heap (oldheap);
215 * Prepare the sequential vector of ACL#s to lookup within a given context.
216 * Any existing list will be overwritten. acl_list is a vector.
218 static int acl_plugin_set_acl_vec_for_context (u32 lc_index, u32 *acl_list)
221 uword *seen_acl_bitmap = 0;
223 acl_main_t *am = &acl_main;
224 acl_lookup_context_t *acontext;
227 elog_acl_cond_trace_X1(am, (1), "LOOKUP-CONTEXT: set-acl-list lc_index %d", "i4", lc_index);
228 for(i=0; i<vec_len(acl_list); i++) {
229 elog_acl_cond_trace_X2(am, (1), " acl-list[%d]: %d", "i4i4", i, acl_list[i]);
232 if (!acl_lc_index_valid(am, lc_index)) {
233 clib_warning("BUG: lc_index %d is not valid", lc_index);
236 void *oldheap = acl_plugin_set_heap ();
238 vec_foreach (pacln, acl_list)
240 if (pool_is_free_index (am->acls, *pacln))
242 /* ACL is not defined. Can not apply */
243 clib_warning ("ERROR: ACL %d not defined", *pacln);
244 rv = VNET_API_ERROR_NO_SUCH_ENTRY;
247 if (clib_bitmap_get (seen_acl_bitmap, *pacln))
249 /* ACL being applied twice within the list. error. */
250 clib_warning ("ERROR: ACL %d being applied twice", *pacln);
251 rv = VNET_API_ERROR_ENTRY_ALREADY_EXISTS;
254 seen_acl_bitmap = clib_bitmap_set (seen_acl_bitmap, *pacln, 1);
257 acontext = pool_elt_at_index(am->acl_lookup_contexts, lc_index);
258 u32 *old_acl_vector = acontext->acl_indices;
259 acontext->acl_indices = vec_dup(acl_list);
261 unapply_acl_vec(lc_index, old_acl_vector);
262 unlock_acl_vec(lc_index, old_acl_vector);
263 lock_acl_vec(lc_index, acontext->acl_indices);
264 apply_acl_vec(lc_index, acontext->acl_indices);
266 vec_free(old_acl_vector);
269 clib_bitmap_free (seen_acl_bitmap);
270 clib_mem_set_heap (oldheap);
275 void acl_plugin_lookup_context_notify_acl_change(u32 acl_num)
277 acl_main_t *am = &acl_main;
278 if (acl_plugin_acl_exists(acl_num)) {
279 if (hash_acl_exists(am, acl_num)) {
280 /* this is a modification, clean up the older entries */
281 hash_acl_delete(am, acl_num);
283 hash_acl_add(am, acl_num);
285 /* this is a deletion notification */
286 hash_acl_delete(am, acl_num);
291 /* Fill the 5-tuple from the packet */
293 static void acl_plugin_fill_5tuple (u32 lc_index, vlib_buffer_t * b0, int is_ip6, int is_input,
294 int is_l2_path, fa_5tuple_opaque_t * p5tuple_pkt)
296 acl_plugin_fill_5tuple_inline(&acl_main, lc_index, b0, is_ip6, is_input, is_l2_path, p5tuple_pkt);
299 static int acl_plugin_match_5tuple (u32 lc_index,
300 fa_5tuple_opaque_t * pkt_5tuple,
301 int is_ip6, u8 * r_action,
304 u32 * r_rule_match_p,
307 return acl_plugin_match_5tuple_inline (&acl_main, lc_index, pkt_5tuple, is_ip6, r_action, r_acl_pos_p, r_acl_match_p, r_rule_match_p, trace_bitmap);
312 acl_plugin_show_lookup_user (u32 user_index)
314 acl_main_t *am = &acl_main;
315 vlib_main_t *vm = am->vlib_main;
316 acl_lookup_context_user_t *auser;
318 pool_foreach (auser, am->acl_users,
320 u32 curr_user_index = (auser - am->acl_users);
321 if (user_index == ~0 || (curr_user_index == user_index)) {
322 vlib_cli_output (vm, "index %d:%s:%s:%s", curr_user_index, auser->user_module_name, auser->val1_label, auser->val2_label);
329 acl_plugin_show_lookup_context (u32 lc_index)
331 acl_main_t *am = &acl_main;
332 vlib_main_t *vm = am->vlib_main;
333 acl_lookup_context_t *acontext;
334 // clib_warning("LOOKUP-CONTEXT: lc_index %d acl_list [ %U ]", lc_index, format_vec32, acl_list, "%d");
335 if (!am->acl_lookup_contexts)
337 vlib_cli_output(vm, "ACL lookup contexts are not initialized");
341 pool_foreach (acontext, am->acl_lookup_contexts,
343 u32 curr_lc_index = (acontext - am->acl_lookup_contexts);
344 if ((lc_index == ~0) || (curr_lc_index == lc_index)) {
345 if (acl_user_id_valid(am, acontext->context_user_id)) {
346 acl_lookup_context_user_t *auser = pool_elt_at_index(am->acl_users, acontext->context_user_id);
347 vlib_cli_output (vm, "index %d:%s %s: %d %s: %d, acl_indices: %U",
348 curr_lc_index, auser->user_module_name, auser->val1_label,
349 acontext->user_val1, auser->val2_label, acontext->user_val2,
350 format_vec32, acontext->acl_indices, "%d");
352 vlib_cli_output (vm, "index %d: user_id: %d user_val1: %d user_val2: %d, acl_indices: %U",
353 curr_lc_index, acontext->context_user_id,
354 acontext->user_val1, acontext->user_val2,
355 format_vec32, acontext->acl_indices, "%d");
362 acl_plugin_get_p_acl_main(void)
367 clib_error_t *acl_plugin_methods_vtable_init(acl_plugin_methods_t *m)
369 m->p_acl_main = &acl_main;
370 #define _(name) m->name = acl_plugin_ ## name;
371 foreach_acl_plugin_exported_method_name
Code Review / vpp.git / blob