2 * Copyright (c) 2016 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
18 #include <vnet/vnet.h>
19 #include <vnet/plugin/plugin.h>
22 #include <vnet/l2/l2_classify.h>
23 #include <vnet/classify/input_acl.h>
24 #include <vpp/app/version.h>
26 #include <vlibapi/api.h>
27 #include <vlibmemory/api.h>
28 #include <vlibsocket/api.h>
30 /* define message IDs */
31 #include <acl/acl_msg_enum.h>
33 /* define message structures */
35 #include <acl/acl_all_api_h.h>
38 /* define generated endian-swappers */
40 #include <acl/acl_all_api_h.h>
43 /* instantiate all the print functions we know about */
44 #define vl_print(handle, ...) vlib_cli_output (handle, __VA_ARGS__)
46 #include <acl/acl_all_api_h.h>
49 /* Get the API version number */
50 #define vl_api_version(n,v) static u32 api_version=(v);
51 #include <acl/acl_all_api_h.h>
58 #define REPLY_MSG_ID_BASE am->msg_id_base
59 #include <vlibapi/api_helper_macros.h>
61 /* List of message types that this plugin understands */
63 #define foreach_acl_plugin_api_msg \
64 _(ACL_PLUGIN_GET_VERSION, acl_plugin_get_version) \
65 _(ACL_ADD_REPLACE, acl_add_replace) \
67 _(ACL_INTERFACE_ADD_DEL, acl_interface_add_del) \
68 _(ACL_INTERFACE_SET_ACL_LIST, acl_interface_set_acl_list) \
69 _(ACL_DUMP, acl_dump) \
70 _(ACL_INTERFACE_LIST_DUMP, acl_interface_list_dump) \
71 _(MACIP_ACL_ADD, macip_acl_add) \
72 _(MACIP_ACL_DEL, macip_acl_del) \
73 _(MACIP_ACL_INTERFACE_ADD_DEL, macip_acl_interface_add_del) \
74 _(MACIP_ACL_DUMP, macip_acl_dump) \
75 _(MACIP_ACL_INTERFACE_GET, macip_acl_interface_get)
78 VLIB_PLUGIN_REGISTER () = {
79 .version = VPP_BUILD_VER,
80 .description = "Access Control Lists",
85 vl_api_acl_plugin_get_version_t_handler (vl_api_acl_plugin_get_version_t * mp)
87 acl_main_t *am = &acl_main;
88 vl_api_acl_plugin_get_version_reply_t *rmp;
89 int msg_size = sizeof (*rmp);
90 unix_shared_memory_queue_t *q;
92 q = vl_api_client_index_to_input_queue (mp->client_index);
98 rmp = vl_msg_api_alloc (msg_size);
99 memset (rmp, 0, msg_size);
101 ntohs (VL_API_ACL_PLUGIN_GET_VERSION_REPLY + am->msg_id_base);
102 rmp->context = mp->context;
103 rmp->major = htonl (ACL_PLUGIN_VERSION_MAJOR);
104 rmp->minor = htonl (ACL_PLUGIN_VERSION_MINOR);
106 vl_msg_api_send_shmem (q, (u8 *) & rmp);
111 acl_add_list (u32 count, vl_api_acl_rule_t rules[],
112 u32 * acl_list_index, u8 * tag)
114 acl_main_t *am = &acl_main;
117 acl_rule_t *acl_new_rules;
120 if (*acl_list_index != ~0)
122 /* They supplied some number, let's see if this ACL exists */
123 if (pool_is_free_index (am->acls, *acl_list_index))
125 /* tried to replace a non-existent ACL, no point doing anything */
130 /* Create and populate the rules */
131 acl_new_rules = clib_mem_alloc_aligned (sizeof (acl_rule_t) * count,
132 CLIB_CACHE_LINE_BYTES);
135 /* Could not allocate rules. New or existing ACL - bail out regardless */
139 for (i = 0; i < count; i++)
141 r = &acl_new_rules[i];
142 r->is_permit = rules[i].is_permit;
143 r->is_ipv6 = rules[i].is_ipv6;
146 memcpy (&r->src, rules[i].src_ip_addr, sizeof (r->src));
147 memcpy (&r->dst, rules[i].dst_ip_addr, sizeof (r->dst));
151 memcpy (&r->src.ip4, rules[i].src_ip_addr, sizeof (r->src.ip4));
152 memcpy (&r->dst.ip4, rules[i].dst_ip_addr, sizeof (r->dst.ip4));
154 r->src_prefixlen = rules[i].src_ip_prefix_len;
155 r->dst_prefixlen = rules[i].dst_ip_prefix_len;
156 r->proto = rules[i].proto;
157 r->src_port_or_type_first = ntohs ( rules[i].srcport_or_icmptype_first );
158 r->src_port_or_type_last = ntohs ( rules[i].srcport_or_icmptype_last );
159 r->dst_port_or_code_first = ntohs ( rules[i].dstport_or_icmpcode_first );
160 r->dst_port_or_code_last = ntohs ( rules[i].dstport_or_icmpcode_last );
161 r->tcp_flags_value = rules[i].tcp_flags_value;
162 r->tcp_flags_mask = rules[i].tcp_flags_mask;
165 if (~0 == *acl_list_index)
168 pool_get_aligned (am->acls, a, CLIB_CACHE_LINE_BYTES);
169 memset (a, 0, sizeof (*a));
170 /* Will return the newly allocated ACL index */
171 *acl_list_index = a - am->acls;
175 a = am->acls + *acl_list_index;
176 /* Get rid of the old rules */
177 clib_mem_free (a->rules);
179 a->rules = acl_new_rules;
181 memcpy (a->tag, tag, sizeof (a->tag));
187 acl_del_list (u32 acl_list_index)
189 acl_main_t *am = &acl_main;
192 if (pool_is_free_index (am->acls, acl_list_index))
197 /* delete any references to the ACL */
198 for (i = 0; i < vec_len (am->output_acl_vec_by_sw_if_index); i++)
200 for (ii = 0; ii < vec_len (am->output_acl_vec_by_sw_if_index[i]);
203 if (acl_list_index == am->output_acl_vec_by_sw_if_index[i][ii])
205 vec_del1 (am->output_acl_vec_by_sw_if_index[i], ii);
213 for (i = 0; i < vec_len (am->input_acl_vec_by_sw_if_index); i++)
215 for (ii = 0; ii < vec_len (am->input_acl_vec_by_sw_if_index[i]);
218 if (acl_list_index == am->input_acl_vec_by_sw_if_index[i][ii])
220 vec_del1 (am->input_acl_vec_by_sw_if_index[i], ii);
229 /* now we can delete the ACL itself */
230 a = &am->acls[acl_list_index];
233 clib_mem_free (a->rules);
235 pool_put (am->acls, a);
239 /* Some aids in ASCII graphing the content */
245 u8 ip4_5tuple_mask[] =
246 _(" dmac smac etype ")
247 _(ether) __ __ __ __ __ __ v __ __ __ __ __ __ v __ __ v
254 _(" ttl pr checksum ")
263 _("L4 T/U sport dport ")
273 u8 ip6_5tuple_mask[] =
