Re: [vpp-dev] acl ipv6 rule creation with VAPI. #acl #ipv6 #vapi

2021-09-02 Thread RaviKiran Veldanda
Sorry for spamming, after going over the acl_plugin code I understood that the prefix length must match the address otherwise the acl_plugin doesn't accept the rules :-( Error line ==> ret=inet_pton(AF_INET6,"fd01:: 1",&(acl->payload.r[0].dst_prefix.address.un.ip6)); after changing the line to =

Re: [vpp-dev] ACL-->ABF--> Memif, Seeing arp request for the packets #acl #abf #policy #routing

2021-07-17 Thread RaviKiran Veldanda
Neale, This is really I never thought we can create VLAN for memif This saved enormous of amount my time... I am really excited and it's working perfectly fine. //Ravi -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#19822): https://lists.fd.io/g

Re: [vpp-dev] ACL-->ABF--> Memif, Seeing arp request for the packets #acl #abf #policy #routing

2021-07-17 Thread Neale Ranns
: Re: [vpp-dev] ACL-->ABF--> Memif, Seeing arp request for the packets #acl #abf #policy #routing [Edited Message Follows] Hi Neale, Thanks for your time. Yes I got that and I did create a dummy arp to make this work. ip neighbor memif1/0 192.168.1.3 dead.dead.dead set acl-plugin acl perm

Re: [vpp-dev] ACL-->ABF--> Memif, Seeing arp request for the packets #acl #abf #policy #routing

2021-07-16 Thread RaviKiran Veldanda
[Edited Message Follows] Hi Neale, Thanks for your time. Yes I got that and I did create a dummy arp to make this work. ip neighbor memif1/0 192.168.1.3 dead.dead.dead set acl-plugin acl permit dst 172.172.0.0/24 abf policy add id 0 acl 0 via 192.168.1.3 memif1/0 abf attach ip4 policy 0  Hun

Re: [vpp-dev] ACL-->ABF--> Memif, Seeing arp request for the packets #acl #abf #policy #routing

2021-07-16 Thread RaviKiran Veldanda
Hi Neale, Thanks for your time. Yes I got that and I did create a dummy arp to make this work. ip neighbor memif1/0 192.168.1.3 dead.dead.dead set acl-plugin acl permit dst 172.172.0.0/24 abf policy add id 0 acl 0 via 192.168.1.3 memif1/0 abf attach ip4 policy 0  HundredGigabitEthernet12/0/0

Re: [vpp-dev] ACL-->ABF--> Memif, Seeing arp request for the packets #acl #abf #policy #routing

2021-07-16 Thread Neale Ranns
Hi Ravi, A memif interface is not p2p, so your ABF policy path needs a next-hop: abf policy add id 0 acl 0 via 192.168.1.X memif1/0 where .X is the host on the other end. /neale From: vpp-dev@lists.fd.io on behalf of RaviKiran Veldanda via lists.fd.io Date: Friday, 16 July 2021 at 17:15 T

Re: [vpp-dev] ACL IPV6 rule addition using the "set acl_plugin acl" command from "vppctl" #vppctl #acl #acl_plugin #ipv6

2021-07-15 Thread Andrew Yourtchenko
io/r/c/vpp/+/33142 > > /neale > > From: vpp-dev@lists.fd.io on behalf of Andrew > Yourtchenko via lists.fd.io > Date: Wednesday, 14 July 2021 at 23:53 > To: RaviKiran Veldanda , Jakub Grajciar > > Cc: vpp-dev@lists.fd.io > Subject: Re: [vpp-dev] ACL IPV6 rule additio

Re: [vpp-dev] ACL IPV6 rule addition using the "set acl_plugin acl" command from "vppctl" #vppctl #acl #acl_plugin #ipv6

2021-07-15 Thread Neale Ranns
Evidently a typo. Here you go: https://gerrit.fd.io/r/c/vpp/+/33142 /neale From: vpp-dev@lists.fd.io on behalf of Andrew Yourtchenko via lists.fd.io Date: Wednesday, 14 July 2021 at 23:53 To: RaviKiran Veldanda , Jakub Grajciar Cc: vpp-dev@lists.fd.io Subject: Re: [vpp-dev] ACL IPV6

Re: [vpp-dev] ACL IPV6 rule addition using the "set acl_plugin acl" command from "vppctl" #vppctl #acl #acl_plugin #ipv6

2021-07-14 Thread Andrew Yourtchenko
Ravi, appears that the commit 2f8cd914514fe54f91974c6d465d4769dfac8de8 has hardcoded the IP address family in the CLI handler to IPv4: 0490db79b src/plugins/acl/acl.c(Neale Ranns2020-03-24 15:09:41 + 2873) else if (unformat (line_input, "src %U/%d", bf883bb086 src/plugin

Re: [vpp-dev] ACL panics in `hash_acl_set_heap`

2020-09-16 Thread Andrew Yourtchenko
Hi Mahdi, This patch should apply, ACL plugin had not seen much changes recently, but then you are not running a 20.05 anymore :-) I would strongly suggest to evaluate on what limitations prevent you from following the master branch as close as possible and address them. This may seem daunting

Re: [vpp-dev] ACL panics in `hash_acl_set_heap`

2020-09-16 Thread Mahdi Varasteh
Hi Andrew, Thanks for your response. That makes sense. I will monitor my box memory usage. Unfortunately I'm using VPP 20.05. So I will try to forwardport (we have it? :D) this patch to it.

