summaryrefslogtreecommitdiffstats
path: root/src/plugins/acl
AgeCommit message (Collapse)AuthorFilesLines
2018-03-30acl-plugin: implement an optional session reclassification when ACL is ↵Andrew Yourtchenko4-10/+128
(re-)applied There were several discussions in which users would expect the sessions to be deleted if the new policy after the change does not permit them. There is no right or wrong answer to this question - it is a policy decision. This patch implements an idea to approach this. It uses a per-interface-per-direction counter to designate a "policy epoch" - a period of unchanging rulesets. The moment one removes or adds an ACL applied to an interface, this counter increments. The newly created connections inherit the current policy epoch in a given direction. Likewise, this counter increments if anyone updates an ACL applied to an interface. There is also a new (so far hidden) CLI "set acl-plugin reclassify-sessions [0|1]" (with default being 0) which allows to enable the checking of the existing sessions against the current policy epoch in a given direction. The session is not verified unless there is traffic hitting that session *in the direction of the policy creation* - if the epoch has changed, the session is deleted and within the same processing cycle is evaluated against the ACL rule base and recreated - thus, it should allow traffic-driven session state refresh without affecting the connectivity for the existing sessions. If the packet is coming in the direction opposite to which the session was initially created, the state adjustment is never done, because doing so generically is not really possible without diving too deep into the special cases, which may or may not work. Change-Id: I9e90426492d4bd474b5e89ea8dfb75a7c9de2646 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-03-30Add missing stdint.hChris Luke1-0/+1
Coverity has started whining about uint32_t missing in this .h Change-Id: I57992121c0593d6a0ada35917802d0300cf91259 Signed-off-by: Chris Luke <chrisy@flirble.org>
2018-03-27acl-plugin: autosize the ACL plugin heap and fix the heap size types and parsingAndrew Yourtchenko3-9/+43
- autosize the ACL plugin heap size based on the number of workers - for manual heap size setting, use the proper types (uword), and proper format/unformat functions (unformat_memory_size) Change-Id: I7c46134e949862a0abc9087d7232402fc5a95ad8 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-03-26acl-plugin: defer the ACL plugin user module registration with ACL lookup ↵Andrew Yourtchenko1-3/+5
until it is needed Registering ACL plugin user module within the "ACL as a service" infra during the plugin init causes an unnecesary ACL heap allocation and prevents the changing of the ACL heap size from the startup config. Defer this registration until just before it is needed - i.e. when applying an ACL to an interface. Change-Id: Ied79967596b3b76d6630f136c998e59f8cdad962 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-03-23acl-plugin: improvements in 'show acl-plugin macip acl' CLIAndrew Yourtchenko2-11/+47
- allow to optionally specify the specific MACIP ACL index: 'show acl-plugin macip acl [index N]' - after showing the MACIP ACL, show the sw_if_index of interface(s) where it is applied. Also, add some executions of this debug commands to the MACIP test case for easy verification. Change-Id: I56cf8272abc20b1b2581b60d528d27a70d186b18 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-03-23acl-plugin: set ACL heap within the exported functions that might alloc memoryAndrew Yourtchenko3-0/+23
The functions which get called by other plugins need to set the acl plugin heap, such that the other plugins do not have to think about it. Change-Id: I673073f17116ffe444c163bf3dff40821d0c2686 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-03-22Revert "acl-plugin: improvement on 'show acl-plugin' CLI"Damjan Marion2-37/+9
This reverts commit 378ac0533e5ac8c3121d8f66ba61a8548e55282f. Change-Id: If34b1c964453adb0e4c44e3eab4f6e306bd9c9e9 Signed-off-by: Damjan Marion <damarion@cisco.com>
