2 * Copyright (c) 2016 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
18 #include <vnet/vnet.h>
19 #include <vnet/plugin/plugin.h>
22 #include <vnet/l2/l2_classify.h>
23 #include <vnet/classify/in_out_acl.h>
24 #include <vpp/app/version.h>
26 #include <vlibapi/api.h>
27 #include <vlibmemory/api.h>
29 /* define message IDs */
30 #include <acl/acl_msg_enum.h>
32 /* define message structures */
34 #include <acl/acl_all_api_h.h>
37 /* define generated endian-swappers */
39 #include <acl/acl_all_api_h.h>
42 /* instantiate all the print functions we know about */
43 #define vl_print(handle, ...) vlib_cli_output (handle, __VA_ARGS__)
45 #include <acl/acl_all_api_h.h>
48 /* Get the API version number */
49 #define vl_api_version(n,v) static u32 api_version=(v);
50 #include <acl/acl_all_api_h.h>
54 #include "hash_lookup.h"
58 #define REPLY_MSG_ID_BASE am->msg_id_base
59 #include <vlibapi/api_helper_macros.h>
61 /* List of message types that this plugin understands */
63 #define foreach_acl_plugin_api_msg \
64 _(ACL_PLUGIN_GET_VERSION, acl_plugin_get_version) \
65 _(ACL_PLUGIN_CONTROL_PING, acl_plugin_control_ping) \
66 _(ACL_ADD_REPLACE, acl_add_replace) \
68 _(ACL_INTERFACE_ADD_DEL, acl_interface_add_del) \
69 _(ACL_INTERFACE_SET_ACL_LIST, acl_interface_set_acl_list) \
70 _(ACL_DUMP, acl_dump) \
71 _(ACL_INTERFACE_LIST_DUMP, acl_interface_list_dump) \
72 _(MACIP_ACL_ADD, macip_acl_add) \
73 _(MACIP_ACL_ADD_REPLACE, macip_acl_add_replace) \
74 _(MACIP_ACL_DEL, macip_acl_del) \
75 _(MACIP_ACL_INTERFACE_ADD_DEL, macip_acl_interface_add_del) \
76 _(MACIP_ACL_DUMP, macip_acl_dump) \
77 _(MACIP_ACL_INTERFACE_GET, macip_acl_interface_get) \
78 _(MACIP_ACL_INTERFACE_LIST_DUMP, macip_acl_interface_list_dump)
82 VLIB_PLUGIN_REGISTER () = {
83 .version = VPP_BUILD_VER,
84 .description = "Access Control Lists",
90 acl_set_heap (acl_main_t * am)
92 if (0 == am->acl_mheap)
94 am->acl_mheap = mheap_alloc (0 /* use VM */ , am->acl_mheap_size);
95 mheap_t *h = mheap_header (am->acl_mheap);
96 h->flags |= MHEAP_FLAG_THREAD_SAFE;
98 void *oldheap = clib_mem_set_heap (am->acl_mheap);
103 acl_plugin_acl_set_validate_heap (acl_main_t * am, int on)
105 clib_mem_set_heap (acl_set_heap (am));
106 mheap_t *h = mheap_header (am->acl_mheap);
109 h->flags |= MHEAP_FLAG_VALIDATE;
110 h->flags &= ~MHEAP_FLAG_SMALL_OBJECT_CACHE;
115 h->flags &= ~MHEAP_FLAG_VALIDATE;
116 h->flags |= MHEAP_FLAG_SMALL_OBJECT_CACHE;
121 acl_plugin_acl_set_trace_heap (acl_main_t * am, int on)
123 clib_mem_set_heap (acl_set_heap (am));
124 mheap_t *h = mheap_header (am->acl_mheap);
127 h->flags |= MHEAP_FLAG_TRACE;
131 h->flags &= ~MHEAP_FLAG_TRACE;
136 vl_api_acl_plugin_get_version_t_handler (vl_api_acl_plugin_get_version_t * mp)
138 acl_main_t *am = &acl_main;
139 vl_api_acl_plugin_get_version_reply_t *rmp;
140 int msg_size = sizeof (*rmp);
141 vl_api_registration_t *reg;
143 reg = vl_api_client_index_to_registration (mp->client_index);
147 rmp = vl_msg_api_alloc (msg_size);
148 memset (rmp, 0, msg_size);
150 ntohs (VL_API_ACL_PLUGIN_GET_VERSION_REPLY + am->msg_id_base);
151 rmp->context = mp->context;
152 rmp->major = htonl (ACL_PLUGIN_VERSION_MAJOR);
153 rmp->minor = htonl (ACL_PLUGIN_VERSION_MINOR);
155 vl_api_send_msg (reg, (u8 *) rmp);
159 vl_api_acl_plugin_control_ping_t_handler (vl_api_acl_plugin_control_ping_t *
162 vl_api_acl_plugin_control_ping_reply_t *rmp;
163 acl_main_t *am = &acl_main;
167 REPLY_MACRO2 (VL_API_ACL_PLUGIN_CONTROL_PING_REPLY,
169 rmp->vpe_pid = ntohl (getpid ());
175 acl_add_list (u32 count, vl_api_acl_rule_t rules[],
176 u32 * acl_list_index, u8 * tag)
178 acl_main_t *am = &acl_main;
181 acl_rule_t *acl_new_rules = 0;
184 if (*acl_list_index != ~0)
186 /* They supplied some number, let's see if this ACL exists */
187 if (pool_is_free_index (am->acls, *acl_list_index))
189 /* tried to replace a non-existent ACL, no point doing anything */
191 ("acl-plugin-error: Trying to replace nonexistent ACL %d (tag %s)",
192 *acl_list_index, tag);
193 return VNET_API_ERROR_NO_SUCH_ENTRY;
199 ("acl-plugin-warning: supplied no rules for ACL %d (tag %s)",
200 *acl_list_index, tag);
203 void *oldheap = acl_set_heap (am);
205 /* Create and populate the rules */
207 vec_validate (acl_new_rules, count - 1);
209 for (i = 0; i < count; i++)
211 r = vec_elt_at_index (acl_new_rules, i);
212 memset (r, 0, sizeof (*r));
213 r->is_permit = rules[i].is_permit;
214 r->is_ipv6 = rules[i].is_ipv6;
217 memcpy (&r->src, rules[i].src_ip_addr, sizeof (r->src));
218 memcpy (&r->dst, rules[i].dst_ip_addr, sizeof (r->dst));
222 memcpy (&r->src.ip4, rules[i].src_ip_addr, sizeof (r->src.ip4));
223 memcpy (&r->dst.ip4, rules[i].dst_ip_addr, sizeof (r->dst.ip4));
225 r->src_prefixlen = rules[i].src_ip_prefix_len;
226 r->dst_prefixlen = rules[i].dst_ip_prefix_len;
227 r->proto = rules[i].proto;
228 r->src_port_or_type_first = ntohs (rules[i].srcport_or_icmptype_first);
229 r->src_port_or_type_last = ntohs (rules[i].srcport_or_icmptype_last);
230 r->dst_port_or_code_first = ntohs (rules[i].dstport_or_icmpcode_first);
231 r->dst_port_or_code_last = ntohs (rules[i].dstport_or_icmpcode_last);
232 r->tcp_flags_value = rules[i].tcp_flags_value;
233 r->tcp_flags_mask = rules[i].tcp_flags_mask;
236 if (~0 == *acl_list_index)
239 pool_get_aligned (am->acls, a, CLIB_CACHE_LINE_BYTES);
240 memset (a, 0, sizeof (*a));
241 /* Will return the newly allocated ACL index */
242 *acl_list_index = a - am->acls;
246 a = am->acls + *acl_list_index;
247 hash_acl_delete (am, *acl_list_index);
248 /* Get rid of the old rules */
252 a->rules = acl_new_rules;
254 memcpy (a->tag, tag, sizeof (a->tag));
255 hash_acl_add (am, *acl_list_index);
256 clib_mem_set_heap (oldheap);
261 acl_del_list (u32 acl_list_index)
263 acl_main_t *am = &acl_main;
266 if (pool_is_free_index (am->acls, acl_list_index))
268 return VNET_API_ERROR_NO_SUCH_ENTRY;
271 if (acl_list_index < vec_len (am->input_sw_if_index_vec_by_acl))
273 if (vec_len (vec_elt (am->input_sw_if_index_vec_by_acl, acl_list_index))
276 /* ACL is applied somewhere inbound. Refuse to delete */
277 return VNET_API_ERROR_ACL_IN_USE_INBOUND;
280 if (acl_list_index < vec_len (am->output_sw_if_index_vec_by_acl))
283 (vec_elt (am->output_sw_if_index_vec_by_acl, acl_list_index)) > 0)
285 /* ACL is applied somewhere outbound. Refuse to delete */
286 return VNET_API_ERROR_ACL_IN_USE_OUTBOUND;
290 void *oldheap = acl_set_heap (am);
291 /* delete any references to the ACL */
292 for (i = 0; i < vec_len (am->output_acl_vec_by_sw_if_index); i++)
294 for (ii = 0; ii < vec_len (am->output_acl_vec_by_sw_if_index[i]);
297 if (acl_list_index == am->output_acl_vec_by_sw_if_index[i][ii])
299 vec_del1 (am->output_acl_vec_by_sw_if_index[i], ii);
307 for (i = 0; i < vec_len (am->input_acl_vec_by_sw_if_index); i++)
309 for (ii = 0; ii < vec_len (am->input_acl_vec_by_sw_if_index[i]);
312 if (acl_list_index == am->input_acl_vec_by_sw_if_index[i][ii])
314 vec_del1 (am->input_acl_vec_by_sw_if_index[i], ii);
322 /* delete the hash table data */
324 hash_acl_delete (am, acl_list_index);
325 /* now we can delete the ACL itself */
326 a = pool_elt_at_index (am->acls, acl_list_index);
330 pool_put (am->acls, a);
331 clib_mem_set_heap (oldheap);
335 /* Some aids in ASCII graphing the content */
342 u8 ip4_5tuple_mask[] =
343 _(" dmac smac etype ")
344 _(ether) __ __ __ __ __ __ v __ __ __ __ __ __ v __ __ v
351 _(" ttl pr checksum ")
360 _("L4 T/U sport dport ")
370 u8 ip6_5tuple_mask[] =
371 _(" dmac smac etype ")
372 _(ether) __ __ __ __ __ __ v __ __ __ __ __ __ v __ __ v
374 _(0x0000) __ __ __ __
376 _(0x0004) __ __ XX __
378 _(0x0008) XX XX XX XX
379 _(0x000C) XX XX XX XX
380 _(0x0010) XX XX XX XX
381 _(0x0014) XX XX XX XX
383 _(0x0018) XX XX XX XX
384 _(0x001C) XX XX XX XX
385 _(0x0020) XX XX XX XX
386 _(0x0024) XX XX XX XX
387 _("L4T/U sport dport ")
388 _(tcpudp) XX XX XX XX _(padpad) __ __ __ __ _(padeth) __ __;
390 u8 dot1q_5tuple_mask[] =
391 _(" dmac smac dot1q etype ")
392 _(ether) __ __ __ __ __ __ v __ __ __ __ __ __ v XX XX __ __ v XX XX v
393 _(padpad) __ __ __ __
394 _(padpad) __ __ __ __
395 _(padpad) __ __ __ __
398 u8 dot1ad_5tuple_mask[] =
399 _(" dmac smac dot1ad dot1q etype ")
400 _(ether) __ __ __ __ __ __ v __ __ __ __ __ __ v XX XX __ __ XX XX __ __ v XX XX v
401 _(padpad) __ __ __ __
402 _(padpad) __ __ __ __
412 count_skip (u8 * p, u32 size)
414 u64 *p64 = (u64 *) p;
415 /* Be tolerant to null pointer */
419 while ((0ULL == *p64) && ((u8 *) p64 - p) < size)
423 return (p64 - (u64 *) p) / 2;
427 acl_classify_add_del_table_tiny (vnet_classify_main_t * cm, u8 * mask,
428 u32 mask_len, u32 next_table_index,
429 u32 miss_next_index, u32 * table_index,
433 u32 memory_size = 2 << 13;
434 u32 skip = count_skip (mask, mask_len);
435 u32 match = (mask_len / 16) - skip;
436 u8 *skip_mask_ptr = mask + 16 * skip;
437 u32 current_data_flag = 0;
438 int current_data_offset = 0;
442 void *oldheap = clib_mem_set_heap (cm->vlib_main->heap_base);
443 int ret = vnet_classify_add_del_table (cm, skip_mask_ptr, nbuckets,
444 memory_size, skip, match,
445 next_table_index, miss_next_index,
446 table_index, current_data_flag,
447 current_data_offset, is_add,
448 1 /* delete_chain */ );
449 clib_mem_set_heap (oldheap);
454 acl_classify_add_del_table_small (vnet_classify_main_t * cm, u8 * mask,
455 u32 mask_len, u32 next_table_index,
456 u32 miss_next_index, u32 * table_index,
460 u32 memory_size = 2 << 22;
461 u32 skip = count_skip (mask, mask_len);
462 u32 match = (mask_len / 16) - skip;
463 u8 *skip_mask_ptr = mask + 16 * skip;
464 u32 current_data_flag = 0;
465 int current_data_offset = 0;
470 void *oldheap = clib_mem_set_heap (cm->vlib_main->heap_base);
471 int ret = vnet_classify_add_del_table (cm, skip_mask_ptr, nbuckets,
472 memory_size, skip, match,
473 next_table_index, miss_next_index,
474 table_index, current_data_flag,
475 current_data_offset, is_add,
476 1 /* delete_chain */ );
477 clib_mem_set_heap (oldheap);
482 acl_unhook_l2_input_classify (acl_main_t * am, u32 sw_if_index)
484 vnet_classify_main_t *cm = &vnet_classify_main;
485 u32 ip4_table_index = ~0;
486 u32 ip6_table_index = ~0;
487 u32 dot1q_table_index = ~0;
488 u32 dot1ad_table_index = ~0;