Re: [vpp-dev] ACL panics in `hash_acl_set_heap`

2020-09-16 Thread Andrew Yourtchenko
ACL plugin historically uses its own heaps for hash lookup data. It should be just 64M by default. It’s been like that since day1, so you might need to look at your memory usage on that box overall... I am not sure if custom heaps use the huge pages or not - maybe you need to have less huge pa

Re: [vpp-dev] ACL plugin optimization

2020-05-29 Thread Govindarajan Mohandoss
; Jieqiang > Wang ; Honnappa Nagarahalli > ; nd > Subject: Re: [vpp-dev] ACL plugin optimization > > Hi Govind, > > 1) According to Jenkins, this patch permits some of the packets that should > be denied, hence JJB voted "-1". > > 2) If you suspect merely th

Re: [vpp-dev] ACL plugin optimization

2020-05-29 Thread Govindarajan Mohandoss
> ; nd > Subject: Re: [vpp-dev] ACL plugin optimization > > > Hi Govind, > > As well as removing the prefetches, you've also removed the per packet call > to acl_fa_find_session_with_hash(). So IIUC you've removed the per-packet > session lookup and inste

Re: [vpp-dev] ACL plugin optimization

2020-05-27 Thread Neale Ranns via lists.fd.io
Hi Govind, As well as removing the prefetches, you've also removed the per packet call to acl_fa_find_session_with_hash(). So IIUC you've removed the per-packet session lookup and instead re-use the lookup of packet 0 each time. that'll make things quicker but it's not functionally correct. /

Re: [vpp-dev] ACL plugin optimization

2020-05-27 Thread Andrew Yourtchenko
Hi Govind, 1) According to Jenkins, this patch permits some of the packets that should be denied, hence JJB voted "-1". 2) If you suspect merely the prefetches are the issue, just commenting out the body of prefetch_session_entry() in the original code should turn it into a no-op that doesn't bre

Re: [vpp-dev] ACL question

2020-05-03 Thread Govindarajan Mohandoss
Thanks Neale. It works now. From: Neale Ranns (nranns) Sent: Saturday, May 2, 2020 8:15 AM To: Govindarajan Mohandoss ; Andrew Yourtchenko Cc: John Lo (loj) ; Paul Vinciguerra ; vpp-dev@lists.fd.io; nd ; Lijian Zhang ; Jieqiang Wang Subject: Re: [vpp-dev] ACL question From: Govindarajan

Re: [vpp-dev] ACL question

2020-05-02 Thread Neale Ranns via lists.fd.io
From: Govindarajan Mohandoss Date: Friday 1 May 2020 at 21:15 To: "Neale Ranns (nranns)" , Andrew Yourtchenko Cc: "John Lo (loj)" , Paul Vinciguerra , "vpp-dev@lists.fd.io" , nd , Lijian Zhang , Jieqiang Wang , nd Subject: RE: [vpp-dev] ACL question Hi Neale

Re: [vpp-dev] ACL question

2020-05-01 Thread Govindarajan Mohandoss
; Lijian Zhang ; Jieqiang Wang Subject: Re: [vpp-dev] ACL question Or in the latest version you can create ACLs on the CLI: set acl-plugin acl ? set acl-plugin interface ? /neale From: mailto:vpp-dev@lists.fd.io>> on behalf of Andrew Yourtchenko mailto:ayour...@gmail.com>> Dat

Re: [vpp-dev] ACL question

2020-04-29 Thread Govindarajan Mohandoss
Thanks Neale. From: Neale Ranns (nranns) Sent: Wednesday, April 29, 2020 4:24 AM To: Andrew Yourtchenko ; Govindarajan Mohandoss Cc: John Lo (loj) ; Paul Vinciguerra ; vpp-dev@lists.fd.io; nd ; Lijian Zhang ; Jieqiang Wang Subject: Re: [vpp-dev] ACL question Or in the latest version you

Re: [vpp-dev] ACL question

2020-04-29 Thread Govindarajan Mohandoss
ndarajan Mohandoss Cc: John Lo (loj) ; Paul Vinciguerra ; vpp-dev@lists.fd.io; nd ; Lijian Zhang ; Jieqiang Wang Subject: Re: [vpp-dev] ACL question Hi Govind, 1) make an api trace and inspect the message there - whether it contains the entries you are expecting. 1a) If it does, then

