Hi Jens,

Thanks for the report!

There are two issues. First, if a parameter is omitted, it is implicitly 
initialized to 0.0.0.0/0 - as a shortcut for debugging. 

So even the “working” case is not correct - you end up with ipv6 source and 
ipv4 destination, which may give you unpredictable results. 
https://gerrit.fd.io/r/c/vpp/+/31770 will address this by preventing the 
creation of rules with source and destination being different address families. 
So, long story short - best to specify both src/dst explicitly.

Which gets us to the second part of the issue - incorrect parsing. This looks 
like a regression introduced by commit dd2f12ba - which changed the way the 
parsing of the IP prefix works… and the ::/0 prefix is interpreted as an IPv4 
of 0.0.0.0, with unhappy results, due to the function “ip46_address_is_ip4” 
returning true for a whole set of valid IPv6 prefixes… which resets the address 
family of the prefix to a wrong value (IPv4), which then makes the ACL code 
unhappy.

To fix this, I made a small change https://gerrit.fd.io/r/c/vpp/+/37602 which 
essentially returns the old behavior but without the problem that the previous 
fix was fixing. If Benoit is happy with it, then it will take care of the 
incorrect parsing of an “any” prefix.

--a

> On 8 Nov 2022, at 16:50, Jens Rösiger via lists.fd.io 
> <jensr=tops....@lists.fd.io> wrote:
> 
> 
> Dear VPP Dev Team,
> 
> I found a problem with creating a VPP ACL with IPv6 SRC / DST Address. The 
> ACL is created incorrectly. The problem occurs when "any" ::/0 is used as the 
> SRC address. 
> 
> Example (correct):
> vpp# set acl-plugin acl permit src 2a00:c940::/32
> ACL index:35
> vpp# show acl-plugin acl index 35
> acl-index 35 count 1 tag {cli}
>           0: ipv6 permit src 2a00:c940::/32 dst ::/0 proto 0 sport 0-65535 dport 0-65535
> 
> Example (wrong):
> vpp# set acl-plugin acl permit dst 2a00:c940::/32
> ACL index:36
> vpp# show acl-plugin acl index 36
> acl-index 36 count 1 tag {cli}
>           0: ipv4 permit src 0.0.0.0/0 dst 0.0.0.0/32 proto 0 sport 0-65535 dport 0-65535
> 
> The ACL 36 is IPv4, not IPv6. I found no way to create an ACL with ::/0 as 
> source (with "set acl-plugin acl").
> 
> My workaround is to use "binary-api acl_add_replace" instead of "set acl-plugin 
> acl". But I think the better way is to fix this issue.
> 
> Kind regards
> Jens Rösiger
> 
> -----------------------------------------------------------------------------------
> Jens Rösiger                          tops.net GmbH u. Co KG
> Linux System Administrator            Holtorfer Straße 35
>                                       D-53229 Bonn / Germany
> E-Mail:  je...@tops.net               Tel: +49 228 9771 111
> www   : http://www.tops.net           Fax: +49 228 9771 199
> -----------------------------------------------------------------------------------
> Commercial register Bonn: HRA 4251
> Managing director: tops.net GmbH, Holtorfer Straße 35, 53229 Bonn 
> 
> Commercial register Bonn: HRB 7323
> Represented individually by the managing director: Tamás Lányi
> 
> tops.net acts exclusively on the basis of its current General Terms and
> Conditions, which are available at any time at http://agb.tops.net.
> Subject to changes, errors and typographical mistakes. 
> Prices are quoted exclusive of the applicable statutory VAT, currently 19%.
> -----------------------------------------------------------------------------------

View/Reply Online (#22152): https://lists.fd.io/g/vpp-dev/message/22152