acl-plugin: add whitelisted ethertype mode (VPP-1163)

Currently, ACL plugin largely does not care about the ethertypes other than 0x0800 (IPv4) and 0x86dd (IPv6), the only exception being 0x0806 (ARP), which is dealt with by the MACIP ACLs. The other ethertypes in L2 mode are just let through. This adds a new API message acl_interface_set_etype_whitelist, which allows to flip the mode of a given interface into "ethertype whitelist mode": the caller of this message must supply the two lists (inbound and outbound) of the ethertypes that are to be permitted, the rest of the ethertypes are dropped. The whitelisting for a given interface and direction takes effect only when a policy ACL is also applied. This operates on the same classifier node as the one used for dispatching the policy ACL, thus, if one wishes for most of the reasonable IPv4 deployments to continue to operate within the whitelist mode, they must permit ARP ethertype (0x0806) The empty list for a given direction resets the processing to allow the unknown ethertypes. So, if one wants to just permit the IPv4 and IPv6 and nothing else, one can add their ethertypes to the whitelist. Add the "show acl-plugin interface" corresponding outputs about the whitelists, vat command, and unittests. Change-Id: I4659978c801f36d554b6615e56e424b77876662c Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-02-06 17:42:32 +01:00
parent be2251b0c5
commit c43b3f9864
7 changed files with 411 additions and 12 deletions
--- a/src/plugins/acl/acl.api
+++ b/src/plugins/acl/acl.api
@ -476,3 +476,23 @@ define macip_acl_interface_list_details
  u8 count;
  u32 acls[count];
 };
+
+/** \brief Set the ethertype whitelists on an interface. Takes effect when applying ACLs on the interface, so must be given prior.
+    @param client_index - opaque cookie to identify the sender
+    @param context - sender context, to match reply w/ request
+    @param sw_if_index - the interface to alter the list of ACLs on
+    @param count - total number of whitelisted ethertypes in the vector
+    @param n_input - this many first elements correspond to input whitelisted ethertypes, the rest - output
+    @param whitelist - vector of whitelisted ethertypes
+*/
+
+autoreply manual_print define acl_interface_set_etype_whitelist
+{
+  u32 client_index;
+  u32 context;
+  u32 sw_if_index;
+  u8 count; /* Total number of ethertypes in the whitelist */
+  u8 n_input; /* first n_input ethertypes are input, the rest - output */
+  u16 whitelist[count];
+};
+
--- a/src/plugins/acl/acl.c
+++ b/src/plugins/acl/acl.c
--- a/src/plugins/acl/acl.h
+++ b/src/plugins/acl/acl.h
@ -188,6 +188,12 @@ typedef struct {
  u32 *acl_dot1q_output_classify_table_by_sw_if_index;
  u32 *acl_dot1ad_output_classify_table_by_sw_if_index;

+  u32 *acl_etype_input_classify_table_by_sw_if_index;
+  u32 *acl_etype_output_classify_table_by_sw_if_index;
+
+  u16 **input_etype_whitelist_by_sw_if_index;
+  u16 **output_etype_whitelist_by_sw_if_index;
+
  /* MACIP (input) ACLs associated with the interfaces */
  u32 *macip_acl_by_sw_if_index;

--- a/src/plugins/acl/acl_test.c
+++ b/src/plugins/acl/acl_test.c
@ -67,6 +67,7 @@ _(acl_del_reply) \
 _(acl_interface_add_del_reply) \
 _(macip_acl_interface_add_del_reply) \
 _(acl_interface_set_acl_list_reply) \
+_(acl_interface_set_etype_whitelist_reply) \
 _(macip_acl_del_reply)

 #define foreach_reply_retval_aclindex_handler  \
@ -269,6 +270,7 @@ _(ACL_ADD_REPLACE_REPLY, acl_add_replace_reply) \
 _(ACL_DEL_REPLY, acl_del_reply) \
 _(ACL_INTERFACE_ADD_DEL_REPLY, acl_interface_add_del_reply)  \
 _(ACL_INTERFACE_SET_ACL_LIST_REPLY, acl_interface_set_acl_list_reply) \
+_(ACL_INTERFACE_SET_ETYPE_WHITELIST_REPLY, acl_interface_set_etype_whitelist_reply) \
 _(ACL_INTERFACE_LIST_DETAILS, acl_interface_list_details)  \
 _(ACL_DETAILS, acl_details)  \
 _(MACIP_ACL_ADD_REPLY, macip_acl_add_reply) \
@ -746,6 +748,63 @@ static int api_acl_interface_set_acl_list (vat_main_t * vam)
    return ret;
 }

