Re: [vpp-dev] acl ipv6 rule creation with VAPI. #acl #ipv6 #vapi

2021-09-02 Thread RaviKiran Veldanda
Sorry for spamming, After going over the acl_plugin code I understood that the prefix length must match the address otherwise the acl_plugin doesn't accept the rules :-( Error line ==> ret=inet_pton(AF_INET6,"fd01::1",&(acl->payload.r[0].dst_prefix.address.un.ip6)); after changing the line to =

[vpp-dev] acl ipv6 rule creation with VAPI. #acl #ipv6 #vapi

2021-09-02 Thread RaviKiran Veldanda
Hi Experts, I got tired trying several ways to add the IPV6 ACL rules using API. I wasn't successful. The same thing is working fine with IPv4 rule. When I tried IPV6 rule, I am getting retval is -58, I am not able to figure out what is this error. Can anyone please help me to understand what coul

Re: [vpp-dev] ACL-->ABF--> Memif, Seeing arp request for the packets #acl #abf #policy #routing

2021-07-17 Thread RaviKiran Veldanda
Neale, This is really I never thought we can create VLAN for memif This saved enormous of amount my time... I am really excited and its working perfectly fine. //Ravi

Re: [vpp-dev] ACL-->ABF--> Memif, Seeing arp request for the packets #acl #abf #policy #routing

2021-07-17 Thread Neale Ranns
: Re: [vpp-dev] ACL-->ABF--> Memif, Seeing arp request for the packets #acl #abf #policy #routing [Edited Message Follows] Hi Neale, Thanks for your time. Yes I got that and I did created a dummy arp to make this work. ip neighbor memif1/0 192.168.1.3 dead.dead.dead set acl-plugin acl perm

Re: [vpp-dev] ACL-->ABF--> Memif, Seeing arp request for the packets #acl #abf #policy #routing

2021-07-16 Thread RaviKiran Veldanda
[Edited Message Follows] Hi Neale, Thanks for your time. Yes I got that and I did created a dummy arp to make this work. ip neighbor memif1/0 192.168.1.3 dead.dead.dead set acl-plugin acl permit dst 172.172.0.0/24 abf policy add id 0 acl 0 via 192.168.1.3 memif1/0 abf attach ip4 policy 0  Hun

Re: [vpp-dev] ACL-->ABF--> Memif, Seeing arp request for the packets #acl #abf #policy #routing

2021-07-16 Thread RaviKiran Veldanda
Hi Neale, Thanks for your time. Yes I got that and I did created a dummy arp to make this work. ip neighbor memif1/0 192.168.1.3 dead.dead.dead set acl-plugin acl permit dst 172.172.0.0/24 abf policy add id 0 acl 0 via 192.168.1.3 memif1/0 abf attach ip4 policy 0  HundredGigabitEthernet12/0/0

Re: [vpp-dev] ACL-->ABF--> Memif, Seeing arp request for the packets #acl #abf #policy #routing

2021-07-16 Thread Neale Ranns
To: vpp-dev@lists.fd.io Subject: [vpp-dev] ACL-->ABF--> Memif, Seeing arp request for the packets #acl #abf #policy #routing [Edited Message Follows] Hi Experts, We are trying to implement forwarding dst X.X.X.X/X subnet packets on interface Y to the memif1/0 To achieve that we used ACL a

[vpp-dev] ACL-->ABF--> Memif, Seeing arp request for the packets #acl #abf #policy #routing

2021-07-16 Thread RaviKiran Veldanda
[Edited Message Follows] Hi Experts, We are trying to implement forwarding dst X.X.X.X/X subnet packets on interface Y to the memif1/0 To achieve that we used ACL and ABF policy rules. When I am trying to send traffic to "X.X.X.X" network I see ARP requests for that subnet on memif1/0. We don't

[vpp-dev] ACL-->ABF--> Memif, Seeing arp request for the packets #acl #abf #policy #routing

2021-07-16 Thread RaviKiran Veldanda
Hi Experts, We are trying to implement forwarding dst X.X.X.X/X subnet packets on interface Y to the memif1/0 To achieve that we used ACL and ABF policy rules. When I am trying to send traffic to "X.X.X.X" network I see ARP requests for that subnet on memif1/0. We don't need to send ARP for these

Re: [vpp-dev] ACL IPV6 rule addition using the "set acl_plugin acl" command from "vppctl" #vppctl #acl #acl_plugin #ipv6

2021-07-15 Thread Andrew Yourtchenko
io/r/c/vpp/+/33142 > > /neale > > From: vpp-dev@lists.fd.io on behalf of Andrew > Yourtchenko via lists.fd.io > Date: Wednesday, 14 July 2021 at 23:53 > To: RaviKiran Veldanda , Jakub Grajciar > > Cc: vpp-dev@lists.fd.io > Subject: Re: [vpp-dev] ACL IPV6 rule additio

Re: [vpp-dev] ACL IPV6 rule addition using the "set acl_plugin acl" command from "vppctl" #vppctl #acl #acl_plugin #ipv6

