2 * Copyright (c) 2016 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
18 #include <vnet/vnet.h>
19 #include <vnet/plugin/plugin.h>
22 #include <vnet/l2/l2_classify.h>
23 #include <vnet/l2/l2_in_out_feat_arc.h>
24 #include <vnet/classify/in_out_acl.h>
25 #include <vpp/app/version.h>
27 #include <vlibapi/api.h>
28 #include <vlibmemory/api.h>
30 /* define message IDs */
31 #include <acl/acl_msg_enum.h>
33 /* define message structures */
35 #include <acl/acl_all_api_h.h>
38 /* define generated endian-swappers */
40 #include <acl/acl_all_api_h.h>
43 /* instantiate all the print functions we know about */
44 #define vl_print(handle, ...) vlib_cli_output (handle, __VA_ARGS__)
46 #include <acl/acl_all_api_h.h>
49 /* Get the API version number */
50 #define vl_api_version(n,v) static u32 api_version=(v);
51 #include <acl/acl_all_api_h.h>
55 #include "public_inlines.h"
59 #define REPLY_MSG_ID_BASE am->msg_id_base
60 #include <vlibapi/api_helper_macros.h>
63 * The code for the bihash, used by the session management.
65 #include <vppinfra/bihash_40_8.h>
66 #include <vppinfra/bihash_template.h>
67 #include <vppinfra/bihash_template.c>
69 /* List of message types that this plugin understands */
71 #define foreach_acl_plugin_api_msg \
72 _(ACL_PLUGIN_GET_VERSION, acl_plugin_get_version) \
73 _(ACL_PLUGIN_CONTROL_PING, acl_plugin_control_ping) \
74 _(ACL_ADD_REPLACE, acl_add_replace) \
76 _(ACL_INTERFACE_ADD_DEL, acl_interface_add_del) \
77 _(ACL_INTERFACE_SET_ACL_LIST, acl_interface_set_acl_list) \
78 _(ACL_DUMP, acl_dump) \
79 _(ACL_INTERFACE_LIST_DUMP, acl_interface_list_dump) \
80 _(MACIP_ACL_ADD, macip_acl_add) \
81 _(MACIP_ACL_ADD_REPLACE, macip_acl_add_replace) \
82 _(MACIP_ACL_DEL, macip_acl_del) \
83 _(MACIP_ACL_INTERFACE_ADD_DEL, macip_acl_interface_add_del) \
84 _(MACIP_ACL_DUMP, macip_acl_dump) \
85 _(MACIP_ACL_INTERFACE_GET, macip_acl_interface_get) \
86 _(MACIP_ACL_INTERFACE_LIST_DUMP, macip_acl_interface_list_dump) \
87 _(ACL_INTERFACE_SET_ETYPE_WHITELIST, acl_interface_set_etype_whitelist) \
88 _(ACL_INTERFACE_ETYPE_WHITELIST_DUMP, acl_interface_etype_whitelist_dump)
92 VLIB_PLUGIN_REGISTER () = {
93 .version = VPP_BUILD_VER,
94 .description = "Access Control Lists",
98 /* methods exported from ACL-as-a-service */
99 static acl_plugin_methods_t acl_plugin;
103 format_vec16 (u8 * s, va_list * va)
105 u16 *v = va_arg (*va, u16 *);
106 char *fmt = va_arg (*va, char *);
108 for (i = 0; i < vec_len (v); i++)
111 s = format (s, ", ");
112 s = format (s, fmt, v[i]);
118 acl_set_heap (acl_main_t * am)
120 if (0 == am->acl_mheap)
122 if (0 == am->acl_mheap_size)
124 vlib_thread_main_t *tm = vlib_get_thread_main ();
125 u64 per_worker_slack = 1000000LL;
126 u64 per_worker_size =
128 ((u64) am->fa_conn_table_max_entries) * sizeof (fa_session_t);
129 u64 per_worker_size_with_slack = per_worker_slack + per_worker_size;
130 u64 main_slack = 2000000LL;
131 u64 bihash_size = (u64) am->fa_conn_table_hash_memory_size;
134 per_worker_size_with_slack * tm->n_vlib_mains + bihash_size +
137 u64 max_possible = ((uword) ~ 0);
138 if (am->acl_mheap_size > max_possible)
140 clib_warning ("ACL heap size requested: %lld, max possible %lld",
141 am->acl_mheap_size, max_possible);
144 am->acl_mheap = mheap_alloc_with_lock (0 /* use VM */ ,
147 if (0 == am->acl_mheap)
150 ("ACL plugin failed to allocate main heap of %U bytes, abort",
151 format_memory_size, am->acl_mheap_size);
154 void *oldheap = clib_mem_set_heap (am->acl_mheap);
159 acl_plugin_set_heap ()
161 acl_main_t *am = &acl_main;
162 return acl_set_heap (am);
166 acl_plugin_acl_set_validate_heap (acl_main_t * am, int on)
168 clib_mem_set_heap (acl_set_heap (am));
169 #if USE_DLMALLOC == 0
170 mheap_t *h = mheap_header (am->acl_mheap);
173 h->flags |= MHEAP_FLAG_VALIDATE;
174 h->flags &= ~MHEAP_FLAG_SMALL_OBJECT_CACHE;
179 h->flags &= ~MHEAP_FLAG_VALIDATE;
180 h->flags |= MHEAP_FLAG_SMALL_OBJECT_CACHE;
186 acl_plugin_acl_set_trace_heap (acl_main_t * am, int on)
188 clib_mem_set_heap (acl_set_heap (am));
189 #if USE_DLMALLOC == 0
190 mheap_t *h = mheap_header (am->acl_mheap);
193 h->flags |= MHEAP_FLAG_TRACE;
197 h->flags &= ~MHEAP_FLAG_TRACE;
203 vl_api_acl_plugin_get_version_t_handler (vl_api_acl_plugin_get_version_t * mp)
205 acl_main_t *am = &acl_main;
206 vl_api_acl_plugin_get_version_reply_t *rmp;
207 int msg_size = sizeof (*rmp);
208 vl_api_registration_t *reg;
210 reg = vl_api_client_index_to_registration (mp->client_index);
214 rmp = vl_msg_api_alloc (msg_size);
215 clib_memset (rmp, 0, msg_size);
217 ntohs (VL_API_ACL_PLUGIN_GET_VERSION_REPLY + am->msg_id_base);
218 rmp->context = mp->context;
219 rmp->major = htonl (ACL_PLUGIN_VERSION_MAJOR);
220 rmp->minor = htonl (ACL_PLUGIN_VERSION_MINOR);
222 vl_api_send_msg (reg, (u8 *) rmp);
226 vl_api_acl_plugin_control_ping_t_handler (vl_api_acl_plugin_control_ping_t *
229 vl_api_acl_plugin_control_ping_reply_t *rmp;
230 acl_main_t *am = &acl_main;
234 REPLY_MACRO2 (VL_API_ACL_PLUGIN_CONTROL_PING_REPLY,
236 rmp->vpe_pid = ntohl (getpid ());
242 print_clib_warning_and_reset (vlib_main_t * vm, u8 * out0)
244 clib_warning ("%v", out0);
245 vec_reset_length (out0);
249 print_cli_and_reset (vlib_main_t * vm, u8 * out0)
251 vlib_cli_output (vm, "%v", out0);
252 vec_reset_length (out0);
255 typedef void (*acl_vector_print_func_t) (vlib_main_t * vm, u8 * out0);
258 acl_print_acl_x (acl_vector_print_func_t vpr, vlib_main_t * vm,
259 acl_main_t * am, int acl_index)
262 u8 *out0 = format (0, "acl-index %u count %u tag {%s}\n", acl_index,
263 am->acls[acl_index].count, am->acls[acl_index].tag);
266 for (j = 0; j < am->acls[acl_index].count; j++)
268 r = &am->acls[acl_index].rules[j];
269 out0 = format (out0, " %9d: %s ", j, r->is_ipv6 ? "ipv6" : "ipv4");
270 out0 = format_acl_action (out0, r->is_permit);
271 out0 = format (out0, " src %U/%d", format_ip46_address, &r->src,
272 r->is_ipv6 ? IP46_TYPE_IP6 : IP46_TYPE_IP4,
275 format (out0, " dst %U/%d", format_ip46_address, &r->dst,
276 r->is_ipv6 ? IP46_TYPE_IP6 : IP46_TYPE_IP4, r->dst_prefixlen);
277 out0 = format (out0, " proto %d", r->proto);
278 out0 = format (out0, " sport %d", r->src_port_or_type_first);
279 if (r->src_port_or_type_first != r->src_port_or_type_last)
281 out0 = format (out0, "-%d", r->src_port_or_type_last);
283 out0 = format (out0, " dport %d", r->dst_port_or_code_first);
284 if (r->dst_port_or_code_first != r->dst_port_or_code_last)
286 out0 = format (out0, "-%d", r->dst_port_or_code_last);
288 if (r->tcp_flags_mask || r->tcp_flags_value)
291 format (out0, " tcpflags %d mask %d", r->tcp_flags_value,
294 out0 = format (out0, "\n");
300 acl_print_acl (vlib_main_t * vm, acl_main_t * am, int acl_index)
302 acl_print_acl_x (print_cli_and_reset, vm, am, acl_index);
306 warning_acl_print_acl (vlib_main_t * vm, acl_main_t * am, int acl_index)
308 acl_print_acl_x (print_clib_warning_and_reset, vm, am, acl_index);
312 increment_policy_epoch (acl_main_t * am, u32 sw_if_index, int is_input)
315 u32 **ppolicy_epoch_by_swi =
316 is_input ? &am->input_policy_epoch_by_sw_if_index :
317 &am->output_policy_epoch_by_sw_if_index;
318 vec_validate (*ppolicy_epoch_by_swi, sw_if_index);
320 u32 *p_epoch = vec_elt_at_index ((*ppolicy_epoch_by_swi), sw_if_index);
322 ((1 + *p_epoch) & FA_POLICY_EPOCH_MASK) +
323 (is_input * FA_POLICY_EPOCH_IS_INPUT);
327 try_increment_acl_policy_epoch (acl_main_t * am, u32 acl_num, int is_input)
329 u32 ***p_swi_vec_by_acl = is_input ? &am->input_sw_if_index_vec_by_acl
330 : &am->output_sw_if_index_vec_by_acl;
331 if (acl_num < vec_len (*p_swi_vec_by_acl))
334 vec_foreach (p_swi, (*p_swi_vec_by_acl)[acl_num])
336 increment_policy_epoch (am, *p_swi, is_input);
343 policy_notify_acl_change (acl_main_t * am, u32 acl_num)
345 try_increment_acl_policy_epoch (am, acl_num, 0);
346 try_increment_acl_policy_epoch (am, acl_num, 1);
352 acl_add_list (u32 count, vl_api_acl_rule_t rules[],
353 u32 * acl_list_index, u8 * tag)
355 acl_main_t *am = &acl_main;
358 acl_rule_t *acl_new_rules = 0;
361 if (am->trace_acl > 255)
362 clib_warning ("API dbg: acl_add_list index %d tag %s", *acl_list_index,
365 if (*acl_list_index != ~0)
367 /* They supplied some number, let's see if this ACL exists */
368 if (pool_is_free_index (am->acls, *acl_list_index))
370 /* tried to replace a non-existent ACL, no point doing anything */
372 ("acl-plugin-error: Trying to replace nonexistent ACL %d (tag %s)",
373 *acl_list_index, tag);
374 return VNET_API_ERROR_NO_SUCH_ENTRY;
380 ("acl-plugin-warning: supplied no rules for ACL %d (tag %s)",
381 *acl_list_index, tag);
384 void *oldheap = acl_set_heap (am);
386 /* Create and populate the rules */
388 vec_validate (acl_new_rules, count - 1);
390 for (i = 0; i < count; i++)
392 r = vec_elt_at_index (acl_new_rules, i);
393 clib_memset (r, 0, sizeof (*r));
394 r->is_permit = rules[i].is_permit;
395 r->is_ipv6 = rules[i].is_ipv6;
398 memcpy (&r->src, rules[i].src_ip_addr, sizeof (r->src));
399 memcpy (&r->dst, rules[i].dst_ip_addr, sizeof (r->dst));
403 memcpy (&r->src.ip4, rules[i].src_ip_addr, sizeof (r->src.ip4));
404 memcpy (&r->dst.ip4, rules[i].dst_ip_addr, sizeof (r->dst.ip4));
406 r->src_prefixlen = rules[i].src_ip_prefix_len;
407 r->dst_prefixlen = rules[i].dst_ip_prefix_len;
408 r->proto = rules[i].proto;
409 r->src_port_or_type_first = ntohs (rules[i].srcport_or_icmptype_first);
410 r->src_port_or_type_last = ntohs (rules[i].srcport_or_icmptype_last);
411 r->dst_port_or_code_first = ntohs (rules[i].dstport_or_icmpcode_first);
412 r->dst_port_or_code_last = ntohs (rules[i].dstport_or_icmpcode_last);
413 r->tcp_flags_value = rules[i].tcp_flags_value;
414 r->tcp_flags_mask = rules[i].tcp_flags_mask;
417 if (~0 == *acl_list_index)
420 pool_get_aligned (am->acls, a, CLIB_CACHE_LINE_BYTES);
421 clib_memset (a, 0, sizeof (*a));
422 /* Will return the newly allocated ACL index */
423 *acl_list_index = a - am->acls;
427 a = am->acls + *acl_list_index;
428 /* Get rid of the old rules */
432 a->rules = acl_new_rules;
434 memcpy (a->tag, tag, sizeof (a->tag));
435 if (am->trace_acl > 255)
436 warning_acl_print_acl (am->vlib_main, am, *acl_list_index);
437 if (am->reclassify_sessions)
439 /* a change in an ACLs if they are applied may mean a new policy epoch */
440 policy_notify_acl_change (am, *acl_list_index);
443 /* notify the lookup contexts about the ACL changes */
444 acl_plugin_lookup_context_notify_acl_change (*acl_list_index);
445 clib_mem_set_heap (oldheap);
450 acl_is_used_by (u32 acl_index, u32 ** foo_index_vec_by_acl)
452 if (acl_index < vec_len (foo_index_vec_by_acl))
454 if (vec_len (vec_elt (foo_index_vec_by_acl, acl_index)) > 0)
456 /* ACL is applied somewhere. */
464 acl_del_list (u32 acl_list_index)
466 acl_main_t *am = &acl_main;
468 if (pool_is_free_index (am->acls, acl_list_index))
470 return VNET_API_ERROR_NO_SUCH_ENTRY;
