From 59dda065bb92d1588824483ed5e7cf9adb228d3a Mon Sep 17 00:00:00 2001 From: Pavel Kotucek Date: Thu, 2 Mar 2017 15:22:47 +0100 Subject: ACL plugin rejects ICMP messages (VPP-624) Change-Id: I95113a277b94cce5ff332fcf9f57ec6f385acec0 Signed-off-by: Pavel Kotucek --- src/plugins/acl/acl.c | 40 +++++++++++++++++++--------------------- 1 file changed, 19 insertions(+), 21 deletions(-) (limited to 'src/plugins/acl') diff --git a/src/plugins/acl/acl.c b/src/plugins/acl/acl.c index 3fe084b4..b6af7380 100644 --- a/src/plugins/acl/acl.c +++ b/src/plugins/acl/acl.c @@ -208,10 +208,10 @@ acl_add_list (u32 count, vl_api_acl_rule_t rules[], r->src_prefixlen = rules[i].src_ip_prefix_len; r->dst_prefixlen = rules[i].dst_ip_prefix_len; r->proto = rules[i].proto; - r->src_port_or_type_first = rules[i].srcport_or_icmptype_first; - r->src_port_or_type_last = rules[i].srcport_or_icmptype_last; - r->dst_port_or_code_first = rules[i].dstport_or_icmpcode_first; - r->dst_port_or_code_last = rules[i].dstport_or_icmpcode_last; + r->src_port_or_type_first = ntohs ( rules[i].srcport_or_icmptype_first ); + r->src_port_or_type_last = ntohs ( rules[i].srcport_or_icmptype_last ); + r->dst_port_or_code_first = ntohs ( rules[i].dstport_or_icmpcode_first ); + r->dst_port_or_code_last = ntohs ( rules[i].dstport_or_icmpcode_last ); r->tcp_flags_value = rules[i].tcp_flags_value; r->tcp_flags_mask = rules[i].tcp_flags_mask; } @@ -839,8 +839,8 @@ acl_packet_match (acl_main_t * am, u32 acl_index, vlib_buffer_t * b0, int is_ip6; int is_ip4; u8 proto; - u16 src_port; - u16 dst_port; + u16 src_port = 0; + u16 dst_port = 0; u8 tcp_flags = 0; int i; acl_list_t *a; @@ -866,15 +866,13 @@ acl_packet_match (acl_main_t * am, u32 acl_index, vlib_buffer_t * b0, { *trace_bitmap |= 0x00000001; /* type */ - src_port = *(u8 *) get_ptr_to_offset (b0, 34); + src_port = ((u16) (*(u8 *) get_ptr_to_offset (b0, 34))); /* code */ - dst_port = *(u8 *) get_ptr_to_offset (b0, 35); - } - else - { + dst_port = ((u16) (*(u8 *) get_ptr_to_offset (b0, 35))); + } else { /* assume TCP/UDP */ - src_port = (*(u16 *) get_ptr_to_offset (b0, 34)); - dst_port = (*(u16 *) get_ptr_to_offset (b0, 36)); + src_port = ntohs ((u16) (*(u16 *) get_ptr_to_offset (b0, 34))); + dst_port = ntohs ((u16) (*(u16 *) get_ptr_to_offset (b0, 36))); /* UDP gets ability to check on an oddball data byte as a bonus */ tcp_flags = *(u8 *) get_ptr_to_offset (b0, 14 + 20 + 13); } @@ -888,15 +886,15 @@ acl_packet_match (acl_main_t * am, u32 acl_index, vlib_buffer_t * b0, { *trace_bitmap |= 0x00000002; /* type */ - src_port = *(u8 *) get_ptr_to_offset (b0, 54); + src_port = (u16) (*(u8 *) get_ptr_to_offset (b0, 54)); /* code */ - dst_port = *(u8 *) get_ptr_to_offset (b0, 55); + dst_port = (u16) (*(u8 *) get_ptr_to_offset (b0, 55)); } else { /* assume TCP/UDP */ - src_port = (*(u16 *) get_ptr_to_offset (b0, 54)); - dst_port = (*(u16 *) get_ptr_to_offset (b0, 56)); + src_port = ntohs ((u16) (*(u16 *) get_ptr_to_offset (b0, 54))); + dst_port = ntohs ((u16) (*(u16 *) get_ptr_to_offset (b0, 56))); tcp_flags = *(u8 *) get_ptr_to_offset (b0, 14 + 40 + 13); } } @@ -1485,10 +1483,10 @@ copy_acl_rule_to_api_rule (vl_api_acl_rule_t * api_rule, acl_rule_t * r) api_rule->src_ip_prefix_len = r->src_prefixlen; api_rule->dst_ip_prefix_len = r->dst_prefixlen; api_rule->proto = r->proto; - api_rule->srcport_or_icmptype_first = r->src_port_or_type_first; - api_rule->srcport_or_icmptype_last = r->src_port_or_type_last; - api_rule->dstport_or_icmpcode_first = r->dst_port_or_code_first; - api_rule->dstport_or_icmpcode_last = r->dst_port_or_code_last; + api_rule->srcport_or_icmptype_first = htons (r->src_port_or_type_first); + api_rule->srcport_or_icmptype_last = htons (r->src_port_or_type_last); + api_rule->dstport_or_icmpcode_first = htons (r->dst_port_or_code_first); + api_rule->dstport_or_icmpcode_last = htons (r->dst_port_or_code_last); api_rule->tcp_flags_mask = r->tcp_flags_mask; api_rule->tcp_flags_value = r->tcp_flags_value; } -- cgit 1.2.3-korg