if (0 != rv)
{
+ index_t *gui;
+ vec_foreach (gui, guis) gbp_rule_free (*gui);
vec_free (guis);
return (rv);
}
return (gu - gbp_rule_pool);
}
+void
+gbp_rule_free (index_t gui)
+{
+ pool_put_index (gbp_rule_pool, gui);
+}
+
index_t
gbp_next_hop_alloc (const ip46_address_t * ip,
index_t grd, const mac_address_t * mac, index_t gbd)
adj_unlock (gnh->gnh_ai[fproto]);
}
}
+
+ gbp_rule_free (*gui);
}
vec_free (rules);
}
return (s);
}
-static u8 *
+u8 *
format_gbp_rule_action (u8 * s, va_list * args)
{
gbp_rule_action_t action = va_arg (*args, gbp_rule_action_t);
_(DROP_CONTRACT, "drop-contract") \
_(DROP_ETHER_TYPE, "drop-ether-type") \
_(DROP_NO_CONTRACT, "drop-no-contract") \
- _(DROP_NO_DCLASS, "drop-no-dclass")
+ _(DROP_NO_DCLASS, "drop-no-dclass") \
+ _(DROP_NO_RULE, "drop-no-rule")
typedef enum
{
extern index_t gbp_rule_alloc (gbp_rule_action_t action,
gbp_hash_mode_t hash_mode, index_t * nhs);
+extern void gbp_rule_free (index_t gui);
extern index_t gbp_next_hop_alloc (const ip46_address_t * ip,
index_t grd,
const mac_address_t * mac, index_t gbd);
typedef int (*gbp_contract_cb_t) (gbp_contract_t * gbpe, void *ctx);
extern void gbp_contract_walk (gbp_contract_cb_t bgpe, void *ctx);
+extern u8 *format_gbp_rule_action (u8 * s, va_list * args);
extern u8 *format_gbp_contract (u8 * s, va_list * args);
/**
gbp_contract_apply (vlib_main_t * vm, gbp_main_t * gm,
gbp_contract_key_t * key, vlib_buffer_t * b,
gbp_rule_t ** rule, u32 * intra, u32 * sclass1,
+ u32 * acl_match, u32 * rule_match,
gbp_contract_error_t * err,
gbp_contract_apply_type_t type)
{
fa_5tuple_opaque_t fa_5tuple;
const gbp_contract_t *contract;
index_t contract_index;
- u32 acl_pos, acl_match, rule_match, trace_bitmap;
+ u32 acl_pos, trace_bitmap;
u16 etype;
u8 ip6, action;
&fa_5tuple);
acl_plugin_match_5tuple_inline (gm->acl_plugin.p_acl_main,
contract->gc_lc_index, &fa_5tuple, ip6,
- &action, &acl_pos, &acl_match, &rule_match,
+ &action, &acl_pos, acl_match, rule_match,
&trace_bitmap);
if (action <= 0)
goto contract_deny;
- *rule = gbp_rule_get (contract->gc_rules[rule_match]);
+ if (PREDICT_FALSE (*rule_match >= vec_len (contract->gc_rules)))
+ {
+ *err = GBP_CONTRACT_ERROR_DROP_NO_RULE;
+ goto contract_deny;
+ }
+
+ *rule = gbp_rule_get (contract->gc_rules[*rule_match]);
switch ((*rule)->gu_action)
{
case GBP_RULE_PERMIT:
gbp_policy_trace_t *t = va_arg (*args, gbp_policy_trace_t *);
s =
- format (s, "scope:%d sclass:%d, dclass:%d, allowed:%d flags:%U", t->scope,
- t->sclass, t->dclass, t->allowed, format_vxlan_gbp_header_gpflags,
- t->flags);
+ format (s,
+ "scope:%d sclass:%d, dclass:%d, action:%U flags:%U acl: %d rule: %d",
+ t->scope, t->sclass, t->dclass, format_gbp_rule_action, t->action,
+ format_vxlan_gbp_header_gpflags, t->flags, t->acl_match,
+ t->rule_match);
return s;
}
gbp_scope_t scope;
sclass_t sclass;
sclass_t dclass;
- u32 allowed;
+ gbp_rule_action_t action;
u32 flags;
+ u32 acl_match;
+ u32 rule_match;
} gbp_policy_trace_t;
/* packet trace format function */
u8 * format_gbp_policy_trace (u8 * s, va_list * args);
static_always_inline void
-gbp_policy_trace(vlib_main_t * vm, vlib_node_runtime_t * node, vlib_buffer_t *b, const gbp_contract_key_t *key, u8 allowed)
+gbp_policy_trace(vlib_main_t * vm, vlib_node_runtime_t * node, vlib_buffer_t *b, const gbp_contract_key_t *key, gbp_rule_action_t action, u32 acl_match, u32 rule_match)
{
gbp_policy_trace_t *t;
t->sclass = key->gck_src;
t->dclass = key->gck_dst;
t->scope = key->gck_scope;
- t->allowed = allowed;
+ t->action = action;
t->flags = vnet_buffer2 (b)->gbp.flags;
+ t->acl_match = acl_match;
+ t->rule_match = rule_match;
}
#endif /* __GBP_POLICY_H__ */
while (n_left_from > 0 && n_left_to_next > 0)
{
+ gbp_rule_action_t action0 = GBP_RULE_DENY;
+ u32 acl_match = ~0, rule_match = ~0;
const gbp_policy_dpo_t *gpd0;
- gbp_rule_action_t action0;
gbp_contract_error_t err0;
- u32 bi0, next0;
gbp_contract_key_t key0;
vlib_buffer_t *b0;
gbp_rule_t *rule0;
+ u32 bi0, next0;
bi0 = from[0];
to_next[0] = bi0;
action0 =
gbp_contract_apply (vm, gm, &key0, b0, &rule0, &n_allow_intra,
- &n_allow_sclass_1, &err0,
+ &n_allow_sclass_1, &acl_match, &rule_match,
+ &err0,
is_ip6 ? GBP_CONTRACT_APPLY_IP6 :
GBP_CONTRACT_APPLY_IP4);
switch (action0)
}
trace:
- gbp_policy_trace (vm, node, b0, &key0, (next0 != GBP_POLICY_DROP));
+ gbp_policy_trace (vm, node, b0, &key0, action0, acl_match,
+ rule_match);
vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next,
n_left_to_next, bi0, next0);
while (n_left_from > 0 && n_left_to_next > 0)
{
+ gbp_rule_action_t action0 = GBP_RULE_DENY;
const ethernet_header_t *h0;
const gbp_endpoint_t *ge0;
- gbp_rule_action_t action0;
gbp_contract_error_t err0;
+ u32 acl_match = ~0, rule_match = ~0;
gbp_policy_next_t next0;
gbp_contract_key_t key0;
u32 bi0, sw_if_index0;
action0 =
gbp_contract_apply (vm, gm, &key0, b0, &rule0, &n_allow_intra,
- &n_allow_sclass_1, &err0,
- GBP_CONTRACT_APPLY_L2);
+ &n_allow_sclass_1, &acl_match, &rule_match,
+ &err0, GBP_CONTRACT_APPLY_L2);
switch (action0)
{
case GBP_RULE_PERMIT:
}
trace:
- gbp_policy_trace (vm, node, b0, &key0,
- (next0 != GBP_POLICY_NEXT_DROP));
+ gbp_policy_trace (vm, node, b0, &key0, action0, acl_match,
+ rule_match);
/* verify speculative enqueue, maybe switch current next frame */
vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
Code Review / vpp.git / commitdiff