Re: [vpp-dev] ACL question

2020-04-29 Thread Neale Ranns via lists.fd.io
sts.fd.io" , nd , Lijian Zhang , Jieqiang Wang Subject: Re: [vpp-dev] ACL question Hi Govind, 1) make an api trace and inspect the message there - whether it contains the entries you are expecting. 1a) If it does, then you can trivially recreate the same message using the python api just by

Re: [vpp-dev] ACL question

2020-04-29 Thread Andrew Yourtchenko
oj) > Sent: Tuesday, April 28, 2020 10:38 PM > To: Govindarajan Mohandoss ; Paul Vinciguerra > > Cc: Andrew 👽 Yourtchenko ; vpp-dev@lists.fd.io; nd > ; Lijian Zhang ; Jieqiang Wang > ; nd > Subject: RE: [vpp-dev] ACL question > > Try “make test TEST=acl_plugin”.

Re: [vpp-dev] ACL question

2020-04-28 Thread Govindarajan Mohandoss
Zhang ; Jieqiang Wang ; nd Subject: RE: [vpp-dev] ACL question Try “make test TEST=acl_plugin”. -John From: vpp-dev@lists.fd.io<mailto:vpp-dev@lists.fd.io> mailto:vpp-dev@lists.fd.io>> On Behalf Of Govindarajan Mohandoss Sent: Tuesday, April 28, 2020 11:22 PM To: Paul

Re: [vpp-dev] ACL question

2020-04-28 Thread Govindarajan Mohandoss
Thanks John. From: John Lo (loj) Sent: Tuesday, April 28, 2020 10:38 PM To: Govindarajan Mohandoss ; Paul Vinciguerra Cc: Andrew 👽 Yourtchenko ; vpp-dev@lists.fd.io; nd ; Lijian Zhang ; Jieqiang Wang ; nd Subject: RE: [vpp-dev] ACL question Try “make test TEST=acl_plugin”. -John From

Re: [vpp-dev] ACL question

2020-04-28 Thread John Lo (loj) via lists.fd.io
Try “make test TEST=acl_plugin”. -John From: vpp-dev@lists.fd.io On Behalf Of Govindarajan Mohandoss Sent: Tuesday, April 28, 2020 11:22 PM To: Paul Vinciguerra Cc: Andrew 👽 Yourtchenko ; vpp-dev@lists.fd.io; nd ; Lijian Zhang ; Jieqiang Wang ; nd Subject: Re: [vpp-dev] ACL question Hi

Re: [vpp-dev] ACL question

2020-04-28 Thread Govindarajan Mohandoss
: Re: [vpp-dev] ACL question See: src/plugins/acl/test/test_acl_plugin.py On Tue, Apr 28, 2020 at 7:19 PM Govindarajan Mohandoss mailto:govindarajan.mohand...@arm.com>> wrote: Sure Andrew. Is there a unit test case for ACL plugin ? From: Andrew 👽 Yourtchenko mailto:ayour...@gmail.com&

Re: [vpp-dev] ACL question

2020-04-28 Thread Govindarajan Mohandoss
Thanks Paul ! From: Paul Vinciguerra Sent: Tuesday, April 28, 2020 9:22 PM To: Govindarajan Mohandoss Cc: Andrew 👽 Yourtchenko ; vpp-dev@lists.fd.io; nd ; Lijian Zhang ; Jieqiang Wang Subject: Re: [vpp-dev] ACL question See: src/plugins/acl/test/test_acl_plugin.py On Tue, Apr 28, 2020 at

Re: [vpp-dev] ACL question

2020-04-28 Thread Paul Vinciguerra
l 28, 2020 4:57 PM > *To:* Govindarajan Mohandoss > *Cc:* vpp-dev@lists.fd.io; nd ; Lijian Zhang < > lijian.zh...@arm.com>; Jieqiang Wang > *Subject:* Re: [vpp-dev] ACL question > > > > 1-3: no. > > 4: please make a “make test” test case illustrating the problem and share

Re: [vpp-dev] ACL question

2020-04-28 Thread Govindarajan Mohandoss
Sure Andrew. Is there a unit test case for ACL plugin ? From: Andrew 👽 Yourtchenko Sent: Tuesday, April 28, 2020 4:57 PM To: Govindarajan Mohandoss Cc: vpp-dev@lists.fd.io; nd ; Lijian Zhang ; Jieqiang Wang Subject: Re: [vpp-dev] ACL question 1-3: no. 4: please make a “make test” test case

Re: [vpp-dev] ACL question

2020-04-28 Thread Andrew Yourtchenko
> > Thank you very much Andrew !! I will do some benchmarks and get back to > > you to understand it better. > > > > Thanks > > Govind > > > > > -Original Message- > > > From: Andrew 👽 Yourtchenko > > > Sent: Friday, Mar

