_(ACL_DUMP, acl_dump) \
_(ACL_INTERFACE_LIST_DUMP, acl_interface_list_dump) \
_(MACIP_ACL_ADD, macip_acl_add) \
+_(MACIP_ACL_ADD_REPLACE, macip_acl_add_replace) \
_(MACIP_ACL_DEL, macip_acl_del) \
_(MACIP_ACL_INTERFACE_ADD_DEL, macip_acl_interface_add_del) \
_(MACIP_ACL_DUMP, macip_acl_dump) \
acl_set_heap(acl_main_t *am)
{
if (0 == am->acl_mheap) {
- am->acl_mheap = mheap_alloc (0 /* use VM */ , 2 << 29);
+ am->acl_mheap = mheap_alloc (0 /* use VM */ , am->acl_mheap_size);
mheap_t *h = mheap_header (am->acl_mheap);
h->flags |= MHEAP_FLAG_THREAD_SAFE;
}
}
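Review bot: The result of `mheap_alloc` on the changed line is used unchecked: `mheap_header (am->acl_mheap)` on the next line dereferences it, so if `mheap_alloc` reports failure by returning 0 the plugin faults here instead of reporting an error. The size now comes from `am->acl_mheap_size`, which the new `acl-plugin` config section lets an operator set to any u32 (including 0) from startup.conf, so that failure is reachable by configuration rather than only by memory exhaustion. I would add `if (!am->acl_mheap) clib_panic ("acl-plugin: cannot allocate %u-byte heap", am->acl_mheap_size);` directly after the allocation, or whichever failure convention the plugin uses elsewhere. acl_set_heap's return-type line and, presumably, its return statement lie outside the hunk.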
if (acl_list_index < vec_len(am->input_sw_if_index_vec_by_acl)) {
- if (vec_len(am->input_sw_if_index_vec_by_acl[acl_list_index]) > 0) {
+ if (vec_len(vec_elt_at_index(am->input_sw_if_index_vec_by_acl, acl_list_index)) > 0) {
/* ACL is applied somewhere inbound. Refuse to delete */
return -1;
}
}
if (acl_list_index < vec_len(am->output_sw_if_index_vec_by_acl)) {
- if (vec_len(am->output_sw_if_index_vec_by_acl[acl_list_index]) > 0) {
+ if (vec_len(vec_elt_at_index(am->output_sw_if_index_vec_by_acl, acl_list_index)) > 0) {
/* ACL is applied somewhere outbound. Refuse to delete */
return -1;
}
hash_acl_delete(am, acl_list_index);
/* now we can delete the ACL itself */
- a = &am->acls[acl_list_index];
+ a = pool_elt_at_index (am->acls, acl_list_index);
if (a->rules)
vec_free (a->rules);
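Review bot: Switching to `vec_elt_at_index`/`pool_elt_at_index` does not by itself make `acl_list_index` safe at the `a = pool_elt_at_index (am->acls, acl_list_index);` line: in vppinfra those accessors are, as far as I recall, `ASSERT`-based and reduce to plain pointer arithmetic in a build without CLIB_DEBUG. The explicit `pool_is_free_index (am->acls, acl_list_index)` rejection therefore still has to run before this point; it is not visible in the hunk and acl_del_list begins outside it, so please confirm it is there and that `hash_acl_delete` is only reached after it. The two `vec_len (vec_elt_at_index (...))` checks above are fine as written because each is already guarded by the preceding `acl_list_index < vec_len (...)` test.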
rv =
vnet_l2_input_classify_set_tables (sw_if_index, ip4_table_index,
ip6_table_index, ~0);
- clib_warning
- ("ACL enabling on interface sw_if_index %d, setting tables to the following: ip4: %d ip6: %d\n",
- sw_if_index, ip4_table_index, ip6_table_index);
if (rv)
{
acl_classify_add_del_table_tiny (cm, ip6_5tuple_mask,
{
int rv = -1;
acl_main_t *am = &acl_main;
- void *oldheap = acl_set_heap(am);
if (is_add)
{
rv =
rv =
acl_interface_del_inout_acl (sw_if_index, is_input, acl_list_index);
}
- clib_mem_set_heap (oldheap);
return rv;
}
{
macip_match_type_t *mvec = NULL;
macip_match_type_t *mt;
- macip_acl_list_t *a = &am->macip_acls[macip_acl_index];
+ macip_acl_list_t *a = pool_elt_at_index (am->macip_acls, macip_acl_index);
int i;
u32 match_type_index;
u32 last_table;
1);
last_table = mt->table_index;
}
- a->ip4_table_index = ~0;
- a->ip6_table_index = ~0;
+ a->ip4_table_index = last_table;
+ a->ip6_table_index = last_table;
a->l2_table_index = last_table;
/* Populate the classifier tables with rules from the MACIP ACL */
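Review bot: With `ip4_table_index` and `ip6_table_index` now both set to `last_table`, the three per-ACL table indices alias one classifier table, while `macip_destroy_classify_tables` (its body is cut off after L80) tests each index against `~0` separately. If that destroy path deletes each index independently and the classifier does not reject an already-freed table index, the delete path and the new replace path in `macip_acl_add_list` would release the same table up to three times. I would make the destroy path alias-aware, e.g. `if (a->ip4_table_index != ~0 && a->ip4_table_index != a->l2_table_index)` for the ip4 and ip6 branches, and reset all three fields to `~0` afterwards. A one-line comment here explaining why IPv4/IPv6 now share the L2 chain would also help, since the old code deliberately left them at `~0`.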
macip_destroy_classify_tables (acl_main_t * am, u32 macip_acl_index)
{
vnet_classify_main_t *cm = &vnet_classify_main;
- macip_acl_list_t *a = &am->macip_acls[macip_acl_index];
+ macip_acl_list_t *a = pool_elt_at_index (am->macip_acls, macip_acl_index);
if (a->ip4_table_index != ~0)
{
macip_acl_rule_t *r;
macip_acl_rule_t *acl_new_rules = 0;
int i;
+
+ if (*acl_list_index != ~0)
+ {
+ /* They supplied some number, let's see if this MACIP ACL exists */
+ if (pool_is_free_index (am->macip_acls, *acl_list_index))
+ {
+ /* tried to replace a non-existent ACL, no point doing anything */
+ clib_warning("acl-plugin-error: Trying to replace nonexistent MACIP ACL %d (tag %s)", *acl_list_index, tag);
+ return -1;
+ }
+ }
+
if (0 == count) {
clib_warning("acl-plugin-warning: Trying to create empty MACIP ACL (tag %s)", tag);
}
r->src_prefixlen = rules[i].src_ip_prefix_len;
}
- /* Get ACL index */
- pool_get_aligned (am->macip_acls, a, CLIB_CACHE_LINE_BYTES);
- memset (a, 0, sizeof (*a));
- /* Will return the newly allocated ACL index */
- *acl_list_index = a - am->macip_acls;
+ if (~0 == *acl_list_index)
+ {
+ /* Get ACL index */
+ pool_get_aligned (am->macip_acls, a, CLIB_CACHE_LINE_BYTES);
+ memset (a, 0, sizeof (*a));
+ /* Will return the newly allocated ACL index */
+ *acl_list_index = a - am->macip_acls;
+ }
+ else
+ {
+ a = pool_elt_at_index (am->macip_acls, *acl_list_index);
+ if (a->rules)
+ {
+ vec_free (a->rules);
+ }
+ macip_destroy_classify_tables (am, *acl_list_index);
+ }
a->rules = acl_new_rules;
a->count = count;
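Review bot: In the replace branch, `vec_free (a->rules)` and `macip_destroy_classify_tables` run while the ACL may still be bound to interfaces through `am->macip_acl_by_sw_if_index` (the binding is visible at L142-L144), so those interfaces' classifier configuration refers to tables that no longer exist until something re-applies the rebuilt ones. Unless the remainder of `macip_acl_add_list` — outside this hunk — walks `am->macip_acl_by_sw_if_index` and re-applies `*acl_list_index` to every interface that referenced it, replacing an applied MACIP ACL leaves those interfaces with stale table indices and traffic is classified against whatever those indices now mean. I would detach the ACL from its interfaces before the destroy and re-attach after the new tables are created, and record the invariant in a comment such as `/* replacing an applied ACL rebuilds its tables: every interface bound to it must be re-bound below */`.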
/* No point in deleting MACIP ACL which is not applied */
if (~0 == macip_acl_index)
return -1;
- a = &am->macip_acls[macip_acl_index];
+ a = pool_elt_at_index (am->macip_acls, macip_acl_index);
/* remove the classifier tables off the interface L2 ACL */
rv =
vnet_set_input_acl_intfc (am->vlib_main, sw_if_index, a->ip4_table_index,
return -1;
}
void *oldheap = acl_set_heap(am);
- a = &am->macip_acls[macip_acl_index];
+ a = pool_elt_at_index (am->macip_acls, macip_acl_index);
vec_validate_init_empty (am->macip_acl_by_sw_if_index, sw_if_index, ~0);
+ clib_mem_set_heap (oldheap);
/* If there already a MACIP ACL applied, unapply it */
if (~0 != am->macip_acl_by_sw_if_index[sw_if_index])
macip_acl_interface_del_acl(am, sw_if_index);
am->macip_acl_by_sw_if_index[sw_if_index] = macip_acl_index;
- clib_mem_set_heap (oldheap);
/* Apply the classifier tables for L2 ACLs */
rv =
macip_acl_del_list (u32 acl_list_index)
{
acl_main_t *am = &acl_main;
- void *oldheap = acl_set_heap(am);
macip_acl_list_t *a;
int i;
if (pool_is_free_index (am->macip_acls, acl_list_index))
}
}
+ void *oldheap = acl_set_heap(am);
/* Now that classifier tables are detached, clean them up */
macip_destroy_classify_tables (am, acl_list_index);
/* now we can delete the ACL itself */
- a = &am->macip_acls[acl_list_index];
+ a = pool_elt_at_index (am->macip_acls, acl_list_index);
if (a->rules)
{
vec_free (a->rules);
u32 acl_list_index)
{
acl_main_t *am = &acl_main;
- void *oldheap = acl_set_heap(am);
int rv = -1;
if (is_add)
{
{
rv = macip_acl_interface_del_acl (am, sw_if_index);
}
- clib_mem_set_heap (oldheap);
return rv;
}
copy_acl_rule_to_api_rule (&rules[i], &acl->rules[i]);
}
- clib_warning("Sending acl details for ACL index %d", ntohl(mp->acl_index));
clib_mem_set_heap (oldheap);
vl_msg_api_send_shmem (q, (u8 *) & mp);
}
{
acl_index = ntohl (mp->acl_index);
if (!pool_is_free_index (am->acls, acl_index))
- {
- acl = &am->acls[acl_index];
- send_acl_details (am, q, acl, mp->context);
- }
+ {
+ acl = pool_elt_at_index (am->acls, acl_index);
+ send_acl_details (am, q, acl, mp->context);
+ }
}
if (rv == -1)
/* *INDENT-ON* */
}
+static void
+vl_api_macip_acl_add_replace_t_handler (vl_api_macip_acl_add_replace_t * mp)
+{
+ vl_api_macip_acl_add_replace_reply_t *rmp;
+ acl_main_t *am = &acl_main;
+ int rv;
+ u32 acl_list_index = ntohl (mp->acl_index);
+ u32 acl_count = ntohl (mp->count);
+ u32 expected_len = sizeof(*mp) + acl_count*sizeof(mp->r[0]);
+
+ if (verify_message_len(mp, expected_len, "macip_acl_add_replace")) {
+ rv = macip_acl_add_list (acl_count, mp->r, &acl_list_index, mp->tag);
+ } else {
+ rv = VNET_API_ERROR_INVALID_VALUE;
+ }
+
+ /* *INDENT-OFF* */
+ REPLY_MACRO2(VL_API_MACIP_ACL_ADD_REPLACE_REPLY,
+ ({
+ rmp->acl_index = htonl(acl_list_index);
+ }));
+ /* *INDENT-ON* */
+}
+
static void
vl_api_macip_acl_del_t_handler (vl_api_macip_acl_del_t * mp)
{
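Review bot: `expected_len` on the `u32 expected_len = sizeof(*mp) + acl_count*sizeof(mp->r[0]);` line truncates: the product is computed in `size_t`, but storing it into a u32 discards the high bits, so a `count` near 2^32 / sizeof(mp->r[0]) yields an `expected_len` equal to a short message's real length, `verify_message_len` accepts it, and `macip_acl_add_list` then walks `acl_count` rules far past the received buffer. `mp->count` arrives straight off the API shared-memory queue, so this is attacker-controlled input and the length check is the only thing between it and the rule copy loop. Compute the expected length in 64 bits and bound it before the call; `verify_message_len`'s prototype is not in view, and if it takes a u32 the explicit range check below is what keeps the cast honest. The existing `macip_acl_add` handler, not in this hunk, presumably uses the same pattern and deserves the same fix.
```c
  u32 acl_count = ntohl (mp->count);
  /* 64-bit arithmetic: a huge count must not wrap into a plausible length */
  u64 expected_len = sizeof (*mp) + (u64) acl_count * sizeof (mp->r[0]);

  if (expected_len <= 0xffffffffULL
      && verify_message_len (mp, (u32) expected_len, "macip_acl_add_replace"))
    {
      rv = macip_acl_add_list (acl_count, mp->r, &acl_list_index, mp->tag);
    }
  else
    {
      rv = VNET_API_ERROR_INVALID_VALUE;
    }
  /* … unchanged: REPLY_MACRO2 … */
```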
{
u32 acl_index = ntohl (mp->acl_index);
if (!pool_is_free_index (am->macip_acls, acl_index))
- {
- acl = &am->macip_acls[acl_index];
- send_macip_acl_details (am, q, acl, mp->context);
- }
+ {
+ acl = pool_elt_at_index (am->macip_acls, acl_index);
+ send_macip_acl_details (am, q, acl, mp->context);
+ }
}
}
};
/* *INDENT-ON* */
-
+static clib_error_t *
+acl_plugin_config (vlib_main_t * vm, unformat_input_t * input)
+{
+ acl_main_t *am = &acl_main;
+ u32 conn_table_hash_buckets;
+ u32 conn_table_hash_memory_size;
+ u32 conn_table_max_entries;
+ u32 main_heap_size;
+ u32 hash_heap_size;
+ u32 hash_lookup_hash_buckets;
+ u32 hash_lookup_hash_memory;
+
+ while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
+ {
+ if (unformat (input, "connection hash buckets %d", &conn_table_hash_buckets))
+ am->fa_conn_table_hash_num_buckets = conn_table_hash_buckets;
+ else if (unformat (input, "connection hash memory %d",
+ &conn_table_hash_memory_size))
+ am->fa_conn_table_hash_memory_size = conn_table_hash_memory_size;
+ else if (unformat (input, "connection count max %d",
+ &conn_table_max_entries))
+ am->fa_conn_table_max_entries = conn_table_max_entries;
+ else if (unformat (input, "main heap size %d",
+ &main_heap_size))
+ am->acl_mheap_size = main_heap_size;
+ else if (unformat (input, "hash lookup heap size %d",
+ &hash_heap_size))
+ am->hash_lookup_mheap_size = hash_heap_size;
+ else if (unformat (input, "hash lookup hash buckets %d",
+ &hash_lookup_hash_buckets))
+ am->hash_lookup_hash_buckets = hash_lookup_hash_buckets;
+ else if (unformat (input, "hash lookup hash memory %d",
+ &hash_lookup_hash_memory))
+ am->hash_lookup_hash_memory = hash_lookup_hash_memory;
+ else
+ return clib_error_return (0, "unknown input '%U'",
+ format_unformat_error, input);
+ }
+ return 0;
+}
+VLIB_CONFIG_FUNCTION (acl_plugin_config, "acl-plugin");
static clib_error_t *
acl_init (vlib_main_t * vm)
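Review bot: None of the seven values parsed in `acl_plugin_config` is range-checked: `%d` into a `u32` would let `main heap size -1` become roughly 4 GiB and `main heap size 0` flow into `mheap_alloc` through `acl_set_heap`, while bucket counts of 0 reach the hash-table setup with whatever that code does on zero. A single validation after the loop closes this, e.g. `if (am->acl_mheap_size == 0 || am->hash_lookup_mheap_size == 0) return clib_error_return (0, "acl-plugin heap sizes must be non-zero");`, with the same treatment for the bucket and memory counts. Heap and memory sizes in other VPP config sections are usually read with `%U` and `unformat_memory_size` so operators can write `1G`; if that helper is available to this plugin it is the better conversion for the four size knobs. The local temporaries are only read when their `unformat` succeeds, so the missing initializers are harmless, but `u32 conn_table_hash_buckets = 0;` style initialization would spare the next reader that check.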
acl_setup_fa_nodes();
+ am->acl_mheap_size = ACL_FA_DEFAULT_HEAP_SIZE;
+ am->hash_lookup_mheap_size = ACL_PLUGIN_HASH_LOOKUP_HEAP_SIZE;
+
+ am->hash_lookup_hash_buckets = ACL_PLUGIN_HASH_LOOKUP_HASH_BUCKETS;
+ am->hash_lookup_hash_memory = ACL_PLUGIN_HASH_LOOKUP_HASH_MEMORY;
+
am->session_timeout_sec[ACL_TIMEOUT_TCP_TRANSIENT] = TCP_SESSION_TRANSIENT_TIMEOUT_SEC;
am->session_timeout_sec[ACL_TIMEOUT_TCP_IDLE] = TCP_SESSION_IDLE_TIMEOUT_SEC;
am->session_timeout_sec[ACL_TIMEOUT_UDP_IDLE] = UDP_SESSION_IDLE_TIMEOUT_SEC;