acl: API cleanup

Use consistent API types.

Type: fix

Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
Change-Id: If90d753f129312400c4c3669bb86289d0c3e0d99
Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
This commit is contained in:
Jakub Grajciar
2020-03-11 12:47:32 +01:00
committed by Ole Trøan
parent 4897d77c6d
commit aad1ee1494
20 changed files with 1204 additions and 1121 deletions


@@ -19,9 +19,10 @@
used to control the ACL plugin
*/
option version = "1.0.1";
option version = "2.0.0";
import "plugins/acl/acl_types.api";
import "vnet/interface_types.api";
/** \brief Get the plugin version
@param client_index - opaque cookie to identify the sender
@@ -106,7 +107,7 @@ manual_print manual_endian define acl_add_replace
u32 client_index;
u32 context;
u32 acl_index; /* ~0 to add, existing ACL# to replace */
u8 tag[64]; /* What gets in here gets out in the corresponding tag field when dumping the ACLs. */
string tag[64]; /* What gets in here gets out in the corresponding tag field when dumping the ACLs. */
u32 count;
vl_api_acl_rule_t r[count];
option vat_help = "<acl-idx> [<ipv4|ipv6>] <permit|permit+reflect|deny|action N> [src IP/plen] [dst IP/plen] [sport X-Y] [dport X-Y] [proto P] [tcpflags FL MASK], ... , ...";
@@ -154,13 +155,13 @@ autoreply manual_print define acl_interface_add_del
{
u32 client_index;
u32 context;
u8 is_add;
bool is_add [default=true];
/*
* is_input = 0 => ACL applied on interface egress
* is_input = 1 => ACL applied on interface ingress
*/
u8 is_input;
u32 sw_if_index;
bool is_input;
vl_api_interface_index_t sw_if_index;
u32 acl_index;
option vat_help = "<intfc> | sw_if_index <if-idx> [add|del] [input|output] acl <acl-idx>";
};
@@ -178,7 +179,7 @@ autoreply manual_print define acl_interface_set_acl_list
{
u32 client_index;
u32 context;
u32 sw_if_index;
vl_api_interface_index_t sw_if_index;
u8 count;
u8 n_input; /* First n_input ACLs are set as a list of input ACLs, the rest are applied as output */
u32 acls[count];
@@ -216,7 +217,7 @@ manual_endian manual_print define acl_details
{
u32 context;
u32 acl_index;
u8 tag[64]; /* Same blob that was supplied to us when creating the ACL, one hopes. */
string tag[64]; /* Same blob that was supplied to us when creating the ACL, one hopes. */
u32 count;
vl_api_acl_rule_t r[count];
};
@@ -231,7 +232,7 @@ define acl_interface_list_dump
{
u32 client_index;
u32 context;
u32 sw_if_index; /* ~0 for all interfaces */
vl_api_interface_index_t sw_if_index; /* ~0 for all interfaces */
option vat_help = "[<intfc> | sw_if_index <if-idx>]";
};
@@ -246,7 +247,7 @@ define acl_interface_list_dump
define acl_interface_list_details
{
u32 context;
u32 sw_if_index;
vl_api_interface_index_t sw_if_index;
u8 count;
u8 n_input;
u32 acls[count];
@@ -264,7 +265,7 @@ manual_endian manual_print define macip_acl_add
{
u32 client_index;
u32 context;
u8 tag[64];
string tag[64];
u32 count;
vl_api_macip_acl_rule_t r[count];
option vat_help = "...";
@@ -297,7 +298,7 @@ manual_endian manual_print define macip_acl_add_replace
u32 client_index;
u32 context;
u32 acl_index; /* ~0 to add, existing MACIP ACL# to replace */
u8 tag[64];
string tag[64];
u32 count;
vl_api_macip_acl_rule_t r[count];
option vat_help = "<acl-idx> [<ipv4|ipv6>] <permit|deny|action N> [count <count>] [src] ip <ipaddress/[plen]> mac <mac> mask <mac_mask>, ... , ...";
@@ -342,9 +343,9 @@ autoreply manual_print define macip_acl_interface_add_del
{
u32 client_index;
u32 context;
u8 is_add;
bool is_add [default=true];
/* MACIP ACLs are always input */
u32 sw_if_index;
vl_api_interface_index_t sw_if_index;
u32 acl_index;
option vat_help = "<intfc> | sw_if_index <if-idx> [add|del] acl <acl-idx>";
};
@@ -375,7 +376,7 @@ manual_endian manual_print define macip_acl_details
{
u32 context;
u32 acl_index;
u8 tag[64];
string tag[64];
u32 count;
vl_api_macip_acl_rule_t r[count];
};
@@ -414,7 +415,7 @@ define macip_acl_interface_list_dump
{
u32 client_index;
u32 context;
u32 sw_if_index; /* ~0 for all interfaces */
vl_api_interface_index_t sw_if_index; /* ~0 for all interfaces */
};
/** \brief Details about a single MACIP ACL contents
@@ -427,7 +428,7 @@ define macip_acl_interface_list_dump
define macip_acl_interface_list_details
{
u32 context;
u32 sw_if_index;
vl_api_interface_index_t sw_if_index;
u8 count;
u32 acls[count];
};
@@ -445,7 +446,7 @@ autoreply manual_print define acl_interface_set_etype_whitelist
{
u32 client_index;
u32 context;
u32 sw_if_index;
vl_api_interface_index_t sw_if_index;
u8 count; /* Total number of ethertypes in the whitelist */
u8 n_input; /* first n_input ethertypes are input, the rest - output */
u16 whitelist[count];
@@ -462,7 +463,7 @@ define acl_interface_etype_whitelist_dump
{
u32 client_index;
u32 context;
u32 sw_if_index; /* ~0 for all interfaces */
vl_api_interface_index_t sw_if_index; /* ~0 for all interfaces */
option vat_help = "[<intfc> | sw_if_index <if-idx>]";
};
@@ -477,7 +478,7 @@ define acl_interface_etype_whitelist_dump
define acl_interface_etype_whitelist_details
{
u32 context;
u32 sw_if_index;
vl_api_interface_index_t sw_if_index;
u8 count;
u8 n_input; /* first n_input ethertypes are input, the rest - output */
u16 whitelist[count];
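Review bot: The comment block above `is_input` in acl_interface_add_del still explains the field as `is_input = 0` / `is_input = 1` although the field's type on the line right below it was changed to `bool`; suggest rewording to `* is_input = false => ACL applied on interface egress` and `* is_input = true  => ACL applied on interface ingress`. Similarly, the `vat_help` strings of acl_add_replace and macip_acl_add_replace still advertise an optional `[<ipv4|ipv6>]` keyword, while this commit removes the `ipv4`/`ipv6` parsing from the corresponding VAT commands in acl_test.c, so the help text no longer describes accepted input. Both spots are context lines here, so the change as shown leaves them untouched.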


@@ -24,6 +24,8 @@
#include <vnet/classify/in_out_acl.h>
#include <vpp/app/version.h>
#include <vnet/ethernet/ethernet_types_api.h>
#include <vlibapi/api.h>
#include <vlibmemory/api.h>
@@ -342,35 +344,41 @@ validate_and_reset_acl_counters (acl_main_t * am, u32 acl_index)
}
static int
acl_api_ip4_invalid_prefix (void *ip4_pref_raw, u8 ip4_prefix_len)
acl_api_ip4_invalid_prefix (const vl_api_prefix_t * prefix)
{
ip4_address_t ip4_addr;
ip4_address_t ip4_mask;
ip4_address_t ip4_masked_addr;
memcpy (&ip4_addr, ip4_pref_raw, sizeof (ip4_addr));
ip4_preflen_to_mask (ip4_prefix_len, &ip4_mask);
if (prefix->len > 32)
return 1;
ip4_address_decode (prefix->address.un.ip4, &ip4_addr);
ip4_preflen_to_mask (prefix->len, &ip4_mask);
ip4_masked_addr.as_u32 = ip4_addr.as_u32 & ip4_mask.as_u32;
int ret = (ip4_masked_addr.as_u32 != ip4_addr.as_u32);
if (ret)
{
clib_warning
("inconsistent addr %U for prefix len %d; (%U when masked)",
format_ip4_address, ip4_pref_raw, ip4_prefix_len, format_ip4_address,
&ip4_masked_addr);
format_ip4_address, prefix->address.un.ip4, prefix->len,
format_ip4_address, &ip4_masked_addr);
}
return ret;
}
static int
acl_api_ip6_invalid_prefix (void *ip6_pref_raw, u8 ip6_prefix_len)
acl_api_ip6_invalid_prefix (const vl_api_prefix_t * prefix)
{
ip6_address_t ip6_addr;
ip6_address_t ip6_mask;
ip6_address_t ip6_masked_addr;
memcpy (&ip6_addr, ip6_pref_raw, sizeof (ip6_addr));
ip6_preflen_to_mask (ip6_prefix_len, &ip6_mask);
if (prefix->len > 128)
return 1;
ip6_address_decode (prefix->address.un.ip6, &ip6_addr);
ip6_preflen_to_mask (prefix->len, &ip6_mask);
ip6_masked_addr.as_u64[0] = ip6_addr.as_u64[0] & ip6_mask.as_u64[0];
ip6_masked_addr.as_u64[1] = ip6_addr.as_u64[1] & ip6_mask.as_u64[1];
int ret = ((ip6_masked_addr.as_u64[0] != ip6_addr.as_u64[0])
@@ -379,12 +387,20 @@ acl_api_ip6_invalid_prefix (void *ip6_pref_raw, u8 ip6_prefix_len)
{
clib_warning
("inconsistent addr %U for prefix len %d; (%U when masked)",
format_ip6_address, ip6_pref_raw, ip6_prefix_len, format_ip6_address,
&ip6_masked_addr);
format_ip6_address, prefix->address.un.ip6, prefix->len,
format_ip6_address, &ip6_masked_addr);
}
return ret;
}
static int
acl_api_invalid_prefix (const vl_api_prefix_t * prefix)
{
if (prefix->address.af == ADDRESS_IP6)
return acl_api_ip6_invalid_prefix (prefix);
return acl_api_ip4_invalid_prefix (prefix);
}
static int
acl_add_list (u32 count, vl_api_acl_rule_t rules[],
u32 * acl_list_index, u8 * tag)
@@ -402,32 +418,10 @@ acl_add_list (u32 count, vl_api_acl_rule_t rules[],
/* check if what they request is consistent */
for (i = 0; i < count; i++)
{
if (rules[i].is_ipv6)
{
if (rules[i].src_ip_prefix_len > 128)
return VNET_API_ERROR_INVALID_VALUE;
if (rules[i].dst_ip_prefix_len > 128)
return VNET_API_ERROR_INVALID_VALUE;
if (acl_api_ip6_invalid_prefix
(&rules[i].src_ip_addr, rules[i].src_ip_prefix_len))
return VNET_API_ERROR_INVALID_SRC_ADDRESS;
if (acl_api_ip6_invalid_prefix
(&rules[i].dst_ip_addr, rules[i].dst_ip_prefix_len))
return VNET_API_ERROR_INVALID_DST_ADDRESS;
}
else
{
if (rules[i].src_ip_prefix_len > 32)
return VNET_API_ERROR_INVALID_VALUE;
if (rules[i].dst_ip_prefix_len > 32)
return VNET_API_ERROR_INVALID_VALUE;
if (acl_api_ip4_invalid_prefix
(&rules[i].src_ip_addr, rules[i].src_ip_prefix_len))
return VNET_API_ERROR_INVALID_SRC_ADDRESS;
if (acl_api_ip4_invalid_prefix
(&rules[i].dst_ip_addr, rules[i].dst_ip_prefix_len))
return VNET_API_ERROR_INVALID_DST_ADDRESS;
}
if (acl_api_invalid_prefix (&rules[i].src_prefix))
return VNET_API_ERROR_INVALID_SRC_ADDRESS;
if (acl_api_invalid_prefix (&rules[i].dst_prefix))
return VNET_API_ERROR_INVALID_DST_ADDRESS;
if (ntohs (rules[i].srcport_or_icmptype_first) >
ntohs (rules[i].srcport_or_icmptype_last))
return VNET_API_ERROR_INVALID_VALUE_2;
@@ -466,19 +460,11 @@ acl_add_list (u32 count, vl_api_acl_rule_t rules[],
r = vec_elt_at_index (acl_new_rules, i);
clib_memset (r, 0, sizeof (*r));
r->is_permit = rules[i].is_permit;
r->is_ipv6 = rules[i].is_ipv6;
if (r->is_ipv6)
{
memcpy (&r->src, rules[i].src_ip_addr, sizeof (r->src));
memcpy (&r->dst, rules[i].dst_ip_addr, sizeof (r->dst));
}
else
{
memcpy (&r->src.ip4, rules[i].src_ip_addr, sizeof (r->src.ip4));
memcpy (&r->dst.ip4, rules[i].dst_ip_addr, sizeof (r->dst.ip4));
}
r->src_prefixlen = rules[i].src_ip_prefix_len;
r->dst_prefixlen = rules[i].dst_ip_prefix_len;
r->is_ipv6 = rules[i].src_prefix.address.af;
ip_address_decode (&rules[i].src_prefix.address, &r->src);
ip_address_decode (&rules[i].dst_prefix.address, &r->dst);
r->src_prefixlen = rules[i].src_prefix.len;
r->dst_prefixlen = rules[i].dst_prefix.len;
r->proto = rules[i].proto;
r->src_port_or_type_first = ntohs (rules[i].srcport_or_icmptype_first);
r->src_port_or_type_last = ntohs (rules[i].srcport_or_icmptype_last);
@@ -1714,14 +1700,12 @@ macip_acl_add_list (u32 count, vl_api_macip_acl_rule_t rules[],
{
r = &acl_new_rules[i];
r->is_permit = rules[i].is_permit;
r->is_ipv6 = rules[i].is_ipv6;
memcpy (&r->src_mac, rules[i].src_mac, 6);
memcpy (&r->src_mac_mask, rules[i].src_mac_mask, 6);
if (rules[i].is_ipv6)
memcpy (&r->src_ip_addr.ip6, rules[i].src_ip_addr, 16);
else
memcpy (&r->src_ip_addr.ip4, rules[i].src_ip_addr, 4);
r->src_prefixlen = rules[i].src_ip_prefix_len;
r->is_ipv6 = rules[i].src_prefix.address.af;
mac_address_decode (rules[i].src_mac, (mac_address_t *) & r->src_mac);
mac_address_decode (rules[i].src_mac_mask,
(mac_address_t *) & r->src_mac_mask);
ip_address_decode (&rules[i].src_prefix.address, &r->src_ip_addr);
r->src_prefixlen = rules[i].src_prefix.len;
}
if (~0 == *acl_list_index)
@@ -2046,19 +2030,12 @@ static void
copy_acl_rule_to_api_rule (vl_api_acl_rule_t * api_rule, acl_rule_t * r)
{
api_rule->is_permit = r->is_permit;
api_rule->is_ipv6 = r->is_ipv6;
if (r->is_ipv6)
{
memcpy (api_rule->src_ip_addr, &r->src, sizeof (r->src));
memcpy (api_rule->dst_ip_addr, &r->dst, sizeof (r->dst));
}
else
{
memcpy (api_rule->src_ip_addr, &r->src.ip4, sizeof (r->src.ip4));
memcpy (api_rule->dst_ip_addr, &r->dst.ip4, sizeof (r->dst.ip4));
}
api_rule->src_ip_prefix_len = r->src_prefixlen;
api_rule->dst_ip_prefix_len = r->dst_prefixlen;
ip_address_encode (&r->src, r->is_ipv6 ? IP46_TYPE_IP6 : IP46_TYPE_IP4,
&api_rule->src_prefix.address);
ip_address_encode (&r->dst, r->is_ipv6 ? IP46_TYPE_IP6 : IP46_TYPE_IP4,
&api_rule->dst_prefix.address);
api_rule->src_prefix.len = r->src_prefixlen;
api_rule->dst_prefix.len = r->dst_prefixlen;
api_rule->proto = r->proto;
api_rule->srcport_or_icmptype_first = htons (r->src_port_or_type_first);
api_rule->srcport_or_icmptype_last = htons (r->src_port_or_type_last);
@@ -2333,17 +2310,14 @@ send_macip_acl_details (acl_main_t * am, vl_api_registration_t * reg,
{
r = &acl->rules[i];
rules[i].is_permit = r->is_permit;
rules[i].is_ipv6 = r->is_ipv6;
memcpy (rules[i].src_mac, &r->src_mac, sizeof (r->src_mac));
memcpy (rules[i].src_mac_mask, &r->src_mac_mask,
sizeof (r->src_mac_mask));
if (r->is_ipv6)
memcpy (rules[i].src_ip_addr, &r->src_ip_addr.ip6,
sizeof (r->src_ip_addr.ip6));
else
memcpy (rules[i].src_ip_addr, &r->src_ip_addr.ip4,
sizeof (r->src_ip_addr.ip4));
rules[i].src_ip_prefix_len = r->src_prefixlen;
mac_address_encode ((mac_address_t *) & r->src_mac,
rules[i].src_mac);
mac_address_encode ((mac_address_t *) & r->src_mac_mask,
rules[i].src_mac_mask);
ip_address_encode (&r->src_ip_addr,
r->is_ipv6 ? IP46_TYPE_IP6 : IP46_TYPE_IP4,
&rules[i].src_prefix.address);
rules[i].src_prefix.len = r->src_prefixlen;
}
}
else
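Review bot: The new validation loop in acl_add_list never checks that `src_prefix.address.af` and `dst_prefix.address.af` agree, and `acl_api_invalid_prefix` treats every `af` value other than ADDRESS_IP6 as IPv4, so a rule arriving from an API client with mixed families, or with an `af` outside {ADDRESS_IP4, ADDRESS_IP6}, passes validation. In the copy loop below, `r->is_ipv6 = rules[i].src_prefix.address.af;` is then derived from the source prefix alone while `r->dst` was decoded according to its own family, and the same unchecked assignment appears in macip_acl_add_list. Suggest adding `if (rules[i].src_prefix.address.af != rules[i].dst_prefix.address.af) return VNET_API_ERROR_INVALID_VALUE;` next to the two prefix checks, and having acl_api_invalid_prefix return non-zero for an `af` that is neither ADDRESS_IP4 nor ADDRESS_IP6. Note also that an over-long prefix length used to yield VNET_API_ERROR_INVALID_VALUE and now surfaces as INVALID_SRC_ADDRESS/INVALID_DST_ADDRESS, a change in the error code clients observe that the commit message does not mention. acl_add_list begins before this hunk and continues past it.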


@@ -25,6 +25,9 @@
#include <vnet/ip/ip.h>
#include <arpa/inet.h>
#include <vnet/ip/ip_format_fns.h>
#include <vnet/ethernet/ethernet_format_fns.h>
#define __plugin_msg_base acl_test_main.msg_id_base
#include <vlibapi/vat_helper_macros.h>
@@ -156,16 +159,16 @@ static void vl_api_acl_plugin_get_conn_table_max_entries_reply_t_handler
static inline u8 *
vl_api_acl_rule_t_pretty_format (u8 *out, vl_api_acl_rule_t * a)
{
int af = a->is_ipv6 ? AF_INET6 : AF_INET;
int af = a->src_prefix.address.af ? AF_INET6 : AF_INET;
u8 src[INET6_ADDRSTRLEN];
u8 dst[INET6_ADDRSTRLEN];
inet_ntop(af, a->src_ip_addr, (void *)src, sizeof(src));
inet_ntop(af, a->dst_ip_addr, (void *)dst, sizeof(dst));
inet_ntop(af, &a->src_prefix.address.un, (void *)src, sizeof(src));
inet_ntop(af, &a->dst_prefix.address.un, (void *)dst, sizeof(dst));
out = format(out, "%s action %d src %s/%d dst %s/%d proto %d sport %d-%d dport %d-%d tcpflags %d mask %d",
a->is_ipv6 ? "ipv6" : "ipv4", a->is_permit,
src, a->src_ip_prefix_len,
dst, a->dst_ip_prefix_len,
a->src_prefix.address.af ? "ipv6" : "ipv4", a->is_permit,
src, a->src_prefix.len,
dst, a->dst_prefix.len,
a->proto,
a->srcport_or_icmptype_first, a->srcport_or_icmptype_last,
a->dstport_or_icmpcode_first, a->dstport_or_icmpcode_last,
@@ -196,13 +199,13 @@ static void vl_api_acl_details_t_handler
static inline u8 *
vl_api_macip_acl_rule_t_pretty_format (u8 *out, vl_api_macip_acl_rule_t * a)
{
int af = a->is_ipv6 ? AF_INET6 : AF_INET;
int af = a->src_prefix.address.af ? AF_INET6 : AF_INET;
u8 src[INET6_ADDRSTRLEN];
inet_ntop(af, a->src_ip_addr, (void *)src, sizeof(src));
inet_ntop(af, &a->src_prefix.address.un, (void *)src, sizeof(src));
out = format(out, "%s action %d ip %s/%d mac %U mask %U",
a->is_ipv6 ? "ipv6" : "ipv4", a->is_permit,
src, a->src_ip_prefix_len,
a->src_prefix.address.af ? "ipv6" : "ipv4", a->is_permit,
src, a->src_prefix.len,
my_format_mac_address, a->src_mac,
my_format_mac_address, a->src_mac_mask);
return(out);
@@ -349,17 +352,7 @@ static int api_acl_add_replace (vat_main_t * vam)
while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
{
if (unformat (i, "ipv6"))
{
vec_validate_acl_rules(rules, rule_idx);
rules[rule_idx].is_ipv6 = 1;
}
else if (unformat (i, "ipv4"))
{
vec_validate_acl_rules(rules, rule_idx);
rules[rule_idx].is_ipv6 = 0;
}
else if (unformat (i, "permit+reflect"))
if (unformat (i, "permit+reflect"))
{
vec_validate_acl_rules(rules, rule_idx);
rules[rule_idx].is_permit = 2;
@@ -387,33 +380,33 @@ static int api_acl_add_replace (vat_main_t * vam)
unformat_ip4_address, &src_v4address, &src_prefix_length))
{
vec_validate_acl_rules(rules, rule_idx);
memcpy (rules[rule_idx].src_ip_addr, &src_v4address, 4);
rules[rule_idx].src_ip_prefix_len = src_prefix_length;
rules[rule_idx].is_ipv6 = 0;
memcpy (rules[rule_idx].src_prefix.address.un.ip4, &src_v4address, 4);
rules[rule_idx].src_prefix.address.af = ADDRESS_IP4;
rules[rule_idx].src_prefix.len = src_prefix_length;
}
else if (unformat (i, "src %U/%d",
unformat_ip6_address, &src_v6address, &src_prefix_length))
{
vec_validate_acl_rules(rules, rule_idx);
memcpy (rules[rule_idx].src_ip_addr, &src_v6address, 16);
rules[rule_idx].src_ip_prefix_len = src_prefix_length;
rules[rule_idx].is_ipv6 = 1;
memcpy (rules[rule_idx].src_prefix.address.un.ip6, &src_v6address, 16);
rules[rule_idx].src_prefix.address.af = ADDRESS_IP6;
rules[rule_idx].src_prefix.len = src_prefix_length;
}
else if (unformat (i, "dst %U/%d",
unformat_ip4_address, &dst_v4address, &dst_prefix_length))
{
vec_validate_acl_rules(rules, rule_idx);
memcpy (rules[rule_idx].dst_ip_addr, &dst_v4address, 4);
rules[rule_idx].dst_ip_prefix_len = dst_prefix_length;
rules[rule_idx].is_ipv6 = 0;
memcpy (rules[rule_idx].dst_prefix.address.un.ip4, &dst_v4address, 4);
rules[rule_idx].dst_prefix.address.af = ADDRESS_IP4;
rules[rule_idx].dst_prefix.len = dst_prefix_length;
}
else if (unformat (i, "dst %U/%d",
unformat_ip6_address, &dst_v6address, &dst_prefix_length))
{
vec_validate_acl_rules(rules, rule_idx);
memcpy (rules[rule_idx].dst_ip_addr, &dst_v6address, 16);
rules[rule_idx].dst_ip_prefix_len = dst_prefix_length;
rules[rule_idx].is_ipv6 = 1;
memcpy (rules[rule_idx].dst_prefix.address.un.ip6, &dst_v6address, 16);
rules[rule_idx].dst_prefix.address.af = ADDRESS_IP6;
rules[rule_idx].dst_prefix.len = dst_prefix_length;
}
else if (unformat (i, "sport %d-%d", &port1, &port2))
{
@@ -651,12 +644,13 @@ api_acl_add_replace_from_file (vat_main_t * vam)
rule_idx++;
vec_validate_acl_rules(rules, rule_idx);
rules[rule_idx].is_ipv6 = 0;
rules[rule_idx].is_permit = is_permit;
memcpy (rules[rule_idx].src_ip_addr, &src_v4address, 4);
rules[rule_idx].src_ip_prefix_len = src_prefix_length;
memcpy (rules[rule_idx].dst_ip_addr, &dst_v4address, 4);
rules[rule_idx].dst_ip_prefix_len = dst_prefix_length;
memcpy (rules[rule_idx].src_prefix.address.un.ip4, &src_v4address, 4);
rules[rule_idx].src_prefix.address.af = ADDRESS_IP4;
rules[rule_idx].src_prefix.len = src_prefix_length;
memcpy (rules[rule_idx].dst_prefix.address.un.ip4, &dst_v4address, 4);
rules[rule_idx].dst_prefix.address.af = ADDRESS_IP4;
rules[rule_idx].dst_prefix.len = dst_prefix_length;
rules[rule_idx].srcport_or_icmptype_first = htons(sport_low);
rules[rule_idx].srcport_or_icmptype_last = htons(sport_high);
rules[rule_idx].dstport_or_icmpcode_first = htons(dport_low);
@@ -671,22 +665,23 @@ api_acl_add_replace_from_file (vat_main_t * vam)
rule_idx++;
vec_validate_acl_rules(rules, rule_idx);
rules[rule_idx].is_ipv6 = 0;
rules[rule_idx].is_permit = is_permit == 2 ? 2 : 1;
src_v4address.data[0]=0;
src_v4address.data[1]=0;
src_v4address.data[2]=0;
src_v4address.data[3]=0;
memcpy (rules[rule_idx].src_ip_addr, &src_v4address, 4);
rules[rule_idx].src_ip_prefix_len = 0;
memcpy (rules[rule_idx].src_prefix.address.un.ip4, &src_v4address, 4);
rules[rule_idx].src_prefix.address.af = ADDRESS_IP4;
rules[rule_idx].src_prefix.len = 0;
dst_v4address.data[0]=0;
dst_v4address.data[1]=0;
dst_v4address.data[2]=0;
dst_v4address.data[3]=0;
memcpy (rules[rule_idx].dst_ip_addr, &dst_v4address, 4);
rules[rule_idx].dst_ip_prefix_len = 0;
memcpy (rules[rule_idx].dst_prefix.address.un.ip4, &dst_v4address, 4);
rules[rule_idx].dst_prefix.address.af = ADDRESS_IP4;
rules[rule_idx].dst_prefix.len = 0;
rules[rule_idx].srcport_or_icmptype_first = htons(0);
rules[rule_idx].srcport_or_icmptype_last = htons(65535);
@@ -1176,17 +1171,7 @@ static int api_macip_acl_add (vat_main_t * vam)
while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
{
if (unformat (i, "ipv6"))
{
vec_validate_macip_acl_rules(rules, rule_idx);
rules[rule_idx].is_ipv6 = 1;
}
else if (unformat (i, "ipv4"))
{
vec_validate_macip_acl_rules(rules, rule_idx);
rules[rule_idx].is_ipv6 = 0;
}
else if (unformat (i, "permit"))
if (unformat (i, "permit"))
{
vec_validate_macip_acl_rules(rules, rule_idx);
rules[rule_idx].is_permit = 1;
@@ -1213,9 +1198,9 @@ static int api_macip_acl_add (vat_main_t * vam)
if (src_prefix_length == 0)
src_prefix_length = 32;
vec_validate_macip_acl_rules(rules, rule_idx);
memcpy (rules[rule_idx].src_ip_addr, &src_v4address, 4);
rules[rule_idx].src_ip_prefix_len = src_prefix_length;
rules[rule_idx].is_ipv6 = 0;
memcpy (rules[rule_idx].src_prefix.address.un.ip4, &src_v4address, 4);
rules[rule_idx].src_prefix.address.af = ADDRESS_IP4;
rules[rule_idx].src_prefix.len = src_prefix_length;
}
else if (unformat (i, "src"))
{
@@ -1229,9 +1214,9 @@ static int api_macip_acl_add (vat_main_t * vam)
if (src_prefix_length == 0)
src_prefix_length = 128;
vec_validate_macip_acl_rules(rules, rule_idx);
memcpy (rules[rule_idx].src_ip_addr, &src_v6address, 16);
rules[rule_idx].src_ip_prefix_len = src_prefix_length;
rules[rule_idx].is_ipv6 = 1;
memcpy (rules[rule_idx].src_prefix.address.un.ip4, &src_v6address, 4);
rules[rule_idx].src_prefix.address.af = ADDRESS_IP6;
rules[rule_idx].src_prefix.len = src_prefix_length;
}
else if (unformat (i, "mac %U",
my_unformat_mac_address, &src_mac))
@@ -1323,17 +1308,7 @@ static int api_macip_acl_add_replace (vat_main_t * vam)
while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
{
if (unformat (i, "ipv6"))
{
vec_validate_macip_acl_rules(rules, rule_idx);
rules[rule_idx].is_ipv6 = 1;
}
else if (unformat (i, "ipv4"))
{
vec_validate_macip_acl_rules(rules, rule_idx);
rules[rule_idx].is_ipv6 = 0;
}
else if (unformat (i, "permit"))
if (unformat (i, "permit"))
{
vec_validate_macip_acl_rules(rules, rule_idx);
rules[rule_idx].is_permit = 1;
@@ -1353,32 +1328,32 @@ static int api_macip_acl_add_replace (vat_main_t * vam)
rules[rule_idx].is_permit = action;
}
else if (unformat (i, "ip %U/%d",
unformat_ip4_address, &src_v4address, &src_prefix_length) ||
unformat (i, "ip %U",
unformat_ip4_address, &src_v4address))
unformat_ip4_address, &src_v4address, &src_prefix_length) ||
unformat (i, "ip %U",
unformat_ip4_address, &src_v4address))
{
if (src_prefix_length == 0)
src_prefix_length = 32;
vec_validate_macip_acl_rules(rules, rule_idx);
memcpy (rules[rule_idx].src_ip_addr, &src_v4address, 4);
rules[rule_idx].src_ip_prefix_len = src_prefix_length;
rules[rule_idx].is_ipv6 = 0;
if (src_prefix_length == 0)
src_prefix_length = 32;
vec_validate_macip_acl_rules(rules, rule_idx);
memcpy (rules[rule_idx].src_prefix.address.un.ip4, &src_v4address, 4);
rules[rule_idx].src_prefix.address.af = ADDRESS_IP4;
rules[rule_idx].src_prefix.len = src_prefix_length;
}
else if (unformat (i, "src"))
{
/* Everything in MACIP is "source" but allow this verbosity */
/* Everything in MACIP is "source" but allow this verbosity */
}
else if (unformat (i, "ip %U/%d",
unformat_ip6_address, &src_v6address, &src_prefix_length) ||
unformat (i, "ip %U",
unformat_ip6_address, &src_v6address))
unformat_ip6_address, &src_v6address, &src_prefix_length) ||
unformat (i, "ip %U",
unformat_ip6_address, &src_v6address))
{
if (src_prefix_length == 0)
src_prefix_length = 128;
src_prefix_length = 128;
vec_validate_macip_acl_rules(rules, rule_idx);
memcpy (rules[rule_idx].src_ip_addr, &src_v6address, 16);
rules[rule_idx].src_ip_prefix_len = src_prefix_length;
rules[rule_idx].is_ipv6 = 1;
memcpy (rules[rule_idx].src_prefix.address.un.ip4, &src_v6address, 4);
rules[rule_idx].src_prefix.address.af = ADDRESS_IP6;
rules[rule_idx].src_prefix.len = src_prefix_length;
}
else if (unformat (i, "mac %U",
my_unformat_mac_address, &src_mac))
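Review bot: In api_macip_acl_add and api_macip_acl_add_replace, the IPv6 branch copies only 4 bytes of `src_v6address` into `src_prefix.address.un.ip4` while setting `af = ADDRESS_IP6`, so the rule is sent with an IPv6 family but a truncated address; the api_acl_add_replace hunk above shows the intended form, `memcpy (rules[rule_idx].src_prefix.address.un.ip6, &src_v6address, 16);`. This looks like a copy-paste from the IPv4 branch immediately above each of those two spots. The enclosing functions start and end outside these hunks.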


@@ -15,14 +15,20 @@
* limitations under the License.
*/
import "vnet/ip/ip_types.api";
import "vnet/ethernet/ethernet_types.api";
enum acl_action : u8
{
ACL_ACTION_API_DENY = 0,
ACL_ACTION_API_PERMIT = 1,
ACL_ACTION_API_PERMIT_REFLECT = 2,
};
/** \brief Access List Rule entry
@param is_permit - deny (0), permit (1), or permit+reflect(2) action on this rule.
@param is_ipv6 - IP addresses in this rule are IPv6 (1) or IPv4 (0)
@param src_ip_addr - Source prefix value
@param src_ip_prefix_len - Source prefix length
@param dst_ip_addr - Destination prefix value
@param dst_ip_prefix_len - Destination prefix length
@param src_prefix - Source prefix
@param dst_prefix - Destination prefix
@param proto - L4 protocol (http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml)
@param srcport_or_icmptype_first - beginning of source port or ICMP4/6 type range
@param srcport_or_icmptype_last - end of source port or ICMP4/6 type range
@@ -34,17 +40,14 @@
typedef acl_rule
{
u8 is_permit;
u8 is_ipv6;
u8 src_ip_addr[16];
u8 src_ip_prefix_len;
u8 dst_ip_addr[16];
u8 dst_ip_prefix_len;
vl_api_acl_action_t is_permit;
vl_api_prefix_t src_prefix;
vl_api_prefix_t dst_prefix;
/*
* L4 protocol. IANA number. 1 = ICMP, 58 = ICMPv6, 6 = TCP, 17 = UDP.
* 0 => ignore L4 and ignore the ports/tcpflags when matching.
*/
u8 proto;
vl_api_ip_proto_t proto;
/*
* If the L4 protocol is TCP or UDP, the below
* hold ranges of ports, else if the L4 is ICMP/ICMPv6
@@ -70,30 +73,24 @@ typedef acl_rule
/** \brief MACIP Access List Rule entry
@param is_permit - deny (0), permit (1) action on this rule.
@param is_ipv6 - IP addresses in this rule are IPv6 (1) or IPv4 (0)
@param src_mac - match masked source MAC address against this value
@param src_mac_mask - AND source MAC address with this value before matching
@param src_ip_addr - Source prefix value
@param src_ip_prefix_len - Source prefix length
@param src_prefix - Source prefix value
*/
typedef macip_acl_rule
{
u8 is_permit;
u8 is_ipv6;
vl_api_acl_action_t is_permit;
/*
* The source mac of the packet ANDed with src_mac_mask.
* The source ip[46] address in the packet is matched
* against src_ip_addr, with src_ip_prefix_len set to 0.
* against src_prefix set to 0.
*
* For better performance, minimize the number of
* (src_mac_mask, src_ip_prefix_len) combinations
* (src_mac_mask, src_prefix.len) combinations
* in a MACIP ACL.
*/
u8 src_mac[6];
u8 src_mac_mask[6];
u8 src_ip_addr[16];
u8 src_ip_prefix_len;
vl_api_mac_address_t src_mac;
vl_api_mac_address_t src_mac_mask;
vl_api_prefix_t src_prefix;
};
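Review bot: The rewritten macip_acl_rule comment, `against src_prefix set to 0.`, no longer reads correctly — the old text said the source IP is matched against `src_ip_addr` with `src_ip_prefix_len` set to 0, and the member that now carries the length is `src_prefix.len`; suggest `* against src_prefix.address, with src_prefix.len set to 0.`. The doc block above it still lists `@param is_ipv6 - IP addresses in this rule are IPv6 (1) or IPv4 (0)` although the `is_ipv6` member is removed from the typedef; if that line survives on the new side it documents a field that no longer exists, the family now being carried by `src_prefix.address.af`. The `is_permit` description `deny (0), permit (1)` could also name the new enum, e.g. `@param is_permit - ACL_ACTION_API_DENY or ACL_ACTION_API_PERMIT`.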


@@ -18,6 +18,7 @@
#include <vnet/ip/format.h>
#include <vnet/ethernet/ethernet.h>
#include <vnet/ip/ip_types_api.h>
#define vl_endianfun /* define message structures */
#include <acl/acl_types.api.h>
@@ -128,19 +129,18 @@ static inline void *
vl_api_acl_rule_t_print (vl_api_acl_rule_t * a, void *handle)
{
u8 *s;
fib_prefix_t src, dst;
s = format (0, " %s ", a->is_ipv6 ? "ipv6" : "ipv4");
ip_prefix_decode (&a->src_prefix, &src);
ip_prefix_decode (&a->dst_prefix, &dst);
s = format (0, " %s ", a->src_prefix.address.af ? "ipv6" : "ipv4");
s = format_acl_action (s, a->is_permit);
s = format (s, " \\\n");
if (a->is_ipv6)
s = format (s, " src %U/%d dst %U/%d \\\n",
format_ip6_address, a->src_ip_addr, a->src_ip_prefix_len,
format_ip6_address, a->dst_ip_addr, a->dst_ip_prefix_len);
else
s = format (s, " src %U/%d dst %U/%d \\\n",
format_ip4_address, a->src_ip_addr, a->src_ip_prefix_len,
format_ip4_address, a->dst_ip_addr, a->dst_ip_prefix_len);
s = format (s, " src %U dst %U \\\n",
format_fib_prefix, &src,
format_fib_prefix, &dst);
s = format (s, " proto %d \\\n", a->proto);
s = format (s, " sport %d-%d dport %d-%d \\\n",
clib_net_to_host_u16 (a->srcport_or_icmptype_first),
@@ -158,20 +158,19 @@ static inline void *
vl_api_macip_acl_rule_t_print (vl_api_macip_acl_rule_t * a, void *handle)
{
u8 *s;
fib_prefix_t src;
s = format (0, " %s %s \\\n", a->is_ipv6 ? "ipv6" : "ipv4",
ip_prefix_decode (&a->src_prefix, &src);
s = format (0, " %s %s \\\n", a->src_prefix.address.af ? "ipv6" : "ipv4",
a->is_permit ? "permit" : "deny");
s = format (s, " src mac %U mask %U \\\n",
format_ethernet_address, a->src_mac,
format_ethernet_address, a->src_mac_mask);
if (a->is_ipv6)
s = format (s, " src ip %U/%d, \\",
format_ip6_address, a->src_ip_addr, a->src_ip_prefix_len);
else
s = format (s, " src ip %U/%d, \\",
format_ip4_address, a->src_ip_addr, a->src_ip_prefix_len);
s = format (s, " src ip %U, \\",
format_fib_prefix, &src);
PRINT_S;
return handle;
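Review bot: `a->src_prefix.address.af ? "ipv6" : "ipv4"` in both print functions relies on ADDRESS_IP4 being 0 and labels any other non-zero family value as `ipv6`; comparing explicitly, `a->src_prefix.address.af == ADDRESS_IP6 ? "ipv6" : "ipv4"`, states the intent and matches how acl.c's acl_api_invalid_prefix dispatches on the same field. The same ternary is repeated four times in acl_test.c's pretty-format functions. In vl_api_macip_acl_rule_t_print the unchanged `a->is_permit ? "permit" : "deny"` now receives a vl_api_acl_action_t; since the acl_rule printer uses format_acl_action, the macip printer could use it as well for consistent output.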


@@ -36,22 +36,23 @@ def to_acl_rule(self, is_permit, wildcard_sport=False):
rule_l4_sport_last = rule_l4_sport
new_rule = {
'is_permit': is_permit,
'is_ipv6': p.haslayer(IPv6),
'src_ip_addr': inet_pton(rule_family,
p[rule_l3_layer].src),
'src_ip_prefix_len': rule_prefix_len,
'dst_ip_addr': inet_pton(rule_family,
p[rule_l3_layer].dst),
'dst_ip_prefix_len': rule_prefix_len,
'srcport_or_icmptype_first': rule_l4_sport_first,
'srcport_or_icmptype_last': rule_l4_sport_last,
'dstport_or_icmpcode_first': rule_l4_dport,
'dstport_or_icmpcode_last': rule_l4_dport,
'proto': rule_l4_proto,
}
'is_permit': is_permit,
'is_ipv6': p.haslayer(IPv6),
'src_ip_addr': inet_pton(rule_family,
p[rule_l3_layer].src),
'src_ip_prefix_len': rule_prefix_len,
'dst_ip_addr': inet_pton(rule_family,
p[rule_l3_layer].dst),
'dst_ip_prefix_len': rule_prefix_len,
'srcport_or_icmptype_first': rule_l4_sport_first,
'srcport_or_icmptype_last': rule_l4_sport_last,
'dstport_or_icmpcode_first': rule_l4_dport,
'dstport_or_icmpcode_last': rule_l4_dport,
'proto': rule_l4_proto,
}
return new_rule
Packet.to_acl_rule = to_acl_rule
@@ -91,36 +92,36 @@ class Conn(L4_Conn):
if reflect_side == acl_side:
self.testcase.vapi.acl_interface_set_acl_list(
self.ifs[acl_side].sw_if_index, 1,
[reflect_acl_index,
self.ifs[acl_side].sw_if_index, 1,
[reflect_acl_index,
deny_acl_index])
self.testcase.vapi.acl_interface_set_acl_list(
self.ifs[1-acl_side].sw_if_index, 0, [])
self.ifs[1-acl_side].sw_if_index, 0, [])
else:
self.testcase.vapi.acl_interface_set_acl_list(
self.ifs[acl_side].sw_if_index, 1,
[deny_acl_index,
self.ifs[acl_side].sw_if_index, 1,
[deny_acl_index,
reflect_acl_index])
self.testcase.vapi.acl_interface_set_acl_list(
self.ifs[1-acl_side].sw_if_index, 0, [])
self.ifs[1-acl_side].sw_if_index, 0, [])
def wildcard_rule(self, is_permit):
any_addr = ["0.0.0.0", "::"]
rule_family = self.address_family
is_ip6 = 1 if rule_family == AF_INET6 else 0
new_rule = {
'is_permit': is_permit,
'is_ipv6': is_ip6,
'src_ip_addr': inet_pton(rule_family, any_addr[is_ip6]),
'src_ip_prefix_len': 0,
'dst_ip_addr': inet_pton(rule_family, any_addr[is_ip6]),
'dst_ip_prefix_len': 0,
'srcport_or_icmptype_first': 0,
'srcport_or_icmptype_last': 65535,
'dstport_or_icmpcode_first': 0,
'dstport_or_icmpcode_last': 65535,
'proto': 0,
}
'is_permit': is_permit,
'is_ipv6': is_ip6,
'src_ip_addr': inet_pton(rule_family, any_addr[is_ip6]),
'src_ip_prefix_len': 0,
'dst_ip_addr': inet_pton(rule_family, any_addr[is_ip6]),
'dst_ip_prefix_len': 0,
'srcport_or_icmptype_first': 0,
'srcport_or_icmptype_last': 65535,
'dstport_or_icmpcode_first': 0,
'dstport_or_icmpcode_last': 65535,
'proto': 0,
}
return new_rule


@@ -603,5 +603,6 @@ class TestClassifyAcl(TestClassifier):
self.acl_active_table = key
self.run_verify_test(self.IP, self.IPV4, -1)
if __name__ == '__main__':
unittest.main(testRunner=VppTestRunner)
