diff --git a/docs/README.acl.md b/docs/README.acl.md index e8d49c7..bf198c7 100644 --- a/docs/README.acl.md +++ b/docs/README.acl.md 
@@ -1,4 +1,221 @@ -# Use a simple routing topology as below to demonstrate SONiC VPP traffic filtering using ingress Access List +# Sonic-Mgmt ACL testing + +The Sonic-VPP ACL implementation has been updated to support testing with sonic-mgmt. + +The test cases in [`test_acl.py`](https://github.com/sonic-net/sonic-mgmt/blob/master/tests/acl/test_acl.py) can be executed on the T1 topology, subjet to the following limitations: + +1. Empty ACL tables cannot be applied on a port before the ACL table under test is configured. + +2. After config reload, the test must wait for the interfaces to come up before proceeding. + +These VPP limitations are codified in the following sonic-mgmt PR: https://github.com/sonic-net/sonic-mgmt/pull/18313 + +Future support on sonic-mgmt will include: + +- T1-lag / PortChannel support +- Incremental, Reload and PortToggle variations (800 tests) + +The following results summarize the current status of the ACL test runs on the T1 topology: + +``` +========= 188 passed, 612 skipped, 663 warnings in 1039.06s (0:17:19) ========== +SKIPPED [4] acl/test_acl.py:1000: Only run for egress +SKIPPED [600] acl/test_acl.py: Phase 2 enablement +SKIPPED [4] acl/test_acl.py:992: Only run for ingress +SKIPPED [4] acl/test_acl.py: Failure on VPP +PASSED test_ingress_unmatched_blocked[ipv4-ingress-downlink->uplink-default-no_vlan] +PASSED test_source_ip_match_forwarded[ipv4-ingress-downlink->uplink-default-no_vlan] +PASSED test_rules_priority_forwarded[ipv4-ingress-downlink->uplink-default-no_vlan] +PASSED test_rules_priority_dropped[ipv4-ingress-downlink->uplink-default-no_vlan] +PASSED test_dest_ip_match_forwarded[ipv4-ingress-downlink->uplink-default-no_vlan] +PASSED test_dest_ip_match_dropped[ipv4-ingress-downlink->uplink-default-no_vlan] +PASSED test_source_ip_match_dropped[ipv4-ingress-downlink->uplink-default-no_vlan] +PASSED test_udp_source_ip_match_forwarded[ipv4-ingress-downlink->uplink-default-no_vlan] +PASSED 
test_udp_source_ip_match_dropped[ipv4-ingress-downlink->uplink-default-no_vlan] +PASSED test_icmp_source_ip_match_dropped[ipv4-ingress-downlink->uplink-default-no_vlan] +PASSED test_icmp_source_ip_match_forwarded[ipv4-ingress-downlink->uplink-default-no_vlan] +PASSED test_l4_dport_match_forwarded[ipv4-ingress-downlink->uplink-default-no_vlan] +PASSED test_l4_sport_match_forwarded[ipv4-ingress-downlink->uplink-default-no_vlan] +PASSED test_l4_dport_range_match_forwarded[ipv4-ingress-downlink->uplink-default-no_vlan] +PASSED test_l4_sport_range_match_forwarded[ipv4-ingress-downlink->uplink-default-no_vlan] +PASSED test_l4_dport_range_match_dropped[ipv4-ingress-downlink->uplink-default-no_vlan] +PASSED test_l4_sport_range_match_dropped[ipv4-ingress-downlink->uplink-default-no_vlan] +PASSED test_ip_proto_match_forwarded[ipv4-ingress-downlink->uplink-default-no_vlan] +PASSED test_tcp_flags_match_forwarded[ipv4-ingress-downlink->uplink-default-no_vlan] +PASSED test_l4_dport_match_dropped[ipv4-ingress-downlink->uplink-default-no_vlan] +PASSED test_l4_sport_match_dropped[ipv4-ingress-downlink->uplink-default-no_vlan] +PASSED test_ip_proto_match_dropped[ipv4-ingress-downlink->uplink-default-no_vlan] +PASSED test_tcp_flags_match_dropped[ipv4-ingress-downlink->uplink-default-no_vlan] +PASSED test_icmp_match_forwarded[ipv4-ingress-downlink->uplink-default-no_vlan] +PASSED test_ingress_unmatched_blocked[ipv4-ingress-uplink->downlink-default-no_vlan] +PASSED test_source_ip_match_forwarded[ipv4-ingress-uplink->downlink-default-no_vlan] +PASSED test_rules_priority_forwarded[ipv4-ingress-uplink->downlink-default-no_vlan] +PASSED test_rules_priority_dropped[ipv4-ingress-uplink->downlink-default-no_vlan] +PASSED test_dest_ip_match_forwarded[ipv4-ingress-uplink->downlink-default-no_vlan] +PASSED test_dest_ip_match_dropped[ipv4-ingress-uplink->downlink-default-no_vlan] +PASSED test_source_ip_match_dropped[ipv4-ingress-uplink->downlink-default-no_vlan] +PASSED 
test_udp_source_ip_match_forwarded[ipv4-ingress-uplink->downlink-default-no_vlan] +PASSED test_udp_source_ip_match_dropped[ipv4-ingress-uplink->downlink-default-no_vlan] +PASSED test_icmp_source_ip_match_dropped[ipv4-ingress-uplink->downlink-default-no_vlan] +PASSED test_icmp_source_ip_match_forwarded[ipv4-ingress-uplink->downlink-default-no_vlan] +PASSED test_l4_dport_match_forwarded[ipv4-ingress-uplink->downlink-default-no_vlan] +PASSED test_l4_sport_match_forwarded[ipv4-ingress-uplink->downlink-default-no_vlan] +PASSED test_l4_dport_range_match_forwarded[ipv4-ingress-uplink->downlink-default-no_vlan] +PASSED test_l4_sport_range_match_forwarded[ipv4-ingress-uplink->downlink-default-no_vlan] +PASSED test_l4_dport_range_match_dropped[ipv4-ingress-uplink->downlink-default-no_vlan] +PASSED test_l4_sport_range_match_dropped[ipv4-ingress-uplink->downlink-default-no_vlan] +PASSED test_ip_proto_match_forwarded[ipv4-ingress-uplink->downlink-default-no_vlan] +PASSED test_tcp_flags_match_forwarded[ipv4-ingress-uplink->downlink-default-no_vlan] +PASSED test_l4_dport_match_dropped[ipv4-ingress-uplink->downlink-default-no_vlan] +PASSED test_l4_sport_match_dropped[ipv4-ingress-uplink->downlink-default-no_vlan] +PASSED test_ip_proto_match_dropped[ipv4-ingress-uplink->downlink-default-no_vlan] +PASSED test_tcp_flags_match_dropped[ipv4-ingress-uplink->downlink-default-no_vlan] +PASSED test_icmp_match_forwarded[ipv4-ingress-uplink->downlink-default-no_vlan] +PASSED test_source_ip_match_forwarded[ipv4-egress-downlink->uplink-default-no_vlan] +PASSED test_rules_priority_forwarded[ipv4-egress-downlink->uplink-default-no_vlan] +PASSED test_rules_priority_dropped[ipv4-egress-downlink->uplink-default-no_vlan] +PASSED test_dest_ip_match_forwarded[ipv4-egress-downlink->uplink-default-no_vlan] +PASSED test_dest_ip_match_dropped[ipv4-egress-downlink->uplink-default-no_vlan] +PASSED test_source_ip_match_dropped[ipv4-egress-downlink->uplink-default-no_vlan] +PASSED 
test_udp_source_ip_match_forwarded[ipv4-egress-downlink->uplink-default-no_vlan] +PASSED test_udp_source_ip_match_dropped[ipv4-egress-downlink->uplink-default-no_vlan] +PASSED test_icmp_source_ip_match_dropped[ipv4-egress-downlink->uplink-default-no_vlan] +PASSED test_icmp_source_ip_match_forwarded[ipv4-egress-downlink->uplink-default-no_vlan] +PASSED test_l4_dport_match_forwarded[ipv4-egress-downlink->uplink-default-no_vlan] +PASSED test_l4_sport_match_forwarded[ipv4-egress-downlink->uplink-default-no_vlan] +PASSED test_l4_dport_range_match_forwarded[ipv4-egress-downlink->uplink-default-no_vlan] +PASSED test_l4_sport_range_match_forwarded[ipv4-egress-downlink->uplink-default-no_vlan] +PASSED test_l4_dport_range_match_dropped[ipv4-egress-downlink->uplink-default-no_vlan] +PASSED test_l4_sport_range_match_dropped[ipv4-egress-downlink->uplink-default-no_vlan] +PASSED test_ip_proto_match_forwarded[ipv4-egress-downlink->uplink-default-no_vlan] +PASSED test_tcp_flags_match_forwarded[ipv4-egress-downlink->uplink-default-no_vlan] +PASSED test_l4_dport_match_dropped[ipv4-egress-downlink->uplink-default-no_vlan] +PASSED test_l4_sport_match_dropped[ipv4-egress-downlink->uplink-default-no_vlan] +PASSED test_ip_proto_match_dropped[ipv4-egress-downlink->uplink-default-no_vlan] +PASSED test_tcp_flags_match_dropped[ipv4-egress-downlink->uplink-default-no_vlan] +PASSED test_icmp_match_forwarded[ipv4-egress-downlink->uplink-default-no_vlan] +PASSED test_source_ip_match_forwarded[ipv4-egress-uplink->downlink-default-no_vlan] +PASSED test_rules_priority_forwarded[ipv4-egress-uplink->downlink-default-no_vlan] +PASSED test_rules_priority_dropped[ipv4-egress-uplink->downlink-default-no_vlan] +PASSED test_dest_ip_match_forwarded[ipv4-egress-uplink->downlink-default-no_vlan] +PASSED test_dest_ip_match_dropped[ipv4-egress-uplink->downlink-default-no_vlan] +PASSED test_source_ip_match_dropped[ipv4-egress-uplink->downlink-default-no_vlan] +PASSED 
test_udp_source_ip_match_forwarded[ipv4-egress-uplink->downlink-default-no_vlan] +PASSED test_udp_source_ip_match_dropped[ipv4-egress-uplink->downlink-default-no_vlan] +PASSED test_icmp_source_ip_match_dropped[ipv4-egress-uplink->downlink-default-no_vlan] +PASSED test_icmp_source_ip_match_forwarded[ipv4-egress-uplink->downlink-default-no_vlan] +PASSED test_l4_dport_match_forwarded[ipv4-egress-uplink->downlink-default-no_vlan] +PASSED test_l4_sport_match_forwarded[ipv4-egress-uplink->downlink-default-no_vlan] +PASSED test_l4_dport_range_match_forwarded[ipv4-egress-uplink->downlink-default-no_vlan] +PASSED test_l4_sport_range_match_forwarded[ipv4-egress-uplink->downlink-default-no_vlan] +PASSED test_l4_dport_range_match_dropped[ipv4-egress-uplink->downlink-default-no_vlan] +PASSED test_l4_sport_range_match_dropped[ipv4-egress-uplink->downlink-default-no_vlan] +PASSED test_ip_proto_match_forwarded[ipv4-egress-uplink->downlink-default-no_vlan] +PASSED test_tcp_flags_match_forwarded[ipv4-egress-uplink->downlink-default-no_vlan] +PASSED test_l4_dport_match_dropped[ipv4-egress-uplink->downlink-default-no_vlan] +PASSED test_l4_sport_match_dropped[ipv4-egress-uplink->downlink-default-no_vlan] +PASSED test_ip_proto_match_dropped[ipv4-egress-uplink->downlink-default-no_vlan] +PASSED test_tcp_flags_match_dropped[ipv4-egress-uplink->downlink-default-no_vlan] +PASSED test_icmp_match_forwarded[ipv4-egress-uplink->downlink-default-no_vlan] +PASSED test_source_ip_match_forwarded[ipv6-egress-downlink->uplink-default-no_vlan] +PASSED test_rules_priority_forwarded[ipv6-egress-downlink->uplink-default-no_vlan] +PASSED test_rules_priority_dropped[ipv6-egress-downlink->uplink-default-no_vlan] +PASSED test_dest_ip_match_forwarded[ipv6-egress-downlink->uplink-default-no_vlan] +PASSED test_dest_ip_match_dropped[ipv6-egress-downlink->uplink-default-no_vlan] +PASSED test_source_ip_match_dropped[ipv6-egress-downlink->uplink-default-no_vlan] +PASSED 
test_udp_source_ip_match_forwarded[ipv6-egress-downlink->uplink-default-no_vlan] +PASSED test_udp_source_ip_match_dropped[ipv6-egress-downlink->uplink-default-no_vlan] +PASSED test_icmp_source_ip_match_dropped[ipv6-egress-downlink->uplink-default-no_vlan] +PASSED test_icmp_source_ip_match_forwarded[ipv6-egress-downlink->uplink-default-no_vlan] +PASSED test_l4_dport_match_forwarded[ipv6-egress-downlink->uplink-default-no_vlan] +PASSED test_l4_sport_match_forwarded[ipv6-egress-downlink->uplink-default-no_vlan] +PASSED test_l4_dport_range_match_forwarded[ipv6-egress-downlink->uplink-default-no_vlan] +PASSED test_l4_sport_range_match_forwarded[ipv6-egress-downlink->uplink-default-no_vlan] +PASSED test_l4_dport_range_match_dropped[ipv6-egress-downlink->uplink-default-no_vlan] +PASSED test_l4_sport_range_match_dropped[ipv6-egress-downlink->uplink-default-no_vlan] +PASSED test_ip_proto_match_forwarded[ipv6-egress-downlink->uplink-default-no_vlan] +PASSED test_tcp_flags_match_forwarded[ipv6-egress-downlink->uplink-default-no_vlan] +PASSED test_l4_dport_match_dropped[ipv6-egress-downlink->uplink-default-no_vlan] +PASSED test_l4_sport_match_dropped[ipv6-egress-downlink->uplink-default-no_vlan] +PASSED test_ip_proto_match_dropped[ipv6-egress-downlink->uplink-default-no_vlan] +PASSED test_tcp_flags_match_dropped[ipv6-egress-downlink->uplink-default-no_vlan] +PASSED test_icmp_match_forwarded[ipv6-egress-downlink->uplink-default-no_vlan] +PASSED test_source_ip_match_forwarded[ipv6-egress-uplink->downlink-default-no_vlan] +PASSED test_rules_priority_forwarded[ipv6-egress-uplink->downlink-default-no_vlan] +PASSED test_rules_priority_dropped[ipv6-egress-uplink->downlink-default-no_vlan] +PASSED test_dest_ip_match_forwarded[ipv6-egress-uplink->downlink-default-no_vlan] +PASSED test_dest_ip_match_dropped[ipv6-egress-uplink->downlink-default-no_vlan] +PASSED test_source_ip_match_dropped[ipv6-egress-uplink->downlink-default-no_vlan] +PASSED 
test_udp_source_ip_match_forwarded[ipv6-egress-uplink->downlink-default-no_vlan] +PASSED test_udp_source_ip_match_dropped[ipv6-egress-uplink->downlink-default-no_vlan] +PASSED test_icmp_source_ip_match_dropped[ipv6-egress-uplink->downlink-default-no_vlan] +PASSED test_icmp_source_ip_match_forwarded[ipv6-egress-uplink->downlink-default-no_vlan] +PASSED test_l4_dport_match_forwarded[ipv6-egress-uplink->downlink-default-no_vlan] +PASSED test_l4_sport_match_forwarded[ipv6-egress-uplink->downlink-default-no_vlan] +PASSED test_l4_dport_range_match_forwarded[ipv6-egress-uplink->downlink-default-no_vlan] +PASSED test_l4_sport_range_match_forwarded[ipv6-egress-uplink->downlink-default-no_vlan] +PASSED test_l4_dport_range_match_dropped[ipv6-egress-uplink->downlink-default-no_vlan] +PASSED test_l4_sport_range_match_dropped[ipv6-egress-uplink->downlink-default-no_vlan] +PASSED test_ip_proto_match_forwarded[ipv6-egress-uplink->downlink-default-no_vlan] +PASSED test_tcp_flags_match_forwarded[ipv6-egress-uplink->downlink-default-no_vlan] +PASSED test_l4_dport_match_dropped[ipv6-egress-uplink->downlink-default-no_vlan] +PASSED test_l4_sport_match_dropped[ipv6-egress-uplink->downlink-default-no_vlan] +PASSED test_ip_proto_match_dropped[ipv6-egress-uplink->downlink-default-no_vlan] +PASSED test_tcp_flags_match_dropped[ipv6-egress-uplink->downlink-default-no_vlan] +PASSED test_icmp_match_forwarded[ipv6-egress-uplink->downlink-default-no_vlan] +PASSED test_ingress_unmatched_blocked[ipv6-ingress-downlink->uplink-default-no_vlan] +PASSED test_source_ip_match_forwarded[ipv6-ingress-downlink->uplink-default-no_vlan] +PASSED test_rules_priority_forwarded[ipv6-ingress-downlink->uplink-default-no_vlan] +PASSED test_rules_priority_dropped[ipv6-ingress-downlink->uplink-default-no_vlan] +PASSED test_dest_ip_match_forwarded[ipv6-ingress-downlink->uplink-default-no_vlan] +PASSED test_dest_ip_match_dropped[ipv6-ingress-downlink->uplink-default-no_vlan] +PASSED 
test_source_ip_match_dropped[ipv6-ingress-downlink->uplink-default-no_vlan] +PASSED test_udp_source_ip_match_forwarded[ipv6-ingress-downlink->uplink-default-no_vlan] +PASSED test_udp_source_ip_match_dropped[ipv6-ingress-downlink->uplink-default-no_vlan] +PASSED test_icmp_source_ip_match_dropped[ipv6-ingress-downlink->uplink-default-no_vlan] +PASSED test_icmp_source_ip_match_forwarded[ipv6-ingress-downlink->uplink-default-no_vlan] +PASSED test_l4_dport_match_forwarded[ipv6-ingress-downlink->uplink-default-no_vlan] +PASSED test_l4_sport_match_forwarded[ipv6-ingress-downlink->uplink-default-no_vlan] +PASSED test_l4_dport_range_match_forwarded[ipv6-ingress-downlink->uplink-default-no_vlan] +PASSED test_l4_sport_range_match_forwarded[ipv6-ingress-downlink->uplink-default-no_vlan] +PASSED test_l4_dport_range_match_dropped[ipv6-ingress-downlink->uplink-default-no_vlan] +PASSED test_l4_sport_range_match_dropped[ipv6-ingress-downlink->uplink-default-no_vlan] +PASSED test_ip_proto_match_forwarded[ipv6-ingress-downlink->uplink-default-no_vlan] +PASSED test_tcp_flags_match_forwarded[ipv6-ingress-downlink->uplink-default-no_vlan] +PASSED test_l4_dport_match_dropped[ipv6-ingress-downlink->uplink-default-no_vlan] +PASSED test_l4_sport_match_dropped[ipv6-ingress-downlink->uplink-default-no_vlan] +PASSED test_ip_proto_match_dropped[ipv6-ingress-downlink->uplink-default-no_vlan] +PASSED test_tcp_flags_match_dropped[ipv6-ingress-downlink->uplink-default-no_vlan] +PASSED test_icmp_match_forwarded[ipv6-ingress-downlink->uplink-default-no_vlan] +PASSED test_ingress_unmatched_blocked[ipv6-ingress-uplink->downlink-default-no_vlan] +PASSED test_source_ip_match_forwarded[ipv6-ingress-uplink->downlink-default-no_vlan] +PASSED test_rules_priority_forwarded[ipv6-ingress-uplink->downlink-default-no_vlan] +PASSED test_rules_priority_dropped[ipv6-ingress-uplink->downlink-default-no_vlan] +PASSED test_dest_ip_match_forwarded[ipv6-ingress-uplink->downlink-default-no_vlan] +PASSED 
test_dest_ip_match_dropped[ipv6-ingress-uplink->downlink-default-no_vlan] +PASSED test_source_ip_match_dropped[ipv6-ingress-uplink->downlink-default-no_vlan] +PASSED test_udp_source_ip_match_forwarded[ipv6-ingress-uplink->downlink-default-no_vlan] +PASSED test_udp_source_ip_match_dropped[ipv6-ingress-uplink->downlink-default-no_vlan] +PASSED test_icmp_source_ip_match_dropped[ipv6-ingress-uplink->downlink-default-no_vlan] +PASSED test_icmp_source_ip_match_forwarded[ipv6-ingress-uplink->downlink-default-no_vlan] +PASSED test_l4_dport_match_forwarded[ipv6-ingress-uplink->downlink-default-no_vlan] +PASSED test_l4_sport_match_forwarded[ipv6-ingress-uplink->downlink-default-no_vlan] +PASSED test_l4_dport_range_match_forwarded[ipv6-ingress-uplink->downlink-default-no_vlan] +PASSED test_l4_sport_range_match_forwarded[ipv6-ingress-uplink->downlink-default-no_vlan] +PASSED test_l4_dport_range_match_dropped[ipv6-ingress-uplink->downlink-default-no_vlan] +PASSED test_l4_sport_range_match_dropped[ipv6-ingress-uplink->downlink-default-no_vlan] +PASSED test_ip_proto_match_forwarded[ipv6-ingress-uplink->downlink-default-no_vlan] +PASSED test_tcp_flags_match_forwarded[ipv6-ingress-uplink->downlink-default-no_vlan] +PASSED test_l4_dport_match_dropped[ipv6-ingress-uplink->downlink-default-no_vlan] +PASSED test_l4_sport_match_dropped[ipv6-ingress-uplink->downlink-default-no_vlan] +PASSED test_ip_proto_match_dropped[ipv6-ingress-uplink->downlink-default-no_vlan] +PASSED test_tcp_flags_match_dropped[ipv6-ingress-uplink->downlink-default-no_vlan] +PASSED test_icmp_match_forwarded[ipv6-ingress-uplink->downlink-default-no_vlan] +``` + +# Simple Topology Testing + +You can use a simple routing topology as below to demonstrate SONiC VPP traffic filtering using ingress Access List Host1 --------------------- Sonic-VPP-Router1 -------------- Sonic-VPP-Router2 ---------------- Host2 diff --git a/saivpp/src/SwitchStateBaseAcl.cpp b/saivpp/src/SwitchStateBaseAcl.cpp index cd48fa6..b55703a 100644 
--- a/saivpp/src/SwitchStateBaseAcl.cpp +++ b/saivpp/src/SwitchStateBaseAcl.cpp @@ -190,7 +190,7 @@ static sai_status_t acl_icmp_field_to_vpp_acl_rule( _In_ const sai_attribute_value_t *value, _Out_ vpp_acl_rule_t *rule) { - uint16_t data = 0, mask = 0; + uint16_t first = 0, last = 0; uint16_t new_data, new_mask; assert((SAI_ACL_ENTRY_ATTR_FIELD_ICMP_CODE == attr_id) || @@ -201,25 +201,21 @@ static sai_status_t acl_icmp_field_to_vpp_acl_rule( new_data = (value->aclfield.enable) ? value->aclfield.data.u8 : 0; new_mask = (value->aclfield.enable) ? value->aclfield.mask.u8 : 0; + first = new_data & new_mask; + last = new_data | (~new_mask & 0xFF); switch (attr_id) { case SAI_ACL_ENTRY_ATTR_FIELD_ICMP_CODE: case SAI_ACL_ENTRY_ATTR_FIELD_ICMPV6_CODE: - data = (uint16_t) ((data & 0xFF) | (new_data << 8)); - mask = (uint16_t) ((mask & 0xFF) | (new_mask << 8)); - - rule->dstport_or_icmpcode_first = data; - rule->srcport_or_icmptype_last = mask; + rule->dstport_or_icmpcode_first = first; + rule->dstport_or_icmpcode_last = last; break; case SAI_ACL_ENTRY_ATTR_FIELD_ICMP_TYPE: case SAI_ACL_ENTRY_ATTR_FIELD_ICMPV6_TYPE: - data = (uint16_t) ((data & 0xFF00) | new_data); - mask = (uint16_t) ((mask & 0xFF00) | new_mask); - - rule->srcport_or_icmptype_first = data; - rule->srcport_or_icmptype_last = mask; + rule->srcport_or_icmptype_first = first; + rule->srcport_or_icmptype_last = last; break; 
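Review bot: The new range conversion `first = new_data & new_mask; last = new_data | (~new_mask & 0xFF);` is only exact when `new_mask` is a contiguous high-order prefix mask; for any other mask (e.g. 0x0F) the resulting first..last range admits values the SAI rule would not match, so a DENY entry blocks more and a PERMIT entry admits more than was configured. I would reject such masks before the switch: `uint8_t wild = (uint8_t) ~new_mask; if (wild & (uint8_t)(wild + 1)) { SWSS_LOG_ERROR("ICMP field mask 0x%02x is not a contiguous prefix mask", new_mask); return SAI_STATUS_FAILURE; }`. The `= 0` initialisers on `first`/`last` are now dead, since both are assigned unconditionally before the switch. acl_icmp_field_to_vpp_acl_rule starts and ends outside the hunk.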
@@ -267,20 +263,34 @@ static sai_status_t acl_rule_port_range_vpp_acl_set( switch (type) { case SAI_ACL_RANGE_TYPE_L4_SRC_PORT_RANGE: - rule->srcport_or_icmptype_first = (uint16_t) range->min; - rule->srcport_or_icmptype_last = (uint16_t) range->max; - SWSS_LOG_INFO("SRC port range %u-%u", range->min, range->max); + if (rule->proto != 0 && rule->proto != IPPROTO_TCP) { + SWSS_LOG_ERROR( + "Conflicting protocol settings: " + "src port range requires TCP, but proto is already set to %u", + rule->proto); + return SAI_STATUS_FAILURE; + } + rule->proto = IPPROTO_TCP; + rule->srcport_or_icmptype_first = (uint16_t) range->min; + rule->srcport_or_icmptype_last = (uint16_t) range->max; break; case SAI_ACL_RANGE_TYPE_L4_DST_PORT_RANGE: - rule->dstport_or_icmpcode_first = (uint16_t) range->min; - rule->dstport_or_icmpcode_last = (uint16_t) range->max; - SWSS_LOG_INFO("DST port range %u-%u", range->min, range->max); + if (rule->proto != 0 && rule->proto != IPPROTO_TCP) { + SWSS_LOG_ERROR( + "Conflicting protocol settings: " + "dst port range requires TCP, but proto is already set to %u", + rule->proto); + return SAI_STATUS_FAILURE; + } + rule->proto = IPPROTO_TCP; + rule->dstport_or_icmpcode_first = (uint16_t) range->min; + rule->dstport_or_icmpcode_last = (uint16_t) range->max; break; default: SWSS_LOG_INFO("Range type %d is not supported\n", type); - break; + break; } return SAI_STATUS_SUCCESS; @@ -339,15 +349,15 @@ static void acl_rule_set_action( _Out_ vpp_acl_rule_t *rule) { - switch (value->aclaction.parameter.s32) { - case SAI_PACKET_ACTION_FORWARD: - rule->action = VPP_ACL_ACTION_API_PERMIT_STFULL; - break; - - case SAI_PACKET_ACTION_DROP: - rule->action = VPP_ACL_ACTION_API_DENY; - break; - } + switch (value->aclaction.parameter.s32) { + case SAI_PACKET_ACTION_FORWARD: + rule->action = VPP_ACL_ACTION_API_PERMIT; + break; + + case SAI_PACKET_ACTION_DROP: + rule->action = VPP_ACL_ACTION_API_DENY; + break; + } } sai_status_t acl_rule_field_update( 
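Review bot: Forcing `rule->proto = IPPROTO_TCP` for an L4 port range narrows the SAI semantics: an entry that matches a port without specifying IP_PROTOCOL applies to any transport that carries ports, so a DENY entry written that way now leaves the same UDP port open, and an entry that does set IP_PROTOCOL to UDP is rejected by the conflict check. If VPP needs a concrete protocol to evaluate port ranges, that is worth a comment on the case, and the `SWSS_LOG_INFO` lines that printed the accepted range were dropped in the same change, so the installed range is no longer visible in logs. The guard-then-assign sequence is repeated here twice and five more times in the acl_rule_field_update hunk; a small helper keeps the message and the `proto == 0` sentinel handling in one place, as sketched below. acl_rule_port_range_vpp_acl_set starts outside the hunk.
```cpp
// Pin the rule to the IP protocol a field implies; fail if an earlier field
// already pinned it to a different one (proto 0 is treated as "unset").
static sai_status_t acl_rule_require_proto(
    _Inout_ vpp_acl_rule_t *rule, uint8_t proto, const char *field)
{
    if (rule->proto != 0 && rule->proto != proto) {
        SWSS_LOG_ERROR(
            "Conflicting protocol settings: %s requires proto %u, "
            "but proto is already set to %u",
            field, proto, rule->proto);
        return SAI_STATUS_FAILURE;
    }
    rule->proto = proto;
    return SAI_STATUS_SUCCESS;
}

// … unchanged: acl_rule_port_range_vpp_acl_set up to the switch …
        case SAI_ACL_RANGE_TYPE_L4_SRC_PORT_RANGE:
            if (acl_rule_require_proto(rule, IPPROTO_TCP, "src port range") != SAI_STATUS_SUCCESS) {
                return SAI_STATUS_FAILURE;
            }
            rule->srcport_or_icmptype_first = (uint16_t) range->min;
            rule->srcport_or_icmptype_last = (uint16_t) range->max;
            SWSS_LOG_INFO("SRC port range %u-%u", range->min, range->max);
            break;
// … unchanged: DST port range case (same shape) and default …
```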
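Review bot: The switch in acl_rule_set_action still has no `default`, so an unsupported SAI packet action (COPY, TRAP, LOG, …) leaves `rule->action` at whatever the caller initialised it to and the entry is installed silently with that action; add `default: SWSS_LOG_ERROR("Unsupported packet action %d", value->aclaction.parameter.s32); break;` so the mismatch is visible. Replacing `VPP_ACL_ACTION_API_PERMIT_STFULL` with `VPP_ACL_ACTION_API_PERMIT` also changes how return traffic is treated (no reflexive state, if that is what the stateful variant provided), which deserves a one-line comment on the FORWARD case saying why the stateless permit is the intended mapping. acl_rule_set_action's signature starts outside the hunk.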
@@ -373,33 +383,99 @@ sai_status_t acl_rule_field_update( break; case SAI_ACL_ENTRY_ATTR_FIELD_ACL_IP_TYPE: - status = acl_ip_type_field_to_vpp_acl_rule(attr_id, value, rule); + status = acl_ip_type_field_to_vpp_acl_rule(attr_id, value, rule); break; - case SAI_ACL_ENTRY_ATTR_FIELD_ICMP_CODE: case SAI_ACL_ENTRY_ATTR_FIELD_ICMP_TYPE: + if (rule->proto != 0 && rule->proto != IPPROTO_ICMP) { + SWSS_LOG_ERROR( + "Conflicting protocol settings: " + "ICMP requires ICMP protocol, but proto is already set to %u", + rule->proto); + return SAI_STATUS_FAILURE; + } + rule->proto = IPPROTO_ICMP; + status = acl_icmp_field_to_vpp_acl_rule(attr_id, value, rule); + break; + case SAI_ACL_ENTRY_ATTR_FIELD_ICMPV6_CODE: case SAI_ACL_ENTRY_ATTR_FIELD_ICMPV6_TYPE: - status = acl_icmp_field_to_vpp_acl_rule(attr_id, - value, rule); + if (rule->proto != 0 && rule->proto != IPPROTO_ICMPV6) { + SWSS_LOG_ERROR( + "Conflicting protocol settings: " + "ICMPv6 requires ICMPv6 protocol, but proto is already set to %u", + rule->proto); + return SAI_STATUS_FAILURE; + } + rule->proto = IPPROTO_ICMPV6; + status = acl_icmp_field_to_vpp_acl_rule(attr_id, value, rule); break; case SAI_ACL_ENTRY_ATTR_FIELD_L4_SRC_PORT: case SAI_ACL_ENTRY_ATTR_FIELD_L4_DST_PORT: - status = acl_entry_port_to_vpp_acl_rule(attr_id, value, rule); - break; + if (rule->proto != 0 && rule->proto != IPPROTO_TCP) { + SWSS_LOG_ERROR( + "Conflicting protocol settings: " + "src/dst port requires TCP, but proto is already set to %u", + rule->proto); + return SAI_STATUS_FAILURE; + } + rule->proto = IPPROTO_TCP; + status = acl_entry_port_to_vpp_acl_rule(attr_id, value, rule); + break; case SAI_ACL_ENTRY_ATTR_FIELD_IP_PROTOCOL: - rule->proto = value->aclfield.data.u8 & value->aclfield.mask.u8; - status = SAI_STATUS_SUCCESS; - break; + if (rule->proto != 0 && rule->proto != (value->aclfield.data.u8 & value->aclfield.mask.u8)) { + SWSS_LOG_ERROR( + "Conflicting protocol settings: " + "IP_PROTOCOL specified but proto is already set to %u", + 
rule->proto); + return SAI_STATUS_FAILURE; + } + rule->proto = value->aclfield.data.u8 & value->aclfield.mask.u8; + status = SAI_STATUS_SUCCESS; + break; + + case SAI_ACL_ENTRY_ATTR_FIELD_TCP_FLAGS: + if (rule->proto != 0 && rule->proto != IPPROTO_TCP) { + SWSS_LOG_ERROR( + "Conflicting protocol settings: " + "TCP flags require TCP, but proto is already set to %u", + rule->proto); + return SAI_STATUS_FAILURE; + } + rule->proto = IPPROTO_TCP; + rule->tcp_flags_mask = value->aclfield.mask.u8; + rule->tcp_flags_value = value->aclfield.data.u8; + break; + + case SAI_ACL_ENTRY_ATTR_FIELD_IPV6_NEXT_HEADER: + if (rule->proto != 0 && rule->proto != (value->aclfield.data.u8 & value->aclfield.mask.u8)) { + SWSS_LOG_ERROR( + "Conflicting protocol settings: " + "IPV6_NEXT_HEADER specified but proto is already set to %u", + rule->proto); + return SAI_STATUS_FAILURE; + } + rule->proto = value->aclfield.data.u8 & value->aclfield.mask.u8; + break; case SAI_ACL_ENTRY_ATTR_ACTION_PACKET_ACTION: - acl_rule_set_action(value, rule); - break; + acl_rule_set_action(value, rule); + break; + + case SAI_ACL_ENTRY_ATTR_PRIORITY: + case SAI_ACL_ENTRY_ATTR_TABLE_ID: + case SAI_ACL_ENTRY_ATTR_ADMIN_STATE: + case SAI_ACL_TABLE_ATTR_FIELD_ETHER_TYPE: + case SAI_ACL_ENTRY_ATTR_ACTION_COUNTER: + // NOOP here - these are either handled elsewhere or not currently applicable + break; + default: + SWSS_LOG_ERROR("Unhandled ACL entry attribute ID: %d", attr_id); break; } 
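Review bot: The new `SAI_ACL_ENTRY_ATTR_FIELD_TCP_FLAGS` and `SAI_ACL_ENTRY_ATTR_FIELD_IPV6_NEXT_HEADER` cases never assign `status`, while the neighbouring IP_PROTOCOL case explicitly sets `status = SAI_STATUS_SUCCESS;`; unless `status` is initialised to success before the switch (outside the hunk), these two fields return a stale value and the caller rejects or mis-reports the rule, so add `status = SAI_STATUS_SUCCESS;` before the `break` in both. `SAI_ACL_TABLE_ATTR_FIELD_ETHER_TYPE` is a table-attribute enumerator inside a switch over `sai_acl_entry_attr_t` (the caller casts `attr->id` to that type); if its numeric value coincides with an entry attribute, that attribute is silently ignored, and `SAI_ACL_ENTRY_ATTR_FIELD_ETHER_TYPE` looks like the intended constant, please confirm. Every conflict check uses `rule->proto == 0` as "unset", which cannot distinguish an explicit IP_PROTOCOL match of 0 from no protocol at all; a separate flag in the rule would remove that ambiguity. acl_rule_field_update starts and ends outside the hunk.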
@@ -810,6 +886,16 @@ sai_status_t SwitchStateBase::fill_acl_rules( status = acl_rule_field_update((sai_acl_entry_attr_t) attr->id, &attr->value, rule); } + if (rule && (rule->srcport_or_icmptype_first != 0 || rule->dstport_or_icmpcode_first != 0)) { + SWSS_LOG_DEBUG( + "Attribute %d ranges: " + "srcport_or_icmptype = %u - %u, " + "dstport_or_icmpcode = %u - %u", + attr->id, + rule->srcport_or_icmptype_first, rule->srcport_or_icmptype_last, + rule->dstport_or_icmpcode_first, rule->dstport_or_icmpcode_last); + } + if(status != SAI_STATUS_SUCCESS) { SWSS_LOG_ERROR("Failed to fill acl rule, status: %d", status); return SAI_STATUS_FAILURE; diff --git a/saivpp/src/SwitchStateBaseRif.cpp b/saivpp/src/SwitchStateBaseRif.cpp index e8a6552..348476d 100644 --- a/saivpp/src/SwitchStateBaseRif.cpp +++ b/saivpp/src/SwitchStateBaseRif.cpp @@ -142,7 +142,7 @@ bool vpp_get_intf_name_for_prefix ( if (ifname.length() != 0) { - SWSS_LOG_NOTICE("%s interface name with prefix %s is %s", (is_v6 ? "IPv6" : "IPv4"), prefix.to_string(), ifname.c_str()); + SWSS_LOG_NOTICE("%s interface name with prefix %s is %s", (is_v6 ? "IPv6" : "IPv4"), prefix.to_string().c_str(), ifname.c_str()); return true; } else { return false; diff --git a/saivpp/src/vppxlate/SaiVppXlate.c b/saivpp/src/vppxlate/SaiVppXlate.c index 212b3d3..4c43ffa 100644 --- a/saivpp/src/vppxlate/SaiVppXlate.c +++ b/saivpp/src/vppxlate/SaiVppXlate.c @@ -617,7 +617,7 @@ vl_api_want_interface_events_reply_t_handler (vl_api_want_interface_events_reply set_reply_status(ntohl(msg->retval)); SAIVPP_DEBUG("sw interface events enable %s(%d)", - msg->retval ? "failed" : "successful", msg->retval); + msg->retval ? "failed" : "successful", ntohl(msg->retval)); } static void 
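Review bot: The new debug block guards on `rule &&`, but `rule` was passed unguarded to `acl_rule_field_update` on the line just above, so the null check is either redundant or too late; move it before the call or drop it. The block also runs before `status` is examined, so a rejected attribute still prints its ranges as if accepted, which misleads during triage; log after the status check or include `status` in the message. fill_acl_rules starts and ends outside the hunk.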
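Review bot: Passing a `std::string` through a C variadic `%s` argument, as the removed line did, is undefined behaviour and typically prints garbage or crashes rather than the prefix; the fix is right, but it was only found at runtime. If the function behind `SWSS_LOG_NOTICE` does not already carry `__attribute__((format(printf, ...)))`, adding it lets `-Wformat` turn this class of bug into a compile-time diagnostic. vpp_get_intf_name_for_prefix starts and ends outside the hunk.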
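Review bot: Each of these reply handlers (this hunk and every SaiVppXlate.c hunk through the bfd udp del handler) now calls `set_reply_status(ntohl(msg->retval))` and then logs with a ternary that still tests the unconverted `msg->retval` while printing the converted one; zero is zero in either byte order so the text is correct, but the mixed forms invite the next copy-paste to get it wrong. Converting once, `int32_t rv = (int32_t) ntohl(msg->retval);`, and using `rv` in both places is clearer, and with twenty-odd identical bodies a small `static void log_reply(const char *what, int32_t rv)` called after `set_reply_status` would remove the duplication. The commented-out `//SAIVPP_ERROR(...)` lines in the l2 and l2fib handlers were edited rather than deleted; dead code that is still being maintained should simply be removed.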
@@ -728,7 +728,7 @@ vl_api_create_subif_reply_t_handler (vl_api_create_subif_reply_t *msg) set_reply_status(ntohl(msg->retval)); - SAIVPP_DEBUG("subinterface creation %s(%d)", msg->retval ? "failed" : "successful", msg->retval); + SAIVPP_DEBUG("subinterface creation %s(%d)", msg->retval ? "failed" : "successful", ntohl(msg->retval)); } static void @@ -736,7 +736,7 @@ vl_api_delete_subif_reply_t_handler (vl_api_delete_subif_reply_t *msg) { set_reply_status(ntohl(msg->retval)); - SAIVPP_DEBUG("subinterface deletion %s(%d)", msg->retval ? "failed" : "successful", msg->retval); + SAIVPP_DEBUG("subinterface deletion %s(%d)", msg->retval ? "failed" : "successful", ntohl(msg->retval)); } static void @@ -744,7 +744,7 @@ vl_api_sw_interface_set_table_reply_t_handler (vl_api_sw_interface_set_table_rep { set_reply_status(ntohl(msg->retval)); - SAIVPP_DEBUG("sw interface vrf set %s(%d)", msg->retval ? "failed" : "successful", msg->retval); + SAIVPP_DEBUG("sw interface vrf set %s(%d)", msg->retval ? "failed" : "successful", ntohl(msg->retval)); } static void @@ -752,7 +752,7 @@ vl_api_sw_interface_add_del_address_reply_t_handler (vl_api_sw_interface_add_del { set_reply_status(ntohl(msg->retval)); - SAIVPP_DEBUG("sw interface address add/del %s(%d)", msg->retval ? "failed" : "successful", msg->retval); + SAIVPP_DEBUG("sw interface address add/del %s(%d)", msg->retval ? "failed" : "successful", ntohl(msg->retval)); } static void @@ -760,7 +760,7 @@ vl_api_sw_interface_set_flags_reply_t_handler (vl_api_sw_interface_set_flags_rep { set_reply_status(ntohl(msg->retval)); - SAIVPP_DEBUG("sw interface state set %s(%d)", msg->retval ? "failed" : "successful", msg->retval); + SAIVPP_DEBUG("sw interface state set %s(%d)", msg->retval ? "failed" : "successful", ntohl(msg->retval)); } static void 
@@ -768,21 +768,21 @@ vl_api_sw_interface_set_mtu_reply_t_handler (vl_api_sw_interface_set_mtu_reply_t { set_reply_status(ntohl(msg->retval)); - SAIVPP_DEBUG("sw interface mtu set %s(%d)", msg->retval ? "failed" : "successful", msg->retval); + SAIVPP_DEBUG("sw interface mtu set %s(%d)", msg->retval ? "failed" : "successful", ntohl(msg->retval)); } static void vl_api_sw_interface_set_mac_address_reply_t_handler (vl_api_sw_interface_set_mac_address_reply_t *msg) { set_reply_status(ntohl(msg->retval)); - SAIVPP_DEBUG("sw interface mac set %s(%d)", msg->retval ? "failed" : "successful", msg->retval); + SAIVPP_DEBUG("sw interface mac set %s(%d)", msg->retval ? "failed" : "successful", ntohl(msg->retval)); } static void vl_api_hw_interface_set_mtu_reply_t_handler (vl_api_hw_interface_set_mtu_reply_t *msg) { set_reply_status(ntohl(msg->retval)); - SAIVPP_DEBUG("hw interface mtu set %s(%d)", msg->retval ? "failed" : "successful", msg->retval); + SAIVPP_DEBUG("hw interface mtu set %s(%d)", msg->retval ? "failed" : "successful", ntohl(msg->retval)); } static void @@ -790,7 +790,7 @@ vl_api_ip_table_add_del_reply_t_handler (vl_api_ip_table_add_del_reply_t *msg) { set_reply_status(ntohl(msg->retval)); - SAIVPP_DEBUG("ip vrf add %s(%d)", msg->retval ? "failed" : "successful", msg->retval); + SAIVPP_DEBUG("ip vrf add %s(%d)", msg->retval ? "failed" : "successful", ntohl(msg->retval)); } static void @@ -798,7 +798,7 @@ vl_api_ip_route_add_del_reply_t_handler (vl_api_ip_route_add_del_reply_t *msg) { set_reply_status(ntohl(msg->retval)); - SAIVPP_DEBUG("ip route add %s(%d)", msg->retval ? "failed" : "successful", msg->retval); + SAIVPP_DEBUG("ip route add %s(%d)", msg->retval ? "failed" : "successful", ntohl(msg->retval)); } static void 
@@ -807,7 +807,7 @@ vl_api_sw_interface_ip6_enable_disable_reply_t_handler( { set_reply_status(ntohl(msg->retval)); - SAIVPP_DEBUG("ip6 enable/disable %s(%d)", msg->retval ? "failed" : "successful", msg->retval); + SAIVPP_DEBUG("ip6 enable/disable %s(%d)", msg->retval ? "failed" : "successful", ntohl(msg->retval)); } static void @@ -815,7 +815,7 @@ vl_api_set_ip_flow_hash_v2_reply_t_handler (vl_api_ip_route_add_del_reply_t *msg { set_reply_status(ntohl(msg->retval)); - SAIVPP_DEBUG("ip flow has set %s(%d)", msg->retval ? "failed" : "successful", msg->retval); + SAIVPP_DEBUG("ip flow has set %s(%d)", msg->retval ? "failed" : "successful", ntohl(msg->retval)); } static void @@ -823,7 +823,7 @@ vl_api_ip_neighbor_add_del_reply_t_handler (vl_api_ip_neighbor_add_del_reply_t * { set_reply_status(ntohl(msg->retval)); - SAIVPP_DEBUG("ip neighbor add/del %s(%d)", msg->retval ? "failed" : "successful", msg->retval); + SAIVPP_DEBUG("ip neighbor add/del %s(%d)", msg->retval ? "failed" : "successful", ntohl(msg->retval)); } static void @@ -831,8 +831,8 @@ vl_api_bridge_domain_add_del_reply_t_handler (vl_api_bridge_domain_add_del_reply { set_reply_status(ntohl(msg->retval)); - SAIVPP_DEBUG("l2 add/del %s(%d)", msg->retval ? "failed" : "successful", msg->retval); - //SAIVPP_ERROR("l2 add del reply handler called %s(%d)",msg->retval ? "failed" : "successful", msg->retval); + SAIVPP_DEBUG("l2 add/del %s(%d)", msg->retval ? "failed" : "successful", ntohl(msg->retval)); + //SAIVPP_ERROR("l2 add del reply handler called %s(%d)",msg->retval ? "failed" : "successful", ntohl(msg->retval)); } static void 
@@ -840,8 +840,8 @@ vl_api_sw_interface_set_l2_bridge_reply_t_handler (vl_api_sw_interface_set_l2_br { set_reply_status(ntohl(msg->retval)); - SAIVPP_DEBUG("sw inteface set l2 bridge reply handler %s(%d)", msg->retval ? "failed" : "successful", msg->retval); - //SAIVPP_ERROR("l2 add del reply handler called %s(%d)",msg->retval ? "failed" : "successful", msg->retval); + SAIVPP_DEBUG("sw inteface set l2 bridge reply handler %s(%d)", msg->retval ? "failed" : "successful", ntohl(msg->retval)); + //SAIVPP_ERROR("l2 add del reply handler called %s(%d)",msg->retval ? "failed" : "successful", ntohl(msg->retval)); } static void @@ -849,8 +849,8 @@ vl_api_l2_interface_vlan_tag_rewrite_reply_t_handler (vl_api_l2_interface_vlan_t { set_reply_status(ntohl(msg->retval)); - SAIVPP_DEBUG("l2 interface vlan tag rewrite reply handler %s(%d)", msg->retval ? "failed" : "successful", msg->retval); - //SAIVPP_ERROR("l2 add del reply handler called %s(%d)",msg->retval ? "failed" : "successful", msg->retval); + SAIVPP_DEBUG("l2 interface vlan tag rewrite reply handler %s(%d)", msg->retval ? "failed" : "successful", ntohl(msg->retval)); + //SAIVPP_ERROR("l2 add del reply handler called %s(%d)",msg->retval ? "failed" : "successful", ntohl(msg->retval)); } static void @@ -858,7 +858,7 @@ vl_api_bvi_create_reply_t_handler (vl_api_bvi_create_reply_t *msg) { set_reply_status(ntohl(msg->retval)); - SAIVPP_WARN("bvi create reply handler %s(%d)", msg->retval ? "failed" : "successful", msg->retval); + SAIVPP_WARN("bvi create reply handler %s(%d)", msg->retval ? "failed" : "successful", ntohl(msg->retval)); } static void @@ -866,7 +866,7 @@ vl_api_bvi_delete_reply_t_handler (vl_api_bvi_delete_reply_t *msg) { set_reply_status(ntohl(msg->retval)); - SAIVPP_WARN("bvi delete reply handler %s(%d)", msg->retval ? "failed" : "successful", msg->retval); + SAIVPP_WARN("bvi delete reply handler %s(%d)", msg->retval ? "failed" : "successful", ntohl(msg->retval)); } static void 
@@ -874,7 +874,7 @@ vl_api_bridge_flags_reply_t_handler (vl_api_bridge_flags_reply_t *msg) { set_reply_status(ntohl(msg->retval)); - SAIVPP_WARN("bridge flags reply handler %s(%d)", msg->retval ? "failed" : "successful", msg->retval); + SAIVPP_WARN("bridge flags reply handler %s(%d)", msg->retval ? "failed" : "successful", ntohl(msg->retval)); } static void @@ -882,8 +882,8 @@ vl_api_l2fib_add_del_reply_t_handler (vl_api_l2fib_add_del_reply_t *msg) { set_reply_status(ntohl(msg->retval)); - SAIVPP_DEBUG("l2fib add del reply handler %s(%d)", msg->retval ? "failed" : "successful", msg->retval); - //SAIVPP_ERROR("l2fib add del reply handler %s(%d)",msg->retval ? "failed" : "successful", msg->retval); + SAIVPP_DEBUG("l2fib add del reply handler %s(%d)", msg->retval ? "failed" : "successful", ntohl(msg->retval)); + //SAIVPP_ERROR("l2fib add del reply handler %s(%d)",msg->retval ? "failed" : "successful", ntohl(msg->retval)); } static void @@ -891,8 +891,8 @@ vl_api_l2fib_flush_all_reply_t_handler (vl_api_l2fib_flush_all_reply_t *msg) { set_reply_status(ntohl(msg->retval)); - SAIVPP_DEBUG("l2fib flush all reply handler %s(%d)", msg->retval ? "failed" : "successful", msg->retval); - //SAIVPP_ERROR("l2fib flush all reply handler %s(%d)",msg->retval ? "failed" : "successful", msg->retval); + SAIVPP_DEBUG("l2fib flush all reply handler %s(%d)", msg->retval ? "failed" : "successful", ntohl(msg->retval)); + //SAIVPP_ERROR("l2fib flush all reply handler %s(%d)",msg->retval ? "failed" : "successful", ntohl(msg->retval)); } static void 
@@ -900,8 +900,8 @@ vl_api_l2fib_flush_int_reply_t_handler (vl_api_l2fib_flush_int_reply_t *msg) { set_reply_status(ntohl(msg->retval)); - SAIVPP_DEBUG("l2fib flush int reply handler %s(%d)", msg->retval ? "failed" : "successful", msg->retval); - //SAIVPP_ERROR("l2fib flush int reply handler %s(%d)",msg->retval ? "failed" : "successful", msg->retval); + SAIVPP_DEBUG("l2fib flush int reply handler %s(%d)", msg->retval ? "failed" : "successful", ntohl(msg->retval)); + //SAIVPP_ERROR("l2fib flush int reply handler %s(%d)",msg->retval ? "failed" : "successful", ntohl(msg->retval)); } @@ -910,8 +910,8 @@ vl_api_l2fib_flush_bd_reply_t_handler (vl_api_l2fib_flush_bd_reply_t *msg) { set_reply_status(ntohl(msg->retval)); - SAIVPP_DEBUG("l2fib flush bd reply handler %s(%d)", msg->retval ? "failed" : "successful", msg->retval); - //SAIVPP_ERROR("l2fib flush bd reply handler %s(%d)",msg->retval ? "failed" : "successful", msg->retval); + SAIVPP_DEBUG("l2fib flush bd reply handler %s(%d)", msg->retval ? "failed" : "successful", ntohl(msg->retval)); + //SAIVPP_ERROR("l2fib flush bd reply handler %s(%d)",msg->retval ? "failed" : "successful", ntohl(msg->retval)); } @@ -920,7 +920,7 @@ vl_api_bfd_udp_add_reply_t_handler (vl_api_bfd_udp_add_reply_t *msg) { set_reply_status(ntohl(msg->retval)); - SAIVPP_DEBUG("bfd udp add reply handler %s(%d)", msg->retval ? "failed" : "successful", msg->retval); + SAIVPP_DEBUG("bfd udp add reply handler %s(%d)", msg->retval ? "failed" : "successful", ntohl(msg->retval)); } @@ -929,7 +929,7 @@ vl_api_bfd_udp_del_reply_t_handler (vl_api_bfd_udp_del_reply_t *msg) { set_reply_status(ntohl(msg->retval)); - SAIVPP_DEBUG("bfd udp del reply handler %s(%d)", msg->retval ? "failed" : "successful", msg->retval); + SAIVPP_DEBUG("bfd udp del reply handler %s(%d)", msg->retval ? "failed" : "successful", ntohl(msg->retval)); } 
@@ -938,7 +938,7 @@ vl_api_want_bfd_events_reply_t_handler (vl_api_want_bfd_events_reply_t *msg) { set_reply_status(ntohl(msg->retval)); - SAIVPP_DEBUG("bfd events enable %s(%d)", msg->retval ? "failed" : "successful", msg->retval); + SAIVPP_DEBUG("bfd events enable %s(%d)", msg->retval ? "failed" : "successful", ntohl(msg->retval)); } static void @@ -946,7 +946,7 @@ vl_api_bfd_udp_enable_multihop_reply_t_handler (vl_api_bfd_udp_enable_multihop_r { set_reply_status(ntohl(msg->retval)); - SAIVPP_DEBUG("bfd enable multihop %s(%d)", msg->retval ? "failed" : "successful", msg->retval); + SAIVPP_DEBUG("bfd enable multihop %s(%d)", msg->retval ? "failed" : "successful", ntohl(msg->retval)); } static void @@ -1022,7 +1022,7 @@ vl_api_tunterm_acl_add_replace_reply_t_handler(vl_api_tunterm_acl_add_replace_re *tunterm_index = ntohl(msg->tunterm_acl_index); SAIVPP_DEBUG("tunterm acl add_replace %s(%d) tunterm_index index %u", msg->retval ? "failed" : "successful", - msg->retval, *tunterm_index); + ntohl(msg->retval), *tunterm_index); release_index(msg->context); } @@ -1031,7 +1031,7 @@ vl_api_tunterm_acl_del_reply_t_handler(vl_api_tunterm_acl_del_reply_t *msg) { set_reply_status(ntohl(msg->retval)); - SAIVPP_DEBUG("tunterm acl del %s(%d)", msg->retval ? "failed" : "successful", msg->retval); + SAIVPP_DEBUG("tunterm acl del %s(%d)", msg->retval ? "failed" : "successful", ntohl(msg->retval)); } static void @@ -1040,7 +1040,7 @@ vl_api_tunterm_acl_interface_add_del_reply_t_handler(vl_api_tunterm_acl_interfac set_reply_status(ntohl(msg->retval)); SAIVPP_DEBUG("tunterm acl interface set/reset %s(%d)", msg->retval ? "failed" : "successful", - msg->retval); + ntohl(msg->retval)); } static void 
@@ -1053,13 +1053,13 @@ vl_api_bond_create_reply_t_handler (vl_api_bond_create_reply_t *msg) *swif_idx = ntohl(msg->sw_if_index); } - SAIVPP_WARN("bond add %s(%d)", msg->retval ? "failed" : "successful", msg->retval); + SAIVPP_WARN("bond add %s(%d)", msg->retval ? "failed" : "successful", ntohl(msg->retval)); if (!msg->retval) { uint32_t bond_if_index = ntohl(msg->sw_if_index); SAIVPP_WARN("created bond if index%d", bond_if_index); } - //SAIVPP_ERROR("l2 add del reply handler called %s(%d)",msg->retval ? "failed" : "successful", msg->retval); + //SAIVPP_ERROR("l2 add del reply handler called %s(%d)",msg->retval ? "failed" : "successful", ntohl(msg->retval)); } @@ -1068,7 +1068,7 @@ vl_api_bond_delete_reply_t_handler (vl_api_bond_delete_reply_t *msg) { set_reply_status(ntohl(msg->retval)); - SAIVPP_WARN("bond delete %s(%d)", msg->retval ? "failed" : "successful", msg->retval); + SAIVPP_WARN("bond delete %s(%d)", msg->retval ? "failed" : "successful", ntohl(msg->retval)); } static void @@ -1076,7 +1076,7 @@ vl_api_bond_add_member_reply_t_handler (vl_api_bond_add_member_reply_t *msg) { set_reply_status(ntohl(msg->retval)); - SAIVPP_WARN("bond add member %s(%d)", msg->retval ? "failed" : "successful", msg->retval); + SAIVPP_WARN("bond add member %s(%d)", msg->retval ? "failed" : "successful", ntohl(msg->retval)); } static void @@ -1084,7 +1084,7 @@ vl_api_bond_detach_member_reply_t_handler (vl_api_bond_detach_member_reply_t *ms { set_reply_status(ntohl(msg->retval)); - SAIVPP_WARN("bond detach member %s(%d)", msg->retval ? "failed" : "successful", msg->retval); + SAIVPP_WARN("bond detach member %s(%d)", msg->retval ? "failed" : "successful", ntohl(msg->retval)); } static void 
@@ -1093,7 +1093,7 @@ vl_api_sr_localsid_add_del_reply_t_handler(vl_api_sr_localsid_add_del_reply_t *m set_reply_status(ntohl(msg->retval)); SAIVPP_DEBUG("sr local sid add/del %s(%d)", - msg->retval ? "failed" : "successful", msg->retval); + msg->retval ? "failed" : "successful", ntohl(msg->retval)); } static void @@ -1102,7 +1102,7 @@ vl_api_sr_policy_add_v2_reply_t_handler(vl_api_sr_policy_add_v2_reply_t *msg) set_reply_status(ntohl(msg->retval)); SAIVPP_DEBUG("sr policy add %s(%d)", - msg->retval ? "failed" : "successful", msg->retval); + msg->retval ? "failed" : "successful", ntohl(msg->retval)); } static void @@ -1111,7 +1111,7 @@ vl_api_sr_policy_del_reply_t_handler(vl_api_sr_policy_del_reply_t *msg) set_reply_status(ntohl(msg->retval)); SAIVPP_DEBUG("sr policy del %s(%d)", - msg->retval ? "failed" : "successful", msg->retval); + msg->retval ? "failed" : "successful", ntohl(msg->retval)); } static void @@ -1120,7 +1120,7 @@ vl_api_sr_steering_add_del_reply_t_handler(vl_api_sr_steering_add_del_reply_t *m set_reply_status(ntohl(msg->retval)); SAIVPP_DEBUG("sr steer add/del %s(%d)", - msg->retval ? "failed" : "successful", msg->retval); + msg->retval ? "failed" : "successful", ntohl(msg->retval)); } static void @@ -1129,7 +1129,7 @@ vl_api_sr_set_encap_source_reply_t_handler(vl_api_sr_set_encap_source_reply_t *m set_reply_status(ntohl(msg->retval)); SAIVPP_DEBUG("sr set encap source %s(%d)", - msg->retval ? "failed" : "successful", msg->retval); + msg->retval ? "failed" : "successful", ntohl(msg->retval)); } #define vl_api_get_first_msg_id_reply_t_handler vl_noop_handler 
@@ -1248,14 +1248,14 @@ static void vl_api_lcp_itf_pair_add_del_reply_t_handler(vl_api_lcp_itf_pair_add_ { set_reply_status(ntohl(msg->retval)); - SAIVPP_DEBUG("linux_cp hostif creation %s(%d)", msg->retval ? "failed" : "successful", msg->retval); + SAIVPP_DEBUG("linux_cp hostif creation %s(%d)", msg->retval ? "failed" : "successful", ntohl(msg->retval)); } static void vl_api_lcp_ethertype_enable_reply_t_handler(vl_api_lcp_ethertype_enable_reply_t *msg) { set_reply_status(ntohl(msg->retval)); - SAIVPP_WARN("linux_cp ethertype enabled %s(%d)", msg->retval ? "failed" : "successful", msg->retval); + SAIVPP_WARN("linux_cp ethertype enabled %s(%d)", msg->retval ? "failed" : "successful", ntohl(msg->retval)); } static void vl_api_acl_add_replace_reply_t_handler(vl_api_acl_add_replace_reply_t *msg) @@ -1266,7 +1266,7 @@ static void vl_api_acl_add_replace_reply_t_handler(vl_api_acl_add_replace_reply_ *acl_index = ntohl(msg->acl_index); SAIVPP_DEBUG("acl add_replace %s(%d) acl index %u", msg->retval ? "failed" : "successful", - msg->retval, *acl_index); + ntohl(msg->retval), *acl_index); release_index(msg->context); } @@ -1274,7 +1274,7 @@ static void vl_api_acl_del_reply_t_handler(vl_api_acl_del_reply_t *msg) { set_reply_status(ntohl(msg->retval)); - SAIVPP_DEBUG("acl del %s(%d)", msg->retval ? "failed" : "successful", msg->retval); + SAIVPP_DEBUG("acl del %s(%d)", msg->retval ? "failed" : "successful", ntohl(msg->retval)); } static void @@ -1291,7 +1291,7 @@ vl_api_acl_interface_add_del_reply_t_handler(vl_api_acl_interface_add_del_reply_ set_reply_status(ntohl(msg->retval)); SAIVPP_DEBUG("acl interface set/reset %s(%d)", msg->retval ? "failed" : "successful", - msg->retval); + ntohl(msg->retval)); } #define LCP_MSG_ID(id) \ 
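Review bot: In the vl_api_acl_add_replace_reply_t_handler hunk, `*acl_index = ntohl(msg->acl_index);` is written before the log line regardless of `msg->retval` as far as the hunk shows; if the lines above the hunk do not already guard this on a successful retval, a failed add/replace stores whatever VPP left in `acl_index` (commonly ~0) into the caller's slot, and a later delete could target a bogus index. If that guard is absent, `if (msg->retval == 0) { *acl_index = ntohl(msg->acl_index); }` before the log, with the log still reporting `ntohl(msg->acl_index)` for diagnostics, keeps the caller's index untouched on failure. The same question applies to the tunterm_acl add_replace handler earlier in the diff. The handler's body starts outside the hunk, so this is a point to confirm rather than a certain defect.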
@@ -2158,8 +2158,8 @@ int vpp_acl_add_replace (vpp_acl_t *in_acl, uint32_t *acl_index, bool is_replace
 memcpy(api_addr->un.ip6, &ip6->sin6_addr.s6_addr, sizeof(api_addr->un.ip6));
 vpp_rule->src_prefix.len = ipv6_mask_len(in_rule->src_prefix_mask.addr.ip6.sin6_addr.s6_addr);
 } else {
- SAIVPP_WARN("Unknown protocol in source prefix");
- /* return -EINVAL; */
+ memset(api_addr, 0, sizeof(*api_addr));
+ vpp_rule->src_prefix.len = 0;
 }
 
 addr = &in_rule->dst_prefix;
@@ -2176,8 +2176,8 @@ int vpp_acl_add_replace (vpp_acl_t *in_acl, uint32_t *acl_index, bool is_replace
 memcpy(api_addr->un.ip6, &ip6->sin6_addr.s6_addr, sizeof(api_addr->un.ip6));
 vpp_rule->dst_prefix.len = ipv6_mask_len(in_rule->dst_prefix_mask.addr.ip6.sin6_addr.s6_addr);
 } else {
- SAIVPP_WARN("Unknown protocol in destination prefix");
- /* return -EINVAL; */
+ memset(api_addr, 0, sizeof(*api_addr));
+ vpp_rule->dst_prefix.len = 0;
 }
 
 vpp_rule->proto = in_rule->proto;
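Review bot: The fallback branch now turns a source prefix whose address family is neither IPv4 nor IPv6 into a zero-length, match-any prefix and drops the warning that used to accompany the commented-out `return -EINVAL`. If an unset family is how the caller expresses "no IP match" (a port- or protocol-only rule) that is the right encoding, but a genuinely unsupported or corrupted family value now silently widens the rule to every source address, which for a permit rule means a blanket permit on that ACL. I'd keep a log line in the branch, `SAIVPP_DEBUG("No IPv4/IPv6 source prefix in rule, matching any source");`, and if the family field can distinguish "unset" from an unknown value, reject the unknown case with `return -EINVAL;` rather than zeroing it. The destination-prefix hunk at @@ -2176 makes the identical change and has the identical concern. vpp_acl_add_replace starts and ends outside the hunk, so whether the caller can ever pass an unset family is not visible here.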
@@ -2185,7 +2185,42 @@ int vpp_acl_add_replace (vpp_acl_t *in_acl, uint32_t *acl_index, bool is_replace
 vpp_rule->srcport_or_icmptype_last = htons(in_rule->srcport_or_icmptype_last);
 vpp_rule->dstport_or_icmpcode_first = htons(in_rule->dstport_or_icmpcode_first);
 vpp_rule->dstport_or_icmpcode_last = htons(in_rule->dstport_or_icmpcode_last);
+
+ if (vpp_rule->proto != 0) {
+ if (vpp_rule->srcport_or_icmptype_first == 0 && vpp_rule->srcport_or_icmptype_last == 0) {
+ vpp_rule->srcport_or_icmptype_first = htons(0);
+ vpp_rule->srcport_or_icmptype_last = htons(0xFFFF);
+ }
+ if (vpp_rule->dstport_or_icmpcode_first == 0 && vpp_rule->dstport_or_icmpcode_last == 0) {
+ vpp_rule->dstport_or_icmpcode_first = htons(0);
+ vpp_rule->dstport_or_icmpcode_last = htons(0xFFFF);
+ }
+ }
+
+ vpp_rule->tcp_flags_mask = in_rule->tcp_flags_mask;
+ vpp_rule->tcp_flags_value = in_rule->tcp_flags_value;
 vpp_rule->is_permit = in_rule->action;
+
+ if (idx != (acl_count - 1) &&
+ vpp_rule->src_prefix.len == 0 &&
+ vpp_rule->dst_prefix.len == 0 &&
+ vpp_rule->proto == 0) {
+ SAIVPP_WARN("WARNING: VPP Rule %u is not last but will match and %s all!",
+ idx, vpp_rule->is_permit ? "permit" : "deny");
+ }
+
+ SAIVPP_DEBUG("VPP Rule %u: proto: %u, "
+ "srcport/icmptype: %u-%u, dstport/icmpcode: %u-%u, "
+ "tcp_flags: mask=0x%x, value=0x%x, action: %s",
+ idx,
+ vpp_rule->proto,
+ ntohs(vpp_rule->srcport_or_icmptype_first),
+ ntohs(vpp_rule->srcport_or_icmptype_last),
+ ntohs(vpp_rule->dstport_or_icmpcode_first),
+ ntohs(vpp_rule->dstport_or_icmpcode_last),
+ vpp_rule->tcp_flags_mask,
+ vpp_rule->tcp_flags_value,
+ vpp_rule->is_permit ? "permit" : "deny");
 }
 
 mp->context = store_ptr(acl_index);
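Review bot: The range defaulting treats `first == 0 && last == 0` as "unset" for every non-zero protocol, but for ICMP and ICMPv6 the same two fields carry type and code, where 0 is a legitimate explicit match (echo reply is type 0, code 0); a rule the caller really meant as "echo reply only" is silently widened to any type / any code, which for a permit rule is a real filtering gap. Unless the caller already distinguishes unset from explicit zero before this point (not visible in the hunk), limit the defaulting to protocols that carry ports, `if (vpp_rule->proto == 6 || vpp_rule->proto == 17) { /* TCP, UDP: 0-0 means no port match */`, or better, add a "ports set" flag to the input rule so an explicit 0-0 is never rewritten. A one-line comment on the `if (vpp_rule->proto != 0)` block stating that the comparison is deliberately done on the htons()'d values (zero is byte-order invariant) would also save the next reader a double-take. vpp_acl_add_replace starts and ends outside the hunk.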