274 _(" dmac smac etype ")
275 _(ether) __ __ __ __ __ __ v __ __ __ __ __ __ v __ __ v
277 _(0x0000) __ __ __ __
279 _(0x0004) __ __ XX __
281 _(0x0008) XX XX XX XX
282 _(0x000C) XX XX XX XX
283 _(0x0010) XX XX XX XX
284 _(0x0014) XX XX XX XX
286 _(0x0018) XX XX XX XX
287 _(0x001C) XX XX XX XX
288 _(0x0020) XX XX XX XX
289 _(0x0024) XX XX XX XX
290 _("L4T/U sport dport ")
291 _(tcpudp) XX XX XX XX _(padpad) __ __ __ __ _(padeth) __ __;
298 static int count_skip (u8 * p, u32 size)
300 u64 *p64 = (u64 *) p;
301 /* Be tolerant to null pointer */
305 while ((0ULL == *p64) && ((u8 *) p64 - p) < size)
309 return (p64 - (u64 *) p) / 2;
313 acl_classify_add_del_table_big (vnet_classify_main_t * cm, u8 * mask,
314 u32 mask_len, u32 next_table_index,
315 u32 miss_next_index, u32 * table_index,
318 u32 nbuckets = 65536;
319 u32 memory_size = 2 << 30;
320 u32 skip = count_skip (mask, mask_len);
321 u32 match = (mask_len / 16) - skip;
322 u8 *skip_mask_ptr = mask + 16 * skip;
323 u32 current_data_flag = 0;
324 int current_data_offset = 0;
329 return vnet_classify_add_del_table (cm, skip_mask_ptr, nbuckets,
330 memory_size, skip, match,
331 next_table_index, miss_next_index,
332 table_index, current_data_flag,
333 current_data_offset, is_add,
334 1 /* delete_chain */);
338 acl_classify_add_del_table_small (vnet_classify_main_t * cm, u8 * mask,
339 u32 mask_len, u32 next_table_index,
340 u32 miss_next_index, u32 * table_index,
344 u32 memory_size = 2 << 20;
345 u32 skip = count_skip (mask, mask_len);
346 u32 match = (mask_len / 16) - skip;
347 u8 *skip_mask_ptr = mask + 16 * skip;
348 u32 current_data_flag = 0;
349 int current_data_offset = 0;
354 return vnet_classify_add_del_table (cm, skip_mask_ptr, nbuckets,
355 memory_size, skip, match,
356 next_table_index, miss_next_index,
357 table_index, current_data_flag,
358 current_data_offset, is_add,
359 1 /* delete_chain */);
364 acl_unhook_l2_input_classify (acl_main_t * am, u32 sw_if_index)
366 vnet_classify_main_t *cm = &vnet_classify_main;
367 u32 ip4_table_index = ~0;
368 u32 ip6_table_index = ~0;
370 vec_validate_init_empty (am->acl_ip4_input_classify_table_by_sw_if_index,
372 vec_validate_init_empty (am->acl_ip6_input_classify_table_by_sw_if_index,
375 vnet_l2_input_classify_enable_disable (sw_if_index, 0);
377 if (am->acl_ip4_input_classify_table_by_sw_if_index[sw_if_index] != ~0)
380 am->acl_ip4_input_classify_table_by_sw_if_index[sw_if_index];
381 am->acl_ip4_input_classify_table_by_sw_if_index[sw_if_index] = ~0;
382 acl_classify_add_del_table_big (cm, ip4_5tuple_mask,
383 sizeof (ip4_5tuple_mask) - 1, ~0,
384 am->l2_input_classify_next_acl_ip4,
385 &ip4_table_index, 0);
387 if (am->acl_ip6_input_classify_table_by_sw_if_index[sw_if_index] != ~0)
390 am->acl_ip6_input_classify_table_by_sw_if_index[sw_if_index];
391 am->acl_ip6_input_classify_table_by_sw_if_index[sw_if_index] = ~0;
392 acl_classify_add_del_table_big (cm, ip6_5tuple_mask,
393 sizeof (ip6_5tuple_mask) - 1, ~0,
394 am->l2_input_classify_next_acl_ip6,
395 &ip6_table_index, 0);
402 acl_unhook_l2_output_classify (acl_main_t * am, u32 sw_if_index)
404 vnet_classify_main_t *cm = &vnet_classify_main;
405 u32 ip4_table_index = ~0;
406 u32 ip6_table_index = ~0;
408 vec_validate_init_empty (am->acl_ip4_output_classify_table_by_sw_if_index,
410 vec_validate_init_empty (am->acl_ip6_output_classify_table_by_sw_if_index,
413 vnet_l2_output_classify_enable_disable (sw_if_index, 0);
415 if (am->acl_ip4_output_classify_table_by_sw_if_index[sw_if_index] != ~0)
418 am->acl_ip4_output_classify_table_by_sw_if_index[sw_if_index];
419 am->acl_ip4_output_classify_table_by_sw_if_index[sw_if_index] = ~0;
420 acl_classify_add_del_table_big (cm, ip4_5tuple_mask,
421 sizeof (ip4_5tuple_mask) - 1, ~0,
422 am->l2_output_classify_next_acl_ip4,
423 &ip4_table_index, 0);
425 if (am->acl_ip6_output_classify_table_by_sw_if_index[sw_if_index] != ~0)
428 am->acl_ip6_output_classify_table_by_sw_if_index[sw_if_index];
429 am->acl_ip6_output_classify_table_by_sw_if_index[sw_if_index] = ~0;
430 acl_classify_add_del_table_big (cm, ip6_5tuple_mask,
431 sizeof (ip6_5tuple_mask) - 1, ~0,
432 am->l2_output_classify_next_acl_ip6,
433 &ip6_table_index, 0);
440 acl_hook_l2_input_classify (acl_main_t * am, u32 sw_if_index)
442 vnet_classify_main_t *cm = &vnet_classify_main;
443 u32 ip4_table_index = ~0;
444 u32 ip6_table_index = ~0;
447 /* in case there were previous tables attached */
448 acl_unhook_l2_input_classify (am, sw_if_index);
450 acl_classify_add_del_table_big (cm, ip4_5tuple_mask,
451 sizeof (ip4_5tuple_mask) - 1, ~0,
452 am->l2_input_classify_next_acl_ip4,
453 &ip4_table_index, 1);
457 acl_classify_add_del_table_big (cm, ip6_5tuple_mask,
458 sizeof (ip6_5tuple_mask) - 1, ~0,
459 am->l2_input_classify_next_acl_ip6,
460 &ip6_table_index, 1);
463 acl_classify_add_del_table_big (cm, ip4_5tuple_mask,
464 sizeof (ip4_5tuple_mask) - 1, ~0,
465 am->l2_input_classify_next_acl_ip4,
466 &ip4_table_index, 0);
470 vnet_l2_input_classify_set_tables (sw_if_index, ip4_table_index,
471 ip6_table_index, ~0);
473 ("ACL enabling on interface sw_if_index %d, setting tables to the following: ip4: %d ip6: %d\n",
474 sw_if_index, ip4_table_index, ip6_table_index);
