25 #include <vpp/app/version.h> 45 #define vl_print(handle, ...) vlib_cli_output (handle, __VA_ARGS__) 51 #define vl_api_version(n,v) static u32 api_version=(v); 61 #define REPLY_MSG_ID_BASE am->msg_id_base 66 #define foreach_acl_plugin_api_msg \ 67 _(ACL_PLUGIN_GET_VERSION, acl_plugin_get_version) \ 68 _(ACL_ADD_REPLACE, acl_add_replace) \ 70 _(ACL_INTERFACE_ADD_DEL, acl_interface_add_del) \ 71 _(ACL_INTERFACE_SET_ACL_LIST, acl_interface_set_acl_list) \ 72 _(ACL_DUMP, acl_dump) \ 73 _(ACL_INTERFACE_LIST_DUMP, acl_interface_list_dump) \ 74 _(MACIP_ACL_ADD, macip_acl_add) \ 75 _(MACIP_ACL_DEL, macip_acl_del) \ 76 _(MACIP_ACL_INTERFACE_ADD_DEL, macip_acl_interface_add_del) \ 77 _(MACIP_ACL_DUMP, macip_acl_dump) \ 78 _(MACIP_ACL_INTERFACE_GET, macip_acl_interface_get) 82 .version = VPP_BUILD_VER,
83 .description =
"Access Control Lists",
92 int msg_size =
sizeof (*rmp);
102 memset (rmp, 0, msg_size);
104 ntohs (VL_API_ACL_PLUGIN_GET_VERSION_REPLY + am->
msg_id_base);
115 u32 * acl_list_index,
u8 * tag)
123 if (*acl_list_index != ~0)
142 for (i = 0; i < count; i++)
144 r = &acl_new_rules[
i];
168 if (~0 == *acl_list_index)
172 memset (a, 0,
sizeof (*a));
174 *acl_list_index = a - am->
acls;
178 a = am->
acls + *acl_list_index;
182 a->
rules = acl_new_rules;
184 memcpy (a->
tag, tag, sizeof (a->
tag));
233 a = &am->
acls[acl_list_index];
249 _(
" dmac smac etype ")
250 _(ether) __ __ __ __ __ __
v __ __ __ __ __ __
v __ __
v 257 _(" ttl pr checksum ")
266 _("L4 T/U sport dport ")
277 _(" dmac smac etype ")
278 _(ether) __ __ __ __ __ __
v __ __ __ __ __ __
v __ __
v 280 _(0x0000) __ __ __ __
282 _(0x0004) __ __
XX __
293 _("L4T/U sport dport ")
294 _(tcpudp)
XX XX XX XX _(padpad) __ __ __ __ _(padeth) __ __;
308 while ((0ULL == *p64) && ((
u8 *) p64 - p) <
size)
312 return (p64 - (
u64 *) p) / 2;
317 u32 mask_len,
u32 next_table_index,
318 u32 miss_next_index,
u32 * table_index,
321 u32 nbuckets = 65536;
324 u32 match = (mask_len / 16) - skip;
325 u8 *skip_mask_ptr = mask + 16 * skip;
326 u32 current_data_flag = 0;
327 int current_data_offset = 0;
333 memory_size, skip, match,
334 next_table_index, miss_next_index,
335 table_index, current_data_flag,
336 current_data_offset, is_add,
342 u32 mask_len,
u32 next_table_index,
343 u32 miss_next_index,
u32 * table_index,
349 u32 match = (mask_len / 16) - skip;
350 u8 *skip_mask_ptr = mask + 16 * skip;
351 u32 current_data_flag = 0;
352 int current_data_offset = 0;
358 memory_size, skip, match,
359 next_table_index, miss_next_index,
360 table_index, current_data_flag,
361 current_data_offset, is_add,
370 u32 ip4_table_index = ~0;
371 u32 ip6_table_index = ~0;
386 sizeof (ip4_5tuple_mask) - 1, ~0,
388 &ip4_table_index, 0);
398 &ip6_table_index, 0);
408 u32 ip4_table_index = ~0;
409 u32 ip6_table_index = ~0;