2018-03-22acl-plugin: implement ACL lookup contexts for "ACL as a service" use by ↵Andrew Yourtchenko13-1148/+2117
other plugins This code implements the functionality required for other plugins wishing to perform ACL lookups in the contexts of their choice, rather than only in the context of the interface in/out. The lookups are the stateless ACLs - there is no concept of "direction" within the context, hence no concept of "connection" either. The plugins need to include the The file acl_lookup_context.md has more info. Change-Id: I91ba97428cc92b24d1517e808dc2fd8e56ea2f8d Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-03-21acl-plugin: improvement on 'show acl-plugin' CLISteve Shin2-9/+37
- Show interface on which given MACIP ACL is applied - index is added for show acl-plugin macip acl: ex) show acl-plugin macip acl [index N] Change-Id: I3e888c8e3267060fe157dfc1bbe3e65371bd858a Signed-off-by: Steve Shin <jonshin@cisco.com>
2018-03-20Fix Allow ARP packets for dot1q interface with MACIP enabledSteve Shin1-50/+169
ARP packets need to be allowed for dot1q interface when MACIP is enabled. Change-Id: I33dd3cb6c6100c49420d57360a277f65c55ac816 Signed-off-by: Steve Shin <jonshin@cisco.com>
2018-03-09ACL: Fix the detail for ethertype whitelistMohsin Kazmi2-3/+3
Change-Id: Ie8b4effbd25e1e26b625d451ec059bac58a5a5a1 Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
2018-03-08acl-plugin: add the support for dumping the ethertype whitelist (VPP-1163)Andrew Yourtchenko3-1/+180
The gerrit 10434 which added the support for whitelist model on ethertypes, did not include the support to dump the current state. This patch fills that gap. Change-Id: I3222078ccb1839dc366140fa5f6b8999b2926fd2 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-02-09acl-plugin: Stale classify table after deleting macip ACLSteve Shin1-0/+22
Classify table for output node should be cleaned up after deleting macip ACL. Change-Id: Ibbc46c8465bec02fe6fa6a8d33a1f06bcf28e9ad Signed-off-by: Steve Shin <jonshin@cisco.com>
2018-02-08acl-plugin: add whitelisted ethertype mode (VPP-1163)Andrew Yourtchenko5-5/+308
Currently, ACL plugin largely does not care about the ethertypes other than 0x0800 (IPv4) and 0x86dd (IPv6), the only exception being 0x0806 (ARP), which is dealt with by the MACIP ACLs. The other ethertypes in L2 mode are just let through. This adds a new API message acl_interface_set_etype_whitelist, which allows to flip the mode of a given interface into "ethertype whitelist mode": the caller of this message must supply the two lists (inbound and outbound) of the ethertypes that are to be permitted, the rest of the ethertypes are dropped. The whitelisting for a given interface and direction takes effect only when a policy ACL is also applied. This operates on the same classifier node as the one used for dispatching the policy ACL, thus, if one wishes for most of the reasonable IPv4 deployments to continue to operate within the whitelist mode, they must permit ARP ethertype (0x0806) The empty list for a given direction resets the processing to allow the unknown ethertypes. So, if one wants to just permit the IPv4 and IPv6 and nothing else, one can add their ethertypes to the whitelist. Add the "show acl-plugin interface" corresponding outputs about the whitelists, vat command, and unittests. Change-Id: I4659978c801f36d554b6615e56e424b77876662c Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-02-08acl-plugin: VPP-1088: add support for egress filter in macip ACLsAndrew Yourtchenko2-16/+244
This is the second patch, using the new functionality from the change 10002 in order to implement the egress filtering on the MACIP ACLs. This adds an action "2" which means "add also egress filtering rules for this MACIP ACL. The reason for having the two choices is that the egress filtering really takes care of a fairly corner case scenario, and I am not convinced that always adding the performance cost of the egress lookup check is worth it. Also, of course, not breaking the existing implementations is a nice plus, too. Change-Id: I3d7883ed45b1cdf98d7303771bcc75951dff38f0 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-02-08acl-plugin: an elog-based tracing implementation for troubleshooting the ↵Andrew Yourtchenko4-32/+153
