_(acl_interface_add_del_reply) \
_(macip_acl_interface_add_del_reply) \
_(acl_interface_set_acl_list_reply) \
+_(acl_interface_set_etype_whitelist_reply) \
_(macip_acl_del_reply)
#define foreach_reply_retval_aclindex_handler \
vam->result_ready = 1;
}
+static void vl_api_acl_interface_etype_whitelist_details_t_handler
+ (vl_api_acl_interface_etype_whitelist_details_t * mp)
+ {
+ int i;
+ vat_main_t * vam = acl_test_main.vat_main;
+ u8 *out = 0;
+ vl_api_acl_interface_etype_whitelist_details_t_endian(mp);
+ out = format(out, "sw_if_index: %d, count: %d, n_input: %d\n", mp->sw_if_index, mp->count, mp->n_input);
+ out = format(out, " input ");
+ for(i=0; i<mp->count; i++) {
+ if (i == mp->n_input)
+ out = format(out, "\n output ");
+ out = format(out, "%04x ", ntohs(mp->whitelist[i]));
+ }
+ out = format(out, "\n");
+ clib_warning("%s", out);
+ vec_free(out);
+ vam->result_ready = 1;
+ }
+
+
static inline u8 *
vl_api_acl_rule_t_pretty_format (u8 *out, vl_api_acl_rule_t * a)
_(ACL_DEL_REPLY, acl_del_reply) \
_(ACL_INTERFACE_ADD_DEL_REPLY, acl_interface_add_del_reply) \
_(ACL_INTERFACE_SET_ACL_LIST_REPLY, acl_interface_set_acl_list_reply) \
+_(ACL_INTERFACE_SET_ETYPE_WHITELIST_REPLY, acl_interface_set_etype_whitelist_reply) \
+_(ACL_INTERFACE_ETYPE_WHITELIST_DETAILS, acl_interface_etype_whitelist_details) \
_(ACL_INTERFACE_LIST_DETAILS, acl_interface_list_details) \
_(ACL_DETAILS, acl_details) \
_(MACIP_ACL_ADD_REPLY, macip_acl_add_reply) \
vam->result_ready = 0;
mp = vl_msg_api_alloc_as_if_client(msg_size);
- memset (mp, 0, msg_size);
+ clib_memset (mp, 0, msg_size);
mp->_vl_msg_id = ntohs (VL_API_ACL_PLUGIN_GET_VERSION + sm->msg_id_base);
mp->client_index = vam->my_client_index;
vam->result_ready = 0;
mp = vl_msg_api_alloc_as_if_client(msg_size);
- memset (mp, 0, msg_size);
+ clib_memset (mp, 0, msg_size);
mp->_vl_msg_id = ntohs (VL_API_MACIP_ACL_INTERFACE_GET + sm->msg_id_base);
mp->client_index = vam->my_client_index;
msg_size += n_rules*sizeof(rules[0]);
mp = vl_msg_api_alloc_as_if_client(msg_size);
- memset (mp, 0, msg_size);
+ clib_memset (mp, 0, msg_size);
mp->_vl_msg_id = ntohs (VL_API_ACL_ADD_REPLACE + sm->msg_id_base);
mp->client_index = vam->my_client_index;
if ((n_rules > 0) && rules)
return ret;
}
+
+/*
+ * Read the series of ACL entries from file in the following format:
+ *
+
+@0.0.0.0/1 131.179.121.0/24 0 : 65535 0 : 65535 0x00/0x00 0x0000/0x0000
+@128.0.0.0/1 85.54.226.0/23 0 : 65535 0 : 65535 0x00/0x00 0x0000/0x0000
+@128.0.0.0/1 85.54.48.0/23 0 : 65535 0 : 65535 0x00/0x00 0x0000/0x0000
+@128.0.0.0/1 31.237.44.0/23 0 : 65535 0 : 65535 0x00/0x00 0x0000/0x0000
+@0.0.0.0/1 255.84.184.0/23 0 : 65535 0 : 65535 0x00/0x00 0x0000/0x0000
+@132.92.0.0/16 0.0.0.0/0 0 : 65535 0 : 65535 0x01/0xFF 0x0000/0x0000
+
+ *
+ */
+