2021-07-15 Thread Neale Ranns
Evidently a typo. Here you go: https://gerrit.fd.io/r/c/vpp/+/33142 /neale From: vpp-dev@lists.fd.io on behalf of Andrew Yourtchenko via lists.fd.io Date: Wednesday, 14 July 2021 at 23:53 To: RaviKiran Veldanda , Jakub Grajciar Cc: vpp-dev@lists.fd.io Subject: Re: [vpp-dev] ACL IPV6

Re: [vpp-dev] ACL IPV6 rule addition using the "set acl_plugin acl" command from "vppctl" #vppctl #acl #acl_plugin #ipv6

2021-07-14 Thread Andrew Yourtchenko
Ravi, appears that the commit 2f8cd914514fe54f91974c6d465d4769dfac8de8 has hardcoded the IP address family in the CLI handler to IPv4: 0490db79b src/plugins/acl/acl.c(Neale Ranns2020-03-24 15:09:41 + 2873) else if (unformat (line_input, "src %U/%d", bf883bb086 src/plugin

[vpp-dev] ACL IPV6 rule addition using the "set acl_plugin acl" command from "vppctl" #vppctl #acl #acl_plugin #ipv6

2021-07-14 Thread RaviKiran Veldanda
Hi Experts, We were trying to create some ACL rules for IPv6 addresses, *"set acl-plugin acl permit src 2001:5b0::1150::0/64 " in vppctl. * "set acl-plugin acl permit ipv6 src 2001:5b0::1150::0/64 " in vppctl. giving ACL index but when I check "show acl_plugin acl" its not giving any info

[vpp-dev] ACL- IN and OUT interface

2020-09-25 Thread sachinpp777
[Edited Message Follows] Hello Team, Is there option to specify IN and OUT interface(sw_index) in ACL along with ACE? pseudo rule - drop src x.x.x.x dst y.y.y.y when in-interface is x1 and out interface is x2 -> like iptables Regards, Sachin

[vpp-dev] ACL- IN and OUT interface

2020-09-25 Thread sachinpp777
Hello Team, Is there option to specify IN and OUT interface(sw_index) in ACL along with ACE? pseudo rule - drop src x.x.x.x dst y.y.y.y when in-interface is x1 and out interface is x2 Regards, Sachin

Re: [vpp-dev] ACL panics in `hash_acl_set_heap`

2020-09-16 Thread Andrew Yourtchenko
Hi Mahdi, This patch should apply, ACL plugin had not seen much changes recently, but then you are not running a 20.05 anymore :-) I would strongly suggest to evaluate on what limitations prevent you from following the master branch as close as possible and address them. This may seem daunting

Re: [vpp-dev] ACL panics in `hash_acl_set_heap`

2020-09-16 Thread Mahdi Varasteh
Hi Andrew, Thanks for your response. That makes sense. I will monitor my box memory usage. Unfortunately I'm using VPP 20.05. So I will try to forwardport( we have it? :D) this patch to it.

Re: [vpp-dev] ACL panics in `hash_acl_set_heap`

2020-09-16 Thread Andrew Yourtchenko
ACL plugin historically uses its own heaps for hash lookup data. It should be just 64M by default. It’s been like that since day1, so you might need to look at your memory usage on that box overall... I am not sure if custom heaps use the huge pages or not - maybe you need to have less huge pa

[vpp-dev] ACL panics in `hash_acl_set_heap`

2020-09-16 Thread Mahdi Varasteh
Hi VPP folks, Setting ACL from VAPI, we have a panic `ACL plugin failed to allocate lookup heap of %U bytes` in `hash_acl_set_heap` function. It doesn't happen always. Time to time and randomly this problem occurs. My system has 8G of RAM. VPP is running with the default `startup.conf`. I've set

Re: [vpp-dev] ACL plugin optimization

2020-05-29 Thread Govindarajan Mohandoss
; Jieqiang > Wang ; Honnappa Nagarahalli > ; nd > Subject: Re: [vpp-dev] ACL plugin optimization > > Hi Govind, > > 1) According to Jenkins, this patch permits some of the packets that should > be denied, hence JJB voted "-1". > > 2) If you suspect merely th

Re: [vpp-dev] ACL plugin optimization

2020-05-29 Thread Govindarajan Mohandoss
> ; nd > Subject: Re: [vpp-dev] ACL plugin optimization > > > Hi Govind, > > As well as removing the prefetches, you've also removed the per packet call > to acl_fa_find_session_with_hash(). So IIUC you've removed the per-packet > session lookup and inste

Re: [vpp-dev] ACL plugin optimization

2020-05-27 Thread Neale Ranns via lists.fd.io
Hi Govind, As well as removing the prefetches, you've also removed the per packet call to acl_fa_find_session_with_hash(). So IIUC you've removed the per-packet session lookup and instead re-use the lookup of packet 0 each time. that'll make things quicker but it's not functionally correct. /

Re: [vpp-dev] ACL plugin optimization

2020-05-27 Thread Andrew Yourtchenko
Hi Govind, 1) According to Jenkins, this patch permits some of the packets that should be denied, hence JJB voted "-1". 2) If you suspect merely the prefetches are the issue, just commenting out the body of prefetch_session_entry() in the original code should turn it into a no-op that doesn't bre