472 if (acl_is_used_by (acl_list_index, am->input_sw_if_index_vec_by_acl))
473 return VNET_API_ERROR_ACL_IN_USE_INBOUND;
474 if (acl_is_used_by (acl_list_index, am->output_sw_if_index_vec_by_acl))
475 return VNET_API_ERROR_ACL_IN_USE_OUTBOUND;
476 /* lookup contexts cover other cases, not just inbound/outbound, so check that */
477 if (acl_is_used_by (acl_list_index, am->lc_index_vec_by_acl))
478 return VNET_API_ERROR_ACL_IN_USE_BY_LOOKUP_CONTEXT;
480 void *oldheap = acl_set_heap (am);
482 /* now we can delete the ACL itself */
483 a = pool_elt_at_index (am->acls, acl_list_index);
486 pool_put (am->acls, a);
487 /* acl_list_index is now free, notify the lookup contexts */
488 acl_plugin_lookup_context_notify_acl_change (acl_list_index);
489 clib_mem_set_heap (oldheap);
494 count_skip (u8 * p, u32 size)
496 u64 *p64 = (u64 *) p;
497 /* Be tolerant to null pointer */
501 while ((0ULL == *p64) && ((u8 *) p64 - p) < size)
505 return (p64 - (u64 *) p) / 2;
509 acl_classify_add_del_table_small (vnet_classify_main_t * cm, u8 * mask,
510 u32 mask_len, u32 next_table_index,
511 u32 miss_next_index, u32 * table_index,
515 u32 memory_size = 2 << 22;
516 u32 skip = count_skip (mask, mask_len);
517 u32 match = (mask_len / 16) - skip;
518 u8 *skip_mask_ptr = mask + 16 * skip;
519 u32 current_data_flag = 0;
520 int current_data_offset = 0;
525 void *oldheap = clib_mem_set_heap (cm->vlib_main->heap_base);
526 int ret = vnet_classify_add_del_table (cm, skip_mask_ptr, nbuckets,
527 memory_size, skip, match,
528 next_table_index, miss_next_index,
529 table_index, current_data_flag,
530 current_data_offset, is_add,
531 1 /* delete_chain */ );
532 clib_mem_set_heap (oldheap);
537 intf_has_etype_whitelist (acl_main_t * am, u32 sw_if_index, int is_input)
540 ? am->input_etype_whitelist_by_sw_if_index
541 : am->output_etype_whitelist_by_sw_if_index;
542 u16 *whitelist = (vec_len (v) > sw_if_index) ? vec_elt (v, sw_if_index) : 0;
543 return vec_len (whitelist) > 0;
547 acl_clear_sessions (acl_main_t * am, u32 sw_if_index)
549 void *oldheap = clib_mem_set_heap (am->vlib_main->heap_base);
550 vlib_process_signal_event (am->vlib_main, am->fa_cleaner_node_index,
551 ACL_FA_CLEANER_DELETE_BY_SW_IF_INDEX,
553 clib_mem_set_heap (oldheap);
558 acl_interface_in_enable_disable (acl_main_t * am, u32 sw_if_index,
564 if (pool_is_free_index (am->vnet_main->interface_main.sw_interfaces,
566 return VNET_API_ERROR_INVALID_SW_IF_INDEX;
568 if (clib_bitmap_get (am->in_acl_on_sw_if_index, sw_if_index) ==
572 acl_fa_enable_disable (sw_if_index, 1, enable_disable);
574 void *oldheap = clib_mem_set_heap (am->vlib_main->heap_base);
575 rv = vnet_l2_feature_enable_disable ("l2-input-ip4", "acl-plugin-in-ip4-l2",
576 sw_if_index, enable_disable, 0, 0);
578 clib_error ("Could not enable on input");
579 rv = vnet_l2_feature_enable_disable ("l2-input-ip6", "acl-plugin-in-ip6-l2",
580 sw_if_index, enable_disable, 0, 0);
582 clib_error ("Could not enable on input");
584 if (intf_has_etype_whitelist (am, sw_if_index, 1))
585 vnet_l2_feature_enable_disable ("l2-input-nonip",
586 "acl-plugin-in-nonip-l2", sw_if_index,
587 enable_disable, 0, 0);
589 clib_mem_set_heap (oldheap);
591 am->in_acl_on_sw_if_index =
592 clib_bitmap_set (am->in_acl_on_sw_if_index, sw_if_index, enable_disable);
598 acl_interface_out_enable_disable (acl_main_t * am, u32 sw_if_index,
604 if (pool_is_free_index (am->vnet_main->interface_main.sw_interfaces,
606 return VNET_API_ERROR_INVALID_SW_IF_INDEX;
608 if (clib_bitmap_get (am->out_acl_on_sw_if_index, sw_if_index) ==
612 acl_fa_enable_disable (sw_if_index, 0, enable_disable);
614 void *oldheap = clib_mem_set_heap (am->vlib_main->heap_base);
616 vnet_l2_feature_enable_disable ("l2-output-ip4", "acl-plugin-out-ip4-l2",
617 sw_if_index, enable_disable, 0, 0);
619 clib_error ("Could not enable on output");
621 vnet_l2_feature_enable_disable ("l2-output-ip6", "acl-plugin-out-ip6-l2",
622 sw_if_index, enable_disable, 0, 0);
624 clib_error ("Could not enable on output");
625 if (intf_has_etype_whitelist (am, sw_if_index, 0))
626 vnet_l2_feature_enable_disable ("l2-output-nonip",
627 "acl-plugin-out-nonip-l2", sw_if_index,
628 enable_disable, 0, 0);
631 clib_mem_set_heap (oldheap);
633 am->out_acl_on_sw_if_index =
634 clib_bitmap_set (am->out_acl_on_sw_if_index, sw_if_index, enable_disable);
640 acl_interface_inout_enable_disable (acl_main_t * am, u32 sw_if_index,
641 int is_input, int enable_disable)
644 return acl_interface_in_enable_disable (am, sw_if_index, enable_disable);
646 return acl_interface_out_enable_disable (am, sw_if_index, enable_disable);
650 acl_is_not_defined (acl_main_t * am, u32 acl_list_index)
652 return (pool_is_free_index (am->acls, acl_list_index));
656 acl_interface_set_inout_acl_list (acl_main_t * am, u32 sw_if_index,
657 u8 is_input, u32 * vec_acl_list_index,
658 int *may_clear_sessions)
661 uword *seen_acl_bitmap = 0;
662 uword *old_seen_acl_bitmap = 0;
663 uword *change_acl_bitmap = 0;
668 if (am->trace_acl > 255)
670 ("API dbg: acl_interface_set_inout_acl_list: sw_if_index %d is_input %d acl_vec: [%U]",
671 sw_if_index, is_input, format_vec32, vec_acl_list_index, "%d");
673 vec_foreach (pacln, vec_acl_list_index)
675 if (acl_is_not_defined (am, *pacln))
677 /* ACL is not defined. Can not apply */
678 clib_warning ("ERROR: ACL %d not defined", *pacln);
679 rv = VNET_API_ERROR_NO_SUCH_ENTRY;
682 if (clib_bitmap_get (seen_acl_bitmap, *pacln))
684 /* ACL being applied twice within the list. error. */
685 clib_warning ("ERROR: ACL %d being applied twice", *pacln);
686 rv = VNET_API_ERROR_ENTRY_ALREADY_EXISTS;
689 seen_acl_bitmap = clib_bitmap_set (seen_acl_bitmap, *pacln, 1);
693 u32 **pinout_lc_index_by_sw_if_index =
695 input_lc_index_by_sw_if_index : &am->output_lc_index_by_sw_if_index;
697 u32 ***pinout_acl_vec_by_sw_if_index =
699 input_acl_vec_by_sw_if_index : &am->output_acl_vec_by_sw_if_index;
701 u32 ***pinout_sw_if_index_vec_by_acl =
703 input_sw_if_index_vec_by_acl : &am->output_sw_if_index_vec_by_acl;
705 vec_validate ((*pinout_acl_vec_by_sw_if_index), sw_if_index);
707 clib_bitmap_validate (old_seen_acl_bitmap, 1);
709 vec_foreach (pacln, (*pinout_acl_vec_by_sw_if_index)[sw_if_index])
711 old_seen_acl_bitmap = clib_bitmap_set (old_seen_acl_bitmap, *pacln, 1);
714 clib_bitmap_dup_xor (old_seen_acl_bitmap, seen_acl_bitmap);
716 if (am->trace_acl > 255)
717 clib_warning ("bitmaps: old seen %U new seen %U changed %U",
718 format_bitmap_hex, old_seen_acl_bitmap, format_bitmap_hex,
719 seen_acl_bitmap, format_bitmap_hex, change_acl_bitmap);
722 clib_bitmap_foreach(acln, change_acl_bitmap, ({
723 if (clib_bitmap_get(old_seen_acl_bitmap, acln)) {
724 /* ACL is being removed. */
725 if (acln < vec_len((*pinout_sw_if_index_vec_by_acl))) {
726 int index = vec_search((*pinout_sw_if_index_vec_by_acl)[acln], sw_if_index);
727 vec_del1((*pinout_sw_if_index_vec_by_acl)[acln], index);
730 /* ACL is being added. */
731 vec_validate((*pinout_sw_if_index_vec_by_acl), acln);
732 vec_add1((*pinout_sw_if_index_vec_by_acl)[acln], sw_if_index);
737 vec_free ((*pinout_acl_vec_by_sw_if_index)[sw_if_index]);
738 (*pinout_acl_vec_by_sw_if_index)[sw_if_index] =
739 vec_dup (vec_acl_list_index);
741 if (am->reclassify_sessions)
743 /* re-applying ACLs means a new policy epoch */
744 increment_policy_epoch (am, sw_if_index, is_input);
748 /* if no commonalities between the ACL# - then we should definitely clear the sessions */
749 if (may_clear_sessions && *may_clear_sessions
750 && !clib_bitmap_is_zero (change_acl_bitmap))
752 acl_clear_sessions (am, sw_if_index);
753 *may_clear_sessions = 0;
758 * prepare or delete the lookup context if necessary, and if context exists, set ACL list
760 vec_validate_init_empty ((*pinout_lc_index_by_sw_if_index), sw_if_index,
762 if (vec_len (vec_acl_list_index) > 0)
764 u32 lc_index = (*pinout_lc_index_by_sw_if_index)[sw_if_index];
767 if (~0 == am->interface_acl_user_id)
768 am->interface_acl_user_id =
769 acl_plugin.register_user_module ("interface ACL", "sw_if_index",
772 acl_plugin.get_lookup_context_index (am->interface_acl_user_id,
773 sw_if_index, is_input);
774 (*pinout_lc_index_by_sw_if_index)[sw_if_index] = lc_index;
776 acl_plugin.set_acl_vec_for_context (lc_index, vec_acl_list_index);
780 if (~0 != (*pinout_lc_index_by_sw_if_index)[sw_if_index])
782 acl_plugin.put_lookup_context_index ((*pinout_lc_index_by_sw_if_index)[sw_if_index]);
783 (*pinout_lc_index_by_sw_if_index)[sw_if_index] = ~0;
787 /* ensure ACL processing is enabled/disabled as needed */
788 acl_interface_inout_enable_disable (am, sw_if_index, is_input,
789 vec_len (vec_acl_list_index) > 0);
792 clib_bitmap_free (change_acl_bitmap);
793 clib_bitmap_free (seen_acl_bitmap);
794 clib_bitmap_free (old_seen_acl_bitmap);
799 acl_interface_reset_inout_acls (u32 sw_if_index, u8 is_input,
800 int *may_clear_sessions)
802 acl_main_t *am = &acl_main;
803 void *oldheap = acl_set_heap (am);
804 acl_interface_set_inout_acl_list (am, sw_if_index, is_input, 0,
806 clib_mem_set_heap (oldheap);
810 acl_interface_add_del_inout_acl (u32 sw_if_index, u8 is_add, u8 is_input,
814 acl_main_t *am = &acl_main;
816 int may_clear_sessions = 1;
818 int error_already_applied = is_input ? VNET_API_ERROR_ACL_IN_USE_INBOUND
819 : VNET_API_ERROR_ACL_IN_USE_OUTBOUND;
821 u32 ***pinout_acl_vec_by_sw_if_index =
823 input_acl_vec_by_sw_if_index : &am->output_acl_vec_by_sw_if_index;
825 void *oldheap = acl_set_heap (am);
829 vec_validate ((*pinout_acl_vec_by_sw_if_index), sw_if_index);
830 u32 index = vec_search ((*pinout_acl_vec_by_sw_if_index)[sw_if_index],
835 rv = error_already_applied;
839 acl_vec = vec_dup ((*pinout_acl_vec_by_sw_if_index)[sw_if_index]);
840 vec_add1 (acl_vec, acl_list_index);
844 if (sw_if_index >= vec_len (*pinout_acl_vec_by_sw_if_index))
846 rv = VNET_API_ERROR_NO_SUCH_ENTRY;
850 u32 index = vec_search ((*pinout_acl_vec_by_sw_if_index)[sw_if_index],
855 rv = VNET_API_ERROR_NO_SUCH_ENTRY;
859 acl_vec = vec_dup ((*pinout_acl_vec_by_sw_if_index)[sw_if_index]);
860 vec_del1 (acl_vec, index);
863 rv = acl_interface_set_inout_acl_list (am, sw_if_index, is_input, acl_vec,
864 &may_clear_sessions);
867 clib_mem_set_heap (oldheap);
872 acl_set_etype_whitelists (acl_main_t * am, u32 sw_if_index, u16 * vec_in,
875 vec_validate (am->input_etype_whitelist_by_sw_if_index, sw_if_index);
876 vec_validate (am->output_etype_whitelist_by_sw_if_index, sw_if_index);
878 vec_free (am->input_etype_whitelist_by_sw_if_index[sw_if_index]);
879 vec_free (am->output_etype_whitelist_by_sw_if_index[sw_if_index]);
881 am->input_etype_whitelist_by_sw_if_index[sw_if_index] = vec_in;
882 am->output_etype_whitelist_by_sw_if_index[sw_if_index] = vec_out;
885 * if there are already inbound/outbound ACLs applied, toggle the
886 * enable/disable - this will recreate the necessary tables.