+static int
+api_acl_add_replace_from_file (vat_main_t * vam)
+{
+ int ret = -1;
+ unformat_input_t * input = vam->input;
+ acl_test_main_t * sm = &acl_test_main;
+ vl_api_acl_add_replace_t * mp;
+ u32 acl_index = ~0;
+ u32 msg_size = sizeof (*mp); /* without the rules */
+
+ vl_api_acl_rule_t *rules = 0;
+ int rule_idx = -1;
+ int n_rules = 0;
+ int is_permit = 0;
+ int append_default_permit = 0;
+ u32 tcpflags = 0, tcpmask = 0;
+ ip4_address_t src_v4address, dst_v4address;
+ int fd = -1;
+
+ char *file_name = NULL;
+ unformat_input_t file_input;
+
+ while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
+ {
+ if (unformat (input, "filename %s", &file_name))
+ {
+ /* we will use this later */
+ }
+ else if (unformat (input, "acl-index %d", &acl_index))
+ {
+ /* we will try to replace an existing ACL */
+ }
+ else if (unformat (input, "permit+reflect"))
+ {
+ is_permit = 2;
+ }
+ else if (unformat (input, "permit"))
+ {
+ is_permit = 1;
+ }
+ else if (unformat (input, "append-default-permit"))
+ {
+ append_default_permit = 1;
+ }
+ else
+ break;
+ }
+
+ fd = open(file_name, O_RDONLY);
+ if (fd < 0)
+ {
+ clib_warning("Could not open file '%s'");
+ goto done;
+ }
+
+ /* input from file */
+ input = &file_input;
+ unformat_init_clib_file(input, fd);
+
+ unsigned sport_low, sport_high, dport_low, dport_high;
+ unsigned proto, protomask;
+ u32 src_prefix_length, dst_prefix_length;
+ u32 unused1, unused2;
+
+ while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
+ {
+ if (!unformat(input, "@%U/%d\t%U/%d\t%d : %d\t%d : %d\t0x%x/0x%x\t0x%x/0x%x",
+ unformat_ip4_address, &src_v4address, &src_prefix_length,
+ unformat_ip4_address, &dst_v4address, &dst_prefix_length,
+ &sport_low, &sport_high, &dport_low, &dport_high, &proto, &protomask, &unused1, &unused2)) {
+ clib_warning("Error parsing");
+ break;
+ }
+
+ rule_idx++;
+ vec_validate_acl_rules(rules, rule_idx);
+
+ rules[rule_idx].is_ipv6 = 0;
+ rules[rule_idx].is_permit = is_permit;
+ memcpy (rules[rule_idx].src_ip_addr, &src_v4address, 4);
+ rules[rule_idx].src_ip_prefix_len = src_prefix_length;
+ memcpy (rules[rule_idx].dst_ip_addr, &dst_v4address, 4);
+ rules[rule_idx].dst_ip_prefix_len = dst_prefix_length;
+ rules[rule_idx].srcport_or_icmptype_first = htons(sport_low);
+ rules[rule_idx].srcport_or_icmptype_last = htons(sport_high);
+ rules[rule_idx].dstport_or_icmpcode_first = htons(dport_low);
+ rules[rule_idx].dstport_or_icmpcode_last = htons(dport_high);
+ rules[rule_idx].tcp_flags_value = tcpflags;
+ rules[rule_idx].tcp_flags_mask = tcpmask;
+ rules[rule_idx].proto = proto;
+
+ }
+
+ if (append_default_permit) {
+ rule_idx++;
+ vec_validate_acl_rules(rules, rule_idx);
+
+ rules[rule_idx].is_ipv6 = 0;
+ rules[rule_idx].is_permit = is_permit == 2 ? 2 : 1;
+
+ src_v4address.data[0]=0;
