/* * Copyright (c) 2015 Cisco and/or its affiliates. * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at: * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ /* *------------------------------------------------------------------ * acl_test.c - test harness plugin *------------------------------------------------------------------ */ #include <vat/vat.h> #include <vlibapi/api.h> #include <vlibmemory/api.h> #include <vppinfra/error.h> #include <vnet/ip/ip.h> #include <arpa/inet.h> #define __plugin_msg_base acl_test_main.msg_id_base #include <vlibapi/vat_helper_macros.h> uword unformat_sw_if_index (unformat_input_t * input, va_list * args); /* Declare message IDs */ #include <acl/acl_msg_enum.h> /* define message structures */ #define vl_typedefs #include <acl/acl_all_api_h.h> #undef vl_typedefs /* define message structures */ #define vl_endianfun #include <acl/acl_all_api_h.h> #undef vl_endianfun /* instantiate all the print functions we know about */ #define vl_print(handle, ...) #define vl_printfun #include <acl/acl_all_api_h.h> #undef vl_printfun /* Get the API version number. */ #define vl_api_version(n,v) static u32 api_version=(v); #include <acl/acl_all_api_h.h> #undef vl_api_version typedef struct { /* API message ID base */ u16 msg_id_base; vat_main_t *vat_main; } acl_test_main_t; acl_test_main_t acl_test_main; #define foreach_standard_reply_retval_handler \ _(acl_del_reply) \ _(acl_interface_add_del_reply) \ _(macip_acl_interface_add_del_reply) \ _(acl_interface_set_acl_list_reply) \ _(acl_interface_set_etype_whitelist_reply) \ _(macip_acl_del_reply) \ _(acl_stats_intf_counters_enable_reply) #define foreach_reply_retval_aclindex_handler \ _(acl_add_replace_reply) \ _(macip_acl_add_reply) \ _(macip_acl_add_replace_reply) #define _(n) \ static void vl_api_##n##_t_handler \ (vl_api_##n##_t * mp) \ { \ vat_main_t * vam = acl_test_main.vat_main; \ i32 retval = ntohl(mp->retval); \ if (vam->async_mode) { \ vam->async_errors += (retval < 0); \ } else { \ vam->retval = retval; \ vam->result_ready = 1; \ } \ } foreach_standard_reply_retval_handler; #undef _ #define _(n) \ static void vl_api_##n##_t_handler \ (vl_api_##n##_t * mp) \ { \ vat_main_t * vam = acl_test_main.vat_main; \ i32 retval = ntohl(mp->retval); \ if (vam->async_mode) { \ vam->async_errors += (retval < 0); \ } else { \ clib_warning("ACL index: %d", ntohl(mp->acl_index)); \ vam->retval = retval; \ vam->result_ready = 1; \ } \ } foreach_reply_retval_aclindex_handler; #undef _ /* These two ought to be in a library somewhere but they aren't */ static uword my_unformat_mac_address (unformat_input_t * input, va_list * args) { u8 *a = va_arg (*args, u8 *); return unformat (input, "%x:%x:%x:%x:%x:%x", &a[0], &a[1], &a[2], &a[3], &a[4], &a[5]); } static u8 * my_format_mac_address (u8 * s, va_list * args) { u8 *a = va_arg (*args, u8 *); return format (s, "%02x:%02x:%02x:%02x:%02x:%02x", a[0], a[1], a[2], a[3], a[4], a[5]); } static void vl_api_acl_plugin_get_version_reply_t_handler (vl_api_acl_plugin_get_version_reply_t * mp) { vat_main_t * vam = acl_test_main.vat_main; clib_warning("ACL plugin version: %d.%d", ntohl(mp->major), ntohl(mp->minor)); vam->result_ready = 1; } static void vl_api_acl_interface_list_details_t_handler (vl_api_acl_interface_list_details_t * mp) { int i; vat_main_t * vam = acl_test_main.vat_main; u8 *out = 0; vl_api_acl_interface_list_details_t_endian(mp); out = format(out, "sw_if_index: %d, count: %d, n_input: %d\n", mp->sw_if_index, mp->count, mp->n_input); out = format(out, " input "); for(i=0; i<mp->count; i++) { if (i == mp->n_input) out = format(out, "\n output "); out = format(out, "%d ", ntohl (mp->acls[i])); } out = format(out, "\n"); clib_warning("%s", out); vec_free(out); vam->result_ready = 1; } static void vl_api_acl_interface_etype_whitelist_details_t_handler (vl_api_acl_interface_etype_whitelist_details_t * mp) { int i; vat_main_t * vam = acl_test_main.vat_main; u8 *out = 0; vl_api_acl_interface_etype_whitelist_details_t_endian(mp); out = format(out, "sw_if_index: %d, count: %d, n_input: %d\n", mp->sw_if_index, mp->count, mp->n_input); out = format(out, " input "); for(i=0; i<mp->count; i++) { if (i == mp->n_input) out = format(out, "\n output "); out = format(out, "%04x ", ntohs(mp->whitelist[i])); } out = format(out, "\n"); clib_warning("%s", out); vec_free(out); vam->result_ready = 1; } static void vl_api_acl_plugin_get_conn_table_max_entries_reply_t_handler (vl_api_acl_plugin_get_conn_table_max_entries_reply_t * mp) { vat_main_t * vam = acl_test_main.vat_main; clib_warning("\nConn table max entries: %d", __bswap_64(mp->conn_table_max_entries) ); vam->result_ready = 1; } static inline u8 * vl_api_acl_rule_t_pretty_format (u8 *out, vl_api_acl_rule_t * a) { int