[vpp-dev] ACL plugin optimization

2020-05-27 Thread Govindarajan Mohandoss
Hi Andrew, While profiling the ACL plugin node using perf tool in ARM Neoverse platform, Bihash related prefetches were shown as bottleneck. Performance improvement is seen in ARM N1, TX2 and Intel Skylake servers after removing those prefetches. Testing is done with Ingress ACL/IPv4 forwardi

Re: [vpp-dev] ACL question

2020-05-03 Thread Govindarajan Mohandoss
Thanks Neale. It works now. From: Neale Ranns (nranns) Sent: Saturday, May 2, 2020 8:15 AM To: Govindarajan Mohandoss ; Andrew Yourtchenko Cc: John Lo (loj) ; Paul Vinciguerra ; vpp-dev@lists.fd.io; nd ; Lijian Zhang ; Jieqiang Wang Subject: Re: [vpp-dev] ACL question From: Govindarajan

Re: [vpp-dev] ACL question

2020-05-02 Thread Neale Ranns via lists.fd.io
From: Govindarajan Mohandoss Date: Friday 1 May 2020 at 21:15 To: "Neale Ranns (nranns)" , Andrew Yourtchenko Cc: "John Lo (loj)" , Paul Vinciguerra , "vpp-dev@lists.fd.io" , nd , Lijian Zhang , Jieqiang Wang , nd Subject: RE: [vpp-dev] ACL question Hi Neale

Re: [vpp-dev] ACL question

2020-05-01 Thread Govindarajan Mohandoss
; Lijian Zhang ; Jieqiang Wang Subject: Re: [vpp-dev] ACL question Or in the latest version you can create ACLs on the CLI: set acl-plugin acl ? set acl-plugin interface ? /neale From: vpp-dev@lists.fd.io on behalf of Andrew Yourtchenko <ayour...@gmail.com> Dat

Re: [vpp-dev] ACL question

2020-04-29 Thread Govindarajan Mohandoss
Thanks Neale. From: Neale Ranns (nranns) Sent: Wednesday, April 29, 2020 4:24 AM To: Andrew Yourtchenko ; Govindarajan Mohandoss Cc: John Lo (loj) ; Paul Vinciguerra ; vpp-dev@lists.fd.io; nd ; Lijian Zhang ; Jieqiang Wang Subject: Re: [vpp-dev] ACL question Or in the latest version you

Re: [vpp-dev] ACL question

2020-04-29 Thread Govindarajan Mohandoss
ndarajan Mohandoss Cc: John Lo (loj) ; Paul Vinciguerra ; vpp-dev@lists.fd.io; nd ; Lijian Zhang ; Jieqiang Wang Subject: Re: [vpp-dev] ACL question Hi Govind, 1) make an api trace and inspect the message there - whether it contains the entries you are expecting. 1a) If it does, then

Re: [vpp-dev] ACL question

2020-04-29 Thread Neale Ranns via lists.fd.io
sts.fd.io" , nd , Lijian Zhang , Jieqiang Wang Subject: Re: [vpp-dev] ACL question Hi Govind, 1) make an api trace and inspect the message there - whether it contains the entries you are expecting. 1a) If it does, then you can trivially recreate the same message using the python api just by

Re: [vpp-dev] ACL question

2020-04-29 Thread Andrew Yourtchenko
oj) > Sent: Tuesday, April 28, 2020 10:38 PM > To: Govindarajan Mohandoss ; Paul Vinciguerra > > Cc: Andrew 👽 Yourtchenko ; vpp-dev@lists.fd.io; nd > ; Lijian Zhang ; Jieqiang Wang > ; nd > Subject: RE: [vpp-dev] ACL question > > Try “make test TEST=acl_plugin”.

Re: [vpp-dev] ACL question

2020-04-28 Thread Govindarajan Mohandoss
Zhang ; Jieqiang Wang ; nd Subject: RE: [vpp-dev] ACL question Try “make test TEST=acl_plugin”. -John From: vpp-dev@lists.fd.io On Behalf Of Govindarajan Mohandoss Sent: Tuesday, April 28, 2020 11:22 PM To: Paul

Re: [vpp-dev] ACL question

2020-04-28 Thread Govindarajan Mohandoss
Thanks John. From: John Lo (loj) Sent: Tuesday, April 28, 2020 10:38 PM To: Govindarajan Mohandoss ; Paul Vinciguerra Cc: Andrew 👽 Yourtchenko ; vpp-dev@lists.fd.io; nd ; Lijian Zhang ; Jieqiang Wang ; nd Subject: RE: [vpp-dev] ACL question Try “make test TEST=acl_plugin”. -John From

Re: [vpp-dev] ACL question

2020-04-28 Thread John Lo (loj) via lists.fd.io
Try “make test TEST=acl_plugin”. -John From: vpp-dev@lists.fd.io On Behalf Of Govindarajan Mohandoss Sent: Tuesday, April 28, 2020 11:22 PM To: Paul Vinciguerra Cc: Andrew 👽 Yourtchenko ; vpp-dev@lists.fd.io; nd ; Lijian Zhang ; Jieqiang Wang ; nd Subject: Re: [vpp-dev] ACL question Hi

