ligang/vpp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ACL plugin rejects ICMP messages (VPP-624)

Browse Source 
Change-Id: I95113a277b94cce5ff332fcf9f57ec6f385acec0
Signed-off-by: Pavel Kotucek <pkotucek@cisco.com>
This commit is contained in:
Pavel Kotucek
2017-03-02 15:22:47 +01:00
committed by Ole Trøan
parent 557a71c89b
commit 59dda065bb
3 changed files with 1042 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
src/plugins/acl/acl.c
View File

@ -208,10 +208,10 @@ acl_add_list (u32 count, vl_api_acl_rule_t rules[],
r->src_prefixlen = rules[i].src_ip_prefix_len; r->src_prefixlen = rules[i].src_ip_prefix_len;
r->dst_prefixlen = rules[i].dst_ip_prefix_len; r->dst_prefixlen = rules[i].dst_ip_prefix_len;
r->proto = rules[i].proto; r->proto = rules[i].proto;
r->src_port_or_type_first = rules[i].srcport_or_icmptype_first; r->src_port_or_type_first = ntohs ( rules[i].srcport_or_icmptype_first );
r->src_port_or_type_last = rules[i].srcport_or_icmptype_last; r->src_port_or_type_last = ntohs ( rules[i].srcport_or_icmptype_last );
r->dst_port_or_code_first = rules[i].dstport_or_icmpcode_first; r->dst_port_or_code_first = ntohs ( rules[i].dstport_or_icmpcode_first );
r->dst_port_or_code_last = rules[i].dstport_or_icmpcode_last; r->dst_port_or_code_last = ntohs ( rules[i].dstport_or_icmpcode_last );
r->tcp_flags_value = rules[i].tcp_flags_value; r->tcp_flags_value = rules[i].tcp_flags_value;
r->tcp_flags_mask = rules[i].tcp_flags_mask; r->tcp_flags_mask = rules[i].tcp_flags_mask;
} }
@ -839,8 +839,8 @@ acl_packet_match (acl_main_t * am, u32 acl_index, vlib_buffer_t * b0,
int is_ip6; int is_ip6;
int is_ip4; int is_ip4;
u8 proto; u8 proto;
u16 src_port; u16 src_port = 0;
u16 dst_port; u16 dst_port = 0;
u8 tcp_flags = 0; u8 tcp_flags = 0;
int i; int i;
acl_list_t *a; acl_list_t *a;
@ -866,15 +866,13 @@ acl_packet_match (acl_main_t * am, u32 acl_index, vlib_buffer_t * b0,
{ {
*trace_bitmap |= 0x00000001; *trace_bitmap |= 0x00000001;
/* type */ /* type */
src_port = *(u8 *) get_ptr_to_offset (b0, 34); src_port = ((u16) (*(u8 *) get_ptr_to_offset (b0, 34)));
/* code */ /* code */
dst_port = *(u8 *) get_ptr_to_offset (b0, 35); dst_port = ((u16) (*(u8 *) get_ptr_to_offset (b0, 35)));
} } else {
else
{
/* assume TCP/UDP */ /* assume TCP/UDP */
src_port = (*(u16 *) get_ptr_to_offset (b0, 34)); src_port = ntohs ((u16) (*(u16 *) get_ptr_to_offset (b0, 34)));
dst_port = (*(u16 *) get_ptr_to_offset (b0, 36)); dst_port = ntohs ((u16) (*(u16 *) get_ptr_to_offset (b0, 36)));
/* UDP gets ability to check on an oddball data byte as a bonus */ /* UDP gets ability to check on an oddball data byte as a bonus */
tcp_flags = *(u8 *) get_ptr_to_offset (b0, 14 + 20 + 13); tcp_flags = *(u8 *) get_ptr_to_offset (b0, 14 + 20 + 13);
} }
@ -888,15 +886,15 @@ acl_packet_match (acl_main_t * am, u32 acl_index, vlib_buffer_t * b0,
{ {
*trace_bitmap |= 0x00000002; *trace_bitmap |= 0x00000002;
/* type */ /* type */
src_port = *(u8 *) get_ptr_to_offset (b0, 54); src_port = (u16) (*(u8 *) get_ptr_to_offset (b0, 54));
/* code */ /* code */
dst_port = *(u8 *) get_ptr_to_offset (b0, 55); dst_port = (u16) (*(u8 *) get_ptr_to_offset (b0, 55));
} }
else else
{ {
/* assume TCP/UDP */ /* assume TCP/UDP */
src_port = (*(u16 *) get_ptr_to_offset (b0, 54)); src_port = ntohs ((u16) (*(u16 *) get_ptr_to_offset (b0, 54)));
dst_port = (*(u16 *) get_ptr_to_offset (b0, 56)); dst_port = ntohs ((u16) (*(u16 *) get_ptr_to_offset (b0, 56)));
tcp_flags = *(u8 *) get_ptr_to_offset (b0, 14 + 40 + 13); tcp_flags = *(u8 *) get_ptr_to_offset (b0, 14 + 40 + 13);
} }
} }
@ -1485,10 +1483,10 @@ copy_acl_rule_to_api_rule (vl_api_acl_rule_t * api_rule, acl_rule_t * r)
api_rule->src_ip_prefix_len = r->src_prefixlen; api_rule->src_ip_prefix_len = r->src_prefixlen;
api_rule->dst_ip_prefix_len = r->dst_prefixlen; api_rule->dst_ip_prefix_len = r->dst_prefixlen;
api_rule->proto = r->proto; api_rule->proto = r->proto;
api_rule->srcport_or_icmptype_first = r->src_port_or_type_first; api_rule->srcport_or_icmptype_first = htons (r->src_port_or_type_first);
api_rule->srcport_or_icmptype_last = r->src_port_or_type_last; api_rule->srcport_or_icmptype_last = htons (r->src_port_or_type_last);
api_rule->dstport_or_icmpcode_first = r->dst_port_or_code_first; api_rule->dstport_or_icmpcode_first = htons (r->dst_port_or_code_first);
api_rule->dstport_or_icmpcode_last = r->dst_port_or_code_last; api_rule->dstport_or_icmpcode_last = htons (r->dst_port_or_code_last);
api_rule->tcp_flags_mask = r->tcp_flags_mask; api_rule->tcp_flags_mask = r->tcp_flags_mask;
api_rule->tcp_flags_value = r->tcp_flags_value; api_rule->tcp_flags_value = r->tcp_flags_value;
} }

