diff options
Diffstat (limited to 'src/plugins/acl/acl.c')
-rw-r--r-- | src/plugins/acl/acl.c | 198 |
1 files changed, 46 insertions, 152 deletions
diff --git a/src/plugins/acl/acl.c b/src/plugins/acl/acl.c index 48678f5e48f..017eb68e313 100644 --- a/src/plugins/acl/acl.c +++ b/src/plugins/acl/acl.c @@ -24,6 +24,8 @@ #include <vnet/classify/in_out_acl.h> #include <vpp/app/version.h> +#include <vnet/ethernet/ethernet_types_api.h> + #include <vlibapi/api.h> #include <vlibmemory/api.h> @@ -342,47 +344,10 @@ validate_and_reset_acl_counters (acl_main_t * am, u32 acl_index) } static int -acl_api_ip4_invalid_prefix (void *ip4_pref_raw, u8 ip4_prefix_len) +acl_api_invalid_prefix (const vl_api_prefix_t * prefix) { - ip4_address_t ip4_addr; - ip4_address_t ip4_mask; - ip4_address_t ip4_masked_addr; - - memcpy (&ip4_addr, ip4_pref_raw, sizeof (ip4_addr)); - ip4_preflen_to_mask (ip4_prefix_len, &ip4_mask); - ip4_masked_addr.as_u32 = ip4_addr.as_u32 & ip4_mask.as_u32; - int ret = (ip4_masked_addr.as_u32 != ip4_addr.as_u32); - if (ret) - { - clib_warning - ("inconsistent addr %U for prefix len %d; (%U when masked)", - format_ip4_address, ip4_pref_raw, ip4_prefix_len, format_ip4_address, - &ip4_masked_addr); - } - return ret; -} - -static int -acl_api_ip6_invalid_prefix (void *ip6_pref_raw, u8 ip6_prefix_len) -{ - ip6_address_t ip6_addr; - ip6_address_t ip6_mask; - ip6_address_t ip6_masked_addr; - - memcpy (&ip6_addr, ip6_pref_raw, sizeof (ip6_addr)); - ip6_preflen_to_mask (ip6_prefix_len, &ip6_mask); - ip6_masked_addr.as_u64[0] = ip6_addr.as_u64[0] & ip6_mask.as_u64[0]; - ip6_masked_addr.as_u64[1] = ip6_addr.as_u64[1] & ip6_mask.as_u64[1]; - int ret = ((ip6_masked_addr.as_u64[0] != ip6_addr.as_u64[0]) - || (ip6_masked_addr.as_u64[1] != ip6_addr.as_u64[1])); - if (ret) - { - clib_warning - ("inconsistent addr %U for prefix len %d; (%U when masked)", - format_ip6_address, ip6_pref_raw, ip6_prefix_len, format_ip6_address, - &ip6_masked_addr); - } - return ret; + ip_prefix_t ip_prefix; + return ip_prefix_decode2 (prefix, &ip_prefix); } static int @@ -402,32 +367,10 @@ acl_add_list (u32 count, vl_api_acl_rule_t rules[], /* check if what they request is consistent */ for (i = 0; i < count; i++) { - if (rules[i].is_ipv6) - { - if (rules[i].src_ip_prefix_len > 128) - return VNET_API_ERROR_INVALID_VALUE; - if (rules[i].dst_ip_prefix_len > 128) - return VNET_API_ERROR_INVALID_VALUE; - if (acl_api_ip6_invalid_prefix - (&rules[i].src_ip_addr, rules[i].src_ip_prefix_len)) - return VNET_API_ERROR_INVALID_SRC_ADDRESS; - if (acl_api_ip6_invalid_prefix - (&rules[i].dst_ip_addr, rules[i].dst_ip_prefix_len)) - return VNET_API_ERROR_INVALID_DST_ADDRESS; - } - else - { - if (rules[i].src_ip_prefix_len > 32) - return VNET_API_ERROR_INVALID_VALUE; - if (rules[i].dst_ip_prefix_len > 32) - return VNET_API_ERROR_INVALID_VALUE; - if (acl_api_ip4_invalid_prefix - (&rules[i].src_ip_addr, rules[i].src_ip_prefix_len)) - return VNET_API_ERROR_INVALID_SRC_ADDRESS; - if (acl_api_ip4_invalid_prefix - (&rules[i].dst_ip_addr, rules[i].dst_ip_prefix_len)) - return VNET_API_ERROR_INVALID_DST_ADDRESS; - } + if (acl_api_invalid_prefix (&rules[i].src_prefix)) + return VNET_API_ERROR_INVALID_SRC_ADDRESS; + if (acl_api_invalid_prefix (&rules[i].dst_prefix)) + return VNET_API_ERROR_INVALID_DST_ADDRESS; if (ntohs (rules[i].srcport_or_icmptype_first) > ntohs (rules[i].srcport_or_icmptype_last)) return VNET_API_ERROR_INVALID_VALUE_2; @@ -466,19 +409,11 @@ acl_add_list (u32 count, vl_api_acl_rule_t rules[], r = vec_elt_at_index (acl_new_rules, i); clib_memset (r, 0, sizeof (*r)); r->is_permit = rules[i].is_permit; - r->is_ipv6 = rules[i].is_ipv6; - if (r->is_ipv6) - { - memcpy (&r->src, rules[i].src_ip_addr, sizeof (r->src)); - memcpy (&r->dst, rules[i].dst_ip_addr, sizeof (r->dst)); - } - else - { - memcpy (&r->src.ip4, rules[i].src_ip_addr, sizeof (r->src.ip4)); - memcpy (&r->dst.ip4, rules[i].dst_ip_addr, sizeof (r->dst.ip4)); - } - r->src_prefixlen = rules[i].src_ip_prefix_len; - r->dst_prefixlen = rules[i].dst_ip_prefix_len; + r->is_ipv6 = rules[i].src_prefix.address.af; + ip_address_decode (&rules[i].src_prefix.address, &r->src); + ip_address_decode (&rules[i].dst_prefix.address, &r->dst); + r->src_prefixlen = rules[i].src_prefix.len; + r->dst_prefixlen = rules[i].dst_prefix.len; r->proto = rules[i].proto; r->src_port_or_type_first = ntohs (rules[i].srcport_or_icmptype_first); r->src_port_or_type_last = ntohs (rules[i].srcport_or_icmptype_last); @@ -1714,14 +1649,12 @@ macip_acl_add_list (u32 count, vl_api_macip_acl_rule_t rules[], { r = &acl_new_rules[i]; r->is_permit = rules[i].is_permit; - r->is_ipv6 = rules[i].is_ipv6; - memcpy (&r->src_mac, rules[i].src_mac, 6); - memcpy (&r->src_mac_mask, rules[i].src_mac_mask, 6); - if (rules[i].is_ipv6) - memcpy (&r->src_ip_addr.ip6, rules[i].src_ip_addr, 16); - else - memcpy (&r->src_ip_addr.ip4, rules[i].src_ip_addr, 4); - r->src_prefixlen = rules[i].src_ip_prefix_len; + r->is_ipv6 = rules[i].src_prefix.address.af; + mac_address_decode (rules[i].src_mac, (mac_address_t *) & r->src_mac); + mac_address_decode (rules[i].src_mac_mask, + (mac_address_t *) & r->src_mac_mask); + ip_address_decode (&rules[i].src_prefix.address, &r->src_ip_addr); + r->src_prefixlen = rules[i].src_prefix.len; } if (~0 == *acl_list_index) @@ -2046,19 +1979,12 @@ static void copy_acl_rule_to_api_rule (vl_api_acl_rule_t * api_rule, acl_rule_t * r) { api_rule->is_permit = r->is_permit; - api_rule->is_ipv6 = r->is_ipv6; - if (r->is_ipv6) - { - memcpy (api_rule->src_ip_addr, &r->src, sizeof (r->src)); - memcpy (api_rule->dst_ip_addr, &r->dst, sizeof (r->dst)); - } - else - { - memcpy (api_rule->src_ip_addr, &r->src.ip4, sizeof (r->src.ip4)); - memcpy (api_rule->dst_ip_addr, &r->dst.ip4, sizeof (r->dst.ip4)); - } - api_rule->src_ip_prefix_len = r->src_prefixlen; - api_rule->dst_ip_prefix_len = r->dst_prefixlen; + ip_address_encode (&r->src, r->is_ipv6 ? IP46_TYPE_IP6 : IP46_TYPE_IP4, + &api_rule->src_prefix.address); + ip_address_encode (&r->dst, r->is_ipv6 ? IP46_TYPE_IP6 : IP46_TYPE_IP4, + &api_rule->dst_prefix.address); + api_rule->src_prefix.len = r->src_prefixlen; + api_rule->dst_prefix.len = r->dst_prefixlen; api_rule->proto = r->proto; api_rule->srcport_or_icmptype_first = htons (r->src_port_or_type_first); api_rule->srcport_or_icmptype_last = htons (r->src_port_or_type_last); @@ -2333,17 +2259,14 @@ send_macip_acl_details (acl_main_t * am, vl_api_registration_t * reg, { r = &acl->rules[i]; rules[i].is_permit = r->is_permit; - rules[i].is_ipv6 = r->is_ipv6; - memcpy (rules[i].src_mac, &r->src_mac, sizeof (r->src_mac)); - memcpy (rules[i].src_mac_mask, &r->src_mac_mask, - sizeof (r->src_mac_mask)); - if (r->is_ipv6) - memcpy (rules[i].src_ip_addr, &r->src_ip_addr.ip6, - sizeof (r->src_ip_addr.ip6)); - else - memcpy (rules[i].src_ip_addr, &r->src_ip_addr.ip4, - sizeof (r->src_ip_addr.ip4)); - rules[i].src_ip_prefix_len = r->src_prefixlen; + mac_address_encode ((mac_address_t *) & r->src_mac, + rules[i].src_mac); + mac_address_encode ((mac_address_t *) & r->src_mac_mask, + rules[i].src_mac_mask); + ip_address_encode (&r->src_ip_addr, + r->is_ipv6 ? IP46_TYPE_IP6 : IP46_TYPE_IP4, + &rules[i].src_prefix.address); + rules[i].src_prefix.len = r->src_prefixlen; } } else @@ -2994,8 +2917,7 @@ acl_set_aclplugin_acl_fn (vlib_main_t * vm, u32 action = 0; u32 tcpflags, tcpmask; u32 src_prefix_length = 0, dst_prefix_length = 0; - ip4_address_t src_v4address, dst_v4address; - ip6_address_t src_v6address, dst_v6address; + ip46_address_t src, dst; u8 *tag = (u8 *) "cli"; if (!unformat_user (input, unformat_line_input, line_input)) @@ -3003,17 +2925,7 @@ acl_set_aclplugin_acl_fn (vlib_main_t * vm, while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT) { - if (unformat (line_input, "ipv6")) - { - vec_validate_acl_rules (rules, rule_idx); - rules[rule_idx].is_ipv6 = 1; - } - else if (unformat (line_input, "ipv4")) - { - vec_validate_acl_rules (rules, rule_idx); - rules[rule_idx].is_ipv6 = 0; - } - else if (unformat (line_input, "permit+reflect")) + if (unformat (line_input, "permit+reflect")) { vec_validate_acl_rules (rules, rule_idx); rules[rule_idx].is_permit = 2; @@ -3038,40 +2950,22 @@ acl_set_aclplugin_acl_fn (vlib_main_t * vm, rules[rule_idx].is_permit = action; } else if (unformat (line_input, "src %U/%d", - unformat_ip4_address, &src_v4address, - &src_prefix_length)) - { - vec_validate_acl_rules (rules, rule_idx); - memcpy (rules[rule_idx].src_ip_addr, &src_v4address, 4); - rules[rule_idx].src_ip_prefix_len = src_prefix_length; - rules[rule_idx].is_ipv6 = 0; - } - else if (unformat (line_input, "src %U/%d", - unformat_ip6_address, &src_v6address, - &src_prefix_length)) - { - vec_validate_acl_rules (rules, rule_idx); - memcpy (rules[rule_idx].src_ip_addr, &src_v6address, 16); - rules[rule_idx].src_ip_prefix_len = src_prefix_length; - rules[rule_idx].is_ipv6 = 1; - } - else if (unformat (line_input, "dst %U/%d", - unformat_ip4_address, &dst_v4address, - &dst_prefix_length)) + unformat_ip46_address, &src, &src_prefix_length)) { vec_validate_acl_rules (rules, rule_idx); - memcpy (rules[rule_idx].dst_ip_addr, &dst_v4address, 4); - rules[rule_idx].dst_ip_prefix_len = dst_prefix_length; - rules[rule_idx].is_ipv6 = 0; + ip_address_encode (&src, IP46_TYPE_ANY, + &rules[rule_idx].src_prefix.address); + rules[rule_idx].src_prefix.address.af = ADDRESS_IP4; + rules[rule_idx].src_prefix.len = src_prefix_length; } else if (unformat (line_input, "dst %U/%d", - unformat_ip6_address, &dst_v6address, - &dst_prefix_length)) + unformat_ip46_address, &dst, &dst_prefix_length)) { vec_validate_acl_rules (rules, rule_idx); - memcpy (rules[rule_idx].dst_ip_addr, &dst_v6address, 16); - rules[rule_idx].dst_ip_prefix_len = dst_prefix_length; - rules[rule_idx].is_ipv6 = 1; + ip_address_encode (&dst, IP46_TYPE_ANY, + &rules[rule_idx].dst_prefix.address); + rules[rule_idx].dst_prefix.address.af = ADDRESS_IP4; + rules[rule_idx].dst_prefix.len = dst_prefix_length; } else if (unformat (line_input, "sport %d-%d", &port1, &port2)) { |