424 sizeof (ip4_5tuple_mask) - 1, ~0,
426 &ip4_table_index, 0);
436 &ip6_table_index, 0);
446 u32 ip4_table_index = ~0;
447 u32 ip6_table_index = ~0;
454 sizeof (ip4_5tuple_mask) - 1, ~0,
456 &ip4_table_index, 1);
463 &ip6_table_index, 1);
467 sizeof (ip4_5tuple_mask) - 1, ~0,
469 &ip4_table_index, 0);
474 ip6_table_index, ~0);
476 (
"ACL enabling on interface sw_if_index %d, setting tables to the following: ip4: %d ip6: %d\n",
477 sw_if_index, ip4_table_index, ip6_table_index);
483 &ip6_table_index, 0);
485 sizeof (ip4_5tuple_mask) - 1, ~0,
487 &ip4_table_index, 0);
504 u32 ip4_table_index = ~0;
505 u32 ip6_table_index = ~0;
512 sizeof (ip4_5tuple_mask) - 1, ~0,
514 &ip4_table_index, 1);
521 &ip6_table_index, 1);
525 sizeof (ip4_5tuple_mask) - 1, ~0,
527 &ip4_table_index, 0);
532 ip6_table_index, ~0);
534 (
"ACL enabling on interface sw_if_index %d, setting tables to the following: ip4: %d ip6: %d\n",
535 sw_if_index, ip4_table_index, ip6_table_index);
541 &ip6_table_index, 0);
543 sizeof (ip4_5tuple_mask) - 1, ~0,
545 &ip4_table_index, 0);
569 return VNET_API_ERROR_INVALID_SW_IF_INDEX;
594 return VNET_API_ERROR_INVALID_SW_IF_INDEX;
644 if (acl_list_index ==
663 if (acl_list_index ==
751 if (memcmp (addr1, addr2, prefixlen / 8))
758 u8 b1 = *((
u8 *) addr1 + 1 + prefixlen / 8);
759 u8 b2 = *((
u8 *) addr2 + 1 + prefixlen / 8);
760 u8 mask0 = (0xff - ((1 << (8 - (prefixlen % 8))) - 1));
761 return (b1 & mask0) == b2;
771 uint32_t a1 = ntohl (addr1->ip4.as_u32);
772 uint32_t a2 = ntohl (addr2->ip4.as_u32);
773 uint32_t mask0 = 0xffffffff - ((1 << (32 - prefixlen)) - 1);
774 return (a1 & mask0) == a2;
781 return ((port >= port_first) && (port <= port_last));
786 u8 * r_action,
int *r_is_ip6,
u32 * r_acl_match_p,
787 u32 * r_rule_match_p,
u32 * trace_bitmap)
792 ip46_address_t src, dst;
804 type0 = clib_net_to_host_u16 (h0->
type);
805 is_ip4 = (type0 == ETHERNET_TYPE_IP4);
806 is_ip6 = (type0 == ETHERNET_TYPE_IP6);
808 if (!(is_ip4 || is_ip6))
821 *trace_bitmap |= 0x00000001;
841 *trace_bitmap |= 0x00000002;
858 *r_acl_match_p = acl_index;
860 *r_rule_match_p = -1;
864 a = am->
acls + acl_index;
865 for (i = 0; i < a->
count; i++)
878 if (proto != r->
proto)
896 *r_acl_match_p = acl_index;
906 u32 * acl_match_p,
u32 * rule_match_p,
919 &is_ip6, acl_match_p, rule_match_p, trace_bitmap))
942 u32 * acl_match_p,
u32 * rule_match_p,
955 &is_ip6, acl_match_p, rule_match_p, trace_bitmap))
992 for (i = 0; i <
vec_len (mv); i++)
994 if ((mv[i].prefix_len == prefix_len) && (mv[
i].
is_ipv6 == is_ipv6)
995 && (0 == memcmp (mv[i].mac_mask, mac_mask, 6)))
1038 u32 match_type_index;
1044 for (i = 0; i < a->
count; i++)
1052 match_type_index =
vec_len (mvec);
1054 memcpy (mvec[match_type_index].mac_mask,
1060 mvec[match_type_index].
