1 /* SPDX-License-Identifier: BSD-3-Clause
2 * Copyright(c) 2010-2015 Intel Corporation
10 #include <netinet/in.h>
12 #include <rte_common.h>
13 #include <rte_hexdump.h>
14 #include <rte_malloc.h>
15 #include <cmdline_rdline.h>
16 #include <cmdline_parse.h>
17 #include <cmdline_parse_num.h>
18 #include <cmdline_parse_string.h>
21 #include "pipeline_common_fe.h"
22 #include "pipeline_firewall.h"
25 struct app_pipeline_firewall_rule {
26 struct pipeline_firewall_key key;
31 TAILQ_ENTRY(app_pipeline_firewall_rule) node;
34 struct app_pipeline_firewall {
40 TAILQ_HEAD(, app_pipeline_firewall_rule) rules;
42 uint32_t default_rule_present;
43 uint32_t default_rule_port_id;
44 void *default_rule_entry_ptr;
48 print_firewall_ipv4_rule(struct app_pipeline_firewall_rule *rule)
50 printf("Prio = %" PRId32 " (SA = %" PRIu32 ".%" PRIu32
51 ".%" PRIu32 ".%" PRIu32 "/%" PRIu32 ", "
52 "DA = %" PRIu32 ".%" PRIu32
53 ".%"PRIu32 ".%" PRIu32 "/%" PRIu32 ", "
54 "SP = %" PRIu32 "-%" PRIu32 ", "
55 "DP = %" PRIu32 "-%" PRIu32 ", "
56 "Proto = %" PRIu32 " / 0x%" PRIx32 ") => "
57 "Port = %" PRIu32 " (entry ptr = %p)\n",
61 (rule->key.key.ipv4_5tuple.src_ip >> 24) & 0xFF,
62 (rule->key.key.ipv4_5tuple.src_ip >> 16) & 0xFF,
63 (rule->key.key.ipv4_5tuple.src_ip >> 8) & 0xFF,
64 rule->key.key.ipv4_5tuple.src_ip & 0xFF,
65 rule->key.key.ipv4_5tuple.src_ip_mask,
67 (rule->key.key.ipv4_5tuple.dst_ip >> 24) & 0xFF,
68 (rule->key.key.ipv4_5tuple.dst_ip >> 16) & 0xFF,
69 (rule->key.key.ipv4_5tuple.dst_ip >> 8) & 0xFF,
70 rule->key.key.ipv4_5tuple.dst_ip & 0xFF,
71 rule->key.key.ipv4_5tuple.dst_ip_mask,
73 rule->key.key.ipv4_5tuple.src_port_from,
74 rule->key.key.ipv4_5tuple.src_port_to,
76 rule->key.key.ipv4_5tuple.dst_port_from,
77 rule->key.key.ipv4_5tuple.dst_port_to,
79 rule->key.key.ipv4_5tuple.proto,
80 rule->key.key.ipv4_5tuple.proto_mask,
86 static struct app_pipeline_firewall_rule *
87 app_pipeline_firewall_rule_find(struct app_pipeline_firewall *p,
88 struct pipeline_firewall_key *key)
90 struct app_pipeline_firewall_rule *r;
92 TAILQ_FOREACH(r, &p->rules, node)
95 sizeof(struct pipeline_firewall_key)) == 0)
102 app_pipeline_firewall_ls(
103 struct app_params *app,
104 uint32_t pipeline_id)
106 struct app_pipeline_firewall *p;
107 struct app_pipeline_firewall_rule *rule;
111 /* Check input arguments */
115 p = app_pipeline_data_fe(app, pipeline_id, &pipeline_firewall);
119 n_rules = p->n_rules;
120 for (priority = 0; n_rules; priority++)
121 TAILQ_FOREACH(rule, &p->rules, node)
122 if (rule->priority == priority) {
123 print_firewall_ipv4_rule(rule);
127 if (p->default_rule_present)
128 printf("Default rule: port %" PRIu32 " (entry ptr = %p)\n",
129 p->default_rule_port_id,
130 p->default_rule_entry_ptr);
132 printf("Default rule: DROP\n");
140 app_pipeline_firewall_init(struct pipeline_params *params,
141 __rte_unused void *arg)
143 struct app_pipeline_firewall *p;
146 /* Check input arguments */
147 if ((params == NULL) ||
148 (params->n_ports_in == 0) ||
149 (params->n_ports_out == 0))
152 /* Memory allocation */
153 size = RTE_CACHE_LINE_ROUNDUP(sizeof(struct app_pipeline_firewall));
154 p = rte_zmalloc(NULL, size, RTE_CACHE_LINE_SIZE);
159 p->n_ports_in = params->n_ports_in;
160 p->n_ports_out = params->n_ports_out;
