24 #include <vpp/app/version.h> 44 #define vl_print(handle, ...) vlib_cli_output (handle, __VA_ARGS__) 50 #define vl_api_version(n,v) static u32 api_version=(v); 59 #define REPLY_MSG_ID_BASE am->msg_id_base 64 #define foreach_acl_plugin_api_msg \ 65 _(ACL_PLUGIN_GET_VERSION, acl_plugin_get_version) \ 66 _(ACL_PLUGIN_CONTROL_PING, acl_plugin_control_ping) \ 67 _(ACL_ADD_REPLACE, acl_add_replace) \ 69 _(ACL_INTERFACE_ADD_DEL, acl_interface_add_del) \ 70 _(ACL_INTERFACE_SET_ACL_LIST, acl_interface_set_acl_list) \ 71 _(ACL_DUMP, acl_dump) \ 72 _(ACL_INTERFACE_LIST_DUMP, acl_interface_list_dump) \ 73 _(MACIP_ACL_ADD, macip_acl_add) \ 74 _(MACIP_ACL_ADD_REPLACE, macip_acl_add_replace) \ 75 _(MACIP_ACL_DEL, macip_acl_del) \ 76 _(MACIP_ACL_INTERFACE_ADD_DEL, macip_acl_interface_add_del) \ 77 _(MACIP_ACL_DUMP, macip_acl_dump) \ 78 _(MACIP_ACL_INTERFACE_GET, macip_acl_interface_get) \ 79 _(MACIP_ACL_INTERFACE_LIST_DUMP, macip_acl_interface_list_dump) 84 .version = VPP_BUILD_VER,
85 .description =
"Access Control Lists",
134 int msg_size =
sizeof (*rmp);
144 memset (rmp, 0, msg_size);
146 ntohs (VL_API_ACL_PLUGIN_GET_VERSION_REPLY + am->
msg_id_base);
164 rmp->
vpe_pid = ntohl (getpid ());
171 u32 * acl_list_index,
u8 * tag)
179 if (*acl_list_index != ~0)
185 clib_warning(
"acl-plugin-error: Trying to replace nonexistent ACL %d (tag %s)", *acl_list_index, tag);
190 clib_warning(
"acl-plugin-warning: supplied no rules for ACL %d (tag %s)", *acl_list_index, tag);
199 for (i = 0; i <
count; i++)
202 memset(r, 0,
sizeof(*r));
226 if (~0 == *acl_list_index)
230 memset (a, 0,
sizeof (*a));
232 *acl_list_index = a - am->
acls;
236 a = am->
acls + *acl_list_index;
242 a->
rules = acl_new_rules;
244 memcpy (a->
tag, tag, sizeof (a->
tag));
326 _(
" dmac smac etype ")
327 _(ether) __ __ __ __ __ __
v __ __ __ __ __ __
v __ __
v 334 _(" ttl pr checksum ")
343 _("L4 T/U sport dport ")
354 _(" dmac smac etype ")
355 _(ether) __ __ __ __ __ __
v __ __ __ __ __ __
v __ __
v 357 _(0x0000) __ __ __ __
359 _(0x0004) __ __
XX __
370 _("L4T/U sport dport ")
371 _(tcpudp)
XX XX XX XX _(padpad) __ __ __ __ _(padeth) __ __;
385 while ((0ULL == *p64) && ((
u8 *) p64 - p) <
size)
389 return (p64 - (
u64 *) p) / 2;
394 u32 mask_len,
u32 next_table_index,
395 u32 miss_next_index,
u32 * table_index,
401 u32 match = (mask_len / 16) - skip;
402 u8 *skip_mask_ptr = mask + 16 * skip;
403 u32 current_data_flag = 0;
404 int current_data_offset = 0;
410 memory_size, skip, match,
411 next_table_index, miss_next_index,
412 table_index, current_data_flag,
413 current_data_offset, is_add,
421 u32 mask_len,
u32 next_table_index,
422 u32 miss_next_index,
u32 * table_index,
428 u32 match = (mask_len / 16) - skip;
429 u8 *skip_mask_ptr = mask + 16 * skip;
430 u32 current_data_flag = 0;
431 int current_data_offset = 0;
438 memory_size, skip, match,
439 next_table_index, miss_next_index,
440 table_index, current_data_flag,
441 current_data_offset, is_add,
452 u32 ip4_table_index = ~0;
453 u32 ip6_table_index = ~0;
471 sizeof (ip4_5tuple_mask) - 1, ~0,
473 &ip4_table_index, 0);
483 &ip6_table_index, 0);
493 u32 ip4_table_index = ~0;
494 u32 ip6_table_index = ~0;
513 sizeof (ip4_5tuple_mask) - 1, ~0,
515 &ip4_table_index, 0);
525 &ip6_table_index, 0);
535 u32 ip4_table_index = ~0;
536 u32 ip6_table_index = ~0;
545 sizeof (ip4_5tuple_mask) - 1, ~0,
547 &ip4_table_index, 1);
554 &ip6_table_index, 1);
558 sizeof (ip4_5tuple_mask) - 1, ~0,
560 &ip4_table_index, 0);
565 ip6_table_index, ~0);
571 &ip6_table_index, 0);
573 sizeof (ip4_5tuple_mask) - 1, ~0,
575 &ip4_table_index, 0);
594 u32 ip4_table_index = ~0;
595 u32 ip6_table_index = ~0;
604 sizeof (ip4_5tuple_mask) - 1, ~0,
606 &ip4_table_index, 1);
613 &ip6_table_index, 1);
617 sizeof (ip4_5tuple_mask) - 1, ~0,
619 &ip4_table_index, 0);
624 ip6_table_index, ~0);
626 (
"ACL enabling on interface sw_if_index %d, setting tables to the following: ip4: %d ip6: %d\n",
627 sw_if_index, ip4_table_index, ip6_table_index);
633 &ip6_table_index, 0);
635 sizeof (ip4_5tuple_mask) - 1, ~0,
637 &ip4_table_index, 0);
663 return VNET_API_ERROR_INVALID_SW_IF_INDEX;
688 return VNET_API_ERROR_INVALID_SW_IF_INDEX;
727 clib_warning(
"ACL %d is already applied inbound on sw_if_index %d (index %d)",
728 acl_list_index, sw_if_index, index);
749 clib_warning(
"ACL %d is already applied outbound on sw_if_index %d (index %d)",
750 acl_list_index, sw_if_index, index);
783 if (acl_list_index ==
812 if (acl_list_index ==
930 for (i = 0; i <
vec_len (mv); i++)
932 if ((mv[i].prefix_len == prefix_len) && (mv[
i].