477 acl_classify_add_del_table_big (cm, ip6_5tuple_mask,
478 sizeof (ip6_5tuple_mask) - 1, ~0,
479 am->l2_input_classify_next_acl_ip6,
480 &ip6_table_index, 0);
481 acl_classify_add_del_table_big (cm, ip4_5tuple_mask,
482 sizeof (ip4_5tuple_mask) - 1, ~0,
483 am->l2_input_classify_next_acl_ip4,
484 &ip4_table_index, 0);
488 am->acl_ip4_input_classify_table_by_sw_if_index[sw_if_index] =
490 am->acl_ip6_input_classify_table_by_sw_if_index[sw_if_index] =
493 vnet_l2_input_classify_enable_disable (sw_if_index, 1);
498 acl_hook_l2_output_classify (acl_main_t * am, u32 sw_if_index)
500 vnet_classify_main_t *cm = &vnet_classify_main;
501 u32 ip4_table_index = ~0;
502 u32 ip6_table_index = ~0;
505 /* in case there were previous tables attached */
506 acl_unhook_l2_output_classify (am, sw_if_index);
508 acl_classify_add_del_table_big (cm, ip4_5tuple_mask,
509 sizeof (ip4_5tuple_mask) - 1, ~0,
510 am->l2_output_classify_next_acl_ip4,
511 &ip4_table_index, 1);
515 acl_classify_add_del_table_big (cm, ip6_5tuple_mask,
516 sizeof (ip6_5tuple_mask) - 1, ~0,
517 am->l2_output_classify_next_acl_ip6,
518 &ip6_table_index, 1);
521 acl_classify_add_del_table_big (cm, ip4_5tuple_mask,
522 sizeof (ip4_5tuple_mask) - 1, ~0,
523 am->l2_output_classify_next_acl_ip4,
524 &ip4_table_index, 0);
528 vnet_l2_output_classify_set_tables (sw_if_index, ip4_table_index,
529 ip6_table_index, ~0);
531 ("ACL enabling on interface sw_if_index %d, setting tables to the following: ip4: %d ip6: %d\n",
532 sw_if_index, ip4_table_index, ip6_table_index);
535 acl_classify_add_del_table_big (cm, ip6_5tuple_mask,
536 sizeof (ip6_5tuple_mask) - 1, ~0,
537 am->l2_output_classify_next_acl_ip6,
538 &ip6_table_index, 0);
539 acl_classify_add_del_table_big (cm, ip4_5tuple_mask,
540 sizeof (ip4_5tuple_mask) - 1, ~0,
541 am->l2_output_classify_next_acl_ip4,
542 &ip4_table_index, 0);
546 am->acl_ip4_output_classify_table_by_sw_if_index[sw_if_index] =
548 am->acl_ip6_output_classify_table_by_sw_if_index[sw_if_index] =
551 vnet_l2_output_classify_enable_disable (sw_if_index, 1);
558 acl_interface_in_enable_disable (acl_main_t * am, u32 sw_if_index,
564 if (pool_is_free_index (am->vnet_main->interface_main.sw_interfaces,
566 return VNET_API_ERROR_INVALID_SW_IF_INDEX;
568 acl_fa_enable_disable(sw_if_index, 1, enable_disable);
572 rv = acl_hook_l2_input_classify (am, sw_if_index);
576 rv = acl_unhook_l2_input_classify (am, sw_if_index);
583 acl_interface_out_enable_disable (acl_main_t * am, u32 sw_if_index,
589 if (pool_is_free_index (am->vnet_main->interface_main.sw_interfaces,
591 return VNET_API_ERROR_INVALID_SW_IF_INDEX;
593 acl_fa_enable_disable(sw_if_index, 0, enable_disable);
597 rv = acl_hook_l2_output_classify (am, sw_if_index);
601 rv = acl_unhook_l2_output_classify (am, sw_if_index);
609 acl_interface_add_inout_acl (u32 sw_if_index, u8 is_input, u32 acl_list_index)
611 acl_main_t *am = &acl_main;
614 vec_validate (am->input_acl_vec_by_sw_if_index, sw_if_index);
615 vec_add (am->input_acl_vec_by_sw_if_index[sw_if_index], &acl_list_index,
617 acl_interface_in_enable_disable (am, sw_if_index, 1);
621 vec_validate (am->output_acl_vec_by_sw_if_index, sw_if_index);
622 vec_add (am->output_acl_vec_by_sw_if_index[sw_if_index],
624 acl_interface_out_enable_disable (am, sw_if_index, 1);
630 acl_interface_del_inout_acl (u32 sw_if_index, u8 is_input, u32 acl_list_index)
632 acl_main_t *am = &acl_main;
637 vec_validate (am->input_acl_vec_by_sw_if_index, sw_if_index);
638 for (i = 0; i < vec_len (am->input_acl_vec_by_sw_if_index[sw_if_index]);
641 if (acl_list_index ==
642 am->input_acl_vec_by_sw_if_index[sw_if_index][i])
644 vec_del1 (am->input_acl_vec_by_sw_if_index[sw_if_index], i);
649 if (0 == vec_len (am->input_acl_vec_by_sw_if_index[sw_if_index]))
651 acl_interface_in_enable_disable (am, sw_if_index, 0);
656 vec_validate (am->output_acl_vec_by_sw_if_index, sw_if_index);
658 i < vec_len (am->output_acl_vec_by_sw_if_index[sw_if_index]); i++)
660 if (acl_list_index ==
661 am->output_acl_vec_by_sw_if_index[sw_if_index][i])
663 vec_del1 (am->output_acl_vec_by_sw_if_index[sw_if_index], i);
668 if (0 == vec_len (am->output_acl_vec_by_sw_if_index[sw_if_index]))
670 acl_interface_out_enable_disable (am, sw_if_index, 0);
677 acl_interface_reset_inout_acls (u32 sw_if_index, u8 is_input)
679 acl_main_t *am = &acl_main;
682 acl_interface_in_enable_disable (am, sw_if_index, 0);
683 vec_validate (am->input_acl_vec_by_sw_if_index, sw_if_index);
684 vec_reset_length (am->input_acl_vec_by_sw_if_index[sw_if_index]);
688 acl_interface_out_enable_disable (am, sw_if_index, 0);
689 vec_validate (am->output_acl_vec_by_sw_if_index, sw_if_index);
690 vec_reset_length (am->output_acl_vec_by_sw_if_index[sw_if_index]);
695 acl_interface_add_del_inout_acl (u32 sw_if_index, u8 is_add, u8 is_input,
702 acl_interface_add_inout_acl (sw_if_index, is_input, acl_list_index);
707 acl_interface_del_inout_acl (sw_if_index, is_input, acl_list_index);
721 } macip_match_type_t;
724 macip_find_match_type (macip_match_type_t * mv, u8 * mac_mask, u8 prefix_len,
730 for (i = 0; i < vec_len (mv); i++)
732 if ((mv[i].prefix_len == prefix_len) && (mv[i].is_ipv6 == is_ipv6)
733 && (0 == memcmp (mv[i].mac_mask, mac_mask, 6)))
743 /* Get metric used to sort match types.
