Hi Yan,

Historically the L2 and L3 packet path node graphs were very different, so the 
reason is probably just that - that you can’t have the fully unified processing 
in general.

I spent some effort in ACL plugin creating the “works in all modes the same” 
abstraction layer, it is at least possible for limited functions.

That said, it's not 100% trivial - for example in L3 mode on egress you will 
not have access to the Ethernet headers, so the code needs to account for that 
(as an example of a catch to be aware of).

--a

> On 9 Sep 2020, at 11:19, yan mo <comeon...@outlook.com> wrote:
> 
> 
> Hi Andrew,
> 
> Thanks for the quick response. Your answer is helpful to me.
>
> In addition, I would like to ask another question: why must ACL rules be 
> bound to the port mode? For example, when I configure as follows, the port 
> host-vpp1 does not match the packet. Only when I configure the port to L2 
> mode is the packet matched.
> DBGvpp# classify table mask l2 dst
> DBGvpp# classify session acl-hit-next deny table-index 0 match l2 dst 
> 11:22:33:44:55:66
> DBGvpp# set interface input acl intfc host-vpp1 l2-table 0
>
> Port is the default state.
> Trace:
> 00:02:04:696152: af-packet-input
>   af_packet: hw_if_index 2 next-index 4
>     tpacket2_hdr:
>       status 0x1 len 42 snaplen 42 mac 66 net 80
>       sec 0x5f5899fd nsec 0x1c35cad2 vlan 0 vlan_tpid 0
> 00:02:04:696377: ethernet-input
>   IP4: 33:33:33:33:33:33 -> 11:22:33:44:55:66
> 00:02:04:696418: ip4-input
>   ICMP: 192.0.2.1 -> 2.2.2.2
>     tos 0x00, ttl 64, length 28, checksum 0xb4db dscp CS0 ecn NON_ECN
>     fragment id 0x0001
>   ICMP echo_request checksum 0xf7ff
> 00:02:04:696435: ip4-not-enabled
>     ICMP: 192.0.2.1 -> 2.2.2.2
>       tos 0x00, ttl 64, length 28, checksum 0xb4db dscp CS0 ecn NON_ECN
>       fragment id 0x0001
>     ICMP echo_request checksum 0xf7ff
> 00:02:04:696446: error-drop
>   rx:host-vpp1
> 00:02:04:696478: drop
>   ethernet-input: no error
>
> When I configure the port to L2, the packet is denied.
> Trace:
> 00:08:38:890559: af-packet-input
>   af_packet: hw_if_index 2 next-index 4
>     tpacket2_hdr:
>       status 0x1 len 42 snaplen 42 mac 66 net 80
>       sec 0x5f589b87 nsec 0xc3c6091 vlan 0 vlan_tpid 0
> 00:08:38:890777: ethernet-input
>   IP4: 33:33:33:33:33:33 -> 11:22:33:44:55:66
> 00:08:38:890803: l2-input
>   l2-input: sw_if_index 2 dst 11:22:33:44:55:66 src 33:33:33:33:33:33
> 00:08:38:890823: l2-input-acl
>   INACL: sw_if_index 2, next_index 0, table 0, offset 1200
> 00:08:38:890837: error-drop
>   rx:host-vpp1
> 00:08:38:890843: drop
>   l2-input-acl: input ACL session deny drops
>
> What I understand is that packets with this dst mac (11:22:33:44:55:66) will 
> be matched, no matter what the port mode is.
> I want to know what is the purpose of this design or what configuration can 
> be used to achieve this matching.
>
> Thanks in advance.
>
> From: Andrew 👽 Yourtchenko [mailto:ayour...@gmail.com] 
> Sent: 9 September 2020 16:38
> To: yan mo
> Cc: vpp-dev
> Subject: Re: [vpp-dev] How to distinguish between l2-input-classify and 
> l2-input-acl
>
> L2-input classify is indeed a superset of l2-input-ACL, and allows some more 
> functionality like setting the next node index based on the match. You would 
> use ACL if you need the above “enhanced” functionality but also want to 
> maintain the ability to apply policy.
> 
> --a
> 
> 
> On 9 Sep 2020, at 10:08, yan mo <comeon...@outlook.com> wrote:
> 
> 
> Dear all,
> I have a question: what is the difference between l2-input-classify 
> and l2-input-acl? They can both perform the ACL function; which one should 
> I choose?
>
> I created a classify table and session as follows:
> classify table mask l2 dst
> classify session acl-hit-next deny table-index 0 match l2 dst 
> 11:22:33:44:55:66
>
> L2-input-acl
> (set interface input acl intfc host-vpp1 l2-table 0)
> Trace:
> 00:09:52:891414: af-packet-input
>   af_packet: hw_if_index 2 next-index 4
>     tpacket2_hdr:
>       status 0x1 len 42 snaplen 42 mac 66 net 80
>       sec 0x5f588084 nsec 0x390f397c vlan 0 vlan_tpid 0
> 00:09:52:891634: ethernet-input
>   IP4: 33:33:33:33:33:33 -> 11:22:33:44:55:66
> 00:09:52:891662: l2-input
>   l2-input: sw_if_index 2 dst 11:22:33:44:55:66 src 33:33:33:33:33:33
> 00:09:52:891690: l2-input-acl
>   INACL: sw_if_index 2, next_index 0, table 0, offset 1200
> 00:09:52:891699: error-drop
>   rx:host-vpp1
> 00:09:52:891707: drop
>   l2-input-acl: input ACL session deny drops
>
> L2-input-classify
> (set interface l2 input classify intfc host-vpp1 ip4-table 0)
> Trace:
> 00:05:11:825796: af-packet-input
>   af_packet: hw_if_index 2 next-index 4
>     tpacket2_hdr:
>       status 0x1 len 42 snaplen 42 mac 66 net 80
>       sec 0x5f587f6c nsec 0xd3080cf vlan 0 vlan_tpid 0
> 00:05:11:826012: ethernet-input
>   IP4: 33:33:33:33:33:33 -> 11:22:33:44:55:66
> 00:05:11:826046: l2-input
>   l2-input: sw_if_index 2 dst 11:22:33:44:55:66 src 33:33:33:33:33:33
> 00:05:11:826073: l2-input-classify
>   l2-classify: sw_if_index 2, table 0, offset 4b0, next 0
> 00:05:11:826086: error-drop
>   rx:host-vpp1
> 00:05:11:826094: drop
>   l2-input-classify: L2 Classify Drops
> 
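To make Andrew's point about the separate L2 and L3 paths concrete, here is an added example (not VPP's code and not from anyone in the thread) that models the classifier as a masked match on a 16-byte vector and replays the two traces above: the assumed simplifications are that "mask l2 dst" is a 6-byte mask at offset 0 of the Ethernet header and that the L3 path simply advances past that header without consulting the l2-table.

```python
import struct

VECTOR = 16  # the VPP classifier matches on 16-byte vectors

def mac(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))

def mask_l2_dst() -> bytes:
    # "classify table mask l2 dst": only the 6 dst-MAC bytes at the start
    # of the Ethernet header are significant; the rest of the vector is 0.
    return b"\xff" * 6 + b"\x00" * (VECTOR - 6)

class ClassifyTable:
    # Toy masked-match table (assumption): sessions are keyed on (bytes & mask).
    def __init__(self, mask: bytes):
        self.mask = mask
        self.sessions = {}

    def _key(self, data: bytes) -> bytes:
        window = data[:VECTOR].ljust(VECTOR, b"\x00")
        return bytes(a & m for a, m in zip(window, self.mask))

    def add_session(self, match: bytes, action: str) -> None:
        # "classify session acl-hit-next deny ... match l2 dst <mac>"
        self.sessions[self._key(match)] = action

    def lookup(self, data: bytes):
        return self.sessions.get(self._key(data))

def build_frame(dst: str, src: str) -> bytes:
    # Constructed sample: Ethernet + minimal IPv4 (192.0.2.1 -> 2.2.2.2,
    # proto ICMP, checksum left 0) + 8-byte ICMP echo, 42 bytes in total.
    eth = mac(dst) + mac(src) + b"\x08\x00"
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, 0, 64, 1, 0,
                      bytes([192, 0, 2, 1]), bytes([2, 2, 2, 2]))
    return eth + ip4 + b"\x08\x00\xf7\xff\x00\x00\x00\x00"

def process(frame: bytes, mode: str, l2_table: ClassifyTable,
            ip_enabled: bool = False) -> str:
    if mode == "l2":
        # l2-input-acl: current data still points at the Ethernet header,
        # so the l2-table mask lines up with the dst MAC.
        return l2_table.lookup(frame) or "l2-forward"
    # L3 mode: ethernet-input passes the buffer to ip4-input with the current
    # pointer past the 14-byte Ethernet header (frame[14:]); the l2-table is
    # not on this path, so its deny session is never consulted.
    if not ip_enabled:
        return "ip4-not-enabled"  # the drop in the first trace above
    return "ip4-lookup"
```

Running `process(frame, "l2", table)` on a frame to 11:22:33:44:55:66 returns "deny", the same frame in "l3" mode returns "ip4-not-enabled", and looking the l2-table up against `frame[14:]` finds nothing, which is why the same session cannot simply apply in both modes.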
View/Reply Online (#17354): https://lists.fd.io/g/vpp-dev/message/17354