X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fplugins%2Facl%2Flookup_context.c;h=28fa9eeaef54d76694b6f9f9877df70923e695cd;hb=989c3c8fbd46ca0a8d9f6d6be3008e1285f3155e;hp=1f70977e593df22a1195c57c08c016637aa56f4b;hpb=915899a827968d4d6534ddb09e3797a58771f922;p=vpp.git diff --git a/src/plugins/acl/lookup_context.c b/src/plugins/acl/lookup_context.c index 1f70977e593..28fa9eeaef5 100644 --- a/src/plugins/acl/lookup_context.c +++ b/src/plugins/acl/lookup_context.c @@ -15,13 +15,23 @@ #include #include -#include #include +#include #include "hash_lookup.h" #include "elog_acl_trace.h" /* check if a given ACL exists */ -u8 acl_plugin_acl_exists (u32 acl_index); +static u8 +acl_plugin_acl_exists (u32 acl_index) +{ + acl_main_t *am = &acl_main; + + if (pool_is_free_index (am->acls, acl_index)) + return 0; + + return 1; +} + static u32 get_acl_user_id(acl_main_t *am, char *user_module_name, char *val1_label, char *val2_label) { @@ -64,12 +74,16 @@ static int acl_lc_index_valid(acl_main_t *am, u32 lc_index) * so you can identify yourself when creating the lookup contexts. */ -u32 acl_plugin_register_user_module (char *user_module_name, char *val1_label, char *val2_label) +static u32 acl_plugin_register_user_module (char *user_module_name, char *val1_label, char *val2_label) { acl_main_t *am = &acl_main; - void *oldheap = acl_plugin_set_heap(); + /* + * Because folks like to call this early on, + * use the global heap, so as to avoid + * initializing the main ACL heap before + * they start using ACLs. + */ u32 user_id = get_acl_user_id(am, user_module_name, val1_label, val2_label); - clib_mem_set_heap (oldheap); return user_id; } 
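Review bot: With the `acl_plugin_set_heap()` / `clib_mem_set_heap()` pair removed from `acl_plugin_register_user_module`, whatever `get_acl_user_id()` allocates (its body is outside this hunk) lands on whichever heap is current at call time, and the same applies to the `pool_get` and `vec_add1` in `acl_plugin_get_lookup_context_index` (hunks -89,8 and -101,7). The release path in `acl_plugin_put_lookup_context_index` is not visible in this diff. If it still switches to the ACL heap before `pool_put` / `vec_del1`, these objects would be resized or freed under a different heap than they were allocated on, which is a memory-corruption risk to rule out before merging. The new comment says "use the global heap", but nothing enforces that, so I would state the precondition explicitly, e.g. `/* allocates on the caller's current heap; callers must not have switched to the ACL heap */`.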
@@ -81,7 +95,7 @@ u32 acl_plugin_register_user_module (char *user_module_name, char *val1_label, c * If >= 0 - context id. If < 0 - error code. */ -int acl_plugin_get_lookup_context_index (u32 acl_user_id, u32 val1, u32 val2) +static int acl_plugin_get_lookup_context_index (u32 acl_user_id, u32 val1, u32 val2) { acl_main_t *am = &acl_main; acl_lookup_context_t *acontext; @@ -89,8 +103,11 @@ int acl_plugin_get_lookup_context_index (u32 acl_user_id, u32 val1, u32 val2) if (!acl_user_id_valid(am, acl_user_id)) return VNET_API_ERROR_INVALID_REGISTRATION; - void *oldheap = acl_plugin_set_heap (); - + /* + * The lookup context index allocation is + * an operation done within the global heap, + * so no heap switching necessary. + */ pool_get(am->acl_lookup_contexts, acontext); acontext->acl_indices = 0; @@ -101,7 +118,6 @@ int acl_plugin_get_lookup_context_index (u32 acl_user_id, u32 val1, u32 val2) u32 new_context_id = acontext - am->acl_lookup_contexts; vec_add1(am->acl_users[acl_user_id].lookup_contexts, new_context_id); - clib_mem_set_heap (oldheap); return new_context_id; } @@ -169,9 +185,9 @@ unapply_acl_vec(u32 lc_index, u32 *acls) /* * Release the lookup context index and destroy - * any asssociated data structures. + * any associated data structures. */ -void acl_plugin_put_lookup_context_index (u32 lc_index) +static void acl_plugin_put_lookup_context_index (u32 lc_index) { acl_main_t *am = &acl_main; @@ -199,8 +215,11 @@ void acl_plugin_put_lookup_context_index (u32 lc_index) * Prepare the sequential vector of ACL#s to lookup within a given context. * Any existing list will be overwritten. acl_list is a vector. */ -int acl_plugin_set_acl_vec_for_context (u32 lc_index, u32 *acl_list) +static int acl_plugin_set_acl_vec_for_context (u32 lc_index, u32 *acl_list) { + int rv = 0; + uword *seen_acl_bitmap = 0; + u32 *pacln = 0; acl_main_t *am = &acl_main; acl_lookup_context_t *acontext; if (am->trace_acl) { 
@@ -216,6 +235,25 @@ int acl_plugin_set_acl_vec_for_context (u32 lc_index, u32 *acl_list) } void *oldheap = acl_plugin_set_heap (); + vec_foreach (pacln, acl_list) + { + if (pool_is_free_index (am->acls, *pacln)) + { + /* ACL is not defined. Can not apply */ + clib_warning ("ERROR: ACL %d not defined", *pacln); + rv = VNET_API_ERROR_NO_SUCH_ENTRY; + goto done; + } + if (clib_bitmap_get (seen_acl_bitmap, *pacln)) + { + /* ACL being applied twice within the list. error. */ + clib_warning ("ERROR: ACL %d being applied twice", *pacln); + rv = VNET_API_ERROR_ENTRY_ALREADY_EXISTS; + goto done; + } + seen_acl_bitmap = clib_bitmap_set (seen_acl_bitmap, *pacln, 1); + } + acontext = pool_elt_at_index(am->acl_lookup_contexts, lc_index); u32 *old_acl_vector = acontext->acl_indices; acontext->acl_indices = vec_dup(acl_list); @@ -226,8 +264,11 @@ int acl_plugin_set_acl_vec_for_context (u32 lc_index, u32 *acl_list) apply_acl_vec(lc_index, acontext->acl_indices); vec_free(old_acl_vector); + +done: + clib_bitmap_free (seen_acl_bitmap); clib_mem_set_heap (oldheap); - return 0; + return rv; } @@ -249,13 +290,13 @@ void acl_plugin_lookup_context_notify_acl_change(u32 acl_num) /* Fill the 5-tuple from the packet */ -void acl_plugin_fill_5tuple (u32 lc_index, vlib_buffer_t * b0, int is_ip6, int is_input, +static void acl_plugin_fill_5tuple (u32 lc_index, vlib_buffer_t * b0, int is_ip6, int is_input, int is_l2_path, fa_5tuple_opaque_t * p5tuple_pkt) { - acl_plugin_fill_5tuple_inline(lc_index, b0, is_ip6, is_input, is_l2_path, p5tuple_pkt); + acl_plugin_fill_5tuple_inline(&acl_main, lc_index, b0, is_ip6, is_input, is_l2_path, p5tuple_pkt); } -int acl_plugin_match_5tuple (u32 lc_index, +static int acl_plugin_match_5tuple (u32 lc_index, fa_5tuple_opaque_t * pkt_5tuple, int is_ip6, u8 * r_action, u32 * r_acl_pos_p, 
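Review bot: Both `clib_warning` calls in the new `vec_foreach` loop print `*pacln` with `%d` although it is a `u32`, so a value such as `~0` is logged as `-1` and the log no longer matches what the caller passed. Use `clib_warning ("ERROR: ACL %u not defined", *pacln);` and the same for the "applied twice" message. The loop should also carry a comment that the `pool_is_free_index` test must stay ahead of `clib_bitmap_set`, for example `/* existence check first: it bounds the index used to grow seen_acl_bitmap */`. Assuming `pool_is_free_index` reports out-of-range indices as free, that ordering is what bounds the bitmap allocation by the size of `am->acls` rather than by a caller-supplied index. The function starts before this hunk and its cleanup label is added in hunk -226,8.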
@@ -263,7 +304,7 @@ int acl_plugin_match_5tuple (u32 lc_index, u32 * r_rule_match_p, u32 * trace_bitmap) { - return acl_plugin_match_5tuple_inline (lc_index, pkt_5tuple, is_ip6, r_action, r_acl_pos_p, r_acl_match_p, r_rule_match_p, trace_bitmap); + return acl_plugin_match_5tuple_inline (&acl_main, lc_index, pkt_5tuple, is_ip6, r_action, r_acl_pos_p, r_acl_match_p, r_rule_match_p, trace_bitmap); } @@ -316,3 +357,18 @@ acl_plugin_show_lookup_context (u32 lc_index) } })); } + +void * +acl_plugin_get_p_acl_main(void) +{ + return &acl_main; +} + +clib_error_t *acl_plugin_methods_vtable_init(acl_plugin_methods_t *m) +{ + m->p_acl_main = &acl_main; +#define _(name) m->name = acl_plugin_ ## name; + foreach_acl_plugin_exported_method_name +#undef _ + return 0; +}
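Review bot: `acl_plugin_methods_vtable_init` dereferences `m` without a NULL check and has no comment describing its contract, although it now appears to be the only way other plugins reach the functions this commit makes `static`. A guard such as `if (!m) return clib_error_return (0, "NULL method table");` plus a short header comment covering who calls it and when would close that gap. Both `m->p_acl_main` and `acl_plugin_get_p_acl_main()` also hand out a raw pointer to the plugin's whole mutable state, so any consumer can read or modify ACL tables without going through the validated entry points (`acl_lc_index_valid`, `acl_user_id_valid`). If the pointer is only meant to be passed back to the `_inline` helpers, say so in a comment, e.g. `/* opaque: pass to acl_plugin_*_inline only, do not dereference */`.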