1 /* Hey Emacs use -*- mode: C -*- */
2 /*
3  * Copyright (c) 2016 Cisco and/or its affiliates.
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at:
7  *
8  * http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 /** \file
18  This file defines the vpp control-plane API messages
19  used to control the ACL plugin
20 */
21 
22 option version = "1.0.1";
23 
24 /** \brief Get the plugin version
25  @param client_index - opaque cookie to identify the sender
26  @param context - sender context, to match reply w/ request
27 */
28 
29 define acl_plugin_get_version
30 {
33 };
34 
35 /** \brief Reply to get the plugin version
36  @param context - returned sender context, to match reply w/ request
37  @param major - Incremented every time a known breaking behavior change is introduced
38  @param minor - Incremented with small changes, may be used to avoid buggy versions
39 */
40 
41 define acl_plugin_get_version_reply
42 {
46 };
47 
48 /** \brief Control ping from client to api server request
49  @param client_index - opaque cookie to identify the sender
50  @param context - sender context, to match reply w/ request
51 */
52 define acl_plugin_control_ping
53 {
56 };
57 
58 /** \brief Control ping from the client to the server response
59  @param client_index - opaque cookie to identify the sender
60  @param context - sender context, to match reply w/ request
61  @param retval - return code for the request
62  @param vpe_pid - the pid of the vpe, returned by the server
63 */
64 define acl_plugin_control_ping_reply
65 {
70 };
71 
72 /** \brief Get Connection table max entries
73  @param client_index - opaque cookie to identify the sender
74  @param context - sender context, to match reply w/ request
75 */
76 
77 define acl_plugin_get_conn_table_max_entries
78 {
81 };
82 
83 /** \brief Reply to get connection table max entries
84  @param context - sender context, to match reply w/ request
85  @param conn_table_max_entries - the maximum number of entries in the connection table
86 */
87 define acl_plugin_get_conn_table_max_entries_reply
88 {
91 };
92 
93 /** \brief Access List Rule entry
94  @param is_permit - deny (0), permit (1), or permit+reflect(2) action on this rule.
95  @param is_ipv6 - IP addresses in this rule are IPv6 (1) or IPv4 (0)
96  @param src_ip_addr - Source prefix value
97  @param src_ip_prefix_len - Source prefix length
98  @param dst_ip_addr - Destination prefix value
99  @param dst_ip_prefix_len - Destination prefix length
100  @param proto - L4 protocol (http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml)
101  @param srcport_or_icmptype_first - beginning of source port or ICMP4/6 type range
102  @param srcport_or_icmptype_last - end of source port or ICMP4/6 type range
103  @param dstport_or_icmpcode_first - beginning of destination port or ICMP4/6 code range
104  @param dstport_or_icmpcode_last - end of destination port or ICMP4/6 code range
105  @param tcp_flags_mask - if proto==6, the mask that is ANDed with the TCP flags in the packet before comparison
106  @param tcp_flags_value - if proto==6, the value the masked TCP flags must equal for the rule to match
107 */
108 
109 typeonly manual_print define acl_rule
110 {
113  u8 src_ip_addr[16];
115  u8 dst_ip_addr[16];
117 /*
118  * L4 protocol. IANA number. 1 = ICMP, 58 = ICMPv6, 6 = TCP, 17 = UDP.
119  * 0 => ignore L4 and ignore the ports/tcpflags when matching.
120  */
122 /*
123  * If the L4 protocol is TCP or UDP, the below
124  * hold ranges of ports, else if the L4 is ICMP/ICMPv6
125  * they hold ranges of ICMP(v6) types/codes.
126  *
127  * Ranges are inclusive, i.e. to match "any" TCP/UDP port,
128  * use first=0,last=65535. For ICMP(v6),
129  * use first=0,last=255.
130  */
135 /*
136  * for proto = 6, this matches if the
137  * TCP flags in the packet, ANDed with tcp_flags_mask,
138  * is equal to tcp_flags_value.