is_ipv6 == is_ipv6)
933 && (0 == memcmp (mv[i].mac_mask, mac_mask, 6)))
948 unsigned int mac_bits_set = 0;
949 unsigned int mac_byte;
954 for (; mac_byte; mac_byte >>= 1)
955 mac_bits_set += mac_byte & 1;
990 u32 match_type_index;
996 for (i = 0; i < a->
count; i++)
1004 match_type_index =
vec_len (mvec);
1006 memcpy (mvec[match_type_index].mac_mask,
1012 mvec[match_type_index].
count++;
1027 memset (mask, 0,
sizeof (mask));
1028 memcpy (&mask[6], mt->
mac_mask, 6);
1029 memset (&mask[12], 0xff, 2);
1030 memcpy (&mask[14 + 8], mt->
mac_mask, 6);
1033 mask[14 + 14 + i] = 0xff;
1037 mask_len = ((14 + 14 + ((mt->
prefix_len+7) / 8) +
1051 memset (mask, 0,
sizeof (mask));
1052 memcpy (&mask[6], mt->
mac_mask, 6);
1055 mask[l3_src_offs +
i] = 0xff;
1060 0xff - ((1 << (8 - mt->
prefix_len % 8)) - 1);
1066 mask_len = ((l3_src_offs + ((mt->
prefix_len+7) / 8) +
1078 for (i = 0; i < a->
count; i++)
1084 memset (mask, 0,
sizeof (mask));
1086 memset (&mask[12], 0xff, 2);
1103 ASSERT(match_type_index != ~0);
1107 0, action, metadata, 1);
1109 if (!is6 && (mvec[match_type_index].arp_table_index != ~0))
1111 memset (mask, 0,
sizeof (mask));
1119 0, action, metadata, 1);
1150 u32 * acl_list_index,
u8 * tag)
1158 if (*acl_list_index != ~0)
1164 clib_warning(
"acl-plugin-error: Trying to replace nonexistent MACIP ACL %d (tag %s)", *acl_list_index, tag);
1170 clib_warning(
"acl-plugin-warning: Trying to create empty MACIP ACL (tag %s)", tag);
1177 for (i = 0; i <
count; i++)
1179 r = &acl_new_rules[
i];
1184 if(rules[i].is_ipv6)
1191 if (~0 == *acl_list_index)
1195 memset (a, 0,
sizeof (*a));
1209 a->
rules = acl_new_rules;
1211 memcpy (a->
tag, tag, sizeof (a->
tag));
1226 u32 macip_acl_index;
1233 if (~0 == macip_acl_index)
1249 u32 macip_acl_index)
1345 if (supplied_len < expected_len) {
1346 clib_warning(
"%s: Supplied message length %d is less than expected %d",
1347 where, supplied_len, expected_len);
1363 u32 expected_len =
sizeof(*mp) + acl_count*
sizeof(mp->
r[0]);
1368 rv = VNET_API_ERROR_INVALID_VALUE;
1383 vl_api_acl_del_reply_t *rmp;
1397 vl_api_acl_interface_add_del_reply_t *rmp;
1401 rv = VNET_API_ERROR_INVALID_SW_IF_INDEX;
1415 vl_api_acl_interface_set_acl_list_reply_t *rmp;
1422 rv = VNET_API_ERROR_INVALID_SW_IF_INDEX;
1428 for (i = 0; i < mp->
count; i++)
1436 for (i = 0; i < mp->
count; i++)
1439 ntohl (mp->
acls[i]));
1444 REPLY_MACRO (VL_API_ACL_INTERFACE_SET_ACL_LIST_REPLY);
1480 int msg_size =
sizeof (*mp) +
sizeof (mp->
r[0]) * acl->
count;
1484 memset (mp, 0, msg_size);
1485 mp->_vl_msg_id = ntohs (VL_API_ACL_DETAILS + am->
msg_id_base);
1491 memcpy (mp->
tag, acl->
tag, sizeof (mp->
tag));
1494 for (i = 0; i < acl->
count; i++)
1526 send_acl_details(am, q, acl, mp->context);
1550 u32 sw_if_index,
u32 context)
1565 count = n_input + n_output;
1567 msg_size =
sizeof (*mp);
1568 msg_size +=
sizeof (mp->
acls[0]) * count;
1571 memset (mp, 0, msg_size);
1573 ntohs (VL_API_ACL_INTERFACE_LIST_DETAILS + am->
msg_id_base);
1580 for (i = 0; i < n_input; i++)
1584 for (i = 0; i < n_output; i++)
1586 mp->
acls[n_input +
i] =
1615 send_acl_interface_list_details(am, q, swif->sw_if_index, mp->context);
1635 u32 acl_list_index = ~0;
1637 u32 expected_len =
sizeof(*mp) + acl_count*
sizeof(mp->
r[0]);
1642 rv = VNET_API_ERROR_INVALID_VALUE;
1661 u32 expected_len =
sizeof(*mp) + acl_count*
sizeof(mp->
r[0]);
1666 rv = VNET_API_ERROR_INVALID_VALUE;
1681 vl_api_macip_acl_del_reply_t *rmp;
1694 vl_api_macip_acl_interface_add_del_reply_t *rmp;
1700 rv = VNET_API_ERROR_INVALID_SW_IF_INDEX;
1706 REPLY_MACRO (VL_API_MACIP_ACL_INTERFACE_ADD_DEL_REPLY);
1717 int msg_size =
sizeof (*mp) + (acl ?
