See: src/plugins/acl/test/test_acl_plugin.py

On Tue, Apr 28, 2020 at 7:19 PM Govindarajan Mohandoss <
govindarajan.mohand...@arm.com> wrote:

> Sure Andrew. Is there a unit test case for ACL plugin ?
>
>
>
> *From:* Andrew 👽 Yourtchenko <ayour...@gmail.com>
> *Sent:* Tuesday, April 28, 2020 4:57 PM
> *To:* Govindarajan Mohandoss <govindarajan.mohand...@arm.com>
> *Cc:* vpp-dev@lists.fd.io; nd <n...@arm.com>; Lijian Zhang <
> lijian.zh...@arm.com>; Jieqiang Wang <jieqiang.w...@arm.com>
> *Subject:* Re: [vpp-dev] ACL question
>
>
>
> 1-3: no.
>
> 4: please make a “make test” test case illustrating the problem and share
> it.
>
> --a
>
>
>
> On 28 Apr 2020, at 22:37, Govindarajan Mohandoss <
> govindarajan.mohand...@arm.com> wrote:
>
> 
>
> Hi Andrew,
>
>   I am working on ACL plugin SF+SL optimization on ARM servers.
>
>   I am finding that prefetches in the ACL node are becoming a bottleneck. I see
> performance improvements on both SL & SF mode, when SF mode bihash table
> related prefetching is disabled.
>
>   I need some help with right ACL config to verify my patch.
>
>
>
>  I did the testing with Ingress ACL -- 1 Rule and 50 Rules (Rule: <SIP,
> DIP, UDP, SPORT, DPORT> - DPORT is incremented). The Traffic match all the
> 50 rules.
>
>
>
>   When I tried to add 100 rules on the same rule set in SF mode:
>
>   "acl_add_replace -1 ipv4 permit+reflect src 192.81.1.1/32 dst
> 192.82.1.1/32 proto 17 sport 100 dport 1,
>
>    ... ,
>
>    ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17 sport
> 100 dport 100",
>
>
>
>    I see only 48 rules in show tables and 48th rule is added as “permit”
> all and not “permit + reflect”. Does it mean <0 – 47> rules will be SF and
> the rest will be in SL mode ?
>
>
>
> "
>
> vpp# show acl-plugin acl
>
> acl-index 0 count 49 tag {}
>
>        0: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto
> 17 sport 100 dport 1
>
>        ....
>
>       47: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto
> 17 sport 100 dport 48
>
>       48: ipv4 permit src 0.0.0.0/0 dst 0.0.0.0/0 proto 0 sport 0-65535
> dport 0-65535
>
>   applied inbound on sw_if_index: 1
>
>   used in lookup context index: 0
>
> "
>
>
>
>    1. Is there a limit of 48 on number of rules that can be added into
>    the Rule table (acl-index 0) in SF mode ?
>    2. Whether 48 rules in a ruleset is good enough to verify my
>    optimization patch (Traffic flow will match all the 48 rules) ?
>    3. Can I associate more than 1 ACL rule set to an ingress interface
>    (like “vat# acl_interface_set_acl_list TenGigabitEthernet1/0/0 input 0 1
>    2”) ? Each Rule set 0, 1, 2 will have different ACL rules. Do I need to
>    test this case also to study the performance gain ?
>    4. In SL mode, When I tried to add 100 rules, only 53 rules are seen
>    in show table. 53rd rule is added as permit all (Should I read it as
>    permit all ?). Is there a limit on number of rules in SL mode ?
>
> “
>
> vpp# show acl-plugin acl
>
> acl-index 0 count 54 tag {}
>
>           0: ipv4 permit src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
> sport 100 dport 1
>
>           ….
>
>          52: ipv4 permit src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
> sport 100 dport 53
>
>          53: ipv4 permit src 0.0.0.0/0 dst 0.0.0.0/0 proto 0 sport
> 0-65535 dport 0-65535
>
>   applied inbound on sw_if_index: 1
>
>   used in lookup context index: 0
>
> “
>
>
>
> Thanks
>
> Govind
>
>
>
> > -----Original Message-----
>
> > From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of
> Govindarajan
>
> > Mohandoss via Lists.Fd.Io
>
> > Sent: Friday, March 27, 2020 11:32 AM
>
> > To: Andrew 👽 Yourtchenko <ayour...@gmail.com>
>
> > Cc: vpp-dev@lists.fd.io
>
> > Subject: Re: [vpp-dev] ACL question
>
> >
>
> > Thank you very much Andrew !! I will do some benchmarks and get back to
>
> > you to understand it better.
>
> >
>
> > Thanks
>
> > Govind
>
> >
>
> > > -----Original Message-----
>
> > > From: Andrew 👽 Yourtchenko <ayour...@gmail.com>
>
> > > Sent: Friday, March 27, 2020 7:52 AM
>
> > > To: Govindarajan Mohandoss <govindarajan.mohand...@arm.com>
>
> > > Cc: vpp-dev@lists.fd.io; nd <n...@arm.com>
>
> > > Subject: Re: [vpp-dev] ACL question
>
> > >
>
> > > > On 27 Mar 2020, at 00:47, Govindarajan Mohandoss
>
> > > <govindarajan.mohand...@arm.com> wrote:
>
> > > >
>
> > > >
>
> > > >
>
> > > > Hi Andrew,
>
> > > >
>
> > > >    I just found out that ACL action differentiates SF or SL.
>
> > > > Following
>
> > > command enables SF and provides better performance.
>
> > > >
>
> > > >    “acl_add_replace -1 ipv4 permit+reflect dst 192.82.1.1/32”
>
> > > >
>
> > > >
>
> > > >
>
> > > >    Few more questions:
>
> > > >
>
> > > >    =================
>
> > > >
>
> > > >    Choosing between VPP Classifiers and ACL Plugin:
>
> > > >
>
> > > >
>
> > > > https://lists.fd.io/g/vpp-dev/message/5716?p=,,,20,0,0,0::relevance,,ACL,20,2,60,10641995
>
> > > >
>
> > > > You mentioned that VPP classifiers are faster than ACL plugin.
>
> > > > For <L2, L3, L4> field based classification, which one provides
>
> > > > better data
>
> > > plane perf ?
>
> > >
>
> > >
>
> > > It depends. If you wanna simultaneously match on all three, there is
>
> > > currently no mechanism to generically do so.
>
> > >
>
> > > But then every time I looked at the use cases claiming to require
>
> > > that, turned out it was a bad idea to represent the data this way -
>
> > > because of combinatorial explosion. Even ACLs themselves suffer from
>
> > > this issue - N sources times M destinations times K services equal
>
> > > N*M*K rules, which quickly skyrockets.
>
> > >
>
> > > > Does classifier support ranges ?
>
> > >
>
> > >
>
> > > Classifier supports chained masked lookups. You might emulate ranges
>
> > there.
>
> > >
>
> > > That said, I had seen ranges used only in a tiny percentage of the
>
> > > cases. So they are a corner case imho.
>
> > >
>
> > >
>
> > > > Which one is better if the rate of ACL rule add/del is high / low?
>
> > >
>
> > >
>
> > > Classifier single table is your best bet probably. ACL plugin
>
> > > deliberately does not have an API to add/del a single rule - you
>
> > > always download the entire ACL.
>
> > >
>
> > > > Whether ACL rule priority is supported in both the schemes ?
>
> > >
>
> > >
>
> > > First match for Acl and multi table classify case. Single table is
>
> > > just a hash lookup because the entries don’t overlap by definition
>
> > >
>
> > > > Whether ACL Plugin SF mode will perform better than classifier ?
>
> > >
>
> > >
>
> > > I did not benchmark them. It's somewhat different use cases.
>
> > >
>
> > > > Whether classifier also has SF mode ?
>
> > >
>
> > >
>
> > > Nope.
>
> > >
>
> > > >
>
> > > >
>
> > > >    ACL Plugin:
>
> > > >
>
> > > > SF mode – How much of extra memory is needed compared to SL mode ?
>
> > >
>
> > >
>
> > > Depending on the number of active sessions... each session creates two
>
> > > bihash table entries, and consumes an entry in the session pool. The
>
> > > default values in the code for the bihash memory usage have been
>
> > > tested with half a million sessions - so you can extrapolate from
>
> > > those with some ballpark (though bihash memory usage is not linear wrt
>
> > > the entries, and also there is some extra memory churn due to bucket
>
> > > reallocations when the size increases).
>
> > >
>
> > > —a
>
> > >
>
> > > >
>
> > > >
>
> > > > Thanks
>
> > > >
>
> > > > Govind
>
> > > >
>
> > > >
>
> > > >
>
> > > > From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of
>
> > > > Govindarajan Mohandoss via Lists.Fd.Io
>
> > > > Sent: Thursday, March 26, 2020 12:37 PM
>
> > > > To: Andrew 👽 Yourtchenko <ayour...@gmail.com>
>
> > > > Cc: vpp-dev@lists.fd.io
>
> > > > Subject: Re: [vpp-dev] ACL question
>
> > > >
>
> > > >
>
> > > >
>
> > > > Hi Andrew,
>
> > > >
>
> > > >   Thanks for the document.
>
> > > >
>
> > > >   Can you please share the documents related to ACL plugin CLI
>
> > > > config for
>
> > > both stateful & stateless modes ?
>
> > > >
>
> > > >
>
> > > >
>
> > > >    I tried the following commands for input ACL in VAT CLI. Not sure
>
> > > whether this is SL / SF ?
>
> > > >
>
> > > > “
>
> > > >
>
> > > > vat# acl_add_replace -1 ipv4 permit dst 192.82.1.1/32
>
> > > >
>
> > > > vl_api_acl_add_replace_reply_t_handler:70: ACL index: 0
>
> > > >
>
> > > > vat# acl_interface_set_acl_list TenGigabitEthernet13/0/0 input 0
>
> > > >
>
> > > > vat# acl_interface_list_dump TenGigabitEthernet13/0/0
>
> > > >
>
> > > > vl_api_acl_interface_list_details_t_handler:115: sw_if_index: 3,
>
> > > > count: 1, n_input: 1
>
> > > >
>
> > > >    input 0
>
> > > >
>
> > > >
>
> > > >
>
> > > > vat# help acl_add_replace
>
> > > >
>
> > > > usage: acl_add_replace <acl-idx> [<ipv4|ipv6>]
>
> > > <permit|permit+reflect|deny|action N> [src IP/plen] [dst IP/plen]
>
> > > [sport X-Y] [dport X-Y] [proto P] [tcpflags FL MASK], ... , ...
>
> > > >
>
> > > > “
>
> > > >
>
> > > >
>
> > > >
>
> > > > Thanks
>
> > > >
>
> > > > Govind
>
> > > >
>
> > > >
>
> > > >
>
> > > > From: Andrew 👽 Yourtchenko <ayour...@gmail.com>
>
> > > > Sent: Thursday, March 26, 2020 4:49 AM
>
> > > > To: Govindarajan Mohandoss <govindarajan.mohand...@arm.com>
>
> > > > Cc: vpp-dev@lists.fd.io; Lijian Zhang <lijian.zh...@arm.com>;
>
> > > > Jieqiang Wang <jieqiang.w...@arm.com>; nd <n...@arm.com>
>
> > > > Subject: Re: [vpp-dev] ACL question
>
> > > >
>
> > > >
>
> > > >
>
> > > > As an acl plugin author I can say both stateful and stateless ACLs
>
> > > > are used
>
> > > for different consumers.
>
> > > >
>
> > > >
>
> > > >
>
> > > > Various matching implementations in vpp are used in different use
>
> > cases...
>
> > > and there is not a single silver bullet magic answer, because the
>
> > > trade offs are different.
>
> > > >
>
> > > >
>
> > > >
>
> > > >  https://nonsns.github.io/paper/rossi19ton.pdf
>
> > > >
>
> > > >
>
> > > >
>
> > > > Is a reasonable read on the subject - also because it relates to VPP
>
> > > > and the
>
> > > real project that we did a while ago.
>
> > > >
>
> > > >
>
> > > >
>
> > > > --a
>
> > > >
>
> > > >
>
> > > >>
>
> > > >> On 25 Mar 2020, at 17:26, Govindarajan Mohandoss
>
> > > <govindarajan.mohand...@arm.com> wrote:
>
> > > >>
>
> > > >>
>
> > > >>
>
> > > >> Hello ACL Maintainer,
>
> > > >>
>
> > > >>   We want to measure and optimize the ACL performance for ARM
>
> > > servers.  As per the foll. link, there are 4 different implementation
>
> > > of ACLs in VPP.
>
> > > >>
>
> > > >>   https://fd.io/docs/vpp/master/usecases/acls.html
>
> > > >>
>
> > > >>   We would like to start with most commonly used ACL implementation
>
> > > >> in
>
> > > VPP which can cover L2, L3 and L4 fields. As per the link above and
>
> > > CSIT reports (link below), it looks like ACL plugin is the right match.
>
> > > >>
>
> > > >>   Can you please confirm ? ACL plugin has 2 variants – Stateful &
>
> > Stateless.
>
> > > Which is common and widely used in VPP ?
>
> > > >>
>
> > > >>
>
> > > >> https://docs.fd.io/csit/master/report/detailed_test_results/vpp_performance_results/index.html
>
> > > >>
>
> > > >>
>
> > > >>
>
> > > >> Thanks
>
> > > >>
>
> > > >> Govind
>
> > > >>
>
>
> 
>
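
The first-match lookup and the two-entries-per-session behaviour of `permit+reflect` discussed in the thread above, as a toy Python model added here (not VPP code and not part of any message in the thread). `AclModel`, `parse_rule` and `RULES` are hypothetical names, the grammar covers only the IPv4 fields that appear in the thread, and dropping on no match is an assumption of the model.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: int      # 0 means any protocol, as in the catch-all rule in the thread
    sport: range
    dport: range

def _ports(text):
    lo, _, hi = text.partition("-")           # "100" or "0-65535"
    return range(int(lo), int(hi or lo) + 1)

def parse_rule(text):
    """Parse 'ipv4 <action> [src N] [dst N] [proto P] [sport X-Y] [dport X-Y]'."""
    tok = text.split()
    if len(tok) < 2 or tok[0] != "ipv4" or len(tok) % 2:
        raise ValueError(f"unsupported rule: {text!r}")
    kv = dict(zip(tok[2::2], tok[3::2]))
    return Rule(tok[1], ipaddress.ip_network(kv.get("src", "0.0.0.0/0")),
                ipaddress.ip_network(kv.get("dst", "0.0.0.0/0")),
                int(kv.get("proto", 0)),
                _ports(kv.get("sport", "0-65535")), _ports(kv.get("dport", "0-65535")))

class AclModel:
    """Toy model: ordered rule list plus a dict standing in for the session table."""
    def __init__(self, rules):
        self.rules = [parse_rule(r) for r in rules]
        self.sessions = {}                    # 5-tuple -> index of the rule that created it

    def classify(self, src, dst, proto, sport, dport):
        key = (src, dst, proto, sport, dport)
        if key in self.sessions:              # existing session: no rule walk
            return "permit", "session"
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for i, r in enumerate(self.rules):    # first match wins
            if (s in r.src and d in r.dst and r.proto in (0, proto)
                    and sport in r.sport and dport in r.dport):
                if r.action == "permit+reflect":
                    # two entries per session: forward and reverse direction
                    self.sessions[key] = i
                    self.sessions[(dst, src, proto, dport, sport)] = i
                return r.action.split("+")[0], i
        return "deny", None                   # assumption: no match means drop

# Constructed rule set shaped like the "show acl-plugin acl" output in the thread.
RULES = [f"ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17 sport 100 dport {p}"
         for p in range(1, 49)]
RULES.append("ipv4 permit src 0.0.0.0/0 dst 0.0.0.0/0 proto 0 sport 0-65535 dport 0-65535")
```

In this model a flow that only reaches the trailing plain `permit` rule is allowed without creating a session, while a flow that hits a `permit+reflect` rule adds two session entries and skips the rule walk on later packets in either direction.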