+static void
+print_clib_warning_and_reset (vlib_main_t * vm, u8 * out0)
+{
+ clib_warning ("%v", out0);
+ vec_reset_length (out0);
+}
+
+static void
+print_cli_and_reset (vlib_main_t * vm, u8 * out0)
+{
+ vlib_cli_output (vm, "%v", out0);
+ vec_reset_length (out0);
+}
+
+typedef void (*acl_vector_print_func_t) (vlib_main_t * vm, u8 * out0);
+
+static void
+acl_print_acl_x (acl_vector_print_func_t vpr, vlib_main_t * vm,
+ acl_main_t * am, int acl_index)
+{
+ acl_rule_t *r;
+ acl_rule_t *acl_rules = am->acls[acl_index].rules;
+ u8 *out0 = format (0, "acl-index %u count %u tag {%s}\n", acl_index,
+ vec_len (acl_rules), am->acls[acl_index].tag);
+ int j;
+ vpr (vm, out0);
+ for (j = 0; j < vec_len (acl_rules); j++)
+ {
+ r = &acl_rules[j];
+ out0 = format (out0, " %9d: %s ", j, r->is_ipv6 ? "ipv6" : "ipv4");
+ out0 = format_acl_action (out0, r->is_permit);
+ out0 = format (out0, " src %U/%d", format_ip46_address, &r->src,
+ r->is_ipv6 ? IP46_TYPE_IP6 : IP46_TYPE_IP4,
+ r->src_prefixlen);
+ out0 =
+ format (out0, " dst %U/%d", format_ip46_address, &r->dst,
+ r->is_ipv6 ? IP46_TYPE_IP6 : IP46_TYPE_IP4, r->dst_prefixlen);
+ out0 = format (out0, " proto %d", r->proto);
+ out0 = format (out0, " sport %d", r->src_port_or_type_first);
+ if (r->src_port_or_type_first != r->src_port_or_type_last)
+ {
+ out0 = format (out0, "-%d", r->src_port_or_type_last);
+ }
+ out0 = format (out0, " dport %d", r->dst_port_or_code_first);
+ if (r->dst_port_or_code_first != r->dst_port_or_code_last)
+ {
+ out0 = format (out0, "-%d", r->dst_port_or_code_last);
+ }
+ if (r->tcp_flags_mask || r->tcp_flags_value)
+ {
+ out0 =
+ format (out0, " tcpflags %d mask %d", r->tcp_flags_value,
+ r->tcp_flags_mask);
+ }
+ out0 = format (out0, "\n");
+ vpr (vm, out0);
+ }
+}
+
+static void
+ vl_api_acl_plugin_get_conn_table_max_entries_t_handler
+ (vl_api_acl_plugin_get_conn_table_max_entries_t * mp)
+{
+ acl_main_t *am = &acl_main;
+ vl_api_acl_plugin_get_conn_table_max_entries_reply_t *rmp;
+ int msg_size = sizeof (*rmp);
+ vl_api_registration_t *rp;
+
+ rp = vl_api_client_index_to_registration (mp->client_index);
+ if (rp == 0)
+ return;
+
+ rmp = vl_msg_api_alloc (msg_size);
+ memset (rmp, 0, msg_size);
+ rmp->_vl_msg_id =
+ ntohs (VL_API_ACL_PLUGIN_GET_CONN_TABLE_MAX_ENTRIES_REPLY +
+ am->msg_id_base);
+ rmp->context = mp->context;
+ rmp->conn_table_max_entries = __bswap_64 (am->fa_conn_table_max_entries);
+
+ vl_api_send_msg (rp, (u8 *) rmp);
+}
+
+static void
+acl_print_acl (vlib_main_t * vm, acl_main_t * am, int acl_index)
+{
+ acl_print_acl_x (print_cli_and_reset, vm, am, acl_index);
+}
+
+static void
+warning_acl_print_acl (vlib_main_t * vm, acl_main_t * am, int acl_index)
+{
+ acl_print_acl_x (print_clib_warning_and_reset, vm, am, acl_index);
+}
+
+static void
+increment_policy_epoch (acl_main_t * am, u32 sw_if_index, int is_input)
+{
+
+ u32 **ppolicy_epoch_by_swi =
+ is_input ? &am->input_policy_epoch_by_sw_if_index :
+ &am->output_policy_epoch_by_sw_if_index;
+ vec_validate (*ppolicy_epoch_by_swi, sw_if_index);
+
+ u32 *p_epoch = vec_elt_at_index ((*ppolicy_epoch_by_swi), sw_if_index);
+ *p_epoch =
+ ((1 + *p_epoch) & FA_POLICY_EPOCH_MASK) +
