diff options
Diffstat (limited to 'src/plugins/acl/acl.c')
-rw-r--r-- | src/plugins/acl/acl.c | 136 |
1 files changed, 81 insertions, 55 deletions
diff --git a/src/plugins/acl/acl.c b/src/plugins/acl/acl.c index 289e9b8b8d7..48678f5e48f 100644 --- a/src/plugins/acl/acl.c +++ b/src/plugins/acl/acl.c @@ -24,8 +24,6 @@ #include <vnet/classify/in_out_acl.h> #include <vpp/app/version.h> -#include <vnet/ethernet/ethernet_types_api.h> - #include <vlibapi/api.h> #include <vlibmemory/api.h> @@ -344,41 +342,35 @@ validate_and_reset_acl_counters (acl_main_t * am, u32 acl_index) } static int -acl_api_ip4_invalid_prefix (const vl_api_prefix_t * prefix) +acl_api_ip4_invalid_prefix (void *ip4_pref_raw, u8 ip4_prefix_len) { ip4_address_t ip4_addr; ip4_address_t ip4_mask; ip4_address_t ip4_masked_addr; - if (prefix->len > 32) - return 1; - - ip4_address_decode (prefix->address.un.ip4, &ip4_addr); - ip4_preflen_to_mask (prefix->len, &ip4_mask); + memcpy (&ip4_addr, ip4_pref_raw, sizeof (ip4_addr)); + ip4_preflen_to_mask (ip4_prefix_len, &ip4_mask); ip4_masked_addr.as_u32 = ip4_addr.as_u32 & ip4_mask.as_u32; int ret = (ip4_masked_addr.as_u32 != ip4_addr.as_u32); if (ret) { clib_warning ("inconsistent addr %U for prefix len %d; (%U when masked)", - format_ip4_address, prefix->address.un.ip4, prefix->len, - format_ip4_address, &ip4_masked_addr); + format_ip4_address, ip4_pref_raw, ip4_prefix_len, format_ip4_address, + &ip4_masked_addr); } return ret; } static int -acl_api_ip6_invalid_prefix (const vl_api_prefix_t * prefix) +acl_api_ip6_invalid_prefix (void *ip6_pref_raw, u8 ip6_prefix_len) { ip6_address_t ip6_addr; ip6_address_t ip6_mask; ip6_address_t ip6_masked_addr; - if (prefix->len > 128) - return 1; - - ip6_address_decode (prefix->address.un.ip6, &ip6_addr); - ip6_preflen_to_mask (prefix->len, &ip6_mask); + memcpy (&ip6_addr, ip6_pref_raw, sizeof (ip6_addr)); + ip6_preflen_to_mask (ip6_prefix_len, &ip6_mask); ip6_masked_addr.as_u64[0] = ip6_addr.as_u64[0] & ip6_mask.as_u64[0]; ip6_masked_addr.as_u64[1] = ip6_addr.as_u64[1] & ip6_mask.as_u64[1]; int ret = ((ip6_masked_addr.as_u64[0] != ip6_addr.as_u64[0]) @@ -387,21 +379,13 @@ acl_api_ip6_invalid_prefix (const vl_api_prefix_t * prefix) { clib_warning ("inconsistent addr %U for prefix len %d; (%U when masked)", - format_ip6_address, prefix->address.un.ip6, prefix->len, - format_ip6_address, &ip6_masked_addr); + format_ip6_address, ip6_pref_raw, ip6_prefix_len, format_ip6_address, + &ip6_masked_addr); } return ret; } static int -acl_api_invalid_prefix (const vl_api_prefix_t * prefix) -{ - if (prefix->address.af == ADDRESS_IP6) - return acl_api_ip6_invalid_prefix (prefix); - return acl_api_ip4_invalid_prefix (prefix); -} - -static int acl_add_list (u32 count, vl_api_acl_rule_t rules[], u32 * acl_list_index, u8 * tag) { @@ -418,10 +402,32 @@ acl_add_list (u32 count, vl_api_acl_rule_t rules[], /* check if what they request is consistent */ for (i = 0; i < count; i++) { - if (acl_api_invalid_prefix (&rules[i].src_prefix)) - return VNET_API_ERROR_INVALID_SRC_ADDRESS; - if (acl_api_invalid_prefix (&rules[i].dst_prefix)) - return VNET_API_ERROR_INVALID_DST_ADDRESS; + if (rules[i].is_ipv6) + { + if (rules[i].src_ip_prefix_len > 128) + return VNET_API_ERROR_INVALID_VALUE; + if (rules[i].dst_ip_prefix_len > 128) + return VNET_API_ERROR_INVALID_VALUE; + if (acl_api_ip6_invalid_prefix + (&rules[i].src_ip_addr, rules[i].src_ip_prefix_len)) + return VNET_API_ERROR_INVALID_SRC_ADDRESS; + if (acl_api_ip6_invalid_prefix + (&rules[i].dst_ip_addr, rules[i].dst_ip_prefix_len)) + return VNET_API_ERROR_INVALID_DST_ADDRESS; + } + else + { + if (rules[i].src_ip_prefix_len > 32) + return VNET_API_ERROR_INVALID_VALUE; + if (rules[i].dst_ip_prefix_len > 32) + return VNET_API_ERROR_INVALID_VALUE; + if (acl_api_ip4_invalid_prefix + (&rules[i].src_ip_addr, rules[i].src_ip_prefix_len)) + return VNET_API_ERROR_INVALID_SRC_ADDRESS; + if (acl_api_ip4_invalid_prefix + (&rules[i].dst_ip_addr, rules[i].dst_ip_prefix_len)) + return VNET_API_ERROR_INVALID_DST_ADDRESS; + } if (ntohs (rules[i].srcport_or_icmptype_first) > ntohs (rules[i].srcport_or_icmptype_last)) return VNET_API_ERROR_INVALID_VALUE_2; @@ -460,11 +466,19 @@ acl_add_list (u32 count, vl_api_acl_rule_t rules[], r = vec_elt_at_index (acl_new_rules, i); clib_memset (r, 0, sizeof (*r)); r->is_permit = rules[i].is_permit; - r->is_ipv6 = rules[i].src_prefix.address.af; - ip_address_decode (&rules[i].src_prefix.address, &r->src); - ip_address_decode (&rules[i].dst_prefix.address, &r->dst); - r->src_prefixlen = rules[i].src_prefix.len; - r->dst_prefixlen = rules[i].dst_prefix.len; + r->is_ipv6 = rules[i].is_ipv6; + if (r->is_ipv6) + { + memcpy (&r->src, rules[i].src_ip_addr, sizeof (r->src)); + memcpy (&r->dst, rules[i].dst_ip_addr, sizeof (r->dst)); + } + else + { + memcpy (&r->src.ip4, rules[i].src_ip_addr, sizeof (r->src.ip4)); + memcpy (&r->dst.ip4, rules[i].dst_ip_addr, sizeof (r->dst.ip4)); + } + r->src_prefixlen = rules[i].src_ip_prefix_len; + r->dst_prefixlen = rules[i].dst_ip_prefix_len; r->proto = rules[i].proto; r->src_port_or_type_first = ntohs (rules[i].srcport_or_icmptype_first); r->src_port_or_type_last = ntohs (rules[i].srcport_or_icmptype_last); @@ -1700,12 +1714,14 @@ macip_acl_add_list (u32 count, vl_api_macip_acl_rule_t rules[], { r = &acl_new_rules[i]; r->is_permit = rules[i].is_permit; - r->is_ipv6 = rules[i].src_prefix.address.af; - mac_address_decode (rules[i].src_mac, (mac_address_t *) & r->src_mac); - mac_address_decode (rules[i].src_mac_mask, - (mac_address_t *) & r->src_mac_mask); - ip_address_decode (&rules[i].src_prefix.address, &r->src_ip_addr); - r->src_prefixlen = rules[i].src_prefix.len; + r->is_ipv6 = rules[i].is_ipv6; + memcpy (&r->src_mac, rules[i].src_mac, 6); + memcpy (&r->src_mac_mask, rules[i].src_mac_mask, 6); + if (rules[i].is_ipv6) + memcpy (&r->src_ip_addr.ip6, rules[i].src_ip_addr, 16); + else + memcpy (&r->src_ip_addr.ip4, rules[i].src_ip_addr, 4); + r->src_prefixlen = rules[i].src_ip_prefix_len; } if (~0 == *acl_list_index) @@ -2030,12 +2046,19 @@ static void copy_acl_rule_to_api_rule (vl_api_acl_rule_t * api_rule, acl_rule_t * r) { api_rule->is_permit = r->is_permit; - ip_address_encode (&r->src, r->is_ipv6 ? IP46_TYPE_IP6 : IP46_TYPE_IP4, - &api_rule->src_prefix.address); - ip_address_encode (&r->dst, r->is_ipv6 ? IP46_TYPE_IP6 : IP46_TYPE_IP4, - &api_rule->dst_prefix.address); - api_rule->src_prefix.len = r->src_prefixlen; - api_rule->dst_prefix.len = r->dst_prefixlen; + api_rule->is_ipv6 = r->is_ipv6; + if (r->is_ipv6) + { + memcpy (api_rule->src_ip_addr, &r->src, sizeof (r->src)); + memcpy (api_rule->dst_ip_addr, &r->dst, sizeof (r->dst)); + } + else + { + memcpy (api_rule->src_ip_addr, &r->src.ip4, sizeof (r->src.ip4)); + memcpy (api_rule->dst_ip_addr, &r->dst.ip4, sizeof (r->dst.ip4)); + } + api_rule->src_ip_prefix_len = r->src_prefixlen; + api_rule->dst_ip_prefix_len = r->dst_prefixlen; api_rule->proto = r->proto; api_rule->srcport_or_icmptype_first = htons (r->src_port_or_type_first); api_rule->srcport_or_icmptype_last = htons (r->src_port_or_type_last); @@ -2310,14 +2333,17 @@ send_macip_acl_details (acl_main_t * am, vl_api_registration_t * reg, { r = &acl->rules[i]; rules[i].is_permit = r->is_permit; - mac_address_encode ((mac_address_t *) & r->src_mac, - rules[i].src_mac); - mac_address_encode ((mac_address_t *) & r->src_mac_mask, - rules[i].src_mac_mask); - ip_address_encode (&r->src_ip_addr, - r->is_ipv6 ? IP46_TYPE_IP6 : IP46_TYPE_IP4, - &rules[i].src_prefix.address); - rules[i].src_prefix.len = r->src_prefixlen; + rules[i].is_ipv6 = r->is_ipv6; + memcpy (rules[i].src_mac, &r->src_mac, sizeof (r->src_mac)); + memcpy (rules[i].src_mac_mask, &r->src_mac_mask, + sizeof (r->src_mac_mask)); + if (r->is_ipv6) + memcpy (rules[i].src_ip_addr, &r->src_ip_addr.ip6, + sizeof (r->src_ip_addr.ip6)); + else + memcpy (rules[i].src_ip_addr, &r->src_ip_addr.ip4, + sizeof (r->src_ip_addr.ip4)); + rules[i].src_ip_prefix_len = r->src_prefixlen; } } else |