// -*- c-basic-offset: 4; tab-width: 8; indent-tabs-mode: t -*- // Copyright (c) 2001-2007 International Computer Science Institute // // Permission is hereby granted, free of charge, to any person obtaining a // copy of this software and associated documentation files (the "Software") // to deal in the Software without restriction, subject to the conditions // listed in the XORP LICENSE file. These conditions include: you must // preserve this copyright notice, and you cannot mention the copyright // holders in advertising related to the Software without their permission. // The Software is provided WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED. This // notice is a summary of the XORP LICENSE file; the license in that file is // legally binding. // $XORP: xorp/fea/xrl_packet_acl.hh,v 1.5 2007/02/16 22:45:53 pavlin Exp $ #ifndef __FEA_XRL_PACKET_ACL_HH__ #define __FEA_XRL_PACKET_ACL_HH__ #include <map> #include "libxorp/xlog.h" #include "libxipc/xrl_cmd_map.hh" #include "libxorp/eventloop.hh" #include "libxorp/status_codes.h" #include "libxorp/transaction.hh" #include "libxipc/xrl_router.hh" #include "pa_entry.hh" #include "pa_table.hh" #include "pa_transaction.hh" #include "xrl/targets/packet_acl_base.hh" /** * Helper class for helping with packet ACL configuration transactions * via an Xrl interface. * * The class provides error messages suitable for Xrl return values * and does some extra checking not in the PaTransactionManager class. */ class XrlPacketAclTarget : public XrlPacketAclTargetBase { protected: /** * Used to hold state for clients reading snapshots of the ACL tables. */ struct PaBrowseState { public: PaBrowseState(const XrlPacketAclTarget& xpa, const XorpTimer& timeout_timer, const PaSnapshot4* snap4, size_t idx = 0); PaBrowseState(const XrlPacketAclTarget& xpa, const PaSnapshot4* snap4, size_t idx = 0); ~PaBrowseState(); inline size_t index() const { return _idx; } inline void set_index(size_t idx) { _idx = idx; } inline const PaSnapshot4* snap4() const { return _snap4; } void defer_timeout(); void cancel_timeout(); private: const XrlPacketAclTarget& _xpa; XorpTimer _timeout_timer; const PaSnapshot4* _snap4; // XXX: not refcnted! size_t _idx; }; typedef map<uint32_t, PaBrowseState> PaBrowseDB; EventLoop& _e; PaTransactionManager& _pat; uint32_t _browse_timeout_ms; uint32_t _next_token; PaBrowseDB _bdb; void crank_token(); void timeout_browse(uint32_t token); public: inline const EventLoop& eventloop() const { return _e; } inline uint32_t browse_timeout_ms() const { return _browse_timeout_ms; } enum { BROWSE_TIMEOUT_MS = 15000 }; /** * Constructor. * * @param eventloop an EventLoop which will be used for scheduling timers. * @param cmds an XrlCmdMap that the commands associated with the target * should be added to. This is typically the XrlRouter * associated with the target. * @param pat a PaTransactionManager which manages accesses to the * underlying ACL tables. */ XrlPacketAclTarget(XrlCmdMap* cmds, EventLoop& e, PaTransactionManager& pat, uint32_t browse_timeout_ms = BROWSE_TIMEOUT_MS); /** * Destructor. * * Dissociates instance commands from command map. */ virtual ~XrlPacketAclTarget(); /** * Set command map. * * @param cmds pointer to command map to associate commands with. This * argument is typically a pointer to the XrlRouter associated with the * target. * * @return true on success, false if cmds is null or a command map has * already been supplied. */ bool set_command_map(XrlCmdMap* cmds); /** * Get Xrl instance name associated with command map. */ inline const string& name() const { return _cmds->name(); } /** * Get version string of instance. */ inline const char* version() const { return "packet_acl/0.1"; } protected: /* ---------------------------------------------------------------- */ /* XRL common interface methods */ /** * Function that needs to be implemented to: * * Get name of Xrl Target */ XrlCmdError common_0_1_get_target_name( // Output values, string& name); /** * Function that needs to be implemented to: * * Get version string from Xrl Target */ XrlCmdError common_0_1_get_version( // Output values, string& version); /** * Function that needs to be implemented to: * * Get status of Xrl Target */ XrlCmdError common_0_1_get_status( // Output values, uint32_t& status, string& reason); /** * Function that needs to be implemented to: * * Request clean shutdown of Xrl Target */ XrlCmdError common_0_1_shutdown(); /* ---------------------------------------------------------------- */ /* XRL packet_acl interface: global methods */ /** * Function that needs to be implemented to: * Get the name of the ACL back-end provider currently in use. */ XrlCmdError packet_acl_0_1_get_backend( // Output values, string& name); /** * Function that needs to be implemented to: * Set the underlying packet ACL provider type in use. NOTE: If XORP rules * currently exist, this operation will perform an implicit flush and * reload when switching to the new provider. */ XrlCmdError packet_acl_0_1_set_backend( // Input values, const string& name); /** * Function that needs to be implemented to: * Get the underlying packet ACL provider version in use. */ XrlCmdError packet_acl_0_1_get_version( // Output values, string& version); /* ---------------------------------------------------------------- */ /* XRL packet_acl interface: transaction control methods */ /** * Function that needs to be implemented to: * Start an ACL configuration transaction. * * @param tid The number of the newly started transaction. */ XrlCmdError packet_acl_0_1_start_transaction( // Output values, uint32_t& tid); /** * Function that needs to be implemented to: * Commit a previously started ACL configuration transaction. * * @param tid The number of the transaction to commit. */ XrlCmdError packet_acl_0_1_commit_transaction( // Input values, const uint32_t& tid); /** * Function that needs to be implemented to: * Abort an ACL configuration transaction in progress. * * @param tid The number of the transaction to abort. */ XrlCmdError packet_acl_0_1_abort_transaction( // Input values, const uint32_t& tid); /* ---------------------------------------------------------------- */ /* XRL packet_acl interface: per-transaction methods */ /** * Function that needs to be implemented to: * Add an IPv6 family ACL entry. * * @param tid The number of the transaction for this operation. * @param ifname Name of the interface where this filter is to be applied. * @param vifname Name of the vif where this filter is to be applied. * @param src Source IPv6 address with network prefix. * @param dst Destination IPv6 address with network prefix. * @param proto IP protocol number for match (0-255, 255 is wildcard). * @param sport Source TCP/UDP port (0-65535, 0 is wildcard). * @param dport Destination TCP/UDP port (0-65535, 0 is wildcard). * @param action Action to take when this ACL entry is matched. */ XrlCmdError packet_acl_0_1_add_entry4( // Input values, const uint32_t& tid, const string& ifname, const string& vifname, const IPv4Net& src, const IPv4Net& dst, const uint32_t& proto, const uint32_t& sport, const uint32_t& dport, const string& action); /** * Function that needs to be implemented to: * Delete an IPv4 family ACL entry. * * @param tid The number of the transaction for this operation. * @param ifname Name of the interface where this filter is to be deleted. * @param vifname Name of the vif where this filter is to be deleted. * @param src Source IPv4 address with network prefix. * @param dst Destination IPv4 address with network prefix. * @param proto IP protocol number for match (0-255, 255 is wildcard). * @param sport Source TCP/UDP port (0-65535, 0 is wildcard). * @param dport Destination TCP/UDP port (0-65535, 0 is wildcard). */ XrlCmdError packet_acl_0_1_delete_entry4( // Input values, const uint32_t& tid, const string& ifname, const string& vifname, const IPv4Net& src, const IPv4Net& dst, const uint32_t& proto, const uint32_t& sport, const uint32_t& dport); /** * Function that needs to be implemented to: * Delete all IPv4 family ACL entries. * * @param tid The number of the transaction for this operation. */ XrlCmdError packet_acl_0_1_delete_all_entries4( // Input values, const uint32_t& tid); XrlCmdError packet_acl_0_1_get_entry_list_start4( // Output values, uint32_t& token, bool& more); XrlCmdError packet_acl_0_1_get_entry_list_next4( // Input values, const uint32_t& token, // Output values, string& ifname, string& vifname, IPv4Net& src, IPv4Net& dst, uint32_t& proto, uint32_t& sport, uint32_t& dport, string& action, bool& more); /** * Function that needs to be implemented to: * Add an IPv6 family ACL entry. * * @param tid The number of the transaction for this operation. * @param ifname Name of the interface where this filter is to be applied. * @param vifname Name of the vif where this filter is to be applied. * @param src Source IPv6 address with network prefix. * @param dst Destination IPv6 address with network prefix. * @param proto IP protocol number for match (0-255, 255 is wildcard). * @param sport Source TCP/UDP port (0-65535, 0 is wildcard). * @param dport Destination TCP/UDP port (0-65535, 0 is wildcard). * @param action Action to take when this filter is matched. */ XrlCmdError packet_acl_0_1_add_entry6( // Input values, const uint32_t& tid, const string& ifname, const string& vifname, const IPv6Net& src, const IPv6Net& dst, const uint32_t& proto, const uint32_t& sport, const uint32_t& dport, const string& action); /** * Function that needs to be implemented to: * Delete an IPv6 family ACL entry. * * @param tid The number of the transaction for this operation. * @param ifname Name of the interface where this filter is to be deleted. * @param vifname Name of the vif where this filter is to be deleted. * @param src Source IPv6 address with network prefix. * @param dst Destination IPv6 address with network prefix. * @param proto IP protocol number for match (0-255, 255 is wildcard). * @param sport Source TCP/UDP port (0-65535, 0 is wildcard). * @param dport Destination TCP/UDP port (0-65535, 0 is wildcard). */ XrlCmdError packet_acl_0_1_delete_entry6( // Input values, const uint32_t& tid, const string& ifname, const string& vifname, const IPv6Net& src, const IPv6Net& dst, const uint32_t& proto, const uint32_t& sport, const uint32_t& dport); /** * Function that needs to be implemented to: * Delete all IPv6 family ACL entries. * * @param tid The number of the transaction for this operation. */ XrlCmdError packet_acl_0_1_delete_all_entries6( // Input values, const uint32_t& tid); }; #endif /* __FEA_XRL_PACKET_ACL_HH__ */