489 void *oldheap = acl_set_heap (am);
491 vec_validate_init_empty (am->acl_ip4_input_classify_table_by_sw_if_index,
493 vec_validate_init_empty (am->acl_ip6_input_classify_table_by_sw_if_index,
495 vec_validate_init_empty (am->acl_dot1q_input_classify_table_by_sw_if_index,
497 vec_validate_init_empty (am->acl_dot1ad_input_classify_table_by_sw_if_index,
500 /* switch to global heap while calling vnet_* functions */
501 clib_mem_set_heap (cm->vlib_main->heap_base);
502 vnet_l2_input_classify_enable_disable (sw_if_index, 0);
504 if (am->acl_ip4_input_classify_table_by_sw_if_index[sw_if_index] != ~0)
507 am->acl_ip4_input_classify_table_by_sw_if_index[sw_if_index];
508 am->acl_ip4_input_classify_table_by_sw_if_index[sw_if_index] = ~0;
509 acl_classify_add_del_table_tiny (cm, ip4_5tuple_mask,
510 sizeof (ip4_5tuple_mask) - 1, ~0,
511 am->l2_input_classify_next_acl_ip4,
512 &ip4_table_index, 0);
514 if (am->acl_ip6_input_classify_table_by_sw_if_index[sw_if_index] != ~0)
517 am->acl_ip6_input_classify_table_by_sw_if_index[sw_if_index];
518 am->acl_ip6_input_classify_table_by_sw_if_index[sw_if_index] = ~0;
519 acl_classify_add_del_table_tiny (cm, ip6_5tuple_mask,
520 sizeof (ip6_5tuple_mask) - 1, ~0,
521 am->l2_input_classify_next_acl_ip6,
522 &ip6_table_index, 0);
524 if (am->acl_dot1q_input_classify_table_by_sw_if_index[sw_if_index] != ~0)
527 am->acl_dot1q_input_classify_table_by_sw_if_index[sw_if_index];
528 am->acl_dot1q_input_classify_table_by_sw_if_index[sw_if_index] = ~0;
529 acl_classify_add_del_table_tiny (cm, ip6_5tuple_mask,
530 sizeof (ip6_5tuple_mask) - 1, ~0,
531 ~0, &dot1q_table_index, 0);
533 if (am->acl_dot1ad_input_classify_table_by_sw_if_index[sw_if_index] != ~0)
536 am->acl_dot1ad_input_classify_table_by_sw_if_index[sw_if_index];
537 am->acl_dot1ad_input_classify_table_by_sw_if_index[sw_if_index] = ~0;
538 acl_classify_add_del_table_tiny (cm, dot1ad_5tuple_mask,
539 sizeof (dot1ad_5tuple_mask) - 1, ~0,
540 ~0, &dot1ad_table_index, 0);
542 clib_mem_set_heap (oldheap);
547 acl_unhook_l2_output_classify (acl_main_t * am, u32 sw_if_index)
549 vnet_classify_main_t *cm = &vnet_classify_main;
550 u32 ip4_table_index = ~0;
551 u32 ip6_table_index = ~0;
552 u32 dot1q_table_index = ~0;
553 u32 dot1ad_table_index = ~0;
554 void *oldheap = acl_set_heap (am);
556 vec_validate_init_empty (am->acl_ip4_output_classify_table_by_sw_if_index,
558 vec_validate_init_empty (am->acl_ip6_output_classify_table_by_sw_if_index,
560 vec_validate_init_empty (am->acl_dot1q_output_classify_table_by_sw_if_index,
562 vec_validate_init_empty
563 (am->acl_dot1ad_output_classify_table_by_sw_if_index, sw_if_index, ~0);
565 /* switch to global heap while calling vnet_* functions */
566 clib_mem_set_heap (cm->vlib_main->heap_base);
568 vnet_l2_output_classify_enable_disable (sw_if_index, 0);
570 if (am->acl_ip4_output_classify_table_by_sw_if_index[sw_if_index] != ~0)
573 am->acl_ip4_output_classify_table_by_sw_if_index[sw_if_index];
574 am->acl_ip4_output_classify_table_by_sw_if_index[sw_if_index] = ~0;
575 acl_classify_add_del_table_tiny (cm, ip4_5tuple_mask,
576 sizeof (ip4_5tuple_mask) - 1, ~0,
577 am->l2_output_classify_next_acl_ip4,
578 &ip4_table_index, 0);
580 if (am->acl_ip6_output_classify_table_by_sw_if_index[sw_if_index] != ~0)
583 am->acl_ip6_output_classify_table_by_sw_if_index[sw_if_index];
584 am->acl_ip6_output_classify_table_by_sw_if_index[sw_if_index] = ~0;
585 acl_classify_add_del_table_tiny (cm, ip6_5tuple_mask,
586 sizeof (ip6_5tuple_mask) - 1, ~0,
587 am->l2_output_classify_next_acl_ip6,
588 &ip6_table_index, 0);
590 if (am->acl_dot1q_output_classify_table_by_sw_if_index[sw_if_index] != ~0)
593 am->acl_dot1q_output_classify_table_by_sw_if_index[sw_if_index];
594 am->acl_dot1q_output_classify_table_by_sw_if_index[sw_if_index] = ~0;
595 acl_classify_add_del_table_tiny (cm, ip6_5tuple_mask,
596 sizeof (ip6_5tuple_mask) - 1, ~0,
597 ~0, &dot1q_table_index, 0);
599 if (am->acl_dot1ad_output_classify_table_by_sw_if_index[sw_if_index] != ~0)
602 am->acl_dot1ad_output_classify_table_by_sw_if_index[sw_if_index];
603 am->acl_dot1ad_output_classify_table_by_sw_if_index[sw_if_index] = ~0;
604 acl_classify_add_del_table_tiny (cm, dot1ad_5tuple_mask,
605 sizeof (dot1ad_5tuple_mask) - 1, ~0,
606 ~0, &dot1ad_table_index, 0);
608 clib_mem_set_heap (oldheap);
613 acl_add_vlan_session (acl_main_t * am, u32 table_index, u8 is_output,
614 u8 is_dot1ad, u8 is_ip6)
616 vnet_classify_main_t *cm = &vnet_classify_main;
626 l2_output_classify_next_acl_ip6 : am->l2_input_classify_next_acl_ip6;
632 l2_output_classify_next_acl_ip4 : am->l2_input_classify_next_acl_ip4;
634 match = (is_dot1ad) ? dot1ad_5tuple_mask : dot1q_5tuple_mask;
635 idx = (is_dot1ad) ? 20 : 16;
638 /* 802.1ad ethertype */
641 /* 802.1q ethertype */
647 /* 802.1q ethertype */
652 /* add sessions to vlan tables per ethernet_type */
656 match[idx + 1] = 0xdd;
662 match[idx + 1] = 0x00;
665 vnet_classify_add_del_session (cm, table_index, match, next_acl,
666 session_idx, 0, 0, 0, 1);
667 /* reset the mask back to being a mask */
669 match[idx + 1] = 0xff;
680 acl_hook_l2_input_classify (acl_main_t * am, u32 sw_if_index)
682 vnet_classify_main_t *cm = &vnet_classify_main;
683 u32 ip4_table_index = ~0;
684 u32 ip6_table_index = ~0;
685 u32 dot1q_table_index = ~0;
686 u32 dot1ad_table_index = ~0;
689 void *prevheap = clib_mem_set_heap (cm->vlib_main->heap_base);
691 /* in case there were previous tables attached */
692 acl_unhook_l2_input_classify (am, sw_if_index);
694 acl_classify_add_del_table_tiny (cm, ip4_5tuple_mask,
695 sizeof (ip4_5tuple_mask) - 1, ~0,
696 am->l2_input_classify_next_acl_ip4,
697 &ip4_table_index, 1);
702 acl_classify_add_del_table_tiny (cm, ip6_5tuple_mask,
703 sizeof (ip6_5tuple_mask) - 1, ~0,
704 am->l2_input_classify_next_acl_ip6,
705 &ip6_table_index, 1);
708 acl_classify_add_del_table_tiny (cm, ip4_5tuple_mask,
709 sizeof (ip4_5tuple_mask) - 1, ~0,
710 am->l2_input_classify_next_acl_ip4,
711 &ip4_table_index, 0);
716 acl_classify_add_del_table_tiny (cm, dot1ad_5tuple_mask,
717 sizeof (dot1ad_5tuple_mask) - 1, ~0,
718 ~0, &dot1ad_table_index, 1);
720 acl_classify_add_del_table_tiny (cm, dot1q_5tuple_mask,
721 sizeof (dot1q_5tuple_mask) - 1,
722 dot1ad_table_index, ~0,
723 &dot1q_table_index, 1);
726 acl_classify_add_del_table_tiny (cm, dot1ad_5tuple_mask,
727 sizeof (dot1ad_5tuple_mask) - 1, ~0,
728 ~0, &dot1ad_table_index, 0);
729 acl_classify_add_del_table_tiny (cm, ip6_5tuple_mask,
730 sizeof (ip6_5tuple_mask) - 1, ~0,
731 am->l2_input_classify_next_acl_ip6,
732 &ip6_table_index, 0);
733 acl_classify_add_del_table_tiny (cm, ip4_5tuple_mask,
734 sizeof (ip4_5tuple_mask) - 1, ~0,
735 am->l2_input_classify_next_acl_ip4,
736 &ip4_table_index, 0);
741 vnet_l2_input_classify_set_tables (sw_if_index, ip4_table_index,
742 ip6_table_index, dot1q_table_index);
746 acl_classify_add_del_table_tiny (cm, ip4_5tuple_mask,
747 sizeof (ip4_5tuple_mask) - 1, ~0,
748 am->l2_input_classify_next_acl_ip4,
749 &ip4_table_index, 0);
750 acl_classify_add_del_table_tiny (cm, ip6_5tuple_mask,
751 sizeof (ip6_5tuple_mask) - 1, ~0,
752 am->l2_input_classify_next_acl_ip6,
753 &ip6_table_index, 0);
754 acl_classify_add_del_table_tiny (cm, dot1q_5tuple_mask,
755 sizeof (dot1q_5tuple_mask) - 1, ~0,
756 ~0, &dot1q_table_index, 0);
757 acl_classify_add_del_table_tiny (cm, dot1ad_5tuple_mask,
758 sizeof (dot1ad_5tuple_mask) - 1, ~0,
759 ~0, &dot1ad_table_index, 0);
763 /* add sessions to vlan tables per ethernet_type */
764 acl_add_vlan_session (am, dot1q_table_index, 0, 0, 0);
765 acl_add_vlan_session (am, dot1q_table_index, 0, 0, 1);
766 acl_add_vlan_session (am, dot1ad_table_index, 0, 1, 0);
767 acl_add_vlan_session (am, dot1ad_table_index, 0, 1, 1);
769 am->acl_ip4_input_classify_table_by_sw_if_index[sw_if_index] =
771 am->acl_ip6_input_classify_table_by_sw_if_index[sw_if_index] =
773 am->acl_dot1q_input_classify_table_by_sw_if_index[sw_if_index] =
775 am->acl_dot1ad_input_classify_table_by_sw_if_index[sw_if_index] =
778 vnet_l2_input_classify_enable_disable (sw_if_index, 1);
780 clib_mem_set_heap (prevheap);
785 acl_hook_l2_output_classify (acl_main_t * am, u32 sw_if_index)
787 vnet_classify_main_t *cm = &vnet_classify_main;
788 u32 ip4_table_index = ~0;
789 u32 ip6_table_index = ~0;
790 u32 dot1q_table_index = ~0;
791 u32 dot1ad_table_index = ~0;
794 void *prevheap = clib_mem_set_heap (cm->vlib_main->heap_base);
796 /* in case there were previous tables attached */
797 acl_unhook_l2_output_classify (am, sw_if_index);
799 acl_classify_add_del_table_tiny (cm, ip4_5tuple_mask,
800 sizeof (ip4_5tuple_mask) - 1, ~0,
801 am->l2_output_classify_next_acl_ip4,
802 &ip4_table_index, 1);
806 acl_classify_add_del_table_tiny (cm, ip6_5tuple_mask,
807 sizeof (ip6_5tuple_mask) - 1, ~0,
808 am->l2_output_classify_next_acl_ip6,
809 &ip6_table_index, 1);
812 acl_classify_add_del_table_tiny (cm, ip4_5tuple_mask,
813 sizeof (ip4_5tuple_mask) - 1, ~0,
814 am->l2_output_classify_next_acl_ip4,
815 &ip4_table_index, 0);
820 acl_classify_add_del_table_tiny (cm, dot1ad_5tuple_mask,
821 sizeof (dot1ad_5tuple_mask) - 1, ~0,
822 ~0, &dot1ad_table_index, 1);
824 acl_classify_add_del_table_tiny (cm, dot1q_5tuple_mask,
825 sizeof (dot1q_5tuple_mask) - 1,
826 dot1ad_table_index, ~0,
827 &dot1q_table_index, 1);
830 acl_classify_add_del_table_tiny (cm, dot1ad_5tuple_mask,
831 sizeof (dot1ad_5tuple_mask) - 1, ~0,
832 ~0, &dot1ad_table_index, 0);
833 acl_classify_add_del_table_tiny (cm, ip6_5tuple_mask,
834 sizeof (ip6_5tuple_mask) - 1, ~0,
835 am->l2_output_classify_next_acl_ip6,
836 &ip6_table_index, 0);
837 acl_classify_add_del_table_tiny (cm, ip4_5tuple_mask,
838 sizeof (ip4_5tuple_mask) - 1, ~0,
839 am->l2_output_classify_next_acl_ip4,
840 &ip4_table_index, 0);
845 vnet_l2_output_classify_set_tables (sw_if_index, ip4_table_index,
846 ip6_table_index, dot1q_table_index);
849 ("ACL enabling on interface sw_if_index %d, setting tables to the following: ip4: %d ip6: %d\n",
850 sw_if_index, ip4_table_index, ip6_table_index);
853 acl_classify_add_del_table_tiny (cm, ip6_5tuple_mask,
854 sizeof (ip6_5tuple_mask) - 1, ~0,
855 am->l2_output_classify_next_acl_ip6,
856 &ip6_table_index, 0);
