2 * Copyright (c) 2016 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
18 #include <vnet/vnet.h>
19 #include <vnet/plugin/plugin.h>
22 #include <vnet/l2/l2_classify.h>
23 #include <vnet/classify/input_acl.h>
24 #include <vpp/app/version.h>
26 #include <vlibapi/api.h>
27 #include <vlibmemory/api.h>
29 /* define message IDs */
30 #include <acl/acl_msg_enum.h>
32 /* define message structures */
34 #include <acl/acl_all_api_h.h>
37 /* define generated endian-swappers */
39 #include <acl/acl_all_api_h.h>
42 /* instantiate all the print functions we know about */
43 #define vl_print(handle, ...) vlib_cli_output (handle, __VA_ARGS__)
45 #include <acl/acl_all_api_h.h>
48 /* Get the API version number */
49 #define vl_api_version(n,v) static u32 api_version=(v);
50 #include <acl/acl_all_api_h.h>
54 #include "hash_lookup.h"
58 #define REPLY_MSG_ID_BASE am->msg_id_base
59 #include <vlibapi/api_helper_macros.h>
61 /* List of message types that this plugin understands */
63 #define foreach_acl_plugin_api_msg \
64 _(ACL_PLUGIN_GET_VERSION, acl_plugin_get_version) \
65 _(ACL_PLUGIN_CONTROL_PING, acl_plugin_control_ping) \
66 _(ACL_ADD_REPLACE, acl_add_replace) \
68 _(ACL_INTERFACE_ADD_DEL, acl_interface_add_del) \
69 _(ACL_INTERFACE_SET_ACL_LIST, acl_interface_set_acl_list) \
70 _(ACL_DUMP, acl_dump) \
71 _(ACL_INTERFACE_LIST_DUMP, acl_interface_list_dump) \
72 _(MACIP_ACL_ADD, macip_acl_add) \
73 _(MACIP_ACL_ADD_REPLACE, macip_acl_add_replace) \
74 _(MACIP_ACL_DEL, macip_acl_del) \
75 _(MACIP_ACL_INTERFACE_ADD_DEL, macip_acl_interface_add_del) \
76 _(MACIP_ACL_DUMP, macip_acl_dump) \
77 _(MACIP_ACL_INTERFACE_GET, macip_acl_interface_get) \
78 _(MACIP_ACL_INTERFACE_LIST_DUMP, macip_acl_interface_list_dump)
82 VLIB_PLUGIN_REGISTER () = {
83 .version = VPP_BUILD_VER,
84 .description = "Access Control Lists",
90 acl_set_heap(acl_main_t *am)
92 if (0 == am->acl_mheap) {
93 am->acl_mheap = mheap_alloc (0 /* use VM */ , am->acl_mheap_size);
94 mheap_t *h = mheap_header (am->acl_mheap);
95 h->flags |= MHEAP_FLAG_THREAD_SAFE;
97 void *oldheap = clib_mem_set_heap(am->acl_mheap);
102 acl_plugin_acl_set_validate_heap(acl_main_t *am, int on)
104 clib_mem_set_heap(acl_set_heap(am));
105 mheap_t *h = mheap_header (am->acl_mheap);
107 h->flags |= MHEAP_FLAG_VALIDATE;
108 h->flags &= ~MHEAP_FLAG_SMALL_OBJECT_CACHE;
111 h->flags &= ~MHEAP_FLAG_VALIDATE;
112 h->flags |= MHEAP_FLAG_SMALL_OBJECT_CACHE;
117 acl_plugin_acl_set_trace_heap(acl_main_t *am, int on)
119 clib_mem_set_heap(acl_set_heap(am));
120 mheap_t *h = mheap_header (am->acl_mheap);
122 h->flags |= MHEAP_FLAG_TRACE;
124 h->flags &= ~MHEAP_FLAG_TRACE;
129 vl_api_acl_plugin_get_version_t_handler (vl_api_acl_plugin_get_version_t * mp)
131 acl_main_t *am = &acl_main;
132 vl_api_acl_plugin_get_version_reply_t *rmp;
133 int msg_size = sizeof (*rmp);
134 unix_shared_memory_queue_t *q;
136 q = vl_api_client_index_to_input_queue (mp->client_index);
142 rmp = vl_msg_api_alloc (msg_size);
143 memset (rmp, 0, msg_size);
145 ntohs (VL_API_ACL_PLUGIN_GET_VERSION_REPLY + am->msg_id_base);
146 rmp->context = mp->context;
147 rmp->major = htonl (ACL_PLUGIN_VERSION_MAJOR);
148 rmp->minor = htonl (ACL_PLUGIN_VERSION_MINOR);
150 vl_msg_api_send_shmem (q, (u8 *) & rmp);
154 vl_api_acl_plugin_control_ping_t_handler (vl_api_acl_plugin_control_ping_t * mp)
156 vl_api_acl_plugin_control_ping_reply_t *rmp;
157 acl_main_t *am = &acl_main;
161 REPLY_MACRO2 (VL_API_ACL_PLUGIN_CONTROL_PING_REPLY,
163 rmp->vpe_pid = ntohl (getpid ());
169 acl_add_list (u32 count, vl_api_acl_rule_t rules[],
170 u32 * acl_list_index, u8 * tag)
172 acl_main_t *am = &acl_main;
175 acl_rule_t *acl_new_rules = 0;
178 if (*acl_list_index != ~0)
180 /* They supplied some number, let's see if this ACL exists */
181 if (pool_is_free_index (am->acls, *acl_list_index))
183 /* tried to replace a non-existent ACL, no point doing anything */
184 clib_warning("acl-plugin-error: Trying to replace nonexistent ACL %d (tag %s)", *acl_list_index, tag);
189 clib_warning("acl-plugin-warning: supplied no rules for ACL %d (tag %s)", *acl_list_index, tag);
192 void *oldheap = acl_set_heap(am);
194 /* Create and populate the rules */
196 vec_validate(acl_new_rules, count-1);
198 for (i = 0; i < count; i++)
200 r = vec_elt_at_index(acl_new_rules, i);
201 memset(r, 0, sizeof(*r));
202 r->is_permit = rules[i].is_permit;
203 r->is_ipv6 = rules[i].is_ipv6;
206 memcpy (&r->src, rules[i].src_ip_addr, sizeof (r->src));
207 memcpy (&r->dst, rules[i].dst_ip_addr, sizeof (r->dst));
211 memcpy (&r->src.ip4, rules[i].src_ip_addr, sizeof (r->src.ip4));
212 memcpy (&r->dst.ip4, rules[i].dst_ip_addr, sizeof (r->dst.ip4));
214 r->src_prefixlen = rules[i].src_ip_prefix_len;
215 r->dst_prefixlen = rules[i].dst_ip_prefix_len;
216 r->proto = rules[i].proto;
217 r->src_port_or_type_first = ntohs ( rules[i].srcport_or_icmptype_first );
218 r->src_port_or_type_last = ntohs ( rules[i].srcport_or_icmptype_last );
219 r->dst_port_or_code_first = ntohs ( rules[i].dstport_or_icmpcode_first );
220 r->dst_port_or_code_last = ntohs ( rules[i].dstport_or_icmpcode_last );
221 r->tcp_flags_value = rules[i].tcp_flags_value;
222 r->tcp_flags_mask = rules[i].tcp_flags_mask;
225 if (~0 == *acl_list_index)
228 pool_get_aligned (am->acls, a, CLIB_CACHE_LINE_BYTES);
229 memset (a, 0, sizeof (*a));
230 /* Will return the newly allocated ACL index */
231 *acl_list_index = a - am->acls;
235 a = am->acls + *acl_list_index;
236 hash_acl_delete(am, *acl_list_index);
237 /* Get rid of the old rules */
241 a->rules = acl_new_rules;
243 memcpy (a->tag, tag, sizeof (a->tag));
244 hash_acl_add(am, *acl_list_index);
245 clib_mem_set_heap (oldheap);
250 acl_del_list (u32 acl_list_index)
252 acl_main_t *am = &acl_main;
255 if (pool_is_free_index (am->acls, acl_list_index))
260 if (acl_list_index < vec_len(am->input_sw_if_index_vec_by_acl)) {
261 if (vec_len(vec_elt(am->input_sw_if_index_vec_by_acl, acl_list_index)) > 0) {
262 /* ACL is applied somewhere inbound. Refuse to delete */
266 if (acl_list_index < vec_len(am->output_sw_if_index_vec_by_acl)) {
267 if (vec_len(vec_elt(am->output_sw_if_index_vec_by_acl, acl_list_index)) > 0) {
268 /* ACL is applied somewhere outbound. Refuse to delete */
273 void *oldheap = acl_set_heap(am);
274 /* delete any references to the ACL */
275 for (i = 0; i < vec_len (am->output_acl_vec_by_sw_if_index); i++)
277 for (ii = 0; ii < vec_len (am->output_acl_vec_by_sw_if_index[i]);
280 if (acl_list_index == am->output_acl_vec_by_sw_if_index[i][ii])
282 vec_del1 (am->output_acl_vec_by_sw_if_index[i], ii);
290 for (i = 0; i < vec_len (am->input_acl_vec_by_sw_if_index); i++)
292 for (ii = 0; ii < vec_len (am->input_acl_vec_by_sw_if_index[i]);
295 if (acl_list_index == am->input_acl_vec_by_sw_if_index[i][ii])
297 vec_del1 (am->input_acl_vec_by_sw_if_index[i], ii);
305 /* delete the hash table data */
307 hash_acl_delete(am, acl_list_index);
308 /* now we can delete the ACL itself */
309 a = pool_elt_at_index (am->acls, acl_list_index);
313 pool_put (am->acls, a);
314 clib_mem_set_heap (oldheap);
318 /* Some aids in ASCII graphing the content */
321 #define DOT1AD "\210\250"
322 #define DOT1Q "\201\00"
326 u8 ip4_5tuple_mask[] =
327 _(" dmac smac etype ")
328 _(ether) __ __ __ __ __ __ v __ __ __ __ __ __ v __ __ v
335 _(" ttl pr checksum ")
344 _("L4 T/U sport dport ")
354 u8 ip6_5tuple_mask[] =
355 _(" dmac smac etype ")
356 _(ether) __ __ __ __ __ __ v __ __ __ __ __ __ v __ __ v
358 _(0x0000) __ __ __ __
360 _(0x0004) __ __ XX __
362 _(0x0008) XX XX XX XX
363 _(0x000C) XX XX XX XX
364 _(0x0010) XX XX XX XX
365 _(0x0014) XX XX XX XX
367 _(0x0018) XX XX XX XX
368 _(0x001C) XX XX XX XX
369 _(0x0020) XX XX XX XX
370 _(0x0024) XX XX XX XX
371 _("L4T/U sport dport ")
372 _(tcpudp) XX XX XX XX _(padpad) __ __ __ __ _(padeth) __ __;
374 u8 dot1q_5tuple_mask[] =
375 _(" dmac smac dot1q etype ")
376 _(ether) __ __ __ __ __ __ v __ __ __ __ __ __ v DOT1Q __ __ v XX XX v
377 _(padpad) __ __ __ __
378 _(padpad) __ __ __ __
379 _(padpad) __ __ __ __
382 u8 dot1ad_5tuple_mask[] =
383 _(" dmac smac dot1ad etype ")
384 _(ether) __ __ __ __ __ __ v __ __ __ __ __ __ v DOT1AD __ __ DOT1Q __ __ v XX XX v
385 _(padpad) __ __ __ __
386 _(padpad) __ __ __ __
396 static int count_skip (u8 * p, u32 size)
398 u64 *p64 = (u64 *) p;
399 /* Be tolerant to null pointer */
403 while ((0ULL == *p64) && ((u8 *) p64 - p) < size)
407 return (p64 - (u64 *) p) / 2;
411 acl_classify_add_del_table_tiny (vnet_classify_main_t * cm, u8 * mask,
412 u32 mask_len, u32 next_table_index,
413 u32 miss_next_index, u32 * table_index,
417 u32 memory_size = 2 << 13;
418 u32 skip = count_skip (mask, mask_len);
419 u32 match = (mask_len / 16) - skip;
420 u8 *skip_mask_ptr = mask + 16 * skip;
421 u32 current_data_flag = 0;
422 int current_data_offset = 0;
426 void *oldheap = clib_mem_set_heap (cm->vlib_main->heap_base);
427 int ret = vnet_classify_add_del_table (cm, skip_mask_ptr, nbuckets,
428 memory_size, skip, match,
429 next_table_index, miss_next_index,
430 table_index, current_data_flag,
431 current_data_offset, is_add,
432 1 /* delete_chain */);
433 clib_mem_set_heap (oldheap);
438 acl_classify_add_del_table_small (vnet_classify_main_t * cm, u8 * mask,
439 u32 mask_len, u32 next_table_index,
440 u32 miss_next_index, u32 * table_index,
444 u32 memory_size = 2 << 22;
445 u32 skip = count_skip (mask, mask_len);
446 u32 match = (mask_len / 16) - skip;
447 u8 *skip_mask_ptr = mask + 16 * skip;
448 u32 current_data_flag = 0;
449 int current_data_offset = 0;
454 void *oldheap = clib_mem_set_heap (cm->vlib_main->heap_base);
455 int ret = vnet_classify_add_del_table (cm, skip_mask_ptr, nbuckets,
456 memory_size, skip, match,