af = a->is_ipv6 ? AF_INET6 : AF_INET; u8 src[INET6_ADDRSTRLEN]; u8 dst[INET6_ADDRSTRLEN]; inet_ntop(af, a->src_ip_addr, (void *)src, sizeof(src)); inet_ntop(af, a->dst_ip_addr, (void *)dst, sizeof(dst)); out = format(out, "%s action %d src %s/%d dst %s/%d proto %d sport %d-%d dport %d-%d tcpflags %d mask %d", a->is_ipv6 ? "ipv6" : "ipv4", a->is_permit, src, a->src_ip_prefix_len, dst, a->dst_ip_prefix_len, a->proto, a->srcport_or_icmptype_first, a->srcport_or_icmptype_last, a->dstport_or_icmpcode_first, a->dstport_or_icmpcode_last, a->tcp_flags_value, a->tcp_flags_mask); return(out); } static void vl_api_acl_details_t_handler (vl_api_acl_details_t * mp) { int i; vat_main_t * vam = acl_test_main.vat_main; vl_api_acl_details_t_endian(mp); u8 *out = 0; out = format(0, "acl_index: %d, count: %d\n tag {%s}\n", mp->acl_index, mp->count, mp->tag); for(i=0; i<mp->count; i++) { out = format(out, " "); out = vl_api_acl_rule_t_pretty_format(out, &mp->r[i]); out = format(out, "%s\n", i<mp->count-1 ? "," : ""); } clib_warning("%s", out); vec_free(out); vam->result_ready = 1; } static inline u8 * vl_api_macip_acl_rule_t_pretty_format (u8 *out, vl_api_macip_acl_rule_t * a) { int af = a->is_ipv6 ? AF_INET6 : AF_INET; u8 src[INET6_ADDRSTRLEN]; inet_ntop(af, a->src_ip_addr, (void *)src, sizeof(src)); out = format(out, "%s action %d ip %s/%d mac %U mask %U", a->is_ipv6 ? "ipv6" : "ipv4", a->is_permit, src, a->src_ip_prefix_len, my_format_mac_address, a->src_mac, my_format_mac_address, a->src_mac_mask); return(out); } static void vl_api_macip_acl_details_t_handler (vl_api_macip_acl_details_t * mp) { int i; vat_main_t * vam = acl_test_main.vat_main; vl_api_macip_acl_details_t_endian(mp); u8 *out = format(0,"MACIP acl_index: %d, count: %d\n tag {%s}\n", mp->acl_index, mp->count, mp->tag); for(i=0; i<mp->count; i++) { out = format(out, " "); out = vl_api_macip_acl_rule_t_pretty_format(out, &mp->r[i]); out = format(out, "%s\n", i<mp->count-1 ? "," : ""); } clib_warning("%s", out); vec_free(out); vam->result_ready = 1; } static void vl_api_macip_acl_interface_get_reply_t_handler (vl_api_macip_acl_interface_get_reply_t * mp) { int i; vat_main_t * vam = acl_test_main.vat_main; u8 *out = format(0, "sw_if_index with MACIP ACL count: %d\n", ntohl(mp->count)); for(i=0; i<ntohl(mp->count); i++) { out = format(out, " macip_acl_interface_add_del sw_if_index %d add acl %d\n", i, ntohl(mp->acls[i])); } out = format(out, "\n"); clib_warning("%s", out); vec_free(out); vam->result_ready = 1; } static void vl_api_acl_plugin_control_ping_reply_t_handler (vl_api_acl_plugin_control_ping_reply_t * mp) { vat_main_t *vam = &vat_main; i32 retval = ntohl (mp->retval); if (vam->async_mode) { vam->async_errors += (retval < 0); } else { vam->retval = retval; vam->result_ready = 1; } } /* * Table of message reply handlers, must include boilerplate handlers * we just generated */ #define foreach_vpe_api_reply_msg \ _(ACL_ADD_REPLACE_REPLY, acl_add_replace_reply) \ _(ACL_DEL_REPLY, acl_del_reply) \ _(ACL_INTERFACE_ADD_DEL_REPLY, acl_interface_add_del_reply) \ _(ACL_INTERFACE_SET_ACL_LIST_REPLY, acl_interface_set_acl_list_reply) \ _(ACL_INTERFACE_SET_ETYPE_WHITELIST_REPLY, acl_interface_set_etype_whitelist_reply) \ _(ACL_INTERFACE_ETYPE_WHITELIST_DETAILS, acl_interface_etype_whitelist_details) \ _(ACL_INTERFACE_LIST_DETAILS, acl_interface_list_details) \ _(ACL_DETAILS, acl_details) \ _(MACIP_ACL_ADD_REPLY, macip_acl_add_reply) \ _(MACIP_ACL_ADD_REPLACE_REPLY, macip_acl_add_replace_reply) \ _(MACIP_ACL_DEL_REPLY, macip_acl_del_reply) \ _(MACIP_ACL_DETAILS, macip_acl_details) \ _(MACIP_ACL_INTERFACE_ADD_DEL_REPLY, macip_acl_interface_add_del_reply) \ _(MACIP_ACL_INTERFACE_GET_REPLY, macip_acl_interface_get_reply) \ _(ACL_PLUGIN_CONTROL_PING_REPLY, acl_plugin_control_ping_reply) \ _(ACL_PLUGIN_GET_VERSION_REPLY, acl_plugin_get_version_reply) \ _(ACL_PLUGIN_GET_CONN_TABLE_MAX_ENTRIES_REPLY,acl_plugin_get_conn_table_max_entries_reply) \ _(ACL_STATS_INTF_COUNTERS_ENABLE_REPLY, acl_stats_intf_counters_enable_reply) static int api_acl_plugin_get_version (vat_main_t * vam) { acl_test_main_t * sm = &acl_test_main; vl_api_acl_plugin_get_version_t * mp; u32 msg_size = sizeof(*mp); int ret; vam->result_ready = 0; mp = vl_msg_api_alloc_as_if_client(msg_size); clib_memset (mp, 0, msg_size); mp->_vl_msg_id = ntohs (VL_API_ACL_PLUGIN_GET_VERSION + sm->msg_id_base); mp->client_index = vam->my_client_index; /* send it... */ S(mp); /* Wait for a reply... */ W (ret); return ret; } static int api_macip_acl_interface_get (vat_main_t * vam) { acl_test_main_t * sm = &acl_test_main; vl_api_acl_plugin_get_version_t * mp; u32 msg_size = sizeof(*mp); int ret; vam->result_ready = 0; mp = vl_msg_api_alloc_as_if_client(msg_size); clib_memset (mp, 