162 TAILQ_INIT(&p->rules);
164 p->default_rule_present = 0;
165 p->default_rule_port_id = 0;
166 p->default_rule_entry_ptr = NULL;
172 app_pipeline_firewall_free(void *pipeline)
174 struct app_pipeline_firewall *p = pipeline;
176 /* Check input arguments */
181 while (!TAILQ_EMPTY(&p->rules)) {
182 struct app_pipeline_firewall_rule *rule;
184 rule = TAILQ_FIRST(&p->rules);
185 TAILQ_REMOVE(&p->rules, rule, node);
194 app_pipeline_firewall_key_check_and_normalize(struct pipeline_firewall_key *key)
197 case PIPELINE_FIREWALL_IPV4_5TUPLE:
199 uint32_t src_ip_depth = key->key.ipv4_5tuple.src_ip_mask;
200 uint32_t dst_ip_depth = key->key.ipv4_5tuple.dst_ip_mask;
201 uint16_t src_port_from = key->key.ipv4_5tuple.src_port_from;
202 uint16_t src_port_to = key->key.ipv4_5tuple.src_port_to;
203 uint16_t dst_port_from = key->key.ipv4_5tuple.dst_port_from;
204 uint16_t dst_port_to = key->key.ipv4_5tuple.dst_port_to;
206 uint32_t src_ip_netmask = 0;
207 uint32_t dst_ip_netmask = 0;
209 if ((src_ip_depth > 32) ||
210 (dst_ip_depth > 32) ||
211 (src_port_from > src_port_to) ||
212 (dst_port_from > dst_port_to))
216 src_ip_netmask = (~0U) << (32 - src_ip_depth);
219 dst_ip_netmask = ((~0U) << (32 - dst_ip_depth));
221 key->key.ipv4_5tuple.src_ip &= src_ip_netmask;
222 key->key.ipv4_5tuple.dst_ip &= dst_ip_netmask;
233 app_pipeline_firewall_load_file(char *filename,
234 struct pipeline_firewall_key *keys,
235 uint32_t *priorities,
244 /* Check input arguments */
245 if ((filename == NULL) ||
247 (priorities == NULL) ||
248 (port_ids == NULL) ||
257 /* Open input file */
258 f = fopen(filename, "r");
265 for (i = 0, l = 1; i < *n_keys; l++) {
267 uint32_t n_tokens = RTE_DIM(tokens);
269 uint32_t priority = 0;
270 struct in_addr sipaddr;
271 uint32_t sipdepth = 0;
272 struct in_addr dipaddr;
273 uint32_t dipdepth = 0;
279 uint8_t protomask = 0;
280 uint32_t port_id = 0;
284 if (fgets(file_buf, sizeof(file_buf), f) == NULL)
287 status = parse_tokenize_string(file_buf, tokens, &n_tokens);
291 if ((n_tokens == 0) || (tokens[0][0] == '#'))
294 if ((n_tokens != 15) ||
295 strcmp(tokens[0], "priority") ||
296 parser_read_uint32(&priority, tokens[1]) ||
297 strcmp(tokens[2], "ipv4") ||
298 parse_ipv4_addr(tokens[3], &sipaddr) ||
299 parser_read_uint32(&sipdepth, tokens[4]) ||
300 parse_ipv4_addr(tokens[5], &dipaddr) ||
301 parser_read_uint32(&dipdepth, tokens[6]) ||
302 parser_read_uint16(&sport0, tokens[7]) ||
303 parser_read_uint16(&sport1, tokens[8]) ||
304 parser_read_uint16(&dport0, tokens[9]) ||
305 parser_read_uint16(&dport1, tokens[10]) ||
306 parser_read_uint8(&proto, tokens[11]) ||
307 parser_read_uint8_hex(&protomask, tokens[12]) ||
308 strcmp(tokens[13], "port") ||
309 parser_read_uint32(&port_id, tokens[14]))
312 keys[i].type = PIPELINE_FIREWALL_IPV4_5TUPLE;
313 keys[i].key.ipv4_5tuple.src_ip =
314 rte_be_to_cpu_32(sipaddr.s_addr);
315 keys[i].key.ipv4_5tuple.src_ip_mask = sipdepth;
316 keys[i].key.ipv4_5tuple.dst_ip =
317 rte_be_to_cpu_32(dipaddr.s_addr);
318 keys[i].key.ipv4_5tuple.dst_ip_mask = dipdepth;
319 keys[i].key.ipv4_5tuple.src_port_from = sport0;
320 keys[i].key.ipv4_5tuple.src_port_to = sport1;
321 keys[i].key.ipv4_5tuple.dst_port_from = dport0;
322 keys[i].key.ipv4_5tuple.dst_port_to = dport1;
