classifier-based ACL: refactor + add output ACL

[vpp.git] / src / vnet / ip / ip4_forward.c

diff --git a/src/vnet/ip/ip4_forward.c b/src/vnet/ip/ip4_forward.c
index 3ddf6df..a0f3a4b 100755 (executable)
--- a/src/vnet/ip/ip4_forward.c
+++ b/src/vnet/ip/ip4_forward.c
@@ -1121,6 +1121,13 @@ VNET_FEATURE_INIT (ip4_source_and_port_range_check_tx, static) =
 {
   .arc_name = "ip4-output",
   .node_name = "ip4-source-and-port-range-check-tx",
+  .runs_before = VNET_FEATURES ("ip4-outacl"),
+};
+
+VNET_FEATURE_INIT (ip4_outacl, static) =
+{
+  .arc_name = "ip4-output",
+  .node_name = "ip4-outacl",
   .runs_before = VNET_FEATURES ("ipsec-output-ip4"),
 };
 
@@ -1582,8 +1589,12 @@ ip4_local_inline (vlib_main_t * vm,
 
          /* Treat IP frag packets as "experimental" protocol for now
             until support of IP frag reassembly is implemented */
-         proto0 = ip4_is_fragment (ip0) ? 0xfe : ip0->protocol;
-         proto1 = ip4_is_fragment (ip1) ? 0xfe : ip1->protocol;
+         proto0 =
+           ip4_is_fragment (ip0) ? IP_PROTOCOL_VPP_FRAGMENTATION :
+           ip0->protocol;
+         proto1 =
+           ip4_is_fragment (ip1) ? IP_PROTOCOL_VPP_FRAGMENTATION :
+           ip1->protocol;
 
          if (head_of_feature_arc == 0)
            goto skip_checks;
@@ -1748,7 +1759,9 @@ ip4_local_inline (vlib_main_t * vm,
 
          /* Treat IP frag packets as "experimental" protocol for now
             until support of IP frag reassembly is implemented */
-         proto0 = ip4_is_fragment (ip0) ? 0xfe : ip0->protocol;
+         proto0 =
+           ip4_is_fragment (ip0) ? IP_PROTOCOL_VPP_FRAGMENTATION :
+           ip0->protocol;
 
          if (head_of_feature_arc == 0 || p0->flags & VNET_BUFFER_F_IS_NATED)
            goto skip_check;
@@ -1839,6 +1852,7 @@ VLIB_REGISTER_NODE (ip4_local_node) =
     [IP_LOCAL_NEXT_PUNT] = "ip4-punt",
     [IP_LOCAL_NEXT_UDP_LOOKUP] = "ip4-udp-lookup",
     [IP_LOCAL_NEXT_ICMP] = "ip4-icmp-input",
+    [IP_LOCAL_NEXT_REASSEMBLY] = "ip4-reassembly",
   },
 };
 /* *INDENT-ON* */