Hi Andrew,
I have to work on make test test case. Before that, I would like to confirm
whether this is a problem (or) misconfiguration.
I added 50 rules using acl_add_replace in VAT CLI. In the ACL dump (show
acl-plugin acl 0), only 48 rules are present. 2 rules are missing and a default
rule of “permit all” is also getting added.
I have put the ACL config and ACL dump info in the attached file.
Thanks
Govind
From: John Lo (loj) <l...@cisco.com>
Sent: Tuesday, April 28, 2020 10:38 PM
To: Govindarajan Mohandoss <govindarajan.mohand...@arm.com>; Paul Vinciguerra
<pvi...@vinciconsulting.com>
Cc: Andrew 👽 Yourtchenko <ayour...@gmail.com>; vpp-dev@lists.fd.io; nd
<n...@arm.com>; Lijian Zhang <lijian.zh...@arm.com>; Jieqiang Wang
<jieqiang.w...@arm.com>; nd <n...@arm.com>
Subject: RE: [vpp-dev] ACL question
Try “make test TEST=acl_plugin”. -John
From: vpp-dev@lists.fd.io<mailto:vpp-dev@lists.fd.io>
<vpp-dev@lists.fd.io<mailto:vpp-dev@lists.fd.io>> On Behalf Of Govindarajan
Mohandoss
Sent: Tuesday, April 28, 2020 11:22 PM
To: Paul Vinciguerra
<pvi...@vinciconsulting.com<mailto:pvi...@vinciconsulting.com>>
Cc: Andrew 👽 Yourtchenko <ayour...@gmail.com<mailto:ayour...@gmail.com>>;
vpp-dev@lists.fd.io<mailto:vpp-dev@lists.fd.io>; nd
<n...@arm.com<mailto:n...@arm.com>>; Lijian Zhang
<lijian.zh...@arm.com<mailto:lijian.zh...@arm.com>>; Jieqiang Wang
<jieqiang.w...@arm.com<mailto:jieqiang.w...@arm.com>>; nd
<n...@arm.com<mailto:n...@arm.com>>
Subject: Re: [vpp-dev] ACL question
Hi Paul,
How can I selectively run only the test_acl_plugin.py instead of running make
test ?
Thanks
Govind
From: Paul Vinciguerra
<pvi...@vinciconsulting.com<mailto:pvi...@vinciconsulting.com>>
Sent: Tuesday, April 28, 2020 9:22 PM
To: Govindarajan Mohandoss
<govindarajan.mohand...@arm.com<mailto:govindarajan.mohand...@arm.com>>
Cc: Andrew 👽 Yourtchenko <ayour...@gmail.com<mailto:ayour...@gmail.com>>;
vpp-dev@lists.fd.io<mailto:vpp-dev@lists.fd.io>; nd
<n...@arm.com<mailto:n...@arm.com>>; Lijian Zhang
<lijian.zh...@arm.com<mailto:lijian.zh...@arm.com>>; Jieqiang Wang
<jieqiang.w...@arm.com<mailto:jieqiang.w...@arm.com>>
Subject: Re: [vpp-dev] ACL question
See: src/plugins/acl/test/test_acl_plugin.py
On Tue, Apr 28, 2020 at 7:19 PM Govindarajan Mohandoss
<govindarajan.mohand...@arm.com<mailto:govindarajan.mohand...@arm.com>> wrote:
Sure Andrew. Is there a unit test case for ACL plugin ?
From: Andrew 👽 Yourtchenko <ayour...@gmail.com<mailto:ayour...@gmail.com>>
Sent: Tuesday, April 28, 2020 4:57 PM
To: Govindarajan Mohandoss
<govindarajan.mohand...@arm.com<mailto:govindarajan.mohand...@arm.com>>
Cc: vpp-dev@lists.fd.io<mailto:vpp-dev@lists.fd.io>; nd
<n...@arm.com<mailto:n...@arm.com>>; Lijian Zhang
<lijian.zh...@arm.com<mailto:lijian.zh...@arm.com>>; Jieqiang Wang
<jieqiang.w...@arm.com<mailto:jieqiang.w...@arm.com>>
Subject: Re: [vpp-dev] ACL question
1-3: no.