744 The more specific and the more often seen - the bigger the metric */
746 match_type_metric (macip_match_type_t * m)
748 /* FIXME: count the ones in the MAC mask as well, check how well this heuristic works in real life */
749 return m->prefix_len + m->is_ipv6 + 10 * m->count;
753 match_type_compare (macip_match_type_t * m1, macip_match_type_t * m2)
755 /* Ascending sort based on the metric values */
756 return match_type_metric (m1) - match_type_metric (m2);
759 /* Get the offset of L3 source within ethernet packet */
761 get_l3_src_offset(int is6)
764 return (sizeof(ethernet_header_t) + offsetof(ip6_header_t, src_address));
766 return (sizeof(ethernet_header_t) + offsetof(ip4_header_t, src_address));
770 macip_create_classify_tables (acl_main_t * am, u32 macip_acl_index)
772 macip_match_type_t *mvec = NULL;
773 macip_match_type_t *mt;
774 macip_acl_list_t *a = &am->macip_acls[macip_acl_index];
776 u32 match_type_index;
779 vnet_classify_main_t *cm = &vnet_classify_main;
781 /* Count the number of different types of rules */
782 for (i = 0; i < a->count; i++)
786 macip_find_match_type (mvec, a->rules[i].src_mac_mask,
787 a->rules[i].src_prefixlen,
788 a->rules[i].is_ipv6)))
790 match_type_index = vec_len (mvec);
791 vec_validate (mvec, match_type_index);
792 memcpy (mvec[match_type_index].mac_mask,
793 a->rules[match_type_index].src_mac_mask, 6);
794 mvec[match_type_index].prefix_len = a->rules[i].src_prefixlen;
795 mvec[match_type_index].is_ipv6 = a->rules[i].is_ipv6;
796 mvec[match_type_index].table_index = ~0;
798 mvec[match_type_index].count++;
800 /* Put the most frequently used tables last in the list so we can create classifier tables in reverse order */
801 vec_sort_with_function (mvec, match_type_compare);
802 /* Create the classifier tables */
804 /* First add ARP tables */
805 vec_foreach (mt, mvec)
808 int is6 = mt->is_ipv6;
810 mt->arp_table_index = ~0;
813 memset (mask, 0, sizeof (mask));
814 memcpy (&mask[6], mt->mac_mask, 6);
815 memset (&mask[12], 0xff, 2); /* ethernet protocol */
816 memcpy (&mask[14 + 8], mt->mac_mask, 6);
818 for (i = 0; i < (mt->prefix_len / 8); i++)
819 mask[14 + 14 + i] = 0xff;
820 if (mt->prefix_len % 8)
821 mask[14 + 14 + (mt->prefix_len / 8)] = 0xff - ((1 << (8 - mt->prefix_len % 8)) - 1);
823 mask_len = ((14 + 14 + ((mt->prefix_len+7) / 8) +
824 (sizeof (u32x4)-1))/sizeof(u32x4)) * sizeof (u32x4);
825 acl_classify_add_del_table_small (cm, mask, mask_len, last_table,
826 (~0 == last_table) ? 0 : ~0, &mt->arp_table_index,
828 last_table = mt->arp_table_index;
831 /* Now add IP[46] tables */
832 vec_foreach (mt, mvec)
835 int is6 = mt->is_ipv6;
836 int l3_src_offs = get_l3_src_offset(is6);
837 memset (mask, 0, sizeof (mask));
838 memcpy (&mask[6], mt->mac_mask, 6);
839 for (i = 0; i < (mt->prefix_len / 8); i++)
841 mask[l3_src_offs + i] = 0xff;
843 if (mt->prefix_len % 8)
845 mask[l3_src_offs + (mt->prefix_len / 8)] =
846 0xff - ((1 << (8 - mt->prefix_len % 8)) - 1);
849 * Round-up the number of bytes needed to store the prefix,
850 * and round up the number of vectors too
852 mask_len = ((l3_src_offs + ((mt->prefix_len+7) / 8) +
853 (sizeof (u32x4)-1))/sizeof(u32x4)) * sizeof (u32x4);
854 acl_classify_add_del_table_small (cm, mask, mask_len, last_table,
855 (~0 == last_table) ? 0 : ~0, &mt->table_index,
857 last_table = mt->table_index;
859 a->ip4_table_index = ~0;
860 a->ip6_table_index = ~0;
861 a->l2_table_index = last_table;
863 /* Populate the classifier tables with rules from the MACIP ACL */
864 for (i = 0; i < a->count; i++)
868 int is6 = a->rules[i].is_ipv6;
869 int l3_src_offs = get_l3_src_offset(is6);
870 memset (mask, 0, sizeof (mask));
871 memcpy (&mask[6], a->rules[i].src_mac, 6);
872 memset (&mask[12], 0xff, 2); /* ethernet protocol */
875 memcpy (&mask[l3_src_offs], &a->rules[i].src_ip_addr.ip6, 16);
881 memcpy (&mask[l3_src_offs], &a->rules[i].src_ip_addr.ip4, 4);
886 macip_find_match_type (mvec, a->rules[i].src_mac_mask,
887 a->rules[i].src_prefixlen,
888 a->rules[i].is_ipv6);
889 /* add session to table mvec[match_type_index].table_index; */
890 vnet_classify_add_del_session (cm, mvec[match_type_index].table_index,
891 mask, a->rules[i].is_permit ? ~0 : 0, i,
892 0, action, metadata, 1);
893 /* add ARP table entry too */
894 if (!is6 && (mvec[match_type_index].arp_table_index != ~0))
896 memset (mask, 0, sizeof (mask));
897 memcpy (&mask[6], a->rules[i].src_mac, 6);
900 memcpy (&mask[14 + 8], a->rules[i].src_mac, 6);
901 memcpy (&mask[14 + 14], &a->rules[i].src_ip_addr.ip4, 4);
902 vnet_classify_add_del_session (cm, mvec[match_type_index].arp_table_index,
903 mask, a->rules[i].is_permit ? ~0 : 0, i,
904 0, action, metadata, 1);
911 macip_destroy_classify_tables (acl_main_t * am, u32 macip_acl_index)
913 vnet_classify_main_t *cm = &vnet_classify_main;
914 macip_acl_list_t *a = &am->macip_acls[macip_acl_index];
916 if (a->ip4_table_index != ~0)
918 acl_classify_add_del_table_small (cm, 0, ~0, ~0, ~0, &a->ip4_table_index, 0);
919 a->ip4_table_index = ~0;
921 if (a->ip6_table_index != ~0)
923 acl_classify_add_del_table_small (cm, 0, ~0, ~0, ~0, &a->ip6_table_index, 0);
924 a->ip6_table_index = ~0;
926 if (a->l2_table_index != ~0)
928 acl_classify_add_del_table_small (cm, 0, ~0, ~0, ~0, &a->l2_table_index, 0);
929 a->l2_table_index = ~0;
934 macip_acl_add_list (u32 count, vl_api_macip_acl_rule_t rules[],
935 u32 * acl_list_index, u8 * tag)
937 acl_main_t *am = &acl_main;
940 macip_acl_rule_t *acl_new_rules;
943 /* Create and populate the rules */
944 acl_new_rules = clib_mem_alloc_aligned (sizeof (macip_acl_rule_t) * count,
945 CLIB_CACHE_LINE_BYTES);
948 /* Could not allocate rules. New or existing ACL - bail out regardless */
952 for (i = 0; i < count; i++)
954 r = &acl_new_rules[i];
955 r->is_permit = rules[i].is_permit;
956 r->is_ipv6 = rules[i].is_ipv6;
957 memcpy (&r->src_mac, rules[i].src_mac, 6);
958 memcpy (&r->src_mac_mask, rules[i].src_mac_mask, 6);
960 memcpy (&r->src_ip_addr.ip6, rules[i].src_ip_addr, 16);
