path: root/plugins/acl-plugin
Age | Commit message | Author | Files | Lines
2017-03-02 | Bump to 17.01.1 Release [v17.01.1] | Damjan Marion | 2 | -2/+2
Change-Id: I023400208df277df6713303452e7089720792214
Signed-off-by: Damjan Marion <damarion@cisco.com>
2017-03-02 | Ensure sw_if_index to node mapping for L2 output path is only done via l2output_main.next_nodes | Andrew Yourtchenko | 7 | -85/+36
Before this commit, several output features that happen to be the last in the list of features to be executed, send the packets directly to <interfaceName>-output. To do this, they use l2_output_dispatch, which builds a list of sw_if_index to next index mappings. When interfaces are deleted and the new interfaces are created, these mappings become stale, and cause the packets to be sent to the wrong interface output nodes. This patch (thanks John Lo for the brilliant idea!) adds a feature node "output", whose sole purpose is dispatching the packets to the correct interface output nodes. To do that, it uses the l2output_main.next_nodes, which is already taken care of for the case of the sw_if_index reuse, so this makes the dependent features all work correctly. Since this changes the packet path, for the features that were always the last ones it has triggered a side problem of the output feat_next_node_index not being properly initialized. These two users are l2-output-classify node and the output nodes belonging to the acl-plugin. For the first one the less invasive fix is just to initialize that field. For the acl-plugin nodes, rewrite the affected part of the code to use feat_bitmap_get_next_node_index since this is essentially what the conditional in l2_output_dispatch does, and fix the compiler warnings generated.
Change-Id: If44457b1c1c3e197b78470c08555720d0872c6e5
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-02-09 | Plugin Makefiles did not install headers - VPP-631 | Keith Burns (alagalah) | 1 | -1/+1
Change-Id: I9f6fd1a63a9dfa2d2aa386cf0a3c2479525bbcec
Signed-off-by: Keith Burns (alagalah) <alagalah@gmail.com>
2017-01-20 | Fix plugin version numbers [v17.01] | Damjan Marion | 1 | -1/+1
Change-Id: Ie485e9dfa04747b5e4ba93fdeabc5802dc001d31
Signed-off-by: Damjan Marion <damarion@cisco.com>
2017-01-03 | VPP-574: fix the MACIP ACLs blocking ARP traffic | Andrew Yourtchenko | 1 | -0/+47
The initial assumption was that the MACIP ACL classifier tables would be applied after the classification of the traffic based on the ethertype, it turned out to be untrue, but the fix in the code did not happen. Add the ethertype to the mask, and the logic to create the ACL classifier tables permitting the ARP ethertype with the correct payload.
Change-Id: I70236a8a723970c662ddaef6bc9fce93d2e630c1
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2016-12-16 | Coverity fixes, VPP-486 | Dave Barach | 1 | -2/+2
Change-Id: I8906bb983128e8f6e2664e367d2015325c1125fb
Signed-off-by: Dave Barach <dave@barachs.net>
2016-12-13 | ACL: Install ACL JSON in install directory. | Ole Troan | 1 | -11/+12
Change-Id: I3f7dbd23114acf37322f97da80be746616a9d95d
Signed-off-by: Ole Troan <ot@cisco.com>
2016-12-08 | acl: make MACIP ACL apply/unapply/delete logic more robust | Andrew Yourtchenko | 1 | -11/+26
1. vnet_set_input_acl_intfc expects currently applied table ids to remove them properly, fixed that.
2. check if the interface has MACIP ACL applied before unapplying it
3. if applying MACIP ACL to interface that has one already applied, unapply that first.
These changes required also swapping the order of the add/del functions.
Change-Id: I179490371507b07e9dd8852000954156c318d98c
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2016-12-08 | Fix incorrect creation of classifier entries for macip ACL | Andrew Yourtchenko | 1 | -9/+31
The is_ip6 flag was incorrectly set during classifier table creation phase, which intermittently caused the mismatch between the mask value and the match values, resulting in dropped packets. Fix that. Also get rid of the magic numbers in that part of the code.
Change-Id: I0606561e6b07e70a1aa733746b56ed0e91752c94
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2016-12-07 | Acl JVpp api generation (HONEYCOMB-305) | Jan Srnicek | 9 | -0/+684
Includes simple test cases for acl management.
Change-Id: Ifff4f4baf9bfe84d73ebc46b591ecc46c85c94ad
Signed-off-by: Jan Srnicek <jsrnicek@cisco.com>
Signed-off-by: Marek Gradzki <mgradzki@cisco.com>
2016-12-07 | Fix coverity CIDs 157344, 157343, 157341, 157340, 157339, 157336 | Andrew Yourtchenko | 2 | -46/+30
The macros used to verify the validity of sw_if_index passed in the API calls have puzzled coverity. Even though the issues are false positives, the checks are rather simple, so edited them to avoid using the preprocessor macros, it makes the code easier to follow. Added the null check for 157336.
Change-Id: I24651346851215b236e53e682261e1f91219b381
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2016-12-07 | Make table chain deletion optional in classifier API (VPP-206) | Juraj Sloboda | 1 | -2/+4
Change-Id: If30c0f6d5de34943bc399b3412c2d10847538c3c
Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
2016-12-06 | acl: The ACL plugin. | Andrew Yourtchenko | 18 | -0/+5659
This is the commit from the accumulated work in the github ACL branch, to move it to gerrit.
Change-Id: I85a6b0df0d3dd3c3c7588e92a1e22c553e4b6ef7
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>