conn cleaner threads interactions This replaces some of the early-stage commented-out printf()s with an elog-based debug collector. It is aimed to be "better than nothing" initial implementation to be available in the field. It will be refined/updated based on use. This initial code is focused on the main/worker threads interactions, hence uses just the worker tracks. This code adds a developer debug CLI "set acl-plugin session table event-trace 1", which allows to gather the events pertaining to connection cleaning. The CLI is deliberately not part of the online help, as the express declaration that the semantics/trace levels, etc. are subject to change without notice. Change-Id: I3536309f737b73e50639cd5780822dcde667fc2c Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-02-07acl-plugin: multicore: send the interrupts to thread0 tooAndrew Yourtchenko1-1/+1
The thread0 in some configurations can handle the traffic. Some of the previous fixes accomodated for that, but the interrupt sending for connection clearing was not adapted to that, resulting in a deadlock during clearing of all connections... Change-Id: I32b4c7bac09c91c22b796baab843bdaf41f7045c Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-02-07classifier-based ACL: refactor + add output ACLAndrew Yourtchenko1-1/+1
For implementation of MACIP ACLs enhancement (VPP-1088), an outbound classifier-based ACL would be needed. There was an existing incomplete code for outbound ACLs, it looked almost exact copy of input ACLs, minus the various enhancements, trying to sync that code seemed error-prone and cumbersome to maintain in the longer run. This change refactors the input+output ACLs processing into a unified routine (thus any changes will have effect on both), and also adds the API to set the output interface ACL, with the same format and semantics as the existing input one (except working on output ACL of course). WARNING: IP outbound ACL in L3 mode clobbers the ip.* fields in the vnet_buffer_opaque_t, since the code is using l2_classify.* The net_buffer (p0)->ip.save_rewrite_length is rescued into l2_classify.pad.l2_len, and used to rewind the header in case of drop, so that ipX_drop prints something sensible. Change-Id: I62f814f1e3650e504474a3a5359edb8a0a8836ed Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-02-06Reflexive ACL support on ICMPSteve Shin1-25/+113
Normally session keys are generated by mirroring the packets sent. ICMP message type should be used and inverted for the stateful ACL. Supported ICMP messages with this patch: - ICMPv4: Echo/Timestamp/Information/Address Mask requests - ICMPv6: Echo request/Node Information Queury The invmap & valid_new tables can be modified to make any other ICMP messages to be reflexive ACL. Change-Id: Ia47b08b79fe0a5b1f7a995af78de3763d275dbd9 Signed-off-by: Steve Shin <jonshin@cisco.com>
2018-01-23VPPAPIGEN: vppapigen replacement in Python PLY.Ole Troan1-1/+1
This is a version of the VPP API generator in Python PLY. It supports the existing language, and has a plugin architecture for generators. Currently C and JSON are supported. Changes: - vl_api_version to option version = "major.minor.patch" - enum support - Added error checking and reporting - import support (removed the C pre-processor) - services (tying request/reply together) Version: option version = "1.0.0"; Enum: enum colours { RED, BLUE = 50, }; define foo { vl_api_colours_t colours; }; Services: service { rpc foo returns foo_reply; rpc foo_dump returns stream foo_details; rpc want_stats returns want_stats_reply events ip4_counters, ip6_counters; }; Future planned features: - unions - bool, text - array support (including length) - proto3 output plugin - Refactor C/C++ generator as a plugin - Refactor Java generator as a plugin Change-Id: Ifa289966c790e1b1a8e2938a91e69331e3a58bdf Signed-off-by: Ole Troan <ot@cisco.com>
2018-01-16acl-plugin: multicore: use pool_init_fixed for per-worker preallocated poolsAndrew Yourtchenko1-1/+7
