FD.io VPP  v21.06-3-gbb25fbf28
Vector Packet Processing
in_out_acl.c
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2015 Cisco and/or its affiliates.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at:
6  *
7  * http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 #include <vnet/ip/ip.h>
18 #include <vnet/l2/l2_output.h>
19 #include <vnet/l2/l2_input.h>
20 
22 
23 static int
28  int feature_enable, int is_output)
29 {
30 
31  if (tid == IN_OUT_ACL_TABLE_L2)
32  {
33  if (is_output)
34  l2output_intf_bitmap_enable (sw_if_index, L2OUTPUT_FEAT_ACL,
35  feature_enable);
36  else
37  l2input_intf_bitmap_enable (sw_if_index, L2INPUT_FEAT_ACL,
38  feature_enable);
39  }
40  else
41  { /* IP[46] */
43  u8 arc;
44 
45  if (tid == IN_OUT_ACL_TABLE_IP4)
46  {
47  char *arc_name = is_output ? "ip4-output" : "ip4-unicast";
49  is_output ? "ip4-outacl" : "ip4-inacl",
50  sw_if_index, feature_enable, 0, 0);
51  arc = vnet_get_feature_arc_index (arc_name);
52  }
53  else
54  {
55  char *arc_name = is_output ? "ip6-output" : "ip6-unicast";
57  is_output ? "ip6-outacl" : "ip6-inacl",
58  sw_if_index, feature_enable, 0, 0);
59  arc = vnet_get_feature_arc_index (arc_name);
60  }
61 
63  am->vnet_config_main[is_output][tid] = &fcm->config_main;
64  }
65 
66  return 0;
67 }
68 
69 int
71  u32 ip4_table_index,
72  u32 ip6_table_index, u32 l2_table_index,
73  u32 is_add, u32 is_output)
74 {
76  vnet_classify_main_t *vcm = am->vnet_classify_main;
77  u32 acl[IN_OUT_ACL_N_TABLES] = { ip4_table_index, ip6_table_index,
78  l2_table_index
79  };
80  u32 ti;
81 
82  /* Assume that we've validated sw_if_index in the API layer */
83 
84  for (ti = 0; ti < IN_OUT_ACL_N_TABLES; ti++)
85  {
86  if (acl[ti] == ~0)
87  continue;
88 
89  if (pool_is_free_index (vcm->tables, acl[ti]))
90  return VNET_API_ERROR_NO_SUCH_TABLE;
91 
93  (am->classify_table_index_by_sw_if_index[is_output][ti], sw_if_index,
94  ~0);
95 
96  /* Reject any DEL operation with wrong sw_if_index */
97  if (!is_add &&
98  (acl[ti] !=
99  am->classify_table_index_by_sw_if_index[is_output][ti]
100  [sw_if_index]))
101  {
103  ("Non-existent intf_idx=%d with table_index=%d for delete",
104  sw_if_index, acl[ti]);
105  return VNET_API_ERROR_NO_SUCH_TABLE;
106  }
107 
108  /* Return ok on ADD operaton if feature is already enabled */
109  if (is_add &&
110  am->classify_table_index_by_sw_if_index[is_output][ti][sw_if_index]
111  != ~0)
112  return 0;
113 
115  is_output);
116 
117  if (is_add)
118  am->classify_table_index_by_sw_if_index[is_output][ti][sw_if_index] =
119  acl[ti];
120  else
121  am->classify_table_index_by_sw_if_index[is_output][ti][sw_if_index] =
122  ~0;
123  }
124 
125  return 0;
126 }
127 
128 int
130  u32 ip4_table_index,
131  u32 ip6_table_index, u32 l2_table_index, u32 is_add)
132 {
133  return vnet_set_in_out_acl_intfc (vm, sw_if_index, ip4_table_index,
134  ip6_table_index, l2_table_index, is_add,
136 }
137 
138 int
140  u32 ip4_table_index,
141  u32 ip6_table_index, u32 l2_table_index,
142  u32 is_add)
143 {
144  return vnet_set_in_out_acl_intfc (vm, sw_if_index, ip4_table_index,
145  ip6_table_index, l2_table_index, is_add,
147 }
148 
149 static clib_error_t *
151  unformat_input_t * input, vlib_cli_command_t * cmd,
