2 * Copyright (c) 2016 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
18 #include <vnet/vnet.h>
19 #include <vnet/plugin/plugin.h>
21 #include <acl/l2sess.h>
23 #include <vnet/l2/l2_classify.h>
24 #include <vnet/classify/input_acl.h>
26 #include <vlibapi/api.h>
27 #include <vlibmemory/api.h>
28 #include <vlibsocket/api.h>
30 /* define message IDs */
31 #include <acl/acl_msg_enum.h>
33 /* define message structures */
35 #include <acl/acl_all_api_h.h>
38 /* define generated endian-swappers */
40 #include <acl/acl_all_api_h.h>
43 /* instantiate all the print functions we know about */
44 #define vl_print(handle, ...) vlib_cli_output (handle, __VA_ARGS__)
46 #include <acl/acl_all_api_h.h>
49 /* Get the API version number */
50 #define vl_api_version(n,v) static u32 api_version=(v);
51 #include <acl/acl_all_api_h.h>
60 * A handy macro to set up a message reply.
61 * Assumes that the following variables are available:
62 * mp - pointer to request message
63 * rmp - pointer to reply message type
67 #define REPLY_MACRO(t) \
69 unix_shared_memory_queue_t * q = \
70 vl_api_client_index_to_input_queue (mp->client_index); \
74 rmp = vl_msg_api_alloc (sizeof (*rmp)); \
75 rmp->_vl_msg_id = ntohs((t)+sm->msg_id_base); \
76 rmp->context = mp->context; \
77 rmp->retval = ntohl(rv); \
79 vl_msg_api_send_shmem (q, (u8 *)&rmp); \
82 #define REPLY_MACRO2(t, body) \
84 unix_shared_memory_queue_t * q; \
85 rv = vl_msg_api_pd_handler (mp, rv); \
86 q = vl_api_client_index_to_input_queue (mp->client_index); \
90 rmp = vl_msg_api_alloc (sizeof (*rmp)); \
91 rmp->_vl_msg_id = ntohs((t)+am->msg_id_base); \
92 rmp->context = mp->context; \
93 rmp->retval = ntohl(rv); \
94 do {body;} while (0); \
95 vl_msg_api_send_shmem (q, (u8 *)&rmp); \
98 #define REPLY_MACRO3(t, n, body) \
100 unix_shared_memory_queue_t * q; \
101 rv = vl_msg_api_pd_handler (mp, rv); \
102 q = vl_api_client_index_to_input_queue (mp->client_index); \
106 rmp = vl_msg_api_alloc (sizeof (*rmp) + n); \
107 rmp->_vl_msg_id = ntohs((t)+am->msg_id_base); \
108 rmp->context = mp->context; \
109 rmp->retval = ntohl(rv); \
110 do {body;} while (0); \
111 vl_msg_api_send_shmem (q, (u8 *)&rmp); \
115 /* List of message types that this plugin understands */
117 #define foreach_acl_plugin_api_msg \
118 _(ACL_PLUGIN_GET_VERSION, acl_plugin_get_version) \
119 _(ACL_ADD_REPLACE, acl_add_replace) \
120 _(ACL_DEL, acl_del) \
121 _(ACL_INTERFACE_ADD_DEL, acl_interface_add_del) \
122 _(ACL_INTERFACE_SET_ACL_LIST, acl_interface_set_acl_list) \
123 _(ACL_DUMP, acl_dump) \
124 _(ACL_INTERFACE_LIST_DUMP, acl_interface_list_dump) \
125 _(MACIP_ACL_ADD, macip_acl_add) \
126 _(MACIP_ACL_DEL, macip_acl_del) \
127 _(MACIP_ACL_INTERFACE_ADD_DEL, macip_acl_interface_add_del) \
128 _(MACIP_ACL_DUMP, macip_acl_dump) \
129 _(MACIP_ACL_INTERFACE_GET, macip_acl_interface_get)
132 * This routine exists to convince the vlib plugin framework that
133 * we haven't accidentally copied a random .dll into the plugin directory.
135 * Also collects global variable pointers passed from the vpp engine
139 vlib_plugin_register (vlib_main_t * vm, vnet_plugin_handoff_t * h,
142 acl_main_t *am = &acl_main;
143 clib_error_t *error = 0;
146 am->vnet_main = h->vnet_main;
147 am->ethernet_main = h->ethernet_main;
149 l2sess_vlib_plugin_register(vm, h, from_early_init);
156 vl_api_acl_plugin_get_version_t_handler (vl_api_acl_plugin_get_version_t * mp)
158 acl_main_t *am = &acl_main;
159 vl_api_acl_plugin_get_version_reply_t *rmp;
160 int msg_size = sizeof (*rmp);
161 unix_shared_memory_queue_t *q;
163 q = vl_api_client_index_to_input_queue (mp->client_index);
169 rmp = vl_msg_api_alloc (msg_size);
170 memset (rmp, 0, msg_size);
172 ntohs (VL_API_ACL_PLUGIN_GET_VERSION_REPLY + am->msg_id_base);
173 rmp->context = mp->context;
174 rmp->major = htonl (ACL_PLUGIN_VERSION_MAJOR);
175 rmp->minor = htonl (ACL_PLUGIN_VERSION_MINOR);
177 vl_msg_api_send_shmem (q, (u8 *) & rmp);
182 acl_add_list (u32 count, vl_api_acl_rule_t rules[],
183 u32 * acl_list_index, u8 * tag)
185 acl_main_t *am = &acl_main;
188 acl_rule_t *acl_new_rules;
191 if (*acl_list_index != ~0)
193 /* They supplied some number, let's see if this ACL exists */
194 if (pool_is_free_index (am->acls, *acl_list_index))
196 /* tried to replace a non-existent ACL, no point doing anything */
201 /* Create and populate the rules */
202 acl_new_rules = clib_mem_alloc_aligned (sizeof (acl_rule_t) * count,
203 CLIB_CACHE_LINE_BYTES);
206 /* Could not allocate rules. New or existing ACL - bail out regardless */
210 for (i = 0; i < count; i++)
212 r = &acl_new_rules[i];
213 r->is_permit = rules[i].is_permit;
214 r->is_ipv6 = rules[i].is_ipv6;
217 memcpy (&r->src, rules[i].src_ip_addr, sizeof (r->src));
218 memcpy (&r->dst, rules[i].dst_ip_addr, sizeof (r->dst));
222 memcpy (&r->src.ip4, rules[i].src_ip_addr, sizeof (r->src.ip4));
223 memcpy (&r->dst.ip4, rules[i].dst_ip_addr, sizeof (r->dst.ip4));
225 r->src_prefixlen = rules[i].src_ip_prefix_len;
226 r->dst_prefixlen = rules[i].dst_ip_prefix_len;
227 r->proto = rules[i].proto;
228 r->src_port_or_type_first = rules[i].srcport_or_icmptype_first;
229 r->src_port_or_type_last = rules[i].srcport_or_icmptype_last;
230 r->dst_port_or_code_first = rules[i].dstport_or_icmpcode_first;
231 r->dst_port_or_code_last = rules[i].dstport_or_icmpcode_last;
232 r->tcp_flags_value = rules[i].tcp_flags_value;
233 r->tcp_flags_mask = rules[i].tcp_flags_mask;
236 if (~0 == *acl_list_index)
239 pool_get_aligned (am->acls, a, CLIB_CACHE_LINE_BYTES);