9
test/framework.py
View File

@ -50,6 +50,10 @@ class _PacketInfo(object):
#: Store the index of the destination packet generator interface #: Store the index of the destination packet generator interface
#: of the packet. #: of the packet.
dst = -1 dst = -1
#: Store expected ip version
ip = -1
#: Store expected upper protocol
proto = -1
#: Store the copy of the former packet. #: Store the copy of the former packet.
data = None data = None
@ -515,7 +519,8 @@ class VppTestCase(unittest.TestCase):
:returns: string containing serialized data from packet info :returns: string containing serialized data from packet info
""" """
return "%d %d %d" % (info.index, info.src, info.dst) return "%d %d %d %d %d" % (info.index, info.src, info.dst,
info.ip, info.proto)
@staticmethod @staticmethod
def payload_to_info(payload): def payload_to_info(payload):
@ -532,6 +537,8 @@ class VppTestCase(unittest.TestCase):
info.index = int(numbers[0]) info.index = int(numbers[0])
info.src = int(numbers[1]) info.src = int(numbers[1])
info.dst = int(numbers[2]) info.dst = int(numbers[2])
info.ip = int(numbers[3])
info.proto = int(numbers[4])
return info return info
def get_next_packet_info(self, info): def get_next_packet_info(self, info):

1015
test/test_acl_plugin.py Normal file
View File

File diff suppressed because it is too large Load Diff