Re: [vpp-dev] ACL question

2020-04-28 Thread Govindarajan Mohandoss
: Re: [vpp-dev] ACL question See: src/plugins/acl/test/test_acl_plugin.py On Tue, Apr 28, 2020 at 7:19 PM Govindarajan Mohandoss <govindarajan.mohand...@arm.com> wrote: Sure Andrew. Is there a unit test case for ACL plugin ? From: Andrew 👽 Yourtchenko <ayour...@gmail.com>

Re: [vpp-dev] ACL question

2020-04-28 Thread Govindarajan Mohandoss
Thanks Paul ! From: Paul Vinciguerra Sent: Tuesday, April 28, 2020 9:22 PM To: Govindarajan Mohandoss Cc: Andrew 👽 Yourtchenko ; vpp-dev@lists.fd.io; nd ; Lijian Zhang ; Jieqiang Wang Subject: Re: [vpp-dev] ACL question See: src/plugins/acl/test/test_acl_plugin.py On Tue, Apr 28, 2020 at

Re: [vpp-dev] ACL question

2020-04-28 Thread Paul Vinciguerra
l 28, 2020 4:57 PM > *To:* Govindarajan Mohandoss > *Cc:* vpp-dev@lists.fd.io; nd ; Lijian Zhang < > lijian.zh...@arm.com>; Jieqiang Wang > *Subject:* Re: [vpp-dev] ACL question > > > > 1-3: no. > > 4: please make a “make test” test case illustrating the problem and share

Re: [vpp-dev] ACL question

2020-04-28 Thread Govindarajan Mohandoss
Sure Andrew. Is there a unit test case for ACL plugin ? From: Andrew 👽 Yourtchenko Sent: Tuesday, April 28, 2020 4:57 PM To: Govindarajan Mohandoss Cc: vpp-dev@lists.fd.io; nd ; Lijian Zhang ; Jieqiang Wang Subject: Re: [vpp-dev] ACL question 1-3: no. 4: please make a “make test” test case

Re: [vpp-dev] ACL question

2020-04-28 Thread Andrew Yourtchenko
> > Thank you very much Andrew !! I will do some benchmarks and get back to > > you to understand it better. > > > > Thanks > > Govind > > > > > -Original Message- > > > From: Andrew 👽 Yourtchenko > > > Sent: Friday, Mar

Re: [vpp-dev] ACL question

2020-04-28 Thread Govindarajan Mohandoss
> To: Andrew 👽 Yourtchenko > Cc: vpp-dev@lists.fd.io > Subject: Re: [vpp-dev] ACL question > > Thank you very much Andrew !! I will do some benchmarks and get back to > you to understand it better. > > Thanks > Govind > > > -Original Message-

Re: [vpp-dev] ACL question

2020-03-27 Thread Govindarajan Mohandoss
code for the bihash memory usage have been tested with half a > million sessions - so you can extrapolate from those with some ballpark > (though bihash memory usage is not linear wrt the entries, and also there is > some extra memory churn due to bucket reallocations when the size > in

Re: [vpp-dev] ACL question

2020-03-27 Thread Andrew Yourtchenko
lpark (though bihash memory usage is not linear wrt the entries, and also there is some extra memory churn due to bucket reallocations when the size increases). —a > > > Thanks > > Govind > > > > From: vpp-dev@lists.fd.io On Behalf Of Govindarajan > Mohandoss via Lis

Re: [vpp-dev] ACL question

2020-03-26 Thread Govindarajan Mohandoss
needed compared to SL mode ? Thanks Govind From: vpp-dev@lists.fd.io On Behalf Of Govindarajan Mohandoss via Lists.Fd.Io Sent: Thursday, March 26, 2020 12:37 PM To: Andrew 👽 Yourtchenko Cc: vpp-dev@lists.fd.io Subject: Re: [vpp-dev] ACL question Hi Andrew, Thanks for the document. Can

Re: [vpp-dev] ACL question

2020-03-26 Thread Govindarajan Mohandoss
; nd Subject: Re: [vpp-dev] ACL question As an acl plugin author I can say both stateful and stateless ACLs are used for different consumers. Various matching implementations in vpp are used in different use cases... and there is not a single silver bullet magic answer, because the trade offs

Re: [vpp-dev] ACL question

2020-03-26 Thread Andrew Yourtchenko
As an acl plugin author I can say both stateful and stateless ACLs are used for different consumers. Various matching implementations in vpp are used in different use cases... and there is not a single silver bullet magic answer, because the trade offs are different. https://nonsns.github.io/

[vpp-dev] ACL question

2020-03-25 Thread Govindarajan Mohandoss
Hello ACL Maintainer, We want to measure and optimize the ACL performance for ARM servers. As per the foll. link, there are 4 different implementation of ACLs in VPP. https://fd.io/docs/vpp/master/usecases/acls.html We would like to start with most commonly used ACL implementation in VPP

Re: [vpp-dev] ACL drops while pinging another interface

2019-09-06 Thread Andrew Yourtchenko
up VirtualEthernet0/0/2 >> Link speed: unknown >> Ethernet address fa:16:3c:05:66:7c >> VirtualEthernet0/0/3 6 up VirtualEthernet0/0/3 >> Link speed: unknown >> Ethernet address fa:16:3c:f0:21:0a >> VirtualEthernet0/0/4 7

