Re: [vpp-dev] Issues adding ACL with binary_api

[Andrew Yourtchenko]

Have a look at https://git.fd.io/vpp/tree/src/plugins/acl/acl_test.c#n565 to 
check what you need to specify.

“T” in VAT stands for “test”, so there may be not enough TLC harness around. 
Feel free to submit changes that improve the user friendliness :)

--a

> On 23 Aug 2021, at 21:36, satish amara  wrote:
> 
> 
> [Edited Message Follows]
> 
> Hi,
>I tried to add ACL rule by following commands.  There was no error. A new 
> ACL index is created. When I do show  ACL , count is 0, and the  ACL rule is 
> not displayed.
> 
> vat# acl_add_replace  ipv4 permit src 30.30.30.1/32 dst 40.40.40.1/32 sport 
> 1000 dport 1000, ipv4 permit src 10.10.10.0/24, ipv4 permit src 20.20.20.0/24
> vl_api_acl_add_replace_reply_t_handler:73: ACL index: 0
> 
> 
> vat# acl_dump
> vl_api_acl_details_t_handler:194: acl_index: 0, count: 0
>tag {}
> vat#
> 
>  
> If I  use debug CLI it works, for example 
> set acl-plugin acl permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 
> 17 sport 100 dport 1
>  
>  
> Thanks,
> Satish K Amara
> 
> 
> 

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#20014): https://lists.fd.io/g/vpp-dev/message/20014
Mute This Topic: https://lists.fd.io/mt/85093357/21656
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[vpp-dev] Linux CP: crash in lcp_node.c

[Pim van Pelt]

Hoi,

I've noticed that when a linuxcp enabled VPP 21.06 with multiple threads
receives many ARP requests, eventually it crashes in lcp_arp_phy_node in
lcp_node.c:675 and :775 because we do a vlib_buffer_copy() which returns
NULL, after which we try to dereference the result. How to repro:
1) create a few interfaces/subints and give them IP addresses in Linux and
VPP. I made 5 phy subints and 5 subints on a bondethernet.
2) rapidly fping the Linux CP and at the same time continuously flush the
neighbor cache on the Linux namespace:
On the vpp machine in 'dataplane' namespace:
  while :; do ip nei flush all; done
On a Linux machine connected to VPP:
  while :; do fping -c 1 -B 1 -p 10 10.1.1.2 10.1.2.2 10.1.3.2 10.1.4.2
10.1.5.2 10.0.1.2 10.0.2.2 10.0.3.2 10.0.4.2 10.0.5.2 2001:db8:1:1::2
2001:db8:1:2::2 2001:db8:1:3::2 2001:db8:1:4::2 2001:db8:1:5::2
2001:db8:0:1::2 2001:db8:0:2::2 2001:db8:0:3::2 2001:db8:0:4::2
2001:db8:0:5::2; done

VPP will now be seeing lots of ARP traffic to and from the host. After a
while, c0 or c1 from lcp_node.c:675 and lcp_node.c:775 will be NULL and
cause a crash.
I temporarily worked around this by simply adding:

@@ -675,6 +675,10 @@ VLIB_NODE_FN (lcp_arp_phy_node)

  c0 = vlib_buffer_copy (vm, b0);

  vlib_buffer_advance (b0, len0);



+ // pim(2021-08-24) -- address SIGSEGV when copy returns
NULL

+ if (!c0)

+   continue;

+

  /* Send to the host */

  vnet_buffer (c0)->sw_if_index[VLIB_TX] =

lip0->lip_host_sw_if_index;

but I'm not very comfortable in this part of VPP, and I'm sure there's a
better way to catch the buffer copy failing? I haven't quite understood
this code yet, but shouldn't we free c0 and c1 in these functions? It seems
that when I'm doing my rapid ping/arp/flush exercise above, VPP is slowly
consuming more memory (as seen by show memory main-heap; all 4 threads are
monotonously growing by a few hundred kB per minute of runtime).

If somebody could help me take a look, I'd appreciate it.

groet,
Pim
-- 
Pim van Pelt 
PBVP1-RIPE - http://www.ipng.nl/

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#20013): https://lists.fd.io/g/vpp-dev/message/20013
Mute This Topic: https://lists.fd.io/mt/85107134/21656
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-