139  */
142 };
143 
144 /** \brief MACIP Access List Rule entry
145  @param is_permit - deny (0), permit (1) action on this rule.
146  @param is_ipv6 - IP addresses in this rule are IPv6 (1) or IPv4 (0)
147  @param src_mac - match masked source MAC address against this value
148  @param src_mac_mask - AND source MAC address with this value before matching
149  @param src_ip_addr - Source prefix value
150  @param src_ip_prefix_len - Source prefix length
151 */
152 
153 typeonly manual_print define macip_acl_rule
154 {
157 /*
158  * The source mac of the packet ANDed with src_mac_mask.
159  * The source ip[46] address in the packet is matched
160  * against src_ip_addr, with src_ip_prefix_len set to 0.
161  *
162  * For better performance, minimize the number of
163  * (src_mac_mask, src_ip_prefix_len) combinations
164  * in a MACIP ACL.
165  */
166  u8 src_mac[6];
167  u8 src_mac_mask[6];
168  u8 src_ip_addr[16];
170 };
171 
172 /** \brief Replace an existing ACL in-place or create a new ACL
173  @param client_index - opaque cookie to identify the sender
174  @param context - sender context, to match reply w/ request
175  @param acl_index - an existing ACL entry (0..0xfffffffe) to replace, or 0xffffffff to make new ACL
176  @param tag - a string value stored along with the ACL, for descriptive purposes
177  @param count - number of ACL rules
178  @param r - Rules for this access-list
179 */
180 
181 manual_print manual_endian define acl_add_replace
182 {
185  u32 acl_index; /* ~0 to add, existing ACL# to replace */
186  u8 tag[64]; /* What gets in here gets out in the corresponding tag field when dumping the ACLs. */
189 };
190 
191 /** \brief Reply to add/replace ACL
192  @param context - returned sender context, to match reply w/ request
193  @param acl_index - index of the updated or newly created ACL
194  @param retval 0 - no error
195 */
196 
197 define acl_add_replace_reply
198 {
202 };
203 
204 /** \brief Delete an ACL
205  @param client_index - opaque cookie to identify the sender
206  @param context - sender context, to match reply w/ request
207  @param acl_index - ACL index to delete
208 */
209 
210 autoreply manual_print define acl_del
211 {
215 };
216 
217 /* acl_interface_add_del(_reply) is deprecated in favour of acl_interface_set_acl_list */
218 /** \brief Use acl_interface_set_acl_list instead
219  Append/remove an ACL index to/from the list of ACLs checked for an interface
220  @param client_index - opaque cookie to identify the sender
221  @param context - sender context, to match reply w/ request
222  @param is_add - add or delete the ACL index from the list
223  @param is_input - check the ACL on input (1) or output (0)
224  @param sw_if_index - the interface to alter the list of ACLs on
225  @param acl_index - index of ACL for the operation
226 */
227 
228 autoreply manual_print define acl_interface_add_del
229 {
233 /*
234  * is_input = 0 => ACL applied on interface egress
235  * is_input = 1 => ACL applied on interface ingress
236  */
240 };
241 
242 /** \brief Set the vector of input/output ACLs checked for an interface
243  @param client_index - opaque cookie to identify the sender
244  @param context - sender context, to match reply w/ request
245  @param sw_if_index - the interface to alter the list of ACLs on
246  @param count - total number of ACL indices in the vector
247  @param n_input - the first n_input elements of the vector are input ACLs, the remaining elements are output ACLs
248  @param acls - vector of ACL indices
249 */
250 
251 autoreply manual_print define acl_interface_set_acl_list
252 {
257  u8 n_input; /* First n_input ACLs are set as a list of input ACLs, the rest are applied as output */
258  u32 acls[count];
259 };
260 
261 /** \brief Reply to set the ACL list on an interface
262  @param context - returned sender context, to match reply w/ request
263  @param retval 0 - no error
264 */
265 
266 /** \brief Dump the specific ACL contents or all of the ACLs' contents
267  @param client_index - opaque cookie to identify the sender
268  @param context - sender context, to match reply w/ request