count++;
1075 memset (mask, 0,
sizeof (mask));
1076 memcpy (&mask[6], mt->
mac_mask, 6);
1077 memset (&mask[12], 0xff, 2);
1078 memcpy (&mask[14 + 8], mt->
mac_mask, 6);
1081 mask[14 + 14 + i] = 0xff;
1085 mask_len = ((14 + 14 + ((mt->
prefix_len+7) / 8) +
1099 memset (mask, 0,
sizeof (mask));
1100 memcpy (&mask[6], mt->
mac_mask, 6);
1103 mask[l3_src_offs +
i] = 0xff;
1108 0xff - ((1 << (8 - mt->
prefix_len % 8)) - 1);
1114 mask_len = ((l3_src_offs + ((mt->
prefix_len+7) / 8) +
1126 for (i = 0; i < a->
count; i++)
1132 memset (mask, 0,
sizeof (mask));
1134 memset (&mask[12], 0xff, 2);
1154 0, action, metadata, 1);
1156 if (!is6 && (mvec[match_type_index].arp_table_index != ~0))
1158 memset (mask, 0,
sizeof (mask));
1166 0, action, metadata, 1);
1197 u32 * acl_list_index,
u8 * tag)
1214 for (i = 0; i < count; i++)
1216 r = &acl_new_rules[
i];
1221 if(rules[i].is_ipv6)
1230 memset (a, 0,
sizeof (*a));
1234 a->
rules = acl_new_rules;
1236 memcpy (a->
tag, tag, sizeof (a->
tag));
1251 u32 macip_acl_index;
1256 if (~0 == macip_acl_index)
1272 u32 macip_acl_index)
1385 rv = VNET_API_ERROR_INVALID_SW_IF_INDEX;
1406 rv = VNET_API_ERROR_INVALID_SW_IF_INDEX;
1412 for (i = 0; i < mp->
count; i++)
1415 ntohl (mp->
acls[i]));
1419 REPLY_MACRO (VL_API_ACL_INTERFACE_SET_ACL_LIST_REPLY);
1455 int msg_size =
sizeof (*mp) +
sizeof (mp->
r[0]) * acl->
count;
1458 memset (mp, 0, msg_size);
1459 mp->_vl_msg_id = ntohs (VL_API_ACL_DETAILS + am->
msg_id_base);
1465 memcpy (mp->
tag, acl->
tag, sizeof (mp->
tag));
1468 for (i = 0; i < acl->
count; i++)
1500 send_acl_details(am, q, acl, mp->context);
1509 acl = &am->
acls[acl_index];
1524 u32 sw_if_index,
u32 context)
1538 count = n_input + n_output;
1540 msg_size =
sizeof (*mp);
1541 msg_size +=
sizeof (mp->
acls[0]) * count;
1544 memset (mp, 0, msg_size);
1546 ntohs (VL_API_ACL_INTERFACE_LIST_DETAILS + am->
msg_id_base);
1553 for (i = 0; i < n_input; i++)
1557 for (i = 0; i < n_output; i++)
1559 mp->
acls[n_input +
i] =
1588 send_acl_interface_list_details(am, q, swif->sw_if_index, mp->context);
1608 u32 acl_list_index = ~0;
1644 rv = VNET_API_ERROR_INVALID_SW_IF_INDEX;
1650 REPLY_MACRO (VL_API_MACIP_ACL_INTERFACE_ADD_DEL_REPLY);
1661 int msg_size =
sizeof (*mp) + (acl ?