0, msg_size); mp->_vl_msg_id = ntohs (VL_API_MACIP_ACL_INTERFACE_GET + sm->msg_id_base); mp->client_index = vam->my_client_index; /* send it... */ S(mp); /* Wait for a reply... */ W (ret); return ret; } #define vec_validate_acl_rules(v, idx) \ do { \ if (vec_len(v) < idx+1) { \ vec_validate(v, idx); \ v[idx].is_permit = 0x1; \ v[idx].srcport_or_icmptype_last = 0xffff; \ v[idx].dstport_or_icmpcode_last = 0xffff; \ } \ } while (0) static int api_acl_add_replace (vat_main_t * vam) { acl_test_main_t * sm = &acl_test_main; unformat_input_t * i = vam->input; vl_api_acl_add_replace_t * mp; u32 acl_index = ~0; u32 msg_size = sizeof (*mp); /* without the rules */ vl_api_acl_rule_t *rules = 0; int rule_idx = 0; int n_rules = 0; int n_rules_override = -1; u32 proto = 0; u32 port1 = 0; u32 port2 = 0; u32 action = 0; u32 tcpflags, tcpmask; u32 src_prefix_length = 0, dst_prefix_length = 0; ip4_address_t src_v4address, dst_v4address; ip6_address_t src_v6address, dst_v6address; u8 *tag = 0; int ret; if (!unformat (i, "%d", &acl_index)) { /* Just assume -1 */ } while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) { if (unformat (i, "ipv6")) { vec_validate_acl_rules(rules, rule_idx); rules[rule_idx].is_ipv6 = 1; } else if (unformat (i, "ipv4")) { vec_validate_acl_rules(rules, rule_idx); rules[rule_idx].is_ipv6 = 0; } else if (unformat (i, "permit+reflect")) { vec_validate_acl_rules(rules, rule_idx); rules[rule_idx].is_permit = 2; } else if (unformat (i, "permit")) { vec_validate_acl_rules(rules, rule_idx); rules[rule_idx].is_permit = 1; } else if (unformat (i, "deny")) { vec_validate_acl_rules(rules, rule_idx); rules[rule_idx].is_permit = 0; } else if (unformat (i, "count %d", &n_rules_override)) { /* we will use this later */ } else if (unformat (i, "action %d", &action)) { vec_validate_acl_rules(rules, rule_idx); rules[rule_idx].is_permit = action; } else if (unformat (i, "src %U/%d", unformat_ip4_address, &src_v4address, &src_prefix_length)) { vec_validate_acl_rules(rules, rule_idx); memcpy (rules[rule_idx].src_ip_addr, &src_v4address, 4); rules[rule_idx].src_ip_prefix_len = src_prefix_length; rules[rule_idx].is_ipv6 = 0; } else if (unformat (i, "src %U/%d", unformat_ip6_address, &src_v6address, &src_prefix_length)) { vec_validate_acl_rules(rules, rule_idx); memcpy (rules[rule_idx].src_ip_addr, &src_v6address, 16); rules[rule_idx].src_ip_prefix_len = src_prefix_length; rules[rule_idx].is_ipv6 = 1; } else if (unformat (i, "dst %U/%d", unformat_ip4_address, &dst_v4address, &dst_prefix_length)) { vec_validate_acl_rules(rules, rule_idx); memcpy (rules[rule_idx].dst_ip_addr, &dst_v4address, 4); rules[rule_idx].dst_ip_prefix_len = dst_prefix_length; rules[rule_idx].is_ipv6 = 0; } else if (unformat (i, "dst %U/%d", unformat_ip6_address, &dst_v6address, &dst_prefix_length)) { vec_validate_acl_rules(rules, rule_idx); memcpy (rules[rule_idx].dst_ip_addr, &dst_v6address, 16); rules[rule_idx].dst_ip_prefix_len = dst_prefix_length; rules[rule_idx].is_ipv6 = 1; } else if (unformat (i, "sport %d-%d", &port1, &port2)) { vec_validate_acl_rules(rules, rule_idx); rules[rule_idx].srcport_or_icmptype_first = htons(port1); rules[rule_idx].srcport_or_icmptype_last = htons(port2); } else if (unformat (i, "sport %d", &port1)) { vec_validate_acl_rules(rules, rule_idx); rules[rule_idx].srcport_or_icmptype_first = htons(port1); rules[rule_idx].srcport_or_icmptype_last = htons(port1); } else if (unformat (i, "dport %d-%d", &port1, &port2)) { vec_validate_acl_rules(rules, rule_idx); rules[rule_idx].dstport_or_icmpcode_first = htons(port1); rules[rule_idx].dstport_or_icmpcode_last = htons(port2); } else if (unformat (i, "dport %d", &port1)) { vec_validate_acl_rules(rules, rule_idx); rules[rule_idx].dstport_or_icmpcode_first = htons(port1); rules[rule_idx].dstport_or_icmpcode_last = htons(port1); } else if (unformat (i, "tcpflags %d %d", &tcpflags, &tcpmask)) { vec_validate_acl_rules(rules, rule_idx); rules[rule_idx].tcp_flags_value = tcpflags; rules[rule_idx].tcp_flags_mask = tcpmask; } else if (unformat (i, "tcpflags %d mask %d", &tcpflags, &tcpmask)) { vec_validate_acl_rules(rules, rule_idx); rules[rule_idx].tcp_flags_value = tcpflags; rules[rule_idx].tcp_flags_mask = tcpmask; } else if (unformat (i, "proto %d", &proto)) { vec_validate_acl_rules(rules, rule_idx); rules[rule_idx].proto = proto; } else if (unformat (i, "tag %s", &tag)) { } else if (unformat (i, ",")) { rule_idx++; vec_validate_acl_rules(rules, rule_idx); } else break; } /* Construct the API message */ vam->result_ready = 0; if(rules) n_rules = vec_len(rules); else n_rules = 0; if (n_rules_override >= 0) n_rules = n_rules_override; msg_size += n_rules*sizeof(rules[0]); mp = vl_msg_api_alloc_as_if_client(msg_size); clib_memset (mp, 