889 if (vec_len (am->input_acl_vec_by_sw_if_index) > sw_if_index)
891 if (vec_len (am->input_acl_vec_by_sw_if_index[sw_if_index]) > 0)
893 acl_interface_in_enable_disable (am, sw_if_index, 0);
894 acl_interface_in_enable_disable (am, sw_if_index, 1);
897 if (vec_len (am->output_acl_vec_by_sw_if_index) > sw_if_index)
899 if (vec_len (am->output_acl_vec_by_sw_if_index[sw_if_index]) > 0)
901 acl_interface_out_enable_disable (am, sw_if_index, 0);
902 acl_interface_out_enable_disable (am, sw_if_index, 1);
918 u32 dot1q_table_index;
919 u32 dot1ad_table_index;
920 u32 arp_dot1q_table_index;
921 u32 arp_dot1ad_table_index;
924 u32 out_arp_table_index;
925 u32 out_dot1q_table_index;
926 u32 out_dot1ad_table_index;
927 u32 out_arp_dot1q_table_index;
928 u32 out_arp_dot1ad_table_index;
929 } macip_match_type_t;
932 macip_find_match_type (macip_match_type_t * mv, u8 * mac_mask, u8 prefix_len,
938 for (i = 0; i < vec_len (mv); i++)
940 if ((mv[i].prefix_len == prefix_len) && (mv[i].is_ipv6 == is_ipv6)
941 && (0 == memcmp (mv[i].mac_mask, mac_mask, 6)))
951 /* Get metric used to sort match types.
952 The more specific and the more often seen - the bigger the metric */
954 match_type_metric (macip_match_type_t * m)
956 unsigned int mac_bits_set = 0;
957 unsigned int mac_byte;
959 for (i = 0; i < 6; i++)
961 mac_byte = m->mac_mask[i];
962 for (; mac_byte; mac_byte >>= 1)
963 mac_bits_set += mac_byte & 1;
966 * Attempt to place the more specific and the more used rules on top.
967 * There are obvious caveat corner cases to this, but they do not
968 * seem to be sensible in real world (e.g. specific IPv4 with wildcard MAC
969 * going with a wildcard IPv4 with a specific MAC).
971 return m->prefix_len + mac_bits_set + m->is_ipv6 + 10 * m->count;
975 match_type_compare (macip_match_type_t * m1, macip_match_type_t * m2)
977 /* Ascending sort based on the metric values */
978 return match_type_metric (m1) - match_type_metric (m2);
981 /* Get the offset of L3 source within ethernet packet */
983 get_l3_src_offset (int is6)
986 return (sizeof (ethernet_header_t) +
987 offsetof (ip6_header_t, src_address));
989 return (sizeof (ethernet_header_t) +
990 offsetof (ip4_header_t, src_address));
994 get_l3_dst_offset (int is6)
997 return (sizeof (ethernet_header_t) +
998 offsetof (ip6_header_t, dst_address));
1000 return (sizeof (ethernet_header_t) +
1001 offsetof (ip4_header_t, dst_address));
1005 * return if the is_permit value also requires to create the egress tables
1006 * For backwards compatibility, we keep the is_permit = 1 to only
1007 * create the ingress tables, and the new value of 3 will also
1008 * create the egress tables based on destination.
1011 macip_permit_also_egress (u8 is_permit)
1013 return (is_permit == 3);
1017 macip_create_classify_tables (acl_main_t * am, u32 macip_acl_index)
1019 macip_match_type_t *mvec = NULL;
1020 macip_match_type_t *mt;
1021 macip_acl_list_t *a = pool_elt_at_index (am->macip_acls, macip_acl_index);
1023 u32 match_type_index;
1027 vnet_classify_main_t *cm = &vnet_classify_main;
1029 /* Count the number of different types of rules */
1030 for (i = 0; i < a->count; i++)
1034 macip_find_match_type (mvec, a->rules[i].src_mac_mask,
1035 a->rules[i].src_prefixlen,
1036 a->rules[i].is_ipv6)))
1038 match_type_index = vec_len (mvec);
1039 vec_validate (mvec, match_type_index);
1040 memcpy (mvec[match_type_index].mac_mask,
1041 a->rules[i].src_mac_mask, 6);
1042 mvec[match_type_index].prefix_len = a->rules[i].src_prefixlen;
1043 mvec[match_type_index].is_ipv6 = a->rules[i].is_ipv6;
1044 mvec[match_type_index].has_egress = 0;
1045 mvec[match_type_index].table_index = ~0;
1046 mvec[match_type_index].arp_table_index = ~0;
1047 mvec[match_type_index].dot1q_table_index = ~0;
1048 mvec[match_type_index].dot1ad_table_index = ~0;
1049 mvec[match_type_index].arp_dot1q_table_index = ~0;
1050 mvec[match_type_index].arp_dot1ad_table_index = ~0;
1051 mvec[match_type_index].out_table_index = ~0;
1052 mvec[match_type_index].out_arp_table_index = ~0;
1053 mvec[match_type_index].out_dot1q_table_index = ~0;
1054 mvec[match_type_index].out_dot1ad_table_index = ~0;
1055 mvec[match_type_index].out_arp_dot1q_table_index = ~0;
1056 mvec[match_type_index].out_arp_dot1ad_table_index = ~0;
1058 mvec[match_type_index].count++;
1059 mvec[match_type_index].has_egress |=
1060 macip_permit_also_egress (a->rules[i].is_permit);
1062 /* Put the most frequently used tables last in the list so we can create classifier tables in reverse order */
1063 vec_sort_with_function (mvec, match_type_compare);
1064 /* Create the classifier tables */
1066 out_last_table = ~0;
1067 /* First add ARP tables */
1068 vec_foreach (mt, mvec)
1071 int is6 = mt->is_ipv6;
1073 u32 *last_tag_table;
1074 u32 *out_last_tag_table;
1081 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1082 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1083 | Destination Address |
1084 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1086 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
1088 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1089 | EtherType | Hardware Type |
1090 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1091 | Protocol Type | Hw addr len | Proto addr len|
1092 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1094 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
1095 | Sender Hardware Address |
1096 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1097 | Sender Protocol Address |
1098 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1099 | Target Hardware Address |
1100 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1101 | | TargetProtocolAddress |
1102 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1104 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1106 for (tags = 2; tags >= 0; tags--)
1108 clib_memset (mask, 0, sizeof (mask));
1109 /* source MAC address */
1110 memcpy (&mask[6], mt->mac_mask, 6);
1116 clib_memset (&mask[12], 0xff, 2); /* ethernet protocol */
1118 last_tag_table = &mt->arp_table_index;
1121 clib_memset (&mask[12], 0xff, 2); /* VLAN tag1 */
1122 clib_memset (&mask[16], 0xff, 2); /* ethernet protocol */
1124 last_tag_table = &mt->arp_dot1q_table_index;
1127 clib_memset (&mask[12], 0xff, 2); /* VLAN tag1 */
1128 clib_memset (&mask[16], 0xff, 2); /* VLAN tag2 */
1129 clib_memset (&mask[20], 0xff, 2); /* ethernet protocol */
1131 last_tag_table = &mt->arp_dot1ad_table_index;
1135 /* sender hardware address within ARP */
1136 memcpy (&mask[l3_offset + 8], mt->mac_mask, 6);
1137 /* sender protocol address within ARP */
1138 for (i = 0; i < (mt->prefix_len / 8); i++)
1139 mask[l3_offset + 14 + i] = 0xff;
1140 if (mt->prefix_len % 8)
1141 mask[l3_offset + 14 + (mt->prefix_len / 8)] =
1142 0xff - ((1 << (8 - mt->prefix_len % 8)) - 1);
1144 mask_len = ((l3_offset + 14 + ((mt->prefix_len + 7) / 8) +
1146 1)) / sizeof (u32x4)) * sizeof (u32x4);
1147 acl_classify_add_del_table_small (cm, mask, mask_len, last_table,
1148 (~0 == last_table) ? 0 : ~0,
1150 last_table = *last_tag_table;
1153 /* egress ARP table */
1154 clib_memset (mask, 0, sizeof (mask));
1160 clib_memset (&mask[12], 0xff, 2); /* ethernet protocol */
1162 out_last_tag_table = &mt->out_arp_table_index;
1165 clib_memset (&mask[12], 0xff, 2); /* VLAN tag1 */
1166 clib_memset (&mask[16], 0xff, 2); /* ethernet protocol */
1168 out_last_tag_table = &mt->out_arp_dot1q_table_index;
1171 clib_memset (&mask[12], 0xff, 2); /* VLAN tag1 */
1172 clib_memset (&mask[16], 0xff, 2); /* VLAN tag2 */
1173 clib_memset (&mask[20], 0xff, 2); /* ethernet protocol */
1175 out_last_tag_table = &mt->out_arp_dot1ad_table_index;
1179 /* AYXX: FIXME here - can we tighten the ARP-related table more ? */
1180 /* mask captures just the destination and the ethertype */
1181 mask_len = ((l3_offset +
1183 1)) / sizeof (u32x4)) * sizeof (u32x4);
1184 acl_classify_add_del_table_small (cm, mask, mask_len,
1187 out_last_table) ? 0 : ~0,
1188 out_last_tag_table, 1);
1189 out_last_table = *out_last_tag_table;
1194 /* Now add IP[46] tables */
1195 vec_foreach (mt, mvec)
1198 int is6 = mt->is_ipv6;
1202 u32 *last_tag_table;
1203 u32 *out_last_tag_table;
1206 * create chained tables for VLAN (no-tags, dot1q and dot1ad) packets
1208 for (tags = 2; tags >= 0; tags--)
1210 clib_memset (mask, 0, sizeof (mask));
1211 memcpy (&mask[6], mt->mac_mask, 6);
1212 l3_src_offs = tags * 4 + get_l3_src_offset (is6);
1217 clib_memset (&mask[12], 0xff, 2); /* ethernet protocol */
1218 last_tag_table = &mt->table_index;
1221 clib_memset (&mask[12], 0xff, 2); /* VLAN tag1 */
1222 clib_memset (&mask[16], 0xff, 2); /* ethernet protocol */
1223 last_tag_table = &mt->dot1q_table_index;
1226 clib_memset (&mask[12], 0xff, 2); /* VLAN tag1 */
1227 clib_memset (&mask[16], 0xff, 2); /* VLAN tag2 */
1228 clib_memset (&mask[20], 0xff, 2); /* ethernet protocol */
1229 last_tag_table = &mt->dot1ad_table_index;
1232 for (i = 0; i < (mt->prefix_len / 8); i++)
1234 mask[l3_src_offs + i] = 0xff;
1236 if (mt->prefix_len % 8)
1238 mask[l3_src_offs + (mt->prefix_len / 8)] =
1239 0xff - ((1 << (8 - mt->prefix_len % 8)) - 1);
1242 * Round-up the number of bytes needed to store the prefix,
1243 * and round up the number of vectors too
1245 mask_len = ((l3_src_offs + ((mt->prefix_len + 7) / 8) +
1246 (sizeof (u32x4) - 1)) / sizeof (u32x4)) * sizeof (u32x4);
1247 acl_classify_add_del_table_small (cm, mask, mask_len, last_table,
1248 (~0 == last_table) ? 0 : ~0,
1250 last_table = *last_tag_table;
1254 for (tags = 2; tags >= 0; tags--)
1256 clib_memset (mask, 0, sizeof (mask));
1257 /* MAC destination */
1258 memcpy (&mask[0], mt->mac_mask, 6);
1259 l3_dst_offs = tags * 4 + get_l3_dst_offset (is6);
1264 clib_memset (&mask[12], 0xff, 2); /* ethernet protocol */
1265 out_last_tag_table = &mt->out_table_index;
1268 clib_memset (&mask[12], 0xff, 2); /* VLAN tag1 */
1269 clib_memset (&mask[16], 0xff, 2); /* ethernet protocol */
1270 out_last_tag_table = &mt->out_dot1q_table_index;
1273 clib_memset (&mask[12], 0xff, 2); /* VLAN tag1 */
1274 clib_memset (&mask[16], 0xff, 2); /* VLAN tag2 */
1275 clib_memset (&mask[20], 0xff, 2); /* ethernet protocol */
1276 out_last_tag_table = &mt->out_dot1ad_table_index;
1279 for (i = 0; i < (mt->prefix_len / 8); i++)
1281 mask[l3_dst_offs + i] = 0xff;
1283 if (mt->prefix_len % 8)
1285 mask[l3_dst_offs + (mt->prefix_len / 8)] =
1286 0xff - ((1 << (8 - mt->prefix_len % 8)) - 1);
1289 * Round-up the number of bytes needed to store the prefix,
1290 * and round up the number of vectors too
1292 mask_len = ((l3_dst_offs + ((mt->prefix_len + 7) / 8) +
1294 1)) / sizeof (u32x4)) * sizeof (u32x4);
1295 acl_classify_add_del_table_small (cm, mask, mask_len,
1297 (~0 == out_last_table) ? 0 : ~0,
1298 out_last_tag_table, 1);
1299 out_last_table = *out_last_tag_table;
1303 a->ip4_table_index = last_table;
1304 a->ip6_table_index = last_table;
1305 a->l2_table_index = last_table;
1307 a->out_ip4_table_index = out_last_table;
1308 a->out_ip6_table_index = out_last_table;
1309 a->out_l2_table_index = out_last_table;
1311 /* Populate the classifier tables with rules from the MACIP ACL */
1312 for (i = 0; i < a->count; i++)
1316 int is6 = a->rules[i].is_ipv6;
1323 macip_find_match_type (mvec, a->rules[i].src_mac_mask,
1324 a->rules[i].src_prefixlen,
1325 a->rules[i].is_ipv6);
1326 ASSERT (match_type_index != ~0);