Re: [vpp-dev] ACL drops while pinging another interface

2019-09-06 Thread Eyle Brinkhuis
; Link speed: 40 Gbps > Ethernet address 02:fe:27:ea:09:82 > flags: admin-up > > It looks like there doesn’t even exist an acl for VirtualEthernet0/0/3? Is > that why it is dropped? > > Eyle > > From: Andrew 👽 Yourtchenko

Re: [vpp-dev] ACL drops while pinging another interface

2019-09-06 Thread Andrew Yourtchenko
Ethernet address 02:fe:99:32:82:4f > flags: admin-up promiscuous > rdma1 2 up rdma1 > Link speed: 40 Gbps > Ethernet address 02:fe:27:ea:09:82 > flags: admin-up > > It looks like there doesn’t even exist an acl for VirtualEthernet0/0/

Re: [vpp-dev] ACL drops while pinging another interface

2019-09-06 Thread Eyle Brinkhuis
3 -Naveen From: vpp-dev@lists.fd.io on behalf of Andrew Yourtchenko <ayour...@gmail.com> Date: Thursday, September 5, 2019 at 7:20 AM To: Eyle Brinkhuis <eyle.brinkh...@surfnet.nl> Cc: "vpp-dev@lists.fd.io" mailto:vp

Re: [vpp-dev] ACL drops while pinging another interface

2019-09-05 Thread Andrew Yourtchenko
> From: on behalf of Andrew Yourtchenko > > Date: Thursday, September 5, 2019 at 7:20 AM > To: Eyle Brinkhuis > Cc: "vpp-dev@lists.fd.io" > Subject: Re: [vpp-dev] ACL drops while pinging another interface > > Thanks for the traces ! > > MACIP acl us

Re: [vpp-dev] ACL drops while pinging another interface

2019-09-05 Thread Naveen Joy via Lists.Fd.Io
table 12, offset -1 00:53:47:316361: error-drop rx:VirtualEthernet0/0/3 -Naveen From: on behalf of Andrew Yourtchenko Date: Thursday, September 5, 2019 at 7:20 AM To: Eyle Brinkhuis Cc: "vpp-dev@lists.fd.io" Subject: Re: [vpp-dev] ACL drops while pinging another interface Thank

Re: [vpp-dev] ACL drops while pinging another interface

2019-09-05 Thread Andrew Yourtchenko
Thanks for the traces ! MACIP acl uses the classifier-based “ip-acl”; so it sounds like it is not programmed with the source Mac of your packets. “Show acl-plugin macip” will help to see what the acl plugin sees, and if it looks legit, then you can check the classifier tables applied as input a

[vpp-dev] ACL drops while pinging another interface

2019-09-05 Thread Eyle Brinkhuis
Hi guys, I’m using VPP 19.08 with networking-vpp in an openstack stein environment, where we are busy building an open environment that is specifically built for NFV applications. One of those functions is a firewall setup, where we firewall a customer’s traffic and provide said customer with a

[vpp-dev] ACL based security group of VPP

2019-09-04 Thread cipher.chen2012
Hi vpp-dev, I'm testing security group functions on VPP19.08, and got some questions here. I have two vms: A(172.16.0.1/24, using vxlan_tunnel10 / bridge 10) and B(172.16.1.1/24, using vxlan_tunnel11 / bridge 11). Both these two networks' gateway is X.254, configured on VPP bridges (10 and 11).

Re: [vpp-dev] ACL not working #vpp

2019-09-04 Thread Andrew Yourtchenko
Hi Cipher, Reply below inline > On 4 Sep 2019, at 12:36, Cipher Chen wrote: > > Thanks Andrew, I've successfully done acl_plugin test. > > BTW, just reply here for latecomers, do "V=2 EXTENDED_TESTS=1 > TEST=acl_plugin* make test" to do more test and print verbosely. Yeah the connection tra

Re: [vpp-dev] ACL not working #vpp

2019-09-04 Thread Cipher Chen
Thanks Andrew, I've successfully done acl_plugin test. BTW, just reply here for latecomers, do "V=2 EXTENDED_TESTS=1 TEST=acl_plugin* make test" to do more test and print verbosely. Since I'm testing stateful ACL by watching behavior of test_acl_plugin_conns.py, along with explanation from Sta

Re: [vpp-dev] ACL not working #vpp

2019-09-03 Thread Andrew Yourtchenko
The VPP packet tracer might tell a bit more what is going on. https://wiki.fd.io/view/VPP/Command-line_Interface_(CLI)_Guide#packet_tracer Also you can do “TEST=acl_plugin* make test” and examine the logs of successful testcase runs and compare with what you have. --a > On 3 Sep 2019, at 16:2

Re: [vpp-dev] ACL not working #vpp

2019-09-03 Thread Cipher Chen
More info about acl plugin vpp# show acl-plugin acl acl-index 4 count 2 tag {} 0: ipv4 deny src 0.0.0.0/0 dst 0.0.0.0/0 proto 1 sport 0-65535 dport 0-65535 1: ipv4 permit src 0.0.0.0/0 dst 0.0.0.0/0 proto 6 sport 0-65535 dport 0-65535 applied inbound on sw_if_index: 1 applied outbound on sw_if_ind

[vpp-dev] ACL not working #vpp

2019-09-03 Thread cipher . chen2012
Hi vpp-dev, I'm testing security group functions on VPP19.08, and got some questions here. I have two vms: A(172.16.0.1/24, using vxlan_tunnel10 / bridge 10) and B(172.16.1.1/24, using vxlan_tunnel11 / bridge 11). Both these two networks' gateway is X.254, configured on VPP bridges (10 and 11).