152  u32 is_output)
153 {
154  vnet_main_t *vnm = vnet_get_main ();
155  u32 sw_if_index = ~0;
156  u32 ip4_table_index = ~0;
157  u32 ip6_table_index = ~0;
158  u32 l2_table_index = ~0;
159  u32 is_add = 1;
160  u32 idx_cnt = 0;
161  int rv;
162 
164  {
165  if (unformat (input, "intfc %U", unformat_vnet_sw_interface,
166  vnm, &sw_if_index))
167  ;
168  else if (unformat (input, "ip4-table %d", &ip4_table_index))
169  idx_cnt++;
170  else if (unformat (input, "ip6-table %d", &ip6_table_index))
171  idx_cnt++;
172  else if (unformat (input, "l2-table %d", &l2_table_index))
173  idx_cnt++;
174  else if (unformat (input, "del"))
175  is_add = 0;
176  else
177  break;
178  }
179 
180  if (sw_if_index == ~0)
181  return clib_error_return (0, "Interface must be specified.");
182 
183  if (!idx_cnt)
184  return clib_error_return (0, "Table index should be specified.");
185 
186  if (idx_cnt > 1)
187  return clib_error_return (0, "Only one table index per API is allowed.");
188 
189  rv = vnet_set_in_out_acl_intfc (vm, sw_if_index, ip4_table_index,
190  ip6_table_index, l2_table_index, is_add,
191  is_output);
192 
193  switch (rv)
194  {
195  case 0:
196  break;
197 
198  case VNET_API_ERROR_NO_MATCHING_INTERFACE:
199  return clib_error_return (0, "No such interface");
200 
201  case VNET_API_ERROR_NO_SUCH_ENTRY:
202  return clib_error_return (0, "No such classifier table");
203  }
204  return 0;
205 }
206 
207 static clib_error_t *
209  unformat_input_t * input, vlib_cli_command_t * cmd)
210 {
211  return set_in_out_acl_command_fn (vm, input, cmd,
213 }
214 
215 static clib_error_t *
217  unformat_input_t * input, vlib_cli_command_t * cmd)
218 {
219  return set_in_out_acl_command_fn (vm, input, cmd,
221 }
222 
223 /*
224  * Configure interface to enable/disble input/output ACL features:
225  * intfc - interface name to be configured as input ACL
226  * Ip4-table <index> [del] - enable/disable IP4 input ACL
227  * Ip6-table <index> [del] - enable/disable IP6 input ACL
228  * l2-table <index> [del] - enable/disable Layer2 input ACL
229  *
230  * Note: Only one table index per API call is allowed.
231  *
232  */
233 /* *INDENT-OFF* */
235  .path = "set interface input acl",
236  .short_help =
237  "set interface input acl intfc <int> [ip4-table <index>]\n"
238  " [ip6-table <index>] [l2-table <index>] [del]",
239  .function = set_input_acl_command_fn,
240 };
242  .path = "set interface output acl",
243  .short_help =
244  "set interface output acl intfc <int> [ip4-table <index>]\n"
245  " [ip6-table <index>] [l2-table <index>] [del]",
246  .function = set_output_acl_command_fn,
247 };
248 /* *INDENT-ON* */
249 
250 clib_error_t *
252 {
254 
255  am->vlib_main = vm;
256  am->vnet_main = vnet_get_main ();
257  am->vnet_classify_main = &vnet_classify_main;
258 
259  return 0;
260 }
261 /* *INDENT-OFF* */
263 {
264  .runs_after = VLIB_INITS("ip_in_out_acl_init"),
265 };
266 /* *INDENT-ON* */
267 
268 uword
269 unformat_acl_type (unformat_input_t * input, va_list * args)
270 {
271  u32 *acl_type = va_arg (*args, u32 *);
272  u32 tid = IN_OUT_ACL_N_TABLES;
273 
275  {
276  if (unformat (input, "ip4"))
277  tid = IN_OUT_ACL_TABLE_IP4;
278  else if (unformat (input, "ip6"))
279  tid = IN_OUT_ACL_TABLE_IP6;