1328 for (tags = 2; tags >= 0; tags--)
1330 clib_memset (mask, 0, sizeof (mask));
1331 l3_src_offs = tags * 4 + get_l3_src_offset (is6);
1332 memcpy (&mask[6], a->rules[i].src_mac, 6);
1337 tag_table = mvec[match_type_index].table_index;
1341 tag_table = mvec[match_type_index].dot1q_table_index;
1347 tag_table = mvec[match_type_index].dot1ad_table_index;
1357 memcpy (&mask[l3_src_offs], &a->rules[i].src_ip_addr.ip6, 16);
1359 mask[eth + 1] = 0xdd;
1363 memcpy (&mask[l3_src_offs], &a->rules[i].src_ip_addr.ip4, 4);
1365 mask[eth + 1] = 0x00;
1368 /* add session to table mvec[match_type_index].table_index; */
1369 vnet_classify_add_del_session (cm, tag_table,
1370 mask, a->rules[i].is_permit ? ~0 : 0,
1371 i, 0, action, metadata, 1);
1372 clib_memset (&mask[12], 0, sizeof (mask) - 12);
1375 /* add ARP table entry too */
1376 if (!is6 && (mvec[match_type_index].arp_table_index != ~0))
1378 clib_memset (mask, 0, sizeof (mask));
1379 memcpy (&mask[6], a->rules[i].src_mac, 6);
1381 for (tags = 2; tags >= 0; tags--)
1387 tag_table = mvec[match_type_index].arp_table_index;
1393 tag_table = mvec[match_type_index].arp_dot1q_table_index;
1401 tag_table = mvec[match_type_index].arp_dot1ad_table_index;
1412 memcpy (&mask[l3_src_offs + 8], a->rules[i].src_mac, 6);
1413 memcpy (&mask[l3_src_offs + 14], &a->rules[i].src_ip_addr.ip4,
1415 vnet_classify_add_del_session (cm, tag_table, mask,
1416 a->rules[i].is_permit ? ~0 : 0,
1417 i, 0, action, metadata, 1);
1420 if (macip_permit_also_egress (a->rules[i].is_permit))
1422 /* Add the egress entry with destination set */
1423 for (tags = 2; tags >= 0; tags--)
1425 clib_memset (mask, 0, sizeof (mask));
1426 l3_dst_offs = tags * 4 + get_l3_dst_offset (is6);
1427 /* src mac in the other direction becomes dst */
1428 memcpy (&mask[0], a->rules[i].src_mac, 6);
1433 tag_table = mvec[match_type_index].out_table_index;
1437 tag_table = mvec[match_type_index].out_dot1q_table_index;
1443 tag_table = mvec[match_type_index].out_dot1ad_table_index;
1453 memcpy (&mask[l3_dst_offs], &a->rules[i].src_ip_addr.ip6,
1456 mask[eth + 1] = 0xdd;
1460 memcpy (&mask[l3_dst_offs], &a->rules[i].src_ip_addr.ip4,
1463 mask[eth + 1] = 0x00;
1466 /* add session to table mvec[match_type_index].table_index; */
1467 vnet_classify_add_del_session (cm, tag_table,
1469 a->rules[i].is_permit ? ~0 : 0,
1470 i, 0, action, metadata, 1);
1471 // clib_memset (&mask[12], 0, sizeof (mask) - 12);
1474 /* add ARP table entry too */
1475 if (!is6 && (mvec[match_type_index].out_arp_table_index != ~0))
1477 for (tags = 2; tags >= 0; tags--)
1479 clib_memset (mask, 0, sizeof (mask));
1484 tag_table = mvec[match_type_index].out_arp_table_index;
1490 mvec[match_type_index].out_arp_dot1q_table_index;
1498 mvec[match_type_index].out_arp_dot1ad_table_index;
1508 vnet_classify_add_del_session (cm, tag_table,
1511 rules[i].is_permit ? ~0 : 0,
1512 i, 0, action, metadata, 1);
1521 macip_destroy_classify_tables (acl_main_t * am, u32 macip_acl_index)
1523 vnet_classify_main_t *cm = &vnet_classify_main;
1524 macip_acl_list_t *a = pool_elt_at_index (am->macip_acls, macip_acl_index);
1526 if (a->ip4_table_index != ~0)
1528 acl_classify_add_del_table_small (cm, 0, ~0, ~0, ~0,
1529 &a->ip4_table_index, 0);
1530 a->ip4_table_index = ~0;
1532 if (a->ip6_table_index != ~0)
1534 acl_classify_add_del_table_small (cm, 0, ~0, ~0, ~0,
1535 &a->ip6_table_index, 0);
1536 a->ip6_table_index = ~0;
1538 if (a->l2_table_index != ~0)
1540 acl_classify_add_del_table_small (cm, 0, ~0, ~0, ~0, &a->l2_table_index,
1542 a->l2_table_index = ~0;
1544 if (a->out_ip4_table_index != ~0)
1546 acl_classify_add_del_table_small (cm, 0, ~0, ~0, ~0,
1547 &a->out_ip4_table_index, 0);
1548 a->out_ip4_table_index = ~0;
1550 if (a->out_ip6_table_index != ~0)
1552 acl_classify_add_del_table_small (cm, 0, ~0, ~0, ~0,
1553 &a->out_ip6_table_index, 0);
1554 a->out_ip6_table_index = ~0;
1556 if (a->out_l2_table_index != ~0)
1558 acl_classify_add_del_table_small (cm, 0, ~0, ~0, ~0,
1559 &a->out_l2_table_index, 0);
1560 a->out_l2_table_index = ~0;
1565 macip_maybe_apply_unapply_classifier_tables (acl_main_t * am, u32 acl_index,
1571 macip_acl_list_t *a = pool_elt_at_index (am->macip_acls, acl_index);
1573 for (i = 0; i < vec_len (am->macip_acl_by_sw_if_index); i++)
1574 if (vec_elt (am->macip_acl_by_sw_if_index, i) == acl_index)
1576 rv0 = vnet_set_input_acl_intfc (am->vlib_main, i, a->ip4_table_index,
1577 a->ip6_table_index, a->l2_table_index,
1579 /* return the first unhappy outcome but make try to plough through. */
1582 vnet_set_output_acl_intfc (am->vlib_main, i, a->out_ip4_table_index,
1583 a->out_ip6_table_index,
1584 a->out_l2_table_index, is_apply);
1585 /* return the first unhappy outcome but make try to plough through. */
1592 macip_acl_add_list (u32 count, vl_api_macip_acl_rule_t rules[],
1593 u32 * acl_list_index, u8 * tag)
1595 acl_main_t *am = &acl_main;
1596 macip_acl_list_t *a;
1597 macip_acl_rule_t *r;
1598 macip_acl_rule_t *acl_new_rules = 0;
1602 if (*acl_list_index != ~0)
1604 /* They supplied some number, let's see if this MACIP ACL exists */
1605 if (pool_is_free_index (am->macip_acls, *acl_list_index))
1607 /* tried to replace a non-existent ACL, no point doing anything */
1609 ("acl-plugin-error: Trying to replace nonexistent MACIP ACL %d (tag %s)",
1610 *acl_list_index, tag);
1611 return VNET_API_ERROR_NO_SUCH_ENTRY;
1618 ("acl-plugin-warning: Trying to create empty MACIP ACL (tag %s)",
1621 /* if replacing the ACL, unapply the classifier tables first - they will be gone.. */
1622 if (~0 != *acl_list_index)
1623 rv = macip_maybe_apply_unapply_classifier_tables (am, *acl_list_index, 0);
1624 void *oldheap = acl_set_heap (am);
1625 /* Create and populate the rules */
1627 vec_validate (acl_new_rules, count - 1);
1629 for (i = 0; i < count; i++)
1631 r = &acl_new_rules[i];
1632 r->is_permit = rules[i].is_permit;
1633 r->is_ipv6 = rules[i].is_ipv6;
1634 memcpy (&r->src_mac, rules[i].src_mac, 6);
1635 memcpy (&r->src_mac_mask, rules[i].src_mac_mask, 6);
1636 if (rules[i].is_ipv6)
1637 memcpy (&r->src_ip_addr.ip6, rules[i].src_ip_addr, 16);
1639 memcpy (&r->src_ip_addr.ip4, rules[i].src_ip_addr, 4);
1640 r->src_prefixlen = rules[i].src_ip_prefix_len;
1643 if (~0 == *acl_list_index)
1646 pool_get_aligned (am->macip_acls, a, CLIB_CACHE_LINE_BYTES);
1647 clib_memset (a, 0, sizeof (*a));
1648 /* Will return the newly allocated ACL index */
1649 *acl_list_index = a - am->macip_acls;
1653 a = pool_elt_at_index (am->macip_acls, *acl_list_index);
1656 vec_free (a->rules);
1658 macip_destroy_classify_tables (am, *acl_list_index);
1661 a->rules = acl_new_rules;
1663 memcpy (a->tag, tag, sizeof (a->tag));
1665 /* Create and populate the classifier tables */
1666 macip_create_classify_tables (am, *acl_list_index);
1667 clib_mem_set_heap (oldheap);
1668 /* If the ACL was already applied somewhere, reapply the newly created tables */
1670 || macip_maybe_apply_unapply_classifier_tables (am, *acl_list_index, 1);
1674 /* No check that sw_if_index denotes a valid interface - the callers
1675 * were supposed to validate.
1677 * That said, if sw_if_index corresponds to an interface that exists at all,
1678 * this function must return errors accordingly if the ACL is not applied.
1682 macip_acl_interface_del_acl (acl_main_t * am, u32 sw_if_index)
1685 u32 macip_acl_index;
1686 macip_acl_list_t *a;
1688 /* The vector is too short - MACIP ACL is not applied */
1689 if (sw_if_index >= vec_len (am->macip_acl_by_sw_if_index))
1690 return VNET_API_ERROR_NO_SUCH_ENTRY;
1692 macip_acl_index = am->macip_acl_by_sw_if_index[sw_if_index];
1693 /* No point in deleting MACIP ACL which is not applied */
1694 if (~0 == macip_acl_index)
1695 return VNET_API_ERROR_NO_SUCH_ENTRY;
1697 a = pool_elt_at_index (am->macip_acls, macip_acl_index);
1698 /* remove the classifier tables off the interface L2 ACL */
1700 vnet_set_input_acl_intfc (am->vlib_main, sw_if_index, a->ip4_table_index,
1701 a->ip6_table_index, a->l2_table_index, 0);
1703 vnet_set_output_acl_intfc (am->vlib_main, sw_if_index,
1704 a->out_ip4_table_index, a->out_ip6_table_index,
1705 a->out_l2_table_index, 0);
1706 /* Unset the MACIP ACL index */
1707 am->macip_acl_by_sw_if_index[sw_if_index] = ~0;
1708 /* macip_acl_interface_add_acl did a vec_add1() to this previously, so [sw_if_index] should be valid */
1709 u32 index = vec_search (am->sw_if_index_vec_by_macip_acl[macip_acl_index],
1712 vec_del1 (am->sw_if_index_vec_by_macip_acl[macip_acl_index], index);
1716 /* No check for validity of sw_if_index - the callers were supposed to validate */
1719 macip_acl_interface_add_acl (acl_main_t * am, u32 sw_if_index,
1720 u32 macip_acl_index)
1722 macip_acl_list_t *a;
1724 if (pool_is_free_index (am->macip_acls, macip_acl_index))
1726 return VNET_API_ERROR_NO_SUCH_ENTRY;
1728 void *oldheap = acl_set_heap (am);
1729 a = pool_elt_at_index (am->macip_acls, macip_acl_index);
1730 vec_validate_init_empty (am->macip_acl_by_sw_if_index, sw_if_index, ~0);
1731 vec_validate (am->sw_if_index_vec_by_macip_acl, macip_acl_index);
1732 vec_add1 (am->sw_if_index_vec_by_macip_acl[macip_acl_index], sw_if_index);
1733 clib_mem_set_heap (oldheap);
1734 /* If there already a MACIP ACL applied, unapply it */
1735 if (~0 != am->macip_acl_by_sw_if_index[sw_if_index])
1736 macip_acl_interface_del_acl (am, sw_if_index);
1737 am->macip_acl_by_sw_if_index[sw_if_index] = macip_acl_index;
1739 /* Apply the classifier tables for L2 ACLs */
1741 vnet_set_input_acl_intfc (am->vlib_main, sw_if_index, a->ip4_table_index,
1742 a->ip6_table_index, a->l2_table_index, 1);
1744 vnet_set_output_acl_intfc (am->vlib_main, sw_if_index,
1745 a->out_ip4_table_index, a->out_ip6_table_index,
1746 a->out_l2_table_index, 1);
1751 macip_acl_del_list (u32 acl_list_index)
1753 acl_main_t *am = &acl_main;
1754 macip_acl_list_t *a;
1756 if (pool_is_free_index (am->macip_acls, acl_list_index))
1758 return VNET_API_ERROR_NO_SUCH_ENTRY;
1761 /* delete any references to the ACL */
1762 for (i = 0; i < vec_len (am->macip_acl_by_sw_if_index); i++)
1764 if (am->macip_acl_by_sw_if_index[i] == acl_list_index)
1766 macip_acl_interface_del_acl (am, i);
1770 void *oldheap = acl_set_heap (am);
1771 /* Now that classifier tables are detached, clean them up */
1772 macip_destroy_classify_tables (am, acl_list_index);
1774 /* now we can delete the ACL itself */
1775 a = pool_elt_at_index (am->macip_acls, acl_list_index);
1778 vec_free (a->rules);
1780 pool_put (am->macip_acls, a);
1781 clib_mem_set_heap (oldheap);
1787 macip_acl_interface_add_del_acl (u32 sw_if_index, u8 is_add,
1790 acl_main_t *am = &acl_main;
1794 rv = macip_acl_interface_add_acl (am, sw_if_index, acl_list_index);
1798 rv = macip_acl_interface_del_acl (am, sw_if_index);
1804 * If the client does not allocate enough memory for a variable-length
1805 * message, and then proceed to use it as if the full memory allocated,
1806 * absent the check we happily consume that on the VPP side, and go
1807 * along as if nothing happened. However, the resulting
1808 * effects range from just garbage in the API decode
1809 * (because the decoder snoops too far), to potential memory
1812 * This verifies that the actual length of the message is
1813 * at least expected_len, and complains loudly if it is not.
1815 * A failing check here is 100% a software bug on the API user side,
1816 * so we might as well yell.
