2 * Copyright (c) 2015 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
16 *------------------------------------------------------------------
17 * acl_test.c - test harness plugin
18 *------------------------------------------------------------------
22 #include <vlibapi/api.h>
23 #include <vlibmemory/api.h>
24 #include <vppinfra/error.h>
25 #include <vnet/ip/ip.h>
26 #include <arpa/inet.h>
28 #define __plugin_msg_base acl_test_main.msg_id_base
29 #include <vlibapi/vat_helper_macros.h>
31 uword unformat_sw_if_index (unformat_input_t * input, va_list * args);
33 /* Declare message IDs */
34 #include <acl/acl_msg_enum.h>
36 /* define message structures */
38 #include <acl/acl_all_api_h.h>
41 /* define message structures */
43 #include <acl/acl_all_api_h.h>
46 /* instantiate all the print functions we know about */
47 #define vl_print(handle, ...)
49 #include <acl/acl_all_api_h.h>
52 /* Get the API version number. */
53 #define vl_api_version(n,v) static u32 api_version=(v);
54 #include <acl/acl_all_api_h.h>
58 /* API message ID base */
63 acl_test_main_t acl_test_main;
65 #define foreach_standard_reply_retval_handler \
67 _(acl_interface_add_del_reply) \
68 _(macip_acl_interface_add_del_reply) \
69 _(acl_interface_set_acl_list_reply) \
70 _(acl_interface_set_etype_whitelist_reply) \
71 _(macip_acl_del_reply)
73 #define foreach_reply_retval_aclindex_handler \
74 _(acl_add_replace_reply) \
75 _(macip_acl_add_reply) \
76 _(macip_acl_add_replace_reply)
79 static void vl_api_##n##_t_handler \
80 (vl_api_##n##_t * mp) \
82 vat_main_t * vam = acl_test_main.vat_main; \
83 i32 retval = ntohl(mp->retval); \
84 if (vam->async_mode) { \
85 vam->async_errors += (retval < 0); \
87 vam->retval = retval; \
88 vam->result_ready = 1; \
91 foreach_standard_reply_retval_handler;
95 static void vl_api_##n##_t_handler \
96 (vl_api_##n##_t * mp) \
98 vat_main_t * vam = acl_test_main.vat_main; \
99 i32 retval = ntohl(mp->retval); \
100 if (vam->async_mode) { \
101 vam->async_errors += (retval < 0); \
103 clib_warning("ACL index: %d", ntohl(mp->acl_index)); \
104 vam->retval = retval; \
105 vam->result_ready = 1; \
108 foreach_reply_retval_aclindex_handler;
111 /* These two ought to be in a library somewhere but they aren't */
113 my_unformat_mac_address (unformat_input_t * input, va_list * args)
115 u8 *a = va_arg (*args, u8 *);
116 return unformat (input, "%x:%x:%x:%x:%x:%x", &a[0], &a[1], &a[2], &a[3],
121 my_format_mac_address (u8 * s, va_list * args)
123 u8 *a = va_arg (*args, u8 *);
124 return format (s, "%02x:%02x:%02x:%02x:%02x:%02x",
125 a[0], a[1], a[2], a[3], a[4], a[5]);
130 static void vl_api_acl_plugin_get_version_reply_t_handler
131 (vl_api_acl_plugin_get_version_reply_t * mp)
133 vat_main_t * vam = acl_test_main.vat_main;
134 clib_warning("ACL plugin version: %d.%d", ntohl(mp->major), ntohl(mp->minor));
135 vam->result_ready = 1;
138 static void vl_api_acl_interface_list_details_t_handler
139 (vl_api_acl_interface_list_details_t * mp)
142 vat_main_t * vam = acl_test_main.vat_main;
144 vl_api_acl_interface_list_details_t_endian(mp);
145 out = format(out, "sw_if_index: %d, count: %d, n_input: %d\n", mp->sw_if_index, mp->count, mp->n_input);
146 out = format(out, " input ");
147 for(i=0; i<mp->count; i++) {
148 if (i == mp->n_input)
149 out = format(out, "\n output ");
150 out = format(out, "%d ", ntohl (mp->acls[i]));
152 out = format(out, "\n");
153 clib_warning("%s", out);
155 vam->result_ready = 1;
158 static void vl_api_acl_interface_etype_whitelist_details_t_handler
159 (vl_api_acl_interface_etype_whitelist_details_t * mp)
162 vat_main_t * vam = acl_test_main.vat_main;
164 vl_api_acl_interface_etype_whitelist_details_t_endian(mp);
165 out = format(out, "sw_if_index: %d, count: %d, n_input: %d\n", mp->sw_if_index, mp->count, mp->n_input);
166 out = format(out, " input ");
167 for(i=0; i<mp->count; i++) {
168 if (i == mp->n_input)
169 out = format(out, "\n output ");
170 out = format(out, "%04x ", ntohs(mp->whitelist[i]));
172 out = format(out, "\n");
173 clib_warning("%s", out);
175 vam->result_ready = 1;
181 vl_api_acl_rule_t_pretty_format (u8 *out, vl_api_acl_rule_t * a)
183 int af = a->is_ipv6 ? AF_INET6 : AF_INET;
184 u8 src[INET6_ADDRSTRLEN];
185 u8 dst[INET6_ADDRSTRLEN];
186 inet_ntop(af, a->src_ip_addr, (void *)src, sizeof(src));
187 inet_ntop(af, a->dst_ip_addr, (void *)dst, sizeof(dst));
189 out = format(out, "%s action %d src %s/%d dst %s/%d proto %d sport %d-%d dport %d-%d tcpflags %d mask %d",
190 a->is_ipv6 ? "ipv6" : "ipv4", a->is_permit,
