From c9b20bc7a5399fd1e7bf2d33e7c4f1f08ef1c1e4 Mon Sep 17 00:00:00 2001 From: Andrew Yourtchenko Date: Thu, 8 Dec 2016 20:33:19 +0100 Subject: acl: make MACIP ACL apply/unapply/delete logic more robust 1. vnet_set_input_acl_intfc expects currently applied table ids to remove them properly, fixed that. 2. check if the interface has MACIP ACL applied before unapplying it 3. if applying MACIP ACL to interface that has one already applied, unapply that first. These changes required also swapping the order of the add/del functions. Change-Id: I179490371507b07e9dd8852000954156c318d98c Signed-off-by: Andrew Yourtchenko
---
 plugins/acl-plugin/acl/acl.c | 37 ++++++++++++++++++++++++++-----------
 1 file changed, 26 insertions(+), 11 deletions(-)
diff --git a/plugins/acl-plugin/acl/acl.c b/plugins/acl-plugin/acl/acl.c
index 7b95152cbf3..8ff5a6b721c 100644
--- a/plugins/acl-plugin/acl/acl.c
+++ b/plugins/acl-plugin/acl/acl.c
@@ -1260,6 +1260,29 @@ macip_acl_add_list (u32 count, vl_api_macip_acl_rule_t rules[],
 }
+/* No check for validity of sw_if_index - the callers were supposed to validate */
+
+static int
+macip_acl_interface_del_acl (acl_main_t * am, u32 sw_if_index)
+{
+ int rv;
+ u32 macip_acl_index;
+ macip_acl_list_t *a;
+ vec_validate_init_empty (am->macip_acl_by_sw_if_index, sw_if_index, ~0);
+ macip_acl_index = am->macip_acl_by_sw_if_index[sw_if_index];
+ /* No point in deleting MACIP ACL which is not applied */
+ if (~0 == macip_acl_index)
+ return -1;
+ a = &am->macip_acls[macip_acl_index];
+ /* remove the classifier tables off the interface L2 ACL */
+ rv =
+ vnet_set_input_acl_intfc (am->vlib_main, sw_if_index, a->ip4_table_index,
+ a->ip6_table_index, a->l2_table_index, 0);
+ /* Unset the MACIP ACL index */
+ am->macip_acl_by_sw_if_index[sw_if_index] = ~0;
+ return rv;
+}
+
 /* No check for validity of sw_if_index - the callers were supposed to validate */
 static int
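Review bot: In the new `macip_acl_interface_del_acl` the mapping is reset to `~0` even when `vnet_set_input_acl_intfc` returns an error, so after a failed detach the plugin records "nothing applied" while the classifier tables may still be attached to the interface. Either clear the entry only on success, `if (0 == rv) am->macip_acl_by_sw_if_index[sw_if_index] = ~0;`, or keep the unconditional clear and log the failure, and say in the function comment which of the two is intended and that `-1` means "no MACIP ACL was applied". The line `a = &am->macip_acls[macip_acl_index];` also trusts the stored index: if `macip_acls` is a pool and an entry can be freed while an interface still references it (macip_acl_del_list lies outside this hunk, so that cannot be confirmed here), a `pool_is_free_index (am->macip_acls, macip_acl_index)` guard before the dereference would avoid reading table ids from a freed entry.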
@@ -1274,6 +1297,9 @@ macip_acl_interface_add_acl (acl_main_t * am, u32 sw_if_index,
 }
 a = &am->macip_acls[macip_acl_index];
 vec_validate_init_empty (am->macip_acl_by_sw_if_index, sw_if_index, ~0);
+ /* If there already a MACIP ACL applied, unapply it */
+ if (~0 != am->macip_acl_by_sw_if_index[sw_if_index])
+ macip_acl_interface_del_acl(am, sw_if_index);
 am->macip_acl_by_sw_if_index[sw_if_index] = macip_acl_index;
 /* Apply the classifier tables for L2 ACLs */
 rv =
@@ -1282,17 +1308,6 @@ macip_acl_interface_add_acl (acl_main_t * am, u32 sw_if_index,
 return rv;
 }
-static int
-macip_acl_interface_del_acl (acl_main_t * am, u32 sw_if_index)
-{
- int rv;
- vec_validate_init_empty (am->macip_acl_by_sw_if_index, sw_if_index, ~0);
- am->macip_acl_by_sw_if_index[sw_if_index] = ~0;
- /* remove the classifier tables off the interface L2 ACL */
- rv = vnet_set_input_acl_intfc (am->vlib_main, sw_if_index, ~0, ~0, ~0, 0);
- return rv;
-}
-
 static int
 macip_acl_del_list (u32 acl_list_index)
 {
-- cgit 1.2.3-korg
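Review bot: The return value of the added `macip_acl_interface_del_acl(am, sw_if_index);` call in `macip_acl_interface_add_acl` is discarded, so when detaching the previous classifier tables fails the code still records the new index and goes on to apply. Propagate it instead: `rv = macip_acl_interface_del_acl (am, sw_if_index);` followed by `if (rv) return rv;`. The replacement is also unapply-then-apply, so the interface carries no MACIP filter between the two calls, and if the later apply fails (its arguments are outside this hunk) the interface stays unfiltered while `macip_acl_by_sw_if_index` already names the new ACL. The comment above the call should state whether that fail-open window is acceptable. The function begins and ends outside this hunk.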