1820 verify_message_len (void *mp, u32 expected_len, char *where)
1822 u32 supplied_len = vl_msg_api_get_msg_length (mp);
1823 if (supplied_len < expected_len)
1825 clib_warning ("%s: Supplied message length %d is less than expected %d",
1826 where, supplied_len, expected_len);
1835 /* API message handler */
1837 vl_api_acl_add_replace_t_handler (vl_api_acl_add_replace_t * mp)
1839 vl_api_acl_add_replace_reply_t *rmp;
1840 acl_main_t *am = &acl_main;
1842 u32 acl_list_index = ntohl (mp->acl_index);
1843 u32 acl_count = ntohl (mp->count);
1844 u32 expected_len = sizeof (*mp) + acl_count * sizeof (mp->r[0]);
1846 if (verify_message_len (mp, expected_len, "acl_add_replace"))
1848 rv = acl_add_list (acl_count, mp->r, &acl_list_index, mp->tag);
1852 rv = VNET_API_ERROR_INVALID_VALUE;
1856 REPLY_MACRO2(VL_API_ACL_ADD_REPLACE_REPLY,
1858 rmp->acl_index = htonl(acl_list_index);
1864 vl_api_acl_del_t_handler (vl_api_acl_del_t * mp)
1866 acl_main_t *am = &acl_main;
1867 vl_api_acl_del_reply_t *rmp;
1870 rv = acl_del_list (ntohl (mp->acl_index));
1872 REPLY_MACRO (VL_API_ACL_DEL_REPLY);
1876 vl_api_acl_interface_add_del_t_handler (vl_api_acl_interface_add_del_t * mp)
1878 acl_main_t *am = &acl_main;
1879 vnet_interface_main_t *im = &am->vnet_main->interface_main;
1880 u32 sw_if_index = ntohl (mp->sw_if_index);
1881 vl_api_acl_interface_add_del_reply_t *rmp;
1884 if (pool_is_free_index (im->sw_interfaces, sw_if_index))
1885 rv = VNET_API_ERROR_INVALID_SW_IF_INDEX;
1888 acl_interface_add_del_inout_acl (sw_if_index, mp->is_add,
1889 mp->is_input, ntohl (mp->acl_index));
1891 REPLY_MACRO (VL_API_ACL_INTERFACE_ADD_DEL_REPLY);
1895 vl_api_acl_interface_set_acl_list_t_handler
1896 (vl_api_acl_interface_set_acl_list_t * mp)
1898 acl_main_t *am = &acl_main;
1899 vl_api_acl_interface_set_acl_list_reply_t *rmp;
1902 vnet_interface_main_t *im = &am->vnet_main->interface_main;
1903 u32 sw_if_index = ntohl (mp->sw_if_index);
1905 if (pool_is_free_index (im->sw_interfaces, sw_if_index))
1906 rv = VNET_API_ERROR_INVALID_SW_IF_INDEX;
1909 int may_clear_sessions = 1;
1910 for (i = 0; i < mp->count; i++)
1912 if (acl_is_not_defined (am, ntohl (mp->acls[i])))
1914 /* ACL does not exist, so we can not apply it */
1915 rv = VNET_API_ERROR_NO_SUCH_ENTRY;
1920 void *oldheap = acl_set_heap (am);
1922 u32 *in_acl_vec = 0;
1923 u32 *out_acl_vec = 0;
1924 for (i = 0; i < mp->count; i++)
1925 if (i < mp->n_input)
1926 vec_add1 (in_acl_vec, clib_net_to_host_u32 (mp->acls[i]));
1928 vec_add1 (out_acl_vec, clib_net_to_host_u32 (mp->acls[i]));
1931 acl_interface_set_inout_acl_list (am, sw_if_index, 0, out_acl_vec,
1932 &may_clear_sessions);
1934 || acl_interface_set_inout_acl_list (am, sw_if_index, 1,
1936 &may_clear_sessions);
1937 vec_free (in_acl_vec);
1938 vec_free (out_acl_vec);
1939 clib_mem_set_heap (oldheap);
1943 REPLY_MACRO (VL_API_ACL_INTERFACE_SET_ACL_LIST_REPLY);
1947 copy_acl_rule_to_api_rule (vl_api_acl_rule_t * api_rule, acl_rule_t * r)
1949 api_rule->is_permit = r->is_permit;
1950 api_rule->is_ipv6 = r->is_ipv6;
1953 memcpy (api_rule->src_ip_addr, &r->src, sizeof (r->src));
1954 memcpy (api_rule->dst_ip_addr, &r->dst, sizeof (r->dst));
1958 memcpy (api_rule->src_ip_addr, &r->src.ip4, sizeof (r->src.ip4));
1959 memcpy (api_rule->dst_ip_addr, &r->dst.ip4, sizeof (r->dst.ip4));
1961 api_rule->src_ip_prefix_len = r->src_prefixlen;
1962 api_rule->dst_ip_prefix_len = r->dst_prefixlen;
1963 api_rule->proto = r->proto;
1964 api_rule->srcport_or_icmptype_first = htons (r->src_port_or_type_first);
1965 api_rule->srcport_or_icmptype_last = htons (r->src_port_or_type_last);
1966 api_rule->dstport_or_icmpcode_first = htons (r->dst_port_or_code_first);
1967 api_rule->dstport_or_icmpcode_last = htons (r->dst_port_or_code_last);
1968 api_rule->tcp_flags_mask = r->tcp_flags_mask;
1969 api_rule->tcp_flags_value = r->tcp_flags_value;
1973 send_acl_details (acl_main_t * am, vl_api_registration_t * reg,
1974 acl_list_t * acl, u32 context)
1976 vl_api_acl_details_t *mp;
1977 vl_api_acl_rule_t *rules;
1979 int msg_size = sizeof (*mp) + sizeof (mp->r[0]) * acl->count;
1980 void *oldheap = acl_set_heap (am);
1982 mp = vl_msg_api_alloc (msg_size);
1983 clib_memset (mp, 0, msg_size);
1984 mp->_vl_msg_id = ntohs (VL_API_ACL_DETAILS + am->msg_id_base);
1986 /* fill in the message */
1987 mp->context = context;
1988 mp->count = htonl (acl->count);
1989 mp->acl_index = htonl (acl - am->acls);
1990 memcpy (mp->tag, acl->tag, sizeof (mp->tag));
1991 // clib_memcpy (mp->r, acl->rules, acl->count * sizeof(acl->rules[0]));
1993 for (i = 0; i < acl->count; i++)
1995 copy_acl_rule_to_api_rule (&rules[i], &acl->rules[i]);
1998 clib_mem_set_heap (oldheap);
1999 vl_api_send_msg (reg, (u8 *) mp);
2004 vl_api_acl_dump_t_handler (vl_api_acl_dump_t * mp)
2006 acl_main_t *am = &acl_main;
2010 vl_api_registration_t *reg;
2012 reg = vl_api_client_index_to_registration (mp->client_index);
2016 if (mp->acl_index == ~0)
2019 /* Just dump all ACLs */
2020 pool_foreach (acl, am->acls,
2022 send_acl_details(am, reg, acl, mp->context);
2028 acl_index = ntohl (mp->acl_index);
2029 if (!pool_is_free_index (am->acls, acl_index))
2031 acl = pool_elt_at_index (am->acls, acl_index);
2032 send_acl_details (am, reg, acl, mp->context);
2038 /* FIXME API: should we signal an error here at all ? */
2044 send_acl_interface_list_details (acl_main_t * am,
2045 vl_api_registration_t * reg,
2046 u32 sw_if_index, u32 context)
2048 vl_api_acl_interface_list_details_t *mp;
2054 void *oldheap = acl_set_heap (am);
2056 vec_validate (am->input_acl_vec_by_sw_if_index, sw_if_index);
2057 vec_validate (am->output_acl_vec_by_sw_if_index, sw_if_index);
2059 clib_mem_set_heap (oldheap);
2061 n_input = vec_len (am->input_acl_vec_by_sw_if_index[sw_if_index]);
2062 n_output = vec_len (am->output_acl_vec_by_sw_if_index[sw_if_index]);
2063 count = n_input + n_output;
2065 msg_size = sizeof (*mp);
2066 msg_size += sizeof (mp->acls[0]) * count;
2068 mp = vl_msg_api_alloc (msg_size);
2069 clib_memset (mp, 0, msg_size);
2071 ntohs (VL_API_ACL_INTERFACE_LIST_DETAILS + am->msg_id_base);
2073 /* fill in the message */
2074 mp->context = context;
2075 mp->sw_if_index = htonl (sw_if_index);
2077 mp->n_input = n_input;
2078 for (i = 0; i < n_input; i++)
2080 mp->acls[i] = htonl (am->input_acl_vec_by_sw_if_index[sw_if_index][i]);
2082 for (i = 0; i < n_output; i++)
2084 mp->acls[n_input + i] =
2085 htonl (am->output_acl_vec_by_sw_if_index[sw_if_index][i]);
2087 vl_api_send_msg (reg, (u8 *) mp);
2091 vl_api_acl_interface_list_dump_t_handler (vl_api_acl_interface_list_dump_t *
2094 acl_main_t *am = &acl_main;
2095 vnet_sw_interface_t *swif;
2096 vnet_interface_main_t *im = &am->vnet_main->interface_main;
2099 vl_api_registration_t *reg;
2101 reg = vl_api_client_index_to_registration (mp->client_index);
2105 if (mp->sw_if_index == ~0)
2108 pool_foreach (swif, im->sw_interfaces,
2110 send_acl_interface_list_details(am, reg, swif->sw_if_index, mp->context);
2116 sw_if_index = ntohl (mp->sw_if_index);
2117 if (!pool_is_free_index (im->sw_interfaces, sw_if_index))
2118 send_acl_interface_list_details (am, reg, sw_if_index, mp->context);
2122 /* MACIP ACL API handlers */
2125 vl_api_macip_acl_add_t_handler (vl_api_macip_acl_add_t * mp)
2127 vl_api_macip_acl_add_reply_t *rmp;
2128 acl_main_t *am = &acl_main;
2130 u32 acl_list_index = ~0;
2131 u32 acl_count = ntohl (mp->count);
2132 u32 expected_len = sizeof (*mp) + acl_count * sizeof (mp->r[0]);
2134 if (verify_message_len (mp, expected_len, "macip_acl_add"))
2136 rv = macip_acl_add_list (acl_count, mp->r, &acl_list_index, mp->tag);
2140 rv = VNET_API_ERROR_INVALID_VALUE;
2144 REPLY_MACRO2(VL_API_MACIP_ACL_ADD_REPLY,
2146 rmp->acl_index = htonl(acl_list_index);
2152 vl_api_macip_acl_add_replace_t_handler (vl_api_macip_acl_add_replace_t * mp)
2154 vl_api_macip_acl_add_replace_reply_t *rmp;
2155 acl_main_t *am = &acl_main;
2157 u32 acl_list_index = ntohl (mp->acl_index);
2158 u32 acl_count = ntohl (mp->count);
2159 u32 expected_len = sizeof (*mp) + acl_count * sizeof (mp->r[0]);
2161 if (verify_message_len (mp, expected_len, "macip_acl_add_replace"))
2163 rv = macip_acl_add_list (acl_count, mp->r, &acl_list_index, mp->tag);
2167 rv = VNET_API_ERROR_INVALID_VALUE;
2171 REPLY_MACRO2(VL_API_MACIP_ACL_ADD_REPLACE_REPLY,
2173 rmp->acl_index = htonl(acl_list_index);
2179 vl_api_macip_acl_del_t_handler (vl_api_macip_acl_del_t * mp)
2181 acl_main_t *am = &acl_main;
2182 vl_api_macip_acl_del_reply_t *rmp;
2185 rv = macip_acl_del_list (ntohl (mp->acl_index));
2187 REPLY_MACRO (VL_API_MACIP_ACL_DEL_REPLY);
2191 vl_api_macip_acl_interface_add_del_t_handler
2192 (vl_api_macip_acl_interface_add_del_t * mp)
2194 acl_main_t *am = &acl_main;
2195 vl_api_macip_acl_interface_add_del_reply_t *rmp;
2197 vnet_interface_main_t *im = &am->vnet_main->interface_main;
2198 u32 sw_if_index = ntohl (mp->sw_if_index);
2200 if (pool_is_free_index (im->sw_interfaces, sw_if_index))
2201 rv = VNET_API_ERROR_INVALID_SW_IF_INDEX;
2204 macip_acl_interface_add_del_acl (ntohl (mp->sw_if_index), mp->is_add,
2205 ntohl (mp->acl_index));
2207 REPLY_MACRO (VL_API_MACIP_ACL_INTERFACE_ADD_DEL_REPLY);
2211 send_macip_acl_details (acl_main_t * am, vl_api_registration_t * reg,
2212 macip_acl_list_t * acl, u32 context)
2214 vl_api_macip_acl_details_t *mp;
2215 vl_api_macip_acl_rule_t *rules;
2216 macip_acl_rule_t *r;
2218 int msg_size = sizeof (*mp) + (acl ? sizeof (mp->r[0]) * acl->count : 0);
2220 mp = vl_msg_api_alloc (msg_size);
2221 clib_memset (mp, 0, msg_size);
2222 mp->_vl_msg_id = ntohs (VL_API_MACIP_ACL_DETAILS + am->msg_id_base);
2224 /* fill in the message */
2225 mp->context = context;
2228 memcpy (mp->tag, acl->tag, sizeof (mp->tag));
2229 mp->count = htonl (acl->count);
2230 mp->acl_index = htonl (acl - am->macip_acls);
2232 for (i = 0; i < acl->count; i++)
2235 rules[i].is_permit = r->is_permit;
2236 rules[i].is_ipv6 = r->is_ipv6;
2237 memcpy (rules[i].src_mac, &r->src_mac, sizeof (r->src_mac));
2238 memcpy (rules[i].src_mac_mask, &r->src_mac_mask,
2239 sizeof (r->src_mac_mask));
2241 memcpy (rules[i].src_ip_addr, &r->src_ip_addr.ip6,
2242 sizeof (r->src_ip_addr.ip6));
2244 memcpy (rules[i].src_ip_addr, &r->src_ip_addr.ip4,
2245 sizeof (r->src_ip_addr.ip4));
2246 rules[i].src_ip_prefix_len = r->src_prefixlen;
2251 /* No martini, no party - no ACL applied to this interface. */
2256 vl_api_send_msg (reg, (u8 *) mp);
2261 vl_api_macip_acl_dump_t_handler (vl_api_macip_acl_dump_t * mp)
2263 acl_main_t *am = &acl_main;
2264 macip_acl_list_t *acl;
2266 vl_api_registration_t *reg;
2268 reg = vl_api_client_index_to_registration (mp->client_index);
2272 if (mp->acl_index == ~0)
2274 /* Just dump all ACLs for now, with sw_if_index = ~0 */
2275 pool_foreach (acl, am->macip_acls, (
2277 send_macip_acl_details (am, reg,
2286 u32 acl_index = ntohl (mp->acl_index);
2287 if (!pool_is_free_index (am->macip_acls, acl_index))
2289 acl = pool_elt_at_index (am->macip_acls, acl_index);
2290 send_macip_acl_details (am, reg, acl, mp->context);
2296 vl_api_macip_acl_interface_get_t_handler (vl_api_macip_acl_interface_get_t *
2299 acl_main_t *am = &acl_main;
2300 vl_api_macip_acl_interface_get_reply_t *rmp;
2301 u32 count = vec_len (am->macip_acl_by_sw_if_index);
2302 int msg_size = sizeof (*rmp) + sizeof (rmp->acls[0]) * count;
2303 vl_api_registration_t *reg;
2306 reg = vl_api_client_index_to_registration (mp->client_index);
