Hi Petr, Thanks for sharing the solution for future readers. Regarding doc improvements, we'd love more contributions 😊
Best,
Ben

> -----Original Message-----
> From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of Petr Boltík
> Sent: Saturday, April 30, 2022 17:54
> To: Petr Boltík <petr.bol...@gmail.com>
> Cc: vpp-dev <vpp-dev@lists.fd.io>
> Subject: Re: [vpp-dev] ABF+ACL permit rule behavior ?
>
> Hi,
>
> I will reply myself to close this question and help others in the future.
> This is not an issue, this was my misunderstanding of how ABF works with
> rules. Any improvement in documentation will be greatly appreciated.
>
> 1. set acl-plugin acl permit dst 10.0.0.100/32
>    create acl with source 0.0.0.0/0 dst 10.0.0.100/32 action permit
>
> 2. abf policy add id 0 acl 0 via 10.10.15.1 enp2s0
>    create policy 0 with acl 0 with rule path via 10.10.15.1 enp2s0
>    (interface can be omitted for L3 routes)
>    >>> if action is deny => drop packets
>    >>> if action is permit, compare "ip fib" path (dst 10.0.0.100/32
>        via 10.10.15.1@enp2s0) to configured policy 0 gateway and
>        interface. If match => permit. If not match => drop.
>
> 3. abf attach ip4 policy 0 loop0
>    attach policy 0 to the input interface (in my scenario it is loop0)
>
> Thanks
> Petr B.
>
>
> On Sat, 30 Apr 2022 at 15:06, Petr Boltík via lists.fd.io <petr.boltik=gmail....@lists.fd.io> wrote:
>
> Hi,
>
> I'm working with a combination of the ABF+ACL plugins, but I have a problem
> with the ACL permit rule. The ACL action "permit" is ignored and ABF drops
> packets. Please, can someone confirm this is the correct behavior? Thanks
>
> Regards
> Petr B.
>
>
> vpp# show version
> vpp v22.06-rc0~378-g6120441f9
>
> ### note:
> vlan 2501@enp3s0(pop1) + loop0(bvi) = bridge domain 192.168.95.100/24
> ping from 192.168.95.17 => 10.0.0.100
>
> 1. add rules:
> set acl-plugin acl permit dst 10.0.0.100/32
> abf policy add id 0 acl 0 via 192.168.95.100 loop0
> abf attach ip4 policy 0 loop0
>
> 2. show
> vpp# show acl-plugin acl
> acl-index 0 count 1 tag {cli}
>           0: ipv4 permit src 0.0.0.0/0 dst 10.0.0.100/32 proto 0 sport 0-65535 dport 0-65535
>   used in lookup context index: 0
>
> vpp# show abf policy
> abf:[0]: policy:0 acl:0
>  path-list:[64] locks:1 flags:shared,no-uRPF, uRPF-list: None
>    path:[88] pl-index:64 ip4 weight=1 pref=0 attached-nexthop:  oper-flags:resolved,
>      192.168.95.100 loop0
>       [@0]: arp-ipv4: via 192.168.95.100 loop0
>
> vpp# show abf attach loop0
> ipv4:
>  abf-interface-attach: policy:0 priority:0
>   [@1]: arp-ipv4: via 192.168.95.100 loop0
>
> 3. show trace
> Packet 4
>
> 00:06:31:315032: dpdk-input
>   enp3s0 rx queue 0
>   buffer 0x91ad3: current data 0, length 68, buffer-pool 0, ref-count 1, trace handle 0x3000003
>                   ext-hdr-valid
>   PKT MBUF: port 1, nb_segs 1, pkt_len 68
>     buf_len 2176, data_len 68, ol_flags 0x182, data_off 128, phys_addr 0x5dc6b540
>     packet_type 0x11 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
>     rss 0x52c93baa fdir.hi 0x0 fdir.lo 0x52c93baa
>     Packet Offload Flags
>       PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
>       PKT_RX_IP_CKSUM_NONE (0x0090) no IP cksum of RX pkt.
>       PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid
>       PKT_RX_L4_CKSUM_NONE (0x0108) no L4 cksum of RX pkt.
>       PKT_RX_RSS_HASH (0x0002) RX packet with RSS hash result
>     Packet Types
>       RTE_PTYPE_L2_ETHER (0x0001) Ethernet packet
>       RTE_PTYPE_L3_IPV4 (0x0010) IPv4 packet without extension headers
>   IP4: 74:4d:28:8d:0d:22 -> 1a:24:b6:07:ca:16 802.1q vlan 2501
>   ICMP: 192.168.95.17 -> 10.0.0.100
>     tos 0x00, ttl 255, length 50, checksum 0xa899 dscp CS0 ecn NON_ECN
>     fragment id 0xe913
>   ICMP echo_request checksum 0x4637 id 39169
> 00:06:31:315041: ethernet-input
>   frame: flags 0x3, hw-if-index 2, sw-if-index 2
>   IP4: 74:4d:28:8d:0d:22 -> 1a:24:b6:07:ca:16 802.1q vlan 2501
> 00:06:31:315047: l2-input
>   l2-input: sw_if_index 4 dst 1a:24:b6:07:ca:16 src 74:4d:28:8d:0d:22 [l2-input-vtr l2-learn l2-fwd l2-flood l2-flood ]
> 00:06:31:315049: l2-input-vtr
>   l2-input-vtr: sw_if_index 4 dst 1a:24:b6:07:ca:16 src 74:4d:28:8d:0d:22 data 08 00 45 00 00 32 e9 13 00 00 ff 01
> 00:06:31:315049: l2-learn
>   l2-learn: sw_if_index 4 dst 1a:24:b6:07:ca:16 src 74:4d:28:8d:0d:22 bd_index 1
> 00:06:31:315051: l2-fwd
>   l2-fwd: sw_if_index 4 dst 1a:24:b6:07:ca:16 src 74:4d:28:8d:0d:22 bd_index 1 result [0x70000000b, 11] static age-not bvi
> 00:06:31:315052: ip4-input
>   ICMP: 192.168.95.17 -> 10.0.0.100
>     tos 0x00, ttl 255, length 50, checksum 0xa899 dscp CS0 ecn NON_ECN
>     fragment id 0xe913
>   ICMP echo_request checksum 0x4637 id 39169
> 00:06:31:315054: abf-input-ip4
>   next 1 index 28
> 00:06:31:315056: ip4-arp
>   ICMP: 192.168.95.17 -> 10.0.0.100
>     tos 0x00, ttl 255, length 50, checksum 0xa899 dscp CS0 ecn NON_ECN
>     fragment id 0xe913
>   ICMP echo_request checksum 0x4637 id 39169
> 00:06:31:315064: ip4-drop
>   ICMP: 192.168.95.17 -> 10.0.0.100
>     tos 0x00, ttl 255, length 50, checksum 0xa899 dscp CS0 ecn NON_ECN
>     fragment id 0xe913
>   ICMP echo_request checksum 0x4637 id 39169
> 00:06:31:315066: error-drop
>   rx:loop0
> 00:06:31:315068: drop
>   ip4-arp: ARP requests sent
View/Reply Online (#21342): https://lists.fd.io/g/vpp-dev/message/21342
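A small parser for the kind of `show trace` output quoted in this thread, written here as an added example (not VPP's own tooling): it recovers each packet's node path and, for dropped packets, the graph node that fed the drop chain and the drop counter name, so an abf-input-ip4 -> ip4-arp -> drop sequence like the one above is spotted without reading the whole trace. The embedded sample is trimmed from the trace in the thread; the helper names are this example's own.

```python
"""Summarise VPP ``show trace``: per-packet node path, drop point and counter."""
import re
from dataclasses import dataclass, field

NODE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}:\d+): (\S+)")  # "HH:MM:SS:usec: node"
DROP_CHAIN = {"ip4-drop", "error-drop", "drop"}

# Trimmed from the trace posted in this thread (per-node detail shortened).
SAMPLE_TRACE = """\
Packet 4
00:06:31:315032: dpdk-input
  enp3s0 rx queue 0
00:06:31:315052: ip4-input
  ICMP: 192.168.95.17 -> 10.0.0.100
00:06:31:315054: abf-input-ip4
  next 1 index 28
00:06:31:315056: ip4-arp
00:06:31:315064: ip4-drop
00:06:31:315066: error-drop
00:06:31:315068: drop
  ip4-arp: ARP requests sent
"""

@dataclass
class PacketTrace:
    packet: int
    nodes: list = field(default_factory=list)
    reason: str = ""  # counter name printed under the final "drop" node

    def dropped_by(self) -> str:
        """Last real graph node before the generic drop chain (here ip4-arp)."""
        return next((n for n in reversed(self.nodes) if n not in DROP_CHAIN), "")

def parse_trace(text: str) -> list:
    packets, cur, last = [], None, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Packet "):          # "Packet N" starts a new record
            cur = PacketTrace(int(line.split()[1]))
            packets.append(cur)
        elif (m := NODE_RE.match(line)) and cur:
            last = m.group(2)
            cur.nodes.append(last)
        elif cur and last == "drop" and line and not cur.reason:
            cur.reason = line                   # e.g. "ip4-arp: ARP requests sent"
    return packets

def abf_drops(packets: list) -> list:
    """Packets steered by abf-input-ip4 whose policy path then failed to resolve."""
    return [p for p in packets if p.nodes[-1:] == ["drop"] and "abf-input-ip4" in p.nodes]
```

Running `abf_drops(parse_trace(SAMPLE_TRACE))` on the thread's trace yields packet 4 with `dropped_by()` equal to `ip4-arp`, which points straight at the unresolvable policy next hop rather than at the ACL.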