+static int api_acl_interface_set_etype_whitelist (vat_main_t * vam)
+{
+    unformat_input_t * i = vam->input;
+    vl_api_acl_interface_set_etype_whitelist_t * mp;
+    u32 sw_if_index = ~0;
+    u32 ethertype = ~0;
+    u16 *etypes_in = 0;
+    u16 *etypes_out = 0;
+    u8 is_input = 1;
+    int ret;
+
+//  acl_interface_set_etype_whitelist <intfc> | sw_if_index <if-idx> input [ethertype list] output [ethertype list]
+
+    /* Parse args required to build the message */
+    while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
+        if (unformat (i, "%U", unformat_sw_if_index, vam, &sw_if_index))
+            ;
+        else if (unformat (i, "sw_if_index %d", &sw_if_index))
+            ;
+        else if (unformat (i, "%x", &ethertype))
+          {
+            ethertype = ethertype & 0xffff;
+            if(is_input)
+              vec_add1(etypes_in, htons(ethertype));
+            else
+              vec_add1(etypes_out, htons(ethertype));
+          }
+        else if (unformat (i, "input"))
+            is_input = 1;
+        else if (unformat (i, "output"))
+            is_input = 0;
+        else
+            break;
+    }
+
+    if (sw_if_index == ~0) {
+        errmsg ("missing interface name / explicit sw_if_index number \n");
+        return -99;
+    }
+
+    /* Construct the API message */
+    M2(ACL_INTERFACE_SET_ETYPE_WHITELIST, mp, sizeof(u32) * (vec_len(etypes_in) + vec_len(etypes_out)));
+    mp->sw_if_index = ntohl(sw_if_index);
+    mp->n_input = vec_len(etypes_in);
+    mp->count = vec_len(etypes_in) + vec_len(etypes_out);
+    vec_append(etypes_in, etypes_out);
+    if (vec_len(etypes_in) > 0)
+      clib_memcpy(mp->whitelist, etypes_in, vec_len(etypes_in)*sizeof(etypes_in[0]));
+
+    /* send it... */
+    S(mp);
+
+    /* Wait for a reply... */
+    W (ret);
+    return ret;
+}
+
 static void
 api_acl_send_control_ping(vat_main_t *vam)
 {
@ -1163,6 +1222,7 @@ _(acl_del, "<acl-idx>") \
 _(acl_dump, "[<acl-idx>]") \
 _(acl_interface_add_del, "<intfc> | sw_if_index <if-idx> [add|del] [input|output] acl <acl-idx>") \
 _(acl_interface_set_acl_list, "<intfc> | sw_if_index <if-idx> input [acl-idx list] output [acl-idx list]") \
+_(acl_interface_set_etype_whitelist, "<intfc> | sw_if_index <if-idx> input [ethertype list] output [ethertype list]") \
 _(acl_interface_list_dump, "[<intfc> | sw_if_index <if-idx>]") \
 _(macip_acl_add, "...") \
 _(macip_acl_add_replace, "<acl-idx> [<ipv4|ipv6> <permit|deny|action N> [count <count>] [src] ip <ipaddress/[plen]> mac <mac> mask <mac_mask>, ... , ...") \
--- a/src/plugins/acl/manual_fns.h
+++ b/src/plugins/acl/manual_fns.h
@ -359,6 +359,30 @@ vl_api_acl_interface_set_acl_list_t_print (vl_api_acl_interface_set_acl_list_t
  return handle;
 }