323 keys[i].key.ipv4_5tuple.proto = proto;
324 keys[i].key.ipv4_5tuple.proto_mask = protomask;
326 port_ids[i] = port_id;
327 priorities[i] = priority;
329 if (app_pipeline_firewall_key_check_and_normalize(&keys[i]))
347 app_pipeline_firewall_add_rule(struct app_params *app,
348 uint32_t pipeline_id,
349 struct pipeline_firewall_key *key,
353 struct app_pipeline_firewall *p;
354 struct app_pipeline_firewall_rule *rule;
355 struct pipeline_firewall_add_msg_req *req;
356 struct pipeline_firewall_add_msg_rsp *rsp;
359 /* Check input arguments */
362 (key->type != PIPELINE_FIREWALL_IPV4_5TUPLE))
365 p = app_pipeline_data_fe(app, pipeline_id, &pipeline_firewall);
369 if (port_id >= p->n_ports_out)
372 if (app_pipeline_firewall_key_check_and_normalize(key) != 0)
375 /* Find existing rule or allocate new rule */
376 rule = app_pipeline_firewall_rule_find(p, key);
377 new_rule = (rule == NULL);
379 rule = rte_malloc(NULL, sizeof(*rule), RTE_CACHE_LINE_SIZE);
385 /* Allocate and write request */
386 req = app_msg_alloc(app);
393 req->type = PIPELINE_MSG_REQ_CUSTOM;
394 req->subtype = PIPELINE_FIREWALL_MSG_REQ_ADD;
395 memcpy(&req->key, key, sizeof(*key));
396 req->priority = priority;
397 req->port_id = port_id;
399 /* Send request and wait for response */
400 rsp = app_msg_send_recv(app, pipeline_id, req, MSG_TIMEOUT_DEFAULT);
407 /* Read response and write rule */
409 (rsp->entry_ptr == NULL) ||
410 ((new_rule == 0) && (rsp->key_found == 0)) ||
411 ((new_rule == 1) && (rsp->key_found == 1))) {
412 app_msg_free(app, rsp);
418 memcpy(&rule->key, key, sizeof(*key));
419 rule->priority = priority;
420 rule->port_id = port_id;
421 rule->entry_ptr = rsp->entry_ptr;
425 TAILQ_INSERT_TAIL(&p->rules, rule, node);
429 print_firewall_ipv4_rule(rule);
432 app_msg_free(app, rsp);
438 app_pipeline_firewall_delete_rule(struct app_params *app,
439 uint32_t pipeline_id,
440 struct pipeline_firewall_key *key)
442 struct app_pipeline_firewall *p;
443 struct app_pipeline_firewall_rule *rule;
444 struct pipeline_firewall_del_msg_req *req;
445 struct pipeline_firewall_del_msg_rsp *rsp;
447 /* Check input arguments */
450 (key->type != PIPELINE_FIREWALL_IPV4_5TUPLE))
453 p = app_pipeline_data_fe(app, pipeline_id, &pipeline_firewall);
457 if (app_pipeline_firewall_key_check_and_normalize(key) != 0)
461 rule = app_pipeline_firewall_rule_find(p, key);
465 /* Allocate and write request */
466 req = app_msg_alloc(app);
470 req->type = PIPELINE_MSG_REQ_CUSTOM;
471 req->subtype = PIPELINE_FIREWALL_MSG_REQ_DEL;
472 memcpy(&req->key, key, sizeof(*key));
474 /* Send request and wait for response */
475 rsp = app_msg_send_recv(app, pipeline_id, req, MSG_TIMEOUT_DEFAULT);
480 if (rsp->status || !rsp->key_found) {
481 app_msg_free(app, rsp);
486 TAILQ_REMOVE(&p->rules, rule, node);
491 app_msg_free(app, rsp);
497 app_pipeline_firewall_add_bulk(struct app_params *app,
498 uint32_t pipeline_id,
499 struct pipeline_firewall_key *keys,
501 uint32_t *priorities,
504 struct app_pipeline_firewall *p;
505 struct pipeline_firewall_add_bulk_msg_req *req;
506 struct pipeline_firewall_add_bulk_msg_rsp *rsp;
508 struct app_pipeline_firewall_rule **rules;
517 /* Check input arguments */
521 p = app_pipeline_data_fe(app, pipeline_id, &pipeline_firewall);
