X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fplugins%2Facl%2Facl.c;h=57940fcccd784cb161021a3ca935f06b083fa3d1;hb=refs%2Fchanges%2F40%2F11340%2F2;hp=314380bcf8f944fd8e69bdb620ac5c2bba415109;hpb=94f9a6de3f706243d138e05b63fef1d5c8174f6c;p=vpp.git
diff --git a/src/plugins/acl/acl.c b/src/plugins/acl/acl.c
index 314380bcf8f..57940fcccd7 100644
--- a/src/plugins/acl/acl.c
+++ b/src/plugins/acl/acl.c
@@ -129,6 +129,13 @@ acl_set_heap (acl_main_t * am)
 return oldheap;
 }
+void *
+acl_plugin_set_heap ()
+{
+ acl_main_t *am = &acl_main;
+ return acl_set_heap (am);
+}
+
 void acl_plugin_acl_set_validate_heap (acl_main_t * am, int on)
 {
@@ -2156,8 +2163,12 @@ macip_acl_add_list (u32 count, vl_api_macip_acl_rule_t rules[],
 return rv;
 }
-
-/* No check for validity of sw_if_index - the callers were supposed to validate */
+/* No check that sw_if_index denotes a valid interface - the callers
+ * were supposed to validate.
+ *
+ * That said, if sw_if_index corresponds to an interface that exists at all,
+ * this function must return errors accordingly if the ACL is not applied.
+ */
 static int macip_acl_interface_del_acl (acl_main_t * am, u32 sw_if_index)
@@ -2166,16 +2177,15 @@ macip_acl_interface_del_acl (acl_main_t * am, u32 sw_if_index)
 u32 macip_acl_index;
 macip_acl_list_t *a;
+ /* The vector is too short - MACIP ACL is not applied */
+ if (sw_if_index >= vec_len (am->macip_acl_by_sw_if_index))
+ return VNET_API_ERROR_NO_SUCH_ENTRY;
+
 macip_acl_index = am->macip_acl_by_sw_if_index[sw_if_index];
 /* No point in deleting MACIP ACL which is not applied */
 if (~0 == macip_acl_index) return VNET_API_ERROR_NO_SUCH_ENTRY;
- void *oldheap = acl_set_heap (am);
- vec_validate_init_empty (am->macip_acl_by_sw_if_index, sw_if_index, ~0);
- vec_validate_init_empty (am->sw_if_index_vec_by_macip_acl, macip_acl_index,
- ~0);
- clib_mem_set_heap (oldheap);
 a = pool_elt_at_index (am->macip_acls, macip_acl_index);
 /* remove the classifier tables off the interface L2 ACL */
 rv =
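Review bot: The new `acl_plugin_set_heap ()` is declared with an empty parameter list, which in C leaves the arguments unspecified rather than declaring that there are none; `acl_plugin_set_heap (void)` lets the compiler reject stray arguments. The function is also added without a comment, and its contract is easy to misuse: judging by the `acl_set_heap (am)` / `clib_mem_set_heap (oldheap)` pairing visible elsewhere in this diff, it switches the current heap and returns the previous one. I would add `/* Switch to the ACL plugin heap; returns the previous heap, which the caller must restore with clib_mem_set_heap () */` above it so external callers do not leave the plugin heap active.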
@@ -2187,7 +2197,11 @@ macip_acl_interface_del_acl (acl_main_t * am, u32 sw_if_index)
 a->out_l2_table_index, 0);
 /* Unset the MACIP ACL index */
 am->macip_acl_by_sw_if_index[sw_if_index] = ~0;
- am->sw_if_index_vec_by_macip_acl[macip_acl_index] = ~0;
+ /* macip_acl_interface_add_acl did a vec_add1() to this previously, so [sw_if_index] should be valid */
+ u32 index = vec_search (am->sw_if_index_vec_by_macip_acl[macip_acl_index],
+ sw_if_index);
+ if (index != ~0)
+ vec_del1 (am->sw_if_index_vec_by_macip_acl[macip_acl_index], index);
 return rv;
 }
@@ -2206,14 +2220,13 @@ macip_acl_interface_add_acl (acl_main_t * am, u32 sw_if_index,
 void *oldheap = acl_set_heap (am);
 a = pool_elt_at_index (am->macip_acls, macip_acl_index);
 vec_validate_init_empty (am->macip_acl_by_sw_if_index, sw_if_index, ~0);
- vec_validate_init_empty (am->sw_if_index_vec_by_macip_acl, macip_acl_index,
- ~0);
+ vec_validate (am->sw_if_index_vec_by_macip_acl, macip_acl_index);
+ vec_add1 (am->sw_if_index_vec_by_macip_acl[macip_acl_index], sw_if_index);
 clib_mem_set_heap (oldheap);
 /* If there already a MACIP ACL applied, unapply it */
 if (~0 != am->macip_acl_by_sw_if_index[sw_if_index]) macip_acl_interface_del_acl (am, sw_if_index);
 am->macip_acl_by_sw_if_index[sw_if_index] = macip_acl_index;
- am->sw_if_index_vec_by_macip_acl[macip_acl_index] = sw_if_index;
 /* Apply the classifier tables for L2 ACLs */
 rv =
@@ -3404,8 +3417,10 @@ acl_show_aclplugin_macip_acl_fn (vlib_main_t * vm,
 macip_acl_print (am, i);
 if (i < vec_len (am->sw_if_index_vec_by_macip_acl)) {
- vlib_cli_output (vm, " applied on sw_if_index: %d\n",
- vec_elt (am->sw_if_index_vec_by_macip_acl, i));
+ vlib_cli_output (vm, " applied on sw_if_index(s): %U\n",
+ format_vec32,
+ vec_elt (am->sw_if_index_vec_by_macip_acl, i),
+ "%d");
 }
 }
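Review bot: The added `vec_search`/`vec_del1` lines index `am->sw_if_index_vec_by_macip_acl[macip_acl_index]` with no length check, and the `vec_validate_init_empty` that used to make the outer vector long enough is removed from this function in the preceding hunk. The access is in bounds only while every non-~0 entry of `macip_acl_by_sw_if_index` was written by `macip_acl_interface_add_acl` after its `vec_validate`; I would state that invariant with `ASSERT (macip_acl_index < vec_len (am->sw_if_index_vec_by_macip_acl));` before the search. The new comment also names the wrong index: the outer vector is indexed by the ACL, so `[sw_if_index]` should read `[macip_acl_index]`. The function body starts outside this hunk.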
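Review bot: `vec_add1 (am->sw_if_index_vec_by_macip_acl[macip_acl_index], sw_if_index)` runs before the unapply call and before the classifier tables are applied, so the reverse mapping is updated ahead of every step that can fail. When the same MACIP ACL is re-applied to an interface, the vector briefly holds `sw_if_index` twice and depends on `macip_acl_interface_del_acl` removing exactly one copy, and that call's return value is discarded. If the table setup after `rv =` fails, the entry appears to stay recorded; the rest of the function is outside the hunk, so any rollback cannot be seen here. I would move the `vec_add1` to after the unapply (inside its own `acl_set_heap`/`clib_mem_set_heap` pair), or at least add a comment stating the ordering dependency.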