269  @param acl_index - ACL index to dump, ~0 to dump all ACLs
270 */
271 
272 define acl_dump
273 {
276  u32 acl_index; /* ~0 for all ACLs */
277 };
278 
279 /** \brief Details about a single ACL contents
280  @param context - returned sender context, to match reply w/ request
281  @param acl_index - ACL index whose contents are being sent in this message
282  @param tag - Descriptive tag value which was supplied at ACL creation
283  @param count - Number of rules in this ACL
284  @param r - Array of rules within this ACL
285 */
286 
287 manual_endian manual_print define acl_details
288 {
291  u8 tag[64]; /* Same blob that was supplied to us when creating the ACL, one hopes. */
294 };
295 
296 /** \brief Dump the list(s) of ACL applied to specific or all interfaces
297  @param client_index - opaque cookie to identify the sender
298  @param context - sender context, to match reply w/ request
299  @param sw_if_index - interface to dump the ACL list for
300 */
301 
302 define acl_interface_list_dump
303 {
306  u32 sw_if_index; /* ~0 for all interfaces */
307 };
308 
309 /** \brief Details about the list of ACLs applied to a single interface
310  @param context - returned sender context, to match reply w/ request
311  @param sw_if_index - interface for which the list of ACLs is applied
312  @param count - total length of acl indices vector
313  @param n_input - this many of indices in the beginning are input ACLs, the rest - output
314  @param acls - the vector of ACL indices
315 */
316 
317 define acl_interface_list_details
318 {
323  u32 acls[count];
324 };
325 
326 /** \brief Add a MACIP ACL
327  @param client_index - opaque cookie to identify the sender
328  @param context - sender context, to match reply w/ request
329  @param tag - descriptive value for this MACIP ACL
330  @param count - number of rules in this MACIP ACL
331  @param r - vector of MACIP ACL rules
332 */
333 
334 manual_endian manual_print define macip_acl_add
335 {
338  u8 tag[64];
341 };
342 
343 /** \brief Reply to add MACIP ACL
344  @param context - returned sender context, to match reply w/ request
345  @param acl_index - index of the newly created MACIP ACL
346  @param retval 0 - no error
347 */
348 
349 define macip_acl_add_reply
350 {
354 };
355 
356 /** \brief Add/Replace a MACIP ACL
357  @param client_index - opaque cookie to identify the sender
358  @param context - sender context, to match reply w/ request
359  @param acl_index - an existing MACIP ACL entry (0..0xfffffffe) to replace, or 0xffffffff to make new MACIP ACL
360  @param tag - descriptive value for this MACIP ACL
361  @param count - number of rules in this MACIP ACL
362  @param r - vector of MACIP ACL rules
363 */
364 
365 manual_endian manual_print define macip_acl_add_replace
366 {
369  u32 acl_index; /* ~0 to add, existing MACIP ACL# to replace */
370  u8 tag[64];
373 };
374 
375 /** \brief Reply to add/replace MACIP ACL
376  @param context - returned sender context, to match reply w/ request
377  @param acl_index - index of the newly created MACIP ACL
378  @param retval 0 - no error
379 */
380 
381 define macip_acl_add_replace_reply
382 {
386 };
387 
388 /** \brief Delete a MACIP ACL
389  @param client_index - opaque cookie to identify the sender
390  @param context - sender context, to match reply w/ request
391  @param acl_index - MACIP ACL index to delete
392 */
393 
394 autoreply manual_print define macip_acl_del
395 {
399 };
400 
401 /** \brief Add or delete a MACIP ACL to/from interface
402  @param client_index - opaque cookie to identify the sender
403  @param context - sender context, to match reply w/ request
404  @param is_add - add (1) or delete (0) MACIP ACL from being used on an interface
405  @param sw_if_index - interface to apply the action to
406  @param acl_index - MACIP ACL index
407 */
408 
409 autoreply manual_print define macip_acl_interface_add_del
410 {
414  /* MACIP ACLs are always input */
417 };
418 
419 /** \brief Dump one or all defined MACIP ACLs
420  @param client_index - opaque cookie to identify the sender