Re: [vpp-dev] ACL question

2020-04-28 Thread Govindarajan Mohandoss
> To: Andrew 👽 Yourtchenko > Cc: vpp-dev@lists.fd.io > Subject: Re: [vpp-dev] ACL question > > Thank you very much Andrew !! I will do some benchmarks and get back to > you to understand it better. > > Thanks > Govind > > > -Original Message-

Re: [vpp-dev] ACL question

2020-03-27 Thread Govindarajan Mohandoss
code for the bihash memory usage have been tested with half a > million sessions - so you can extrapolate from those with some ballpark > (though bihash memory usage is not linear wrt the entries, and also there is > some extra memory churn due to bucket reallocations when the size > in

Re: [vpp-dev] ACL question

2020-03-27 Thread Andrew Yourtchenko
lpark (though bihash memory usage is not linear wrt the entries, and also there is some extra memory churn due to bucket reallocations when the size increases). —a > > > Thanks > > Govind > > > > From: vpp-dev@lists.fd.io On Behalf Of Govindarajan > Mohandoss via Lis

Re: [vpp-dev] ACL question

2020-03-26 Thread Govindarajan Mohandoss
needed compared to SL mode ? Thanks Govind From: vpp-dev@lists.fd.io On Behalf Of Govindarajan Mohandoss via Lists.Fd.Io Sent: Thursday, March 26, 2020 12:37 PM To: Andrew 👽 Yourtchenko Cc: vpp-dev@lists.fd.io Subject: Re: [vpp-dev] ACL question Hi Andrew, Thanks for the document. Can

Re: [vpp-dev] ACL question

2020-03-26 Thread Govindarajan Mohandoss
; nd Subject: Re: [vpp-dev] ACL question As an acl plugin author I can say both stateful and stateless ACLs are used for different consumers. Various matching implementations in vpp are used in different use cases... and there is not a single silver bullet magic answer, because the trade offs

Re: [vpp-dev] ACL question

2020-03-26 Thread Andrew Yourtchenko
As an acl plugin author I can say both stateful and stateless ACLs are used for different consumers. Various matching implementations in vpp are used in different use cases... and there is not a single silver bullet magic answer, because the trade offs are different. https://nonsns.github.io/

Re: [vpp-dev] ACL drops while pinging another interface

2019-09-06 Thread Andrew Yourtchenko
up VirtualEthernet0/0/2 >> Link speed: unknown >> Ethernet address fa:16:3c:05:66:7c >> VirtualEthernet0/0/3 6 up VirtualEthernet0/0/3 >> Link speed: unknown >> Ethernet address fa:16:3c:f0:21:0a >> VirtualEthernet0/0/4 7

Re: [vpp-dev] ACL drops while pinging another interface

2019-09-06 Thread Eyle Brinkhuis
; Link speed: 40 Gbps > Ethernet address 02:fe:27:ea:09:82 > flags: admin-up > > It looks like there doesn’t even exist an acl for VirtualEthernet0/0/3? Is > that why it is dropped? > > Eyle > > From: Andrew 👽 Yourtchenko

Re: [vpp-dev] ACL drops while pinging another interface

2019-09-06 Thread Andrew Yourtchenko
Ethernet address 02:fe:99:32:82:4f > flags: admin-up promiscuous > rdma1 2 up rdma1 > Link speed: 40 Gbps > Ethernet address 02:fe:27:ea:09:82 > flags: admin-up > > It looks like there doesn’t even exist an acl for VirtualEthernet0/0/

Re: [vpp-dev] ACL drops while pinging another interface

2019-09-06 Thread Eyle Brinkhuis
3 -Naveen From: mailto:vpp-dev@lists.fd.io>> on behalf of Andrew Yourtchenko mailto:ayour...@gmail.com>> Date: Thursday, September 5, 2019 at 7:20 AM To: Eyle Brinkhuis mailto:eyle.brinkh...@surfnet.nl>> Cc: "vpp-dev@lists.fd.io<mailto:vpp-dev@lists.fd.io>" mailto:vp

Re: [vpp-dev] ACL drops while pinging another interface

2019-09-05 Thread Andrew Yourtchenko
> From: on behalf of Andrew Yourtchenko > > Date: Thursday, September 5, 2019 at 7:20 AM > To: Eyle Brinkhuis > Cc: "vpp-dev@lists.fd.io" > Subject: Re: [vpp-dev] ACL drops while pinging another interface > > Thanks for the traces ! > > MACIP acl us

Re: [vpp-dev] ACL drops while pinging another interface

2019-09-05 Thread Naveen Joy via Lists.Fd.Io
table 12, offset -1 00:53:47:316361: error-drop rx:VirtualEthernet0/0/3 -Naveen From: on behalf of Andrew Yourtchenko Date: Thursday, September 5, 2019 at 7:20 AM To: Eyle Brinkhuis Cc: "vpp-dev@lists.fd.io" Subject: Re: [vpp-dev] ACL drops while pinging another interface Thank