525 rules = rte_malloc(NULL,
526 n_keys * sizeof(struct app_pipeline_firewall_rule *),
527 RTE_CACHE_LINE_SIZE);
531 new_rules = rte_malloc(NULL,
532 n_keys * sizeof(int),
533 RTE_CACHE_LINE_SIZE);
534 if (new_rules == NULL) {
539 /* check data integrity and add to rule list */
540 for (i = 0; i < n_keys; i++) {
541 if (port_ids[i] >= p->n_ports_out) {
547 if (app_pipeline_firewall_key_check_and_normalize(&keys[i]) != 0) {
553 rules[i] = app_pipeline_firewall_rule_find(p, &keys[i]);
554 new_rules[i] = (rules[i] == NULL);
555 if (rules[i] == NULL) {
556 rules[i] = rte_malloc(NULL,
558 RTE_CACHE_LINE_SIZE);
560 if (rules[i] == NULL) {
563 for (j = 0; j <= i; j++)
574 keys_found = rte_malloc(NULL,
575 n_keys * sizeof(int),
576 RTE_CACHE_LINE_SIZE);
577 if (keys_found == NULL) {
580 for (j = 0; j < n_keys; j++)
589 entries_ptr = rte_malloc(NULL,
590 n_keys * sizeof(struct rte_pipeline_table_entry *),
591 RTE_CACHE_LINE_SIZE);
592 if (entries_ptr == NULL) {
595 for (j = 0; j < n_keys; j++)
601 rte_free(keys_found);
604 for (i = 0; i < n_keys; i++) {
605 entries_ptr[i] = rte_malloc(NULL,
606 sizeof(struct rte_pipeline_table_entry),
607 RTE_CACHE_LINE_SIZE);
609 if (entries_ptr[i] == NULL) {
612 for (j = 0; j < n_keys; j++)
616 for (j = 0; j <= i; j++)
617 rte_free(entries_ptr[j]);
621 rte_free(keys_found);
622 rte_free(entries_ptr);
627 /* Allocate and write request */
628 req = app_msg_alloc(app);
632 for (j = 0; j < n_keys; j++)
636 for (j = 0; j < n_keys; j++)
637 rte_free(entries_ptr[j]);
641 rte_free(keys_found);
642 rte_free(entries_ptr);
646 req->type = PIPELINE_MSG_REQ_CUSTOM;
647 req->subtype = PIPELINE_FIREWALL_MSG_REQ_ADD_BULK;
650 req->n_keys = n_keys;
651 req->port_ids = port_ids;
652 req->priorities = priorities;
653 req->keys_found = keys_found;
654 req->entries_ptr = entries_ptr;
656 /* Send request and wait for response */
657 rsp = app_msg_send_recv(app, pipeline_id, req, MSG_TIMEOUT_DEFAULT);
661 for (j = 0; j < n_keys; j++)
665 for (j = 0; j < n_keys; j++)
666 rte_free(entries_ptr[j]);
670 rte_free(keys_found);
671 rte_free(entries_ptr);
676 for (i = 0; i < n_keys; i++)
680 for (i = 0; i < n_keys; i++)
681 rte_free(entries_ptr[i]);
687 for (i = 0; i < n_keys; i++) {
688 if (entries_ptr[i] == NULL ||
689 ((new_rules[i] == 0) && (keys_found[i] == 0)) ||
690 ((new_rules[i] == 1) && (keys_found[i] == 1))) {
691 for (i = 0; i < n_keys; i++)
695 for (i = 0; i < n_keys; i++)
696 rte_free(entries_ptr[i]);
703 for (i = 0; i < n_keys; i++) {
704 memcpy(&rules[i]->key, &keys[i], sizeof(keys[i]));
705 rules[i]->priority = priorities[i];
706 rules[i]->port_id = port_ids[i];
707 rules[i]->entry_ptr = entries_ptr[i];
711 TAILQ_INSERT_TAIL(&p->rules, rules[i], node);
715 print_firewall_ipv4_rule(rules[i]);
719 app_msg_free(app, rsp);
722 rte_free(keys_found);
723 rte_free(entries_ptr);
729 app_pipeline_firewall_delete_bulk(struct app_params *app,
730 uint32_t pipeline_id,
731 struct pipeline_firewall_key *keys,
734 struct app_pipeline_firewall *p;
735 struct pipeline_firewall_del_bulk_msg_req *req;
736 struct pipeline_firewall_del_bulk_msg_rsp *rsp;
738 struct app_pipeline_firewall_rule **rules;
744 /* Check input arguments */