Re: [vpp-dev] ACL and Policier

2019-02-28 Thread Andrew Yourtchenko
Hi! No, it isn’t... --a > On 28 Feb 2019, at 02:33, mahdy.varas...@gmail.com wrote: > > Hi > > I wondered if we can use ACLs instead of classifier tables in Policies. How > is it possible? ( if it is possible)

[vpp-dev] ACL and Policier

2019-02-27 Thread mahdy . varasteh
Hi I wondered if we can use ACLs instead of classifier tables in Policies. How is it possible? ( if it is possible)

[vpp-dev] acl-plugin gerrit 9689: should I change the (default) behavior to reclassify existing sessions not permitted by updated policy ?

2018-03-07 Thread Andrew Yourtchenko
Hi all, for those of you using in some fashion the acl-plugin code, wanted to get your eyes on this in-the-works patch: https://gerrit.fd.io/r/#/c/9689/ as well as get your opinion on the following: (1) should I KEEP the default as it is now (which is to retain the sessions which are already cr

Re: [vpp-dev] ACL Plugin: check for null session

2017-12-19 Thread khers
Dear Andrew Unfortunately I can't reproduce this case. It's really a rare situation. Regards On Tue, Dec 12, 2017 at 5:43 PM, khers wrote: > Dear Andrew > > This is a good explanation of how session add and delete works, > I think this not a benign operation, I could produce the rare scenario

Re: [vpp-dev] ACL Plugin: check for null session

2017-12-12 Thread khers
Dear Andrew This is a good explanation of how session add and delete works, I think this not a benign operation, I could produce the rare scenario you explained. I will send backtrace and other details tomorrow. On Tue, Dec 12, 2017 at 2:46 PM, Andrew 👽 Yourtchenko wrote: > Dear Khers, > > I th

Re: [vpp-dev] ACL Plugin: check for null session

2017-12-12 Thread Andrew 👽 Yourtchenko
Dear Khers, I think you are right. Normally the entry in the session hash table is deleted before any operations with the per-worker pool, so we should not end up on that line. Also, the deletion itself usually happens as a result of the idle timeout - meaning, no packets hit the session for a com

Re: [vpp-dev] ACL Plugin: check for null session

2017-12-11 Thread khers
Dear Andrew I'm working on d594711a5d79859a7d0bde83a516f7ab52051d9b commit on stable/1710 branch. sorry for less info. I can't reproduce last issue I have reported, forgot the commit I were working on. Regards, Khers On Mon, Dec 11, 2017 at 12:24 PM, Andrew Yourtchenko wrote: > Dear Khers, > >

Re: [vpp-dev] ACL Plugin: check for null session

2017-12-11 Thread Andrew Yourtchenko
Dear Khers, At least the exact commit# you are working with to get more context would be useful - line 1029 on master points to a call acl_fill_5tuple to me... Also, I have not heard - were you able to reproduce the issue you contacted about a while ago ? --a > On 11 Dec 2017, at 08:46, khers

[vpp-dev] ACL Plugin: check for null session

2017-12-11 Thread khers
Dear VPP folks, The get_session_ptr function may return null pointer, while we do not check this situation in code, for example fa_node.c line 1029, if the sess equals null, we get segmentation fault in next usage of sess. Please share your thought about this. Regards, Khers

Re: [vpp-dev] ACL Plugin: tagged interface

2017-11-29 Thread Andrew Yourtchenko
Khers, Thanks! Just after I sent you the reply Dave had pointed out coverity was unhappy with some of the code, including that particular line. So I got rid of memcpy altogether and while at it fixed the values for both this place and the other one I told you about - in change 9611. --a > On

Re: [vpp-dev] ACL Plugin: tagged interface

2017-11-28 Thread khers
Dear Andrew Thanks for your attention, Yes of course I pushed to gerrit with id 9615. Regards, Khers On Tue, Nov 28, 2017 at 8:37 PM, Andrew Yourtchenko wrote: > Dear Khers, > > I believe you are right. That might not be all though... “dot1q”/“dot1ad” > mask value constant does not appear to m

Re: [vpp-dev] ACL Plugin: tagged interface

2017-11-28 Thread Andrew Yourtchenko
Dear Khers, I believe you are right. That might not be all though... “dot1q”/“dot1ad” mask value constant does not appear to make sense to me now. They should be “XX XX” to mask out the bits and also should be set accordingly to the proper values during the addition of the sessions. (I suppose

[vpp-dev] ACL Plugin: tagged interface

2017-11-28 Thread khers
Dear vpp folks I think following line in function acl_add_vlan_session in acl.c line 635 memset (&match[idx], 0x00, 2); should change to memset (&match[idx], 0xff, 2); because dot1ad_5tuple_mask and dot1q_5tuple_mask must have mask for IPv4/6, so memset to ff reset those mask to default va