4: please make a “make test” test case illustrating the problem and share it.
--a
On 28 Apr 2020, at 22:37, Govindarajan Mohandoss
<govindarajan.mohand...@arm.com<mailto:govindarajan.mohand...@arm.com>> wrote:
Hi Andrew,
I am working on ACL plugin SF+SL optimization on ARM servers.
I am finding prefetches in ACL node is becoming bottle neck. I see
performance improvements on both SL & SF mode, when SF mode bihash table
related prefetching is disabled.
I need some help with right ACL config to verify my patch.
I did the testing with Ingress ACL -- 1 Rule and 50 Rules (Rule: <SIP, DIP,
UDP, SPORT, DPORT> - DPORT is incremented). The Traffic match all the 50 rules.
When I tried to add 100 rules on the same rule set in SF mode:
"acl_add_replace -1 ipv4 permit+reflect src
192.81.1.1/32<http://192.81.1.1/32> dst 192.82.1.1/32<http://192.82.1.1/32>
proto 17 sport 100 dport 1,
... ,
ipv4 permit+reflect src 192.81.1.1/32<http://192.81.1.1/32> dst
192.82.1.1/32<http://192.82.1.1/32> proto 17 sport 100 dport 100",
I see only 48 rules in show tables and 48th rule is added as “permit” all
and not “permit + reflect”. Does it mean <0 – 47> rules will be SF and the rest
will be in SL mode ?
"
vpp# show acl-plugin acl
acl-index 0 count 49 tag {}
0: ipv4 permit+reflect src 192.81.1.1/32<http://192.81.1.1/32> dst
192.82.1.1/32<http://192.82.1.1/32> proto 17 sport 100 dport 1
....
47: ipv4 permit+reflect src 192.81.1.1/32<http://192.81.1.1/32> dst
192.82.1.1/32<http://192.82.1.1/32> proto 17 sport 100 dport 48
48: ipv4 permit src 0.0.0.0/0<http://0.0.0.0/0> dst
0.0.0.0/0<http://0.0.0.0/0> proto 0 sport 0-65535 dport 0-65535
applied inbound on sw_if_index: 1
used in lookup context index: 0
"
1. Is there a limit of 48 on number of rules that can be added into the Rule
table (acl-index 0) in SF mode ?
2. Whether 48 rules in a ruleset is good enough to verify my optimization
patch (Traffic flow will match all the 48 rules) ?
3. Can I associate more than 1 ACL rule set to an ingress interface (like
“vat# acl_interface_set_acl_list TenGigabitEthernet1/0/0 input 0 1 2”) ? Each
Rule set 0, 1, 2 will have different ACL rules. Do I need to test this case
also to study the performance gain ?
4. In SL mode, When I tried to add 100 rules, only 53 rules are seen in show
table. 53rd rule is added as permit all (Should I read it as permit all ?). Is
there a limit on number of rules in SL mode ?
“
vpp# show acl-plugin acl
acl-index 0 count 54 tag {}
0: ipv4 permit src 192.81.1.1/32<http://192.81.1.1/32> dst
192.82.1.1/32<http://192.82.1.1/32> proto 17 sport 100 dport 1
….
