yes. MacIP ACLs are just for "first hop security". for arbitrary matching, rather than macip acls, might be more interesting to add support for the classifier-based ACLs, which can be checking the odd places in the packet with bitmask...
--a On 3/18/19, Neale Ranns via Lists.Fd.Io <nranns=cisco....@lists.fd.io> wrote: > > Hi Raj, > > ABF, which is a feature that runs in the L3 path, has not (to my knowledge > anyway) been tested with MACIP ACLs – this ACL type is usually applied to L2 > traffic. Try an L3 ACL instead (i.e. use acl_add_replace to create the ACL, > not macip_acl_rule). > > Regards, > neale > > > De : <vpp-dev@lists.fd.io> au nom de Raj <rajlistu...@gmail.com> > Date : lundi 18 mars 2019 à 15:08 > À : vpp-dev <vpp-dev@lists.fd.io> > Objet : Re: [vpp-dev] Crash while configuring ABF > > Hi, > > Tested again in 18.10, same result. > > Configuration: > > sh version > vpp v18.10-22~g13f5dcf91 built by raj on vpp-dev-01 at Mon Mar 18 18:38:14 > IST 2019 > DBGvpp# > DBGvpp# > DBGvpp# set int state GigabitEthernet86/0/3 up > DBGvpp# set int ip address GigabitEthernet86/0/3 xxx.xx.223.14/29 > DBGvpp# set int ip address GigabitEthernet86/0/3 2001:470:xxxx:xxx::600/64 > DBGvpp# ip route add 0.0.0.0/0<http://0.0.0.0/0> via xxx.xx.223.9 > GigabitEthernet86/0/3 > DBGvpp# ip route add ::/0 via 2001:470:xxxx:xxx::1 GigabitEthernet86/0/3 > DBGvpp# set int state GigabitEthernet86/0/2 up > DBGvpp# set int ip address GigabitEthernet86/0/2 > 100.69.1.1/24<http://100.69.1.1/24> > DBGvpp# set int ip address GigabitEthernet86/0/2 2001:xxx:xxxx:600::1/56 > DBGvpp# set int ip addr GigabitEthernet86/0/0 > 192.168.20.1/29<http://192.168.20.1/29> > DBGvpp# set int state GigabitEthernet86/0/0 up > DBGvpp# sh acl-plugin macip acl > MACIP acl_index: 0, count: 1 (true len 1) tag {} is free pool slot: 0 > ip4_table_index 5, ip6_table_index 5, l2_table_index 5 > out_ip4_table_index -1, out_ip6_table_index -1, out_l2_table_index -1 > rule 0: ipv4 action 1 ip 100.69.1.4/32<http://100.69.1.4/32> mac > 00:00:00:00:00:00 mask 00:00:00:00:00:00 > DBGvpp# > DBGvpp# abf policy add id 0 acl 0 via 192.168.20.2 GigabitEthernet86/0/0 > DBGvpp# abf attach ip4 policy 0 priority 1 GigabitEthernet86/0/2 > > API > > PUT > https://{{machine}}/restconf/config/ietf-access-control-list:access-lists/acl/vpp-acl:vpp-macip-acl/macip-acl-2 > body > > { > "acl": [ > { > "acl-name": "macip-acl-2", > "acl-type": "vpp-acl:vpp-macip-acl", > "access-list-entries": { > "ace": [ > { > "rule-name": "macip-rule-1", > "matches": { > "vpp-macip-ace-nodes": { > "source-ipv4-network": > "100.69.1.4/32<http://100.69.1.4/32>", > "source-mac-address": "00:00:00:00:00:00", > "source-mac-address-mask": "00:00:00:00:00:00" > } > }, > "actions": { > "permit": [null] > } > } > > ] > } > } > ] > } > > GDB output: > > Thread 1 "vpp_main" received signal SIGABRT, Aborted. > __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51 > 51 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory. > (gdb) > (gdb) bt > #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51 > #1 0x00007ffff5b40801 in __GI_abort () at abort.c:79 > #2 0x000055555555ce54 in os_panic () at > /home/raj/vpp-build/src/vpp/vnet/main.c:325 > #3 0x00007ffff5f2dadf in debugger () at > /home/raj/vpp-build/src/vppinfra/error.c:84 > #4 0x00007ffff5f2df1a in _clib_error (how_to_die=2, function_name=0x0, > line_number=0, fmt=0x7fffb4ecce50 "%s:%d (%s) assertion `%s' fails") at > /home/raj/vpp-build/src/vppinfra/error.c:143 > #5 0x00007fffb4ec690a in hash_multi_acl_match_5tuple > (p_acl_main=0x7fffb4eb7a00 <acl_main>, lc_index=0, > pkt_5tuple=0x7fffb55ffb50, is_ip6=0, action=0x7fffb55ffad7 "", > acl_pos_p=0x7fffb55ffae0, > acl_match_p=0x7fffb55ffadc, rule_match_p=0x7fffb55ffae4, > trace_bitmap=0x7fffb55ffae8) at > /home/raj/vpp-build/src/plugins/acl/public_inlines.h:651 > #6 0x00007fffb4ec6b49 in acl_plugin_match_5tuple_inline > (p_acl_main=0x7fffb4eb7a00 <acl_main>, lc_index=0, > pkt_5tuple=0x7fffb55ffb50, is_ip6=0, r_action=0x7fffb55ffad7 "", > r_acl_pos_p=0x7fffb55ffae0, > r_acl_match_p=0x7fffb55ffadc, r_rule_match_p=0x7fffb55ffae4, > trace_bitmap=0x7fffb55ffae8) at > /home/raj/vpp-build/src/plugins/acl/public_inlines.h:690 > #7 0x00007fffb4ec93fe in abf_input_inline (vm=0x7ffff694b240 > <vlib_global_main>, node=0x7fffb537fb80, frame=0x7fffb5ec1640, > fproto=FIB_PROTOCOL_IP4) > at /home/raj/vpp-build/src/plugins/abf/abf_itf_attach.c:569 > #8 0x00007fffb4ec9662 in abf_input_ip4 (vm=0x7ffff694b240 > <vlib_global_main>, node=0x7fffb537fb80, frame=0x7fffb5ec1640) at > /home/raj/vpp-build/src/plugins/abf/abf_itf_attach.c:625 > #9 0x00007ffff66c6ad4 in dispatch_node (vm=0x7ffff694b240 > <vlib_global_main>, node=0x7fffb537fb80, type=VLIB_NODE_TYPE_INTERNAL, > dispatch_state=VLIB_NODE_STATE_POLLING, frame=0x7fffb5ec1640, > last_time_stamp=1155022497203244) at > /home/raj/vpp-build/src/vlib/main.c:989 > #10 0x00007ffff66c708d in dispatch_pending_node (vm=0x7ffff694b240 > <vlib_global_main>, pending_frame_index=1, last_time_stamp=1155022497203244) > at /home/raj/vpp-build/src/vlib/main.c:1139 > #11 0x00007ffff66c8c8b in vlib_main_or_worker_loop (vm=0x7ffff694b240 > <vlib_global_main>, is_main=1) at /home/raj/vpp-build/src/vlib/main.c:1555 > #12 0x00007ffff66c9464 in vlib_main_loop (vm=0x7ffff694b240 > <vlib_global_main>) at /home/raj/vpp-build/src/vlib/main.c:1629 > #13 0x00007ffff66ca037 in vlib_main (vm=0x7ffff694b240 <vlib_global_main>, > input=0x7fffb55fffb0) at /home/raj/vpp-build/src/vlib/main.c:1820 > #14 0x00007ffff672148a in thread0 (arg=140737330328128) at > /home/raj/vpp-build/src/vlib/unix/main.c:607 > #15 0x00007ffff5f5085c in clib_calljmp () from > /home/raj/vpp-build/build-root/install-vpp_debug-native/vpp/lib/libvppinfra.so.18.10 > #16 0x00007fffffffd120 in ?? () > #17 0x00007ffff672193b in vlib_unix_main (argc=43, argv=0x55555588e510) at > /home/raj/vpp-build/src/vlib/unix/main.c:676 > #18 0x000055555555c898 in main (argc=43, argv=0x55555588e510) at > /home/raj/vpp-build/src/vpp/vnet/main.c:264 > > Thanks and Regards, > > Raj > > > On Mon, Mar 18, 2019 at 3:53 PM Raj via Lists.Fd.Io<http://Lists.Fd.Io> > <rajlistuser=gmail....