857 acl_classify_add_del_table_tiny (cm, ip4_5tuple_mask,
858 sizeof (ip4_5tuple_mask) - 1, ~0,
859 am->l2_output_classify_next_acl_ip4,
860 &ip4_table_index, 0);
861 acl_classify_add_del_table_tiny (cm, dot1q_5tuple_mask,
862 sizeof (dot1q_5tuple_mask) - 1, ~0,
863 ~0, &dot1q_table_index, 0);
864 acl_classify_add_del_table_tiny (cm, dot1ad_5tuple_mask,
865 sizeof (dot1ad_5tuple_mask) - 1, ~0,
866 ~0, &dot1ad_table_index, 0);
870 /* add sessions to vlan tables per ethernet_type */
871 acl_add_vlan_session (am, dot1q_table_index, 1, 0, 0);
872 acl_add_vlan_session (am, dot1q_table_index, 1, 0, 1);
873 acl_add_vlan_session (am, dot1ad_table_index, 1, 1, 0);
874 acl_add_vlan_session (am, dot1ad_table_index, 1, 1, 1);
876 am->acl_ip4_output_classify_table_by_sw_if_index[sw_if_index] =
878 am->acl_ip6_output_classify_table_by_sw_if_index[sw_if_index] =
880 am->acl_dot1q_output_classify_table_by_sw_if_index[sw_if_index] =
882 am->acl_dot1ad_output_classify_table_by_sw_if_index[sw_if_index] =
885 vnet_l2_output_classify_enable_disable (sw_if_index, 1);
887 clib_mem_set_heap (prevheap);
892 acl_interface_in_enable_disable (acl_main_t * am, u32 sw_if_index,
898 if (pool_is_free_index (am->vnet_main->interface_main.sw_interfaces,
900 return VNET_API_ERROR_INVALID_SW_IF_INDEX;
902 acl_fa_enable_disable (sw_if_index, 1, enable_disable);
906 rv = acl_hook_l2_input_classify (am, sw_if_index);
910 rv = acl_unhook_l2_input_classify (am, sw_if_index);
917 acl_interface_out_enable_disable (acl_main_t * am, u32 sw_if_index,
923 if (pool_is_free_index (am->vnet_main->interface_main.sw_interfaces,
925 return VNET_API_ERROR_INVALID_SW_IF_INDEX;
927 acl_fa_enable_disable (sw_if_index, 0, enable_disable);
931 rv = acl_hook_l2_output_classify (am, sw_if_index);
935 rv = acl_unhook_l2_output_classify (am, sw_if_index);
942 acl_is_not_defined (acl_main_t * am, u32 acl_list_index)
944 return (pool_is_free_index (am->acls, acl_list_index));
949 acl_interface_add_inout_acl (u32 sw_if_index, u8 is_input, u32 acl_list_index)
951 acl_main_t *am = &acl_main;
952 if (acl_is_not_defined (am, acl_list_index))
954 /* ACL is not defined. Can not apply */
955 return VNET_API_ERROR_NO_SUCH_ENTRY;
957 void *oldheap = acl_set_heap (am);
961 vec_validate (am->input_acl_vec_by_sw_if_index, sw_if_index);
963 u32 index = vec_search (am->input_acl_vec_by_sw_if_index[sw_if_index],
965 if (index < vec_len (am->input_acl_vec_by_sw_if_index[sw_if_index]))
968 ("ACL %d is already applied inbound on sw_if_index %d (index %d)",
969 acl_list_index, sw_if_index, index);
970 /* the entry is already there */
971 clib_mem_set_heap (oldheap);
972 return VNET_API_ERROR_ACL_IN_USE_INBOUND;
974 /* if there was no ACL applied before, enable the ACL processing */
975 if (vec_len (am->input_acl_vec_by_sw_if_index[sw_if_index]) == 0)
977 acl_interface_in_enable_disable (am, sw_if_index, 1);
979 vec_add (am->input_acl_vec_by_sw_if_index[sw_if_index], &acl_list_index,
981 vec_validate (am->input_sw_if_index_vec_by_acl, acl_list_index);
982 vec_add (am->input_sw_if_index_vec_by_acl[acl_list_index], &sw_if_index,
987 vec_validate (am->output_acl_vec_by_sw_if_index, sw_if_index);
989 u32 index = vec_search (am->output_acl_vec_by_sw_if_index[sw_if_index],
991 if (index < vec_len (am->output_acl_vec_by_sw_if_index[sw_if_index]))
994 ("ACL %d is already applied outbound on sw_if_index %d (index %d)",
995 acl_list_index, sw_if_index, index);
996 /* the entry is already there */
997 clib_mem_set_heap (oldheap);
998 return VNET_API_ERROR_ACL_IN_USE_OUTBOUND;
1000 /* if there was no ACL applied before, enable the ACL processing */
1001 if (vec_len (am->output_acl_vec_by_sw_if_index[sw_if_index]) == 0)
1003 acl_interface_out_enable_disable (am, sw_if_index, 1);
1005 vec_add (am->output_acl_vec_by_sw_if_index[sw_if_index],
1006 &acl_list_index, 1);
1007 vec_validate (am->output_sw_if_index_vec_by_acl, acl_list_index);
1008 vec_add (am->output_sw_if_index_vec_by_acl[acl_list_index],
1011 clib_mem_set_heap (oldheap);
1017 acl_interface_del_inout_acl (u32 sw_if_index, u8 is_input, u32 acl_list_index)
1019 acl_main_t *am = &acl_main;
1021 int rv = VNET_API_ERROR_NO_SUCH_ENTRY;
1022 void *oldheap = acl_set_heap (am);
1025 vec_validate (am->input_acl_vec_by_sw_if_index, sw_if_index);
1026 for (i = 0; i < vec_len (am->input_acl_vec_by_sw_if_index[sw_if_index]);
1029 if (acl_list_index ==
1030 am->input_acl_vec_by_sw_if_index[sw_if_index][i])
1032 vec_del1 (am->input_acl_vec_by_sw_if_index[sw_if_index], i);
1038 if (acl_list_index < vec_len (am->input_sw_if_index_vec_by_acl))
1041 vec_search (am->input_sw_if_index_vec_by_acl[acl_list_index],
1044 vec_len (am->input_sw_if_index_vec_by_acl[acl_list_index]))
1046 hash_acl_unapply (am, sw_if_index, is_input, acl_list_index);
1047 vec_del1 (am->input_sw_if_index_vec_by_acl[acl_list_index],
1052 /* If there is no more ACLs applied on an interface, disable ACL processing */
1053 if (0 == vec_len (am->input_acl_vec_by_sw_if_index[sw_if_index]))
1055 acl_interface_in_enable_disable (am, sw_if_index, 0);
1060 vec_validate (am->output_acl_vec_by_sw_if_index, sw_if_index);
1062 i < vec_len (am->output_acl_vec_by_sw_if_index[sw_if_index]); i++)
1064 if (acl_list_index ==
1065 am->output_acl_vec_by_sw_if_index[sw_if_index][i])
1067 vec_del1 (am->output_acl_vec_by_sw_if_index[sw_if_index], i);
1073 if (acl_list_index < vec_len (am->output_sw_if_index_vec_by_acl))
1076 vec_search (am->output_sw_if_index_vec_by_acl[acl_list_index],
1079 vec_len (am->output_sw_if_index_vec_by_acl[acl_list_index]))
1081 hash_acl_unapply (am, sw_if_index, is_input, acl_list_index);
1082 vec_del1 (am->output_sw_if_index_vec_by_acl[acl_list_index],
1087 /* If there is no more ACLs applied on an interface, disable ACL processing */
1088 if (0 == vec_len (am->output_acl_vec_by_sw_if_index[sw_if_index]))
1090 acl_interface_out_enable_disable (am, sw_if_index, 0);
1093 clib_mem_set_heap (oldheap);
1098 acl_interface_reset_inout_acls (u32 sw_if_index, u8 is_input)
1100 acl_main_t *am = &acl_main;
1102 void *oldheap = acl_set_heap (am);
1105 vec_validate (am->input_acl_vec_by_sw_if_index, sw_if_index);
1106 if (vec_len (am->input_acl_vec_by_sw_if_index[sw_if_index]) > 0)
1108 acl_interface_in_enable_disable (am, sw_if_index, 0);
1111 for (i = vec_len (am->input_acl_vec_by_sw_if_index[sw_if_index]) - 1;
1114 u32 acl_list_index =
1115 am->input_acl_vec_by_sw_if_index[sw_if_index][i];
1116 hash_acl_unapply (am, sw_if_index, is_input, acl_list_index);
1117 if (acl_list_index < vec_len (am->input_sw_if_index_vec_by_acl))
1120 vec_search (am->input_sw_if_index_vec_by_acl[acl_list_index],
1123 vec_len (am->input_sw_if_index_vec_by_acl[acl_list_index]))
1125 vec_del1 (am->input_sw_if_index_vec_by_acl[acl_list_index],
1131 vec_reset_length (am->input_acl_vec_by_sw_if_index[sw_if_index]);
1135 vec_validate (am->output_acl_vec_by_sw_if_index, sw_if_index);
1136 if (vec_len (am->output_acl_vec_by_sw_if_index[sw_if_index]) > 0)
1138 acl_interface_out_enable_disable (am, sw_if_index, 0);
1141 for (i = vec_len (am->output_acl_vec_by_sw_if_index[sw_if_index]) - 1;
1144 u32 acl_list_index =
1145 am->output_acl_vec_by_sw_if_index[sw_if_index][i];
1146 hash_acl_unapply (am, sw_if_index, is_input, acl_list_index);
1147 if (acl_list_index < vec_len (am->output_sw_if_index_vec_by_acl))
1150 vec_search (am->output_sw_if_index_vec_by_acl[acl_list_index],
1153 vec_len (am->output_sw_if_index_vec_by_acl[acl_list_index]))
1155 vec_del1 (am->output_sw_if_index_vec_by_acl[acl_list_index],
1161 vec_reset_length (am->output_acl_vec_by_sw_if_index[sw_if_index]);
1163 clib_mem_set_heap (oldheap);
1167 acl_interface_add_del_inout_acl (u32 sw_if_index, u8 is_add, u8 is_input,
1170 int rv = VNET_API_ERROR_NO_SUCH_ENTRY;
1171 acl_main_t *am = &acl_main;
1175 acl_interface_add_inout_acl (sw_if_index, is_input, acl_list_index);
1178 hash_acl_apply (am, sw_if_index, is_input, acl_list_index);
1183 hash_acl_unapply (am, sw_if_index, is_input, acl_list_index);
1185 acl_interface_del_inout_acl (sw_if_index, is_input, acl_list_index);
1199 u32 arp_table_index;
1200 u32 dot1q_table_index;
1201 u32 dot1ad_table_index;
1203 u32 out_table_index;
1204 u32 out_arp_table_index;
1205 u32 out_dot1q_table_index;
1206 u32 out_dot1ad_table_index;
1207 } macip_match_type_t;
1210 macip_find_match_type (macip_match_type_t * mv, u8 * mac_mask, u8 prefix_len,
1216 for (i = 0; i < vec_len (mv); i++)
1218 if ((mv[i].prefix_len == prefix_len) && (mv[i].is_ipv6 == is_ipv6)
1219 && (0 == memcmp (mv[i].mac_mask, mac_mask, 6)))
1229 /* Get metric used to sort match types.
1230 The more specific and the more often seen - the bigger the metric */
1232 match_type_metric (macip_match_type_t * m)
1234 unsigned int mac_bits_set = 0;
1235 unsigned int mac_byte;
1237 for (i = 0; i < 6; i++)
1239 mac_byte = m->mac_mask[i];
1240 for (; mac_byte; mac_byte >>= 1)
1241 mac_bits_set += mac_byte & 1;
1244 * Attempt to place the more specific and the more used rules on top.
1245 * There are obvious caveat corner cases to this, but they do not
1246 * seem to be sensible in real world (e.g. specific IPv4 with wildcard MAC
1247 * going with a wildcard IPv4 with a specific MAC).
1249 return m->prefix_len + mac_bits_set + m->is_ipv6 + 10 * m->count;
1253 match_type_compare (macip_match_type_t * m1, macip_match_type_t * m2)
1255 /* Ascending sort based on the metric values */
1256 return match_type_metric (m1) - match_type_metric (m2);
1259 /* Get the offset of L3 source within ethernet packet */
1261 get_l3_src_offset (int is6)
1264 return (sizeof (ethernet_header_t) +
1265 offsetof (ip6_header_t, src_address));
1267 return (sizeof (ethernet_header_t) +
1268 offsetof (ip4_header_t, src_address));
1272 get_l3_dst_offset (int is6)
1275 return (sizeof (ethernet_header_t) +
1276 offsetof (ip6_header_t, dst_address));
1278 return (sizeof (ethernet_header_t) +
1279 offsetof (ip4_header_t, dst_address));
1283 * return if the is_permit value also requires to create the egress tables
1284 * For backwards compatibility, we keep the is_permit = 1 to only
1285 * create the ingress tables, and the new value of 3 will also
1286 * create the egress tables based on destination.