457 next_table_index, miss_next_index,
458 table_index, current_data_flag,
459 current_data_offset, is_add,
460 1 /* delete_chain */);
461 clib_mem_set_heap (oldheap);
466 acl_unhook_l2_input_classify (acl_main_t * am, u32 sw_if_index)
468 vnet_classify_main_t *cm = &vnet_classify_main;
469 u32 ip4_table_index = ~0;
470 u32 ip6_table_index = ~0;
471 u32 dot1q_table_index = ~0;
472 u32 dot1ad_table_index = ~0;
473 void *oldheap = acl_set_heap(am);
475 vec_validate_init_empty (am->acl_ip4_input_classify_table_by_sw_if_index,
477 vec_validate_init_empty (am->acl_ip6_input_classify_table_by_sw_if_index,
479 vec_validate_init_empty (am->acl_dot1q_input_classify_table_by_sw_if_index,
481 vec_validate_init_empty (am->acl_dot1ad_input_classify_table_by_sw_if_index,
484 /* switch to global heap while calling vnet_* functions */
485 clib_mem_set_heap (cm->vlib_main->heap_base);
486 vnet_l2_input_classify_enable_disable (sw_if_index, 0);
488 if (am->acl_ip4_input_classify_table_by_sw_if_index[sw_if_index] != ~0)
491 am->acl_ip4_input_classify_table_by_sw_if_index[sw_if_index];
492 am->acl_ip4_input_classify_table_by_sw_if_index[sw_if_index] = ~0;
493 acl_classify_add_del_table_tiny (cm, ip4_5tuple_mask,
494 sizeof (ip4_5tuple_mask) - 1, ~0,
495 am->l2_input_classify_next_acl_ip4,
496 &ip4_table_index, 0);
498 if (am->acl_ip6_input_classify_table_by_sw_if_index[sw_if_index] != ~0)
501 am->acl_ip6_input_classify_table_by_sw_if_index[sw_if_index];
502 am->acl_ip6_input_classify_table_by_sw_if_index[sw_if_index] = ~0;
503 acl_classify_add_del_table_tiny (cm, ip6_5tuple_mask,
504 sizeof (ip6_5tuple_mask) - 1, ~0,
505 am->l2_input_classify_next_acl_ip6,
506 &ip6_table_index, 0);
508 if (am->acl_dot1q_input_classify_table_by_sw_if_index[sw_if_index] != ~0)
511 am->acl_dot1q_input_classify_table_by_sw_if_index[sw_if_index];
512 am->acl_dot1q_input_classify_table_by_sw_if_index[sw_if_index] = ~0;
513 acl_classify_add_del_table_tiny (cm, ip6_5tuple_mask,
514 sizeof (ip6_5tuple_mask) - 1, ~0,
516 &dot1q_table_index, 0);
518 if (am->acl_dot1ad_input_classify_table_by_sw_if_index[sw_if_index] != ~0)
521 am->acl_dot1ad_input_classify_table_by_sw_if_index[sw_if_index];
522 am->acl_dot1ad_input_classify_table_by_sw_if_index[sw_if_index] = ~0;
523 acl_classify_add_del_table_tiny (cm, dot1ad_5tuple_mask,
524 sizeof (dot1ad_5tuple_mask) - 1, ~0,
526 &dot1ad_table_index, 0);
528 clib_mem_set_heap (oldheap);
533 acl_unhook_l2_output_classify (acl_main_t * am, u32 sw_if_index)
535 vnet_classify_main_t *cm = &vnet_classify_main;
536 u32 ip4_table_index = ~0;
537 u32 ip6_table_index = ~0;
538 u32 dot1q_table_index = ~0;
539 u32 dot1ad_table_index = ~0;
540 void *oldheap = acl_set_heap(am);
542 vec_validate_init_empty (am->acl_ip4_output_classify_table_by_sw_if_index,
544 vec_validate_init_empty (am->acl_ip6_output_classify_table_by_sw_if_index,
546 vec_validate_init_empty (am->acl_dot1q_output_classify_table_by_sw_if_index,
548 vec_validate_init_empty (am->acl_dot1ad_output_classify_table_by_sw_if_index,
551 /* switch to global heap while calling vnet_* functions */
552 clib_mem_set_heap (cm->vlib_main->heap_base);
554 vnet_l2_output_classify_enable_disable (sw_if_index, 0);
556 if (am->acl_ip4_output_classify_table_by_sw_if_index[sw_if_index] != ~0)
559 am->acl_ip4_output_classify_table_by_sw_if_index[sw_if_index];
560 am->acl_ip4_output_classify_table_by_sw_if_index[sw_if_index] = ~0;
561 acl_classify_add_del_table_tiny (cm, ip4_5tuple_mask,
562 sizeof (ip4_5tuple_mask) - 1, ~0,
563 am->l2_output_classify_next_acl_ip4,
564 &ip4_table_index, 0);
566 if (am->acl_ip6_output_classify_table_by_sw_if_index[sw_if_index] != ~0)
569 am->acl_ip6_output_classify_table_by_sw_if_index[sw_if_index];
570 am->acl_ip6_output_classify_table_by_sw_if_index[sw_if_index] = ~0;
571 acl_classify_add_del_table_tiny (cm, ip6_5tuple_mask,
572 sizeof (ip6_5tuple_mask) - 1, ~0,
573 am->l2_output_classify_next_acl_ip6,
574 &ip6_table_index, 0);
576 if (am->acl_dot1q_output_classify_table_by_sw_if_index[sw_if_index] != ~0)
579 am->acl_dot1q_output_classify_table_by_sw_if_index[sw_if_index];
580 am->acl_dot1q_output_classify_table_by_sw_if_index[sw_if_index] = ~0;
581 acl_classify_add_del_table_tiny (cm, ip6_5tuple_mask,
582 sizeof (ip6_5tuple_mask) - 1, ~0,
584 &dot1q_table_index, 0);
586 if (am->acl_dot1ad_output_classify_table_by_sw_if_index[sw_if_index] != ~0)
589 am->acl_dot1ad_output_classify_table_by_sw_if_index[sw_if_index];
590 am->acl_dot1ad_output_classify_table_by_sw_if_index[sw_if_index] = ~0;
591 acl_classify_add_del_table_tiny (cm, dot1ad_5tuple_mask,
592 sizeof (dot1ad_5tuple_mask) - 1, ~0,
594 &dot1ad_table_index, 0);
596 clib_mem_set_heap (oldheap);
601 acl_add_vlan_session(acl_main_t * am, u32 table_index, u8 is_output, u8 is_dot1ad, u8 is_ip6)
603 vnet_classify_main_t *cm = &vnet_classify_main;
611 next_acl = (is_output)?am->l2_output_classify_next_acl_ip6:am->l2_input_classify_next_acl_ip6;
615 next_acl = (is_output)?am->l2_output_classify_next_acl_ip4:am->l2_input_classify_next_acl_ip4;
617 match = (is_dot1ad)?dot1ad_5tuple_mask:dot1q_5tuple_mask;
618 idx = (is_dot1ad)?20:16;
620 /* add sessions to vlan tables per ethernet_type */
633 vnet_classify_add_del_session (cm, table_index, match, next_acl,
634 session_idx, 0, 0, 0, 1);
635 memset (&match[idx], 0x00, 2);
639 acl_hook_l2_input_classify (acl_main_t * am, u32 sw_if_index)
641 vnet_classify_main_t *cm = &vnet_classify_main;
642 u32 ip4_table_index = ~0;
643 u32 ip6_table_index = ~0;
644 u32 dot1q_table_index = ~0;
645 u32 dot1ad_table_index = ~0;
648 void *prevheap = clib_mem_set_heap (cm->vlib_main->heap_base);
650 /* in case there were previous tables attached */
651 acl_unhook_l2_input_classify (am, sw_if_index);
653 acl_classify_add_del_table_tiny (cm, ip4_5tuple_mask,
654 sizeof (ip4_5tuple_mask) - 1, ~0,
655 am->l2_input_classify_next_acl_ip4,
656 &ip4_table_index, 1);
661 acl_classify_add_del_table_tiny (cm, ip6_5tuple_mask,
662 sizeof (ip6_5tuple_mask) - 1, ~0,
663 am->l2_input_classify_next_acl_ip6,
664 &ip6_table_index, 1);
667 acl_classify_add_del_table_tiny (cm, ip4_5tuple_mask,
668 sizeof (ip4_5tuple_mask) - 1, ~0,
669 am->l2_input_classify_next_acl_ip4,
670 &ip4_table_index, 0);
675 acl_classify_add_del_table_tiny (cm, dot1ad_5tuple_mask,
676 sizeof (dot1ad_5tuple_mask) - 1, ~0,
677 ~0, &dot1ad_table_index, 1);
679 acl_classify_add_del_table_tiny (cm, dot1q_5tuple_mask,
680 sizeof (dot1q_5tuple_mask) - 1, dot1ad_table_index,
681 ~0, &dot1q_table_index, 1);
684 acl_classify_add_del_table_tiny (cm, dot1ad_5tuple_mask,
685 sizeof (dot1ad_5tuple_mask) - 1, ~0,
686 ~0, &dot1ad_table_index, 0);
687 acl_classify_add_del_table_tiny (cm, ip6_5tuple_mask,
688 sizeof (ip6_5tuple_mask) - 1, ~0,
689 am->l2_input_classify_next_acl_ip6,
690 &ip6_table_index, 0);
691 acl_classify_add_del_table_tiny (cm, ip4_5tuple_mask,
692 sizeof (ip4_5tuple_mask) - 1, ~0,
693 am->l2_input_classify_next_acl_ip4,
694 &ip4_table_index, 0);
699 vnet_l2_input_classify_set_tables (sw_if_index, ip4_table_index,
700 ip6_table_index, dot1q_table_index);
704 acl_classify_add_del_table_tiny (cm, ip4_5tuple_mask,
705 sizeof (ip4_5tuple_mask) - 1, ~0,
706 am->l2_input_classify_next_acl_ip4,
707 &ip4_table_index, 0);
708 acl_classify_add_del_table_tiny (cm, ip6_5tuple_mask,
709 sizeof (ip6_5tuple_mask) - 1, ~0,
710 am->l2_input_classify_next_acl_ip6,
711 &ip6_table_index, 0);
712 acl_classify_add_del_table_tiny (cm, dot1q_5tuple_mask,
713 sizeof (dot1q_5tuple_mask) - 1, ~0,
714 ~0, &dot1q_table_index, 0);
715 acl_classify_add_del_table_tiny (cm, dot1ad_5tuple_mask,
716 sizeof (dot1ad_5tuple_mask) - 1, ~0,
717 ~0, &dot1ad_table_index, 0);
721 /* add sessions to vlan tables per ethernet_type */
722 acl_add_vlan_session(am, dot1q_table_index, 0, 0, 0);
723 acl_add_vlan_session(am, dot1q_table_index, 0, 0, 1);
724 acl_add_vlan_session(am, dot1ad_table_index, 0, 1, 0);
725 acl_add_vlan_session(am, dot1ad_table_index, 0, 1, 1);
727 am->acl_ip4_input_classify_table_by_sw_if_index[sw_if_index] =
729 am->acl_ip6_input_classify_table_by_sw_if_index[sw_if_index] =
731 am->acl_dot1q_input_classify_table_by_sw_if_index[sw_if_index] =
733 am->acl_dot1ad_input_classify_table_by_sw_if_index[sw_if_index] =
736 vnet_l2_input_classify_enable_disable (sw_if_index, 1);
738 clib_mem_set_heap (prevheap);
743 acl_hook_l2_output_classify (acl_main_t * am, u32 sw_if_index)
745 vnet_classify_main_t *cm = &vnet_classify_main;
746 u32 ip4_table_index = ~0;
747 u32 ip6_table_index = ~0;
748 u32 dot1q_table_index = ~0;
749 u32 dot1ad_table_index = ~0;
752 void *prevheap = clib_mem_set_heap (cm->vlib_main->heap_base);
754 /* in case there were previous tables attached */
755 acl_unhook_l2_output_classify (am, sw_if_index);
757 acl_classify_add_del_table_tiny (cm, ip4_5tuple_mask,
758 sizeof (ip4_5tuple_mask) - 1, ~0,
759 am->l2_output_classify_next_acl_ip4,
760 &ip4_table_index, 1);
764 acl_classify_add_del_table_tiny (cm, ip6_5tuple_mask,
765 sizeof (ip6_5tuple_mask) - 1, ~0,
766 am->l2_output_classify_next_acl_ip6,
767 &ip6_table_index, 1);
770 acl_classify_add_del_table_tiny (cm, ip4_5tuple_mask,
771 sizeof (ip4_5tuple_mask) - 1, ~0,
772 am->l2_output_classify_next_acl_ip4,
773 &ip4_table_index, 0);
778 acl_classify_add_del_table_tiny (cm, dot1ad_5tuple_mask,
779 sizeof (dot1ad_5tuple_mask) - 1, ~0,
780 ~0, &dot1ad_table_index, 1);
782 acl_classify_add_del_table_tiny (cm, dot1q_5tuple_mask,
783 sizeof (dot1q_5tuple_mask) - 1, dot1ad_table_index,
784 ~0, &dot1q_table_index, 1);
787 acl_classify_add_del_table_tiny (cm, dot1ad_5tuple_mask,
788 sizeof (dot1ad_5tuple_mask) - 1, ~0,
789 ~0, &dot1ad_table_index, 0);
790 acl_classify_add_del_table_tiny (cm, ip6_5tuple_mask,
