Diffstat (limited to 'src/plugins/acl/acl.c')
-rw-r--r--src/plugins/acl/acl.c136
1 files changed, 81 insertions, 55 deletions
diff --git a/src/plugins/acl/acl.c b/src/plugins/acl/acl.c
index 289e9b8b8d7..48678f5e48f 100644
--- a/src/plugins/acl/acl.c
+++ b/src/plugins/acl/acl.c
@@ -24,8 +24,6 @@
#include <vnet/classify/in_out_acl.h>
#include <vpp/app/version.h>
-#include <vnet/ethernet/ethernet_types_api.h>
-
#include <vlibapi/api.h>
#include <vlibmemory/api.h>
@@ -344,41 +342,35 @@ validate_and_reset_acl_counters (acl_main_t * am, u32 acl_index)
}
static int
-acl_api_ip4_invalid_prefix (const vl_api_prefix_t * prefix)
+acl_api_ip4_invalid_prefix (void *ip4_pref_raw, u8 ip4_prefix_len)
{
ip4_address_t ip4_addr;
ip4_address_t ip4_mask;
ip4_address_t ip4_masked_addr;
- if (prefix->len > 32)
- return 1;
-
- ip4_address_decode (prefix->address.un.ip4, &ip4_addr);
- ip4_preflen_to_mask (prefix->len, &ip4_mask);
+ memcpy (&ip4_addr, ip4_pref_raw, sizeof (ip4_addr));
+ ip4_preflen_to_mask (ip4_prefix_len, &ip4_mask);
ip4_masked_addr.as_u32 = ip4_addr.as_u32 & ip4_mask.as_u32;
int ret = (ip4_masked_addr.as_u32 != ip4_addr.as_u32);
if (ret)
{
clib_warning
("inconsistent addr %U for prefix len %d; (%U when masked)",
- format_ip4_address, prefix->address.un.ip4, prefix->len,
- format_ip4_address, &ip4_masked_addr);
+ format_ip4_address, ip4_pref_raw, ip4_prefix_len, format_ip4_address,
+ &ip4_masked_addr);
}
return ret;
}
static int
-acl_api_ip6_invalid_prefix (const vl_api_prefix_t * prefix)
+acl_api_ip6_invalid_prefix (void *ip6_pref_raw, u8 ip6_prefix_len)
{
ip6_address_t ip6_addr;
ip6_address_t ip6_mask;
ip6_address_t ip6_masked_addr;
- if (prefix->len > 128)
- return 1;
-
- ip6_address_decode (prefix->address.un.ip6, &ip6_addr);
- ip6_preflen_to_mask (prefix->len, &ip6_mask);
+ memcpy (&ip6_addr, ip6_pref_raw, sizeof (ip6_addr));
+ ip6_preflen_to_mask (ip6_prefix_len, &ip6_mask);
ip6_masked_addr.as_u64[0] = ip6_addr.as_u64[0] & ip6_mask.as_u64[0];
ip6_masked_addr.as_u64[1] = ip6_addr.as_u64[1] & ip6_mask.as_u64[1];
int ret = ((ip6_masked_addr.as_u64[0] != ip6_addr.as_u64[0])
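Review bot: acl_api_ip4_invalid_prefix (and acl_api_ip6_invalid_prefix below it) no longer rejects a prefix length above 32/128 itself; the guard the old helpers had at their top is now done only by the caller in acl_add_list, so any other caller that omits it hands an out-of-range length straight to ip4_preflen_to_mask/ip6_preflen_to_mask, which presumably cannot form a valid mask for it. Keeping a cheap defensive check in the helper, `if (ip4_prefix_len > 32) return 1;` (and `if (ip6_prefix_len > 128) return 1;` in the ip6 variant), keeps each helper safe in isolation at no cost. The address argument is only read (memcpy source and format argument), so `const void *ip4_pref_raw` / `const void *ip6_pref_raw` would preserve the const-correctness the previous signatures had. acl_api_ip6_invalid_prefix continues past the end of this hunk.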
@@ -387,21 +379,13 @@ acl_api_ip6_invalid_prefix (const vl_api_prefix_t * prefix)
{
clib_warning
("inconsistent addr %U for prefix len %d; (%U when masked)",
- format_ip6_address, prefix->address.un.ip6, prefix->len,
- format_ip6_address, &ip6_masked_addr);
+ format_ip6_address, ip6_pref_raw, ip6_prefix_len, format_ip6_address,
+ &ip6_masked_addr);
}
return ret;
}
static int
-acl_api_invalid_prefix (const vl_api_prefix_t * prefix)
-{
- if (prefix->address.af == ADDRESS_IP6)
- return acl_api_ip6_invalid_prefix (prefix);
- return acl_api_ip4_invalid_prefix (prefix);
-}
-
-static int
acl_add_list (u32 count, vl_api_acl_rule_t rules[],
u32 * acl_list_index, u8 * tag)
{
@@ -418,10 +402,32 @@ acl_add_list (u32 count, vl_api_acl_rule_t rules[],
/* check if what they request is consistent */
for (i = 0; i < count; i++)
{
- if (acl_api_invalid_prefix (&rules[i].src_prefix))
- return VNET_API_ERROR_INVALID_SRC_ADDRESS;
- if (acl_api_invalid_prefix (&rules[i].dst_prefix))
- return VNET_API_ERROR_INVALID_DST_ADDRESS;
+ if (rules[i].is_ipv6)
+ {
+ if (rules[i].src_ip_prefix_len > 128)
+ return VNET_API_ERROR_INVALID_VALUE;
+ if (rules[i].dst_ip_prefix_len > 128)
+ return VNET_API_ERROR_INVALID_VALUE;
+ if (acl_api_ip6_invalid_prefix
+ (&rules[i].src_ip_addr, rules[i].src_ip_prefix_len))
+ return VNET_API_ERROR_INVALID_SRC_ADDRESS;
+ if (acl_api_ip6_invalid_prefix
+ (&rules[i].dst_ip_addr, rules[i].dst_ip_prefix_len))
+ return VNET_API_ERROR_INVALID_DST_ADDRESS;
+ }
+ else
+ {
+ if (rules[i].src_ip_prefix_len > 32)
+ return VNET_API_ERROR_INVALID_VALUE;
+ if (rules[i].dst_ip_prefix_len > 32)
+ return VNET_API_ERROR_INVALID_VALUE;
+ if (acl_api_ip4_invalid_prefix
+ (&rules[i].src_ip_addr, rules[i].src_ip_prefix_len))
+ return VNET_API_ERROR_INVALID_SRC_ADDRESS;
+ if (acl_api_ip4_invalid_prefix
+ (&rules[i].dst_ip_addr, rules[i].dst_ip_prefix_len))
+ return VNET_API_ERROR_INVALID_DST_ADDRESS;
+ }
if (ntohs (rules[i].srcport_or_icmptype_first) >
ntohs (rules[i].srcport_or_icmptype_last))
return VNET_API_ERROR_INVALID_VALUE_2;
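Review bot: The new prefix-length range checks report VNET_API_ERROR_INVALID_VALUE for both the source and the destination prefix, while the masked-address checks immediately after them distinguish INVALID_SRC_ADDRESS from INVALID_DST_ADDRESS, so a client rejected for an over-long prefix cannot tell which side was wrong. If changing the returned code is acceptable for API consumers, returning `VNET_API_ERROR_INVALID_SRC_ADDRESS` and `VNET_API_ERROR_INVALID_DST_ADDRESS` from the length checks would make the two checks consistent; if not, a one-line comment such as `/* length errors are reported as INVALID_VALUE for both src and dst on purpose */` would document the asymmetry. The v4 and v6 branches are otherwise identical apart from the limit and the helper called, so a local `u8 max_len = rules[i].is_ipv6 ? 128 : 32;` used by both length checks would shrink the duplication. acl_add_list starts and ends outside this hunk.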
@@ -460,11 +466,19 @@ acl_add_list (u32 count, vl_api_acl_rule_t rules[],
r = vec_elt_at_index (acl_new_rules, i);
clib_memset (r, 0, sizeof (*r));
r->is_permit = rules[i].is_permit;
- r->is_ipv6 = rules[i].src_prefix.address.af;
- ip_address_decode (&rules[i].src_prefix.address, &r->src);
- ip_address_decode (&rules[i].dst_prefix.address, &r->dst);
- r->src_prefixlen = rules[i].src_prefix.len;
- r->dst_prefixlen = rules[i].dst_prefix.len;
+ r->is_ipv6 = rules[i].is_ipv6;
+ if (r->is_ipv6)
+ {
+ memcpy (&r->src, rules[i].src_ip_addr, sizeof (r->src));
+ memcpy (&r->dst, rules[i].dst_ip_addr, sizeof (r->dst));
+ }
+ else
+ {
+ memcpy (&r->src.ip4, rules[i].src_ip_addr, sizeof (r->src.ip4));
+ memcpy (&r->dst.ip4, rules[i].dst_ip_addr, sizeof (r->dst.ip4));
+ }
+ r->src_prefixlen = rules[i].src_ip_prefix_len;
+ r->dst_prefixlen = rules[i].dst_ip_prefix_len;
r->proto = rules[i].proto;
r->src_port_or_type_first = ntohs (rules[i].srcport_or_icmptype_first);
r->src_port_or_type_last = ntohs (rules[i].srcport_or_icmptype_last);
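Review bot: `r->is_ipv6 = rules[i].is_ipv6;` stores the raw API byte unchanged, so a message carrying a value other than 0 or 1 ends up in the internal rule as-is; the branches in this hunk test it for truthiness, but if any consumer elsewhere compares it against 1 the two views of the same rule would disagree. Normalising at the trust boundary, `r->is_ipv6 = (rules[i].is_ipv6 != 0);`, removes that possibility, and the same copy appears in macip_acl_add_list in the next hunk. The clib_memset on the rule before the copy means the v4 branch, which fills only the first 4 bytes of src/dst, leaves the remaining bytes zeroed, which is the property the macip path should also guarantee. acl_add_list starts and ends outside this hunk.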
@@ -1700,12 +1714,14 @@ macip_acl_add_list (u32 count, vl_api_macip_acl_rule_t rules[],
{
r = &acl_new_rules[i];
r->is_permit = rules[i].is_permit;
- r->is_ipv6 = rules[i].src_prefix.address.af;
- mac_address_decode (rules[i].src_mac, (mac_address_t *) & r->src_mac);
- mac_address_decode (rules[i].src_mac_mask,
- (mac_address_t *) & r->src_mac_mask);
- ip_address_decode (&rules[i].src_prefix.address, &r->src_ip_addr);
- r->src_prefixlen = rules[i].src_prefix.len;
+ r->is_ipv6 = rules[i].is_ipv6;
+ memcpy (&r->src_mac, rules[i].src_mac, 6);
+ memcpy (&r->src_mac_mask, rules[i].src_mac_mask, 6);
+ if (rules[i].is_ipv6)
+ memcpy (&r->src_ip_addr.ip6, rules[i].src_ip_addr, 16);
+ else
+ memcpy (&r->src_ip_addr.ip4, rules[i].src_ip_addr, 4);
+ r->src_prefixlen = rules[i].src_ip_prefix_len;
}
if (~0 == *acl_list_index)
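Review bot: The memcpy calls in this hunk use the literal lengths 6, 16 and 4 where the mirror-image code in send_macip_acl_details uses `sizeof (r->src_mac)` / `sizeof (r->src_ip_addr.ip6)` / `sizeof (r->src_ip_addr.ip4)`; writing them the same way here ties each copy to the destination field's size and keeps both directions consistent. Whether acl_new_rules is zeroed before this loop is outside the hunk; if it is not, the v4 branch leaves bytes 4..15 of `r->src_ip_addr` stale, and `src_ip_prefix_len` is copied without a visible range check like the one acl_add_list performs, which may be done earlier in the function or may be missing. macip_acl_add_list starts and ends outside this hunk.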
@@ -2030,12 +2046,19 @@ static void
copy_acl_rule_to_api_rule (vl_api_acl_rule_t * api_rule, acl_rule_t * r)
{
api_rule->is_permit = r->is_permit;
- ip_address_encode (&r->src, r->is_ipv6 ? IP46_TYPE_IP6 : IP46_TYPE_IP4,
- &api_rule->src_prefix.address);
- ip_address_encode (&r->dst, r->is_ipv6 ? IP46_TYPE_IP6 : IP46_TYPE_IP4,
- &api_rule->dst_prefix.address);
- api_rule->src_prefix.len = r->src_prefixlen;
- api_rule->dst_prefix.len = r->dst_prefixlen;
+ api_rule->is_ipv6 = r->is_ipv6;
+ if (r->is_ipv6)
+ {
+ memcpy (api_rule->src_ip_addr, &r->src, sizeof (r->src));
+ memcpy (api_rule->dst_ip_addr, &r->dst, sizeof (r->dst));
+ }
+ else
+ {
+ memcpy (api_rule->src_ip_addr, &r->src.ip4, sizeof (r->src.ip4));
+ memcpy (api_rule->dst_ip_addr, &r->dst.ip4, sizeof (r->dst.ip4));
+ }
+ api_rule->src_ip_prefix_len = r->src_prefixlen;
+ api_rule->dst_ip_prefix_len = r->dst_prefixlen;
api_rule->proto = r->proto;
api_rule->srcport_or_icmptype_first = htons (r->src_port_or_type_first);
api_rule->srcport_or_icmptype_last = htons (r->src_port_or_type_last);
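Review bot: In the v4 branch only the first 4 bytes of `api_rule->src_ip_addr` and `api_rule->dst_ip_addr` are written, so unless the caller zeroes the message beforehand (not visible here) the remaining 12 bytes of each field are sent to the API client with whatever the reply buffer held, i.e. a small uninitialised-memory disclosure. Clearing the fields before the copy, `clib_memset (api_rule->src_ip_addr, 0, sizeof (api_rule->src_ip_addr));` and the same for `dst_ip_addr`, makes the encoder independent of the caller. The same pattern is in the v4 branch of send_macip_acl_details in the next hunk, where `rules[i].src_ip_addr` is likewise only partly filled. copy_acl_rule_to_api_rule continues past the end of this hunk.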
@@ -2310,14 +2333,17 @@ send_macip_acl_details (acl_main_t * am, vl_api_registration_t * reg,
{
r = &acl->rules[i];
rules[i].is_permit = r->is_permit;
- mac_address_encode ((mac_address_t *) & r->src_mac,
- rules[i].src_mac);
- mac_address_encode ((mac_address_t *) & r->src_mac_mask,
- rules[i].src_mac_mask);
- ip_address_encode (&r->src_ip_addr,
- r->is_ipv6 ? IP46_TYPE_IP6 : IP46_TYPE_IP4,
- &rules[i].src_prefix.address);
- rules[i].src_prefix.len = r->src_prefixlen;
+ rules[i].is_ipv6 = r->is_ipv6;
+ memcpy (rules[i].src_mac, &r->src_mac, sizeof (r->src_mac));
+ memcpy (rules[i].src_mac_mask, &r->src_mac_mask,
+ sizeof (r->src_mac_mask));
+ if (r->is_ipv6)
+ memcpy (rules[i].src_ip_addr, &r->src_ip_addr.ip6,
+ sizeof (r->src_ip_addr.ip6));
+ else
+ memcpy (rules[i].src_ip_addr, &r->src_ip_addr.ip4,
+ sizeof (r->src_ip_addr.ip4));
+ rules[i].src_ip_prefix_len = r->src_prefixlen;
}
}
else