1289 macip_permit_also_egress (u8 is_permit)
1291 return (is_permit == 3);
1295 macip_create_classify_tables (acl_main_t * am, u32 macip_acl_index)
1297 macip_match_type_t *mvec = NULL;
1298 macip_match_type_t *mt;
1299 macip_acl_list_t *a = pool_elt_at_index (am->macip_acls, macip_acl_index);
1301 u32 match_type_index;
1305 vnet_classify_main_t *cm = &vnet_classify_main;
1307 /* Count the number of different types of rules */
1308 for (i = 0; i < a->count; i++)
1312 macip_find_match_type (mvec, a->rules[i].src_mac_mask,
1313 a->rules[i].src_prefixlen,
1314 a->rules[i].is_ipv6)))
1316 match_type_index = vec_len (mvec);
1317 vec_validate (mvec, match_type_index);
1318 memcpy (mvec[match_type_index].mac_mask,
1319 a->rules[i].src_mac_mask, 6);
1320 mvec[match_type_index].prefix_len = a->rules[i].src_prefixlen;
1321 mvec[match_type_index].is_ipv6 = a->rules[i].is_ipv6;
1322 mvec[match_type_index].has_egress = 0;
1323 mvec[match_type_index].table_index = ~0;
1324 mvec[match_type_index].arp_table_index = ~0;
1325 mvec[match_type_index].dot1q_table_index = ~0;
1326 mvec[match_type_index].dot1ad_table_index = ~0;
1327 mvec[match_type_index].out_table_index = ~0;
1328 mvec[match_type_index].out_arp_table_index = ~0;
1329 mvec[match_type_index].out_dot1q_table_index = ~0;
1330 mvec[match_type_index].out_dot1ad_table_index = ~0;
1332 mvec[match_type_index].count++;
1333 mvec[match_type_index].has_egress |=
1334 macip_permit_also_egress (a->rules[i].is_permit);
1336 /* Put the most frequently used tables last in the list so we can create classifier tables in reverse order */
1337 vec_sort_with_function (mvec, match_type_compare);
1338 /* Create the classifier tables */
1340 out_last_table = ~0;
1341 /* First add ARP tables */
1342 vec_foreach (mt, mvec)
1345 int is6 = mt->is_ipv6;
1351 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1352 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1353 | Destination Address |
1354 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1356 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
1358 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1359 | EtherType | Hardware Type |
1360 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1361 | Protocol Type | Hw addr len | Proto addr len|
1362 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1364 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
1365 | Sender Hardware Address |
1366 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1367 | Sender Protocol Address |
1368 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1369 | Target Hardware Address |
1370 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1371 | | TargetProtocolAddress |
1372 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1374 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1376 memset (mask, 0, sizeof (mask));
1377 /* source MAC address */
1378 memcpy (&mask[6], mt->mac_mask, 6);
1379 memset (&mask[12], 0xff, 2); /* ethernet protocol */
1380 /* sender hardware address within ARP */
1381 memcpy (&mask[14 + 8], mt->mac_mask, 6);
1382 /* sender protocol address within ARP */
1383 for (i = 0; i < (mt->prefix_len / 8); i++)
1384 mask[14 + 14 + i] = 0xff;
1385 if (mt->prefix_len % 8)
1386 mask[14 + 14 + (mt->prefix_len / 8)] =
1387 0xff - ((1 << (8 - mt->prefix_len % 8)) - 1);
1389 mask_len = ((14 + 14 + ((mt->prefix_len + 7) / 8) +
1390 (sizeof (u32x4) - 1)) / sizeof (u32x4)) * sizeof (u32x4);
1391 acl_classify_add_del_table_small (cm, mask, mask_len, last_table,
1392 (~0 == last_table) ? 0 : ~0,
1393 &mt->arp_table_index, 1);
1394 last_table = mt->arp_table_index;
1397 /* egress ARP table */
1398 memset (mask, 0, sizeof (mask));
1399 // memcpy (&mask[0], mt->mac_mask, 6);
1400 memset (&mask[12], 0xff, 2); /* ethernet protocol */
1401 /* AYXX: FIXME here - can we tighten the ARP-related table more ? */
1402 /* mask captures just the destination and the ethertype */
1405 1)) / sizeof (u32x4)) * sizeof (u32x4);
1406 acl_classify_add_del_table_small (cm, mask, mask_len,
1408 (~0 == out_last_table) ? 0 : ~0,
1409 &mt->out_arp_table_index, 1);
1410 out_last_table = mt->out_arp_table_index;
1414 /* Now add IP[46] tables */
1415 vec_foreach (mt, mvec)
1418 int is6 = mt->is_ipv6;
1422 u32 *last_tag_table;
1423 u32 *out_last_tag_table;
1426 * create chained tables for VLAN (no-tags, dot1q and dot1ad) packets
1428 for (tags = 2; tags >= 0; tags--)
1430 memset (mask, 0, sizeof (mask));
1431 memcpy (&mask[6], mt->mac_mask, 6);
1432 l3_src_offs = tags * 4 + get_l3_src_offset (is6);
1437 memset (&mask[12], 0xff, 2); /* ethernet protocol */
1438 last_tag_table = &mt->table_index;
1441 memset (&mask[12], 0xff, 2); /* VLAN tag1 */
1442 memset (&mask[16], 0xff, 2); /* ethernet protocol */
1443 last_tag_table = &mt->dot1q_table_index;
1446 memset (&mask[12], 0xff, 2); /* VLAN tag1 */
1447 memset (&mask[16], 0xff, 2); /* VLAN tag2 */
1448 memset (&mask[20], 0xff, 2); /* ethernet protocol */
1449 last_tag_table = &mt->dot1ad_table_index;
1452 for (i = 0; i < (mt->prefix_len / 8); i++)
1454 mask[l3_src_offs + i] = 0xff;
1456 if (mt->prefix_len % 8)
1458 mask[l3_src_offs + (mt->prefix_len / 8)] =
1459 0xff - ((1 << (8 - mt->prefix_len % 8)) - 1);
1462 * Round-up the number of bytes needed to store the prefix,
1463 * and round up the number of vectors too
1465 mask_len = ((l3_src_offs + ((mt->prefix_len + 7) / 8) +
1466 (sizeof (u32x4) - 1)) / sizeof (u32x4)) * sizeof (u32x4);
1467 acl_classify_add_del_table_small (cm, mask, mask_len, last_table,
1468 (~0 == last_table) ? 0 : ~0,
1470 last_table = *last_tag_table;
1474 for (tags = 2; tags >= 0; tags--)
1476 memset (mask, 0, sizeof (mask));
1477 /* MAC destination */
1478 memcpy (&mask[0], mt->mac_mask, 6);
1479 l3_dst_offs = tags * 4 + get_l3_dst_offset (is6);
1484 memset (&mask[12], 0xff, 2); /* ethernet protocol */
1485 out_last_tag_table = &mt->out_table_index;
1488 memset (&mask[12], 0xff, 2); /* VLAN tag1 */
1489 memset (&mask[16], 0xff, 2); /* ethernet protocol */
1490 out_last_tag_table = &mt->out_dot1q_table_index;
1493 memset (&mask[12], 0xff, 2); /* VLAN tag1 */
1494 memset (&mask[16], 0xff, 2); /* VLAN tag2 */
1495 memset (&mask[20], 0xff, 2); /* ethernet protocol */
1496 out_last_tag_table = &mt->out_dot1ad_table_index;
1499 for (i = 0; i < (mt->prefix_len / 8); i++)
1501 mask[l3_dst_offs + i] = 0xff;
1503 if (mt->prefix_len % 8)
1505 mask[l3_dst_offs + (mt->prefix_len / 8)] =
1506 0xff - ((1 << (8 - mt->prefix_len % 8)) - 1);
1509 * Round-up the number of bytes needed to store the prefix,
1510 * and round up the number of vectors too
1512 mask_len = ((l3_dst_offs + ((mt->prefix_len + 7) / 8) +
1514 1)) / sizeof (u32x4)) * sizeof (u32x4);
1515 acl_classify_add_del_table_small (cm, mask, mask_len,
1517 (~0 == out_last_table) ? 0 : ~0,
1518 out_last_tag_table, 1);
1519 out_last_table = *out_last_tag_table;
1523 a->ip4_table_index = last_table;
1524 a->ip6_table_index = last_table;
1525 a->l2_table_index = last_table;
1527 a->out_ip4_table_index = out_last_table;
1528 a->out_ip6_table_index = out_last_table;
1529 a->out_l2_table_index = out_last_table;
1531 /* Populate the classifier tables with rules from the MACIP ACL */
1532 for (i = 0; i < a->count; i++)
1536 int is6 = a->rules[i].is_ipv6;
1543 macip_find_match_type (mvec, a->rules[i].src_mac_mask,
1544 a->rules[i].src_prefixlen,
1545 a->rules[i].is_ipv6);
1546 ASSERT (match_type_index != ~0);
1548 for (tags = 2; tags >= 0; tags--)
1550 memset (mask, 0, sizeof (mask));
1551 l3_src_offs = tags * 4 + get_l3_src_offset (is6);
1552 memcpy (&mask[6], a->rules[i].src_mac, 6);
1557 tag_table = mvec[match_type_index].table_index;
1561 tag_table = mvec[match_type_index].dot1q_table_index;
1567 tag_table = mvec[match_type_index].dot1ad_table_index;
1577 memcpy (&mask[l3_src_offs], &a->rules[i].src_ip_addr.ip6, 16);
1579 mask[eth + 1] = 0xdd;
1583 memcpy (&mask[l3_src_offs], &a->rules[i].src_ip_addr.ip4, 4);
1585 mask[eth + 1] = 0x00;
1588 /* add session to table mvec[match_type_index].table_index; */
1589 vnet_classify_add_del_session (cm, tag_table,
1590 mask, a->rules[i].is_permit ? ~0 : 0,
1591 i, 0, action, metadata, 1);
1592 memset (&mask[12], 0, sizeof (mask) - 12);
1595 /* add ARP table entry too */
1596 if (!is6 && (mvec[match_type_index].arp_table_index != ~0))
1598 memset (mask, 0, sizeof (mask));
1599 memcpy (&mask[6], a->rules[i].src_mac, 6);
1602 memcpy (&mask[14 + 8], a->rules[i].src_mac, 6);
1603 memcpy (&mask[14 + 14], &a->rules[i].src_ip_addr.ip4, 4);
1604 vnet_classify_add_del_session (cm,
1606 [match_type_index].arp_table_index,
1607 mask, a->rules[i].is_permit ? ~0 : 0,
1608 i, 0, action, metadata, 1);
1610 if (macip_permit_also_egress (a->rules[i].is_permit))
1612 /* Add the egress entry with destination set */
1613 for (tags = 2; tags >= 0; tags--)
1615 memset (mask, 0, sizeof (mask));
1616 l3_dst_offs = tags * 4 + get_l3_dst_offset (is6);
1617 /* src mac in the other direction becomes dst */
1618 memcpy (&mask[0], a->rules[i].src_mac, 6);
1623 tag_table = mvec[match_type_index].out_table_index;
1627 tag_table = mvec[match_type_index].out_dot1q_table_index;
1633 tag_table = mvec[match_type_index].out_dot1ad_table_index;
1643 memcpy (&mask[l3_dst_offs], &a->rules[i].src_ip_addr.ip6,
1646 mask[eth + 1] = 0xdd;
1650 memcpy (&mask[l3_dst_offs], &a->rules[i].src_ip_addr.ip4,
1653 mask[eth + 1] = 0x00;
1656 /* add session to table mvec[match_type_index].table_index; */
1657 vnet_classify_add_del_session (cm, tag_table,
1659 a->rules[i].is_permit ? ~0 : 0,
1660 i, 0, action, metadata, 1);
1661 // memset (&mask[12], 0, sizeof (mask) - 12);
1664 /* add ARP table entry too */
1665 if (!is6 && (mvec[match_type_index].out_arp_table_index != ~0))
1667 memset (mask, 0, sizeof (mask));
1668 memcpy (&mask[0], a->rules[i].src_mac, 6);
1671 vnet_classify_add_del_session (cm,
1673 [match_type_index].out_arp_table_index,
1675 a->rules[i].is_permit ? ~0 : 0,
1676 i, 0, action, metadata, 1);
1684 macip_destroy_classify_tables (acl_main_t * am, u32 macip_acl_index)
1686 vnet_classify_main_t *cm = &vnet_classify_main;
1687 macip_acl_list_t *a = pool_elt_at_index (am->macip_acls, macip_acl_index);
1689 if (a->ip4_table_index != ~0)
1691 acl_classify_add_del_table_small (cm, 0, ~0, ~0, ~0,
1692 &a->ip4_table_index, 0);
1693 a->ip4_table_index = ~0;
1695 if (a->ip6_table_index != ~0)
1697 acl_classify_add_del_table_small (cm, 0, ~0, ~0, ~0,
1698 &a->ip6_table_index, 0);
1699 a->ip6_table_index = ~0;
1701 if (a->l2_table_index != ~0)
1703 acl_classify_add_del_table_small (cm, 0, ~0, ~0, ~0, &a->l2_table_index,
1705 a->l2_table_index = ~0;
1710 macip_maybe_apply_unapply_classifier_tables (acl_main_t * am, u32 acl_index,
1716 macip_acl_list_t *a = pool_elt_at_index (am->macip_acls, acl_index);
1718 for (i = 0; i < vec_len (am->macip_acl_by_sw_if_index); i++)
1719 if (vec_elt (am->macip_acl_by_sw_if_index, i) == acl_index)
1721 rv0 = vnet_set_input_acl_intfc (am->vlib_main, i, a->ip4_table_index,
1722 a->ip6_table_index, a->l2_table_index,
1724 /* return the first unhappy outcome but make try to plough through. */
1727 vnet_set_output_acl_intfc (am->vlib_main, i, a->out_ip4_table_index,
1728 a->out_ip6_table_index,
1729 a->out_l2_table_index, is_apply);
1730 /* return the first unhappy outcome but make try to plough through. */
1737 macip_acl_add_list (u32 count, vl_api_macip_acl_rule_t rules[],
1738 u32 * acl_list_index, u8 * tag)
1740 acl_main_t *am = &acl_main;
1741 macip_acl_list_t *a;
1742 macip_acl_rule_t *r;
1743 macip_acl_rule_t *acl_new_rules = 0;
1747 if (*acl_list_index != ~0)
1749 /* They supplied some number, let's see if this MACIP ACL exists */
1750 if (pool_is_free_index (am->macip_acls, *acl_list_index))
1752 /* tried to replace a non-existent ACL, no point doing anything */
1754 ("acl-plugin-error: Trying to replace nonexistent MACIP ACL %d (tag %s)",
1755 *acl_list_index, tag);
1756 return VNET_API_ERROR_NO_SUCH_ENTRY;
1763 ("acl-plugin-warning: Trying to create empty MACIP ACL (tag %s)",
1766 /* if replacing the ACL, unapply the classifier tables first - they will be gone.. */
1767 if (~0 != *acl_list_index)
1768 rv = macip_maybe_apply_unapply_classifier_tables (am, *acl_list_index, 0);
1769 void *oldheap = acl_set_heap (am);
1770 /* Create and populate the rules */
1772 vec_validate (acl_new_rules, count - 1);
1774 for (i = 0; i < count; i++)
1776 r = &acl_new_rules[i];
1777 r->is_permit = rules[i].is_permit;
1778 r->is_ipv6 = rules[i].is_ipv6;
1779 memcpy (&r->src_mac, rules[i].src_mac, 6);
1780 memcpy (&r->src_mac_mask, rules[i].src_mac_mask, 6);
1781 if (rules[i].is_ipv6)
1782 memcpy (&r->src_ip_addr.ip6, rules[i].src_ip_addr, 16);
1784 memcpy (&r->src_ip_addr.ip4, rules[i].src_ip_addr, 4);
1785 r->src_prefixlen = rules[i].src_ip_prefix_len;
1788 if (~0 == *acl_list_index)
1791 pool_get_aligned (am->macip_acls, a, CLIB_CACHE_LINE_BYTES);
1792 memset (a, 0, sizeof (*a));
1793 /* Will return the newly allocated ACL index */
1794 *acl_list_index = a - am->macip_acls;
1798 a = pool_elt_at_index (am->macip_acls, *acl_list_index);
1801 vec_free (a->rules);
1803 macip_destroy_classify_tables (am, *acl_list_index);
1806 a->rules = acl_new_rules;
1808 memcpy (a->tag, tag, sizeof (a->tag));
1810 /* Create and populate the classifer tables */
1811 macip_create_classify_tables (am, *acl_list_index);
1812 clib_mem_set_heap (oldheap);
1813 /* If the ACL was already applied somewhere, reapply the newly created tables */
1815 || macip_maybe_apply_unapply_classifier_tables (am, *acl_list_index, 1);
1820 /* No check for validity of sw_if_index - the callers were supposed to validate */
1823 macip_acl_interface_del_acl (acl_main_t * am, u32 sw_if_index)
1826 u32 macip_acl_index;
1827 macip_acl_list_t *a;
1828 void *oldheap = acl_set_heap (am);
1829 vec_validate_init_empty (am->macip_acl_by_sw_if_index, sw_if_index, ~0);
1830 clib_mem_set_heap (oldheap);
1831 macip_acl_index = am->macip_acl_by_sw_if_index[sw_if_index];
1832 /* No point in deleting MACIP ACL which is not applied */
1833 if (~0 == macip_acl_index)
1834 return VNET_API_ERROR_NO_SUCH_ENTRY;
1835 a = pool_elt_at_index (am->macip_acls, macip_acl_index);
1836 /* remove the classifier tables off the interface L2 ACL */
1838 vnet_set_input_acl_intfc (am->vlib_main, sw_if_index, a->ip4_table_index,
1839 a->ip6_table_index, a->l2_table_index, 0);
1841 vnet_set_output_acl_intfc (am->vlib_main, sw_if_index,
1842 a->out_ip4_table_index, a->out_ip6_table_index,
1843 a->out_l2_table_index, 0);
1844 /* Unset the MACIP ACL index */
1845 am->macip_acl_by_sw_if_index[sw_if_index] = ~0;
1849 /* No check for validity of sw_if_index - the callers were supposed to validate */
1852 macip_acl_interface_add_acl (acl_main_t * am, u32 sw_if_index,
1853 u32 macip_acl_index)
1855 macip_acl_list_t *a;
1857 if (pool_is_free_index (am->macip_acls, macip_acl_index))
1859 return VNET_API_ERROR_NO_SUCH_ENTRY;
1861 void *oldheap = acl_set_heap (am);
1862 a = pool_elt_at_index (am->macip_acls, macip_acl_index);
1863 vec_validate_init_empty (am->macip_acl_by_sw_if_index, sw_if_index, ~0);
1864 clib_mem_set_heap (oldheap);
1865 /* If there already a MACIP ACL applied, unapply it */
1866 if (~0 != am->macip_acl_by_sw_if_index[sw_if_index])
1867 macip_acl_interface_del_acl (am, sw_if_index);
1868 am->macip_acl_by_sw_if_index[sw_if_index] = macip_acl_index;
1870 /* Apply the classifier tables for L2 ACLs */
1872 vnet_set_input_acl_intfc (am->vlib_main, sw_if_index, a->ip4_table_index,
1873 a->ip6_table_index, a->l2_table_index, 1);
1875 vnet_set_output_acl_intfc (am->vlib_main, sw_if_index,
1876 a->out_ip4_table_index, a->out_ip6_table_index,
1877 a->out_l2_table_index, 1);
1882 macip_acl_del_list (u32 acl_list_index)
1884 acl_main_t *am = &acl_main;
1885 macip_acl_list_t *a;
1887 if (pool_is_free_index (am->macip_acls, acl_list_index))
1889 return VNET_API_ERROR_NO_SUCH_ENTRY;
1892 /* delete any references to the ACL */
1893 for (i = 0; i < vec_len (am->macip_acl_by_sw_if_index); i++)
1895 if (am->macip_acl_by_sw_if_index[i] == acl_list_index)
1897 macip_acl_interface_del_acl (am, i);
1901 void *oldheap = acl_set_heap (am);
1902 /* Now that classifier tables are detached, clean them up */
1903 macip_destroy_classify_tables (am, acl_list_index);
1905 /* now we can delete the ACL itself */
1906 a = pool_elt_at_index (am->macip_acls, acl_list_index);
1909 vec_free (a->rules);
1911 pool_put (am->macip_acls, a);
1912 clib_mem_set_heap (oldheap);
1918 macip_acl_interface_add_del_acl (u32 sw_if_index, u8 is_add,
1921 acl_main_t *am = &acl_main;
1925 rv = macip_acl_interface_add_acl (am, sw_if_index, acl_list_index);
1929 rv = macip_acl_interface_del_acl (am, sw_if_index);
1935 * If the client does not allocate enough memory for a variable-length
1936 * message, and then proceed to use it as if the full memory allocated,
1937 * absent the check we happily consume that on the VPP side, and go
1938 * along as if nothing happened. However, the resulting
1939 * effects range from just garbage in the API decode
1940 * (because the decoder snoops too far), to potential memory
1943 * This verifies that the actual length of the message is
1944 * at least expected_len, and complains loudly if it is not.
