#include <acl/acl.h>
#include <vnet/l2/l2_classify.h>
-#include <vnet/classify/input_acl.h>
+#include <vnet/classify/in_out_acl.h>
#include <vpp/app/version.h>
#include <vlibapi/api.h>
acl_main_t *am = &acl_main;
vl_api_acl_plugin_get_version_reply_t *rmp;
int msg_size = sizeof (*rmp);
- svm_queue_t *q;
+ vl_api_registration_t *reg;
- q = vl_api_client_index_to_input_queue (mp->client_index);
- if (q == 0)
- {
- return;
- }
+ reg = vl_api_client_index_to_registration (mp->client_index);
+ if (!reg)
+ return;
rmp = vl_msg_api_alloc (msg_size);
memset (rmp, 0, msg_size);
rmp->major = htonl (ACL_PLUGIN_VERSION_MAJOR);
rmp->minor = htonl (ACL_PLUGIN_VERSION_MINOR);
- vl_msg_api_send_shmem (q, (u8 *) & rmp);
+ vl_api_send_msg (reg, (u8 *) rmp);
}
static void
typedef struct
{
u8 is_ipv6;
+ u8 has_egress;
u8 mac_mask[6];
u8 prefix_len;
u32 count;
u32 arp_table_index;
u32 dot1q_table_index;
u32 dot1ad_table_index;
+ /* egress tables */
+ u32 out_table_index;
+ u32 out_arp_table_index;
+ u32 out_dot1q_table_index;
+ u32 out_dot1ad_table_index;
} macip_match_type_t;
static u32
offsetof (ip4_header_t, src_address));
}
+static int
+get_l3_dst_offset (int is6)
+{
+ if (is6)
+ return (sizeof (ethernet_header_t) +
+ offsetof (ip6_header_t, dst_address));
+ else
+ return (sizeof (ethernet_header_t) +
+ offsetof (ip4_header_t, dst_address));
+}
+
+/*
+ * return if the is_permit value also requires to create the egress tables
+ * For backwards compatibility, we keep the is_permit = 1 to only
+ * create the ingress tables, and the new value of 3 will also
+ * create the egress tables based on destination.
+ */
+static int
+macip_permit_also_egress (u8 is_permit)
+{
+ return (is_permit == 3);
+}
+
static int
macip_create_classify_tables (acl_main_t * am, u32 macip_acl_index)
{
int i;
u32 match_type_index;
u32 last_table;
+ u32 out_last_table;
u8 mask[5 * 16];
vnet_classify_main_t *cm = &vnet_classify_main;
a->rules[i].src_mac_mask, 6);
mvec[match_type_index].prefix_len = a->rules[i].src_prefixlen;
mvec[match_type_index].is_ipv6 = a->rules[i].is_ipv6;
+ mvec[match_type_index].has_egress = 0;
mvec[match_type_index].table_index = ~0;
+ mvec[match_type_index].arp_table_index = ~0;
mvec[match_type_index].dot1q_table_index = ~0;
mvec[match_type_index].dot1ad_table_index = ~0;
+ mvec[match_type_index].out_table_index = ~0;
+ mvec[match_type_index].out_arp_table_index = ~0;
+ mvec[match_type_index].out_dot1q_table_index = ~0;
+ mvec[match_type_index].out_dot1ad_table_index = ~0;
}
mvec[match_type_index].count++;
+ mvec[match_type_index].has_egress |=
+ macip_permit_also_egress (a->rules[i].is_permit);
}
/* Put the most frequently used tables last in the list so we can create classifier tables in reverse order */
vec_sort_with_function (mvec, match_type_compare);
/* Create the classifier tables */
last_table = ~0;
+ out_last_table = ~0;
/* First add ARP tables */
vec_foreach (mt, mvec)
{
int mask_len;
int is6 = mt->is_ipv6;
- mt->arp_table_index = ~0;
if (!is6)
{
+ /*
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Destination Address |
+ + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
+ | Source Address |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | EtherType | Hardware Type |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Protocol Type | Hw addr len | Proto addr len|
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Opcode | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