Re: [vpp-dev] ACL drops while pinging another interface

2019-09-05 Thread Andrew Yourtchenko
Thanks for the traces ! MACIP acl uses the classifier-based “ip-acl”; so it sounds like it is not programmed with the source Mac of your packets. “Show acl-plugin macip” will help to see what the acl plugin sees, and if it looks legit, then you can check the classifier tables applied as input a

Re: [vpp-dev] ACL not working #vpp

2019-09-04 Thread Andrew Yourtchenko
Hi Cipher, Reply below inline > On 4 Sep 2019, at 12:36, Cipher Chen wrote: > > Thanks Andrew, I've successfully done acl_plugin test. > > BTW, just reply here for latecomers, do "V=2 EXTENDED_TESTS=1 > TEST=acl_plugin* make test" to do more test and print verbosely. Yeah the connection tra

Re: [vpp-dev] ACL not working #vpp

2019-09-04 Thread Cipher Chen
Thanks Andrew, I've successfully done acl_plugin test. BTW, just reply here for latecomers, do "V=2 EXTENDED_TESTS=1 TEST=acl_plugin* make test" to do more test and print verbosely. Since I'm testing stateful ACL by watching behavior of test_acl_plugin_conns.py, along with explanation from Sta

Re: [vpp-dev] ACL not working #vpp

2019-09-03 Thread Andrew Yourtchenko
The VPP packet tracer might tell a bit more what is going on. https://wiki.fd.io/view/VPP/Command-line_Interface_(CLI)_Guide#packet_tracer Also you can do “TEST=acl_plugin* make test” and examine the logs of successful testcase runs and compare with what you have. --a > On 3 Sep 2019, at 16:2

Re: [vpp-dev] ACL not working #vpp

2019-09-03 Thread Cipher Chen
More info about acl plugin vpp# show acl-plugin acl acl-index 4 count 2 tag {} 0: ipv4 deny src 0.0.0.0/0 dst 0.0.0.0/0 proto 1 sport 0-65535 dport 0-65535 1: ipv4 permit src 0.0.0.0/0 dst 0.0.0.0/0 proto 6 sport 0-65535 dport 0-65535 applied inbound on sw_if_index: 1 applied outbound on sw_if_ind

Re: [vpp-dev] ACL and Policier

2019-02-28 Thread Andrew Yourtchenko
Hi! No, it isn’t... --a > On 28 Feb 2019, at 02:33, mahdy.varas...@gmail.com wrote: > > Hi > > I wondered if we can use ACLs instead of classifier tables in Policies. How > is it possible? ( if it is possible)

Re: [vpp-dev] ACL Plugin: check for null session

2017-12-19 Thread khers
Dear Andrew Unfortunately I can't reproduce this case. It's really a rare situation. Regards On Tue, Dec 12, 2017 at 5:43 PM, khers wrote: > Dear Andrew > > This is a good explanation of how session add and delete works, > I think this not a benign operation, I could produce the rare scenario

Re: [vpp-dev] ACL Plugin: check for null session

2017-12-12 Thread khers
Dear Andrew This is a good explanation of how session add and delete works, I think this not a benign operation, I could produce the rare scenario you explained. I will send backtrace and other details tomorrow. On Tue, Dec 12, 2017 at 2:46 PM, Andrew 👽 Yourtchenko wrote: > Dear Khers, > > I th

Re: [vpp-dev] ACL Plugin: check for null session

2017-12-12 Thread Andrew 👽 Yourtchenko
Dear Khers, I think you are right. Normally the entry in the session hash table is deleted before any operations with the per-worker pool, so we should not end up on that line. Also, the deletion itself usually happens as a result of the idle timeout - meaning, no packets hit the session for a com

Re: [vpp-dev] ACL Plugin: check for null session

2017-12-11 Thread khers
Dear Andrew I'm working on d594711a5d79859a7d0bde83a516f7ab52051d9b commit on stable/1710 branch. sorry for less info. I can't reproduce last issue I have reported, forgot the commit I was working on. Regards, Khers On Mon, Dec 11, 2017 at 12:24 PM, Andrew Yourtchenko wrote: > Dear Khers, > >

Re: [vpp-dev] ACL Plugin: check for null session

2017-12-11 Thread Andrew Yourtchenko
Dear Khers, At least the exact commit# you are working with to get more context would be useful - line 1029 on master points to a call acl_fill_5tuple to me... Also, I have not heard - were you able to reproduce the issue you contacted about a while ago ? --a > On 11 Dec 2017, at 08:46, khers

Re: [vpp-dev] ACL Plugin: tagged interface

2017-11-29 Thread Andrew Yourtchenko
Khers, Thanks! Just after I sent you the reply Dave had pointed out coverity was unhappy with some of the code, including that particular line. So I got rid of memcpy altogether and while at it fixed the values for both this place and the other one I told you about - in change 9611. --a > On