1946 * A failing check here is 100% a software bug on the API user side,
1947 * so we might as well yell.
1951 verify_message_len (void *mp, u32 expected_len, char *where)
1953 u32 supplied_len = vl_msg_api_get_msg_length (mp);
1954 if (supplied_len < expected_len)
1956 clib_warning ("%s: Supplied message length %d is less than expected %d",
1957 where, supplied_len, expected_len);
1966 /* API message handler */
1968 vl_api_acl_add_replace_t_handler (vl_api_acl_add_replace_t * mp)
1970 vl_api_acl_add_replace_reply_t *rmp;
1971 acl_main_t *am = &acl_main;
1973 u32 acl_list_index = ntohl (mp->acl_index);
1974 u32 acl_count = ntohl (mp->count);
1975 u32 expected_len = sizeof (*mp) + acl_count * sizeof (mp->r[0]);
1977 if (verify_message_len (mp, expected_len, "acl_add_replace"))
1979 rv = acl_add_list (acl_count, mp->r, &acl_list_index, mp->tag);
1983 rv = VNET_API_ERROR_INVALID_VALUE;
1987 REPLY_MACRO2(VL_API_ACL_ADD_REPLACE_REPLY,
1989 rmp->acl_index = htonl(acl_list_index);
1995 vl_api_acl_del_t_handler (vl_api_acl_del_t * mp)
1997 acl_main_t *am = &acl_main;
1998 vl_api_acl_del_reply_t *rmp;
2001 rv = acl_del_list (ntohl (mp->acl_index));
2003 REPLY_MACRO (VL_API_ACL_DEL_REPLY);
2007 vl_api_acl_interface_add_del_t_handler (vl_api_acl_interface_add_del_t * mp)
2009 acl_main_t *am = &acl_main;
2010 vnet_interface_main_t *im = &am->vnet_main->interface_main;
2011 u32 sw_if_index = ntohl (mp->sw_if_index);
2012 vl_api_acl_interface_add_del_reply_t *rmp;
2015 if (pool_is_free_index (im->sw_interfaces, sw_if_index))
2016 rv = VNET_API_ERROR_INVALID_SW_IF_INDEX;
2019 acl_interface_add_del_inout_acl (sw_if_index, mp->is_add,
2020 mp->is_input, ntohl (mp->acl_index));
2022 REPLY_MACRO (VL_API_ACL_INTERFACE_ADD_DEL_REPLY);
2026 vl_api_acl_interface_set_acl_list_t_handler
2027 (vl_api_acl_interface_set_acl_list_t * mp)
2029 acl_main_t *am = &acl_main;
2030 vl_api_acl_interface_set_acl_list_reply_t *rmp;
2033 vnet_interface_main_t *im = &am->vnet_main->interface_main;
2034 u32 sw_if_index = ntohl (mp->sw_if_index);
2036 if (pool_is_free_index (im->sw_interfaces, sw_if_index))
2037 rv = VNET_API_ERROR_INVALID_SW_IF_INDEX;
2040 acl_interface_reset_inout_acls (sw_if_index, 0);
2041 acl_interface_reset_inout_acls (sw_if_index, 1);
2043 for (i = 0; i < mp->count; i++)
2045 if (acl_is_not_defined (am, ntohl (mp->acls[i])))
2047 /* ACL does not exist, so we can not apply it */
2048 rv = VNET_API_ERROR_NO_SUCH_ENTRY;
2053 for (i = 0; i < mp->count; i++)
2055 acl_interface_add_del_inout_acl (sw_if_index, 1,
2057 ntohl (mp->acls[i]));
2062 REPLY_MACRO (VL_API_ACL_INTERFACE_SET_ACL_LIST_REPLY);
2066 copy_acl_rule_to_api_rule (vl_api_acl_rule_t * api_rule, acl_rule_t * r)
2068 api_rule->is_permit = r->is_permit;
2069 api_rule->is_ipv6 = r->is_ipv6;
2072 memcpy (api_rule->src_ip_addr, &r->src, sizeof (r->src));
2073 memcpy (api_rule->dst_ip_addr, &r->dst, sizeof (r->dst));
2077 memcpy (api_rule->src_ip_addr, &r->src.ip4, sizeof (r->src.ip4));
2078 memcpy (api_rule->dst_ip_addr, &r->dst.ip4, sizeof (r->dst.ip4));
2080 api_rule->src_ip_prefix_len = r->src_prefixlen;
2081 api_rule->dst_ip_prefix_len = r->dst_prefixlen;
2082 api_rule->proto = r->proto;
2083 api_rule->srcport_or_icmptype_first = htons (r->src_port_or_type_first);
2084 api_rule->srcport_or_icmptype_last = htons (r->src_port_or_type_last);
2085 api_rule->dstport_or_icmpcode_first = htons (r->dst_port_or_code_first);
2086 api_rule->dstport_or_icmpcode_last = htons (r->dst_port_or_code_last);
2087 api_rule->tcp_flags_mask = r->tcp_flags_mask;
2088 api_rule->tcp_flags_value = r->tcp_flags_value;
2092 send_acl_details (acl_main_t * am, vl_api_registration_t * reg,
2093 acl_list_t * acl, u32 context)
2095 vl_api_acl_details_t *mp;
2096 vl_api_acl_rule_t *rules;
2098 int msg_size = sizeof (*mp) + sizeof (mp->r[0]) * acl->count;
2099 void *oldheap = acl_set_heap (am);
2101 mp = vl_msg_api_alloc (msg_size);
2102 memset (mp, 0, msg_size);
2103 mp->_vl_msg_id = ntohs (VL_API_ACL_DETAILS + am->msg_id_base);
2105 /* fill in the message */
2106 mp->context = context;
2107 mp->count = htonl (acl->count);
2108 mp->acl_index = htonl (acl - am->acls);
2109 memcpy (mp->tag, acl->tag, sizeof (mp->tag));
2110 // clib_memcpy (mp->r, acl->rules, acl->count * sizeof(acl->rules[0]));
2112 for (i = 0; i < acl->count; i++)
2114 copy_acl_rule_to_api_rule (&rules[i], &acl->rules[i]);
2117 clib_mem_set_heap (oldheap);
2118 vl_api_send_msg (reg, (u8 *) mp);
2123 vl_api_acl_dump_t_handler (vl_api_acl_dump_t * mp)
2125 acl_main_t *am = &acl_main;
2129 vl_api_registration_t *reg;
2131 reg = vl_api_client_index_to_registration (mp->client_index);
2135 if (mp->acl_index == ~0)
2138 /* Just dump all ACLs */
2139 pool_foreach (acl, am->acls,
2141 send_acl_details(am, reg, acl, mp->context);
2147 acl_index = ntohl (mp->acl_index);
2148 if (!pool_is_free_index (am->acls, acl_index))
2150 acl = pool_elt_at_index (am->acls, acl_index);
2151 send_acl_details (am, reg, acl, mp->context);
2157 /* FIXME API: should we signal an error here at all ? */
2163 send_acl_interface_list_details (acl_main_t * am,
2164 vl_api_registration_t * reg,
2165 u32 sw_if_index, u32 context)
2167 vl_api_acl_interface_list_details_t *mp;
2173 void *oldheap = acl_set_heap (am);
2175 vec_validate (am->input_acl_vec_by_sw_if_index, sw_if_index);
2176 vec_validate (am->output_acl_vec_by_sw_if_index, sw_if_index);
2178 n_input = vec_len (am->input_acl_vec_by_sw_if_index[sw_if_index]);
2179 n_output = vec_len (am->output_acl_vec_by_sw_if_index[sw_if_index]);
2180 count = n_input + n_output;
2182 msg_size = sizeof (*mp);
2183 msg_size += sizeof (mp->acls[0]) * count;
2185 mp = vl_msg_api_alloc (msg_size);
2186 memset (mp, 0, msg_size);
2188 ntohs (VL_API_ACL_INTERFACE_LIST_DETAILS + am->msg_id_base);
2190 /* fill in the message */
2191 mp->context = context;
2192 mp->sw_if_index = htonl (sw_if_index);
2194 mp->n_input = n_input;
2195 for (i = 0; i < n_input; i++)
2197 mp->acls[i] = htonl (am->input_acl_vec_by_sw_if_index[sw_if_index][i]);
2199 for (i = 0; i < n_output; i++)
2201 mp->acls[n_input + i] =
2202 htonl (am->output_acl_vec_by_sw_if_index[sw_if_index][i]);
2204 clib_mem_set_heap (oldheap);
2205 vl_api_send_msg (reg, (u8 *) mp);
2209 vl_api_acl_interface_list_dump_t_handler (vl_api_acl_interface_list_dump_t *
2212 acl_main_t *am = &acl_main;
2213 vnet_sw_interface_t *swif;
2214 vnet_interface_main_t *im = &am->vnet_main->interface_main;
2217 vl_api_registration_t *reg;
2219 reg = vl_api_client_index_to_registration (mp->client_index);
2223 if (mp->sw_if_index == ~0)
2226 pool_foreach (swif, im->sw_interfaces,
2228 send_acl_interface_list_details(am, reg, swif->sw_if_index, mp->context);
2234 sw_if_index = ntohl (mp->sw_if_index);
2235 if (!pool_is_free_index (im->sw_interfaces, sw_if_index))
2236 send_acl_interface_list_details (am, reg, sw_if_index, mp->context);
2240 /* MACIP ACL API handlers */
2243 vl_api_macip_acl_add_t_handler (vl_api_macip_acl_add_t * mp)
2245 vl_api_macip_acl_add_reply_t *rmp;
2246 acl_main_t *am = &acl_main;
2248 u32 acl_list_index = ~0;
2249 u32 acl_count = ntohl (mp->count);
2250 u32 expected_len = sizeof (*mp) + acl_count * sizeof (mp->r[0]);
2252 if (verify_message_len (mp, expected_len, "macip_acl_add"))
2254 rv = macip_acl_add_list (acl_count, mp->r, &acl_list_index, mp->tag);
2258 rv = VNET_API_ERROR_INVALID_VALUE;
2262 REPLY_MACRO2(VL_API_MACIP_ACL_ADD_REPLY,
2264 rmp->acl_index = htonl(acl_list_index);
2270 vl_api_macip_acl_add_replace_t_handler (vl_api_macip_acl_add_replace_t * mp)
2272 vl_api_macip_acl_add_replace_reply_t *rmp;
2273 acl_main_t *am = &acl_main;
2275 u32 acl_list_index = ntohl (mp->acl_index);
2276 u32 acl_count = ntohl (mp->count);
2277 u32 expected_len = sizeof (*mp) + acl_count * sizeof (mp->r[0]);
2279 if (verify_message_len (mp, expected_len, "macip_acl_add_replace"))
2281 rv = macip_acl_add_list (acl_count, mp->r, &acl_list_index, mp->tag);
2285 rv = VNET_API_ERROR_INVALID_VALUE;
2289 REPLY_MACRO2(VL_API_MACIP_ACL_ADD_REPLACE_REPLY,
2291 rmp->acl_index = htonl(acl_list_index);
2297 vl_api_macip_acl_del_t_handler (vl_api_macip_acl_del_t * mp)
2299 acl_main_t *am = &acl_main;
2300 vl_api_macip_acl_del_reply_t *rmp;
2303 rv = macip_acl_del_list (ntohl (mp->acl_index));
2305 REPLY_MACRO (VL_API_MACIP_ACL_DEL_REPLY);
2309 vl_api_macip_acl_interface_add_del_t_handler
2310 (vl_api_macip_acl_interface_add_del_t * mp)
2312 acl_main_t *am = &acl_main;
2313 vl_api_macip_acl_interface_add_del_reply_t *rmp;
2315 vnet_interface_main_t *im = &am->vnet_main->interface_main;
2316 u32 sw_if_index = ntohl (mp->sw_if_index);
2318 if (pool_is_free_index (im->sw_interfaces, sw_if_index))
2319 rv = VNET_API_ERROR_INVALID_SW_IF_INDEX;
2322 macip_acl_interface_add_del_acl (ntohl (mp->sw_if_index), mp->is_add,
2323 ntohl (mp->acl_index));
2325 REPLY_MACRO (VL_API_MACIP_ACL_INTERFACE_ADD_DEL_REPLY);
2329 send_macip_acl_details (acl_main_t * am, vl_api_registration_t * reg,
2330 macip_acl_list_t * acl, u32 context)
2332 vl_api_macip_acl_details_t *mp;
2333 vl_api_macip_acl_rule_t *rules;
2334 macip_acl_rule_t *r;
2336 int msg_size = sizeof (*mp) + (acl ? sizeof (mp->r[0]) * acl->count : 0);
2338 mp = vl_msg_api_alloc (msg_size);
2339 memset (mp, 0, msg_size);
2340 mp->_vl_msg_id = ntohs (VL_API_MACIP_ACL_DETAILS + am->msg_id_base);
2342 /* fill in the message */
2343 mp->context = context;
2346 memcpy (mp->tag, acl->tag, sizeof (mp->tag));
2347 mp->count = htonl (acl->count);
2348 mp->acl_index = htonl (acl - am->macip_acls);
2350 for (i = 0; i < acl->count; i++)
2353 rules[i].is_permit = r->is_permit;
2354 rules[i].is_ipv6 = r->is_ipv6;
2355 memcpy (rules[i].src_mac, &r->src_mac, sizeof (r->src_mac));
2356 memcpy (rules[i].src_mac_mask, &r->src_mac_mask,
2357 sizeof (r->src_mac_mask));
2359 memcpy (rules[i].src_ip_addr, &r->src_ip_addr.ip6,
2360 sizeof (r->src_ip_addr.ip6));
2362 memcpy (rules[i].src_ip_addr, &r->src_ip_addr.ip4,
2363 sizeof (r->src_ip_addr.ip4));
2364 rules[i].src_ip_prefix_len = r->src_prefixlen;
2369 /* No martini, no party - no ACL applied to this interface. */
2374 vl_api_send_msg (reg, (u8 *) mp);
2379 vl_api_macip_acl_dump_t_handler (vl_api_macip_acl_dump_t * mp)
2381 acl_main_t *am = &acl_main;
2382 macip_acl_list_t *acl;
2384 vl_api_registration_t *reg;
2386 reg = vl_api_client_index_to_registration (mp->client_index);
2390 if (mp->acl_index == ~0)
2392 /* Just dump all ACLs for now, with sw_if_index = ~0 */
2393 pool_foreach (acl, am->macip_acls, (
2395 send_macip_acl_details (am, reg,
2404 u32 acl_index = ntohl (mp->acl_index);
2405 if (!pool_is_free_index (am->macip_acls, acl_index))
2407 acl = pool_elt_at_index (am->macip_acls, acl_index);
2408 send_macip_acl_details (am, reg, acl, mp->context);
2414 vl_api_macip_acl_interface_get_t_handler (vl_api_macip_acl_interface_get_t *
2417 acl_main_t *am = &acl_main;
2418 vl_api_macip_acl_interface_get_reply_t *rmp;
2419 u32 count = vec_len (am->macip_acl_by_sw_if_index);
2420 int msg_size = sizeof (*rmp) + sizeof (rmp->acls[0]) * count;
2421 vl_api_registration_t *reg;
2424 reg = vl_api_client_index_to_registration (mp->client_index);
2428 rmp = vl_msg_api_alloc (msg_size);