+ | Sender Hardware Address |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Sender Protocol Address |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Target Hardware Address |
+ + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | | TargetProtocolAddress |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
memset (mask, 0, sizeof (mask));
+ /* source MAC address */
memcpy (&mask[6], mt->mac_mask, 6);
memset (&mask[12], 0xff, 2); /* ethernet protocol */
+ /* sender hardware address within ARP */
memcpy (&mask[14 + 8], mt->mac_mask, 6);
-
+ /* sender protocol address within ARP */
for (i = 0; i < (mt->prefix_len / 8); i++)
mask[14 + 14 + i] = 0xff;
if (mt->prefix_len % 8)
(~0 == last_table) ? 0 : ~0,
&mt->arp_table_index, 1);
last_table = mt->arp_table_index;
+ if (mt->has_egress)
+ {
+ /* egress ARP table */
+ memset (mask, 0, sizeof (mask));
+ // memcpy (&mask[0], mt->mac_mask, 6);
+ memset (&mask[12], 0xff, 2); /* ethernet protocol */
+ /* AYXX: FIXME here - can we tighten the ARP-related table more ? */
+ /* mask captures just the destination and the ethertype */
+ mask_len = ((14 +
+ (sizeof (u32x4) -
+ 1)) / sizeof (u32x4)) * sizeof (u32x4);
+ acl_classify_add_del_table_small (cm, mask, mask_len,
+ out_last_table,
+ (~0 == out_last_table) ? 0 : ~0,
+ &mt->out_arp_table_index, 1);
+ out_last_table = mt->out_arp_table_index;
+ }
}
}
/* Now add IP[46] tables */
{
int mask_len;
int is6 = mt->is_ipv6;
- int l3_src_offs = get_l3_src_offset (is6);
+ int l3_src_offs;
+ int l3_dst_offs;
int tags;
u32 *last_tag_table;
+ u32 *out_last_tag_table;
/*
* create chained tables for VLAN (no-tags, dot1q and dot1ad) packets
*/
- l3_src_offs += 8;
for (tags = 2; tags >= 0; tags--)
{
memset (mask, 0, sizeof (mask));
memcpy (&mask[6], mt->mac_mask, 6);
+ l3_src_offs = tags * 4 + get_l3_src_offset (is6);
switch (tags)
{
case 0:
(~0 == last_table) ? 0 : ~0,
last_tag_table, 1);
last_table = *last_tag_table;
-
- memset (&mask[12], 0, sizeof (mask) - 12);
- l3_src_offs -= 4;
+ }
+ if (mt->has_egress)
+ {
+ for (tags = 2; tags >= 0; tags--)
+ {
+ memset (mask, 0, sizeof (mask));
+ /* MAC destination */
+ memcpy (&mask[0], mt->mac_mask, 6);
+ l3_dst_offs = tags * 4 + get_l3_dst_offset (is6);
+ switch (tags)
+ {
+ case 0:
+ default:
+ memset (&mask[12], 0xff, 2); /* ethernet protocol */
+ out_last_tag_table = &mt->out_table_index;
+ break;
+ case 1:
+ memset (&mask[12], 0xff, 2); /* VLAN tag1 */
+ memset (&mask[16], 0xff, 2); /* ethernet protocol */
+ out_last_tag_table = &mt->out_dot1q_table_index;
+ break;
+ case 2:
+ memset (&mask[12], 0xff, 2); /* VLAN tag1 */
+ memset (&mask[16], 0xff, 2); /* VLAN tag2 */
+ memset (&mask[20], 0xff, 2); /* ethernet protocol */
+ out_last_tag_table = &mt->out_dot1ad_table_index;
+ break;
+ }
+ for (i = 0; i < (mt->prefix_len / 8); i++)
+ {
+ mask[l3_dst_offs + i] = 0xff;
+ }
+ if (mt->prefix_len % 8)
+ {
+ mask[l3_dst_offs + (mt->prefix_len / 8)] =
+ 0xff - ((1 << (8 - mt->prefix_len % 8)) - 1);
+ }
+ /*
+ * Round-up the number of bytes needed to store the prefix,
+ * and round up the number of vectors too
+ */
+ mask_len = ((l3_dst_offs + ((mt->prefix_len + 7) / 8) +
+ (sizeof (u32x4) -
+ 1)) / sizeof (u32x4)) * sizeof (u32x4);
+ acl_classify_add_del_table_small (cm, mask, mask_len,
+ out_last_table,
+ (~0 == out_last_table) ? 0 : ~0,
+ out_last_tag_table, 1);
+ out_last_table = *out_last_tag_table;