Re: [vpp-dev] ACL

2017-11-20 Thread Andrew Yourtchenko
Assuming your input interface is a subinterface then you would need the build which includes https://gerrit.fd.io/r/#/c/8519/ - and if that is the case already, then I would need to see the full sequence of steps needed to recreate the problem, to say something about it. --a > On 19 Nov 2017,

Re: [vpp-dev] ACL

2017-11-19 Thread Yuliang Li
I tried some ACL config, but it does not work as I expected. I send traffic into interface 1, and vpp should send the traffic out through interface 2. For ACL, I first add this ACL. acl_add_replace ipv4 src 10.0.0.0/8 deny Then, I send traffic after adding each of the following 4 configs. acl_in

Re: [vpp-dev] ACL

2017-11-14 Thread Andrew Yourtchenko
Cool! Sure, you can use vat in that case as well. --a > On 13 Nov 2017, at 22:08, Yuliang Li wrote: > > It works! Thanks. > > Another question: if I want to use ACL plugin in non-debug build (say, > build-release), is can I use vat? Or I need to use the python code? > >> On Mon, Nov 13, 201

[vpp-dev] ACL API Change

2017-11-13 Thread Jon Loeliger
Folks, So, yeah, I was just blind-sided by an API change in the ACL code. Not to name names, or anything but it was commit 36ea2d6d3a67a60534a7c2b58551688858a1ce7f One armed NAT (VPP-1035) Use a single physical interface in order to accomplish NAT44/NAT64. That patch also introduced

Re: [vpp-dev] ACL

2017-11-13 Thread Yuliang Li
It works! Thanks. Another question: if I want to use ACL plugin in non-debug build (say, build-release), can I use vat? Or do I need to use the python code? On Mon, Nov 13, 2017 at 12:06 PM, Andrew Yourtchenko wrote: > “Make build” in the VPP directory will get you a debug build. The $1 and > s

Re: [vpp-dev] ACL

2017-11-13 Thread Andrew Yourtchenko
“Make build” in the VPP directory will get you a debug build. The $1 and such is just standard shell scripting, in case I need to pass some parameters to vat. I don’t think I had ever needed them... --a > On 13 Nov 2017, at 17:40, Yuliang Li wrote: > > Maybe this is a stupid question.. Does v

Re: [vpp-dev] ACL

2017-11-13 Thread Yuliang Li
Maybe this is a stupid question.. Does vat have to work with debug builds? And how to do the debug builds? What are the $1~$5 in your script? Thanks, Yuliang On Mon, Nov 13, 2017 at 3:03 AM, Andrew Yourtchenko wrote: > When just running vat from within the source tree, it needs to know the > pa

Re: [vpp-dev] ACL

2017-11-13 Thread Andrew Yourtchenko
When just running vat from within the source tree, it needs to know the path for the plugins, for debug builds I usually have the following small shell script which takes care of this without requiring me thinking every time (of course needs to be launched from the vpp top directory since it has

Re: [vpp-dev] ACL

2017-11-12 Thread Yuliang Li
Thanks for the quick reply. I still fail to use the vat to configure ACL. After make build-release, I use sudo build-root/build-vpp-native/vpp/vpp_api_test, but it tell me: 'acl_plugin_get_version': function not found Other ACL commands have the same problem. I also tried make build-vat, but it g

Re: [vpp-dev] ACL

2017-11-12 Thread Andrew 👽 Yourtchenko
Hi Yuliang, You can look at the test/test_acl_plugin_*.py files for the examples of interactions with plugin from python code. Alternatively, you can use VPP API test tool (vat) which is built together with VPP and then issue the API calls directly from there. Shout if you have any questions, wi

[vpp-dev] ACL

2017-11-12 Thread Yuliang Li
Hi, I want to use the ACL plugin https://wiki.fd.io/view/VPP/SecurityGroups. It seems it can only be configured via API. I only used vppctl before. Can anyone please tell how to use the API to configure? Or are there other ways to configure? Thanks, -- Yuliang Li PhD student Department of Computer

Re: [vpp-dev] ACL Build/Test Issues

2017-11-11 Thread Klement Sekera -X (ksekera - PANTHEON TECHNOLOGIES at Cisco)
Quoting Jon Loeliger (2017-11-10 23:11:36) >First, this is draconian for no really good reason.  Second, it should be >fixed.  Third, I would do that except I am stupid and need a clue where >or how to fix this situation so the tests are less draconian.  (Can we >get a "less than 0

Re: [vpp-dev] ACL Build/Test Issues

2017-11-10 Thread Jon Loeliger
Chris, On Fri, Nov 10, 2017 at 8:27 PM, Luke, Chris wrote: > If you’re wondering where the tests are: > > > > $ ls test/*acl* > > test/test_acl_plugin_conns.py test/test_acl_plugin_macip.py > > test/test_acl_plugin_l2l3.py test/test_acl_plugin.py > Ah, excellent! > Chris. > Thanks! jdl

Re: [vpp-dev] ACL Build/Test Issues

2017-11-10 Thread Luke, Chris
: Re: [vpp-dev] ACL Build/Test Issues On Fri, Nov 10, 2017 at 5:54 PM, Andrew Yourtchenko <ayour...@gmail.com> wrote: Hi Jon, On 10 Nov 2017, at 23:11, Jon Loeliger <j...@netgate.com> wrote: Folks, Every error from the ACL implementation is -1. Generically bad. Withou