748 p = app_pipeline_data_fe(app, pipeline_id, &pipeline_firewall);
752 rules = rte_malloc(NULL,
753 n_keys * sizeof(struct app_pipeline_firewall_rule *),
754 RTE_CACHE_LINE_SIZE);
758 for (i = 0; i < n_keys; i++) {
759 if (app_pipeline_firewall_key_check_and_normalize(&keys[i]) != 0) {
763 rules[i] = app_pipeline_firewall_rule_find(p, &keys[i]);
766 keys_found = rte_malloc(NULL,
767 n_keys * sizeof(int),
768 RTE_CACHE_LINE_SIZE);
769 if (keys_found == NULL) {
774 /* Allocate and write request */
775 req = app_msg_alloc(app);
778 rte_free(keys_found);
782 req->type = PIPELINE_MSG_REQ_CUSTOM;
783 req->subtype = PIPELINE_FIREWALL_MSG_REQ_DEL_BULK;
786 req->n_keys = n_keys;
787 req->keys_found = keys_found;
789 /* Send request and wait for response */
790 rsp = app_msg_send_recv(app, pipeline_id, req, MSG_TIMEOUT_DEFAULT);
793 rte_free(keys_found);
802 for (i = 0; i < n_keys; i++) {
803 if (keys_found[i] == 0) {
809 for (i = 0; i < n_keys; i++) {
810 TAILQ_REMOVE(&p->rules, rules[i], node);
816 app_msg_free(app, rsp);
818 rte_free(keys_found);
824 app_pipeline_firewall_add_default_rule(struct app_params *app,
825 uint32_t pipeline_id,
828 struct app_pipeline_firewall *p;
829 struct pipeline_firewall_add_default_msg_req *req;
830 struct pipeline_firewall_add_default_msg_rsp *rsp;
832 /* Check input arguments */
836 p = app_pipeline_data_fe(app, pipeline_id, &pipeline_firewall);
840 if (port_id >= p->n_ports_out)
843 /* Allocate and write request */
844 req = app_msg_alloc(app);
848 req->type = PIPELINE_MSG_REQ_CUSTOM;
849 req->subtype = PIPELINE_FIREWALL_MSG_REQ_ADD_DEFAULT;
850 req->port_id = port_id;
852 /* Send request and wait for response */
853 rsp = app_msg_send_recv(app, pipeline_id, req, MSG_TIMEOUT_DEFAULT);
857 /* Read response and write rule */
858 if (rsp->status || (rsp->entry_ptr == NULL)) {
859 app_msg_free(app, rsp);
863 p->default_rule_port_id = port_id;
864 p->default_rule_entry_ptr = rsp->entry_ptr;
867 p->default_rule_present = 1;
870 app_msg_free(app, rsp);
876 app_pipeline_firewall_delete_default_rule(struct app_params *app,
877 uint32_t pipeline_id)
879 struct app_pipeline_firewall *p;
880 struct pipeline_firewall_del_default_msg_req *req;
881 struct pipeline_firewall_del_default_msg_rsp *rsp;
883 /* Check input arguments */
887 p = app_pipeline_data_fe(app, pipeline_id, &pipeline_firewall);
891 /* Allocate and write request */
892 req = app_msg_alloc(app);
896 req->type = PIPELINE_MSG_REQ_CUSTOM;
897 req->subtype = PIPELINE_FIREWALL_MSG_REQ_DEL_DEFAULT;
899 /* Send request and wait for response */
900 rsp = app_msg_send_recv(app, pipeline_id, req, MSG_TIMEOUT_DEFAULT);
904 /* Read response and write rule */
906 app_msg_free(app, rsp);
911 p->default_rule_present = 0;
914 app_msg_free(app, rsp);
923 * p <pipelineid> firewall add priority <priority>
924 * ipv4 <sipaddr> <sipdepth> <dipaddr> <dipdepth>
925 * <sport0> <sport1> <dport0> <dport1> <proto> <protomask>
927 * Note: <protomask> is a hex value
929 * p <pipelineid> firewall add bulk <file>
931 * firewall add default:
932 * p <pipelineid> firewall add default <port ID>
935 * p <pipelineid> firewall del
936 * ipv4 <sipaddr> <sipdepth> <dipaddr> <dipdepth>
937 * <sport0> <sport1> <dport0> <dport1> <proto> <protomask>
939 * p <pipelineid> firewall del bulk <file>