2429 memset (rmp, 0, msg_size);
2431 ntohs (VL_API_MACIP_ACL_INTERFACE_GET_REPLY + am->msg_id_base);
2432 rmp->context = mp->context;
2433 rmp->count = htonl (count);
2434 for (i = 0; i < count; i++)
2436 rmp->acls[i] = htonl (am->macip_acl_by_sw_if_index[i]);
2439 vl_api_send_msg (reg, (u8 *) rmp);
2443 send_macip_acl_interface_list_details (acl_main_t * am,
2444 vl_api_registration_t * reg,
2446 u32 acl_index, u32 context)
2448 vl_api_macip_acl_interface_list_details_t *rmp;
2449 /* at this time there is only ever 1 mac ip acl per interface */
2450 int msg_size = sizeof (*rmp) + sizeof (rmp->acls[0]);
2452 rmp = vl_msg_api_alloc (msg_size);
2453 memset (rmp, 0, msg_size);
2455 ntohs (VL_API_MACIP_ACL_INTERFACE_LIST_DETAILS + am->msg_id_base);
2457 /* fill in the message */
2458 rmp->context = context;
2460 rmp->sw_if_index = htonl (sw_if_index);
2461 rmp->acls[0] = htonl (acl_index);
2463 vl_api_send_msg (reg, (u8 *) rmp);
2467 vl_api_macip_acl_interface_list_dump_t_handler
2468 (vl_api_macip_acl_interface_list_dump_t * mp)
2470 vl_api_registration_t *reg;
2471 acl_main_t *am = &acl_main;
2472 u32 sw_if_index = ntohl (mp->sw_if_index);
2474 reg = vl_api_client_index_to_registration (mp->client_index);
2478 if (sw_if_index == ~0)
2480 vec_foreach_index (sw_if_index, am->macip_acl_by_sw_if_index)
2482 if (~0 != am->macip_acl_by_sw_if_index[sw_if_index])
2484 send_macip_acl_interface_list_details (am, reg, sw_if_index,
2485 am->macip_acl_by_sw_if_index
2493 if (vec_len (am->macip_acl_by_sw_if_index) > sw_if_index)
2495 send_macip_acl_interface_list_details (am, reg, sw_if_index,
2496 am->macip_acl_by_sw_if_index
2497 [sw_if_index], mp->context);
2502 /* Set up the API message handling tables */
2503 static clib_error_t *
2504 acl_plugin_api_hookup (vlib_main_t * vm)
2506 acl_main_t *am = &acl_main;
2508 vl_msg_api_set_handlers((VL_API_##N + am->msg_id_base), \
2510 vl_api_##n##_t_handler, \
2512 vl_api_##n##_t_endian, \
2513 vl_api_##n##_t_print, \
2514 sizeof(vl_api_##n##_t), 1);
2515 foreach_acl_plugin_api_msg;
2521 #define vl_msg_name_crc_list
2522 #include <acl/acl_all_api_h.h>
2523 #undef vl_msg_name_crc_list
2526 setup_message_id_table (acl_main_t * am, api_main_t * apim)
2528 #define _(id,n,crc) \
2529 vl_msg_api_add_msg_name_crc (apim, #n "_" #crc, id + am->msg_id_base);
2530 foreach_vl_msg_name_crc_acl;
2535 acl_setup_fa_nodes (void)
2537 vlib_main_t *vm = vlib_get_main ();
2538 acl_main_t *am = &acl_main;
2539 vlib_node_t *n, *n4, *n6;
2541 n = vlib_get_node_by_name (vm, (u8 *) "l2-input-classify");
2542 n4 = vlib_get_node_by_name (vm, (u8 *) "acl-plugin-in-ip4-l2");
2543 n6 = vlib_get_node_by_name (vm, (u8 *) "acl-plugin-in-ip6-l2");
2546 am->l2_input_classify_next_acl_ip4 =
2547 vlib_node_add_next_with_slot (vm, n->index, n4->index, ~0);
2548 am->l2_input_classify_next_acl_ip6 =
2549 vlib_node_add_next_with_slot (vm, n->index, n6->index, ~0);
2551 feat_bitmap_init_next_nodes (vm, n4->index, L2INPUT_N_FEAT,
2552 l2input_get_feat_names (),
2553 am->fa_acl_in_ip4_l2_node_feat_next_node_index);
2555 feat_bitmap_init_next_nodes (vm, n6->index, L2INPUT_N_FEAT,
2556 l2input_get_feat_names (),
2557 am->fa_acl_in_ip6_l2_node_feat_next_node_index);
2560 n = vlib_get_node_by_name (vm, (u8 *) "l2-output-classify");
2561 n4 = vlib_get_node_by_name (vm, (u8 *) "acl-plugin-out-ip4-l2");
2562 n6 = vlib_get_node_by_name (vm, (u8 *) "acl-plugin-out-ip6-l2");
2564 am->l2_output_classify_next_acl_ip4 =
2565 vlib_node_add_next_with_slot (vm, n->index, n4->index, ~0);
2566 am->l2_output_classify_next_acl_ip6 =
2567 vlib_node_add_next_with_slot (vm, n->index, n6->index, ~0);
2569 feat_bitmap_init_next_nodes (vm, n4->index, L2OUTPUT_N_FEAT,
2570 l2output_get_feat_names (),
2571 am->fa_acl_out_ip4_l2_node_feat_next_node_index);
2573 feat_bitmap_init_next_nodes (vm, n6->index, L2OUTPUT_N_FEAT,
2574 l2output_get_feat_names (),
2575 am->fa_acl_out_ip6_l2_node_feat_next_node_index);
2579 acl_set_timeout_sec (int timeout_type, u32 value)
2581 acl_main_t *am = &acl_main;
2582 clib_time_t *ct = &am->vlib_main->clib_time;
2584 if (timeout_type < ACL_N_TIMEOUTS)
2586 am->session_timeout_sec[timeout_type] = value;
2590 clib_warning ("Unknown timeout type %d", timeout_type);
2593 am->session_timeout[timeout_type] =
2594 (u64) (((f64) value) / ct->seconds_per_clock);
2598 acl_set_session_max_entries (u32 value)
2600 acl_main_t *am = &acl_main;
2601 am->fa_conn_table_max_entries = value;
2605 acl_set_skip_ipv6_eh (u32 eh, u32 value)
2607 acl_main_t *am = &acl_main;
2609 if ((eh < 256) && (value < 2))
2611 am->fa_ipv6_known_eh_bitmap =
2612 clib_bitmap_set (am->fa_ipv6_known_eh_bitmap, eh, value);
2620 static clib_error_t *
2621 acl_sw_interface_add_del (vnet_main_t * vnm, u32 sw_if_index, u32 is_add)
2623 acl_main_t *am = &acl_main;
2624 if (0 == am->acl_mheap)
2626 /* ACL heap is not initialized, so definitely nothing to do. */
2631 vlib_process_signal_event (am->vlib_main, am->fa_cleaner_node_index,
2632 ACL_FA_CLEANER_DELETE_BY_SW_IF_INDEX,
2634 /* also unapply any ACLs in case the users did not do so. */
2635 macip_acl_interface_del_acl (am, sw_if_index);
2636 acl_interface_reset_inout_acls (sw_if_index, 0);
2637 acl_interface_reset_inout_acls (sw_if_index, 1);
2642 VNET_SW_INTERFACE_ADD_DEL_FUNCTION (acl_sw_interface_add_del);
2646 static clib_error_t *
2647 acl_set_aclplugin_fn (vlib_main_t * vm,
2648 unformat_input_t * input, vlib_cli_command_t * cmd)
2650 clib_error_t *error = 0;
2654 uword memory_size = 0;
2655 acl_main_t *am = &acl_main;
2657 if (unformat (input, "skip-ipv6-extension-header %u %u", &eh_val, &val))
2659 if (!acl_set_skip_ipv6_eh (eh_val, val))
2661 error = clib_error_return (0, "expecting eh=0..255, value=0..1");
2665 if (unformat (input, "use-hash-acl-matching %u", &val))
2667 am->use_hash_acl_matching = (val != 0);
2670 if (unformat (input, "l4-match-nonfirst-fragment %u", &val))
2672 am->l4_match_nonfirst_fragment = (val != 0);
2675 if (unformat (input, "heap"))
2677 if (unformat (input, "main"))
2679 if (unformat (input, "validate %u", &val))
2680 acl_plugin_acl_set_validate_heap (am, val);
2681 else if (unformat (input, "trace %u", &val))
2682 acl_plugin_acl_set_trace_heap (am, val);
2685 else if (unformat (input, "hash"))
2687 if (unformat (input, "validate %u", &val))
2688 acl_plugin_hash_acl_set_validate_heap (am, val);
2689 else if (unformat (input, "trace %u", &val))
2690 acl_plugin_hash_acl_set_trace_heap (am, val);
2695 if (unformat (input, "session"))
2697 if (unformat (input, "table"))
2699 /* The commands here are for tuning/testing. No user-serviceable parts inside */
2700 if (unformat (input, "max-entries"))
2702 if (!unformat (input, "%u", &val))
2704 error = clib_error_return (0,
2705 "expecting maximum number of entries, got `%U`",
2706 format_unformat_error, input);
2711 acl_set_session_max_entries (val);
2715 if (unformat (input, "hash-table-buckets"))
2717 if (!unformat (input, "%u", &val))
2719 error = clib_error_return (0,
2720 "expecting maximum number of hash table buckets, got `%U`",
2721 format_unformat_error, input);
2726 am->fa_conn_table_hash_num_buckets = val;
2730 if (unformat (input, "hash-table-memory"))
2732 if (!unformat (input, "%U", unformat_memory_size, &memory_size))
2734 error = clib_error_return (0,
2735 "expecting maximum amount of hash table memory, got `%U`",
2736 format_unformat_error, input);
2741 am->fa_conn_table_hash_memory_size = memory_size;
2745 if (unformat (input, "event-trace"))
2747 if (!unformat (input, "%u", &val))
2749 error = clib_error_return (0,
2750 "expecting trace level, got `%U`",
2751 format_unformat_error, input);
2756 am->trace_sessions = val;
2762 if (unformat (input, "timeout"))
2764 if (unformat (input, "udp"))
2766 if (unformat (input, "idle"))
2768 if (!unformat (input, "%u", &timeout))
2770 error = clib_error_return (0,
2771 "expecting timeout value in seconds, got `%U`",
2772 format_unformat_error,
2778 acl_set_timeout_sec (ACL_TIMEOUT_UDP_IDLE, timeout);
2783 if (unformat (input, "tcp"))
2785 if (unformat (input, "idle"))
2787 if (!unformat (input, "%u", &timeout))
2789 error = clib_error_return (0,
2790 "expecting timeout value in seconds, got `%U`",
2791 format_unformat_error,
2797 acl_set_timeout_sec (ACL_TIMEOUT_TCP_IDLE, timeout);
2801 if (unformat (input, "transient"))
2803 if (!unformat (input, "%u", &timeout))
2805 error = clib_error_return (0,
2806 "expecting timeout value in seconds, got `%U`",
2807 format_unformat_error,
2813 acl_set_timeout_sec (ACL_TIMEOUT_TCP_TRANSIENT,
2827 my_format_mac_address (u8 * s, va_list * args)
2829 u8 *a = va_arg (*args, u8 *);
2830 return format (s, "%02x:%02x:%02x:%02x:%02x:%02x",
2831 a[0], a[1], a[2], a[3], a[4], a[5]);
2835 my_macip_acl_rule_t_pretty_format (u8 * out, va_list * args)
2837 macip_acl_rule_t *a = va_arg (*args, macip_acl_rule_t *);
2839 out = format (out, "%s action %d ip %U/%d mac %U mask %U",
2840 a->is_ipv6 ? "ipv6" : "ipv4", a->is_permit,
2841 format_ip46_address, &a->src_ip_addr,
2842 a->is_ipv6 ? IP46_TYPE_IP6 : IP46_TYPE_IP4,
2844 my_format_mac_address, a->src_mac,
2845 my_format_mac_address, a->src_mac_mask);
2850 macip_acl_print (acl_main_t * am, u32 macip_acl_index)
2852 vlib_main_t *vm = am->vlib_main;
2855 /* Don't try to print someone else's memory */
2856 if (macip_acl_index > vec_len (am->macip_acls))
2859 macip_acl_list_t *a = vec_elt_at_index (am->macip_acls, macip_acl_index);
2860 int free_pool_slot = pool_is_free_index (am->macip_acls, macip_acl_index);
2862 vlib_cli_output (vm,
2863 "MACIP acl_index: %d, count: %d (true len %d) tag {%s} is free pool slot: %d\n",
2864 macip_acl_index, a->count, vec_len (a->rules), a->tag,
2866 vlib_cli_output (vm,
2867 " ip4_table_index %d, ip6_table_index %d, l2_table_index %d\n",
2868 a->ip4_table_index, a->ip6_table_index, a->l2_table_index);
2869 vlib_cli_output (vm,
2870 " out_ip4_table_index %d, out_ip6_table_index %d, out_l2_table_index %d\n",
2871 a->out_ip4_table_index, a->out_ip6_table_index,
2872 a->out_l2_table_index);
2873 for (i = 0; i < vec_len (a->rules); i++)
2874 vlib_cli_output (vm, " rule %d: %U\n", i,
2875 my_macip_acl_rule_t_pretty_format,
2876 vec_elt_at_index (a->rules, i));
2880 static clib_error_t *
2881 acl_show_aclplugin_macip_acl_fn (vlib_main_t * vm,
2883 input, vlib_cli_command_t * cmd)
2885 clib_error_t *error = 0;
2886 acl_main_t *am = &acl_main;
2888 for (i = 0; i < vec_len (am->macip_acls); i++)
2889 macip_acl_print (am, i);
2893 static clib_error_t *
2894 acl_show_aclplugin_macip_interface_fn (vlib_main_t * vm,
2896 input, vlib_cli_command_t * cmd)
2898 clib_error_t *error = 0;
2899 acl_main_t *am = &acl_main;
2901 for (i = 0; i < vec_len (am->macip_acl_by_sw_if_index); i++)
2903 vlib_cli_output (vm, " sw_if_index %d: %d\n", i,
2904 vec_elt (am->macip_acl_by_sw_if_index, i));
2909 #define PRINT_AND_RESET(vm, out0) do { vlib_cli_output(vm, "%v", out0); vec_reset_length(out0); } while(0)
2911 acl_print_acl (vlib_main_t * vm, acl_main_t * am, int acl_index)
2914 u8 *out0 = format (0, "acl-index %u count %u tag {%s}\n", acl_index,
2915 am->acls[acl_index].count, am->acls[acl_index].tag);
2917 PRINT_AND_RESET (vm, out0);