One worker thread may be processing the packets for session owned by another worker thread. During session access the validity of the pool index is checked - however, the free bitmap pointer might change just at that moment, potentially resulting in a crash. Thus, use the pool_init_fixed() when initializing the per-worker pools, so that the free bitmaps are as well staying in their place. Change-Id: I5796e6b62fdc1efd4299124a388b84a7c0dc19cd Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-01-11api: remove transport specific code from handlersFlorin Coras1-57/+45
This does not update api client code. In other words, if the client assumes the transport is shmem based, this patch does not change that. Furthermore, code that checks queue size, for tail dropping, is not updated. Done for the following apis: Plugins - acl - gtpu - memif - nat - pppoe VNET - bfd - bier - tapv2 - vhost user - dhcp - flow - geneve - ip - punt - ipsec/ipsec-gre - l2 - l2tp - lisp-cp/one-cp - lisp-gpe - map - mpls - policer - session - span - udp - tap - vxlan/vxlan-gpe - interface VPP - api/api.c OAM - oam_api.c Stats - stats.c Change-Id: I0e33ecefb2bdab0295698c0add948068a5a83345 Signed-off-by: Florin Coras <fcoras@cisco.com>
2018-01-09api: refactor vlibmemoryFlorin Coras1-10/+10
- separate client/server code for both memory and socket apis - separate memory api code from generic vlib api code - move unix_shared_memory_fifo to svm and rename to svm_fifo_t - overall declutter Change-Id: I90cdd98ff74d0787d58825b914b0f1eafcfa4dc2 Signed-off-by: Florin Coras <fcoras@cisco.com>
2017-12-20acl-plugin: add a debug CLI to print 5-tuple structure in human readable ↵Andrew Yourtchenko3-0/+33
format from hex representation Even though the trace now prints the hex as well as human readable format for acl plugin, it can be handy to have a separate function which allows to decode the hex. So add this debug CLI. Change-Id: I1db133a043374817ea9e94ae3736b8a98630669d Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-12-11acl-plugin: unapply/reapply the classifier-based inacls when performing ↵Andrew Yourtchenko1-1/+29
macip_acl_add_replace on an existing MACIP ACL The classifier tables layout might (and most always will) change during the MACIP ACL modification. Furthermore, vnet_set_input_acl_intfc() is quite a picky creature - it quietly does nothing if there is an existing inacl applied, even if the number is different, so a simple "reapply" does not work. So, cleanly remove inacl, then reapply when the new tables are ready. Also, fix the testcase which was supposed to test this exact behavior. Thanks to Jon Loeliger for spotting this issue. Change-Id: I7e4bd8023d9de7e914448bb4466c1b0ef6940f58 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-12-01acl-plugin: fix coverity 177970-177973,178891, and incorrect reset of ↵Andrew Yourtchenko1-13/+33
dot1q/dot1ad classifier mask 17797[1-3] have been a false positive in the optional debug CLI argument handling, 178891 was triggered by an unnecessary use of memcpy. Also fix the issue reported by khers (thanks!) - since 178891 was in the same place. Change-Id: I3a804e2b1d25d74c11fcc389020d2c1fd69902b2 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-11-17acl-plugin: use ip.save_rewrite_length to calculate IP header offset on L3 ↵Andrew Yourtchenko1-3/+11
egress path L3 egress path does not set the ethernet flags reflecting the count of VLANs, but rather has the offset explicitly, so use that. Change-Id: Id3f6562dcd52ca24137c305f1a1c88c1f125da78 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-11-16acl-plugin: also print human-friendly format of 5tuple in packet traceAndrew Yourtchenko1-0/+22
The original version printed just a few u64s, which is useful for directly working on the code, but not when figuring out what is possibly a config or environment-related issue. So, add printing the 5-tuple struct in a way that is usable by an operator. Change-Id: I84cc3a239cdaff05ed31c3458cea198e38b58e03 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-11-11ACL: Add coding-style-patch-verification and indent.Jon Loeliger1-965/+1260
Change-Id: I2397ada9760d546423e031ad45535ef8801b05e7 Signed-off-by: Jon Loeliger <jdl@netgate.com>