941 * firewall del default:
942 * p <pipelineid> firewall del default
945 * p <pipelineid> firewall ls
948 struct cmd_firewall_result {
949 cmdline_fixed_string_t p_string;
950 uint32_t pipeline_id;
951 cmdline_fixed_string_t firewall_string;
952 cmdline_multi_string_t multi_string;
955 static void cmd_firewall_parsed(void *parsed_result,
956 __attribute__((unused)) struct cmdline *cl,
959 struct cmd_firewall_result *params = parsed_result;
960 struct app_params *app = data;
964 uint32_t n_tokens = RTE_DIM(tokens);
966 status = parse_tokenize_string(params->multi_string, tokens, &n_tokens);
968 printf(CMD_MSG_TOO_MANY_ARGS, "firewall");
973 if ((n_tokens >= 2) &&
974 (strcmp(tokens[0], "add") == 0) &&
975 (strcmp(tokens[1], "priority") == 0)) {
976 struct pipeline_firewall_key key;
978 struct in_addr sipaddr;
980 struct in_addr dipaddr;
990 memset(&key, 0, sizeof(key));
992 if (n_tokens != 16) {
993 printf(CMD_MSG_MISMATCH_ARGS, "firewall add");
997 if (parser_read_uint32(&priority, tokens[2])) {
998 printf(CMD_MSG_INVALID_ARG, "priority");
1002 if (strcmp(tokens[3], "ipv4")) {
1003 printf(CMD_MSG_ARG_NOT_FOUND, "ipv4");
1007 if (parse_ipv4_addr(tokens[4], &sipaddr)) {
1008 printf(CMD_MSG_INVALID_ARG, "sipaddr");
1012 if (parser_read_uint32(&sipdepth, tokens[5])) {
1013 printf(CMD_MSG_INVALID_ARG, "sipdepth");
1017 if (parse_ipv4_addr(tokens[6], &dipaddr)) {
1018 printf(CMD_MSG_INVALID_ARG, "dipaddr");
1022 if (parser_read_uint32(&dipdepth, tokens[7])) {
1023 printf(CMD_MSG_INVALID_ARG, "dipdepth");
1027 if (parser_read_uint16(&sport0, tokens[8])) {
1028 printf(CMD_MSG_INVALID_ARG, "sport0");
1032 if (parser_read_uint16(&sport1, tokens[9])) {
1033 printf(CMD_MSG_INVALID_ARG, "sport1");
1037 if (parser_read_uint16(&dport0, tokens[10])) {
1038 printf(CMD_MSG_INVALID_ARG, "dport0");
1042 if (parser_read_uint16(&dport1, tokens[11])) {
1043 printf(CMD_MSG_INVALID_ARG, "dport1");
1047 if (parser_read_uint8(&proto, tokens[12])) {
1048 printf(CMD_MSG_INVALID_ARG, "proto");
1052 if (parser_read_uint8_hex(&protomask, tokens[13])) {
1053 printf(CMD_MSG_INVALID_ARG, "protomask");
1057 if (strcmp(tokens[14], "port")) {
1058 printf(CMD_MSG_ARG_NOT_FOUND, "port");
1062 if (parser_read_uint32(&port_id, tokens[15])) {
1063 printf(CMD_MSG_INVALID_ARG, "portid");
1067 key.type = PIPELINE_FIREWALL_IPV4_5TUPLE;
1068 key.key.ipv4_5tuple.src_ip = rte_be_to_cpu_32(sipaddr.s_addr);
1069 key.key.ipv4_5tuple.src_ip_mask = sipdepth;
1070 key.key.ipv4_5tuple.dst_ip = rte_be_to_cpu_32(dipaddr.s_addr);
1071 key.key.ipv4_5tuple.dst_ip_mask = dipdepth;
1072 key.key.ipv4_5tuple.src_port_from = sport0;
1073 key.key.ipv4_5tuple.src_port_to = sport1;
1074 key.key.ipv4_5tuple.dst_port_from = dport0;
1075 key.key.ipv4_5tuple.dst_port_to = dport1;
1076 key.key.ipv4_5tuple.proto = proto;
1077 key.key.ipv4_5tuple.proto_mask = protomask;
1079 status = app_pipeline_firewall_add_rule(app,
1080 params->pipeline_id,
1085 printf(CMD_MSG_FAIL, "firewall add");
1088 } /* firewall add */
1090 /* firewall add bulk */
1091 if ((n_tokens >= 2) &&
1092 (strcmp(tokens[0], "add") == 0) &&
1093 (strcmp(tokens[1], "bulk") == 0)) {
1094 struct pipeline_firewall_key *keys;
1095 uint32_t *priorities, *port_ids, n_keys, line;