791 sizeof (ip6_5tuple_mask) - 1, ~0,
792 am->l2_output_classify_next_acl_ip6,
793 &ip6_table_index, 0);
794 acl_classify_add_del_table_tiny (cm, ip4_5tuple_mask,
795 sizeof (ip4_5tuple_mask) - 1, ~0,
796 am->l2_output_classify_next_acl_ip4,
797 &ip4_table_index, 0);
802 vnet_l2_output_classify_set_tables (sw_if_index, ip4_table_index,
803 ip6_table_index, dot1q_table_index);
806 ("ACL enabling on interface sw_if_index %d, setting tables to the following: ip4: %d ip6: %d\n",
807 sw_if_index, ip4_table_index, ip6_table_index);
810 acl_classify_add_del_table_tiny (cm, ip6_5tuple_mask,
811 sizeof (ip6_5tuple_mask) - 1, ~0,
812 am->l2_output_classify_next_acl_ip6,
813 &ip6_table_index, 0);
814 acl_classify_add_del_table_tiny (cm, ip4_5tuple_mask,
815 sizeof (ip4_5tuple_mask) - 1, ~0,
816 am->l2_output_classify_next_acl_ip4,
817 &ip4_table_index, 0);
818 acl_classify_add_del_table_tiny (cm, dot1q_5tuple_mask,
819 sizeof (dot1q_5tuple_mask) - 1, ~0,
821 &dot1q_table_index, 0);
822 acl_classify_add_del_table_tiny (cm, dot1ad_5tuple_mask,
823 sizeof (dot1ad_5tuple_mask) - 1, ~0,
825 &dot1ad_table_index, 0);
829 /* add sessions to vlan tables per ethernet_type */
830 acl_add_vlan_session(am, dot1q_table_index, 1, 0, 0);
831 acl_add_vlan_session(am, dot1q_table_index, 1, 0, 1);
832 acl_add_vlan_session(am, dot1ad_table_index, 1, 1, 0);
833 acl_add_vlan_session(am, dot1ad_table_index, 1, 1, 1);
835 am->acl_ip4_output_classify_table_by_sw_if_index[sw_if_index] =
837 am->acl_ip6_output_classify_table_by_sw_if_index[sw_if_index] =
839 am->acl_dot1q_output_classify_table_by_sw_if_index[sw_if_index] =
841 am->acl_dot1ad_output_classify_table_by_sw_if_index[sw_if_index] =
844 vnet_l2_output_classify_enable_disable (sw_if_index, 1);
846 clib_mem_set_heap (prevheap);
851 acl_interface_in_enable_disable (acl_main_t * am, u32 sw_if_index,
857 if (pool_is_free_index (am->vnet_main->interface_main.sw_interfaces,
859 return VNET_API_ERROR_INVALID_SW_IF_INDEX;
861 acl_fa_enable_disable(sw_if_index, 1, enable_disable);
865 rv = acl_hook_l2_input_classify (am, sw_if_index);
869 rv = acl_unhook_l2_input_classify (am, sw_if_index);
876 acl_interface_out_enable_disable (acl_main_t * am, u32 sw_if_index,
882 if (pool_is_free_index (am->vnet_main->interface_main.sw_interfaces,
884 return VNET_API_ERROR_INVALID_SW_IF_INDEX;
886 acl_fa_enable_disable(sw_if_index, 0, enable_disable);
890 rv = acl_hook_l2_output_classify (am, sw_if_index);
894 rv = acl_unhook_l2_output_classify (am, sw_if_index);
901 acl_is_not_defined(acl_main_t *am, u32 acl_list_index)
903 return (pool_is_free_index (am->acls, acl_list_index));
908 acl_interface_add_inout_acl (u32 sw_if_index, u8 is_input, u32 acl_list_index)
910 acl_main_t *am = &acl_main;
911 if (acl_is_not_defined(am, acl_list_index)) {
912 /* ACL is not defined. Can not apply */
915 void *oldheap = acl_set_heap(am);
919 vec_validate (am->input_acl_vec_by_sw_if_index, sw_if_index);
921 u32 index = vec_search(am->input_acl_vec_by_sw_if_index[sw_if_index], acl_list_index);
922 if (index < vec_len(am->input_acl_vec_by_sw_if_index[sw_if_index])) {
923 clib_warning("ACL %d is already applied inbound on sw_if_index %d (index %d)",
924 acl_list_index, sw_if_index, index);
925 /* the entry is already there */
926 clib_mem_set_heap (oldheap);
929 /* if there was no ACL applied before, enable the ACL processing */
930 if (vec_len(am->input_acl_vec_by_sw_if_index[sw_if_index]) == 0) {
931 acl_interface_in_enable_disable (am, sw_if_index, 1);
933 vec_add (am->input_acl_vec_by_sw_if_index[sw_if_index], &acl_list_index,
935 vec_validate (am->input_sw_if_index_vec_by_acl, acl_list_index);
936 vec_add (am->input_sw_if_index_vec_by_acl[acl_list_index], &sw_if_index,
941 vec_validate (am->output_acl_vec_by_sw_if_index, sw_if_index);
943 u32 index = vec_search(am->output_acl_vec_by_sw_if_index[sw_if_index], acl_list_index);
944 if (index < vec_len(am->output_acl_vec_by_sw_if_index[sw_if_index])) {
945 clib_warning("ACL %d is already applied outbound on sw_if_index %d (index %d)",
946 acl_list_index, sw_if_index, index);
947 /* the entry is already there */
948 clib_mem_set_heap (oldheap);
951 /* if there was no ACL applied before, enable the ACL processing */
952 if (vec_len(am->output_acl_vec_by_sw_if_index[sw_if_index]) == 0) {
953 acl_interface_out_enable_disable (am, sw_if_index, 1);
955 vec_add (am->output_acl_vec_by_sw_if_index[sw_if_index],
957 vec_validate (am->output_sw_if_index_vec_by_acl, acl_list_index);
958 vec_add (am->output_sw_if_index_vec_by_acl[acl_list_index], &sw_if_index,
961 clib_mem_set_heap (oldheap);
967 acl_interface_del_inout_acl (u32 sw_if_index, u8 is_input, u32 acl_list_index)
969 acl_main_t *am = &acl_main;
972 void *oldheap = acl_set_heap(am);
975 vec_validate (am->input_acl_vec_by_sw_if_index, sw_if_index);
976 for (i = 0; i < vec_len (am->input_acl_vec_by_sw_if_index[sw_if_index]);
979 if (acl_list_index ==
980 am->input_acl_vec_by_sw_if_index[sw_if_index][i])
982 vec_del1 (am->input_acl_vec_by_sw_if_index[sw_if_index], i);
988 if (acl_list_index < vec_len(am->input_sw_if_index_vec_by_acl)) {
989 u32 index = vec_search(am->input_sw_if_index_vec_by_acl[acl_list_index], sw_if_index);
990 if (index < vec_len(am->input_sw_if_index_vec_by_acl[acl_list_index])) {
991 hash_acl_unapply(am, sw_if_index, is_input, acl_list_index);
992 vec_del1 (am->input_sw_if_index_vec_by_acl[acl_list_index], index);
996 /* If there is no more ACLs applied on an interface, disable ACL processing */
997 if (0 == vec_len (am->input_acl_vec_by_sw_if_index[sw_if_index]))
999 acl_interface_in_enable_disable (am, sw_if_index, 0);
1004 vec_validate (am->output_acl_vec_by_sw_if_index, sw_if_index);
1006 i < vec_len (am->output_acl_vec_by_sw_if_index[sw_if_index]); i++)
1008 if (acl_list_index ==
1009 am->output_acl_vec_by_sw_if_index[sw_if_index][i])
1011 vec_del1 (am->output_acl_vec_by_sw_if_index[sw_if_index], i);
1017 if (acl_list_index < vec_len(am->output_sw_if_index_vec_by_acl)) {
1018 u32 index = vec_search(am->output_sw_if_index_vec_by_acl[acl_list_index], sw_if_index);
1019 if (index < vec_len(am->output_sw_if_index_vec_by_acl[acl_list_index])) {
1020 hash_acl_unapply(am, sw_if_index, is_input, acl_list_index);
1021 vec_del1 (am->output_sw_if_index_vec_by_acl[acl_list_index], index);
1025 /* If there is no more ACLs applied on an interface, disable ACL processing */
1026 if (0 == vec_len (am->output_acl_vec_by_sw_if_index[sw_if_index]))
1028 acl_interface_out_enable_disable (am, sw_if_index, 0);
1031 clib_mem_set_heap (oldheap);
1036 acl_interface_reset_inout_acls (u32 sw_if_index, u8 is_input)
1038 acl_main_t *am = &acl_main;
1040 void *oldheap = acl_set_heap(am);
1043 vec_validate (am->input_acl_vec_by_sw_if_index, sw_if_index);
1044 if (vec_len(am->input_acl_vec_by_sw_if_index[sw_if_index]) > 0) {
1045 acl_interface_in_enable_disable (am, sw_if_index, 0);
1048 for(i = vec_len(am->input_acl_vec_by_sw_if_index[sw_if_index])-1; i>=0; i--) {
1049 u32 acl_list_index = am->input_acl_vec_by_sw_if_index[sw_if_index][i];
1050 hash_acl_unapply(am, sw_if_index, is_input, acl_list_index);
1051 if (acl_list_index < vec_len(am->input_sw_if_index_vec_by_acl)) {
1052 u32 index = vec_search(am->input_sw_if_index_vec_by_acl[acl_list_index], sw_if_index);
1053 if (index < vec_len(am->input_sw_if_index_vec_by_acl[acl_list_index])) {
1054 vec_del1 (am->input_sw_if_index_vec_by_acl[acl_list_index], index);
1059 vec_reset_length (am->input_acl_vec_by_sw_if_index[sw_if_index]);
1063 vec_validate (am->output_acl_vec_by_sw_if_index, sw_if_index);
1064 if (vec_len(am->output_acl_vec_by_sw_if_index[sw_if_index]) > 0) {
1065 acl_interface_out_enable_disable (am, sw_if_index, 0);
1068 for(i = vec_len(am->output_acl_vec_by_sw_if_index[sw_if_index])-1; i>=0; i--) {
1069 u32 acl_list_index = am->output_acl_vec_by_sw_if_index[sw_if_index][i];
1070 hash_acl_unapply(am, sw_if_index, is_input, acl_list_index);
1071 if (acl_list_index < vec_len(am->output_sw_if_index_vec_by_acl)) {
1072 u32 index = vec_search(am->output_sw_if_index_vec_by_acl[acl_list_index], sw_if_index);
1073 if (index < vec_len(am->output_sw_if_index_vec_by_acl[acl_list_index])) {
1074 vec_del1 (am->output_sw_if_index_vec_by_acl[acl_list_index], index);
1079 vec_reset_length (am->output_acl_vec_by_sw_if_index[sw_if_index]);
1081 clib_mem_set_heap (oldheap);
1085 acl_interface_add_del_inout_acl (u32 sw_if_index, u8 is_add, u8 is_input,
1089 acl_main_t *am = &acl_main;
1093 acl_interface_add_inout_acl (sw_if_index, is_input, acl_list_index);
1096 hash_acl_apply(am, sw_if_index, is_input, acl_list_index);
1101 hash_acl_unapply(am, sw_if_index, is_input, acl_list_index);
1103 acl_interface_del_inout_acl (sw_if_index, is_input, acl_list_index);
1116 u32 arp_table_index;
1117 u32 dot1q_table_index;
1118 u32 dot1ad_table_index;
1119 } macip_match_type_t;
1122 macip_find_match_type (macip_match_type_t * mv, u8 * mac_mask, u8 prefix_len,
1128 for (i = 0; i < vec_len (mv); i++)
1130 if ((mv[i].prefix_len == prefix_len) && (mv[i].is_ipv6 == is_ipv6)
1131 && (0 == memcmp (mv[i].mac_mask, mac_mask, 6)))
1141 /* Get metric used to sort match types.
1142 The more specific and the more often seen - the bigger the metric */
1144 match_type_metric (macip_match_type_t * m)
1146 unsigned int mac_bits_set = 0;
1147 unsigned int mac_byte;
1151 mac_byte = m->mac_mask[i];
1152 for (; mac_byte; mac_byte >>= 1)
1153 mac_bits_set += mac_byte & 1;
1156 * Attempt to place the more specific and the more used rules on top.
1157 * There are obvious caveat corner cases to this, but they do not
1158 * seem to be sensible in real world (e.g. specific IPv4 with wildcard MAC
1159 * going with a wildcard IPv4 with a specific MAC).
