From 3935fc8527c340535a00108b78f3de064df50a7f Mon Sep 17 00:00:00 2001
From: Gregory Thiemonge
Date: Fri, 16 Mar 2018 07:40:50 +0000
Subject: ACL: Fix next_table_index classifiers consistancy
Fixed consistancy between the first classifier match and the next_table_index classifier matches:
- CLASSIFY_ACTION_SET_METADATA was applied only for the first classifier, but it was not applied for the other classifiers
- Actions should be performed only for input ACLs
- Payload should point at the IP header for output ACLs
Change-Id: Ifbd7791756320ae3198520c41902f5e99e3d40b4
Signed-off-by: Gregory Thiemonge
---
 src/vnet/ip/ip_in_out_acl.c | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)
diff --git a/src/vnet/ip/ip_in_out_acl.c b/src/vnet/ip/ip_in_out_acl.c
index b50f5b1ff67..699f69eda78 100644
--- a/src/vnet/ip/ip_in_out_acl.c
+++ b/src/vnet/ip/ip_in_out_acl.c
@@ -401,6 +401,10 @@ ip_in_out_acl_inline (vlib_main_t * vm,
 else h0 = b0->data;
+ /* advance the match pointer so the matching happens on IP header */
+ if (is_output)
+ h0 += vnet_buffer (b0)->l2_classify.pad.l2_len;
+ hash0 = vnet_classify_hash_packet (t0, (u8 *) h0); e0 = vnet_classify_find_entry (t0, (u8 *) h0, hash0, now);
@@ -424,11 +428,19 @@ ip_in_out_acl_inline (vlib_main_t * vm,
 IP6_ERROR_INACL_SESSION_DENY) : IP6_ERROR_NONE; b0->error = error_node->errors[error0];
- if (e0->action == CLASSIFY_ACTION_SET_IP4_FIB_INDEX
- || e0->action ==
- CLASSIFY_ACTION_SET_IP6_FIB_INDEX)
- vnet_buffer (b0)->sw_if_index[VLIB_TX] =
- e0->metadata;
+ if (!is_output)
+ {
+ if (e0->action ==
+ CLASSIFY_ACTION_SET_IP4_FIB_INDEX
+ || e0->action ==
+ CLASSIFY_ACTION_SET_IP6_FIB_INDEX)
+ vnet_buffer (b0)->sw_if_index[VLIB_TX] =
+ e0->metadata;
+ else if (e0->action ==
+ CLASSIFY_ACTION_SET_METADATA)
+ vnet_buffer (b0)->ip.adj_index[VLIB_TX] =
+ e0->metadata;
+ }
 break; } }
--
cgit 1.2.3-korg
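Review bot: The added `h0 += vnet_buffer (b0)->l2_classify.pad.l2_len;` in the first hunk moves the match pointer by a per-buffer metadata value with no bound, so on the output path a stale or unset `l2_len` makes the classifier hash and compare the wrong bytes and a deny session can silently fail to match. Nothing visible in the hunk shows where `l2_len` is populated for buffers reaching the output ACL node, or that `h0` plus the table's match length stays inside the buffer data. I would state the invariant next to the addition, e.g. `/* l2_len must be set by <producer node> for every buffer entering the output ACL */`, and consider a debug-build assertion that the offset does not exceed the buffer's current length. The offset is also applied after both arms of the preceding if/else, which starts outside the hunk, so it is worth confirming it is meant to stack on the arm that is not `b0->data`.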
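Review bot: The action handling added under `if (!is_output)` in the second hunk is, per the commit message, a second copy of what the first classifier match already does, and that duplication is how `CLASSIFY_ACTION_SET_METADATA` went missing here in the first place. A small `static` inline helper taking `b0`, `e0` and `is_output`, called from both match sites, would keep the two paths from drifting again. The same `e0->metadata` value is stored into `sw_if_index[VLIB_TX]` for the FIB-index actions and into `ip.adj_index[VLIB_TX]` for SET_METADATA with no range check or comment; a line such as `/* metadata: FIB index for SET_IPx_FIB_INDEX, adjacency index for SET_METADATA (validated at session add) */` would record the expectation, assuming that is where it is validated. The enclosing loop body begins and ends outside the hunk.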