962 memcpy (&r->src_ip_addr.ip4, rules[i].src_ip_addr, 4);
963 r->src_prefixlen = rules[i].src_ip_prefix_len;
967 pool_get_aligned (am->macip_acls, a, CLIB_CACHE_LINE_BYTES);
968 memset (a, 0, sizeof (*a));
969 /* Will return the newly allocated ACL index */
970 *acl_list_index = a - am->macip_acls;
972 a->rules = acl_new_rules;
974 memcpy (a->tag, tag, sizeof (a->tag));
976 /* Create and populate the classifer tables */
977 macip_create_classify_tables (am, *acl_list_index);
983 /* No check for validity of sw_if_index - the callers were supposed to validate */
986 macip_acl_interface_del_acl (acl_main_t * am, u32 sw_if_index)
991 vec_validate_init_empty (am->macip_acl_by_sw_if_index, sw_if_index, ~0);
992 macip_acl_index = am->macip_acl_by_sw_if_index[sw_if_index];
993 /* No point in deleting MACIP ACL which is not applied */
994 if (~0 == macip_acl_index)
996 a = &am->macip_acls[macip_acl_index];
997 /* remove the classifier tables off the interface L2 ACL */
999 vnet_set_input_acl_intfc (am->vlib_main, sw_if_index, a->ip4_table_index,
1000 a->ip6_table_index, a->l2_table_index, 0);
1001 /* Unset the MACIP ACL index */
1002 am->macip_acl_by_sw_if_index[sw_if_index] = ~0;
1006 /* No check for validity of sw_if_index - the callers were supposed to validate */
1009 macip_acl_interface_add_acl (acl_main_t * am, u32 sw_if_index,
1010 u32 macip_acl_index)
1012 macip_acl_list_t *a;
1014 if (pool_is_free_index (am->macip_acls, macip_acl_index))
1018 a = &am->macip_acls[macip_acl_index];
1019 vec_validate_init_empty (am->macip_acl_by_sw_if_index, sw_if_index, ~0);
1020 /* If there already a MACIP ACL applied, unapply it */
1021 if (~0 != am->macip_acl_by_sw_if_index[sw_if_index])
1022 macip_acl_interface_del_acl(am, sw_if_index);
1023 am->macip_acl_by_sw_if_index[sw_if_index] = macip_acl_index;
1024 /* Apply the classifier tables for L2 ACLs */
1026 vnet_set_input_acl_intfc (am->vlib_main, sw_if_index, a->ip4_table_index,
1027 a->ip6_table_index, a->l2_table_index, 1);
1032 macip_acl_del_list (u32 acl_list_index)
1034 acl_main_t *am = &acl_main;
1035 macip_acl_list_t *a;
1037 if (pool_is_free_index (am->macip_acls, acl_list_index))
1042 /* delete any references to the ACL */
1043 for (i = 0; i < vec_len (am->macip_acl_by_sw_if_index); i++)
1045 if (am->macip_acl_by_sw_if_index[i] == acl_list_index)
1047 macip_acl_interface_del_acl (am, i);
1051 /* Now that classifier tables are detached, clean them up */
1052 macip_destroy_classify_tables (am, acl_list_index);
1054 /* now we can delete the ACL itself */
1055 a = &am->macip_acls[acl_list_index];
1058 clib_mem_free (a->rules);
1060 pool_put (am->macip_acls, a);
1066 macip_acl_interface_add_del_acl (u32 sw_if_index, u8 is_add,
1069 acl_main_t *am = &acl_main;
1073 rv = macip_acl_interface_add_acl (am, sw_if_index, acl_list_index);
1077 rv = macip_acl_interface_del_acl (am, sw_if_index);
1083 * If the client does not allocate enough memory for a variable-length
1084 * message, and then proceed to use it as if the full memory allocated,
1085 * absent the check we happily consume that on the VPP side, and go
1086 * along as if nothing happened. However, the resulting
1087 * effects range from just garbage in the API decode
1088 * (because the decoder snoops too far), to potential memory
1091 * This verifies that the actual length of the message is
1092 * at least expected_len, and complains loudly if it is not.
1094 * A failing check here is 100% a software bug on the API user side,
1095 * so we might as well yell.
1098 static int verify_message_len(void *mp, u32 expected_len, char *where)
1100 u32 supplied_len = vl_msg_api_get_msg_length (mp);
1101 if (supplied_len < expected_len) {
1102 clib_warning("%s: Supplied message length %d is less than expected %d",
1103 where, supplied_len, expected_len);
1110 /* API message handler */
1112 vl_api_acl_add_replace_t_handler (vl_api_acl_add_replace_t * mp)
1114 vl_api_acl_add_replace_reply_t *rmp;
1115 acl_main_t *am = &acl_main;
1117 u32 acl_list_index = ntohl (mp->acl_index);
1118 u32 acl_count = ntohl (mp->count);
1119 u32 expected_len = sizeof(*mp) + acl_count*sizeof(mp->r[0]);
1121 if (verify_message_len(mp, expected_len, "acl_add_replace")) {
1122 rv = acl_add_list (acl_count, mp->r, &acl_list_index, mp->tag);
1124 rv = VNET_API_ERROR_INVALID_VALUE;
1128 REPLY_MACRO2(VL_API_ACL_ADD_REPLACE_REPLY,
1130 rmp->acl_index = htonl(acl_list_index);
1136 vl_api_acl_del_t_handler (vl_api_acl_del_t * mp)
1138 acl_main_t *am = &acl_main;
1139 vl_api_acl_del_reply_t *rmp;
1142 rv = acl_del_list (ntohl (mp->acl_index));
1144 REPLY_MACRO (VL_API_ACL_DEL_REPLY);
1148 vl_api_acl_interface_add_del_t_handler (vl_api_acl_interface_add_del_t * mp)
1150 acl_main_t *am = &acl_main;
1151 vnet_interface_main_t *im = &am->vnet_main->interface_main;
1152 u32 sw_if_index = ntohl (mp->sw_if_index);
1153 vl_api_acl_interface_add_del_reply_t *rmp;
1156 if (pool_is_free_index(im->sw_interfaces, sw_if_index))
1157 rv = VNET_API_ERROR_INVALID_SW_IF_INDEX;
1160 acl_interface_add_del_inout_acl (sw_if_index, mp->is_add,
1161 mp->is_input, ntohl (mp->acl_index));
1163 REPLY_MACRO (VL_API_ACL_INTERFACE_ADD_DEL_REPLY);
1167 vl_api_acl_interface_set_acl_list_t_handler
1168 (vl_api_acl_interface_set_acl_list_t * mp)
1170 acl_main_t *am = &acl_main;
1171 vl_api_acl_interface_set_acl_list_reply_t *rmp;
1174 vnet_interface_main_t *im = &am->vnet_main->interface_main;
1175 u32 sw_if_index = ntohl (mp->sw_if_index);
1177 if (pool_is_free_index(im->sw_interfaces, sw_if_index))
1178 rv = VNET_API_ERROR_INVALID_SW_IF_INDEX;
1181 acl_interface_reset_inout_acls (sw_if_index, 0);
1182 acl_interface_reset_inout_acls (sw_if_index, 1);
1184 for (i = 0; i < mp->count; i++)
1186 acl_interface_add_del_inout_acl (sw_if_index, 1, (i < mp->n_input),
1187 ntohl (mp->acls[i]));
1191 REPLY_MACRO (VL_API_ACL_INTERFACE_SET_ACL_LIST_REPLY);
1195 copy_acl_rule_to_api_rule (vl_api_acl_rule_t * api_rule, acl_rule_t * r)
1197 api_rule->is_permit = r->is_permit;
