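帮我分析这段代码的功能并逐行讲解:
/**
 * Remove the ACL state installed for ONVIF discovery on unit 0.
 *
 * Three stages run in order:
 *   1. delete the action and the rule of the snooping entry
 *      onvif_discovery_acl_id;
 *   2. delete the action and the rule of PLAT_MAX_PORT_NUM per-port entries,
 *      addressed as onvif_discovery_port_acl_id_start + i;
 *   3. clear the rate-limit configuration of every recorded
 *      attack-prevention id.
 * The matching tracking variable is reset to MW_ACL_ID_INVALID after each
 * stage. Individual delete failures are logged and otherwise ignored.
 *
 * @return MW_E_OK on every path visible in this function.
 *
 * NOTE(review): MW_PARAM_CHK is defined elsewhere; from its use here it
 * presumably returns its second argument when the condition holds - confirm.
 * If so, an invalid snooping id returns before stages 2 and 3, and an invalid
 * port start id returns before stage 3, so per-port entries or rate-limit
 * settings can stay programmed in hardware.
 *
 * NOTE(review): stage 2 deletes a contiguous id range, but
 * onvif_discovery_acl_add() records only the first port's rule id and picks
 * each port's slot with an independent free-slot search. If the slots it
 * chose were not contiguous, this loop deletes entries owned by another
 * feature and leaves the real ones in place. Confirm contiguity or track
 * every id that was allocated.
 */
MW_ERROR_NO_T onvif_discovery_acl_del(void)
{
    UI32_T unit = 0;
    AIR_ERROR_NO_T rc;
    UI8_T i = 0;
    UI8_T locked = 0; /* non-zero only while this function holds the ACL mutex */

    MW_PARAM_CHK((onvif_discovery_acl_id == MW_ACL_ID_INVALID), MW_E_OK);

    /* Stage 1: snooping entry. The id is reset only when the delete ran. */
    if (mw_acl_mutex_take() == MW_E_OK)
    {
        rc = air_acl_delAction(unit, onvif_discovery_acl_id);
        if (rc != MW_E_OK)
        {
            onvif_discovery_err("Failed to delete ONVIF ACL rule entry-id %d action, rc %d", onvif_discovery_acl_id, rc);
        }
        rc = air_acl_delRule(unit, onvif_discovery_acl_id);
        if (rc != MW_E_OK)
        {
            onvif_discovery_err("Failed to delete ONVIF ACL rule entry-id %d rule, rc %d", onvif_discovery_acl_id, rc);
        }
        onvif_discovery_acl_id = MW_ACL_ID_INVALID;
        mw_acl_mutex_release();
    }
    else
    {
        onvif_discovery_err("Failed to take ACL mutex, ONVIF ACL rule entry-id %d not deleted", onvif_discovery_acl_id);
    }

    MW_PARAM_CHK((onvif_discovery_port_acl_id_start == MW_ACL_ID_INVALID), MW_E_OK);

    /* Stage 2: per-port entries. Remember whether the mutex was obtained so
     * that the release at the end is issued only for a lock we actually hold. */
    if (mw_acl_mutex_take() == MW_E_OK)
    {
        locked = 1;
        for (i = 0; i < PLAT_MAX_PORT_NUM; ++i)
        {
            rc = air_acl_delAction(unit, onvif_discovery_port_acl_id_start + i);
            if (rc != MW_E_OK)
            {
                onvif_discovery_err("Failed to delete ONVIF PORT ACL rule entry-id %d action, rc %d", onvif_discovery_port_acl_id_start + i, rc);
            }
            rc = air_acl_delRule(unit, onvif_discovery_port_acl_id_start + i);
            if (rc != MW_E_OK)
            {
                onvif_discovery_err("Failed to delete ONVIF PORT ACL rule entry-id %d rule, rc %d", onvif_discovery_port_acl_id_start + i, rc);
            }
        }
    }
    else
    {
        onvif_discovery_err("Failed to take ACL mutex, ONVIF PORT ACL rules not deleted");
    }

    /* NOTE(review): as in the original, the start id is forgotten and the
     * rate limits are cleared even when the mutex was not obtained; in that
     * case the per-port entries remain in hardware without being tracked. */
    onvif_discovery_port_acl_id_start = MW_ACL_ID_INVALID;

    /* Stage 3: drop the rate-limit configuration of each recorded id. */
    for (i = 0; i < ONVIF_PORT_ACL_ATTACK_PREVENTION_NUM; i++)
    {
        if (onvif_acl_attack_prevention_id[i] != MW_ACL_ID_INVALID)
        {
            air_dos_clearRateLimitCfg(unit, onvif_acl_attack_prevention_id[i]);
            onvif_acl_attack_prevention_id[i] = MW_ACL_ID_INVALID;
        }
    }

    if (locked)
    {
        mw_acl_mutex_release();
    }
    return MW_E_OK;
}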
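/**
 * Install the ACL entries used for ONVIF discovery on unit 0.
 *
 * Stage 1 (snooping rule): scans rule ids from 103 up to
 * AIR_MAX_NUM_OF_ACL_ENTRY for the first entry that air_acl_getRule() reports
 * with rule_en clear, and writes a rule keyed on EtherType ETHTYPE_IP,
 * destination address ONVIF_DISCOVERY_IP_HOST_ORDER and next header UDP, for
 * every port of PLAT_PORT_BMP_TOTAL except PLAT_CPU_PORT. The chosen id is
 * stored in onvif_discovery_acl_id.
 *
 * Stage 2 (probe rules): for each of PLAT_MAX_PORT_NUM ports, searches from
 * onvif_discovery_acl_id + i + 1 for a free entry and writes a disabled
 * (rule_en = FALSE) rule keyed on EtherType, the switch's own IP address and
 * next header UDP, restricted to port i + 1. Only the id chosen for the first
 * port is stored, in onvif_discovery_port_acl_id_start.
 *
 * Stage 3: calls _onvif_discovery_set_attack_prevention(unit) and logs when
 * the last attack-prevention id is -1 or out of range.
 *
 * @return the result of the last air_acl_setRule() call when stage 2 ran;
 *         MW_E_ENTRY_REACH_END when no snooping entry could be installed or
 *         the ACL mutex could not be taken for stage 2.
 *
 * NOTE(review): MW_PARAM_CHK is defined elsewhere; from its use here it
 * presumably returns MW_E_OK at once when a snooping entry is already
 * recorded - confirm.
 *
 * NOTE(review): neither rule matches on the UDP destination port (the
 * commented-out attempt failed because non-first IP fragments carry no UDP
 * header). Every UDP datagram to the group address or to the switch address
 * therefore matches, not only discovery traffic; the original comments say
 * matching packets are copied to the CPU. Confirm that the rate limit set up
 * in stage 3 bounds that traffic.
 *
 * NOTE(review): the returned rc does not reflect a failed
 * _onvif_discovery_acl_setOnlyCpu() call or a port for which no free entry
 * was found, so MW_E_OK can be returned with some probe rules missing.
 *
 * NOTE(review): free entries are recognised by rule_en being clear, and the
 * probe rules are themselves written with rule_en = FALSE. If an earlier
 * port had to skip an occupied entry, a later port's search may land on the
 * entry just written and overwrite it - verify against air_acl_getRule().
 * onvif_discovery_acl_del() additionally assumes the probe ids are
 * contiguous from onvif_discovery_port_acl_id_start.
 */
MW_ERROR_NO_T onvif_discovery_acl_add(void)
{
    MW_ERROR_NO_T rc = MW_E_OK;
    const UI32_T unit = 0;
    UI32_T rule_id = 103; /* first rule id considered for the snooping entry */
    AIR_ACL_RULE_T acl_rule;

    MW_PARAM_CHK((onvif_discovery_acl_id != MW_ACL_ID_INVALID), MW_E_OK);

    /* Stage 1: snooping rule */
    if (mw_acl_mutex_take() == MW_E_OK)
    {
        for (; rule_id < AIR_MAX_NUM_OF_ACL_ENTRY; ++rule_id)
        {
            if (air_acl_getRule(unit, rule_id, &acl_rule) != MW_E_OK)
            {
                continue;
            }
            if (acl_rule.rule_en)
            {
                continue; /* entry already in use */
            }

            osapi_memset(&acl_rule, 0, sizeof(AIR_ACL_RULE_T));
            /* NOTE(review): the entry is enabled only when g_snp_status is
             * set; a disabled entry presumably still looks free to any other
             * code that scans on rule_en - confirm. */
            acl_rule.rule_en = g_snp_status;
            AIR_PORT_BITMAP_COPY(acl_rule.portmap, PLAT_PORT_BMP_TOTAL);
            AIR_PORT_DEL(acl_rule.portmap, PLAT_CPU_PORT);
            acl_rule.end = TRUE;
            acl_rule.key.etype = ETHTYPE_IP;
            acl_rule.mask.etype = 0x3; /* presumably a per-byte mask over the 2-byte EtherType - confirm */
            /* The original comment says "239.255.255.250 in network order"
             * while the constant is named ..._HOST_ORDER - confirm which byte
             * order the key expects. (Original annotation: "not present".) */
            acl_rule.key.dip = ONVIF_DISCOVERY_IP_HOST_ORDER;
            acl_rule.mask.dip = 0xf; /* presumably all 4 address bytes - confirm. (Original annotation: "not present".) */
            /* Matching on key.dport (ONVIF_DISCOVERY_UDP_PORT) was tried and
             * dropped: the second fragment of a packet has no UDP header. */
            acl_rule.key.next_header = MW_IPPROTO_UDP; /* (Original annotation: "not present".) */
            /* (Original annotation: "the last two are not present".) */
            acl_rule.field_valid = ((1U << AIR_ACL_ETYPE_KEY) | (1U << AIR_ACL_DIP_KEY) | (1U << AIR_ACL_NEXT_HEADER_KEY));

            rc = air_acl_setRule(unit, rule_id, &acl_rule);
            if (rc != MW_E_OK)
            {
                onvif_discovery_err("Add ONVIF Discovery ACL rule entry-id %d Failed, rc=%d", rule_id, rc);
                continue;
            }
            if (_onvif_discovery_acl_setOnlyCpu(rule_id, FALSE) != MW_E_OK) /* copy to CPU */
            {
                /* Roll back the rule whose action could not be set. */
                air_acl_delRule(unit, rule_id);
                continue;
            }
            onvif_discovery_acl_id = rule_id;
            onvif_discovery_dbg("Add ACL done, rule id = %u, g_snp_status = %u", onvif_discovery_acl_id, g_snp_status);
            break;
        }
        mw_acl_mutex_release();
    }

    /* Without a snooping entry the probe search below would start from
     * MW_ACL_ID_INVALID + i + 1, an id that has nothing to do with the range
     * scanned above. Stop here instead of writing rules at such ids. */
    if (onvif_discovery_acl_id == MW_ACL_ID_INVALID)
    {
        onvif_discovery_err("Get free ACL rule-id for onvif_discovery failed !");
        return MW_E_ENTRY_REACH_END;
    }

    /* Stage 2: per-port probe rules */
    if (mw_acl_mutex_take() == MW_E_OK)
    {
        UI8_T i = 0;

        for (i = 0; i < PLAT_MAX_PORT_NUM; ++i)
        {
            for (rule_id = onvif_discovery_acl_id + i + 1; rule_id < AIR_MAX_NUM_OF_ACL_ENTRY; ++rule_id)
            {
                AIR_PORT_BITMAP_T acl_pbmp = {0};

                if (air_acl_getRule(unit, rule_id, &acl_rule) != MW_E_OK)
                {
                    continue;
                }
                if (acl_rule.rule_en)
                {
                    continue; /* entry already in use */
                }

                AIR_PORT_ADD(acl_pbmp, i + 1); /* port numbers passed here are 1-based */
                osapi_memset(&acl_rule, 0, sizeof(AIR_ACL_RULE_T));
                acl_rule.rule_en = FALSE; /* written disabled */
                AIR_PORT_BITMAP_COPY(acl_rule.portmap, acl_pbmp);
                AIR_PORT_DEL(acl_rule.portmap, PLAT_CPU_PORT);
                acl_rule.end = TRUE;
                acl_rule.key.etype = ETHTYPE_IP;
                acl_rule.mask.etype = 0x3;
                acl_rule.key.dip = ntohl(g_ip_switch.addr); /* switch IP passed through ntohl() */
                acl_rule.mask.dip = 0xf;
                /* key.dport is left out for the same fragment reason as in
                 * the snooping rule. */
                acl_rule.key.next_header = MW_IPPROTO_UDP;
                acl_rule.field_valid = ((1U << AIR_ACL_ETYPE_KEY) | (1U << AIR_ACL_DIP_KEY) | (1U << AIR_ACL_NEXT_HEADER_KEY));

                rc = air_acl_setRule(unit, rule_id, &acl_rule);
                if (rc != MW_E_OK)
                {
                    onvif_discovery_err("Add ONVIF Discovery ACL rule entry-id %d Failed, rc=%d", rule_id, rc);
                    continue;
                }
                if (_onvif_discovery_acl_setOnlyCpu(rule_id, TRUE) != MW_E_OK) /* copy to CPU */
                {
                    /* Roll back the rule whose action could not be set. */
                    air_acl_delRule(unit, rule_id);
                    continue;
                }
                if (i == 0)
                {
                    /* Only the first port's id is remembered. */
                    onvif_discovery_port_acl_id_start = rule_id;
                    onvif_discovery_dbg("Add Probe ACL done, rule id = %u", onvif_discovery_port_acl_id_start);
                }
                onvif_discovery_dbg("Add Probe ACL done, port = %u, rule id = %u", i + 1, rule_id);
                break;
            }
        }

        /* Stage 3: the original comment says this obtains 5 attack-prevention ids. */
        _onvif_discovery_set_attack_prevention(unit);
        /* NOTE(review): only the last id is checked, and against the literal
         * -1 rather than MW_ACL_ID_INVALID - confirm the two are the same. */
        if ((onvif_acl_attack_prevention_id[ONVIF_PORT_ACL_ATTACK_PREVENTION_NUM - 1] == -1) || (onvif_acl_attack_prevention_id[ONVIF_PORT_ACL_ATTACK_PREVENTION_NUM - 1] >= AIR_MAX_NUM_OF_ATTACK_PREVENTION_ID))
        {
            onvif_discovery_err("Get free ACL acl_attack_prevention_id failed !\n");
        }
        mw_acl_mutex_release();
        return rc;
    }

    /* Reached only when the mutex for stage 2 could not be taken. The
     * snooping entry stays installed and recorded, so a later call returns
     * at the MW_PARAM_CHK above without adding the probe rules. */
    onvif_discovery_err("Take ACL mutex for ONVIF probe ACL rules failed !");
    return MW_E_ENTRY_REACH_END;
}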