sizeof (mp->
r[0]) * acl->
count : 0);
1720 memset (mp, 0, msg_size);
1721 mp->_vl_msg_id = ntohs (VL_API_MACIP_ACL_DETAILS + am->
msg_id_base);
1727 memcpy (mp->
tag, acl->
tag, sizeof (mp->
tag));
1731 for (i = 0; i < acl->
count; i++)
1740 memcpy (rules[i].src_ip_addr, &r->
src_ip_addr.ip6,
1743 memcpy (rules[i].src_ip_addr, &r->
src_ip_addr.ip4,
1778 send_macip_acl_details (am, q, acl,
1802 int msg_size =
sizeof (*rmp) +
sizeof (rmp->
acls[0]) * count;
1813 memset (rmp, 0, msg_size);
1815 ntohs (VL_API_MACIP_ACL_INTERFACE_GET_REPLY + am->
msg_id_base);
1817 rmp->
count = htonl (count);
1818 for (i = 0; i <
count; i++)
1835 int msg_size =
sizeof (*rmp) +
sizeof (rmp->
acls[0]);
1838 memset (rmp, 0, msg_size);
1839 rmp->_vl_msg_id = ntohs (VL_API_MACIP_ACL_INTERFACE_LIST_DETAILS + am->
msg_id_base);
1845 rmp->
acls[0] = htonl (acl_index);
1863 if (sw_if_index == ~0)
1892 vl_msg_api_set_handlers((VL_API_##N + am->msg_id_base), \ 1894 vl_api_##n##_t_handler, \ 1896 vl_api_##n##_t_endian, \ 1897 vl_api_##n##_t_print, \ 1898 sizeof(vl_api_##n##_t), 1); 1905 #define vl_msg_name_crc_list 1907 #undef vl_msg_name_crc_list 1912 #define _(id,n,crc) \ 1913 vl_msg_api_add_msg_name_crc (apim, #n "_" #crc, id + am->msg_id_base); 1914 foreach_vl_msg_name_crc_acl;
1989 if ((eh < 256) && (value < 2))
2034 if (
unformat (input,
"skip-ipv6-extension-header %u %u", &eh_val, &val)) {
2040 if (
unformat (input,
"use-hash-acl-matching %u", &val))
2045 if (
unformat (input,
"l4-match-nonfirst-fragment %u", &val))
2054 if (
unformat(input,
"validate %u", &val))
2056 else if (
unformat(input,
"trace %u", &val))
2062 if (
unformat(input,
"validate %u", &val))
2064 else if (
unformat(input,
"trace %u", &val))
2073 if (
unformat (input,
"max-entries")) {
2074 if (!
unformat(input,
"%u", &val)) {
2076 "expecting maximum number of entries, got `%U`",
2084 if (
unformat (input,
"hash-table-buckets")) {
2085 if (!
unformat(input,
"%u", &val)) {
2087 "expecting maximum number of hash table buckets, got `%U`",
2095 if (
unformat (input,
"hash-table-memory")) {
2098 "expecting maximum amount of hash table memory, got `%U`",
2111 if (!
unformat(input,
"%u", &timeout)) {
2113 "expecting timeout value in seconds, got `%U`",
2124 if (!
unformat(input,
"%u", &timeout)) {
2126 "expecting timeout value in seconds, got `%U`",
2135 if (!