280  else if (unformat (input, "l2"))
281  tid = IN_OUT_ACL_TABLE_L2;
282  else
283  break;
284  }
285 
286  *acl_type = tid;
287  return 1;
288 }
289 
290 u8 *
291 format_vnet_in_out_acl_info (u8 * s, va_list * va)
292 {
293  in_out_acl_main_t *am = va_arg (*va, in_out_acl_main_t *);
294  int sw_if_idx = va_arg (*va, int);
295  u32 tid = va_arg (*va, u32);
296 
297  if (tid == ~0)
298  {
299  s = format (s, "%10s%20s\t\t%s", "Intfc idx", "Classify table",
300  "Interface name");
301  return s;
302  }
303 
304  s = format (s, "%10d%20d\t\t%U", sw_if_idx, tid,
305  format_vnet_sw_if_index_name, am->vnet_main, sw_if_idx);
306 
307  return s;
308 }
309 
310 static clib_error_t *
312  unformat_input_t * input,
313  vlib_cli_command_t * cmd, u32 is_output)
314 {
317  int i;
318  u32 *vec_tbl;
319 
321  {
322  if (unformat (input, "type %U", unformat_acl_type, &type))
323  ;
324  else
325  break;
326  }
327 
328  if (type == IN_OUT_ACL_N_TABLES)
329  return clib_error_return (0, is_output ? "Invalid output ACL table type."
330  : "Invalid input ACL table type.");
331 
332  vec_tbl = am->classify_table_index_by_sw_if_index[is_output][type];
333 
334  if (vec_len (vec_tbl))
335  vlib_cli_output (vm, "%U", format_vnet_in_out_acl_info, am, ~0 /* hdr */ ,
336  ~0);
337  else
338  vlib_cli_output (vm, is_output ? "No output ACL tables configured"
339  : "No input ACL tables configured");
340 
341  for (i = 0; i < vec_len (vec_tbl); i++)
342  {
343  if (vec_elt (vec_tbl, i) == ~0)
344  continue;
345 
347  am, i, vec_elt (vec_tbl, i));
348  }
349 
350  return 0;
351 }
352 
353 static clib_error_t *
355  unformat_input_t * input, vlib_cli_command_t * cmd)
356 {
357  return show_in_out_acl_command_fn (vm, input, cmd,
359 }
360 
361 static clib_error_t *
363  unformat_input_t * input, vlib_cli_command_t * cmd)
364 {
365  return show_in_out_acl_command_fn (vm, input, cmd,
367 }
368 
369 /* *INDENT-OFF* */
371  .path = "show inacl",
372  .short_help = "show inacl type [ip4|ip6|l2]",
373  .function = show_inacl_command_fn,
374 };
376  .path = "show outacl",
377  .short_help = "show outacl type [ip4|ip6|l2]",
378  .function = show_outacl_command_fn,
379 };
380 /* *INDENT-ON* */
381 
382 /*
383  * fd.io coding-style-patch-verification: ON
384  *
385  * Local Variables:
386  * eval: (c-set-style "gnu")
387  * End:
388  */
show_inacl_command
static vlib_cli_command_t show_inacl_command
(constructor) VLIB_CLI_COMMAND (show_inacl_command)
Definition: in_out_acl.c:370
vnet_feature_config_main_t_
Definition: feature.h:80
show_inacl_command_fn
static clib_error_t * show_inacl_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: in_out_acl.c:354
vnet_feature_config_main_t_::config_main
vnet_config_main_t config_main
Definition: feature.h:82
vnet_set_input_acl_intfc
int vnet_set_input_acl_intfc(vlib_main_t *vm, u32 sw_if_index, u32 ip4_table_index, u32 ip6_table_index, u32 l2_table_index, u32 is_add)
Definition: in_out_acl.c:129
set_output_acl_command
static vlib_cli_command_t set_output_acl_command
(constructor) VLIB_CLI_COMMAND (set_output_acl_command)
Definition: in_out_acl.c:241
vnet_classify_main
vnet_classify_main_t vnet_classify_main
Definition: vnet_classify.c:32
clib_error_return
#define clib_error_return(e, args...)
