1 | /** |
2 | * @file IxEthDBFirewall.c | |
3 | * | |
4 | * @brief Implementation of the firewall API | |
5 | * | |
6 | * @par | |
7 | * IXP400 SW Release version 2.0 | |
8 | * | |
9 | * -- Copyright Notice -- | |
10 | * | |
11 | * @par | |
12 | * Copyright 2001-2005, Intel Corporation. | |
13 | * All rights reserved. | |
14 | * | |
15 | * @par | |
16 | * Redistribution and use in source and binary forms, with or without | |
17 | * modification, are permitted provided that the following conditions | |
18 | * are met: | |
19 | * 1. Redistributions of source code must retain the above copyright | |
20 | * notice, this list of conditions and the following disclaimer. | |
21 | * 2. Redistributions in binary form must reproduce the above copyright | |
22 | * notice, this list of conditions and the following disclaimer in the | |
23 | * documentation and/or other materials provided with the distribution. | |
24 | * 3. Neither the name of the Intel Corporation nor the names of its contributors | |
25 | * may be used to endorse or promote products derived from this software | |
26 | * without specific prior written permission. | |
27 | * | |
28 | * @par | |
29 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ``AS IS'' | |
30 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
31 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
32 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE | |
33 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
34 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |
35 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
36 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | |
37 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |
38 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |
39 | * SUCH DAMAGE. | |
40 | * | |
41 | * @par | |
42 | * -- End of Copyright Notice -- | |
43 | */ | |
44 | ||
45 | ||
46 | #include "IxEthDB_p.h" | |
47 | ||
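/**
 * @brief updates the NPE firewall operating mode and
 * firewall address table
 *
 * @param portID ID of the port
 * @param address address of the firewall MAC address table
 * @param epDelta initial entry point for binary searches (NPE optimization)
 *
 * This function will send a message to the NPE configuring the
 * firewall mode (white list or black list), invalid source
 * address filtering and downloading a new MAC address database
 * to be used for firewall matching.
 *
 * The mode word handed to the NPE packs two flags read from the
 * port's cached configuration in ixEthDBPortInfo:
 *   bit 1 - invalid source MAC address filtering is enabled
 *   bit 0 - white-list mode (clear means black-list mode)
 *
 * No IX_ETH_DB_CHECK_PORT is performed here: portID is used to index
 * ixEthDBPortInfo directly, so callers must pass a validated port
 * (every public entry point in this file runs IX_ETH_DB_CHECK_PORT
 * before triggering a table download).
 *
 * @return IX_ETH_DB_SUCCESS if the operation completed
 * successfully or IX_ETH_DB_FAIL otherwise
 *
 * @internal
 */
IX_ETH_DB_PUBLIC
IxEthDBStatus ixEthDBFirewallUpdate(IxEthDBPortId portID, void *address, UINT32 epDelta)
{
    IxNpeMhMessage message;
    IX_STATUS result;
    PortInfo *portInfo = &ixEthDBPortInfo[portID];
    UINT32 mode;

    /* Both comparisons yield 0 or 1, so the shifted filter flag (bit 1)
     * and the white-list flag (bit 0) never overlap. The explicit
     * parentheses make the intended precedence (shift before or) visible. */
    mode = ((UINT32) (portInfo->srcAddressFilterEnabled != FALSE) << 1)
         | (UINT32) (portInfo->firewallMode == IX_ETH_DB_FIREWALL_WHITE_LIST);

    /* the NPE addresses the table by physical address, hence the translation */
    FILL_SETFIREWALLMODE_MSG(message,
        IX_ETH_DB_PORT_ID_TO_NPE_LOGICAL_ID(portID),
        epDelta,
        mode,
        IX_OSAL_MMU_VIRT_TO_PHYS(address));

    /* result is assigned by the macro; it is returned as an IxEthDBStatus,
     * so the macro is presumably expected to yield IX_ETH_DB_SUCCESS or
     * IX_ETH_DB_FAIL as documented above - confirm against IxEthDB_p.h */
    IX_ETHDB_SEND_NPE_MSG(IX_ETH_DB_PORT_ID_TO_NPE(portID), message, result);

    return result;
}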
87 | ||
/**
 * @brief configures the firewall white list/black list
 * access mode
 *
 * @param portID ID of the port
 * @param mode firewall filtering mode (IX_ETH_DB_FIREWALL_WHITE_LIST
 * or IX_ETH_DB_FIREWALL_BLACK_LIST)
 *
 * Any other value of mode is rejected with IX_ETH_DB_INVALID_ARG
 * before the port's cached configuration is touched. Once the mode
 * has been stored in ixEthDBPortInfo the firewall table is pushed
 * to the NPE via ixEthDBFirewallTableDownload, whose status is
 * returned; the cached mode is not rolled back if that download fails.
 *
 * Note that this function is documented in the main component
 * header file, IxEthDB.h.
 *
 * @return IX_ETH_DB_SUCCESS if the operation completed
 * successfully or an appropriate error message otherwise
 */
IX_ETH_DB_PUBLIC
IxEthDBStatus ixEthDBFirewallModeSet(IxEthDBPortId portID, IxEthDBFirewallMode mode)
{
    PortInfo *portInfo;

    /* the IX_ETH_DB_CHECK_* macros (IxEthDB_p.h) are expected to return
     * an error status from this function when their check fails */
    IX_ETH_DB_CHECK_PORT(portID);

    IX_ETH_DB_CHECK_SINGLE_NPE(portID);

    IX_ETH_DB_CHECK_FEATURE(portID, IX_ETH_DB_FIREWALL);

    /* only the two documented filtering modes are accepted */
    switch (mode)
    {
        case IX_ETH_DB_FIREWALL_WHITE_LIST:
        case IX_ETH_DB_FIREWALL_BLACK_LIST:
            break;

        default:
            return IX_ETH_DB_INVALID_ARG;
    }

    portInfo = &ixEthDBPortInfo[portID];
    portInfo->firewallMode = mode;

    /* the new mode only takes effect on the NPE after the table download */
    return ixEthDBFirewallTableDownload(portID);
}
121 | ||
/**
 * @brief enables or disables the invalid source MAC address filter
 *
 * @param portID ID of the port
 * @param enable TRUE to enable invalid source MAC address filtering
 * or FALSE to disable it
 *
 * The invalid source MAC address filter will discard, when enabled,
 * frames whose source MAC address is a multicast or the broadcast MAC
 * address.
 *
 * The flag is stored as given in the port's cached configuration
 * (ixEthDBPortInfo) and then propagated to the NPE through
 * ixEthDBFirewallTableDownload, whose status is returned.
 *
 * Note that this function is documented in the main component
 * header file, IxEthDB.h.
 *
 * @return IX_ETH_DB_SUCCESS if the operation completed
 * successfully or an appropriate error message otherwise
 */
IX_ETH_DB_PUBLIC
IxEthDBStatus ixEthDBFirewallInvalidAddressFilterEnable(IxEthDBPortId portID, BOOL enable)
{
    PortInfo *portInfo;

    /* the IX_ETH_DB_CHECK_* macros (IxEthDB_p.h) are expected to return
     * an error status from this function when their check fails */
    IX_ETH_DB_CHECK_PORT(portID);

    IX_ETH_DB_CHECK_SINGLE_NPE(portID);

    IX_ETH_DB_CHECK_FEATURE(portID, IX_ETH_DB_FIREWALL);

    portInfo = &ixEthDBPortInfo[portID];
    portInfo->srcAddressFilterEnabled = enable;

    /* the NPE picks the flag up as part of the firewall mode word */
    return ixEthDBFirewallTableDownload(portID);
}
152 | ||
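/**
 * @brief adds a firewall record
 *
 * @param portID ID of the port
 * @param macAddr MAC address of the new record
 *
 * This function will add a new firewall record
 * on the specified port, using the specified
 * MAC address. If the record already exists this
 * function will silently return IX_ETH_DB_SUCCESS,
 * although no duplicate records are added.
 *
 * The record is described by a zero-initialised MacDescriptor
 * template carrying only the MAC address, the record type
 * (IX_ETH_DB_FIREWALL_RECORD) and the port; the actual insertion
 * and its status are delegated to ixEthDBAdd.
 *
 * Note that this function is documented in the main
 * component header file, IxEthDB.h.
 *
 * @return IX_ETH_DB_SUCCESS if the operation completed
 * successfully or an appropriate error message otherwise
 */
IX_ETH_DB_PUBLIC
IxEthDBStatus ixEthDBFirewallEntryAdd(IxEthDBPortId portID, IxEthDBMacAddr *macAddr)
{
    /* zero the whole template: only macAddress, type and portID are set
     * below, and a fully defined template avoids handing indeterminate
     * bytes to ixEthDBAdd should it copy any other descriptor field */
    MacDescriptor recordTemplate = {0};

    /* the IX_ETH_DB_CHECK_* macros (IxEthDB_p.h) are expected to return
     * an error status from this function when their check fails;
     * CHECK_REFERENCE guards macAddr before it is dereferenced below */
    IX_ETH_DB_CHECK_PORT(portID);

    IX_ETH_DB_CHECK_SINGLE_NPE(portID);

    IX_ETH_DB_CHECK_REFERENCE(macAddr);

    IX_ETH_DB_CHECK_FEATURE(portID, IX_ETH_DB_FIREWALL);

    memcpy(recordTemplate.macAddress, macAddr, sizeof (IxEthDBMacAddr));

    recordTemplate.type = IX_ETH_DB_FIREWALL_RECORD;
    recordTemplate.portID = portID;

    return ixEthDBAdd(&recordTemplate, NULL);
}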
191 | ||
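/**
 * @brief removes a firewall record
 *
 * @param portID ID of the port
 * @param macAddr MAC address of the record to remove
 *
 * This function will attempt to remove a firewall
 * record from the given port, using the specified
 * MAC address.
 *
 * The record to remove is described by a zero-initialised
 * MacDescriptor template carrying only the MAC address, the
 * record type (IX_ETH_DB_FIREWALL_RECORD) and the port; the
 * lookup and removal, and their status, are delegated to
 * ixEthDBRemove.
 *
 * Note that this function is documented in the main
 * component header file, IxEthDB.h.
 *
 * @return IX_ETH_DB_SUCCESS if the operation completed
 * successfully or an appropriate error message otherwise
 */
IX_ETH_DB_PUBLIC
IxEthDBStatus ixEthDBFirewallEntryRemove(IxEthDBPortId portID, IxEthDBMacAddr *macAddr)
{
    /* zero the whole template: only macAddress, type and portID are set
     * below, and a fully defined template avoids handing indeterminate
     * bytes to ixEthDBRemove should it read any other descriptor field */
    MacDescriptor recordTemplate = {0};

    /* the IX_ETH_DB_CHECK_* macros (IxEthDB_p.h) are expected to return
     * an error status from this function when their check fails;
     * CHECK_REFERENCE guards macAddr before it is dereferenced below */
    IX_ETH_DB_CHECK_PORT(portID);

    IX_ETH_DB_CHECK_SINGLE_NPE(portID);

    IX_ETH_DB_CHECK_REFERENCE(macAddr);

    IX_ETH_DB_CHECK_FEATURE(portID, IX_ETH_DB_FIREWALL);

    memcpy(recordTemplate.macAddress, macAddr, sizeof (IxEthDBMacAddr));

    recordTemplate.type = IX_ETH_DB_FIREWALL_RECORD;
    recordTemplate.portID = portID;

    return ixEthDBRemove(&recordTemplate, NULL);
}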
228 | ||
/**
 * @brief downloads the firewall address table to an NPE
 *
 * @param portID ID of the port
 *
 * This function will download the firewall address table to
 * an NPE port.
 *
 * The firewall records belonging to the port are collected with
 * ixEthDBQuery (at most MAX_FW_SIZE of them) into the port's
 * updateMethod.searchTree, and ixEthDBNPEUpdateHandler then pushes
 * that tree to the NPE. Both steps run under the database update
 * lock so the tree is not modified while it is being built and sent.
 *
 * Note that this function is documented in the main
 * component header file, IxEthDB.h.
 *
 * @return IX_ETH_DB_SUCCESS if the operation completed
 * successfully or IX_ETH_DB_FAIL otherwise
 */
IX_ETH_DB_PUBLIC
IxEthDBStatus ixEthDBFirewallTableDownload(IxEthDBPortId portID)
{
    IxEthDBPortMap dependencyMap;
    IxEthDBStatus status;

    /* the IX_ETH_DB_CHECK_* macros (IxEthDB_p.h) are expected to return
     * an error status from this function when their check fails */
    IX_ETH_DB_CHECK_PORT(portID);

    IX_ETH_DB_CHECK_SINGLE_NPE(portID);

    IX_ETH_DB_CHECK_FEATURE(portID, IX_ETH_DB_FIREWALL);

    /* restrict the query to records that depend on this port */
    SET_DEPENDENCY_MAP(dependencyMap, portID);

    ixEthDBUpdateLock();

    /* build the search tree of firewall records for the port ... */
    ixEthDBPortInfo[portID].updateMethod.searchTree =
        ixEthDBQuery(NULL, dependencyMap, IX_ETH_DB_FIREWALL_RECORD, MAX_FW_SIZE);

    /* ... and hand it to the NPE update path while still holding the lock */
    status = ixEthDBNPEUpdateHandler(portID, IX_ETH_DB_FIREWALL_RECORD);

    ixEthDBUpdateUnlock();

    return status;
}