summaryrefslogtreecommitdiffstats
path: root/src/plugins/acl/acl.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/plugins/acl/acl.c')
-rw-r--r--src/plugins/acl/acl.c198
1 files changed, 46 insertions, 152 deletions
diff --git a/src/plugins/acl/acl.c b/src/plugins/acl/acl.c
index 48678f5e48f..017eb68e313 100644
--- a/src/plugins/acl/acl.c
+++ b/src/plugins/acl/acl.c
@@ -24,6 +24,8 @@
#include <vnet/classify/in_out_acl.h>
#include <vpp/app/version.h>
+#include <vnet/ethernet/ethernet_types_api.h>
+
#include <vlibapi/api.h>
#include <vlibmemory/api.h>
@@ -342,47 +344,10 @@ validate_and_reset_acl_counters (acl_main_t * am, u32 acl_index)
}
static int
-acl_api_ip4_invalid_prefix (void *ip4_pref_raw, u8 ip4_prefix_len)
+acl_api_invalid_prefix (const vl_api_prefix_t * prefix)
{
- ip4_address_t ip4_addr;
- ip4_address_t ip4_mask;
- ip4_address_t ip4_masked_addr;
-
- memcpy (&ip4_addr, ip4_pref_raw, sizeof (ip4_addr));
- ip4_preflen_to_mask (ip4_prefix_len, &ip4_mask);
- ip4_masked_addr.as_u32 = ip4_addr.as_u32 & ip4_mask.as_u32;
- int ret = (ip4_masked_addr.as_u32 != ip4_addr.as_u32);
- if (ret)
- {
- clib_warning
- ("inconsistent addr %U for prefix len %d; (%U when masked)",
- format_ip4_address, ip4_pref_raw, ip4_prefix_len, format_ip4_address,
- &ip4_masked_addr);
- }
- return ret;
-}
-
-static int
-acl_api_ip6_invalid_prefix (void *ip6_pref_raw, u8 ip6_prefix_len)
-{
- ip6_address_t ip6_addr;
- ip6_address_t ip6_mask;
- ip6_address_t ip6_masked_addr;
-
- memcpy (&ip6_addr, ip6_pref_raw, sizeof (ip6_addr));
- ip6_preflen_to_mask (ip6_prefix_len, &ip6_mask);
- ip6_masked_addr.as_u64[0] = ip6_addr.as_u64[0] & ip6_mask.as_u64[0];
- ip6_masked_addr.as_u64[1] = ip6_addr.as_u64[1] & ip6_mask.as_u64[1];
- int ret = ((ip6_masked_addr.as_u64[0] != ip6_addr.as_u64[0])
- || (ip6_masked_addr.as_u64[1] != ip6_addr.as_u64[1]));
- if (ret)
- {
- clib_warning
- ("inconsistent addr %U for prefix len %d; (%U when masked)",
- format_ip6_address, ip6_pref_raw, ip6_prefix_len, format_ip6_address,
- &ip6_masked_addr);
- }
- return ret;
+ ip_prefix_t ip_prefix;
+ return ip_prefix_decode2 (prefix, &ip_prefix);
}
static int
@@ -402,32 +367,10 @@ acl_add_list (u32 count, vl_api_acl_rule_t rules[],
/* check if what they request is consistent */
for (i = 0; i < count; i++)
{
- if (rules[i].is_ipv6)
- {
- if (rules[i].src_ip_prefix_len > 128)
- return VNET_API_ERROR_INVALID_VALUE;
- if (rules[i].dst_ip_prefix_len > 128)
- return VNET_API_ERROR_INVALID_VALUE;
- if (acl_api_ip6_invalid_prefix
- (&rules[i].src_ip_addr, rules[i].src_ip_prefix_len))
- return VNET_API_ERROR_INVALID_SRC_ADDRESS;
- if (acl_api_ip6_invalid_prefix
- (&rules[i].dst_ip_addr, rules[i].dst_ip_prefix_len))
- return VNET_API_ERROR_INVALID_DST_ADDRESS;
- }
- else
- {
- if (rules[i].src_ip_prefix_len > 32)
- return VNET_API_ERROR_INVALID_VALUE;
- if (rules[i].dst_ip_prefix_len > 32)
- return VNET_API_ERROR_INVALID_VALUE;
- if (acl_api_ip4_invalid_prefix
- (&rules[i].src_ip_addr, rules[i].src_ip_prefix_len))
- return VNET_API_ERROR_INVALID_SRC_ADDRESS;
- if (acl_api_ip4_invalid_prefix
- (&rules[i].dst_ip_addr, rules[i].dst_ip_prefix_len))
- return VNET_API_ERROR_INVALID_DST_ADDRESS;
- }
+ if (acl_api_invalid_prefix (&rules[i].src_prefix))
+ return VNET_API_ERROR_INVALID_SRC_ADDRESS;
+ if (acl_api_invalid_prefix (&rules[i].dst_prefix))
+ return VNET_API_ERROR_INVALID_DST_ADDRESS;