Definition: error.h:99
vlib_cli_command_t::path
char * path
Definition: cli.h:96
IN_OUT_ACL_TABLE_IP4
@ IN_OUT_ACL_TABLE_IP4
Definition: in_out_acl.h:31
am
app_main_t * am
Definition: application.c:489
set_output_acl_command_fn
static clib_error_t * set_output_acl_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: in_out_acl.c:216
vm
vlib_main_t * vm
X-connect all packets from the HOST to the PHY.
Definition: nat44_ei.c:3047
unformat_input_t
struct _unformat_input_t unformat_input_t
IN_OUT_ACL_INPUT_TABLE_GROUP
@ IN_OUT_ACL_INPUT_TABLE_GROUP
Definition: in_out_acl.h:39
unformat
uword unformat(unformat_input_t *i, const char *fmt,...)
Definition: unformat.c:978
pool_is_free_index
#define pool_is_free_index(P, I)
Use free bitmap to query whether given index is free.
Definition: pool.h:302
vec_elt
#define vec_elt(v, i)
Get vector value at index i.
Definition: vec_bootstrap.h:210
ti
u32 ti
Definition: interface_output.c:405
vec_len
#define vec_len(v)
Number of elements in vector (rvalue-only, NULL tolerant)
Definition: vec_bootstrap.h:142
set_in_out_acl_command_fn
static clib_error_t * set_in_out_acl_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd, u32 is_output)
Definition: in_out_acl.c:150
l2_output.h
vnet_get_main
vnet_main_t * vnet_get_main(void)
Definition: pnat_test_stubs.h:56
unformat_check_input
static uword unformat_check_input(unformat_input_t *i)
Definition: format.h:163
uword
u64 uword
Definition: types.h:112
show_in_out_acl_command_fn
static clib_error_t * show_in_out_acl_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd, u32 is_output)
Definition: in_out_acl.c:311
in_out_acl_init
clib_error_t * in_out_acl_init(vlib_main_t *vm)
Definition: in_out_acl.c:251
l2input_intf_bitmap_enable
u32 l2input_intf_bitmap_enable(u32 sw_if_index, l2input_feat_masks_t feature_bitmap, u32 enable)
Enable (or disable) the feature in the bitmap for the given interface.
Definition: l2_input.c:177
i
sll srl srl sll sra u16x4 i
Definition: vector_sse42.h:261
IN_OUT_ACL_OUTPUT_TABLE_GROUP
@ IN_OUT_ACL_OUTPUT_TABLE_GROUP
Definition: in_out_acl.h:40
VLIB_CLI_COMMAND
#define VLIB_CLI_COMMAND(x,...)
Definition: cli.h:163
IN_OUT_ACL_N_TABLES
@ IN_OUT_ACL_N_TABLES
Definition: in_out_acl.h:34
unformat_acl_type
uword unformat_acl_type(unformat_input_t *input, va_list *args)
Definition: in_out_acl.c:269
vnet_in_out_acl_ip_feature_enable
static int vnet_in_out_acl_ip_feature_enable(vlib_main_t *vnm, in_out_acl_main_t *am, u32 sw_if_index, in_out_acl_table_id_t tid, int feature_enable, int is_output)
Definition: in_out_acl.c:24
vlib_cli_output
void vlib_cli_output(vlib_main_t *vm, char *fmt,...)
Definition: cli.c:716
show_outacl_command
static vlib_cli_command_t show_outacl_command
(constructor) VLIB_CLI_COMMAND (show_outacl_command)
Definition: in_out_acl.c:375
l2_input.h
arc
u8 arc
Definition: interface_output.c:406
vnet_main_t
Definition: vnet.h:76
vnet_set_output_acl_intfc
int vnet_set_output_acl_intfc(vlib_main_t *vm, u32 sw_if_index, u32 ip4_table_index, u32 ip6_table_index, u32 l2_table_index, u32 is_add)
Definition: in_out_acl.c:139
l2output_intf_bitmap_enable
void l2output_intf_bitmap_enable(u32 sw_if_index, l2output_feat_masks_t feature_bitmap, u32 enable)
Enable (or disable) the feature in the bitmap for the given interface.