sizeof (mp->
r[0]) * acl->
count : 0);
1664 memset (mp, 0, msg_size);
1665 mp->_vl_msg_id = ntohs (VL_API_MACIP_ACL_DETAILS + am->
msg_id_base);
1671 memcpy (mp->
tag, acl->
tag, sizeof (mp->
tag));
1675 for (i = 0; i < acl->
count; i++)
1684 memcpy (rules[i].src_ip_addr, &r->
src_ip_addr.ip6,
1687 memcpy (rules[i].src_ip_addr, &r->
src_ip_addr.ip4,
1722 send_macip_acl_details (am, q, acl,
1746 int msg_size =
sizeof (*rmp) +
sizeof (rmp->
acls[0]) * count;
1757 memset (rmp, 0, msg_size);
1759 ntohs (VL_API_MACIP_ACL_INTERFACE_GET_REPLY + am->
msg_id_base);
1761 rmp->
count = htonl (count);
1762 for (i = 0; i < count; i++)
1776 vl_msg_api_set_handlers((VL_API_##N + am->msg_id_base), \ 1778 vl_api_##n##_t_handler, \ 1780 vl_api_##n##_t_endian, \ 1781 vl_api_##n##_t_print, \ 1782 sizeof(vl_api_##n##_t), 1); 1789 #define vl_msg_name_crc_list 1791 #undef vl_msg_name_crc_list 1796 #define _(id,n,crc) \ 1797 vl_msg_api_add_msg_name_crc (apim, #n "_" #crc, id + am->msg_id_base); 1798 foreach_vl_msg_name_crc_acl;
1804 u32 next_out_ip4,
u32 next_out_ip6)
1926 switch(timeout_type) {
1952 if ((eh < 256) && (value < 2))
1992 if (
unformat (input,
"l2-datapath")) {
2009 if (
unformat (input,
"skip-ipv6-extension-header %u %u", &eh_val, &val)) {
2015 if (
unformat (input,
"l4-match-nonfirst-fragment %u", &val))
2029 if (
unformat (input,
"max-entries")) {
2030 if (!
unformat(input,
"%u", &val)) {
2032 "expecting maximum number of entries, got `%U`",
2040 if (
unformat (input,
"hash-table-buckets")) {
2041 if (!
unformat(input,
"%u", &val)) {
2043 "expecting maximum number of hash table buckets, got `%U`",
2051 if (
unformat (input,
"hash-table-memory")) {
2054 "expecting maximum amount of hash table memory, got `%U`",
2067 if (!
unformat(input,
"%u", &timeout)) {
2069 "expecting timeout value in seconds, got `%U`",
2080 if (!
unformat(input,
"%u", &timeout)) {
2082 "expecting timeout value in seconds, got `%U`",
2091 if (!
unformat(input,
"%u", &timeout)) {
2093 "expecting timeout value in seconds, got `%U`",
2125 u32 sw_if_index = swif->sw_if_index;
2126 u64 n_adds = sw_if_index < vec_len(am->fa_session_adds_by_sw_if_index) ? am->fa_session_adds_by_sw_if_index[sw_if_index] : 0;
2127 u64 n_dels = sw_if_index < vec_len(am->fa_session_dels_by_sw_if_index) ? am->fa_session_dels_by_sw_if_index[sw_if_index] : 0;
2128 out0 = format(out0,
"sw_if_index %d: add %lu - del %lu = %lu\n", sw_if_index, n_adds, n_dels, n_adds - n_dels);
2130 out0 =
format(out0,
"\n\nConn cleaner thread counters:\n");
2131 #define _(cnt, desc) out0 = format(out0, " %20lu: %s\n", am->cnt, desc); 2135 vlib_cli_output(vm,
"Sessions per interval: min %lu max %lu increment: %f ms current: %f ms",
2147 .path =
"set acl-plugin",
2148 .short_help =
"set acl-plugin session timeout {{udp idle}|tcp {idle|transient}} <seconds>",
2153 .path =
"show acl-plugin",
2154 .short_help =
"show acl-plugin sessions",
2166 memset (am, 0,
sizeof (*am));
2170 u8 *name =
format (0,
"acl_%08x%c", api_version, 0);
2205 am->fa_cleaner_cnt_delete_by_sw_index = 0;
2206 am->fa_cleaner_cnt_delete_by_sw_index_ok = 0;
2207 am->fa_cleaner_cnt_unknown_event = 0;
2208 am->fa_cleaner_cnt_deleted_sessions = 0;
2209 am->fa_cleaner_cnt_timer_restarted = 0;
2210 am->fa_cleaner_cnt_wait_with_timeout = 0;
2213 #define _(N, v, s) am->fa_ipv6_known_eh_bitmap = clib_bitmap_set(am->fa_ipv6_known_eh_bitmap, v, 1);
#define vec_validate(V, I)
Make sure vector is long enough for given index (no header, unspecified alignment) ...