if (ntohs (rules[i].srcport_or_icmptype_first) >
ntohs (rules[i].srcport_or_icmptype_last))
return VNET_API_ERROR_INVALID_VALUE_2;
@@ -466,19 +409,11 @@ acl_add_list (u32 count, vl_api_acl_rule_t rules[],
r = vec_elt_at_index (acl_new_rules, i);
clib_memset (r, 0, sizeof (*r));
r->is_permit = rules[i].is_permit;
- r->is_ipv6 = rules[i].is_ipv6;
- if (r->is_ipv6)
- {
- memcpy (&r->src, rules[i].src_ip_addr, sizeof (r->src));
- memcpy (&r->dst, rules[i].dst_ip_addr, sizeof (r->dst));
- }
- else
- {
- memcpy (&r->src.ip4, rules[i].src_ip_addr, sizeof (r->src.ip4));
- memcpy (&r->dst.ip4, rules[i].dst_ip_addr, sizeof (r->dst.ip4));
- }
- r->src_prefixlen = rules[i].src_ip_prefix_len;
- r->dst_prefixlen = rules[i].dst_ip_prefix_len;
+ r->is_ipv6 = rules[i].src_prefix.address.af;
+ ip_address_decode (&rules[i].src_prefix.address, &r->src);
+ ip_address_decode (&rules[i].dst_prefix.address, &r->dst);
+ r->src_prefixlen = rules[i].src_prefix.len;
+ r->dst_prefixlen = rules[i].dst_prefix.len;
r->proto = rules[i].proto;
r->src_port_or_type_first = ntohs (rules[i].srcport_or_icmptype_first);
r->src_port_or_type_last = ntohs (rules[i].srcport_or_icmptype_last);
@@ -1714,14 +1649,12 @@ macip_acl_add_list (u32 count, vl_api_macip_acl_rule_t rules[],
{
r = &acl_new_rules[i];
r->is_permit = rules[i].is_permit;
- r->is_ipv6 = rules[i].is_ipv6;
- memcpy (&r->src_mac, rules[i].src_mac, 6);
- memcpy (&r->src_mac_mask, rules[i].src_mac_mask, 6);
- if (rules[i].is_ipv6)
- memcpy (&r->src_ip_addr.ip6, rules[i].src_ip_addr, 16);
- else
- memcpy (&r->src_ip_addr.ip4, rules[i].src_ip_addr, 4);
- r->src_prefixlen = rules[i].src_ip_prefix_len;
+ r->is_ipv6 = rules[i].src_prefix.address.af;
+ mac_address_decode (rules[i].src_mac, (mac_address_t *) & r->src_mac);
+ mac_address_decode (rules[i].src_mac_mask,
+ (mac_address_t *) & r->src_mac_mask);
+ ip_address_decode (&rules[i].src_prefix.address, &r->src_ip_addr);
+ r->src_prefixlen = rules[i].src_prefix.len;
}
if (~0 == *acl_list_index)
@@ -2046,19 +1979,12 @@ static void
copy_acl_rule_to_api_rule (vl_api_acl_rule_t * api_rule, acl_rule_t * r)
{
api_rule->is_permit = r->is_permit;
- api_rule->is_ipv6 = r->is_ipv6;
- if (r->is_ipv6)
- {
- memcpy (api_rule->src_ip_addr, &r->src, sizeof (r->src));
- memcpy (api_rule->dst_ip_addr, &r->dst, sizeof (r->dst));
- }
- else
- {
- memcpy (api_rule->src_ip_addr, &r->src.ip4, sizeof (r->src.ip4));
- memcpy (api_rule->dst_ip_addr, &r->dst.ip4, sizeof (r->dst.ip4));
- }
- api_rule->src_ip_prefix_len = r->src_prefixlen;
- api_rule->dst_ip_prefix_len = r->dst_prefixlen;
+ ip_address_encode (&r->src, r->is_ipv6 ? IP46_TYPE_IP6 : IP46_TYPE_IP4,
+ &api_rule->src_prefix.address);
+ ip_address_encode (&r->dst, r->is_ipv6 ? IP46_TYPE_IP6 : IP46_TYPE_IP4,
+ &api_rule->dst_prefix.address);
+ api_rule->src_prefix.len = r->src_prefixlen;
+ api_rule->dst_prefix.len = r->dst_prefixlen;
api_rule->proto = r->proto;
api_rule->srcport_or_icmptype_first = htons (r->src_port_or_type_first);
api_rule->srcport_or_icmptype_last = htons (r->src_port_or_type_last);
@@ -2333,17 +2259,14 @@ send_macip_acl_details (acl_main_t * am, vl_api_registration_t * reg,
{
r = &acl->rules[i];
rules[i].is_permit = r->is_permit;
- rules[i].is_ipv6 = r->is_ipv6;
- memcpy (rules[i].src_mac, &r->src_mac, sizeof (r->src_mac));
- memcpy (rules[i].src_mac_mask, &r->src_mac_mask,
- sizeof (r->src_mac_mask));
- if (r->is_ipv6)
- memcpy (rules[i].src_ip_addr, &r->src_ip_addr.ip6,
- sizeof (r->src_ip_addr.ip6));
- else
- memcpy (rules[i].src_ip_addr, &r->src_ip_addr.ip4,
- sizeof (r->src_ip_addr.ip4));
- rules[i].src_ip_prefix_len = r->src_prefixlen;
+ mac_address_encode ((mac_address_t *) & r->src_mac,
+ rules[i].src_mac);
+ mac_address_encode ((mac_address_t *) & r->src_mac_mask,
+ rules[i].src_mac_mask);
+ ip_address_encode (&r->src_ip_addr,
+ r->is_ipv6 ? IP46_TYPE_IP6 : IP46_TYPE_IP4,
+ &rules[i].src_prefix.address);
+ rules[i].src_prefix.len = r->src_prefixlen;
}
}
else
@@ -2994,8 +2917,7 @@ acl_set_aclplugin_acl_fn (vlib_main_t * vm,
u32 action = 0;
u32 tcpflags, tcpmask;
u32 src_prefix_length = 0, dst_prefix_length = 0;
- ip4_address_t src_v4address, dst_v4address;
- ip6_address_t src_v6address, dst_v6address;
+ ip46_address_t src, dst;
u8 *tag = (u8 *) "cli";
if (!unformat_user (input, unformat_line_input, line_input))
@@ -3003,17 +2925,7 @@ acl_set_aclplugin_acl_fn (vlib_main_t * vm,
while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
{
- if (unformat (line_input, "ipv6"))
- {
- vec_validate_acl_rules (rules, rule_idx);
- rules[rule_idx].is_ipv6 = 1;
- }
- else if (unformat (line_input, "ipv4"))
- {
- vec_validate_acl_rules (rules, rule_idx);
- rules[rule_idx].is_ipv6 = 0;
- }
- else if (unformat (line_input, "permit+reflect"))
+ if (unformat (line_input, "permit+reflect"))
{
vec_validate_acl_rules (rules, rule_idx);
rules[rule_idx].is_permit = 2;
@@ -3038,40 +2950,22 @@ acl_set_aclplugin_acl_fn (vlib_main_t * vm,
rules[rule_idx].is_permit = action;
}
else if (unformat (line_input, "src %U/%d",
- unformat_ip4_address, &src_v4address,
- &src_prefix_length))
- {
- vec_validate_acl_rules (rules, rule_idx);
- memcpy (rules[rule_idx].src_ip_addr, &src_v4address, 4);
- rules[rule_idx].src_ip_prefix_len = src_prefix_length;
- rules[rule_idx].is_ipv6 = 0;
- }
- else if (unformat (line_input, "src %U/%d",
- unformat_ip6_address, &src_v6address,
- &src_prefix_length))
- {
- vec_validate_acl_rules (rules, rule_idx);
- memcpy (rules[rule_idx].src_ip_addr, &src_v6address, 16);
- rules[rule_idx].src_ip_prefix_len = src_prefix_length;
- rules[rule_idx].is_ipv6 = 1;
- }
- else if (unformat (line_input, "dst %U/%d",
- unformat_ip4_address, &dst_v4address,
- &dst_prefix_length))
+ unformat_ip46_address, &src, &src_prefix_length))
{
vec_validate_acl_rules (rules, rule_idx);
- memcpy (rules[rule_idx].dst_ip_addr, &dst_v4address, 4);
- rules[rule_idx].dst_ip_prefix_len = dst_prefix_length;
- rules[rule_idx].is_ipv6 = 0;
+ ip_address_encode (&src, IP46_TYPE_ANY,
+ &rules[rule_idx].src_prefix.address);
+ rules[rule_idx].src_prefix.address.af = ADDRESS_IP4;
+ rules[rule_idx].src_prefix.len = src_prefix_length;
}
else if (unformat (line_input, "dst %U/%d",
- unformat_ip6_address, &dst_v6address,
- &dst_prefix_length))
+ unformat_ip46_address, &dst, &dst_prefix_length))
{
vec_validate_acl_rules (rules, rule_idx);
- memcpy (rules[rule_idx].dst_ip_addr, &dst_v6address, 16);
- rules[rule_idx].dst_ip_prefix_len = dst_prefix_length;
- rules[rule_idx].is_ipv6 = 1;
+ ip_address_encode (&dst, IP46_TYPE_ANY,
+ &rules[rule_idx].dst_prefix.address);
+ rules[rule_idx].dst_prefix.address.af = ADDRESS_IP4;
+ rules[rule_idx].dst_prefix.len = dst_prefix_length;
}
else if (unformat (line_input, "sport %d-%d", &port1, &port2))
{