240 memset (a, 0, sizeof (*a));
241 /* Will return the newly allocated ACL index */
242 *acl_list_index = a - am->acls;
246 a = am->acls + *acl_list_index;
247 /* Get rid of the old rules */
248 clib_mem_free (a->rules);
250 a->rules = acl_new_rules;
252 memcpy (a->tag, tag, sizeof (a->tag));
258 acl_del_list (u32 acl_list_index)
260 acl_main_t *am = &acl_main;
263 if (pool_is_free_index (am->acls, acl_list_index))
268 /* delete any references to the ACL */
269 for (i = 0; i < vec_len (am->output_acl_vec_by_sw_if_index); i++)
271 for (ii = 0; ii < vec_len (am->output_acl_vec_by_sw_if_index[i]);
274 if (acl_list_index == am->output_acl_vec_by_sw_if_index[i][ii])
276 vec_del1 (am->output_acl_vec_by_sw_if_index[i], ii);
284 for (i = 0; i < vec_len (am->input_acl_vec_by_sw_if_index); i++)
286 for (ii = 0; ii < vec_len (am->input_acl_vec_by_sw_if_index[i]);
289 if (acl_list_index == am->input_acl_vec_by_sw_if_index[i][ii])
291 vec_del1 (am->input_acl_vec_by_sw_if_index[i], ii);
300 /* now we can delete the ACL itself */
301 a = &am->acls[acl_list_index];
304 clib_mem_free (a->rules);
306 pool_put (am->acls, a);
310 /* Some aids in ASCII graphing the content */
316 u8 ip4_5tuple_mask[] =
317 _(" dmac smac etype ")
318 _(ether) __ __ __ __ __ __ v __ __ __ __ __ __ v __ __ v
325 _(" ttl pr checksum ")
334 _("L4 T/U sport dport ")
344 u8 ip6_5tuple_mask[] =
345 _(" dmac smac etype ")
346 _(ether) __ __ __ __ __ __ v __ __ __ __ __ __ v __ __ v
348 _(0x0000) __ __ __ __
350 _(0x0004) __ __ XX __
352 _(0x0008) XX XX XX XX
353 _(0x000C) XX XX XX XX
354 _(0x0010) XX XX XX XX
355 _(0x0014) XX XX XX XX
357 _(0x0018) XX XX XX XX
358 _(0x001C) XX XX XX XX
359 _(0x0020) XX XX XX XX
360 _(0x0024) XX XX XX XX
361 _("L4T/U sport dport ")
362 _(tcpudp) XX XX XX XX _(padpad) __ __ __ __ _(padeth) __ __;
369 static int count_skip (u8 * p, u32 size)
371 u64 *p64 = (u64 *) p;
372 /* Be tolerant to null pointer */
376 while ((0ULL == *p64) && ((u8 *) p64 - p) < size)
380 return (p64 - (u64 *) p) / 2;
384 acl_classify_add_del_table_big (vnet_classify_main_t * cm, u8 * mask,
385 u32 mask_len, u32 next_table_index,
386 u32 miss_next_index, u32 * table_index,
389 u32 nbuckets = 65536;
390 u32 memory_size = 2 << 30;
391 u32 skip = count_skip (mask, mask_len);
392 u32 match = (mask_len / 16) - skip;
393 u8 *skip_mask_ptr = mask + 16 * skip;
394 u32 current_data_flag = 0;
395 int current_data_offset = 0;
400 return vnet_classify_add_del_table (cm, skip_mask_ptr, nbuckets,
401 memory_size, skip, match,
402 next_table_index, miss_next_index,
403 table_index, current_data_flag,
404 current_data_offset, is_add,
405 1 /* delete_chain */);
409 acl_classify_add_del_table_small (vnet_classify_main_t * cm, u8 * mask,
410 u32 mask_len, u32 next_table_index,
411 u32 miss_next_index, u32 * table_index,
415 u32 memory_size = 2 << 20;
416 u32 skip = count_skip (mask, mask_len);
417 u32 match = (mask_len / 16) - skip;
418 u8 *skip_mask_ptr = mask + 16 * skip;
419 u32 current_data_flag = 0;
420 int current_data_offset = 0;
425 return vnet_classify_add_del_table (cm, skip_mask_ptr, nbuckets,
426 memory_size, skip, match,
427 next_table_index, miss_next_index,
428 table_index, current_data_flag,
429 current_data_offset, is_add,
430 1 /* delete_chain */);
435 acl_unhook_l2_input_classify (acl_main_t * am, u32 sw_if_index)
437 vnet_classify_main_t *cm = &vnet_classify_main;
438 u32 ip4_table_index = ~0;
439 u32 ip6_table_index = ~0;
441 vec_validate_init_empty (am->acl_ip4_input_classify_table_by_sw_if_index,
443 vec_validate_init_empty (am->acl_ip6_input_classify_table_by_sw_if_index,
446 vnet_l2_input_classify_enable_disable (sw_if_index, 0);
448 if (am->acl_ip4_input_classify_table_by_sw_if_index[sw_if_index] != ~0)
451 am->acl_ip4_input_classify_table_by_sw_if_index[sw_if_index];
452 am->acl_ip4_input_classify_table_by_sw_if_index[sw_if_index] = ~0;
453 acl_classify_add_del_table_big (cm, ip4_5tuple_mask,
454 sizeof (ip4_5tuple_mask) - 1, ~0,
455 am->l2_input_classify_next_acl,
456 &ip4_table_index, 0);
458 if (am->acl_ip6_input_classify_table_by_sw_if_index[sw_if_index] != ~0)
461 am->acl_ip6_input_classify_table_by_sw_if_index[sw_if_index];
462 am->acl_ip6_input_classify_table_by_sw_if_index[sw_if_index] = ~0;
463 acl_classify_add_del_table_big (cm, ip6_5tuple_mask,
464 sizeof (ip6_5tuple_mask) - 1, ~0,
465 am->l2_input_classify_next_acl,
466 &ip6_table_index, 0);
473 acl_unhook_l2_output_classify (acl_main_t * am, u32 sw_if_index)
475 vnet_classify_main_t *cm = &vnet_classify_main;
476 u32 ip4_table_index = ~0;
477 u32 ip6_table_index = ~0;
479 vec_validate_init_empty (am->acl_ip4_output_classify_table_by_sw_if_index,
481 vec_validate_init_empty (am->acl_ip6_output_classify_table_by_sw_if_index,
484 vnet_l2_output_classify_enable_disable (sw_if_index, 0);
486 if (am->acl_ip4_output_classify_table_by_sw_if_index[sw_if_index] != ~0)
489 am->acl_ip4_output_classify_table_by_sw_if_index[sw_if_index];
490 am->acl_ip4_output_classify_table_by_sw_if_index[sw_if_index] = ~0;
491 acl_classify_add_del_table_big (cm, ip4_5tuple_mask,
492 sizeof (ip4_5tuple_mask) - 1, ~0,
493 am->l2_output_classify_next_acl,
494 &ip4_table_index, 0);
496 if (am->acl_ip6_output_classify_table_by_sw_if_index[sw_if_index] != ~0)
499 am->acl_ip6_output_classify_table_by_sw_if_index[sw_if_index];
500 am->acl_ip6_output_classify_table_by_sw_if_index[sw_if_index] = ~0;
501 acl_classify_add_del_table_big (cm, ip6_5tuple_mask,
502 sizeof (ip6_5tuple_mask) - 1, ~0,
503 am->l2_output_classify_next_acl,
