path: root/src/plugins/acl/acl.c
Commit log (age, commit message, author, files changed, lines -/+):
2019-08-28  acl: perform a sanity check of ACL rules before creating ACL
Author: Andrew Yourtchenko  (1 file, -0/+81)
Adding acl with incorrect arguments like 1.1.1.1/24 (instead of 1.1.1.0/24) doesn't cause a disaster, but doesn't match either, as some might expect. Add an explicit sanity check which returns an error.
Type: fix
Change-Id: Id1601f4b9c9887d3e7e70aac419d1f1de0c0e012
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>

2019-08-16  acl: fix stats-segment counters validation on acl update
Author: Andrew Yourtchenko  (1 file, -5/+10)
The stats-segment validation/clear logic for acl counters was wrong, fix it. Also add the code to the unittests to cover that case, add a vat command to enable/disable counters, clean up the unnecessary endian conversion and remove the stray clib_warning().
Change-Id: I421297a92e4aeb885c468c72a97cec25981df615
Type: fix
Ticket: VPP-1744
Fixes: f995c7122ba0d024b17bc3232e8edd18d5e25088
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
(cherry picked from commit 4c945dacb9ff9da731301feb26b1edb4ac00e8bd)

2019-07-24  acl: implement counters
Author: Andrew Yourtchenko  (1 file, -1/+65)
Implement per-acl-number counters in the stats segment. They are created during the ACL creation, the counters are incremented in the dataplane using the new inline function with the extra parameter being the packet size. Counting in shared segment adds a noticeable overhead, so add also an API to turn the counters on.
Type: feature
Change-Id: I8af7b0c31a3d986b68089eb52452aed45df66c7b
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>

2019-07-09  acl: perform the ACL-as-a-service user registrations in global heap
Author: Andrew Yourtchenko  (1 file, -5/+3)
Some users tend to call registration routine long before they need that service - which triggers an immediate initialization of the ACL heap, which is rather big. This commit defers this process by keeping the registrations in the global heap.
Change-Id: I5825871bd836851942b55184b6ee2657c7a9cc33
Type: fix
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>

2019-05-03  plugins: clean up plugin descriptions
Author: Dave Wallace  (1 file, -1/+1)
- Make plugin descriptions more consistent so the output of "show plugin" can be used in the wiki.
Change-Id: I4c6feb11e7dcc5a4cf0848eed37f1d3b035c7dda
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>

2019-04-10  API: Fix shared memory only action handlers.
Author: Ole Troan  (1 file, -7/+5)
Some API action handlers called vl_msg_ai_send_shmem() directly. That breaks Unix domain socket API transport. A couple (bond / vhost) also tried to send a sw_interface_event directly, but did not send the message to all that had registered interest. That scheme never worked correctly. Refactored and improved the interface event code.
Change-Id: Idb90edfd8703c6ae593b36b4eeb4d3ed7da5c808
Signed-off-by: Ole Troan <ot@cisco.com>

2019-03-22  acl-plugin: get rid of a separate "count" field in the linear acl struct
Author: Andrew Yourtchenko  (1 file, -8/+9)
Long time ago, the linear array of rules in the ACL structure was not a vector. Now it is, so get rid of the extraneous "count" member. Do so in a manner that would ease the potential MP-safe manipulation of ACL rules in the future.
Change-Id: Ib9c0731e4f21723c9ec4d7f00c3e5ead8e1e97bd
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>

2018-12-11  New api in order to get max entries of connection table is added.
Author: Khers  (1 file, -1/+28)
Change-Id: I2f81ec95de55ad2355f82550451ad825c228e5cd
Signed-off-by: Khers <s3m2e1.6star@gmail.com>

2018-11-22  acl-plugin: optimize hash memory usage + fix the startup config parsing for memory sizes [VPP-1502]
Author: Andrew Yourtchenko  (1 file, -6/+10)
In a couple of places vec_add1()-style was repeatedly called in a loop for smallish vectors where the number of additions was known in advance. With a test with large number of ACEs these numbers contribute to heap fragmentation noticeably. Minimize the number of allocations by preallocating the known size and then resetting the length accordingly, and then calling vec_add1(). Also unify the parsing of the memory-related startup config parameters.
Change-Id: If8fba344eb1dee8f865ffe7b396ca3b6bd9dc1d0
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>

2018-10-25  acl-plugin: "show acl-plugin acl" ACE# is truncated to 4 digits in output
Author: Andrew Yourtchenko  (1 file, -1/+1)
I was expecting "%4d" format string to exhibit the same behavior as the one in C standard library, but rather than specifying _minimal_ width and expanding as necessary, it actually truncates the output. Changing that to "%9d" should take care of pushing this surprising difference in behavior into the domain of impossible.
Change-Id: Ia687137ca765bf9c1575af998ff11314010e81ad
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>

2018-10-23  c11 safe string handling support
Author: Dave Barach  (1 file, -45/+45)
Change-Id: Ied34720ca5a6e6e717eea4e86003e854031b6eab
Signed-off-by: Dave Barach <dave@barachs.net>

2018-10-20  acl-plugin: use the L2 feature arc infrastructure instead of L2 classifier for plumbing
Author: Andrew Yourtchenko  (1 file, -661/+38)
This makes ACL plugin use the new feature arcs, which slightly increases performance. Since for ethertype whitelisting we were using the L2 classifier, to retain the functionality, make a simple node doing that, and plug it into non-ip L2 feature arc whenever needed.
Change-Id: I3add377a6c790117dd3fd056e5615cb4c4438cf4
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>

2018-09-25  acl-plugin: optimize session idle timer checks
Author: Andrew Yourtchenko  (1 file, -0/+8)
This commit adds explicit signaling from a non-owning thread to the owning thread to restart the session timer as necessary. Consequently, we now can sweep the session lists at their respective timeouts, rather than sweeping all the lists at the pace of the shortest timeout value, just taking care to wake up if the session requeue to a different list results in needing to wake up earlier.
Change-Id: Ifc8c500f6988748f4cd3dc184dd7824321aaaaca
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>

2018-09-24  Trivial: Clean up some typos.
Author: Paul Vinciguerra  (1 file, -2/+2)
Change-Id: I085615fde1f966490f30ed5d32017b8b088cfd59
Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>

2018-07-23  fix vector index range checks
Author: Eyal Bari  (1 file, -2/+2)
Change-Id: I63c36644c9d93f2c3ec6606ca0205b407499de4e
Signed-off-by: Eyal Bari <ebari@cisco.com>

2018-07-18  Add config option to use dlmalloc instead of mheap
Author: Dave Barach  (1 file, -3/+8)
Configure w/ --enable-dlmalloc, see .../build-data/platforms/vpp.mk. src/vppinfra/dlmalloc.[ch] are slightly modified versions of the well-known Doug Lea malloc. Main advantage: dlmalloc mspaces have no inherent size limit.
Change-Id: I19b3f43f3c65bcfb82c1a265a97922d01912446e
Signed-off-by: Dave Barach <dave@barachs.net>

2018-06-27  acl-plugin: tm: add tuplemerge algorithm for relaxing the hashtable masks
Author: Andrew Yourtchenko  (1 file, -0/+14)
Slightly refactored from the initial implementation of the TupleMerge [1] algorithm by Valerio Bruschi (valerio.bruschi@telecom-paristech.fr).
[1] James Daly, Eric Torng, "TupleMerge: Building Online Packet Classifiers by Omitting Bits", In Proc. IEEE ICCCN 2017, pp. 1-10
Also add startup parameters to turn on/off the algorithm ("use tuple merge 1/0"), and a startup parameter to be able to tweak the split threshold ("tuple merge split threshold N"); the default value of the split threshold is 39 as per paper, but some more tuning might be necessary to find the best value. This change, alongside with the optimizations which avoid extra lookups, significantly reduces the slowdown on the ClassBench generated ACLs, which are supposed to resemble realistic ACLs seen in use in the field.
Change-Id: I9713e4673970e9a62d4d9e9718365293375fab7b
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>

2018-06-20  acl-plugin: acl-as-a-service: VPP-1248: fix the error if exports.h included in more than one C file
Author: Andrew Yourtchenko  (1 file, -18/+15)
Including the exports.h from multiple .c files belonging to a single plugin results in an error. Rework the approach to require the table of function pointers to be filled in by the initialization function. Since the inline functions are compiled in the "caller" context, there is no knowledge about the acl_main structure used by the ACL plugin. To help with that, the signature of inline functions is slightly different, taking the p_acl_main pointer as the first parameter. That pointer is filled into the .p_acl_main field of the method table during the initialization - since the calling of non-inline variants would have required filling the method table, this should give minimal headaches during the use and switch between the two methods.
Change-Id: Icb70695efa23579c46c716944838766cebc8573e
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>

2018-06-02  acl-plugin: multicore: session management fixes
Author: Andrew Yourtchenko  (1 file, -15/+28)
- implement a 1us purgatory for the session structures by adding a special connection list, where all connections about to be deleted go.
- add per-list-head timeouts updated upon the list enqueue/dequeue for connection idle management
- add an "unused" session list with list ID#0, which should never be used unless there is a logic error. Use this ID to initialize the sessions.
- improve the maintainability of the session linked list structures by using symbolic bogus index name instead of ~0
- change the ordering of session creations - first reverse, then local. To minimize the potential for two workers competing for the same session in the corner case of the two packets on different workers creating the same logical session
- reduce the maximum session count to keep the memory usage the same
- add extra log/debug/trace to session cleaning logic
- be more aggressive with cleaning up sessions
- wind up the interrupts from the workers to themselves if there is more work to do
Change-Id: I3aa1c91a925a08e83793467cb15bda178c21e426
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>

2018-05-22  acl-plugin: refactor to introduce multiarch dataplane functions
Author: Andrew Yourtchenko  (1 file, -0/+7)
This commit splits the functions from fa_node.c into the pure dataplane node functions (which are multiarch-compiled), session management node functions (which are compiled only once), and session find/add/delete functions which are split out into the inlines. As part of the refactoring:
- get rid of BV() macros in the affected chunk of code, rather use the explicit bihash function names.
- add the magic trailer to the new files to ensure make checkstyle watches them.
- move the bihash_template.c include for 40_8 bihash into acl.c
Change-Id: I4d781e9ec4307ea84e92af93c09470ea2bd0c375
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>

2018-04-17  acl-plugin: VPP-1241: fix the "show acl-plugin tables applied" output
Author: Andrew Yourtchenko  (1 file, -4/+4)
It is a relatively rarely used low level command for code that didn't change, but due to infra changes it did not survive. Having it working may be very useful for corner-case debugging. So, fix it for working with the acl-as-a-service infra.
Change-Id: I11b60e0c78591cc340b043ec240f0311ea1eb2f9
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
(cherry picked from commit 18bde8a579960aa46f43ffbe5c2905774bd81a35)

2018-04-12  Fixes for 'make UNATTENDED=yes CC=clang CXX=clang verify'
Author: Neale Ranns  (1 file, -1/+0)
Change-Id: I994649761fe2e66e12ae0e49a84fb1d0a966ddfb
Signed-off-by: Neale Ranns <nranns@cisco.com>

2018-04-11  acl-plugin: VPP-1230: fix the "undefined symbol" error for acl_main when using the inline functions
Author: Andrew Yourtchenko  (1 file, -0/+1)
The acl_main struct, which is defined in the acl_plugin, is not visible when the ACL plugin inline code is being compiled within the context of other plugins. Fix that by using the global pointer variable, which exists in both the ACL plugin context and is set in the context of the external plugins using ACL plugin.
Change-Id: Iaa74dd8cf36ff5442a06a25c5c968722116bddf8
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
(cherry picked from commit 1286a15a6e60f80b0e1b349f876de8fa38c71368)

2018-03-30  acl-plugin: implement an optional session reclassification when ACL is (re-)applied
Author: Andrew Yourtchenko  (1 file, -7/+89)
There were several discussions in which users would expect the sessions to be deleted if the new policy after the change does not permit them. There is no right or wrong answer to this question - it is a policy decision. This patch implements an idea to approach this. It uses a per-interface-per-direction counter to designate a "policy epoch" - a period of unchanging rulesets. The moment one removes or adds an ACL applied to an interface, this counter increments. The newly created connections inherit the current policy epoch in a given direction. Likewise, this counter increments if anyone updates an ACL applied to an interface.
There is also a new (so far hidden) CLI "set acl-plugin reclassify-sessions [0|1]" (with default being 0) which allows enabling the checking of the existing sessions against the current policy epoch in a given direction. The session is not verified unless there is traffic hitting that session *in the direction of the policy creation* - if the epoch has changed, the session is deleted and within the same processing cycle is evaluated against the ACL rule base and recreated - thus, it should allow traffic-driven session state refresh without affecting the connectivity for the existing sessions. If the packet is coming in the direction opposite to which the session was initially created, the state adjustment is never done, because doing so generically is not really possible without diving too deep into the special cases, which may or may not work.
Change-Id: I9e90426492d4bd474b5e89ea8dfb75a7c9de2646
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>

2018-03-27  acl-plugin: autosize the ACL plugin heap and fix the heap size types and parsing
Author: Andrew Yourtchenko  (1 file, -5/+38)
- autosize the ACL plugin heap size based on the number of workers
- for manual heap size setting, use the proper types (uword), and proper format/unformat functions (unformat_memory_size)
Change-Id: I7c46134e949862a0abc9087d7232402fc5a95ad8
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>

2018-03-26  acl-plugin: defer the ACL plugin user module registration with ACL lookup until it is needed
Author: Andrew Yourtchenko  (1 file, -3/+5)
Registering ACL plugin user module within the "ACL as a service" infra during the plugin init causes an unnecessary ACL heap allocation and prevents the changing of the ACL heap size from the startup config. Defer this registration until just before it is needed - i.e. when applying an ACL to an interface.
Change-Id: Ied79967596b3b76d6630f136c998e59f8cdad962
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>

2018-03-23  acl-plugin: improvements in 'show acl-plugin macip acl' CLI
Author: Andrew Yourtchenko  (1 file, -11/+44)
- allow to optionally specify the specific MACIP ACL index: 'show acl-plugin macip acl [index N]'
- after showing the MACIP ACL, show the sw_if_index of interface(s) where it is applied.
Also, add some executions of these debug commands to the MACIP test case for easy verification.
Change-Id: I56cf8272abc20b1b2581b60d528d27a70d186b18
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>

2018-03-23  acl-plugin: set ACL heap within the exported functions that might alloc memory
Author: Andrew Yourtchenko  (1 file, -0/+7)
The functions which get called by other plugins need to set the acl plugin heap, such that the other plugins do not have to think about it.
Change-Id: I673073f17116ffe444c163bf3dff40821d0c2686
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>

2018-03-22  Revert "acl-plugin: improvement on 'show acl-plugin' CLI"
Author: Damjan Marion  (1 file, -34/+9)
This reverts commit 378ac0533e5ac8c3121d8f66ba61a8548e55282f.
Change-Id: If34b1c964453adb0e4c44e3eab4f6e306bd9c9e9
Signed-off-by: Damjan Marion <damarion@cisco.com>

2018-03-22  acl-plugin: implement ACL lookup contexts for "ACL as a service" use by other plugins
Author: Andrew Yourtchenko  (1 file, -459/+424)
This code implements the functionality required for other plugins wishing to perform ACL lookups in the contexts of their choice, rather than only in the context of the interface in/out. The lookups are the stateless ACLs - there is no concept of "direction" within the context, hence no concept of "connection" either. The plugins need to include the
The file acl_lookup_context.md has more info.
Change-Id: I91ba97428cc92b24d1517e808dc2fd8e56ea2f8d
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>

2018-03-21  acl-plugin: improvement on 'show acl-plugin' CLI
Author: Steve Shin  (1 file, -9/+34)
- Show interface on which given MACIP ACL is applied
- index is added for show acl-plugin macip acl: ex) show acl-plugin macip acl [index N]
Change-Id: I3e888c8e3267060fe157dfc1bbe3e65371bd858a
Signed-off-by: Steve Shin <jonshin@cisco.com>

2018-03-20  Fix Allow ARP packets for dot1q interface with MACIP enabled
Author: Steve Shin  (1 file, -50/+169)
ARP packets need to be allowed for dot1q interface when MACIP is enabled.
Change-Id: I33dd3cb6c6100c49420d57360a277f65c55ac816
Signed-off-by: Steve Shin <jonshin@cisco.com>

2018-03-09  ACL: Fix the detail for ethertype whitelist
Author: Mohsin Kazmi  (1 file, -2/+2)
Change-Id: Ie8b4effbd25e1e26b625d451ec059bac58a5a5a1
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>

2018-03-08  acl-plugin: add the support for dumping the ethertype whitelist (VPP-1163)
Author: Andrew Yourtchenko  (1 file, -1/+94)
The gerrit 10434 which added the support for whitelist model on ethertypes, did not include the support to dump the current state. This patch fills that gap.
Change-Id: I3222078ccb1839dc366140fa5f6b8999b2926fd2
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>

2018-02-09  acl-plugin: Stale classify table after deleting macip ACL
Author: Steve Shin  (1 file, -0/+22)
Classify table for output node should be cleaned up after deleting macip ACL.
Change-Id: Ibbc46c8465bec02fe6fa6a8d33a1f06bcf28e9ad
Signed-off-by: Steve Shin <jonshin@cisco.com>

2018-02-08  acl-plugin: add whitelisted ethertype mode (VPP-1163)
Author: Andrew Yourtchenko  (1 file, -5/+198)
Currently, ACL plugin largely does not care about the ethertypes other than 0x0800 (IPv4) and 0x86dd (IPv6), the only exception being 0x0806 (ARP), which is dealt with by the MACIP ACLs. The other ethertypes in L2 mode are just let through.
This adds a new API message acl_interface_set_etype_whitelist, which allows flipping the mode of a given interface into "ethertype whitelist mode": the caller of this message must supply the two lists (inbound and outbound) of the ethertypes that are to be permitted, the rest of the ethertypes are dropped. The whitelisting for a given interface and direction takes effect only when a policy ACL is also applied. This operates on the same classifier node as the one used for dispatching the policy ACL, thus, if one wishes for most of the reasonable IPv4 deployments to continue to operate within the whitelist mode, they must permit ARP ethertype (0x0806).
The empty list for a given direction resets the processing to allow the unknown ethertypes. So, if one wants to just permit the IPv4 and IPv6 and nothing else, one can add their ethertypes to the whitelist.
Add the "show acl-plugin interface" corresponding outputs about the whitelists, vat command, and unittests.
Change-Id: I4659978c801f36d554b6615e56e424b77876662c
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>

2018-02-08  acl-plugin: VPP-1088: add support for egress filter in macip ACLs
Author: Andrew Yourtchenko  (1 file, -16/+240)
This is the second patch, using the new functionality from the change 10002 in order to implement the egress filtering on the MACIP ACLs. This adds an action "2" which means "add also egress filtering rules for this MACIP ACL". The reason for having the two choices is that the egress filtering really takes care of a fairly corner case scenario, and I am not convinced that always adding the performance cost of the egress lookup check is worth it. Also, of course, not breaking the existing implementations is a nice plus, too.
Change-Id: I3d7883ed45b1cdf98d7303771bcc75951dff38f0
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>

2018-02-08  acl-plugin: an elog-based tracing implementation for troubleshooting the conn cleaner threads interactions
Author: Andrew Yourtchenko  (1 file, -0/+15)
This replaces some of the early-stage commented-out printf()s with an elog-based debug collector. It is aimed to be "better than nothing" initial implementation to be available in the field. It will be refined/updated based on use. This initial code is focused on the main/worker threads interactions, hence uses just the worker tracks. This code adds a developer debug CLI "set acl-plugin session table event-trace 1", which allows gathering the events pertaining to connection cleaning. The CLI is deliberately not part of the online help, as the express declaration that the semantics/trace levels, etc. are subject to change without notice.
Change-Id: I3536309f737b73e50639cd5780822dcde667fc2c
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>

2018-02-07  classifier-based ACL: refactor + add output ACL
Author: Andrew Yourtchenko  (1 file, -1/+1)
For implementation of MACIP ACLs enhancement (VPP-1088), an outbound classifier-based ACL would be needed. There was an existing incomplete code for outbound ACLs, it looked like an almost exact copy of input ACLs, minus the various enhancements, and trying to sync that code seemed error-prone and cumbersome to maintain in the longer run. This change refactors the input+output ACLs processing into a unified routine (thus any changes will have effect on both), and also adds the API to set the output interface ACL, with the same format and semantics as the existing input one (except working on output ACL of course).
WARNING: IP outbound ACL in L3 mode clobbers the ip.* fields in the vnet_buffer_opaque_t, since the code is using l2_classify.* The net_buffer (p0)->ip.save_rewrite_length is rescued into l2_classify.pad.l2_len, and used to rewind the header in case of drop, so that ipX_drop prints something sensible.
Change-Id: I62f814f1e3650e504474a3a5359edb8a0a8836ed
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>

2018-01-11  api: remove transport specific code from handlers
Author: Florin Coras  (1 file, -57/+45)
This does not update api client code. In other words, if the client assumes the transport is shmem based, this patch does not change that. Furthermore, code that checks queue size, for tail dropping, is not updated.
Done for the following apis:
Plugins - acl - gtpu - memif - nat - pppoe
VNET - bfd - bier - tapv2 - vhost user - dhcp - flow - geneve - ip - punt - ipsec/ipsec-gre - l2 - l2tp - lisp-cp/one-cp - lisp-gpe - map - mpls - policer - session - span - udp - tap - vxlan/vxlan-gpe - interface
VPP - api/api.c
OAM - oam_api.c
Stats - stats.c
Change-Id: I0e33ecefb2bdab0295698c0add948068a5a83345
Signed-off-by: Florin Coras <fcoras@cisco.com>

2018-01-09  api: refactor vlibmemory
Author: Florin Coras  (1 file, -10/+10)
- separate client/server code for both memory and socket apis
- separate memory api code from generic vlib api code
- move unix_shared_memory_fifo to svm and rename to svm_fifo_t
- overall declutter
Change-Id: I90cdd98ff74d0787d58825b914b0f1eafcfa4dc2
Signed-off-by: Florin Coras <fcoras@cisco.com>

2017-12-20  acl-plugin: add a debug CLI to print 5-tuple structure in human readable format from hex representation
Author: Andrew Yourtchenko  (1 file, -0/+26)
Even though the trace now prints the hex as well as human readable format for acl plugin, it can be handy to have a separate function which allows to decode the hex. So add this debug CLI.
Change-Id: I1db133a043374817ea9e94ae3736b8a98630669d
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>

2017-12-11  acl-plugin: unapply/reapply the classifier-based inacls when performing macip_acl_add_replace on an existing MACIP ACL
Author: Andrew Yourtchenko  (1 file, -1/+29)
The classifier tables layout might (and most always will) change during the MACIP ACL modification. Furthermore, vnet_set_input_acl_intfc() is quite a picky creature - it quietly does nothing if there is an existing inacl applied, even if the number is different, so a simple "reapply" does not work. So, cleanly remove inacl, then reapply when the new tables are ready. Also, fix the testcase which was supposed to test this exact behavior. Thanks to Jon Loeliger for spotting this issue.
Change-Id: I7e4bd8023d9de7e914448bb4466c1b0ef6940f58
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>

2017-12-01  acl-plugin: fix coverity 177970-177973,178891, and incorrect reset of dot1q/dot1ad classifier mask
Author: Andrew Yourtchenko  (1 file, -13/+33)
17797[1-3] have been a false positive in the optional debug CLI argument handling, 178891 was triggered by an unnecessary use of memcpy. Also fix the issue reported by khers (thanks!) - since 178891 was in the same place.
Change-Id: I3a804e2b1d25d74c11fcc389020d2c1fd69902b2
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>

2017-11-11  ACL: Add coding-style-patch-verification and indent.
Author: Jon Loeliger  (1 file, -965/+1260)
Change-Id: I2397ada9760d546423e031ad45535ef8801b05e7
Signed-off-by: Jon Loeliger <jdl@netgate.com>

2017-11-11  ACLs: Use better error return codes than "-1" everywhere.
Author: Jon Loeliger  (1 file, -14/+14)
Added two new errors:
- ACL_IN_USE_INBOUND
- ACL_IN_USE_OUTBOUND
Update ACL tests to expect new, precise return values.
Change-Id: I644861a18aa5b70cce5f451dd6655641160c7697
Signed-off-by: Jon Loeliger <jdl@netgate.com>

2017-11-08  ACL plugin support tagged subinterfaces
Author: Pavel Kotucek  (1 file, -40/+306)
Change-Id: I92b351895c7efb26533c05512b91ead8ddbfb9c8
Signed-off-by: Pavel Kotucek <pkotucek@cisco.com>

2017-10-27  acl-plugin: increase the amount of memory for classifier tables used by MACIP ACLs
Author: Andrew Yourtchenko  (1 file, -1/+1)
The classifier tables upper bound of memory was just big enough to cause the unittests pass most of the time but not always. Increase the amount of space and run several hundred iterations of unittests to ensure they always pass.
Change-Id: Ieb7876c6ebdde1f8c5273dbb9b090f12f2c38915
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>

2017-10-26  acl-plugin: refactor the "show acl-plugin" CLI, use vlib_cli_output() vs. format()
Author: Andrew Yourtchenko  (1 file, -181/+194)
The vppctl was getting upset with large chunks of info generated by repeated format() functions, so convert to use vlib_cli_output instead. Also, refactor the show functionality into smaller functions, separate from the input handling.
Change-Id: I5d0db5ac45ce4c1b59cd41526b837412e06b1ce0
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>

2017-10-13  acl-plugin: display "::" for INADDR6_ANY on ACL output
Author: Steve Shin  (1 file, -3/+6)
INADDR6_ANY should be displayed as "::" instead of "0.0.0.0" (ipv4 format).
Change-Id: I24ec7b6febbfeca5db7ff894f455ecb73d954334
Signed-off-by: Steve Shin <jonshin@cisco.com>