#include <vnet/fib/fib_table.h>
#include <vnet/fib/ip4_fib.h>
+source_range_check_main_t source_range_check_main;
+
/**
* @file
* @brief IPv4 Source and Port Range Checking.
check_adj_port_range_x1 (const protocol_port_range_dpo_t * ppr_dpo,
u16 dst_port, u32 next)
{
- u16x8vec_t key;
- u16x8vec_t diff1;
- u16x8vec_t diff2;
- u16x8vec_t sum, sum_equal_diff2;
- u16 sum_nonzero, sum_equal, winner_mask;
+#ifdef CLIB_HAVE_VEC128
+ u16x8 key = u16x8_splat (dst_port);
+#endif
int i;
if (NULL == ppr_dpo || dst_port == 0)
return IP4_SOURCE_AND_PORT_RANGE_CHECK_NEXT_DROP;
- /* Make the obvious screw-case work. A variant also works w/ no MMX */
- if (PREDICT_FALSE (dst_port == 65535))
- {
- int j;
- for (i = 0;
- i < VLIB_BUFFER_PRE_DATA_SIZE / sizeof (protocol_port_range_t);
- i++)
+ for (i = 0; i < ppr_dpo->n_used_blocks; i++)
+#ifdef CLIB_HAVE_VEC128
+ if (!u16x8_is_all_zero ((ppr_dpo->blocks[i].low.as_u16x8 <= key) &
+ (ppr_dpo->blocks[i].hi.as_u16x8 >= key)))
+ return next;
+#else
+ {
+ for (int j = 0; j < 8; j++)
{
- for (j = 0; j < 8; j++)
- if (ppr_dpo->blocks[i].low.as_u16[j] == 65535)
- return next;
+ if ((ppr_dpo->blocks[i].low.as_u16[j] <= dst_port) &&
+ (ppr_dpo->blocks[i].hi.as_u16[j] >= dst_port))
+ return next;
}
- return IP4_SOURCE_AND_PORT_RANGE_CHECK_NEXT_DROP;
- }
+ };
+#endif
- key.as_u16x8 = u16x8_splat (dst_port);
-
- for (i = 0; i < ppr_dpo->n_used_blocks; i++)
- {
- diff1.as_u16x8 =
- u16x8_sub_saturate (ppr_dpo->blocks[i].low.as_u16x8, key.as_u16x8);
- diff2.as_u16x8 =
- u16x8_sub_saturate (ppr_dpo->blocks[i].hi.as_u16x8, key.as_u16x8);
- sum.as_u16x8 = u16x8_add (diff1.as_u16x8, diff2.as_u16x8);
- sum_equal_diff2.as_u16x8 =
- u16x8_is_equal (sum.as_u16x8, diff2.as_u16x8);
- sum_nonzero = ~u16x8_zero_byte_mask (sum.as_u16x8);
- sum_equal = ~u16x8_zero_byte_mask (sum_equal_diff2.as_u16x8);
- winner_mask = sum_nonzero & sum_equal;
- if (winner_mask)
- return next;
- }
return IP4_SOURCE_AND_PORT_RANGE_CHECK_NEXT_DROP;
}
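Review bot: The rewritten match on the vector path (`hi.as_u16x8 >= key`) and the scalar fallback (`hi.as_u16[j] >= dst_port`) treats the upper bound as inclusive, whereas the removed saturating-subtract logic only matched when `hi - key` was non-zero, i.e. `key < hi`; the CLI examples further down (a configured `range 23 - 100` displayed as `23 - 101`) suggest the stored upper bound is exclusive, so the new test would admit one extra port at the top of every configured range — worth confirming against the code that fills `blocks[].hi`, which is not in this diff. If the bound is exclusive, the two comparisons should read `(ppr_dpo->blocks[i].hi.as_u16x8 > key)` and `(ppr_dpo->blocks[i].hi.as_u16[j] > dst_port)`, and a comment such as `/* ranges are [low, hi): hi is exclusive */` above the loop would stop the next reader from re-introducing the off-by-one. The dropped `dst_port == 65535` special case existed because of that same exclusive-bound arithmetic, so a test for the top port of the highest range is advisable either way. The scalar fallback also closes with a stray `};`, leaving an empty statement after the for body. The function's return type and storage qualifiers precede the hunk.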
ip0 = vlib_buffer_get_current (b0);
- c0 = vnet_feature_next_with_data (sw_if_index0, &next0,
- b0, sizeof (c0[0]));
+ c0 = vnet_feature_next_with_data (&next0, b0, sizeof (c0[0]));
/* we can't use the default VRF here... */
for (i = 0; i < IP_SOURCE_AND_PORT_RANGE_CHECK_N_PROTOCOLS; i++)
if this changes can easily make new function
*/
-/* *INDENT-OFF* */
VLIB_REGISTER_NODE (ip4_source_port_and_range_check_rx) = {
.function = ip4_source_and_port_range_check_rx,
.name = "ip4-source-and-port-range-check-rx",
.n_next_nodes = IP4_SOURCE_AND_PORT_RANGE_CHECK_N_NEXT,
.next_nodes = {
- [IP4_SOURCE_AND_PORT_RANGE_CHECK_NEXT_DROP] = "error-drop",
+ [IP4_SOURCE_AND_PORT_RANGE_CHECK_NEXT_DROP] = "ip4-drop",
},
.format_buffer = format_ip4_header,
.format_trace = format_ip4_source_and_port_range_check_trace,
};
-/* *INDENT-ON* */
-/* *INDENT-OFF* */
VLIB_REGISTER_NODE (ip4_source_port_and_range_check_tx) = {
.function = ip4_source_and_port_range_check_tx,
.name = "ip4-source-and-port-range-check-tx",
.n_next_nodes = IP4_SOURCE_AND_PORT_RANGE_CHECK_N_NEXT,
.next_nodes = {
- [IP4_SOURCE_AND_PORT_RANGE_CHECK_NEXT_DROP] = "error-drop",
+ [IP4_SOURCE_AND_PORT_RANGE_CHECK_NEXT_DROP] = "ip4-drop",
},
.format_buffer = format_ip4_header,
.format_trace = format_ip4_source_and_port_range_check_trace,
};
-/* *INDENT-ON* */
int
set_ip_source_and_port_range_check (vlib_main_t * vm,
* Example of graph node before range checking is enabled:
* @cliexstart{show vlib graph ip4-source-and-port-range-check-tx}
* Name Next Previous
- * ip4-source-and-port-range- error-drop [0]
+ * ip4-source-and-port-range- ip4-drop [0]
* @cliexend
*
* Example of how to enable range checking on TX:
- * @cliexcmd{set interface ip source-and-port-range-check GigabitEthernet2/0/0 udp-in-vrf 7}
+ * @cliexcmd{set interface ip source-and-port-range-check GigabitEthernet2/0/0
+ * udp-in-vrf 7}
*
* Example of graph node after range checking is enabled:
* @cliexstart{show vlib graph ip4-source-and-port-range-check-tx}
* Name Next Previous
- * ip4-source-and-port-range- error-drop [0] ip4-rewrite
+ * ip4-source-and-port-range- ip4-drop [0] ip4-rewrite
* interface-output [1]
* @cliexend
*
- * Example of how to display the features enabed on an interface:
+ * Example of how to display the features enabled on an interface:
* @cliexstart{show ip interface features GigabitEthernet2/0/0}
* IP feature paths configured on GigabitEthernet2/0/0...
*
* @cliexend
* @endparblock
?*/
-/* *INDENT-OFF* */
VLIB_CLI_COMMAND (set_interface_ip_source_and_port_range_check_command, static) = {
.path = "set interface ip source-and-port-range-check",
.function = set_ip_source_and_port_range_check_fn,
.short_help = "set interface ip source-and-port-range-check <interface> [tcp-out-vrf <table-id>] [udp-out-vrf <table-id>] [tcp-in-vrf <table-id>] [udp-in-vrf <table-id>] [del]",
};
-/* *INDENT-ON* */
static u8 *
format_ppr_dpo (u8 * s, va_list * args)
protocol_port_range_dpo_t *ppr_dpo;
pool_get_aligned (ppr_dpo_pool, ppr_dpo, CLIB_CACHE_LINE_BYTES);
- memset (ppr_dpo, 0, sizeof (*ppr_dpo));
+ clib_memset (ppr_dpo, 0, sizeof (*ppr_dpo));
ppr_dpo->n_free_ranges = N_PORT_RANGES_PER_DPO;
u16 * low_ports,
u16 * high_ports, int is_add)
{
- uint32_t fib_index;
+ u32 fib_index;
fib_index = fib_table_find (FIB_PROTOCOL_IP4, vrf_id);
* Example of how to delete an IPv4 subnet and range of ports from an IPv4 FIB table:
* @cliexcmd{set ip source-and-port-range-check vrf 7 172.16.1.0/24 range 23 - 100 del}
?*/
-/* *INDENT-OFF* */
VLIB_CLI_COMMAND (ip_source_and_port_range_check_command, static) = {
.path = "set ip source-and-port-range-check",
.function = ip_source_and_port_range_check_command_fn,
.short_help =
"set ip source-and-port-range-check vrf <table-id> <ip-addr>/<mask> {port nn | range <nn> - <nn>} [del]",
};
-/* *INDENT-ON* */
static clib_error_t *
* @cliexstart{show ip source-and-port-range-check vrf 7 172.16.2.0}
* 172.16.2.0: 23 - 101
* @cliexend
- * Example of how to test to determine of a given Pv4 address and port
+ * Example of how to test to determine of a given iPv4 address and port
* are being validated:
* @cliexstart{show ip source-and-port-range-check vrf 7 172.16.2.2 port 23}
* 172.16.2.2 port 23 PASS
* 172.16.2.2 port 250 FAIL
* @cliexend
?*/
-/* *INDENT-OFF* */
VLIB_CLI_COMMAND (show_source_and_port_range_check, static) = {
.path = "show ip source-and-port-range-check",
.function = show_source_and_port_range_check_fn,
.short_help =
"show ip source-and-port-range-check vrf <table-id> <ip-addr> [port <n>]",
};
-/* *INDENT-ON* */
/*
* fd.io coding-style-patch-verification: ON