504 &ip6_table_index, 0);
511 acl_hook_l2_input_classify (acl_main_t * am, u32 sw_if_index)
513 vnet_classify_main_t *cm = &vnet_classify_main;
514 u32 ip4_table_index = ~0;
515 u32 ip6_table_index = ~0;
518 /* in case there were previous tables attached */
519 acl_unhook_l2_input_classify (am, sw_if_index);
521 acl_classify_add_del_table_big (cm, ip4_5tuple_mask,
522 sizeof (ip4_5tuple_mask) - 1, ~0,
523 am->l2_input_classify_next_acl,
524 &ip4_table_index, 1);
528 acl_classify_add_del_table_big (cm, ip6_5tuple_mask,
529 sizeof (ip6_5tuple_mask) - 1, ~0,
530 am->l2_input_classify_next_acl,
531 &ip6_table_index, 1);
534 acl_classify_add_del_table_big (cm, ip4_5tuple_mask,
535 sizeof (ip4_5tuple_mask) - 1, ~0,
536 am->l2_input_classify_next_acl,
537 &ip4_table_index, 0);
541 vnet_l2_input_classify_set_tables (sw_if_index, ip4_table_index,
542 ip6_table_index, ~0);
544 ("ACL enabling on interface sw_if_index %d, setting tables to the following: ip4: %d ip6: %d\n",
545 sw_if_index, ip4_table_index, ip6_table_index);
548 acl_classify_add_del_table_big (cm, ip6_5tuple_mask,
549 sizeof (ip6_5tuple_mask) - 1, ~0,
550 am->l2_input_classify_next_acl,
551 &ip6_table_index, 0);
552 acl_classify_add_del_table_big (cm, ip4_5tuple_mask,
553 sizeof (ip4_5tuple_mask) - 1, ~0,
554 am->l2_input_classify_next_acl,
555 &ip4_table_index, 0);
559 am->acl_ip4_input_classify_table_by_sw_if_index[sw_if_index] =
561 am->acl_ip6_input_classify_table_by_sw_if_index[sw_if_index] =
564 vnet_l2_input_classify_enable_disable (sw_if_index, 1);
569 acl_hook_l2_output_classify (acl_main_t * am, u32 sw_if_index)
571 vnet_classify_main_t *cm = &vnet_classify_main;
572 u32 ip4_table_index = ~0;
573 u32 ip6_table_index = ~0;
576 /* in case there were previous tables attached */
577 acl_unhook_l2_output_classify (am, sw_if_index);
579 acl_classify_add_del_table_big (cm, ip4_5tuple_mask,
580 sizeof (ip4_5tuple_mask) - 1, ~0,
581 am->l2_output_classify_next_acl,
582 &ip4_table_index, 1);
586 acl_classify_add_del_table_big (cm, ip6_5tuple_mask,
587 sizeof (ip6_5tuple_mask) - 1, ~0,
588 am->l2_output_classify_next_acl,
589 &ip6_table_index, 1);
592 acl_classify_add_del_table_big (cm, ip4_5tuple_mask,
593 sizeof (ip4_5tuple_mask) - 1, ~0,
594 am->l2_output_classify_next_acl,
595 &ip4_table_index, 0);
599 vnet_l2_output_classify_set_tables (sw_if_index, ip4_table_index,
600 ip6_table_index, ~0);
602 ("ACL enabling on interface sw_if_index %d, setting tables to the following: ip4: %d ip6: %d\n",
603 sw_if_index, ip4_table_index, ip6_table_index);
606 acl_classify_add_del_table_big (cm, ip6_5tuple_mask,
607 sizeof (ip6_5tuple_mask) - 1, ~0,
608 am->l2_output_classify_next_acl,
609 &ip6_table_index, 0);
610 acl_classify_add_del_table_big (cm, ip4_5tuple_mask,
611 sizeof (ip4_5tuple_mask) - 1, ~0,
612 am->l2_output_classify_next_acl,
613 &ip4_table_index, 0);
617 am->acl_ip4_output_classify_table_by_sw_if_index[sw_if_index] =
619 am->acl_ip6_output_classify_table_by_sw_if_index[sw_if_index] =
622 vnet_l2_output_classify_enable_disable (sw_if_index, 1);
628 acl_interface_in_enable_disable (acl_main_t * am, u32 sw_if_index,
634 if (pool_is_free_index (am->vnet_main->interface_main.sw_interfaces,
636 return VNET_API_ERROR_INVALID_SW_IF_INDEX;
640 rv = acl_hook_l2_input_classify (am, sw_if_index);
644 rv = acl_unhook_l2_input_classify (am, sw_if_index);
651 acl_interface_out_enable_disable (acl_main_t * am, u32 sw_if_index,
657 if (pool_is_free_index (am->vnet_main->interface_main.sw_interfaces,
659 return VNET_API_ERROR_INVALID_SW_IF_INDEX;
663 rv = acl_hook_l2_output_classify (am, sw_if_index);
667 rv = acl_unhook_l2_output_classify (am, sw_if_index);
675 acl_interface_add_inout_acl (u32 sw_if_index, u8 is_input, u32 acl_list_index)
677 acl_main_t *am = &acl_main;
680 vec_validate (am->input_acl_vec_by_sw_if_index, sw_if_index);
681 vec_add (am->input_acl_vec_by_sw_if_index[sw_if_index], &acl_list_index,
683 acl_interface_in_enable_disable (am, sw_if_index, 1);
687 vec_validate (am->output_acl_vec_by_sw_if_index, sw_if_index);
688 vec_add (am->output_acl_vec_by_sw_if_index[sw_if_index],
690 acl_interface_out_enable_disable (am, sw_if_index, 1);
696 acl_interface_del_inout_acl (u32 sw_if_index, u8 is_input, u32 acl_list_index)
698 acl_main_t *am = &acl_main;
703 vec_validate (am->input_acl_vec_by_sw_if_index, sw_if_index);
704 for (i = 0; i < vec_len (am->input_acl_vec_by_sw_if_index[sw_if_index]);
707 if (acl_list_index ==
708 am->input_acl_vec_by_sw_if_index[sw_if_index][i])
710 vec_del1 (am->input_acl_vec_by_sw_if_index[sw_if_index], i);
715 if (0 == vec_len (am->input_acl_vec_by_sw_if_index[sw_if_index]))
717 acl_interface_in_enable_disable (am, sw_if_index, 0);
722 vec_validate (am->output_acl_vec_by_sw_if_index, sw_if_index);
724 i < vec_len (am->output_acl_vec_by_sw_if_index[sw_if_index]); i++)
726 if (acl_list_index ==
727 am->output_acl_vec_by_sw_if_index[sw_if_index][i])
729 vec_del1 (am->output_acl_vec_by_sw_if_index[sw_if_index], i);
734 if (0 == vec_len (am->output_acl_vec_by_sw_if_index[sw_if_index]))
736 acl_interface_out_enable_disable (am, sw_if_index, 0);
743 acl_interface_reset_inout_acls (u32 sw_if_index, u8 is_input)
745 acl_main_t *am = &acl_main;
748 acl_interface_in_enable_disable (am, sw_if_index, 0);
749 vec_validate (am->input_acl_vec_by_sw_if_index, sw_if_index);
750 vec_reset_length (am->input_acl_vec_by_sw_if_index[sw_if_index]);
754 acl_interface_out_enable_disable (am, sw_if_index, 0);
755 vec_validate (am->output_acl_vec_by_sw_if_index, sw_if_index);
