A detailed description of my problem: I would like to match src 1.1.1.2 in gre0, but it did not work. Is there anything wrong in my configuration:

vpp1:
    create gre tun src 2.1.1.1 dst 2.1.1.2
    set int ip address gre0 100.1.1.1/24
    set int state gre0 up
    ip route add 192.168.1.1/24 via 100.1.1.2 gre0

vpp2:
    create gre tun src 2.1.1.2 dst 2.1.1.1
    set int ip address gre0 100.1.1.2/24
    set int state gre0 up
    ip route add 1.1.1.2/24 via 100.1.1.1 gre0
    classify table mask l3 ip4 src current-data-flag 1 current-data-offset 24
    classify session acl-hit-next deny table-index 0 match l3 ip4 src 1.1.1.2
    set interface input acl intfc gre0 ip4-table 0

I have tried current-data-offset values 4, 20, 24, 38, but it did not hit anyone:

    DBGvpp# show classify table verbose
      TableIdx  Sessions   NextTbl  NextNode
             0         1        -1        -1
      Heap: 3 objects, 172 of 1k used, 76 free, 0 reclaimed, 1k overhead, 2044k capacity
      nbuckets 2, skip 1 match 1 flag 1 offset 24
      mask 00000000000000000000ffffffff0000
    [1]: heap offset 192, len 1
        0: [192]: next_index 0 advance 0 opaque -1 action 0 metadata 42832
            k: 00000000000000000000010101020000
            hits 0, last_heard 0.00
        1 active elements
        1 free lists

Thanks,
xyxue

From: xy...@fiberhome.com
Sent: 2017-05-03 19:03
To: John Lo (loj); vpp-dev
Subject: Re: RE: [vpp-dev] ACL match tunnel interface

Thank you for your reply!
Do you mean that I need to skip the outer package when I'm matching the inner data? I tried 'current-data-offset' in 'classify table', but it didn't work. Are the parameters I'm studying right?

Thanks,
xyxue

From: John Lo (loj)
Sent: 2017-05-02 15:18
To: 薛欣颖; vpp-dev@lists.fd.io
Subject: RE: [vpp-dev] ACL match tunnel interface

If you are using classification CLI's high level parameters to match l2/l3 etc, it is generating bit mask for tables and match hex values for sessions assuming matching from start of the received packet, thus always matching the outer L2 and L3 headers. These high level CLI parameters will not work if you have a VLAN tag in the received packet, such as on a VLAN sub-interface, that causes the bit mask and hex value to not be at the right offset from the start of the packet.

The most flexible (and tedious) way is to use raw bit-mask with skip value on classify table and hex values on classify session to perform matching, as deep as you want into the packet, assuming you know the incoming packet layout whose L2/L3/L4 header fields always matches what you specified.

Regards,
John

From: vpp-dev-boun...@lists.fd.io [mailto:vpp-dev-boun...@lists.fd.io] On Behalf Of ???
Sent: Monday, May 01, 2017 10:04 PM
To: vpp-dev@lists.fd.io
Subject: [vpp-dev] ACL match tunnel interface

Hi guys,

There are some questions about acl in tunnel interface:
I can only match the tunnel rather than the desired inner flow;
What should I do to match the inner flow?

Thanks,
xyxue
_______________________________________________
vpp-dev mailing list
vpp-dev@lists.fd.io
https://lists.fd.io/mailman/listinfo/vpp-dev
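
An added example, not part of the thread and not VPP code: it works out the skip count, mask and key for the raw bit-mask approach in John's reply, using the 16-byte vectors visible in the "show classify table verbose" output, and checks them against a sample packet. The header lengths (14-byte Ethernet, 20-byte outer IPv4, 4-byte GRE), the packet bytes and all function names are assumptions constructed for illustration; where classification actually starts on gre0 is not established in the thread.

```python
import ipaddress

VECTOR = 16  # the classifier compares packet data in 16-byte vectors


def ip(addr):
    return ipaddress.IPv4Address(addr).packed


def build_mask_and_key(field_offset, value):
    """Return (skip, match, mask_hex, key_hex) for one field.

    field_offset is in bytes from the point where classification starts.
    mask_hex and key_hex cover only the matched vectors, the same layout
    as the 'mask' and 'k:' lines in the output quoted in the thread.
    """
    first = field_offset // VECTOR
    last = (field_offset + len(value) - 1) // VECTOR
    skip, match = first, last - first + 1
    mask, key = bytearray(match * VECTOR), bytearray(match * VECTOR)
    rel = field_offset - skip * VECTOR
    mask[rel:rel + len(value)] = b"\xff" * len(value)
    key[rel:rel + len(value)] = value
    return skip, match, mask.hex(), key.hex()


def hits(data, skip, mask_hex, key_hex):
    """Simplified lookup model: mask the vectors after `skip`, compare to key."""
    mask, key = bytes.fromhex(mask_hex), bytes.fromhex(key_hex)
    start = skip * VECTOR
    window = data[start:start + len(mask)].ljust(len(mask), b"\0")
    return bytes(w & m for w, m in zip(window, mask)) == key


def ipv4(src, dst, proto):
    # Minimal 20-byte header, lengths and checksum left at zero (constructed)
    return (b"\x45\x00\x00\x00" + bytes(4) + b"\x40" + bytes([proto])
            + bytes(2) + ip(src) + ip(dst))


# Constructed packet: Ethernet + outer IPv4 (proto 47) + GRE + inner IPv4
PACKET = (bytes(12) + b"\x08\x00" + ipv4("2.1.1.1", "2.1.1.2", 47)
          + b"\x00\x00\x08\x00" + ipv4("1.1.1.2", "192.168.1.1", 1))

OUTER_SRC = 14 + 12           # Ethernet + offset of src in the outer IPv4 header
INNER_SRC = 14 + 20 + 4 + 12  # assumed layout: no IP options, basic GRE header

if __name__ == "__main__":
    for name, off in (("outer", OUTER_SRC), ("inner", INNER_SRC)):
        skip, match, mask, key = build_mask_and_key(off, ip("1.1.1.2"))
        print(name, "skip", skip, "match", match, "mask", mask,
              "hit", hits(PACKET, skip, mask, key))
```

With the outer offset the result reproduces the mask and key shown in the quoted table, and the lookup misses because those bytes hold the tunnel source 2.1.1.1 rather than 1.1.1.2.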