191 src, a->src_ip_prefix_len,
192 dst, a->dst_ip_prefix_len,
194 a->srcport_or_icmptype_first, a->srcport_or_icmptype_last,
195 a->dstport_or_icmpcode_first, a->dstport_or_icmpcode_last,
196 a->tcp_flags_value, a->tcp_flags_mask);
202 static void vl_api_acl_details_t_handler
203 (vl_api_acl_details_t * mp)
206 vat_main_t * vam = acl_test_main.vat_main;
207 vl_api_acl_details_t_endian(mp);
209 out = format(0, "acl_index: %d, count: %d\n tag {%s}\n", mp->acl_index, mp->count, mp->tag);
210 for(i=0; i<mp->count; i++) {
211 out = format(out, " ");
212 out = vl_api_acl_rule_t_pretty_format(out, &mp->r[i]);
213 out = format(out, "%s\n", i<mp->count-1 ? "," : "");
215 clib_warning("%s", out);
217 vam->result_ready = 1;
221 vl_api_macip_acl_rule_t_pretty_format (u8 *out, vl_api_macip_acl_rule_t * a)
223 int af = a->is_ipv6 ? AF_INET6 : AF_INET;
224 u8 src[INET6_ADDRSTRLEN];
225 inet_ntop(af, a->src_ip_addr, (void *)src, sizeof(src));
227 out = format(out, "%s action %d ip %s/%d mac %U mask %U",
228 a->is_ipv6 ? "ipv6" : "ipv4", a->is_permit,
229 src, a->src_ip_prefix_len,
230 my_format_mac_address, a->src_mac,
231 my_format_mac_address, a->src_mac_mask);
236 static void vl_api_macip_acl_details_t_handler
237 (vl_api_macip_acl_details_t * mp)
240 vat_main_t * vam = acl_test_main.vat_main;
241 vl_api_macip_acl_details_t_endian(mp);
242 u8 *out = format(0,"MACIP acl_index: %d, count: %d\n tag {%s}\n", mp->acl_index, mp->count, mp->tag);
243 for(i=0; i<mp->count; i++) {
244 out = format(out, " ");
245 out = vl_api_macip_acl_rule_t_pretty_format(out, &mp->r[i]);
246 out = format(out, "%s\n", i<mp->count-1 ? "," : "");
248 clib_warning("%s", out);
250 vam->result_ready = 1;
253 static void vl_api_macip_acl_interface_get_reply_t_handler
254 (vl_api_macip_acl_interface_get_reply_t * mp)
257 vat_main_t * vam = acl_test_main.vat_main;
258 u8 *out = format(0, "sw_if_index with MACIP ACL count: %d\n", ntohl(mp->count));
259 for(i=0; i<ntohl(mp->count); i++) {
260 out = format(out, " macip_acl_interface_add_del sw_if_index %d add acl %d\n", i, ntohl(mp->acls[i]));
262 out = format(out, "\n");
263 clib_warning("%s", out);
265 vam->result_ready = 1;
268 static void vl_api_acl_plugin_control_ping_reply_t_handler
269 (vl_api_acl_plugin_control_ping_reply_t * mp)
271 vat_main_t *vam = &vat_main;
272 i32 retval = ntohl (mp->retval);
275 vam->async_errors += (retval < 0);
279 vam->retval = retval;
280 vam->result_ready = 1;
286 * Table of message reply handlers, must include boilerplate handlers
289 #define foreach_vpe_api_reply_msg \
290 _(ACL_ADD_REPLACE_REPLY, acl_add_replace_reply) \
291 _(ACL_DEL_REPLY, acl_del_reply) \
292 _(ACL_INTERFACE_ADD_DEL_REPLY, acl_interface_add_del_reply) \
293 _(ACL_INTERFACE_SET_ACL_LIST_REPLY, acl_interface_set_acl_list_reply) \
294 _(ACL_INTERFACE_SET_ETYPE_WHITELIST_REPLY, acl_interface_set_etype_whitelist_reply) \
295 _(ACL_INTERFACE_ETYPE_WHITELIST_DETAILS, acl_interface_etype_whitelist_details) \
296 _(ACL_INTERFACE_LIST_DETAILS, acl_interface_list_details) \
297 _(ACL_DETAILS, acl_details) \
298 _(MACIP_ACL_ADD_REPLY, macip_acl_add_reply) \
299 _(MACIP_ACL_ADD_REPLACE_REPLY, macip_acl_add_replace_reply) \
300 _(MACIP_ACL_DEL_REPLY, macip_acl_del_reply) \
301 _(MACIP_ACL_DETAILS, macip_acl_details) \
302 _(MACIP_ACL_INTERFACE_ADD_DEL_REPLY, macip_acl_interface_add_del_reply) \
303 _(MACIP_ACL_INTERFACE_GET_REPLY, macip_acl_interface_get_reply) \
304 _(ACL_PLUGIN_CONTROL_PING_REPLY, acl_plugin_control_ping_reply) \
305 _(ACL_PLUGIN_GET_VERSION_REPLY, acl_plugin_get_version_reply)
307 static int api_acl_plugin_get_version (vat_main_t * vam)
309 acl_test_main_t * sm = &acl_test_main;
310 vl_api_acl_plugin_get_version_t * mp;
311 u32 msg_size = sizeof(*mp);
314 vam->result_ready = 0;
315 mp = vl_msg_api_alloc_as_if_client(msg_size);
316 memset (mp, 0, msg_size);
317 mp->_vl_msg_id = ntohs (VL_API_ACL_PLUGIN_GET_VERSION + sm->msg_id_base);
318 mp->client_index = vam->my_client_index;
323 /* Wait for a reply... */
328 static int api_macip_acl_interface_get (vat_main_t * vam)
330 acl_test_main_t * sm = &acl_test_main;
331 vl_api_acl_plugin_get_version_t * mp;
332 u32 msg_size = sizeof(*mp);
335 vam->result_ready = 0;
336 mp = vl_msg_api_alloc_as_if_client(msg_size);
337 memset (mp, 0, msg_size);
338 mp->_vl_msg_id = ntohs (VL_API_MACIP_ACL_INTERFACE_GET + sm->msg_id_base);
339 mp->client_index = vam->my_client_index;
344 /* Wait for a reply... */
349 #define vec_validate_acl_rules(v, idx) \
351 if (vec_len(v) < idx+1) { \