756 vec_reset_length (am->output_acl_vec_by_sw_if_index[sw_if_index]);
761 acl_interface_add_del_inout_acl (u32 sw_if_index, u8 is_add, u8 is_input,
768 acl_interface_add_inout_acl (sw_if_index, is_input, acl_list_index);
773 acl_interface_del_inout_acl (sw_if_index, is_input, acl_list_index);
780 get_ptr_to_offset (vlib_buffer_t * b0, int offset)
782 u8 *p = vlib_buffer_get_current (b0) + offset;
787 acl_get_l4_proto (vlib_buffer_t * b0, int node_is_ip6)
799 proto = *((u8 *) vlib_buffer_get_current (b0) + proto_offset);
804 acl_match_addr (ip46_address_t * addr1, ip46_address_t * addr2, int prefixlen,
809 /* match any always succeeds */
814 if (memcmp (addr1, addr2, prefixlen / 8))
816 /* If the starting full bytes do not match, no point in bittwidling the thumbs further */
821 u8 b1 = *((u8 *) addr1 + 1 + prefixlen / 8);
822 u8 b2 = *((u8 *) addr2 + 1 + prefixlen / 8);
823 u8 mask0 = (0xff - ((1 << (8 - (prefixlen % 8))) - 1));
824 return (b1 & mask0) == b2;
828 /* The prefix fits into integer number of bytes, so nothing left to do */
834 uint32_t a1 = ntohl (addr1->ip4.as_u32);
835 uint32_t a2 = ntohl (addr2->ip4.as_u32);
836 uint32_t mask0 = 0xffffffff - ((1 << (32 - prefixlen)) - 1);
837 return (a1 & mask0) == a2;
842 acl_match_port (u16 port, u16 port_first, u16 port_last, int is_ip6)
844 return ((port >= port_first) && (port <= port_last));
848 acl_packet_match (acl_main_t * am, u32 acl_index, vlib_buffer_t * b0,
849 u8 * r_action, int *r_is_ip6, u32 * r_acl_match_p,
850 u32 * r_rule_match_p, u32 * trace_bitmap)
852 ethernet_header_t *h0;
855 ip46_address_t src, dst;
866 h0 = vlib_buffer_get_current (b0);
867 type0 = clib_net_to_host_u16 (h0->type);
868 is_ip4 = (type0 == ETHERNET_TYPE_IP4);
869 is_ip6 = (type0 == ETHERNET_TYPE_IP6);
871 if (!(is_ip4 || is_ip6))
875 /* The bunch of hardcoded offsets here is intentional to get rid of them
876 ASAP, when getting to a faster matching code */
879 clib_memcpy (&src.ip4, get_ptr_to_offset (b0, 26), 4);
880 clib_memcpy (&dst.ip4, get_ptr_to_offset (b0, 30), 4);
881 proto = acl_get_l4_proto (b0, 0);
884 *trace_bitmap |= 0x00000001;
886 src_port = *(u8 *) get_ptr_to_offset (b0, 34);
888 dst_port = *(u8 *) get_ptr_to_offset (b0, 35);
893 src_port = (*(u16 *) get_ptr_to_offset (b0, 34));
894 dst_port = (*(u16 *) get_ptr_to_offset (b0, 36));
895 /* UDP gets ability to check on an oddball data byte as a bonus */
896 tcp_flags = *(u8 *) get_ptr_to_offset (b0, 14 + 20 + 13);
899 else /* is_ipv6 implicitly */
901 clib_memcpy (&src, get_ptr_to_offset (b0, 22), 16);
902 clib_memcpy (&dst, get_ptr_to_offset (b0, 38), 16);
903 proto = acl_get_l4_proto (b0, 1);
906 *trace_bitmap |= 0x00000002;
908 src_port = *(u8 *) get_ptr_to_offset (b0, 54);
910 dst_port = *(u8 *) get_ptr_to_offset (b0, 55);
915 src_port = (*(u16 *) get_ptr_to_offset (b0, 54));
916 dst_port = (*(u16 *) get_ptr_to_offset (b0, 56));
917 tcp_flags = *(u8 *) get_ptr_to_offset (b0, 14 + 40 + 13);
920 if (pool_is_free_index (am->acls, acl_index))
923 *r_acl_match_p = acl_index;
925 *r_rule_match_p = -1;
926 /* the ACL does not exist but is used for policy. Block traffic. */
929 a = am->acls + acl_index;
930 for (i = 0; i < a->count; i++)
933 if (is_ip6 != r->is_ipv6)
937 if (!acl_match_addr (&dst, &r->dst, r->dst_prefixlen, is_ip6))
939 if (!acl_match_addr (&src, &r->src, r->src_prefixlen, is_ip6))
943 if (proto != r->proto)
946 (src_port, r->src_port_or_type_first, r->src_port_or_type_last,
950 (dst_port, r->dst_port_or_code_first, r->dst_port_or_code_last,
953 /* No need for check of proto == TCP, since in other rules both fields should be zero, so this match will succeed */
954 if ((tcp_flags & r->tcp_flags_mask) != r->tcp_flags_value)
957 /* everything matches! */
958 *r_action = r->is_permit;
961 *r_acl_match_p = acl_index;
970 input_acl_packet_match (u32 sw_if_index, vlib_buffer_t * b0, u32 * nextp,
971 u32 * acl_match_p, u32 * rule_match_p,
974 acl_main_t *am = &acl_main;
978 vec_validate (am->input_acl_vec_by_sw_if_index, sw_if_index);
979 for (i = 0; i < vec_len (am->input_acl_vec_by_sw_if_index[sw_if_index]);
983 (am, am->input_acl_vec_by_sw_if_index[sw_if_index][i], b0, &action,
984 &is_ip6, acl_match_p, rule_match_p, trace_bitmap))
988 *nextp = am->acl_in_ip6_match_next[action];
992 *nextp = am->acl_in_ip4_match_next[action];
997 if (vec_len (am->input_acl_vec_by_sw_if_index[sw_if_index]) > 0)
999 /* If there are ACLs and none matched, deny by default */
1006 output_acl_packet_match (u32 sw_if_index, vlib_buffer_t * b0, u32 * nextp,
1007 u32 * acl_match_p, u32 * rule_match_p,
1010 acl_main_t *am = &acl_main;
1014 vec_validate (am->output_acl_vec_by_sw_if_index, sw_if_index);
1015 for (i = 0; i < vec_len (am->output_acl_vec_by_sw_if_index[sw_if_index]);
1018 if (acl_packet_match
1019 (am, am->output_acl_vec_by_sw_if_index[sw_if_index][i], b0, &action,
1020 &is_ip6, acl_match_p, rule_match_p, trace_bitmap))
1024 *nextp = am->acl_out_ip6_match_next[action];
1028 *nextp = am->acl_out_ip4_match_next[action];
1033 if (vec_len (am->output_acl_vec_by_sw_if_index[sw_if_index]) > 0)
1035 /* If there are ACLs and none matched, deny by default */
1047 u32 arp_table_index;
1048 } macip_match_type_t;
1051 macip_find_match_type (macip_match_type_t * mv, u8 * mac_mask, u8 prefix_len,
1057 for (i = 0; i < vec_len (mv); i++)
1059 if ((mv[i].prefix_len == prefix_len) && (mv[i].is_ipv6 == is_ipv6)
1060 && (0 == memcmp (mv[i].mac_mask, mac_mask, 6)))
1070 /* Get metric used to sort match types.
