summaryrefslogtreecommitdiffstats
path: root/src/plugins/acl/acl.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/plugins/acl/acl.c')
-rw-r--r--src/plugins/acl/acl.c136
1 files changed, 55 insertions, 81 deletions
diff --git a/src/plugins/acl/acl.c b/src/plugins/acl/acl.c
index 48678f5e48f..289e9b8b8d7 100644
--- a/src/plugins/acl/acl.c
+++ b/src/plugins/acl/acl.c
@@ -24,6 +24,8 @@
#include <vnet/classify/in_out_acl.h>
#include <vpp/app/version.h>
+#include <vnet/ethernet/ethernet_types_api.h>
+
#include <vlibapi/api.h>
#include <vlibmemory/api.h>
@@ -342,35 +344,41 @@ validate_and_reset_acl_counters (acl_main_t * am, u32 acl_index)
}
static int
-acl_api_ip4_invalid_prefix (void *ip4_pref_raw, u8 ip4_prefix_len)
+acl_api_ip4_invalid_prefix (const vl_api_prefix_t * prefix)
{
ip4_address_t ip4_addr;
ip4_address_t ip4_mask;
ip4_address_t ip4_masked_addr;
- memcpy (&ip4_addr, ip4_pref_raw, sizeof (ip4_addr));
- ip4_preflen_to_mask (ip4_prefix_len, &ip4_mask);
+ if (prefix->len > 32)
+ return 1;
+
+ ip4_address_decode (prefix->address.un.ip4, &ip4_addr);
+ ip4_preflen_to_mask (prefix->len, &ip4_mask);
ip4_masked_addr.as_u32 = ip4_addr.as_u32 & ip4_mask.as_u32;
int ret = (ip4_masked_addr.as_u32 != ip4_addr.as_u32);
if (ret)
{
clib_warning
("inconsistent addr %U for prefix len %d; (%U when masked)",
- format_ip4_address, ip4_pref_raw, ip4_prefix_len, format_ip4_address,
- &ip4_masked_addr);
+ format_ip4_address, prefix->address.un.ip4, prefix->len,
+ format_ip4_address, &ip4_masked_addr);
}
return ret;
}
static int
-acl_api_ip6_invalid_prefix (void *ip6_pref_raw, u8 ip6_prefix_len)
+acl_api_ip6_invalid_prefix (const vl_api_prefix_t * prefix)
{
ip6_address_t ip6_addr;
ip6_address_t ip6_mask;
ip6_address_t ip6_masked_addr;
- memcpy (&ip6_addr, ip6_pref_raw, sizeof (ip6_addr));
- ip6_preflen_to_mask (ip6_prefix_len, &ip6_mask);
+ if (prefix->len > 128)
+ return 1;
+
+ ip6_address_decode (prefix->address.un.ip6, &ip6_addr);
+ ip6_preflen_to_mask (prefix->len, &ip6_mask);
ip6_masked_addr.as_u64[0] = ip6_addr.as_u64[0] & ip6_mask.as_u64[0];
ip6_masked_addr.as_u64[1] = ip6_addr.as_u64[1] & ip6_mask.as_u64[1];
int ret = ((ip6_masked_addr.as_u64[0] != ip6_addr.as_u64[0])
@@ -379,13 +387,21 @@ acl_api_ip6_invalid_prefix (void *ip6_pref_raw, u8 ip6_prefix_len)
{
clib_warning
("inconsistent addr %U for prefix len %d; (%U when masked)",
- format_ip6_address, ip6_pref_raw, ip6_prefix_len, format_ip6_address,
- &ip6_masked_addr);
+ format_ip6_address, prefix->address.un.ip6, prefix->len,
+ format_ip6_address, &ip6_masked_addr);
}
return ret;
}
static int
+acl_api_invalid_prefix (const vl_api_prefix_t * prefix)
+{
+ if (prefix->address.af == ADDRESS_IP6)
+ return acl_api_ip6_invalid_prefix (prefix);
+ return acl_api_ip4_invalid_prefix (prefix);
+}
+
+static int
acl_add_list (u32 count, vl_api_acl_rule_t rules[],
u32 * acl_list_index, u8 * tag)
{
@@ -402,32 +418,10 @@ acl_add_list (u32 count, vl_api_acl_rule_t rules[],
/* check if what they request is consistent */
for (i = 0; i < count; i++)
{
- if (rules[i].is_ipv6)
- {
- if (rules[i].src_ip_prefix_len > 128)
- return VNET_API_ERROR_INVALID_VALUE;
- if (rules[i].dst_ip_prefix_len > 128)
- return VNET_API_ERROR_INVALID_VALUE;
- if (acl_api_ip6_invalid_prefix
- (&rules[i].src_ip_addr, rules[i].src_ip_prefix_len))
- return VNET_API_ERROR_INVALID_SRC_ADDRESS;
- if (acl_api_ip6_invalid_prefix
- (&rules[i].dst_ip_addr, rules[i].dst_ip_prefix_len))
- return VNET_API_ERROR_INVALID_DST_ADDRESS;
- }
- else
- {
- if (rules[i].src_ip_prefix_len > 32)
- return VNET_API_ERROR_INVALID_VALUE;
- if (rules[i].dst_ip_prefix_len > 32)
- return VNET_API_ERROR_INVALID_VALUE;
- if (acl_api_ip4_invalid_prefix
- (&rules[i].src_ip_addr, rules[i].src_ip_prefix_len))
- return VNET_API_ERROR_INVALID_SRC_ADDRESS;
- if (acl_api_ip4_invalid_prefix
- (&rules[i].dst_ip_addr, rules[i].dst_ip_prefix_len))
- return VNET_API_ERROR_INVALID_DST_ADDRESS;
- }
+ if (acl_api_invalid_prefix (&rules[i].src_prefix))
+ return VNET_API_ERROR_INVALID_SRC_ADDRESS;
+ if (acl_api_invalid_prefix (&rules[i].dst_prefix))
+ return VNET_API_ERROR_INVALID_DST_ADDRESS;
if (ntohs (rules[i].srcport_or_icmptype_first) >
ntohs (rules[i].srcport_or_icmptype_last))
return VNET_API_ERROR_INVALID_VALUE_2;
@@ -466,19 +460,11 @@ acl_add_list (u32 count, vl_api_acl_rule_t rules[],
r = vec_elt_at_index (acl_new_rules, i);
clib_memset (r, 0, sizeof (*r));
r->is_permit = rules[i].is_permit;
- r->is_ipv6 = rules[i].is_ipv6;
- if (r->is_ipv6)
- {
- memcpy (&r->src, rules[i].src_ip_addr, sizeof (r->src));
- memcpy (&r->dst, rules[i].dst_ip_addr, sizeof (r->dst));
- }
- else
- {
- memcpy (&r->src.ip4, rules[i].src_ip_addr, sizeof (r->src.ip4));
- memcpy (&r->dst.ip4, rules[i].dst_ip_addr, sizeof (r->dst.ip4));
- }
- r->src_prefixlen = rules[i].src_ip_prefix_len;
- r->dst_prefixlen = rules[i].dst_ip_prefix_len;
+ r->is_ipv6 = rules[i].src_prefix.address.af;
+ ip_address_decode (&rules[i].src_prefix.address, &r->src);
+ ip_address_decode (&rules[i].dst_prefix.address, &r->dst);
+ r->src_prefixlen = rules[i].src_prefix.len;
+ r->dst_prefixlen = rules[i].dst_prefix.len;
r->proto = rules[i].proto;
r->src_port_or_type_first = ntohs (rules[i].srcport_or_icmptype_first);
r->src_port_or_type_last = ntohs (rules[i].srcport_or_icmptype_last);
@@ -1714,14 +1700,12 @@ macip_acl_add_list (u32 count, vl_api_macip_acl_rule_t rules[],
{