0, msg_size); mp->_vl_msg_id = ntohs (VL_API_ACL_ADD_REPLACE + sm->msg_id_base); mp->client_index = vam->my_client_index; if ((n_rules > 0) && rules) clib_memcpy(mp->r, rules, n_rules*sizeof (vl_api_acl_rule_t)); if (tag) { if (vec_len(tag) >= sizeof(mp->tag)) { tag[sizeof(mp->tag)-1] = 0; _vec_len(tag) = sizeof(mp->tag); } clib_memcpy(mp->tag, tag, vec_len(tag)); vec_free(tag); } mp->acl_index = ntohl(acl_index); mp->count = htonl(n_rules); /* send it... */ S(mp); /* Wait for a reply... */ W (ret); return ret; } static int api_acl_plugin_get_conn_table_max_entries (vat_main_t * vam) { acl_test_main_t * sm = &acl_test_main; vl_api_acl_plugin_get_conn_table_max_entries_t * mp; u32 msg_size = sizeof(*mp); int ret; vam->result_ready = 0; mp = vl_msg_api_alloc_as_if_client(msg_size); memset (mp, 0, msg_size); mp->_vl_msg_id = ntohs (VL_API_ACL_PLUGIN_GET_CONN_TABLE_MAX_ENTRIES + sm->msg_id_base); mp->client_index = vam->my_client_index; /* send it... */ S(mp); /* Wait for a reply... */ W (ret); return ret; } static int api_acl_stats_intf_counters_enable (vat_main_t * vam) { acl_test_main_t * sm = &acl_test_main; unformat_input_t * i = vam->input; vl_api_acl_stats_intf_counters_enable_t * mp; u32 msg_size = sizeof(*mp); int ret; vam->result_ready = 0; mp = vl_msg_api_alloc_as_if_client(msg_size); memset (mp, 0, msg_size); mp->_vl_msg_id = ntohs (VL_API_ACL_STATS_INTF_COUNTERS_ENABLE + sm->msg_id_base); mp->client_index = vam->my_client_index; mp->enable = 1; while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) { if (unformat (i, "disable")) mp->enable = 0; else break; } /* send it... */ S(mp); /* Wait for a reply... */ W (ret); return ret; } /* * Read the series of ACL entries from file in the following format: * @0.0.0.0/1 131.179.121.0/24 0 : 65535 0 : 65535 0x00/0x00 0x0000/0x0000 @128.0.0.0/1 85.54.226.0/23 0 : 65535 0 : 65535 0x00/0x00 0x0000/0x0000 @128.0.0.0/1 85.54.48.0/23 0 : 65535 0 : 65535 0x00/0x00 0x0000/0x0000 @128.0.0.0/1 31.237.44.0/23 0 : 65535 0 : 65535 0x00/0x00 0x0000/0x0000 @0.0.0.0/1 255.84.184.0/23 0 : 65535 0 : 65535 0x00/0x00 0x0000/0x0000 @132.92.0.0/16 0.0.0.0/0 0 : 65535 0 : 65535 0x01/0xFF 0x0000/0x0000 * */ static int api_acl_add_replace_from_file (vat_main_t * vam) { int ret = -1; unformat_input_t * input = vam->input; acl_test_main_t * sm = &acl_test_main; vl_api_acl_add_replace_t * mp; u32 acl_index = ~0; u32 msg_size = sizeof (*mp); /* without the rules */ vl_api_acl_rule_t *rules = 0; int rule_idx = -1; int n_rules = 0; int is_permit = 0; int append_default_permit = 0; u32 tcpflags = 0, tcpmask = 0; ip4_address_t src_v4address, dst_v4address; int fd = -1; char *file_name = NULL; unformat_input_t file_input; while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT) { if (unformat (input, "filename %s", &file_name)) { /* we will use this later */ } else if (unformat (input, "acl-index %d", &acl_index)) { /* we will try to replace an existing ACL */ } else if (unformat (input, "permit+reflect")) { is_permit = 2; } else if (unformat (input, "permit")) { is_permit = 1; } else if (unformat (input, "append-default-permit")) { append_default_permit = 1; } else break; } fd = open(file_name, O_RDONLY); if (fd < 0) { clib_warning("Could not open file '%s'"); goto done; } /* input from file */ input = &file_input; unformat_init_clib_file(input, fd); unsigned sport_low, sport_high, dport_low, dport_high; unsigned proto, protomask; u32 src_prefix_length, dst_prefix_length; u32 unused1, unused2; while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT) { if (!unformat(input, "@%U/%d\t%U/%d\t%d : %d\t%d : %d\t0x%x/0x%x\t0x%x/0x%x", unformat_ip4_address, &src_v4address, &src_prefix_length, unformat_ip4_address, &dst_v4address, &dst_prefix_length, &sport_low, &sport_high, &dport_low, &dport_high, &proto, &protomask, &unused1, &unused2)) { clib_warning("Error parsing"); break; } rule_idx++; vec_validate_acl_rules(rules, rule_idx); rules[rule_idx].is_ipv6 = 0; rules[rule_idx].is_permit = is_permit; memcpy (rules[rule_idx].src_ip_addr, &src_v4address, 4); rules[rule_idx].src_ip_prefix_len = src_prefix_length; memcpy (rules[rule_idx].dst_ip_addr, &dst_v4address, 4); rules[rule_idx].dst_ip_prefix_len = dst_prefix_length; rules[rule_idx].srcport_or_icmptype_first = htons(sport_low); rules[rule_idx].srcport_or_icmptype_last = htons(sport_high); rules[rule_idx].dstport_or_icmpcode_first = htons(dport_low); rules[rule_idx].dstport_or_icmpcode_last = htons(dport_high); rules[rule_idx].tcp_flags_value = tcpflags; rules[rule_idx].tcp_flags_mask = tcpmask; rules[rule_idx].proto = proto; } if (append_default_permit) { rule_idx++; vec_validate_acl_rules(rules, rule_idx); rules[rule_idx].is_ipv6 = 0; rules[rule_idx].is_permit = is_permit == 2 ? 