authorAndrew Yourtchenko <ayourtch@gmail.com>2016-12-08 20:33:19 +0100
committerOle Trøan <otroan@employees.org>2016-12-08 21:18:38 +0000
commitc9b20bc7a5399fd1e7bf2d33e7c4f1f08ef1c1e4 (patch)
tree19f1bc704800b89917c487bb209d4680d8432880
parent32905661d1d16198d74ec4596fe95659ebf81b67 (diff)
acl: make MACIP ACL apply/unapply/delete logic more robust
1. vnet_set_input_acl_intfc expects currently applied table ids to remove them properly, fixed that. 2. check if the interface has MACIP ACL applied before unapplying it 3. if applying MACIP ACL to interface that has one already applied, unapply that first. These changes required also swapping the order of the add/del functions. Change-Id: I179490371507b07e9dd8852000954156c318d98c Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
-rw-r--r--plugins/acl-plugin/acl/acl.c37
1 files changed, 26 insertions, 11 deletions
diff --git a/plugins/acl-plugin/acl/acl.c b/plugins/acl-plugin/acl/acl.c
index 7b95152c..8ff5a6b7 100644
--- a/plugins/acl-plugin/acl/acl.c
+++ b/plugins/acl-plugin/acl/acl.c
@@ -1263,6 +1263,29 @@ macip_acl_add_list (u32 count, vl_api_macip_acl_rule_t rules[],
/* No check for validity of sw_if_index - the callers were supposed to validate */
static int
+macip_acl_interface_del_acl (acl_main_t * am, u32 sw_if_index)
+{
+ int rv;
+ u32 macip_acl_index;
+ macip_acl_list_t *a;
+ vec_validate_init_empty (am->macip_acl_by_sw_if_index, sw_if_index, ~0);
+ macip_acl_index = am->macip_acl_by_sw_if_index[sw_if_index];
+ /* No point in deleting MACIP ACL which is not applied */
+ if (~0 == macip_acl_index)
+ return -1;
+ a = &am->macip_acls[macip_acl_index];
+ /* remove the classifier tables off the interface L2 ACL */
+ rv =
+ vnet_set_input_acl_intfc (am->vlib_main, sw_if_index, a->ip4_table_index,
+ a->ip6_table_index, a->l2_table_index, 0);
+ /* Unset the MACIP ACL index */
+ am->macip_acl_by_sw_if_index[sw_if_index] = ~0;
+ return rv;
+}
+
+/* No check for validity of sw_if_index - the callers were supposed to validate */
+
+static int
macip_acl_interface_add_acl (acl_main_t * am, u32 sw_if_index,
u32 macip_acl_index)
{
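Review bot: In the new macip_acl_interface_del_acl, the mapping is cleared with `am->macip_acl_by_sw_if_index[sw_if_index] = ~0;` regardless of what vnet_set_input_acl_intfc returned, so a failed detach leaves the classifier tables attached to the interface while the plugin records that no MACIP ACL is applied; the guard added in the next hunk would then never unapply them, and callers cannot recover because the returned rv is the only trace. Unless that failure is known to be non-retryable, clearing the entry only on success, `if (0 == rv) am->macip_acl_by_sw_if_index[sw_if_index] = ~0;`, keeps the bookkeeping consistent with the data plane. `a = &am->macip_acls[macip_acl_index];` also indexes without a length check, unlike the add path, which appears to validate macip_acl_index before the hunk's second part; if a MACIP ACL list can be deleted while still applied to an interface, this reads past or into a stale entry — worth a vec_len check or a comment stating why the stored index is always valid. The duplicated "No check for validity of sw_if_index" comment is separated from `static int` by a blank line, so it no longer reads as attached to macip_acl_interface_add_acl; drop the blank line. macip_acl_interface_add_acl starts in this hunk and continues outside it.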
@@ -1274,6 +1297,9 @@ macip_acl_interface_add_acl (acl_main_t * am, u32 sw_if_index,
}
a = &am->macip_acls[macip_acl_index];
vec_validate_init_empty (am->macip_acl_by_sw_if_index, sw_if_index, ~0);
+ /* If there already a MACIP ACL applied, unapply it */
+ if (~0 != am->macip_acl_by_sw_if_index[sw_if_index])
+ macip_acl_interface_del_acl(am, sw_if_index);
am->macip_acl_by_sw_if_index[sw_if_index] = macip_acl_index;
/* Apply the classifier tables for L2 ACLs */
rv =
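Review bot: The result of `macip_acl_interface_del_acl(am, sw_if_index);` is discarded, so if detaching the previously applied tables fails the code still overwrites the mapping with the new index on the following line and then applies the new tables on top of whatever is still attached. Since rv is already declared in this function, propagating the failure, `rv = macip_acl_interface_del_acl (am, sw_if_index); if (rv) return rv;`, keeps the interface in a known state instead of silently stacking ACLs; whether an early return is acceptable here depends on the rest of the function, which lies outside the hunk. As a point of style, the call lacks the space before the parenthesis used by every other call in this file (`vec_validate_init_empty (`, `vnet_set_input_acl_intfc (`), and the comment reads better as `/* If there is already a MACIP ACL applied, unapply it first */`.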
@@ -1283,17 +1309,6 @@ macip_acl_interface_add_acl (acl_main_t * am, u32 sw_if_index,
}
static int
-macip_acl_interface_del_acl (acl_main_t * am, u32 sw_if_index)
-{
- int rv;
- vec_validate_init_empty (am->macip_acl_by_sw_if_index, sw_if_index, ~0);
- am->macip_acl_by_sw_if_index[sw_if_index] = ~0;
- /* remove the classifier tables off the interface L2 ACL */
- rv = vnet_set_input_acl_intfc (am->vlib_main, sw_if_index, ~0, ~0, ~0, 0);
- return rv;
-}
-
-static int
macip_acl_del_list (u32 acl_list_index)
{
acl_main_t *am = &acl_main;