path: root/src/vnet/classify/in_out_acl.c
blob: 7f5a926212c836a3c401e989c4b6a3c66cce96d2 (plain)
# Copyright (c) 2016 Cisco Systems, Inc.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at:
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

vppplugins_LTLIBRARIES += ixge_plugin.la

ixge_plugin_la_SOURCES = ixge/ixge.c

noinst_HEADERS += ixge/ixge.h

# vi:syntax=automake
/*
 * Copyright (c) 2015 Cisco and/or its affiliates.
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at:
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
#include <vnet/ip/ip.h>
#include <vnet/classify/vnet_classify.h>
#include <vnet/classify/in_out_acl.h>
#include <vnet/l2/l2_output.h>
#include <vnet/l2/l2_input.h>

/*
 * Single module-wide instance of the input/output ACL state.  Its
 * vlib_main, vnet_main and vnet_classify_main fields are filled in by
 * in_out_acl_init() in this file.
 */
in_out_acl_main_t in_out_acl_main;

/*
 * Enable or disable the classifier ACL feature on one interface for one
 * table type, in the input (is_output == 0) or output direction.
 *
 * For IN_OUT_ACL_TABLE_L2 this calls l2output_intf_bitmap_enable() or
 * l2input_intf_bitmap_enable() with the L2 ACL feature bit.  For the IP4
 * and IP6 table types it calls vnet_feature_enable_disable() on the
 * matching arc and stores that arc's config main in
 * am->vnet_config_main[is_output][tid].
 *
 * Always returns 0: the results of the enable/disable helpers are not
 * inspected here, so a failure to enable the ACL node is not reported to
 * the caller.
 */
static int
vnet_in_out_acl_ip_feature_enable (vlib_main_t * vnm,
                                   in_out_acl_main_t * am,
                                   u32 sw_if_index,
                                   in_out_acl_table_id_t tid,
                                   int feature_enable, int is_output)
{
  vnet_feature_config_main_t *fcm;
  char *arc_name;
  char *node_name;
  u8 arc;

  /* L2 is handled through the L2 feature bitmaps, not a feature arc. */
  if (tid == IN_OUT_ACL_TABLE_L2)
    {
      if (is_output)
        l2output_intf_bitmap_enable (sw_if_index, L2OUTPUT_FEAT_ACL,
                                     feature_enable);
      else
        l2input_intf_bitmap_enable (sw_if_index, L2INPUT_FEAT_ACL,
                                    feature_enable);
      return 0;
    }

  /* IP[46]: pick the arc and ACL node names for this family/direction. */
  if (tid == IN_OUT_ACL_TABLE_IP4)
    {
      arc_name = is_output ? "ip4-output" : "ip4-unicast";
      node_name = is_output ? "ip4-outacl" : "ip4-inacl";
    }
  else
    {
      arc_name = is_output ? "ip6-output" : "ip6-unicast";
      node_name = is_output ? "ip6-outacl" : "ip6-inacl";
    }

  vnet_feature_enable_disable (arc_name, node_name, sw_if_index,
                               feature_enable, 0, 0);
  arc = vnet_get_feature_arc_index (arc_name);

  fcm = vnet_get_feature_arc_config_main (arc);
  am->vnet_config_main[is_output][tid] = &fcm->config_main;

  return 0;
}

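/*
 * Attach (is_add != 0) or detach (is_add == 0) classifier tables as ACLs
 * on an interface, in the direction selected by is_output.
 *
 * A table index of ~0 means "no change for this table type".
 *
 * Returns 0 on success.  Returns VNET_API_ERROR_NO_SUCH_TABLE when a
 * requested index is not an allocated entry in the classifier table pool,
 * or when a delete names a table other than the one recorded for the
 * interface.
 *
 * Every requested table is checked before any state is changed, so a
 * rejected request does not leave the ACL applied for some table types
 * and missing for others.
 */
int
vnet_set_in_out_acl_intfc (vlib_main_t * vm, u32 sw_if_index,
                           u32 ip4_table_index,
                           u32 ip6_table_index, u32 l2_table_index,
                           u32 is_add, u32 is_output)
{
  in_out_acl_main_t *am = &in_out_acl_main;
  vnet_classify_main_t *vcm = am->vnet_classify_main;
  u32 acl[IN_OUT_ACL_N_TABLES] = { ip4_table_index, ip6_table_index,
    l2_table_index
  };
  u32 ti;

  /* Assume that we've validated sw_if_index in the API layer */

  /*
   * NOTE(review): is_output is used unchecked as the first index into
   * am->classify_table_index_by_sw_if_index.  The callers visible in this
   * file pass IN_OUT_ACL_INPUT_TABLE_GROUP or IN_OUT_ACL_OUTPUT_TABLE_GROUP;
   * confirm any other caller does too.
   */

  /* Pass 1: validate every requested table; nothing is enabled yet. */
  for (ti = 0; ti < IN_OUT_ACL_N_TABLES; ti++)
    {
      if (acl[ti] == ~0)
        continue;

      if (pool_is_free_index (vcm->tables, acl[ti]))
        return VNET_API_ERROR_NO_SUCH_TABLE;

      /* Grow the per-interface vector so the lookups below are in range. */
      vec_validate_init_empty
        (am->classify_table_index_by_sw_if_index[is_output][ti], sw_if_index,
         ~0);

      /* Reject any DEL operation with wrong sw_if_index */
      if (!is_add &&
          (acl[ti] !=
           am->classify_table_index_by_sw_if_index[is_output][ti]
           [sw_if_index]))
        {
          clib_warning
            ("Non-existent intf_idx=%d with table_index=%d for delete",
             sw_if_index, acl[ti]);
          return VNET_API_ERROR_NO_SUCH_TABLE;
        }
    }

  /* Pass 2: apply the change for each requested table type. */
  for (ti = 0; ti < IN_OUT_ACL_N_TABLES; ti++)
    {
      if (acl[ti] == ~0)
        continue;

      /*
       * Return ok on ADD operation if feature is already enabled.
       * NOTE(review): this reports success without comparing the recorded
       * table against acl[ti] and without processing later table types,
       * so an ADD naming a different table is silently not applied.
       */
      if (is_add &&
          am->classify_table_index_by_sw_if_index[is_output][ti][sw_if_index]
          != ~0)
        return 0;

      vnet_in_out_acl_ip_feature_enable (vm, am, sw_if_index, ti, is_add,
                                         is_output);

      if (is_add)
        am->classify_table_index_by_sw_if_index[is_output][ti][sw_if_index] =
          acl[ti];
      else
        am->classify_table_index_by_sw_if_index[is_output][ti][sw_if_index] =
          ~0;
    }

  return 0;
}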

/*
 * Input-direction convenience wrapper: forwards to
 * vnet_set_in_out_acl_intfc() with IN_OUT_ACL_INPUT_TABLE_GROUP and returns
 * its result unchanged.
 */
int
vnet_set_input_acl_intfc (vlib_main_t * vm, u32 sw_if_index,
                          u32 ip4_table_index,
                          u32 ip6_table_index, u32 l2_table_index, u32 is_add)
{
  int rv;

  rv = vnet_set_in_out_acl_intfc (vm, sw_if_index,
                                  ip4_table_index, ip6_table_index,
                                  l2_table_index,
                                  is_add, IN_OUT_ACL_INPUT_TABLE_GROUP);
  return rv;
}

/*
 * Output-direction convenience wrapper: forwards to
 * vnet_set_in_out_acl_intfc() with IN_OUT_ACL_OUTPUT_TABLE_GROUP and
 * returns its result unchanged.
 */
int
vnet_set_output_acl_intfc (vlib_main_t * vm, u32 sw_if_index,
                           u32 ip4_table_index,
                           u32 ip6_table_index, u32 l2_table_index,
                           u32 is_add)
{
  int rv;

  rv = vnet_set_in_out_acl_intfc (vm, sw_if_index,
                                  ip4_table_index, ip6_table_index,
                                  l2_table_index,
                                  is_add, IN_OUT_ACL_OUTPUT_TABLE_GROUP);
  return rv;
}

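/*
 * Shared CLI handler behind the input and output "set interface ... acl"
 * commands; is_output selects the direction.
 *
 * Parses "intfc <interface>", exactly one of "ip4-table <index>",
 * "ip6-table <index>" or "l2-table <index>", and an optional "del", then
 * calls vnet_set_in_out_acl_intfc().
 *
 * Returns 0 on success or a clib error describing why the request was
 * rejected.  Every non-zero result from vnet_set_in_out_acl_intfc() is
 * reported, so the operator is never told an ACL change succeeded when it
 * was refused.
 */
static clib_error_t *
set_in_out_acl_command_fn (vlib_main_t * vm,
                           unformat_input_t * input, vlib_cli_command_t * cmd,
                           u32 is_output)
{
  vnet_main_t *vnm = vnet_get_main ();
  u32 sw_if_index = ~0;
  u32 ip4_table_index = ~0;
  u32 ip6_table_index = ~0;
  u32 l2_table_index = ~0;
  u32 is_add = 1;
  u32 idx_cnt = 0;
  int rv;

  /*
   * NOTE(review): parsing stops at the first unrecognised token and the
   * rest of the line is ignored, so a mistyped "del" is treated as an add.
   * Consider rejecting leftover input.
   */
  while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
    {
      if (unformat (input, "intfc %U", unformat_vnet_sw_interface,
                    vnm, &sw_if_index))
        ;
      else if (unformat (input, "ip4-table %d", &ip4_table_index))
        idx_cnt++;
      else if (unformat (input, "ip6-table %d", &ip6_table_index))
        idx_cnt++;
      else if (unformat (input, "l2-table %d", &l2_table_index))
        idx_cnt++;
      else if (unformat (input, "del"))
        is_add = 0;
      else
        break;
    }

  if (sw_if_index == ~0)
    return clib_error_return (0, "Interface must be specified.");

  if (!idx_cnt)
    return clib_error_return (0, "Table index should be specified.");

  if (idx_cnt > 1)
    return clib_error_return (0, "Only one table index per API is allowed.");

  rv = vnet_set_in_out_acl_intfc (vm, sw_if_index, ip4_table_index,
                                  ip6_table_index, l2_table_index, is_add,
                                  is_output);

  switch (rv)
    {
    case 0:
      break;

    case VNET_API_ERROR_NO_MATCHING_INTERFACE:
      return clib_error_return (0, "No such interface");

    case VNET_API_ERROR_NO_SUCH_ENTRY:
      /* VNET_API_ERROR_NO_SUCH_TABLE is what the setter in this file
         returns for an unknown table or a mismatched delete. */
    case VNET_API_ERROR_NO_SUCH_TABLE:
      return clib_error_return (0, "No such classifier table");

    default:
      /* Never report success for an error code we do not recognise. */
      return clib_error_return (0, "vnet_set_in_out_acl_intfc returned %d",
                                rv);
    }
  return 0;
}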

/*
 * CLI entry point for the input direction: delegates to
 * set_in_out_acl_command_fn() with IN_OUT_ACL_INPUT_TABLE_GROUP.
 */
static clib_error_t *
set_input_acl_command_fn (vlib_main_t * vm,
                          unformat_input_t * input, vlib_cli_command_t * cmd)
{
  clib_error_t *err;

  err = set_in_out_acl_command_fn (vm, input, cmd,
                                   IN_OUT_ACL_INPUT_TABLE_GROUP);
  return err;
}

/*
 * CLI entry point for the output direction: delegates to
 * set_in_out_acl_command_fn() with IN_OUT_ACL_OUTPUT_TABLE_GROUP.
 */
static clib_error_t *
set_output_acl_command_fn (vlib_main_t * vm,
                           unformat_input_t * input, vlib_cli_command_t * cmd)
{
  clib_error_t *err;

  err = set_in_out_acl_command_fn (vm, input, cmd,
                                   IN_OUT_ACL_OUTPUT_TABLE_GROUP);
  return err;
}

/*
 * Configure interface to enable/disable input/output ACL features:
 * intfc - interface name to be configured as input ACL
 * ip4-table <index> [del] - enable/disable IP4 input ACL
 * ip6-table <index> [del] - enable/disable IP6 input ACL
 * l2-table <index> [del] - enable/disable Layer2 input ACL
 *
 * Note: Only one table index per API call is allowed.
 *
 */
/* *INDENT-OFF* */
/* CLI registration: "set interface input acl" is handled by
   set_input_acl_command_fn. */
VLIB_CLI_COMMAND (set_input_acl_command, static) = {
    .path = "set interface input acl",
    .short_help =
    "set interface input acl intfc <int> [ip4-table <index>]\n"
    "  [ip6-table <index>] [l2-table <index>] [del]",
    .function = set_input_acl_command_fn,
};
/* CLI registration: "set interface output acl" is handled by
   set_output_acl_command_fn. */
VLIB_CLI_COMMAND (set_output_acl_command, static) = {
    .path = "set interface output acl",
    .short_help =
    "set interface output acl intfc <int> [ip4-table <index>]\n"
    "  [ip6-table <index>] [l2-table <index>] [del]",
    .function = set_output_acl_command_fn,
};
/* *INDENT-ON* */

/*
 * Init function for this module: records the vlib main, the vnet main and
 * the global classifier main in in_out_acl_main.  Always returns 0.
 */
clib_error_t *
in_out_acl_init (vlib_main_t * vm)
{
  in_out_acl_main_t *acl_main = &in_out_acl_main;

  /* The three assignments are independent of one another. */
  acl_main->vnet_classify_main = &vnet_classify_main;
  acl_main->vnet_main = vnet_get_main ();
  acl_main->vlib_main = vm;

  return 0;
}
/* *INDENT-OFF* */
/* Register in_out_acl_init as an init function, ordered to run after
   "ip_in_out_acl_init". */
VLIB_INIT_FUNCTION (in_out_acl_init) =
{
  .runs_after = VLIB_INITS("ip_in_out_acl_init"),
};
/* *INDENT-ON* */

/*
 * unformat helper that reads an ACL table type keyword ("ip4", "ip6" or
 * "l2") and stores the matching IN_OUT_ACL_TABLE_* value through the u32
 * pointer taken from args.
 *
 * Keywords are consumed repeatedly, so the last one seen wins.  When no
 * keyword matches, IN_OUT_ACL_N_TABLES is stored.  The function returns 1
 * in every case, so callers must compare the stored value against
 * IN_OUT_ACL_N_TABLES to detect a missing or unknown type.
 */
uword
unformat_acl_type (unformat_input_t * input, va_list * args)
{
  u32 *result = va_arg (*args, u32 *);
  u32 parsed = IN_OUT_ACL_N_TABLES;

  for (;;)
    {
      if (unformat_check_input (input) == UNFORMAT_END_OF_INPUT)
        break;

      if (unformat (input, "ip4"))
        {
          parsed = IN_OUT_ACL_TABLE_IP4;
          continue;
        }
      if (unformat (input, "ip6"))
        {
          parsed = IN_OUT_ACL_TABLE_IP6;
          continue;
        }
      if (unformat (input, "l2"))
        {
          parsed = IN_OUT_ACL_TABLE_L2;
          continue;
        }

      /* Unrecognised token: stop and leave it for the caller. */
      break;
    }

  *result = parsed;
  return 1;
}

/*
 * format helper for one row of the "show inacl" / "show outacl" listing.
 *
 * Variadic arguments, in order: in_out_acl_main_t *, int interface index,
 * u32 classifier table index.  A table index of ~0 requests the column
 * header line instead of a data row.
 */
u8 *
format_vnet_in_out_acl_info (u8 * s, va_list * va)
{
  in_out_acl_main_t *acl_main = va_arg (*va, in_out_acl_main_t *);
  int if_index = va_arg (*va, int);
  u32 table_index = va_arg (*va, u32);

  if (table_index != ~0)
    {
      /* Data row: interface index, table index, interface name. */
      return format (s, "%10d%20d\t\t%U", if_index, table_index,
                     format_vnet_sw_if_index_name, acl_main->vnet_main,
                     if_index);
    }

  /* Header row. */
  return format (s, "%10s%20s\t\t%s", "Intfc idx", "Classify table",
                 "Interface name");
}

/*
 * Shared CLI handler behind "show inacl" and "show outacl"; is_output
 * selects the direction.
 *
 * Expects "type ip4|ip6|l2".  Prints a header followed by one line per
 * interface that has a classifier table recorded for that type, or a
 * "No ... ACL tables configured" message when the per-interface vector is
 * empty.  Returns an error when no valid type was given, otherwise 0.
 */
static clib_error_t *
show_in_out_acl_command_fn (vlib_main_t * vm,
                            unformat_input_t * input,
                            vlib_cli_command_t * cmd, u32 is_output)
{
  in_out_acl_main_t *am = &in_out_acl_main;
  u32 acl_type = IN_OUT_ACL_N_TABLES;
  u32 *tables;
  int if_index;

  while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
    {
      if (!unformat (input, "type %U", unformat_acl_type, &acl_type))
        break;
    }

  /* acl_type indexes the table array below, so reject the sentinel here. */
  if (acl_type == IN_OUT_ACL_N_TABLES)
    return clib_error_return (0, is_output ? "Invalid output ACL table type."
                              : "Invalid input ACL table type.");

  tables = am->classify_table_index_by_sw_if_index[is_output][acl_type];

  if (!vec_len (tables))
    vlib_cli_output (vm, is_output ? "No output ACL tables configured"
                     : "No input ACL tables configured");
  else
    vlib_cli_output (vm, "%U", format_vnet_in_out_acl_info, am, ~0 /* hdr */ ,
                     ~0);

  for (if_index = 0; if_index < vec_len (tables); if_index++)
    {
      /* ~0 marks an interface with no table of this type. */
      if (vec_elt (tables, if_index) != ~0)
        vlib_cli_output (vm, "%U", format_vnet_in_out_acl_info,
                         am, if_index, vec_elt (tables, if_index));
    }

  return 0;
}

/*
 * CLI entry point for "show inacl": delegates to
 * show_in_out_acl_command_fn() with IN_OUT_ACL_INPUT_TABLE_GROUP.
 */
static clib_error_t *
show_inacl_command_fn (vlib_main_t * vm,
                       unformat_input_t * input, vlib_cli_command_t * cmd)
{
  clib_error_t *err;

  err = show_in_out_acl_command_fn (vm, input, cmd,
                                    IN_OUT_ACL_INPUT_TABLE_GROUP);
  return err;
}

/*
 * CLI entry point for "show outacl": delegates to
 * show_in_out_acl_command_fn() with IN_OUT_ACL_OUTPUT_TABLE_GROUP.
 */
static clib_error_t *
show_outacl_command_fn (vlib_main_t * vm,
                        unformat_input_t * input, vlib_cli_command_t * cmd)
{
  clib_error_t *err;

  err = show_in_out_acl_command_fn (vm, input, cmd,
                                    IN_OUT_ACL_OUTPUT_TABLE_GROUP);
  return err;
}

/* *INDENT-OFF* */
/* CLI registration: "show inacl" is handled by show_inacl_command_fn. */
VLIB_CLI_COMMAND (show_inacl_command, static) = {
    .path = "show inacl",
    .short_help = "show inacl type [ip4|ip6|l2]",
    .function = show_inacl_command_fn,
};
/* CLI registration: "show outacl" is handled by show_outacl_command_fn. */
VLIB_CLI_COMMAND (show_outacl_command, static) = {
    .path = "show outacl",
    .short_help = "show outacl type [ip4|ip6|l2]",
    .function = show_outacl_command_fn,
};
/* *INDENT-ON* */

/*
 * fd.io coding-style-patch-verification: ON
 *
 * Local Variables:
 * eval: (c-set-style "gnu")
 * End:
 */