[vpp-dev] some confusions about l2 forward and flood

Hi everyone! When I was testing the bridge function，everything worked fine with the following configuration： > > BD-ID   Index   BSN  Age(min)   Learn     Forwrd    UU-Flood    Flood    > ARP-Term  ARP-ufwd   BVI-Intf > 1       1      0     off       off        on       flood        on      >

Re: [vpp-dev] CGNAT port assignment

Marcos, > I’m aware that VPP NAT Plugin has a limitation of 1000 ports per inside > users, but eventually that amount of connections is not enough. > > I would like to get some guidance on how to change that VPP logic When > assigning ports to users when working with deterministic nat, so

[vpp-dev] CGNAT port assignment

Hello VPP Experts / developers, I'm aware that VPP NAT Plugin has a limitation of 1000 ports per inside users, but eventually that amount of connections is not enough. I would like to get some guidance on how to change that VPP logic When assigning ports to users when working with

Re: [vpp-dev] problem with updating incomplete adj nbr entries upon MAC address change

Hi Neale, inline On Wed, Aug 11, 2021 at 6:36 PM Neale Ranns wrote: > Dear Ivan, > > > > That’s the best bug report I’ve seen in ages, so thank you! > You're welcome :) > I’ll take your patch as a starting point, but I’ll think I move the > responsibility for walking the incomplete

Re: [vpp-dev] problem with updating incomplete adj nbr entries upon MAC address change

Dear Ivan, That’s the best bug report I’ve seen in ages, so thank you! I’ll take your patch as a starting point, but I’ll think I move the responsibility for walking the incomplete adjacencies into the adj code; it seems a little unfair for the ip-neighbour module to be responsible for

Re: [vpp-dev] memif: failed: no source address for egress interface

On Tue, Aug 10, 2021 at 2:39 AM Neale Ranns wrote > > > Again: GCP does this. Calico for K8s (the most used K8s CNI plugin) does > this. Its basically the direction Cloud is going in the generic. > > > > Ah well, that’s different, if all the cool kids are doing it, then it must > be the right

[vpp-dev] problem with updating incomplete adj nbr entries upon MAC address change

Hi, I've stumbled upon a problem in the neighbor adj code that handles incomplete entries. These entries are pre-created under some circumstances such as creation of a VXLAN tunnel and used to make Ethernet headers for outbound ARP requests. Problem is, when the MAC address of the interface

Re: [vpp-dev] Regarding Traffic selectors (IP and port range) usage in vnet/ipsec encrypt

Hi Neale, Thank you for the valuable information. I shall use the spd header file as reference. Regards. On Wed, Aug 11, 2021 at 5:51 PM Neale Ranns wrote: > Hi Vijay, > > > > Use the APIs in ipsec_spd.h > > > > /neale > > > > *From: *Vijay Kumar > *Date: *Wednesday, 11 August 2021 at

Re: [vpp-dev] Regarding Traffic selectors (IP and port range) usage in vnet/ipsec encrypt

Hi Vijay, Use the APIs in ipsec_spd.h /neale From: Vijay Kumar Date: Wednesday, 11 August 2021 at 14:05 To: Neale Ranns Cc: vpp-dev Subject: Re: [vpp-dev] Regarding Traffic selectors (IP and port range) usage in vnet/ipsec encrypt Hi Neale, Thanks for the clarification. We are not using

Re: [vpp-dev] Regarding Traffic selectors (IP and port range) usage in vnet/ipsec encrypt

Hi Neale, Thanks for the clarification. We are not using the VPP IKEv2 plugin. In our product, we use a different IKE stack but we program the SA keys and create IPSEC SA by calling ipsec_sa_add_and_lrock() API of vnet/ipsec. What is your suggestion If we wanted to implement policy (SPD) based

Re: [vpp-dev] Regarding Traffic selectors (IP and port range) usage in vnet/ipsec encrypt

Hi Vijay, VPP’s IKE implementation only supports route-based VPNs (where a tunnel interface is created) and not policy based (where the SPD is used). /neale From: vpp-dev@lists.fd.io on behalf of Vijay Kumar via lists.fd.io Date: Wednesday, 11 August 2021 at 13:00 To: vpp-dev Subject:

[vpp-dev] Regarding Traffic selectors (IP and port range) usage in vnet/ipsec encrypt

Hi Neale, I was looking at* ipsec_sa_add_and_lock*() function which is called by ikev2 to install IPSEC SA but I was NOT able to find anywhere the IKEv2 negotiated traffic selectors: IP addr range (start, stop) and port range (start, stop) being programmed to the vnet/ipsec. In such a case, how

Re: [vpp-dev] Python API fails to connect to vpp #vapi #vpp_papi #vpp

Hyong, > Thanks for the info, and using 'use_socket=True' did solve the issue > ('VPPApiClient' was already in use as it was imported as 'VPP' in my code). > Out of curiosity, why is the python shared memory transport deprecated? 1) there was no performance gain using shared memory over UDS

Re: [vpp-dev] There is a problem with the vppacl test

Hi, The previous screenshot shows ipv4(acl_dump) Very strange -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#19948): https://lists.fd.io/g/vpp-dev/message/19948 Mute This Topic: https://lists.fd.io/mt/84811042/21656 Group Owner:

Re: [vpp-dev] There is a problem with the vppacl test

Thanks for testing ! The l4 “port” values without l4 protocol value set do not make sense and thus are ignored. (Since they mean totally different things for TCP and ICMP). So your rule becomes “permit+reflect any any” which is what you observe in your test. See function

[vpp-dev] There is a problem with the vppacl test

acl_add_replace permit+reflect dport 21 acl_add_replace deny acl_interface_set_acl_list enp10s0 input 9 output 8 9 ssh can be accessed, but I don’t understand VPP version：v21.06 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#19946):