Wolfgang Denk | 4646d2a | 2006-05-30 15:56:48 +0200 | [diff] [blame] | 1 | /** |
| 2 | * @file IxEthDBFirewall.c |
| 3 | * |
| 4 | * @brief Implementation of the firewall API |
| 5 | * |
| 6 | * @par |
| 7 | * IXP400 SW Release version 2.0 |
| 8 | * |
| 9 | * -- Copyright Notice -- |
| 10 | * |
| 11 | * @par |
| 12 | * Copyright 2001-2005, Intel Corporation. |
| 13 | * All rights reserved. |
| 14 | * |
| 15 | * @par |
| 16 | * Redistribution and use in source and binary forms, with or without |
| 17 | * modification, are permitted provided that the following conditions |
| 18 | * are met: |
| 19 | * 1. Redistributions of source code must retain the above copyright |
| 20 | * notice, this list of conditions and the following disclaimer. |
| 21 | * 2. Redistributions in binary form must reproduce the above copyright |
| 22 | * notice, this list of conditions and the following disclaimer in the |
| 23 | * documentation and/or other materials provided with the distribution. |
| 24 | * 3. Neither the name of the Intel Corporation nor the names of its contributors |
| 25 | * may be used to endorse or promote products derived from this software |
| 26 | * without specific prior written permission. |
| 27 | * |
| 28 | * @par |
| 29 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ``AS IS'' |
| 30 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
| 31 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
| 32 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE |
| 33 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
| 34 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
| 35 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
| 36 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
| 37 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
| 38 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
| 39 | * SUCH DAMAGE. |
| 40 | * |
| 41 | * @par |
| 42 | * -- End of Copyright Notice -- |
| 43 | */ |
| 44 | |
| 45 | |
| 46 | #include "IxEthDB_p.h" |
| 47 | |
| 48 | /** |
| 49 | * @brief updates the NPE firewall operating mode and |
| 50 | * firewall address table |
| 51 | * |
| 52 | * @param portID ID of the port |
| 53 | * @param epDelta initial entry point for binary searches (NPE optimization) |
| 54 | * @param address address of the firewall MAC address table |
| 55 | * |
| 56 | * This function will send a message to the NPE configuring the |
| 57 | * firewall mode (white list or black list), invalid source |
| 58 | * address filtering and downloading a new MAC address database |
| 59 | * to be used for firewall matching. |
| 60 | * |
| 61 | * @return IX_ETH_DB_SUCCESS if the operation completed |
| 62 | * successfully or IX_ETH_DB_FAIL otherwise |
| 63 | * |
| 64 | * @internal |
| 65 | */ |
| 66 | IX_ETH_DB_PUBLIC |
| 67 | IxEthDBStatus ixEthDBFirewallUpdate(IxEthDBPortId portID, void *address, UINT32 epDelta) |
| 68 | { |
| 69 | IxNpeMhMessage message; |
| 70 | IX_STATUS result; |
| 71 | |
| 72 | UINT32 mode = 0; |
| 73 | PortInfo *portInfo = &ixEthDBPortInfo[portID]; |
| 74 | |
| 75 | mode = (portInfo->srcAddressFilterEnabled != FALSE) << 1 | (portInfo->firewallMode == IX_ETH_DB_FIREWALL_WHITE_LIST); |
| 76 | |
| 77 | FILL_SETFIREWALLMODE_MSG(message, |
| 78 | IX_ETH_DB_PORT_ID_TO_NPE_LOGICAL_ID(portID), |
| 79 | epDelta, |
