/* Some aids in ASCII graphing the content */
#define XX "\377"
#define __ "\000"
-#define DOT1AD "\210\250"
-#define DOT1Q "\201\00"
#define _(x)
#define v
/* *INDENT-OFF* */
u8 dot1q_5tuple_mask[] =
_(" dmac smac dot1q etype ")
- _(ether) __ __ __ __ __ __ v __ __ __ __ __ __ v DOT1Q __ __ v XX XX v
+ _(ether) __ __ __ __ __ __ v __ __ __ __ __ __ v XX XX __ __ v XX XX v
_(padpad) __ __ __ __
_(padpad) __ __ __ __
_(padpad) __ __ __ __
_(padeth) __ __;
u8 dot1ad_5tuple_mask[] =
- _(" dmac smac dot1ad etype ")
- _(ether) __ __ __ __ __ __ v __ __ __ __ __ __ v DOT1AD __ __ DOT1Q __ __ v XX XX v
+ _(" dmac smac dot1ad dot1q etype ")
+ _(ether) __ __ __ __ __ __ v __ __ __ __ __ __ v XX XX __ __ XX XX __ __ v XX XX v
_(padpad) __ __ __ __
_(padpad) __ __ __ __
_(padeth) __ __;
/* *INDENT-ON* */
#undef XX
#undef __
-#undef DOT1AD
-#undef DOT1Q
#undef _
#undef v
}
match = (is_dot1ad) ? dot1ad_5tuple_mask : dot1q_5tuple_mask;
idx = (is_dot1ad) ? 20 : 16;
+ if (is_dot1ad)
+ {
+ /* 802.1ad ethertype */
+ match[12] = 0x88;
+ match[13] = 0xa8;
+ /* 802.1q ethertype */
+ match[16] = 0x81;
+ match[17] = 0x00;
+ }
+ else
+ {
+ /* 802.1q ethertype */
+ match[12] = 0x81;
+ match[13] = 0x00;
+ }
/* add sessions to vlan tables per ethernet_type */
if (is_ip6)
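Review bot: The stores to `match[12]`, `match[13]`, `match[16]` and `match[17]` write into dot1q_5tuple_mask / dot1ad_5tuple_mask themselves, since `match` only points at one of those arrays, so the shared mask holds ethertype values until the later `/* reset the mask back to being a mask */` hunk puts 0xff back. An early exit added between the two sites, or any other reader of the mask in that window, would see a corrupted mask, and a classifier table built from it would match on the wrong bits. Building the match key in a local copy of the mask would remove the need for the reset. At minimum the byte offsets should be documented once so the set and reset sites cannot drift apart, e.g. `/* offset 12: outer tag ethertype; offset 16: inner tag ethertype (802.1ad only) */`. The enclosing function starts and ends outside this hunk.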
}
vnet_classify_add_del_session (cm, table_index, match, next_acl,
session_idx, 0, 0, 0, 1);
- memset (&match[idx], 0x00, 2);
+ /* reset the mask back to being a mask */
+ match[idx] = 0xff;
+ match[idx + 1] = 0xff;
+ match[12] = 0xff;
+ match[13] = 0xff;
+ if (is_dot1ad)
+ {
+ match[16] = 0xff;
+ match[17] = 0xff;
+ }
}
static int
}
}
+static int
+macip_maybe_apply_unapply_classifier_tables (acl_main_t * am, u32 acl_index,
+ int is_apply)
+{
+ int rv = 0;
+ int rv0 = 0;
+ int i;
+ macip_acl_list_t *a = pool_elt_at_index (am->macip_acls, acl_index);
+
+ for (i = 0; i < vec_len (am->macip_acl_by_sw_if_index); i++)
+ if (vec_elt (am->macip_acl_by_sw_if_index, i) == acl_index)
+ {
+ rv0 = vnet_set_input_acl_intfc (am->vlib_main, i, a->ip4_table_index,
+ a->ip6_table_index, a->l2_table_index,
+ is_apply);
+ /* return the first unhappy outcome but make try to plough through. */
+ rv = rv || rv0;
+ }
+ return rv;
+}
+
static int
macip_acl_add_list (u32 count, vl_api_macip_acl_rule_t rules[],
u32 * acl_list_index, u8 * tag)
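Review bot: `rv = rv || rv0;` in macip_maybe_apply_unapply_classifier_tables collapses every failure to 1, so the code returned by vnet_set_input_acl_intfc is lost, which contradicts the comment about returning the first unhappy outcome. Keeping the first non-zero code would match the comment: `if (rv0 && !rv) rv = rv0;`. The comment itself would read better as `/* remember the first failure, but keep going through the remaining interfaces */`. The lookup `pool_elt_at_index (am->macip_acls, acl_index)` also runs without any validity check visible in this hunk, so a short function comment stating that callers must pass the index of an existing MACIP ACL would help.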
macip_acl_rule_t *r;
macip_acl_rule_t *acl_new_rules = 0;
int i;
+ int rv = 0;
if (*acl_list_index != ~0)
{
("acl-plugin-warning: Trying to create empty MACIP ACL (tag %s)",
tag);
}
+ /* if replacing the ACL, unapply the classifier tables first - they will be gone.. */
+ if (~0 != *acl_list_index)
+ rv = macip_maybe_apply_unapply_classifier_tables (am, *acl_list_index, 0);
void *oldheap = acl_set_heap (am);
/* Create and populate the rules */
if (count > 0)
/* Create and populate the classifer tables */
macip_create_classify_tables (am, *acl_list_index);
clib_mem_set_heap (oldheap);
- return 0;
+ /* If the ACL was already applied somewhere, reapply the newly created tables */
+ rv = rv
+ || macip_maybe_apply_unapply_classifier_tables (am, *acl_list_index, 1);
+ return rv;
}
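Review bot: The `rv || macip_maybe_apply_unapply_classifier_tables (am, *acl_list_index, 1)` expression at the end of macip_acl_add_list short-circuits, so if the unapply step added earlier in this function (the `~0 != *acl_list_index` branch) reported a failure on any interface, the newly created tables are never re-attached to any interface. Since the old tables are gone by then, as the added comment says, those interfaces would presumably be left without MACIP filtering while the ACL still appears assigned to them. Calling the reapply unconditionally and merging the results afterwards avoids that: `int rv1 = macip_maybe_apply_unapply_classifier_tables (am, *acl_list_index, 1);` followed by `return rv ? rv : rv1;`. The function body starts outside this hunk, so what sits between the two calls is not fully visible here.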
acl_main_t *am = &acl_main;
u32 acl_index = ~0;
- unformat (input, "index %u", &acl_index);
+ (void) unformat (input, "index %u", &acl_index);
acl_plugin_show_acl (am, acl_index);
return error;
}
+
+static clib_error_t *
+acl_show_aclplugin_decode_5tuple_fn (vlib_main_t * vm,
+ unformat_input_t * input,
+ vlib_cli_command_t * cmd)
+{
+ clib_error_t *error = 0;
+ u64 five_tuple[6] = { 0, 0, 0, 0, 0, 0 };
+
+ if (unformat
+ (input, "%llx %llx %llx %llx %llx %llx", &five_tuple[0], &five_tuple[1],
+ &five_tuple[2], &five_tuple[3], &five_tuple[4], &five_tuple[5]))
+ vlib_cli_output (vm, "5-tuple structure decode: %U\n\n",
+ format_acl_plugin_5tuple, five_tuple);
+ else
+ error = clib_error_return (0, "expecting 6 hex integers");
+ return error;
+}
+
+
static clib_error_t *
acl_show_aclplugin_interface_fn (vlib_main_t * vm,
unformat_input_t * input,
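Review bot: `five_tuple` is a bare `u64[6]` handed to `format_acl_plugin_5tuple` through `%U` in acl_show_aclplugin_decode_5tuple_fn, and nothing here ties those 48 bytes to the size of the structure that formatter reads. If that structure is, or later becomes, larger than six u64 words, the formatter would read past the stack array. A compile-time check next to the declaration would pin the assumption, for example `STATIC_ASSERT (sizeof (five_tuple) == sizeof (fa_5tuple_t), "decode buffer must match 5-tuple size");`, assuming fa_5tuple_t is the type the formatter takes (its definition is outside this hunk). The short_help could also say that the six arguments are 64-bit hex words.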
acl_main_t *am = &acl_main;
u32 sw_if_index = ~0;
- unformat (input, "sw_if_index %u", &sw_if_index);
+ (void) unformat (input, "sw_if_index %u", &sw_if_index);
int show_acl = unformat (input, "acl");
acl_plugin_show_interface (am, sw_if_index, show_acl);
u32 show_bihash_verbose = 0;
u32 show_session_thread_id = ~0;
u32 show_session_session_index = ~0;
- unformat (input, "thread %u index %u", &show_session_thread_id,
- &show_session_session_index);
- unformat (input, "verbose %u", &show_bihash_verbose);
+ (void) unformat (input, "thread %u index %u", &show_session_thread_id,
+ &show_session_session_index);
+ (void) unformat (input, "verbose %u", &show_bihash_verbose);
acl_plugin_show_sessions (am, show_session_thread_id,
show_session_session_index);
.function = acl_show_aclplugin_acl_fn,
};
+VLIB_CLI_COMMAND (aclplugin_show_decode_5tuple_command, static) = {
+ .path = "show acl-plugin decode 5tuple",
+ .short_help = "show acl-plugin decode 5tuple XXXX XXXX XXXX XXXX XXXX XXXX",
+ .function = acl_show_aclplugin_decode_5tuple_fn,
+};
+
VLIB_CLI_COMMAND (aclplugin_show_interface_command, static) = {
.path = "show acl-plugin interface",
.short_help = "show acl-plugin interface [sw_if_index N] [acl]",