+ }
}
}
a->ip4_table_index = last_table;
a->ip6_table_index = last_table;
a->l2_table_index = last_table;
+ a->out_ip4_table_index = out_last_table;
+ a->out_ip6_table_index = out_last_table;
+ a->out_l2_table_index = out_last_table;
+
/* Populate the classifier tables with rules from the MACIP ACL */
for (i = 0; i < a->count; i++)
{
u32 action = 0;
u32 metadata = 0;
int is6 = a->rules[i].is_ipv6;
- int l3_src_offs = get_l3_src_offset (is6);
+ int l3_src_offs;
+ int l3_dst_offs;
u32 tag_table;
int tags, eth;
a->rules[i].is_ipv6);
ASSERT (match_type_index != ~0);
- l3_src_offs += 8;
for (tags = 2; tags >= 0; tags--)
{
memset (mask, 0, sizeof (mask));
+ l3_src_offs = tags * 4 + get_l3_src_offset (is6);
memcpy (&mask[6], a->rules[i].src_mac, 6);
switch (tags)
{
mask, a->rules[i].is_permit ? ~0 : 0,
i, 0, action, metadata, 1);
memset (&mask[12], 0, sizeof (mask) - 12);
- l3_src_offs -= 4;
}
/* add ARP table entry too */
mask, a->rules[i].is_permit ? ~0 : 0,
i, 0, action, metadata, 1);
}
+ if (macip_permit_also_egress (a->rules[i].is_permit))
+ {
+ /* Add the egress entry with destination set */
+ for (tags = 2; tags >= 0; tags--)
+ {
+ memset (mask, 0, sizeof (mask));
+ l3_dst_offs = tags * 4 + get_l3_dst_offset (is6);
+ /* src mac in the other direction becomes dst */
+ memcpy (&mask[0], a->rules[i].src_mac, 6);
+ switch (tags)
+ {
+ case 0:
+ default:
+ tag_table = mvec[match_type_index].out_table_index;
+ eth = 12;
+ break;
+ case 1:
+ tag_table = mvec[match_type_index].out_dot1q_table_index;
+ mask[12] = 0x81;
+ mask[13] = 0x00;
+ eth = 16;
+ break;
+ case 2:
+ tag_table = mvec[match_type_index].out_dot1ad_table_index;
+ mask[12] = 0x88;
+ mask[13] = 0xa8;
+ mask[16] = 0x81;
+ mask[17] = 0x00;
+ eth = 20;
+ break;
+ }
+ if (is6)
+ {
+ memcpy (&mask[l3_dst_offs], &a->rules[i].src_ip_addr.ip6,
+ 16);
+ mask[eth] = 0x86;
+ mask[eth + 1] = 0xdd;
+ }
+ else
+ {
+ memcpy (&mask[l3_dst_offs], &a->rules[i].src_ip_addr.ip4,
+ 4);
+ mask[eth] = 0x08;
+ mask[eth + 1] = 0x00;
+ }
+
+ /* add session to table mvec[match_type_index].table_index; */
+ vnet_classify_add_del_session (cm, tag_table,
+ mask,
+ a->rules[i].is_permit ? ~0 : 0,
+ i, 0, action, metadata, 1);
+ // memset (&mask[12], 0, sizeof (mask) - 12);
+ }
+
+ /* add ARP table entry too */
+ if (!is6 && (mvec[match_type_index].out_arp_table_index != ~0))
+ {
+ memset (mask, 0, sizeof (mask));
+ memcpy (&mask[0], a->rules[i].src_mac, 6);
+ mask[12] = 0x08;
+ mask[13] = 0x06;
+ vnet_classify_add_del_session (cm,
+ mvec
+ [match_type_index].out_arp_table_index,
+ mask,
+ a->rules[i].is_permit ? ~0 : 0,
+ i, 0, action, metadata, 1);
+ }
+ }
}
return 0;
}
is_apply);
/* return the first unhappy outcome but make try to plough through. */
rv = rv || rv0;
+ rv0 =
+ vnet_set_output_acl_intfc (am->vlib_main, i, a->out_ip4_table_index,
+ a->out_ip6_table_index,
+ a->out_l2_table_index, is_apply);
+ /* return the first unhappy outcome but make try to plough through. */
+ rv = rv || rv0;
}
return rv;
}
rv =
vnet_set_input_acl_intfc (am->vlib_main, sw_if_index, a->ip4_table_index,
a->ip6_table_index, a->l2_table_index, 0);
+ rv |=
+ vnet_set_output_acl_intfc (am->vlib_main, sw_if_index,
+ a->out_ip4_table_index, a->out_ip6_table_index,
+ a->out_l2_table_index, 0);
/* Unset the MACIP ACL index */
am->macip_acl_by_sw_if_index[sw_if_index] = ~0;
return rv;
rv =