| 80 | mode, |
| 81 | IX_OSAL_MMU_VIRT_TO_PHYS(address)); |
| 82 | |
| 83 | IX_ETHDB_SEND_NPE_MSG(IX_ETH_DB_PORT_ID_TO_NPE(portID), message, result); |
| 84 | |
| 85 | return result; |
| 86 | } |
| 87 | |
| 88 | /** |
| 89 | * @brief configures the firewall white list/black list |
| 90 | * access mode |
| 91 | * |
| 92 | * @param portID ID of the port |
| 93 | * @param mode firewall filtering mode (IX_ETH_DB_FIREWALL_WHITE_LIST |
| 94 | * or IX_ETH_DB_FIREWALL_BLACK_LIST) |
| 95 | * |
| 96 | * Note that this function is documented in the main component |
| 97 | * header file, IxEthDB.h. |
| 98 | * |
| 99 | * @return IX_ETH_DB_SUCCESS if the operation completed |
| 100 | * successfully or an appropriate error message otherwise |
| 101 | */ |
| 102 | IX_ETH_DB_PUBLIC |
| 103 | IxEthDBStatus ixEthDBFirewallModeSet(IxEthDBPortId portID, IxEthDBFirewallMode mode) |
| 104 | { |
| 105 | IX_ETH_DB_CHECK_PORT(portID); |
| 106 | |
| 107 | IX_ETH_DB_CHECK_SINGLE_NPE(portID); |
| 108 | |
| 109 | IX_ETH_DB_CHECK_FEATURE(portID, IX_ETH_DB_FIREWALL); |
| 110 | |
| 111 | if (mode != IX_ETH_DB_FIREWALL_WHITE_LIST |
| 112 | && mode != IX_ETH_DB_FIREWALL_BLACK_LIST) |
| 113 | { |
| 114 | return IX_ETH_DB_INVALID_ARG; |
| 115 | } |
| 116 | |
| 117 | ixEthDBPortInfo[portID].firewallMode = mode; |
| 118 | |
| 119 | return ixEthDBFirewallTableDownload(portID); |
| 120 | } |
| 121 | |
| 122 | /** |
| 123 | * @brief enables or disables the invalid source MAC address filter |
| 124 | * |
| 125 | * @param portID ID of the port |
| 126 | * @param enable TRUE to enable invalid source MAC address filtering |
| 127 | * or FALSE to disable it |
| 128 | * |
| 129 | * The invalid source MAC address filter will discard, when enabled, |
| 130 | * frames whose source MAC address is a multicast or the broadcast MAC |
| 131 | * address. |
| 132 | * |
| 133 | * Note that this function is documented in the main component |
| 134 | * header file, IxEthDB.h. |
| 135 | * |
| 136 | * @return IX_ETH_DB_SUCCESS if the operation completed |
| 137 | * successfully or an appropriate error message otherwise |
| 138 | */ |
| 139 | IX_ETH_DB_PUBLIC |
| 140 | IxEthDBStatus ixEthDBFirewallInvalidAddressFilterEnable(IxEthDBPortId portID, BOOL enable) |
| 141 | { |
| 142 | IX_ETH_DB_CHECK_PORT(portID); |
| 143 | |
| 144 | IX_ETH_DB_CHECK_SINGLE_NPE(portID); |
| 145 | |
| 146 | IX_ETH_DB_CHECK_FEATURE(portID, IX_ETH_DB_FIREWALL); |
| 147 | |
| 148 | ixEthDBPortInfo[portID].srcAddressFilterEnabled = enable; |
| 149 | |
| 150 | return ixEthDBFirewallTableDownload(portID); |
| 151 | } |
| 152 | |
| 153 | /** |
| 154 | * @brief adds a firewall record |
| 155 | * |
| 156 | * @param portID ID of the port |
| 157 | * @param macAddr MAC address of the new record |
| 158 | * |
| 159 | * This function will add a new firewall record |
| 160 | * on the specified port, using the specified |
| 161 | * MAC address. If the record already exists this |
| 162 | * function will silently return IX_ETH_DB_SUCCESS, |
| 163 | * although no duplicate records are added. |
| 164 | * |
| 165 | * Note that this function is documented in the main |
| 166 | * component header file, IxEthDB.h. |
| 167 | * |
| 168 | * @return IX_ETH_DB_SUCCESS if the operation completed |
| 169 | * successfully or an appropriate error message otherwise |