Re: [vpp-dev] ACL Plugin: tagged interface

2017-11-28 Thread khers
Dear Andrew Thanks for your attention, Yes of course I pushed to gerrit with id 9615. Regards, Khers On Tue, Nov 28, 2017 at 8:37 PM, Andrew Yourtchenko wrote: > Dear Khers, > > I believe you are right. That might not be all though... “dot1q”/“dot1ad” > mask value constant does not appear to m

Re: [vpp-dev] ACL Plugin: tagged interface

2017-11-28 Thread Andrew Yourtchenko
Dear Khers, I believe you are right. That might not be all though... “dot1q”/“dot1ad” mask value constant does not appear to make sense to me now. They should be “XX XX” to mask out the bits and also should be set accordingly to the proper values during the addition of the sessions. (I suppose

Re: [vpp-dev] ACL

2017-11-20 Thread Andrew Yourtchenko
Assuming your input interface is a subinterface then you would need the build which includes https://gerrit.fd.io/r/#/c/8519/ - and if that is the case already, then I would need to see the full sequence of steps needed to recreate the problem, to say something about it. --a > On 19 Nov 2017,

Re: [vpp-dev] ACL

2017-11-19 Thread Yuliang Li
I tried some ACL config, but it does not work as I expected. I send traffic into interface 1, and vpp should send the traffic out through interface 2. For ACL, I first add this ACL. acl_add_replace ipv4 src 10.0.0.0/8 deny Then, I send traffic after adding each of the following 4 configs. acl_in

Re: [vpp-dev] ACL

2017-11-14 Thread Andrew Yourtchenko
Cool! Sure, you can use vat in that case as well. --a > On 13 Nov 2017, at 22:08, Yuliang Li wrote: > > It works! Thanks. > > Another question: if I want to use ACL plugin in non-debug build (say, > build-release), can I use vat? Or I need to use the python code? > >> On Mon, Nov 13, 201

Re: [vpp-dev] ACL

2017-11-13 Thread Yuliang Li
It works! Thanks. Another question: if I want to use ACL plugin in non-debug build (say, build-release), can I use vat? Or I need to use the python code? On Mon, Nov 13, 2017 at 12:06 PM, Andrew Yourtchenko wrote: > “Make build” in the VPP directory will get you a debug build. The $1 and > s

Re: [vpp-dev] ACL

2017-11-13 Thread Andrew Yourtchenko
“Make build” in the VPP directory will get you a debug build. The $1 and such is just standard shell scripting, in case I need to pass some parameters to vat. I don’t think I had ever needed them... --a > On 13 Nov 2017, at 17:40, Yuliang Li wrote: > > Maybe this is a stupid question.. Does v

Re: [vpp-dev] ACL

2017-11-13 Thread Yuliang Li
Maybe this is a stupid question.. Does vat have to work with debug builds? And how to do the debug builds? What are the $1~$5 in your script? Thanks, Yuliang On Mon, Nov 13, 2017 at 3:03 AM, Andrew Yourtchenko wrote: > When just running vat from within the source tree, it needs to know the > pa

Re: [vpp-dev] ACL

2017-11-13 Thread Andrew Yourtchenko
When just running vat from within the source tree, it needs to know the path for the plugins, for debug builds I usually have the following small shell script which takes care of this without requiring me thinking every time (of course needs to be launched from the vpp top directory since it has

Re: [vpp-dev] ACL

2017-11-12 Thread Yuliang Li
Thanks for the quick reply. I still fail to use the vat to configure ACL. After make build-release, I use sudo build-root/build-vpp-native/vpp/vpp_api_test, but it tells me: 'acl_plugin_get_version': function not found Other ACL commands have the same problem. I also tried make build-vat, but it g

Re: [vpp-dev] ACL

2017-11-12 Thread Andrew 👽 Yourtchenko
Hi Yuliang, You can look at the test/test_acl_plugin_*.py files for the examples of interactions with plugin from python code. Alternatively, you can use VPP API test tool (vat) which is built together with VPP and then issue the API calls directly from there. Shout if you have any questions, wi

Re: [vpp-dev] ACL Build/Test Issues

2017-11-11 Thread Klement Sekera -X (ksekera - PANTHEON TECHNOLOGIES at Cisco)
Quoting Jon Loeliger (2017-11-10 23:11:36) >First, this is draconian for no really good reason.  Second, it should be >fixed.  Third, I would do that except I am stupid and need a clue where >or how to fix this situation so the tests are less draconian.  (Can we >get a "less than 0

Re: [vpp-dev] ACL Build/Test Issues

2017-11-10 Thread Jon Loeliger
Chris, On Fri, Nov 10, 2017 at 8:27 PM, Luke, Chris wrote: > If you’re wondering where the tests are: > > > > $ ls test/*acl* > > test/test_acl_plugin_conns.py test/test_acl_plugin_macip.py > > test/test_acl_plugin_l2l3.py test/test_acl_plugin.py > Ah, excellent! > Chris. > Thanks! jdl _