2 : 1; src_v4address.data[0]=0; src_v4address.data[1]=0; src_v4address.data[2]=0; src_v4address.data[3]=0; memcpy (rules[rule_idx].src_ip_addr, &src_v4address, 4); rules[rule_idx].src_ip_prefix_len = 0; dst_v4address.data[0]=0; dst_v4address.data[1]=0; dst_v4address.data[2]=0; dst_v4address.data[3]=0; memcpy (rules[rule_idx].dst_ip_addr, &dst_v4address, 4); rules[rule_idx].dst_ip_prefix_len = 0; rules[rule_idx].srcport_or_icmptype_first = htons(0); rules[rule_idx].srcport_or_icmptype_last = htons(65535); rules[rule_idx].dstport_or_icmpcode_first = htons(0); rules[rule_idx].dstport_or_icmpcode_last = htons(65535); rules[rule_idx].tcp_flags_value = 0; rules[rule_idx].tcp_flags_mask = 0; rules[rule_idx].proto = 0; } /* Construct the API message */ vam->result_ready = 0; n_rules = vec_len(rules); msg_size += n_rules*sizeof(rules[0]); mp = vl_msg_api_alloc_as_if_client(msg_size); clib_memset (mp, 0, msg_size); mp->_vl_msg_id = ntohs (VL_API_ACL_ADD_REPLACE + sm->msg_id_base); mp->client_index = vam->my_client_index; if (n_rules > 0) clib_memcpy(mp->r, rules, n_rules*sizeof (vl_api_acl_rule_t)); mp->acl_index = ntohl(acl_index); mp->count = htonl(n_rules); /* send it... */ S(mp); /* Wait for a reply... */ W (ret); done: if (fd > 0) close (fd); vec_free(file_name); return ret; } static int api_acl_del (vat_main_t * vam) { unformat_input_t * i = vam->input; vl_api_acl_del_t * mp; u32 acl_index = ~0; int ret; if (!unformat (i, "%d", &acl_index)) { errmsg ("missing acl index\n"); return -99; } /* Construct the API message */ M(ACL_DEL, mp); mp->acl_index = ntohl(acl_index); /* send it... */ S(mp); /* Wait for a reply... */ W (ret); return ret; } static int api_macip_acl_del (vat_main_t * vam) { unformat_input_t * i = vam->input; vl_api_acl_del_t * mp; u32 acl_index = ~0; int ret; if (!unformat (i, "%d", &acl_index)) { errmsg ("missing acl index\n"); return -99; } /* Construct the API message */ M(MACIP_ACL_DEL, mp); mp->acl_index = ntohl(acl_index); /* send it... */ S(mp); /* Wait for a reply... */ W (ret); return ret; } static int api_acl_interface_add_del (vat_main_t * vam) { unformat_input_t * i = vam->input; vl_api_acl_interface_add_del_t * mp; u32 sw_if_index = ~0; u32 acl_index = ~0; u8 is_input = 0; u8 is_add = 0; int ret; // acl_interface_add_del <intfc> | sw_if_index <if-idx> acl_index <acl-idx> [out] [del] while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) { if (unformat (i, "%d", &acl_index)) ; else break; } /* Parse args required to build the message */ while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) { if (unformat (i, "%U", unformat_sw_if_index, vam, &sw_if_index)) ; else if (unformat (i, "sw_if_index %d", &sw_if_index)) ; else if (unformat (i, "add")) is_add = 1; else if (unformat (i, "del")) is_add = 0; else if (unformat (i, "acl %d", &acl_index)) ; else if (unformat (i, "input")) is_input = 1; else if (unformat (i, "output")) is_input = 0; else break; } if (sw_if_index == ~0) { errmsg ("missing interface name / explicit sw_if_index number \n"); return -99; } if (acl_index == ~0) { errmsg ("missing ACL index\n"); return -99; } /* Construct the API message */ M(ACL_INTERFACE_ADD_DEL, mp); mp->acl_index = ntohl(acl_index); mp->sw_if_index = ntohl(sw_if_index); mp->is_add = is_add; mp->is_input = is_input; /* send it... */ S(mp); /* Wait for a reply... */ W (ret); return ret; } static int api_macip_acl_interface_add_del (vat_main_t * vam) { unformat_input_t * i = vam->input; vl_api_macip_acl_interface_add_del_t * mp; u32 sw_if_index = ~0; u32 acl_index = ~0; u8 is_add = 0; int ret; /* Parse args required to build the message */ while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) { if (unformat (i, "%U", unformat_sw_if_index, vam, &sw_if_index)) ; else if (unformat (i, "sw_if_index %d", &sw_if_index)) ; else if (unformat (i, "add")) is_add = 1; else if (unformat (i, "del")) is_add = 0; else if (unformat (i, "acl %d", &acl_index)) ; else break; } if (sw_if_index == ~0) { errmsg ("missing interface name / explicit sw_if_index number \n"); return -99; } if (acl_index == ~0) { errmsg ("missing ACL index\n"); return -99; } /* Construct the API message */ M(MACIP_ACL_INTERFACE_ADD_DEL, mp); mp->acl_index = ntohl(acl_index); mp->sw_if_index = ntohl(sw_if_index); mp->is_add = is_add; /* send it... */ S(mp); /* Wait for a reply... */ W (ret); return ret; } static int api_acl_interface_set_acl_list (vat_main_t * vam) { unformat_input_t * i = vam->input; vl_api_acl_interface_set_acl_list_t * mp; u32 sw_if_index = ~0; u32 acl_index = ~0; u32 *inacls = 0; u32 *outacls = 0; u8 is_input = 0; int ret; // acl_interface_set_acl_list <intfc> | sw_if_index <if-idx> input [acl-idx list] output [acl-idx list] /* Parse args required to build the message */ while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) { if (unformat (i, "%U", unformat_sw_if_index, vam, &sw_if_index)) ; else if (unformat (i, "sw_if_index %d", &sw_if_index)) ; else if (unformat (i, "%d", &acl_index)) { if(is_input) vec_add1(inacls, htonl(acl_index)); else vec_add1(outacls, htonl(acl_index)); } else if (unformat (i, "acl %d", &acl_index)) ; else if (unformat (i, "input")) is_input = 1; else if (unformat (i, "output")) is_input = 0; else break; } if (sw_if_index == ~0) { errmsg ("missing interface name / explicit sw_if_index number \n"); return -99; } /* Construct the API message */ M2(ACL_INTERFACE_SET_ACL_LIST, mp, sizeof(u32) * (vec_len(inacls) + vec_len(outacls))); mp->sw_if_index = ntohl(sw_if_index); mp->n_input = vec_len(inacls); mp->count = vec_len(inacls) + vec_len(outacls); vec_append(inacls, outacls); if (vec_len(inacls) > 0) clib_memcpy(mp->acls, inacls, vec_len(inacls)*sizeof(u32)); /* send it... */ S(mp); /* Wait for a reply... */ W (ret); return ret; } static int api_acl_interface_set_etype_whitelist (vat_main_t * vam) { unformat_input_t * i = vam->input; vl_api_acl_interface_set_etype_whitelist_t * mp; u32 sw_if_index = ~0; u32 ethertype = ~0; u16 *etypes_in = 0; u16 *etypes_out = 0; u8 is_input = 1; int ret; // acl_interface_set_etype_whitelist <intfc> | sw_if_index <if-idx> input [ethertype list] output [ethertype list] /* Parse args required to build the message */ while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) { if (unformat (i, "%U", unformat_sw_if_index, vam, &sw_if_index)) ; else if (unformat (i, "sw_if_index %d", &sw_if_index)) ; else if (unformat (i, "%x", ðertype)) { ethertype = ethertype & 0xffff; if(is_input) vec_add1(etypes_in, htons(ethertype)); else vec_add1(etypes_out, htons(ethertype)); } else if (unformat (i, "input")) is_input = 1; else if (unformat (i, "output")) is_input = 0; else break; } if (sw_if_index == ~0) { errmsg ("missing interface name / explicit sw_if_index number \n"); return -99; } /* Construct the API message */ M2(ACL_INTERFACE_SET_ETYPE_WHITELIST, mp, sizeof(u32) * (vec_len(etypes_in) + vec_len(etypes_out))); mp->sw_if_index = ntohl(sw_if_index); mp->n_input = vec_len(etypes_in); mp->count = vec_len(etypes_in) + vec_len(etypes_out); vec_append(etypes_in, etypes_out); if (vec_len(etypes_in) > 0) clib_memcpy(mp->whitelist, etypes_in, vec_len(etypes_in)*sizeof(etypes_in[0])); /* send it... */ S(mp); /* Wait for a reply... */ W (ret); return ret; } static void api_acl_send_control_ping(vat_main_t *vam) { vl_api_acl_plugin_control_ping_t *mp_ping; M(ACL_PLUGIN_CONTROL_PING, mp_ping); S(mp_ping); } static int api_acl_interface_list_dump (vat_main_t * vam) { unformat_input_t * i = vam->input; u32 sw_if_index = ~0; vl_api_acl_interface_list_dump_t * mp; int ret; /* Parse args required to build the message */ while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) { if (unformat (i, "%U", unformat_sw_if_index, vam, &sw_if_index)) ; else if (unformat (i, "sw_if_index %d", &sw_if_index)) ; else break; } /* Construct the API message */ M(ACL_INTERFACE_LIST_DUMP, mp); mp->sw_if_index = ntohl (sw_if_index); /* send it... */ S(mp); /* Use control ping for synchronization */ api_acl_send_control_ping(vam); /* Wait for a reply... */ W (ret); return ret; } static int api_acl_dump (vat_main_t * vam) { unformat_input_t * i = vam->input; u32 acl_index = ~0; vl_api_acl_dump_t * mp; int ret; /* Parse args required to build the message */ while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) { if (unformat (i, "%d", &acl_index)) ; else break; } /* Construct the API message */ M(ACL_DUMP, mp); mp->acl_index = ntohl (acl_index); /* send it... */ S(mp); /* Use control ping for synchronization */ api_acl_send_control_ping(vam); /* Wait for a reply... */ W (ret); return ret; } static int api_macip_acl_dump (vat_main_t * vam) { unformat_input_t * i = vam->input; u32 acl_index = ~0; vl_api_acl_dump_t * mp; int ret; /* Parse args required to build the message */ while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) { if (unformat (i, "%d", &acl_index)) ; else break; } /* Construct the API message */ M(MACIP_ACL_DUMP, mp); mp->acl_index = ntohl (acl_index); /* send it... */ S(mp); /* Use control ping for synchronization */ api_acl_send_control_ping(vam); /* Wait for a reply... */ W (ret); return ret; } static int api_acl_interface_etype_whitelist_dump (vat_main_t * vam) { unformat_input_t * i = vam->input; u32 sw_if_index = ~0; vl_api_acl_interface_etype_whitelist_dump_t * mp; int ret; /* Parse args required to build the message */ while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) { if (unformat (i, "%U", unformat_sw_if_index, vam, &sw_if_index)) ; else if (unformat (i, "sw_if_index %d", &sw_if_index)) ; else