2017-11-11ACLs: Use better error return codes than "-1" everywhere.Jon Loeliger1-14/+14
Added two new errors: ACL_IN_USE_INBOUND ACL_IN_USE_OUTBOUND Update ACL tests to expect new, precise return values. Change-Id: I644861a18aa5b70cce5f451dd6655641160c7697 Signed-off-by: Jon Loeliger <jdl@netgate.com>
2017-11-08ACL plugin support tagged subinterfacesPavel Kotucek2-40/+311
Change-Id: I92b351895c7efb26533c05512b91ead8ddbfb9c8 Signed-off-by: Pavel Kotucek <pkotucek@cisco.com>
2017-10-30Minor copyedit fixes to ACL Hash doc.Jon Loeliger1-7/+6
Change-Id: I7fe34e99f566dd2e0a36a9ba38f894973989ca8a Signed-off-by: Jon Loeliger <jdl@netgate.com>
2017-10-27acl-plugin: increase the amount of memory for classifier tables used by ↵Andrew Yourtchenko1-1/+1
MACIP ACLs The classifier tables upper bound of memory was just big enough to cause the unittests pass most of the time but not always. Increase the amount of space and run several hundred iterations of unittests to ensure they always pass. Change-Id: Ieb7876c6ebdde1f8c5273dbb9b090f12f2c38915 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-10-26acl-plugin: refactor the "show acl-plugin" CLI, use vlib_cli_output() vs. ↵Andrew Yourtchenko1-181/+194
format() The vppctl was getting upset with large chunks of info generated by repeated format() functions, so convert to use vlib_cli_output instead. Also, refactor the show functionality into smaller functions, separate from the input handling. Change-Id: I5d0db5ac45ce4c1b59cd41526b837412e06b1ce0 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-10-13acl-plugin: display "::" for INADDR6_ANY on ACL outputSteve Shin2-5/+10
INADDR6_ANY should be displayed as "::" instead of "0.0.0.0"(ipv4 format). Change-Id: I24ec7b6febbfeca5db7ff894f455ecb73d954334 Signed-off-by: Steve Shin <jonshin@cisco.com>
2017-10-13acl-plugin: split the "show" commands and add an option to show ACLs by ↵Andrew Yourtchenko1-317/+407
interface From the troubleshooting perspective, it is nice to immediately know the ACEs for the ACLs applied to an interface, so implement that. To make the CLI more friendly, split each of the "show" variants into an independent _cmd function with the distinct CLI path. Change-Id: I519e4799083c04e8f0fcdf3e262a73493be4b690 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-10-09vppapigen: support per-file (major,minor,patch) version stampsDave Barach1-0/+1
Add one of these statements to foo.api: vl_api_version 1.2.3 to generate a version tuple stanza in foo.api.h: /****** Version tuple *****/ vl_api_version_tuple(foo, 1, 2, 3) Change-Id: Ic514439e4677999daa8463a94f948f76b132ff15 Signed-off-by: Dave Barach <dave@barachs.net> Signed-off-by: Ole Troan <ot@cisco.com>
2017-10-03Repair vlib API socket serverDave Barach3-3/+0
- Teach vpp_api_test to send/receive API messages over sockets - Add memfd-based shared memory - Add api messages to create memfd-based shared memory segments - vpp_api_test supports both socket and shared memory segment connections - vpp_api_test pivot from socket to shared memory API messaging - add socket client support to libvlibclient.so - dead client reaper sends ping messages, container-friendly - dead client reaper falls back to kill (<pid>, 0) live checking if e.g. a python app goes silent for tens of seconds - handle ping messages in python client support code - teach show api ring about pairwise shared-memory segments - fix ip probing of already resolved destinations (VPP-998) We'll need this work to implement proper host-stack client isolation Change-Id: Ic23b65f75c854d0393d9a2e9d6b122a9551be769 Signed-off-by: Dave Barach <dave@barachs.net> Signed-off-by: Dave Wallace <dwallacelf@gmail.com> Signed-off-by: Florin Coras <fcoras@cisco.com>
2017-09-28General documentation updatesChris Luke2-3/+5
- We now have several developer-focused docs, so create an index page for them. - Rework several docs to fit into the index structure. - Experiment with code highlighting; tweak the CSS slightly to make it slightly nicer to look at. Change-Id: I4185a18f84fa0764745ca7a3148276064a3155c6 Signed-off-by: Chris Luke <chrisy@flirble.org>