u32 * acl_ip4_output_classify_table_by_sw_if_index
static int macip_acl_interface_add_acl(acl_main_t *am, u32 sw_if_index, u32 macip_acl_index)
u32 fa_cleaner_node_index
u32 session_timeout_sec[ACL_N_TIMEOUTS]
Use acl_interface_set_acl_list instead Append/remove an ACL index to/from the list of ACLs checked fo...
u32 fa_acl_in_ip4_l2_node_feat_next_node_index[32]
static int macip_acl_interface_add_del_acl(u32 sw_if_index, u8 is_add, u32 acl_list_index)
static int acl_hook_l2_output_classify(acl_main_t *am, u32 sw_if_index)
static void send_macip_acl_details(acl_main_t *am, unix_shared_memory_queue_t *q, macip_acl_list_t *acl, u32 context)
sll srl srl sll sra u16x4 i
static clib_error_t * acl_init(vlib_main_t *vm)
int acl_interface_out_enable_disable(acl_main_t *am, u32 sw_if_index, int enable_disable)
char ** l2output_get_feat_names(void)
static int acl_interface_del_inout_acl(u32 sw_if_index, u8 is_input, u32 acl_list_index)
static void vl_api_acl_plugin_get_version_t_handler(vl_api_acl_plugin_get_version_t *mp)
int acl_interface_in_enable_disable(acl_main_t *am, u32 sw_if_index, int enable_disable)
void acl_setup_fa_nodes(void)
u64 fa_current_cleaner_timer_wait_interval
void output_acl_packet_match(u32 sw_if_index, vlib_buffer_t *b0, u32 *nextp, u32 *acl_match_p, u32 *rule_match_p, u32 *trace_bitmap)
Set the vector of input/output ACLs checked for an interface.
static clib_error_t * acl_show_aclplugin_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
#define foreach_acl_plugin_api_msg
u32 ** input_acl_vec_by_sw_if_index
void vl_msg_api_send_shmem(unix_shared_memory_queue_t *q, u8 *elem)
Dump the list(s) of ACL applied to specific or all interfaces.
vnet_main_t * vnet_get_main(void)
vl_api_macip_acl_rule_t r[count]
void acl_setup_nodes(void)
static int count_skip(u8 *p, u32 size)
vnet_interface_main_t interface_main
static void vl_api_acl_add_replace_t_handler(vl_api_acl_add_replace_t *mp)
static void vl_api_macip_acl_dump_t_handler(vl_api_macip_acl_dump_t *mp)
u32 acl_out_node_feat_next_node_index[32]
int l4_match_nonfirst_fragment
#define ACL_FA_CONN_TABLE_DEFAULT_HASH_NUM_BUCKETS
#define ACL_PLUGIN_VERSION_MINOR
#define REPLY_MACRO2(t, body)
static void vl_api_macip_acl_add_t_handler(vl_api_macip_acl_add_t *mp)
u32 * acl_ip6_input_classify_table_by_sw_if_index
u32 acl_in_ip4_match_next[256]
unix_shared_memory_queue_t * vl_api_client_index_to_input_queue(u32 index)
u32 fa_conn_list_tail[ACL_N_TIMEOUTS]
void vnet_l2_input_classify_enable_disable(u32 sw_if_index, int enable_disable)
Enable/disable l2 input classification on a specific interface.
static uword * clib_bitmap_set(uword *ai, uword i, uword value)
Sets the ith bit of a bitmap to new_value Removes trailing zeros from the bitmap. ...
u32 l2_input_classify_next_acl_ip4
u16 dstport_or_icmpcode_last
vlib_node_registration_t acl_out_node
(constructor) VLIB_REGISTER_NODE (acl_out_node)
static u32 macip_find_match_type(macip_match_type_t *mv, u8 *mac_mask, u8 prefix_len, u8 is_ipv6)
#define vec_reset_length(v)
Reset vector length to zero NULL-pointer tolerant.
