Diffstat (limited to 'src/plugins/acl/acl.c')
-rw-r--r-- | src/plugins/acl/acl.c | 136 |
1 files changed, 55 insertions, 81 deletions
diff --git a/src/plugins/acl/acl.c b/src/plugins/acl/acl.c
index 48678f5e48f..289e9b8b8d7 100644
--- a/src/plugins/acl/acl.c
+++ b/src/plugins/acl/acl.c
@@ -24,6 +24,8 @@
 #include <vnet/classify/in_out_acl.h>
 #include <vpp/app/version.h>
+#include <vnet/ethernet/ethernet_types_api.h>
+
 #include <vlibapi/api.h>
 #include <vlibmemory/api.h>
@@ -342,35 +344,41 @@ validate_and_reset_acl_counters (acl_main_t * am, u32 acl_index)
 }
 static int
-acl_api_ip4_invalid_prefix (void *ip4_pref_raw, u8 ip4_prefix_len)
+acl_api_ip4_invalid_prefix (const vl_api_prefix_t * prefix)
 {
 ip4_address_t ip4_addr;
 ip4_address_t ip4_mask;
 ip4_address_t ip4_masked_addr;
- memcpy (&ip4_addr, ip4_pref_raw, sizeof (ip4_addr));
- ip4_preflen_to_mask (ip4_prefix_len, &ip4_mask);
+ if (prefix->len > 32)
+ return 1;
+
+ ip4_address_decode (prefix->address.un.ip4, &ip4_addr);
+ ip4_preflen_to_mask (prefix->len, &ip4_mask);
 ip4_masked_addr.as_u32 = ip4_addr.as_u32 & ip4_mask.as_u32;
 int ret = (ip4_masked_addr.as_u32 != ip4_addr.as_u32);
 if (ret)
 {
 clib_warning ("inconsistent addr %U for prefix len %d; (%U when masked)",
- format_ip4_address, ip4_pref_raw, ip4_prefix_len, format_ip4_address,
- &ip4_masked_addr);
+ format_ip4_address, prefix->address.un.ip4, prefix->len,
+ format_ip4_address, &ip4_masked_addr);
 }
 return ret;
 }
 static int
-acl_api_ip6_invalid_prefix (void *ip6_pref_raw, u8 ip6_prefix_len)
+acl_api_ip6_invalid_prefix (const vl_api_prefix_t * prefix)
 {
 ip6_address_t ip6_addr;
 ip6_address_t ip6_mask;
 ip6_address_t ip6_masked_addr;
- memcpy (&ip6_addr, ip6_pref_raw, sizeof (ip6_addr));
- ip6_preflen_to_mask (ip6_prefix_len, &ip6_mask);
+ if (prefix->len > 128)
+ return 1;
+
+ ip6_address_decode (prefix->address.un.ip6, &ip6_addr);
+ ip6_preflen_to_mask (prefix->len, &ip6_mask);
 ip6_masked_addr.as_u64[0] = ip6_addr.as_u64[0] & ip6_mask.as_u64[0];
 ip6_masked_addr.as_u64[1] = ip6_addr.as_u64[1] & ip6_mask.as_u64[1];
 int ret = ((ip6_masked_addr.as_u64[0] != ip6_addr.as_u64[0])
@@ -379,13 +387,21 @@ acl_api_ip6_invalid_prefix (void *ip6_pref_raw, u8 ip6_prefix_len)
 {
 clib_warning ("inconsistent addr %U for prefix len %d; (%U when masked)",
- format_ip6_address, ip6_pref_raw, ip6_prefix_len, format_ip6_address,
- &ip6_masked_addr);
+ format_ip6_address, prefix->address.un.ip6, prefix->len,
+ format_ip6_address, &ip6_masked_addr);
 }
 return ret;
 }
 static int
+acl_api_invalid_prefix (const vl_api_prefix_t * prefix)
+{
+ if (prefix->address.af == ADDRESS_IP6)
+ return acl_api_ip6_invalid_prefix (prefix);
+ return acl_api_ip4_invalid_prefix (prefix);
+}
+
+static int
 acl_add_list (u32 count, vl_api_acl_rule_t rules[],
 u32 * acl_list_index, u8 * tag)
 {
@@ -402,32 +418,10 @@ acl_add_list (u32 count, vl_api_acl_rule_t rules[],
 /* check if what they request is consistent */
 for (i = 0; i < count; i++)
 {
- if (rules[i].is_ipv6)
- {
- if (rules[i].src_ip_prefix_len > 128)
- return VNET_API_ERROR_INVALID_VALUE;
- if (rules[i].dst_ip_prefix_len > 128)
- return VNET_API_ERROR_INVALID_VALUE;
- if (acl_api_ip6_invalid_prefix
- (&rules[i].src_ip_addr, rules[i].src_ip_prefix_len))
- return VNET_API_ERROR_INVALID_SRC_ADDRESS;
- if (acl_api_ip6_invalid_prefix
- (&rules[i].dst_ip_addr, rules[i].dst_ip_prefix_len))
- return VNET_API_ERROR_INVALID_DST_ADDRESS;
- }
- else
- {
- if (rules[i].src_ip_prefix_len > 32)
- return VNET_API_ERROR_INVALID_VALUE;
- if (rules[i].dst_ip_prefix_len > 32)
- return VNET_API_ERROR_INVALID_VALUE;
- if (acl_api_ip4_invalid_prefix
- (&rules[i].src_ip_addr, rules[i].src_ip_prefix_len))
- return VNET_API_ERROR_INVALID_SRC_ADDRESS;
- if (acl_api_ip4_invalid_prefix
- (&rules[i].dst_ip_addr, rules[i].dst_ip_prefix_len))
- return VNET_API_ERROR_INVALID_DST_ADDRESS;
- }
+ if (acl_api_invalid_prefix (&rules[i].src_prefix))
+ return VNET_API_ERROR_INVALID_SRC_ADDRESS;
+ if (acl_api_invalid_prefix (&rules[i].dst_prefix))
+ return VNET_API_ERROR_INVALID_DST_ADDRESS;
 if (ntohs (rules[i].srcport_or_icmptype_first) >
 ntohs (rules[i].srcport_or_icmptype_last))
 return VNET_API_ERROR_INVALID_VALUE_2;
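Review bot: The new per-rule checks never validate `address.af` itself, nor that the source and destination prefixes carry the same family, while `acl_api_invalid_prefix` (previous hunk) treats every value other than ADDRESS_IP6 as IPv4 and the copy loop later in acl_add_list derives is_ipv6 from the source prefix alone. A rule with an unrecognised af, or an IPv4 source paired with an IPv6 destination, therefore passes validation but is stored with a flag that does not describe the bytes decoded into r->dst; the old code could not express that state because it had a single is_ipv6 field per rule. The loop should reject mismatched or unrecognised families before the prefix checks run, as sketched below. Note also that an out-of-range prefix length now surfaces as VNET_API_ERROR_INVALID_SRC_ADDRESS / INVALID_DST_ADDRESS rather than INVALID_VALUE, a change callers keying on the old code may notice. acl_add_list starts outside this hunk.
```c
  for (i = 0; i < count; i++)
    {
      /* is_ipv6 is derived from src_prefix only, so both prefixes must
         carry the same, recognised address family */
      if (rules[i].src_prefix.address.af != rules[i].dst_prefix.address.af)
	return VNET_API_ERROR_INVALID_VALUE;
      if (rules[i].src_prefix.address.af != ADDRESS_IP4
	  && rules[i].src_prefix.address.af != ADDRESS_IP6)
	return VNET_API_ERROR_INVALID_VALUE;
      if (acl_api_invalid_prefix (&rules[i].src_prefix))
	return VNET_API_ERROR_INVALID_SRC_ADDRESS;
      /* … unchanged: dst prefix check and port/icmp range checks … */
```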
@@ -466,19 +460,11 @@ acl_add_list (u32 count, vl_api_acl_rule_t rules[],
 r = vec_elt_at_index (acl_new_rules, i);
 clib_memset (r, 0, sizeof (*r));
 r->is_permit = rules[i].is_permit;
- r->is_ipv6 = rules[i].is_ipv6;
- if (r->is_ipv6)
- {
- memcpy (&r->src, rules[i].src_ip_addr, sizeof (r->src));
- memcpy (&r->dst, rules[i].dst_ip_addr, sizeof (r->dst));
- }
- else
- {
- memcpy (&r->src.ip4, rules[i].src_ip_addr, sizeof (r->src.ip4));
- memcpy (&r->dst.ip4, rules[i].dst_ip_addr, sizeof (r->dst.ip4));
- }
- r->src_prefixlen = rules[i].src_ip_prefix_len;
- r->dst_prefixlen = rules[i].dst_ip_prefix_len;
+ r->is_ipv6 = rules[i].src_prefix.address.af;
+ ip_address_decode (&rules[i].src_prefix.address, &r->src);
+ ip_address_decode (&rules[i].dst_prefix.address, &r->dst);
+ r->src_prefixlen = rules[i].src_prefix.len;
+ r->dst_prefixlen = rules[i].dst_prefix.len;
 r->proto = rules[i].proto;
 r->src_port_or_type_first = ntohs (rules[i].srcport_or_icmptype_first);
 r->src_port_or_type_last = ntohs (rules[i].srcport_or_icmptype_last);
@@ -1714,14 +1700,12 @@ macip_acl_add_list (u32 count, vl_api_macip_acl_rule_t rules[],
 {
 r = &acl_new_rules[i];
 r->is_permit = rules[i].is_permit;
- r->is_ipv6 = rules[i].is_ipv6;
- memcpy (&r->src_mac, rules[i].src_mac, 6);
- memcpy (&r->src_mac_mask, rules[i].src_mac_mask, 6);
- if (rules[i].is_ipv6)
- memcpy (&r->src_ip_addr.ip6, rules[i].src_ip_addr, 16);
- else
- memcpy (&r->src_ip_addr.ip4, rules[i].src_ip_addr, 4);
- r->src_prefixlen = rules[i].src_ip_prefix_len;
+ r->is_ipv6 = rules[i].src_prefix.address.af;
+ mac_address_decode (rules[i].src_mac, (mac_address_t *) & r->src_mac);
+ mac_address_decode (rules[i].src_mac_mask,
+ (mac_address_t *) & r->src_mac_mask);
+ ip_address_decode (&rules[i].src_prefix.address, &r->src_ip_addr);
+ r->src_prefixlen = rules[i].src_prefix.len;
 }
 if (~0 == *acl_list_index)
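Review bot: `r->is_ipv6 = rules[i].src_prefix.address.af;` stores the raw wire enum in a flag field instead of a truth value, so it is only correct while ADDRESS_IP6 happens to equal 1 and af arrives as a host-order single byte; the identical line appears in macip_acl_add_list in the next hunk. Writing `r->is_ipv6 = (rules[i].src_prefix.address.af == ADDRESS_IP6);` keeps the field a clean 0/1 and makes the dependency on the enum explicit at both sites. If the af member is wider than a byte and carried in network byte order (this hunk does not show the type), both this assignment and the `== ADDRESS_IP6` comparison in acl_api_invalid_prefix would also need the same byte-order conversion the address decode helpers apply, otherwise IPv6 rules would be classified as IPv4 on little-endian hosts; worth confirming against the ip_types definition. acl_add_list starts outside this hunk.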
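Review bot: The `(mac_address_t *) & r->src_mac` and `(mac_address_t *) & r->src_mac_mask` casts in macip_acl_add_list assume the rule struct's MAC fields have exactly the size and layout of mac_address_t; nothing in the hunk establishes that, and a later change to either type would make mac_address_decode write past the field without any compiler diagnostic. Either declare those fields as mac_address_t where the rule struct is defined (outside this hunk) so the casts go away, or pin the assumption next to the first cast with `STATIC_ASSERT (sizeof (r->src_mac) == sizeof (mac_address_t), "src_mac must match mac_address_t");`. The same casts are repeated in send_macip_acl_details in a later hunk. macip_acl_add_list starts outside this hunk.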
@@ -2046,19 +2030,12 @@ static void
 copy_acl_rule_to_api_rule (vl_api_acl_rule_t * api_rule, acl_rule_t * r)
 {
 api_rule->is_permit = r->is_permit;
- api_rule->is_ipv6 = r->is_ipv6;
- if (r->is_ipv6)
- {
- memcpy (api_rule->src_ip_addr, &r->src, sizeof (r->src));
- memcpy (api_rule->dst_ip_addr, &r->dst, sizeof (r->dst));
- }
- else
- {
- memcpy (api_rule->src_ip_addr, &r->src.ip4, sizeof (r->src.ip4));
- memcpy (api_rule->dst_ip_addr, &r->dst.ip4, sizeof (r->dst.ip4));
- }
- api_rule->src_ip_prefix_len = r->src_prefixlen;
- api_rule->dst_ip_prefix_len = r->dst_prefixlen;
+ ip_address_encode (&r->src, r->is_ipv6 ? IP46_TYPE_IP6 : IP46_TYPE_IP4,
+ &api_rule->src_prefix.address);
+ ip_address_encode (&r->dst, r->is_ipv6 ? IP46_TYPE_IP6 : IP46_TYPE_IP4,
+ &api_rule->dst_prefix.address);
+ api_rule->src_prefix.len = r->src_prefixlen;
+ api_rule->dst_prefix.len = r->dst_prefixlen;
 api_rule->proto = r->proto;
 api_rule->srcport_or_icmptype_first = htons (r->src_port_or_type_first);
 api_rule->srcport_or_icmptype_last = htons (r->src_port_or_type_last);
@@ -2333,17 +2310,14 @@ send_macip_acl_details (acl_main_t * am, vl_api_registration_t * reg,
 {
 r = &acl->rules[i];
 rules[i].is_permit = r->is_permit;
- rules[i].is_ipv6 = r->is_ipv6;
- memcpy (rules[i].src_mac, &r->src_mac, sizeof (r->src_mac));
- memcpy (rules[i].src_mac_mask, &r->src_mac_mask,
- sizeof (r->src_mac_mask));
- if (r->is_ipv6)
- memcpy (rules[i].src_ip_addr, &r->src_ip_addr.ip6,
- sizeof (r->src_ip_addr.ip6));
- else
- memcpy (rules[i].src_ip_addr, &r->src_ip_addr.ip4,
- sizeof (r->src_ip_addr.ip4));
- rules[i].src_ip_prefix_len = r->src_prefixlen;
+ mac_address_encode ((mac_address_t *) & r->src_mac,
+ rules[i].src_mac);
+ mac_address_encode ((mac_address_t *) & r->src_mac_mask,
+ rules[i].src_mac_mask);
+ ip_address_encode (&r->src_ip_addr,
+ r->is_ipv6 ? IP46_TYPE_IP6 : IP46_TYPE_IP4,
+ &rules[i].src_prefix.address);
+ rules[i].src_prefix.len = r->src_prefixlen;
 }
 }
 else |
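Review bot: `r->is_ipv6 ? IP46_TYPE_IP6 : IP46_TYPE_IP4` is spelled out twice in copy_acl_rule_to_api_rule and once more in send_macip_acl_details in the next hunk; a single local such as `ip46_type_t type = r->is_ipv6 ? IP46_TYPE_IP6 : IP46_TYPE_IP4;` at the top of the function (or loop body) reads better and guarantees the src and dst encodes cannot drift apart. This encode path is the inverse of what acl_add_list stores in is_ipv6, so whatever that field holds (a 0/1 flag or a raw af value) is what selects the family on the way out; the two sides should be kept consistent and the intended encoding of is_ipv6 noted in a comment on the field. copy_acl_rule_to_api_rule lies entirely within the hunk, but send_macip_acl_details starts outside it.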