X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fplugins%2Facl%2Facl_test.c;h=a35f050fcba77d77890ee4fbbaf3ae6f78c3c5f6;hb=492a5d0bd;hp=a0e413e16da77a30cc42d0093469fb462ea7d4d7;hpb=cb034b9b374927c7552e36dcbc306d8456b2a0cb;p=vpp.git diff --git a/src/plugins/acl/acl_test.c b/src/plugins/acl/acl_test.c index a0e413e16da..a35f050fcba 100644 --- a/src/plugins/acl/acl_test.c +++ b/src/plugins/acl/acl_test.c @@ -21,36 +21,24 @@ #include #include #include -#include #include #include #include +#define __plugin_msg_base acl_test_main.msg_id_base +#include + uword unformat_sw_if_index (unformat_input_t * input, va_list * args); /* Declare message IDs */ -#include - -/* define message structures */ -#define vl_typedefs -#include -#undef vl_typedefs - -/* define message structures */ -#define vl_endianfun -#include -#undef vl_endianfun - -/* instantiate all the print functions we know about */ +#include +#include #define vl_print(handle, ...) -#define vl_printfun -#include -#undef vl_printfun - -/* Get the API version number. */ -#define vl_api_version(n,v) static u32 api_version=(v); -#include -#undef vl_api_version +#include +#undef vl_print +#define vl_endianfun /* define message structures */ +#include +#undef vl_endianfun typedef struct { /* API message ID base */ 
@@ -60,32 +48,10 @@ typedef struct { acl_test_main_t acl_test_main; -#define foreach_standard_reply_retval_handler \ -_(acl_del_reply) \ -_(acl_interface_add_del_reply) \ -_(macip_acl_interface_add_del_reply) \ -_(acl_interface_set_acl_list_reply) \ -_(macip_acl_del_reply) - #define foreach_reply_retval_aclindex_handler \ _(acl_add_replace_reply) \ -_(macip_acl_add_reply) - -#define _(n) \ - static void vl_api_##n##_t_handler \ - (vl_api_##n##_t * mp) \ - { \ - vat_main_t * vam = acl_test_main.vat_main; \ - i32 retval = ntohl(mp->retval); \ - if (vam->async_mode) { \ - vam->async_errors += (retval < 0); \ - } else { \ - vam->retval = retval; \ - vam->result_ready = 1; \ - } \ - } -foreach_standard_reply_retval_handler; -#undef _ +_(macip_acl_add_reply) \ +_(macip_acl_add_replace_reply) #define _(n) \ static void vl_api_##n##_t_handler \ 
@@ -141,9 +107,36 @@ static void vl_api_acl_interface_list_details_t_handler out = format(out, "sw_if_index: %d, count: %d, n_input: %d\n", mp->sw_if_index, mp->count, mp->n_input); out = format(out, " input "); for(i=0; icount; i++) { - out = format(out, "%d ", mp->acls[i]); - if (i == mp->n_input-1) + if (i == mp->n_input) + out = format(out, "\n output "); + out = format(out, "%d ", ntohl (mp->acls[i])); + } + out = format(out, "\n"); + clib_warning("%s", out); + vec_free(out); + vam->result_ready = 1; + } + +static void vl_api_macip_acl_interface_list_details_t_handler +(vl_api_macip_acl_interface_list_details_t * mp) +{ + // NOT YET IMPLEMENTED +} + + +static void vl_api_acl_interface_etype_whitelist_details_t_handler + (vl_api_acl_interface_etype_whitelist_details_t * mp) + { + int i; + vat_main_t * vam = acl_test_main.vat_main; + u8 *out = 0; + vl_api_acl_interface_etype_whitelist_details_t_endian(mp); + out = format(out, "sw_if_index: %d, count: %d, n_input: %d\n", mp->sw_if_index, mp->count, mp->n_input); + out = format(out, " input "); + for(i=0; icount; i++) { + if (i == mp->n_input) out = format(out, "\n output "); + out = format(out, "%04x ", ntohs(mp->whitelist[i])); } out = format(out, "\n"); clib_warning("%s", out); @@ -151,6 +144,14 @@ static void vl_api_acl_interface_list_details_t_handler vam->result_ready = 1; } +static void vl_api_acl_plugin_get_conn_table_max_entries_reply_t_handler + (vl_api_acl_plugin_get_conn_table_max_entries_reply_t * mp) + { + vat_main_t * vam = acl_test_main.vat_main; + clib_warning("\nConn table max entries: %d", + __bswap_64(mp->conn_table_max_entries) ); + vam->result_ready = 1; + } static inline u8 * vl_api_acl_rule_t_pretty_format (u8 *out, vl_api_acl_rule_t * a) 
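Review bot: In vl_api_acl_plugin_get_conn_table_max_entries_reply_t_handler the 64-bit result of `__bswap_64(mp->conn_table_max_entries)` is passed to a `%d` conversion, so the argument width does not match the format and the printed value can be wrong. `__bswap_64` is also a glibc-internal macro that swaps unconditionally, which would give the wrong result on a big-endian host. Something like `clib_warning ("\nConn table max entries: %llu", (unsigned long long) clib_net_to_host_u64 (mp->conn_table_max_entries));` avoids both, assuming the field is a u64 as the 64-bit swap implies.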
@@ -161,14 +162,14 @@ vl_api_acl_rule_t_pretty_format (u8 *out, vl_api_acl_rule_t * a) inet_ntop(af, a->src_ip_addr, (void *)src, sizeof(src)); inet_ntop(af, a->dst_ip_addr, (void *)dst, sizeof(dst)); - out = format(out, "%s action %d src %s/%d dst %s/%d proto %d sport %d-%d dport %d-%d tcpflags %d %d", + out = format(out, "%s action %d src %s/%d dst %s/%d proto %d sport %d-%d dport %d-%d tcpflags %d mask %d", a->is_ipv6 ? "ipv6" : "ipv4", a->is_permit, src, a->src_ip_prefix_len, dst, a->dst_ip_prefix_len, a->proto, a->srcport_or_icmptype_first, a->srcport_or_icmptype_last, a->dstport_or_icmpcode_first, a->dstport_or_icmpcode_last, - a->tcp_flags_mask, a->tcp_flags_value); + a->tcp_flags_value, a->tcp_flags_mask); return(out); } 
@@ -240,81 +241,41 @@ static void vl_api_macip_acl_interface_get_reply_t_handler vam->result_ready = 1; } - -/* - * Table of message reply handlers, must include boilerplate handlers - * we just generated - */ -#define foreach_vpe_api_reply_msg \ -_(ACL_ADD_REPLACE_REPLY, acl_add_replace_reply) \ -_(ACL_DEL_REPLY, acl_del_reply) \ -_(ACL_INTERFACE_ADD_DEL_REPLY, acl_interface_add_del_reply) \ -_(ACL_INTERFACE_SET_ACL_LIST_REPLY, acl_interface_set_acl_list_reply) \ -_(ACL_INTERFACE_LIST_DETAILS, acl_interface_list_details) \ -_(ACL_DETAILS, acl_details) \ -_(MACIP_ACL_ADD_REPLY, macip_acl_add_reply) \ -_(MACIP_ACL_DEL_REPLY, macip_acl_del_reply) \ -_(MACIP_ACL_DETAILS, macip_acl_details) \ -_(MACIP_ACL_INTERFACE_ADD_DEL_REPLY, macip_acl_interface_add_del_reply) \ -_(MACIP_ACL_INTERFACE_GET_REPLY, macip_acl_interface_get_reply) \ -_(ACL_PLUGIN_GET_VERSION_REPLY, acl_plugin_get_version_reply) - -/* M: construct, but don't yet send a message */ - -#define M(T,t) \ -do { \ - vam->result_ready = 0; \ - mp = vl_msg_api_alloc(sizeof(*mp)); \ - memset (mp, 0, sizeof (*mp)); \ - mp->_vl_msg_id = ntohs (VL_API_##T + sm->msg_id_base); \ - mp->client_index = vam->my_client_index; \ -} while(0); - -#define M2(T,t,n) \ -do { \ - vam->result_ready = 0; \ - mp = vl_msg_api_alloc(sizeof(*mp)+(n)); \ - memset (mp, 0, sizeof (*mp)); \ - mp->_vl_msg_id = ntohs (VL_API_##T + sm->msg_id_base); \ - mp->client_index = vam->my_client_index; \ -} while(0); - -/* S: send a message */ -#define S (vl_msg_api_send_shmem (vam->vl_input_queue, (u8 *)&mp)) - -/* W: wait for results, with timeout */ -#define W \ -do { \ - timeout = vat_time_now (vam) + 1.0; \ - \ - while (vat_time_now (vam) < timeout) { \ - if (vam->result_ready == 1) { \ - return (vam->retval); \ - } \ - } \ - return -99; \ -} while(0); +static void vl_api_acl_plugin_control_ping_reply_t_handler + (vl_api_acl_plugin_control_ping_reply_t * mp) +{ + vat_main_t *vam = &vat_main; + i32 retval = ntohl (mp->retval); + if 
(vam->async_mode) + { + vam->async_errors += (retval < 0); + } + else + { + vam->retval = retval; + vam->result_ready = 1; + } +} static int api_acl_plugin_get_version (vat_main_t * vam) { acl_test_main_t * sm = &acl_test_main; vl_api_acl_plugin_get_version_t * mp; u32 msg_size = sizeof(*mp); - f64 timeout; + int ret; vam->result_ready = 0; mp = vl_msg_api_alloc_as_if_client(msg_size); - memset (mp, 0, msg_size); + clib_memset (mp, 0, msg_size); mp->_vl_msg_id = ntohs (VL_API_ACL_PLUGIN_GET_VERSION + sm->msg_id_base); mp->client_index = vam->my_client_index; /* send it... */ - S; + S(mp); /* Wait for a reply... */ - W; - - return 0; + W (ret); + return ret; } static int api_macip_acl_interface_get (vat_main_t * vam) @@ -322,21 +283,20 @@ static int api_macip_acl_interface_get (vat_main_t * vam) acl_test_main_t * sm = &acl_test_main; vl_api_acl_plugin_get_version_t * mp; u32 msg_size = sizeof(*mp); - f64 timeout; + int ret; vam->result_ready = 0; mp = vl_msg_api_alloc_as_if_client(msg_size); - memset (mp, 0, msg_size); + clib_memset (mp, 0, msg_size); mp->_vl_msg_id = ntohs (VL_API_MACIP_ACL_INTERFACE_GET + sm->msg_id_base); mp->client_index = vam->my_client_index; /* send it... */ - S; + S(mp); /* Wait for a reply... */ - W; - - return 0; + W (ret); + return ret; } #define vec_validate_acl_rules(v, idx) \ @@ -350,11 +310,20 @@ static int api_macip_acl_interface_get (vat_main_t * vam) } while (0) +/* NOT YET IMPLEMENTED */ +static int api_acl_plugin_control_ping (vat_main_t * vam) +{ + return 0; +} +static int api_macip_acl_interface_list_dump (vat_main_t * vam) +{ + return 0; +} + static int api_acl_add_replace (vat_main_t * vam) { acl_test_main_t * sm = &acl_test_main; unformat_input_t * i = vam->input; - f64 timeout; vl_api_acl_add_replace_t * mp; u32 acl_index = ~0; u32 msg_size = sizeof (*mp); /* without the rules */ 
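Review bot: api_macip_acl_interface_get still declares `vl_api_acl_plugin_get_version_t * mp` and sizes the allocation from it, while the id written into the message is `VL_API_MACIP_ACL_INTERFACE_GET`. This only works while both messages happen to have the same layout; declaring `vl_api_macip_acl_interface_get_t * mp;` ties the size to the message actually sent. The same mismatch is visible in api_macip_acl_del (`vl_api_acl_del_t` with `M(MACIP_ACL_DEL, mp)`) and api_macip_acl_dump (`vl_api_acl_dump_t` with `M(MACIP_ACL_DUMP, mp)`), where it matters more if M derives the allocation size from `*mp`, which is not visible here.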
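Review bot: The two stubs added under `/* NOT YET IMPLEMENTED */`, api_acl_plugin_control_ping and api_macip_acl_interface_list_dump, return 0, so a script that invokes them sees success although nothing was sent. Returning an error with a message, for example `errmsg ("not implemented\n"); return -99;`, matches the other failure paths in this file and makes the gap visible to callers.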
@@ -362,6 +331,7 @@ static int api_acl_add_replace (vat_main_t * vam) vl_api_acl_rule_t *rules = 0; int rule_idx = 0; int n_rules = 0; + int n_rules_override = -1; u32 proto = 0; u32 port1 = 0; u32 port2 = 0; @@ -371,6 +341,7 @@ static int api_acl_add_replace (vat_main_t * vam) ip4_address_t src_v4address, dst_v4address; ip6_address_t src_v6address, dst_v6address; u8 *tag = 0; + int ret; if (!unformat (i, "%d", &acl_index)) { /* Just assume -1 */ @@ -398,6 +369,15 @@ static int api_acl_add_replace (vat_main_t * vam) vec_validate_acl_rules(rules, rule_idx); rules[rule_idx].is_permit = 1; } + else if (unformat (i, "deny")) + { + vec_validate_acl_rules(rules, rule_idx); + rules[rule_idx].is_permit = 0; + } + else if (unformat (i, "count %d", &n_rules_override)) + { + /* we will use this later */ + } else if (unformat (i, "action %d", &action)) { vec_validate_acl_rules(rules, rule_idx); @@ -465,6 +445,12 @@ static int api_acl_add_replace (vat_main_t * vam) rules[rule_idx].tcp_flags_value = tcpflags; rules[rule_idx].tcp_flags_mask = tcpmask; } + else if (unformat (i, "tcpflags %d mask %d", &tcpflags, &tcpmask)) + { + vec_validate_acl_rules(rules, rule_idx); + rules[rule_idx].tcp_flags_value = tcpflags; + rules[rule_idx].tcp_flags_mask = tcpmask; + } else if (unformat (i, "proto %d", &proto)) { vec_validate_acl_rules(rules, rule_idx); @@ -490,13 +476,16 @@ static int api_acl_add_replace (vat_main_t * vam) else n_rules = 0; + if (n_rules_override >= 0) + n_rules = n_rules_override; + msg_size += n_rules*sizeof(rules[0]); mp = vl_msg_api_alloc_as_if_client(msg_size); - memset (mp, 0, msg_size); + clib_memset (mp, 0, msg_size); mp->_vl_msg_id = ntohs (VL_API_ACL_ADD_REPLACE + sm->msg_id_base); mp->client_index = vam->my_client_index; - if (n_rules > 0) + if ((n_rules > 0) && rules) clib_memcpy(mp->r, rules, n_rules*sizeof (vl_api_acl_rule_t)); if (tag) { 
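Review bot: With the new `count %d` option, `n_rules_override` replaces `n_rules` before `clib_memcpy(mp->r, rules, n_rules*sizeof (vl_api_acl_rule_t))`, so a count larger than `vec_len(rules)` reads past the end of the rules vector and copies adjacent heap contents into the API message; the added `&& rules` test only covers the empty case. If the option is meant to send a deliberately mismatched `count`, keep `mp->count` as given but bound the copy, e.g. `clib_memcpy(mp->r, rules, clib_min (n_rules, vec_len (rules)) * sizeof (rules[0]));`. A very large count also wraps the u32 `msg_size`, so an upper limit on the override is worth adding. api_macip_acl_add and api_macip_acl_add_replace repeat the same pattern; api_acl_add_replace itself begins and ends outside this hunk.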
@@ -512,19 +501,239 @@ static int api_acl_add_replace (vat_main_t * vam) mp->count = htonl(n_rules); /* send it... */ - S; + S(mp); /* Wait for a reply... */ - W; + W (ret); + return ret; } -static int api_acl_del (vat_main_t * vam) +static int api_acl_plugin_get_conn_table_max_entries (vat_main_t * vam) +{ + acl_test_main_t * sm = &acl_test_main; + vl_api_acl_plugin_get_conn_table_max_entries_t * mp; + u32 msg_size = sizeof(*mp); + int ret; + + vam->result_ready = 0; + mp = vl_msg_api_alloc_as_if_client(msg_size); + memset (mp, 0, msg_size); + mp->_vl_msg_id = ntohs (VL_API_ACL_PLUGIN_GET_CONN_TABLE_MAX_ENTRIES + sm->msg_id_base); + mp->client_index = vam->my_client_index; + + /* send it... */ + S(mp); + + /* Wait for a reply... */ + W (ret); + return ret; +} + +static int api_acl_stats_intf_counters_enable (vat_main_t * vam) { acl_test_main_t * sm = &acl_test_main; unformat_input_t * i = vam->input; - f64 timeout; + vl_api_acl_stats_intf_counters_enable_t * mp; + u32 msg_size = sizeof(*mp); + int ret; + + vam->result_ready = 0; + mp = vl_msg_api_alloc_as_if_client(msg_size); + memset (mp, 0, msg_size); + mp->_vl_msg_id = ntohs (VL_API_ACL_STATS_INTF_COUNTERS_ENABLE + sm->msg_id_base); + mp->client_index = vam->my_client_index; + mp->enable = 1; + + while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) { + if (unformat (i, "disable")) + mp->enable = 0; + else + break; + } + + /* send it... */ + S(mp); + + /* Wait for a reply... 
*/ + W (ret); + return ret; +} + + +/* + * Read the series of ACL entries from file in the following format: + * + +@0.0.0.0/1 131.179.121.0/24 0 : 65535 0 : 65535 0x00/0x00 0x0000/0x0000 +@128.0.0.0/1 85.54.226.0/23 0 : 65535 0 : 65535 0x00/0x00 0x0000/0x0000 +@128.0.0.0/1 85.54.48.0/23 0 : 65535 0 : 65535 0x00/0x00 0x0000/0x0000 +@128.0.0.0/1 31.237.44.0/23 0 : 65535 0 : 65535 0x00/0x00 0x0000/0x0000 +@0.0.0.0/1 255.84.184.0/23 0 : 65535 0 : 65535 0x00/0x00 0x0000/0x0000 +@132.92.0.0/16 0.0.0.0/0 0 : 65535 0 : 65535 0x01/0xFF 0x0000/0x0000 + + * + */ + +static int +api_acl_add_replace_from_file (vat_main_t * vam) +{ + int ret = -1; + unformat_input_t * input = vam->input; + acl_test_main_t * sm = &acl_test_main; + vl_api_acl_add_replace_t * mp; + u32 acl_index = ~0; + u32 msg_size = sizeof (*mp); /* without the rules */ + + vl_api_acl_rule_t *rules = 0; + int rule_idx = -1; + int n_rules = 0; + int is_permit = 0; + int append_default_permit = 0; + u32 tcpflags = 0, tcpmask = 0; + ip4_address_t src_v4address, dst_v4address; + int fd = -1; + + char *file_name = NULL; + unformat_input_t file_input; + + while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT) + { + if (unformat (input, "filename %s", &file_name)) + { + /* we will use this later */ + } + else if (unformat (input, "acl-index %d", &acl_index)) + { + /* we will try to replace an existing ACL */ + } + else if (unformat (input, "permit+reflect")) + { + is_permit = 2; + } + else if (unformat (input, "permit")) + { + is_permit = 1; + } + else if (unformat (input, "append-default-permit")) + { + append_default_permit = 1; + } + else + break; + } + + fd = open(file_name, O_RDONLY); + if (fd < 0) + { + clib_warning("Could not open file '%s'"); + goto done; + } + + /* input from file */ + input = &file_input; + unformat_init_clib_file(input, fd); + + unsigned sport_low, sport_high, dport_low, dport_high; + unsigned proto, protomask; + u32 src_prefix_length, dst_prefix_length; + u32 unused1, unused2; + + 
while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT) + { + if (!unformat(input, "@%U/%d\t%U/%d\t%d : %d\t%d : %d\t0x%x/0x%x\t0x%x/0x%x", + unformat_ip4_address, &src_v4address, &src_prefix_length, + unformat_ip4_address, &dst_v4address, &dst_prefix_length, + &sport_low, &sport_high, &dport_low, &dport_high, &proto, &protomask, &unused1, &unused2)) { + clib_warning("Error parsing"); + break; + } + + rule_idx++; + vec_validate_acl_rules(rules, rule_idx); + + rules[rule_idx].is_ipv6 = 0; + rules[rule_idx].is_permit = is_permit; + memcpy (rules[rule_idx].src_ip_addr, &src_v4address, 4); + rules[rule_idx].src_ip_prefix_len = src_prefix_length; + memcpy (rules[rule_idx].dst_ip_addr, &dst_v4address, 4); + rules[rule_idx].dst_ip_prefix_len = dst_prefix_length; + rules[rule_idx].srcport_or_icmptype_first = htons(sport_low); + rules[rule_idx].srcport_or_icmptype_last = htons(sport_high); + rules[rule_idx].dstport_or_icmpcode_first = htons(dport_low); + rules[rule_idx].dstport_or_icmpcode_last = htons(dport_high); + rules[rule_idx].tcp_flags_value = tcpflags; + rules[rule_idx].tcp_flags_mask = tcpmask; + rules[rule_idx].proto = proto; + + } + + if (append_default_permit) { + rule_idx++; + vec_validate_acl_rules(rules, rule_idx); + + rules[rule_idx].is_ipv6 = 0; + rules[rule_idx].is_permit = is_permit == 2 ? 
2 : 1; + + src_v4address.data[0]=0; + src_v4address.data[1]=0; + src_v4address.data[2]=0; + src_v4address.data[3]=0; + memcpy (rules[rule_idx].src_ip_addr, &src_v4address, 4); + rules[rule_idx].src_ip_prefix_len = 0; + + dst_v4address.data[0]=0; + dst_v4address.data[1]=0; + dst_v4address.data[2]=0; + dst_v4address.data[3]=0; + memcpy (rules[rule_idx].dst_ip_addr, &dst_v4address, 4); + rules[rule_idx].dst_ip_prefix_len = 0; + + rules[rule_idx].srcport_or_icmptype_first = htons(0); + rules[rule_idx].srcport_or_icmptype_last = htons(65535); + rules[rule_idx].dstport_or_icmpcode_first = htons(0); + rules[rule_idx].dstport_or_icmpcode_last = htons(65535); + rules[rule_idx].tcp_flags_value = 0; + rules[rule_idx].tcp_flags_mask = 0; + rules[rule_idx].proto = 0; + } + + /* Construct the API message */ + + vam->result_ready = 0; + + n_rules = vec_len(rules); + + msg_size += n_rules*sizeof(rules[0]); + + mp = vl_msg_api_alloc_as_if_client(msg_size); + clib_memset (mp, 0, msg_size); + mp->_vl_msg_id = ntohs (VL_API_ACL_ADD_REPLACE + sm->msg_id_base); + mp->client_index = vam->my_client_index; + if (n_rules > 0) + clib_memcpy(mp->r, rules, n_rules*sizeof (vl_api_acl_rule_t)); + mp->acl_index = ntohl(acl_index); + mp->count = htonl(n_rules); + + /* send it... */ + S(mp); + + /* Wait for a reply... */ + W (ret); +done: + if (fd > 0) + close (fd); + vec_free(file_name); + + return ret; +} + + +static int api_acl_del (vat_main_t * vam) +{ + unformat_input_t * i = vam->input; vl_api_acl_del_t * mp; u32 acl_index = ~0; + int ret; if (!unformat (i, "%d", &acl_index)) { errmsg ("missing acl index\n"); 
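Review bot: The open-failure path in api_acl_add_replace_from_file calls `clib_warning("Could not open file '%s'")` with no argument for `%s`, so the formatter reads an unspecified vararg, and `file_name` is still NULL at the `open` call when no `filename` option was given. The cleanup at `done:` tests `fd > 0`, which skips a valid descriptor 0, and the `rules` vector is never freed. Separately, a parse error only breaks out of the loop, so a truncated rule set is still sent, and with `append-default-permit` it ends in a permit-all rule; failing the command on a parse error looks safer. The fence shows the open and cleanup changes only.

```c
  /* … unchanged: option parsing … */
  if (file_name == NULL)
    {
      errmsg ("filename required\n");
      goto done;
    }
  fd = open(file_name, O_RDONLY);
  if (fd < 0)
    {
      clib_warning("Could not open file '%s'", file_name);
      goto done;
    }
  /* … unchanged: rule parsing, message construction, S(mp), W (ret) … */
done:
  if (fd >= 0)
    close (fd);
  vec_free(rules);
```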
@@ -532,23 +741,23 @@ static int api_acl_del (vat_main_t * vam) } /* Construct the API message */ - M(ACL_DEL, acl_del); + M(ACL_DEL, mp); mp->acl_index = ntohl(acl_index); /* send it... */ - S; + S(mp); /* Wait for a reply... */ - W; + W (ret); + return ret; } static int api_macip_acl_del (vat_main_t * vam) { - acl_test_main_t * sm = &acl_test_main; unformat_input_t * i = vam->input; - f64 timeout; vl_api_acl_del_t * mp; u32 acl_index = ~0; + int ret; if (!unformat (i, "%d", &acl_index)) { errmsg ("missing acl index\n"); @@ -556,26 +765,26 @@ static int api_macip_acl_del (vat_main_t * vam) } /* Construct the API message */ - M(MACIP_ACL_DEL, acl_del); + M(MACIP_ACL_DEL, mp); mp->acl_index = ntohl(acl_index); /* send it... */ - S; + S(mp); /* Wait for a reply... */ - W; + W (ret); + return ret; } static int api_acl_interface_add_del (vat_main_t * vam) { - acl_test_main_t * sm = &acl_test_main; unformat_input_t * i = vam->input; - f64 timeout; vl_api_acl_interface_add_del_t * mp; u32 sw_if_index = ~0; u32 acl_index = ~0; u8 is_input = 0; u8 is_add = 0; + int ret; // acl_interface_add_del | sw_if_index acl_index [out] [del] @@ -621,28 +830,28 @@ static int api_acl_interface_add_del (vat_main_t * vam) /* Construct the API message */ - M(ACL_INTERFACE_ADD_DEL, acl_interface_add_del); + M(ACL_INTERFACE_ADD_DEL, mp); mp->acl_index = ntohl(acl_index); mp->sw_if_index = ntohl(sw_if_index); mp->is_add = is_add; mp->is_input = is_input; /* send it... */ - S; + S(mp); /* Wait for a reply... */ - W; + W (ret); + return ret; } static int api_macip_acl_interface_add_del (vat_main_t * vam) { - acl_test_main_t * sm = &acl_test_main; unformat_input_t * i = vam->input; - f64 timeout; vl_api_macip_acl_interface_add_del_t * mp; u32 sw_if_index = ~0; u32 acl_index = ~0; u8 is_add = 0; + int ret; /* Parse args required to build the message */ while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) { 
@@ -673,29 +882,29 @@ static int api_macip_acl_interface_add_del (vat_main_t * vam) /* Construct the API message */ - M(MACIP_ACL_INTERFACE_ADD_DEL, macip_acl_interface_add_del); + M(MACIP_ACL_INTERFACE_ADD_DEL, mp); mp->acl_index = ntohl(acl_index); mp->sw_if_index = ntohl(sw_if_index); mp->is_add = is_add; /* send it... */ - S; + S(mp); /* Wait for a reply... */ - W; + W (ret); + return ret; } static int api_acl_interface_set_acl_list (vat_main_t * vam) { - acl_test_main_t * sm = &acl_test_main; unformat_input_t * i = vam->input; - f64 timeout; vl_api_acl_interface_set_acl_list_t * mp; u32 sw_if_index = ~0; u32 acl_index = ~0; u32 *inacls = 0; u32 *outacls = 0; u8 is_input = 0; + int ret; // acl_interface_set_acl_list | sw_if_index input [acl-idx list] output [acl-idx list] @@ -728,7 +937,7 @@ static int api_acl_interface_set_acl_list (vat_main_t * vam) } /* Construct the API message */ - M2(ACL_INTERFACE_SET_ACL_LIST, acl_interface_set_acl_list, sizeof(u32) * (vec_len(inacls) + vec_len(outacls))); + M2(ACL_INTERFACE_SET_ACL_LIST, mp, sizeof(u32) * (vec_len(inacls) + vec_len(outacls))); mp->sw_if_index = ntohl(sw_if_index); mp->n_input = vec_len(inacls); mp->count = vec_len(inacls) + vec_len(outacls); 
@@ -737,20 +946,86 @@ static int api_acl_interface_set_acl_list (vat_main_t * vam) clib_memcpy(mp->acls, inacls, vec_len(inacls)*sizeof(u32)); /* send it... */ - S; + S(mp); + + /* Wait for a reply... */ + W (ret); + return ret; +} + +static int api_acl_interface_set_etype_whitelist (vat_main_t * vam) +{ + unformat_input_t * i = vam->input; + vl_api_acl_interface_set_etype_whitelist_t * mp; + u32 sw_if_index = ~0; + u32 ethertype = ~0; + u16 *etypes_in = 0; + u16 *etypes_out = 0; + u8 is_input = 1; + int ret; + +// acl_interface_set_etype_whitelist | sw_if_index input [ethertype list] output [ethertype list] + + /* Parse args required to build the message */ + while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) { + if (unformat (i, "%U", unformat_sw_if_index, vam, &sw_if_index)) + ; + else if (unformat (i, "sw_if_index %d", &sw_if_index)) + ; + else if (unformat (i, "%x", ðertype)) + { + ethertype = ethertype & 0xffff; + if(is_input) + vec_add1(etypes_in, htons(ethertype)); + else + vec_add1(etypes_out, htons(ethertype)); + } + else if (unformat (i, "input")) + is_input = 1; + else if (unformat (i, "output")) + is_input = 0; + else + break; + } + + if (sw_if_index == ~0) { + errmsg ("missing interface name / explicit sw_if_index number \n"); + return -99; + } + + /* Construct the API message */ + M2(ACL_INTERFACE_SET_ETYPE_WHITELIST, mp, sizeof(u32) * (vec_len(etypes_in) + vec_len(etypes_out))); + mp->sw_if_index = ntohl(sw_if_index); + mp->n_input = vec_len(etypes_in); + mp->count = vec_len(etypes_in) + vec_len(etypes_out); + vec_append(etypes_in, etypes_out); + if (vec_len(etypes_in) > 0) + clib_memcpy(mp->whitelist, etypes_in, vec_len(etypes_in)*sizeof(etypes_in[0])); + + /* send it... */ + S(mp); /* Wait for a reply... 
*/ - W; + W (ret); + return ret; +} + +static void +api_acl_send_control_ping(vat_main_t *vam) +{ + vl_api_acl_plugin_control_ping_t *mp_ping; + + M(ACL_PLUGIN_CONTROL_PING, mp_ping); + S(mp_ping); } static int api_acl_interface_list_dump (vat_main_t * vam) { - acl_test_main_t * sm = &acl_test_main; unformat_input_t * i = vam->input; - f64 timeout; u32 sw_if_index = ~0; vl_api_acl_interface_list_dump_t * mp; + int ret; /* Parse args required to build the message */ while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) { @@ -763,23 +1038,26 @@ static int api_acl_interface_list_dump (vat_main_t * vam) } /* Construct the API message */ - M(ACL_INTERFACE_LIST_DUMP, acl_interface_list_dump); + M(ACL_INTERFACE_LIST_DUMP, mp); mp->sw_if_index = ntohl (sw_if_index); /* send it... */ - S; + S(mp); + + /* Use control ping for synchronization */ + api_acl_send_control_ping(vam); /* Wait for a reply... */ - W; + W (ret); + return ret; } static int api_acl_dump (vat_main_t * vam) { - acl_test_main_t * sm = &acl_test_main; unformat_input_t * i = vam->input; - f64 timeout; u32 acl_index = ~0; vl_api_acl_dump_t * mp; + int ret; /* Parse args required to build the message */ while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) { @@ -790,23 +1068,26 @@ static int api_acl_dump (vat_main_t * vam) } /* Construct the API message */ - M(ACL_DUMP, acl_dump); + M(ACL_DUMP, mp); mp->acl_index = ntohl (acl_index); /* send it... */ - S; + S(mp); + + /* Use control ping for synchronization */ + api_acl_send_control_ping(vam); /* Wait for a reply... */ - W; + W (ret); + return ret; } static int api_macip_acl_dump (vat_main_t * vam) { - acl_test_main_t * sm = &acl_test_main; unformat_input_t * i = vam->input; - f64 timeout; u32 acl_index = ~0; vl_api_acl_dump_t * mp; + int ret; /* Parse args required to build the message */ while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) { 
@@ -817,16 +1098,53 @@ static int api_macip_acl_dump (vat_main_t * vam) } /* Construct the API message */ - M(MACIP_ACL_DUMP, macip_acl_dump); + M(MACIP_ACL_DUMP, mp); mp->acl_index = ntohl (acl_index); /* send it... */ - S; + S(mp); + + /* Use control ping for synchronization */ + api_acl_send_control_ping(vam); + + /* Wait for a reply... */ + W (ret); + return ret; +} + +static int api_acl_interface_etype_whitelist_dump (vat_main_t * vam) +{ + unformat_input_t * i = vam->input; + u32 sw_if_index = ~0; + vl_api_acl_interface_etype_whitelist_dump_t * mp; + int ret; + + /* Parse args required to build the message */ + while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) { + if (unformat (i, "%U", unformat_sw_if_index, vam, &sw_if_index)) + ; + else if (unformat (i, "sw_if_index %d", &sw_if_index)) + ; + else + break; + } + + /* Construct the API message */ + M(ACL_INTERFACE_ETYPE_WHITELIST_DUMP, mp); + mp->sw_if_index = ntohl (sw_if_index); + + /* send it... */ + S(mp); + + /* Use control ping for synchronization */ + api_acl_send_control_ping(vam); /* Wait for a reply... */ - W; + W (ret); + return ret; } + #define vec_validate_macip_acl_rules(v, idx) \ do { \ if (vec_len(v) < idx+1) { \ @@ -840,13 +1158,13 @@ static int api_macip_acl_add (vat_main_t * vam) { acl_test_main_t * sm = &acl_test_main; unformat_input_t * i = vam->input; - f64 timeout; vl_api_macip_acl_add_t * mp; u32 msg_size = sizeof (*mp); /* without the rules */ vl_api_macip_acl_rule_t *rules = 0; int rule_idx = 0; int n_rules = 0; + int n_rules_override = -1; u32 src_prefix_length = 0; u32 action = 0; ip4_address_t src_v4address; @@ -854,6 +1172,7 @@ static int api_macip_acl_add (vat_main_t * vam) u8 src_mac[6]; u8 *tag = 0; u8 mac_mask_all_1[6] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; + int ret; while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) { 
@@ -865,7 +1184,7 @@ static int api_macip_acl_add (vat_main_t * vam) else if (unformat (i, "ipv4")) { vec_validate_macip_acl_rules(rules, rule_idx); - rules[rule_idx].is_ipv6 = 1; + rules[rule_idx].is_ipv6 = 0; } else if (unformat (i, "permit")) { @@ -877,22 +1196,38 @@ static int api_macip_acl_add (vat_main_t * vam) vec_validate_macip_acl_rules(rules, rule_idx); rules[rule_idx].is_permit = 0; } + else if (unformat (i, "count %d", &n_rules_override)) + { + /* we will use this later */ + } else if (unformat (i, "action %d", &action)) { vec_validate_macip_acl_rules(rules, rule_idx); rules[rule_idx].is_permit = action; } else if (unformat (i, "ip %U/%d", - unformat_ip4_address, &src_v4address, &src_prefix_length)) + unformat_ip4_address, &src_v4address, &src_prefix_length) || + unformat (i, "ip %U", + unformat_ip4_address, &src_v4address)) { + if (src_prefix_length == 0) + src_prefix_length = 32; vec_validate_macip_acl_rules(rules, rule_idx); memcpy (rules[rule_idx].src_ip_addr, &src_v4address, 4); rules[rule_idx].src_ip_prefix_len = src_prefix_length; rules[rule_idx].is_ipv6 = 0; } + else if (unformat (i, "src")) + { + /* Everything in MACIP is "source" but allow this verbosity */ + } else if (unformat (i, "ip %U/%d", - unformat_ip6_address, &src_v6address, &src_prefix_length)) + unformat_ip6_address, &src_v6address, &src_prefix_length) || + unformat (i, "ip %U", + unformat_ip6_address, &src_v6address)) { + if (src_prefix_length == 0) + src_prefix_length = 128; vec_validate_macip_acl_rules(rules, rule_idx); memcpy (rules[rule_idx].src_ip_addr, &src_v6address, 16); rules[rule_idx].src_ip_prefix_len = src_prefix_length; 
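Review bot: In the `ip %U/%d` / `ip %U` branches of api_macip_acl_add, `if (src_prefix_length == 0) src_prefix_length = 32;` (and `= 128` for IPv6) cannot tell a missing prefix from an explicit `/0`, so a match-any rule is silently turned into a host rule. No reset of `src_prefix_length` is visible in the hunk either, so an address written without a prefix appears to inherit the length parsed for an earlier rule instead of the full-length default. Handling the two formats in separate branches, with the default assigned only in the prefix-less one, fixes both. api_macip_acl_add_replace copies the same code, and the parsing loop continues outside this hunk.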
@@ -928,16 +1263,17 @@ static int api_macip_acl_add (vat_main_t * vam) if(rules) n_rules = vec_len(rules); - else - n_rules = 0; + + if (n_rules_override >= 0) + n_rules = n_rules_override; msg_size += n_rules*sizeof(rules[0]); mp = vl_msg_api_alloc_as_if_client(msg_size); - memset (mp, 0, msg_size); + clib_memset (mp, 0, msg_size); mp->_vl_msg_id = ntohs (VL_API_MACIP_ACL_ADD + sm->msg_id_base); mp->client_index = vam->my_client_index; - if (n_rules > 0) + if ((n_rules > 0) && rules) clib_memcpy(mp->r, rules, n_rules*sizeof (mp->r[0])); if (tag) { 
@@ -953,72 +1289,172 @@ static int api_macip_acl_add (vat_main_t * vam) mp->count = htonl(n_rules); /* send it... */ - S; + S(mp); /* Wait for a reply... */ - W; + W (ret); + return ret; } -/* - * List of messages that the api test plugin sends, - * and that the data plane plugin processes - */ -#define foreach_vpe_api_msg \ -_(acl_plugin_get_version, "") \ -_(acl_add_replace, " [ [src IP/plen] [dst IP/plen] [sport X-Y] [dport X-Y] [proto P] [tcpflags FL MASK], ... , ...") \ -_(acl_del, "") \ -_(acl_dump, "[]") \ -_(acl_interface_add_del, " | sw_if_index [add|del] [input|output] acl ") \ -_(acl_interface_set_acl_list, " | sw_if_index input [acl-idx list] output [acl-idx list]") \ -_(acl_interface_list_dump, "[ | sw_if_index ]") \ -_(macip_acl_add, "...") \ -_(macip_acl_del, "")\ -_(macip_acl_dump, "[]") \ -_(macip_acl_interface_add_del, " | sw_if_index [add|del] acl ") \ -_(macip_acl_interface_get, "") - - - -void vat_api_hookup (vat_main_t *vam) +static int api_macip_acl_add_replace (vat_main_t * vam) { acl_test_main_t * sm = &acl_test_main; - /* Hook up handlers for replies from the data plane plug-in */ -#define _(N,n) \ - vl_msg_api_set_handlers((VL_API_##N + sm->msg_id_base), \ - #n, \ - vl_api_##n##_t_handler, \ - vl_noop_handler, \ - vl_api_##n##_t_endian, \ - vl_api_##n##_t_print, \ - sizeof(vl_api_##n##_t), 1); - foreach_vpe_api_reply_msg; -#undef _ + unformat_input_t * i = vam->input; + vl_api_macip_acl_add_replace_t * mp; + u32 acl_index = ~0; + u32 msg_size = sizeof (*mp); /* without the rules */ - /* API messages we can send */ -#define _(n,h) hash_set_mem (vam->function_by_name, #n, api_##n); - foreach_vpe_api_msg; -#undef _ + vl_api_macip_acl_rule_t *rules = 0; + int rule_idx = 0; + int n_rules = 0; + int n_rules_override = -1; + u32 src_prefix_length = 0; + u32 action = 0; + ip4_address_t src_v4address; + ip6_address_t src_v6address; + u8 src_mac[6]; + u8 *tag = 0; + u8 mac_mask_all_1[6] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; + int ret; - /* Help 
strings */ -#define _(n,h) hash_set_mem (vam->help_by_name, #n, h); - foreach_vpe_api_msg; -#undef _ -} + if (!unformat (i, "%d", &acl_index)) { + /* Just assume -1 */ + } -clib_error_t * vat_plugin_register (vat_main_t *vam) -{ - acl_test_main_t * sm = &acl_test_main; - u8 * name; + while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) + { + if (unformat (i, "ipv6")) + { + vec_validate_macip_acl_rules(rules, rule_idx); + rules[rule_idx].is_ipv6 = 1; + } + else if (unformat (i, "ipv4")) + { + vec_validate_macip_acl_rules(rules, rule_idx); + rules[rule_idx].is_ipv6 = 0; + } + else if (unformat (i, "permit")) + { + vec_validate_macip_acl_rules(rules, rule_idx); + rules[rule_idx].is_permit = 1; + } + else if (unformat (i, "deny")) + { + vec_validate_macip_acl_rules(rules, rule_idx); + rules[rule_idx].is_permit = 0; + } + else if (unformat (i, "count %d", &n_rules_override)) + { + /* we will use this later */ + } + else if (unformat (i, "action %d", &action)) + { + vec_validate_macip_acl_rules(rules, rule_idx); + rules[rule_idx].is_permit = action; + } + else if (unformat (i, "ip %U/%d", + unformat_ip4_address, &src_v4address, &src_prefix_length) || + unformat (i, "ip %U", + unformat_ip4_address, &src_v4address)) + { + if (src_prefix_length == 0) + src_prefix_length = 32; + vec_validate_macip_acl_rules(rules, rule_idx); + memcpy (rules[rule_idx].src_ip_addr, &src_v4address, 4); + rules[rule_idx].src_ip_prefix_len = src_prefix_length; + rules[rule_idx].is_ipv6 = 0; + } + else if (unformat (i, "src")) + { + /* Everything in MACIP is "source" but allow this verbosity */ + } + else if (unformat (i, "ip %U/%d", + unformat_ip6_address, &src_v6address, &src_prefix_length) || + unformat (i, "ip %U", + unformat_ip6_address, &src_v6address)) + { + if (src_prefix_length == 0) + src_prefix_length = 128; + vec_validate_macip_acl_rules(rules, rule_idx); + memcpy (rules[rule_idx].src_ip_addr, &src_v6address, 16); + rules[rule_idx].src_ip_prefix_len = src_prefix_length; + 
rules[rule_idx].is_ipv6 = 1; + } + else if (unformat (i, "mac %U", + my_unformat_mac_address, &src_mac)) + { + vec_validate_macip_acl_rules(rules, rule_idx); + memcpy (rules[rule_idx].src_mac, &src_mac, 6); + memcpy (rules[rule_idx].src_mac_mask, &mac_mask_all_1, 6); + } + else if (unformat (i, "mask %U", + my_unformat_mac_address, &src_mac)) + { + vec_validate_macip_acl_rules(rules, rule_idx); + memcpy (rules[rule_idx].src_mac_mask, &src_mac, 6); + } + else if (unformat (i, "tag %s", &tag)) + { + } + else if (unformat (i, ",")) + { + rule_idx++; + vec_validate_macip_acl_rules(rules, rule_idx); + } + else + break; + } - sm->vat_main = vam; + if (!rules) + { + errmsg ("rule/s required\n"); + return -99; + } + /* Construct the API message */ + vam->result_ready = 0; - name = format (0, "acl_%08x%c", api_version, 0); - sm->msg_id_base = vl_client_get_first_plugin_msg_id ((char *) name); + if(rules) + n_rules = vec_len(rules); - if (sm->msg_id_base != (u16) ~0) - vat_api_hookup (vam); + if (n_rules_override >= 0) + n_rules = n_rules_override; - vec_free(name); + msg_size += n_rules*sizeof(rules[0]); - return 0; + mp = vl_msg_api_alloc_as_if_client(msg_size); + clib_memset (mp, 0, msg_size); + mp->_vl_msg_id = ntohs (VL_API_MACIP_ACL_ADD_REPLACE + sm->msg_id_base); + mp->client_index = vam->my_client_index; + if ((n_rules > 0) && rules) + clib_memcpy(mp->r, rules, n_rules*sizeof (mp->r[0])); + if (tag) + { + if (vec_len(tag) >= sizeof(mp->tag)) + { + tag[sizeof(mp->tag)-1] = 0; + _vec_len(tag) = sizeof(mp->tag); + } + clib_memcpy(mp->tag, tag, vec_len(tag)); + vec_free(tag); + } + + mp->acl_index = ntohl(acl_index); + mp->count = htonl(n_rules); + + /* send it... */ + S(mp); + + /* Wait for a reply... 
*/ + W (ret); + return ret; +} + +#define VL_API_LOCAL_SETUP_MESSAGE_ID_TABLE local_setup_message_id_table +static void local_setup_message_id_table (vat_main_t * vam) +{ + hash_set_mem (vam->function_by_name, "acl_add_replace_from_file", api_acl_add_replace_from_file); + hash_set_mem (vam->help_by_name, "acl_add_replace_from_file", + "filename [permit] [append-default-permit]"); } + +#include
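Review bot: api_macip_acl_add_replace never frees `rules` after copying it into the message, and the `if (!rules)` early return leaves `tag` allocated as well; a `vec_free (rules);` after the `clib_memcpy` and a `vec_free (tag);` before `return -99;` close both. The function is otherwise a near line-for-line copy of api_macip_acl_add, so sharing one parser between them would keep fixes in step. The help text registered in local_setup_message_id_table, `"filename [permit] [append-default-permit]"`, omits the `acl-index` and `permit+reflect` options that api_acl_add_replace_from_file accepts.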