diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/plugins/acl/acl.api | 30 | ||||
-rw-r--r-- | src/plugins/acl/acl.c | 95 | ||||
-rw-r--r-- | src/plugins/acl/acl_test.c | 56 |
3 files changed, 180 insertions, 1 deletions
diff --git a/src/plugins/acl/acl.api b/src/plugins/acl/acl.api index 047fc683b87..b58ed76673a 100644 --- a/src/plugins/acl/acl.api +++ b/src/plugins/acl/acl.api @@ -496,3 +496,33 @@ autoreply manual_print define acl_interface_set_etype_whitelist u16 whitelist[count]; }; +/** \brief Dump the list(s) of Ethertype whitelists applied to specific or all interfaces + @param client_index - opaque cookie to identify the sender + @param context - sender context, to match reply w/ request + @param sw_if_index - interface to dump the ethertype whitelist for +*/ + +define acl_interface_etype_whitelist_dump +{ + u32 client_index; + u32 context; + u32 sw_if_index; /* ~0 for all interfaces */ +}; + +/** \brief Details about ethertype whitelist on a single interface + @param context - returned sender context, to match reply w/ request + @param sw_if_index - interface for which the list of MACIP ACLs is applied + @param count - total number of whitelisted ethertypes in the vector + @param n_input - this many first elements correspond to input whitelisted ethertypes, the rest - output + @param whitelist - vector of whitelisted ethertypes +*/ + +define acl_interface_etype_whitelist_details +{ + u32 context; + u32 sw_if_index; + u8 count; + u8 n_input; /* first n_input ethertypes are input, the rest - output */ + u16 whitelist[count]; +}; + diff --git a/src/plugins/acl/acl.c b/src/plugins/acl/acl.c index 169dc12037a..5ab38ef6e56 100644 --- a/src/plugins/acl/acl.c +++ b/src/plugins/acl/acl.c @@ -76,7 +76,8 @@ _(MACIP_ACL_INTERFACE_ADD_DEL, macip_acl_interface_add_del) \ _(MACIP_ACL_DUMP, macip_acl_dump) \ _(MACIP_ACL_INTERFACE_GET, macip_acl_interface_get) \ _(MACIP_ACL_INTERFACE_LIST_DUMP, macip_acl_interface_list_dump) \ -_(ACL_INTERFACE_SET_ETYPE_WHITELIST, acl_interface_set_etype_whitelist) +_(ACL_INTERFACE_SET_ETYPE_WHITELIST, acl_interface_set_etype_whitelist) \ +_(ACL_INTERFACE_ETYPE_WHITELIST_DUMP, acl_interface_etype_whitelist_dump) /* *INDENT-OFF* */ @@ -2696,6 +2697,98 @@ static void REPLY_MACRO (VL_API_ACL_INTERFACE_SET_ETYPE_WHITELIST_REPLY); } +static void +send_acl_interface_etype_whitelist_details (acl_main_t * am, + vl_api_registration_t * reg, + u32 sw_if_index, u32 context) +{ + vl_api_acl_interface_etype_whitelist_details_t *mp; + int msg_size; + int n_input = 0; + int n_output = 0; + int count = 0; + int i = 0; + + u16 *whitelist_in = 0; + u16 *whitelist_out = 0; + + if (intf_has_etype_whitelist (am, sw_if_index, 0)) + whitelist_out = + vec_elt (am->output_etype_whitelist_by_sw_if_index, sw_if_index); + + if (intf_has_etype_whitelist (am, sw_if_index, 1)) + whitelist_in = + vec_elt (am->input_etype_whitelist_by_sw_if_index, sw_if_index); + + if ((0 == whitelist_in) && (0 == whitelist_out)) + return; /* nothing to do */ + + void *oldheap = acl_set_heap (am); + + n_input = vec_len (whitelist_in); + n_output = vec_len (whitelist_out); + count = n_input + n_output; + + msg_size = sizeof (*mp); + msg_size += sizeof (mp->whitelist[0]) * count; + + mp = vl_msg_api_alloc (msg_size); + memset (mp, 0, msg_size); + mp->_vl_msg_id = + ntohs (VL_API_ACL_INTERFACE_ETYPE_WHITELIST_DETAILS + am->msg_id_base); + + /* fill in the message */ + mp->context = context; + mp->sw_if_index = htonl (sw_if_index); + mp->count = count; + mp->n_input = n_input; + for (i = 0; i < n_input; i++) + { + mp->whitelist[i] = whitelist_in[i]; + } + for (i = 0; i < n_output; i++) + { + mp->whitelist[n_input + i] = whitelist_out[i]; + } + clib_mem_set_heap (oldheap); + vl_api_send_msg (reg, (u8 *) mp); +} + + +static void + vl_api_acl_interface_etype_whitelist_dump_t_handler + (vl_api_acl_interface_list_dump_t * mp) +{ + acl_main_t *am = &acl_main; + vnet_sw_interface_t *swif; + vnet_interface_main_t *im = &am->vnet_main->interface_main; + + u32 sw_if_index; + vl_api_registration_t *reg; + + reg = vl_api_client_index_to_registration (mp->client_index); + if (!reg) + return; + + if (mp->sw_if_index == ~0) + { + /* *INDENT-OFF* */ + pool_foreach (swif, im->sw_interfaces, + ({ + send_acl_interface_etype_whitelist_details(am, reg, swif->sw_if_index, mp->context); + })); + /* *INDENT-ON* */ + } + else + { + sw_if_index = ntohl (mp->sw_if_index); + if (!pool_is_free_index (im->sw_interfaces, sw_if_index)) + send_acl_interface_etype_whitelist_details (am, reg, sw_if_index, + mp->context); + } +} + + /* Set up the API message handling tables */ static clib_error_t * diff --git a/src/plugins/acl/acl_test.c b/src/plugins/acl/acl_test.c index c264034c939..1b565995308 100644 --- a/src/plugins/acl/acl_test.c +++ b/src/plugins/acl/acl_test.c @@ -155,6 +155,27 @@ static void vl_api_acl_interface_list_details_t_handler vam->result_ready = 1; } +static void vl_api_acl_interface_etype_whitelist_details_t_handler + (vl_api_acl_interface_etype_whitelist_details_t * mp) + { + int i; + vat_main_t * vam = acl_test_main.vat_main; + u8 *out = 0; + vl_api_acl_interface_etype_whitelist_details_t_endian(mp); + out = format(out, "sw_if_index: %d, count: %d, n_input: %d\n", mp->sw_if_index, mp->count, mp->n_input); + out = format(out, " input "); + for(i=0; i<mp->count; i++) { + if (i == mp->n_input) + out = format(out, "\n output "); + out = format(out, "%04x ", mp->whitelist[i]); + } + out = format(out, "\n"); + clib_warning("%s", out); + vec_free(out); + vam->result_ready = 1; + } + + static inline u8 * vl_api_acl_rule_t_pretty_format (u8 *out, vl_api_acl_rule_t * a) @@ -271,6 +292,7 @@ _(ACL_DEL_REPLY, acl_del_reply) \ _(ACL_INTERFACE_ADD_DEL_REPLY, acl_interface_add_del_reply) \ _(ACL_INTERFACE_SET_ACL_LIST_REPLY, acl_interface_set_acl_list_reply) \ _(ACL_INTERFACE_SET_ETYPE_WHITELIST_REPLY, acl_interface_set_etype_whitelist_reply) \ +_(ACL_INTERFACE_ETYPE_WHITELIST_DETAILS, acl_interface_etype_whitelist_details) \ _(ACL_INTERFACE_LIST_DETAILS, acl_interface_list_details) \ _(ACL_DETAILS, acl_details) \ _(MACIP_ACL_ADD_REPLY, macip_acl_add_reply) \ @@ -907,6 +929,39 @@ static int api_macip_acl_dump (vat_main_t * vam) return ret; } +static int api_acl_interface_etype_whitelist_dump (vat_main_t * vam) +{ + unformat_input_t * i = vam->input; + u32 sw_if_index = ~0; + vl_api_acl_interface_etype_whitelist_dump_t * mp; + int ret; + + /* Parse args required to build the message */ + while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) { + if (unformat (i, "%U", unformat_sw_if_index, vam, &sw_if_index)) + ; + else if (unformat (i, "sw_if_index %d", &sw_if_index)) + ; + else + break; + } + + /* Construct the API message */ + M(ACL_INTERFACE_ETYPE_WHITELIST_DUMP, mp); + mp->sw_if_index = ntohl (sw_if_index); + + /* send it... */ + S(mp); + + /* Use control ping for synchronization */ + api_acl_send_control_ping(vam); + + /* Wait for a reply... */ + W (ret); + return ret; +} + + #define vec_validate_macip_acl_rules(v, idx) \ do { \ if (vec_len(v) < idx+1) { \ @@ -1223,6 +1278,7 @@ _(acl_dump, "[<acl-idx>]") \ _(acl_interface_add_del, "<intfc> | sw_if_index <if-idx> [add|del] [input|output] acl <acl-idx>") \ _(acl_interface_set_acl_list, "<intfc> | sw_if_index <if-idx> input [acl-idx list] output [acl-idx list]") \ _(acl_interface_set_etype_whitelist, "<intfc> | sw_if_index <if-idx> input [ethertype list] output [ethertype list]") \ +_(acl_interface_etype_whitelist_dump, "[<intfc> | sw_if_index <if-idx>]") \ _(acl_interface_list_dump, "[<intfc> | sw_if_index <if-idx>]") \ _(macip_acl_add, "...") \ _(macip_acl_add_replace, "<acl-idx> [<ipv4|ipv6> <permit|deny|action N> [count <count>] [src] ip <ipaddress/[plen]> mac <mac> mask <mac_mask>, ... , ...") \ |