r = &acl_new_rules[i];
r->is_permit = rules[i].is_permit;
- r->is_ipv6 = rules[i].is_ipv6;
- memcpy (&r->src_mac, rules[i].src_mac, 6);
- memcpy (&r->src_mac_mask, rules[i].src_mac_mask, 6);
- if (rules[i].is_ipv6)
- memcpy (&r->src_ip_addr.ip6, rules[i].src_ip_addr, 16);
- else
- memcpy (&r->src_ip_addr.ip4, rules[i].src_ip_addr, 4);
- r->src_prefixlen = rules[i].src_ip_prefix_len;
+ r->is_ipv6 = rules[i].src_prefix.address.af;
+ mac_address_decode (rules[i].src_mac, (mac_address_t *) & r->src_mac);
+ mac_address_decode (rules[i].src_mac_mask,
+ (mac_address_t *) & r->src_mac_mask);
+ ip_address_decode (&rules[i].src_prefix.address, &r->src_ip_addr);
+ r->src_prefixlen = rules[i].src_prefix.len;
}
if (~0 == *acl_list_index)
@@ -2046,19 +2030,12 @@ static void
copy_acl_rule_to_api_rule (vl_api_acl_rule_t * api_rule, acl_rule_t * r)
{
api_rule->is_permit = r->is_permit;
- api_rule->is_ipv6 = r->is_ipv6;
- if (r->is_ipv6)
- {
- memcpy (api_rule->src_ip_addr, &r->src, sizeof (r->src));
- memcpy (api_rule->dst_ip_addr, &r->dst, sizeof (r->dst));
- }
- else
- {
- memcpy (api_rule->src_ip_addr, &r->src.ip4, sizeof (r->src.ip4));
- memcpy (api_rule->dst_ip_addr, &r->dst.ip4, sizeof (r->dst.ip4));
- }
- api_rule->src_ip_prefix_len = r->src_prefixlen;
- api_rule->dst_ip_prefix_len = r->dst_prefixlen;
+ ip_address_encode (&r->src, r->is_ipv6 ? IP46_TYPE_IP6 : IP46_TYPE_IP4,
+ &api_rule->src_prefix.address);
+ ip_address_encode (&r->dst, r->is_ipv6 ? IP46_TYPE_IP6 : IP46_TYPE_IP4,
+ &api_rule->dst_prefix.address);
+ api_rule->src_prefix.len = r->src_prefixlen;
+ api_rule->dst_prefix.len = r->dst_prefixlen;
api_rule->proto = r->proto;
api_rule->srcport_or_icmptype_first = htons (r->src_port_or_type_first);
api_rule->srcport_or_icmptype_last = htons (r->src_port_or_type_last);
@@ -2333,17 +2310,14 @@ send_macip_acl_details (acl_main_t * am, vl_api_registration_t * reg,
{
r = &acl->rules[i];
rules[i].is_permit = r->is_permit;
- rules[i].is_ipv6 = r->is_ipv6;
- memcpy (rules[i].src_mac, &r->src_mac, sizeof (r->src_mac));
- memcpy (rules[i].src_mac_mask, &r->src_mac_mask,
- sizeof (r->src_mac_mask));
- if (r->is_ipv6)
- memcpy (rules[i].src_ip_addr, &r->src_ip_addr.ip6,
- sizeof (r->src_ip_addr.ip6));
- else
- memcpy (rules[i].src_ip_addr, &r->src_ip_addr.ip4,
- sizeof (r->src_ip_addr.ip4));
- rules[i].src_ip_prefix_len = r->src_prefixlen;
+ mac_address_encode ((mac_address_t *) & r->src_mac,
+ rules[i].src_mac);
+ mac_address_encode ((mac_address_t *) & r->src_mac_mask,
+ rules[i].src_mac_mask);
+ ip_address_encode (&r->src_ip_addr,
+ r->is_ipv6 ? IP46_TYPE_IP6 : IP46_TYPE_IP4,
+ &rules[i].src_prefix.address);
+ rules[i].src_prefix.len = r->src_prefixlen;
}
}
else