Hi Xyxue,

With current-data-flag set to 1, I believe the classification match will start 
at the current_data pointer of the packet. After GRE tunnel decap, I believe 
the current_data pointer should be at the inner IP header. In order to match 
the source IP address of this inner header, the mask needs to be 
0x000000000000000000000000ffffffff and the value in the session needs to be 
0x00000000000000000000000001010102, without any skip or offset. Maybe you 
should try specifying these raw hex values without any offset and see how it 
works?
classify table mask hex 0x000000000000000000000000ffffffff current-data-flag 1
classify session acl-hit-next deny table-index 0 match hex 0x00000000000000000000000001010102

As I mentioned in my original reply to you, the high-level “match l3 ip-src ...” 
will produce a mask that matches from the start of the packet, assuming the 
presence of an Ethernet header with no VLAN tag, and is thus not quite usable.

Regards,
John
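To make the offset arithmetic in the reply above concrete, here is an added example (not VPP code, and not from either participant in the thread): a small Python emulation of how the classifier applies a table mask and a session key to packet bytes, with skip counted in 16-byte vectors, run over a constructed Ethernet/IPv4/GRE/IPv4 packet whose inner source is 1.1.1.2. It assumes, as John describes, that after GRE decap current_data points at the inner IP header; the packet bytes and the helper names (ip4_src_rule, classify_match, demo) are this example's own.

```python
"""
Emulation of VPP classifier matching, as an added example (not VPP's own code).

The match starts at a base pointer (start of packet, or current_data plus
current-data-offset when current-data-flag is 1), skips `skip` 16-byte
vectors, then checks (packet & mask) == key over the mask's vectors.
"""
import ipaddress
import math
import struct

VECTOR = 16          # the classifier works on 16-byte (u32x4) vectors
ETH_LEN, IP4_LEN, GRE_LEN = 14, 20, 4
IP4_SRC_OFF = 12     # offset of the source address inside an IPv4 header


def ip4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header, no options; checksum left zero for brevity."""
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, IP4_LEN + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def build_gre_packet(outer_src, outer_dst, inner_src, inner_dst, payload):
    """Constructed packet: Ethernet (no VLAN) + outer IPv4 + GRE + inner IPv4 + payload."""
    inner = ip4_header(inner_src, inner_dst, 17, len(payload)) + payload
    gre = struct.pack("!HH", 0, 0x0800)            # flags/version 0, protocol IPv4
    outer = ip4_header(outer_src, outer_dst, 47, len(gre) + len(inner))
    eth = b"\x00" * 12 + b"\x08\x00"               # MACs irrelevant here
    return eth + outer + gre + inner


def ip4_src_rule(hdr_offset, src):
    """
    Build (skip, mask, key) for an IPv4 source address whose header begins
    `hdr_offset` bytes from the classifier base pointer. With hdr_offset 14
    this reproduces what the high-level 'l3 ip4 src' CLI generates: leading
    all-zero vectors become `skip`, the rest becomes the mask/key vectors.
    """
    field = hdr_offset + IP4_SRC_OFF
    skip = field // VECTOR
    within = field - skip * VECTOR
    nvec = math.ceil((within + 4) / VECTOR)        # field may straddle a vector
    mask = bytearray(nvec * VECTOR)
    key = bytearray(nvec * VECTOR)
    mask[within:within + 4] = b"\xff" * 4
    key[within:within + 4] = ipaddress.IPv4Address(src).packed
    return skip, bytes(mask), bytes(key)


def classify_match(pkt, base, skip, mask, key):
    """True if the session key hits: (pkt & mask) == key after skipping vectors.
    A window running past the end of the packet is treated as no hit here."""
    assert len(mask) == len(key) and len(mask) % VECTOR == 0
    pos = base + skip * VECTOR
    window = pkt[pos:pos + len(mask)]
    if len(window) < len(mask):
        return False
    return bytes(b & m for b, m in zip(window, mask)) == key


def demo():
    """Run the three configurations discussed in the thread against one packet."""
    pkt = build_gre_packet("2.1.1.1", "2.1.1.2", "1.1.1.2", "192.168.1.1", b"payload!")
    # Assumption from the reply: after GRE decap current_data is the inner IP header.
    inner_ip = ETH_LEN + IP4_LEN + GRE_LEN        # byte 38 of the received frame

    # High-level 'l3 ip4 src 1.1.1.2': skip 1, mask ...ffffffff0000, from packet start.
    skip, mask, key = ip4_src_rule(ETH_LEN, "1.1.1.2")
    high_level_from_start = classify_match(pkt, 0, skip, mask, key)
    # The same layout does hit if we ask for the OUTER source instead.
    outer_src_hits = classify_match(pkt, 0, *ip4_src_rule(ETH_LEN, "2.1.1.1"))
    # The attempt from the thread: same high-level mask, current-data-flag 1, offset 24.
    user_offset_24 = classify_match(pkt, inner_ip + 24, skip, mask, key)
    # Raw mask/key relative to current_data, skip 0, no offset.
    raw_mask = bytes.fromhex("000000000000000000000000ffffffff")
    raw_key = bytes.fromhex("00000000000000000000000001010102")
    raw_after_decap = classify_match(pkt, inner_ip, 0, raw_mask, raw_key)
    return {
        "high_level_from_start": high_level_from_start,
        "outer_src_hits": outer_src_hits,
        "user_offset_24": user_offset_24,
        "raw_after_decap": raw_after_decap,
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {'hit' if hit else 'miss'}")
```

ip4_src_rule(14, "1.1.1.2") yields skip 1 and the mask 00000000000000000000ffffffff0000, the same mask the 'show classify table verbose' output further down reports, which is why that table sees only the outer header when applied from the start of the frame; ip4_src_rule(0, "1.1.1.2") yields exactly the raw mask and key suggested above, the form to use once the base pointer is already the inner IP header.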

From: 薛欣颖 [mailto:xy...@fiberhome.com]
Sent: Wednesday, May 03, 2017 10:11 PM
To: John Lo (loj) <l...@cisco.com>; vpp-dev <vpp-dev@lists.fd.io>
Subject: Re: Re: [vpp-dev] ACL match tunnel interface

A detailed description of my problem:
I would like to match src 1.1.1.2 in gre0, but it did not work. Is there 
anything wrong with my configuration:

vpp1:
create gre tun src 2.1.1.1 dst 2.1.1.2
set int ip address gre0 100.1.1.1/24
set int state gre0 up
ip route add 192.168.1.1/24  via 100.1.1.2 gre0
vpp2:
create gre tun src 2.1.1.2 dst 2.1.1.1
set int ip address gre0 100.1.1.2/24
set int state gre0 up
ip route add 1.1.1.2/24  via 100.1.1.1 gre0
classify table mask l3 ip4 src current-data-flag 1 current-data-offset 24
classify session acl-hit-next deny table-index 0 match l3 ip4 src 1.1.1.2
set interface input acl intfc gre0 ip4-table 0


I have tried current-data-offset values 4, 20, 24 and 38, but none of them hit:
DBGvpp#  show classify table verbose
  TableIdx  Sessions   NextTbl  NextNode
         0         1        -1        -1
  Heap: 3 objects, 172 of 1k used, 76 free, 0 reclaimed, 1k overhead, 2044k 
capacity
  nbuckets 2, skip 1 match 1 flag 1 offset 24
  mask 00000000000000000000ffffffff0000
[1]: heap offset 192, len 1
    0: [192]: next_index 0 advance 0 opaque -1 action 0 metadata 42832
        k: 00000000000000000000010101020000
        hits 0, last_heard 0.00

    1 active elements
    1 free lists


Thanks,
xyxue

From: xy...@fiberhome.com
Sent: 2017-05-03 19:03
To: John Lo (loj) <l...@cisco.com>; vpp-dev <vpp-dev@lists.fd.io>
Subject: Re: RE: [vpp-dev] ACL match tunnel interface

Thank you for your reply!
Do you mean that I need to skip the outer packet when I'm matching the inner 
data? I tried 'current-data-offset' in 'classify table', but it didn't work.
Are the parameters I'm studying right?

Thanks,
xyxue

From: John Lo (loj) <l...@cisco.com>
Sent: 2017-05-02 15:18
To: 薛欣颖 <xy...@fiberhome.com>; vpp-dev@lists.fd.io
Subject: RE: [vpp-dev] ACL match tunnel interface
If you are using the classification CLI's high-level parameters to match l2/l3 
etc., it generates bit masks for tables and match hex values for sessions 
assuming matching from the start of the received packet, thus always matching 
the outer L2 and L3 headers. These high-level CLI parameters will not work if 
you have a VLAN tag in the received packet, such as on a VLAN sub-interface, 
because that causes the bit mask and hex value to not be at the right offset 
from the start of the packet.

The most flexible (and tedious) way is to use a raw bit mask with a skip value 
on the classify table and hex values on the classify session to perform 
matching as deep as you want into the packet, assuming you know the incoming 
packet layout and its L2/L3/L4 header fields always match what you specified.

Regards,
John

From: vpp-dev-boun...@lists.fd.io [mailto:vpp-dev-boun...@lists.fd.io] On Behalf Of ???
Sent: Monday, May 01, 2017 10:04 PM
To: vpp-dev@lists.fd.io
Subject: [vpp-dev] ACL match tunnel interface


Hi guys,

There are some questions about ACLs on a tunnel interface:
I can only match the tunnel rather than the desired inner flow.
What should I do to match the inner flow?

Thanks,
xyxue


_______________________________________________
vpp-dev mailing list
vpp-dev@lists.fd.io
https://lists.fd.io/mailman/listinfo/vpp-dev