| 170 | */ |
| 171 | IX_ETH_DB_PUBLIC |
| 172 | IxEthDBStatus ixEthDBFirewallEntryAdd(IxEthDBPortId portID, IxEthDBMacAddr *macAddr) |
| 173 | { |
| 174 | MacDescriptor recordTemplate; |
| 175 | |
| 176 | IX_ETH_DB_CHECK_PORT(portID); |
| 177 | |
| 178 | IX_ETH_DB_CHECK_SINGLE_NPE(portID); |
| 179 | |
| 180 | IX_ETH_DB_CHECK_REFERENCE(macAddr); |
| 181 | |
| 182 | IX_ETH_DB_CHECK_FEATURE(portID, IX_ETH_DB_FIREWALL); |
| 183 | |
| 184 | memcpy(recordTemplate.macAddress, macAddr, sizeof (IxEthDBMacAddr)); |
| 185 | |
| 186 | recordTemplate.type = IX_ETH_DB_FIREWALL_RECORD; |
| 187 | recordTemplate.portID = portID; |
| 188 | |
| 189 | return ixEthDBAdd(&recordTemplate, NULL); |
| 190 | } |
| 191 | |
| 192 | /** |
| 193 | * @brief removes a firewall record |
| 194 | * |
| 195 | * @param portID ID of the port |
| 196 | * @param macAddr MAC address of the record to remove |
| 197 | * |
| 198 | * This function will attempt to remove a firewall |
| 199 | * record from the given port, using the specified |
| 200 | * MAC address. |
| 201 | * |
| 202 | * Note that this function is documented in the main |
| 203 | * component header file, IxEthDB.h. |
| 204 | * |
| 205 | * @return IX_ETH_DB_SUCCESS if the operation completed |
| 206 | * successfully of an appropriate error message otherwise |
| 207 | */ |
| 208 | IX_ETH_DB_PUBLIC |
| 209 | IxEthDBStatus ixEthDBFirewallEntryRemove(IxEthDBPortId portID, IxEthDBMacAddr *macAddr) |
| 210 | { |
| 211 | MacDescriptor recordTemplate; |
| 212 | |
| 213 | IX_ETH_DB_CHECK_PORT(portID); |
| 214 | |
| 215 | IX_ETH_DB_CHECK_SINGLE_NPE(portID); |
| 216 | |
| 217 | IX_ETH_DB_CHECK_REFERENCE(macAddr); |
| 218 | |
| 219 | IX_ETH_DB_CHECK_FEATURE(portID, IX_ETH_DB_FIREWALL); |
| 220 | |
| 221 | memcpy(recordTemplate.macAddress, macAddr, sizeof (IxEthDBMacAddr)); |
| 222 | |
| 223 | recordTemplate.type = IX_ETH_DB_FIREWALL_RECORD; |
| 224 | recordTemplate.portID = portID; |
| 225 | |
| 226 | return ixEthDBRemove(&recordTemplate, NULL); |
| 227 | } |
| 228 | |
| 229 | /** |
| 230 | * @brief downloads the firewall address table to an NPE |
| 231 | * |
| 232 | * @param portID ID of the port |
| 233 | * |
| 234 | * This function will download the firewall address table to |
| 235 | * an NPE port. |
| 236 | * |
| 237 | * Note that this function is documented in the main |
| 238 | * component header file, IxEthDB.h. |
| 239 | * |
| 240 | * @return IX_ETH_DB_SUCCESS if the operation completed |
| 241 | * successfully or IX_ETH_DB_FAIL otherwise |
| 242 | */ |
| 243 | IX_ETH_DB_PUBLIC |
| 244 | IxEthDBStatus ixEthDBFirewallTableDownload(IxEthDBPortId portID) |
| 245 | { |
| 246 | IxEthDBPortMap query; |
| 247 | IxEthDBStatus result; |
| 248 | |
| 249 | IX_ETH_DB_CHECK_PORT(portID); |
| 250 | |
| 251 | IX_ETH_DB_CHECK_SINGLE_NPE(portID); |
| 252 | |
| 253 | IX_ETH_DB_CHECK_FEATURE(portID, IX_ETH_DB_FIREWALL); |
| 254 | |
| 255 | SET_DEPENDENCY_MAP(query, portID); |
| 256 | |
| 257 | ixEthDBUpdateLock(); |
| 258 | |
| 259 | ixEthDBPortInfo[portID].updateMethod.searchTree = ixEthDBQuery(NULL, query, IX_ETH_DB_FIREWALL_RECORD, MAX_FW_SIZE); |
| 260 | |
| 261 | result = ixEthDBNPEUpdateHandler(portID, IX_ETH_DB_FIREWALL_RECORD); |
| 262 | |
| 263 | ixEthDBUpdateUnlock(); |
| 264 | |
| 265 | return result; |
| 266 | } |