[vpp-dev] RFC for generic flow in native avf

2022-10-31 Thread Xu, Ting
Hi,

I submitted a patch for supporting generic flow in native avf.  
https://gerrit.fd.io/r/c/vpp/+/37563

Generic flow related features were discussed and accepted in the past two 
releases, for example, generic flow in dpdk plugins and packetforge. This time 
we are willing to enable it in native avf.
However, since native avf does not support RSS now, we should also enable RSS 
function this time. It is the reason why we mark this patch as RFC.

We only enabled RSS functions needed by generic flow in this patch. It will 
parse the generic flow patterns and deliver the spec and mask to kernel driver 
through virtual channel. The same in FDIR. Native avf does not need to 
translate generic flow to hardware accepted flow profile. It is the work of 
kernel driver. We kept a position for common RSS process, but it will do 
nothing.

Since the original "avf_flow_add" functions are only for FDIR, we extend them 
for RSS and FDIR both. The flow rule type (RSS or FDIR) will be determined by 
the flow command, for example, the "test flow" command in vnet/flow CLI, 
"redirect-to-queue 3" means FDIR and "rss function default" means RSS.


I would be grateful if maintainers can have a look at this RFC patch, and give 
comments especially on RSS design in native avf. Thanks!

Best Regards
Xu Ting



-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#22110): https://lists.fd.io/g/vpp-dev/message/22110
Mute This Topic: https://lists.fd.io/mt/94701971/21656
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/leave/1480452/21656/631435203/xyzzy 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



Re: [vpp-dev] snat support bind to specific subnets

2022-10-31 Thread lihuawei
Hi Filip,

Thanks for your suggestion, I will take into account all these.

Best regards,
Huawei LI

> On 1 Nov 2022, at 01:26, filvarga wrote:
> 
> Hi Li,
> 
> I would suggest looking into session logic implementation of NAT44-ED and 
> also into ACLs in VPP. The way to go would be to create a plugin that has 
> rate limiting nodes. 
> Now you have two options on how to rate limit:
> 
> 1) based on interface(s) - the more straightforward and easy to implement 
> solution.
>  - enable nodes with vnet_feature_enable_disable on specific interfaces
>  - hold a hash / pool that defines interface / interface combination that 
> should be rate limited
>    - hold counters
>    - consider how to effectively share values between threads (atomic 
> operations etc.)
> 
> 2) based on network(s)
>  - the same enable nodes as mentioned in 1)
>  - now decide if the precedence is interface or ACL, or just use two 
> different types of rate limiting that shouldn't be used together
>  - use VPP ACL implementation to create rules that need to be checked
>  - again some pool that holds the data and ACL / hash returns an index to the 
> pool with the data.
> 
> As rate limiting rules are configuration options and not sessions like in nat 
> you wouldn't need to have per thread data. Creating hash records or whatever 
> you decide to use
> would be done only through API/CLI which are thread safe operations. Then 
> just stick with atomics on the values.
> 
> The last part is for you to decide / implement some type of algo that decides 
> if the packet should be passed or dropped. This can be a little bit tricky 
> because of the VPPs batch processing or in other words how the vector of 
> packets is processed instead of per packet.
> 
> I would really advise you not to try to extend NAT with this functionality. 
> Separate plugin is a better solution.
> 
> I could look into this in my free time - if I have enough of it. Feel free to 
> pass any notes / ideas.
> 
> Best regards,
> Filip Varga
> 
> 
> On Mon, 31 Oct 2022 at 16:56, lihuawei wrote:
> Hi Filip & community,
> 
> About the rate limiting with NAT session, does anyone have recommended 
> reference?
> 
> Best regards,
> Huawei LI
> 
>> On 29 Oct 2022, at 04:14, filvarga wrote:
>> 
>> Hi, Li
>> 
>> There is no such goal. It wouldn’t be good idea to put rate limiting directly 
>> into NAT. For many good reasons.
>> 
>> Much better solution would be to implement a new rate limiting plugin.
>> 
>> If you need such a functionality feel free to contribute.
>> 
>> Best regards
>> 
>> On Fri, 28 Oct 2022 at 18:35, lihuawei wrote:
>> Hi Filip,
>> 
>> Yes, it’s "session rate limiting" what I mean.
>> 
>> Does community have any plan about "session rate limiting" in the classical 
>> flavours of nat?
>> 
>> 
>> Thanks & Regards,
>> Huawei LI
>> 
>>> On 28 Oct 2022, at 21:20, filvarga wrote:
>>> 
>>> Hi Li,
>>> 
>>> What exactly do you mean by "new nat session rate limit" ? There is no 
>>> session rate limiting in the classical flavours of nat 
>>> (nat44-ed,nat44-ei,det44,nat64,nat66)
>>> 
>>> Best regards,
>>> Filip Varga
>>> 
>>> 
>>> On Fri, 28 Oct 2022 at 3:09, lihuawei wrote:
>>> Hi Filip,
>>> 
>>> Thanks very much for your detailed instructions and configuration examples. 
>>> I will try this method later on.
>>> 
>>> Another question about nat, is there any support for new nat session rate 
>>> limit in vpp? 
>>> 
>>> 
>>> Thanks & Regards,
>>> Huawei LI
>>> 
>>>> On 28 Oct 2022, at 01:22, filvarga wrote:
>>>> 
>>>> Hi Li,
>>>> 
>>>> NAT44-ED doesn't support ACL. There are other NAT plugins in VPP. For 
>>>> example PNAT uses ACL rules. You should go through all of the options 
>>>> there are and pick the correct NAT flavor that will suffice.
>>>> 
>>>> Well your option is to do following:
>>>> 
>>>> 1)
>>>> 
>>>> # lan1 interface belongs to vrf1
>>>> # lan2 interface belongs to vrf2
>>>> # wan0 interface belongs to default fib 0
>>>> 
>>>> set interface nat44 in lan1
>>>> set interface nat44 in lan2
>>>> set interface nat44 out wan0
>>>> 
>>>> nat44 add address <...address..> tenant-vrf 1
>>>> nat44 add address <...address..> tenant-vrf 2
>>>> 
>>>> 2)
>>>> 
>>>> # lan1 and wan0 interfaces belong to default fib 0
>>>> # lan2 interface belongs to vrf1
>>>> 
>>>> --||--
>>>> 
>>>> nat44 add address <...address...>
>>>> nat44 add address <...address..> tenant-vrf 1
>>>> 
>>>> This is how you simply force the inside interface to use a specific NAT 
>>>> pool address.
>>>> 
>>>> Best regards,
>>>> Filip Varga
>>>> 
>>>> 
>>>> On Thu, 27 Oct 2022 at 18:58, lihuawei wrote:
>>>> Hi Filip,
>>>> 
>>>> I have searched your mail accounts, and didn’t find any acl configuration 
>>>> used with nat44. Do you mean use acl with nat44 address to achieve to my 
>>>> target creating nat sessions 

Re: [vpp-dev] snat support bind to specific subnets

2022-10-31 Thread filvarga
Hi Li,

I would suggest looking into session logic implementation of NAT44-ED and
also into ACLs in VPP. The way to go would be to create a plugin that has
rate limiting nodes.
Now you have two options on how to rate limit:

1) based on interface(s) - the more straightforward and easy to implement
solution.
 - enable nodes with vnet_feature_enable_disable on specific interfaces
 - hold a hash / pool that defines interface / interface combination that
should be rate limited
   - hold counters
   - consider how to effectively share values between threads (atomic
operations etc.)

2) based on network(s)
 - the same enable nodes as mentioned in 1)
 - now decide if the precedence is interface or ACL, or just use two
different types of rate limiting that shouldn't be used together
 - use VPP ACL implementation to create rules that need to be checked
 - again some pool that holds the data and ACL / hash returns an index to
the pool with the data.

As rate limiting rules are configuration options and not sessions like in
nat you wouldn't need to have per thread data. Creating hash records or
whatever you decide to use
would be done only through API/CLI which are thread safe operations. Then
just stick with atomics on the values.

The last part is for you to decide / implement some type of algo that
decides if the packet should be passed or dropped. This can be a little bit
tricky because of the VPPs batch processing or in other words how the
vector of packets is processed instead of per packet.

I would really advise you not to try to extend NAT with this functionality.
Separate plugin is a better solution.

I could look into this in my free time - if I have enough of it. Feel free
to pass any notes / ideas.

Best regards,
Filip Varga


On Mon, 31 Oct 2022 at 16:56, lihuawei wrote:

> Hi Filip & community,
>
> About the rate limiting with NAT session, does anyone have recommended
>  reference?
>
> Best regards,
> Huawei LI
>
> On 29 Oct 2022, at 04:14, filvarga wrote:
>
> Hi, Li
>
> There is no such goal. It wouldn’t be good idea to put rate limiting
> directly into NAT. For many good reasons.
>
> Much better solution would be to implement a new rate limiting plugin.
>
> If you need such a functionality feel free to contribute.
>
> Best regards
>
> On Fri, 28 Oct 2022 at 18:35, lihuawei  wrote:
>
>> Hi Filip,
>>
>> Yes, it’s "session rate limiting" what I mean.
>>
>> Does community have any plan about "session rate limiting" in the
>> classical flavours of nat?
>>
>>
>> Thanks & Regards,
>> Huawei LI
>>
>> On 28 Oct 2022, at 21:20, filvarga wrote:
>>
>> Hi Li,
>>
>> What exactly do you mean by "new nat session rate limit" ? There is no
>> session rate limiting in the classical flavours of nat
>> (nat44-ed,nat44-ei,det44,nat64,nat66)
>>
>> Best regards,
>> Filip Varga
>>
>>
>> On Fri, 28 Oct 2022 at 3:09, lihuawei wrote:
>>
>>> Hi Filip,
>>>
>>> Thanks very much for your detailed instructions and configuration
>>> examples. I will try this method later on.
>>>
>>> Another question about nat, is there any support for new nat session
>>> rate limit in vpp?
>>>
>>>
>>> Thanks & Regards,
>>> Huawei LI
>>>
>>> On 28 Oct 2022, at 01:22, filvarga wrote:
>>>
>>> Hi Li,
>>>
>>> NAT44-ED doesn't support ACL. There are other NAT plugins in VPP. For
>>> example PNAT uses ACL rules. You should go through all of the options there
>>> are and pick the correct NAT flavor that will suffice.
>>>
>>> Well your option is to do following:
>>>
>>> 1)
>>>
>>> # lan1 interface belongs to vrf1
>>> # lan2 interface belongs to vrf2
>>> # wan0 interface belongs to default fib 0
>>>
>>> set interface nat44 in lan1
>>> set interface nat44 in lan2
>>> set interface nat44 out wan0
>>>
>>> nat44 add address <...address..> tenant-vrf 1
>>> nat44 add address <...address..> tenant-vrf 2
>>>
>>> 2)
>>>
>>> # lan1 and wan0 interfaces belong to default fib 0
>>> # lan2 interface belongs to vrf1
>>>
>>> --||--
>>>
>>> nat44 add address <...address...>
>>> nat44 add address <...address..> tenant-vrf 1
>>>
>>> This is how you simply force the inside interface to use a specific NAT
>>> pool address.
>>>
>>> Best regards,
>>> Filip Varga
>>>
>>>
>>> On Thu, 27 Oct 2022 at 18:58, lihuawei wrote:
>>>
>>>> Hi Filip,
>>>>
>>>> I have searched your mail accounts, and didn’t find any acl
>>>> configuration used with nat44. Do you mean use acl with nat44 address to
>>>> achieve to my target creating nat sessions based packet’s source ip's
>>>> network?
>>>>
>>>> How about multi nat addresses respectively used for multi-subnets in a
>>>> vrf?
>>>>
>>>> Thanks & Regards,
>>>> Huawei LI
>>>>
>>>> On 27 Oct 2022, at 22:06, filvarga wrote:
>>>>
>>>> Hi Li,
>>>>
>>>> Yes, try to search one of my mail accounts (current/previous) for
>>>> example fiva...@cisco.com, filipvarg...@gmail.com or my name.
>>>> If you are looking for a feature that does ACL matching based on source
>>>> address you should try to look in different implementations of nat44, there
>>>> are more than one in vpp (one even supports acl 
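
The rate-limiting design outlined in the message above (a shared per-rule record, counters updated with atomics, and a pass/drop decision taken once per vector of packets) can be sketched as a token bucket. This is an added example, not VPP code and not code from the thread: `rl_bucket_t`, `rl_init` and `rl_admit_vector` are hypothetical names, it uses plain C11 atomics rather than VPP primitives, and the timestamps in `main` are constructed.

```c
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>

#define NS_PER_SEC 1000000000ULL

/* Hypothetical per-rule state: one pool entry, found by interface index or
 * ACL match, shared by every worker thread. rate and burst are written once
 * from the control plane; the rest is only touched with atomics. */
typedef struct
{
  uint64_t rate;            /* tokens (packets or new sessions) per second */
  uint64_t burst;           /* bucket depth; assumed well below 2^34 */
  _Atomic uint64_t tokens;  /* tokens currently available */
  _Atomic uint64_t last_ns; /* time up to which tokens have been credited */
  _Atomic uint64_t passed;  /* counters */
  _Atomic uint64_t dropped;
} rl_bucket_t;

void
rl_init (rl_bucket_t *b, uint64_t rate, uint64_t burst, uint64_t now_ns)
{
  b->rate = rate;
  b->burst = burst;
  atomic_init (&b->tokens, burst);
  atomic_init (&b->last_ns, now_ns);
  atomic_init (&b->passed, 0);
  atomic_init (&b->dropped, 0);
}

/* Credit tokens for the time since last_ns. Only the thread that wins the
 * compare-and-swap on last_ns credits the interval, so no interval is
 * counted twice when several workers arrive together. */
static void
rl_refill (rl_bucket_t *b, uint64_t now_ns)
{
  uint64_t last = atomic_load (&b->last_ns);
  if (now_ns <= last)
    return;
  uint64_t elapsed = now_ns - last;
  uint64_t add = (elapsed / NS_PER_SEC) * b->rate
                 + (elapsed % NS_PER_SEC) * b->rate / NS_PER_SEC;
  if (add == 0)
    return; /* leave last_ns alone so the fraction keeps accumulating */
  uint64_t new_last = now_ns;
  if (add < b->burst)
    new_last = last + add * NS_PER_SEC / b->rate; /* keep the remainder */
  else
    add = b->burst;
  if (!atomic_compare_exchange_strong (&b->last_ns, &last, new_last))
    return; /* another worker already credited this interval */
  uint64_t cur = atomic_load (&b->tokens), next;
  do
    next = (cur + add > b->burst) ? b->burst : cur + add;
  while (!atomic_compare_exchange_weak (&b->tokens, &cur, next));
}

/* One call per vector, not per packet: claim up to n_pkts tokens in a single
 * atomic update. Returns how many packets of the vector may pass; the caller
 * forwards that many and drops the rest. */
uint32_t
rl_admit_vector (rl_bucket_t *b, uint64_t now_ns, uint32_t n_pkts)
{
  rl_refill (b, now_ns);
  uint64_t cur = atomic_load (&b->tokens), take;
  do
    take = cur < n_pkts ? cur : n_pkts;
  while (take && !atomic_compare_exchange_weak (&b->tokens, &cur, cur - take));
  atomic_fetch_add (&b->passed, take);
  atomic_fetch_add (&b->dropped, n_pkts - take);
  return (uint32_t) take;
}

int
main (void)
{
  /* Constructed input: 1000 tokens/s, burst 256, five vectors. */
  static const struct { uint64_t t_ns; uint32_t n; } vec[] = {
    { 0, 256 }, { 0, 256 }, { 100000000ULL, 256 },
    { 100500000ULL, 4 }, { 101000000ULL, 4 },
  };
  rl_bucket_t b;
  rl_init (&b, 1000, 256, 0);
  for (unsigned i = 0; i < sizeof vec / sizeof vec[0]; i++)
    printf ("t=%llu ns vector=%u admitted=%u\n",
            (unsigned long long) vec[i].t_ns, vec[i].n,
            rl_admit_vector (&b, vec[i].t_ns, vec[i].n));
  printf ("passed=%llu dropped=%llu\n",
          (unsigned long long) atomic_load (&b.passed),
          (unsigned long long) atomic_load (&b.dropped));
  return 0;
}
```

Claiming tokens once per vector keeps the shared cache line to one contended update per batch; which packets of a partially admitted vector are dropped is a policy choice the sketch leaves to the caller.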

Re: [vpp-dev] DNS Resolution over VCL

2022-10-31 Thread Florin Coras
Hi Anthony, 

Assuming the host os has network connectivity beyond vpp for dns resolution, 
this is surprising. Would be good to understand if anything actually makes its 
way into ldp during a gethostbyname() call. 

Native integration with vcl, as opposed to ldp, should solve the problem but 
that obviously means more work and it might not be possible in some cases. If 
your use case relies on more of vpp’s features, beyond host stack, tap/memif 
interfaces are also a good option. 

Regards, 
Florin

> On Oct 31, 2022, at 6:24 AM, Anthony Fee  wrote:
> 
> Hi Florin,
> 
> Thank you for the reply, much appreciated. I assume that gethostbyname() uses 
> something under the hood that LDP does intercept, otherwise it would continue 
> to use the Linux implementation to resolve hostnames. From what I can see, 
> right now LDP renders gethostbyname() unusable in the application. Are you 
> aware of this behaviour? If so, is there any workaround when using VCL or is 
> it better to just use another mechanism to interface with VPP?
> 
> I don't have the scope to look at this now, but I will likely need this 
> functionality in the future so would be interested in implementing it when 
> the time comes. I know that you are mainly focused on server side at the 
> moment so this probably isn't much of an issue. I'm getting asked more on the 
> client side these days so it is of interest to me.
> 
> Thanks again,
> Anthony 
> 
> 





Re: [vpp-dev] snat support bind to specific subnets

2022-10-31 Thread lihuawei
Hi Filip & community,

About the rate limiting with NAT session, does anyone have recommended 
reference?

Best regards,
Huawei LI

> On 29 Oct 2022, at 04:14, filvarga wrote:
> 
> Hi, Li
> 
> There is no such goal. It wouldn’t be good idea to put rate limiting directly 
> into NAT. For many good reasons.
> 
> Much better solution would be to implement a new rate limiting plugin.
> 
> If you need such a functionality feel free to contribute.
> 
> Best regards
> 
> On Fri, 28 Oct 2022 at 18:35, lihuawei wrote:
> Hi Filip,
> 
> Yes, it’s "session rate limiting" what I mean.
> 
> Does community have any plan about "session rate limiting" in the classical 
> flavours of nat?
> 
> 
> Thanks & Regards,
> Huawei LI
> 
>> On 28 Oct 2022, at 21:20, filvarga wrote:
>> 
>> Hi Li,
>> 
>> What exactly do you mean by "new nat session rate limit" ? There is no 
>> session rate limiting in the classical flavours of nat 
>> (nat44-ed,nat44-ei,det44,nat64,nat66)
>> 
>> Best regards,
>> Filip Varga
>> 
>> 
>> On Fri, 28 Oct 2022 at 3:09, lihuawei wrote:
>> Hi Filip,
>> 
>> Thanks very much for your detailed instructions and configuration examples. 
>> I will try this method later on.
>> 
>> Another question about nat, is there any support for new nat session rate 
>> limit in vpp? 
>> 
>> 
>> Thanks & Regards,
>> Huawei LI
>> 
>>> On 28 Oct 2022, at 01:22, filvarga wrote:
>>> 
>>> Hi Li,
>>> 
>>> NAT44-ED doesn't support ACL. There are other NAT plugins in VPP. For 
>>> example PNAT uses ACL rules. You should go through all of the options there 
>>> are and pick the correct NAT flavor that will suffice.
>>> 
>>> Well your option is to do following:
>>> 
>>> 1)
>>> 
>>> # lan1 interface belongs to vrf1
>>> # lan2 interface belongs to vrf2
>>> # wan0 interface belongs to default fib 0
>>> 
>>> set interface nat44 in lan1
>>> set interface nat44 in lan2
>>> set interface nat44 out wan0
>>> 
>>> nat44 add address <...address..> tenant-vrf 1
>>> nat44 add address <...address..> tenant-vrf 2
>>> 
>>> 2)
>>> 
>>> # lan1 and wan0 interfaces belong to default fib 0
>>> # lan2 interface belongs to vrf1
>>> 
>>> --||--
>>> 
>>> nat44 add address <...address...>
>>> nat44 add address <...address..> tenant-vrf 1
>>> 
>>> This is how you simply force the inside interface to use a specific NAT 
>>> pool address.
>>> 
>>> Best regards,
>>> Filip Varga
>>> 
>>> 
>>> On Thu, 27 Oct 2022 at 18:58, lihuawei wrote:
>>> Hi Filip,
>>> 
>>> I have searched your mail accounts, and didn’t find any acl configuration 
>>> used with nat44. Do you mean use acl with nat44 address to achieve to my 
>>> target creating nat sessions based packet’s source ip's network? 
>>> 
>>> How about multi nat addresses respectively used for multi-subnets in a vrf?
>>> 
>>> Thanks & Regards,
>>> Huawei LI
>>> 
>>>> On 27 Oct 2022, at 22:06, filvarga wrote:
>>>> 
>>>> Hi Li,
>>>> 
>>>> Yes, try to search one of my mail accounts (current/previous) for example 
>>>> fiva...@cisco.com, filipvarg...@gmail.com or my name.
>>>> If you are looking for a feature that does ACL matching based on source 
>>>> address you should try to look in different implementations of nat44, 
>>>> there are more than one in vpp (one even supports acl matching).
>>>> 
>>>> Yes, the support for matching based on source subnet is not part of 
>>>> nat44-ed and It would greatly change the current state for it. I wouldn't 
>>>> suggest doing such a radical change. You can ofc. use as I mentioned 
>>>> previously VRF logic. The only thing you need is 1 extra vrf to put one of 
>>>> the inside interfaces into in conjunction with nat44 add address ... 
>>>> tenant-vrf . 
>>>> 
>>>> Regarding your problem with the bridge in VPP. You can go about using a 
>>>> bridge in linux and connecting both interfaces in VPP to it. You would 
>>>> even be able to have both VPP interfaces in the same subnet.
>>>> 
>>>> Best regards,
>>>> Filip Varga
>>>> 
>>>> 
>>>> On Thu, 27 Oct 2022 at 15:04, lihuawei wrote:
>>>> Hi Filip,
>>>> 
>>>> Sorry, I didn’t state the demands clearly. My demand is to let a nat ip 
>>>> address just only work for specific src network prefix in a vpc, the nat 
>>>> sessions using the nat ip address will be created only when the i2o 
>>>> packets’s src ip matches the specific network prefix in the vpc.
>>>> 1) I saw the snat_address_t’s member net is used only for matching the 
>>>> packets’s dst ip in nat_ed_alloc_addr_and_port.
>>>> 2) using multiple vrfs to isolate the network is a method, but will use 
>>>> more other configures, and makes the traffic model more complex.
>>>> 
>>>> By view the codes about nat44-ed, I don’t think there is any configuration 
>>>> examples about the demand I mentioned above. Do you have any keywords 
 

Re: [vpp-dev] snat support bind to specific subnets

2022-10-31 Thread filvarga
Hi Li,

Glad to help.

Best regards,

Filip

On Mon, 31 Oct 2022 at 16:52, lihuawei  wrote:

> Hi Filip,
>
> I have tried to use extra vrf for routing the nat packets in my nat
> traffic scenario, it worked good, just caused a little bit of a problem
> and could be circumvented. I also tried the other way to add network
> prefix member in struct snat_address_t, it worked well too, and this method
> will simplify the traffic model and reduce vpp configuration in my
> scenario. I'll take it all into consideration, and choose the better one
> for me.
>
> Best regards,
> Huawei LI
>
> On 28 Oct 2022, at 01:22, filvarga wrote:
>
> Hi Li,
>
> NAT44-ED doesn't support ACL. There are other NAT plugins in VPP. For
> example PNAT uses ACL rules. You should go through all of the options there
> are and pick the correct NAT flavor that will suffice.
>
> Well your option is to do following:
>
> 1)
>
> # lan1 interface belongs to vrf1
> # lan2 interface belongs to vrf2
> # wan0 interface belongs to default fib 0
>
> set interface nat44 in lan1
> set interface nat44 in lan2
> set interface nat44 out wan0
>
> nat44 add address <...address..> tenant-vrf 1
> nat44 add address <...address..> tenant-vrf 2
>
> 2)
>
> # lan1 and wan0 interfaces belong to default fib 0
> # lan2 interface belongs to vrf1
>
> --||--
>
> nat44 add address <...address...>
> nat44 add address <...address..> tenant-vrf 1
>
> This is how you simply force the inside interface to use a specific NAT
> pool address.
>
> Best regards,
> Filip Varga
>
>
> On Thu, 27 Oct 2022 at 18:58, lihuawei wrote:
>
>> Hi Filip,
>>
>> I have searched your mail accounts, and didn’t find any acl configuration
>> used with nat44. Do you mean use acl with nat44 address to achieve to my
>> target creating nat sessions based packet’s source ip's network?
>>
>> How about multi nat addresses respectively used for multi-subnets in a
>> vrf?
>>
>> Thanks & Regards,
>> Huawei LI
>>
>> On 27 Oct 2022, at 22:06, filvarga wrote:
>>
>> Hi Li,
>>
>> Yes, try to search one of my mail accounts (current/previous) for example
>>  fiva...@cisco.com, filipvarg...@gmail.com or my name.
>> If you are looking for a feature that does ACL matching based on source
>> address you should try to look in different implementations of nat44, there
>> are more than one in vpp (one even supports acl matching).
>>
>> Yes, the support for matching based on source subnet is not part of
>> nat44-ed and It would greatly change the current state for it. I wouldn't
>> suggest doing such a radical change. You can ofc. use as I mentioned
>> previously VRF logic. The only thing you need is 1 extra vrf to put one of
>> the inside interfaces into in conjunction with nat44 add address ...
>> tenant-vrf .
>>
>> Regarding your problem with the bridge in VPP. You can go about using a
>> bridge in linux and connecting both interfaces in VPP to it. You would even
>> be able to have both VPP interfaces in the same subnet.
>>
>> Best regards,
>> Filip Varga
>>
>>
>> On Thu, 27 Oct 2022 at 15:04, lihuawei wrote:
>>
>>> Hi Filip,
>>>
>>> Sorry, I didn’t state the demands clearly. My demand is to let a nat ip
>>> address just only work for specific src network prefix in a vpc, the nat
>>> sessions using the nat ip address will be created only when the i2o
>>> packets’s src ip matches the specific network prefix in the vpc.
>>> 1) I saw the snat_address_t’s member net is used only for matching the
>>> packets’s dst ip in nat_ed_alloc_addr_and_port.
>>> 2) using multiple vrfs to isolate the network is a method, but will use
>>> more other configures, and makes the traffic model more complex.
>>>
>>> By view the codes about nat44-ed, I don’t think there is any
>>> configuration examples about the demand I mentioned above. Do you have any
>>> keywords about the configuration examples? I want to try a search in
>>> mailing list with them.
>>>
>>> Do I understand this right? Looking forward to hearing any further
>>> ideas or suggestions from you.
>>>
>>> Thanks & Regards,
>>> Huawei LI
>>>
>>> On 27 Oct 2022, at 16:52, filvarga wrote:
>>>
>>> Hi Li,
>>>
>>> There are few errors in your statement.
>>>
>>> 1) SNAT - is an obsolete name for the old nat plugin.
>>> 2) NAT is split among multiple plugins
>>> 3) one of the plugins - nat44-ed (the most used and preferred) does
>>> support all of the things you have mentioned
>>>
>>> Please feel free to search in the community mailing list for
>>> configuration examples. There is also .rst file in the nat44-ed plugin
>>> directory (may not contain all of the supported configuration). Also check
>>> the api.c and cli.c for all available configuration options.
>>>
>>> After you have done above mentioned feel free to ask regarding specific
>>> configuration issue.
>>>
>>> Best regards,
>>> Filip Varga
>>>
>>>
>>> On Fri, 21 Oct 2022 at 4:01, lihuawei wrote:
>>>
>>>> Hi John & Everyone & Community,
>>>>
>>>> In my scene, it is the demand to put multiple subnets in one BD. A few
>>>> days ago, I have found the other proper idea 

Re: [vpp-dev] snat support bind to specific subnets

2022-10-31 Thread lihuawei
Hi Filip,

I have tried to use extra vrf for routing the nat packets in my nat traffic 
scenario, it worked good, just caused a little bit of a problem and could be 
circumvented. I also tried the other way to add network prefix member in struct 
snat_address_t, it worked well too, and this method will simplify the traffic 
model and reduce vpp configuration in my scenario. I'll take it all into 
consideration, and choose the better one for me.

Best regards,
Huawei LI

> On 28 Oct 2022, at 01:22, filvarga wrote:
> 
> Hi Li,
> 
> NAT44-ED doesn't support ACL. There are other NAT plugins in VPP. For example 
> PNAT uses ACL rules. You should go through all of the options there are and 
> pick the correct NAT flavor that will suffice.
> 
> Well your option is to do following:
> 
> 1)
> 
> # lan1 interface belongs to vrf1
> # lan2 interface belongs to vrf2
> # wan0 interface belongs to default fib 0
> 
> set interface nat44 in lan1
> set interface nat44 in lan2
> set interface nat44 out wan0
> 
> nat44 add address <...address..> tenant-vrf 1
> nat44 add address <...address..> tenant-vrf 2
> 
> 2)
> 
> # lan1 and wan0 interfaces belong to default fib 0
> # lan2 interface belongs to vrf1
> 
> --||--
> 
> nat44 add address <...address...>
> nat44 add address <...address..> tenant-vrf 1
> 
> This is how you simply force the inside interface to use a specific NAT pool 
> address.
> 
> Best regards,
> Filip Varga
> 
> 
> On Thu, 27 Oct 2022 at 18:58, lihuawei wrote:
> Hi Filip,
> 
> I have searched your mail accounts, and didn’t find any acl configuration 
> used with nat44. Do you mean use acl with nat44 address to achieve to my 
> target creating nat sessions based packet’s source ip's network? 
> 
> How about multi nat addresses respectively used for multi-subnets in a vrf?
> 
> Thanks & Regards,
> Huawei LI
> 
>> On 27 Oct 2022, at 22:06, filvarga wrote:
>> 
>> Hi Li,
>> 
>> Yes, try to search one of my mail accounts (current/previous) for example 
>> fiva...@cisco.com, filipvarg...@gmail.com or my name.
>> If you are looking for a feature that does ACL matching based on source 
>> address you should try to look in different implementations of nat44, there 
>> are more than one in vpp (one even supports acl matching).
>> 
>> Yes, the support for matching based on source subnet is not part of nat44-ed 
>> and It would greatly change the current state for it. I wouldn't suggest 
>> doing such a radical change. You can ofc. use as I mentioned previously VRF 
>> logic. The only thing you need is 1 extra vrf to put one of the inside 
>> interfaces into in conjunction with nat44 add address ... tenant-vrf 
>> . 
>> 
>> Regarding your problem with the bridge in VPP. You can go about using a 
>> bridge in linux and connecting both interfaces in VPP to it. You would even 
>> be able to have both VPP interfaces in the same subnet.
>> 
>> Best regards,
>> Filip Varga
>> 
>> 
>> On Thu, 27 Oct 2022 at 15:04, lihuawei wrote:
>> Hi Filip,
>> 
>> Sorry, I didn’t state the demands clearly. My demand is to let a nat ip 
>> address just only work for specific src network prefix in a vpc, the nat 
>> sessions using the nat ip address will be created only when the i2o 
>> packets’s src ip matches the specific network prefix in the vpc.
>> 1) I saw the snat_address_t’s member net is used only for matching the 
>> packets’s dst ip in nat_ed_alloc_addr_and_port.
>> 2) using multiple vrfs to isolate the network is a method, but will use more 
>> other configures, and makes the traffic model more complex.
>> 
>> By view the codes about nat44-ed, I don’t think there is any configuration 
>> examples about the demand I mentioned above. Do you have any keywords about 
>> the configuration examples? I want to try a search in mailing list with them.
>> 
>> Do I understand this right? Looking forward to hearing any further ideas or 
>> suggestions from you.
>> 
>> Thanks & Regards,
>> Huawei LI
>> 
>>> On 27 Oct 2022, at 16:52, filvarga wrote:
>>> 
>>> Hi Li,
>>> 
>>> There are few errors in your statement.
>>> 
>>> 1) SNAT - is an obsolete name for the old nat plugin.
>>> 2) NAT is split among multiple plugins
>>> 3) one of the plugins - nat44-ed (the most used and preferred) does support 
>>> all of the things you have mentioned
>>> 
>>> Please feel free to search in the community mailing list for configuration 
>>> examples. There is also .rst file in the nat44-ed plugin directory (may not 
>>> contain all of the supported configuration). Also check the api.c and cli.c 
>>> for all available configuration options.
>>> 
>>> After you have done above mentioned feel free to ask regarding specific 
>>> configuration issue.
>>> 
>>> Best regards,
>>> Filip Varga
>>> 
>>> 
>>> On Fri, 21 Oct 2022 at 4:01, lihuawei wrote:
>>> Hi John & Everyone & 

[vpp-dev] confusion about bvi && bridge-domain && l2fib

2022-10-31 Thread lihuawei
Hi community,

I tested and studied the bvi && bridge-domain && l2fib recently, and have a 
confusion about them.

When config "set interface l2 bridge loop1 1 bvi", only one bvi interface can 
be set in a bridge domain, checked and used at l2 flood process.
When config "l2fib add 00:50:56:95:a9:b2 1 loop1 bvi", multiple bvi interfaces 
can be set in a bridge domain, checked and used at l2 fwd process.

Is the design about bvi set in a bridge domain normal? Or use different 
concepts to distinguish the above two scenarios?

Best regards,
Huawei LI





Re: [vpp-dev] Are some VPP releases considered LTS releases?

2022-10-31 Thread Andrew Yourtchenko
Hi Elias,

No, there are no VPP LTS releases.

However, VPP FD.io infra retains the config to have Jenkins jobs for CI for the 
current and the previous release, on a rolling basis - and the fixes may be 
cherry-picked there by the community members wishing to do so.

--a

> On 31 Oct 2022, at 10:15, Elias Rudberg  wrote:
> 
> Hello VPP experts,
> 
> Are some VPP releases considered LTS (long-term support) releases?
> If so, which is the latest LTS version at this time?
> 
> Best regards,
> Elias
> 
> 
> 
> 




Re: [vpp-dev] DNS Resolution over VCL

2022-10-31 Thread Anthony Fee
Hi Florin,

Thank you for the reply, much appreciated. I assume that gethostbyname() uses 
something under the hood that LDP does intercept, otherwise it would continue 
to use the Linux implementation to resolve hostnames. From what I can see, 
right now LDP renders gethostbyname() unusable in the application. Are you 
aware of this behaviour? If so, is there any workaround when using VCL or is it 
better to just use another mechanism to interface with VPP?

I don't have the scope to look at this now, but I will likely need this 
functionality in the future so would be interested in implementing it when the 
time comes. I know that you are mainly focused on server side at the moment so 
this probably isn't much of an issue. I'm getting asked more on the client side 
these days so it is of interest to me.

Thanks again,
Anthony




Re: [vpp-dev] Gerrit Review Id 37559

2022-10-31 Thread filvarga
On it.

Best regards,
Filip Varga


On Mon, 31 Oct 2022 at 14:13, lihuawei wrote:

> Hi community,
>
> I have added a fix as gerrit review id 37559.
>
> *gerrit link: https://gerrit.fd.io/r/c/vpp/+/37559
> *
>
> *short description: *Fix byte order error about the struct
> snat_address_t's member net. For example configurations:
> set interface ip table loop1 1
> set interface ip addr loop1 10.10.10.2/24
> nat44 add address 10.10.10.2 tenant-vrf 1
> The snat address's net should be "as_u8 = {0xa, 0xa, 0xa, 0x0}", but now
> it's "as_u8 = {0x0, 0xa, 0xa, 0x2}" because of missing transition of byte
> order about the member net of snat_address_t.
> (gdb) p/x *snat_main->addresses $3 = {addr = {data = {0xa, 0xa, 0xa, 0x2},
> data_u32 = 0x20a0a0a, as_u8 = {0xa, 0xa, 0xa, 0x2}, as_u16 = {0xa0a,
> 0x20a}, as_u32 = 0x20a0a0a}, net = {data = {0x0, 0xa, 0xa, 0x2}, data_u32 =
> 0x20a0a00, as_u8 = {0x0, 0xa, 0xa, 0x2}, as_u16 = {0xa00, 0x20a}, as_u32 =
> 0x20a0a00}, sw_if_index = 0x3, fib_index = 0x1,addr_len = 0x18}
> (gdb).
>
> Please have a look at my patch and review it.
>
> Best Regards,
> Huawei LI

View/Reply Online (#22100): https://lists.fd.io/g/vpp-dev/message/22100



[vpp-dev] Gerrit Review Id 37559

2022-10-31 Thread lihuawei
Hi community,
 
I have added a fix as gerrit review id 37559.

gerrit link: https://gerrit.fd.io/r/c/vpp/+/37559 


short description: Fix byte order error about the struct snat_address_t's 
member net. For example configurations: 
set interface ip table loop1 1 
set interface ip addr loop1 10.10.10.2/24  
nat44 add address 10.10.10.2  tenant-vrf 1 
The snat address's net should be "as_u8 = {0xa, 0xa, 0xa, 0x0}", but now it's 
"as_u8 = {0x0, 0xa, 0xa, 0x2}" because of missing transition of byte order 
about the member net of snat_address_t.
(gdb) p/x *snat_main->addresses
$3 = {addr = {data = {0xa, 0xa, 0xa, 0x2}, data_u32 = 0x20a0a0a,
  as_u8 = {0xa, 0xa, 0xa, 0x2}, as_u16 = {0xa0a, 0x20a},
  as_u32 = 0x20a0a0a}, net = {data = {0x0, 0xa, 0xa, 0x2},
  data_u32 = 0x20a0a00, as_u8 = {0x0, 0xa, 0xa, 0x2},
  as_u16 = {0xa00, 0x20a}, as_u32 = 0x20a0a00},
  sw_if_index = 0x3, fib_index = 0x1,addr_len = 0x18}
(gdb).

Please have a look at my patch and review it.

Best Regards,
Huawei LI


View/Reply Online (#22099): https://lists.fd.io/g/vpp-dev/message/22099
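
Added example, not part of the original message and not the code from Gerrit change 37559: a minimal reproduction of the byte pattern in the gdb output above. The names demo_ip4_t, host_mask, net_unswapped, net_swapped, sample_addr and ip4_is are hypothetical, and the faulty pattern (a host-order /24 mask applied to an address stored in network byte order) is an assumption inferred from the dump.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for an IPv4 address held in network byte order. */
typedef union { uint8_t as_u8[4]; uint32_t as_u32; } demo_ip4_t;

/* Host-order netmask for a prefix length of 1..32 (24 -> 0xffffff00). */
static uint32_t host_mask(unsigned len) { return 0xffffffffu << (32 - len); }

/* Assumed faulty pattern: host-order mask on a network-order address. */
demo_ip4_t net_unswapped(demo_ip4_t addr, unsigned len)
{
    addr.as_u32 &= host_mask(len);
    return addr;
}

/* Mask converted to network byte order before it is applied. */
demo_ip4_t net_swapped(demo_ip4_t addr, unsigned len)
{
    addr.as_u32 &= htonl(host_mask(len));
    return addr;
}

/* Constructed sample matching the configuration above: 10.10.10.2 */
demo_ip4_t sample_addr(void)
{
    demo_ip4_t a = { .as_u8 = { 10, 10, 10, 2 } };
    return a;
}

/* Returns 1 when the stored bytes are exactly b0.b1.b2.b3. */
int ip4_is(demo_ip4_t a, uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3)
{
    return a.as_u8[0] == b0 && a.as_u8[1] == b1 &&
           a.as_u8[2] == b2 && a.as_u8[3] == b3;
}

int main(void)
{
    demo_ip4_t bad = net_unswapped(sample_addr(), 24);
    demo_ip4_t ok = net_swapped(sample_addr(), 24);
    printf("unswapped: %d.%d.%d.%d\n", bad.as_u8[0], bad.as_u8[1], bad.as_u8[2], bad.as_u8[3]);
    printf("swapped:   %d.%d.%d.%d\n", ok.as_u8[0], ok.as_u8[1], ok.as_u8[2], ok.as_u8[3]);
    return 0;
}
```

On a big-endian host both functions return the same value, so the mismatch only shows up on little-endian machines.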



[vpp-dev] gerrit GPG account issue

2022-10-31 Thread filvarga
Hi guys,

I was trying to set up a GPG signature for signing my commits. I followed
github guides [0] [1] that I used previously for setting up my github
account with GPG signing.

I face an issue when I try to add my exported public key into the New GPG
key gerrit field. Basically what happens is that I receive the following error:

Error 400 (Bad Request): Problems with public key 8DC0D124 Filip Varga <
filipvarg...@gmail.com> (2423 8FAC 8EA1 571B 8799 0C96 6769 C6D2 8DC0
D124): Error checking user IDs for key Endpoint: /r/accounts/self/gpgkeys

I went through this process on my previous company account. I didn't face
this issue back then.

Export command used:
`gpg --armor --export`

Any help will be appreciated. Thank you in advance.

[0]
https://docs.github.com/en/authentication/managing-commit-signature-verification/generating-a-new-gpg-key
[1]
https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key

Best regards,
Filip Varga

View/Reply Online (#22098): https://lists.fd.io/g/vpp-dev/message/22098



[vpp-dev] Are some VPP releases considered LTS releases?

2022-10-31 Thread Elias Rudberg
Hello VPP experts,

Are some VPP releases considered LTS (long-term support) releases?
If so, which is the latest LTS version at this time?

Best regards,
Elias


View/Reply Online (#22097): https://lists.fd.io/g/vpp-dev/message/22097