break; } /* Construct the API message */ M(ACL_INTERFACE_ETYPE_WHITELIST_DUMP, mp); mp->sw_if_index = ntohl (sw_if_index); /* send it... */ S(mp); /* Use control ping for synchronization */ api_acl_send_control_ping(vam); /* Wait for a reply... */ W (ret); return ret; } #define vec_validate_macip_acl_rules(v, idx) \ do { \ if (vec_len(v) < idx+1) { \ vec_validate(v, idx); \ v[idx].is_permit = 0x1; \ } \ } while (0) static int api_macip_acl_add (vat_main_t * vam) { acl_test_main_t * sm = &acl_test_main; unformat_input_t * i = vam->input; vl_api_macip_acl_add_t * mp; u32 msg_size = sizeof (*mp); /* without the rules */ vl_api_macip_acl_rule_t *rules = 0; int rule_idx = 0; int n_rules = 0; int n_rules_override = -1; u32 src_prefix_length = 0; u32 action = 0; ip4_address_t src_v4address; ip6_address_t src_v6address; u8 src_mac[6]; u8 *tag = 0; u8 mac_mask_all_1[6] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; int ret; while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) { if (unformat (i, "ipv6")) { vec_validate_macip_acl_rules(rules, rule_idx); rules[rule_idx].is_ipv6 = 1; } else if (unformat (i, "ipv4")) { vec_validate_macip_acl_rules(rules, rule_idx); rules[rule_idx].is_ipv6 = 0; } else if (unformat (i, "permit")) { vec_validate_macip_acl_rules(rules, rule_idx); rules[rule_idx].is_permit = 1; } else if (unformat (i, "deny")) { vec_validate_macip_acl_rules(rules, rule_idx); rules[rule_idx].is_permit = 0; } else if (unformat (i, "count %d", &n_rules_override)) { /* we will use this later */ } else if (unformat (i, "action %d", &action)) { vec_validate_macip_acl_rules(rules, rule_idx); rules[rule_idx].is_permit = action; } else if (unformat (i, "ip %U/%d", unformat_ip4_address, &src_v4address, &src_prefix_length) || unformat (i, "ip %U", unformat_ip4_address, &src_v4address)) { if (src_prefix_length == 0) src_prefix_length = 32; vec_validate_macip_acl_rules(rules, rule_idx); memcpy (rules[rule_idx].src_ip_addr, &src_v4address, 4); rules[rule_idx].src_ip_prefix_len = src_prefix_length; rules[rule_idx].is_ipv6 = 0; } else if (unformat (i, "src")) { /* Everything in MACIP is "source" but allow this verbosity */ } else if (unformat (i, "ip %U/%d", unformat_ip6_address, &src_v6address, &src_prefix_length) || unformat (i, "ip %U", unformat_ip6_address, &src_v6address)) { if (src_prefix_length == 0) src_prefix_length = 128; vec_validate_macip_acl_rules(rules, rule_idx); memcpy (rules[rule_idx].src_ip_addr, &src_v6address, 16); rules[rule_idx].src_ip_prefix_len = src_prefix_length; rules[rule_idx].is_ipv6 = 1; } else if (unformat (i, "mac %U", my_unformat_mac_address, &src_mac)) { vec_validate_macip_acl_rules(rules, rule_idx); memcpy (rules[rule_idx].src_mac, &src_mac, 6); memcpy (rules[rule_idx].src_mac_mask, &mac_mask_all_1, 6); } else if (unformat (i, "mask %U", my_unformat_mac_address, &src_mac)) { vec_validate_macip_acl_rules(rules, rule_idx); memcpy (rules[rule_idx].src_mac_mask, &src_mac, 6); } else if (unformat (i, "tag %s", &tag)) { } else if (unformat (i, ",")) { rule_idx++; vec_validate_macip_acl_rules(rules, rule_idx); } else break; } /* Construct the API message */ vam->result_ready = 0; if(rules) n_rules = vec_len(rules); if (n_rules_override >= 0) n_rules = n_rules_override; msg_size += n_rules*sizeof(rules[0]); mp = vl_msg_api_alloc_as_if_client(msg_size); clib_memset (mp, 0, msg_size); mp->_vl_msg_id = ntohs (VL_API_MACIP_ACL_ADD + sm->msg_id_base); mp->client_index = vam->my_client_index; if ((n_rules > 0) && rules) clib_memcpy(mp->r, rules, n_rules*sizeof (mp->r[0])); if (tag) { if (vec_len(tag) >= sizeof(mp->tag)) { tag[sizeof(mp->tag)-1] = 0; _vec_len(tag) = sizeof(mp->tag); } clib_memcpy(mp->tag, tag, vec_len(tag)); vec_free(tag); } mp->count = htonl(n_rules); /* send it... */ S(mp); /* Wait for a reply... */ W (ret); return ret; } static int api_macip_acl_add_replace (vat_main_t * vam) { acl_test_main_t * sm = &acl_test_main; unformat_input_t * i = vam->input; vl_api_macip_acl_add_replace_t * mp; u32 acl_index = ~0; u32 msg_size = sizeof (*mp); /* without the rules */ vl_api_macip_acl_rule_t *rules = 0; int rule_idx = 0; int n_rules = 0; int n_rules_override = -1; u32 src_prefix_length = 0; u32 action = 0; ip4_address_t src_v4address; ip6_address_t src_v6address; u8 src_mac[6]; u8 *tag = 0; u8 mac_mask_all_1[6] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; int ret; if (!unformat (i, "%d", &acl_index)) { /* Just assume -1 */ } while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) { if (unformat (i, "ipv6")) { vec_validate_macip_acl_rules(rules, rule_idx); rules[rule_idx].is_ipv6 = 1; } else if (unformat (i, "ipv4")) { vec_validate_macip_acl_rules(rules, rule_idx); rules[rule_idx].is_ipv6 = 0; } else if (unformat (i, "permit")) { vec_validate_macip_acl_rules(rules, rule_idx); rules[rule_idx].is_permit = 1; } else if (unformat (i, "deny")) { vec_validate_macip_acl_rules(rules, rule_idx); rules[rule_idx].is_permit = 0; } else if (unformat (i, "count %d", &n_rules_override)) { /* we will use this later */ } else if (unformat (i, "action %d", &action)) { vec_validate_macip_acl_rules(rules, rule_idx); rules[rule_idx].is_permit = action; } else if (unformat (i, "ip %U/%d", unformat_ip4_address, &src_v4address, &src_prefix_length) || unformat (i, "ip %U", unformat_ip4_address, &src_v4address)) { if (src_prefix_length == 0) src_prefix_length = 32; vec_validate_macip_acl_rules(rules, rule_idx); memcpy (rules[rule_idx].src_ip_addr, &src_v4address, 4); rules[rule_idx].src_ip_prefix_len = src_prefix_length; rules[rule_idx].is_ipv6 = 0; } else if (unformat (i, "src")) { /* Everything in MACIP is "source" but allow this verbosity */ } else if (unformat (i, "ip %U/%d", unformat_ip6_address, &src_v6address, &src_prefix_length) || unformat (i, "ip %U", unformat_ip6_address, &src_v6address)) { if (src_prefix_length == 0) src_prefix_length = 128; vec_validate_macip_acl_rules(rules, rule_idx); memcpy (rules[rule_idx].src_ip_addr, &src_v6address, 16); rules[rule_idx].src_ip_prefix_len = src_prefix_length; rules[rule_idx].is_ipv6 = 1; } else if (unformat (i, "mac %U", my_unformat_mac_address, &src_mac)) { vec_validate_macip_acl_rules(rules, rule_idx); memcpy (rules[rule_idx].src_mac, &src_mac, 6); memcpy (rules[rule_idx].src_mac_mask, &mac_mask_all_1, 6); } else if (unformat (i, "mask %U", my_unformat_mac_address, &src_mac)) { vec_validate_macip_acl_rules(rules, rule_idx); memcpy (rules[rule_idx].src_mac_mask, &src_mac, 6); } else if (unformat (i, "tag %s", &tag)) { } else if (unformat (i, ",")) { rule_idx++; vec_validate_macip_acl_rules(rules, rule_idx); } else break; } if (!rules) { errmsg ("rule/s required\n"); return -99; } /* Construct the API message */ vam->result_ready = 0; if(rules) n_rules = vec_len(rules); if (n_rules_override >= 0) n_rules = n_rules_override; msg_size += n_rules*sizeof(rules[0]); mp = vl_msg_api_alloc_as_if_client(msg_size); clib_memset (mp, 0, msg_size); mp->_vl_msg_id = ntohs (VL_API_MACIP_ACL_ADD_REPLACE + sm->msg_id_base); mp->client_index = vam->my_client_index; if ((n_rules > 0) && rules) clib_memcpy(mp->r, rules, n_rules*sizeof (mp->r[0])); if (tag) { if (vec_len(tag) >= sizeof(mp->tag)) { tag[sizeof(mp->tag)-1] = 0; _vec_len(tag) = sizeof(mp->tag); } clib_memcpy(mp->tag, tag, vec_len(tag)); vec_free(tag); } mp->acl_index = ntohl(acl_index); mp->count = htonl(n_rules); /* send it... */ S(mp); /* Wait for a reply... */ W (ret); return ret; } /* * List of messages that the api test plugin sends, * and that the data plane plugin processes */ #define foreach_vpe_api_msg \ _(acl_plugin_get_version, "") \ _(acl_add_replace, "<acl-idx> [<ipv4|ipv6> <permit|permit+reflect|deny|action N> [src IP/plen] [dst IP/plen] [sport X-Y] [dport X-Y] [proto P] [tcpflags FL MASK], ... , ...") \ _(acl_add_replace_from_file, "filename <file> [permit] [append-default-permit]") \ _(acl_del, "<acl-idx>") \ _(acl_dump, "[<acl-idx>]") \ _(acl_interface_add_del, "<intfc> | sw_if_index <if-idx> [add|del] [input|output] acl <acl-idx>") \ _(acl_interface_set_acl_list, "<intfc> | sw_if_index <if-idx> input [acl-idx list] output [acl-idx list]") \ _(acl_interface_set_etype_whitelist, "<intfc> | sw_if_index <if-idx> input [ethertype list] output [ethertype list]") \ _(acl_interface_etype_whitelist_dump, "[<intfc> | sw_if_index <if-idx>]") \ _(acl_interface_list_dump, "[<intfc> | sw_if_index <if-idx>]") \ _(macip_acl_add, "...") \ _(macip_acl_add_replace, "<acl-idx> [<ipv4|ipv6> <permit|deny|action N> [count <count>] [src] ip <ipaddress/[plen]> mac <mac> mask <mac_mask>, ... , ...") \ _(macip_acl_del, "<acl-idx>")\ _(macip_acl_dump, "[<acl-idx>]") \ _(macip_acl_interface_add_del, "<intfc> | sw_if_index <if-idx> [add|del] acl <acl-idx>") \ _(macip_acl_interface_get, "") \ _(acl_plugin_get_conn_table_max_entries, "") \ _(acl_stats_intf_counters_enable, "[disable]") static void acl_api_hookup (vat_main_t *vam) { acl_test_main_t * sm = &acl_test_main; /* Hook up handlers for replies from the data plane plug-in */ #define _(N,n) \ vl_msg_api_set_handlers((VL_API_##N + sm->msg_id_base), \ #n, \ vl_api_##n##_t_handler, \ vl_noop_handler, \ vl_api_##n##_t_endian, \ vl_api_##n##_t_print, \ sizeof(vl_api_##n##_t), 1); foreach_vpe_api_reply_msg; #undef _ /* API messages we can send */ #define _(n,h) hash_set_mem (vam->function_by_name, #n, api_##n); foreach_vpe_api_msg; #undef _ /* Help strings */ #define _(n,h) hash_set_mem (vam->help_by_name, #n, h); foreach_vpe_api_msg; #undef _ } VAT_PLUGIN_REGISTER(acl);