vnet_set_input_acl_intfc (am->vlib_main, sw_if_index, a->ip4_table_index,
a->ip6_table_index, a->l2_table_index, 1);
+ rv |=
+ vnet_set_output_acl_intfc (am->vlib_main, sw_if_index,
+ a->out_ip4_table_index, a->out_ip6_table_index,
+ a->out_l2_table_index, 1);
return rv;
}
}
static void
-send_acl_details (acl_main_t * am, svm_queue_t * q,
+send_acl_details (acl_main_t * am, vl_api_registration_t * reg,
acl_list_t * acl, u32 context)
{
vl_api_acl_details_t *mp;
}
clib_mem_set_heap (oldheap);
- vl_msg_api_send_shmem (q, (u8 *) & mp);
+ vl_api_send_msg (reg, (u8 *) mp);
}
acl_main_t *am = &acl_main;
u32 acl_index;
acl_list_t *acl;
-
int rv = -1;
- svm_queue_t *q;
+ vl_api_registration_t *reg;
- q = vl_api_client_index_to_input_queue (mp->client_index);
- if (q == 0)
- {
- return;
- }
+ reg = vl_api_client_index_to_registration (mp->client_index);
+ if (!reg)
+ return;
if (mp->acl_index == ~0)
{
/* Just dump all ACLs */
pool_foreach (acl, am->acls,
({
- send_acl_details(am, q, acl, mp->context);
+ send_acl_details(am, reg, acl, mp->context);
}));
/* *INDENT-ON* */
}
if (!pool_is_free_index (am->acls, acl_index))
{
acl = pool_elt_at_index (am->acls, acl_index);
- send_acl_details (am, q, acl, mp->context);
+ send_acl_details (am, reg, acl, mp->context);
}
}
static void
send_acl_interface_list_details (acl_main_t * am,
- svm_queue_t * q,
+ vl_api_registration_t * reg,
u32 sw_if_index, u32 context)
{
vl_api_acl_interface_list_details_t *mp;
htonl (am->output_acl_vec_by_sw_if_index[sw_if_index][i]);
}
clib_mem_set_heap (oldheap);
- vl_msg_api_send_shmem (q, (u8 *) & mp);
+ vl_api_send_msg (reg, (u8 *) mp);
}
static void
vnet_interface_main_t *im = &am->vnet_main->interface_main;
u32 sw_if_index;
- svm_queue_t *q;
+ vl_api_registration_t *reg;
- q = vl_api_client_index_to_input_queue (mp->client_index);
- if (q == 0)
- {
- return;
- }
+ reg = vl_api_client_index_to_registration (mp->client_index);
+ if (!reg)
+ return;
if (mp->sw_if_index == ~0)
{
/* *INDENT-OFF* */
pool_foreach (swif, im->sw_interfaces,
({
- send_acl_interface_list_details(am, q, swif->sw_if_index, mp->context);
+ send_acl_interface_list_details(am, reg, swif->sw_if_index, mp->context);
}));
/* *INDENT-ON* */
}
{
sw_if_index = ntohl (mp->sw_if_index);
if (!pool_is_free_index (im->sw_interfaces, sw_if_index))
- send_acl_interface_list_details (am, q, sw_if_index, mp->context);
+ send_acl_interface_list_details (am, reg, sw_if_index, mp->context);
}
}
}
static void
-send_macip_acl_details (acl_main_t * am, svm_queue_t * q,
+send_macip_acl_details (acl_main_t * am, vl_api_registration_t * reg,
macip_acl_list_t * acl, u32 context)
{
vl_api_macip_acl_details_t *mp;
mp->count = 0;
}
- vl_msg_api_send_shmem (q, (u8 *) & mp);
+ vl_api_send_msg (reg, (u8 *) mp);
}
acl_main_t *am = &acl_main;
macip_acl_list_t *acl;
- svm_queue_t *q;
+ vl_api_registration_t *reg;
- q = vl_api_client_index_to_input_queue (mp->client_index);
- if (q == 0)
- {
- return;
- }
+ reg = vl_api_client_index_to_registration (mp->client_index);
+ if (!reg)
+ return;
if (mp->acl_index == ~0)
{
/* Just dump all ACLs for now, with sw_if_index = ~0 */
pool_foreach (acl, am->macip_acls, (
{
- send_macip_acl_details (am, q, acl,
- mp->
- context);}
+ send_macip_acl_details (am, reg,
+ acl,
+ mp->context);
+ }
));
/* *INDENT-ON* */
}
if (!pool_is_free_index (am->macip_acls, acl_index))
{
acl = pool_elt_at_index (am->macip_acls, acl_index);
- send_macip_acl_details (am, q, acl, mp->context);