2918 for (j = 0; j < am->acls[acl_index].count; j++)
2920 r = &am->acls[acl_index].rules[j];
2921 out0 = format (out0, " %4d: %s ", j, r->is_ipv6 ? "ipv6" : "ipv4");
2922 out0 = format_acl_action (out0, r->is_permit);
2923 out0 = format (out0, " src %U/%d", format_ip46_address, &r->src,
2924 r->is_ipv6 ? IP46_TYPE_IP6 : IP46_TYPE_IP4,
2927 format (out0, " dst %U/%d", format_ip46_address, &r->dst,
2928 r->is_ipv6 ? IP46_TYPE_IP6 : IP46_TYPE_IP4, r->dst_prefixlen);
2929 out0 = format (out0, " proto %d", r->proto);
2930 out0 = format (out0, " sport %d", r->src_port_or_type_first);
2931 if (r->src_port_or_type_first != r->src_port_or_type_last)
2933 out0 = format (out0, "-%d", r->src_port_or_type_last);
2935 out0 = format (out0, " dport %d", r->dst_port_or_code_first);
2936 if (r->dst_port_or_code_first != r->dst_port_or_code_last)
2938 out0 = format (out0, "-%d", r->dst_port_or_code_last);
2940 if (r->tcp_flags_mask || r->tcp_flags_value)
2943 format (out0, " tcpflags %d mask %d", r->tcp_flags_value,
2946 out0 = format (out0, "\n");
2947 PRINT_AND_RESET (vm, out0);
2951 #undef PRINT_AND_RESET
2954 acl_plugin_show_acl (acl_main_t * am, u32 acl_index)
2957 vlib_main_t *vm = am->vlib_main;
2959 for (i = 0; i < vec_len (am->acls); i++)
2961 if (acl_is_not_defined (am, i))
2963 /* don't attempt to show the ACLs that do not exist */
2966 if ((acl_index != ~0) && (acl_index != i))
2970 acl_print_acl (vm, am, i);
2972 if (i < vec_len (am->input_sw_if_index_vec_by_acl))
2974 vlib_cli_output (vm, " applied inbound on sw_if_index: %U\n",
2975 format_vec32, am->input_sw_if_index_vec_by_acl[i],
2978 if (i < vec_len (am->output_sw_if_index_vec_by_acl))
2980 vlib_cli_output (vm, " applied outbound on sw_if_index: %U\n",
2981 format_vec32, am->output_sw_if_index_vec_by_acl[i],
2987 static clib_error_t *
2988 acl_show_aclplugin_acl_fn (vlib_main_t * vm,
2989 unformat_input_t * input, vlib_cli_command_t * cmd)
2991 clib_error_t *error = 0;
2992 acl_main_t *am = &acl_main;
2995 (void) unformat (input, "index %u", &acl_index);
2997 acl_plugin_show_acl (am, acl_index);
3002 acl_plugin_show_interface (acl_main_t * am, u32 sw_if_index, int show_acl)
3004 vlib_main_t *vm = am->vlib_main;
3007 for (swi = 0; (swi < vec_len (am->input_acl_vec_by_sw_if_index)) ||
3008 (swi < vec_len (am->output_acl_vec_by_sw_if_index)); swi++)
3010 /* if we need a particular interface, skip all the others */
3011 if ((sw_if_index != ~0) && (sw_if_index != swi))
3014 vlib_cli_output (vm, "sw_if_index %d:\n", swi);
3016 if ((swi < vec_len (am->input_acl_vec_by_sw_if_index)) &&
3017 (vec_len (am->input_acl_vec_by_sw_if_index[swi]) > 0))
3019 vlib_cli_output (vm, " input acl(s): %U", format_vec32,
3020 am->input_acl_vec_by_sw_if_index[swi], "%d");
3023 vlib_cli_output (vm, "\n");
3024 vec_foreach (pj, am->input_acl_vec_by_sw_if_index[swi])
3026 acl_print_acl (vm, am, *pj);
3028 vlib_cli_output (vm, "\n");
3032 if ((swi < vec_len (am->output_acl_vec_by_sw_if_index)) &&
3033 (vec_len (am->output_acl_vec_by_sw_if_index[swi]) > 0))
3035 vlib_cli_output (vm, " output acl(s): %U", format_vec32,
3036 am->output_acl_vec_by_sw_if_index[swi], "%d");
3039 vlib_cli_output (vm, "\n");
3040 vec_foreach (pj, am->output_acl_vec_by_sw_if_index[swi])
3042 acl_print_acl (vm, am, *pj);
3044 vlib_cli_output (vm, "\n");
3052 static clib_error_t *
3053 acl_show_aclplugin_decode_5tuple_fn (vlib_main_t * vm,
3054 unformat_input_t * input,
3055 vlib_cli_command_t * cmd)
3057 clib_error_t *error = 0;
3058 u64 five_tuple[6] = { 0, 0, 0, 0, 0, 0 };
3061 (input, "%llx %llx %llx %llx %llx %llx", &five_tuple[0], &five_tuple[1],
3062 &five_tuple[2], &five_tuple[3], &five_tuple[4], &five_tuple[5]))
3063 vlib_cli_output (vm, "5-tuple structure decode: %U\n\n",
3064 format_acl_plugin_5tuple, five_tuple);
3066 error = clib_error_return (0, "expecting 6 hex integers");
3071 static clib_error_t *
3072 acl_show_aclplugin_interface_fn (vlib_main_t * vm,
3074 input, vlib_cli_command_t * cmd)
3076 clib_error_t *error = 0;
3077 acl_main_t *am = &acl_main;
3079 u32 sw_if_index = ~0;
3080 (void) unformat (input, "sw_if_index %u", &sw_if_index);
3081 int show_acl = unformat (input, "acl");
3083 acl_plugin_show_interface (am, sw_if_index, show_acl);
3087 static clib_error_t *
3088 acl_show_aclplugin_memory_fn (vlib_main_t * vm,
3089 unformat_input_t * input,
3090 vlib_cli_command_t * cmd)
3092 clib_error_t *error = 0;
3093 acl_main_t *am = &acl_main;
3095 vlib_cli_output (vm, "ACL plugin main heap statistics:\n");
3098 vlib_cli_output (vm, " %U\n", format_mheap, am->acl_mheap, 1);
3102 vlib_cli_output (vm, " Not initialized\n");
3104 vlib_cli_output (vm, "ACL hash lookup support heap statistics:\n");
3105 if (am->hash_lookup_mheap)
3107 vlib_cli_output (vm, " %U\n", format_mheap, am->hash_lookup_mheap, 1);
3111 vlib_cli_output (vm, " Not initialized\n");
3117 acl_plugin_show_sessions (acl_main_t * am,
3118 u32 show_session_thread_id,
3119 u32 show_session_session_index)
3121 vlib_main_t *vm = am->vlib_main;
3123 vnet_interface_main_t *im = &am->vnet_main->interface_main;
3124 vnet_sw_interface_t *swif;
3127 u64 n_adds = am->fa_session_total_adds;
3128 u64 n_dels = am->fa_session_total_dels;
3129 vlib_cli_output (vm, "Sessions total: add %lu - del %lu = %lu", n_adds,
3130 n_dels, n_adds - n_dels);
3132 vlib_cli_output (vm, "\n\nPer-thread data:");
3133 for (wk = 0; wk < vec_len (am->per_worker_data); wk++)
3135 acl_fa_per_worker_data_t *pw = &am->per_worker_data[wk];
3136 vlib_cli_output (vm, "Thread #%d:", wk);
3137 if (show_session_thread_id == wk
3138 && show_session_session_index < pool_len (pw->fa_sessions_pool))
3140 vlib_cli_output (vm, " session index %u:",
3141 show_session_session_index);
3142 fa_session_t *sess =
3143 pw->fa_sessions_pool + show_session_session_index;
3144 u64 *m = (u64 *) & sess->info;
3145 vlib_cli_output (vm,
3146 " info: %016llx %016llx %016llx %016llx %016llx %016llx",
3147 m[0], m[1], m[2], m[3], m[4], m[5]);
3148 vlib_cli_output (vm, " sw_if_index: %u", sess->sw_if_index);
3149 vlib_cli_output (vm, " tcp_flags_seen: %x",
3150 sess->tcp_flags_seen.as_u16);
3151 vlib_cli_output (vm, " last active time: %lu",
3152 sess->last_active_time);
3153 vlib_cli_output (vm, " thread index: %u", sess->thread_index);
3154 vlib_cli_output (vm, " link enqueue time: %lu",
3155 sess->link_enqueue_time);
3156 vlib_cli_output (vm, " link next index: %u",
3157 sess->link_next_idx);
3158 vlib_cli_output (vm, " link prev index: %u",
3159 sess->link_prev_idx);
3160 vlib_cli_output (vm, " link list id: %u", sess->link_list_id);
3162 vlib_cli_output (vm, " connection add/del stats:", wk);
3163 pool_foreach (swif, im->sw_interfaces, (
3170 (pw->fa_session_adds_by_sw_if_index)
3172 pw->fa_session_adds_by_sw_if_index
3177 (pw->fa_session_dels_by_sw_if_index)
3179 pw->fa_session_dels_by_sw_if_index
3181 vlib_cli_output (vm,
3182 " sw_if_index %d: add %lu - del %lu = %lu",
3191 vlib_cli_output (vm, " connection timeout type lists:", wk);
3193 for (tt = 0; tt < ACL_N_TIMEOUTS; tt++)
3195 u32 head_session_index = pw->fa_conn_list_head[tt];
3196 vlib_cli_output (vm, " fa_conn_list_head[%d]: %d", tt,
3197 head_session_index);
3198 if (~0 != head_session_index)
3200 fa_session_t *sess = pw->fa_sessions_pool + head_session_index;
3201 vlib_cli_output (vm, " last active time: %lu",
3202 sess->last_active_time);
3203 vlib_cli_output (vm, " link enqueue time: %lu",
3204 sess->link_enqueue_time);
3208 vlib_cli_output (vm, " Next expiry time: %lu", pw->next_expiry_time);
3209 vlib_cli_output (vm, " Requeue until time: %lu",
3210 pw->requeue_until_time);
3211 vlib_cli_output (vm, " Current time wait interval: %lu",
3212 pw->current_time_wait_interval);
3213 vlib_cli_output (vm, " Count of deleted sessions: %lu",
3214 pw->cnt_deleted_sessions);
3215 vlib_cli_output (vm, " Delete already deleted: %lu",
3216 pw->cnt_already_deleted_sessions);
3217 vlib_cli_output (vm, " Session timers restarted: %lu",
3218 pw->cnt_session_timer_restarted);
3219 vlib_cli_output (vm, " Swipe until this time: %lu",
3220 pw->swipe_end_time);
3221 vlib_cli_output (vm, " sw_if_index serviced bitmap: %U",
3222 format_bitmap_hex, pw->serviced_sw_if_index_bitmap);
3223 vlib_cli_output (vm, " pending clear intfc bitmap : %U",
3225 pw->pending_clear_sw_if_index_bitmap);
3226 vlib_cli_output (vm, " clear in progress: %u", pw->clear_in_process);
3227 vlib_cli_output (vm, " interrupt is pending: %d",
3228 pw->interrupt_is_pending);
3229 vlib_cli_output (vm, " interrupt is needed: %d",
3230 pw->interrupt_is_needed);
3231 vlib_cli_output (vm, " interrupt is unwanted: %d",
3232 pw->interrupt_is_unwanted);
3233 vlib_cli_output (vm, " interrupt generation: %d",
3234 pw->interrupt_generation);
3236 vlib_cli_output (vm, "\n\nConn cleaner thread counters:");
3237 #define _(cnt, desc) vlib_cli_output(vm, " %20lu: %s", am->cnt, desc);
3238 foreach_fa_cleaner_counter;
3240 vlib_cli_output (vm, "Interrupt generation: %d",
3241 am->fa_interrupt_generation);
3242 vlib_cli_output (vm,
3243 "Sessions per interval: min %lu max %lu increment: %f ms current: %f ms",
3244 am->fa_min_deleted_sessions_per_interval,
3245 am->fa_max_deleted_sessions_per_interval,
3246 am->fa_cleaner_wait_time_increment * 1000.0,
3247 ((f64) am->fa_current_cleaner_timer_wait_interval) *
3248 1000.0 / (f64) vm->clib_time.clocks_per_second);
3251 static clib_error_t *
3252 acl_show_aclplugin_sessions_fn (vlib_main_t * vm,
3253 unformat_input_t * input,
3254 vlib_cli_command_t * cmd)
3256 clib_error_t *error = 0;
3257 acl_main_t *am = &acl_main;
3259 u32 show_bihash_verbose = 0;
3260 u32 show_session_thread_id = ~0;
3261 u32 show_session_session_index = ~0;
3262 (void) unformat (input, "thread %u index %u", &show_session_thread_id,
3263 &show_session_session_index);
3264 (void) unformat (input, "verbose %u", &show_bihash_verbose);
3266 acl_plugin_show_sessions (am, show_session_thread_id,
3267 show_session_session_index);
3268 show_fa_sessions_hash (vm, show_bihash_verbose);
3273 acl_plugin_show_tables_mask_type (acl_main_t * am)
3275 vlib_main_t *vm = am->vlib_main;
3276 ace_mask_type_entry_t *mte;
3278 vlib_cli_output (vm, "Mask-type entries:");
3280 pool_foreach(mte, am->ace_mask_type_pool,
3282 vlib_cli_output(vm, " %3d: %016llx %016llx %016llx %016llx %016llx %016llx refcount %d",
3283 mte - am->ace_mask_type_pool,
3284 mte->mask.kv.key[0], mte->mask.kv.key[1], mte->mask.kv.key[2],
3285 mte->mask.kv.key[3], mte->mask.kv.key[4], mte->mask.kv.value, mte->refcount);
3291 acl_plugin_show_tables_acl_hash_info (acl_main_t * am, u32 acl_index)
3293 vlib_main_t *vm = am->vlib_main;
3296 vlib_cli_output (vm, "Mask-ready ACL representations\n");
3297 for (i = 0; i < vec_len (am->hash_acl_infos); i++)
3299 if ((acl_index != ~0) && (acl_index != i))
3303 hash_acl_info_t *ha = &am->hash_acl_infos[i];
3304 vlib_cli_output (vm, "acl-index %u bitmask-ready layout\n", i);
3305 vlib_cli_output (vm, " applied inbound on sw_if_index list: %U\n",
3306 format_vec32, ha->inbound_sw_if_index_list, "%d");
3307 vlib_cli_output (vm, " applied outbound on sw_if_index list: %U\n",
3308 format_vec32, ha->outbound_sw_if_index_list, "%d");