1071 The more specific and the more often seen - the bigger the metric */
1073 match_type_metric (macip_match_type_t * m)
1075 /* FIXME: count the ones in the MAC mask as well, check how well this heuristic works in real life */
1076 return m->prefix_len + m->is_ipv6 + 10 * m->count;
1080 match_type_compare (macip_match_type_t * m1, macip_match_type_t * m2)
1082 /* Ascending sort based on the metric values */
1083 return match_type_metric (m1) - match_type_metric (m2);
1086 /* Get the offset of L3 source within ethernet packet */
1088 get_l3_src_offset(int is6)
1091 return (sizeof(ethernet_header_t) + offsetof(ip6_header_t, src_address));
1093 return (sizeof(ethernet_header_t) + offsetof(ip4_header_t, src_address));
1097 macip_create_classify_tables (acl_main_t * am, u32 macip_acl_index)
1099 macip_match_type_t *mvec = NULL;
1100 macip_match_type_t *mt;
1101 macip_acl_list_t *a = &am->macip_acls[macip_acl_index];
1103 u32 match_type_index;
1106 vnet_classify_main_t *cm = &vnet_classify_main;
1108 /* Count the number of different types of rules */
1109 for (i = 0; i < a->count; i++)
1113 macip_find_match_type (mvec, a->rules[i].src_mac_mask,
1114 a->rules[i].src_prefixlen,
1115 a->rules[i].is_ipv6)))
1117 match_type_index = vec_len (mvec);
1118 vec_validate (mvec, match_type_index);
1119 memcpy (mvec[match_type_index].mac_mask,
1120 a->rules[match_type_index].src_mac_mask, 6);
1121 mvec[match_type_index].prefix_len = a->rules[i].src_prefixlen;
1122 mvec[match_type_index].is_ipv6 = a->rules[i].is_ipv6;
1123 mvec[match_type_index].table_index = ~0;
1125 mvec[match_type_index].count++;
1127 /* Put the most frequently used tables last in the list so we can create classifier tables in reverse order */
1128 vec_sort_with_function (mvec, match_type_compare);
1129 /* Create the classifier tables */
1131 /* First add ARP tables */
1132 vec_foreach (mt, mvec)
1135 int is6 = mt->is_ipv6;
1137 mt->arp_table_index = ~0;
1140 memset (mask, 0, sizeof (mask));
1141 memcpy (&mask[6], mt->mac_mask, 6);
1142 memset (&mask[12], 0xff, 2); /* ethernet protocol */
1143 memcpy (&mask[14 + 8], mt->mac_mask, 6);
1145 for (i = 0; i < (mt->prefix_len / 8); i++)
1146 mask[14 + 14 + i] = 0xff;
1147 if (mt->prefix_len % 8)
1148 mask[14 + 14 + (mt->prefix_len / 8)] = 0xff - ((1 << (8 - mt->prefix_len % 8)) - 1);
1150 mask_len = ((14 + 14 + ((mt->prefix_len+7) / 8) +
1151 (sizeof (u32x4)-1))/sizeof(u32x4)) * sizeof (u32x4);
1152 acl_classify_add_del_table_small (cm, mask, mask_len, last_table,
1153 (~0 == last_table) ? 0 : ~0, &mt->arp_table_index,
1155 last_table = mt->arp_table_index;
1158 /* Now add IP[46] tables */
1159 vec_foreach (mt, mvec)
1162 int is6 = mt->is_ipv6;
1163 int l3_src_offs = get_l3_src_offset(is6);
1164 memset (mask, 0, sizeof (mask));
1165 memcpy (&mask[6], mt->mac_mask, 6);
1166 for (i = 0; i < (mt->prefix_len / 8); i++)
1168 mask[l3_src_offs + i] = 0xff;
1170 if (mt->prefix_len % 8)
1172 mask[l3_src_offs + (mt->prefix_len / 8)] =
1173 0xff - ((1 << (8 - mt->prefix_len % 8)) - 1);
1176 * Round-up the number of bytes needed to store the prefix,
1177 * and round up the number of vectors too
1179 mask_len = ((l3_src_offs + ((mt->prefix_len+7) / 8) +
1180 (sizeof (u32x4)-1))/sizeof(u32x4)) * sizeof (u32x4);
1181 acl_classify_add_del_table_small (cm, mask, mask_len, last_table,
1182 (~0 == last_table) ? 0 : ~0, &mt->table_index,
1184 last_table = mt->table_index;
1186 a->ip4_table_index = ~0;
1187 a->ip6_table_index = ~0;
1188 a->l2_table_index = last_table;
1190 /* Populate the classifier tables with rules from the MACIP ACL */
1191 for (i = 0; i < a->count; i++)
1195 int is6 = a->rules[i].is_ipv6;
1196 int l3_src_offs = get_l3_src_offset(is6);
1197 memset (mask, 0, sizeof (mask));
1198 memcpy (&mask[6], a->rules[i].src_mac, 6);
1199 memset (&mask[12], 0xff, 2); /* ethernet protocol */
1202 memcpy (&mask[l3_src_offs], &a->rules[i].src_ip_addr.ip6, 16);
1208 memcpy (&mask[l3_src_offs], &a->rules[i].src_ip_addr.ip4, 4);
1213 macip_find_match_type (mvec, a->rules[i].src_mac_mask,
1214 a->rules[i].src_prefixlen,
1215 a->rules[i].is_ipv6);
1216 /* add session to table mvec[match_type_index].table_index; */
1217 vnet_classify_add_del_session (cm, mvec[match_type_index].table_index,
1218 mask, a->rules[i].is_permit ? ~0 : 0, i,
1219 0, action, metadata, 1);
1220 /* add ARP table entry too */
1221 if (!is6 && (mvec[match_type_index].arp_table_index != ~0))
1223 memset (mask, 0, sizeof (mask));
1224 memcpy (&mask[6], a->rules[i].src_mac, 6);
1227 memcpy (&mask[14 + 8], a->rules[i].src_mac, 6);
1228 memcpy (&mask[14 + 14], &a->rules[i].src_ip_addr.ip4, 4);
1229 vnet_classify_add_del_session (cm, mvec[match_type_index].arp_table_index,
1230 mask, a->rules[i].is_permit ? ~0 : 0, i,
1231 0, action, metadata, 1);
1238 macip_destroy_classify_tables (acl_main_t * am, u32 macip_acl_index)
1240 vnet_classify_main_t *cm = &vnet_classify_main;
1241 macip_acl_list_t *a = &am->macip_acls[macip_acl_index];
1243 if (a->ip4_table_index != ~0)
1245 acl_classify_add_del_table_small (cm, 0, ~0, ~0, ~0, &a->ip4_table_index, 0);
1246 a->ip4_table_index = ~0;
1248 if (a->ip6_table_index != ~0)
1250 acl_classify_add_del_table_small (cm, 0, ~0, ~0, ~0, &a->ip6_table_index, 0);
1251 a->ip6_table_index = ~0;
1253 if (a->l2_table_index != ~0)
1255 acl_classify_add_del_table_small (cm, 0, ~0, ~0, ~0, &a->l2_table_index, 0);
1256 a->l2_table_index = ~0;
1261 macip_acl_add_list (u32 count, vl_api_macip_acl_rule_t rules[],