352 vec_validate(v, idx); \
353 v[idx].is_permit = 0x1; \
354 v[idx].srcport_or_icmptype_last = 0xffff; \
355 v[idx].dstport_or_icmpcode_last = 0xffff; \
360 static int api_acl_add_replace (vat_main_t * vam)
362 acl_test_main_t * sm = &acl_test_main;
363 unformat_input_t * i = vam->input;
364 vl_api_acl_add_replace_t * mp;
366 u32 msg_size = sizeof (*mp); /* without the rules */
368 vl_api_acl_rule_t *rules = 0;
371 int n_rules_override = -1;
376 u32 tcpflags, tcpmask;
377 u32 src_prefix_length = 0, dst_prefix_length = 0;
378 ip4_address_t src_v4address, dst_v4address;
379 ip6_address_t src_v6address, dst_v6address;
383 if (!unformat (i, "%d", &acl_index)) {
387 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
389 if (unformat (i, "ipv6"))
391 vec_validate_acl_rules(rules, rule_idx);
392 rules[rule_idx].is_ipv6 = 1;
394 else if (unformat (i, "ipv4"))
396 vec_validate_acl_rules(rules, rule_idx);
397 rules[rule_idx].is_ipv6 = 0;
399 else if (unformat (i, "permit+reflect"))
401 vec_validate_acl_rules(rules, rule_idx);
402 rules[rule_idx].is_permit = 2;
404 else if (unformat (i, "permit"))
406 vec_validate_acl_rules(rules, rule_idx);
407 rules[rule_idx].is_permit = 1;
409 else if (unformat (i, "deny"))
411 vec_validate_acl_rules(rules, rule_idx);
412 rules[rule_idx].is_permit = 0;
414 else if (unformat (i, "count %d", &n_rules_override))
416 /* we will use this later */
418 else if (unformat (i, "action %d", &action))
420 vec_validate_acl_rules(rules, rule_idx);
421 rules[rule_idx].is_permit = action;
423 else if (unformat (i, "src %U/%d",
424 unformat_ip4_address, &src_v4address, &src_prefix_length))
426 vec_validate_acl_rules(rules, rule_idx);
427 memcpy (rules[rule_idx].src_ip_addr, &src_v4address, 4);
428 rules[rule_idx].src_ip_prefix_len = src_prefix_length;
429 rules[rule_idx].is_ipv6 = 0;
431 else if (unformat (i, "src %U/%d",
432 unformat_ip6_address, &src_v6address, &src_prefix_length))
434 vec_validate_acl_rules(rules, rule_idx);
435 memcpy (rules[rule_idx].src_ip_addr, &src_v6address, 16);
436 rules[rule_idx].src_ip_prefix_len = src_prefix_length;
437 rules[rule_idx].is_ipv6 = 1;
439 else if (unformat (i, "dst %U/%d",
440 unformat_ip4_address, &dst_v4address, &dst_prefix_length))
442 vec_validate_acl_rules(rules, rule_idx);
443 memcpy (rules[rule_idx].dst_ip_addr, &dst_v4address, 4);
444 rules[rule_idx].dst_ip_prefix_len = dst_prefix_length;
445 rules[rule_idx].is_ipv6 = 0;
447 else if (unformat (i, "dst %U/%d",
448 unformat_ip6_address, &dst_v6address, &dst_prefix_length))
450 vec_validate_acl_rules(rules, rule_idx);
451 memcpy (rules[rule_idx].dst_ip_addr, &dst_v6address, 16);
452 rules[rule_idx].dst_ip_prefix_len = dst_prefix_length;
453 rules[rule_idx].is_ipv6 = 1;
455 else if (unformat (i, "sport %d-%d", &port1, &port2))
457 vec_validate_acl_rules(rules, rule_idx);
458 rules[rule_idx].srcport_or_icmptype_first = htons(port1);
459 rules[rule_idx].srcport_or_icmptype_last = htons(port2);
461 else if (unformat (i, "sport %d", &port1))
463 vec_validate_acl_rules(rules, rule_idx);
464 rules[rule_idx].srcport_or_icmptype_first = htons(port1);
465 rules[rule_idx].srcport_or_icmptype_last = htons(port1);
467 else if (unformat (i, "dport %d-%d", &port1, &port2))
469 vec_validate_acl_rules(rules, rule_idx);
470 rules[rule_idx].dstport_or_icmpcode_first = htons(port1);
471 rules[rule_idx].dstport_or_icmpcode_last = htons(port2);
473 else if (unformat (i, "dport %d", &port1))
475 vec_validate_acl_rules(rules, rule_idx);
476 rules[rule_idx].dstport_or_icmpcode_first = htons(port1);
477 rules[rule_idx].dstport_or_icmpcode_last = htons(port1);
479 else if (unformat (i, "tcpflags %d %d", &tcpflags, &tcpmask))
481 vec_validate_acl_rules(rules, rule_idx);
482 rules[rule_idx].tcp_flags_value = tcpflags;
483 rules[rule_idx].tcp_flags_mask = tcpmask;
485 else if (unformat (i, "tcpflags %d mask %d", &tcpflags, &tcpmask))
487 vec_validate_acl_rules(rules, rule_idx);
488 rules[rule_idx].tcp_flags_value = tcpflags;
489 rules[rule_idx].tcp_flags_mask = tcpmask;
491 else if (unformat (i, "proto %d", &proto))
493 vec_validate_acl_rules(rules, rule_idx);
494 rules[rule_idx].proto = proto;
496 else if (unformat (i, "tag %s", &tag))
499 else if (unformat (i, ","))
502 vec_validate_acl_rules(rules, rule_idx);
508 /* Construct the API message */
509 vam->result_ready = 0;
512 n_rules = vec_len(rules);
516 if (n_rules_override >= 0)
517 n_rules = n_rules_override;
519 msg_size += n_rules*sizeof(rules[0]);
521 mp = vl_msg_api_alloc_as_if_client(msg_size);