Re: [vpp-dev] ACL Build/Test Issues

2017-11-10 Thread Luke, Chris
: Re: [vpp-dev] ACL Build/Test Issues On Fri, Nov 10, 2017 at 5:54 PM, Andrew Yourtchenko mailto:ayour...@gmail.com>> wrote: Hi Jon, On 10 Nov 2017, at 23:11, Jon Loeliger mailto:j...@netgate.com>> wrote: Folks, Every error from the ACL implementation is -1. Generically bad. Withou

Re: [vpp-dev] ACL Build/Test Issues

2017-11-10 Thread Jon Loeliger
On Fri, Nov 10, 2017 at 5:54 PM, Andrew Yourtchenko wrote: > Hi Jon, > > On 10 Nov 2017, at 23:11, Jon Loeliger wrote: > > Folks, > > Every error from the ACL implementation is -1. Generically bad. > Without regard for what might be more useful to an upper-layer UI. > > > When we discussed with

Re: [vpp-dev] ACL Build/Test Issues

2017-11-10 Thread Andrew Yourtchenko
Hi Jon, > On 10 Nov 2017, at 23:11, Jon Loeliger wrote: > > Folks, > > Every error from the ACL implementation is -1. Generically bad. > Without regard for what might be more useful to an upper-layer UI. When we discussed with the openstack folks the way they are treating errors was all as c

Re: [vpp-dev] acl priority

2017-09-08 Thread yug...@telincn.com
Thanks yug...@telincn.com From: Andrew Yourtchenko Date: 2017-09-06 18:24 To: yug...@telincn.com CC: vpp-dev Subject: Re: [vpp-dev] acl priority Hi, If you talk about acl plugin then the ACLs are evaluated in the order of them applied and same about the ACEs within an acl - to change the

Re: [vpp-dev] acl priority

2017-09-06 Thread Andrew Yourtchenko
Hi, If you talk about acl plugin then the ACLs are evaluated in the order of them applied and same about the ACEs within an acl - to change the order you can apply a differently sorted list or call acl_add_replace with new contents of the ACL. If you talk the built in ACLs using classifier

Re: [vpp-dev] ACL Match in fa_node.c

2017-08-30 Thread Wang, Yipeng1
ts.fd.io; zhang...@yunshan.net.cn > Subject: Re: [vpp-dev] ACL Match in fa_node.c > > Hi Yipeng, > > yeah, this case should be handled as well - note that the ACL lookup hash is > 48x8, > while the session lookup hash is 40x8, and the fa_5tuple_t (being 48 bytes in > size

Re: [vpp-dev] ACL Match in fa_node.c

2017-08-29 Thread Andrew 👽 Yourtchenko
--- > >> From: "Andrew 👽 Yourtchenko"> gmail.com<https://lists.fd.io/mailman/listinfo/vpp-dev>>; > >> Date: Tue, May 23, 2017 07:56 PM > >> To: "张攀"> yunshan.net.cn<https://lists.fd.io/mailman/listinfo/vpp-dev>>; > >>

Re: [vpp-dev] ACL Match in fa_node.c

2017-08-28 Thread Wang, Yipeng1
...@yunshan.net.cn Subject: Re: [vpp-dev] ACL Match in fa_node.c Hi Yipeng, It's already there - just have a look through hash_* files in the ACL plugin directory on the master or latest stable/1707 :-) There are several things more that can be taken care of (e.g. the determination of the "ACE no

Re: [vpp-dev] ACL Match in fa_node.c

2017-08-27 Thread Andrew Yourtchenko
: "Andrew 👽 Yourtchenko"; > > Date: Tue, May 23, 2017 07:56 PM > > To: "张攀"; > > Cc: "vpp-dev"; > > Subject: Re: [vpp-dev] ACL Match in fa_node.c > > > > > > Hi! > > > > On 5/23/17, 张攀 wrote: > >

Re: [vpp-dev] ACL Match in fa_node.c

2017-08-25 Thread Wang, Yipeng1
, 2017 07:56 PM > To: "张攀" yunshan.net.cn<https://lists.fd.io/mailman/listinfo/vpp-dev>>; > Cc: "vpp-dev" lists.fd.io<https://lists.fd.io/mailman/listinfo/vpp-dev>>; > Subject: Re: [vpp-dev] ACL Match in fa_node.c > > > Hi! > > On 5/23/17,

Re: [vpp-dev] acl-plugin now uses its own memory heap (master & stable/1707)

2017-08-08 Thread Andrew 👽 Yourtchenko
Hi Burt, Makes sense. Quickly looking at the code it shouldn't be affecting, but that file should be indeed with everything else. So I rebuilt it from 48_8 one in the master, and the gerrit is here: https://gerrit.fd.io/r/#/c/7937/ Hopefully Damjan can review and +2 it. --a On 8/8/17, Burt Sil

Re: [vpp-dev] acl-plugin now uses its own memory heap (master & stable/1707)