3309 vlib_cli_output (vm, " mask type index bitmap: %U\n",
3310 format_bitmap_hex, ha->mask_type_index_bitmap);
3311 for (j = 0; j < vec_len (ha->rules); j++)
3313 hash_ace_info_t *pa = &ha->rules[j];
3314 m = (u64 *) & pa->match;
3315 vlib_cli_output (vm,
3316 " %4d: %016llx %016llx %016llx %016llx %016llx %016llx mask index %d acl %d rule %d action %d src/dst portrange not ^2: %d,%d\n",
3317 j, m[0], m[1], m[2], m[3], m[4], m[5],
3318 pa->mask_type_index, pa->acl_index, pa->ace_index,
3319 pa->action, pa->src_portrange_not_powerof2,
3320 pa->dst_portrange_not_powerof2);
3326 acl_plugin_print_pae (vlib_main_t * vm, int j, applied_hash_ace_entry_t * pae)
3328 vlib_cli_output (vm,
3329 " %4d: acl %d rule %d action %d bitmask-ready rule %d next %d prev %d tail %d hitcount %lld",
3330 j, pae->acl_index, pae->ace_index, pae->action,
3331 pae->hash_ace_info_index, pae->next_applied_entry_index,
3332 pae->prev_applied_entry_index,
3333 pae->tail_applied_entry_index, pae->hitcount);
3337 acl_plugin_show_tables_applied_info (acl_main_t * am, u32 sw_if_index)
3339 vlib_main_t *vm = am->vlib_main;
3341 vlib_cli_output (vm, "Applied lookup entries for interfaces");
3344 (swi < vec_len (am->input_applied_hash_acl_info_by_sw_if_index))
3345 || (swi < vec_len (am->output_applied_hash_acl_info_by_sw_if_index))
3346 || (swi < vec_len (am->input_hash_entry_vec_by_sw_if_index))
3347 || (swi < vec_len (am->output_hash_entry_vec_by_sw_if_index)); swi++)
3349 if ((sw_if_index != ~0) && (sw_if_index != swi))
3353 vlib_cli_output (vm, "sw_if_index %d:", swi);
3354 if (swi < vec_len (am->input_applied_hash_acl_info_by_sw_if_index))
3356 applied_hash_acl_info_t *pal =
3357 &am->input_applied_hash_acl_info_by_sw_if_index[swi];
3358 vlib_cli_output (vm, " input lookup mask_type_index_bitmap: %U",
3359 format_bitmap_hex, pal->mask_type_index_bitmap);
3360 vlib_cli_output (vm, " input applied acls: %U", format_vec32,
3361 pal->applied_acls, "%d");
3363 if (swi < vec_len (am->input_hash_entry_vec_by_sw_if_index))
3365 vlib_cli_output (vm, " input lookup applied entries:");
3367 j < vec_len (am->input_hash_entry_vec_by_sw_if_index[swi]);
3370 acl_plugin_print_pae (vm, j,
3371 &am->input_hash_entry_vec_by_sw_if_index
3376 if (swi < vec_len (am->output_applied_hash_acl_info_by_sw_if_index))
3378 applied_hash_acl_info_t *pal =
3379 &am->output_applied_hash_acl_info_by_sw_if_index[swi];
3380 vlib_cli_output (vm, " output lookup mask_type_index_bitmap: %U",
3381 format_bitmap_hex, pal->mask_type_index_bitmap);
3382 vlib_cli_output (vm, " output applied acls: %U", format_vec32,
3383 pal->applied_acls, "%d");
3385 if (swi < vec_len (am->output_hash_entry_vec_by_sw_if_index))
3387 vlib_cli_output (vm, " output lookup applied entries:");
3389 j < vec_len (am->output_hash_entry_vec_by_sw_if_index[swi]);
3392 acl_plugin_print_pae (vm, j,
3393 &am->output_hash_entry_vec_by_sw_if_index
3401 acl_plugin_show_tables_bihash (acl_main_t * am, u32 show_bihash_verbose)
3403 vlib_main_t *vm = am->vlib_main;
3404 show_hash_acl_hash (vm, am, show_bihash_verbose);
3407 static clib_error_t *
3408 acl_show_aclplugin_tables_fn (vlib_main_t * vm,
3409 unformat_input_t * input,
3410 vlib_cli_command_t * cmd)
3412 clib_error_t *error = 0;
3413 acl_main_t *am = &acl_main;
3416 u32 sw_if_index = ~0;
3417 int show_acl_hash_info = 0;
3418 int show_applied_info = 0;
3419 int show_mask_type = 0;
3420 int show_bihash = 0;
3421 u32 show_bihash_verbose = 0;
3423 if (unformat (input, "acl"))
3425 show_acl_hash_info = 1;
3426 /* mask-type is handy to see as well right there */
3428 unformat (input, "index %u", &acl_index);
3430 else if (unformat (input, "applied"))
3432 show_applied_info = 1;
3433 unformat (input, "sw_if_index %u", &sw_if_index);
3435 else if (unformat (input, "mask"))
3439 else if (unformat (input, "hash"))
3442 unformat (input, "verbose %u", &show_bihash_verbose);
3446 (show_mask_type || show_acl_hash_info || show_applied_info
3449 /* if no qualifiers specified, show all */
3451 show_acl_hash_info = 1;
3452 show_applied_info = 1;
3456 acl_plugin_show_tables_mask_type (am);
3457 if (show_acl_hash_info)
3458 acl_plugin_show_tables_acl_hash_info (am, acl_index);
3459 if (show_applied_info)
3460 acl_plugin_show_tables_applied_info (am, sw_if_index);
3462 acl_plugin_show_tables_bihash (am, show_bihash_verbose);
3467 static clib_error_t *
3468 acl_clear_aclplugin_fn (vlib_main_t * vm,
3469 unformat_input_t * input, vlib_cli_command_t * cmd)
3471 clib_error_t *error = 0;
3472 acl_main_t *am = &acl_main;
3473 vlib_process_signal_event (am->vlib_main, am->fa_cleaner_node_index,
3474 ACL_FA_CLEANER_DELETE_BY_SW_IF_INDEX, ~0);
3479 VLIB_CLI_COMMAND (aclplugin_set_command, static) = {
3480 .path = "set acl-plugin",
3481 .short_help = "set acl-plugin session timeout {{udp idle}|tcp {idle|transient}} <seconds>",
3482 .function = acl_set_aclplugin_fn,
3485 VLIB_CLI_COMMAND (aclplugin_show_acl_command, static) = {
3486 .path = "show acl-plugin acl",
3487 .short_help = "show acl-plugin acl [index N]",
3488 .function = acl_show_aclplugin_acl_fn,
3491 VLIB_CLI_COMMAND (aclplugin_show_decode_5tuple_command, static) = {
3492 .path = "show acl-plugin decode 5tuple",
3493 .short_help = "show acl-plugin decode 5tuple XXXX XXXX XXXX XXXX XXXX XXXX",
3494 .function = acl_show_aclplugin_decode_5tuple_fn,
3497 VLIB_CLI_COMMAND (aclplugin_show_interface_command, static) = {
3498 .path = "show acl-plugin interface",
3499 .short_help = "show acl-plugin interface [sw_if_index N] [acl]",
3500 .function = acl_show_aclplugin_interface_fn,
3503 VLIB_CLI_COMMAND (aclplugin_show_memory_command, static) = {
3504 .path = "show acl-plugin memory",
3505 .short_help = "show acl-plugin memory",
3506 .function = acl_show_aclplugin_memory_fn,
3509 VLIB_CLI_COMMAND (aclplugin_show_sessions_command, static) = {
3510 .path = "show acl-plugin sessions",
3511 .short_help = "show acl-plugin sessions",
3512 .function = acl_show_aclplugin_sessions_fn,
3515 VLIB_CLI_COMMAND (aclplugin_show_tables_command, static) = {
3516 .path = "show acl-plugin tables",
3517 .short_help = "show acl-plugin tables [ acl [index N] | applied [ sw_if_index N ] | mask | hash [verbose N] ]",
3518 .function = acl_show_aclplugin_tables_fn,
3521 VLIB_CLI_COMMAND (aclplugin_show_macip_acl_command, static) = {
3522 .path = "show acl-plugin macip acl",
3523 .short_help = "show acl-plugin macip acl",
3524 .function = acl_show_aclplugin_macip_acl_fn,
3527 VLIB_CLI_COMMAND (aclplugin_show_macip_interface_command, static) = {
3528 .path = "show acl-plugin macip interface",
3529 .short_help = "show acl-plugin macip interface",
3530 .function = acl_show_aclplugin_macip_interface_fn,
3533 VLIB_CLI_COMMAND (aclplugin_clear_command, static) = {
3534 .path = "clear acl-plugin sessions",
3535 .short_help = "clear acl-plugin sessions",
3536 .function = acl_clear_aclplugin_fn,
3540 static clib_error_t *
3541 acl_plugin_config (vlib_main_t * vm, unformat_input_t * input)
3543 acl_main_t *am = &acl_main;
3544 u32 conn_table_hash_buckets;
3545 u32 conn_table_hash_memory_size;
3546 u32 conn_table_max_entries;
3549 u32 hash_lookup_hash_buckets;
3550 u32 hash_lookup_hash_memory;
3552 while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
3555 (input, "connection hash buckets %d", &conn_table_hash_buckets))
3556 am->fa_conn_table_hash_num_buckets = conn_table_hash_buckets;
3557 else if (unformat (input, "connection hash memory %d",
3558 &conn_table_hash_memory_size))
3559 am->fa_conn_table_hash_memory_size = conn_table_hash_memory_size;
3560 else if (unformat (input, "connection count max %d",
3561 &conn_table_max_entries))
3562 am->fa_conn_table_max_entries = conn_table_max_entries;
3563 else if (unformat (input, "main heap size %d", &main_heap_size))
3564 am->acl_mheap_size = main_heap_size;
3565 else if (unformat (input, "hash lookup heap size %d", &hash_heap_size))
3566 am->hash_lookup_mheap_size = hash_heap_size;
3567 else if (unformat (input, "hash lookup hash buckets %d",
3568 &hash_lookup_hash_buckets))
3569 am->hash_lookup_hash_buckets = hash_lookup_hash_buckets;
3570 else if (unformat (input, "hash lookup hash memory %d",
3571 &hash_lookup_hash_memory))
3572 am->hash_lookup_hash_memory = hash_lookup_hash_memory;
3574 return clib_error_return (0, "unknown input '%U'",
3575 format_unformat_error, input);
3580 VLIB_CONFIG_FUNCTION (acl_plugin_config, "acl-plugin");
3582 static clib_error_t *
3583 acl_init (vlib_main_t * vm)
3585 acl_main_t *am = &acl_main;
3586 clib_error_t *error = 0;
3587 memset (am, 0, sizeof (*am));
3589 am->vnet_main = vnet_get_main ();
3591 u8 *name = format (0, "acl_%08x%c", api_version, 0);
3593 /* Ask for a correctly-sized block of API message decode slots */
3594 am->msg_id_base = vl_msg_api_get_msg_ids ((char *) name,
3595 VL_MSG_FIRST_AVAILABLE);
3597 error = acl_plugin_api_hookup (vm);
3599 /* Add our API messages to the global name_crc hash table */
3600 setup_message_id_table (am, &api_main);
3604 acl_setup_fa_nodes ();
3606 am->acl_mheap_size = ACL_FA_DEFAULT_HEAP_SIZE;
3607 am->hash_lookup_mheap_size = ACL_PLUGIN_HASH_LOOKUP_HEAP_SIZE;
3609 am->hash_lookup_hash_buckets = ACL_PLUGIN_HASH_LOOKUP_HASH_BUCKETS;
3610 am->hash_lookup_hash_memory = ACL_PLUGIN_HASH_LOOKUP_HASH_MEMORY;
3612 am->session_timeout_sec[ACL_TIMEOUT_TCP_TRANSIENT] =
3613 TCP_SESSION_TRANSIENT_TIMEOUT_SEC;
3614 am->session_timeout_sec[ACL_TIMEOUT_TCP_IDLE] =
3615 TCP_SESSION_IDLE_TIMEOUT_SEC;
3616 am->session_timeout_sec[ACL_TIMEOUT_UDP_IDLE] =
3617 UDP_SESSION_IDLE_TIMEOUT_SEC;
3619 am->fa_conn_table_hash_num_buckets =
3620 ACL_FA_CONN_TABLE_DEFAULT_HASH_NUM_BUCKETS;
3621 am->fa_conn_table_hash_memory_size =
3622 ACL_FA_CONN_TABLE_DEFAULT_HASH_MEMORY_SIZE;
3623 am->fa_conn_table_max_entries = ACL_FA_CONN_TABLE_DEFAULT_MAX_ENTRIES;
3624 vlib_thread_main_t *tm = vlib_get_thread_main ();
3625 vec_validate (am->per_worker_data, tm->n_vlib_mains - 1);
3629 for (wk = 0; wk < vec_len (am->per_worker_data); wk++)
3631 acl_fa_per_worker_data_t *pw = &am->per_worker_data[wk];
3632 vec_validate (pw->fa_conn_list_head, ACL_N_TIMEOUTS - 1);
3633 vec_validate (pw->fa_conn_list_tail, ACL_N_TIMEOUTS - 1);
3634 for (tt = 0; tt < ACL_N_TIMEOUTS; tt++)
3636 pw->fa_conn_list_head[tt] = ~0;
3637 pw->fa_conn_list_tail[tt] = ~0;
3642 am->fa_min_deleted_sessions_per_interval =
3643 ACL_FA_DEFAULT_MIN_DELETED_SESSIONS_PER_INTERVAL;
3644 am->fa_max_deleted_sessions_per_interval =
3645 ACL_FA_DEFAULT_MAX_DELETED_SESSIONS_PER_INTERVAL;
3646 am->fa_cleaner_wait_time_increment =
3647 ACL_FA_DEFAULT_CLEANER_WAIT_TIME_INCREMENT;
3649 am->fa_cleaner_cnt_delete_by_sw_index = 0;
3650 am->fa_cleaner_cnt_delete_by_sw_index_ok = 0;
3651 am->fa_cleaner_cnt_unknown_event = 0;
3652 am->fa_cleaner_cnt_timer_restarted = 0;
3653 am->fa_cleaner_cnt_wait_with_timeout = 0;
3656 #define _(N, v, s) am->fa_ipv6_known_eh_bitmap = clib_bitmap_set(am->fa_ipv6_known_eh_bitmap, v, 1);
3659 am->l4_match_nonfirst_fragment = 1;
3661 /* use the new fancy hash-based matching */
3662 am->use_hash_acl_matching = 1;
3667 VLIB_INIT_FUNCTION (acl_init);
3671 * fd.io coding-style-patch-verification: ON
3674 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob