summaryrefslogtreecommitdiffstats
path: root/src/plugins/acl/acl_test.c
AgeCommit message (Collapse)AuthorFilesLines
2018-06-14acl-plugin: VAT: add an option to load entire ACL from a ClassBench ruleset ↵Andrew Yourtchenko1-0/+190
file for testing Add a command "acl_add_replace_from_file" to VAT which can load a ruleset and add an ACL with it. There are a few options which augment the ACL being created: "permit+reflect" or "permit" alter the default action from deny on the ACEs created. "append-default-permit" adds an entry in the end with the "permit+reflect" if the default action has been changed to permit+reflect, or with a simple permit otherwise. This command is IPv4-only because the available datasets were IPv4-only. Change-Id: I26b9f33ecb6b59e051d1d9cbafedbc47e8203392 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-03-09ACL: Fix the detail for ethertype whitelistMohsin Kazmi1-1/+1
Change-Id: Ie8b4effbd25e1e26b625d451ec059bac58a5a5a1 Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
2018-03-08acl-plugin: add the support for dumping the ethertype whitelist (VPP-1163)Andrew Yourtchenko1-0/+56
The gerrit 10434 which added the support for whitelist model on ethertypes, did not include the support to dump the current state. This patch fills that gap. Change-Id: I3222078ccb1839dc366140fa5f6b8999b2926fd2 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-02-08acl-plugin: add whitelisted ethertype mode (VPP-1163)Andrew Yourtchenko1-0/+60
Currently, ACL plugin largely does not care about the ethertypes other than 0x0800 (IPv4) and 0x86dd (IPv6), the only exception being 0x0806 (ARP), which is dealt with by the MACIP ACLs. The other ethertypes in L2 mode are just let through. This adds a new API message acl_interface_set_etype_whitelist, which allows to flip the mode of a given interface into "ethertype whitelist mode": the caller of this message must supply the two lists (inbound and outbound) of the ethertypes that are to be permitted, the rest of the ethertypes are dropped. The whitelisting for a given interface and direction takes effect only when a policy ACL is also applied. This operates on the same classifier node as the one used for dispatching the policy ACL, thus, if one wishes for most of the reasonable IPv4 deployments to continue to operate within the whitelist mode, they must permit ARP ethertype (0x0806) The empty list for a given direction resets the processing to allow the unknown ethertypes. So, if one wants to just permit the IPv4 and IPv6 and nothing else, one can add their ethertypes to the whitelist. Add the "show acl-plugin interface" corresponding outputs about the whitelists, vat command, and unittests. Change-Id: I4659978c801f36d554b6615e56e424b77876662c Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-10-03Repair vlib API socket serverDave Barach1-1/+0
- Teach vpp_api_test to send/receive API messages over sockets - Add memfd-based shared memory - Add api messages to create memfd-based shared memory segments - vpp_api_test supports both socket and shared memory segment connections - vpp_api_test pivot from socket to shared memory API messaging - add socket client support to libvlibclient.so - dead client reaper sends ping messages, container-friendly - dead client reaper falls back to kill (<pid>, 0) live checking if e.g. a python app goes silent for tens of seconds - handle ping messages in python client support code - teach show api ring about pairwise shared-memory segments - fix ip probing of already resolved destinations (VPP-998) We'll need this work to implement proper host-stack client isolation Change-Id: Ic23b65f75c854d0393d9a2e9d6b122a9551be769 Signed-off-by: Dave Barach <dave@barachs.net> Signed-off-by: Dave Wallace <dwallacelf@gmail.com> Signed-off-by: Florin Coras <fcoras@cisco.com>
2017-09-12ACL-plugin add "replace" semantics for adding a new MacIP aclPavel Kotucek1-3/+157
Change-Id: Ia5c869b2d8b8ad012b9e89fb6720c9c32d9ee065 Signed-off-by: Pavel Kotucek <pkotucek@cisco.com>
2017-08-18Fix small issues in ACL apiPavel Kotucek1-3/+11