2017-08-08 Thread Burt Silverman
Hi Andrew, As long as you mention issues in acl plugin, I found something strange in bihash_40_8.h: there is no definition of BIHASH_KVP_CACHE_SIZE. So when you get to bihash_template.h, that will be obtaining BIHASH_KVP_CACHE_SIZE from whatever bihash_x_y.h happens to be last in the included head

Re: [vpp-dev] ACL commands

2017-07-08 Thread Andrew Yourtchenko
There are two different mechanisms in VPP which you can use: 1) classifier-based ACLs https://wiki.fd.io/view/VPP/Introduction_To_N-tuple_Classifiers It is faster than acl plugin, and allows only stateless operation which is essentially bitmask-based. 2) acl plugin https://wiki.fd.io/view/VPP

Re: [vpp-dev] ACL Match in fa_node.c

2017-05-25 Thread zhang...@yunshan.net.cn
hand-on experiences, looking forward to collaborating with you :p Best Regards, Pan zhang...@yunshan.net.cn From: Andrew 👽 Yourtchenko Date: 2017-05-24 02:48 To: 张攀 CC: vpp-dev Subject: Re: [vpp-dev] ACL Match in fa_node.c Hi Pan! On 5/23/17, 张攀 wrote: > Hi And

Re: [vpp-dev] ACL Match in fa_node.c

2017-05-23 Thread Andrew 👽 Yourtchenko
Hi Pan! On 5/23/17, 张攀 wrote: > Hi Andrew! > > > -- Original -- > From: "Andrew 👽 Yourtchenko"; > Date: Tue, May 23, 2017 07:56 PM > To: "张攀"; > Cc: "vpp-dev"; > Subject: Re: [vpp-dev] ACL Match in

Re: [vpp-dev] ACL Match in fa_node.c

2017-05-23 Thread 张攀
Hi Andrew! -- Original -- From: "Andrew 👽 Yourtchenko"; Date: Tue, May 23, 2017 07:56 PM To: "张攀"; Cc: "vpp-dev"; Subject: Re: [vpp-dev] ACL Match in fa_node.c Hi! On 5/23/17, 张攀 wrote: > Hi guys, > > >

Re: [vpp-dev] ACL Match in fa_node.c

2017-05-23 Thread Andrew 👽 Yourtchenko
Hi! On 5/23/17, 张攀 wrote: > Hi guys, > > > I looked into the source code of vpp/src/plugin/acl/fa_node.c, > in function full_acl_match_5tuple(), it seems that every ingress packet is > matching against each ACL rule stored in acl_main->acls in a for-loop > manner. This seems not fairly effective.

Re: [vpp-dev] ACL API Questions

2017-05-17 Thread Andrew 👽 Yourtchenko
Hi Jon, On 5/17/17, Jon Loeliger wrote: > On Wed, May 17, 2017 at 4:35 PM, Andrew 👽 Yourtchenko > wrote: > >> Jon, >> >> No, you are not missing anything, there is a ping missing there indeed... >> :-) >> > > Hi Andrew, > > OK, *phew*. Not this time then. Good to know! > > >> At the time I cou

Re: [vpp-dev] ACL API Questions

2017-05-17 Thread Jon Loeliger
On Wed, May 17, 2017 at 4:35 PM, Andrew 👽 Yourtchenko wrote: > Jon, > > No, you are not missing anything, there is a ping missing there indeed... > :-) > Hi Andrew, OK, *phew*. Not this time then. Good to know! > At the time I could not figure out how to get the CONTROL_PING to be > sent fr

Re: [vpp-dev] ACL API Questions

2017-05-17 Thread Andrew 👽 Yourtchenko
Jon, No, you are not missing anything, there is a ping missing there indeed... :-) At the time I could not figure out how to get the CONTROL_PING to be sent from within the VAT, and since the main use case was programmatic-API driven (I had used VAT primarily during the initial debugging/sanity c

Re: [vpp-dev] ACL + classifier table does not work on subinterface as expected

2017-05-12 Thread John Lo (loj)
Hi Mina, The packet is forwarded in IP4 forwarding path so the ACL should definitely be placed with the ip4-table option and not l2-table option. According to the packet trace, ip4-inacl node is invoked on packet received on sw_if_index 9 and used classify table index 1 to process it. You can l

Re: [vpp-dev] acl packet trace interpretation help

2017-05-03 Thread Andrew 👽 Yourtchenko
Hi juraj, Sorry for the delay. Minus 1 means for the acl# means no acl had matched, so this should be default deny, however the odd output from the dump means it needs a closer look. Please me the saved binary API trace from the moment of startup to the observation of the problem + the packet

Re: [vpp-dev] ACL match tunnel interface

2017-05-02 Thread John Lo (loj)
If you are using classification CLI’s high level parameters to match l2/l3 etc, it is generating bit mask for tables and match hex values for sessions assuming matching from start of the received packet, thus always matching the outer L2 and L3 headers. These high level CLI parameter will not wo