1161 return m->prefix_len + mac_bits_set + m->is_ipv6 + 10 * m->count;
1165 match_type_compare (macip_match_type_t * m1, macip_match_type_t * m2)
1167 /* Ascending sort based on the metric values */
1168 return match_type_metric (m1) - match_type_metric (m2);
1171 /* Get the offset of L3 source within ethernet packet */
1173 get_l3_src_offset(int is6)
1176 return (sizeof(ethernet_header_t) + offsetof(ip6_header_t, src_address));
1178 return (sizeof(ethernet_header_t) + offsetof(ip4_header_t, src_address));
1182 macip_create_classify_tables (acl_main_t * am, u32 macip_acl_index)
1184 macip_match_type_t *mvec = NULL;
1185 macip_match_type_t *mt;
1186 macip_acl_list_t *a = pool_elt_at_index (am->macip_acls, macip_acl_index);
1188 u32 match_type_index;
1191 vnet_classify_main_t *cm = &vnet_classify_main;
1193 /* Count the number of different types of rules */
1194 for (i = 0; i < a->count; i++)
1198 macip_find_match_type (mvec, a->rules[i].src_mac_mask,
1199 a->rules[i].src_prefixlen,
1200 a->rules[i].is_ipv6)))
1202 match_type_index = vec_len (mvec);
1203 vec_validate (mvec, match_type_index);
1204 memcpy (mvec[match_type_index].mac_mask,
1205 a->rules[i].src_mac_mask, 6);
1206 mvec[match_type_index].prefix_len = a->rules[i].src_prefixlen;
1207 mvec[match_type_index].is_ipv6 = a->rules[i].is_ipv6;
1208 mvec[match_type_index].table_index = ~0;
1209 mvec[match_type_index].dot1q_table_index = ~0;
1210 mvec[match_type_index].dot1ad_table_index = ~0;
1212 mvec[match_type_index].count++;
1214 /* Put the most frequently used tables last in the list so we can create classifier tables in reverse order */
1215 vec_sort_with_function (mvec, match_type_compare);
1216 /* Create the classifier tables */
1218 /* First add ARP tables */
1219 vec_foreach (mt, mvec)
1222 int is6 = mt->is_ipv6;
1224 mt->arp_table_index = ~0;
1227 memset (mask, 0, sizeof (mask));
1228 memcpy (&mask[6], mt->mac_mask, 6);
1229 memset (&mask[12], 0xff, 2); /* ethernet protocol */
1230 memcpy (&mask[14 + 8], mt->mac_mask, 6);
1232 for (i = 0; i < (mt->prefix_len / 8); i++)
1233 mask[14 + 14 + i] = 0xff;
1234 if (mt->prefix_len % 8)
1235 mask[14 + 14 + (mt->prefix_len / 8)] = 0xff - ((1 << (8 - mt->prefix_len % 8)) - 1);
1237 mask_len = ((14 + 14 + ((mt->prefix_len+7) / 8) +
1238 (sizeof (u32x4)-1))/sizeof(u32x4)) * sizeof (u32x4);
1239 acl_classify_add_del_table_small (cm, mask, mask_len, last_table,
1240 (~0 == last_table) ? 0 : ~0, &mt->arp_table_index,
1242 last_table = mt->arp_table_index;
1245 /* Now add IP[46] tables */
1246 vec_foreach (mt, mvec)
1249 int is6 = mt->is_ipv6;
1250 int l3_src_offs = get_l3_src_offset(is6);
1252 u32 *last_tag_table;
1255 * create chained tables for VLAN (no-tags, dot1q and dot1ad) packets
1258 for (tags = 2; tags >= 0; tags--)
1260 memset (mask, 0, sizeof (mask));
1261 memcpy (&mask[6], mt->mac_mask, 6);
1266 memset (&mask[12], 0xff, 2); /* ethernet protocol */
1267 last_tag_table = &mt->table_index;
1270 memset (&mask[12], 0xff, 2); /* VLAN tag1 */
1271 memset (&mask[16], 0xff, 2); /* ethernet protocol */
1272 last_tag_table = &mt->dot1q_table_index;
1275 memset (&mask[12], 0xff, 2); /* VLAN tag1 */
1276 memset (&mask[16], 0xff, 2); /* VLAN tag2 */
1277 memset (&mask[20], 0xff, 2); /* ethernet protocol */
1278 last_tag_table = &mt->dot1ad_table_index;
1281 for (i = 0; i < (mt->prefix_len / 8); i++)
1283 mask[l3_src_offs + i] = 0xff;
1285 if (mt->prefix_len % 8)
1287 mask[l3_src_offs + (mt->prefix_len / 8)] =
1288 0xff - ((1 << (8 - mt->prefix_len % 8)) - 1);
1291 * Round-up the number of bytes needed to store the prefix,
1292 * and round up the number of vectors too
1294 mask_len = ((l3_src_offs + ((mt->prefix_len+7) / 8) +
1295 (sizeof (u32x4)-1))/sizeof(u32x4)) * sizeof (u32x4);
1296 acl_classify_add_del_table_small (cm, mask, mask_len, last_table,
1297 (~0 == last_table) ? 0 : ~0, last_tag_table,
1299 last_table = *last_tag_table;
1301 memset (&mask[12], 0, sizeof (mask)-12);
1305 a->ip4_table_index = last_table;
1306 a->ip6_table_index = last_table;
1307 a->l2_table_index = last_table;
1309 /* Populate the classifier tables with rules from the MACIP ACL */
1310 for (i = 0; i < a->count; i++)
1314 int is6 = a->rules[i].is_ipv6;
1315 int l3_src_offs = get_l3_src_offset(is6);
1320 macip_find_match_type (mvec, a->rules[i].src_mac_mask,
1321 a->rules[i].src_prefixlen,
1322 a->rules[i].is_ipv6);
1323 ASSERT(match_type_index != ~0);
1326 for (tags = 2; tags >= 0; tags--)
1328 memset (mask, 0, sizeof (mask));
1329 memcpy (&mask[6], a->rules[i].src_mac, 6);
1334 tag_table = mvec[match_type_index].table_index;
1338 tag_table = mvec[match_type_index].dot1q_table_index;
1344 tag_table = mvec[match_type_index].dot1ad_table_index;
1354 memcpy (&mask[l3_src_offs], &a->rules[i].src_ip_addr.ip6, 16);
1360 memcpy (&mask[l3_src_offs], &a->rules[i].src_ip_addr.ip4, 4);
1365 /* add session to table mvec[match_type_index].table_index; */
1366 vnet_classify_add_del_session (cm, tag_table,
1367 mask, a->rules[i].is_permit ? ~0 : 0, i,
1368 0, action, metadata, 1);
1369 memset (&mask[12], 0, sizeof (mask)-12);
1373 /* add ARP table entry too */
1374 if (!is6 && (mvec[match_type_index].arp_table_index != ~0))
1376 memset (mask, 0, sizeof (mask));
1377 memcpy (&mask[6], a->rules[i].src_mac, 6);
1380 memcpy (&mask[14 + 8], a->rules[i].src_mac, 6);
1381 memcpy (&mask[14 + 14], &a->rules[i].src_ip_addr.ip4, 4);
1382 vnet_classify_add_del_session (cm, mvec[match_type_index].arp_table_index,
1383 mask, a->rules[i].is_permit ? ~0 : 0, i,
1384 0, action, metadata, 1);
1391 macip_destroy_classify_tables (acl_main_t * am, u32 macip_acl_index)
1393 vnet_classify_main_t *cm = &vnet_classify_main;
1394 macip_acl_list_t *a = pool_elt_at_index (am->macip_acls, macip_acl_index);
1396 if (a->ip4_table_index != ~0)
1398 acl_classify_add_del_table_small (cm, 0, ~0, ~0, ~0, &a->ip4_table_index, 0);
1399 a->ip4_table_index = ~0;
1401 if (a->ip6_table_index != ~0)
1403 acl_classify_add_del_table_small (cm, 0, ~0, ~0, ~0, &a->ip6_table_index, 0);
1404 a->ip6_table_index = ~0;
1406 if (a->l2_table_index != ~0)
1408 acl_classify_add_del_table_small (cm, 0, ~0, ~0, ~0, &a->l2_table_index, 0);
1409 a->l2_table_index = ~0;
1414 macip_acl_add_list (u32 count, vl_api_macip_acl_rule_t rules[],
1415 u32 * acl_list_index, u8 * tag)
1417 acl_main_t *am = &acl_main;
1418 macip_acl_list_t *a;
1419 macip_acl_rule_t *r;
1420 macip_acl_rule_t *acl_new_rules = 0;
1423 if (*acl_list_index != ~0)
1425 /* They supplied some number, let's see if this MACIP ACL exists */
1426 if (pool_is_free_index (am->macip_acls, *acl_list_index))
1428 /* tried to replace a non-existent ACL, no point doing anything */
1429 clib_warning("acl-plugin-error: Trying to replace nonexistent MACIP ACL %d (tag %s)", *acl_list_index, tag);
1435 clib_warning("acl-plugin-warning: Trying to create empty MACIP ACL (tag %s)", tag);
1437 void *oldheap = acl_set_heap(am);
1438 /* Create and populate the rules */
1440 vec_validate(acl_new_rules, count-1);
1442 for (i = 0; i < count; i++)
1444 r = &acl_new_rules[i];
1445 r->is_permit = rules[i].is_permit;
1446 r->is_ipv6 = rules[i].is_ipv6;
1447 memcpy (&r->src_mac, rules[i].src_mac, 6);
1448 memcpy (&r->src_mac_mask, rules[i].src_mac_mask, 6);
1449 if(rules[i].is_ipv6)
1450 memcpy (&r->src_ip_addr.ip6, rules[i].src_ip_addr, 16);
1452 memcpy (&r->src_ip_addr.ip4, rules[i].src_ip_addr, 4);
1453 r->src_prefixlen = rules[i].src_ip_prefix_len;
1456 if (~0 == *acl_list_index)
1459 pool_get_aligned (am->macip_acls, a, CLIB_CACHE_LINE_BYTES);
1460 memset (a, 0, sizeof (*a));
1461 /* Will return the newly allocated ACL index */
1462 *acl_list_index = a - am->macip_acls;
1466 a = pool_elt_at_index (am->macip_acls, *acl_list_index);
1469 vec_free (a->rules);
1471 macip_destroy_classify_tables (am, *acl_list_index);
1474 a->rules = acl_new_rules;
1476 memcpy (a->tag, tag, sizeof (a->tag));
1478 /* Create and populate the classifer tables */
1479 macip_create_classify_tables (am, *acl_list_index);
1480 clib_mem_set_heap (oldheap);
1485 /* No check for validity of sw_if_index - the callers were supposed to validate */
1488 macip_acl_interface_del_acl (acl_main_t * am, u32 sw_if_index)
1491 u32 macip_acl_index;
1492 macip_acl_list_t *a;
1493 void *oldheap = acl_set_heap(am);
1494 vec_validate_init_empty (am->macip_acl_by_sw_if_index, sw_if_index, ~0);
1495 clib_mem_set_heap (oldheap);
1496 macip_acl_index = am->macip_acl_by_sw_if_index[sw_if_index];
1497 /* No point in deleting MACIP ACL which is not applied */
1498 if (~0 == macip_acl_index)
1500 a = pool_elt_at_index (am->macip_acls, macip_acl_index);
1501 /* remove the classifier tables off the interface L2 ACL */
1503 vnet_set_input_acl_intfc (am->vlib_main, sw_if_index, a->ip4_table_index,
1504 a->ip6_table_index, a->l2_table_index, 0);
1505 /* Unset the MACIP ACL index */
1506 am->macip_acl_by_sw_if_index[sw_if_index] = ~0;
1510 /* No check for validity of sw_if_index - the callers were supposed to validate */
1513 macip_acl_interface_add_acl (acl_main_t * am, u32 sw_if_index,
1514 u32 macip_acl_index)
1516 macip_acl_list_t *a;
1518 if (pool_is_free_index (am->macip_acls, macip_acl_index))
1522 void *oldheap = acl_set_heap(am);
1523 a = pool_elt_at_index (am->macip_acls, macip_acl_index);
1524 vec_validate_init_empty (am->macip_acl_by_sw_if_index, sw_if_index, ~0);
1525 clib_mem_set_heap (oldheap);
1526 /* If there already a MACIP ACL applied, unapply it */
1527 if (~0 != am->macip_acl_by_sw_if_index[sw_if_index])
1528 macip_acl_interface_del_acl(am, sw_if_index);
1529 am->macip_acl_by_sw_if_index[sw_if_index] = macip_acl_index;
1531 /* Apply the classifier tables for L2 ACLs */
1533 vnet_set_input_acl_intfc (am->vlib_main, sw_if_index, a->ip4_table_index,
1534 a->ip6_table_index, a->l2_table_index, 1);
1539 macip_acl_del_list (u32 acl_list_index)
1541 acl_main_t *am = &acl_main;
1542 macip_acl_list_t *a;
1544 if (pool_is_free_index (am->macip_acls, acl_list_index))
1549 /* delete any references to the ACL */
1550 for (i = 0; i < vec_len (am->macip_acl_by_sw_if_index); i++)
1552 if (am->macip_acl_by_sw_if_index[i] == acl_list_index)
1554 macip_acl_interface_del_acl (am, i);
1558 void *oldheap = acl_set_heap(am);
1559 /* Now that classifier tables are detached, clean them up */
1560 macip_destroy_classify_tables (am, acl_list_index);
1562 /* now we can delete the ACL itself */
1563 a = pool_elt_at_index (am->macip_acls, acl_list_index);
1566 vec_free (a->rules);
1568 pool_put (am->macip_acls, a);
1569 clib_mem_set_heap (oldheap);
1575 macip_acl_interface_add_del_acl (u32 sw_if_index, u8 is_add,
1578 acl_main_t *am = &acl_main;
1582 rv = macip_acl_interface_add_acl (am, sw_if_index, acl_list_index);
1586 rv = macip_acl_interface_del_acl (am, sw_if_index);
1592 * If the client does not allocate enough memory for a variable-length
1593 * message, and then proceed to use it as if the full memory allocated,
1594 * absent the check we happily consume that on the VPP side, and go
1595 * along as if nothing happened. However, the resulting
1596 * effects range from just garbage in the API decode
1597 * (because the decoder snoops too far), to potential memory
1600 * This verifies that the actual length of the message is
1601 * at least expected_len, and complains loudly if it is not.
1603 * A failing check here is 100% a software bug on the API user side,
1604 * so we might as well yell.