2310 rmp = vl_msg_api_alloc (msg_size);
2311 clib_memset (rmp, 0, msg_size);
2313 ntohs (VL_API_MACIP_ACL_INTERFACE_GET_REPLY + am->msg_id_base);
2314 rmp->context = mp->context;
2315 rmp->count = htonl (count);
2316 for (i = 0; i < count; i++)
2318 rmp->acls[i] = htonl (am->macip_acl_by_sw_if_index[i]);
2321 vl_api_send_msg (reg, (u8 *) rmp);
2325 send_macip_acl_interface_list_details (acl_main_t * am,
2326 vl_api_registration_t * reg,
2328 u32 acl_index, u32 context)
2330 vl_api_macip_acl_interface_list_details_t *rmp;
2331 /* at this time there is only ever 1 mac ip acl per interface */
2332 int msg_size = sizeof (*rmp) + sizeof (rmp->acls[0]);
2334 rmp = vl_msg_api_alloc (msg_size);
2335 clib_memset (rmp, 0, msg_size);
2337 ntohs (VL_API_MACIP_ACL_INTERFACE_LIST_DETAILS + am->msg_id_base);
2339 /* fill in the message */
2340 rmp->context = context;
2342 rmp->sw_if_index = htonl (sw_if_index);
2343 rmp->acls[0] = htonl (acl_index);
2345 vl_api_send_msg (reg, (u8 *) rmp);
2349 vl_api_macip_acl_interface_list_dump_t_handler
2350 (vl_api_macip_acl_interface_list_dump_t * mp)
2352 vl_api_registration_t *reg;
2353 acl_main_t *am = &acl_main;
2354 u32 sw_if_index = ntohl (mp->sw_if_index);
2356 reg = vl_api_client_index_to_registration (mp->client_index);
2360 if (sw_if_index == ~0)
2362 vec_foreach_index (sw_if_index, am->macip_acl_by_sw_if_index)
2364 if (~0 != am->macip_acl_by_sw_if_index[sw_if_index])
2366 send_macip_acl_interface_list_details (am, reg, sw_if_index,
2367 am->macip_acl_by_sw_if_index
2375 if (vec_len (am->macip_acl_by_sw_if_index) > sw_if_index)
2377 send_macip_acl_interface_list_details (am, reg, sw_if_index,
2378 am->macip_acl_by_sw_if_index
2379 [sw_if_index], mp->context);
2385 vl_api_acl_interface_set_etype_whitelist_t_handler
2386 (vl_api_acl_interface_set_etype_whitelist_t * mp)
2388 acl_main_t *am = &acl_main;
2389 vl_api_acl_interface_set_etype_whitelist_reply_t *rmp;
2392 vnet_interface_main_t *im = &am->vnet_main->interface_main;
2393 u32 sw_if_index = ntohl (mp->sw_if_index);
2394 u16 *vec_in = 0, *vec_out = 0;
2395 void *oldheap = acl_set_heap (am);
2397 if (pool_is_free_index (im->sw_interfaces, sw_if_index))
2398 rv = VNET_API_ERROR_INVALID_SW_IF_INDEX;
2401 for (i = 0; i < mp->count; i++)
2403 if (i < mp->n_input)
2404 vec_add1 (vec_in, ntohs (mp->whitelist[i]));
2406 vec_add1 (vec_out, ntohs (mp->whitelist[i]));
2408 rv = acl_set_etype_whitelists (am, sw_if_index, vec_in, vec_out);
2411 clib_mem_set_heap (oldheap);
2412 REPLY_MACRO (VL_API_ACL_INTERFACE_SET_ETYPE_WHITELIST_REPLY);
2416 send_acl_interface_etype_whitelist_details (acl_main_t * am,
2417 vl_api_registration_t * reg,
2418 u32 sw_if_index, u32 context)
2420 vl_api_acl_interface_etype_whitelist_details_t *mp;
2427 u16 *whitelist_in = 0;
2428 u16 *whitelist_out = 0;
2430 if (intf_has_etype_whitelist (am, sw_if_index, 0))
2432 vec_elt (am->output_etype_whitelist_by_sw_if_index, sw_if_index);
2434 if (intf_has_etype_whitelist (am, sw_if_index, 1))
2436 vec_elt (am->input_etype_whitelist_by_sw_if_index, sw_if_index);
2438 if ((0 == whitelist_in) && (0 == whitelist_out))
2439 return; /* nothing to do */
2441 void *oldheap = acl_set_heap (am);
2443 n_input = vec_len (whitelist_in);
2444 n_output = vec_len (whitelist_out);
2445 count = n_input + n_output;
2447 msg_size = sizeof (*mp);
2448 msg_size += sizeof (mp->whitelist[0]) * count;
2450 mp = vl_msg_api_alloc (msg_size);
2451 clib_memset (mp, 0, msg_size);
2453 ntohs (VL_API_ACL_INTERFACE_ETYPE_WHITELIST_DETAILS + am->msg_id_base);
2455 /* fill in the message */
2456 mp->context = context;
2457 mp->sw_if_index = htonl (sw_if_index);
2459 mp->n_input = n_input;
2460 for (i = 0; i < n_input; i++)
2462 mp->whitelist[i] = htons (whitelist_in[i]);
2464 for (i = 0; i < n_output; i++)
2466 mp->whitelist[n_input + i] = htons (whitelist_out[i]);
2468 clib_mem_set_heap (oldheap);
2469 vl_api_send_msg (reg, (u8 *) mp);
2474 vl_api_acl_interface_etype_whitelist_dump_t_handler
2475 (vl_api_acl_interface_list_dump_t * mp)
2477 acl_main_t *am = &acl_main;
2478 vnet_sw_interface_t *swif;
2479 vnet_interface_main_t *im = &am->vnet_main->interface_main;
2482 vl_api_registration_t *reg;
2484 reg = vl_api_client_index_to_registration (mp->client_index);
2488 if (mp->sw_if_index == ~0)
2491 pool_foreach (swif, im->sw_interfaces,
2493 send_acl_interface_etype_whitelist_details(am, reg, swif->sw_if_index, mp->context);
2499 sw_if_index = ntohl (mp->sw_if_index);
2500 if (!pool_is_free_index (im->sw_interfaces, sw_if_index))
2501 send_acl_interface_etype_whitelist_details (am, reg, sw_if_index,
2508 /* Set up the API message handling tables */
2509 static clib_error_t *
2510 acl_plugin_api_hookup (vlib_main_t * vm)
2512 acl_main_t *am = &acl_main;
2514 vl_msg_api_set_handlers((VL_API_##N + am->msg_id_base), \
2516 vl_api_##n##_t_handler, \
2518 vl_api_##n##_t_endian, \
2519 vl_api_##n##_t_print, \
2520 sizeof(vl_api_##n##_t), 1);
2521 foreach_acl_plugin_api_msg;
2527 #define vl_msg_name_crc_list
2528 #include <acl/acl_all_api_h.h>
2529 #undef vl_msg_name_crc_list
2532 setup_message_id_table (acl_main_t * am, api_main_t * apim)
2534 #define _(id,n,crc) \
2535 vl_msg_api_add_msg_name_crc (apim, #n "_" #crc, id + am->msg_id_base);
2536 foreach_vl_msg_name_crc_acl;
2541 acl_set_timeout_sec (int timeout_type, u32 value)
2543 acl_main_t *am = &acl_main;
2544 clib_time_t *ct = &am->vlib_main->clib_time;
2546 if (timeout_type < ACL_N_TIMEOUTS)
2548 am->session_timeout_sec[timeout_type] = value;
2552 clib_warning ("Unknown timeout type %d", timeout_type);
2555 am->session_timeout[timeout_type] =
2556 (u64) (((f64) value) / ct->seconds_per_clock);
2560 acl_set_session_max_entries (u32 value)
2562 acl_main_t *am = &acl_main;
2563 am->fa_conn_table_max_entries = value;
2567 acl_set_skip_ipv6_eh (u32 eh, u32 value)
2569 acl_main_t *am = &acl_main;
2571 if ((eh < 256) && (value < 2))
2573 am->fa_ipv6_known_eh_bitmap =
2574 clib_bitmap_set (am->fa_ipv6_known_eh_bitmap, eh, value);
2582 static clib_error_t *
2583 acl_sw_interface_add_del (vnet_main_t * vnm, u32 sw_if_index, u32 is_add)
2585 acl_main_t *am = &acl_main;
2586 if (0 == am->acl_mheap)
2588 /* ACL heap is not initialized, so definitely nothing to do. */
2593 int may_clear_sessions = 1;
2594 vlib_process_signal_event (am->vlib_main, am->fa_cleaner_node_index,
2595 ACL_FA_CLEANER_DELETE_BY_SW_IF_INDEX,
2597 /* also unapply any ACLs in case the users did not do so. */
2598 macip_acl_interface_del_acl (am, sw_if_index);
2599 acl_interface_reset_inout_acls (sw_if_index, 0, &may_clear_sessions);
2600 acl_interface_reset_inout_acls (sw_if_index, 1, &may_clear_sessions);
2605 VNET_SW_INTERFACE_ADD_DEL_FUNCTION (acl_sw_interface_add_del);
2609 static clib_error_t *
2610 acl_set_aclplugin_fn (vlib_main_t * vm,
2611 unformat_input_t * input, vlib_cli_command_t * cmd)
2613 clib_error_t *error = 0;
2617 uword memory_size = 0;
2618 acl_main_t *am = &acl_main;
2620 if (unformat (input, "skip-ipv6-extension-header %u %u", &eh_val, &val))
2622 if (!acl_set_skip_ipv6_eh (eh_val, val))
2624 error = clib_error_return (0, "expecting eh=0..255, value=0..1");
2628 if (unformat (input, "use-hash-acl-matching %u", &val))
2630 am->use_hash_acl_matching = (val != 0);
2633 if (unformat (input, "l4-match-nonfirst-fragment %u", &val))
2635 am->l4_match_nonfirst_fragment = (val != 0);
2638 if (unformat (input, "reclassify-sessions %u", &val))
2640 am->reclassify_sessions = (val != 0);
2643 if (unformat (input, "event-trace"))
2645 if (!unformat (input, "%u", &val))
2647 error = clib_error_return (0,
2648 "expecting trace level, got `%U`",
2649 format_unformat_error, input);
2654 am->trace_acl = val;
2658 if (unformat (input, "heap"))
2660 if (unformat (input, "main"))
2662 if (unformat (input, "validate %u", &val))
2663 acl_plugin_acl_set_validate_heap (am, val);
2664 else if (unformat (input, "trace %u", &val))
2665 acl_plugin_acl_set_trace_heap (am, val);
2668 else if (unformat (input, "hash"))
2670 if (unformat (input, "validate %u", &val))
2671 acl_plugin_hash_acl_set_validate_heap (val);
2672 else if (unformat (input, "trace %u", &val))
2673 acl_plugin_hash_acl_set_trace_heap (val);
2678 if (unformat (input, "session"))
2680 if (unformat (input, "table"))
2682 /* The commands here are for tuning/testing. No user-serviceable parts inside */
2683 if (unformat (input, "max-entries"))
2685 if (!unformat (input, "%u", &val))
2687 error = clib_error_return (0,
2688 "expecting maximum number of entries, got `%U`",
2689 format_unformat_error, input);
2694 acl_set_session_max_entries (val);
2698 if (unformat (input, "hash-table-buckets"))
2700 if (!unformat (input, "%u", &val))
2702 error = clib_error_return (0,
2703 "expecting maximum number of hash table buckets, got `%U`",
2704 format_unformat_error, input);
2709 am->fa_conn_table_hash_num_buckets = val;
2713 if (unformat (input, "hash-table-memory"))
2715 if (!unformat (input, "%U", unformat_memory_size, &memory_size))
2717 error = clib_error_return (0,
2718 "expecting maximum amount of hash table memory, got `%U`",
2719 format_unformat_error, input);
2724 am->fa_conn_table_hash_memory_size = memory_size;
2728 if (unformat (input, "event-trace"))
2730 if (!unformat (input, "%u", &val))
2732 error = clib_error_return (0,
2733 "expecting trace level, got `%U`",
2734 format_unformat_error, input);
2739 am->trace_sessions = val;
2745 if (unformat (input, "timeout"))
2747 if (unformat (input, "udp"))
2749 if (unformat (input, "idle"))
2751 if (!unformat (input, "%u", &timeout))
2753 error = clib_error_return (0,
2754 "expecting timeout value in seconds, got `%U`",
2755 format_unformat_error,
2761 acl_set_timeout_sec (ACL_TIMEOUT_UDP_IDLE, timeout);
2766 if (unformat (input, "tcp"))
2768 if (unformat (input, "idle"))
2770 if (!unformat (input, "%u", &timeout))
2772 error = clib_error_return (0,
2773 "expecting timeout value in seconds, got `%U`",
2774 format_unformat_error,
2780 acl_set_timeout_sec (ACL_TIMEOUT_TCP_IDLE, timeout);
2784 if (unformat (input, "transient"))
2786 if (!unformat (input, "%u", &timeout))
2788 error = clib_error_return (0,
2789 "expecting timeout value in seconds, got `%U`",
2790 format_unformat_error,
2796 acl_set_timeout_sec (ACL_TIMEOUT_TCP_TRANSIENT,
2810 my_format_mac_address (u8 * s, va_list * args)
2812 u8 *a = va_arg (*args, u8 *);
2813 return format (s, "%02x:%02x:%02x:%02x:%02x:%02x",
2814 a[0], a[1], a[2], a[3], a[4], a[5]);
2818 my_macip_acl_rule_t_pretty_format (u8 * out, va_list * args)
2820 macip_acl_rule_t *a = va_arg (*args, macip_acl_rule_t *);
2822 out = format (out, "%s action %d ip %U/%d mac %U mask %U",
2823 a->is_ipv6 ? "ipv6" : "ipv4", a->is_permit,
2824 format_ip46_address, &a->src_ip_addr,
2825 a->is_ipv6 ? IP46_TYPE_IP6 : IP46_TYPE_IP4,
2827 my_format_mac_address, a->src_mac,
2828 my_format_mac_address, a->src_mac_mask);
2833 macip_acl_print (acl_main_t * am, u32 macip_acl_index)
2835 vlib_main_t *vm = am->vlib_main;
2838 /* Don't try to print someone else's memory */
2839 if (macip_acl_index >= vec_len (am->macip_acls))
2842 macip_acl_list_t *a = vec_elt_at_index (am->macip_acls, macip_acl_index);
2843 int free_pool_slot = pool_is_free_index (am->macip_acls, macip_acl_index);
2845 vlib_cli_output (vm,
2846 "MACIP acl_index: %d, count: %d (true len %d) tag {%s} is free pool slot: %d\n",
2847 macip_acl_index, a->count, vec_len (a->rules), a->tag,
