Copying in Piotr, Fan and some other folks for awareness/any input. Best, Zach
On 28/09/2022 09:07, Zachary Leaf via lists.fd.io wrote:
> Hi Guangming,
>
> Thanks for the report. I think you may have uncovered some of the bugs
> in the general inbound matching logic.
>
> I think there are 2 problems with the logic for the standard linear
> search (not flow cache, but impacts flow cache):
> 1. Only matches source/dest ip, and doesn't match source/dest ports
>    or protocol
> 2. First looks for a match in a vector of all PROTECT policies, then in
>    BYPASS, then finally in DISCARD if nothing matched above
>
> In contrast the way I think the matching logic should work is matching a
> full 5-tuple of {sip/dip, sp/dp, proto} as per outbound side, with all
> policies searched in one vector so priorities are respected [1].
>
> From what you've said I think what may cause your issue is a
> combination of the 2 above problems, flow cache activation and the
> particular policy you included:
>
> - First packet enters, does not match any PROTECT rules, so searches and
>   matches BYPASS rule for catch-all 0.0.0.0-255.255.255.255 /0 range
>   (inbound logic does not check port ranges or protocol)
> - Now flow cache has an entry for 0.0.0.0-255.255.255.255 that will
>   match every packet in future
>
> Obviously the inbound logic is pretty broken, I think it really needs a
> full re-write to align with outbound side. In hindsight it would have
> been better to fix all this before adding flow cache but these issues
> weren't really clear before.
>
> As far as fixing your problem, disabling flow cache would work to match
> the PROTECT policy because of the ordering of the linear search (see 2
> above), but doesn't fix any of the other possible issues.
>
> Otherwise really any 0.0.0.0-255.255.255.255 range is going to mess up
> and match everything in flow cache if the first packet that enters
> matches one of these rules.
>
> You can try using the new fast path functionality, but from a quick look
> this also might only be matching sip/dip and not a full 5-tuple so
> possibly will have the same issue.
>
> Best,
>
> Zach
>
> 1:
> https://gerrit.fd.io/r/c/vpp/+/34252/3#message-958bacb4654a030e835502af5e486f614c5a1433
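To make the two problems in the quoted message concrete, here is an added toy model of the inbound SPD search, written for this page and not taken from VPP. It puts the search the message describes (three per-action vectors searched PROTECT -> BYPASS -> DISCARD, matching only source/destination addresses) side by side with the search the message argues for (one priority-ordered vector, full 5-tuple match, as on the outbound side). The policy set, packets, addresses and field names are constructed for the example and are not the reporter's configuration; the flow cache is deliberately left out of the model, since only the linear-search behaviour is being illustrated.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

PROTECT, BYPASS, DISCARD = "protect", "bypass", "discard"
ANY_PORT = (0, 65535)
ANY_ADDR = ("0.0.0.0", "255.255.255.255")


@dataclass(frozen=True)
class Policy:
    """Hypothetical SPD entry: inclusive address/port ranges, protocol None = any."""
    priority: int
    action: str
    laddr: Tuple[str, str]   # local range (destination on the inbound side)
    raddr: Tuple[str, str]   # remote range (source on the inbound side)
    lport: Tuple[int, int]
    rport: Tuple[int, int]
    protocol: Optional[int]


@dataclass(frozen=True)
class Packet:
    sip: str
    dip: str
    sport: int
    dport: int
    protocol: int


def _in_range(addr: str, rng: Tuple[str, str]) -> bool:
    return IPv4Address(rng[0]) <= IPv4Address(addr) <= IPv4Address(rng[1])


def addr_match(pol: Policy, pkt: Packet) -> bool:
    """Address-only match: what the message says the inbound path checks today."""
    return _in_range(pkt.dip, pol.laddr) and _in_range(pkt.sip, pol.raddr)


def full_match(pol: Policy, pkt: Packet) -> bool:
    """Full 5-tuple match: addresses, both ports and protocol."""
    return (addr_match(pol, pkt)
            and pol.lport[0] <= pkt.dport <= pol.lport[1]
            and pol.rport[0] <= pkt.sport <= pol.rport[1]
            and (pol.protocol is None or pol.protocol == pkt.protocol))


def inbound_lookup_as_described(policies: List[Policy], pkt: Packet) -> Optional[Policy]:
    """Model of the search the message describes: one vector per action,
    walked PROTECT, then BYPASS, then DISCARD, addresses only. Priority is
    honoured only within a vector, never across actions."""
    for action in (PROTECT, BYPASS, DISCARD):
        bucket = sorted((p for p in policies if p.action == action),
                        key=lambda p: -p.priority)
        for p in bucket:
            if addr_match(p, pkt):
                return p
    return None


def inbound_lookup_by_priority(policies: List[Policy], pkt: Packet) -> Optional[Policy]:
    """Model of the search the message argues for: one vector ordered by
    priority, full 5-tuple match, first hit wins (outbound-style)."""
    for p in sorted(policies, key=lambda p: -p.priority):
        if full_match(p, pkt):
            return p
    return None


# Constructed policy set (not the reporter's): protect a site-to-site range,
# drop everything from a blocked /24, and let only IKE (UDP/500) bypass from anywhere.
POLICIES = [
    Policy(100, PROTECT, ("10.0.0.0", "10.0.0.255"), ("192.168.1.0", "192.168.1.255"),
           ANY_PORT, ANY_PORT, None),
    Policy(90, DISCARD, ("10.0.0.0", "10.0.0.255"), ("203.0.113.0", "203.0.113.255"),
           ANY_PORT, ANY_PORT, None),
    Policy(10, BYPASS, ANY_ADDR, ANY_ADDR, (500, 500), ANY_PORT, 17),
]

# Constructed packets.
PKT_SSH_FROM_BLOCKED = Packet("203.0.113.5", "10.0.0.1", 51000, 22, 6)   # should be DISCARD
PKT_IKE = Packet("198.51.100.7", "10.0.0.1", 500, 500, 17)               # should be BYPASS
PKT_HTTPS = Packet("198.51.100.7", "10.0.0.1", 40000, 443, 6)            # matches no policy


if __name__ == "__main__":
    for pkt in (PKT_SSH_FROM_BLOCKED, PKT_IKE, PKT_HTTPS):
        a = inbound_lookup_as_described(POLICIES, pkt)
        b = inbound_lookup_by_priority(POLICIES, pkt)
        print(pkt, "described:", a and a.action, "| by-priority:", b and b.action)
```

The SSH packet from the blocked range is the security-relevant case: the address-only, action-ordered search hands it to the catch-all BYPASS rule because the BYPASS vector is consulted before DISCARD and the UDP/500 restriction is never read, whereas the priority-ordered 5-tuple search reaches the higher-priority DISCARD. The HTTPS packet shows the other side of the same defect, the catch-all address range swallowing traffic that no policy actually covers; what a real datapath does with an unmatched inbound packet is outside this model.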