unformat(input,
"%u", &timeout)) {
2137 "expecting timeout value in seconds, got `%U`",
2156 u8 *
a = va_arg (*args,
u8 *);
2157 return format (s,
"%02x:%02x:%02x:%02x:%02x:%02x",
2158 a[0], a[1], a[2], a[3], a[4], a[5]);
2166 out =
format(out,
"%s action %d ip %U/%d mac %U mask %U",
2188 vlib_cli_output(vm,
"MACIP acl_index: %d, count: %d (true len %d) tag {%s} is free pool slot: %d\n",
2190 vlib_cli_output(vm,
" ip4_table_index %d, ip6_table_index %d, l2_table_index %d\n",
2238 u32 show_bihash_verbose = 0;
2239 u32 show_session_thread_id = ~0;
2240 u32 show_session_session_index = ~0;
2241 unformat (input,
"thread %u index %u", &show_session_thread_id, &show_session_session_index);
2242 unformat (input,
"verbose %u", &show_bihash_verbose);
2246 out0 =
format(out0,
"Sessions total: add %lu - del %lu = %lu\n", n_adds, n_dels, n_adds - n_dels);
2248 out0 =
format(out0,
"\n\nPer-thread data:\n");
2251 out0 =
format(out0,
"Thread #%d:\n", wk);
2253 out0 =
format(out0,
" session index %u:\n", show_session_session_index);
2256 out0 =
format(out0,
" info: %016llx %016llx %016llx %016llx %016llx %016llx\n", m[0], m[1], m[2], m[3], m[4], m[5]);
2266 out0 =
format(out0,
" connection add/del stats:\n", wk);
2269 u32 sw_if_index = swif->sw_if_index;
2270 u64 n_adds = sw_if_index < vec_len(pw->fa_session_adds_by_sw_if_index) ? pw->fa_session_adds_by_sw_if_index[sw_if_index] : 0;
2271 u64 n_dels = sw_if_index < vec_len(pw->fa_session_dels_by_sw_if_index) ? pw->fa_session_dels_by_sw_if_index[sw_if_index] : 0;
2272 out0 = format(out0,
" sw_if_index %d: add %lu - del %lu = %lu\n", sw_if_index, n_adds, n_dels, n_adds - n_dels);
2275 out0 =
format(out0,
" connection timeout type lists:\n", wk);
2279 out0 =
format(out0,
" fa_conn_list_head[%d]: %d\n", tt, head_session_index);
2280 if (~0 != head_session_index) {
2302 out0 =
format(out0,
"\n\nConn cleaner thread counters:\n");
2303 #define _(cnt, desc) out0 = format(out0, " %20lu: %s\n", am->cnt, desc); 2309 vlib_cli_output(vm,
"Sessions per interval: min %lu max %lu increment: %f ms current: %f ms",
2316 else if (
unformat (input,
"interface"))
2318 u32 sw_if_index = ~0;
2321 unformat (input,
"sw_if_index %u", &sw_if_index);
2324 out0 =
format(out0,
"sw_if_index %d:\n", swi);
2328 out0 =
format(out0,
" input acl(s): ");
2330 out0 =
format(out0,
"%d ", *pj);
2332 out0 =
format(out0,
"\n");
2337 out0 =
format(out0,
" output acl(s): ");
2339 out0 =
format(out0,
"%d ", *pj);
2341 out0 =
format(out0,
"\n");
2354 unformat (input,
"index %u", &acl_index);
2360 if ((acl_index != ~0) && (acl_index !=
i)) {
2368 out0 =
format(out0,
" %4d: %s ", j, r->
is_ipv6 ?
"ipv6" :
"ipv4");
2384 out0 =
format(out0,
"\n");
2388 out0 =
format(out0,
" applied inbound on sw_if_index: ");
2390 out0 =
format(out0,
"%d ", *pj);
2392 out0 =
format(out0,
"\n");
2395 out0 =
format(out0,
" applied outbound on sw_if_index: ");
2397 out0 =
format(out0,
"%d ", *pj);
2399 out0 =
format(out0,
"\n");
2406 else if (
unformat (input,
"memory"))
2421 else if (
unformat (input,
"tables"))
2425 u32 sw_if_index = ~0;
2426 int show_acl_hash_info = 0;
2427 int show_applied_info = 0;
2428 int show_mask_type = 0;
2429 int show_bihash = 0;
2430 u32 show_bihash_verbose = 0;
2433 show_acl_hash_info = 1;
2436 unformat (input,
"index %u", &acl_index);
2437 }
else if (
unformat (input,
"applied")) {
2438 show_applied_info = 1;
2439 unformat (input,
"sw_if_index %u", &sw_if_index);
2440 }
else if (
unformat (input,
"mask")) {
2442 }
else if (
unformat (input,
"hash")) {
2444 unformat (input,
"verbose %u", &show_bihash_verbose);
2447 if ( ! (show_mask_type || show_acl_hash_info || show_applied_info || show_bihash) ) {
2450 show_acl_hash_info = 1;
2451 show_applied_info = 1;
2455 if (show_mask_type) {
2460 vlib_cli_output(vm,
" %3d: %016llx %016llx %016llx %016llx %016llx %016llx refcount %d",
2461 mte - am->ace_mask_type_pool,
2462 mte->mask.kv.key[0], mte->mask.kv.key[1], mte->mask.kv.key[2],
2463 mte->mask.kv.key[3], mte->mask.kv.key[4], mte->mask.kv.value, mte->refcount);
2468 if (show_acl_hash_info) {
2472 out0 =
format(out0,
"Mask-ready ACL representations\n");
2474 if ((acl_index != ~0) && (acl_index !=
i)) {
2478 out0 =
format(out0,
"acl-index %u bitmask-ready layout\n", i);
2485 out0 =
format(out0,
" %4d: %016llx %016llx %016llx %016llx %016llx %016llx mask index %d acl %d rule %d action %d src/dst portrange not ^2: %d,%d\n",
2496 if (show_applied_info) {
2499 out0 =
format(out0,
"Applied lookup entries for interfaces\n");
2505 if ((sw_if_index != ~0) && (sw_if_index != swi)) {
2508 out0 =
format(out0,
"sw_if_index %d:\n", swi);
2515 out0 =
format(out0,
" input lookup applied entries:\n");
2518 out0 =
format(out0,
" %4d: acl %d rule %d action %d bitmask-ready rule %d next %d prev %d tail %d hitcount %lld\n",
2530 out0 =
format(out0,
" output lookup applied entries:\n");
2533 out0 =
format(out0,
" %4d: acl %d rule %d action %d bitmask-ready rule %d next %d prev %d tail %d hitcount %lld\n",
2566 .path =
"set acl-plugin",
2567 .short_help =
"set acl-plugin session timeout {{udp idle}|tcp {idle|transient}} <seconds>",
2572 .path =
"show acl-plugin",
2573 .short_help =
"show acl-plugin {sessions|acl|interface|tables}",
2578 .path =
"show acl-plugin macip",
2579 .short_help =
"show acl-plugin macip {acl|interface}",
2585 .path =
"clear acl-plugin sessions",
2586 .short_help =
"clear acl-plugin sessions",
2595 u32 conn_table_hash_buckets;
2596 u32 conn_table_hash_memory_size;
2597 u32 conn_table_max_entries;
2600 u32 hash_lookup_hash_buckets;
2601 u32 hash_lookup_hash_memory;
2605 if (
unformat (input,
"connection hash buckets %d", &conn_table_hash_buckets))
2607 else if (
unformat (input,
"connection hash memory %d",
2608 &conn_table_hash_memory_size))
2610 else if (
unformat (input,
"connection count max %d",
2611 &conn_table_max_entries))
2613 else if (
unformat (input,
"main heap size %d",
2616 else if (
unformat (input,
"hash lookup heap size %d",
2619 else if (
unformat (input,
"hash lookup hash buckets %d",
2620 &hash_lookup_hash_buckets))
2622 else if (
unformat (input,
"hash lookup hash memory %d",
2623 &hash_lookup_hash_memory))
2638 memset (am, 0,
sizeof (*am));
2642 u8 *name =
format (0,
"acl_%08x%c", api_version, 0);
2690 am->fa_cleaner_cnt_delete_by_sw_index = 0;
2691 am->fa_cleaner_cnt_delete_by_sw_index_ok = 0;
2692 am->fa_cleaner_cnt_unknown_event = 0;
2693 am->fa_cleaner_cnt_timer_restarted = 0;
2694 am->fa_cleaner_cnt_wait_with_timeout = 0;
2697 #define _(N, v, s) am->fa_ipv6_known_eh_bitmap = clib_bitmap_set(am->fa_ipv6_known_eh_bitmap, v, 1);
#define vec_validate(V, I)
Make sure vector is long enough for given index (no header, unspecified alignment) ...
u32 * acl_ip4_output_classify_table_by_sw_if_index
static int macip_acl_interface_add_acl(acl_main_t *am, u32 sw_if_index, u32 macip_acl_index)
u32 fa_cleaner_node_index
u32 session_timeout_sec[ACL_N_TIMEOUTS]
static u8 * format_bitmap_hex(u8 *s, va_list *args)
Format a bitmap as a string of hex bytes.
Use acl_interface_set_acl_list instead Append/remove an ACL index to/from the list of ACLs checked fo...
#define vec_foreach_index(var, v)
Iterate over vector indices.
u32 fa_acl_in_ip4_l2_node_feat_next_node_index[32]
static int macip_acl_interface_add_del_acl(u32 sw_if_index, u8 is_add, u32 acl_list_index)
static clib_error_t * acl_clear_aclplugin_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
static int acl_set_skip_ipv6_eh(u32 eh, u32 value)
static int acl_hook_l2_output_classify(acl_main_t *am, u32 sw_if_index)
u16 vl_msg_api_get_msg_ids(const char *name, int n)
static int verify_message_len(void *mp, u32 expected_len, char *where)
static int acl_classify_add_del_table_tiny(vnet_classify_main_t *cm, u8 *mask, u32 mask_len, u32 next_table_index, u32 miss_next_index, u32 *table_index, int is_add)
#define UDP_SESSION_IDLE_TIMEOUT_SEC
void acl_plugin_hash_acl_set_trace_heap(acl_main_t *am, int on)
static void send_macip_acl_details(acl_main_t *am, unix_shared_memory_queue_t *q, macip_acl_list_t *acl, u32 context)
sll srl srl sll sra u16x4 i
static clib_error_t * acl_init(vlib_main_t *vm)
static void acl_setup_fa_nodes(void)
static void send_macip_acl_interface_list_details(acl_main_t *am, unix_shared_memory_queue_t *q, u32 sw_if_index, u32 acl_index, u32 context)
void show_fa_sessions_hash(vlib_main_t *vm, u32 verbose)
int acl_interface_out_enable_disable(acl_main_t *am, u32 sw_if_index, int enable_disable)
char ** l2output_get_feat_names(void)
static int acl_interface_del_inout_acl(u32 sw_if_index, u8 is_input, u32 acl_list_index)
uword * pending_clear_sw_if_index_bitmap
static void vl_api_acl_plugin_get_version_t_handler(vl_api_acl_plugin_get_version_t *mp)
int acl_interface_in_enable_disable(acl_main_t *am, u32 sw_if_index, int enable_disable)
u64 fa_current_cleaner_timer_wait_interval
Set the vector of input/output ACLs checked for an interface.
static clib_error_t * acl_show_aclplugin_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
#define foreach_acl_plugin_api_msg
u32 ** input_acl_vec_by_sw_if_index
Dump the list(s) of ACL applied to specific or all interfaces.
vnet_main_t * vnet_get_main(void)
vl_api_macip_acl_rule_t r[count]
static int count_skip(u8 *p, u32 size)
vnet_interface_main_t interface_main
static void vl_api_acl_add_replace_t_handler(vl_api_acl_add_replace_t *mp)
static void vl_api_macip_acl_dump_t_handler(vl_api_macip_acl_dump_t *mp)
int l4_match_nonfirst_fragment
void * mheap_alloc(void *memory, uword size)
Control ping from the client to the server response.
#define ACL_FA_CONN_TABLE_DEFAULT_HASH_NUM_BUCKETS
#define ACL_PLUGIN_VERSION_MINOR
static clib_error_t * acl_plugin_config(vlib_main_t *vm, unformat_input_t *input)
#define ACL_PLUGIN_HASH_LOOKUP_HASH_MEMORY
#define REPLY_MACRO2(t, body)
static void vl_api_macip_acl_add_t_handler(vl_api_macip_acl_add_t *mp)
u32 * acl_ip6_input_classify_table_by_sw_if_index
#define vec_terminate_c_string(V)
(If necessary) NULL terminate a vector containing a c-string.
void vnet_l2_input_classify_enable_disable(u32 sw_if_index, int enable_disable)
Enable/disable l2 input classification on a specific interface.
static mheap_t * mheap_header(u8 *v)
static uword * clib_bitmap_set(uword *ai, uword i, uword value)
Sets the ith bit of a bitmap to new_value Removes trailing zeros from the bitmap. ...
u64 session_timeout[ACL_N_TIMEOUTS]
fa_session_t * fa_sessions_pool
u32 l2_input_classify_next_acl_ip4
applied_hash_acl_info_t * output_applied_hash_acl_info_by_sw_if_index
u16 dstport_or_icmpcode_last
static clib_error_t * acl_show_aclplugin_macip_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
#define MHEAP_FLAG_THREAD_SAFE
u8 * format_mheap(u8 *s, va_list *va)
#define pool_len(p)
Number of elements in pool vector.
static u32 macip_find_match_type(macip_match_type_t *mv, u8 *mac_mask, u8 prefix_len, u8 is_ipv6)
#define vec_reset_length(v)
Reset vector length to zero NULL-pointer tolerant.
Details about one MACIP ACL.
u32 fa_acl_out_ip4_l2_node_feat_next_node_index[32]
f64 fa_cleaner_wait_time_increment
#define vec_add(V, E, N)
Add N elements to end of vector V (no header, unspecified alignment)
void hash_acl_add(acl_main_t *am, int acl_index)
uword fa_conn_table_hash_memory_size
u16 dst_port_or_code_last
static clib_error_t * acl_sw_interface_add_del(vnet_main_t *vnm, u32 sw_if_index, u32 is_add)
u32 l2_output_classify_next_acl_ip4
ip46_address_t src_ip_addr
void mv(vnet_classify_table_t *t)
u32 next_applied_entry_index
void acl_plugin_hash_acl_set_validate_heap(acl_main_t *am, int on)
#define pool_foreach(VAR, POOL, BODY)
Iterate through pool.
#define VLIB_INIT_FUNCTION(x)
static int acl_is_not_defined(acl_main_t *am, u32 acl_list_index)
u16 dstport_or_icmpcode_first
u64 fa_conn_table_max_entries
uword vlib_node_add_next_with_slot(vlib_main_t *vm, uword node_index, uword next_node_index, uword slot)
u64 cnt_session_timer_restarted
#define vec_elt_at_index(v, i)
Get vector value at index i checking that i is in bounds.
Add or delete a MACIP ACL to/from interface.
#define clib_error_return(e, args...)
static u8 * format_acl_action(u8 *s, u8 action)
#define ACL_FA_CONN_TABLE_DEFAULT_MAX_ENTRIES
int vnet_l2_output_classify_set_tables(u32 sw_if_index, u32 ip4_table_index, u32 ip6_table_index, u32 other_table_index)
Set l2 per-protocol, per-interface output classification tables.
#define vec_search(v, E)
Search a vector for the index of the entry that matches.
VNET_SW_INTERFACE_ADD_DEL_FUNCTION(acl_sw_interface_add_del)
void hash_acl_unapply(acl_main_t *am, u32 sw_if_index, u8 is_input, int acl_index)
u32 * inbound_sw_if_index_list
void * vl_msg_api_alloc(int nbytes)
Reply to add/replace MACIP ACL.
u32 fa_acl_out_ip6_l2_node_feat_next_node_index[32]
static u8 * my_macip_acl_rule_t_pretty_format(u8 *out, va_list *args)
u32 * acl_ip4_input_classify_table_by_sw_if_index
uword * mask_type_index_bitmap
int vnet_classify_add_del_session(vnet_classify_main_t *cm, u32 table_index, u8 *match, u32 hit_next_index, u32 opaque_index, i32 advance, u8 action, u32 metadata, int is_add)
static int acl_unhook_l2_input_classify(acl_main_t *am, u32 sw_if_index)
applied_hash_acl_info_t * input_applied_hash_acl_info_by_sw_if_index
static int acl_hook_l2_input_classify(acl_main_t *am, u32 sw_if_index)
#define pool_elt_at_index(p, i)
Returns pointer to element at given index.