2849 vlib_cli_output (vm,
2850 " ip4_table_index %d, ip6_table_index %d, l2_table_index %d\n",
2851 a->ip4_table_index, a->ip6_table_index, a->l2_table_index);
2852 vlib_cli_output (vm,
2853 " out_ip4_table_index %d, out_ip6_table_index %d, out_l2_table_index %d\n",
2854 a->out_ip4_table_index, a->out_ip6_table_index,
2855 a->out_l2_table_index);
2856 for (i = 0; i < vec_len (a->rules); i++)
2857 vlib_cli_output (vm, " rule %d: %U\n", i,
2858 my_macip_acl_rule_t_pretty_format,
2859 vec_elt_at_index (a->rules, i));
2863 static clib_error_t *
2864 acl_show_aclplugin_macip_acl_fn (vlib_main_t * vm,
2866 input, vlib_cli_command_t * cmd)
2868 clib_error_t *error = 0;
2869 acl_main_t *am = &acl_main;
2873 (void) unformat (input, "index %u", &acl_index);
2875 for (i = 0; i < vec_len (am->macip_acls); i++)
2877 /* Don't attempt to show the ACLs that do not exist */
2878 if (pool_is_free_index (am->macip_acls, i))
2881 if ((acl_index != ~0) && (acl_index != i))
2886 macip_acl_print (am, i);
2887 if (i < vec_len (am->sw_if_index_vec_by_macip_acl))
2889 vlib_cli_output (vm, " applied on sw_if_index(s): %U\n",
2891 vec_elt (am->sw_if_index_vec_by_macip_acl, i),
2899 static clib_error_t *
2900 acl_show_aclplugin_macip_interface_fn (vlib_main_t * vm,
2902 input, vlib_cli_command_t * cmd)
2904 clib_error_t *error = 0;
2905 acl_main_t *am = &acl_main;
2907 for (i = 0; i < vec_len (am->macip_acl_by_sw_if_index); i++)
2909 vlib_cli_output (vm, " sw_if_index %d: %d\n", i,
2910 vec_elt (am->macip_acl_by_sw_if_index, i));
2916 acl_plugin_show_acl (acl_main_t * am, u32 acl_index)
2919 vlib_main_t *vm = am->vlib_main;
2921 for (i = 0; i < vec_len (am->acls); i++)
2923 if (acl_is_not_defined (am, i))
2925 /* don't attempt to show the ACLs that do not exist */
2928 if ((acl_index != ~0) && (acl_index != i))
2932 acl_print_acl (vm, am, i);
2934 if (i < vec_len (am->input_sw_if_index_vec_by_acl))
2936 vlib_cli_output (vm, " applied inbound on sw_if_index: %U\n",
2937 format_vec32, am->input_sw_if_index_vec_by_acl[i],
2940 if (i < vec_len (am->output_sw_if_index_vec_by_acl))
2942 vlib_cli_output (vm, " applied outbound on sw_if_index: %U\n",
2943 format_vec32, am->output_sw_if_index_vec_by_acl[i],
2946 if (i < vec_len (am->lc_index_vec_by_acl))
2948 vlib_cli_output (vm, " used in lookup context index: %U\n",
2949 format_vec32, am->lc_index_vec_by_acl[i], "%d");
2954 static clib_error_t *
2955 acl_show_aclplugin_acl_fn (vlib_main_t * vm,
2956 unformat_input_t * input, vlib_cli_command_t * cmd)
2958 clib_error_t *error = 0;
2959 acl_main_t *am = &acl_main;
2962 (void) unformat (input, "index %u", &acl_index);
2964 acl_plugin_show_acl (am, acl_index);
2968 static clib_error_t *
2969 acl_show_aclplugin_lookup_context_fn (vlib_main_t * vm,
2970 unformat_input_t * input,
2971 vlib_cli_command_t * cmd)
2973 clib_error_t *error = 0;
2976 (void) unformat (input, "index %u", &lc_index);
2978 acl_plugin_show_lookup_context (lc_index);
2982 static clib_error_t *
2983 acl_show_aclplugin_lookup_user_fn (vlib_main_t * vm,
2984 unformat_input_t * input,
2985 vlib_cli_command_t * cmd)
2987 clib_error_t *error = 0;
2990 (void) unformat (input, "index %u", &lc_index);
2992 acl_plugin_show_lookup_user (lc_index);
2998 acl_plugin_show_interface (acl_main_t * am, u32 sw_if_index, int show_acl,
3001 vlib_main_t *vm = am->vlib_main;
3004 for (swi = 0; (swi < vec_len (am->input_acl_vec_by_sw_if_index)) ||
3005 (swi < vec_len (am->output_acl_vec_by_sw_if_index)); swi++)
3007 /* if we need a particular interface, skip all the others */
3008 if ((sw_if_index != ~0) && (sw_if_index != swi))
3011 vlib_cli_output (vm, "sw_if_index %d:\n", swi);
3012 if (swi < vec_len (am->input_policy_epoch_by_sw_if_index))
3013 vlib_cli_output (vm, " input policy epoch: %x\n",
3014 vec_elt (am->input_policy_epoch_by_sw_if_index,
3016 if (swi < vec_len (am->output_policy_epoch_by_sw_if_index))
3017 vlib_cli_output (vm, " output policy epoch: %x\n",
3018 vec_elt (am->output_policy_epoch_by_sw_if_index,
3022 if (intf_has_etype_whitelist (am, swi, 1))
3024 vlib_cli_output (vm, " input etype whitelist: %U", format_vec16,
3025 am->input_etype_whitelist_by_sw_if_index[swi],
3028 if (intf_has_etype_whitelist (am, swi, 0))
3030 vlib_cli_output (vm, " output etype whitelist: %U", format_vec16,
3031 am->output_etype_whitelist_by_sw_if_index[swi],
3035 if ((swi < vec_len (am->input_acl_vec_by_sw_if_index)) &&
3036 (vec_len (am->input_acl_vec_by_sw_if_index[swi]) > 0))
3038 vlib_cli_output (vm, " input acl(s): %U", format_vec32,
3039 am->input_acl_vec_by_sw_if_index[swi], "%d");
3042 vlib_cli_output (vm, "\n");
3043 vec_foreach (pj, am->input_acl_vec_by_sw_if_index[swi])
3045 acl_print_acl (vm, am, *pj);
3047 vlib_cli_output (vm, "\n");
3051 if ((swi < vec_len (am->output_acl_vec_by_sw_if_index)) &&
3052 (vec_len (am->output_acl_vec_by_sw_if_index[swi]) > 0))
3054 vlib_cli_output (vm, " output acl(s): %U", format_vec32,
3055 am->output_acl_vec_by_sw_if_index[swi], "%d");
3058 vlib_cli_output (vm, "\n");
3059 vec_foreach (pj, am->output_acl_vec_by_sw_if_index[swi])
3061 acl_print_acl (vm, am, *pj);
3063 vlib_cli_output (vm, "\n");
3066 if (detail && (swi < vec_len (am->input_lc_index_by_sw_if_index)))
3068 vlib_cli_output (vm, " input lookup context index: %d",
3069 am->input_lc_index_by_sw_if_index[swi]);
3071 if (detail && (swi < vec_len (am->output_lc_index_by_sw_if_index)))
3073 vlib_cli_output (vm, " output lookup context index: %d",
3074 am->output_lc_index_by_sw_if_index[swi]);
3081 static clib_error_t *
3082 acl_show_aclplugin_decode_5tuple_fn (vlib_main_t * vm,
3083 unformat_input_t * input,
3084 vlib_cli_command_t * cmd)
3086 clib_error_t *error = 0;
3087 u64 five_tuple[6] = { 0, 0, 0, 0, 0, 0 };
3090 (input, "%llx %llx %llx %llx %llx %llx", &five_tuple[0], &five_tuple[1],
3091 &five_tuple[2], &five_tuple[3], &five_tuple[4], &five_tuple[5]))
3092 vlib_cli_output (vm, "5-tuple structure decode: %U\n\n",
3093 format_acl_plugin_5tuple, five_tuple);
3095 error = clib_error_return (0, "expecting 6 hex integers");
3100 static clib_error_t *
3101 acl_show_aclplugin_interface_fn (vlib_main_t * vm,
3103 input, vlib_cli_command_t * cmd)
3105 clib_error_t *error = 0;
3106 acl_main_t *am = &acl_main;
3108 u32 sw_if_index = ~0;
3109 (void) unformat (input, "sw_if_index %u", &sw_if_index);
3110 int show_acl = unformat (input, "acl");
3111 int detail = unformat (input, "detail");
3113 acl_plugin_show_interface (am, sw_if_index, show_acl, detail);
3117 static clib_error_t *
3118 acl_show_aclplugin_memory_fn (vlib_main_t * vm,
3119 unformat_input_t * input,
3120 vlib_cli_command_t * cmd)
3122 clib_error_t *error = 0;
3123 acl_main_t *am = &acl_main;
3125 vlib_cli_output (vm, "ACL plugin main heap statistics:\n");
3128 vlib_cli_output (vm, " %U\n", format_mheap, am->acl_mheap, 1);
3132 vlib_cli_output (vm, " Not initialized\n");
3134 vlib_cli_output (vm, "ACL hash lookup support heap statistics:\n");
3135 if (am->hash_lookup_mheap)
3137 vlib_cli_output (vm, " %U\n", format_mheap, am->hash_lookup_mheap, 1);
3141 vlib_cli_output (vm, " Not initialized\n");
3147 acl_plugin_show_sessions (acl_main_t * am,
3148 u32 show_session_thread_id,
3149 u32 show_session_session_index)
3151 vlib_main_t *vm = am->vlib_main;
3153 vnet_interface_main_t *im = &am->vnet_main->interface_main;
3154 vnet_sw_interface_t *swif;
3155 u64 now = clib_cpu_time_now ();
3156 u64 clocks_per_second = am->vlib_main->clib_time.clocks_per_second;
3159 u64 n_adds = am->fa_session_total_adds;
3160 u64 n_dels = am->fa_session_total_dels;
3161 u64 n_deact = am->fa_session_total_deactivations;
3162 vlib_cli_output (vm, "Sessions total: add %lu - del %lu = %lu", n_adds,
3163 n_dels, n_adds - n_dels);
3164 vlib_cli_output (vm, "Sessions active: add %lu - deact %lu = %lu", n_adds,
3165 n_deact, n_adds - n_deact);
3166 vlib_cli_output (vm, "Sessions being purged: deact %lu - del %lu = %lu",
3167 n_deact, n_dels, n_deact - n_dels);
3169 vlib_cli_output (vm, "now: %lu clocks per second: %lu", now,
3171 vlib_cli_output (vm, "\n\nPer-thread data:");
3172 for (wk = 0; wk < vec_len (am->per_worker_data); wk++)
3174 acl_fa_per_worker_data_t *pw = &am->per_worker_data[wk];
3175 vlib_cli_output (vm, "Thread #%d:", wk);
3176 if (show_session_thread_id == wk
3177 && show_session_session_index < pool_len (pw->fa_sessions_pool))
3179 vlib_cli_output (vm, " session index %u:",
3180 show_session_session_index);
3181 fa_session_t *sess =
3182 pw->fa_sessions_pool + show_session_session_index;
3183 u64 *m = (u64 *) & sess->info;
3184 vlib_cli_output (vm,
3185 " info: %016llx %016llx %016llx %016llx %016llx %016llx",
3186 m[0], m[1], m[2], m[3], m[4], m[5]);
3187 vlib_cli_output (vm, " sw_if_index: %u", sess->sw_if_index);
3188 vlib_cli_output (vm, " tcp_flags_seen: %x",
3189 sess->tcp_flags_seen.as_u16);
3190 vlib_cli_output (vm, " last active time: %lu",
3191 sess->last_active_time);
3192 vlib_cli_output (vm, " thread index: %u", sess->thread_index);
3193 vlib_cli_output (vm, " link enqueue time: %lu",
3194 sess->link_enqueue_time);
3195 vlib_cli_output (vm, " link next index: %u",
3196 sess->link_next_idx);
3197 vlib_cli_output (vm, " link prev index: %u",
3198 sess->link_prev_idx);
3199 vlib_cli_output (vm, " link list id: %u", sess->link_list_id);
3201 vlib_cli_output (vm, " connection add/del stats:", wk);
3202 pool_foreach (swif, im->sw_interfaces, (
3209 (pw->fa_session_adds_by_sw_if_index)
3211 pw->fa_session_adds_by_sw_if_index
3216 (pw->fa_session_dels_by_sw_if_index)
3218 pw->fa_session_dels_by_sw_if_index
3220 u64 n_epoch_changes =
3223 (pw->fa_session_epoch_change_by_sw_if_index)
3225 pw->fa_session_epoch_change_by_sw_if_index
3227 vlib_cli_output (vm,
3228 " sw_if_index %d: add %lu - del %lu = %lu; epoch chg: %lu",
3238 vlib_cli_output (vm, " connection timeout type lists:", wk);
3240 for (tt = 0; tt < ACL_N_TIMEOUTS; tt++)
3242 u32 head_session_index = pw->fa_conn_list_head[tt];
3243 vlib_cli_output (vm, " fa_conn_list_head[%d]: %d", tt,
3244 head_session_index);
3245 if (~0 != head_session_index)
3247 fa_session_t *sess = pw->fa_sessions_pool + head_session_index;
3248 vlib_cli_output (vm, " last active time: %lu",
3249 sess->last_active_time);
3250 vlib_cli_output (vm, " link enqueue time: %lu",
3251 sess->link_enqueue_time);
3255 vlib_cli_output (vm, " Next expiry time: %lu", pw->next_expiry_time);
3256 vlib_cli_output (vm, " Requeue until time: %lu",
3257 pw->requeue_until_time);
3258 vlib_cli_output (vm, " Current time wait interval: %lu",
3259 pw->current_time_wait_interval);
3260 vlib_cli_output (vm, " Count of deleted sessions: %lu",
3261 pw->cnt_deleted_sessions);
3262 vlib_cli_output (vm, " Delete already deleted: %lu",
3263 pw->cnt_already_deleted_sessions);
3264 vlib_cli_output (vm, " Session timers restarted: %lu",
3265 pw->cnt_session_timer_restarted);
3266 vlib_cli_output (vm, " Swipe until this time: %lu",
3267 pw->swipe_end_time);
3268 vlib_cli_output (vm, " sw_if_index serviced bitmap: %U",
3269 format_bitmap_hex, pw->serviced_sw_if_index_bitmap);
3270 vlib_cli_output (vm, " pending clear intfc bitmap : %U",
3272 pw->pending_clear_sw_if_index_bitmap);
3273 vlib_cli_output (vm, " clear in progress: %u", pw->clear_in_process);
3274 vlib_cli_output (vm, " interrupt is pending: %d",
3275 pw->interrupt_is_pending);
3276 vlib_cli_output (vm, " interrupt is needed: %d",
3277 pw->interrupt_is_needed);