522 memset (mp, 0, msg_size);
523 mp->_vl_msg_id = ntohs (VL_API_ACL_ADD_REPLACE + sm->msg_id_base);
524 mp->client_index = vam->my_client_index;
525 if ((n_rules > 0) && rules)
526 clib_memcpy(mp->r, rules, n_rules*sizeof (vl_api_acl_rule_t));
529 if (vec_len(tag) >= sizeof(mp->tag))
531 tag[sizeof(mp->tag)-1] = 0;
532 _vec_len(tag) = sizeof(mp->tag);
534 clib_memcpy(mp->tag, tag, vec_len(tag));
537 mp->acl_index = ntohl(acl_index);
538 mp->count = htonl(n_rules);
543 /* Wait for a reply... */
550 * Read the series of ACL entries from file in the following format:
553 @0.0.0.0/1 131.179.121.0/24 0 : 65535 0 : 65535 0x00/0x00 0x0000/0x0000
554 @128.0.0.0/1 85.54.226.0/23 0 : 65535 0 : 65535 0x00/0x00 0x0000/0x0000
555 @128.0.0.0/1 85.54.48.0/23 0 : 65535 0 : 65535 0x00/0x00 0x0000/0x0000
556 @128.0.0.0/1 31.237.44.0/23 0 : 65535 0 : 65535 0x00/0x00 0x0000/0x0000
557 @0.0.0.0/1 255.84.184.0/23 0 : 65535 0 : 65535 0x00/0x00 0x0000/0x0000
558 @132.92.0.0/16 0.0.0.0/0 0 : 65535 0 : 65535 0x01/0xFF 0x0000/0x0000
564 api_acl_add_replace_from_file (vat_main_t * vam)
567 unformat_input_t * input = vam->input;
568 acl_test_main_t * sm = &acl_test_main;
569 vl_api_acl_add_replace_t * mp;
571 u32 msg_size = sizeof (*mp); /* without the rules */
573 vl_api_acl_rule_t *rules = 0;
576 int n_rules_override = -1;
578 int append_default_permit = 0;
579 u32 tcpflags = 0, tcpmask = 0;
580 ip4_address_t src_v4address, dst_v4address;
584 char *file_name = NULL;
585 unformat_input_t file_input;
587 while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
589 if (unformat (input, "filename %s", &file_name))
591 /* we will use this later */
593 else if (unformat (input, "acl-index %d", &acl_index))
595 /* we will try to replace an existing ACL */
597 else if (unformat (input, "permit+reflect"))
601 else if (unformat (input, "permit"))
605 else if (unformat (input, "append-default-permit"))
607 append_default_permit = 1;
613 fd = open(file_name, O_RDONLY);
616 clib_warning("Could not open file '%s'");
620 /* input from file */
622 unformat_init_clib_file(input, fd);
624 unsigned sport_low, sport_high, dport_low, dport_high;
625 unsigned proto, protomask;
626 u32 src_prefix_length, dst_prefix_length;
627 u32 unused1, unused2;
629 while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
631 if (!unformat(input, "@%U/%d\t%U/%d\t%d : %d\t%d : %d\t0x%x/0x%x\t0x%x/0x%x",
632 unformat_ip4_address, &src_v4address, &src_prefix_length,
633 unformat_ip4_address, &dst_v4address, &dst_prefix_length,
634 &sport_low, &sport_high, &dport_low, &dport_high, &proto, &protomask, &unused1, &unused2)) {
635 clib_warning("Error parsing");
640 vec_validate_acl_rules(rules, rule_idx);
642 rules[rule_idx].is_ipv6 = 0;
643 rules[rule_idx].is_permit = is_permit;
644 memcpy (rules[rule_idx].src_ip_addr, &src_v4address, 4);
645 rules[rule_idx].src_ip_prefix_len = src_prefix_length;
646 memcpy (rules[rule_idx].dst_ip_addr, &dst_v4address, 4);
647 rules[rule_idx].dst_ip_prefix_len = dst_prefix_length;
648 rules[rule_idx].srcport_or_icmptype_first = htons(sport_low);
649 rules[rule_idx].srcport_or_icmptype_last = htons(sport_high);
650 rules[rule_idx].dstport_or_icmpcode_first = htons(dport_low);
651 rules[rule_idx].dstport_or_icmpcode_last = htons(dport_high);
652 rules[rule_idx].tcp_flags_value = tcpflags;
653 rules[rule_idx].tcp_flags_mask = tcpmask;
654 rules[rule_idx].proto = proto;
657 rules[rule_idx].is_permit = is_permit;
659 if (append_default_permit) {
661 vec_validate_acl_rules(rules, rule_idx);
663 rules[rule_idx].is_ipv6 = 0;
664 rules[rule_idx].is_permit = is_permit == 2 ? 2 : 1;
666 src_v4address.data[0]=0;
667 src_v4address.data[1]=0;
668 src_v4address.data[2]=0;
669 src_v4address.data[3]=0;
670 memcpy (rules[rule_idx].src_ip_addr, &src_v4address, 4);
671 rules[rule_idx].src_ip_prefix_len = 0;
673 dst_v4address.data[0]=0;
674 dst_v4address.data[1]=0;
675 dst_v4address.data[2]=0;
676 dst_v4address.data[3]=0;
677 memcpy (rules[rule_idx].dst_ip_addr, &dst_v4address, 4);
678 rules[rule_idx].dst_ip_prefix_len = 0;
680 rules[rule_idx].srcport_or_icmptype_first = htons(0);
681 rules[rule_idx].srcport_or_icmptype_last = htons(65535);
682 rules[rule_idx].dstport_or_icmpcode_first = htons(0);
683 rules[rule_idx].dstport_or_icmpcode_last = htons(65535);
684 rules[rule_idx].tcp_flags_value = 0;
685 rules[rule_idx].tcp_flags_mask = 0;
686 rules[rule_idx].proto = 0;
689 /* Construct the API message */
691 vam->result_ready = 0;
694 n_rules = vec_len(rules);
