Hi Mina,

The packet is forwarded in the IP4 forwarding path so the ACL should definitely be placed with the ip4-table option and not the l2-table option.
According to the packet trace, the ip4-inacl node is invoked on the packet received on sw_if_index 9 and used classify table index 1 to process it. You can look at the output of "show interface" to see which interface has an index of 9 to know which interface ip4-acl acted upon. I would guess it is the interface that corresponds to vlan 1 as shown in the packet trace. You can also use "show inacl type ip4" to see which table is configured for input ACL in the IP4 forwarding path of which interface.

Regards,
John

From: vpp-dev-boun...@lists.fd.io [mailto:vpp-dev-boun...@lists.fd.io] On Behalf Of Mina Jafari
Sent: Friday, May 12, 2017 2:19 PM
To: vpp-dev@lists.fd.io
Subject: [vpp-dev] ACL + classifier table does not work on subinterface as expected

Hi all,

I have defined a classify table with no session whose acl-miss-next is drop and assigned it to all interfaces including the subinterface. I also defined another classify table with a session that permits packets with a specific src and dst address according to my intended subinterface. I also assigned this classify table to all my interfaces including my subinterface. So I expect this subinterface to permit packets with the specific src and dst to pass. But it does not happen and I see that they drop because of the ACL set on the parent interface of my subinterface. Why does this happen? I actually expect that packets match the second classify table and its session.
Here is the trace of the packet:

Packet 1

06:26:50:769490: dpdk-input
  GigabitEthernet3/0/0 rx queue 0
  buffer 0xa416: current data 0, length 102, free-list 0, totlen-nifb 0, trace 0x0
  PKT MBUF: port 0, nb_segs 1, pkt_len 102
    buf_len 2176, data_len 102, ol_flags 0x0, data_off 128, phys_addr 0x5c08c480
    packet_type 0x10
    Packet Types
      RTE_PTYPE_L3_IPV4 (0x0010) IPv4 packet without extension headers
  IP4: 00:50:56:92:75:7f -> 00:50:56:92:78:10 802.1q vlan 1
  ICMP: 30.30.30.127 -> 40.40.40.126
    tos 0x00, ttl 64, length 84, checksum 0xa068
    fragment id 0x0cfe, flags DONT_FRAGMENT
  ICMP echo_request checksum 0xb2dc
06:26:50:769510: ethernet-input
  IP4: 00:50:56:92:75:7f -> 00:50:56:92:78:10 802.1q vlan 1
06:26:50:769519: ip4-input
  ICMP: 30.30.30.127 -> 40.40.40.126
    tos 0x00, ttl 64, length 84, checksum 0xa068
    fragment id 0x0cfe, flags DONT_FRAGMENT
  ICMP echo_request checksum 0xb2dc
06:26:50:769522: ip4-inacl
  INACL: sw_if_index 9, next_index 0, table 1, offset -1
06:26:50:769526: error-drop
  ip4-input: input ACL table-miss drops

Should I use a classify table with the l2 option for traffic filtering on the subinterface? I have defined both of my classify tables with the l3 option. It seems like the parent interface drops the packet, so the other table and session that are intended to match the packets entering the subinterface never get the packets.
_______________________________________________
vpp-dev mailing list
vpp-dev@lists.fd.io
https://lists.fd.io/mailman/listinfo/vpp-dev
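As an added example that is not part of this thread or of VPP itself: a small Python parser for the show trace layout above (assumed layout: one timestamped node line followed by indented detail lines) that pulls the sw_if_index and classify table index out of the ip4-inacl line and pairs them with the error-drop reason, so the values to cross-check against "show interface" and "show inacl type ip4" can be extracted from a long trace instead of read by eye.

```python
import re

# Constructed sample: the trace from the thread laid out the way VPP "show trace" prints it
# (assumed layout: a timestamped node line followed by indented detail lines), trimmed.
SAMPLE_TRACE = """\
Packet 1
06:26:50:769490: dpdk-input
  GigabitEthernet3/0/0 rx queue 0
06:26:50:769510: ethernet-input
  IP4: 00:50:56:92:75:7f -> 00:50:56:92:78:10 802.1q vlan 1
06:26:50:769519: ip4-input
  ICMP: 30.30.30.127 -> 40.40.40.126
06:26:50:769522: ip4-inacl
  INACL: sw_if_index 9, next_index 0, table 1, offset -1
06:26:50:769526: error-drop
  ip4-input: input ACL table-miss drops
"""
PACKET_RE = re.compile(r"^Packet (\d+)$")
NODE_RE = re.compile(r"^\d\d:\d\d:\d\d:\d+: (\S+)$")
INACL_RE = re.compile(r"INACL: sw_if_index (\d+), next_index (\d+), table (\d+)")


def parse_trace(text):
    """Split a show-trace dump into packets: node path, input-ACL details, drop reason."""
    packets, cur, node = [], None, None
    for line in text.splitlines():
        if m := PACKET_RE.match(line):
            cur = {"packet": int(m.group(1)), "nodes": [], "inacl": None, "drop": None}
            packets.append(cur)
            node = None
        elif cur is None:
            continue
        elif m := NODE_RE.match(line):
            node = m.group(1)
            cur["nodes"].append(node)
        elif (m := INACL_RE.search(line)) and node and node.endswith("-inacl"):
            # next_index 0 is the ACL deny path; table is the classify table that was consulted
            cur["inacl"] = {"node": node, "sw_if_index": int(m.group(1)),
                            "next_index": int(m.group(2)), "table": int(m.group(3))}
        elif node == "error-drop" and line.strip():
            cur["drop"] = line.strip()
    return packets


def acl_drops(packets):
    """Packets dropped right after an input-ACL node: the sw_if_index and table to cross-check
    against 'show interface' and 'show inacl type ip4'."""
    return [(p["packet"], p["inacl"]["node"], p["inacl"]["sw_if_index"], p["inacl"]["table"], p["drop"])
            for p in packets if p["inacl"] and p["drop"] and "ACL" in p["drop"]]
```

Run on the sample, acl_drops reports packet 1 as dropped after ip4-inacl on sw_if_index 9 using table 1, the two numbers John points at.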