1098 if (n_tokens != 3) {
1099 printf(CMD_MSG_MISMATCH_ARGS, "firewall add bulk");
1103 filename = tokens[2];
1105 n_keys = APP_PIPELINE_FIREWALL_MAX_RULES_IN_FILE;
1106 keys = malloc(n_keys * sizeof(struct pipeline_firewall_key));
1108 printf(CMD_MSG_OUT_OF_MEMORY);
1111 memset(keys, 0, n_keys * sizeof(struct pipeline_firewall_key));
1113 priorities = malloc(n_keys * sizeof(uint32_t));
1114 if (priorities == NULL) {
1115 printf(CMD_MSG_OUT_OF_MEMORY);
1120 port_ids = malloc(n_keys * sizeof(uint32_t));
1121 if (port_ids == NULL) {
1122 printf(CMD_MSG_OUT_OF_MEMORY);
1128 status = app_pipeline_firewall_load_file(filename,
1135 printf(CMD_MSG_FILE_ERR, filename, line);
1142 status = app_pipeline_firewall_add_bulk(app,
1143 params->pipeline_id,
1149 printf(CMD_MSG_FAIL, "firewall add bulk");
1155 } /* firewall add bulk */
1157 /* firewall add default */
1158 if ((n_tokens >= 2) &&
1159 (strcmp(tokens[0], "add") == 0) &&
1160 (strcmp(tokens[1], "default") == 0)) {
1163 if (n_tokens != 3) {
1164 printf(CMD_MSG_MISMATCH_ARGS, "firewall add default");
1168 if (parser_read_uint32(&port_id, tokens[2])) {
1169 printf(CMD_MSG_INVALID_ARG, "portid");
1173 status = app_pipeline_firewall_add_default_rule(app,
1174 params->pipeline_id,
1177 printf(CMD_MSG_FAIL, "firewall add default");
1180 } /* firewall add default */
1183 if ((n_tokens >= 2) &&
1184 (strcmp(tokens[0], "del") == 0) &&
1185 (strcmp(tokens[1], "ipv4") == 0)) {
1186 struct pipeline_firewall_key key;
1187 struct in_addr sipaddr;
1189 struct in_addr dipaddr;
1198 memset(&key, 0, sizeof(key));
1200 if (n_tokens != 12) {
1201 printf(CMD_MSG_MISMATCH_ARGS, "firewall del");
1205 if (parse_ipv4_addr(tokens[2], &sipaddr)) {
1206 printf(CMD_MSG_INVALID_ARG, "sipaddr");
1210 if (parser_read_uint32(&sipdepth, tokens[3])) {
1211 printf(CMD_MSG_INVALID_ARG, "sipdepth");
1215 if (parse_ipv4_addr(tokens[4], &dipaddr)) {
1216 printf(CMD_MSG_INVALID_ARG, "dipaddr");
1220 if (parser_read_uint32(&dipdepth, tokens[5])) {
1221 printf(CMD_MSG_INVALID_ARG, "dipdepth");
1225 if (parser_read_uint16(&sport0, tokens[6])) {
1226 printf(CMD_MSG_INVALID_ARG, "sport0");
1230 if (parser_read_uint16(&sport1, tokens[7])) {
1231 printf(CMD_MSG_INVALID_ARG, "sport1");
1235 if (parser_read_uint16(&dport0, tokens[8])) {
1236 printf(CMD_MSG_INVALID_ARG, "dport0");
1240 if (parser_read_uint16(&dport1, tokens[9])) {
1241 printf(CMD_MSG_INVALID_ARG, "dport1");
1245 if (parser_read_uint8(&proto, tokens[10])) {
1246 printf(CMD_MSG_INVALID_ARG, "proto");
1250 if (parser_read_uint8_hex(&protomask, tokens[11])) {
1251 printf(CMD_MSG_INVALID_ARG, "protomask");
1255 key.type = PIPELINE_FIREWALL_IPV4_5TUPLE;
1256 key.key.ipv4_5tuple.src_ip = rte_be_to_cpu_32(sipaddr.s_addr);
1257 key.key.ipv4_5tuple.src_ip_mask = sipdepth;
1258 key.key.ipv4_5tuple.dst_ip = rte_be_to_cpu_32(dipaddr.s_addr);
1259 key.key.ipv4_5tuple.dst_ip_mask = dipdepth;
1260 key.key.ipv4_5tuple.src_port_from = sport0;
1261 key.key.ipv4_5tuple.src_port_to = sport1;
1262 key.key.ipv4_5tuple.dst_port_from = dport0;
1263 key.key.ipv4_5tuple.dst_port_to = dport1;
1264 key.key.ipv4_5tuple.proto = proto;
1265 key.key.ipv4_5tuple.proto_mask = protomask;
1267 status = app_pipeline_firewall_delete_rule(app,
1268 params->pipeline_id,