+static inline void *
+vl_api_acl_interface_set_etype_whitelist_t_print (vl_api_acl_interface_set_etype_whitelist_t
+					   * a, void *handle)
+{
+  u8 *s;
+  int i;
+
+  s = format
+    (0, "SCRIPT: acl_interface_set_etype_whitelist sw_if_index %d count %d\n",
+     clib_net_to_host_u32 (a->sw_if_index), (u32) a->count);
+
+  s = format (s, "    input ");
+
+  for (i = 0; i < a->count; i++)
+    {
+      if (i == a->n_input)
+        s = format (s, "output ");
+      s = format (s, "%x ", clib_net_to_host_u16 (a->whitelist[i]));
+    }
+
+  PRINT_S;
+  return handle;
+}
+
 static inline void *
 vl_api_acl_interface_add_del_t_print (vl_api_acl_interface_add_del_t * a,
 				      void *handle)
--- a/test/test_acl_plugin.py
+++ b/test/test_acl_plugin.py
@ -247,6 +247,15 @@ class TestACLplugin(VppTestCase):
                                                 acls=[reply.acl_index])
        return

+    def etype_whitelist(self, whitelist, n_input):
+        # Apply whitelists on all the interfaces
+        for i in self.pg_interfaces:
+            # checkstyle can't read long names. Help them.
+            fun = self.vapi.acl_interface_set_etype_whitelist
+            fun(sw_if_index=i.sw_if_index, n_input=n_input,
+                whitelist=whitelist)
+        return
+
    def create_upper_layer(self, packet_index, proto, ports=0):
        p = self.proto_map[proto]
        if p == 'UDP':
@ -268,7 +277,8 @@ class TestACLplugin(VppTestCase):
        return ''

    def create_stream(self, src_if, packet_sizes, traffic_type=0, ipv6=0,
-                      proto=-1, ports=0, fragments=False, pkt_raw=True):
+                      proto=-1, ports=0, fragments=False,
+                      pkt_raw=True, etype=-1):
        """
        Create input packet stream for defined interface using hosts or
        deleted_hosts list.
@ -300,6 +310,10 @@ class TestACLplugin(VppTestCase):
                        pkt_info.proto = proto
                    payload = self.info_to_payload(pkt_info)
                    p = Ether(dst=dst_host.mac, src=src_host.mac)
+                    if etype > 0:
+                        p = Ether(dst=dst_host.mac,
+                                  src=src_host.mac,
+                                  type=etype)
                    if pkt_info.ip:
                        p /= IPv6(dst=dst_host.ip6, src=src_host.ip6)
                        if fragments:
@ -328,7 +342,8 @@ class TestACLplugin(VppTestCase):
                    pkts.append(p)
        return pkts

-    def verify_capture(self, pg_if, capture, traffic_type=0, ip_type=0):
+    def verify_capture(self, pg_if, capture,
+                       traffic_type=0, ip_type=0, etype=-1):
        """
        Verify captured input packet stream for defined interface.

@ -341,6 +356,12 @@ class TestACLplugin(VppTestCase):
            last_info[i.sw_if_index] = None
        dst_sw_if_index = pg_if.sw_if_index
        for packet in capture:
+            if etype > 0:
+                if packet[Ether].type != etype:
+                    self.logger.error(ppp("Unexpected ethertype in packet:",
+                                          packet))
+                else:
+                    continue
            try:
                # Raw data for ICMPv6 are stored in ICMPv6EchoRequest.data
                if traffic_type == self.ICMP and ip_type == self.IPV6:
@ -429,7 +450,7 @@ class TestACLplugin(VppTestCase):
        self.pg_start()

    def run_verify_test(self, traffic_type=0, ip_type=0, proto=-1, ports=0,
-                        frags=False, pkt_raw=True):
+                        frags=False, pkt_raw=True, etype=-1):
        # Test
        # Create incoming packet streams for packet-generator interfaces
        pkts_cnt = 0
@ -437,7 +458,7 @@ class TestACLplugin(VppTestCase):
            if self.flows.__contains__(i):
                pkts = self.create_stream(i, self.pg_if_packet_sizes,
                                          traffic_type, ip_type, proto, ports,
-                                          frags, pkt_raw)
+                                          frags, pkt_raw, etype)
                if len(pkts) > 0:
                    i.add_stream(pkts)
                    pkts_cnt += len(pkts)
@ -454,17 +475,18 @@ class TestACLplugin(VppTestCase):
                    capture = dst_if.get_capture(pkts_cnt)
                    self.logger.info("Verifying capture on interface %s" %
                                     dst_if.name)
-                    self.verify_capture(dst_if, capture, traffic_type, ip_type)
+                    self.verify_capture(dst_if, capture,
+                                        traffic_type, ip_type, etype)

