Dear All,
I am trying to configure ACL on a particular PPPoE session. I have successfully established a PPPoE session over interface VirtualEthernet0/0/0, and I am able to ping VPP from the PPPoE client side and my packets are being routed correctly. However, when I add ACL (default drop) to this interface, the classifier is not correctly classifying the packets.

Here is an example packet trace:

    00:02:57:507936: vhost-user-input
      VirtualEthernet0/0/0 queue 0
      virtio flags:
        INDIRECT Indirect descriptor
      virtio_net_hdr first_desc_len 12
        flags 0x00 gso_type 0
        num_buff 0
    00:02:57:507938: ethernet-input
      PPPOE_SESSION: 52:54:00:0a:d3:37 -> 02:fe:5a:08:c1:10
    00:02:57:507939: pppoe-input
      PPPoE decap from pppoe_session0 session_id 1 next 1 error 0
    00:02:57:507939: ip4-input
      ICMP: 192.168.11.10 -> 10.0.0.2
        tos 0x00, ttl 64, length 84, checksum 0x0c62
        fragment id 0x5893, flags DONT_FRAGMENT
      ICMP echo_request checksum 0xf578
    00:02:57:507940: ip4-inacl
      INACL: sw_if_index 3, next_index 0, table 0, offset -1
    00:02:57:507940: ip4-drop
      ICMP: 192.168.11.10 -> 10.0.0.2
        tos 0x00, ttl 64, length 84, checksum 0x0c62
        fragment id 0x5893, flags DONT_FRAGMENT
      ICMP echo_request checksum 0xf578
    00:02:57:507940: error-drop
      ip4-input: input ACL table-miss drops

Configurations for ACL:

    vpp# classify table acl-miss-next deny mask l3 ip4 src
    vpp# classify session acl-hit-next permit table-index 0 match l3 ip4 src 192.168.11.10
    vpp# set interface input acl intfc VirtualEthernet0/0/0 ip4-table 0

    vpp# show classify tables verbose
      TableIdx  Sessions   NextTbl  NextNode
             0         1        -1         0
      Heap: total: 2.06M, used: 1.27K, free: 2.06M, trimmable: 2.06M
          no traced allocations
      nbuckets 2, skip 1 match 1 flag 0 offset 0
      mask 00000000000000000000ffffffff0000
      linear-search buckets 0
    [0]: heap offset 1136, elts 2, normal
        0: [1136]: next_index -1 advance 0 opaque -1 action 0 metadata 0
            k: 00000000000000000000c0a80b0a0000
            hits 0, last_heard 0.00
        1 active elements
        1 free lists
        0 linear-search buckets

    vpp# show inacl type ip4
     Intfc idx      Classify table      Interface name
             3                   0      VirtualEthernet0/0/0

ACL is working fine without the PPPoE. Do I need to add some kind of offset to the classify table? Classify should be treating this packet in the same way as the PPP header was decapsulated by the "pppoe-input" node.

It would be really helpful if someone could point me in the right direction.

Regards,
Alp Arslan
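
The following is an added example, not part of the original message and not VPP code: it applies the mask and key from the `show classify tables verbose` output above to a plain Ethernet/IPv4 frame and to the same IPv4 packet inside a PPPoE session frame, to show which bytes end up under the mask in each case. It assumes the masked compare is taken from the first byte of the received Ethernet frame (which is where the dumped mask lines up with the IPv4 source address on a plain frame); the frames are constructed from the addresses in the trace, and the function names and the `base` parameter are hypothetical.

```python
import struct

# Values copied from the `show classify tables verbose` output in the post.
SKIP_VECTORS = 1          # "skip 1": the first 16 bytes are not compared
MASK = bytes.fromhex("00000000000000000000ffffffff0000")
KEY = bytes.fromhex("00000000000000000000c0a80b0a0000")

def ipv4_header(src, dst):
    """Minimal 20-byte IPv4 header (constructed; checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 84, 0x5893, 0x4000, 64, 1, 0,
                       bytes(map(int, src.split("."))),
                       bytes(map(int, dst.split("."))))

def ethernet(ethertype, payload):
    """14-byte Ethernet header using the MAC addresses seen in the trace."""
    dst = bytes.fromhex("02fe5a08c110")
    src = bytes.fromhex("5254000ad337")
    return dst + src + struct.pack("!H", ethertype) + payload

def pppoe_session(session_id, ip_packet):
    """PPPoE session header (6 bytes) followed by PPP protocol 0x0021 (IPv4)."""
    ppp = struct.pack("!H", 0x0021) + ip_packet
    return struct.pack("!BBHH", 0x11, 0x00, session_id, len(ppp)) + ppp

def classify(data, base=0):
    """Masked compare of one 16-byte vector, starting `base` bytes into data."""
    start = base + 16 * SKIP_VECTORS
    window = data[start:start + 16].ljust(16, b"\0")
    return bytes(w & m for w, m in zip(window, MASK)) == KEY

def compared_bytes(data, base=0):
    """The packet bytes that fall under the non-zero part of the mask."""
    start = base + 16 * SKIP_VECTORS
    return bytes(b for b, m in zip(data[start:start + 16], MASK) if m)

IP = ipv4_header("192.168.11.10", "10.0.0.2")
PLAIN = ethernet(0x0800, IP)                    # constructed sample frame
PPPOE = ethernet(0x8864, pppoe_session(1, IP))  # constructed sample frame
PPPOE_HDR = 8  # 6-byte PPPoE header + 2-byte PPP protocol field

if __name__ == "__main__":
    for name, frame, base in (("plain", PLAIN, 0), ("pppoe", PPPOE, 0),
                              ("pppoe, base +8", PPPOE, PPPOE_HDR)):
        print(name, classify(frame, base), compared_bytes(frame, base).hex())
```

Under that assumption, the PPPoE frame puts the IPv4 fragment id and flags (0x5893, 0x4000 in the trace) under the mask instead of the source address, and the source address only lines up again when the compare window is moved by the 8 bytes of PPPoE and PPP header.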