Details about one MACIP ACL.
u32 fa_acl_out_ip4_l2_node_feat_next_node_index[32]
f64 fa_cleaner_wait_time_increment
#define vec_add(V, E, N)
Add N elements to end of vector V (no header, unspecified alignment)
u32 fa_l2_output_classify_next_acl_ip4
uword fa_conn_table_hash_memory_size
u16 dst_port_or_code_last
static clib_error_t * acl_sw_interface_add_del(vnet_main_t *vnm, u32 sw_if_index, u32 is_add)
static int acl_match_addr(ip46_address_t *addr1, ip46_address_t *addr2, int prefixlen, int is_ip6)
u32 l2_output_classify_next_acl_ip4
ip46_address_t src_ip_addr
u32 fa_conn_list_head[ACL_N_TIMEOUTS]
void mv(vnet_classify_table_t *t)
#define pool_foreach(VAR, POOL, BODY)
Iterate through pool.
#define VLIB_INIT_FUNCTION(x)
u16 dstport_or_icmpcode_first
u64 fa_conn_table_max_entries
uword vlib_node_add_next_with_slot(vlib_main_t *vm, uword node_index, uword next_node_index, uword slot)
Add or delete a MACIP ACL to/from interface.
#define clib_error_return(e, args...)
void input_acl_packet_match(u32 sw_if_index, vlib_buffer_t *b0, u32 *nextp, u32 *acl_match_p, u32 *rule_match_p, u32 *trace_bitmap)
#define ACL_FA_CONN_TABLE_DEFAULT_MAX_ENTRIES
int vnet_l2_output_classify_set_tables(u32 sw_if_index, u32 ip4_table_index, u32 ip6_table_index, u32 other_table_index)
Set l2 per-protocol, per-interface output classification tables.
VNET_SW_INTERFACE_ADD_DEL_FUNCTION(acl_sw_interface_add_del)
static int acl_match_port(u16 port, u16 port_first, u16 port_last, int is_ip6)
u32 fa_acl_out_ip6_l2_node_feat_next_node_index[32]
u32 * acl_ip4_input_classify_table_by_sw_if_index
int vnet_classify_add_del_session(vnet_classify_main_t *cm, u32 table_index, u8 *match, u32 hit_next_index, u32 opaque_index, i32 advance, u8 action, u32 metadata, int is_add)
static int acl_unhook_l2_input_classify(acl_main_t *am, u32 sw_if_index)
u32 acl_in_node_feat_next_node_index[32]
static int acl_hook_l2_input_classify(acl_main_t *am, u32 sw_if_index)
static void setup_message_id_table(acl_main_t *am, api_main_t *apim)
static void vlib_process_signal_event(vlib_main_t *vm, uword node_index, uword type_opaque, uword data)
#define ACL_FA_DEFAULT_CLEANER_WAIT_TIME_INCREMENT
u16 dst_port_or_code_first
u32 fa_l2_input_classify_next_acl_ip4
static void vl_api_acl_dump_t_handler(vl_api_acl_dump_t *mp)
uword * fa_ipv6_known_eh_bitmap
Replace an existing ACL in-place or create a new ACL.
#define ACL_FA_DEFAULT_MIN_DELETED_SESSIONS_PER_INTERVAL
static void * vlib_buffer_get_current(vlib_buffer_t *b)
Get pointer to current data to process.
#define pool_put(P, E)
Free an object E in pool P.
Details about a single ACL contents.
#define vec_del1(v, i)
Delete the element at index I.
vl_api_acl_rule_t r[count]
static int get_l3_src_offset(int is6)
u32 fa_l2_output_classify_next_acl_ip6
u32 l2_input_classify_next_acl_ip6
vlib_node_registration_t acl_in_node
(constructor) VLIB_REGISTER_NODE (acl_in_node)
static void send_acl_details(acl_main_t *am, unix_shared_memory_queue_t *q, acl_list_t *acl, u32 context)
u16 src_port_or_type_first
u64 fa_min_deleted_sessions_per_interval
static int match_type_compare(macip_match_type_t *m1, macip_match_type_t *m2)
u32 fa_l2_input_classify_next_acl_ip6
#define pool_get_aligned(P, E, A)
Allocate an object E from a pool P (general version).