    def run_verify_negat_test(self, traffic_type=0, ip_type=0, proto=-1,
-                              ports=0, frags=False):
+                              ports=0, frags=False, etype=-1):
        # Test
        self.reset_packet_infos()
        for i in self.pg_interfaces:
            if self.flows.__contains__(i):
                pkts = self.create_stream(i, self.pg_if_packet_sizes,
                                          traffic_type, ip_type, proto, ports,
-                                          frags)
+                                          frags, True, etype)
                if len(pkts) > 0:
                    i.add_stream(pkts)

@ -1306,6 +1328,70 @@ class TestACLplugin(VppTestCase):

        self.logger.info("ACLP_TEST_FINISH_0113")

+    def test_0300_tcp_permit_v4_etype_aaaa(self):
+        """ permit TCPv4, send 0xAAAA etype
+        """
+        self.logger.info("ACLP_TEST_START_0300")
+
+        # Add an ACL
+        rules = []
+        rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_RANGE_2,
+                     self.proto[self.IP][self.TCP]))
+        rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_RANGE,
+                     self.proto[self.IP][self.TCP]))
+        # deny ip any any in the end
+        rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
+
+        # Apply rules
+        self.apply_rules(rules, "permit ipv4 tcp")
+
+        # Traffic should still pass
+        self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.TCP])
+
+        # Traffic should still pass also for an odd ethertype
+        self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.TCP],
+                             0, False, True, 0xaaaa)
+
+        self.logger.info("ACLP_TEST_FINISH_0300")
+
+    def test_0305_tcp_permit_v4_etype_blacklist_aaaa(self):
+        """ permit TCPv4, whitelist 0x0BBB ethertype, send 0xAAAA, 0x0BBB
+        """
+        self.logger.info("ACLP_TEST_START_0305")
+
+        # Add an ACL
+        rules = []
+        rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_RANGE_2,
+                     self.proto[self.IP][self.TCP]))
+        rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_RANGE,
+                     self.proto[self.IP][self.TCP]))
+        # deny ip any any in the end
+        rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
+
+        # Apply rules
+        self.apply_rules(rules, "permit ipv4 tcp")
+
+        # whitelist the 0xbbbb etype - so the 0xaaaa should be blocked
+        self.etype_whitelist([0xbbb], 1)
+
+        # The IPv4 traffic should still pass
+        self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.TCP])
+
+        # The oddball ethertype should be blocked
+        self.run_verify_negat_test(self.IP, self.IPV4,
+                                   self.proto[self.IP][self.TCP],
+                                   0, False, 0xaaaa)
+
+        # The whitelisted traffic, on the other hand, should pass
+        self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.TCP],
+                             0, False, True, 0x0bbb)
+
+        # remove the whitelist, the previously blocked 0xAAAA should pass now
+        self.etype_whitelist([], 0)
+        self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.TCP],
+                             0, False, True, 0xaaaa)
+
+        self.logger.info("ACLP_TEST_FINISH_0305")

 if __name__ == '__main__':
    unittest.main(testRunner=VppTestRunner)
--- a/test/vpp_papi_provider.py
+++ b/test/vpp_papi_provider.py
@ -2680,6 +2680,16 @@ class VppPapiProvider(object):
                         'acls': acls},
                        expected_retval=expected_retval)

+    def acl_interface_set_etype_whitelist(self, sw_if_index,
+                                          n_input, whitelist,
+                                          expected_retval=0):
+        return self.api(self.papi.acl_interface_set_etype_whitelist,
+                        {'sw_if_index': sw_if_index,
+                         'count': len(whitelist),
+                         'n_input': n_input,
+                         'whitelist': whitelist},
+                        expected_retval=expected_retval)
+
    def acl_interface_add_del(self,
                              sw_if_index,
                              acl_index,