author | Pavel Kotucek <pkotucek@cisco.com> | 2017-03-02 15:22:47 +0100 |
---|---|---|
committer | Ole Trøan <otroan@employees.org> | 2017-03-13 13:17:00 +0000 |
commit | 59dda065bb92d1588824483ed5e7cf9adb228d3a (patch) | |
tree | b28faee1197262a038bfee4acee1568ff9c98468 /src | |
parent | 557a71c89bcc7b8dff5522f7496527a26ae5bcb4 (diff) |
ACL plugin rejects ICMP messages (VPP-624)
Change-Id: I95113a277b94cce5ff332fcf9f57ec6f385acec0
Signed-off-by: Pavel Kotucek <pkotucek@cisco.com>
Diffstat (limited to 'src')
-rw-r--r-- | src/plugins/acl/acl.c | 40 |
1 files changed, 19 insertions, 21 deletions
diff --git a/src/plugins/acl/acl.c b/src/plugins/acl/acl.c
index 3fe084b4..b6af7380 100644
--- a/src/plugins/acl/acl.c
+++ b/src/plugins/acl/acl.c
@@ -208,10 +208,10 @@ acl_add_list (u32 count, vl_api_acl_rule_t rules[],
 r->src_prefixlen = rules[i].src_ip_prefix_len;
 r->dst_prefixlen = rules[i].dst_ip_prefix_len;
 r->proto = rules[i].proto;
- r->src_port_or_type_first = rules[i].srcport_or_icmptype_first;
- r->src_port_or_type_last = rules[i].srcport_or_icmptype_last;
- r->dst_port_or_code_first = rules[i].dstport_or_icmpcode_first;
- r->dst_port_or_code_last = rules[i].dstport_or_icmpcode_last;
+ r->src_port_or_type_first = ntohs ( rules[i].srcport_or_icmptype_first );
+ r->src_port_or_type_last = ntohs ( rules[i].srcport_or_icmptype_last );
+ r->dst_port_or_code_first = ntohs ( rules[i].dstport_or_icmpcode_first );
+ r->dst_port_or_code_last = ntohs ( rules[i].dstport_or_icmpcode_last );
 r->tcp_flags_value = rules[i].tcp_flags_value;
 r->tcp_flags_mask = rules[i].tcp_flags_mask;
 }
@@ -839,8 +839,8 @@ acl_packet_match (acl_main_t * am, u32 acl_index, vlib_buffer_t * b0,
 int is_ip6;
 int is_ip4;
 u8 proto;
- u16 src_port;
- u16 dst_port;
+ u16 src_port = 0;
+ u16 dst_port = 0;
 u8 tcp_flags = 0;
 int i;
 acl_list_t *a;
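Review bot: The four `ntohs ( ... )` conversions in acl_add_list change which byte order an API client has to send, and nothing at this site records that; a client still sending host-order values on a little-endian host would get port 80 stored as 20480, so the rule is accepted but matches different traffic than intended. I would add a comment above the block such as `/* API carries port and ICMP type/code ranges in network byte order; rules are stored in host order */`, with the mirror-image note on the `htons` lines in copy_acl_rule_to_api_rule (hunk at -1485). ICMP type and code are 8-bit values carried in these 16-bit fields, so the comment should say they go through the same 16-bit conversion. Minor: `ntohs ( x )` pads the parentheses, whereas the htons hunk writes `htons (x)`. The body of acl_add_list starts and ends outside the hunk.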
@@ -866,15 +866,13 @@ acl_packet_match (acl_main_t * am, u32 acl_index, vlib_buffer_t * b0,
 {
 *trace_bitmap |= 0x00000001;
 /* type */
- src_port = *(u8 *) get_ptr_to_offset (b0, 34);
+ src_port = ((u16) (*(u8 *) get_ptr_to_offset (b0, 34)));
 /* code */
- dst_port = *(u8 *) get_ptr_to_offset (b0, 35);
- }
- else
- {
+ dst_port = ((u16) (*(u8 *) get_ptr_to_offset (b0, 35)));
+ } else {
 /* assume TCP/UDP */
- src_port = (*(u16 *) get_ptr_to_offset (b0, 34));
- dst_port = (*(u16 *) get_ptr_to_offset (b0, 36));
+ src_port = ntohs ((u16) (*(u16 *) get_ptr_to_offset (b0, 34)));
+ dst_port = ntohs ((u16) (*(u16 *) get_ptr_to_offset (b0, 36)));
 /* UDP gets ability to check on an oddball data byte as a bonus */
 tcp_flags = *(u8 *) get_ptr_to_offset (b0, 14 + 20 + 13);
 }
@@ -888,15 +886,15 @@ acl_packet_match (acl_main_t * am, u32 acl_index, vlib_buffer_t * b0,
 {
 *trace_bitmap |= 0x00000002;
 /* type */
- src_port = *(u8 *) get_ptr_to_offset (b0, 54);
+ src_port = (u16) (*(u8 *) get_ptr_to_offset (b0, 54));
 /* code */
- dst_port = *(u8 *) get_ptr_to_offset (b0, 55);
+ dst_port = (u16) (*(u8 *) get_ptr_to_offset (b0, 55));
 }
 else
 {
 /* assume TCP/UDP */
- src_port = (*(u16 *) get_ptr_to_offset (b0, 54));
- dst_port = (*(u16 *) get_ptr_to_offset (b0, 56));
+ src_port = ntohs ((u16) (*(u16 *) get_ptr_to_offset (b0, 54)));
+ dst_port = ntohs ((u16) (*(u16 *) get_ptr_to_offset (b0, 56)));
 tcp_flags = *(u8 *) get_ptr_to_offset (b0, 14 + 40 + 13);
 }
 }
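Review bot: The rewritten reads in the IPv4 branch still take the L4 fields from fixed offsets 34/35/36, i.e. 14 + 20 as the `tcp_flags` line spells out, so a packet whose IPv4 header carries options (IHL > 5) has its ports or ICMP type/code read from the option bytes and can be matched against the wrong rule. Unless the IHL is checked earlier in acl_packet_match, outside this hunk, the offset should come from the header, for example `l4 = 14 + ((*(u8 *) get_ptr_to_offset (b0, 14) & 0x0f) << 2);`, with the reads using `l4`, `l4 + 1` and `l4 + 2`. The IPv6 hunk at -888 has the same shape with 54/55/56 (14 + 40), which allows for no extension headers. The `else` branch also treats every non-ICMP protocol as TCP/UDP, per its own comment, so for other protocols the "ports" are whatever bytes follow the IP header.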
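Review bot: The `(u16)` cast in `ntohs ((u16) (*(u16 *) get_ptr_to_offset (b0, 54)))` is a no-op, since the dereference already yields a u16, and the u8 reads are widened by the assignment anyway; `src_port = ntohs (*(u16 *) get_ptr_to_offset (b0, 54));` reads more easily. The two address families are also written differently in this commit: the IPv4 hunk wraps the ICMP reads in an extra pair of parentheses and collapses the branch to `} else {`, while this hunk keeps `}` / `else` / `{` on separate lines. Picking one form, presumably the three-line one the surrounding code already uses, would keep the IPv4 and IPv6 paths visually parallel and make later edits to one easier to mirror in the other.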
@@ -1485,10 +1483,10 @@ copy_acl_rule_to_api_rule (vl_api_acl_rule_t * api_rule, acl_rule_t * r)
 api_rule->src_ip_prefix_len = r->src_prefixlen;
 api_rule->dst_ip_prefix_len = r->dst_prefixlen;
 api_rule->proto = r->proto;
- api_rule->srcport_or_icmptype_first = r->src_port_or_type_first;
- api_rule->srcport_or_icmptype_last = r->src_port_or_type_last;
- api_rule->dstport_or_icmpcode_first = r->dst_port_or_code_first;
- api_rule->dstport_or_icmpcode_last = r->dst_port_or_code_last;
+ api_rule->srcport_or_icmptype_first = htons (r->src_port_or_type_first);
+ api_rule->srcport_or_icmptype_last = htons (r->src_port_or_type_last);
+ api_rule->dstport_or_icmpcode_first = htons (r->dst_port_or_code_first);
+ api_rule->dstport_or_icmpcode_last = htons (r->dst_port_or_code_last);
 api_rule->tcp_flags_mask = r->tcp_flags_mask;
 api_rule->tcp_flags_value = r->tcp_flags_value;
 } |