1262 u32 * acl_list_index, u8 * tag)
1264 acl_main_t *am = &acl_main;
1265 macip_acl_list_t *a;
1266 macip_acl_rule_t *r;
1267 macip_acl_rule_t *acl_new_rules;
1270 /* Create and populate the rules */
1271 acl_new_rules = clib_mem_alloc_aligned (sizeof (macip_acl_rule_t) * count,
1272 CLIB_CACHE_LINE_BYTES);
1275 /* Could not allocate rules. New or existing ACL - bail out regardless */
1279 for (i = 0; i < count; i++)
1281 r = &acl_new_rules[i];
1282 r->is_permit = rules[i].is_permit;
1283 r->is_ipv6 = rules[i].is_ipv6;
1284 memcpy (&r->src_mac, rules[i].src_mac, 6);
1285 memcpy (&r->src_mac_mask, rules[i].src_mac_mask, 6);
1286 if(rules[i].is_ipv6)
1287 memcpy (&r->src_ip_addr.ip6, rules[i].src_ip_addr, 16);
1289 memcpy (&r->src_ip_addr.ip4, rules[i].src_ip_addr, 4);
1290 r->src_prefixlen = rules[i].src_ip_prefix_len;
1294 pool_get_aligned (am->macip_acls, a, CLIB_CACHE_LINE_BYTES);
1295 memset (a, 0, sizeof (*a));
1296 /* Will return the newly allocated ACL index */
1297 *acl_list_index = a - am->macip_acls;
1299 a->rules = acl_new_rules;
1301 memcpy (a->tag, tag, sizeof (a->tag));
1303 /* Create and populate the classifer tables */
1304 macip_create_classify_tables (am, *acl_list_index);
1310 /* No check for validity of sw_if_index - the callers were supposed to validate */
1313 macip_acl_interface_del_acl (acl_main_t * am, u32 sw_if_index)
1316 u32 macip_acl_index;
1317 macip_acl_list_t *a;
1318 vec_validate_init_empty (am->macip_acl_by_sw_if_index, sw_if_index, ~0);
1319 macip_acl_index = am->macip_acl_by_sw_if_index[sw_if_index];
1320 /* No point in deleting MACIP ACL which is not applied */
1321 if (~0 == macip_acl_index)
1323 a = &am->macip_acls[macip_acl_index];
1324 /* remove the classifier tables off the interface L2 ACL */
1326 vnet_set_input_acl_intfc (am->vlib_main, sw_if_index, a->ip4_table_index,
1327 a->ip6_table_index, a->l2_table_index, 0);
1328 /* Unset the MACIP ACL index */
1329 am->macip_acl_by_sw_if_index[sw_if_index] = ~0;
1333 /* No check for validity of sw_if_index - the callers were supposed to validate */
1336 macip_acl_interface_add_acl (acl_main_t * am, u32 sw_if_index,
1337 u32 macip_acl_index)
1339 macip_acl_list_t *a;
1341 if (pool_is_free_index (am->macip_acls, macip_acl_index))
1345 a = &am->macip_acls[macip_acl_index];
1346 vec_validate_init_empty (am->macip_acl_by_sw_if_index, sw_if_index, ~0);
1347 /* If there already a MACIP ACL applied, unapply it */
1348 if (~0 != am->macip_acl_by_sw_if_index[sw_if_index])
1349 macip_acl_interface_del_acl(am, sw_if_index);
1350 am->macip_acl_by_sw_if_index[sw_if_index] = macip_acl_index;
1351 /* Apply the classifier tables for L2 ACLs */
1353 vnet_set_input_acl_intfc (am->vlib_main, sw_if_index, a->ip4_table_index,
1354 a->ip6_table_index, a->l2_table_index, 1);
1359 macip_acl_del_list (u32 acl_list_index)
1361 acl_main_t *am = &acl_main;
1362 macip_acl_list_t *a;
1364 if (pool_is_free_index (am->macip_acls, acl_list_index))
1369 /* delete any references to the ACL */
1370 for (i = 0; i < vec_len (am->macip_acl_by_sw_if_index); i++)
1372 if (am->macip_acl_by_sw_if_index[i] == acl_list_index)
1374 macip_acl_interface_del_acl (am, i);
1378 /* Now that classifier tables are detached, clean them up */
1379 macip_destroy_classify_tables (am, acl_list_index);
1381 /* now we can delete the ACL itself */
1382 a = &am->macip_acls[acl_list_index];
1385 clib_mem_free (a->rules);
1387 pool_put (am->macip_acls, a);
1393 macip_acl_interface_add_del_acl (u32 sw_if_index, u8 is_add,
1396 acl_main_t *am = &acl_main;
1400 rv = macip_acl_interface_add_acl (am, sw_if_index, acl_list_index);
1404 rv = macip_acl_interface_del_acl (am, sw_if_index);
1409 /* API message handler */
1411 vl_api_acl_add_replace_t_handler (vl_api_acl_add_replace_t * mp)
1413 vl_api_acl_add_replace_reply_t *rmp;
1414 acl_main_t *am = &acl_main;
1416 u32 acl_list_index = ntohl (mp->acl_index);
1418 rv = acl_add_list (ntohl (mp->count), mp->r, &acl_list_index, mp->tag);
1421 REPLY_MACRO2(VL_API_ACL_ADD_REPLACE_REPLY,
1423 rmp->acl_index = htonl(acl_list_index);
1429 vl_api_acl_del_t_handler (vl_api_acl_del_t * mp)
1431 acl_main_t *sm = &acl_main;
1432 vl_api_acl_del_reply_t *rmp;
1435 rv = acl_del_list (ntohl (mp->acl_index));
1437 REPLY_MACRO (VL_API_ACL_DEL_REPLY);
1441 vl_api_acl_interface_add_del_t_handler (vl_api_acl_interface_add_del_t * mp)
1443 acl_main_t *sm = &acl_main;
1444 vnet_interface_main_t *im = &sm->vnet_main->interface_main;
1445 u32 sw_if_index = ntohl (mp->sw_if_index);
1446 vl_api_acl_interface_add_del_reply_t *rmp;
1449 if (pool_is_free_index(im->sw_interfaces, sw_if_index))
1450 rv = VNET_API_ERROR_INVALID_SW_IF_INDEX;
1453 acl_interface_add_del_inout_acl (sw_if_index, mp->is_add,
1454 mp->is_input, ntohl (mp->acl_index));
1456 REPLY_MACRO (VL_API_ACL_INTERFACE_ADD_DEL_REPLY);
1460 vl_api_acl_interface_set_acl_list_t_handler
1461 (vl_api_acl_interface_set_acl_list_t * mp)
1463 acl_main_t *sm = &acl_main;
1464 vl_api_acl_interface_set_acl_list_reply_t *rmp;
1467 vnet_interface_main_t *im = &sm->vnet_main->interface_main;
1468 u32 sw_if_index = ntohl (mp->sw_if_index);
1470 if (pool_is_free_index(im->sw_interfaces, sw_if_index))
1471 rv = VNET_API_ERROR_INVALID_SW_IF_INDEX;
1474 acl_interface_reset_inout_acls (sw_if_index, 0);
1475 acl_interface_reset_inout_acls (sw_if_index, 1);
1477 for (i = 0; i < mp->count; i++)
1479 acl_interface_add_del_inout_acl (sw_if_index, 1, (i < mp->n_input),
1480 ntohl (mp->acls[i]));
1484 REPLY_MACRO (VL_API_ACL_INTERFACE_SET_ACL_LIST_REPLY);