vl_api_acl_rule_t r[count]
static int acl_unhook_l2_output_classify(acl_main_t *am, u32 sw_if_index)
Reply to alter the ACL list.
static int match_type_metric(macip_match_type_t *m)
static int macip_acl_del_list(u32 acl_list_index)
Dump one or all defined MACIP ACLs.
static int acl_classify_add_del_table_small(vnet_classify_main_t *cm, u8 *mask, u32 mask_len, u32 next_table_index, u32 miss_next_index, u32 *table_index, int is_add)
void * vl_msg_api_alloc(int nbytes)
#define vec_free(V)
Free vector's memory (no header).
static void feat_bitmap_init_next_nodes(vlib_main_t *vm, u32 node_index, u32 num_features, char **feat_names, u32 *next_nodes)
Initialize the feature next-node indexes of a graph node.
static int acl_classify_add_del_table_big(vnet_classify_main_t *cm, u8 *mask, u32 mask_len, u32 next_table_index, u32 miss_next_index, u32 *table_index, int is_add)
u32 register_match_action_nexts(u32 next_in_ip4, u32 next_in_ip6, u32 next_out_ip4, u32 next_out_ip6)
u16 srcport_or_icmptype_first
Reply to add/replace ACL.
#define clib_warning(format, args...)
static int acl_interface_add_inout_acl(u32 sw_if_index, u8 is_input, u32 acl_list_index)
Reply with the vector of MACIP ACLs by sw_if_index.
#define clib_memcpy(a, b, c)
void acl_set_timeout_sec(int timeout_type, u32 value)
int vnet_l2_input_classify_set_tables(u32 sw_if_index, u32 ip4_table_index, u32 ip6_table_index, u32 other_table_index)
Set l2 per-protocol, per-interface input classification tables.
#define pool_is_free_index(P, I)
Use free bitmap to query whether given index is free.
vlib_node_t * vlib_get_node_by_name(vlib_main_t *vm, u8 *name)
#define foreach_fa_cleaner_counter
void acl_fa_enable_disable(u32 sw_if_index, int is_input, int enable_disable)
#define VLIB_CLI_COMMAND(x,...)
struct _vnet_classify_main vnet_classify_main_t
u16 srcport_or_icmptype_last
static void vl_api_acl_interface_add_del_t_handler(vl_api_acl_interface_add_del_t *mp)
static int macip_acl_interface_del_acl(acl_main_t *am, u32 sw_if_index)
static void vl_api_macip_acl_del_t_handler(vl_api_macip_acl_del_t *mp)
u16 src_port_or_type_last
MACIP Access List Rule entry.
static int macip_create_classify_tables(acl_main_t *am, u32 macip_acl_index)
static void send_acl_interface_list_details(acl_main_t *am, unix_shared_memory_queue_t *q, u32 sw_if_index, u32 context)
static int acl_packet_match(acl_main_t *am, u32 acl_index, vlib_buffer_t *b0, u8 *r_action, int *r_is_ip6, u32 *r_acl_match_p, u32 *r_rule_match_p, u32 *trace_bitmap)
static void clib_mem_free(void *p)
u32 l2_output_classify_next_acl_old
l2sess_main_t l2sess_main
vnet_classify_main_t vnet_classify_main
Reply to get the plugin version.
static clib_error_t * acl_plugin_api_hookup(vlib_main_t *vm)
static int macip_acl_add_list(u32 count, vl_api_macip_acl_rule_t rules[], u32 *acl_list_index, u8 *tag)
vl_api_macip_acl_rule_t r[count]
u32 acl_out_ip6_match_next[256]
u32 fa_acl_in_ip6_l2_node_feat_next_node_index[32]
static vlib_main_t * vlib_get_main(void)
Dump the specific ACL contents or all of the ACLs' contents.
