aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorPavel Kotucek <pkotucek@cisco.com>2017-03-02 15:22:47 +0100
committerOle Trøan <otroan@employees.org>2017-03-13 13:17:00 +0000
commit59dda065bb92d1588824483ed5e7cf9adb228d3a (patch)
treeb28faee1197262a038bfee4acee1568ff9c98468 /src
parent557a71c89bcc7b8dff5522f7496527a26ae5bcb4 (diff)
ACL plugin rejects ICMP messages (VPP-624)
Change-Id: I95113a277b94cce5ff332fcf9f57ec6f385acec0 Signed-off-by: Pavel Kotucek <pkotucek@cisco.com>
Diffstat (limited to 'src')
-rw-r--r--src/plugins/acl/acl.c40
1 files changed, 19 insertions, 21 deletions
diff --git a/src/plugins/acl/acl.c b/src/plugins/acl/acl.c
index 3fe084b4..b6af7380 100644
--- a/src/plugins/acl/acl.c
+++ b/src/plugins/acl/acl.c
@@ -208,10 +208,10 @@ acl_add_list (u32 count, vl_api_acl_rule_t rules[],
r->src_prefixlen = rules[i].src_ip_prefix_len;
r->dst_prefixlen = rules[i].dst_ip_prefix_len;
r->proto = rules[i].proto;
- r->src_port_or_type_first = rules[i].srcport_or_icmptype_first;
- r->src_port_or_type_last = rules[i].srcport_or_icmptype_last;
- r->dst_port_or_code_first = rules[i].dstport_or_icmpcode_first;
- r->dst_port_or_code_last = rules[i].dstport_or_icmpcode_last;
+ r->src_port_or_type_first = ntohs ( rules[i].srcport_or_icmptype_first );
+ r->src_port_or_type_last = ntohs ( rules[i].srcport_or_icmptype_last );
+ r->dst_port_or_code_first = ntohs ( rules[i].dstport_or_icmpcode_first );
+ r->dst_port_or_code_last = ntohs ( rules[i].dstport_or_icmpcode_last );
r->tcp_flags_value = rules[i].tcp_flags_value;
r->tcp_flags_mask = rules[i].tcp_flags_mask;
}
@@ -839,8 +839,8 @@ acl_packet_match (acl_main_t * am, u32 acl_index, vlib_buffer_t * b0,
int is_ip6;
int is_ip4;
u8 proto;
- u16 src_port;
- u16 dst_port;
+ u16 src_port = 0;
+ u16 dst_port = 0;
u8 tcp_flags = 0;
int i;
acl_list_t *a;
@@ -866,15 +866,13 @@ acl_packet_match (acl_main_t * am, u32 acl_index, vlib_buffer_t * b0,
{
*trace_bitmap |= 0x00000001;
/* type */
- src_port = *(u8 *) get_ptr_to_offset (b0, 34);
+ src_port = ((u16) (*(u8 *) get_ptr_to_offset (b0, 34)));
/* code */
- dst_port = *(u8 *) get_ptr_to_offset (b0, 35);
- }
- else
- {
+ dst_port = ((u16) (*(u8 *) get_ptr_to_offset (b0, 35)));
+ } else {
/* assume TCP/UDP */
- src_port = (*(u16 *) get_ptr_to_offset (b0, 34));
- dst_port = (*(u16 *) get_ptr_to_offset (b0, 36));
+ src_port = ntohs ((u16) (*(u16 *) get_ptr_to_offset (b0, 34)));
+ dst_port = ntohs ((u16) (*(u16 *) get_ptr_to_offset (b0, 36)));
/* UDP gets ability to check on an oddball data byte as a bonus */
tcp_flags = *(u8 *) get_ptr_to_offset (b0, 14 + 20 + 13);
}
@@ -888,15 +886,15 @@ acl_packet_match (acl_main_t * am, u32 acl_index, vlib_buffer_t * b0,
{
*trace_bitmap |= 0x00000002;
/* type */
- src_port = *(u8 *) get_ptr_to_offset (b0, 54);
+ src_port = (u16) (*(u8 *) get_ptr_to_offset (b0, 54));
/* code */
- dst_port = *(u8 *) get_ptr_to_offset (b0, 55);
+ dst_port = (u16) (*(u8 *) get_ptr_to_offset (b0, 55));
}
else
{
/* assume TCP/UDP */
- src_port = (*(u16 *) get_ptr_to_offset (b0, 54));
- dst_port = (*(u16 *) get_ptr_to_offset (b0, 56));
+ src_port = ntohs ((u16) (*(u16 *) get_ptr_to_offset (b0, 54)));
+ dst_port = ntohs ((u16) (*(u16 *) get_ptr_to_offset (b0, 56)));
tcp_flags = *(u8 *) get_ptr_to_offset (b0, 14 + 40 + 13);
}
}
@@ -1485,10 +1483,10 @@ copy_acl_rule_to_api_rule (vl_api_acl_rule_t * api_rule, acl_rule_t * r)
api_rule->src_ip_prefix_len = r->src_prefixlen;
api_rule->dst_ip_prefix_len = r->dst_prefixlen;
api_rule->proto = r->proto;
- api_rule->srcport_or_icmptype_first = r->src_port_or_type_first;
- api_rule->srcport_or_icmptype_last = r->src_port_or_type_last;
- api_rule->dstport_or_icmpcode_first = r->dst_port_or_code_first;
- api_rule->dstport_or_icmpcode_last = r->dst_port_or_code_last;
+ api_rule->srcport_or_icmptype_first = htons (r->src_port_or_type_first);
+ api_rule->srcport_or_icmptype_last = htons (r->src_port_or_type_last);
+ api_rule->dstport_or_icmpcode_first = htons (r->dst_port_or_code_first);
+ api_rule->dstport_or_icmpcode_last = htons (r->dst_port_or_code_last);
api_rule->tcp_flags_mask = r->tcp_flags_mask;
api_rule->tcp_flags_value = r->tcp_flags_value;
}