1271 printf(CMD_MSG_FAIL, "firewall del");
1274 } /* firewall del */
1276 /* firewall del bulk */
1277 if ((n_tokens >= 2) &&
1278 (strcmp(tokens[0], "del") == 0) &&
1279 (strcmp(tokens[1], "bulk") == 0)) {
1280 struct pipeline_firewall_key *keys;
1281 uint32_t *priorities, *port_ids, n_keys, line;
1284 if (n_tokens != 3) {
1285 printf(CMD_MSG_MISMATCH_ARGS, "firewall del bulk");
1289 filename = tokens[2];
1291 n_keys = APP_PIPELINE_FIREWALL_MAX_RULES_IN_FILE;
1292 keys = malloc(n_keys * sizeof(struct pipeline_firewall_key));
1294 printf(CMD_MSG_OUT_OF_MEMORY);
1297 memset(keys, 0, n_keys * sizeof(struct pipeline_firewall_key));
1299 priorities = malloc(n_keys * sizeof(uint32_t));
1300 if (priorities == NULL) {
1301 printf(CMD_MSG_OUT_OF_MEMORY);
1306 port_ids = malloc(n_keys * sizeof(uint32_t));
1307 if (port_ids == NULL) {
1308 printf(CMD_MSG_OUT_OF_MEMORY);
1314 status = app_pipeline_firewall_load_file(filename,
1321 printf(CMD_MSG_FILE_ERR, filename, line);
1328 status = app_pipeline_firewall_delete_bulk(app,
1329 params->pipeline_id,
1333 printf(CMD_MSG_FAIL, "firewall del bulk");
1339 } /* firewall del bulk */
1341 /* firewall del default */
1342 if ((n_tokens >= 2) &&
1343 (strcmp(tokens[0], "del") == 0) &&
1344 (strcmp(tokens[1], "default") == 0)) {
1345 if (n_tokens != 2) {
1346 printf(CMD_MSG_MISMATCH_ARGS, "firewall del default");
1350 status = app_pipeline_firewall_delete_default_rule(app,
1351 params->pipeline_id);
1353 printf(CMD_MSG_FAIL, "firewall del default");
1357 } /* firewall del default */
1360 if ((n_tokens >= 1) && (strcmp(tokens[0], "ls") == 0)) {
1361 if (n_tokens != 1) {
1362 printf(CMD_MSG_MISMATCH_ARGS, "firewall ls");
1366 status = app_pipeline_firewall_ls(app, params->pipeline_id);
1368 printf(CMD_MSG_FAIL, "firewall ls");
1373 printf(CMD_MSG_MISMATCH_ARGS, "firewall");
1376 static cmdline_parse_token_string_t cmd_firewall_p_string =
1377 TOKEN_STRING_INITIALIZER(struct cmd_firewall_result, p_string, "p");
1379 static cmdline_parse_token_num_t cmd_firewall_pipeline_id =
1380 TOKEN_NUM_INITIALIZER(struct cmd_firewall_result, pipeline_id, UINT32);
1382 static cmdline_parse_token_string_t cmd_firewall_firewall_string =
1383 TOKEN_STRING_INITIALIZER(struct cmd_firewall_result, firewall_string,
1386 static cmdline_parse_token_string_t cmd_firewall_multi_string =
1387 TOKEN_STRING_INITIALIZER(struct cmd_firewall_result, multi_string,
1388 TOKEN_STRING_MULTI);
1390 static cmdline_parse_inst_t cmd_firewall = {
1391 .f = cmd_firewall_parsed,
1393 .help_str = "firewall add / add bulk / add default / del / del bulk"
1394 " / del default / ls",
1396 (void *) &cmd_firewall_p_string,
1397 (void *) &cmd_firewall_pipeline_id,
1398 (void *) &cmd_firewall_firewall_string,
1399 (void *) &cmd_firewall_multi_string,
1404 static cmdline_parse_ctx_t pipeline_cmds[] = {
1405 (cmdline_parse_inst_t *) &cmd_firewall,
1409 static struct pipeline_fe_ops pipeline_firewall_fe_ops = {
1410 .f_init = app_pipeline_firewall_init,
1411 .f_post_init = NULL,
1412 .f_free = app_pipeline_firewall_free,
1413 .f_track = app_pipeline_track_default,
1414 .cmds = pipeline_cmds,
1417 struct pipeline_type pipeline_firewall = {
1419 .be_ops = &pipeline_firewall_be_ops,
1420 .fe_ops = &pipeline_firewall_fe_ops,