1198 api_rule->is_ipv6 = r->is_ipv6;
1201 memcpy (api_rule->src_ip_addr, &r->src, sizeof (r->src));
1202 memcpy (api_rule->dst_ip_addr, &r->dst, sizeof (r->dst));
1206 memcpy (api_rule->src_ip_addr, &r->src.ip4, sizeof (r->src.ip4));
1207 memcpy (api_rule->dst_ip_addr, &r->dst.ip4, sizeof (r->dst.ip4));
1209 api_rule->src_ip_prefix_len = r->src_prefixlen;
1210 api_rule->dst_ip_prefix_len = r->dst_prefixlen;
1211 api_rule->proto = r->proto;
1212 api_rule->srcport_or_icmptype_first = htons (r->src_port_or_type_first);
1213 api_rule->srcport_or_icmptype_last = htons (r->src_port_or_type_last);
1214 api_rule->dstport_or_icmpcode_first = htons (r->dst_port_or_code_first);
1215 api_rule->dstport_or_icmpcode_last = htons (r->dst_port_or_code_last);
1216 api_rule->tcp_flags_mask = r->tcp_flags_mask;
1217 api_rule->tcp_flags_value = r->tcp_flags_value;
1221 send_acl_details (acl_main_t * am, unix_shared_memory_queue_t * q,
1222 acl_list_t * acl, u32 context)
1224 vl_api_acl_details_t *mp;
1225 vl_api_acl_rule_t *rules;
1227 int msg_size = sizeof (*mp) + sizeof (mp->r[0]) * acl->count;
1229 mp = vl_msg_api_alloc (msg_size);
1230 memset (mp, 0, msg_size);
1231 mp->_vl_msg_id = ntohs (VL_API_ACL_DETAILS + am->msg_id_base);
1233 /* fill in the message */
1234 mp->context = context;
1235 mp->count = htonl (acl->count);
1236 mp->acl_index = htonl (acl - am->acls);
1237 memcpy (mp->tag, acl->tag, sizeof (mp->tag));
1238 // clib_memcpy (mp->r, acl->rules, acl->count * sizeof(acl->rules[0]));
1240 for (i = 0; i < acl->count; i++)
1242 copy_acl_rule_to_api_rule (&rules[i], &acl->rules[i]);
1245 clib_warning("Sending acl details for ACL index %d", ntohl(mp->acl_index));
1246 vl_msg_api_send_shmem (q, (u8 *) & mp);
1251 vl_api_acl_dump_t_handler (vl_api_acl_dump_t * mp)
1253 acl_main_t *am = &acl_main;
1258 unix_shared_memory_queue_t *q;
1260 q = vl_api_client_index_to_input_queue (mp->client_index);
1266 if (mp->acl_index == ~0)
1269 /* Just dump all ACLs */
1270 pool_foreach (acl, am->acls,
1272 send_acl_details(am, q, acl, mp->context);
1278 acl_index = ntohl (mp->acl_index);
1279 if (!pool_is_free_index (am->acls, acl_index))
1281 acl = &am->acls[acl_index];
1282 send_acl_details (am, q, acl, mp->context);
1288 /* FIXME API: should we signal an error here at all ? */
1294 send_acl_interface_list_details (acl_main_t * am,
1295 unix_shared_memory_queue_t * q,
1296 u32 sw_if_index, u32 context)
1298 vl_api_acl_interface_list_details_t *mp;
1305 vec_validate (am->input_acl_vec_by_sw_if_index, sw_if_index);
1306 vec_validate (am->output_acl_vec_by_sw_if_index, sw_if_index);
1308 n_input = vec_len (am->input_acl_vec_by_sw_if_index[sw_if_index]);
1309 n_output = vec_len (am->output_acl_vec_by_sw_if_index[sw_if_index]);
1310 count = n_input + n_output;
1312 msg_size = sizeof (*mp);
1313 msg_size += sizeof (mp->acls[0]) * count;
1315 mp = vl_msg_api_alloc (msg_size);
1316 memset (mp, 0, msg_size);
1318 ntohs (VL_API_ACL_INTERFACE_LIST_DETAILS + am->msg_id_base);
1320 /* fill in the message */
1321 mp->context = context;
1322 mp->sw_if_index = htonl (sw_if_index);
1324 mp->n_input = n_input;
1325 for (i = 0; i < n_input; i++)
1327 mp->acls[i] = htonl (am->input_acl_vec_by_sw_if_index[sw_if_index][i]);
1329 for (i = 0; i < n_output; i++)
1331 mp->acls[n_input + i] =
1332 htonl (am->output_acl_vec_by_sw_if_index[sw_if_index][i]);
1335 vl_msg_api_send_shmem (q, (u8 *) & mp);
1339 vl_api_acl_interface_list_dump_t_handler (vl_api_acl_interface_list_dump_t *
1342 acl_main_t *am = &acl_main;
1343 vnet_sw_interface_t *swif;
1344 vnet_interface_main_t *im = &am->vnet_main->interface_main;
1347 unix_shared_memory_queue_t *q;
1349 q = vl_api_client_index_to_input_queue (mp->client_index);
1355 if (mp->sw_if_index == ~0)
1358 pool_foreach (swif, im->sw_interfaces,
1360 send_acl_interface_list_details(am, q, swif->sw_if_index, mp->context);
1366 sw_if_index = ntohl (mp->sw_if_index);
1367 if (!pool_is_free_index(im->sw_interfaces, sw_if_index))
1368 send_acl_interface_list_details (am, q, sw_if_index, mp->context);
1372 /* MACIP ACL API handlers */
1375 vl_api_macip_acl_add_t_handler (vl_api_macip_acl_add_t * mp)
1377 vl_api_macip_acl_add_reply_t *rmp;
1378 acl_main_t *am = &acl_main;
1380 u32 acl_list_index = ~0;
1381 u32 acl_count = ntohl (mp->count);
1382 u32 expected_len = sizeof(*mp) + acl_count*sizeof(mp->r[0]);
1384 if (verify_message_len(mp, expected_len, "macip_acl_add")) {
1385 rv = macip_acl_add_list (acl_count, mp->r, &acl_list_index, mp->tag);
1387 rv = VNET_API_ERROR_INVALID_VALUE;
1391 REPLY_MACRO2(VL_API_MACIP_ACL_ADD_REPLY,
1393 rmp->acl_index = htonl(acl_list_index);
1399 vl_api_macip_acl_del_t_handler (vl_api_macip_acl_del_t * mp)
1401 acl_main_t *am = &acl_main;
1402 vl_api_macip_acl_del_reply_t *rmp;
1405 rv = macip_acl_del_list (ntohl (mp->acl_index));
1407 REPLY_MACRO (VL_API_MACIP_ACL_DEL_REPLY);
1411 vl_api_macip_acl_interface_add_del_t_handler
1412 (vl_api_macip_acl_interface_add_del_t * mp)
1414 acl_main_t *am = &acl_main;
1415 vl_api_macip_acl_interface_add_del_reply_t *rmp;
1417 vnet_interface_main_t *im = &am->vnet_main->interface_main;
1418 u32 sw_if_index = ntohl (mp->sw_if_index);
1420 if (pool_is_free_index(im->sw_interfaces, sw_if_index))
1421 rv = VNET_API_ERROR_INVALID_SW_IF_INDEX;
1424 macip_acl_interface_add_del_acl (ntohl (mp->sw_if_index), mp->is_add,
1425 ntohl (mp->acl_index));
1427 REPLY_MACRO (VL_API_MACIP_ACL_INTERFACE_ADD_DEL_REPLY);
1431 send_macip_acl_details (acl_main_t * am, unix_shared_memory_queue_t * q,
1432 macip_acl_list_t * acl, u32 context)
1434 vl_api_macip_acl_details_t *mp;
1435 vl_api_macip_acl_rule_t *rules;
1436 macip_acl_rule_t *r;
1438 int msg_size = sizeof (*mp) + (acl ? sizeof (mp->r[0]) * acl->count : 0);
1440 mp = vl_msg_api_alloc (msg_size);
1441 memset (mp, 0, msg_size);
1442 mp->_vl_msg_id = ntohs (VL_API_MACIP_ACL_DETAILS + am->msg_id_base);
1444 /* fill in the message */
1445 mp->context = context;
1448 memcpy (mp->tag, acl->tag, sizeof (mp->tag));
