ASSERT (rp);
if (!RT (rule_is_match_for_key) (key, rp))
- return ~0;
+ return SESSION_RULES_TABLE_INVALID_INDEX;
for (i = 0; i < vec_len (rp->next_indices); i++)
{
rv = RT (mma_rules_table_lookup) (srt, key, rp->next_indices[i]);
- if (rv != ~0)
+ if (rv != SESSION_RULES_TABLE_INVALID_INDEX)
return (rv);
}
return (rp->action_index);
ASSERT (rp);
if (!RT (rule_is_match_for_key) (key, rp))
- return ~0;
+ return SESSION_RULES_TABLE_INVALID_INDEX;
for (i = 0; i < vec_len (rp->next_indices); i++)
{
rv = RT (mma_rules_table_lookup_rule) (srt, key, rp->next_indices[i]);
- if (rv != ~0)
+ if (rv != SESSION_RULES_TABLE_INVALID_INDEX)
return (rv);
}
return rule_index;
rp = RT (mma_rules_table_get_rule) (srt, rule_index);
if (!RT (rule_is_match_for_key) (&rule->match, rp))
- return ~0;
+ return SESSION_RULES_TABLE_INVALID_INDEX;
if (RT (rule_is_exact_match) (rule, rp))
{
if (rule_index == srt->root_index)
else if (rv == 0)
return rv;
}
- return ~0;
+ return SESSION_RULES_TABLE_INVALID_INDEX;
}
/*
return session_lookup_del_connection (ts);
}
+static u32
+session_lookup_action_to_session (u32 action_index)
+{
+ if (action_index != SESSION_RULES_TABLE_ACTION_DROP)
+ return action_index;
+ return SESSION_INVALID_INDEX;
+}
+
static stream_session_t *
session_lookup_app_listen_session (u32 app_index, u8 fib_proto,
u8 transport_proto)
ip4_address_t * lcl, u16 lcl_port,
ip4_address_t * rmt, u16 rmt_port)
{
- u32 action_index;
+ u32 action_index, session_index;
action_index = session_rules_table_lookup4 (srt, proto, lcl, rmt, lcl_port,
rmt_port);
+ session_index = session_lookup_action_to_session (action_index);
/* Nothing sophisticated for now, action index is app index */
- return session_lookup_app_listen_session (action_index, FIB_PROTOCOL_IP4,
+ return session_lookup_app_listen_session (session_index, FIB_PROTOCOL_IP4,
proto);
}
ip6_address_t * lcl, u16 lcl_port,
ip6_address_t * rmt, u16 rmt_port)
{
- u32 action_index;
+ u32 action_index, session_index;
action_index = session_rules_table_lookup6 (srt, proto, lcl, rmt, lcl_port,
rmt_port);
- return session_lookup_app_listen_session (action_index, FIB_PROTOCOL_IP6,
+ session_index = session_lookup_action_to_session (action_index);
+ return session_lookup_app_listen_session (session_index, FIB_PROTOCOL_IP6,
proto);
}
session_kv6_t kv6;
ip4_address_t lcl4;
ip6_address_t lcl6;
- u32 si;
+ u32 ai;
int rv;
st = session_table_get (table_index);
return kv4.value;
memset (&lcl4, 0, sizeof (lcl4));
- si =
- session_rules_table_lookup4 (&st->session_rules, sep->transport_proto,
- &lcl4, &sep->ip.ip4, 0, sep->port);
- if (si != SESSION_RULES_TABLE_INVALID_INDEX)
- return si;
+ ai = session_rules_table_lookup4 (&st->session_rules,
+ sep->transport_proto, &lcl4,
+ &sep->ip.ip4, 0, sep->port);
+ if (ai != SESSION_RULES_TABLE_INVALID_INDEX)
+ return session_lookup_action_to_session (ai);
}
else
{
return kv6.value;
memset (&lcl6, 0, sizeof (lcl6));
- si =
- session_rules_table_lookup6 (&st->session_rules, sep->transport_proto,
- &lcl6, &sep->ip.ip6, 0, sep->port);
- if (si != SESSION_RULES_TABLE_INVALID_INDEX)
- return si;
+ ai = session_rules_table_lookup6 (&st->session_rules,
+ sep->transport_proto, &lcl6,
+ &sep->ip.ip6, 0, sep->port);
+ if (ai != SESSION_RULES_TABLE_INVALID_INDEX)
+ return session_lookup_action_to_session (ai);
}
return SESSION_INVALID_HANDLE;
}
session_kv6_t kv6;
ip4_address_t lcl4;
ip6_address_t lcl6;
- u32 si;
+ u32 ai;
int rv;
st = session_table_get (table_index);
return (u32) kv4.value;
memset (&lcl4, 0, sizeof (lcl4));
- si =
- session_rules_table_lookup4 (&st->session_rules, sep->transport_proto,
- &lcl4, &sep->ip.ip4, 0, sep->port);
- if (si != SESSION_RULES_TABLE_INVALID_INDEX)
- return si;
+ ai = session_rules_table_lookup4 (&st->session_rules,
+ sep->transport_proto, &lcl4,
+ &sep->ip.ip4, 0, sep->port);
+ if (ai != SESSION_RULES_TABLE_INVALID_INDEX)
+ return session_lookup_action_to_session (ai);
}
else
{
return (u32) kv6.value;
memset (&lcl6, 0, sizeof (lcl6));
- si =
- session_rules_table_lookup6 (&st->session_rules, sep->transport_proto,
- &lcl6, &sep->ip.ip6, 0, sep->port);