1607 static int verify_message_len(void *mp, u32 expected_len, char *where)
1609 u32 supplied_len = vl_msg_api_get_msg_length (mp);
1610 if (supplied_len < expected_len) {
1611 clib_warning("%s: Supplied message length %d is less than expected %d",
1612 where, supplied_len, expected_len);
1619 /* API message handler */
1621 vl_api_acl_add_replace_t_handler (vl_api_acl_add_replace_t * mp)
1623 vl_api_acl_add_replace_reply_t *rmp;
1624 acl_main_t *am = &acl_main;
1626 u32 acl_list_index = ntohl (mp->acl_index);
1627 u32 acl_count = ntohl (mp->count);
1628 u32 expected_len = sizeof(*mp) + acl_count*sizeof(mp->r[0]);
1630 if (verify_message_len(mp, expected_len, "acl_add_replace")) {
1631 rv = acl_add_list (acl_count, mp->r, &acl_list_index, mp->tag);
1633 rv = VNET_API_ERROR_INVALID_VALUE;
1637 REPLY_MACRO2(VL_API_ACL_ADD_REPLACE_REPLY,
1639 rmp->acl_index = htonl(acl_list_index);
1645 vl_api_acl_del_t_handler (vl_api_acl_del_t * mp)
1647 acl_main_t *am = &acl_main;
1648 vl_api_acl_del_reply_t *rmp;
1651 rv = acl_del_list (ntohl (mp->acl_index));
1653 REPLY_MACRO (VL_API_ACL_DEL_REPLY);
1657 vl_api_acl_interface_add_del_t_handler (vl_api_acl_interface_add_del_t * mp)
1659 acl_main_t *am = &acl_main;
1660 vnet_interface_main_t *im = &am->vnet_main->interface_main;
1661 u32 sw_if_index = ntohl (mp->sw_if_index);
1662 vl_api_acl_interface_add_del_reply_t *rmp;
1665 if (pool_is_free_index(im->sw_interfaces, sw_if_index))
1666 rv = VNET_API_ERROR_INVALID_SW_IF_INDEX;
1669 acl_interface_add_del_inout_acl (sw_if_index, mp->is_add,
1670 mp->is_input, ntohl (mp->acl_index));
1672 REPLY_MACRO (VL_API_ACL_INTERFACE_ADD_DEL_REPLY);
1676 vl_api_acl_interface_set_acl_list_t_handler
1677 (vl_api_acl_interface_set_acl_list_t * mp)
1679 acl_main_t *am = &acl_main;
1680 vl_api_acl_interface_set_acl_list_reply_t *rmp;
1683 vnet_interface_main_t *im = &am->vnet_main->interface_main;
1684 u32 sw_if_index = ntohl (mp->sw_if_index);
1686 if (pool_is_free_index(im->sw_interfaces, sw_if_index))
1687 rv = VNET_API_ERROR_INVALID_SW_IF_INDEX;
1690 acl_interface_reset_inout_acls (sw_if_index, 0);
1691 acl_interface_reset_inout_acls (sw_if_index, 1);
1693 for (i = 0; i < mp->count; i++)
1695 if(acl_is_not_defined(am, ntohl (mp->acls[i]))) {
1696 /* ACL does not exist, so we can not apply it */
1701 for (i = 0; i < mp->count; i++)
1703 acl_interface_add_del_inout_acl (sw_if_index, 1, (i < mp->n_input),
1704 ntohl (mp->acls[i]));
1709 REPLY_MACRO (VL_API_ACL_INTERFACE_SET_ACL_LIST_REPLY);
1713 copy_acl_rule_to_api_rule (vl_api_acl_rule_t * api_rule, acl_rule_t * r)
1715 api_rule->is_permit = r->is_permit;
1716 api_rule->is_ipv6 = r->is_ipv6;
1719 memcpy (api_rule->src_ip_addr, &r->src, sizeof (r->src));
1720 memcpy (api_rule->dst_ip_addr, &r->dst, sizeof (r->dst));
1724 memcpy (api_rule->src_ip_addr, &r->src.ip4, sizeof (r->src.ip4));
1725 memcpy (api_rule->dst_ip_addr, &r->dst.ip4, sizeof (r->dst.ip4));
1727 api_rule->src_ip_prefix_len = r->src_prefixlen;
1728 api_rule->dst_ip_prefix_len = r->dst_prefixlen;
1729 api_rule->proto = r->proto;
1730 api_rule->srcport_or_icmptype_first = htons (r->src_port_or_type_first);
1731 api_rule->srcport_or_icmptype_last = htons (r->src_port_or_type_last);
1732 api_rule->dstport_or_icmpcode_first = htons (r->dst_port_or_code_first);
1733 api_rule->dstport_or_icmpcode_last = htons (r->dst_port_or_code_last);
1734 api_rule->tcp_flags_mask = r->tcp_flags_mask;
1735 api_rule->tcp_flags_value = r->tcp_flags_value;
1739 send_acl_details (acl_main_t * am, unix_shared_memory_queue_t * q,
1740 acl_list_t * acl, u32 context)
1742 vl_api_acl_details_t *mp;
1743 vl_api_acl_rule_t *rules;
1745 int msg_size = sizeof (*mp) + sizeof (mp->r[0]) * acl->count;
1746 void *oldheap = acl_set_heap(am);
1748 mp = vl_msg_api_alloc (msg_size);
1749 memset (mp, 0, msg_size);
1750 mp->_vl_msg_id = ntohs (VL_API_ACL_DETAILS + am->msg_id_base);
1752 /* fill in the message */
1753 mp->context = context;
1754 mp->count = htonl (acl->count);
1755 mp->acl_index = htonl (acl - am->acls);
1756 memcpy (mp->tag, acl->tag, sizeof (mp->tag));
1757 // clib_memcpy (mp->r, acl->rules, acl->count * sizeof(acl->rules[0]));
1759 for (i = 0; i < acl->count; i++)
1761 copy_acl_rule_to_api_rule (&rules[i], &acl->rules[i]);
1764 clib_mem_set_heap (oldheap);
1765 vl_msg_api_send_shmem (q, (u8 *) & mp);
1770 vl_api_acl_dump_t_handler (vl_api_acl_dump_t * mp)
1772 acl_main_t *am = &acl_main;
1777 unix_shared_memory_queue_t *q;
1779 q = vl_api_client_index_to_input_queue (mp->client_index);
1785 if (mp->acl_index == ~0)
1788 /* Just dump all ACLs */
1789 pool_foreach (acl, am->acls,
1791 send_acl_details(am, q, acl, mp->context);
1797 acl_index = ntohl (mp->acl_index);
1798 if (!pool_is_free_index (am->acls, acl_index))
1800 acl = pool_elt_at_index (am->acls, acl_index);
1801 send_acl_details (am, q, acl, mp->context);
1807 /* FIXME API: should we signal an error here at all ? */
1813 send_acl_interface_list_details (acl_main_t * am,
1814 unix_shared_memory_queue_t * q,
1815 u32 sw_if_index, u32 context)
1817 vl_api_acl_interface_list_details_t *mp;
1823 void *oldheap = acl_set_heap(am);
1825 vec_validate (am->input_acl_vec_by_sw_if_index, sw_if_index);
1826 vec_validate (am->output_acl_vec_by_sw_if_index, sw_if_index);
1828 n_input = vec_len (am->input_acl_vec_by_sw_if_index[sw_if_index]);
1829 n_output = vec_len (am->output_acl_vec_by_sw_if_index[sw_if_index]);
1830 count = n_input + n_output;
1832 msg_size = sizeof (*mp);
1833 msg_size += sizeof (mp->acls[0]) * count;
1835 mp = vl_msg_api_alloc (msg_size);
1836 memset (mp, 0, msg_size);
1838 ntohs (VL_API_ACL_INTERFACE_LIST_DETAILS + am->msg_id_base);
1840 /* fill in the message */
1841 mp->context = context;
1842 mp->sw_if_index = htonl (sw_if_index);
1844 mp->n_input = n_input;
1845 for (i = 0; i < n_input; i++)
1847 mp->acls[i] = htonl (am->input_acl_vec_by_sw_if_index[sw_if_index][i]);
1849 for (i = 0; i < n_output; i++)
1851 mp->acls[n_input + i] =
1852 htonl (am->output_acl_vec_by_sw_if_index[sw_if_index][i]);
1854 clib_mem_set_heap (oldheap);
1855 vl_msg_api_send_shmem (q, (u8 *) & mp);
1859 vl_api_acl_interface_list_dump_t_handler (vl_api_acl_interface_list_dump_t *
1862 acl_main_t *am = &acl_main;
1863 vnet_sw_interface_t *swif;
1864 vnet_interface_main_t *im = &am->vnet_main->interface_main;
1867 unix_shared_memory_queue_t *q;
1869 q = vl_api_client_index_to_input_queue (mp->client_index);
1875 if (mp->sw_if_index == ~0)
1878 pool_foreach (swif, im->sw_interfaces,
1880 send_acl_interface_list_details(am, q, swif->sw_if_index, mp->context);
1886 sw_if_index = ntohl (mp->sw_if_index);
1887 if (!pool_is_free_index(im->sw_interfaces, sw_if_index))
1888 send_acl_interface_list_details (am, q, sw_if_index, mp->context);
1892 /* MACIP ACL API handlers */
1895 vl_api_macip_acl_add_t_handler (vl_api_macip_acl_add_t * mp)
1897 vl_api_macip_acl_add_reply_t *rmp;
1898 acl_main_t *am = &acl_main;
1900 u32 acl_list_index = ~0;
1901 u32 acl_count = ntohl (mp->count);
1902 u32 expected_len = sizeof(*mp) + acl_count*sizeof(mp->r[0]);
1904 if (verify_message_len(mp, expected_len, "macip_acl_add")) {
1905 rv = macip_acl_add_list (acl_count, mp->r, &acl_list_index, mp->tag);
1907 rv = VNET_API_ERROR_INVALID_VALUE;
1911 REPLY_MACRO2(VL_API_MACIP_ACL_ADD_REPLY,
1913 rmp->acl_index = htonl(acl_list_index);
1919 vl_api_macip_acl_add_replace_t_handler (vl_api_macip_acl_add_replace_t * mp)
1921 vl_api_macip_acl_add_replace_reply_t *rmp;
1922 acl_main_t *am = &acl_main;
1924 u32 acl_list_index = ntohl (mp->acl_index);
1925 u32 acl_count = ntohl (mp->count);
1926 u32 expected_len = sizeof(*mp) + acl_count*sizeof(mp->r[0]);
1928 if (verify_message_len(mp, expected_len, "macip_acl_add_replace")) {
1929 rv = macip_acl_add_list (acl_count, mp->r, &acl_list_index, mp->tag);
1931 rv = VNET_API_ERROR_INVALID_VALUE;
1935 REPLY_MACRO2(VL_API_MACIP_ACL_ADD_REPLACE_REPLY,
1937 rmp->acl_index = htonl(acl_list_index);
1943 vl_api_macip_acl_del_t_handler (vl_api_macip_acl_del_t * mp)
1945 acl_main_t *am = &acl_main;
1946 vl_api_macip_acl_del_reply_t *rmp;
1949 rv = macip_acl_del_list (ntohl (mp->acl_index));
1951 REPLY_MACRO (VL_API_MACIP_ACL_DEL_REPLY);
1955 vl_api_macip_acl_interface_add_del_t_handler
1956 (vl_api_macip_acl_interface_add_del_t * mp)
1958 acl_main_t *am = &acl_main;
1959 vl_api_macip_acl_interface_add_del_reply_t *rmp;
1961 vnet_interface_main_t *im = &am->vnet_main->interface_main;
1962 u32 sw_if_index = ntohl (mp->sw_if_index);
1964 if (pool_is_free_index(im->sw_interfaces, sw_if_index))
1965 rv = VNET_API_ERROR_INVALID_SW_IF_INDEX;
1968 macip_acl_interface_add_del_acl (ntohl (mp->sw_if_index), mp->is_add,
1969 ntohl (mp->acl_index));
1971 REPLY_MACRO (VL_API_MACIP_ACL_INTERFACE_ADD_DEL_REPLY);
1975 send_macip_acl_details (acl_main_t * am, unix_shared_memory_queue_t * q,
1976 macip_acl_list_t * acl, u32 context)
1978 vl_api_macip_acl_details_t *mp;
1979 vl_api_macip_acl_rule_t *rules;
1980 macip_acl_rule_t *r;
1982 int msg_size = sizeof (*mp) + (acl ? sizeof (mp->r[0]) * acl->count : 0);
1984 mp = vl_msg_api_alloc (msg_size);
1985 memset (mp, 0, msg_size);
1986 mp->_vl_msg_id = ntohs (VL_API_MACIP_ACL_DETAILS + am->msg_id_base);
1988 /* fill in the message */
1989 mp->context = context;
1992 memcpy (mp->tag, acl->tag, sizeof (mp->tag));
1993 mp->count = htonl (acl->count);
1994 mp->acl_index = htonl (acl - am->macip_acls);
1996 for (i = 0; i < acl->count; i++)
1999 rules[i].is_permit = r->is_permit;
2000 rules[i].is_ipv6 = r->is_ipv6;
2001 memcpy (rules[i].src_mac, &r->src_mac, sizeof (r->src_mac));
2002 memcpy (rules[i].src_mac_mask, &r->src_mac_mask,
2003 sizeof (r->src_mac_mask));
2005 memcpy (rules[i].src_ip_addr, &r->src_ip_addr.ip6,
2006 sizeof (r->src_ip_addr.ip6));
2008 memcpy (rules[i].src_ip_addr, &r->src_ip_addr.ip4,
2009 sizeof (r->src_ip_addr.ip4));
2010 rules[i].src_ip_prefix_len = r->src_prefixlen;
2015 /* No martini, no party - no ACL applied to this interface. */
2020 vl_msg_api_send_shmem (q, (u8 *) & mp);
2025 vl_api_macip_acl_dump_t_handler (vl_api_macip_acl_dump_t * mp)
2027 acl_main_t *am = &acl_main;
2028 macip_acl_list_t *acl;
2030 unix_shared_memory_queue_t *q;
2032 q = vl_api_client_index_to_input_queue (mp->client_index);
2038 if (mp->acl_index == ~0)
2040 /* Just dump all ACLs for now, with sw_if_index = ~0 */
2041 pool_foreach (acl, am->macip_acls, (
2043 send_macip_acl_details (am, q, acl,
2051 u32 acl_index = ntohl (mp->acl_index);
2052 if (!pool_is_free_index (am->macip_acls, acl_index))
2054 acl = pool_elt_at_index (am->macip_acls, acl_index);
2055 send_macip_acl_details (am, q, acl, mp->context);
2061 vl_api_macip_acl_interface_get_t_handler (vl_api_macip_acl_interface_get_t *
2064 acl_main_t *am = &acl_main;
2065 vl_api_macip_acl_interface_get_reply_t *rmp;