698 if (n_rules_override >= 0)
699 n_rules = n_rules_override;
701 msg_size += n_rules*sizeof(rules[0]);
703 mp = vl_msg_api_alloc_as_if_client(msg_size);
704 memset (mp, 0, msg_size);
705 mp->_vl_msg_id = ntohs (VL_API_ACL_ADD_REPLACE + sm->msg_id_base);
706 mp->client_index = vam->my_client_index;
707 mp->client_index = 0;
709 clib_memcpy(mp->r, rules, n_rules*sizeof (vl_api_acl_rule_t));
712 if (vec_len(tag) >= sizeof(mp->tag))
714 tag[sizeof(mp->tag)-1] = 0;
715 _vec_len(tag) = sizeof(mp->tag);
717 clib_memcpy(mp->tag, tag, vec_len(tag));
720 mp->acl_index = ntohl(acl_index);
721 mp->count = htonl(n_rules);
726 /* Wait for a reply... */
737 static int api_acl_del (vat_main_t * vam)
739 unformat_input_t * i = vam->input;
740 vl_api_acl_del_t * mp;
744 if (!unformat (i, "%d", &acl_index)) {
745 errmsg ("missing acl index\n");
749 /* Construct the API message */
751 mp->acl_index = ntohl(acl_index);
756 /* Wait for a reply... */
761 static int api_macip_acl_del (vat_main_t * vam)
763 unformat_input_t * i = vam->input;
764 vl_api_acl_del_t * mp;
768 if (!unformat (i, "%d", &acl_index)) {
769 errmsg ("missing acl index\n");
773 /* Construct the API message */
774 M(MACIP_ACL_DEL, mp);
775 mp->acl_index = ntohl(acl_index);
780 /* Wait for a reply... */
785 static int api_acl_interface_add_del (vat_main_t * vam)
787 unformat_input_t * i = vam->input;
788 vl_api_acl_interface_add_del_t * mp;
789 u32 sw_if_index = ~0;
795 // acl_interface_add_del <intfc> | sw_if_index <if-idx> acl_index <acl-idx> [out] [del]
797 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
799 if (unformat (i, "%d", &acl_index))
806 /* Parse args required to build the message */
807 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
808 if (unformat (i, "%U", unformat_sw_if_index, vam, &sw_if_index))
810 else if (unformat (i, "sw_if_index %d", &sw_if_index))
812 else if (unformat (i, "add"))
814 else if (unformat (i, "del"))
816 else if (unformat (i, "acl %d", &acl_index))
818 else if (unformat (i, "input"))
820 else if (unformat (i, "output"))
826 if (sw_if_index == ~0) {
827 errmsg ("missing interface name / explicit sw_if_index number \n");
831 if (acl_index == ~0) {
832 errmsg ("missing ACL index\n");
838 /* Construct the API message */
839 M(ACL_INTERFACE_ADD_DEL, mp);
840 mp->acl_index = ntohl(acl_index);
841 mp->sw_if_index = ntohl(sw_if_index);
843 mp->is_input = is_input;
848 /* Wait for a reply... */
853 static int api_macip_acl_interface_add_del (vat_main_t * vam)
855 unformat_input_t * i = vam->input;
856 vl_api_macip_acl_interface_add_del_t * mp;
857 u32 sw_if_index = ~0;
862 /* Parse args required to build the message */
863 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
864 if (unformat (i, "%U", unformat_sw_if_index, vam, &sw_if_index))
866 else if (unformat (i, "sw_if_index %d", &sw_if_index))
868 else if (unformat (i, "add"))
870 else if (unformat (i, "del"))
872 else if (unformat (i, "acl %d", &acl_index))
878 if (sw_if_index == ~0) {
879 errmsg ("missing interface name / explicit sw_if_index number \n");
883 if (acl_index == ~0) {
884 errmsg ("missing ACL index\n");
890 /* Construct the API message */
891 M(MACIP_ACL_INTERFACE_ADD_DEL, mp);
892 mp->acl_index = ntohl(acl_index);
893 mp->sw_if_index = ntohl(sw_if_index);
899 /* Wait for a reply... */
904 static int api_acl_interface_set_acl_list (vat_main_t * vam)
906 unformat_input_t * i = vam->input;
907 vl_api_acl_interface_set_acl_list_t * mp;
908 u32 sw_if_index = ~0;
915 // acl_interface_set_acl_list <intfc> | sw_if_index <if-idx> input [acl-idx list] output [acl-idx list]
917 /* Parse args required to build the message */
918 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
919 if (unformat (i, "%U", unformat_sw_if_index, vam, &sw_if_index))
921 else if (unformat (i, "sw_if_index %d", &sw_if_index))
923 else if (unformat (i, "%d", &acl_index))
926 vec_add1(inacls, htonl(acl_index));
928 vec_add1(outacls, htonl(acl_index));
930 else if (unformat (i, "acl %d", &acl_index))
932 else if (unformat (i, "input"))
934 else if (unformat (i, "output"))
940 if (sw_if_index == ~0) {
941 errmsg ("missing interface name / explicit sw_if_index number \n");
945 /* Construct the API message */
946 M2(ACL_INTERFACE_SET_ACL_LIST, mp, sizeof(u32) * (vec_len(inacls) + vec_len(outacls)));
947 mp->sw_if_index = ntohl(sw_if_index);
948 mp->n_input = vec_len(inacls);
949 mp->count = vec_len(inacls) + vec_len(outacls);
950 vec_append(inacls, outacls);
951 if (vec_len(inacls) > 0)