421  @param context - sender context, to match reply w/ request
422  @param acl_index - MACIP ACL index or ~0 to dump all MACIP ACLs
423 */
424 
425 define macip_acl_dump
426 {
429  u32 acl_index; /* ~0 for all ACLs */
430 };
431 
432 /** \brief Details about one MACIP ACL
433  @param context - returned sender context, to match reply w/ request
434  @param acl_index - index of this MACIP ACL
435  @param tag - descriptive tag which was supplied during the creation
436  @param count - length of the vector of MACIP ACL rules
437  @param r - rules comprising this MACIP ACL
438 */
439 
440 manual_endian manual_print define macip_acl_details
441 {
444  u8 tag[64];
447 };
448 
449 /** \brief Get the vector of MACIP ACL IDs applied to the interfaces
450  @param client_index - opaque cookie to identify the sender
451  @param context - sender context, to match reply w/ request
452 */
453 
454 define macip_acl_interface_get
455 {
458 };
459 
460 /** \brief Reply with the vector of MACIP ACLs by sw_if_index
461  @param context - returned sender context, to match reply w/ request
462  @param count - total number of elements in the vector
463  @param acls - the vector of active MACIP ACL indices per sw_if_index
464 */
465 
466 define macip_acl_interface_get_reply
467 {
470  u32 acls[count];
471 };
472 
473 /** \brief Dump the list(s) of MACIP ACLs applied to specific or all interfaces
474  @param client_index - opaque cookie to identify the sender
475  @param context - sender context, to match reply w/ request
476  @param sw_if_index - interface to dump the MACIP ACL list for
477 */
478 
479 define macip_acl_interface_list_dump
480 {
483  u32 sw_if_index; /* ~0 for all interfaces */
484 };
485 
486 /** \brief Details about the list of MACIP ACLs applied to a single interface
487  @param context - returned sender context, to match reply w/ request
488  @param sw_if_index - interface for which the list of MACIP ACLs is applied
489  @param count - total length of acl indices vector
490  @param acls - the vector of MACIP ACL indices
491 */
492 
493 define macip_acl_interface_list_details
494 {
498  u32 acls[count];
499 };
500 
501 /** \brief Set the ethertype whitelists on an interface. The whitelist takes effect when ACLs are applied to the interface, so it must be set before the ACLs are applied.
502  @param client_index - opaque cookie to identify the sender
503  @param context - sender context, to match reply w/ request
504  @param sw_if_index - the interface to alter the list of ACLs on
505  @param count - total number of whitelisted ethertypes in the vector
506  @param n_input - this many first elements correspond to input whitelisted ethertypes, the rest - output
507  @param whitelist - vector of whitelisted ethertypes
508 */
509 
510 autoreply manual_print define acl_interface_set_etype_whitelist
511 {
515  u8 count; /* Total number of ethertypes in the whitelist */
516  u8 n_input; /* first n_input ethertypes are input, the rest - output */
517  u16 whitelist[count];
518 };
519 
520 /** \brief Dump the list(s) of Ethertype whitelists applied to specific or all interfaces
521  @param client_index - opaque cookie to identify the sender
522  @param context - sender context, to match reply w/ request
523  @param sw_if_index - interface to dump the ethertype whitelist for
524 */
525 
526 define acl_interface_etype_whitelist_dump
527 {
530  u32 sw_if_index; /* ~0 for all interfaces */
531 };
532 
533 /** \brief Details about ethertype whitelist on a single interface
534  @param context - returned sender context, to match reply w/ request
535  @param sw_if_index - interface to which the ethertype whitelist is applied
536  @param count - total number of whitelisted ethertypes in the vector
537  @param n_input - this many first elements correspond to input whitelisted ethertypes, the rest - output
538  @param whitelist - vector of whitelisted ethertypes
539 */
540 
541 define acl_interface_etype_whitelist_details
542 {
546  u8 n_input; /* first n_input ethertypes are input, the rest - output */
547  u16 whitelist[count];
548 };
549 