2066 u32 count = vec_len (am->macip_acl_by_sw_if_index);
2067 int msg_size = sizeof (*rmp) + sizeof (rmp->acls[0]) * count;
2068 unix_shared_memory_queue_t *q;
2071 q = vl_api_client_index_to_input_queue (mp->client_index);
2077 rmp = vl_msg_api_alloc (msg_size);
2078 memset (rmp, 0, msg_size);
2080 ntohs (VL_API_MACIP_ACL_INTERFACE_GET_REPLY + am->msg_id_base);
2081 rmp->context = mp->context;
2082 rmp->count = htonl (count);
2083 for (i = 0; i < count; i++)
2085 rmp->acls[i] = htonl (am->macip_acl_by_sw_if_index[i]);
2088 vl_msg_api_send_shmem (q, (u8 *) & rmp);
2092 send_macip_acl_interface_list_details (acl_main_t * am,
2093 unix_shared_memory_queue_t * q,
2098 vl_api_macip_acl_interface_list_details_t *rmp;
2099 /* at this time there is only ever 1 mac ip acl per interface */
2100 int msg_size = sizeof (*rmp) + sizeof (rmp->acls[0]);
2102 rmp = vl_msg_api_alloc (msg_size);
2103 memset (rmp, 0, msg_size);
2104 rmp->_vl_msg_id = ntohs (VL_API_MACIP_ACL_INTERFACE_LIST_DETAILS + am->msg_id_base);
2106 /* fill in the message */
2107 rmp->context = context;
2109 rmp->sw_if_index = htonl (sw_if_index);
2110 rmp->acls[0] = htonl (acl_index);
2112 vl_msg_api_send_shmem (q, (u8 *) & rmp);
2116 vl_api_macip_acl_interface_list_dump_t_handler (vl_api_macip_acl_interface_list_dump_t *mp)
2118 unix_shared_memory_queue_t *q;
2119 acl_main_t *am = &acl_main;
2120 u32 sw_if_index = ntohl (mp->sw_if_index);
2122 q = vl_api_client_index_to_input_queue (mp->client_index);
2128 if (sw_if_index == ~0)
2130 vec_foreach_index(sw_if_index, am->macip_acl_by_sw_if_index)
2132 if (~0 != am->macip_acl_by_sw_if_index[sw_if_index])
2134 send_macip_acl_interface_list_details(am, q, sw_if_index,
2135 am->macip_acl_by_sw_if_index[sw_if_index],
2142 if (vec_len(am->macip_acl_by_sw_if_index) > sw_if_index)
2144 send_macip_acl_interface_list_details(am, q, sw_if_index,
2145 am->macip_acl_by_sw_if_index[sw_if_index],
2151 /* Set up the API message handling tables */
2152 static clib_error_t *
2153 acl_plugin_api_hookup (vlib_main_t * vm)
2155 acl_main_t *am = &acl_main;
2157 vl_msg_api_set_handlers((VL_API_##N + am->msg_id_base), \
2159 vl_api_##n##_t_handler, \
2161 vl_api_##n##_t_endian, \
2162 vl_api_##n##_t_print, \
2163 sizeof(vl_api_##n##_t), 1);
2164 foreach_acl_plugin_api_msg;
2170 #define vl_msg_name_crc_list
2171 #include <acl/acl_all_api_h.h>
2172 #undef vl_msg_name_crc_list
2175 setup_message_id_table (acl_main_t * am, api_main_t * apim)
2177 #define _(id,n,crc) \
2178 vl_msg_api_add_msg_name_crc (apim, #n "_" #crc, id + am->msg_id_base);
2179 foreach_vl_msg_name_crc_acl;
2184 acl_setup_fa_nodes (void)
2186 vlib_main_t *vm = vlib_get_main ();
2187 acl_main_t *am = &acl_main;
2188 vlib_node_t *n, *n4, *n6;
2190 n = vlib_get_node_by_name (vm, (u8 *) "l2-input-classify");
2191 n4 = vlib_get_node_by_name (vm, (u8 *) "acl-plugin-in-ip4-l2");
2192 n6 = vlib_get_node_by_name (vm, (u8 *) "acl-plugin-in-ip6-l2");
2195 am->l2_input_classify_next_acl_ip4 =
2196 vlib_node_add_next_with_slot (vm, n->index, n4->index, ~0);
2197 am->l2_input_classify_next_acl_ip6 =
2198 vlib_node_add_next_with_slot (vm, n->index, n6->index, ~0);
2200 feat_bitmap_init_next_nodes (vm, n4->index, L2INPUT_N_FEAT,
2201 l2input_get_feat_names (),
2202 am->fa_acl_in_ip4_l2_node_feat_next_node_index);
2204 feat_bitmap_init_next_nodes (vm, n6->index, L2INPUT_N_FEAT,
2205 l2input_get_feat_names (),
2206 am->fa_acl_in_ip6_l2_node_feat_next_node_index);
2209 n = vlib_get_node_by_name (vm, (u8 *) "l2-output-classify");
2210 n4 = vlib_get_node_by_name (vm, (u8 *) "acl-plugin-out-ip4-l2");
2211 n6 = vlib_get_node_by_name (vm, (u8 *) "acl-plugin-out-ip6-l2");
2213 am->l2_output_classify_next_acl_ip4 =
2214 vlib_node_add_next_with_slot (vm, n->index, n4->index, ~0);
2215 am->l2_output_classify_next_acl_ip6 =
2216 vlib_node_add_next_with_slot (vm, n->index, n6->index, ~0);
2218 feat_bitmap_init_next_nodes (vm, n4->index, L2OUTPUT_N_FEAT,
2219 l2output_get_feat_names (),
2220 am->fa_acl_out_ip4_l2_node_feat_next_node_index);
2222 feat_bitmap_init_next_nodes (vm, n6->index, L2OUTPUT_N_FEAT,
2223 l2output_get_feat_names (),
2224 am->fa_acl_out_ip6_l2_node_feat_next_node_index);
2228 acl_set_timeout_sec(int timeout_type, u32 value)
2230 acl_main_t *am = &acl_main;
2231 clib_time_t *ct = &am->vlib_main->clib_time;
2233 if (timeout_type < ACL_N_TIMEOUTS) {
2234 am->session_timeout_sec[timeout_type] = value;
2236 clib_warning("Unknown timeout type %d", timeout_type);
2239 am->session_timeout[timeout_type] = (u64)(((f64)value)/ct->seconds_per_clock);
2243 acl_set_session_max_entries(u32 value)
2245 acl_main_t *am = &acl_main;
2246 am->fa_conn_table_max_entries = value;
2250 acl_set_skip_ipv6_eh(u32 eh, u32 value)
2252 acl_main_t *am = &acl_main;
2254 if ((eh < 256) && (value < 2))
2256 am->fa_ipv6_known_eh_bitmap = clib_bitmap_set(am->fa_ipv6_known_eh_bitmap, eh, value);
2264 static clib_error_t *
2265 acl_sw_interface_add_del (vnet_main_t * vnm, u32 sw_if_index, u32 is_add)
2267 acl_main_t *am = &acl_main;
2268 if (0 == am->acl_mheap) {
2269 /* ACL heap is not initialized, so definitely nothing to do. */
2273 vlib_process_signal_event (am->vlib_main, am->fa_cleaner_node_index,
2274 ACL_FA_CLEANER_DELETE_BY_SW_IF_INDEX, sw_if_index);
2275 /* also unapply any ACLs in case the users did not do so. */
2276 macip_acl_interface_del_acl(am, sw_if_index);
2277 acl_interface_reset_inout_acls (sw_if_index, 0);
2278 acl_interface_reset_inout_acls (sw_if_index, 1);
2283 VNET_SW_INTERFACE_ADD_DEL_FUNCTION (acl_sw_interface_add_del);
2287 static clib_error_t *
2288 acl_set_aclplugin_fn (vlib_main_t * vm,
2289 unformat_input_t * input,
2290 vlib_cli_command_t * cmd)
2292 clib_error_t *error = 0;
2296 uword memory_size = 0;
2297 acl_main_t *am = &acl_main;
2299 if (unformat (input, "skip-ipv6-extension-header %u %u", &eh_val, &val)) {
2300 if(!acl_set_skip_ipv6_eh(eh_val, val)) {
2301 error = clib_error_return(0, "expecting eh=0..255, value=0..1");
2305 if (unformat (input, "use-hash-acl-matching %u", &val))
2307 am->use_hash_acl_matching = (val !=0);
2310 if (unformat (input, "l4-match-nonfirst-fragment %u", &val))
2312 am->l4_match_nonfirst_fragment = (val != 0);
2315 if (unformat (input, "heap"))
2317 if (unformat(input, "main"))
2319 if (unformat(input, "validate %u", &val))
2320 acl_plugin_acl_set_validate_heap(am, val);
2321 else if (unformat(input, "trace %u", &val))
2322 acl_plugin_acl_set_trace_heap(am, val);
2325 else if (unformat(input, "hash"))
2327 if (unformat(input, "validate %u", &val))
2328 acl_plugin_hash_acl_set_validate_heap(am, val);
2329 else if (unformat(input, "trace %u", &val))
2330 acl_plugin_hash_acl_set_trace_heap(am, val);
2335 if (unformat (input, "session")) {
2336 if (unformat (input, "table")) {
2337 /* The commands here are for tuning/testing. No user-serviceable parts inside */
2338 if (unformat (input, "max-entries")) {
2339 if (!unformat(input, "%u", &val)) {
2340 error = clib_error_return(0,
2341 "expecting maximum number of entries, got `%U`",
2342 format_unformat_error, input);
2345 acl_set_session_max_entries(val);
2349 if (unformat (input, "hash-table-buckets")) {
2350 if (!unformat(input, "%u", &val)) {
2351 error = clib_error_return(0,
2352 "expecting maximum number of hash table buckets, got `%U`",
2353 format_unformat_error, input);
2356 am->fa_conn_table_hash_num_buckets = val;
2360 if (unformat (input, "hash-table-memory")) {
2361 if (!unformat(input, "%U", unformat_memory_size, &memory_size)) {
2362 error = clib_error_return(0,
2363 "expecting maximum amount of hash table memory, got `%U`",
2364 format_unformat_error, input);
2367 am->fa_conn_table_hash_memory_size = memory_size;
2373 if (unformat (input, "timeout")) {
2374 if (unformat(input, "udp")) {
2375 if(unformat(input, "idle")) {
2376 if (!unformat(input, "%u", &timeout)) {
2377 error = clib_error_return(0,
2378 "expecting timeout value in seconds, got `%U`",
2379 format_unformat_error, input);
2382 acl_set_timeout_sec(ACL_TIMEOUT_UDP_IDLE, timeout);
2387 if (unformat(input, "tcp")) {
2388 if(unformat(input, "idle")) {
2389 if (!unformat(input, "%u", &timeout)) {
2390 error = clib_error_return(0,
2391 "expecting timeout value in seconds, got `%U`",
2392 format_unformat_error, input);
2395 acl_set_timeout_sec(ACL_TIMEOUT_TCP_IDLE, timeout);
2399 if(unformat(input, "transient")) {
2400 if (!unformat(input, "%u", &timeout)) {
2401 error = clib_error_return(0,
2402 "expecting timeout value in seconds, got `%U`",
2403 format_unformat_error, input);
2406 acl_set_timeout_sec(ACL_TIMEOUT_TCP_TRANSIENT, timeout);
2419 my_format_mac_address (u8 * s, va_list * args)
2421 u8 *a = va_arg (*args, u8 *);
2422 return format (s, "%02x:%02x:%02x:%02x:%02x:%02x",
2423 a[0], a[1], a[2], a[3], a[4], a[5]);
2427 my_macip_acl_rule_t_pretty_format (u8 *out, va_list *args)
2429 macip_acl_rule_t *a = va_arg (*args, macip_acl_rule_t *);
2431 out = format(out, "%s action %d ip %U/%d mac %U mask %U",
2432 a->is_ipv6 ? "ipv6" : "ipv4", a->is_permit,
2433 format_ip46_address, &a->src_ip_addr,
2434 a->is_ipv6 ? IP46_TYPE_IP6: IP46_TYPE_IP4,
2436 my_format_mac_address, a->src_mac,
2437 my_format_mac_address, a->src_mac_mask);
2442 macip_acl_print(acl_main_t *am, u32 macip_acl_index)
2444 vlib_main_t * vm = am->vlib_main;
2447 /* Don't try to print someone else's memory */
2448 if (macip_acl_index > vec_len(am->macip_acls))
2451 macip_acl_list_t *a = vec_elt_at_index(am->macip_acls, macip_acl_index);
2452 int free_pool_slot = pool_is_free_index(am->macip_acls, macip_acl_index);
2454 vlib_cli_output(vm, "MACIP acl_index: %d, count: %d (true len %d) tag {%s} is free pool slot: %d\n",
2455 macip_acl_index, a->count, vec_len(a->rules), a->tag, free_pool_slot);
2456 vlib_cli_output(vm, " ip4_table_index %d, ip6_table_index %d, l2_table_index %d\n",
2457 a->ip4_table_index, a->ip6_table_index, a->l2_table_index);
2458 for(i=0; i<vec_len(a->rules); i++)
2459 vlib_cli_output(vm, " rule %d: %U\n", i, my_macip_acl_rule_t_pretty_format,
2460 vec_elt_at_index(a->rules, i));
2464 static clib_error_t *
2465 acl_show_aclplugin_macip_acl_fn (vlib_main_t * vm,
2466 unformat_input_t * input,
2467 vlib_cli_command_t * cmd)
2469 clib_error_t *error = 0;
2470 acl_main_t *am = &acl_main;
2472 for(i=0; i < vec_len(am->macip_acls); i++)
2473 macip_acl_print(am, i);
2477 static clib_error_t *
2478 acl_show_aclplugin_macip_interface_fn (vlib_main_t * vm,
2479 unformat_input_t * input,
2480 vlib_cli_command_t * cmd)
2482 clib_error_t *error = 0;
2483 acl_main_t *am = &acl_main;
2485 for(i=0; i < vec_len(am->macip_acl_by_sw_if_index); i++)
2487 vlib_cli_output(vm, " sw_if_index %d: %d\n", i, vec_elt(am->macip_acl_by_sw_if_index, i));
2492 #define PRINT_AND_RESET(vm, out0) do { vlib_cli_output(vm, "%v", out0); vec_reset_length(out0); } while(0)