1449 mp->count = htonl (acl->count);
1450 mp->acl_index = htonl (acl - am->macip_acls);
1452 for (i = 0; i < acl->count; i++)
1455 rules[i].is_permit = r->is_permit;
1456 rules[i].is_ipv6 = r->is_ipv6;
1457 memcpy (rules[i].src_mac, &r->src_mac, sizeof (r->src_mac));
1458 memcpy (rules[i].src_mac_mask, &r->src_mac_mask,
1459 sizeof (r->src_mac_mask));
1461 memcpy (rules[i].src_ip_addr, &r->src_ip_addr.ip6,
1462 sizeof (r->src_ip_addr.ip6));
1464 memcpy (rules[i].src_ip_addr, &r->src_ip_addr.ip4,
1465 sizeof (r->src_ip_addr.ip4));
1466 rules[i].src_ip_prefix_len = r->src_prefixlen;
1471 /* No martini, no party - no ACL applied to this interface. */
1476 vl_msg_api_send_shmem (q, (u8 *) & mp);
1481 vl_api_macip_acl_dump_t_handler (vl_api_macip_acl_dump_t * mp)
1483 acl_main_t *am = &acl_main;
1484 macip_acl_list_t *acl;
1486 unix_shared_memory_queue_t *q;
1488 q = vl_api_client_index_to_input_queue (mp->client_index);
1494 if (mp->acl_index == ~0)
1496 /* Just dump all ACLs for now, with sw_if_index = ~0 */
1497 pool_foreach (acl, am->macip_acls, (
1499 send_macip_acl_details (am, q, acl,
1507 u32 acl_index = ntohl (mp->acl_index);
1508 if (!pool_is_free_index (am->macip_acls, acl_index))
1510 acl = &am->macip_acls[acl_index];
1511 send_macip_acl_details (am, q, acl, mp->context);
1517 vl_api_macip_acl_interface_get_t_handler (vl_api_macip_acl_interface_get_t *
1520 acl_main_t *am = &acl_main;
1521 vl_api_macip_acl_interface_get_reply_t *rmp;
1522 u32 count = vec_len (am->macip_acl_by_sw_if_index);
1523 int msg_size = sizeof (*rmp) + sizeof (rmp->acls[0]) * count;
1524 unix_shared_memory_queue_t *q;
1527 q = vl_api_client_index_to_input_queue (mp->client_index);
1533 rmp = vl_msg_api_alloc (msg_size);
1534 memset (rmp, 0, msg_size);
1536 ntohs (VL_API_MACIP_ACL_INTERFACE_GET_REPLY + am->msg_id_base);
1537 rmp->context = mp->context;
1538 rmp->count = htonl (count);
1539 for (i = 0; i < count; i++)
1541 rmp->acls[i] = htonl (am->macip_acl_by_sw_if_index[i]);
1544 vl_msg_api_send_shmem (q, (u8 *) & rmp);
1547 /* Set up the API message handling tables */
1548 static clib_error_t *
1549 acl_plugin_api_hookup (vlib_main_t * vm)
1551 acl_main_t *am = &acl_main;
1553 vl_msg_api_set_handlers((VL_API_##N + am->msg_id_base), \
1555 vl_api_##n##_t_handler, \
1557 vl_api_##n##_t_endian, \
1558 vl_api_##n##_t_print, \
1559 sizeof(vl_api_##n##_t), 1);
1560 foreach_acl_plugin_api_msg;
1566 #define vl_msg_name_crc_list
1567 #include <acl/acl_all_api_h.h>
1568 #undef vl_msg_name_crc_list
1571 setup_message_id_table (acl_main_t * am, api_main_t * apim)
1573 #define _(id,n,crc) \
1574 vl_msg_api_add_msg_name_crc (apim, #n "_" #crc, id + am->msg_id_base);
1575 foreach_vl_msg_name_crc_acl;
1580 acl_setup_fa_nodes (void)
1582 vlib_main_t *vm = vlib_get_main ();
1583 acl_main_t *am = &acl_main;
1584 vlib_node_t *n, *n4, *n6;
1586 n = vlib_get_node_by_name (vm, (u8 *) "l2-input-classify");
1587 n4 = vlib_get_node_by_name (vm, (u8 *) "acl-plugin-in-ip4-l2");
1588 n6 = vlib_get_node_by_name (vm, (u8 *) "acl-plugin-in-ip6-l2");
1591 am->l2_input_classify_next_acl_ip4 =
1592 vlib_node_add_next_with_slot (vm, n->index, n4->index, ~0);
1593 am->l2_input_classify_next_acl_ip6 =
1594 vlib_node_add_next_with_slot (vm, n->index, n6->index, ~0);
1596 feat_bitmap_init_next_nodes (vm, n4->index, L2INPUT_N_FEAT,
1597 l2input_get_feat_names (),
1598 am->fa_acl_in_ip4_l2_node_feat_next_node_index);
1600 feat_bitmap_init_next_nodes (vm, n6->index, L2INPUT_N_FEAT,
1601 l2input_get_feat_names (),
1602 am->fa_acl_in_ip6_l2_node_feat_next_node_index);
1605 n = vlib_get_node_by_name (vm, (u8 *) "l2-output-classify");
1606 n4 = vlib_get_node_by_name (vm, (u8 *) "acl-plugin-out-ip4-l2");
1607 n6 = vlib_get_node_by_name (vm, (u8 *) "acl-plugin-out-ip6-l2");
1609 am->l2_output_classify_next_acl_ip4 =
1610 vlib_node_add_next_with_slot (vm, n->index, n4->index, ~0);
1611 am->l2_output_classify_next_acl_ip6 =
1612 vlib_node_add_next_with_slot (vm, n->index, n6->index, ~0);
1614 feat_bitmap_init_next_nodes (vm, n4->index, L2OUTPUT_N_FEAT,
1615 l2output_get_feat_names (),
1616 am->fa_acl_out_ip4_l2_node_feat_next_node_index);
1618 feat_bitmap_init_next_nodes (vm, n6->index, L2OUTPUT_N_FEAT,
1619 l2output_get_feat_names (),
1620 am->fa_acl_out_ip6_l2_node_feat_next_node_index);
1624 acl_set_timeout_sec(int timeout_type, u32 value)
1626 acl_main_t *am = &acl_main;
1627 clib_time_t *ct = &am->vlib_main->clib_time;
1629 if (timeout_type < ACL_N_TIMEOUTS) {
1630 am->session_timeout_sec[timeout_type] = value;
1632 clib_warning("Unknown timeout type %d", timeout_type);
1635 am->session_timeout[timeout_type] = (u64)(((f64)value)/ct->seconds_per_clock);
1639 acl_set_session_max_entries(u32 value)
1641 acl_main_t *am = &acl_main;
1642 am->fa_conn_table_max_entries = value;
1646 acl_set_skip_ipv6_eh(u32 eh, u32 value)
1648 acl_main_t *am = &acl_main;
1649 if ((eh < 256) && (value < 2))
1651 am->fa_ipv6_known_eh_bitmap = clib_bitmap_set(am->fa_ipv6_known_eh_bitmap, eh, value);
1659 static clib_error_t *
1660 acl_sw_interface_add_del (vnet_main_t * vnm, u32 sw_if_index, u32 is_add)
1662 acl_main_t *am = &acl_main;
1664 vlib_process_signal_event (am->vlib_main, am->fa_cleaner_node_index,
1665 ACL_FA_CLEANER_DELETE_BY_SW_IF_INDEX, sw_if_index);
1666 /* also unapply any ACLs in case the users did not do so. */
1667 macip_acl_interface_del_acl(am, sw_if_index);
1668 acl_interface_reset_inout_acls (sw_if_index, 0);
1669 acl_interface_reset_inout_acls (sw_if_index, 1);
1674 VNET_SW_INTERFACE_ADD_DEL_FUNCTION (acl_sw_interface_add_del);
1676 static clib_error_t *
1677 acl_set_aclplugin_fn (vlib_main_t * vm,
1678 unformat_input_t * input,
1679 vlib_cli_command_t * cmd)
1681 clib_error_t *error = 0;
1685 uword memory_size = 0;
1686 acl_main_t *am = &acl_main;
1688 if (unformat (input, "skip-ipv6-extension-header %u %u", &eh_val, &val)) {
1689 if(!acl_set_skip_ipv6_eh(eh_val, val)) {
1690 error = clib_error_return(0, "expecting eh=0..255, value=0..1");