1488 copy_acl_rule_to_api_rule (vl_api_acl_rule_t * api_rule, acl_rule_t * r)
1490 api_rule->is_permit = r->is_permit;
1491 api_rule->is_ipv6 = r->is_ipv6;
1494 memcpy (api_rule->src_ip_addr, &r->src, sizeof (r->src));
1495 memcpy (api_rule->dst_ip_addr, &r->dst, sizeof (r->dst));
1499 memcpy (api_rule->src_ip_addr, &r->src.ip4, sizeof (r->src.ip4));
1500 memcpy (api_rule->dst_ip_addr, &r->dst.ip4, sizeof (r->dst.ip4));
1502 api_rule->src_ip_prefix_len = r->src_prefixlen;
1503 api_rule->dst_ip_prefix_len = r->dst_prefixlen;
1504 api_rule->proto = r->proto;
1505 api_rule->srcport_or_icmptype_first = r->src_port_or_type_first;
1506 api_rule->srcport_or_icmptype_last = r->src_port_or_type_last;
1507 api_rule->dstport_or_icmpcode_first = r->dst_port_or_code_first;
1508 api_rule->dstport_or_icmpcode_last = r->dst_port_or_code_last;
1509 api_rule->tcp_flags_mask = r->tcp_flags_mask;
1510 api_rule->tcp_flags_value = r->tcp_flags_value;
1514 send_acl_details (acl_main_t * am, unix_shared_memory_queue_t * q,
1515 acl_list_t * acl, u32 context)
1517 vl_api_acl_details_t *mp;
1518 vl_api_acl_rule_t *rules;
1520 int msg_size = sizeof (*mp) + sizeof (mp->r[0]) * acl->count;
1522 mp = vl_msg_api_alloc (msg_size);
1523 memset (mp, 0, msg_size);
1524 mp->_vl_msg_id = ntohs (VL_API_ACL_DETAILS + am->msg_id_base);
1526 /* fill in the message */
1527 mp->context = context;
1528 mp->count = htonl (acl->count);
1529 mp->acl_index = htonl (acl - am->acls);
1530 memcpy (mp->tag, acl->tag, sizeof (mp->tag));
1531 // clib_memcpy (mp->r, acl->rules, acl->count * sizeof(acl->rules[0]));
1533 for (i = 0; i < acl->count; i++)
1535 copy_acl_rule_to_api_rule (&rules[i], &acl->rules[i]);
1538 clib_warning("Sending acl details for ACL index %d", ntohl(mp->acl_index));
1539 vl_msg_api_send_shmem (q, (u8 *) & mp);
1544 vl_api_acl_dump_t_handler (vl_api_acl_dump_t * mp)
1546 acl_main_t *am = &acl_main;
1551 unix_shared_memory_queue_t *q;
1553 q = vl_api_client_index_to_input_queue (mp->client_index);
1559 if (mp->acl_index == ~0)
1562 /* Just dump all ACLs */
1563 pool_foreach (acl, am->acls,
1565 send_acl_details(am, q, acl, mp->context);
1571 acl_index = ntohl (mp->acl_index);
1572 if (!pool_is_free_index (am->acls, acl_index))
1574 acl = &am->acls[acl_index];
1575 send_acl_details (am, q, acl, mp->context);
1581 /* FIXME API: should we signal an error here at all ? */
1587 send_acl_interface_list_details (acl_main_t * am,
1588 unix_shared_memory_queue_t * q,
1589 u32 sw_if_index, u32 context)
1591 vl_api_acl_interface_list_details_t *mp;
1598 vec_validate (am->input_acl_vec_by_sw_if_index, sw_if_index);
1599 vec_validate (am->output_acl_vec_by_sw_if_index, sw_if_index);
1601 n_input = vec_len (am->input_acl_vec_by_sw_if_index[sw_if_index]);
1602 n_output = vec_len (am->output_acl_vec_by_sw_if_index[sw_if_index]);
1603 count = n_input + n_output;
1605 msg_size = sizeof (*mp);
1606 msg_size += sizeof (mp->acls[0]) * count;
1608 mp = vl_msg_api_alloc (msg_size);
1609 memset (mp, 0, msg_size);
1611 ntohs (VL_API_ACL_INTERFACE_LIST_DETAILS + am->msg_id_base);
1613 /* fill in the message */
1614 mp->context = context;
1615 mp->sw_if_index = htonl (sw_if_index);
1617 mp->n_input = n_input;
1618 for (i = 0; i < n_input; i++)
1620 mp->acls[i] = htonl (am->input_acl_vec_by_sw_if_index[sw_if_index][i]);
1622 for (i = 0; i < n_output; i++)
1624 mp->acls[n_input + i] =
1625 htonl (am->output_acl_vec_by_sw_if_index[sw_if_index][i]);
1628 vl_msg_api_send_shmem (q, (u8 *) & mp);
1632 vl_api_acl_interface_list_dump_t_handler (vl_api_acl_interface_list_dump_t *
1635 acl_main_t *am = &acl_main;
1636 vnet_sw_interface_t *swif;
1637 vnet_interface_main_t *im = &am->vnet_main->interface_main;
1640 unix_shared_memory_queue_t *q;
1642 q = vl_api_client_index_to_input_queue (mp->client_index);
1648 if (mp->sw_if_index == ~0)
1651 pool_foreach (swif, im->sw_interfaces,
1653 send_acl_interface_list_details(am, q, swif->sw_if_index, mp->context);
1659 sw_if_index = ntohl (mp->sw_if_index);
1660 if (!pool_is_free_index(im->sw_interfaces, sw_if_index))
1661 send_acl_interface_list_details (am, q, sw_if_index, mp->context);
1665 /* MACIP ACL API handlers */
1668 vl_api_macip_acl_add_t_handler (vl_api_macip_acl_add_t * mp)
1670 vl_api_macip_acl_add_reply_t *rmp;
1671 acl_main_t *am = &acl_main;
1673 u32 acl_list_index = ~0;
1676 macip_acl_add_list (ntohl (mp->count), mp->r, &acl_list_index, mp->tag);
1679 REPLY_MACRO2(VL_API_MACIP_ACL_ADD_REPLY,
1681 rmp->acl_index = htonl(acl_list_index);
1687 vl_api_macip_acl_del_t_handler (vl_api_macip_acl_del_t * mp)
1689 acl_main_t *sm = &acl_main;
1690 vl_api_macip_acl_del_reply_t *rmp;
1693 rv = macip_acl_del_list (ntohl (mp->acl_index));
1695 REPLY_MACRO (VL_API_MACIP_ACL_DEL_REPLY);
1699 vl_api_macip_acl_interface_add_del_t_handler
1700 (vl_api_macip_acl_interface_add_del_t * mp)
1702 acl_main_t *sm = &acl_main;
1703 vl_api_macip_acl_interface_add_del_reply_t *rmp;
1705 vnet_interface_main_t *im = &sm->vnet_main->interface_main;
1706 u32 sw_if_index = ntohl (mp->sw_if_index);
1708 if (pool_is_free_index(im->sw_interfaces, sw_if_index))
1709 rv = VNET_API_ERROR_INVALID_SW_IF_INDEX;
1712 macip_acl_interface_add_del_acl (ntohl (mp->sw_if_index), mp->is_add,
1713 ntohl (mp->acl_index));
1715 REPLY_MACRO (VL_API_MACIP_ACL_INTERFACE_ADD_DEL_REPLY);
1719 send_macip_acl_details (acl_main_t * am, unix_shared_memory_queue_t * q,
1720 macip_acl_list_t * acl, u32 context)
1722 vl_api_macip_acl_details_t *mp;