952 clib_memcpy(mp->acls, inacls, vec_len(inacls)*sizeof(u32));
957 /* Wait for a reply... */
962 static int api_acl_interface_set_etype_whitelist (vat_main_t * vam)
964 unformat_input_t * i = vam->input;
965 vl_api_acl_interface_set_etype_whitelist_t * mp;
966 u32 sw_if_index = ~0;
973 // acl_interface_set_etype_whitelist <intfc> | sw_if_index <if-idx> input [ethertype list] output [ethertype list]
975 /* Parse args required to build the message */
976 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
977 if (unformat (i, "%U", unformat_sw_if_index, vam, &sw_if_index))
979 else if (unformat (i, "sw_if_index %d", &sw_if_index))
981 else if (unformat (i, "%x", ðertype))
983 ethertype = ethertype & 0xffff;
985 vec_add1(etypes_in, htons(ethertype));
987 vec_add1(etypes_out, htons(ethertype));
989 else if (unformat (i, "input"))
991 else if (unformat (i, "output"))
997 if (sw_if_index == ~0) {
998 errmsg ("missing interface name / explicit sw_if_index number \n");
1002 /* Construct the API message */
1003 M2(ACL_INTERFACE_SET_ETYPE_WHITELIST, mp, sizeof(u32) * (vec_len(etypes_in) + vec_len(etypes_out)));
1004 mp->sw_if_index = ntohl(sw_if_index);
1005 mp->n_input = vec_len(etypes_in);
1006 mp->count = vec_len(etypes_in) + vec_len(etypes_out);
1007 vec_append(etypes_in, etypes_out);
1008 if (vec_len(etypes_in) > 0)
1009 clib_memcpy(mp->whitelist, etypes_in, vec_len(etypes_in)*sizeof(etypes_in[0]));
1014 /* Wait for a reply... */
1020 api_acl_send_control_ping(vat_main_t *vam)
1022 vl_api_acl_plugin_control_ping_t *mp_ping;
1024 M(ACL_PLUGIN_CONTROL_PING, mp_ping);
1029 static int api_acl_interface_list_dump (vat_main_t * vam)
1031 unformat_input_t * i = vam->input;
1032 u32 sw_if_index = ~0;
1033 vl_api_acl_interface_list_dump_t * mp;
1036 /* Parse args required to build the message */
1037 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
1038 if (unformat (i, "%U", unformat_sw_if_index, vam, &sw_if_index))
1040 else if (unformat (i, "sw_if_index %d", &sw_if_index))
1046 /* Construct the API message */
1047 M(ACL_INTERFACE_LIST_DUMP, mp);
1048 mp->sw_if_index = ntohl (sw_if_index);
1053 /* Use control ping for synchronization */
1054 api_acl_send_control_ping(vam);
1056 /* Wait for a reply... */
1061 static int api_acl_dump (vat_main_t * vam)
1063 unformat_input_t * i = vam->input;
1065 vl_api_acl_dump_t * mp;
1068 /* Parse args required to build the message */
1069 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
1070 if (unformat (i, "%d", &acl_index))
1076 /* Construct the API message */
1078 mp->acl_index = ntohl (acl_index);
1083 /* Use control ping for synchronization */
1084 api_acl_send_control_ping(vam);
1086 /* Wait for a reply... */
1091 static int api_macip_acl_dump (vat_main_t * vam)
1093 unformat_input_t * i = vam->input;
1095 vl_api_acl_dump_t * mp;
1098 /* Parse args required to build the message */
1099 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
1100 if (unformat (i, "%d", &acl_index))
1106 /* Construct the API message */
1107 M(MACIP_ACL_DUMP, mp);
1108 mp->acl_index = ntohl (acl_index);
1113 /* Use control ping for synchronization */
1114 api_acl_send_control_ping(vam);
1116 /* Wait for a reply... */
1121 static int api_acl_interface_etype_whitelist_dump (vat_main_t * vam)
1123 unformat_input_t * i = vam->input;
1124 u32 sw_if_index = ~0;
1125 vl_api_acl_interface_etype_whitelist_dump_t * mp;
1128 /* Parse args required to build the message */
1129 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
1130 if (unformat (i, "%U", unformat_sw_if_index, vam, &sw_if_index))
1132 else if (unformat (i, "sw_if_index %d", &sw_if_index))
1138 /* Construct the API message */
1139 M(ACL_INTERFACE_ETYPE_WHITELIST_DUMP, mp);
1140 mp->sw_if_index = ntohl (sw_if_index);
1145 /* Use control ping for synchronization */
1146 api_acl_send_control_ping(vam);
1148 /* Wait for a reply... */
1154 #define vec_validate_macip_acl_rules(v, idx) \
1156 if (vec_len(v) < idx+1) { \
1157 vec_validate(v, idx); \
1158 v[idx].is_permit = 0x1; \
1163 static int api_macip_acl_add (vat_main_t * vam)
1165 acl_test_main_t * sm = &acl_test_main;
1166 unformat_input_t * i = vam->input;
1167 vl_api_macip_acl_add_t * mp;
1168 u32 msg_size = sizeof (*mp); /* without the rules */
1170 vl_api_macip_acl_rule_t *rules = 0;
1173 int n_rules_override = -1;
1174 u32 src_prefix_length = 0;
1176 ip4_address_t src_v4address;
1177 ip6_address_t src_v6address;
1180 u8 mac_mask_all_1[6] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
1183 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
