aboutsummaryrefslogtreecommitdiffstats
path: root/src/plugins/acl
diff options
context:
space:
mode:
authorAndrew Yourtchenko <ayourtch@gmail.com>2017-08-10 14:19:58 +0200
committerAndrew Yourtchenko <ayourtch@gmail.com>2017-08-10 16:23:45 +0000
commitfaef07fdd048cf96626daa8e09ed995af8e30f00 (patch)
tree73af12cd016db9c04ef8efe8141dc93c9473951a /src/plugins/acl
parent818eb54de01459ed3d823f8a9781bbed0845db82 (diff)
acl-plugin: hash lookup bitmask not cleared when ACL is unapplied from interface (VPP-935)
The logic in hash ACL bitmask update was using the vector of ACLs applied to the interface to rebuild the hash lookup mask. However, in transient cases (like doing group manipulation with hash ACLs), that will not hold true. Thus, make a local copy of for which ACL indices the hash_acl_apply was called previously, and maintain that one local to the hash_lookup.c file logic. Change-Id: I30187d68febce8bba2ab6ffbb1eee13b5c96a44b Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> (cherry picked from commit 1de7d7044434196610190011ebb431f054701259)
Diffstat (limited to 'src/plugins/acl')
-rw-r--r--src/plugins/acl/acl.c2
-rw-r--r--src/plugins/acl/hash_lookup.c31
-rw-r--r--src/plugins/acl/hash_lookup_types.h2
3 files changed, 31 insertions, 4 deletions
diff --git a/src/plugins/acl/acl.c b/src/plugins/acl/acl.c
index 80ef56613d4..db54d4e8a52 100644
--- a/src/plugins/acl/acl.c
+++ b/src/plugins/acl/acl.c
@@ -2377,6 +2377,7 @@ acl_show_aclplugin_fn (vlib_main_t * vm,
if (swi < vec_len(am->input_applied_hash_acl_info_by_sw_if_index)) {
applied_hash_acl_info_t *pal = &am->input_applied_hash_acl_info_by_sw_if_index[swi];
out0 = format(out0, " input lookup mask_type_index_bitmap: %U\n", format_bitmap_hex, pal->mask_type_index_bitmap);
+ out0 = format(out0, " input applied acls: %U\n", format_vec32, pal->applied_acls, "%d");
}
if (swi < vec_len(am->input_hash_entry_vec_by_sw_if_index)) {
out0 = format(out0, " input lookup applied entries:\n");
@@ -2391,6 +2392,7 @@ acl_show_aclplugin_fn (vlib_main_t * vm,
if (swi < vec_len(am->output_applied_hash_acl_info_by_sw_if_index)) {
applied_hash_acl_info_t *pal = &am->output_applied_hash_acl_info_by_sw_if_index[swi];
out0 = format(out0, " output lookup mask_type_index_bitmap: %U\n", format_bitmap_hex, pal->mask_type_index_bitmap);
+ out0 = format(out0, " output applied acls: %U\n", format_vec32, pal->applied_acls, "%d");
}
if (swi < vec_len(am->output_hash_entry_vec_by_sw_if_index)) {
out0 = format(out0, " output lookup applied entries:\n");
diff --git a/src/plugins/acl/hash_lookup.c b/src/plugins/acl/hash_lookup.c
index ae522d921cc..a2edb9f3b25 100644
--- a/src/plugins/acl/hash_lookup.c
+++ b/src/plugins/acl/hash_lookup.c
@@ -339,6 +339,16 @@ hash_acl_apply(acl_main_t *am, u32 sw_if_index, u8 is_input, int acl_index)
&am->output_applied_hash_acl_info_by_sw_if_index;
vec_validate((*applied_hash_acls), sw_if_index);
applied_hash_acl_info_t *pal = vec_elt_at_index((*applied_hash_acls), sw_if_index);
+
+ /* ensure the list of applied hash acls is initialized and add this acl# to it */
