classifier-based ACL: refactor + add output ACL
similarity index 53%
rename from src/vnet/classify/input_acl.c
rename to src/vnet/classify/in_out_acl.c
index cf5053e..a34f6ce 100644 (file)
  */
 #include <vnet/ip/ip.h>
 #include <vnet/classify/vnet_classify.h>
-#include <vnet/classify/input_acl.h>
+#include <vnet/classify/in_out_acl.h>
 
-input_acl_main_t input_acl_main;
+in_out_acl_main_t in_out_acl_main;
 
 static int
-vnet_inacl_ip_feature_enable (vlib_main_t * vnm,
-                             input_acl_main_t * am,
-                             u32 sw_if_index,
-                             input_acl_table_id_t tid, int feature_enable)
+vnet_in_out_acl_ip_feature_enable (vlib_main_t * vnm,
+                                  in_out_acl_main_t * am,
+                                  u32 sw_if_index,
+                                  in_out_acl_table_id_t tid,
+                                  int feature_enable, int is_output)
 {
 
-  if (tid == INPUT_ACL_TABLE_L2)
+  if (tid == IN_OUT_ACL_TABLE_L2)
     {
-      l2input_intf_bitmap_enable (sw_if_index, L2INPUT_FEAT_ACL,
-                                 feature_enable);
+      l2input_intf_bitmap_enable (sw_if_index,
+                                 is_output ? L2OUTPUT_FEAT_ACL :
+                                 L2INPUT_FEAT_ACL, feature_enable);
     }
   else
     {                          /* IP[46] */
       vnet_feature_config_main_t *fcm;
       u8 arc;
 
-      if (tid == INPUT_ACL_TABLE_IP4)
+      if (tid == IN_OUT_ACL_TABLE_IP4)
        {
-         vnet_feature_enable_disable ("ip4-unicast", "ip4-inacl",
+         char *arc_name = is_output ? "ip4-output" : "ip4-unicast";
+         vnet_feature_enable_disable (arc_name,
+                                      is_output ? "ip4-outacl" : "ip4-inacl",
                                       sw_if_index, feature_enable, 0, 0);
-         arc = vnet_get_feature_arc_index ("ip4-unicast");
+         arc = vnet_get_feature_arc_index (arc_name);
        }
       else
        {
-         vnet_feature_enable_disable ("ip6-unicast", "ip6-inacl",
+         char *arc_name = is_output ? "ip6-output" : "ip6-unicast";
+         vnet_feature_enable_disable (arc_name,
+                                      is_output ? "ip6-outacl" : "ip6-inacl",
                                       sw_if_index, feature_enable, 0, 0);
-         arc = vnet_get_feature_arc_index ("ip6-unicast");
+         arc = vnet_get_feature_arc_index (arc_name);
        }
 
       fcm = vnet_get_feature_arc_config_main (arc);
-      am->vnet_config_main[tid] = &fcm->config_main;
+      am->vnet_config_main[is_output][tid] = &fcm->config_main;
     }
 
   return 0;
 }
 
 int
-vnet_set_input_acl_intfc (vlib_main_t * vm, u32 sw_if_index,
-                         u32 ip4_table_index,
-                         u32 ip6_table_index, u32 l2_table_index, u32 is_add)
+vnet_set_in_out_acl_intfc (vlib_main_t * vm, u32 sw_if_index,
+                          u32 ip4_table_index,
+                          u32 ip6_table_index, u32 l2_table_index,
+                          u32 is_add, u32 is_output)
 {
-  input_acl_main_t *am = &input_acl_main;
+  in_out_acl_main_t *am = &in_out_acl_main;
   vnet_classify_main_t *vcm = am->vnet_classify_main;
-  u32 acl[INPUT_ACL_N_TABLES] = { ip4_table_index, ip6_table_index,
+  u32 acl[IN_OUT_ACL_N_TABLES] = { ip4_table_index, ip6_table_index,
     l2_table_index
   };
   u32 ti;
 
   /* Assume that we've validated sw_if_index in the API layer */
 
-  for (ti = 0; ti < INPUT_ACL_N_TABLES; ti++)
+  for (ti = 0; ti < IN_OUT_ACL_N_TABLES; ti++)
     {
       if (acl[ti] == ~0)
        continue;
@@ -78,12 +85,14 @@ vnet_set_input_acl_intfc (vlib_main_t * vm, u32 sw_if_index,
        return VNET_API_ERROR_NO_SUCH_TABLE;
 
       vec_validate_init_empty
-       (am->classify_table_index_by_sw_if_index[ti], sw_if_index, ~0);
+       (am->classify_table_index_by_sw_if_index[is_output][ti], sw_if_index,
+        ~0);
 
       /* Reject any DEL operation with wrong sw_if_index */
       if (!is_add &&
          (acl[ti] !=
-          am->classify_table_index_by_sw_if_index[ti][sw_if_index]))
+          am->classify_table_index_by_sw_if_index[is_output][ti]
+          [sw_if_index]))
        {
          clib_warning
            ("Non-existent intf_idx=%d with table_index=%d for delete",
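Review bot: `is_output` is used unchecked as the first subscript of `classify_table_index_by_sw_if_index[is_output][ti]` at L102 and L109, and the same pattern continues in the next hunk (L119, L129, L133); the function is non-static and now takes `u32 is_output` from any caller, so a value other than the two table-group constants indexes past the two-element first dimension. The two wrappers added later pass constants, but nothing in this function pins the range. A guard at the top of `vnet_set_in_out_acl_intfc` would close it: `if (is_output != IN_OUT_ACL_INPUT_TABLE_GROUP && is_output != IN_OUT_ACL_OUTPUT_TABLE_GROUP) return VNET_API_ERROR_INVALID_VALUE;`. The function's signature and the start of its table loop are outside this hunk.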
@@ -93,23 +102,49 @@ vnet_set_input_acl_intfc (vlib_main_t * vm, u32 sw_if_index,
 
       /* Return ok on ADD operaton if feature is already enabled */
       if (is_add &&
-         am->classify_table_index_by_sw_if_index[ti][sw_if_index] != ~0)
+         am->classify_table_index_by_sw_if_index[is_output][ti][sw_if_index]
+         != ~0)
        return 0;
 
-      vnet_inacl_ip_feature_enable (vm, am, sw_if_index, ti, is_add);
+      vnet_in_out_acl_ip_feature_enable (vm, am, sw_if_index, ti, is_add,
+                                        is_output);
 
       if (is_add)
-       am->classify_table_index_by_sw_if_index[ti][sw_if_index] = acl[ti];
+       am->classify_table_index_by_sw_if_index[is_output][ti][sw_if_index] =
+         acl[ti];
       else
-       am->classify_table_index_by_sw_if_index[ti][sw_if_index] = ~0;
+       am->classify_table_index_by_sw_if_index[is_output][ti][sw_if_index] =
+         ~0;
     }
 
   return 0;
 }
 
+int
+vnet_set_input_acl_intfc (vlib_main_t * vm, u32 sw_if_index,
+                         u32 ip4_table_index,
+                         u32 ip6_table_index, u32 l2_table_index, u32 is_add)
+{
+  return vnet_set_in_out_acl_intfc (vm, sw_if_index, ip4_table_index,
+                                   ip6_table_index, l2_table_index, is_add,
+                                   IN_OUT_ACL_INPUT_TABLE_GROUP);
+}
+
+int
+vnet_set_output_acl_intfc (vlib_main_t * vm, u32 sw_if_index,
+                          u32 ip4_table_index,
+                          u32 ip6_table_index, u32 l2_table_index,
+                          u32 is_add)
+{
+  return vnet_set_in_out_acl_intfc (vm, sw_if_index, ip4_table_index,
+                                   ip6_table_index, l2_table_index, is_add,
+                                   IN_OUT_ACL_OUTPUT_TABLE_GROUP);
+}
+
 static clib_error_t *
-set_input_acl_command_fn (vlib_main_t * vm,
-                         unformat_input_t * input, vlib_cli_command_t * cmd)
+set_in_out_acl_command_fn (vlib_main_t * vm,
+                          unformat_input_t * input, vlib_cli_command_t * cmd,
+                          u32 is_output)
 {
   vnet_main_t *vnm = vnet_get_main ();
   u32 sw_if_index = ~0;
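Review bot: The `is_output` forwarded at L124–125 reaches the L2 branch of `vnet_in_out_acl_ip_feature_enable` (earlier hunk, L33–35), which passes `is_output ? L2OUTPUT_FEAT_ACL : L2INPUT_FEAT_ACL` to `l2input_intf_bitmap_enable`, i.e. an l2output feature bit is programmed into the L2 input feature bitmap. Unless the two feature enums deliberately share bit positions, an output L2 table would be recorded in the output group of `classify_table_index_by_sw_if_index` at L129 while no output-path feature is actually enabled, so traffic would silently bypass the table. The output case should call the l2output bitmap helper (`l2output_intf_bitmap_enable`, if present in this tree) with `L2OUTPUT_FEAT_ACL`, keeping `l2input_intf_bitmap_enable` with `L2INPUT_FEAT_ACL` for the input case. The body of `vnet_set_in_out_acl_intfc` begins in an earlier hunk and `set_in_out_acl_command_fn` continues past this one.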
@@ -146,8 +181,9 @@ set_input_acl_command_fn (vlib_main_t * vm,
   if (idx_cnt > 1)
     return clib_error_return (0, "Only one table index per API is allowed.");
 
-  rv = vnet_set_input_acl_intfc (vm, sw_if_index, ip4_table_index,
-                                ip6_table_index, l2_table_index, is_add);
+  rv = vnet_set_in_out_acl_intfc (vm, sw_if_index, ip4_table_index,
+                                 ip6_table_index, l2_table_index, is_add,
+                                 is_output);
 
   switch (rv)
     {
@@ -163,8 +199,24 @@ set_input_acl_command_fn (vlib_main_t * vm,
   return 0;
 }
 
+static clib_error_t *
+set_input_acl_command_fn (vlib_main_t * vm,
+                         unformat_input_t * input, vlib_cli_command_t * cmd)
+{
+  return set_in_out_acl_command_fn (vm, input, cmd,
+                                   IN_OUT_ACL_INPUT_TABLE_GROUP);
+}
+
+static clib_error_t *
+set_output_acl_command_fn (vlib_main_t * vm,
+                          unformat_input_t * input, vlib_cli_command_t * cmd)
+{
+  return set_in_out_acl_command_fn (vm, input, cmd,
+                                   IN_OUT_ACL_OUTPUT_TABLE_GROUP);
+}
+
 /*
- * Configure interface to enable/disble input ACL feature:
+ * Configure interface to enable/disble input/output ACL features:
  * intfc - interface name to be configured as input ACL
  * Ip4-table <index> [del] - enable/disable IP4 input ACL
  * Ip6-table <index> [del] - enable/disable IP6 input ACL
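Review bot: The comment block was retitled at L204 to cover input/output ACL features, but the parameter lines at L205–207 still describe only the input ACL, so the new `set interface output acl` command defined just below this hunk has no matching documentation. I would change them to `* intfc - interface name to be configured as input/output ACL`, `* Ip4-table <index> [del] - enable/disable IP4 input/output ACL` and `* Ip6-table <index> [del] - enable/disable IP6 input/output ACL`, and fix the pre-existing typo on L204 (`disble` → `disable`). The comment block continues past the end of this hunk.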
@@ -181,15 +233,22 @@ VLIB_CLI_COMMAND (set_input_acl_command, static) = {
     "  [ip6-table <index>] [l2-table <index>] [del]",
     .function = set_input_acl_command_fn,
 };
+VLIB_CLI_COMMAND (set_output_acl_command, static) = {
+    .path = "set interface output acl",
+    .short_help =
+    "set interface output acl intfc <int> [ip4-table <index>]\n"
+    "  [ip6-table <index>] [l2-table <index>] [del]",
+    .function = set_output_acl_command_fn,
+};
 /* *INDENT-ON* */
 
 clib_error_t *
-input_acl_init (vlib_main_t * vm)
+in_out_acl_init (vlib_main_t * vm)
 {
-  input_acl_main_t *am = &input_acl_main;
+  in_out_acl_main_t *am = &in_out_acl_main;
   clib_error_t *error = 0;
 
-  if ((error = vlib_call_init_function (vm, ip_inacl_init)))
+  if ((error = vlib_call_init_function (vm, ip_in_out_acl_init)))
     return error;
 
   am->vlib_main = vm;
@@ -199,22 +258,22 @@ input_acl_init (vlib_main_t * vm)
   return 0;
 }
 
-VLIB_INIT_FUNCTION (input_acl_init);
+VLIB_INIT_FUNCTION (in_out_acl_init);
 
 uword
 unformat_acl_type (unformat_input_t * input, va_list * args)
 {
   u32 *acl_type = va_arg (*args, u32 *);
-  u32 tid = INPUT_ACL_N_TABLES;
+  u32 tid = IN_OUT_ACL_N_TABLES;
 
   while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
     {
       if (unformat (input, "ip4"))
-       tid = INPUT_ACL_TABLE_IP4;
+       tid = IN_OUT_ACL_TABLE_IP4;
       else if (unformat (input, "ip6"))
-       tid = INPUT_ACL_TABLE_IP6;
+       tid = IN_OUT_ACL_TABLE_IP6;
       else if (unformat (input, "l2"))
-       tid = INPUT_ACL_TABLE_L2;
+       tid = IN_OUT_ACL_TABLE_L2;
       else
        break;
     }
@@ -224,9 +283,9 @@ unformat_acl_type (unformat_input_t * input, va_list * args)
 }
 
 u8 *
-format_vnet_inacl_info (u8 * s, va_list * va)
+format_vnet_in_out_acl_info (u8 * s, va_list * va)
 {
-  input_acl_main_t *am = va_arg (*va, input_acl_main_t *);
+  in_out_acl_main_t *am = va_arg (*va, in_out_acl_main_t *);
   int sw_if_idx = va_arg (*va, int);
   u32 tid = va_arg (*va, u32);
 
@@ -244,11 +303,12 @@ format_vnet_inacl_info (u8 * s, va_list * va)
 }
 
 static clib_error_t *
-show_inacl_command_fn (vlib_main_t * vm,
-                      unformat_input_t * input, vlib_cli_command_t * cmd)
+show_in_out_acl_command_fn (vlib_main_t * vm,
+                           unformat_input_t * input,
+                           vlib_cli_command_t * cmd, u32 is_output)
 {
-  input_acl_main_t *am = &input_acl_main;
-  u32 type = INPUT_ACL_N_TABLES;
+  in_out_acl_main_t *am = &in_out_acl_main;
+  u32 type = IN_OUT_ACL_N_TABLES;
   int i;
   u32 *vec_tbl;
 
@@ -260,34 +320,58 @@ show_inacl_command_fn (vlib_main_t * vm,
        break;
     }
 
-  if (type == INPUT_ACL_N_TABLES)
-    return clib_error_return (0, "Invalid input ACL table type.");
+  if (type == IN_OUT_ACL_N_TABLES)
+    return clib_error_return (0, is_output ? "Invalid output ACL table type."
+                             : "Invalid input ACL table type.");
 
-  vec_tbl = am->classify_table_index_by_sw_if_index[type];
+  vec_tbl = am->classify_table_index_by_sw_if_index[is_output][type];
 
   if (vec_len (vec_tbl))
-    vlib_cli_output (vm, "%U", format_vnet_inacl_info, am, ~0 /* hdr */ , ~0);
+    vlib_cli_output (vm, "%U", format_vnet_in_out_acl_info, am, ~0 /* hdr */ ,
+                    ~0);
   else
-    vlib_cli_output (vm, "No input ACL tables configured");
+    vlib_cli_output (vm, is_output ? "No output ACL tables configured"
+                    : "No input ACL tables configured");
 
   for (i = 0; i < vec_len (vec_tbl); i++)
     {
       if (vec_elt (vec_tbl, i) == ~0)
        continue;
 
-      vlib_cli_output (vm, "%U", format_vnet_inacl_info,
+      vlib_cli_output (vm, "%U", format_vnet_in_out_acl_info,
                       am, i, vec_elt (vec_tbl, i));
     }
 
   return 0;
 }
 
+static clib_error_t *
+show_inacl_command_fn (vlib_main_t * vm,
+                      unformat_input_t * input, vlib_cli_command_t * cmd)
+{
+  return show_in_out_acl_command_fn (vm, input, cmd,
+                                    IN_OUT_ACL_INPUT_TABLE_GROUP);
+}
+
+static clib_error_t *
+show_outacl_command_fn (vlib_main_t * vm,
+                       unformat_input_t * input, vlib_cli_command_t * cmd)
+{
+  return show_in_out_acl_command_fn (vm, input, cmd,
+                                    IN_OUT_ACL_OUTPUT_TABLE_GROUP);
+}
+
 /* *INDENT-OFF* */
 VLIB_CLI_COMMAND (show_inacl_command, static) = {
     .path = "show inacl",
     .short_help = "show inacl type [ip4|ip6|l2]",
     .function = show_inacl_command_fn,
 };
+VLIB_CLI_COMMAND (show_outacl_command, static) = {
+    .path = "show outacl",
+    .short_help = "show outacl type [ip4|ip6|l2]",
+    .function = show_outacl_command_fn,
+};
 /* *INDENT-ON* */
 
 /*
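Review bot: The direction-dependent messages at L298–299 and L310–311 duplicate two full strings per ternary; a single `const char *dir = is_output ? "output" : "input";` near the top of `show_in_out_acl_command_fn`, then `return clib_error_return (0, "Invalid %s ACL table type.", dir);` and `vlib_cli_output (vm, "No %s ACL tables configured", dir);`, reads more easily and keeps the wording in one place. Separately, the header row at L306–307 and the per-interface rows at L319–320 go through `format_vnet_in_out_acl_info`, whose visible signature (earlier hunk, L270–272) takes no direction argument, so `show inacl` and `show outacl` listings appear to be indistinguishable once tables exist; presumably that is acceptable, but passing `dir` or `is_output` through would make the output self-describing. The start of `show_in_out_acl_command_fn` is in the previous hunk.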