2494 void acl_print_acl(vlib_main_t *vm, acl_main_t *am, int acl_index)
2497 u8 *out0 = format(0, "acl-index %u count %u tag {%s}\n", acl_index, am->acls[acl_index].count, am->acls[acl_index].tag);
2499 PRINT_AND_RESET(vm, out0);
2500 for(j=0; j<am->acls[acl_index].count; j++) {
2501 r = &am->acls[acl_index].rules[j];
2502 out0 = format(out0, " %4d: %s ", j, r->is_ipv6 ? "ipv6" : "ipv4");
2503 out0 = format_acl_action(out0, r->is_permit);
2504 out0 = format(out0, " src %U/%d", format_ip46_address, &r->src,
2505 r->is_ipv6 ? IP46_TYPE_IP6: IP46_TYPE_IP4, r->src_prefixlen);
2506 out0 = format(out0, " dst %U/%d", format_ip46_address, &r->dst,
2507 r->is_ipv6 ? IP46_TYPE_IP6: IP46_TYPE_IP4, r->dst_prefixlen);
2508 out0 = format(out0, " proto %d", r->proto);
2509 out0 = format(out0, " sport %d", r->src_port_or_type_first);
2510 if (r->src_port_or_type_first != r->src_port_or_type_last) {
2511 out0 = format(out0, "-%d", r->src_port_or_type_last);
2513 out0 = format(out0, " dport %d", r->dst_port_or_code_first);
2514 if (r->dst_port_or_code_first != r->dst_port_or_code_last) {
2515 out0 = format(out0, "-%d", r->dst_port_or_code_last);
2517 if (r->tcp_flags_mask || r->tcp_flags_value) {
2518 out0 = format(out0, " tcpflags %d mask %d", r->tcp_flags_value, r->tcp_flags_mask);
2520 out0 = format(out0, "\n");
2521 PRINT_AND_RESET(vm, out0);
2524 #undef PRINT_AND_RESET
2527 acl_plugin_show_acl(acl_main_t *am, u32 acl_index)
2530 vlib_main_t *vm = am->vlib_main;
2532 for(i=0; i<vec_len(am->acls); i++) {
2533 if (acl_is_not_defined(am, i)) {
2534 /* don't attempt to show the ACLs that do not exist */
2537 if ((acl_index != ~0) && (acl_index != i)) {
2540 acl_print_acl(vm, am, i);
2542 if (i<vec_len(am->input_sw_if_index_vec_by_acl)) {
2543 vlib_cli_output(vm, " applied inbound on sw_if_index: %U\n", format_vec32, am->input_sw_if_index_vec_by_acl[i], "%d");
2545 if (i<vec_len(am->output_sw_if_index_vec_by_acl)) {
2546 vlib_cli_output(vm, " applied outbound on sw_if_index: %U\n", format_vec32, am->output_sw_if_index_vec_by_acl[i], "%d");
2551 static clib_error_t *
2552 acl_show_aclplugin_acl_fn (vlib_main_t * vm,
2553 unformat_input_t * input,
2554 vlib_cli_command_t * cmd)
2556 clib_error_t *error = 0;
2557 acl_main_t *am = &acl_main;
2560 unformat (input, "index %u", &acl_index);
2562 acl_plugin_show_acl(am, acl_index);
2567 acl_plugin_show_interface(acl_main_t *am, u32 sw_if_index, int show_acl)
2569 vlib_main_t *vm = am->vlib_main;
2572 for(swi = 0; (swi < vec_len(am->input_acl_vec_by_sw_if_index)) ||
2573 (swi < vec_len(am->output_acl_vec_by_sw_if_index)); swi++) {
2574 /* if we need a particular interface, skip all the others */
2575 if ((sw_if_index != ~0) && (sw_if_index != swi))
2578 vlib_cli_output(vm, "sw_if_index %d:\n", swi);
2580 if ((swi < vec_len(am->input_acl_vec_by_sw_if_index)) &&
2581 (vec_len(am->input_acl_vec_by_sw_if_index[swi]) > 0)) {
2582 vlib_cli_output(vm, " input acl(s): %U", format_vec32, am->input_acl_vec_by_sw_if_index[swi], "%d");
2584 vlib_cli_output(vm, "\n");
2585 vec_foreach(pj, am->input_acl_vec_by_sw_if_index[swi]) {
2586 acl_print_acl(vm, am, *pj);
2588 vlib_cli_output(vm, "\n");
2592 if ((swi < vec_len(am->output_acl_vec_by_sw_if_index)) &&
2593 (vec_len(am->output_acl_vec_by_sw_if_index[swi]) > 0)) {
2594 vlib_cli_output(vm, " output acl(s): %U", format_vec32, am->output_acl_vec_by_sw_if_index[swi], "%d");
2596 vlib_cli_output(vm, "\n");
2597 vec_foreach(pj, am->output_acl_vec_by_sw_if_index[swi]) {
2598 acl_print_acl(vm, am, *pj);
2600 vlib_cli_output(vm, "\n");
2607 static clib_error_t *
2608 acl_show_aclplugin_interface_fn (vlib_main_t * vm,
2609 unformat_input_t * input,
2610 vlib_cli_command_t * cmd)
2612 clib_error_t *error = 0;
2613 acl_main_t *am = &acl_main;
2615 u32 sw_if_index = ~0;
2616 unformat (input, "sw_if_index %u", &sw_if_index);
2617 int show_acl = unformat(input, "acl");
2619 acl_plugin_show_interface(am, sw_if_index, show_acl);
2623 static clib_error_t *
2624 acl_show_aclplugin_memory_fn (vlib_main_t * vm,
2625 unformat_input_t * input,
2626 vlib_cli_command_t * cmd)
2628 clib_error_t *error = 0;
2629 acl_main_t *am = &acl_main;
2631 vlib_cli_output (vm, "ACL plugin main heap statistics:\n");
2632 if (am->acl_mheap) {
2633 vlib_cli_output (vm, " %U\n", format_mheap, am->acl_mheap, 1);
2635 vlib_cli_output (vm, " Not initialized\n");
2637 vlib_cli_output (vm, "ACL hash lookup support heap statistics:\n");
2638 if (am->hash_lookup_mheap) {
2639 vlib_cli_output (vm, " %U\n", format_mheap, am->hash_lookup_mheap, 1);
2641 vlib_cli_output (vm, " Not initialized\n");
2647 acl_plugin_show_sessions(acl_main_t *am,
2648 u32 show_session_thread_id, u32 show_session_session_index)
2650 vlib_main_t *vm = am->vlib_main;
2652 vnet_interface_main_t *im = &am->vnet_main->interface_main;
2653 vnet_sw_interface_t *swif;
2656 u64 n_adds = am->fa_session_total_adds;
2657 u64 n_dels = am->fa_session_total_dels;
2658 vlib_cli_output(vm, "Sessions total: add %lu - del %lu = %lu", n_adds, n_dels, n_adds - n_dels);
2660 vlib_cli_output(vm, "\n\nPer-thread data:");
2661 for (wk = 0; wk < vec_len (am->per_worker_data); wk++) {
2662 acl_fa_per_worker_data_t *pw = &am->per_worker_data[wk];
2663 vlib_cli_output(vm, "Thread #%d:", wk);
2664 if (show_session_thread_id == wk && show_session_session_index < pool_len(pw->fa_sessions_pool)) {
2665 vlib_cli_output(vm, " session index %u:", show_session_session_index);
2666 fa_session_t *sess = pw->fa_sessions_pool + show_session_session_index;
2667 u64 *m = (u64 *)&sess->info;
2668 vlib_cli_output(vm, " info: %016llx %016llx %016llx %016llx %016llx %016llx", m[0], m[1], m[2], m[3], m[4], m[5]);
2669 vlib_cli_output(vm, " sw_if_index: %u", sess->sw_if_index);
2670 vlib_cli_output(vm, " tcp_flags_seen: %x", sess->tcp_flags_seen.as_u16);
2671 vlib_cli_output(vm, " last active time: %lu", sess->last_active_time);
2672 vlib_cli_output(vm, " thread index: %u", sess->thread_index);
2673 vlib_cli_output(vm, " link enqueue time: %lu", sess->link_enqueue_time);
2674 vlib_cli_output(vm, " link next index: %u", sess->link_next_idx);
2675 vlib_cli_output(vm, " link prev index: %u", sess->link_prev_idx);
2676 vlib_cli_output(vm, " link list id: %u", sess->link_list_id);
2678 vlib_cli_output(vm, " connection add/del stats:", wk);
2679 pool_foreach (swif, im->sw_interfaces,
2681 u32 sw_if_index = swif->sw_if_index;
2682 u64 n_adds = sw_if_index < vec_len(pw->fa_session_adds_by_sw_if_index) ? pw->fa_session_adds_by_sw_if_index[sw_if_index] : 0;
2683 u64 n_dels = sw_if_index < vec_len(pw->fa_session_dels_by_sw_if_index) ? pw->fa_session_dels_by_sw_if_index[sw_if_index] : 0;
2684 vlib_cli_output(vm, " sw_if_index %d: add %lu - del %lu = %lu", sw_if_index, n_adds, n_dels, n_adds - n_dels);
2687 vlib_cli_output(vm, " connection timeout type lists:", wk);
2689 for(tt = 0; tt < ACL_N_TIMEOUTS; tt++) {
2690 u32 head_session_index = pw->fa_conn_list_head[tt];
2691 vlib_cli_output(vm, " fa_conn_list_head[%d]: %d", tt, head_session_index);
2692 if (~0 != head_session_index) {
2693 fa_session_t *sess = pw->fa_sessions_pool + head_session_index;
2694 vlib_cli_output(vm, " last active time: %lu", sess->last_active_time);
2695 vlib_cli_output(vm, " link enqueue time: %lu", sess->link_enqueue_time);
2699 vlib_cli_output(vm, " Next expiry time: %lu", pw->next_expiry_time);
2700 vlib_cli_output(vm, " Requeue until time: %lu", pw->requeue_until_time);
2701 vlib_cli_output(vm, " Current time wait interval: %lu", pw->current_time_wait_interval);
2702 vlib_cli_output(vm, " Count of deleted sessions: %lu", pw->cnt_deleted_sessions);
2703 vlib_cli_output(vm, " Delete already deleted: %lu", pw->cnt_already_deleted_sessions);
2704 vlib_cli_output(vm, " Session timers restarted: %lu", pw->cnt_session_timer_restarted);
2705 vlib_cli_output(vm, " Swipe until this time: %lu", pw->swipe_end_time);
2706 vlib_cli_output(vm, " sw_if_index serviced bitmap: %U", format_bitmap_hex, pw->serviced_sw_if_index_bitmap);
2707 vlib_cli_output(vm, " pending clear intfc bitmap : %U", format_bitmap_hex, pw->pending_clear_sw_if_index_bitmap);
2708 vlib_cli_output(vm, " clear in progress: %u", pw->clear_in_process);
2709 vlib_cli_output(vm, " interrupt is pending: %d", pw->interrupt_is_pending);
2710 vlib_cli_output(vm, " interrupt is needed: %d", pw->interrupt_is_needed);
2711 vlib_cli_output(vm, " interrupt is unwanted: %d", pw->interrupt_is_unwanted);
2712 vlib_cli_output(vm, " interrupt generation: %d", pw->interrupt_generation);
2714 vlib_cli_output(vm, "\n\nConn cleaner thread counters:");
2715 #define _(cnt, desc) vlib_cli_output(vm, " %20lu: %s", am->cnt, desc);
2716 foreach_fa_cleaner_counter;
2718 vlib_cli_output(vm, "Interrupt generation: %d", am->fa_interrupt_generation);
2719 vlib_cli_output(vm, "Sessions per interval: min %lu max %lu increment: %f ms current: %f ms",
2720 am->fa_min_deleted_sessions_per_interval, am->fa_max_deleted_sessions_per_interval,
2721 am->fa_cleaner_wait_time_increment * 1000.0, ((f64)am->fa_current_cleaner_timer_wait_interval) * 1000.0/(f64)vm->clib_time.clocks_per_second);
2724 static clib_error_t *
2725 acl_show_aclplugin_sessions_fn (vlib_main_t * vm,
2726 unformat_input_t * input,
2727 vlib_cli_command_t * cmd)
2729 clib_error_t *error = 0;
2730 acl_main_t *am = &acl_main;
2732 u32 show_bihash_verbose = 0;
2733 u32 show_session_thread_id = ~0;
2734 u32 show_session_session_index = ~0;
2735 unformat (input, "thread %u index %u", &show_session_thread_id, &show_session_session_index);
2736 unformat (input, "verbose %u", &show_bihash_verbose);
2738 acl_plugin_show_sessions(am, show_session_thread_id, show_session_session_index);
2739 show_fa_sessions_hash(vm, show_bihash_verbose);
2744 acl_plugin_show_tables_mask_type(acl_main_t *am)
2746 vlib_main_t *vm = am->vlib_main;
2747 ace_mask_type_entry_t *mte;
2749 vlib_cli_output(vm, "Mask-type entries:");
2751 pool_foreach(mte, am->ace_mask_type_pool,
2753 vlib_cli_output(vm, " %3d: %016llx %016llx %016llx %016llx %016llx %016llx refcount %d",
2754 mte - am->ace_mask_type_pool,
2755 mte->mask.kv.key[0], mte->mask.kv.key[1], mte->mask.kv.key[2],
2756 mte->mask.kv.key[3], mte->mask.kv.key[4], mte->mask.kv.value, mte->refcount);
2762 acl_plugin_show_tables_acl_hash_info(acl_main_t *am, u32 acl_index)
2764 vlib_main_t *vm = am->vlib_main;
2767 vlib_cli_output(vm, "Mask-ready ACL representations\n");
2768 for (i=0; i< vec_len(am->hash_acl_infos); i++) {
2769 if ((acl_index != ~0) && (acl_index != i)) {
2772 hash_acl_info_t *ha = &am->hash_acl_infos[i];
2773 vlib_cli_output(vm, "acl-index %u bitmask-ready layout\n", i);
2774 vlib_cli_output(vm, " applied inbound on sw_if_index list: %U\n", format_vec32, ha->inbound_sw_if_index_list, "%d");
2775 vlib_cli_output(vm, " applied outbound on sw_if_index list: %U\n", format_vec32, ha->outbound_sw_if_index_list, "%d");