1185 if (unformat (i, "ipv6"))
1187 vec_validate_macip_acl_rules(rules, rule_idx);
1188 rules[rule_idx].is_ipv6 = 1;
1190 else if (unformat (i, "ipv4"))
1192 vec_validate_macip_acl_rules(rules, rule_idx);
1193 rules[rule_idx].is_ipv6 = 0;
1195 else if (unformat (i, "permit"))
1197 vec_validate_macip_acl_rules(rules, rule_idx);
1198 rules[rule_idx].is_permit = 1;
1200 else if (unformat (i, "deny"))
1202 vec_validate_macip_acl_rules(rules, rule_idx);
1203 rules[rule_idx].is_permit = 0;
1205 else if (unformat (i, "count %d", &n_rules_override))
1207 /* we will use this later */
1209 else if (unformat (i, "action %d", &action))
1211 vec_validate_macip_acl_rules(rules, rule_idx);
1212 rules[rule_idx].is_permit = action;
1214 else if (unformat (i, "ip %U/%d",
1215 unformat_ip4_address, &src_v4address, &src_prefix_length) ||
1216 unformat (i, "ip %U",
1217 unformat_ip4_address, &src_v4address))
1219 if (src_prefix_length == 0)
1220 src_prefix_length = 32;
1221 vec_validate_macip_acl_rules(rules, rule_idx);
1222 memcpy (rules[rule_idx].src_ip_addr, &src_v4address, 4);
1223 rules[rule_idx].src_ip_prefix_len = src_prefix_length;
1224 rules[rule_idx].is_ipv6 = 0;
1226 else if (unformat (i, "src"))
1228 /* Everything in MACIP is "source" but allow this verbosity */
1230 else if (unformat (i, "ip %U/%d",
1231 unformat_ip6_address, &src_v6address, &src_prefix_length) ||
1232 unformat (i, "ip %U",
1233 unformat_ip6_address, &src_v6address))
1235 if (src_prefix_length == 0)
1236 src_prefix_length = 128;
1237 vec_validate_macip_acl_rules(rules, rule_idx);
1238 memcpy (rules[rule_idx].src_ip_addr, &src_v6address, 16);
1239 rules[rule_idx].src_ip_prefix_len = src_prefix_length;
1240 rules[rule_idx].is_ipv6 = 1;
1242 else if (unformat (i, "mac %U",
1243 my_unformat_mac_address, &src_mac))
1245 vec_validate_macip_acl_rules(rules, rule_idx);
1246 memcpy (rules[rule_idx].src_mac, &src_mac, 6);
1247 memcpy (rules[rule_idx].src_mac_mask, &mac_mask_all_1, 6);
1249 else if (unformat (i, "mask %U",
1250 my_unformat_mac_address, &src_mac))
1252 vec_validate_macip_acl_rules(rules, rule_idx);
1253 memcpy (rules[rule_idx].src_mac_mask, &src_mac, 6);
1255 else if (unformat (i, "tag %s", &tag))
1258 else if (unformat (i, ","))
1261 vec_validate_macip_acl_rules(rules, rule_idx);
1267 /* Construct the API message */
1268 vam->result_ready = 0;
1271 n_rules = vec_len(rules);
1273 if (n_rules_override >= 0)
1274 n_rules = n_rules_override;
1276 msg_size += n_rules*sizeof(rules[0]);
1278 mp = vl_msg_api_alloc_as_if_client(msg_size);
1279 memset (mp, 0, msg_size);
1280 mp->_vl_msg_id = ntohs (VL_API_MACIP_ACL_ADD + sm->msg_id_base);
1281 mp->client_index = vam->my_client_index;
1282 if ((n_rules > 0) && rules)
1283 clib_memcpy(mp->r, rules, n_rules*sizeof (mp->r[0]));
1286 if (vec_len(tag) >= sizeof(mp->tag))
1288 tag[sizeof(mp->tag)-1] = 0;
1289 _vec_len(tag) = sizeof(mp->tag);
1291 clib_memcpy(mp->tag, tag, vec_len(tag));
1295 mp->count = htonl(n_rules);
1300 /* Wait for a reply... */
1305 static int api_macip_acl_add_replace (vat_main_t * vam)
1307 acl_test_main_t * sm = &acl_test_main;
1308 unformat_input_t * i = vam->input;
1309 vl_api_macip_acl_add_replace_t * mp;
1311 u32 msg_size = sizeof (*mp); /* without the rules */
1313 vl_api_macip_acl_rule_t *rules = 0;
1316 int n_rules_override = -1;
1317 u32 src_prefix_length = 0;
1319 ip4_address_t src_v4address;
1320 ip6_address_t src_v6address;
1323 u8 mac_mask_all_1[6] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
1326 if (!unformat (i, "%d", &acl_index)) {
1327 /* Just assume -1 */
1330 while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
1332 if (unformat (i, "ipv6"))
1334 vec_validate_macip_acl_rules(rules, rule_idx);
1335 rules[rule_idx].is_ipv6 = 1;
1337 else if (unformat (i, "ipv4"))
1339 vec_validate_macip_acl_rules(rules, rule_idx);
1340 rules[rule_idx].is_ipv6 = 0;
1342 else if (unformat (i, "permit"))
1344 vec_validate_macip_acl_rules(rules, rule_idx);
1345 rules[rule_idx].is_permit = 1;
1347 else if (unformat (i, "deny"))
1349 vec_validate_macip_acl_rules(rules, rule_idx);
1350 rules[rule_idx].is_permit = 0;
1352 else if (unformat (i, "count %d", &n_rules_override))
1354 /* we will use this later */
1356 else if (unformat (i, "action %d", &action))
1358 vec_validate_macip_acl_rules(rules, rule_idx);
1359 rules[rule_idx].is_permit = action;
1361 else if (unformat (i, "ip %U/%d",
1362 unformat_ip4_address, &src_v4address, &src_prefix_length) ||
1363 unformat (i, "ip %U",