+ src_v4address.data[1]=0;
+ src_v4address.data[2]=0;
+ src_v4address.data[3]=0;
+ memcpy (rules[rule_idx].src_ip_addr, &src_v4address, 4);
+ rules[rule_idx].src_ip_prefix_len = 0;
+
+ dst_v4address.data[0]=0;
+ dst_v4address.data[1]=0;
+ dst_v4address.data[2]=0;
+ dst_v4address.data[3]=0;
+ memcpy (rules[rule_idx].dst_ip_addr, &dst_v4address, 4);
+ rules[rule_idx].dst_ip_prefix_len = 0;
+
+ rules[rule_idx].srcport_or_icmptype_first = htons(0);
+ rules[rule_idx].srcport_or_icmptype_last = htons(65535);
+ rules[rule_idx].dstport_or_icmpcode_first = htons(0);
+ rules[rule_idx].dstport_or_icmpcode_last = htons(65535);
+ rules[rule_idx].tcp_flags_value = 0;
+ rules[rule_idx].tcp_flags_mask = 0;
+ rules[rule_idx].proto = 0;
+ }
+
+ /* Construct the API message */
+
+ vam->result_ready = 0;
+
+ n_rules = vec_len(rules);
+
+ msg_size += n_rules*sizeof(rules[0]);
+
+ mp = vl_msg_api_alloc_as_if_client(msg_size);
+ clib_memset (mp, 0, msg_size);
+ mp->_vl_msg_id = ntohs (VL_API_ACL_ADD_REPLACE + sm->msg_id_base);
+ mp->client_index = vam->my_client_index;
+ if (n_rules > 0)
+ clib_memcpy(mp->r, rules, n_rules*sizeof (vl_api_acl_rule_t));
+ mp->acl_index = ntohl(acl_index);
+ mp->count = htonl(n_rules);
+
+ /* send it... */
+ S(mp);
+
+ /* Wait for a reply... */
+ W (ret);
+done:
+ if (fd > 0)
+ close (fd);
+ vec_free(file_name);
+
+ return ret;
+}
+
+
static int api_acl_del (vat_main_t * vam)
{
unformat_input_t * i = vam->input;
return ret;
}
+static int api_acl_interface_set_etype_whitelist (vat_main_t * vam)
+{
+ unformat_input_t * i = vam->input;
+ vl_api_acl_interface_set_etype_whitelist_t * mp;
+ u32 sw_if_index = ~0;
+ u32 ethertype = ~0;
+ u16 *etypes_in = 0;
+ u16 *etypes_out = 0;
+ u8 is_input = 1;
+ int ret;
+
+// acl_interface_set_etype_whitelist <intfc> | sw_if_index <if-idx> input [ethertype list] output [ethertype list]
+
+ /* Parse args required to build the message */
+ while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
+ if (unformat (i, "%U", unformat_sw_if_index, vam, &sw_if_index))
+ ;
+ else if (unformat (i, "sw_if_index %d", &sw_if_index))
+ ;
+ else if (unformat (i, "%x", ðertype))
+ {
+ ethertype = ethertype & 0xffff;
+ if(is_input)
+ vec_add1(etypes_in, htons(ethertype));
+ else
+ vec_add1(etypes_out, htons(ethertype));
+ }
+ else if (unformat (i, "input"))
+ is_input = 1;
+ else if (unformat (i, "output"))
+ is_input = 0;
+ else
+ break;
+ }
+
+ if (sw_if_index == ~0) {
+ errmsg ("missing interface name / explicit sw_if_index number \n");
+ return -99;
+ }
+
+ /* Construct the API message */
+ M2(ACL_INTERFACE_SET_ETYPE_WHITELIST, mp, sizeof(u32) * (vec_len(etypes_in) + vec_len(etypes_out)));
+ mp->sw_if_index = ntohl(sw_if_index);
+ mp->n_input = vec_len(etypes_in);