int vnet_classify_add_del_table(vnet_classify_main_t *cm, u8 *mask, u32 nbuckets, u32 memory_size, u32 skip, u32 match, u32 next_table_index, u32 miss_next_index, u32 *table_index, u8 current_data_flag, i16 current_data_offset, int is_add, int del_chain)
template key/value backing page structure
u32 * macip_acl_by_sw_if_index
Get the vector of MACIP ACL IDs applied to the interfaces.
u32 * acl_ip6_output_classify_table_by_sw_if_index
static void vl_api_acl_interface_list_dump_t_handler(vl_api_acl_interface_list_dump_t *mp)
static int acl_add_list(u32 count, vl_api_acl_rule_t rules[], u32 *acl_list_index, u8 *tag)
#define UDP_SESSION_IDLE_TIMEOUT_SEC
static void vl_api_acl_del_t_handler(vl_api_acl_del_t *mp)
macip_acl_list_t * macip_acls
#define TCP_SESSION_IDLE_TIMEOUT_SEC
#define vec_len(v)
Number of elements in vector (rvalue-only, NULL tolerant)
static void * get_ptr_to_offset(vlib_buffer_t *b0, int offset)
Details about a single ACL contents.
Reply to apply/unapply the MACIP ACL.
u32 l2_input_classify_next_acl_old
#define vec_sort_with_function(vec, f)
Sort a vector using the supplied element comparison function.
vnet_sw_interface_t * sw_interfaces
void vnet_l2_output_classify_enable_disable(u32 sw_if_index, int enable_disable)
Enable/disable l2 input classification on a specific interface.
static void vl_api_acl_interface_set_acl_list_t_handler(vl_api_acl_interface_set_acl_list_t *mp)
u64 fa_max_deleted_sessions_per_interval
static clib_error_t * acl_set_aclplugin_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
static void acl_interface_reset_inout_acls(u32 sw_if_index, u8 is_input)
struct clib_bihash_value offset
template key/value backing page structure
u32 acl_in_ip6_match_next[256]
static void * clib_mem_alloc_aligned(uword size, uword align)
u64 udp_session_idle_timeout
static int acl_interface_add_del_inout_acl(u32 sw_if_index, u8 is_add, u8 is_input, u32 acl_list_index)
static void copy_acl_rule_to_api_rule(vl_api_acl_rule_t *api_rule, acl_rule_t *r)
Reply to delete the MACIP ACL.
u64 tcp_session_transient_timeout
#define vec_foreach(var, vec)
Vector iterator.
u32 acl_out_ip4_match_next[256]
u16 vl_msg_api_get_msg_ids(char *name, int n)
#define ACL_PLUGIN_VERSION_MAJOR
Reply to set the ACL list on an interface.
#define vec_validate_init_empty(V, I, INIT)
Make sure vector is long enough for given index and initialize empty space (no header, unspecified alignment)
#define CLIB_CACHE_LINE_BYTES
u32 l2_output_classify_next_acl_ip6
void acl_set_session_max_entries(u32 value)
void vlib_cli_output(vlib_main_t *vm, char *fmt,...)
#define ACL_FA_DEFAULT_MAX_DELETED_SESSIONS_PER_INTERVAL
u32 ** output_acl_vec_by_sw_if_index
u64 tcp_session_idle_timeout
#define TCP_SESSION_TRANSIENT_TIMEOUT_SEC
static void vl_api_macip_acl_interface_add_del_t_handler(vl_api_macip_acl_interface_add_del_t *mp)
u32 fa_conn_table_hash_num_buckets
int acl_set_skip_ipv6_eh(u32 eh, u32 value)
#define ACL_FA_CONN_TABLE_DEFAULT_HASH_MEMORY_SIZE
struct _unix_shared_memory_queue unix_shared_memory_queue_t
static int acl_del_list(u32 acl_list_index)
static void macip_destroy_classify_tables(acl_main_t *am, u32 macip_acl_index)
static u8 acl_get_l4_proto(vlib_buffer_t *b0, int node_is_ip6)
static void vl_api_macip_acl_interface_get_t_handler(vl_api_macip_acl_interface_get_t *mp)
foreach_fa_cleaner_counter vlib_main_t * vlib_main
1.8.11 