1364 unformat_ip4_address, &src_v4address))
1366 if (src_prefix_length == 0)
1367 src_prefix_length = 32;
1368 vec_validate_macip_acl_rules(rules, rule_idx);
1369 memcpy (rules[rule_idx].src_ip_addr, &src_v4address, 4);
1370 rules[rule_idx].src_ip_prefix_len = src_prefix_length;
1371 rules[rule_idx].is_ipv6 = 0;
1373 else if (unformat (i, "src"))
1375 /* Everything in MACIP is "source" but allow this verbosity */
1377 else if (unformat (i, "ip %U/%d",
1378 unformat_ip6_address, &src_v6address, &src_prefix_length) ||
1379 unformat (i, "ip %U",
1380 unformat_ip6_address, &src_v6address))
1382 if (src_prefix_length == 0)
1383 src_prefix_length = 128;
1384 vec_validate_macip_acl_rules(rules, rule_idx);
1385 memcpy (rules[rule_idx].src_ip_addr, &src_v6address, 16);
1386 rules[rule_idx].src_ip_prefix_len = src_prefix_length;
1387 rules[rule_idx].is_ipv6 = 1;
1389 else if (unformat (i, "mac %U",
1390 my_unformat_mac_address, &src_mac))
1392 vec_validate_macip_acl_rules(rules, rule_idx);
1393 memcpy (rules[rule_idx].src_mac, &src_mac, 6);
1394 memcpy (rules[rule_idx].src_mac_mask, &mac_mask_all_1, 6);
1396 else if (unformat (i, "mask %U",
1397 my_unformat_mac_address, &src_mac))
1399 vec_validate_macip_acl_rules(rules, rule_idx);
1400 memcpy (rules[rule_idx].src_mac_mask, &src_mac, 6);
1402 else if (unformat (i, "tag %s", &tag))
1405 else if (unformat (i, ","))
1408 vec_validate_macip_acl_rules(rules, rule_idx);
1416 errmsg ("rule/s required\n");
1419 /* Construct the API message */
1420 vam->result_ready = 0;
1423 n_rules = vec_len(rules);
1425 if (n_rules_override >= 0)
1426 n_rules = n_rules_override;
1428 msg_size += n_rules*sizeof(rules[0]);
1430 mp = vl_msg_api_alloc_as_if_client(msg_size);
1431 memset (mp, 0, msg_size);
1432 mp->_vl_msg_id = ntohs (VL_API_MACIP_ACL_ADD_REPLACE + sm->msg_id_base);
1433 mp->client_index = vam->my_client_index;
1434 if ((n_rules > 0) && rules)
1435 clib_memcpy(mp->r, rules, n_rules*sizeof (mp->r[0]));
1438 if (vec_len(tag) >= sizeof(mp->tag))
1440 tag[sizeof(mp->tag)-1] = 0;
1441 _vec_len(tag) = sizeof(mp->tag);
1443 clib_memcpy(mp->tag, tag, vec_len(tag));
1447 mp->acl_index = ntohl(acl_index);
1448 mp->count = htonl(n_rules);
1453 /* Wait for a reply... */
1459 * List of messages that the api test plugin sends,
1460 * and that the data plane plugin processes
1462 #define foreach_vpe_api_msg \
1463 _(acl_plugin_get_version, "") \
1464 _(acl_add_replace, "<acl-idx> [<ipv4|ipv6> <permit|permit+reflect|deny|action N> [src IP/plen] [dst IP/plen] [sport X-Y] [dport X-Y] [proto P] [tcpflags FL MASK], ... , ...") \
1465 _(acl_add_replace_from_file, "filename <file> [permit] [append-default-permit]") \
1466 _(acl_del, "<acl-idx>") \
1467 _(acl_dump, "[<acl-idx>]") \
1468 _(acl_interface_add_del, "<intfc> | sw_if_index <if-idx> [add|del] [input|output] acl <acl-idx>") \
1469 _(acl_interface_set_acl_list, "<intfc> | sw_if_index <if-idx> input [acl-idx list] output [acl-idx list]") \
1470 _(acl_interface_set_etype_whitelist, "<intfc> | sw_if_index <if-idx> input [ethertype list] output [ethertype list]") \
1471 _(acl_interface_etype_whitelist_dump, "[<intfc> | sw_if_index <if-idx>]") \
1472 _(acl_interface_list_dump, "[<intfc> | sw_if_index <if-idx>]") \
1473 _(macip_acl_add, "...") \
1474 _(macip_acl_add_replace, "<acl-idx> [<ipv4|ipv6> <permit|deny|action N> [count <count>] [src] ip <ipaddress/[plen]> mac <mac> mask <mac_mask>, ... , ...") \
1475 _(macip_acl_del, "<acl-idx>")\
1476 _(macip_acl_dump, "[<acl-idx>]") \
1477 _(macip_acl_interface_add_del, "<intfc> | sw_if_index <if-idx> [add|del] acl <acl-idx>") \
1478 _(macip_acl_interface_get, "")
1482 void acl_vat_api_hookup (vat_main_t *vam)
1484 acl_test_main_t * sm = &acl_test_main;
1485 /* Hook up handlers for replies from the data plane plug-in */
1487 vl_msg_api_set_handlers((VL_API_##N + sm->msg_id_base), \
1489 vl_api_##n##_t_handler, \
1491 vl_api_##n##_t_endian, \
1492 vl_api_##n##_t_print, \
1493 sizeof(vl_api_##n##_t), 1);
1494 foreach_vpe_api_reply_msg;
1497 /* API messages we can send */
1498 #define _(n,h) hash_set_mem (vam->function_by_name, #n, api_##n);
1499 foreach_vpe_api_msg;
1503 #define _(n,h) hash_set_mem (vam->help_by_name, #n, h);
1504 foreach_vpe_api_msg;
1508 clib_error_t * vat_plugin_register (vat_main_t *vam)
1510 acl_test_main_t * sm = &acl_test_main;
1515 name = format (0, "acl_%08x%c", api_version, 0);
1516 sm->msg_id_base = vl_client_get_first_plugin_msg_id ((char *) name);
1518 if (sm->msg_id_base != (u16) ~0)
1519 acl_vat_api_hookup (vam);