2017-09-27acl-plugin: take 2 at VPP-991 fix, this time with a test case which verifies it.Andrew Yourtchenko1-2/+2
The replacement of [] with pool_elt_at_index and subsequent fixing it was incorrect - it was equivalent to &[], since it returns a pointer to the element. I've added VPP-993 previously to create a testcase, so this commit partially fulfills that one as well. Change-Id: I5b15e3ce48316f0429232aacf885e8f7c63d9522 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-09-25acl-plugin: use vec_elt_at_index rather than pool_elt_at_index to access ↵Andrew Yourtchenko1-2/+2
vector elements bb7f0f644 aimed to fix the coverity issue has incorrectly replaced the previous [] access with pool_elt_at_index(), for an element of a vector, with predictably interesting result. VPP-991 has uncovered the issue. Change-Id: Ifd3fb70332d3fdd1c4ff8570372f394913f7b6c8 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-09-22acl-plugin: remove the clib_warning "ACL enabling..."Andrew Yourtchenko1-4/+0
It was useful for debugging once upon a time... but time to say goodbye to it... Also remove the warning printed when sending ACL details. Change-Id: I43b2537e176556831eb7ff34b25c9068aa05ee27 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-09-19ACL plugin enable macip for ip4/ip6 trafficPavel Kotucek1-8/+4
Plus fixed problem with acl heap. Change-Id: I3d91db549ebe4595f1dab9b8780f90722540024b Signed-off-by: Pavel Kotucek <pkotucek@cisco.com>
2017-09-18ACL-plugin: fix coverity issuePavel Kotucek1-17/+17
Fix coverity CIDs 176805, 176806, 176811, 176812 Change-Id: I73591c922307e7a98d38d5d92ebf37c8b2ff0145 Signed-off-by: Pavel Kotucek <pkotucek@cisco.com>
2017-09-12acl-plugin: add startup-config section "acl-plugin" and heap/hash parametersAndrew Yourtchenko3-4/+60
This adds the ability to tweak the memory allocation parameters of the ACL plugin from the startup config. It may be useful in the cases involving higher limit of the connections than the default 1M, or the high number of cores. Change-Id: I2b6fb3f61126ff3ee998424b762b6aefe8fb1b8e Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-09-12ACL-plugin add "replace" semantics for adding a new MacIP aclPavel Kotucek4-18/+295
Change-Id: Ia5c869b2d8b8ad012b9e89fb6720c9c32d9ee065 Signed-off-by: Pavel Kotucek <pkotucek@cisco.com>
2017-09-08ACL-plugin MACIP ACLs testsPavel Kotucek1-2/+16
Change-Id: Ie40c837358454cfe9475cb2c14fdf20b24fa6602 Signed-off-by: Pavel Kotucek <pkotucek@cisco.com>
2017-09-08acl-plugin: add hitcount to applied hash-acl entriesAndrew Yourtchenko3-4/+10
Add a counter incremented upon the ACL check, so it is easier to see which kind of traffic is being checked by the policy, add the corresponding output to the debug CLI "show acl-plugin tables" command. Change-Id: Id811dddf204e63eeceabfcc509e3e9c5aae1dbc8 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-09-07acl-plugin: match index set to first portrange element if non-first ↵Andrew Yourtchenko1-5/+1
portrange matches on the same hash key (VPP-937) Multiple portranges that land on the same hash key will always report the match on the first portrange - even when the subsequent portranges have matched. Test escape, so make a corresponding test case and fix the code so it passes. (the commit on stable/1707 has erroneously mentioned VPP-938 jira ticket) Change-Id: Idbeb8a122252ead2468f5f9dbaf72cf0e8bb78f1 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> (cherry picked from commit fb088f0a201270e949469c915c529d75ad13353e) Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-08-25acl-plugin: warning printed when acl_add_replace already applied ACLs ↵Andrew Yourtchenko4-17/+49
(complete the fix for VPP-935) The fix for VPP-935 missed the case that hash_acl_add() and hash_acl_delete() may be called during the replacement of the existing applied ACL, as a result the "applied" logic needs to be replicated for the hash acls separately, since it is a lower layer. Change-Id: I7dcb2b120fcbdceb5e59acb5029f9eb77bd0f240 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> (cherry picked from commit ce9714032d36d18abe72981552219dff871ff392)