1723 vl_api_macip_acl_rule_t *rules;
1724 macip_acl_rule_t *r;
1726 int msg_size = sizeof (*mp) + (acl ? sizeof (mp->r[0]) * acl->count : 0);
1728 mp = vl_msg_api_alloc (msg_size);
1729 memset (mp, 0, msg_size);
1730 mp->_vl_msg_id = ntohs (VL_API_MACIP_ACL_DETAILS + am->msg_id_base);
1732 /* fill in the message */
1733 mp->context = context;
1736 memcpy (mp->tag, acl->tag, sizeof (mp->tag));
1737 mp->count = htonl (acl->count);
1738 mp->acl_index = htonl (acl - am->macip_acls);
1740 for (i = 0; i < acl->count; i++)
1743 rules[i].is_permit = r->is_permit;
1744 rules[i].is_ipv6 = r->is_ipv6;
1745 memcpy (rules[i].src_mac, &r->src_mac, sizeof (r->src_mac));
1746 memcpy (rules[i].src_mac_mask, &r->src_mac_mask,
1747 sizeof (r->src_mac_mask));
1749 memcpy (rules[i].src_ip_addr, &r->src_ip_addr.ip6,
1750 sizeof (r->src_ip_addr.ip6));
1752 memcpy (rules[i].src_ip_addr, &r->src_ip_addr.ip4,
1753 sizeof (r->src_ip_addr.ip4));
1754 rules[i].src_ip_prefix_len = r->src_prefixlen;
1759 /* No martini, no party - no ACL applied to this interface. */
1764 vl_msg_api_send_shmem (q, (u8 *) & mp);
1769 vl_api_macip_acl_dump_t_handler (vl_api_macip_acl_dump_t * mp)
1771 acl_main_t *am = &acl_main;
1772 macip_acl_list_t *acl;
1774 unix_shared_memory_queue_t *q;
1776 q = vl_api_client_index_to_input_queue (mp->client_index);
1782 if (mp->acl_index == ~0)
1784 /* Just dump all ACLs for now, with sw_if_index = ~0 */
1785 pool_foreach (acl, am->macip_acls, (
1787 send_macip_acl_details (am, q, acl,
1795 u32 acl_index = ntohl (mp->acl_index);
1796 if (!pool_is_free_index (am->macip_acls, acl_index))
1798 acl = &am->macip_acls[acl_index];
1799 send_macip_acl_details (am, q, acl, mp->context);
1805 vl_api_macip_acl_interface_get_t_handler (vl_api_macip_acl_interface_get_t *
1808 acl_main_t *am = &acl_main;
1809 vl_api_macip_acl_interface_get_reply_t *rmp;
1810 u32 count = vec_len (am->macip_acl_by_sw_if_index);
1811 int msg_size = sizeof (*rmp) + sizeof (rmp->acls[0]) * count;
1812 unix_shared_memory_queue_t *q;
1815 q = vl_api_client_index_to_input_queue (mp->client_index);
1821 rmp = vl_msg_api_alloc (msg_size);
1822 memset (rmp, 0, msg_size);
1824 ntohs (VL_API_MACIP_ACL_INTERFACE_GET_REPLY + am->msg_id_base);
1825 rmp->context = mp->context;
1826 rmp->count = htonl (count);
1827 for (i = 0; i < count; i++)
1829 rmp->acls[i] = htonl (am->macip_acl_by_sw_if_index[i]);
1832 vl_msg_api_send_shmem (q, (u8 *) & rmp);
1837 /* Set up the API message handling tables */
1838 static clib_error_t *
1839 acl_plugin_api_hookup (vlib_main_t * vm)
1841 acl_main_t *sm = &acl_main;
1843 vl_msg_api_set_handlers((VL_API_##N + sm->msg_id_base), \
1845 vl_api_##n##_t_handler, \
1847 vl_api_##n##_t_endian, \
1848 vl_api_##n##_t_print, \
1849 sizeof(vl_api_##n##_t), 1);
1850 foreach_acl_plugin_api_msg;
1856 #define vl_msg_name_crc_list
1857 #include <acl/acl_all_api_h.h>
1858 #undef vl_msg_name_crc_list
1861 setup_message_id_table (acl_main_t * sm, api_main_t * am)
1863 #define _(id,n,crc) \
1864 vl_msg_api_add_msg_name_crc (am, #n "_" #crc, id + sm->msg_id_base);
1865 foreach_vl_msg_name_crc_acl;
1870 register_match_action_nexts (u32 next_in_ip4, u32 next_in_ip6,
1871 u32 next_out_ip4, u32 next_out_ip6)
1873 acl_main_t *am = &acl_main;
1874 u32 act = am->n_match_actions;
1875 if (am->n_match_actions == 255)
1879 am->n_match_actions++;
1880 am->acl_in_ip4_match_next[act] = next_in_ip4;
1881 am->acl_in_ip6_match_next[act] = next_in_ip6;
1882 am->acl_out_ip4_match_next[act] = next_out_ip4;
1883 am->acl_out_ip6_match_next[act] = next_out_ip6;
1888 acl_setup_nodes (void)
1890 vlib_main_t *vm = vlib_get_main ();
1891 acl_main_t *am = &acl_main;
1894 n = vlib_get_node_by_name (vm, (u8 *) "l2-input-classify");
1895 am->l2_input_classify_next_acl =
1896 vlib_node_add_next_with_slot (vm, n->index, acl_in_node.index, ~0);
1897 n = vlib_get_node_by_name (vm, (u8 *) "l2-output-classify");
1898 am->l2_output_classify_next_acl =
1899 vlib_node_add_next_with_slot (vm, n->index, acl_out_node.index, ~0);
1901 feat_bitmap_init_next_nodes (vm, acl_in_node.index, L2INPUT_N_FEAT,
1902 l2input_get_feat_names (),
1903 am->acl_in_node_input_next_node_index);
1905 memset (&am->acl_in_ip4_match_next[0], 0,
1906 sizeof (am->acl_in_ip4_match_next));
1907 memset (&am->acl_in_ip6_match_next[0], 0,
1908 sizeof (am->acl_in_ip6_match_next));
1909 memset (&am->acl_out_ip4_match_next[0], 0,
1910 sizeof (am->acl_out_ip4_match_next));
1911 memset (&am->acl_out_ip6_match_next[0], 0,
1912 sizeof (am->acl_out_ip6_match_next));
1913 am->n_match_actions = 0;
1915 register_match_action_nexts (0, 0, 0, 0); /* drop */
1916 register_match_action_nexts (~0, ~0, ~0, ~0); /* permit */
1917 register_match_action_nexts (ACL_IN_L2S_INPUT_IP4_ADD, ACL_IN_L2S_INPUT_IP6_ADD, ACL_OUT_L2S_OUTPUT_IP4_ADD, ACL_OUT_L2S_OUTPUT_IP6_ADD); /* permit + create session */
1922 static clib_error_t *
1923 acl_init (vlib_main_t * vm)
1925 acl_main_t *am = &acl_main;
1926 clib_error_t *error = 0;
1927 memset (am, 0, sizeof (*am));
1929 am->vnet_main = vnet_get_main ();
1931 u8 *name = format (0, "acl_%08x%c", api_version, 0);
1933 /* Ask for a correctly-sized block of API message decode slots */
1934 am->msg_id_base = vl_msg_api_get_msg_ids ((char *) name,
1935 VL_MSG_FIRST_AVAILABLE);
1937 error = acl_plugin_api_hookup (vm);
1940 /* Add our API messages to the global name_crc hash table */
1941 setup_message_id_table (am, &api_main);
1948 VLIB_INIT_FUNCTION (acl_init);
Code Review / vpp.git / blob