// Copyright (c) 2016-2017, Nefeli Networks, Inc.
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are met:
//
// * Redistributions of source code must retain the above copyright notice, this
// list of conditions and the following disclaimer.
//
// * Redistributions in binary form must reproduce the above copyright notice,
// this list of conditions and the following disclaimer in the documentation
// and/or other materials provided with the distribution.
//
// * Neither the names of the copyright holders nor the names of their
// contributors may be used to endorse or promote products derived from this
// software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
// ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
// LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
// SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
// CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
// POSSIBILITY OF SUCH DAMAGE.
#include "acl.h"

#include <cerrno>
#include <cstdint>

#include "../utils/ether.h"
#include "../utils/ip.h"
#include "../utils/udp.h"
// Controller-facing commands for this module. Both are marked
// THREAD_UNSAFE because they mutate rules_, which ProcessBatch reads
// without any lock; the framework is relied on to serialize them
// against the datapath.
const Commands ACL::cmds = {
// "add": append the rules carried in an ACLArg (same handling as Init).
{"add", bess::pb::ACLArg::descriptor(), MODULE_CMD_FUNC(&ACL::CommandAdd),
Command::THREAD_UNSAFE},
// "clear": remove every rule; with no rules, every packet is dropped.
{"clear", bess::pb::EmptyArg::descriptor(),
MODULE_CMD_FUNC(&ACL::CommandClear), Command::THREAD_UNSAFE}};
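// Appends the rules carried in `arg` to rules_ (existing rules are kept;
// CommandClear resets them). Used at module creation and by CommandAdd.
//
// Returns CommandFailure(EINVAL) — leaving rules_ untouched — if any port does
// not fit in 16 bits: the protobuf field is wider than the rule's port type and
// the cast below would otherwise truncate silently (e.g. 70000 would become
// 4464), yielding a rule that matches something other than what was asked for.
CommandResponse ACL::Init(const bess::pb::ACLArg &arg) {
  // Validate the whole list first so a bad entry in the middle does not leave
  // a partially-applied ACL behind.
  for (const auto &rule : arg.rules()) {
    if (rule.src_port() > UINT16_MAX || rule.dst_port() > UINT16_MAX) {
      return CommandFailure(EINVAL, "ports must be in the range 0-65535");
    }
  }

  for (const auto &rule : arg.rules()) {
    ACLRule new_rule = {
        .src_ip = Ipv4Prefix(rule.src_ip()),
        .dst_ip = Ipv4Prefix(rule.dst_ip()),
        // Safe: the range check above guarantees the value fits.
        .src_port = be16_t(static_cast<uint16_t>(rule.src_port())),
        .dst_port = be16_t(static_cast<uint16_t>(rule.dst_port())),
        .drop = rule.drop()};
    rules_.push_back(new_rule);
  }
  return CommandSuccess();
}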
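// "add" command: appends the rules in `arg` via Init and propagates Init's
// response, so a validation failure inside Init is reported to the caller
// instead of being replaced by an unconditional success.
CommandResponse ACL::CommandAdd(const bess::pb::ACLArg &arg) {
  return Init(arg);
}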
// "clear" command: discards every installed rule. The argument carries no
// payload. Afterwards no packet matches, so ProcessBatch drops everything
// until rules are added again.
CommandResponse ACL::CommandClear(const bess::pb::EmptyArg & /*unused*/) {
  rules_.clear();

  return CommandSuccess();
}
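// Datapath: evaluates each packet in `batch` against rules_ in order.
// The first matching rule decides: a non-drop rule forwards the packet out of
// the gate it arrived on, a drop rule (or no match at all) drops it.
//
// Packets are untrusted input. Before any header field is read, the frame is
// checked to be long enough to hold the Ethernet, IPv4 and L4 headers that are
// dereferenced, and to actually be IPv4; anything else is dropped instead of
// being parsed past the end of its buffer.
void ACL::ProcessBatch(Context *ctx, bess::PacketBatch *batch) {
  using bess::utils::Ethernet;
  using bess::utils::Ipv4;
  using bess::utils::Udp;

  // Only the two port fields of the L4 header are read. They sit at the same
  // offsets for UDP and TCP, so sizeof(Udp) is the right bound for both.
  constexpr size_t kMinFrameBytes =
      sizeof(Ethernet) + sizeof(Ipv4) + sizeof(Udp);

  gate_idx_t incoming_gate = ctx->current_igate;
  int cnt = batch->cnt();
  for (int i = 0; i < cnt; i++) {
    bess::Packet *pkt = batch->pkts()[i];
    const size_t head_len = static_cast<size_t>(pkt->head_len());

    // Too short to hold the headers we are about to dereference.
    if (head_len < kMinFrameBytes) {
      DropPacket(ctx, pkt);
      continue;
    }

    Ethernet *eth = pkt->head_data<Ethernet *>();
    // Rules are IPv4 rules; a non-IPv4 frame cannot be matched meaningfully and
    // takes the same path as an unmatched packet.
    if (eth->ether_type != be16_t(Ethernet::Type::kIpv4)) {
      DropPacket(ctx, pkt);
      continue;
    }

    Ipv4 *ip = reinterpret_cast<Ipv4 *>(eth + 1);
    size_t ip_bytes = ip->header_length << 2;
    // IHL < 5 is malformed; IHL > 5 (options) pushes the L4 header further into
    // the frame, so the length bound has to be re-checked with the real IHL.
    if (ip_bytes < sizeof(Ipv4) ||
        sizeof(Ethernet) + ip_bytes + sizeof(Udp) > head_len) {
      DropPacket(ctx, pkt);
      continue;
    }

    // NOTE(review): non-first IP fragments carry no L4 header, so for them the
    // "ports" read below are payload bytes. A fragment-offset check would
    // tighten this — confirm against the matching semantics callers expect.
    Udp *udp =
        reinterpret_cast<Udp *>(reinterpret_cast<uint8_t *>(ip) + ip_bytes);

    bool emitted = false;
    for (const auto &rule : rules_) {
      if (rule.Match(ip->src, ip->dst, udp->src_port, udp->dst_port)) {
        if (!rule.drop) {
          emitted = true;
          EmitPacket(ctx, pkt, incoming_gate);
        }
        break;  // First match wins; do not evaluate later rules.
      }
    }
    // Default deny: no matching rule, or a matching drop rule.
    if (!emitted) {
      DropPacket(ctx, pkt);
    }
  }
}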
ADD_MODULE(ACL, "acl", "ACL module from NetBricks")