+ mp->count = vec_len(etypes_in) + vec_len(etypes_out);
+ vec_append(etypes_in, etypes_out);
+ if (vec_len(etypes_in) > 0)
+ clib_memcpy(mp->whitelist, etypes_in, vec_len(etypes_in)*sizeof(etypes_in[0]));
+
+ /* send it... */
+ S(mp);
+
+ /* Wait for a reply... */
+ W (ret);
+ return ret;
+}
+
static void
api_acl_send_control_ping(vat_main_t *vam)
{
return ret;
}
+static int api_acl_interface_etype_whitelist_dump (vat_main_t * vam)
+{
+ unformat_input_t * i = vam->input;
+ u32 sw_if_index = ~0;
+ vl_api_acl_interface_etype_whitelist_dump_t * mp;
+ int ret;
+
+ /* Parse args required to build the message */
+ while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
+ if (unformat (i, "%U", unformat_sw_if_index, vam, &sw_if_index))
+ ;
+ else if (unformat (i, "sw_if_index %d", &sw_if_index))
+ ;
+ else
+ break;
+ }
+
+ /* Construct the API message */
+ M(ACL_INTERFACE_ETYPE_WHITELIST_DUMP, mp);
+ mp->sw_if_index = ntohl (sw_if_index);
+
+ /* send it... */
+ S(mp);
+
+ /* Use control ping for synchronization */
+ api_acl_send_control_ping(vam);
+
+ /* Wait for a reply... */
+ W (ret);
+ return ret;
+}
+
+
#define vec_validate_macip_acl_rules(v, idx) \
do { \
if (vec_len(v) < idx+1) { \
msg_size += n_rules*sizeof(rules[0]);
mp = vl_msg_api_alloc_as_if_client(msg_size);
- memset (mp, 0, msg_size);
+ clib_memset (mp, 0, msg_size);
mp->_vl_msg_id = ntohs (VL_API_MACIP_ACL_ADD + sm->msg_id_base);
mp->client_index = vam->my_client_index;
if ((n_rules > 0) && rules)
msg_size += n_rules*sizeof(rules[0]);
mp = vl_msg_api_alloc_as_if_client(msg_size);
- memset (mp, 0, msg_size);
+ clib_memset (mp, 0, msg_size);
mp->_vl_msg_id = ntohs (VL_API_MACIP_ACL_ADD_REPLACE + sm->msg_id_base);
mp->client_index = vam->my_client_index;
if ((n_rules > 0) && rules)
#define foreach_vpe_api_msg \
_(acl_plugin_get_version, "") \
_(acl_add_replace, "<acl-idx> [<ipv4|ipv6> <permit|permit+reflect|deny|action N> [src IP/plen] [dst IP/plen] [sport X-Y] [dport X-Y] [proto P] [tcpflags FL MASK], ... , ...") \
+_(acl_add_replace_from_file, "filename <file> [permit] [append-default-permit]") \
_(acl_del, "<acl-idx>") \
_(acl_dump, "[<acl-idx>]") \
_(acl_interface_add_del, "<intfc> | sw_if_index <if-idx> [add|del] [input|output] acl <acl-idx>") \
_(acl_interface_set_acl_list, "<intfc> | sw_if_index <if-idx> input [acl-idx list] output [acl-idx list]") \
+_(acl_interface_set_etype_whitelist, "<intfc> | sw_if_index <if-idx> input [ethertype list] output [ethertype list]") \
+_(acl_interface_etype_whitelist_dump, "[<intfc> | sw_if_index <if-idx>]") \
_(acl_interface_list_dump, "[<intfc> | sw_if_index <if-idx>]") \
_(macip_acl_add, "...") \
_(macip_acl_add_replace, "<acl-idx> [<ipv4|ipv6> <permit|deny|action N> [count <count>] [src] ip <ipaddress/[plen]> mac <mac> mask <mac_mask>, ... , ...") \