Open Ethernet Networking (OpEN) API Guide and Reference Manual
3.6.0.3
This document provides a brief description of the Access Control List (ACL) OpEN APIs. The ACL OpEN APIs allow processes outside of the ICOS main process (switchdrvr) to access the security access-list configuration. Specifically, named ACLs are supported for the IP, IPv6, and MAC protocols.
Several APIs are available to create, delete and retrieve an access list. To create an ACL, the name of the ACL as well as the protocol type must be provided. An ACL identifier is then returned, which is used as the id or index for that ACL in all subsequent access and references. Here is a summary of the ACL management capabilities:
Once an ACL has been created, one or more rules can be added to it. Each ACL can contain several rules, and each rule performs an action of either permit or deny. Here is a list of the action-related API capabilities:
Once an ACL and a rule (permit or deny) have been created, one or more match conditions can be added to the rule. Several match conditions are available, both standard and extended (source and destination comparisons). Specific match conditions are added and retrieved by ACL id and rule id. The following list shows some sample match conditions and is not all-inclusive:
Please note that, given the wide range and variety of ACLs, not all ACL capabilities are supported on every platform and/or ICOS image. Each ACL API performs a feature check and returns an OPEN_E_UNAVAIL code if the associated match condition is not available.
Once an ACL is defined, it can be applied to an interface to filter traffic. Physical, LAG (if supported), and Control Plane (CPU port) interfaces can be specified, as well as VLANs. In addition to the interface, the direction (inbound or outbound) and optionally the evaluation-order sequence number are specified. The following access group/traffic filter commands are available:
All 'Set' operations affect the Switch behavior and configuration.
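The create-ACL, add-rule, add-match-condition and feature-check flow described above, as an added host-side model that is not OpEN code and not part of acl_example.c: every type, function name, status value and the capability flag below is constructed for the example, and the implicit deny when no rule matches is the example's own assumption about ACL evaluation.

```c
#include <stdint.h>
#include <string.h>
typedef enum { E_NONE = 0, E_FAIL = -1, E_UNAVAIL = -2 } err_t;  /* constructed status codes */
typedef enum { ACT_DENY = 0, ACT_PERMIT = 1 } action_t;
typedef struct { action_t act; uint32_t sip, smask; uint8_t proto; uint16_t dport_gt; } rule_t;
typedef struct { char name[32]; int type; int nrules; rule_t r[8]; } acl_t;
static acl_t g_acls[4];                 /* constructed ACL table (zeroed); ACL id = index */
static int g_dport_gt_supported = 0;    /* constructed platform capability flag           */
/* Create a named ACL of the given type and return its id, as the guide describes. */
err_t acl_create(const char *name, int type, int *id) {
    for (*id = 0; *id < 4 && g_acls[*id].name[0] != '\0'; (*id)++) ;   /* first free slot */
    if (*id == 4) return E_FAIL;
    strncpy(g_acls[*id].name, name, sizeof g_acls[*id].name - 1); g_acls[*id].type = type;
    return E_NONE;
}
static rule_t *rule_at(int id, int rule) {   /* conditions address a rule by ACL id + rule id */
    if (id < 0 || id > 3 || rule < 0 || rule >= g_acls[id].nrules) return NULL;
    return &g_acls[id].r[rule];
}
/* Rules are appended in id order; a fresh (all-zero) rule matches every packet. */
err_t acl_rule_action_add(int id, int rule, action_t act) {
    if (id < 0 || id > 3 || rule != g_acls[id].nrules || rule >= 8) return E_FAIL;
    g_acls[id].r[rule].act = act; g_acls[id].nrules++; return E_NONE;
}
err_t acl_rule_src_ip_add(int id, int rule, uint32_t ip, uint32_t mask) {
    rule_t *r = rule_at(id, rule); if (!r) return E_FAIL;
    r->sip = ip; r->smask = mask; return E_NONE;
}
err_t acl_rule_proto_add(int id, int rule, uint8_t proto) {
    rule_t *r = rule_at(id, rule); if (!r) return E_FAIL;
    r->proto = proto; return E_NONE;
}
/* Feature check first: an unsupported match condition reports UNAVAIL, not success. */
err_t acl_rule_dst_port_gt_add(int id, int rule, uint16_t port) {
    rule_t *r = rule_at(id, rule); if (!r) return E_FAIL;
    if (!g_dport_gt_supported) return E_UNAVAIL;
    r->dport_gt = port; return E_NONE;
}
/* Evaluate a packet: rules in id order, first match wins, implicit deny if none match. */
action_t acl_eval(int id, uint32_t sip, uint8_t proto, uint16_t dport) {
    if (id < 0 || id > 3) return ACT_DENY;
    for (int i = 0; i < g_acls[id].nrules; i++) {
        const rule_t *r = &g_acls[id].r[i];
        if ((sip & r->smask) != (r->sip & r->smask)) continue;
        if (r->proto && r->proto != proto) continue;
        if (r->dport_gt && dport <= r->dport_gt) continue;
        return r->act;
    }
    return ACT_DENY;
}
```

A caller that ignores the UNAVAIL code and assumes the condition was installed ends up with a rule that matches more traffic than intended, which is why the example treats it as a distinct result rather than success.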
In its main function, the sample application initializes the OpEN API RPC service by calling openapiClientRegister() and waits for the RPC service in switchdrvr to start. openapiClientRegister() returns a client handle, which is used when invoking the OpEN APIs. The application then exercises the associated OpEN APIs and logs informational and/or error messages on the console. The example application runs to completion and exits.
acl_example.c is a sample application that demonstrates the use of the ACL OpEN API. acl_example is started from the command line. The example is quite extensive in that it demonstrates most of the ACL features. It first deletes the previously defined ACL named test_ip_renamed (if it exists) and creates a new ACL named test_ip. A total of 8 action rules (7 permits and 1 deny) are created with various match conditions. Similar ACLs are then created for both IPv6 and MAC, with the names test_ipv6, test_ipv6_renamed, test_mac, and test_mac_renamed. Each match condition is typically verified by retrieving the protocol or attribute that was set and comparing it to the value requested.
Once all three ACLs are created, access groups are created and assigned to various sample interfaces, demonstrating traffic filter assignment. Before completion, the demonstration displays some general information such as the configured ACLs and their assignments.
The following is the list and sequence of these sanity tests, starting with the IP protocol.
Note that 'Feature not supported' is shown in the output where a capability is unavailable on the platform.
# ./acl_example
Begin Sanity tests...
Create named IP ACL...
Sanity Success - testAclCreate - .
Sanity Success - testAclAddIpRules - PERMIT.
Sanity Success - testAclAddIpRules - Every.
Sanity Success - testAclAddIpRules - Assign Queue.
Sanity Success - testAclAddIpRules - Logging.
Sanity Success - testAclAddIpRules - Packet Mirroring Interface.
Sanity Success - testAclAddIpRules - PERMIT.
Sanity Success - testAclAddIpRules - Source IPv4 Address/Mask.
Sanity Success - testAclAddIpRules - Destination IPv4 Address/Mask.
Sanity Success - testAclAddIpRules - PIM Protocol.
Sanity Success - testAclAddIpRules - DSCP Value.
Sanity Success - testAclAddIpRules - IP Fragments.
Sanity Success - testAclAddIpRules - Precedence Value.
Sanity Success - testAclAddIpRules - ToS and Tos Mask Value.
Sanity Success - testAclAddIpRules - Packet Redirection Interface.
Sanity Success - testAclAddIpRules - PERMIT.
Sanity Success - testAclAddIpRules - TCP Protocol.
Sanity Success - testAclAddIpRules - Packet Redirect External Agent.
Sanity Success - testAclAddIpRules - Simple traffic rate-limit policing.
Sanity Success - testAclAddIpRules - Time based activation.
Sanity Success - testAclAddIpRules - Time Range status.
Sanity Success - testAclAddIpRules - PERMIT.
Sanity Success - testAclAddIpRules - ICMP Protocol.
Sanity Success - testAclAddIpRules - ICMP messaging for 'Echo'.
Sanity Success - testAclAddIpRules - PERMIT.
Sanity Success - testAclAddIpRules - IGMP Protocol.
Sanity Success - testAclAddIpRules - IGMP messaging for 'Multicast Traceroute'.
Sanity Success - testAclAddIpRules - PERMIT.
Sanity Success - testAclAddIpRules - TCP Protocol.
Sanity Success - testAclAddIpRules - Miscellaneous TCP Flags test.
Sanity Success - testAclAddIpRules - Source Layer 4 port 80.
Sanity Success - testAclAddIpRules - PERMIT.
Sanity Success - testAclAddIpRules - UDP Protocol.
Sanity Success - testAclAddIpRules - Source Layer 4 port < 10000.
Sanity Success - testAclAddIpRules - Destination Layer 4 port > 20000.
Sanity Success - testAclAddIpRules - DENY.
Create named IPv6 ACL...
Sanity Success - testAclCreate - .
Sanity Success - testAclAddIpv6Rules - PERMIT.
Sanity Success - testAclAddIpv6Rules - Every.
Sanity Success - testAclAddIpv6Rules - Assign Queue.
Sanity Success - testAclAddIpv6Rules - Logging.
Sanity Success - testAclAddIpv6Rules - Packet Mirroring Interface.
Sanity Success - testAclAddIpv6Rules - PERMIT.
Sanity Success - testAclAddIpv6Rules - PIM Protocol.
Sanity Success - testAclAddIpv6Rules - Source IPv6 Address/prefix.
Sanity Success - testAclAddIpv6Rules - Destination IPv6 Address/prefix.
Sanity Success - testAclAddIpv6Rules - DSCP Value.
Sanity Success - testAclAddIpv6Rules - IP Fragments.
Sanity Success - testAclAddIpv6Rules - Packet Redirection Interface.
Sanity Success - testAclAddIpv6Rules - PERMIT.
Sanity Success - testAclAddIpv6Rules - TCP Protocol.
Sanity Success - testAclAddIpv6Rules - Packet Redirect External Agent.
Sanity Success - testAclAddIpv6Rules - Simple traffic rate-limit policing.
Sanity Success - testAclAddIpv6Rules - Time based activation.
Sanity Success - testAclAddIpv6Rules - Time Range status.
Sanity Success - testAclAddIpv6Rules - Flow Label.
Sanity Success - testAclAddIpv6Rules - Routing Flag.
Sanity Success - testAclAddIpv6Rules - PERMIT.
Sanity Success - testAclAddIpv6Rules - ICMPv6 Protocol.
Sanity Success - testAclAddIpv6Rules - ICMPv6 messaging for 'Port-Unreachable'.
Sanity Success - testAclAddIpv6Rules - PERMIT.
Sanity Success - testAclAddIpv6Rules - TCP Protocol.
Sanity Success - testAclAddIpv6Rules - Miscellaneous TCP Flags test.
Sanity Success - testAclAddIpv6Rules - Source Layer 4 port range 20000 - 20010.
Sanity Success - testAclAddIpv6Rules - Destination Layer 4 port > 60000.
Sanity Success - testAclAddIpv6Rules - DENY.
Create named MAC ACL...
Sanity Success - testAclCreate - .
Sanity Success - testAclAddMacRules - PERMIT.
Sanity Success - testAclAddMacRules - Every.
Sanity Success - testAclAddMacRules - Assign Queue.
Sanity Success - testAclAddMacRules - Logging.
Sanity Success - testAclAddMacRules - Packet Mirroring Interface.
Sanity Success - testAclAddMacRules - PERMIT.
Sanity Success - testAclAddMacRules - Source MAC Address/Mask.
Sanity Success - testAclAddMacRules - Destination MAC Address/Mask.
Sanity Success - testAclAddMacRules - Packet Redirection Interface.
Sanity Success - testAclAddMacRules - PERMIT.
Sanity Success - testAclAddMacRules - Packet Redirect External Agent.
Sanity Success - testAclAddMacRules - Simple traffic rate-limit policing.
Sanity Success - testAclAddMacRules - Time based activation.
Sanity Success - testAclAddMacRules - Time Range status.
Sanity Success - testAclAddMacRules - Ethertype 0x809B.
Sanity Success - testAclAddMacRules - CoS 0.
Sanity Success - testAclAddMacRules - Secondary CoS 7.
Sanity Success - testAclAddMacRules - VLAN ID Range 2 - 100.
Sanity Success - testAclAddMacRules - Secondary VLAN ID 200.
Sanity Success - testAclAddMacRules - DENY.
Perform some generic retrieval tests...
Sanity Success - openapiAclGetFirst - IP ACL.
Sanity Success - testAclCreate - .
Sanity Success - testAclCreate - temporary.
Sanity Success - testAclRetrieval - openapiAclGetNext.
Rename then Delete ACLs...
Sanity Success - Renamed - test_ip_renamed.
Sanity Success - Renamed - test_ipv6_renamed.
Sanity Success - Renamed - test_mac_renamed.
Demonstrate traffic filter assignment for interfaces...
Sanity Success - testAclTrafficFilterIntfAdd - ACL:test_ip_renamed intf:1 dir:0 seq:100.
Sanity Success - testAclTrafficFilterIntfAdd - ACL:test_ip_renamed intf:2 dir:0 seq:200.
Sanity Success - testAclTrafficFilterIntfAdd - ACL:test_ipv6_renamed intf:3 dir:0 seq:300.
Sanity Success - testAclTrafficFilterIntfAdd - ACL:test_mac_renamed intf:4 dir:0 seq:400.
Demonstrate traffic filter assignment for VLANs...
Sanity Success - testAclTrafficFilterVlanAdd - ACL:test_ip_renamed VLAN:5 dir:0 seq:500.
Sanity Success - testAclTrafficFilterVlanAdd - ACL:test_ip_renamed VLAN:6 dir:0 seq:600.
Sanity Success - testAclTrafficFilterVlanAdd - ACL:test_ipv6_renamed VLAN:7 dir:0 seq:700.
Sanity Success - testAclTrafficFilterVlanAdd - ACL:test_mac_renamed VLAN:8 dir:0 seq:800.
Demonstrate traffic filter removal of interface...
Demonstrate traffic filter removal of VLAN...
Display various ACL lists and information...
ACL interface direction assignments
Interface  Direction
---------  ---------
1          Inbound
3          Inbound
4          Inbound
ACL Interface 1, Inbound details
ACL id  Type  Seq Num
------  ----  -------
1000    1     100
ACL test_ip_renamed Inbound Interfaces
Interface
---------
1
ACL test_ip_renamed Inbound VLANs
VLAN
----
6
Sanity Success - openapiCpuIntfGet - CPU Control Plane Interface ... 129.
Sanity Success - openapiAclMaxAclIntfCountGet - Number of allowed ACL Interfaces ... 160.
Sanity Success - openapiAclMaxAclVlanCountGet - Number of allowed ACL VLANs ... 24.
Sanity Success - openapiAclCountGet - Total number of configured ACLs ... 3.
Sanity Success - openapiAclMacCountGet - Number of configured MAC ACLs ... 1.
Complete.
In addition to acl_example.c, Python and Ruby implementations have also been provided for demonstration purposes. The Python script acl_example.py and the Ruby application acl_example.rb each essentially duplicate the acl_example.c implementation.