Re: [vpp-dev] ACL Build/Test Issues

2017-11-10 Thread Jon Loeliger
On Fri, Nov 10, 2017 at 5:54 PM, Andrew Yourtchenko wrote: > Hi Jon, > > On 10 Nov 2017, at 23:11, Jon Loeliger wrote: > > Folks, > > Every error from the ACL implementation is -1. Generically bad. > Without regard for what might be more useful to an upper-layer UI. > > > When we discussed with

Re: [vpp-dev] ACL Build/Test Issues

2017-11-10 Thread Andrew Yourtchenko
Hi Jon, > On 10 Nov 2017, at 23:11, Jon Loeliger wrote: > > Folks, > > Every error from the ACL implementation is -1. Generically bad. > Without regard for what might be more useful to an upper-layer UI. When we discussed with the openstack folks the way they are treating errors was all as c

[vpp-dev] ACL Build/Test Issues

2017-11-10 Thread Jon Loeliger
Folks, Every error from the ACL implementation is -1. Generically bad. Without regard for what might be more useful to an upper-layer UI. So I submitted a patch to help this situation some. https://gerrit.fd.io/r/#/c/9383/ I have built and tested it locally, but it fails the Verify Tests becaus

Re: [vpp-dev] acl priority

2017-09-08 Thread yug...@telincn.com
Thanks yug...@telincn.com From: Andrew Yourtchenko Date: 2017-09-06 18:24 To: yug...@telincn.com CC: vpp-dev Subject: Re: [vpp-dev] acl priority Hi, If you talk about acl plugin then the ACLs are evaluated in the order of them applied and same about the ACEs within an acl - to change the

Re: [vpp-dev] acl priority

2017-09-06 Thread Andrew Yourtchenko
Hi, If you talk about acl plugin then the ACLs are evaluated in the order of them applied and same about the ACEs within an acl - to change the order you can apply a differently sorted list or call acl_add_replace with new contents of the ACL. If you talk the built in ACLs using classifier

[vpp-dev] acl priority

2017-09-06 Thread yug...@telincn.com
Hi all, Does vpp acl support adjusting priority? I have configured ten acl rules, if I want to move the tenth acl to be the first acl, is there an easy way to do this? Regards, Ewan yug...@telincn.com

Re: [vpp-dev] ACL Match in fa_node.c

2017-08-30 Thread Wang, Yipeng1
ts.fd.io; zhang...@yunshan.net.cn > Subject: Re: [vpp-dev] ACL Match in fa_node.c > > Hi Yipeng, > > yeah, this case should be handled as well - note that the ACL lookup hash is > 48x8, > while the session lookup hash is 40x8, and the fa_5tuple_t (being 48 bytes in > size

Re: [vpp-dev] ACL Match in fa_node.c

2017-08-29 Thread Andrew 👽 Yourtchenko
--- > >> From: "Andrew Yourtchenko"; > >> Date: Tue, May 23, 2017 07:56 PM > >> To: "张攀"; > >>

Re: [vpp-dev] ACL Match in fa_node.c

2017-08-28 Thread Wang, Yipeng1
...@yunshan.net.cn Subject: Re: [vpp-dev] ACL Match in fa_node.c Hi Yipeng, It's already there - just have a look through hash_* files in the ACL plugin directory on the master or latest stable/1707 :-) There are several things more that can be taken care of (e.g. the determination of the "ACE no

Re: [vpp-dev] ACL Match in fa_node.c

2017-08-27 Thread Andrew Yourtchenko
: "Andrew  Yourtchenko"; > > Date: Tue, May 23, 2017 07:56 PM > > To: "张攀"; > > Cc: "vpp-dev"; > > Subject: Re: [vpp-dev] ACL Match in fa_node.c > > > > > > Hi! > > > > On 5/23/17, 张攀 wrote: > &g

Re: [vpp-dev] ACL Match in fa_node.c

2017-08-25 Thread Wang, Yipeng1
, 2017 07:56 PM > To: "张攀"; > Cc: "vpp-dev"; > Subject: Re: [vpp-dev] ACL Match in fa_node.c > > > Hi! > > On 5/23/17,

Re: [vpp-dev] acl-plugin now uses its own memory heap (master & stable/1707)

2017-08-08 Thread Andrew 👽 Yourtchenko
Hi Burt, Makes sense. Quickly looking at the code it shouldn't be affecting, but that file should be indeed with everything else. So I rebuilt it from 48_8 one in the master, and the gerrit is here: https://gerrit.fd.io/r/#/c/7937/ Hopefully Damjan can review and +2 it. --a On 8/8/17, Burt Sil

Re: [vpp-dev] acl-plugin now uses its own memory heap (master & stable/1707)

2017-08-08 Thread Burt Silverman
Hi Andrew, As long as you mention issues in acl plugin, I found something strange in bihash_40_8.h: there is no definition of BIHASH_KVP_CACHE_SIZE. So when you get to bihash_template.h, that will be obtaining BIHASH_KVP_CACHE_SIZE from whatever bihash_x_y.h happens to be last in the included head