3278 vlib_cli_output (vm, " interrupt is unwanted: %d",
3279 pw->interrupt_is_unwanted);
3280 vlib_cli_output (vm, " interrupt generation: %d",
3281 pw->interrupt_generation);
3282 vlib_cli_output (vm, " received session change requests: %d",
3283 pw->rcvd_session_change_requests);
3284 vlib_cli_output (vm, " sent session change requests: %d",
3285 pw->sent_session_change_requests);
3287 vlib_cli_output (vm, "\n\nConn cleaner thread counters:");
3288 #define _(cnt, desc) vlib_cli_output(vm, " %20lu: %s", am->cnt, desc);
3289 foreach_fa_cleaner_counter;
3291 vlib_cli_output (vm, "Interrupt generation: %d",
3292 am->fa_interrupt_generation);
3293 vlib_cli_output (vm,
3294 "Sessions per interval: min %lu max %lu increment: %f ms current: %f ms",
3295 am->fa_min_deleted_sessions_per_interval,
3296 am->fa_max_deleted_sessions_per_interval,
3297 am->fa_cleaner_wait_time_increment * 1000.0,
3298 ((f64) am->fa_current_cleaner_timer_wait_interval) *
3299 1000.0 / (f64) vm->clib_time.clocks_per_second);
3300 vlib_cli_output (vm, "Reclassify sessions: %d", am->reclassify_sessions);
3303 static clib_error_t *
3304 acl_show_aclplugin_sessions_fn (vlib_main_t * vm,
3305 unformat_input_t * input,
3306 vlib_cli_command_t * cmd)
3308 clib_error_t *error = 0;
3309 acl_main_t *am = &acl_main;
3311 u32 show_bihash_verbose = 0;
3312 u32 show_session_thread_id = ~0;
3313 u32 show_session_session_index = ~0;
3314 (void) unformat (input, "thread %u index %u", &show_session_thread_id,
3315 &show_session_session_index);
3316 (void) unformat (input, "verbose %u", &show_bihash_verbose);
3318 acl_plugin_show_sessions (am, show_session_thread_id,
3319 show_session_session_index);
3320 show_fa_sessions_hash (vm, show_bihash_verbose);
3324 static clib_error_t *
3325 acl_show_aclplugin_tables_fn (vlib_main_t * vm,
3326 unformat_input_t * input,
3327 vlib_cli_command_t * cmd)
3329 clib_error_t *error = 0;
3333 int show_acl_hash_info = 0;
3334 int show_applied_info = 0;
3335 int show_mask_type = 0;
3336 int show_bihash = 0;
3337 u32 show_bihash_verbose = 0;
3339 if (unformat (input, "acl"))
3341 show_acl_hash_info = 1;
3342 /* mask-type is handy to see as well right there */
3344 unformat (input, "index %u", &acl_index);
3346 else if (unformat (input, "applied"))
3348 show_applied_info = 1;
3349 unformat (input, "lc_index %u", &lc_index);
3351 else if (unformat (input, "mask"))
3355 else if (unformat (input, "hash"))
3358 unformat (input, "verbose %u", &show_bihash_verbose);
3362 (show_mask_type || show_acl_hash_info || show_applied_info
3365 /* if no qualifiers specified, show all */
3367 show_acl_hash_info = 1;
3368 show_applied_info = 1;
3372 acl_plugin_show_tables_mask_type ();
3373 if (show_acl_hash_info)
3374 acl_plugin_show_tables_acl_hash_info (acl_index);
3375 if (show_applied_info)
3376 acl_plugin_show_tables_applied_info (lc_index);
3378 acl_plugin_show_tables_bihash (show_bihash_verbose);
3383 static clib_error_t *
3384 acl_clear_aclplugin_fn (vlib_main_t * vm,
3385 unformat_input_t * input, vlib_cli_command_t * cmd)
3387 clib_error_t *error = 0;
3388 acl_main_t *am = &acl_main;
3389 vlib_process_signal_event (am->vlib_main, am->fa_cleaner_node_index,
3390 ACL_FA_CLEANER_DELETE_BY_SW_IF_INDEX, ~0);
3395 VLIB_CLI_COMMAND (aclplugin_set_command, static) = {
3396 .path = "set acl-plugin",
3397 .short_help = "set acl-plugin session timeout {{udp idle}|tcp {idle|transient}} <seconds>",
3398 .function = acl_set_aclplugin_fn,
3401 VLIB_CLI_COMMAND (aclplugin_show_acl_command, static) = {
3402 .path = "show acl-plugin acl",
3403 .short_help = "show acl-plugin acl [index N]",
3404 .function = acl_show_aclplugin_acl_fn,
3407 VLIB_CLI_COMMAND (aclplugin_show_lookup_context_command, static) = {
3408 .path = "show acl-plugin lookup context",
3409 .short_help = "show acl-plugin lookup context [index N]",
3410 .function = acl_show_aclplugin_lookup_context_fn,
3413 VLIB_CLI_COMMAND (aclplugin_show_lookup_user_command, static) = {
3414 .path = "show acl-plugin lookup user",
3415 .short_help = "show acl-plugin lookup user [index N]",
3416 .function = acl_show_aclplugin_lookup_user_fn,
3419 VLIB_CLI_COMMAND (aclplugin_show_decode_5tuple_command, static) = {
3420 .path = "show acl-plugin decode 5tuple",
3421 .short_help = "show acl-plugin decode 5tuple XXXX XXXX XXXX XXXX XXXX XXXX",
3422 .function = acl_show_aclplugin_decode_5tuple_fn,
3425 VLIB_CLI_COMMAND (aclplugin_show_interface_command, static) = {
3426 .path = "show acl-plugin interface",
3427 .short_help = "show acl-plugin interface [sw_if_index N] [acl]",
3428 .function = acl_show_aclplugin_interface_fn,
3431 VLIB_CLI_COMMAND (aclplugin_show_memory_command, static) = {
3432 .path = "show acl-plugin memory",
3433 .short_help = "show acl-plugin memory",
3434 .function = acl_show_aclplugin_memory_fn,
3437 VLIB_CLI_COMMAND (aclplugin_show_sessions_command, static) = {
3438 .path = "show acl-plugin sessions",
3439 .short_help = "show acl-plugin sessions",
3440 .function = acl_show_aclplugin_sessions_fn,
3443 VLIB_CLI_COMMAND (aclplugin_show_tables_command, static) = {
3444 .path = "show acl-plugin tables",
3445 .short_help = "show acl-plugin tables [ acl [index N] | applied [ lc_index N ] | mask | hash [verbose N] ]",
3446 .function = acl_show_aclplugin_tables_fn,
3449 VLIB_CLI_COMMAND (aclplugin_show_macip_acl_command, static) = {
3450 .path = "show acl-plugin macip acl",
3451 .short_help = "show acl-plugin macip acl [index N]",
3452 .function = acl_show_aclplugin_macip_acl_fn,
3455 VLIB_CLI_COMMAND (aclplugin_show_macip_interface_command, static) = {
3456 .path = "show acl-plugin macip interface",
3457 .short_help = "show acl-plugin macip interface",
3458 .function = acl_show_aclplugin_macip_interface_fn,
3461 VLIB_CLI_COMMAND (aclplugin_clear_command, static) = {
3462 .path = "clear acl-plugin sessions",
3463 .short_help = "clear acl-plugin sessions",
3464 .function = acl_clear_aclplugin_fn,
3468 static clib_error_t *
3469 acl_plugin_config (vlib_main_t * vm, unformat_input_t * input)
3471 acl_main_t *am = &acl_main;
3472 u32 conn_table_hash_buckets;
3473 uword conn_table_hash_memory_size;
3474 u32 conn_table_max_entries;
3475 uword main_heap_size;
3476 uword hash_heap_size;
3477 u32 hash_lookup_hash_buckets;
3478 uword hash_lookup_hash_memory;
3479 u32 reclassify_sessions;
3480 u32 use_tuple_merge;
3481 u32 tuple_merge_split_threshold;
3483 while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
3486 (input, "connection hash buckets %d", &conn_table_hash_buckets))
3487 am->fa_conn_table_hash_num_buckets = conn_table_hash_buckets;
3490 (input, "connection hash memory %U", unformat_memory_size,
3491 &conn_table_hash_memory_size))
3492 am->fa_conn_table_hash_memory_size = conn_table_hash_memory_size;
3493 else if (unformat (input, "connection count max %d",
3494 &conn_table_max_entries))
3495 am->fa_conn_table_max_entries = conn_table_max_entries;
3498 (input, "main heap size %U", unformat_memory_size,
3500 am->acl_mheap_size = main_heap_size;
3503 (input, "hash lookup heap size %U", unformat_memory_size,
3505 am->hash_lookup_mheap_size = hash_heap_size;
3506 else if (unformat (input, "hash lookup hash buckets %d",
3507 &hash_lookup_hash_buckets))
3508 am->hash_lookup_hash_buckets = hash_lookup_hash_buckets;
3511 (input, "hash lookup hash memory %U", unformat_memory_size,
3512 &hash_lookup_hash_memory))
3513 am->hash_lookup_hash_memory = hash_lookup_hash_memory;
3514 else if (unformat (input, "use tuple merge %d", &use_tuple_merge))
3515 am->use_tuple_merge = use_tuple_merge;
3518 (input, "tuple merge split threshold %d",
3519 &tuple_merge_split_threshold))
3520 am->tuple_merge_split_threshold = tuple_merge_split_threshold;
3522 else if (unformat (input, "reclassify sessions %d",
3523 &reclassify_sessions))
3524 am->reclassify_sessions = reclassify_sessions;
3527 return clib_error_return (0, "unknown input '%U'",
3528 format_unformat_error, input);
3533 VLIB_CONFIG_FUNCTION (acl_plugin_config, "acl-plugin");
3535 static clib_error_t *
3536 acl_init (vlib_main_t * vm)
3538 acl_main_t *am = &acl_main;
3539 clib_error_t *error = 0;
3540 clib_memset (am, 0, sizeof (*am));
3542 am->vnet_main = vnet_get_main ();
3543 am->log_default = vlib_log_register_class ("acl_plugin", 0);
3545 u8 *name = format (0, "acl_%08x%c", api_version, 0);
3547 /* Ask for a correctly-sized block of API message decode slots */
3548 am->msg_id_base = vl_msg_api_get_msg_ids ((char *) name,
3549 VL_MSG_FIRST_AVAILABLE);
3551 error = acl_plugin_api_hookup (vm);
3553 /* Add our API messages to the global name_crc hash table */
3554 setup_message_id_table (am, &api_main);
3561 error = acl_plugin_exports_init (&acl_plugin);
3566 am->acl_mheap_size = 0; /* auto size when initializing */
3567 am->hash_lookup_mheap_size = ACL_PLUGIN_HASH_LOOKUP_HEAP_SIZE;
3569 am->hash_lookup_hash_buckets = ACL_PLUGIN_HASH_LOOKUP_HASH_BUCKETS;
3570 am->hash_lookup_hash_memory = ACL_PLUGIN_HASH_LOOKUP_HASH_MEMORY;
3572 am->session_timeout_sec[ACL_TIMEOUT_TCP_TRANSIENT] =
3573 TCP_SESSION_TRANSIENT_TIMEOUT_SEC;
3574 am->session_timeout_sec[ACL_TIMEOUT_TCP_IDLE] =
3575 TCP_SESSION_IDLE_TIMEOUT_SEC;
3576 am->session_timeout_sec[ACL_TIMEOUT_UDP_IDLE] =
3577 UDP_SESSION_IDLE_TIMEOUT_SEC;
3579 am->fa_conn_table_hash_num_buckets =
3580 ACL_FA_CONN_TABLE_DEFAULT_HASH_NUM_BUCKETS;
3581 am->fa_conn_table_hash_memory_size =
3582 ACL_FA_CONN_TABLE_DEFAULT_HASH_MEMORY_SIZE;
3583 am->fa_conn_table_max_entries = ACL_FA_CONN_TABLE_DEFAULT_MAX_ENTRIES;
3584 am->reclassify_sessions = 0;
3585 vlib_thread_main_t *tm = vlib_get_thread_main ();
3587 am->fa_min_deleted_sessions_per_interval =
3588 ACL_FA_DEFAULT_MIN_DELETED_SESSIONS_PER_INTERVAL;
3589 am->fa_max_deleted_sessions_per_interval =
3590 ACL_FA_DEFAULT_MAX_DELETED_SESSIONS_PER_INTERVAL;
3591 am->fa_cleaner_wait_time_increment =
3592 ACL_FA_DEFAULT_CLEANER_WAIT_TIME_INCREMENT;
3594 vec_validate (am->per_worker_data, tm->n_vlib_mains - 1);
3597 for (wk = 0; wk < vec_len (am->per_worker_data); wk++)
3599 acl_fa_per_worker_data_t *pw = &am->per_worker_data[wk];
3600 if (tm->n_vlib_mains > 1)
3602 clib_spinlock_init (&pw->pending_session_change_request_lock);
3604 vec_validate (pw->expired,
3606 am->fa_max_deleted_sessions_per_interval);
3607 _vec_len (pw->expired) = 0;
3608 vec_validate_init_empty (pw->fa_conn_list_head, ACL_N_TIMEOUTS - 1,
3609 FA_SESSION_BOGUS_INDEX);
3610 vec_validate_init_empty (pw->fa_conn_list_tail, ACL_N_TIMEOUTS - 1,
3611 FA_SESSION_BOGUS_INDEX);
3612 vec_validate_init_empty (pw->fa_conn_list_head_expiry_time,
3613 ACL_N_TIMEOUTS - 1, ~0ULL);
3617 am->fa_cleaner_cnt_delete_by_sw_index = 0;
3618 am->fa_cleaner_cnt_delete_by_sw_index_ok = 0;
3619 am->fa_cleaner_cnt_unknown_event = 0;
3620 am->fa_cleaner_cnt_timer_restarted = 0;
3621 am->fa_cleaner_cnt_wait_with_timeout = 0;
3624 #define _(N, v, s) am->fa_ipv6_known_eh_bitmap = clib_bitmap_set(am->fa_ipv6_known_eh_bitmap, v, 1);
3627 am->l4_match_nonfirst_fragment = 1;
3629 /* use the new fancy hash-based matching */
3630 am->use_hash_acl_matching = 1;
3631 /* use tuplemerge by default */
3632 am->use_tuple_merge = 1;
3633 /* Set the default threshold */
3634 am->tuple_merge_split_threshold = TM_SPLIT_THRESHOLD;
3636 am->interface_acl_user_id = ~0; /* defer till the first use */
3641 VLIB_INIT_FUNCTION (acl_init);
3645 * fd.io coding-style-patch-verification: ON
3648 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob