24 #include <vpp/app/version.h> 43 #define vl_print(handle, ...) vlib_cli_output (handle, __VA_ARGS__) 49 #define vl_api_version(n,v) static u32 api_version=(v); 58 #define REPLY_MSG_ID_BASE am->msg_id_base 70 #define foreach_acl_plugin_api_msg \ 71 _(ACL_PLUGIN_GET_VERSION, acl_plugin_get_version) \ 72 _(ACL_PLUGIN_CONTROL_PING, acl_plugin_control_ping) \ 73 _(ACL_ADD_REPLACE, acl_add_replace) \ 75 _(ACL_INTERFACE_ADD_DEL, acl_interface_add_del) \ 76 _(ACL_INTERFACE_SET_ACL_LIST, acl_interface_set_acl_list) \ 77 _(ACL_DUMP, acl_dump) \ 78 _(ACL_INTERFACE_LIST_DUMP, acl_interface_list_dump) \ 79 _(MACIP_ACL_ADD, macip_acl_add) \ 80 _(MACIP_ACL_ADD_REPLACE, macip_acl_add_replace) \ 81 _(MACIP_ACL_DEL, macip_acl_del) \ 82 _(MACIP_ACL_INTERFACE_ADD_DEL, macip_acl_interface_add_del) \ 83 _(MACIP_ACL_DUMP, macip_acl_dump) \ 84 _(MACIP_ACL_INTERFACE_GET, macip_acl_interface_get) \ 85 _(MACIP_ACL_INTERFACE_LIST_DUMP, macip_acl_interface_list_dump) \ 86 _(ACL_INTERFACE_SET_ETYPE_WHITELIST, acl_interface_set_etype_whitelist) \ 87 _(ACL_INTERFACE_ETYPE_WHITELIST_DUMP, acl_interface_etype_whitelist_dump) 92 .version = VPP_BUILD_VER,
93 .description =
"Access Control Lists",
105 char *fmt = va_arg (*va,
char *);
107 for (i = 0; i <
vec_len (v); i++)
111 s =
format (s, fmt, v[i]);
124 u64 per_worker_slack = 1000000LL;
125 u64 per_worker_size =
128 u64 per_worker_size_with_slack = per_worker_slack + per_worker_size;
129 u64 main_slack = 2000000LL;
133 per_worker_size_with_slack * tm->
n_vlib_mains + bihash_size +
139 clib_warning (
"ACL heap size requested: %lld, max possible %lld",
146 (
"ACL plugin failed to allocate main heap of %U bytes, abort",
201 int msg_size =
sizeof (*rmp);
209 memset (rmp, 0, msg_size);
211 ntohs (VL_API_ACL_PLUGIN_GET_VERSION_REPLY + am->
msg_id_base);
230 rmp->
vpe_pid = ntohl (getpid ());
256 u8 *out0 =
format (0,
"acl-index %u count %u tag {%s}\n", acl_index,
260 for (j = 0; j < am->
acls[acl_index].
count; j++)
263 out0 =
format (out0,
" %4d: %s ", j, r->
is_ipv6 ?
"ipv6" :
"ipv4");
288 out0 =
format (out0,
"\n");
309 u32 **ppolicy_epoch_by_swi =
325 if (acl_num <
vec_len (*p_swi_vec_by_acl))
347 u32 * acl_list_index,
u8 * tag)
356 clib_warning (
"API dbg: acl_add_list index %d tag %s", *acl_list_index,
359 if (*acl_list_index != ~0)
366 (
"acl-plugin-error: Trying to replace nonexistent ACL %d (tag %s)",
367 *acl_list_index, tag);
368 return VNET_API_ERROR_NO_SUCH_ENTRY;
374 (
"acl-plugin-warning: supplied no rules for ACL %d (tag %s)",
375 *acl_list_index, tag);
384 for (i = 0; i <
count; i++)
387 memset (r, 0,
sizeof (*r));
411 if (~0 == *acl_list_index)
415 memset (a, 0,
sizeof (*a));
417 *acl_list_index = a - am->
acls;
421 a = am->
acls + *acl_list_index;
426 a->
rules = acl_new_rules;
/* Copies exactly sizeof (a->tag) bytes from the caller's tag buffer into the
 * ACL entry.
 * NOTE(review): nothing visible here forces a terminating NUL, and the tag is
 * formatted with %s elsewhere in this listing ("tag {%s}", "tag %s"). Confirm
 * that the source buffer is at least sizeof (a->tag) bytes long and that a NUL
 * is guaranteed, or terminate the last byte explicitly after the copy. The
 * same copy recurs for MACIP ACLs at listing line 2235. */
428 memcpy (a->
tag, tag, sizeof (a->
tag));
446 if (acl_index <
vec_len (foo_index_vec_by_acl))
464 return VNET_API_ERROR_NO_SUCH_ENTRY;
467 return VNET_API_ERROR_ACL_IN_USE_INBOUND;
469 return VNET_API_ERROR_ACL_IN_USE_OUTBOUND;
472 return VNET_API_ERROR_ACL_IN_USE_BY_LOOKUP_CONTEXT;
495 _(
" dmac smac etype ")
496 _(ether) __ __ __ __ __ __
v __ __ __ __ __ __
v __ __
v 503 _(" ttl pr checksum ")
512 _("L4 T/U sport dport ")
523 _(" dmac smac etype ")
524 _(ether) __ __ __ __ __ __
v __ __ __ __ __ __
v __ __
v 526 _(0x0000) __ __ __ __
528 _(0x0004) __ __
XX __
539 _("L4T/U sport dport ")
540 _(tcpudp)
XX XX XX XX _(padpad) __ __ __ __ _(padeth) __ __;
543 _(" dmac smac dot1q etype ")
544 _(ether) __ __ __ __ __ __
v __ __ __ __ __ __
v XX XX __ __
v XX XX v 545 _(padpad) __ __ __ __
546 _(padpad) __ __ __ __
547 _(padpad) __ __ __ __
551 _(" dmac smac dot1ad dot1q etype ")
552 _(ether) __ __ __ __ __ __
v __ __ __ __ __ __
v XX XX __ __
XX XX __ __
v XX XX v 553 _(padpad) __ __ __ __
554 _(padpad) __ __ __ __
558 _(" dmac smac etype ")
559 _(ether) __ __ __ __ __ __
v __ __ __ __ __ __
v XX XX __ __;
575 while ((0ULL == *p64) && ((
u8 *) p64 - p) <
size)
579 return (p64 - (
u64 *) p) / 2;
584 u32 mask_len,
u32 next_table_index,
585 u32 miss_next_index,
u32 * table_index,
591 u32 match = (mask_len / 16) - skip;
592 u8 *skip_mask_ptr = mask + 16 * skip;
593 u32 current_data_flag = 0;
594 int current_data_offset = 0;
600 memory_size, skip, match,
601 next_table_index, miss_next_index,
602 table_index, current_data_flag,
603 current_data_offset, is_add,
611 u32 mask_len,
u32 next_table_index,
612 u32 miss_next_index,
u32 * table_index,
618 u32 match = (mask_len / 16) - skip;
619 u8 *skip_mask_ptr = mask + 16 * skip;
620 u32 current_data_flag = 0;
621 int current_data_offset = 0;
628 memory_size, skip, match,
629 next_table_index, miss_next_index,
630 table_index, current_data_flag,
631 current_data_offset, is_add,
641 u32 ip4_table_index = ~0;
642 u32 ip6_table_index = ~0;
643 u32 dot1q_table_index = ~0;
644 u32 dot1ad_table_index = ~0;
645 u32 etype_table_index = ~0;
669 sizeof (ip4_5tuple_mask) - 1, ~0,
671 &ip4_table_index, 0);
681 &ip6_table_index, 0);
690 ~0, &dot1q_table_index, 0);
699 ~0, &dot1ad_table_index, 0);
708 ~0, &etype_table_index, 0);
718 u32 ip4_table_index = ~0;
719 u32 ip6_table_index = ~0;
720 u32 dot1q_table_index = ~0;
721 u32 dot1ad_table_index = ~0;
722 u32 etype_table_index = ~0;
747 sizeof (ip4_5tuple_mask) - 1, ~0,
749 &ip4_table_index, 0);
759 &ip6_table_index, 0);
768 ~0, &dot1q_table_index, 0);
777 ~0, &dot1ad_table_index, 0);
786 ~0, &etype_table_index, 0);
794 u8 is_dot1ad,
u8 is_ip6)
815 idx = (is_dot1ad) ? 20 : 16;
836 match[idx + 1] = 0xdd;
842 match[idx + 1] = 0x00;
846 session_idx, 0, 0, 0, 1);
849 match[idx + 1] = 0xff;
870 u32 etype_table_index)
882 for (i = 0; i <
vec_len (whitelist); i++)
885 match[12] = (whitelist[
i] >> 8) & 0xff;
886 match[13] = whitelist[
i] & 0xff;
889 whitelist[i], 0, 0, 0, 1);
902 u32 ip4_table_index = ~0;
903 u32 ip6_table_index = ~0;
904 u32 dot1q_table_index = ~0;
905 u32 dot1ad_table_index = ~0;
906 u32 etype_table_index = ~0;
915 sizeof (ip4_5tuple_mask) - 1, ~0,
917 &ip4_table_index, 1);
925 &ip6_table_index, 1);
929 sizeof (ip4_5tuple_mask) - 1, ~0,
931 &ip4_table_index, 0);
938 &etype_table_index, 1);
945 etype_table_index, ~0,
946 &dot1ad_table_index, 1);
950 dot1ad_table_index, ~0,
951 &dot1q_table_index, 1);
956 ~0, &dot1ad_table_index, 0);
960 &ip6_table_index, 0);
962 sizeof (ip4_5tuple_mask) - 1, ~0,
964 &ip4_table_index, 0);
970 ip6_table_index, dot1q_table_index);
975 sizeof (ip4_5tuple_mask) - 1, ~0,
977 &ip4_table_index, 0);
981 &ip6_table_index, 0);
984 ~0, &dot1q_table_index, 0);
987 ~0, &dot1ad_table_index, 0);
1020 u32 ip4_table_index = ~0;
1021 u32 ip6_table_index = ~0;
1022 u32 dot1q_table_index = ~0;
1023 u32 dot1ad_table_index = ~0;
1024 u32 etype_table_index = ~0;
1033 sizeof (ip4_5tuple_mask) - 1, ~0,
1035 &ip4_table_index, 1);
1042 &ip6_table_index, 1);
1046 sizeof (ip4_5tuple_mask) - 1, ~0,
1048 &ip4_table_index, 0);
1055 &etype_table_index, 1);
1063 etype_table_index, ~0,
1064 &dot1ad_table_index, 1);
1068 dot1ad_table_index, ~0,
1069 &dot1q_table_index, 1);
1074 ~0, &dot1ad_table_index, 0);
1078 &ip6_table_index, 0);
1080 sizeof (ip4_5tuple_mask) - 1, ~0,
1082 &ip4_table_index, 0);
1088 ip6_table_index, dot1q_table_index);
1099 &ip6_table_index, 0);
1101 sizeof (ip4_5tuple_mask) - 1, ~0,
1103 &ip4_table_index, 0);
1106 ~0, &dot1q_table_index, 0);
1109 ~0, &dot1ad_table_index, 0);
1156 return VNET_API_ERROR_INVALID_SW_IF_INDEX;
1188 return VNET_API_ERROR_INVALID_SW_IF_INDEX;
1213 int is_input,
int enable_disable)
1229 u8 is_input,
u32 * vec_acl_list_index,
1230 int *may_clear_sessions)
1233 uword *seen_acl_bitmap = 0;
1234 uword *old_seen_acl_bitmap = 0;
1235 uword *change_acl_bitmap = 0;
1242 (
"API dbg: acl_interface_set_inout_acl_list: sw_if_index %d is_input %d acl_vec: [%U]",
1243 sw_if_index, is_input,
format_vec32, vec_acl_list_index,
"%d");
1251 rv = VNET_API_ERROR_NO_SUCH_ENTRY;
1257 clib_warning (
"ERROR: ACL %d being applied twice", *pacln);
1258 rv = VNET_API_ERROR_ENTRY_ALREADY_EXISTS;
1265 u32 **pinout_lc_index_by_sw_if_index =
1269 u32 ***pinout_acl_vec_by_sw_if_index =
1273 u32 ***pinout_sw_if_index_vec_by_acl =
1277 vec_validate ((*pinout_acl_vec_by_sw_if_index), sw_if_index);
1281 vec_foreach (pacln, (*pinout_acl_vec_by_sw_if_index)[sw_if_index])
1283 old_seen_acl_bitmap =
clib_bitmap_set (old_seen_acl_bitmap, *pacln, 1);
1289 clib_warning (
"bitmaps: old seen %U new seen %U changed %U",
1290 format_bitmap_hex, old_seen_acl_bitmap, format_bitmap_hex,
1291 seen_acl_bitmap, format_bitmap_hex, change_acl_bitmap);
1297 if (acln <
vec_len((*pinout_sw_if_index_vec_by_acl))) {
/* Drops sw_if_index from the per-ACL vector of interfaces.
 * NOTE(review): the vec_search result is handed to vec_del1 with no check in
 * between (listing lines 1298 and 1299 are consecutive). vec_search is
 * expected to return ~0 when nothing matches (confirm against vec.h), so
 * verify that the surrounding logic guarantees sw_if_index is present in this
 * vector, or skip the delete when index is out of range. */
1298 int index =
vec_search((*pinout_sw_if_index_vec_by_acl)[acln], sw_if_index);
1299 vec_del1((*pinout_sw_if_index_vec_by_acl)[acln], index);
1304 vec_add1((*pinout_sw_if_index_vec_by_acl)[acln], sw_if_index);
1309 vec_free ((*pinout_acl_vec_by_sw_if_index)[sw_if_index]);
1310 (*pinout_acl_vec_by_sw_if_index)[sw_if_index] =
1321 if (may_clear_sessions && *may_clear_sessions
1325 *may_clear_sessions = 0;
1334 if (
vec_len (vec_acl_list_index) > 0)
1336 u32 lc_index = (*pinout_lc_index_by_sw_if_index)[sw_if_index];
1341 acl_plugin.register_user_module (
"interface ACL",
"sw_if_index",
1345 sw_if_index, is_input);
1346 (*pinout_lc_index_by_sw_if_index)[sw_if_index] = lc_index;
1348 acl_plugin.set_acl_vec_for_context (lc_index, vec_acl_list_index);
1352 if (~0 != (*pinout_lc_index_by_sw_if_index)[sw_if_index])
1354 acl_plugin.put_lookup_context_index ((*pinout_lc_index_by_sw_if_index)[sw_if_index]);
1355 (*pinout_lc_index_by_sw_if_index)[sw_if_index] = ~0;
1361 vec_len (vec_acl_list_index) > 0);
1372 int *may_clear_sessions)
1377 may_clear_sessions);
1388 int may_clear_sessions = 1;
1390 int error_already_applied = is_input ? VNET_API_ERROR_ACL_IN_USE_INBOUND
1391 : VNET_API_ERROR_ACL_IN_USE_OUTBOUND;
1393 u32 ***pinout_acl_vec_by_sw_if_index =
1401 vec_validate ((*pinout_acl_vec_by_sw_if_index), sw_if_index);
1402 u32 index =
vec_search ((*pinout_acl_vec_by_sw_if_index)[sw_if_index],
1407 rv = error_already_applied;
1411 acl_vec =
vec_dup ((*pinout_acl_vec_by_sw_if_index)[sw_if_index]);
1412 vec_add1 (acl_vec, acl_list_index);
1416 if (sw_if_index >=
vec_len (*pinout_acl_vec_by_sw_if_index))
1418 rv = VNET_API_ERROR_NO_SUCH_ENTRY;
1422 u32 index =
vec_search ((*pinout_acl_vec_by_sw_if_index)[sw_if_index],
1427 rv = VNET_API_ERROR_NO_SUCH_ENTRY;
1431 acl_vec =
vec_dup ((*pinout_acl_vec_by_sw_if_index)[sw_if_index]);
1436 &may_clear_sessions);
1510 for (i = 0; i <
vec_len (mv); i++)
1512 if ((mv[i].prefix_len == prefix_len) && (mv[
i].
is_ipv6 == is_ipv6)
1513 && (0 == memcmp (mv[i].mac_mask, mac_mask, 6)))
1528 unsigned int mac_bits_set = 0;
1529 unsigned int mac_byte;
1531 for (i = 0; i < 6; i++)
1534 for (; mac_byte; mac_byte >>= 1)
1535 mac_bits_set += mac_byte & 1;
1585 return (is_permit == 3);
1595 u32 match_type_index;
1602 for (i = 0; i < a->
count; i++)
1610 match_type_index =
vec_len (mvec);
1612 memcpy (mvec[match_type_index].mac_mask,
1630 mvec[match_type_index].
count++;
1638 out_last_table = ~0;
1645 u32 *last_tag_table;
1646 u32 *out_last_tag_table;
1678 for (tags = 2; tags >= 0; tags--)
1680 memset (mask, 0,
sizeof (mask));
1682 memcpy (&mask[6], mt->
mac_mask, 6);
1688 memset (&mask[12], 0xff, 2);
1693 memset (&mask[12], 0xff, 2);
1694 memset (&mask[16], 0xff, 2);
1699 memset (&mask[12], 0xff, 2);
1700 memset (&mask[16], 0xff, 2);
1701 memset (&mask[20], 0xff, 2);
1708 memcpy (&mask[l3_offset + 8], mt->
mac_mask, 6);
1711 mask[l3_offset + 14 + i] = 0xff;
1713 mask[l3_offset + 14 + (mt->
prefix_len / 8)] =
1714 0xff - ((1 << (8 - mt->
prefix_len % 8)) - 1);
1716 mask_len = ((l3_offset + 14 + ((mt->
prefix_len + 7) / 8) +
1720 (~0 == last_table) ? 0 : ~0,
1722 last_table = *last_tag_table;
1726 memset (mask, 0,
sizeof (mask));
1732 memset (&mask[12], 0xff, 2);
1737 memset (&mask[12], 0xff, 2);
1738 memset (&mask[16], 0xff, 2);
1743 memset (&mask[12], 0xff, 2);
1744 memset (&mask[16], 0xff, 2);
1745 memset (&mask[20], 0xff, 2);
1753 mask_len = ((l3_offset +
1759 out_last_table) ? 0 : ~0,
1760 out_last_tag_table, 1);
1761 out_last_table = *out_last_tag_table;
1774 u32 *last_tag_table;
1775 u32 *out_last_tag_table;
1780 for (tags = 2; tags >= 0; tags--)
1782 memset (mask, 0,
sizeof (mask));
1783 memcpy (&mask[6], mt->
mac_mask, 6);
1789 memset (&mask[12], 0xff, 2);
1793 memset (&mask[12], 0xff, 2);
1794 memset (&mask[16], 0xff, 2);
1798 memset (&mask[12], 0xff, 2);
1799 memset (&mask[16], 0xff, 2);
1800 memset (&mask[20], 0xff, 2);
1806 mask[l3_src_offs +
i] = 0xff;
1811 0xff - ((1 << (8 - mt->
prefix_len % 8)) - 1);
1817 mask_len = ((l3_src_offs + ((mt->
prefix_len + 7) / 8) +
1820 (~0 == last_table) ? 0 : ~0,
1822 last_table = *last_tag_table;
1826 for (tags = 2; tags >= 0; tags--)
1828 memset (mask, 0,
sizeof (mask));
1830 memcpy (&mask[0], mt->
mac_mask, 6);
1836 memset (&mask[12], 0xff, 2);
1840 memset (&mask[12], 0xff, 2);
1841 memset (&mask[16], 0xff, 2);
1845 memset (&mask[12], 0xff, 2);
1846 memset (&mask[16], 0xff, 2);
1847 memset (&mask[20], 0xff, 2);
1853 mask[l3_dst_offs +
i] = 0xff;
1858 0xff - ((1 << (8 - mt->
prefix_len % 8)) - 1);
1864 mask_len = ((l3_dst_offs + ((mt->
prefix_len + 7) / 8) +
1869 (~0 == out_last_table) ? 0 : ~0,
1870 out_last_tag_table, 1);
1871 out_last_table = *out_last_tag_table;
1884 for (i = 0; i < a->
count; i++)
1898 ASSERT (match_type_index != ~0);
1900 for (tags = 2; tags >= 0; tags--)
1902 memset (mask, 0,
sizeof (mask));
1931 mask[eth + 1] = 0xdd;
1937 mask[eth + 1] = 0x00;
1943 i, 0, action, metadata, 1);
1944 memset (&mask[12], 0,
sizeof (mask) - 12);
1948 if (!is6 && (mvec[match_type_index].arp_table_index != ~0))
1950 memset (mask, 0,
sizeof (mask));
1953 for (tags = 2; tags >= 0; tags--)
1984 memcpy (&mask[l3_src_offs + 8], a->
rules[i].
src_mac, 6);
1989 i, 0, action, metadata, 1);
1995 for (tags = 2; tags >= 0; tags--)
1997 memset (mask, 0,
sizeof (mask));
2028 mask[eth + 1] = 0xdd;
2035 mask[eth + 1] = 0x00;
2042 i, 0, action, metadata, 1);
2047 if (!is6 && (mvec[match_type_index].out_arp_table_index != ~0))
2049 for (tags = 2; tags >= 0; tags--)
2051 memset (mask, 0,
sizeof (mask));
2083 rules[i].is_permit ? ~0 : 0,
2084 i, 0, action, metadata, 1);
2165 u32 * acl_list_index,
u8 * tag)
2174 if (*acl_list_index != ~0)
2181 (
"acl-plugin-error: Trying to replace nonexistent MACIP ACL %d (tag %s)",
2182 *acl_list_index, tag);
2183 return VNET_API_ERROR_NO_SUCH_ENTRY;
2190 (
"acl-plugin-warning: Trying to create empty MACIP ACL (tag %s)",
2194 if (~0 != *acl_list_index)
2201 for (i = 0; i <
count; i++)
2203 r = &acl_new_rules[
i];
2208 if (rules[i].is_ipv6)
2215 if (~0 == *acl_list_index)
2219 memset (a, 0,
sizeof (*a));
2233 a->
rules = acl_new_rules;
2235 memcpy (a->
tag, tag, sizeof (a->
tag));
2257 u32 macip_acl_index;
2262 return VNET_API_ERROR_NO_SUCH_ENTRY;
2266 if (~0 == macip_acl_index)
2267 return VNET_API_ERROR_NO_SUCH_ENTRY;
2292 u32 macip_acl_index)
2298 return VNET_API_ERROR_NO_SUCH_ENTRY;
2330 return VNET_API_ERROR_NO_SUCH_ENTRY;
2395 if (supplied_len < expected_len)
2397 clib_warning (
"%s: Supplied message length %d is less than expected %d",
2398 where, supplied_len, expected_len);
/* Minimum message length implied by the count: the fixed part of *mp plus
 * acl_count elements of mp->r.
 * NOTE(review): the sizeof terms are size_t but the result is stored in a u32,
 * so the sum is narrowed on assignment. If acl_count is taken from the request
 * without an upper bound (its origin is not visible here, confirm), a large
 * count can wrap expected_len to a small value and weaken the length check
 * that consumes it. The same expression recurs at listing lines 2704 and
 * 2731. */
2416 u32 expected_len =
sizeof (*mp) + acl_count *
sizeof (mp->
r[0]);
2424 rv = VNET_API_ERROR_INVALID_VALUE;
2439 vl_api_acl_del_reply_t *rmp;
2453 vl_api_acl_interface_add_del_reply_t *rmp;
2457 rv = VNET_API_ERROR_INVALID_SW_IF_INDEX;
2471 vl_api_acl_interface_set_acl_list_reply_t *rmp;
2478 rv = VNET_API_ERROR_INVALID_SW_IF_INDEX;
2481 int may_clear_sessions = 1;
2482 for (i = 0; i < mp->
count; i++)
2487 rv = VNET_API_ERROR_NO_SUCH_ENTRY;
2494 u32 *in_acl_vec = 0;
2495 u32 *out_acl_vec = 0;
2496 for (i = 0; i < mp->
count; i++)
2497 if (i < mp->n_input)
2498 vec_add1 (in_acl_vec, clib_net_to_host_u32 (mp->
acls[i]));
2500 vec_add1 (out_acl_vec, clib_net_to_host_u32 (mp->
acls[i]));
2504 &may_clear_sessions);
2508 &may_clear_sessions);
2515 REPLY_MACRO (VL_API_ACL_INTERFACE_SET_ACL_LIST_REPLY);
/* Reply size: the fixed part of *mp plus acl->count elements of mp->r.
 * NOTE(review): the size is held in an int, so the size_t product is narrowed
 * on assignment; the value is then used as the memset length at listing line
 * 2555. Confirm acl->count is bounded where the ACL is created so this cannot
 * truncate or become negative. */
2551 int msg_size =
sizeof (*mp) +
sizeof (mp->
r[0]) * acl->
count;
2555 memset (mp, 0, msg_size);
2556 mp->_vl_msg_id = ntohs (VL_API_ACL_DETAILS + am->
msg_id_base);
2562 memcpy (mp->
tag, acl->
tag, sizeof (mp->
tag));
2565 for (i = 0; i < acl->
count; i++)
2594 send_acl_details(am, reg, acl, mp->context);
2618 u32 sw_if_index,
u32 context)
2635 count = n_input + n_output;
2637 msg_size =
sizeof (*mp);
2638 msg_size +=
sizeof (mp->
acls[0]) * count;
2641 memset (mp, 0, msg_size);
2643 ntohs (VL_API_ACL_INTERFACE_LIST_DETAILS + am->
msg_id_base);
2650 for (i = 0; i < n_input; i++)
2654 for (i = 0; i < n_output; i++)
2656 mp->
acls[n_input +
i] =
2682 send_acl_interface_list_details(am, reg, swif->sw_if_index, mp->context);
2702 u32 acl_list_index = ~0;
2704 u32 expected_len =
sizeof (*mp) + acl_count *
sizeof (mp->
r[0]);
2712 rv = VNET_API_ERROR_INVALID_VALUE;
2731 u32 expected_len =
sizeof (*mp) + acl_count *
sizeof (mp->
r[0]);
2739 rv = VNET_API_ERROR_INVALID_VALUE;
2754 vl_api_macip_acl_del_reply_t *rmp;
2767 vl_api_macip_acl_interface_add_del_reply_t *rmp;
2773 rv = VNET_API_ERROR_INVALID_SW_IF_INDEX;
2779 REPLY_MACRO (VL_API_MACIP_ACL_INTERFACE_ADD_DEL_REPLY);
2790 int msg_size =
sizeof (*mp) + (acl ?
sizeof (mp->
r[0]) * acl->
count : 0);
2793 memset (mp, 0, msg_size);
2794 mp->_vl_msg_id = ntohs (VL_API_MACIP_ACL_DETAILS + am->
msg_id_base);
2800 memcpy (mp->
tag, acl->
tag, sizeof (mp->
tag));
2804 for (i = 0; i < acl->
count; i++)
2813 memcpy (rules[i].src_ip_addr, &r->
src_ip_addr.ip6,
2816 memcpy (rules[i].src_ip_addr, &r->
src_ip_addr.ip4,
2849 send_macip_acl_details (am, reg,
2874 int msg_size =
sizeof (*rmp) +
sizeof (rmp->
acls[0]) * count;
2883 memset (rmp, 0, msg_size);
2885 ntohs (VL_API_MACIP_ACL_INTERFACE_GET_REPLY + am->
msg_id_base);
2887 rmp->
count = htonl (count);
2888 for (i = 0; i <
count; i++)
2900 u32 acl_index,
u32 context)
2904 int msg_size =
sizeof (*rmp) +
sizeof (rmp->
acls[0]);
2907 memset (rmp, 0, msg_size);
2909 ntohs (VL_API_MACIP_ACL_INTERFACE_LIST_DETAILS + am->
msg_id_base);
2915 rmp->
acls[0] = htonl (acl_index);
2932 if (sw_if_index == ~0)
2961 vl_api_acl_interface_set_etype_whitelist_reply_t *rmp;
2966 u16 *vec_in = 0, *vec_out = 0;
2970 rv = VNET_API_ERROR_INVALID_SW_IF_INDEX;
2973 for (i = 0; i < mp->
count; i++)
2975 if (i < mp->n_input)
2984 REPLY_MACRO (VL_API_ACL_INTERFACE_SET_ETYPE_WHITELIST_REPLY);
2990 u32 sw_if_index,
u32 context)
2999 u16 *whitelist_in = 0;
3000 u16 *whitelist_out = 0;
3010 if ((0 == whitelist_in) && (0 == whitelist_out))
3015 n_input =
vec_len (whitelist_in);
3016 n_output =
vec_len (whitelist_out);
3017 count = n_input + n_output;
3019 msg_size =
sizeof (*mp);
3020 msg_size +=
sizeof (mp->
whitelist[0]) * count;
3023 memset (mp, 0, msg_size);
3025 ntohs (VL_API_ACL_INTERFACE_ETYPE_WHITELIST_DETAILS + am->
msg_id_base);
3032 for (i = 0; i < n_input; i++)
3036 for (i = 0; i < n_output; i++)
3038 mp->
whitelist[n_input +
i] = htons (whitelist_out[i]);
3065 send_acl_interface_etype_whitelist_details(am, reg, swif->sw_if_index, mp->context);
3086 vl_msg_api_set_handlers((VL_API_##N + am->msg_id_base), \ 3088 vl_api_##n##_t_handler, \ 3090 vl_api_##n##_t_endian, \ 3091 vl_api_##n##_t_print, \ 3092 sizeof(vl_api_##n##_t), 1); 3099 #define vl_msg_name_crc_list 3101 #undef vl_msg_name_crc_list 3106 #define _(id,n,crc) \ 3107 vl_msg_api_add_msg_name_crc (apim, #n "_" #crc, id + am->msg_id_base); 3108 foreach_vl_msg_name_crc_acl;
3168 clib_warning (
"Unknown timeout type %d", timeout_type);
3187 if ((eh < 256) && (value < 2))
3209 int may_clear_sessions = 1;
3236 if (
unformat (input,
"skip-ipv6-extension-header %u %u", &eh_val, &val))
3244 if (
unformat (input,
"use-hash-acl-matching %u", &val))
3249 if (
unformat (input,
"l4-match-nonfirst-fragment %u", &val))
3254 if (
unformat (input,
"reclassify-sessions %u", &val))
3259 if (
unformat (input,
"event-trace"))
3264 "expecting trace level, got `%U`",
3278 if (
unformat (input,
"validate %u", &val))
3280 else if (
unformat (input,
"trace %u", &val))
3286 if (
unformat (input,
"validate %u", &val))
3288 else if (
unformat (input,
"trace %u", &val))
3299 if (
unformat (input,
"max-entries"))
3304 "expecting maximum number of entries, got `%U`",
3314 if (
unformat (input,
"hash-table-buckets"))
3319 "expecting maximum number of hash table buckets, got `%U`",
3329 if (
unformat (input,
"hash-table-memory"))
3334 "expecting maximum amount of hash table memory, got `%U`",
3344 if (
unformat (input,
"event-trace"))
3349 "expecting trace level, got `%U`",
3367 if (!
unformat (input,
"%u", &timeout))
3370 "expecting timeout value in seconds, got `%U`",
3386 if (!
unformat (input,
"%u", &timeout))
3389 "expecting timeout value in seconds, got `%U`",
3402 if (!
unformat (input,
"%u", &timeout))
3405 "expecting timeout value in seconds, got `%U`",
3428 u8 *
a = va_arg (*args,
u8 *);
3429 return format (s,
"%02x:%02x:%02x:%02x:%02x:%02x",
3430 a[0], a[1], a[2], a[3], a[4], a[5]);
3438 out =
format (out,
"%s action %d ip %U/%d mac %U mask %U",
3462 "MACIP acl_index: %d, count: %d (true len %d) tag {%s} is free pool slot: %d\n",
3466 " ip4_table_index %d, ip6_table_index %d, l2_table_index %d\n",
3469 " out_ip4_table_index %d, out_ip6_table_index %d, out_l2_table_index %d\n",
3489 (void)
unformat (input,
"index %u", &acl_index);
3497 if ((acl_index != ~0) && (acl_index !=
i))
3544 if ((acl_index != ~0) && (acl_index !=
i))
3578 (void)
unformat (input,
"index %u", &acl_index);
3592 (void)
unformat (input,
"index %u", &lc_index);
3606 (void)
unformat (input,
"index %u", &lc_index);
3624 if ((sw_if_index != ~0) && (sw_if_index != swi))
3703 u64 five_tuple[6] = { 0, 0, 0, 0, 0, 0 };
3706 (input,
"%llx %llx %llx %llx %llx %llx", &five_tuple[0], &five_tuple[1],
3707 &five_tuple[2], &five_tuple[3], &five_tuple[4], &five_tuple[5]))
3724 u32 sw_if_index = ~0;
3725 (void)
unformat (input,
"sw_if_index %u", &sw_if_index);
3726 int show_acl =
unformat (input,
"acl");
3727 int detail =
unformat (input,
"detail");
3764 u32 show_session_thread_id,
3765 u32 show_session_session_index)
3778 vlib_cli_output (vm,
"Sessions total: add %lu - del %lu = %lu", n_adds,
3779 n_dels, n_adds - n_dels);
3780 vlib_cli_output (vm,
"Sessions active: add %lu - deact %lu = %lu", n_adds,
3781 n_deact, n_adds - n_deact);
3782 vlib_cli_output (vm,
"Sessions being purged: deact %lu - del %lu = %lu",
3783 n_deact, n_dels, n_deact - n_dels);
3792 if (show_session_thread_id == wk
3796 show_session_session_index);
3801 " info: %016llx %016llx %016llx %016llx %016llx %016llx",
3802 m[0], m[1], m[2], m[3], m[4], m[5]);
3825 (pw->fa_session_adds_by_sw_if_index)
3827 pw->fa_session_adds_by_sw_if_index
3832 (pw->fa_session_dels_by_sw_if_index)
3834 pw->fa_session_dels_by_sw_if_index
3836 u64 n_epoch_changes =
3839 (pw->fa_session_epoch_change_by_sw_if_index)
3841 pw->fa_session_epoch_change_by_sw_if_index
3843 vlib_cli_output (vm,
3844 " sw_if_index %d: add %lu - del %lu = %lu; epoch chg: %lu",
3860 head_session_index);
3861 if (~0 != head_session_index)
3900 #define _(cnt, desc) vlib_cli_output(vm, " %20lu: %s", am->cnt, desc); 3906 "Sessions per interval: min %lu max %lu increment: %f ms current: %f ms",
3923 u32 show_bihash_verbose = 0;
3924 u32 show_session_thread_id = ~0;
3925 u32 show_session_session_index = ~0;
3926 (void)
unformat (input,
"thread %u index %u", &show_session_thread_id,
3927 &show_session_session_index);
3928 (void)
unformat (input,
"verbose %u", &show_bihash_verbose);
3931 show_session_session_index);
3945 int show_acl_hash_info = 0;
3946 int show_applied_info = 0;
3947 int show_mask_type = 0;
3948 int show_bihash = 0;
3949 u32 show_bihash_verbose = 0;
3953 show_acl_hash_info = 1;
3956 unformat (input,
"index %u", &acl_index);
3958 else if (
unformat (input,
"applied"))
3960 show_applied_info = 1;
3961 unformat (input,
"lc_index %u", &lc_index);
3970 unformat (input,
"verbose %u", &show_bihash_verbose);
3974 (show_mask_type || show_acl_hash_info || show_applied_info
3979 show_acl_hash_info = 1;
3980 show_applied_info = 1;
3985 if (show_acl_hash_info)
3987 if (show_applied_info)
4008 .path =
"set acl-plugin",
4009 .short_help =
"set acl-plugin session timeout {{udp idle}|tcp {idle|transient}} <seconds>",
4014 .path =
"show acl-plugin acl",
4015 .short_help =
"show acl-plugin acl [index N]",
4020 .path =
"show acl-plugin lookup context",
4021 .short_help =
"show acl-plugin lookup context [index N]",
4026 .path =
"show acl-plugin lookup user",
4027 .short_help =
"show acl-plugin lookup user [index N]",
4032 .path =
"show acl-plugin decode 5tuple",
4033 .short_help =
"show acl-plugin decode 5tuple XXXX XXXX XXXX XXXX XXXX XXXX",
4038 .path =
"show acl-plugin interface",
4039 .short_help =
"show acl-plugin interface [sw_if_index N] [acl]",
4044 .path =
"show acl-plugin memory",
4045 .short_help =
"show acl-plugin memory",
4050 .path =
"show acl-plugin sessions",
4051 .short_help =
"show acl-plugin sessions",
4056 .path =
"show acl-plugin tables",
4057 .short_help =
"show acl-plugin tables [ acl [index N] | applied [ lc_index N ] | mask | hash [verbose N] ]",
4062 .path =
"show acl-plugin macip acl",
4063 .short_help =
"show acl-plugin macip acl [index N]",
4068 .path =
"show acl-plugin macip interface",
4069 .short_help =
"show acl-plugin macip interface",
4074 .path =
"clear acl-plugin sessions",
4075 .short_help =
"clear acl-plugin sessions",
4084 u32 conn_table_hash_buckets;
4085 u32 conn_table_hash_memory_size;
4086 u32 conn_table_max_entries;
4087 uword main_heap_size;
4088 uword hash_heap_size;
4089 u32 hash_lookup_hash_buckets;
4090 u32 hash_lookup_hash_memory;
4091 u32 reclassify_sessions;
4092 u32 use_tuple_merge;
4093 u32 tuple_merge_split_threshold;
4098 (input,
"connection hash buckets %d", &conn_table_hash_buckets))
4100 else if (
unformat (input,
"connection hash memory %d",
4101 &conn_table_hash_memory_size))
4103 else if (
unformat (input,
"connection count max %d",
4104 &conn_table_max_entries))
4116 else if (
unformat (input,
"hash lookup hash buckets %d",
4117 &hash_lookup_hash_buckets))
4119 else if (
unformat (input,
"hash lookup hash memory %d",
4120 &hash_lookup_hash_memory))
4122 else if (
unformat (input,
"use tuple merge %d", &use_tuple_merge))
4126 (input,
"tuple merge split threshold %d",
4127 &tuple_merge_split_threshold))
4130 else if (
unformat (input,
"reclassify sessions %d",
4131 &reclassify_sessions))
4148 memset (am, 0,
sizeof (*am));
4153 u8 *name =
format (0,
"acl_%08x%c", api_version, 0);
4223 am->fa_cleaner_cnt_delete_by_sw_index = 0;
4224 am->fa_cleaner_cnt_delete_by_sw_index_ok = 0;
4225 am->fa_cleaner_cnt_unknown_event = 0;
4226 am->fa_cleaner_cnt_timer_restarted = 0;
4227 am->fa_cleaner_cnt_wait_with_timeout = 0;
4230 #define _(N, v, s) am->fa_ipv6_known_eh_bitmap = clib_bitmap_set(am->fa_ipv6_known_eh_bitmap, v, 1); vlib_log_class_t vlib_log_register_class(char *class, char *subclass)
#define vec_validate(V, I)
Make sure vector is long enough for given index (no header, unspecified alignment) ...
u32 * input_policy_epoch_by_sw_if_index
u8 * format_vec16(u8 *s, va_list *va)
u32 * acl_ip4_output_classify_table_by_sw_if_index
static int macip_acl_interface_add_acl(acl_main_t *am, u32 sw_if_index, u32 macip_acl_index)
u32 fa_cleaner_node_index
u32 session_timeout_sec[ACL_N_TIMEOUTS]
Use acl_interface_set_acl_list instead. Append/remove an ACL index to/from the list of ACLs checked fo...
#define vec_foreach_index(var, v)
Iterate over vector indices.
u32 fa_acl_in_ip4_l2_node_feat_next_node_index[32]
static int macip_acl_interface_add_del_acl(u32 sw_if_index, u8 is_add, u32 acl_list_index)
static clib_error_t * acl_clear_aclplugin_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
static int acl_set_skip_ipv6_eh(u32 eh, u32 value)
static int acl_hook_l2_output_classify(acl_main_t *am, u32 sw_if_index)
static clib_error_t * acl_show_aclplugin_lookup_user_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
static int verify_message_len(void *mp, u32 expected_len, char *where)
static int acl_classify_add_del_table_tiny(vnet_classify_main_t *cm, u8 *mask, u32 mask_len, u32 next_table_index, u32 miss_next_index, u32 *table_index, int is_add)
#define UDP_SESSION_IDLE_TIMEOUT_SEC
u32 * acl_dot1ad_input_classify_table_by_sw_if_index
static clib_error_t * acl_init(vlib_main_t *vm)
static void acl_setup_fa_nodes(void)
char ** l2output_get_feat_names(void)
#define FA_SESSION_BOGUS_INDEX
uword * pending_clear_sw_if_index_bitmap
void acl_plugin_show_tables_mask_type(void)
static void vl_api_acl_plugin_get_version_t_handler(vl_api_acl_plugin_get_version_t *mp)
u64 fa_current_cleaner_timer_wait_interval
Set the vector of input/output ACLs checked for an interface.
#define foreach_acl_plugin_api_msg
Set the ethertype whitelists on an interface.
u32 ** input_acl_vec_by_sw_if_index
void acl_plugin_hash_acl_set_trace_heap(int on)
void acl_plugin_show_tables_applied_info(u32 lc_index)
Dump the list(s) of ACLs applied to a specific interface or to all interfaces.
vnet_main_t * vnet_get_main(void)
vl_api_macip_acl_rule_t r[count]
static int count_skip(u8 *p, u32 size)
vnet_interface_main_t interface_main
static void vl_api_acl_add_replace_t_handler(vl_api_acl_add_replace_t *mp)
static void vl_api_macip_acl_dump_t_handler(vl_api_macip_acl_dump_t *mp)
#define clib_error(format, args...)
int l4_match_nonfirst_fragment
void * mheap_alloc(void *memory, uword size)
Control ping from the client to the server response.
#define ACL_FA_CONN_TABLE_DEFAULT_HASH_NUM_BUCKETS
#define ACL_PLUGIN_VERSION_MINOR
static clib_error_t * acl_plugin_config(vlib_main_t *vm, unformat_input_t *input)
#define ACL_PLUGIN_HASH_LOOKUP_HASH_MEMORY
#define REPLY_MACRO2(t, body)
static void vl_api_macip_acl_add_t_handler(vl_api_macip_acl_add_t *mp)
static void vl_api_acl_interface_etype_whitelist_dump_t_handler(vl_api_acl_interface_list_dump_t *mp)
Details about ethertype whitelist on a single interface.
static void vl_api_send_msg(vl_api_registration_t *rp, u8 *elem)
u32 * acl_ip6_input_classify_table_by_sw_if_index
#define vec_add1(V, E)
Add 1 element to end of vector (unspecified alignment).
static u64 clib_cpu_time_now(void)
static void acl_clear_sessions(acl_main_t *am, u32 sw_if_index)
void vnet_l2_input_classify_enable_disable(u32 sw_if_index, int enable_disable)
Enable/disable l2 input classification on a specific interface.
static int get_l3_dst_offset(int is6)
static mheap_t * mheap_header(u8 *v)
u32 * acl_etype_output_classify_table_by_sw_if_index
static uword * clib_bitmap_set(uword *ai, uword i, uword value)
Sets the ith bit of a bitmap to new_value. Removes trailing zeros from the bitmap. ...
u64 session_timeout[ACL_N_TIMEOUTS]
fa_session_t * fa_sessions_pool
u32 * output_policy_epoch_by_sw_if_index
u32 out_dot1q_table_index
u32 l2_input_classify_next_acl_ip4
void(* acl_vector_print_func_t)(vlib_main_t *vm, u8 *out0)
u16 dstport_or_icmpcode_last
#define MHEAP_FLAG_THREAD_SAFE
void * vl_msg_api_alloc(int nbytes)
#define pool_len(p)
Number of elements in pool vector.
u8 * format_mheap(u8 *s, va_list *va)
static u32 macip_find_match_type(macip_match_type_t *mv, u8 *mac_mask, u8 prefix_len, u8 is_ipv6)
#define vec_reset_length(v)
Reset vector length to zero; NULL-pointer tolerant.
vlib_log_class_t log_default
Details about one MACIP ACL.
void acl_plugin_lookup_context_notify_acl_change(u32 acl_num)
u32 fa_acl_out_ip4_l2_node_feat_next_node_index[32]
f64 fa_cleaner_wait_time_increment
u32 arp_dot1q_table_index
#define clib_bitmap_validate(v, n_bits)
u32 interface_acl_user_id
u32 ** lc_index_vec_by_acl
static void acl_add_vlan_session(acl_main_t *am, u32 table_index, u8 is_output, u8 is_dot1ad, u8 is_ip6)
uword fa_conn_table_hash_memory_size
u16 dst_port_or_code_last
static int acl_interface_in_enable_disable(acl_main_t *am, u32 sw_if_index, int enable_disable)
static clib_error_t * acl_sw_interface_add_del(vnet_main_t *vnm, u32 sw_if_index, u32 is_add)
u32 l2_output_classify_next_acl_ip4
ip46_address_t src_ip_addr
void mv(vnet_classify_table_t *t)
#define pool_foreach(VAR, POOL, BODY)
Iterate through pool.
#define VLIB_INIT_FUNCTION(x)
static int acl_is_not_defined(acl_main_t *am, u32 acl_list_index)
static clib_error_t * acl_show_aclplugin_acl_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
u16 dstport_or_icmpcode_first
u64 fa_conn_table_max_entries
static uword clib_bitmap_is_zero(uword *ai)
predicate function; is an entire bitmap empty?
static int acl_is_used_by(u32 acl_index, u32 **foo_index_vec_by_acl)
uword vlib_node_add_next_with_slot(vlib_main_t *vm, uword node_index, uword next_node_index, uword slot)
u64 cnt_session_timer_restarted
#define vec_elt_at_index(v, i)
Get vector value at index i checking that i is in bounds.
Add or delete a MACIP ACL to/from interface.
static void increment_policy_epoch(acl_main_t *am, u32 sw_if_index, int is_input)
static clib_error_t * acl_show_aclplugin_interface_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
#define clib_error_return(e, args...)
static u8 * format_acl_action(u8 *s, u8 action)
#define ACL_FA_CONN_TABLE_DEFAULT_MAX_ENTRIES
uword * in_acl_on_sw_if_index
static void acl_print_acl(vlib_main_t *vm, acl_main_t *am, int acl_index)
int vnet_l2_output_classify_set_tables(u32 sw_if_index, u32 ip4_table_index, u32 ip6_table_index, u32 other_table_index)
Set l2 per-protocol, per-interface output classification tables.
u32 out_arp_dot1q_table_index
#define vec_search(v, E)
Search a vector for the index of the entry that matches.
VNET_SW_INTERFACE_ADD_DEL_FUNCTION(acl_sw_interface_add_del)
static clib_error_t * acl_show_aclplugin_decode_5tuple_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Reply to add/replace MACIP ACL.
u32 fa_acl_out_ip6_l2_node_feat_next_node_index[32]
static u8 * my_macip_acl_rule_t_pretty_format(u8 *out, va_list *args)
u32 * acl_ip4_input_classify_table_by_sw_if_index
static int etype_whitelist_add_sessions(acl_main_t *am, u32 sw_if_index, int is_input, u32 etype_table_index)
int vnet_classify_add_del_session(vnet_classify_main_t *cm, u32 table_index, u8 *match, u32 hit_next_index, u32 opaque_index, i32 advance, u8 action, u32 metadata, int is_add)
static int acl_unhook_l2_input_classify(acl_main_t *am, u32 sw_if_index)
static clib_error_t * acl_show_aclplugin_memory_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
static int acl_hook_l2_input_classify(acl_main_t *am, u32 sw_if_index)
#define clib_bitmap_foreach(i, ai, body)
Macro to iterate across set bits in a bitmap.
#define pool_elt_at_index(p, i)
Returns pointer to element at given index.
static void acl_plugin_show_interface(acl_main_t *am, u32 sw_if_index, int show_acl, int detail)
Details about the contents of a single MACIP ACL.
static void acl_set_session_max_entries(u32 value)
Control ping request from client to API server.
static void setup_message_id_table(acl_main_t *am, api_main_t *apim)
static void vlib_process_signal_event(vlib_main_t *vm, uword node_index, uword type_opaque, uword data)
#define ACL_FA_DEFAULT_CLEANER_WAIT_TIME_INCREMENT
u16 dst_port_or_code_first
#define TCP_SESSION_IDLE_TIMEOUT_SEC
static void warning_acl_print_acl(vlib_main_t *vm, acl_main_t *am, int acl_index)
static void vl_api_acl_dump_t_handler(vl_api_acl_dump_t *mp)
uword * fa_ipv6_known_eh_bitmap
Replace an existing ACL in-place or create a new ACL.
#define ACL_FA_DEFAULT_MIN_DELETED_SESSIONS_PER_INTERVAL
#define pool_put(P, E)
Free an object E in pool P.
#define vec_dup(V)
Return copy of vector (no header, no alignment)
u32 * output_lc_index_by_sw_if_index
void acl_plugin_acl_set_validate_heap(acl_main_t *am, int on)
Details about the contents of a single ACL.
static clib_error_t * acl_show_aclplugin_tables_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
#define VLIB_CONFIG_FUNCTION(x, n,...)
#define vec_del1(v, i)
Delete the element at index I.
vl_api_acl_rule_t r[count]
static void send_acl_details(acl_main_t *am, vl_api_registration_t *reg, acl_list_t *acl, u32 context)
static int get_l3_src_offset(int is6)
int vnet_set_input_acl_intfc(vlib_main_t *vm, u32 sw_if_index, u32 ip4_table_index, u32 ip6_table_index, u32 l2_table_index, u32 is_add)
static int macip_maybe_apply_unapply_classifier_tables(acl_main_t *am, u32 acl_index, int is_apply)
u32 l2_input_classify_next_acl_ip6
static void send_acl_interface_etype_whitelist_details(acl_main_t *am, vl_api_registration_t *reg, u32 sw_if_index, u32 context)
int interrupt_is_unwanted
void acl_plugin_hash_acl_set_validate_heap(int on)
static u8 * my_format_mac_address(u8 *s, va_list *args)
u64 * fa_conn_list_head_expiry_time
u32 out_arp_dot1ad_table_index
#define FA_POLICY_EPOCH_IS_INPUT
u16 src_port_or_type_first
u64 fa_min_deleted_sessions_per_interval
static int match_type_compare(macip_match_type_t *m1, macip_match_type_t *m2)
static void acl_print_acl_x(acl_vector_print_func_t vpr, vlib_main_t *vm, acl_main_t *am, int acl_index)
API main structure, used by both vpp and binary API clients.
void acl_plugin_show_tables_bihash(u32 show_bihash_verbose)
#define pool_get_aligned(P, E, A)
Allocate an object E from a pool P (general version).
vl_api_acl_rule_t r[count]
An API client registration, only in vpp/vlib.
static int acl_unhook_l2_output_classify(acl_main_t *am, u32 sw_if_index)
Dump the list(s) of MACIP ACLs applied to specific or all interfaces.
static void vl_api_acl_interface_set_etype_whitelist_t_handler(vl_api_acl_interface_set_etype_whitelist_t *mp)
static int match_type_metric(macip_match_type_t *m)
static int macip_acl_del_list(u32 acl_list_index)
Dump one or all defined MACIP ACLs.
static int acl_classify_add_del_table_small(vnet_classify_main_t *cm, u8 *mask, u32 mask_len, u32 next_table_index, u32 miss_next_index, u32 *table_index, int is_add)
static void acl_plugin_show_acl(acl_main_t *am, u32 acl_index)
static uword * clib_bitmap_dup_xor(uword *ai, uword *bi)
Logical operator across two bitmaps which duplicates the first bitmap.
u64 fa_session_total_adds
#define vec_free(V)
Free vector's memory (no header).
void acl_plugin_acl_set_trace_heap(acl_main_t *am, int on)
static void feat_bitmap_init_next_nodes(vlib_main_t *vm, u32 node_index, u32 num_features, char **feat_names, u32 *next_nodes)
Initialize the feature next-node indexes of a graph node.
void acl_fa_enable_disable(u32 sw_if_index, int is_input, int enable_disable)
static void * clib_mem_set_heap(void *heap)
u16 srcport_or_icmptype_first
Reply to add/replace ACL.
#define clib_warning(format, args...)
Reply with the vector of MACIP ACLs by sw_if_index.
void acl_plugin_show_lookup_user(u32 user_index)
int vnet_l2_input_classify_set_tables(u32 sw_if_index, u32 ip4_table_index, u32 ip6_table_index, u32 other_table_index)
Set l2 per-protocol, per-interface input classification tables.
int use_hash_acl_matching
#define pool_is_free_index(P, I)
Use free bitmap to query whether given index is free.
static clib_error_t * acl_plugin_exports_init(acl_plugin_methods_t *m)
static uword clib_bitmap_get(uword *ai, uword i)
Gets the ith bit value from a bitmap.
vlib_node_t * vlib_get_node_by_name(vlib_main_t *vm, u8 *name)
static vl_api_registration_t * vl_api_client_index_to_registration(u32 index)
#define foreach_fa_cleaner_counter
vl_api_macip_acl_rule_t r[count]
static int acl_interface_out_enable_disable(acl_main_t *am, u32 sw_if_index, int enable_disable)
int tuple_merge_split_threshold
#define VLIB_CLI_COMMAND(x,...)
struct _vnet_classify_main vnet_classify_main_t
u16 srcport_or_icmptype_last
static clib_error_t * acl_show_aclplugin_macip_acl_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
#define ACL_PLUGIN_HASH_LOOKUP_HASH_BUCKETS
u32 hash_lookup_hash_buckets
static void vl_api_acl_interface_add_del_t_handler(vl_api_acl_interface_add_del_t *mp)
static int macip_acl_interface_del_acl(acl_main_t *am, u32 sw_if_index)
static void vl_api_macip_acl_del_t_handler(vl_api_macip_acl_del_t *mp)
union fa_session_t::@363 tcp_flags_seen
static int acl_interface_inout_enable_disable(acl_main_t *am, u32 sw_if_index, int is_input, int enable_disable)
u16 src_port_or_type_last
MACIP Access List Rule entry.
static int macip_create_classify_tables(acl_main_t *am, u32 macip_acl_index)
static void acl_set_timeout_sec(int timeout_type, u32 value)
uword * out_acl_on_sw_if_index
void acl_plugin_show_lookup_context(u32 lc_index)
u32 ** sw_if_index_vec_by_macip_acl
#define MHEAP_FLAG_VALIDATE
static int macip_permit_also_egress(u8 is_permit)
#define clib_bitmap_free(v)
Free a bitmap.
vnet_classify_main_t vnet_classify_main
static void vl_api_macip_acl_add_replace_t_handler(vl_api_macip_acl_add_replace_t *mp)
u32 * acl_etype_input_classify_table_by_sw_if_index
Reply to get the plugin version.
static clib_error_t * acl_plugin_api_hookup(vlib_main_t *vm)
static int macip_acl_add_list(u32 count, vl_api_macip_acl_rule_t rules[], u32 *acl_list_index, u8 *tag)
uword * serviced_sw_if_index_bitmap
vl_api_macip_acl_rule_t r[count]
u32 fa_acl_in_ip6_l2_node_feat_next_node_index[32]
static vlib_main_t * vlib_get_main(void)
Reply to set the ACL list on an interface.
int vnet_classify_add_del_table(vnet_classify_main_t *cm, u8 *mask, u32 nbuckets, u32 memory_size, u32 skip, u32 match, u32 next_table_index, u32 miss_next_index, u32 *table_index, u8 current_data_flag, i16 current_data_offset, int is_add, int del_chain)
#define vec_elt(v, i)
Get vector value at index i.
#define MHEAP_FLAG_SMALL_OBJECT_CACHE
static void macip_acl_print(acl_main_t *am, u32 macip_acl_index)
u32 * macip_acl_by_sw_if_index
Get the vector of MACIP ACL IDs applied to the interfaces.
u32 * acl_ip6_output_classify_table_by_sw_if_index
static void vl_api_acl_interface_list_dump_t_handler(vl_api_acl_interface_list_dump_t *mp)
static void acl_interface_reset_inout_acls(u32 sw_if_index, u8 is_input, int *may_clear_sessions)
static int acl_add_list(u32 count, vl_api_acl_rule_t rules[], u32 *acl_list_index, u8 *tag)
static void print_clib_warning_and_reset(vlib_main_t *vm, u8 *out0)
static int acl_set_etype_whitelists(acl_main_t *am, u32 sw_if_index, u16 *vec_in, u16 *vec_out)
u32 arp_dot1ad_table_index
static void vl_api_acl_del_t_handler(vl_api_acl_del_t *mp)
static void send_macip_acl_details(acl_main_t *am, vl_api_registration_t *reg, macip_acl_list_t *acl, u32 context)
macip_acl_list_t * macip_acls
static clib_error_t * acl_show_aclplugin_sessions_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
static acl_plugin_methods_t acl_plugin
static void send_macip_acl_interface_list_details(acl_main_t *am, vl_api_registration_t *reg, u32 sw_if_index, u32 acl_index, u32 context)
uword hash_lookup_mheap_size
#define vec_len(v)
Number of elements in vector (rvalue-only, NULL tolerant)
Details about the contents of a single ACL.
static void vl_api_macip_acl_interface_list_dump_t_handler(vl_api_macip_acl_interface_list_dump_t *mp)
acl_fa_per_worker_data_t * per_worker_data
#define vec_sort_with_function(vec, f)
Sort a vector using the supplied element comparison function.
vnet_sw_interface_t * sw_interfaces
int fa_interrupt_generation
u32 ** input_sw_if_index_vec_by_acl
u64 cnt_already_deleted_sessions
void vnet_l2_output_classify_enable_disable(u32 sw_if_index, int enable_disable)
Enable/disable l2 output classification on a specific interface.
u16 ** output_etype_whitelist_by_sw_if_index
static void vl_api_acl_interface_set_acl_list_t_handler(vl_api_acl_interface_set_acl_list_t *mp)
u64 fa_max_deleted_sessions_per_interval
void * acl_plugin_set_heap()
static clib_error_t * acl_set_aclplugin_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
static void try_increment_acl_policy_epoch(acl_main_t *am, u32 acl_num, int is_input)
static int acl_interface_add_del_inout_acl(u32 sw_if_index, u8 is_add, u8 is_input, u32 acl_list_index)
static void policy_notify_acl_change(acl_main_t *am, u32 acl_num)
static vlib_thread_main_t * vlib_get_thread_main()
static void acl_plugin_show_sessions(acl_main_t *am, u32 show_session_thread_id, u32 show_session_session_index)
static void copy_acl_rule_to_api_rule(vl_api_acl_rule_t *api_rule, acl_rule_t *r)
u16 ** input_etype_whitelist_by_sw_if_index
void mheap_validate(void *v)
#define vec_foreach(var, vec)
Vector iterator.
static void * acl_set_heap(acl_main_t *am)
u64 fa_session_total_deactivations
static void print_cli_and_reset(vlib_main_t *vm, u8 *out0)
void show_fa_sessions_hash(vlib_main_t *vm, u32 verbose)
u8 * format_acl_plugin_5tuple(u8 *s, va_list *args)
u32 * input_lc_index_by_sw_if_index
u32 vl_msg_api_get_msg_length(void *msg_arg)
u32 ** output_sw_if_index_vec_by_acl
#define ACL_PLUGIN_VERSION_MAJOR
static clib_error_t * acl_show_aclplugin_macip_interface_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
u32 * acl_dot1q_output_classify_table_by_sw_if_index
#define FA_POLICY_EPOCH_MASK
#define vec_validate_init_empty(V, I, INIT)
Make sure vector is long enough for given index and initialize empty space (no header, unspecified alignment)
#define CLIB_CACHE_LINE_BYTES
#define ACL_PLUGIN_HASH_LOOKUP_HEAP_SIZE
static int intf_has_etype_whitelist(acl_main_t *am, u32 sw_if_index, int is_input)
void acl_plugin_show_tables_acl_hash_info(u32 acl_index)
#define TM_SPLIT_THRESHOLD
u32 l2_output_classify_next_acl_ip6
static int acl_interface_set_inout_acl_list(acl_main_t *am, u32 sw_if_index, u8 is_input, u32 *vec_acl_list_index, int *may_clear_sessions)
void vlib_cli_output(vlib_main_t *vm, char *fmt,...)
#define ACL_FA_DEFAULT_MAX_DELETED_SESSIONS_PER_INTERVAL
static void vl_api_acl_plugin_control_ping_t_handler(vl_api_acl_plugin_control_ping_t *mp)
int vnet_set_output_acl_intfc(vlib_main_t *vm, u32 sw_if_index, u32 ip4_table_index, u32 ip6_table_index, u32 l2_table_index, u32 is_add)
u32 ** output_acl_vec_by_sw_if_index
static clib_error_t * acl_show_aclplugin_lookup_context_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
u32 out_dot1ad_table_index
#define TCP_SESSION_TRANSIENT_TIMEOUT_SEC
static void vl_api_macip_acl_interface_add_del_t_handler(vl_api_macip_acl_interface_add_del_t *mp)
u32 hash_lookup_hash_memory
u64 current_time_wait_interval
u32 fa_conn_table_hash_num_buckets
u32 * acl_dot1q_input_classify_table_by_sw_if_index
#define ACL_FA_CONN_TABLE_DEFAULT_HASH_MEMORY_SIZE
u64 fa_session_total_dels
static int acl_del_list(u32 acl_list_index)
static void send_acl_interface_list_details(acl_main_t *am, vl_api_registration_t *reg, u32 sw_if_index, u32 context)
static void macip_destroy_classify_tables(acl_main_t *am, u32 macip_acl_index)
u16 vl_msg_api_get_msg_ids(const char *name, int n)
static void vl_api_macip_acl_interface_get_t_handler(vl_api_macip_acl_interface_get_t *mp)
u32 * acl_dot1ad_output_classify_table_by_sw_if_index
foreach_fa_cleaner_counter vlib_main_t * vlib_main