Details about a single MACIP ACL contents.
static void acl_set_session_max_entries(u32 value)
Control ping from client to api server request.
u8 dst_portrange_not_powerof2
static void setup_message_id_table(acl_main_t *am, api_main_t *apim)
static void vlib_process_signal_event(vlib_main_t *vm, uword node_index, uword type_opaque, uword data)
#define ACL_FA_DEFAULT_CLEANER_WAIT_TIME_INCREMENT
u16 dst_port_or_code_first
#define TCP_SESSION_IDLE_TIMEOUT_SEC
static void vl_api_acl_dump_t_handler(vl_api_acl_dump_t *mp)
uword * fa_ipv6_known_eh_bitmap
Replace an existing ACL in-place or create a new ACL.
#define ACL_FA_DEFAULT_MIN_DELETED_SESSIONS_PER_INTERVAL
hash_acl_info_t * hash_acl_infos
#define pool_put(P, E)
Free an object E in pool P.
void acl_plugin_acl_set_validate_heap(acl_main_t *am, int on)
Details about a single ACL contents.
union fa_session_t::@287 tcp_flags_seen
#define VLIB_CONFIG_FUNCTION(x, n,...)
#define vec_del1(v, i)
Delete the element at index I.
vl_api_acl_rule_t r[count]
static int get_l3_src_offset(int is6)
void show_hash_acl_hash(vlib_main_t *vm, acl_main_t *am, u32 verbose)
u32 l2_input_classify_next_acl_ip6
int interrupt_is_unwanted
static u8 * my_format_mac_address(u8 *s, va_list *args)
static void send_acl_details(acl_main_t *am, unix_shared_memory_queue_t *q, acl_list_t *acl, u32 context)
u16 src_port_or_type_first
u64 fa_min_deleted_sessions_per_interval
static int match_type_compare(macip_match_type_t *m1, macip_match_type_t *m2)
API main structure, used by both vpp and binary API clients.
#define pool_get_aligned(P, E, A)
Allocate an object E from a pool P (general version).
vl_api_acl_rule_t r[count]
static int acl_unhook_l2_output_classify(acl_main_t *am, u32 sw_if_index)
uword * mask_type_index_bitmap
Dump the list(s) of MACIP ACLs applied to specific or all interfaces.
static int match_type_metric(macip_match_type_t *m)
static int macip_acl_del_list(u32 acl_list_index)
Dump one or all defined MACIP ACLs.
static int acl_classify_add_del_table_small(vnet_classify_main_t *cm, u8 *mask, u32 mask_len, u32 next_table_index, u32 miss_next_index, u32 *table_index, int is_add)
applied_hash_ace_entry_t ** output_hash_entry_vec_by_sw_if_index
u64 fa_session_total_adds
#define vec_free(V)
Free vector's memory (no header).
void acl_plugin_acl_set_trace_heap(acl_main_t *am, int on)
static void feat_bitmap_init_next_nodes(vlib_main_t *vm, u32 node_index, u32 num_features, char **feat_names, u32 *next_nodes)
Initialize the feature next-node indexes of a graph node.
u32 * outbound_sw_if_index_list
static void * clib_mem_set_heap(void *heap)
u16 srcport_or_icmptype_first
void hash_acl_delete(acl_main_t *am, int acl_index)
Reply to add/replace ACL.
#define clib_warning(format, args...)
static int acl_interface_add_inout_acl(u32 sw_if_index, u8 is_input, u32 acl_list_index)
Reply with the vector of MACIP ACLs by sw_if_index.
unix_shared_memory_queue_t * vl_api_client_index_to_input_queue(u32 index)
int vnet_l2_input_classify_set_tables(u32 sw_if_index, u32 ip4_table_index, u32 ip6_table_index, u32 other_table_index)
Set l2 per-protocol, per-interface input classification tables.
int use_hash_acl_matching
#define pool_is_free_index(P, I)
Use free bitmap to query whether given index is free.
vlib_node_t * vlib_get_node_by_name(vlib_main_t *vm, u8 *name)
#define foreach_fa_cleaner_counter
vl_api_macip_acl_rule_t r[count]
void acl_fa_enable_disable(u32 sw_if_index, int is_input, int enable_disable)
#define VLIB_CLI_COMMAND(x,...)
struct _vnet_classify_main vnet_classify_main_t
u16 srcport_or_icmptype_last
#define ACL_PLUGIN_HASH_LOOKUP_HASH_BUCKETS
u32 hash_lookup_hash_buckets
void vl_msg_api_send_shmem(unix_shared_memory_queue_t *q, u8 *elem)
static void vl_api_acl_interface_add_del_t_handler(vl_api_acl_interface_add_del_t *mp)
static int macip_acl_interface_del_acl(acl_main_t *am, u32 sw_if_index)
static void vl_api_macip_acl_del_t_handler(vl_api_macip_acl_del_t *mp)
u16 src_port_or_type_last
MACIP Access List Rule entry.
static int macip_create_classify_tables(acl_main_t *am, u32 macip_acl_index)
static void acl_set_timeout_sec(int timeout_type, u32 value)
static void send_acl_interface_list_details(acl_main_t *am, unix_shared_memory_queue_t *q, u32 sw_if_index, u32 context)
#define ACL_FA_DEFAULT_HEAP_SIZE
#define MHEAP_FLAG_VALIDATE
vnet_classify_main_t vnet_classify_main
static void vl_api_macip_acl_add_replace_t_handler(vl_api_macip_acl_add_replace_t *mp)
Reply to get the plugin version.
