- if (PREDICT_FALSE (key0.gck_src == key0.gck_dst))
- {
- /*
- * intra-epg allowed
- */
- next0 =
- vnet_l2_feature_next (b0,
- gpm->l2_output_feat_next
- [is_port_based],
- (is_port_based ?
- L2OUTPUT_FEAT_GBP_POLICY_PORT :
- L2OUTPUT_FEAT_GBP_POLICY_MAC));
- vnet_buffer2 (b0)->gbp.flags |= VXLAN_GBP_GPFLAGS_A;
- n_allow_intra++;
- }
- else if (PREDICT_FALSE (key0.gck_src == 1 || key0.gck_dst == 1))
- {
- /*
- * sclass or dclass 1 allowed
- */
- next0 =
- vnet_l2_feature_next (b0,
- gpm->l2_output_feat_next
- [is_port_based],
- (is_port_based ?
- L2OUTPUT_FEAT_GBP_POLICY_PORT :
- L2OUTPUT_FEAT_GBP_POLICY_MAC));
- vnet_buffer2 (b0)->gbp.flags |= VXLAN_GBP_GPFLAGS_A;
- n_allow_sclass_1++;
- }
- else
- {
- gci0 = gbp_contract_find (&key0);
-
- if (INDEX_INVALID != gci0)
- {
- u32 rule_match_p0, trace_bitmap0;
- fa_5tuple_opaque_t pkt_5tuple0;
- u32 acl_pos_p0, acl_match_p0;
- u8 is_ip60, l2_len0, action0;
- const gbp_rule_t *gu;
- u16 ether_type0;
- const u8 *h0;
-
- vlib_prefetch_combined_counter
- (&gbp_contract_drop_counters, thread_index, gci0);
- vlib_prefetch_combined_counter
- (&gbp_contract_permit_counters, thread_index, gci0);
-
- action0 = 0;
- gc0 = gbp_contract_get (gci0);
- l2_len0 = vnet_buffer (b0)->l2.l2_len;
- h0 = vlib_buffer_get_current (b0);
-
- ether_type0 = *(u16 *) (h0 + l2_len0 - 2);
-
- if (!gbp_policy_is_ethertype_allowed (gc0, ether_type0))
- {
- /*
- * black list model so drop
- */
- b0->error =
- node->errors[GBP_POLICY_ERROR_DROP_ETHER_TYPE];
-
- vlib_increment_combined_counter
- (&gbp_contract_drop_counters,
- thread_index,
- gci0, 1, vlib_buffer_length_in_chain (vm, b0));
-
- goto trace;
- }
-
- if ((ether_type0 ==
- clib_net_to_host_u16 (ETHERNET_TYPE_IP6))
- || (ether_type0 ==
- clib_net_to_host_u16 (ETHERNET_TYPE_IP4)))
- {
- is_ip60 =
- (ether_type0 ==
- clib_net_to_host_u16 (ETHERNET_TYPE_IP6)) ? 1 :
- 0;
- /*
- * tests against the ACL
- */
- acl_plugin_fill_5tuple_inline (gm->
- acl_plugin.p_acl_main,
- gc0->gc_lc_index, b0,
- is_ip60,
- /* is_input */ 0,
- /* is_l2_path */ 1,
- &pkt_5tuple0);
- acl_plugin_match_5tuple_inline (gm->
- acl_plugin.p_acl_main,
- gc0->gc_lc_index,
- &pkt_5tuple0,
- is_ip60, &action0,
- &acl_pos_p0,
- &acl_match_p0,
- &rule_match_p0,
- &trace_bitmap0);
-
- if (action0 > 0)
- {
- vnet_buffer2 (b0)->gbp.flags |=
- VXLAN_GBP_GPFLAGS_A;
- gu =
- gbp_rule_get (gc0->gc_rules[rule_match_p0]);
-
- switch (gu->gu_action)
- {
- case GBP_RULE_PERMIT:
- next0 = vnet_l2_feature_next
- (b0,
- gpm->l2_output_feat_next
- [is_port_based],
- (is_port_based ?
- L2OUTPUT_FEAT_GBP_POLICY_PORT :
- L2OUTPUT_FEAT_GBP_POLICY_MAC));
- break;
- case GBP_RULE_DENY:
- next0 = GBP_POLICY_NEXT_DROP;
- break;
- case GBP_RULE_REDIRECT:
- next0 = gbp_rule_l2_redirect (gu, b0);
- break;
- }
- }
- }
- if (next0 == GBP_POLICY_NEXT_DROP)
- {
- vlib_increment_combined_counter
- (&gbp_contract_drop_counters,
- thread_index,
- gci0, 1, vlib_buffer_length_in_chain (vm, b0));
- b0->error =
- node->errors[GBP_POLICY_ERROR_DROP_CONTRACT];
- }
- else
- {
- vlib_increment_combined_counter
- (&gbp_contract_permit_counters,
- thread_index,
- gci0, 1, vlib_buffer_length_in_chain (vm, b0));
- }
- }
- else
- {
- b0->error =
- node->errors[GBP_POLICY_ERROR_DROP_NO_CONTRACT];
- }
- }