1694 if (unformat (input, "l4-match-nonfirst-fragment %u", &val))
1696 am->l4_match_nonfirst_fragment = (val != 0);
1699 if (unformat (input, "session")) {
1700 if (unformat (input, "clear")) {
1701 acl_main_t *am = &acl_main;
1702 vlib_process_signal_event (am->vlib_main, am->fa_cleaner_node_index,
1703 ACL_FA_CLEANER_DELETE_BY_SW_IF_INDEX, ~0);
1706 if (unformat (input, "table")) {
1707 /* The commands here are for tuning/testing. No user-serviceable parts inside */
1708 if (unformat (input, "max-entries")) {
1709 if (!unformat(input, "%u", &val)) {
1710 error = clib_error_return(0,
1711 "expecting maximum number of entries, got `%U`",
1712 format_unformat_error, input);
1715 acl_set_session_max_entries(val);
1719 if (unformat (input, "hash-table-buckets")) {
1720 if (!unformat(input, "%u", &val)) {
1721 error = clib_error_return(0,
1722 "expecting maximum number of hash table buckets, got `%U`",
1723 format_unformat_error, input);
1726 am->fa_conn_table_hash_num_buckets = val;
1730 if (unformat (input, "hash-table-memory")) {
1731 if (!unformat(input, "%U", unformat_memory_size, &memory_size)) {
1732 error = clib_error_return(0,
1733 "expecting maximum amount of hash table memory, got `%U`",
1734 format_unformat_error, input);
1737 am->fa_conn_table_hash_memory_size = memory_size;
1743 if (unformat (input, "timeout")) {
1744 if (unformat(input, "udp")) {
1745 if(unformat(input, "idle")) {
1746 if (!unformat(input, "%u", &timeout)) {
1747 error = clib_error_return(0,
1748 "expecting timeout value in seconds, got `%U`",
1749 format_unformat_error, input);
1752 acl_set_timeout_sec(ACL_TIMEOUT_UDP_IDLE, timeout);
1757 if (unformat(input, "tcp")) {
1758 if(unformat(input, "idle")) {
1759 if (!unformat(input, "%u", &timeout)) {
1760 error = clib_error_return(0,
1761 "expecting timeout value in seconds, got `%U`",
1762 format_unformat_error, input);
1765 acl_set_timeout_sec(ACL_TIMEOUT_TCP_IDLE, timeout);
1769 if(unformat(input, "transient")) {
1770 if (!unformat(input, "%u", &timeout)) {
1771 error = clib_error_return(0,
1772 "expecting timeout value in seconds, got `%U`",
1773 format_unformat_error, input);
1776 acl_set_timeout_sec(ACL_TIMEOUT_TCP_TRANSIENT, timeout);
1788 static clib_error_t *
1789 acl_show_aclplugin_fn (vlib_main_t * vm,
1790 unformat_input_t * input,
1791 vlib_cli_command_t * cmd)
1793 clib_error_t *error = 0;
1794 acl_main_t *am = &acl_main;
1795 vnet_interface_main_t *im = &am->vnet_main->interface_main;
1797 vnet_sw_interface_t *swif;
1799 if (unformat (input, "sessions"))
1802 pool_foreach (swif, im->sw_interfaces,
1804 u32 sw_if_index = swif->sw_if_index;
1805 u64 n_adds = sw_if_index < vec_len(am->fa_session_adds_by_sw_if_index) ? am->fa_session_adds_by_sw_if_index[sw_if_index] : 0;
1806 u64 n_dels = sw_if_index < vec_len(am->fa_session_dels_by_sw_if_index) ? am->fa_session_dels_by_sw_if_index[sw_if_index] : 0;
1807 out0 = format(out0, "sw_if_index %d: add %lu - del %lu = %lu\n", sw_if_index, n_adds, n_dels, n_adds - n_dels);
1809 out0 = format(out0, "\n\nConn cleaner thread counters:\n");
1810 #define _(cnt, desc) out0 = format(out0, " %20lu: %s\n", am->cnt, desc);
1811 foreach_fa_cleaner_counter;
1813 vlib_cli_output(vm, "\n\n%s\n\n", out0);
1814 vlib_cli_output(vm, "Sessions per interval: min %lu max %lu increment: %f ms current: %f ms",
1815 am->fa_min_deleted_sessions_per_interval, am->fa_max_deleted_sessions_per_interval,
1816 am->fa_cleaner_wait_time_increment * 1000.0, ((f64)am->fa_current_cleaner_timer_wait_interval) * 1000.0/(f64)vm->clib_time.clocks_per_second);
1825 VLIB_CLI_COMMAND (aclplugin_set_command, static) = {
1826 .path = "set acl-plugin",
1827 .short_help = "set acl-plugin session timeout {{udp idle}|tcp {idle|transient}} <seconds>",
1828 .function = acl_set_aclplugin_fn,
1831 VLIB_CLI_COMMAND (aclplugin_show_command, static) = {
1832 .path = "show acl-plugin",
1833 .short_help = "show acl-plugin sessions",
1834 .function = acl_show_aclplugin_fn,
1840 static clib_error_t *
1841 acl_init (vlib_main_t * vm)
1843 acl_main_t *am = &acl_main;
1844 clib_error_t *error = 0;
1845 memset (am, 0, sizeof (*am));
1847 am->vnet_main = vnet_get_main ();
1849 u8 *name = format (0, "acl_%08x%c", api_version, 0);
1851 /* Ask for a correctly-sized block of API message decode slots */
1852 am->msg_id_base = vl_msg_api_get_msg_ids ((char *) name,
1853 VL_MSG_FIRST_AVAILABLE);
1855 error = acl_plugin_api_hookup (vm);
1857 /* Add our API messages to the global name_crc hash table */
1858 setup_message_id_table (am, &api_main);
1862 acl_setup_fa_nodes();
1863 am->session_timeout_sec[ACL_TIMEOUT_TCP_TRANSIENT] = TCP_SESSION_TRANSIENT_TIMEOUT_SEC;
1864 am->session_timeout_sec[ACL_TIMEOUT_TCP_IDLE] = TCP_SESSION_IDLE_TIMEOUT_SEC;
1865 am->session_timeout_sec[ACL_TIMEOUT_UDP_IDLE] = UDP_SESSION_IDLE_TIMEOUT_SEC;
1867 am->fa_conn_table_hash_num_buckets = ACL_FA_CONN_TABLE_DEFAULT_HASH_NUM_BUCKETS;
1868 am->fa_conn_table_hash_memory_size = ACL_FA_CONN_TABLE_DEFAULT_HASH_MEMORY_SIZE;
1869 am->fa_conn_table_max_entries = ACL_FA_CONN_TABLE_DEFAULT_MAX_ENTRIES;
1873 for(tt = 0; tt < ACL_N_TIMEOUTS; tt++) {
1874 am->fa_conn_list_head[tt] = ~0;
1875 am->fa_conn_list_tail[tt] = ~0;
1879 am->fa_min_deleted_sessions_per_interval = ACL_FA_DEFAULT_MIN_DELETED_SESSIONS_PER_INTERVAL;
1880 am->fa_max_deleted_sessions_per_interval = ACL_FA_DEFAULT_MAX_DELETED_SESSIONS_PER_INTERVAL;
1881 am->fa_cleaner_wait_time_increment = ACL_FA_DEFAULT_CLEANER_WAIT_TIME_INCREMENT;
1883 am->fa_cleaner_cnt_delete_by_sw_index = 0;
1884 am->fa_cleaner_cnt_delete_by_sw_index_ok = 0;
1885 am->fa_cleaner_cnt_unknown_event = 0;
1886 am->fa_cleaner_cnt_deleted_sessions = 0;
1887 am->fa_cleaner_cnt_timer_restarted = 0;
1888 am->fa_cleaner_cnt_wait_with_timeout = 0;
1891 #define _(N, v, s) am->fa_ipv6_known_eh_bitmap = clib_bitmap_set(am->fa_ipv6_known_eh_bitmap, v, 1);
1895 am->l4_match_nonfirst_fragment = 1;
1900 VLIB_INIT_FUNCTION (acl_init);
Code Review / vpp.git / blob