static clib_error_t * acl_plugin_api_hookup(vlib_main_t *vm)
static int macip_acl_add_list(u32 count, vl_api_macip_acl_rule_t rules[], u32 *acl_list_index, u8 *tag)
uword * serviced_sw_if_index_bitmap
vl_api_macip_acl_rule_t r[count]
u32 fa_acl_in_ip6_l2_node_feat_next_node_index[32]
static vlib_main_t * vlib_get_main(void)
Reply to set the ACL list on an interface.
int vnet_classify_add_del_table(vnet_classify_main_t *cm, u8 *mask, u32 nbuckets, u32 memory_size, u32 skip, u32 match, u32 next_table_index, u32 miss_next_index, u32 *table_index, u8 current_data_flag, i16 current_data_offset, int is_add, int del_chain)
#define vec_elt(v, i)
Get vector value at index i.
ace_mask_type_entry_t * ace_mask_type_pool
#define MHEAP_FLAG_SMALL_OBJECT_CACHE
static void macip_acl_print(acl_main_t *am, u32 macip_acl_index)
u32 prev_applied_entry_index
u32 * macip_acl_by_sw_if_index
Get the vector of MACIP ACL IDs applied to the interfaces.
u32 * acl_ip6_output_classify_table_by_sw_if_index
static void vl_api_acl_interface_list_dump_t_handler(vl_api_acl_interface_list_dump_t *mp)
static int acl_add_list(u32 count, vl_api_acl_rule_t rules[], u32 *acl_list_index, u8 *tag)
static void vl_api_acl_del_t_handler(vl_api_acl_del_t *mp)
macip_acl_list_t * macip_acls
#define vec_len(v)
Number of elements in vector (rvalue-only, NULL tolerant)
Details about a single ACL contents.
static void vl_api_macip_acl_interface_list_dump_t_handler(vl_api_macip_acl_interface_list_dump_t *mp)
acl_fa_per_worker_data_t * per_worker_data
#define vec_sort_with_function(vec, f)
Sort a vector using the supplied element comparison function.
vnet_sw_interface_t * sw_interfaces
int fa_interrupt_generation
u32 ** input_sw_if_index_vec_by_acl
u64 cnt_already_deleted_sessions
void vnet_l2_output_classify_enable_disable(u32 sw_if_index, int enable_disable)
Enable/disable l2 input classification on a specific interface.
static void vl_api_acl_interface_set_acl_list_t_handler(vl_api_acl_interface_set_acl_list_t *mp)
u64 fa_max_deleted_sessions_per_interval
static clib_error_t * acl_set_aclplugin_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
static void acl_interface_reset_inout_acls(u32 sw_if_index, u8 is_input)
void hash_acl_apply(acl_main_t *am, u32 sw_if_index, u8 is_input, int acl_index)
static int acl_interface_add_del_inout_acl(u32 sw_if_index, u8 is_add, u8 is_input, u32 acl_list_index)
static vlib_thread_main_t * vlib_get_thread_main()
static void copy_acl_rule_to_api_rule(vl_api_acl_rule_t *api_rule, acl_rule_t *r)
void mheap_validate(void *v)
#define vec_foreach(var, vec)
Vector iterator.
static void * acl_set_heap(acl_main_t *am)
u32 tail_applied_entry_index
u32 vl_msg_api_get_msg_length(void *msg_arg)
u32 ** output_sw_if_index_vec_by_acl
#define ACL_PLUGIN_VERSION_MAJOR
#define vec_validate_init_empty(V, I, INIT)
Make sure vector is long enough for given index and initialize empty space (no header, unspecified alignment)
#define CLIB_CACHE_LINE_BYTES
#define ACL_PLUGIN_HASH_LOOKUP_HEAP_SIZE
u32 hash_lookup_mheap_size
u32 l2_output_classify_next_acl_ip6
u8 src_portrange_not_powerof2
void vlib_cli_output(vlib_main_t *vm, char *fmt,...)
#define ACL_FA_DEFAULT_MAX_DELETED_SESSIONS_PER_INTERVAL
static void vl_api_acl_plugin_control_ping_t_handler(vl_api_acl_plugin_control_ping_t *mp)
u32 ** output_acl_vec_by_sw_if_index
#define TCP_SESSION_TRANSIENT_TIMEOUT_SEC
static void vl_api_macip_acl_interface_add_del_t_handler(vl_api_macip_acl_interface_add_del_t *mp)
u32 hash_lookup_hash_memory
u64 current_time_wait_interval
u32 fa_conn_table_hash_num_buckets
#define ACL_FA_CONN_TABLE_DEFAULT_HASH_MEMORY_SIZE
u64 fa_session_total_dels
struct _unix_shared_memory_queue unix_shared_memory_queue_t
static int acl_del_list(u32 acl_list_index)
static void macip_destroy_classify_tables(acl_main_t *am, u32 macip_acl_index)
static void vl_api_macip_acl_interface_get_t_handler(vl_api_macip_acl_interface_get_t *mp)
applied_hash_ace_entry_t ** input_hash_entry_vec_by_sw_if_index
foreach_fa_cleaner_counter vlib_main_t * vlib_main
1.8.11 