52: ipv4 permit src 192.81.1.1/32<http://192.81.1.1/32> dst
192.82.1.1/32<http://192.82.1.1/32> proto 17 sport 100 dport 53
53: ipv4 permit src 0.0.0.0/0<http://0.0.0.0/0> dst
0.0.0.0/0<http://0.0.0.0/0> proto 0 sport 0-65535 dport 0-65535
applied inbound on sw_if_index: 1
used in lookup context index: 0
“
Thanks
Govind
> -----Original Message-----
> From: vpp-dev@lists.fd.io<mailto:vpp-dev@lists.fd.io>
> <vpp-dev@lists.fd.io<mailto:vpp-dev@lists.fd.io>> On Behalf Of Govindarajan
> Mohandoss via Lists.Fd.Io<http://Lists.Fd.Io>
> Sent: Friday, March 27, 2020 11:32 AM
> To: Andrew 👽 Yourtchenko <ayour...@gmail.com<mailto:ayour...@gmail.com>>
> Cc: vpp-dev@lists.fd.io<mailto:vpp-dev@lists.fd.io>
> Subject: Re: [vpp-dev] ACL question
>
> Thank you very much Andrew !! I will do some benchmarks and get back to
> you to understand it better.
>
> Thanks
> Govind
>
> > -----Original Message-----
> > From: Andrew 👽 Yourtchenko <ayour...@gmail.com<mailto:ayour...@gmail.com>>
> > Sent: Friday, March 27, 2020 7:52 AM
> > To: Govindarajan Mohandoss
> > <govindarajan.mohand...@arm.com<mailto:govindarajan.mohand...@arm.com>>
> > Cc: vpp-dev@lists.fd.io<mailto:vpp-dev@lists.fd.io>; nd
> > <n...@arm.com<mailto:n...@arm.com>>
> > Subject: Re: [vpp-dev] ACL question
> >
> > > On 27 Mar 2020, at 00:47, Govindarajan Mohandoss
> > <govindarajan.mohand...@arm.com<mailto:govindarajan.mohand...@arm.com>>
> > wrote:
> > >
> > >
> > >
> > > Hi Andrew,
> > >
> > > I just found out that ACL action differentiates SF or SL.
> > > Following
> > command enables SF and provides better performance.
> > >
> > > “acl_add_replace -1 ipv4 permit+reflect dst
> > > 192.82.1.1/32<http://192.82.1.1/32>”
> > >
> > >
> > >
> > > Few more questions:
> > >
> > > =================
> > >
> > > Choosing between VPP Classifiers and ACL Plugin:
> > >
> > >
> > > https://lists.fd.io/g/vpp-dev/message/5716?p=,,,20,0,0,0::relevance,
> > > ,A
> > > CL,20,2,60,10641995
> > >
> > > You mentioned that VPP classifiers are faster than ACL plugin.
> > > For <L2, L3, L4> field based classification, which one provides
> > > better data
> > plane perf ?
> >
> >
> > It depends. If you wanna simultaneously match on all three, there is
> > currently no mechanism to generically do so.
> >
> > But then every time I looked at the use cases claiming to require
> > that, turned out it was a bad idea to represent the data this way -
> > because of combinatorial explosion. Even ACLs themselves suffer from
> > this issue - N sources times M destinations times K servces equal
> > N*M*K rules, which quickly skyrockets.
> >
> > > Does classifier support ranges ?
> >
> >
> > Classifier supports chained masked lookups. You might emulate ranges
> there.
> >
> > That said, I had seen ranges used only in a tiny percentage of the
> > cases. So they are a corner case imho.
> >
> >
> > > Which one is better if the rate of ACL rule add/del is high / low?
> >
> >
> > Classifier single table is your best bet probably. ACL plugin
> > deliberately does not have an API to add/del a single rule - you
> > always download the entire ACL.
> >
> > > Whether ACL rule priority is supported in both the schemes ?
> >
> >
> > First match for Acl and multi table classify case. Single table is
> > just a hash lookup because the entries don’t overlap by definition
> >
> > > Whether ACL Plugin SF mode will perform better than classifier ?
> >
> >
> > I did not benchmark them. It's somewhat different use cases.
> >
> > > Whether classifier also has SF mode ?
> >
> >
> > Nope.
> >
> > >
> > >
> > > ACL Plugin:
> > >
> > > SF mode – How much of extra memory is needed compared to SL mode ?