2776 vlib_cli_output(vm, " mask type index bitmap: %U\n", format_bitmap_hex, ha->mask_type_index_bitmap);
2777 for(j=0; j<vec_len(ha->rules); j++) {
2778 hash_ace_info_t *pa = &ha->rules[j];
2779 m = (u64 *)&pa->match;
2780 vlib_cli_output(vm, " %4d: %016llx %016llx %016llx %016llx %016llx %016llx mask index %d acl %d rule %d action %d src/dst portrange not ^2: %d,%d\n",
2781 j, m[0], m[1], m[2], m[3], m[4], m[5], pa->mask_type_index,
2782 pa->acl_index, pa->ace_index, pa->action,
2783 pa->src_portrange_not_powerof2, pa->dst_portrange_not_powerof2);
2789 acl_plugin_print_pae(vlib_main_t *vm, int j, applied_hash_ace_entry_t *pae)
2791 vlib_cli_output(vm, " %4d: acl %d rule %d action %d bitmask-ready rule %d next %d prev %d tail %d hitcount %lld",
2792 j, pae->acl_index, pae->ace_index, pae->action, pae->hash_ace_info_index,
2793 pae->next_applied_entry_index, pae->prev_applied_entry_index, pae->tail_applied_entry_index, pae->hitcount);
2797 acl_plugin_show_tables_applied_info(acl_main_t *am, u32 sw_if_index)
2799 vlib_main_t *vm = am->vlib_main;
2801 vlib_cli_output(vm, "Applied lookup entries for interfaces");
2803 for(swi = 0; (swi < vec_len(am->input_applied_hash_acl_info_by_sw_if_index)) ||
2804 (swi < vec_len(am->output_applied_hash_acl_info_by_sw_if_index)) ||
2805 (swi < vec_len(am->input_hash_entry_vec_by_sw_if_index)) ||
2806 (swi < vec_len(am->output_hash_entry_vec_by_sw_if_index)); swi++) {
2807 if ((sw_if_index != ~0) && (sw_if_index != swi)) {
2810 vlib_cli_output(vm, "sw_if_index %d:", swi);
2811 if (swi < vec_len(am->input_applied_hash_acl_info_by_sw_if_index)) {
2812 applied_hash_acl_info_t *pal = &am->input_applied_hash_acl_info_by_sw_if_index[swi];
2813 vlib_cli_output(vm, " input lookup mask_type_index_bitmap: %U", format_bitmap_hex, pal->mask_type_index_bitmap);
2814 vlib_cli_output(vm, " input applied acls: %U", format_vec32, pal->applied_acls, "%d");
2816 if (swi < vec_len(am->input_hash_entry_vec_by_sw_if_index)) {
2817 vlib_cli_output(vm, " input lookup applied entries:");
2818 for(j=0; j<vec_len(am->input_hash_entry_vec_by_sw_if_index[swi]); j++) {
2819 acl_plugin_print_pae(vm, j, &am->input_hash_entry_vec_by_sw_if_index[swi][j]);
2823 if (swi < vec_len(am->output_applied_hash_acl_info_by_sw_if_index)) {
2824 applied_hash_acl_info_t *pal = &am->output_applied_hash_acl_info_by_sw_if_index[swi];
2825 vlib_cli_output(vm, " output lookup mask_type_index_bitmap: %U", format_bitmap_hex, pal->mask_type_index_bitmap);
2826 vlib_cli_output(vm, " output applied acls: %U", format_vec32, pal->applied_acls, "%d");
2828 if (swi < vec_len(am->output_hash_entry_vec_by_sw_if_index)) {
2829 vlib_cli_output(vm, " output lookup applied entries:");
2830 for(j=0; j<vec_len(am->output_hash_entry_vec_by_sw_if_index[swi]); j++) {
2831 acl_plugin_print_pae(vm, j, &am->output_hash_entry_vec_by_sw_if_index[swi][j]);
2838 acl_plugin_show_tables_bihash(acl_main_t *am, u32 show_bihash_verbose)
2840 vlib_main_t *vm = am->vlib_main;
2841 show_hash_acl_hash(vm, am, show_bihash_verbose);
2844 static clib_error_t *
2845 acl_show_aclplugin_tables_fn (vlib_main_t * vm,
2846 unformat_input_t * input,
2847 vlib_cli_command_t * cmd)
2849 clib_error_t *error = 0;
2850 acl_main_t *am = &acl_main;
2853 u32 sw_if_index = ~0;
2854 int show_acl_hash_info = 0;
2855 int show_applied_info = 0;
2856 int show_mask_type = 0;
2857 int show_bihash = 0;
2858 u32 show_bihash_verbose = 0;
2860 if (unformat (input, "acl")) {
2861 show_acl_hash_info = 1;
2862 /* mask-type is handy to see as well right there */
2864 unformat (input, "index %u", &acl_index);
2865 } else if (unformat (input, "applied")) {
2866 show_applied_info = 1;
2867 unformat (input, "sw_if_index %u", &sw_if_index);
2868 } else if (unformat (input, "mask")) {
2870 } else if (unformat (input, "hash")) {
2872 unformat (input, "verbose %u", &show_bihash_verbose);
2875 if ( ! (show_mask_type || show_acl_hash_info || show_applied_info || show_bihash) ) {
2876 /* if no qualifiers specified, show all */
2878 show_acl_hash_info = 1;
2879 show_applied_info = 1;
2883 acl_plugin_show_tables_mask_type(am);
2884 if (show_acl_hash_info)
2885 acl_plugin_show_tables_acl_hash_info(am, acl_index);
2886 if (show_applied_info)
2887 acl_plugin_show_tables_applied_info(am, sw_if_index);
2889 acl_plugin_show_tables_bihash(am, show_bihash_verbose);
2894 static clib_error_t *
2895 acl_clear_aclplugin_fn (vlib_main_t * vm,
2896 unformat_input_t * input,
2897 vlib_cli_command_t * cmd)
2899 clib_error_t *error = 0;
2900 acl_main_t *am = &acl_main;
2901 vlib_process_signal_event (am->vlib_main, am->fa_cleaner_node_index,
2902 ACL_FA_CLEANER_DELETE_BY_SW_IF_INDEX, ~0);
2907 VLIB_CLI_COMMAND (aclplugin_set_command, static) = {
2908 .path = "set acl-plugin",
2909 .short_help = "set acl-plugin session timeout {{udp idle}|tcp {idle|transient}} <seconds>",
2910 .function = acl_set_aclplugin_fn,
2913 VLIB_CLI_COMMAND (aclplugin_show_acl_command, static) = {
2914 .path = "show acl-plugin acl",
2915 .short_help = "show acl-plugin acl [index N]",
2916 .function = acl_show_aclplugin_acl_fn,
2919 VLIB_CLI_COMMAND (aclplugin_show_interface_command, static) = {
2920 .path = "show acl-plugin interface",
2921 .short_help = "show acl-plugin interface [sw_if_index N] [acl]",
2922 .function = acl_show_aclplugin_interface_fn,
2925 VLIB_CLI_COMMAND (aclplugin_show_memory_command, static) = {
2926 .path = "show acl-plugin memory",
2927 .short_help = "show acl-plugin memory",
2928 .function = acl_show_aclplugin_memory_fn,
2931 VLIB_CLI_COMMAND (aclplugin_show_sessions_command, static) = {
2932 .path = "show acl-plugin sessions",
2933 .short_help = "show acl-plugin sessions",
2934 .function = acl_show_aclplugin_sessions_fn,
2937 VLIB_CLI_COMMAND (aclplugin_show_tables_command, static) = {
2938 .path = "show acl-plugin tables",
2939 .short_help = "show acl-plugin tables [ acl [index N] | applied [ sw_if_index N ] | mask | hash [verbose N] ]",
2940 .function = acl_show_aclplugin_tables_fn,
2943 VLIB_CLI_COMMAND (aclplugin_show_macip_acl_command, static) = {
2944 .path = "show acl-plugin macip acl",
2945 .short_help = "show acl-plugin macip acl",
2946 .function = acl_show_aclplugin_macip_acl_fn,
2949 VLIB_CLI_COMMAND (aclplugin_show_macip_interface_command, static) = {
2950 .path = "show acl-plugin macip interface",
2951 .short_help = "show acl-plugin macip interface",
2952 .function = acl_show_aclplugin_macip_interface_fn,
2955 VLIB_CLI_COMMAND (aclplugin_clear_command, static) = {
2956 .path = "clear acl-plugin sessions",
2957 .short_help = "clear acl-plugin sessions",
2958 .function = acl_clear_aclplugin_fn,
2962 static clib_error_t *
2963 acl_plugin_config (vlib_main_t * vm, unformat_input_t * input)
2965 acl_main_t *am = &acl_main;
2966 u32 conn_table_hash_buckets;
2967 u32 conn_table_hash_memory_size;
2968 u32 conn_table_max_entries;
2971 u32 hash_lookup_hash_buckets;
2972 u32 hash_lookup_hash_memory;
2974 while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
2976 if (unformat (input, "connection hash buckets %d", &conn_table_hash_buckets))
2977 am->fa_conn_table_hash_num_buckets = conn_table_hash_buckets;
2978 else if (unformat (input, "connection hash memory %d",
2979 &conn_table_hash_memory_size))
2980 am->fa_conn_table_hash_memory_size = conn_table_hash_memory_size;
2981 else if (unformat (input, "connection count max %d",
2982 &conn_table_max_entries))
2983 am->fa_conn_table_max_entries = conn_table_max_entries;
2984 else if (unformat (input, "main heap size %d",
2986 am->acl_mheap_size = main_heap_size;
2987 else if (unformat (input, "hash lookup heap size %d",
2989 am->hash_lookup_mheap_size = hash_heap_size;
2990 else if (unformat (input, "hash lookup hash buckets %d",
2991 &hash_lookup_hash_buckets))
2992 am->hash_lookup_hash_buckets = hash_lookup_hash_buckets;
2993 else if (unformat (input, "hash lookup hash memory %d",
2994 &hash_lookup_hash_memory))
2995 am->hash_lookup_hash_memory = hash_lookup_hash_memory;
2997 return clib_error_return (0, "unknown input '%U'",
2998 format_unformat_error, input);
3002 VLIB_CONFIG_FUNCTION (acl_plugin_config, "acl-plugin");
3004 static clib_error_t *
3005 acl_init (vlib_main_t * vm)
3007 acl_main_t *am = &acl_main;
3008 clib_error_t *error = 0;
3009 memset (am, 0, sizeof (*am));
3011 am->vnet_main = vnet_get_main ();
3013 u8 *name = format (0, "acl_%08x%c", api_version, 0);
3015 /* Ask for a correctly-sized block of API message decode slots */
3016 am->msg_id_base = vl_msg_api_get_msg_ids ((char *) name,
3017 VL_MSG_FIRST_AVAILABLE);
3019 error = acl_plugin_api_hookup (vm);
3021 /* Add our API messages to the global name_crc hash table */
3022 setup_message_id_table (am, &api_main);
3026 acl_setup_fa_nodes();
3028 am->acl_mheap_size = ACL_FA_DEFAULT_HEAP_SIZE;
3029 am->hash_lookup_mheap_size = ACL_PLUGIN_HASH_LOOKUP_HEAP_SIZE;
3031 am->hash_lookup_hash_buckets = ACL_PLUGIN_HASH_LOOKUP_HASH_BUCKETS;
3032 am->hash_lookup_hash_memory = ACL_PLUGIN_HASH_LOOKUP_HASH_MEMORY;
3034 am->session_timeout_sec[ACL_TIMEOUT_TCP_TRANSIENT] = TCP_SESSION_TRANSIENT_TIMEOUT_SEC;
3035 am->session_timeout_sec[ACL_TIMEOUT_TCP_IDLE] = TCP_SESSION_IDLE_TIMEOUT_SEC;
3036 am->session_timeout_sec[ACL_TIMEOUT_UDP_IDLE] = UDP_SESSION_IDLE_TIMEOUT_SEC;
3038 am->fa_conn_table_hash_num_buckets = ACL_FA_CONN_TABLE_DEFAULT_HASH_NUM_BUCKETS;
3039 am->fa_conn_table_hash_memory_size = ACL_FA_CONN_TABLE_DEFAULT_HASH_MEMORY_SIZE;
3040 am->fa_conn_table_max_entries = ACL_FA_CONN_TABLE_DEFAULT_MAX_ENTRIES;
3041 vlib_thread_main_t *tm = vlib_get_thread_main ();
3042 vec_validate(am->per_worker_data, tm->n_vlib_mains-1);
3046 for (wk = 0; wk < vec_len (am->per_worker_data); wk++) {
3047 acl_fa_per_worker_data_t *pw = &am->per_worker_data[wk];
3048 vec_validate(pw->fa_conn_list_head, ACL_N_TIMEOUTS-1);
3049 vec_validate(pw->fa_conn_list_tail, ACL_N_TIMEOUTS-1);
3050 for(tt = 0; tt < ACL_N_TIMEOUTS; tt++) {
3051 pw->fa_conn_list_head[tt] = ~0;
3052 pw->fa_conn_list_tail[tt] = ~0;
3057 am->fa_min_deleted_sessions_per_interval = ACL_FA_DEFAULT_MIN_DELETED_SESSIONS_PER_INTERVAL;
3058 am->fa_max_deleted_sessions_per_interval = ACL_FA_DEFAULT_MAX_DELETED_SESSIONS_PER_INTERVAL;
3059 am->fa_cleaner_wait_time_increment = ACL_FA_DEFAULT_CLEANER_WAIT_TIME_INCREMENT;
3061 am->fa_cleaner_cnt_delete_by_sw_index = 0;
3062 am->fa_cleaner_cnt_delete_by_sw_index_ok = 0;
3063 am->fa_cleaner_cnt_unknown_event = 0;
3064 am->fa_cleaner_cnt_timer_restarted = 0;
3065 am->fa_cleaner_cnt_wait_with_timeout = 0;
3068 #define _(N, v, s) am->fa_ipv6_known_eh_bitmap = clib_bitmap_set(am->fa_ipv6_known_eh_bitmap, v, 1);
3072 am->l4_match_nonfirst_fragment = 1;
3074 /* use the new fancy hash-based matching */
3075 am->use_hash_acl_matching = 1;
3080 VLIB_INIT_FUNCTION (acl_init);
Code Review / vpp.git / blob