Hi Zach,

I think there is a bug in the patch "perf improvement of ipsec4_input_node using flow cache" (https://gerrit.fd.io/r/c/vpp/+/32903). Based on the current code, multiple SPD rules were created that include some bypass or discard rules. When an ESP packet is received, we expect it to match the protect rule, but it is possible that it will match the bypass or discard rule via the flow cache. For example, in the NAT-T scenario, there is a bypass rule that is needed to forward IKE packets to the IKE daemon; the data packets, ESP over UDP, will match this rule.

  [8] priority 2147483647 action bypass type ip4-inbound-bypass protocol UDP
      local addr range 0.0.0.0 - 255.255.255.255 port range 4500 - 4500
      remote addr range 0.0.0.0 - 255.255.255.255 port range 0 - 65535
      packets 0 bytes 0

Thanks,
Guangming
zhangguangm...@baicells.com
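Added example, not part of the original message and not VPP code: a simplified C model of why the selector of rule [8] (protocol UDP, local port 4500) cannot tell IKE from ESP-over-UDP, and how the RFC 3948 non-ESP marker separates them. The function names, the action enum and the sample payloads are constructed for illustration; the default-discard behaviour is an assumption of this model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum natt_kind { NATT_IKE, NATT_ESP, NATT_KEEPALIVE, NATT_INVALID };
enum action { ACT_BYPASS, ACT_PROTECT, ACT_DISCARD };
/* Constructed sample UDP/4500 payloads (not captured traffic). */
static const uint8_t ike_pkt[] = { 0, 0, 0, 0, 0x11, 0x22, 0x33, 0x44 }; /* non-ESP marker + IKE bytes */
static const uint8_t esp_pkt[] = { 0, 0, 0x10, 0x01, 0, 0, 0, 1 };       /* SPI 0x1001, sequence 1 */
static const uint8_t keepalive_pkt[] = { 0xFF };                         /* NAT-keepalive */

/* RFC 3948 demultiplexing of a UDP port 4500 payload. */
static enum natt_kind natt_classify(const uint8_t *p, size_t len)
{
    static const uint8_t non_esp_marker[4] = { 0, 0, 0, 0 };
    if (len == 1 && p[0] == 0xFF) return NATT_KEEPALIVE;
    if (len < 4) return NATT_INVALID;
    return memcmp(p, non_esp_marker, 4) == 0 ? NATT_IKE : NATT_ESP;
}

/* Selector of the quoted rule [8]: protocol UDP, local port 4500, any address. */
static int rule8_matches(uint8_t proto, uint16_t local_port)
{
    return proto == 17 && local_port == 4500;
}

/* Hypothetical lookup that sees only header fields: IKE and ESP-in-UDP look identical. */
static enum action decide_by_headers(uint8_t proto, uint16_t local_port)
{
    return rule8_matches(proto, local_port) ? ACT_BYPASS : ACT_DISCARD;
}

/* Hypothetical lookup that demultiplexes the payload before applying rule [8]. */
static enum action decide_natt_aware(uint8_t proto, uint16_t local_port, const uint8_t *p, size_t len)
{
    if (!rule8_matches(proto, local_port)) return ACT_DISCARD;
    switch (natt_classify(p, len)) {
    case NATT_IKE: return ACT_BYPASS;   /* forward to the IKE daemon */
    case NATT_ESP: return ACT_PROTECT;  /* SA lookup by SPI would follow */
    default:       return ACT_DISCARD;  /* keepalive or runt: nothing to deliver */
    }
}

int main(void)
{
    printf("ESP by headers only: %d\n", decide_by_headers(17, 4500));
    printf("ESP payload-aware:   %d\n", decide_natt_aware(17, 4500, esp_pkt, sizeof esp_pkt));
    printf("IKE payload-aware:   %d\n", decide_natt_aware(17, 4500, ike_pkt, sizeof ike_pkt));
    return decide_natt_aware(17, 4500, keepalive_pkt, sizeof keepalive_pkt) != ACT_DISCARD;
}
```

In this model the header-only decision returns bypass for the ESP payload, which is the mismatch the message describes; any cached verdict keyed on the same header fields would repeat it.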