> >
> >
> > Depending on the number of active sessions... each session creates two
> > binash table entries, and consumes an entry in the session pool. The
> > default values in the code for the bihash memory usage have been
> > tested with half a million sessions - so you can extrapolate from
> > those with some ballpark (though bihash memory usage is not linear wrt
> > the entries, and also there is some extra memory churn due to bucket
> > reallocations when the size increases).
> >
> > —a
> >
> > >
> > >
> > > Thanks
> > >
> > > Govind
> > >
> > >
> > >
> > > From: vpp-dev@lists.fd.io<mailto:vpp-dev@lists.fd.io>
> > > <vpp-dev@lists.fd.io<mailto:vpp-dev@lists.fd.io>> On Behalf Of
> > > Govindarajan Mohandoss via Lists.Fd.Io<http://Lists.Fd.Io>
> > > Sent: Thursday, March 26, 2020 12:37 PM
> > > To: Andrew 👽 Yourtchenko <ayour...@gmail.com<mailto:ayour...@gmail.com>>
> > > Cc: vpp-dev@lists.fd.io<mailto:vpp-dev@lists.fd.io>
> > > Subject: Re: [vpp-dev] ACL question
> > >
> > >
> > >
> > > Hi Andrew,
> > >
> > > Thanks for the document.
> > >
> > > Can you please share the documents related to ACL plugin CLI
> > > config for
> > both stateful & stateless modes ?
> > >
> > >
> > >
> > > I tried the following commands for input ACL in VAT CLI. Not sure
> > whether this is SL / SF ?
> > >
> > > “
> > >
> > > vat# acl_add_replace -1 ipv4 permit dst
> > > 192.82.1.1/32<http://192.82.1.1/32>
> > >
> > > vl_api_acl_add_replace_reply_t_handler:70: ACL index: 0
> > >
> > > vat# acl_interface_set_acl_list TenGigabitEthernet13/0/0 input 0
> > >
> > > vat# acl_interface_list_dump TenGigabitEthernet13/0/0
> > >
> > > vl_api_acl_interface_list_details_t_handler:115: sw_if_index: 3,
> > > count: 1, n_input: 1
> > >
> > > input 0
> > >
> > >
> > >
> > > vat# help acl_add_replace
> > >
> > > usage: acl_add_replace <acl-idx> [<ipv4|ipv6>]
> > <permit|permit+reflect|deny|action N> [src IP/plen] [dst IP/plen]
> > [sport X-Y] [dport X-Y] [proto P] [tcpflags FL MASK], ... , ...
> > >
> > > “
> > >
> > >
> > >
> > > Thanks
> > >
> > > Govind
> > >
> > >
> > >
> > > From: Andrew 👽 Yourtchenko <ayour...@gmail.com<mailto:ayour...@gmail.com>>
> > > Sent: Thursday, March 26, 2020 4:49 AM
> > > To: Govindarajan Mohandoss
> > > <govindarajan.mohand...@arm.com<mailto:govindarajan.mohand...@arm.com>>
> > > Cc: vpp-dev@lists.fd.io<mailto:vpp-dev@lists.fd.io>; Lijian Zhang
> > > <lijian.zh...@arm.com<mailto:lijian.zh...@arm.com>>;
> > > Jieqiang Wang <jieqiang.w...@arm.com<mailto:jieqiang.w...@arm.com>>; nd
> > > <n...@arm.com<mailto:n...@arm.com>>
> > > Subject: Re: [vpp-dev] ACL question
> > >
> > >
> > >
> > > As an acl plugin author I can say both stateful and stateless ACLs
> > > are used
> > for different consumers.
> > >
> > >
> > >
> > > Various matching implementations in vpp are used in different use
> cases...
> > and there is not a single silver bullet magic answer, because the
> > trade offs are different.
> > >
> > >
> > >
> > > https://nonsns.github.io/paper/rossi19ton.pdf
> > >
> > >
> > >
> > > Is a reasonable read on the subject - also because it relates to VPP
> > > and the
> > real project that we did a while ago.
