diff options
author | Andrew Yourtchenko <ayourtch@gmail.com> | 2016-12-08 20:33:19 +0100 |
---|---|---|
committer | Ole Trøan <otroan@employees.org> | 2016-12-08 21:18:38 +0000 |
commit | c9b20bc7a5399fd1e7bf2d33e7c4f1f08ef1c1e4 (patch) | |
tree | 19f1bc704800b89917c487bb209d4680d8432880 | |
parent | 32905661d1d16198d74ec4596fe95659ebf81b67 (diff) |
acl: make MACIP ACL apply/unapply/delete logic more robust
1. vnet_set_input_acl_intfc expects currently applied table ids to
remove them properly, fixed that.
2. check if the interface has MACIP ACL applied before unapplying it
3. if applying MACIP ACL to interface that has one already applied,
unapply that first.
These changes required also swapping the order of the add/del functions.
Change-Id: I179490371507b07e9dd8852000954156c318d98c
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
-rw-r--r-- | plugins/acl-plugin/acl/acl.c | 37 |
1 files changed, 26 insertions, 11 deletions
diff --git a/plugins/acl-plugin/acl/acl.c b/plugins/acl-plugin/acl/acl.c index 7b95152cbf3..8ff5a6b721c 100644 --- a/plugins/acl-plugin/acl/acl.c +++ b/plugins/acl-plugin/acl/acl.c @@ -1263,6 +1263,29 @@ macip_acl_add_list (u32 count, vl_api_macip_acl_rule_t rules[], /* No check for validity of sw_if_index - the callers were supposed to validate */ static int +macip_acl_interface_del_acl (acl_main_t * am, u32 sw_if_index) +{ + int rv; + u32 macip_acl_index; + macip_acl_list_t *a; + vec_validate_init_empty (am->macip_acl_by_sw_if_index, sw_if_index, ~0); + macip_acl_index = am->macip_acl_by_sw_if_index[sw_if_index]; + /* No point in deleting MACIP ACL which is not applied */ + if (~0 == macip_acl_index) + return -1; + a = &am->macip_acls[macip_acl_index]; + /* remove the classifier tables off the interface L2 ACL */ + rv = + vnet_set_input_acl_intfc (am->vlib_main, sw_if_index, a->ip4_table_index, + a->ip6_table_index, a->l2_table_index, 0); + /* Unset the MACIP ACL index */ + am->macip_acl_by_sw_if_index[sw_if_index] = ~0; + return rv; +} + +/* No check for validity of sw_if_index - the callers were supposed to validate */ + +static int macip_acl_interface_add_acl (acl_main_t * am, u32 sw_if_index, u32 macip_acl_index) { @@ -1274,6 +1297,9 @@ macip_acl_interface_add_acl (acl_main_t * am, u32 sw_if_index, } a = &am->macip_acls[macip_acl_index]; vec_validate_init_empty (am->macip_acl_by_sw_if_index, sw_if_index, ~0); + /* If there already a MACIP ACL applied, unapply it */ + if (~0 != am->macip_acl_by_sw_if_index[sw_if_index]) + macip_acl_interface_del_acl(am, sw_if_index); am->macip_acl_by_sw_if_index[sw_if_index] = macip_acl_index; /* Apply the classifier tables for L2 ACLs */ rv = @@ -1283,17 +1309,6 @@ macip_acl_interface_add_acl (acl_main_t * am, u32 sw_if_index, } static int -macip_acl_interface_del_acl (acl_main_t * am, u32 sw_if_index) -{ - int rv; - vec_validate_init_empty (am->macip_acl_by_sw_if_index, sw_if_index, ~0); - am->macip_acl_by_sw_if_index[sw_if_index] = ~0; - /* remove the classifier tables off the interface L2 ACL */ - rv = vnet_set_input_acl_intfc (am->vlib_main, sw_if_index, ~0, ~0, ~0, 0); - return rv; -} - -static int macip_acl_del_list (u32 acl_list_index) { acl_main_t *am = &acl_main; |