+ send_macip_acl_details (am, reg, acl, mp->context);
}
}
}
vl_api_macip_acl_interface_get_reply_t *rmp;
u32 count = vec_len (am->macip_acl_by_sw_if_index);
int msg_size = sizeof (*rmp) + sizeof (rmp->acls[0]) * count;
- svm_queue_t *q;
+ vl_api_registration_t *reg;
int i;
- q = vl_api_client_index_to_input_queue (mp->client_index);
- if (q == 0)
- {
- return;
- }
+ reg = vl_api_client_index_to_registration (mp->client_index);
+ if (!reg)
+ return;
rmp = vl_msg_api_alloc (msg_size);
memset (rmp, 0, msg_size);
rmp->acls[i] = htonl (am->macip_acl_by_sw_if_index[i]);
}
- vl_msg_api_send_shmem (q, (u8 *) & rmp);
+ vl_api_send_msg (reg, (u8 *) rmp);
}
static void
send_macip_acl_interface_list_details (acl_main_t * am,
- svm_queue_t * q,
+ vl_api_registration_t * reg,
u32 sw_if_index,
u32 acl_index, u32 context)
{
rmp->sw_if_index = htonl (sw_if_index);
rmp->acls[0] = htonl (acl_index);
- vl_msg_api_send_shmem (q, (u8 *) & rmp);
+ vl_api_send_msg (reg, (u8 *) rmp);
}
static void
vl_api_macip_acl_interface_list_dump_t_handler
(vl_api_macip_acl_interface_list_dump_t * mp)
{
- svm_queue_t *q;
+ vl_api_registration_t *reg;
acl_main_t *am = &acl_main;
u32 sw_if_index = ntohl (mp->sw_if_index);
- q = vl_api_client_index_to_input_queue (mp->client_index);
- if (q == 0)
- {
- return;
- }
+ reg = vl_api_client_index_to_registration (mp->client_index);
+ if (!reg)
+ return;
if (sw_if_index == ~0)
{
{
if (~0 != am->macip_acl_by_sw_if_index[sw_if_index])
{
- send_macip_acl_interface_list_details (am, q, sw_if_index,
+ send_macip_acl_interface_list_details (am, reg, sw_if_index,
am->macip_acl_by_sw_if_index
[sw_if_index],
mp->context);
{
if (vec_len (am->macip_acl_by_sw_if_index) > sw_if_index)
{
- send_macip_acl_interface_list_details (am, q, sw_if_index,
+ send_macip_acl_interface_list_details (am, reg, sw_if_index,
am->macip_acl_by_sw_if_index
[sw_if_index], mp->context);
}
goto done;
}
}
+ if (unformat (input, "event-trace"))
+ {
+ if (!unformat (input, "%u", &val))
+ {
+ error = clib_error_return (0,
+ "expecting trace level, got `%U`",
+ format_unformat_error, input);
+ goto done;
+ }
+ else
+ {
+ am->trace_sessions = val;
+ goto done;
+ }
+ }
goto done;
}
if (unformat (input, "timeout"))
vlib_cli_output (vm,
" ip4_table_index %d, ip6_table_index %d, l2_table_index %d\n",
a->ip4_table_index, a->ip6_table_index, a->l2_table_index);
+ vlib_cli_output (vm,
+ " out_ip4_table_index %d, out_ip6_table_index %d, out_l2_table_index %d\n",
+ a->out_ip4_table_index, a->out_ip6_table_index,
+ a->out_l2_table_index);
for (i = 0; i < vec_len (a->rules); i++)
vlib_cli_output (vm, " rule %d: %U\n", i,
my_macip_acl_rule_t_pretty_format,
static clib_error_t *
acl_show_aclplugin_macip_acl_fn (vlib_main_t * vm,
- unformat_input_t * input,
- vlib_cli_command_t * cmd)
+ unformat_input_t *
+ input, vlib_cli_command_t * cmd)
{
clib_error_t *error = 0;
acl_main_t *am = &acl_main;
static clib_error_t *
acl_show_aclplugin_macip_interface_fn (vlib_main_t * vm,
- unformat_input_t * input,
- vlib_cli_command_t * cmd)
+ unformat_input_t *
+ input, vlib_cli_command_t * cmd)
{
clib_error_t *error = 0;
acl_main_t *am = &acl_main;
static clib_error_t *
acl_show_aclplugin_interface_fn (vlib_main_t * vm,
- unformat_input_t * input,
- vlib_cli_command_t * cmd)
+ unformat_input_t *
+ input, vlib_cli_command_t * cmd)
{
clib_error_t *error = 0;
acl_main_t *am = &acl_main;