> > >
> > >
> > >
> > > --a
> > >
> > >
> > >>
> > >> On 25 Mar 2020, at 17:26, Govindarajan Mohandoss
> > <govindarajan.mohand...@arm.com<mailto:govindarajan.mohand...@arm.com>>
> > wrote:
> > >>
> > >>
> > >>
> > >> Hello ACL Maintainer,
> > >>
> > >> We want to measure and optimize the ACL performance for ARM
> > servers. As per the foll. link, there are 4 different implementation
> > of ACLs in VPP.
> > >>
> > >> https://fd.io/docs/vpp/master/usecases/acls.html
> > >>
> > >> We would like to start with most commonly used ACL implementation
> > >> in
> > VPP which can cover L2, L3 and L4 fields. As per the link above and
> > CSIT reports (link below), it looks like ACL plugin is the right match.
> > >>
> > >> Can you please confirm ? ACL plugin has 2 variants – Stateful &
> Stateless.
> > Which is common and widely used in VPP ?
> > >>
> > >>
> > >> https://docs.fd.io/csit/master/report/detailed_test_results/vpp_per
> > >> fo
> > >> rmance_results/index.html
> > >>
> > >>
> > >>
> > >> Thanks
> > >>
> > >> Govind
> > >>
> > >> IMPORTANT NOTICE: The contents of this email and any attachments
> > >> are
> > confidential and may also be privileged. If you are not the intended
> > recipient, please notify the sender immediately and do not disclose
> > the contents to any other person, use it for any purpose, or store or
> > copy the information in any medium. Thank you.
50 rules are added in SF mode by incrementing the destination UDP port only:
============================================================================
vat# acl_add_replace -1 ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32
proto 17 sport 100 dport 1, ipv4 permit+reflect src 192.81.1.1/32 dst
192.82.1.1/32 proto 17 sport 100 dport 2, ipv4 permit+reflect src 192.81.1.1/32
dst 192.82.1.1/32 proto 17 sport 100 dport 3, ipv4 permit+reflect src
192.81.1.1/32 dst 192.82.1.1/32 proto 17 sport 100 dport 4, ipv4 permit+reflect
src 192.81.1.1/32 dst 192.82.1.1/32 proto 17 sport 100 dport 5, ipv4
permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17 sport 100 dport 6,
ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17 sport 100
dport 7, ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17 sport
100 dport 8, ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
sport 100 dport 9, ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32
proto 17 sport 100 dport 10, ipv4 permit+reflect src 192.81.1.1/32 dst
192.82.1.1/32 proto 17 sport 100 dport 11, ipv4 permit+reflect src
192.81.1.1/32 dst 192.82.1.1/32 proto 17 sport 100 dport 12, ipv4
permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17 sport 100 dport 13,
ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17 sport 100
dport 14, ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
sport 100 dport 15, ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32
proto 17 sport 100 dport 16, ipv4 permit+reflect src 192.81.1.1/32 dst
192.82.1.1/32 proto 17 sport 100 dport 17, ipv4 permit+reflect src
192.81.1.1/32 dst 192.82.1.1/32 proto 17 sport 100 dport 18, ipv4
permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17 sport 100 dport 19,
ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17 sport 100
dport 20, ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
sport 100 dport 21, ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32
proto 17 sport 100 dport 22, ipv4 permit+reflect src 192.81.1.1/32 dst
192.82.1.1/32 proto 17 sport 100 dport 23, ipv4 permit+reflect src
192.81.1.1/32 dst 192.82.1.1/32 proto 17 sport 100 dport 24, ipv4
permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17 sport 100 dport 25,
ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17 sport 100
dport 26, ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
sport 100 dport 27, ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32
proto 17 sport 100 dport 28, ipv4 permit+reflect src 192.81.1.1/32 dst
192.82.1.1/32 proto 17 sport 100 dport 29, ipv4 permit+reflect src
192.81.1.1/32 dst 192.82.1.1/32 proto 17 sport 100 dport 30, ipv4
permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17 sport 100 dport 31,
ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17 sport 100
dport 32, ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
sport 100 dport 33, ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32
proto 17 sport 100 dport 34, ipv4 permit+reflect src 192.81.1.1/32 dst
192.82.1.1/32 proto 17 sport 100 dport 35, ipv4 permit+reflect src
192.81.1.1/32 dst 192.82.1.1/32 proto 17 sport 100 dport 36, ipv4
permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17 sport 100 dport 37,
ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17 sport 100
dport 38, ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
sport 100 dport 39, ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32
proto 17 sport 100 dport 40, ipv4 permit+reflect src 192.81.1.1/32 dst
192.82.1.1/32 proto 17 sport 100 dport 41, ipv4 permit+reflect src
192.81.1.1/32 dst 192.82.1.1/32 proto 17 sport 100 dport 42, ipv4
permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17 sport 100 dport 43,
ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17 sport 100
dport 44, ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
sport 100 dport 45, ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32
proto 17 sport 100 dport 46, ipv4 permit+reflect src 192.81.1.1/32 dst
192.82.1.1/32 proto 17 sport 100 dport 47, ipv4 permit+reflect src
192.81.1.1/32 dst 192.82.1.1/32 proto 17 sport 100 dport 48, ipv4
permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17 sport 100 dport 49,
ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17 sport 100
dport 50
vl_api_acl_add_replace_reply_t_handler:70: ACL index: 0
vat# acl_interface_set_acl_list TenGigabitEthernet1/0/0 input 0
============================================================================================================
vpp# show acl-plugin acl 0
acl-index 0 count 49 tag {}
0: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
sport 100 dport 1
1: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
sport 100 dport 2
2: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
sport 100 dport 3
3: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
sport 100 dport 4
4: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
sport 100 dport 5
5: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
sport 100 dport 6
6: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
sport 100 dport 7
7: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
sport 100 dport 8
8: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
sport 100 dport 9
9: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
sport 100 dport 10
10: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
sport 100 dport 11
11: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
sport 100 dport 12
12: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
sport 100 dport 13
13: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
sport 100 dport 14
14: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
sport 100 dport 15
15: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
sport 100 dport 16
16: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
sport 100 dport 17
17: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
sport 100 dport 18
18: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
sport 100 dport 19
19: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
sport 100 dport 20
20: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
sport 100 dport 21
21: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
sport 100 dport 22
22: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
sport 100 dport 23
23: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
sport 100 dport 24
24: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
sport 100 dport 25
25: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
sport 100 dport 26
26: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
sport 100 dport 27
27: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
sport 100 dport 28
28: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
sport 100 dport 29
29: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
sport 100 dport 30
30: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
sport 100 dport 31
31: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
sport 100 dport 32
32: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
sport 100 dport 33
33: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
sport 100 dport 34
34: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
sport 100 dport 35
35: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
sport 100 dport 36
36: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
sport 100 dport 37
37: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
sport 100 dport 38
38: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
sport 100 dport 39
39: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
sport 100 dport 40
40: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
sport 100 dport 41
41: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
sport 100 dport 42
42: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
sport 100 dport 43
43: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
sport 100 dport 44
44: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
sport 100 dport 45
45: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
sport 100 dport 46
46: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
sport 100 dport 47
47: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17
sport 100 dport 48 << Only 48 rules are added. dport 49 & 50 are missing.
48: ipv4 permit src 0.0.0.0/0 dst 0.0.0.0/0 proto 0 sport 0-65535
dport 0-65535 << "Permit all" rule is also getting added automatically.
applied inbound on sw_if_index: 1
used in lookup context index: 0
unknown input `0'
vpp#
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#16198): https://lists.fd.io/g/vpp-dev/message/16198
Mute This Topic: https://lists.fd.io/mt/72544608/21656
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