+ u32 index = vec_search(pal->applied_acls, acl_index);
+ if (index != ~0) {
+ clib_warning("BUG: trying to apply twice acl_index %d on sw_if_index %d is_input %d",
+ acl_index, sw_if_index, is_input);
+ goto done;
+ }
+ vec_add1(pal->applied_acls, acl_index);
+
pal->mask_type_index_bitmap = clib_bitmap_or(pal->mask_type_index_bitmap,
ha->mask_type_index_bitmap);
/*
@@ -369,6 +379,7 @@ hash_acl_apply(acl_main_t *am, u32 sw_if_index, u8 is_input, int acl_index)
activate_applied_ace_hash_entry(am, sw_if_index, is_input, applied_hash_aces, new_index);
}
applied_hash_entries_analyze(am, applied_hash_aces);
+done:
clib_mem_set_heap (oldheap);
}
@@ -492,14 +503,14 @@ hash_acl_build_applied_lookup_bitmap(acl_main_t *am, u32 sw_if_index, u8 is_inpu
{
int i;
uword *new_lookup_bitmap = 0;
- u32 **applied_acls = is_input ? vec_elt_at_index(am->input_acl_vec_by_sw_if_index, sw_if_index)
- : vec_elt_at_index(am->output_acl_vec_by_sw_if_index, sw_if_index);
applied_hash_acl_info_t **applied_hash_acls = is_input ? &am->input_applied_hash_acl_info_by_sw_if_index
: &am->output_applied_hash_acl_info_by_sw_if_index;
applied_hash_acl_info_t *pal = vec_elt_at_index((*applied_hash_acls), sw_if_index);
- for(i=0; i < vec_len(*applied_acls); i++) {
- u32 a_acl_index = *vec_elt_at_index((*applied_acls), i);
+ for(i=0; i < vec_len(pal->applied_acls); i++) {
+ u32 a_acl_index = *vec_elt_at_index((pal->applied_acls), i);
hash_acl_info_t *ha = vec_elt_at_index(am->hash_acl_infos, a_acl_index);
+ DBG("Update bitmask = %U or %U (acl_index %d)\n", format_bitmap_hex, new_lookup_bitmap,
+ format_bitmap_hex, ha->mask_type_index_bitmap, a_acl_index);
new_lookup_bitmap = clib_bitmap_or(new_lookup_bitmap,
ha->mask_type_index_bitmap);
}
@@ -514,6 +525,18 @@ hash_acl_unapply(acl_main_t *am, u32 sw_if_index, u8 is_input, int acl_index)
int i;
DBG("HASH ACL unapply: sw_if_index %d is_input %d acl %d", sw_if_index, is_input, acl_index);
+ applied_hash_acl_info_t **applied_hash_acls = is_input ? &am->input_applied_hash_acl_info_by_sw_if_index
+ : &am->output_applied_hash_acl_info_by_sw_if_index;
+ applied_hash_acl_info_t *pal = vec_elt_at_index((*applied_hash_acls), sw_if_index);
+
+ /* remove this acl# from the list of applied hash acls */
+ u32 index = vec_search(pal->applied_acls, acl_index);
+ if (index == ~0) {
+ clib_warning("BUG: trying to unapply unapplied acl_index %d on sw_if_index %d is_input %d",
+ acl_index, sw_if_index, is_input);
+ return;
+ }
+ vec_del1(pal->applied_acls, index);
hash_acl_info_t *ha = vec_elt_at_index(am->hash_acl_infos, acl_index);
applied_hash_ace_entry_t **applied_hash_aces = get_applied_hash_aces(am, is_input, sw_if_index);
diff --git a/src/plugins/acl/hash_lookup_types.h b/src/plugins/acl/hash_lookup_types.h
index fbc9777b83d..837cc0a802d 100644
--- a/src/plugins/acl/hash_lookup_types.h
+++ b/src/plugins/acl/hash_lookup_types.h
@@ -73,6 +73,8 @@ typedef struct {
* hash_ace_info_t=>mask_type_index bits set
*/
uword *mask_type_index_bitmap;
+ /* applied ACLs so we can track them independently from main ACL module */
+ u32 *applied_acls;
} applied_hash_acl_info_t;