#include <plugins/acl/acl.h>
#include <plugins/acl/fa_node.h>
-#include <plugins/acl/public_inlines.h>
#include <vlib/unix/plugin.h>
+#include <plugins/acl/public_inlines.h>
#include "hash_lookup.h"
#include "elog_acl_trace.h"
/* check if a given ACL exists */
-u8 acl_plugin_acl_exists (u32 acl_index);
+static u8
+acl_plugin_acl_exists (u32 acl_index)
+{
+ acl_main_t *am = &acl_main;
+
+ if (pool_is_free_index (am->acls, acl_index))
+ return 0;
+
+ return 1;
+}
+
static u32 get_acl_user_id(acl_main_t *am, char *user_module_name, char *val1_label, char *val2_label)
{
* so you can identify yourself when creating the lookup contexts.
*/
-u32 acl_plugin_register_user_module (char *user_module_name, char *val1_label, char *val2_label)
+static u32 acl_plugin_register_user_module (char *user_module_name, char *val1_label, char *val2_label)
{
acl_main_t *am = &acl_main;
+ void *oldheap = acl_plugin_set_heap();
u32 user_id = get_acl_user_id(am, user_module_name, val1_label, val2_label);
+ clib_mem_set_heap (oldheap);
return user_id;
}
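Review bot: The `acl_plugin_set_heap()` / `clib_mem_set_heap (oldheap)` pair added around `get_acl_user_id` has no comment saying why the heap is switched or that every exit path must restore it. The same bare pair is added in acl_plugin_get_lookup_context_index and acl_plugin_put_lookup_context_index. In all three the switch sits after the early-return checks, which is correct today, but a `return` added later between the two calls would leave the calling plugin allocating from the ACL heap. I would put `/* allocations below must come from the ACL plugin heap; restore the caller's heap on every exit path */` above each switch, or give these functions the single-exit `goto done` shape that acl_plugin_set_acl_vec_for_context already uses.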
* If >= 0 - context id. If < 0 - error code.
*/
-int acl_plugin_get_lookup_context_index (u32 acl_user_id, u32 val1, u32 val2)
+static int acl_plugin_get_lookup_context_index (u32 acl_user_id, u32 val1, u32 val2)
{
acl_main_t *am = &acl_main;
acl_lookup_context_t *acontext;
if (!acl_user_id_valid(am, acl_user_id))
return VNET_API_ERROR_INVALID_REGISTRATION;
+ void *oldheap = acl_plugin_set_heap ();
+
+
pool_get(am->acl_lookup_contexts, acontext);
acontext->acl_indices = 0;
acontext->context_user_id = acl_user_id;
u32 new_context_id = acontext - am->acl_lookup_contexts;
vec_add1(am->acl_users[acl_user_id].lookup_contexts, new_context_id);
+
+ clib_mem_set_heap (oldheap);
return new_context_id;
}
* Release the lookup context index and destroy
* any asssociated data structures.
*/
-void acl_plugin_put_lookup_context_index (u32 lc_index)
+static void acl_plugin_put_lookup_context_index (u32 lc_index)
{
acl_main_t *am = &acl_main;
+
elog_acl_cond_trace_X1(am, (am->trace_acl), "LOOKUP-CONTEXT: put-context lc_index %d", "i4", lc_index);
if (!acl_lc_index_valid(am, lc_index)) {
clib_warning("BUG: lc_index %d is not valid", lc_index);
return;
}
+
+ void *oldheap = acl_plugin_set_heap ();
acl_lookup_context_t *acontext = pool_elt_at_index(am->acl_lookup_contexts, lc_index);
u32 index = vec_search(am->acl_users[acontext->context_user_id].lookup_contexts, lc_index);
unlock_acl_vec(lc_index, acontext->acl_indices);
vec_free(acontext->acl_indices);
pool_put(am->acl_lookup_contexts, acontext);
+ clib_mem_set_heap (oldheap);
}
/*
* Prepare the sequential vector of ACL#s to lookup within a given context.
* Any existing list will be overwritten. acl_list is a vector.
*/
-int acl_plugin_set_acl_vec_for_context (u32 lc_index, u32 *acl_list)
+static int acl_plugin_set_acl_vec_for_context (u32 lc_index, u32 *acl_list)
{
+ int rv = 0;
+ uword *seen_acl_bitmap = 0;
+ u32 *pacln = 0;
acl_main_t *am = &acl_main;
acl_lookup_context_t *acontext;
if (am->trace_acl) {
clib_warning("BUG: lc_index %d is not valid", lc_index);
return -1;
}
+ void *oldheap = acl_plugin_set_heap ();
+
+ vec_foreach (pacln, acl_list)
+ {
+ if (pool_is_free_index (am->acls, *pacln))
+ {
+ /* ACL is not defined. Can not apply */
+ clib_warning ("ERROR: ACL %d not defined", *pacln);
+ rv = VNET_API_ERROR_NO_SUCH_ENTRY;
+ goto done;
+ }
+ if (clib_bitmap_get (seen_acl_bitmap, *pacln))
+ {
+ /* ACL being applied twice within the list. error. */
+ clib_warning ("ERROR: ACL %d being applied twice", *pacln);
+ rv = VNET_API_ERROR_ENTRY_ALREADY_EXISTS;
+ goto done;
+ }
+ seen_acl_bitmap = clib_bitmap_set (seen_acl_bitmap, *pacln, 1);
+ }
+
acontext = pool_elt_at_index(am->acl_lookup_contexts, lc_index);
u32 *old_acl_vector = acontext->acl_indices;
acontext->acl_indices = vec_dup(acl_list);
apply_acl_vec(lc_index, acontext->acl_indices);
vec_free(old_acl_vector);
- return 0;
+
+done:
+ clib_bitmap_free (seen_acl_bitmap);
+ clib_mem_set_heap (oldheap);
+ return rv;
}
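Review bot: The two new failure paths in the `vec_foreach` loop return `VNET_API_ERROR_NO_SUCH_ENTRY` and `VNET_API_ERROR_ENTRY_ALREADY_EXISTS`, while the invalid-`lc_index` path just above still returns a bare `-1`. A caller therefore cannot treat every failure as an API error code; that path should return a `VNET_API_ERROR_*` value too, or the function comment should list both conventions. The lines around that early return look incomplete on this page, so this is judged from what is visible. `*pacln` is a `u32`, but both new warnings print it with `%d`; `clib_warning ("ERROR: ACL %u not defined", *pacln);` matches the type. The existence test at the top of the loop repeats the body of the new acl_plugin_acl_exists(), so `if (!acl_plugin_acl_exists (*pacln))` would keep a single definition of "ACL exists".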
/* Fill the 5-tuple from the packet */
-void acl_plugin_fill_5tuple (u32 lc_index, vlib_buffer_t * b0, int is_ip6, int is_input,
+static void acl_plugin_fill_5tuple (u32 lc_index, vlib_buffer_t * b0, int is_ip6, int is_input,
int is_l2_path, fa_5tuple_opaque_t * p5tuple_pkt)
{
- acl_plugin_fill_5tuple_inline(lc_index, b0, is_ip6, is_input, is_l2_path, p5tuple_pkt);
+ acl_plugin_fill_5tuple_inline(&acl_main, lc_index, b0, is_ip6, is_input, is_l2_path, p5tuple_pkt);
}
-int acl_plugin_match_5tuple (u32 lc_index,
+static int acl_plugin_match_5tuple (u32 lc_index,
fa_5tuple_opaque_t * pkt_5tuple,
int is_ip6, u8 * r_action,
u32 * r_acl_pos_p,
u32 * r_rule_match_p,
u32 * trace_bitmap)
{
- return acl_plugin_match_5tuple_inline (lc_index, pkt_5tuple, is_ip6, r_action, r_acl_pos_p, r_acl_match_p, r_rule_match_p, trace_bitmap);
+ return acl_plugin_match_5tuple_inline (&acl_main, lc_index, pkt_5tuple, is_ip6, r_action, r_acl_pos_p, r_acl_match_p, r_rule_match_p, trace_bitmap);
}
}
}));
}
+
+void *
+acl_plugin_get_p_acl_main(void)
+{
+ return &acl_main;
+}
+
+clib_error_t *acl_plugin_methods_vtable_init(acl_plugin_methods_t *m)
+{
+ m->p_acl_main = &acl_main;
+#define _(name) m->name = acl_plugin_ ## name;
+ foreach_acl_plugin_exported_method_name
+#undef _
+ return 0;
+}
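Review bot: `acl_plugin_get_p_acl_main` and the `m->p_acl_main = &acl_main;` assignment give every consumer plugin a writable, untyped pointer to the whole ACL state, and neither function has a comment saying what callers may do with it. The exported methods in this file switch to the ACL heap before touching pools and vectors, so a consumer that modifies state through this pointer would bypass that. Presumably the pointer exists only so the `*_inline` lookup helpers can be passed `&acl_main`; if so, say it with `/* p_acl_main is for the inline lookup path only; change ACL state through the exported methods */`, and return `acl_main_t *` instead of `void *` if the consumers' headers allow it. `acl_plugin_methods_vtable_init` also dereferences `m` unchecked and always returns 0, which its doc comment should state as the contract.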