u32 * r_rule_match_p, u32 * trace_bitmap)
{
int i;
- acl_list_t *a;
acl_rule_t *r;
+ acl_rule_t *acl_rules;
if (pool_is_free_index (am->acls, acl_index))
{
/* the ACL does not exist but is used for policy. Block traffic. */
return 0;
}
- a = am->acls + acl_index;
- for (i = 0; i < a->count; i++)
+ acl_rules = am->acls[acl_index].rules;
+ for (i = 0; i < vec_len(acl_rules); i++)
{
- r = a->rules + i;
+ r = &acl_rules[i];
if (is_ip6 != r->is_ipv6)
{
continue;
}
+always_inline int
+acl_plugin_match_5tuple_inline_and_count (void *p_acl_main, u32 lc_index,
+ fa_5tuple_opaque_t * pkt_5tuple,
+ int is_ip6, u8 * r_action,
+ u32 * r_acl_pos_p,
+ u32 * r_acl_match_p,
+ u32 * r_rule_match_p,
+ u32 * trace_bitmap,
+ u32 packet_size)
+{
+ acl_main_t *am = p_acl_main;
+ int ret = 0;
+ fa_5tuple_t * pkt_5tuple_internal = (fa_5tuple_t *)pkt_5tuple;
+ pkt_5tuple_internal->pkt.lc_index = lc_index;
+ if (PREDICT_TRUE(am->use_hash_acl_matching)) {
+ if (PREDICT_FALSE(pkt_5tuple_internal->pkt.is_nonfirst_fragment)) {
+ /*
+ * tuplemerge does not take fragments into account,
+ * and in general making fragments first class citizens has
+ * proved more overhead than it's worth - so just fall back to linear
+ * matching in that case.
+ */
+ ret = linear_multi_acl_match_5tuple(p_acl_main, lc_index, pkt_5tuple_internal, is_ip6, r_action,
+ r_acl_pos_p, r_acl_match_p, r_rule_match_p, trace_bitmap);
+ } else {
+ ret = hash_multi_acl_match_5tuple(p_acl_main, lc_index, pkt_5tuple_internal, is_ip6, r_action,
+ r_acl_pos_p, r_acl_match_p, r_rule_match_p, trace_bitmap);
+ }
+ } else {
+ ret = linear_multi_acl_match_5tuple(p_acl_main, lc_index, pkt_5tuple_internal, is_ip6, r_action,
+ r_acl_pos_p, r_acl_match_p, r_rule_match_p, trace_bitmap);
+ }
+ if (PREDICT_TRUE(ret)) {
+ u16 thread_index = os_get_thread_index ();
+ vlib_increment_combined_counter(am->combined_acl_counters + *r_acl_match_p, thread_index, *r_rule_match_p, 1, packet_size);
+ }
+ return ret;
+}
+
+
+
#endif
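Review bot: The counter update at the end of `acl_plugin_match_5tuple_inline_and_count` dereferences `r_acl_match_p` and `r_rule_match_p` and uses them as indices into `am->combined_acl_counters`, with no check visible in this hunk. That is only safe if every matcher sets both out-values on a non-zero return and the counter vector is resized before an added or replaced ACL becomes visible to the workers. Neither is shown here, so a stale or short counter vector would presumably turn a rule match into an out-of-bounds write on the data path. I would state that invariant in a comment above the function and add a debug guard before the increment, e.g. `ASSERT (*r_acl_match_p < vec_len (am->combined_acl_counters));`. The doc comment should also say that callers must pass non-NULL out-pointers and that `pkt_5tuple` is modified (`pkt.lc_index` is overwritten).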