@lists.fd.io<mailto:gmail....@lists.fd.io>> wrote: > Thanks Andrew for looking into it. > > In the crash I sent, I missed adding ACL. But I was working with 18.10 > previously and there I am sure I added ACL, but there was still some > thing amiss. I am now doing the testing once more in 18.10 and will > get back with result. > > Thanks and Regards, > > Raj > > On Mon, Mar 18, 2019 at 3:41 PM Andrew 👽 Yourtchenko > <ayour...@gmail.com<mailto:ayour...@gmail.com>> wrote: >> >> Raj, >> >> yeah so looking further at it - the abf plugin does not handle the >> error code correctly for the case when the ACL does not exist, and >> rather than erroring out, just keeps going. Hence the assert later on >> when it tries to perform the lookup in the context that has not been >> properly setup.. >> >> --a >> >> On 3/18/19, Raj <rajlistu...@gmail.com<mailto:rajlistu...@gmail.com>> >> wrote: >> > Hello all, >> > >> > I am testing ABF functionality and was able to crash VPP. >> > >> > I was using v19.04-rc0~458-g53ba544d7. Configured VPP using following >> > commands: >> > >> > set int state GigabitEthernet86/0/3 up >> > set int ip address GigabitEthernet86/0/3 xxx.xx.223.14/29 >> > set int ip address GigabitEthernet86/0/3 2001:470:xxxx:xxx::600/64 >> > >> > ip route add 0.0.0.0/0<http://0.0.0.0/0> via xxx.xx.223.9 >> > GigabitEthernet86/0/3 >> > ip route add ::/0 via 2001:470:xxxx:xxx::1 GigabitEthernet86/0/3 >> > >> > set int state GigabitEthernet86/0/2 up >> > set int ip address GigabitEthernet86/0/2 >> > 100.69.1.1/24<http://100.69.1.1/24> >> > set int ip address GigabitEthernet86/0/2 2001:470:yyyy:yyy::1/56 >> > >> > set int ip addr GigabitEthernet86/0/0 >> > 192.168.20.1/29<http://192.168.20.1/29> >> > set int state GigabitEthernet86/0/0 up >> > >> > abf policy add id 0 acl 0 via 192.168.20.2 GigabitEthernet86/0/0 >> > abf attach ip4 policy 0 priority 1 GigabitEthernet86/0/2 >> > >> > Running VPP under gdb, the back trace is: >> > >> > Thread 1 "vpp_main" received signal SIGABRT, Aborted. >> > __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51 >> > 51 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory. >> > (gdb) >> > (gdb) >> > (gdb) bt >> > #0 __GI_raise (sig=sig@entry=6) at >> > ../sysdeps/unix/sysv/linux/raise.c:51 >> > #1 0x00007ffff5912801 in __GI_abort () at abort.c:79 >> > #2 0x000055555555c4c8 in os_panic () at >> > /home/raj/vpp/src/vpp/vnet/main.c:335 >> > #3 0x00007ffff5d0125f in debugger () at >> > /home/raj/vpp/src/vppinfra/error.c:84 >> > #4 0x00007ffff5d0169a in _clib_error (how_to_die=2, >> > function_name=0x0, line_number=0, fmt=0x7fffb4860d40 "%s:%d (%s) >> > assertion `%s' fails") at /home/raj/vpp/src/vppinfra/error.c:143 >> > #5 0x00007fffb485a720 in hash_multi_acl_match_5tuple >> > (p_acl_main=0x7fffb48513e0 <acl_main>, lc_index=0, >> > pkt_5tuple=0x7fffb6bffac0, is_ip6=0, action=0x7fffb6bffa47 "", >> > acl_pos_p=0x7fffb6bffa50, acl_match_p=0x7fffb6bffa4c, >> > rule_match_p=0x7fffb6bffa54, trace_bitmap=0x7fffb6bffa58) at >> > /home/raj/vpp/src/plugins/acl/public_inlines.h:636 >> > #6 0x00007fffb485a95f in acl_plugin_match_5tuple_inline >> > (p_acl_main=0x7fffb48513e0 <acl_main>, lc_index=0, >> > pkt_5tuple=0x7fffb6bffac0, is_ip6=0, r_action=0x7fffb6bffa47 "", >> > r_acl_pos_p=0x7fffb6bffa50, r_acl_match_p=0x7fffb6bffa4c, >> > r_rule_match_p=0x7fffb6bffa54, trace_bitmap=0x7fffb6bffa58) at >> > /home/raj/vpp/src/plugins/acl/public_inlines.h:675 >> > #7 0x00007fffb485d214 in abf_input_inline (vm=0x7ffff6512600 >> > <vlib_global_main>, node=0x7fffb5f36980, frame=0x7fffb6dfc400, >> > fproto=FIB_PROTOCOL_IP4) >> > at /home/raj/vpp/src/plugins/abf/abf_itf_attach.c:569 >> > #8 0x00007fffb485d478 in abf_input_ip4 (vm=0x7ffff6512600 >> > <vlib_global_main>, node=0x7fffb5f36980, frame=0x7fffb6dfc400) at >> > /home/raj/vpp/src/plugins/abf/abf_itf_attach.c:625 >> > #9 0x00007ffff6280614 in dispatch_node (vm=0x7ffff6512600 >> > <vlib_global_main>, node=0x7fffb5f36980, type=VLIB_NODE_TYPE_INTERNAL, >> > dispatch_state=VLIB_NODE_STATE_POLLING, >> > frame=0x7fffb6dfc400, last_time_stamp=1082092493908744) at >> > /home/raj/vpp/src/vlib/main.c:1209 >> > #10 0x00007ffff6280dd5 in dispatch_pending_node (vm=0x7ffff6512600 >> > <vlib_global_main>, pending_frame_index=2, >> > last_time_stamp=1082092493908744) at >> > /home/raj/vpp/src/vlib/main.c:1376 >> > #11 0x00007ffff6282b01 in vlib_main_or_worker_loop (vm=0x7ffff6512600 >> > <vlib_global_main>, is_main=1) at /home/raj/vpp/src/vlib/main.c:1820 >> > #12 0x00007ffff628337c in vlib_main_loop (vm=0x7ffff6512600 >> > <vlib_global_main>) at /home/raj/vpp/src/vlib/main.c:1922 >> > #13 0x00007ffff6284109 in vlib_main (vm=0x7ffff6512600 >> > <vlib_global_main>, input=0x7fffb6bfffb0) at >> > /home/raj/vpp/src/vlib/main.c:2111 >> > #14 0x00007ffff62e13c0 in thread0 (arg=140737325901312) at >> > /home/raj/vpp/src/vlib/unix/main.c:612 >> > #15 0x00007ffff5d24544 in clib_calljmp () from >> > /home/raj/vpp/build-root/install-vpp_debug-native/vpp/lib/libvppinfra.so.19.04 >> > #16 0x00007fffffffd170 in ?? () >> > #17 0x00007ffff62e188d in vlib_unix_main (argc=43, >> > argv=0x55555586f500) at /home/raj/vpp/src/vlib/unix/main.c:681 >> > #18 0x000055555555bf0c in main (argc=43, argv=0x55555586f500) at >> > /home/raj/vpp/src/vpp/vnet/main.c:274 >> > >> > Thanks and Regards, >> > >> > Raj >> > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > > View/Reply Online (#12571): https://lists.fd.io/g/vpp-dev/message/12571 > Mute This Topic: https://lists.fd.io/mt/30471670/157026 > Group Owner: vpp-dev+ow...@lists.fd.io<mailto:vpp-dev%2bow...@lists.fd.io> > Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub > [rajlistu...@gmail.com<mailto:rajlistu...@gmail.com>] > -=-=-=-=-=-=-=-=-=-=-=- >
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#12583): https://lists.fd.io/g/vpp-dev/message/12583 Mute This Topic: https://lists.fd.io/mt/30471670/21656 Group Owner: vpp-dev+ow...@lists.fd.io Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