- if (si != SESSION_RULES_TABLE_INVALID_INDEX)
- return si;
+ ai = session_rules_table_lookup6 (&st->session_rules,
+ sep->transport_proto, &lcl6,
+ &sep->ip.ip6, 0, sep->port);
+ if (ai != SESSION_RULES_TABLE_INVALID_INDEX)
+ return session_lookup_action_to_session (ai);
}
return SESSION_INVALID_INDEX;
}
if (args->scope & SESSION_RULE_SCOPE_LOCAL)
{
st = app_namespace_get_local_table (app_ns);
- error =
- session_rules_table_add_del (&st->session_rules, &args->table_args);
+ error = session_rules_table_add_del (&st->session_rules,
+ &args->table_args);
}
return error;
}
u8 is_add;
} session_rule_table_add_del_args_t;
+#define SESSION_RULES_TABLE_ACTION_DROP (((u32)~0) - 1)
+
typedef struct _session_rules_table_t
{
/**
stream_session_t *listener, *s;
app_namespace_t *default_ns = app_namespace_get_default ();
u32 local_ns_index = default_ns->local_table_index;
+ int verbose = 0;
+
+ while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
+ {
+ if (unformat (input, "verbose"))
+ verbose = 1;
+ else
+ {
+ vlib_cli_output (vm, "parse error: '%U'", format_unformat_error,
+ input);
+ return -1;
+ }
+ }
server_sep.is_ip4 = 1;
server_sep.port = dummy_port;
&rmt_pref.fp_addr.ip4, lcl_port + 1,
rmt_port, TRANSPORT_PROTO_TCP, 0);
SESSION_TEST ((tc == 0),
- "optimized lookup for wrong lcl port + 1 should not" " work");
+ "optimized lookup for wrong lcl port + 1 should not work");
/*
* Add 1.2.3.4/16 * 5.6.7.8/16 4321
SESSION_TEST ((app_index != server_index), "local session endpoint lookup "
"should not work (constrained lcl ip)");
+ /*
+ * Add drop rule 1.2.3.4/32 1234 5.6.7.8/32 4321 action -2 (drop)
+ */
+ args.table_args.lcl_port = 1234;
+ args.table_args.lcl.fp_addr.ip4 = lcl_ip;
+ args.table_args.lcl.fp_len = 32;
+ args.table_args.rmt.fp_addr.ip4 = rmt_ip;
+ args.table_args.rmt.fp_len = 32;
+ args.table_args.action_index = SESSION_RULES_TABLE_ACTION_DROP;
+ error = vnet_session_rule_add_del (&args);
+ SESSION_TEST ((error == 0), "Add 1.2.3.4/32 1234 5.6.7.8/32 4321 action %d",
+ args.table_args.action_index);
+
+ if (verbose)
+ {
+ session_lookup_dump_rules_table (0, FIB_PROTOCOL_IP4,
+ TRANSPORT_PROTO_TCP);
+ session_lookup_dump_local_rules_table (0, FIB_PROTOCOL_IP4,
+ TRANSPORT_PROTO_TCP);
+ }
+
+ tc = session_lookup_connection_wt4 (0, &lcl_pref.fp_addr.ip4,
+ &rmt_pref.fp_addr.ip4, lcl_port,
+ rmt_port, TRANSPORT_PROTO_TCP, 0);
+ SESSION_TEST ((tc == 0), "lookup for 1.2.3.4/32 1234 5.6.7.8/16 4321 "
+ "should fail (drop rule)");
+
/*
* Add local scope rule for 0/0 * 5.6.7.8/16 4321 action server_index
*/
+ args.table_args.lcl_port = 0;
args.table_args.lcl.fp_len = 0;
+ args.table_args.rmt.fp_len = 16;
+ args.table_args.action_index = server_index;
error = vnet_session_rule_add_del (&args);
SESSION_TEST ((error == 0), "Add * * 5.6.7.8/16 4321 action %d",
args.table_args.action_index);
+
+ if (verbose)
+ {
+ session_lookup_dump_rules_table (0, FIB_PROTOCOL_IP4,
+ TRANSPORT_PROTO_TCP);
+ session_lookup_dump_local_rules_table (0, FIB_PROTOCOL_IP4,
+ TRANSPORT_PROTO_TCP);
+ }
+
app_index = session_lookup_local_session_endpoint (local_ns_index, &sep);
SESSION_TEST ((app_index == server_index), "local session endpoint lookup "
"should work");
tc = session_lookup_connection_wt4 (0, &lcl_pref.fp_addr.ip4,
&rmt_pref.fp_addr.ip4, lcl_port,
rmt_port, TRANSPORT_PROTO_TCP, 0);
- SESSION_TEST ((tc == 0), "optimized lookup should not work (del)");
+ SESSION_TEST ((tc == 0),
+ "optimized lookup should not work (del + negative)");
+
+ args.table_args.is_add = 0;
+ args.table_args.lcl_port = 1234;
+ args.table_args.lcl.fp_addr.ip4 = lcl_ip;
+ args.table_args.lcl.fp_len = 32;
+ args.table_args.rmt.fp_addr.ip4 = rmt_ip;
+ args.table_args.rmt.fp_len = 32;
+ error = vnet_session_rule_add_del (&args);
+ SESSION_TEST ((error == 0), "Del 1.2.3.4/32 1234 5.6.7.8/32 4321 drop");
+ tc = session_lookup_connection_wt4 (0, &lcl_pref.fp_addr.ip4,
+ &rmt_pref.fp_addr.ip4, lcl_port,
+ rmt_port, TRANSPORT_PROTO_TCP, 0);
+ SESSION_TEST ((tc == 0), "optimized lookup should not work (no-rule)");
return 0;
}
Code Review / vpp.git / commitdiff