+ (is_input * FA_POLICY_EPOCH_IS_INPUT);
+}
+
+static void
+try_increment_acl_policy_epoch (acl_main_t * am, u32 acl_num, int is_input)
+{
+ u32 ***p_swi_vec_by_acl = is_input ? &am->input_sw_if_index_vec_by_acl
+ : &am->output_sw_if_index_vec_by_acl;
+ if (acl_num < vec_len (*p_swi_vec_by_acl))
+ {
+ u32 *p_swi;
+ vec_foreach (p_swi, (*p_swi_vec_by_acl)[acl_num])
+ {
+ increment_policy_epoch (am, *p_swi, is_input);
+ }
+
+ }
+}
+
+static void
+policy_notify_acl_change (acl_main_t * am, u32 acl_num)
+{
+ try_increment_acl_policy_epoch (am, acl_num, 0);
+ try_increment_acl_policy_epoch (am, acl_num, 1);
+}
+
+
+static void
+validate_and_reset_acl_counters (acl_main_t * am, u32 acl_index)
+{
+ int i;
+ /* counters are set as vectors [acl#] pointing to vectors of [acl rule] */
+ acl_plugin_counter_lock (am);
+
+ int old_len = vec_len (am->combined_acl_counters);
+
+ vec_validate (am->combined_acl_counters, acl_index);
+
+ for (i = old_len; i < vec_len (am->combined_acl_counters); i++)
+ {
+ am->combined_acl_counters[i].name = 0;
+ /* filled in once only */
+ am->combined_acl_counters[i].stat_segment_name = (void *)
+ format (0, "/acl/%d/matches%c", i, 0);
+ i32 rule_count = vec_len (am->acls[i].rules);
+ /* Validate one extra so we always have at least one counter for an ACL */
+ vlib_validate_combined_counter (&am->combined_acl_counters[i],
+ rule_count);
+ vlib_clear_combined_counters (&am->combined_acl_counters[i]);
+ }
+
+ /* (re)validate for the actual ACL that is getting added/updated */
+ i32 rule_count = vec_len (am->acls[acl_index].rules);
+ /* Validate one extra so we always have at least one counter for an ACL */
+ vlib_validate_combined_counter (&am->combined_acl_counters[acl_index],
+ rule_count);
+ vlib_clear_combined_counters (&am->combined_acl_counters[acl_index]);
+ acl_plugin_counter_unlock (am);
+}
+
+static int
+acl_api_ip4_invalid_prefix (void *ip4_pref_raw, u8 ip4_prefix_len)
+{
+ ip4_address_t ip4_addr;
+ ip4_address_t ip4_mask;
+ ip4_address_t ip4_masked_addr;
+
+ memcpy (&ip4_addr, ip4_pref_raw, sizeof (ip4_addr));
+ ip4_preflen_to_mask (ip4_prefix_len, &ip4_mask);
+ ip4_masked_addr.as_u32 = ip4_addr.as_u32 & ip4_mask.as_u32;
+ int ret = (ip4_masked_addr.as_u32 != ip4_addr.as_u32);
+ if (ret)
+ {
+ clib_warning
+ ("inconsistent addr %U for prefix len %d; (%U when masked)",
+ format_ip4_address, ip4_pref_raw, ip4_prefix_len, format_ip4_address,
+ &ip4_masked_addr);
+ }
+ return ret;
+}
+
+static int
+acl_api_ip6_invalid_prefix (void *ip6_pref_raw, u8 ip6_prefix_len)
+{
+ ip6_address_t ip6_addr;
+ ip6_address_t ip6_mask;
+ ip6_address_t ip6_masked_addr;
+
+ memcpy (&ip6_addr, ip6_pref_raw, sizeof (ip6_addr));
+ ip6_preflen_to_mask (ip6_prefix_len, &ip6_mask);
+ ip6_masked_addr.as_u64[0] = ip6_addr.as_u64[0] & ip6_mask.as_u64[0];
+ ip6_masked_addr.as_u64[1] = ip6_addr.as_u64[1] & ip6_mask.as_u64[1];
+ int ret = ((ip6_masked_addr.as_u64[0] != ip6_addr.as_u64[0])
+ || (ip6_masked_addr.as_u64[1] != ip6_addr.as_u64[1]));
+ if (ret)
+ {
+ clib_warning
+ ("inconsistent addr %U for prefix len %d; (%U when masked)",
+ format_ip6_address, ip6_pref_raw, ip6_prefix_len, format_ip6_address,
+ &ip6_masked_addr);
+ }
+ return ret;
+}
+