Enable IP address without prefix length, if not given use max (32/128) Parse correctly type of acl (ipv4). Change-Id: I3d5d6b45037c9e0f95d2d112ae584f006c6cb4d1 Signed-off-by: Pavel Kotucek <pkotucek@cisco.com>
2017-06-21acl-plugin: vat: acl_interface_list_dump confusing/incorrect output in case ↵Andrew Yourtchenko1-2/+2
n_input == 0 The logic to print the line " output " is wrong for the case of n_input == 0, and the applied ACLs are printed as if they were applied on input. One may still figure out the truth by looking at the n_input value above, but it is confusing. Change-Id: I7b4a4d548e569994678dd1e139eb829456548b88 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-06-07acl-plugin: add a plugin-specific control-ping message api and make the test ↵Andrew Yourtchenko1-0/+35
code use it This fixes the undesirable pause in the dump commands in case there is nothing to dump. Change-Id: I0554556c9e442038aa2a1ed8c88234f21f7fe9b9 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-06-07acl-plugin: fix coverity error in acl_test.cAndrew Yourtchenko1-2/+2
Attempting to supply within a VAT CLI to add the ACLs a rule count override with no rules to add would result in null pointer dereference as we attempt to copy those rules to the message. Add the check to avoid copy if the source pointer is null (i.e. if there are no rules to copy from). This commit fixes coverity errors 166797 and 166792. Change-Id: Icabe060d961ba07dc41f63b8e17fca12ff82aa29 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-05-15Add a missing byte-swap call in ACL intf dump.Jon Loeliger1-1/+1
Change-Id: I87495d95dc6c5a36ff6d2ae05203e22e43403bf6 Signed-off-by: Jon Loeliger <jdl@netgate.com>
2017-04-12acl-plugin: missing "deny" parameter in APIPavel Kotucek1-0/+5
Change-Id: Ie2ab844ad27b5ddb552bad9b19e7029cf91e4071 Signed-off-by: Pavel Kotucek <pkotucek@cisco.com>
2017-04-05acl-plugin: fix pretty-printing in "api trace custom-dump" (VPP-683)Andrew Yourtchenko1-2/+28
Change-Id: Id15b401223aabe7dacb7566c871ebefc17fbb1fc Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> (cherry picked from commit 7fd3f513c7df198c45204eba0a3e9a3abe509593)
2017-02-02Refactor fragile msg macro W and W2 to not burry return control flow.Jon Loeliger1-16/+36
Instead, have them accept and assign a return paramter leaving the return control flow up to the caller. Clean up otherwise misleading returns present even after "NOT REACHED" comments. Change-Id: I0861921f73ab65d55b95eabd27514f0129152723 Signed-off-by: Jon Loeliger <jdl@netgate.com>
2017-02-02Localize the timeout variable within the W message macro.Jon Loeliger1-12/+0
Rather than rely on an unbound variable, explicitly introduce the timeout variable within the 'do { ... } while (0)' construct as a block-local variable. Change-Id: I6e78635290f9b5ab3f56b7f116c5fa762c88c9e9 Signed-off-by: Jon Loeliger <jdl@netgate.com>
2017-02-02Convert message macro S to accept a message pointer parameter;Jon Loeliger1-12/+12
Rather than blindly assume an unbound, fixed message parameter explicilty pass it as a paramter to the S() macro. Change-Id: Ieea1f1815cadd2eec7d9240408d69acdc3caa49a Signed-off-by: Jon Loeliger <jdl@netgate.com>
2017-02-02Ensure all M() and M2() second parameters are the message pointer.Jon Loeliger1-8/+8
Rather than maintain (?) an unused second parameter, t, and pull an unbound message pointer, mp, out of context, explicitly list the message pointer as the second parameter. Change-Id: I92143efda6211cdf6b935470f8c71579742a6b64 Signed-off-by: Jon Loeliger <jdl@netgate.com>
2017-01-25Repair plugin binary API message numberingDave Barach1-0/+2
Change-Id: I422a3f168bd483e011cfaf54af022cb79b78db02 Signed-off-by: Dave Barach <dave@barachs.net>
2017-01-23binary-api debug CLI works with pluginsDave Barach1-47/+4
Change-Id: I81f33f5153d5afac94b66b5a8cb91da77463af79 Signed-off-by: Dave Barach <dave@barachs.net>
2017-01-01Move java,lua api and remaining plugins to src/Damjan Marion1-0/+1024
Change-Id: I1c3b87e886603678368428ae56a6bd3327cbc90d Signed-off-by: Damjan Marion <damarion@cisco.com>