Definition: l2_output.c:625
format_vnet_sw_if_index_name
format_function_t format_vnet_sw_if_index_name
Definition: interface_funcs.h:455
unformat_vnet_sw_interface
unformat_function_t unformat_vnet_sw_interface
Definition: interface_funcs.h:459
format
description fragment has unexpected format
Definition: map.api:433
vec_validate_init_empty
#define vec_validate_init_empty(V, I, INIT)
Make sure vector is long enough for given index and initialize empty space (no header,...
Definition: vec.h:570
ip.h
u32
unsigned int u32
Definition: types.h:88
vnet_set_in_out_acl_intfc
int vnet_set_in_out_acl_intfc(vlib_main_t *vm, u32 sw_if_index, u32 ip4_table_index, u32 ip6_table_index, u32 l2_table_index, u32 is_add, u32 is_output)
Definition: in_out_acl.c:70
VLIB_INIT_FUNCTION
#define VLIB_INIT_FUNCTION(x)
Definition: init.h:172
vnet_classify_main_t
struct _vnet_classify_main vnet_classify_main_t
Definition: vnet_classify.h:61
vnet_classify.h
vnet_feature_enable_disable
int vnet_feature_enable_disable(const char *arc_name, const char *node_name, u32 sw_if_index, int enable_disable, void *feature_config, u32 n_feature_config_bytes)
Definition: pnat_test_stubs.h:50
vnet_get_feature_arc_config_main
static vnet_feature_config_main_t * vnet_get_feature_arc_config_main(u8 arc_index)
Definition: feature.h:233
vlib_main_t
Definition: main.h:102
format_vnet_in_out_acl_info
u8 * format_vnet_in_out_acl_info(u8 *s, va_list *va)
Definition: in_out_acl.c:291
in_out_acl.h
VLIB_INITS
#define VLIB_INITS(...)
Definition: init.h:352
u8
unsigned char u8
Definition: types.h:56
clib_error_t
Definition: clib_error.h:21
vlib_init_function_t
clib_error_t *() vlib_init_function_t(struct vlib_main_t *vm)
Definition: init.h:51
in_out_acl_table_id_t
in_out_acl_table_id_t
Definition: in_out_acl.h:29
clib_warning
#define clib_warning(format, args...)
Definition: error.h:59
rv
int __clib_unused rv
Definition: application.c:491
set_input_acl_command
static vlib_cli_command_t set_input_acl_command
(constructor) VLIB_CLI_COMMAND (set_input_acl_command)
Definition: in_out_acl.c:234
in_out_acl_main
in_out_acl_main_t in_out_acl_main
Definition: in_out_acl.c:21
IN_OUT_ACL_TABLE_L2
@ IN_OUT_ACL_TABLE_L2
Definition: in_out_acl.h:33
vlib_cli_command_t
Definition: cli.h:92
vnet_get_feature_arc_index
u8 vnet_get_feature_arc_index(const char *s)
Definition: feature.c:197
sw_if_index
vl_api_interface_index_t sw_if_index
Definition: wireguard.api:34
set_input_acl_command_fn
static clib_error_t * set_input_acl_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: in_out_acl.c:208
type
vl_api_fib_path_type_t type
Definition: fib_types.api:123
in_out_acl_main_t
Definition: in_out_acl.h:44
UNFORMAT_END_OF_INPUT
#define UNFORMAT_END_OF_INPUT
Definition: format.h:137
IN_OUT_ACL_TABLE_IP6
@ IN_OUT_ACL_TABLE_IP6
Definition: in_out_acl.h:32
show_outacl_command_fn
static clib_error_t * show_outacl_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: in_out_acl.c:362