Hi Experts,
I got tired trying several ways to add the IPV6 ACL rules using the API. I couldn't
succeed.
The same thing is working fine with an IPv4 rule.
When I tried an IPV6 rule, I am getting retval -58, and I am not able to figure out
what this error is.
Can anyone please help me to understand what
Neale,
This is really something I never thought of, that we can create a VLAN for memif. This saved
an enormous amount of my time... I am really excited and it's working perfectly
fine.
//Ravi
: Re: [vpp-dev] ACL-->ABF--> Memif, Seeing arp request for the packets
#acl #abf #policy #routing
[Edited Message Follows]
Hi Neale,
Thanks for your time. Yes I got that and I did create a dummy arp to make this
work.
ip neighbor memif1/0 192.168.1.3 dead.dead.dead
set acl-plugin acl perm
[Edited Message Follows]
Hi Neale,
Thanks for your time. Yes I got that and I did create a dummy arp to make this
work.
ip neighbor memif1/0 192.168.1.3 dead.dead.dead
set acl-plugin acl permit dst 172.172.0.0/24
abf policy add id 0 acl 0 via 192.168.1.3 memif1/0
abf attach ip4 policy 0
Hi Neale,
Thanks for your time. Yes I got that and I did create a dummy arp to make this
work.
ip neighbor memif1/0 192.168.1.3 dead.dead.dead
set acl-plugin acl permit dst 172.172.0.0/24
abf policy add id 0 acl 0 via 192.168.1.3 memif1/0
abf attach ip4 policy 0 HundredGigabitEthernet12/0/0
To: vpp-dev@lists.fd.io
Subject: [vpp-dev] ACL-->ABF--> Memif, Seeing arp request for the packets #acl
#abf #policy #routing
[Edited Message Follows]
Hi Experts,
We are trying to implement forwarding dst X.X.X.X/X subnet packets on interface
Y to the memif1/0
To achieve that we used ACL a
[Edited Message Follows]
Hi Experts,
We are trying to implement forwarding dst X.X.X.X/X subnet packets on interface
Y to the memif1/0
To achieve that we used ACL and ABF policy rules.
When I am trying to send traffic to "X.X.X.X" network I see ARP requests for
that subnet on memif1/0.
We don't
Hi Experts,
We are trying to implement forwarding dst X.X.X.X/X subnet packets on interface
Y to the memif1/0
To achieve that we used ACL and ABF policy rules.
When I am trying to send traffic to "X.X.X.X" network I see ARP requests for
that subnet on memif1/0.
We don't need to send ARP for
io/r/c/vpp/+/33142
>
> /neale
>
> From: vpp-dev@lists.fd.io on behalf of Andrew
> Yourtchenko via lists.fd.io
> Date: Wednesday, 14 July 2021 at 23:53
> To: RaviKiran Veldanda , Jakub Grajciar
>
> Cc: vpp-dev@lists.fd.io
> Subject: Re: [vpp-dev] ACL IPV6 rule additio
Evidently a typo. Here you go:
https://gerrit.fd.io/r/c/vpp/+/33142
/neale
From: vpp-dev@lists.fd.io on behalf of Andrew Yourtchenko
via lists.fd.io
Date: Wednesday, 14 July 2021 at 23:53
To: RaviKiran Veldanda , Jakub Grajciar
Cc: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] ACL IPV6
Ravi,
appears that the commit 2f8cd914514fe54f91974c6d465d4769dfac8de8 has
hardcoded the IP address family in the CLI handler to IPv4:
0490db79b src/plugins/acl/acl.c(Neale Ranns2020-03-24
15:09:41 + 2873) else if (unformat (line_input, "src %U/%d",
bf883bb086
Hi Experts,
We were trying to create some ACL rules for IPv6 addresses,
*"set acl-plugin acl permit src 2001:5b0::1150::0/64 " in vppctl.
* "set acl-plugin acl permit ipv6 src 2001:5b0::1150::0/64 " in vppctl.
giving ACL index but when I check "show acl_plugin acl" it's not giving any
[Edited Message Follows]
Hello Team,
Is there an option to specify IN and OUT interface(sw_index) in ACL along with ACE?
pseudo rule - drop src x.x.x.x dst y.y.y.y when in-interface is x1 and out
interface is x2 -> like iptables
Regards,
Sachin
Hello Team,
Is there an option to specify IN and OUT interface(sw_index) in ACL along with ACE?
pseudo rule - drop src x.x.x.x dst y.y.y.y when in-interface is x1 and out
interface is x2
Regards,
Sachin
Hi Mahdi,
This patch should apply, ACL plugin had not seen much changes recently, but
then you are not running a 20.05 anymore :-)
I would strongly suggest to evaluate on what limitations prevent you from
following the master branch as close as possible and address them. This may
seem
Hi Andrew,
Thanks for your response. That makes sense. I will monitor my box memory usage.
Unfortunately I'm using VPP 20.05. So I will try to forward-port (do we have it?
:D) this patch to it.
ACL plugin historically uses its own heaps for hash lookup data. It should be
just 64M by default. It’s been like that since day1, so you might need to look
at your memory usage on that box overall...
I am not sure if custom heaps use the huge pages or not - maybe you need to
have less huge
Hi VPP folks,
Setting ACL from VAPI, we have a panic `ACL plugin failed to allocate lookup
heap of %U bytes` in `hash_acl_set_heap` function.
It doesn't happen always. Time to time and randomly this problem occurs. My
system has 8G of RAM. VPP is running with the default `startup.conf`. I've
; Jieqiang
> Wang ; Honnappa Nagarahalli
> ; nd
> Subject: Re: [vpp-dev] ACL plugin optimization
>
> Hi Govind,
>
> 1) According to Jenkins, this patch permits some of the packets that should
> be denied, hence JJB voted "-1".
>
> 2) If you suspect merely th
> ; nd
> Subject: Re: [vpp-dev] ACL plugin optimization
>
>
> Hi Govind,
>
> As well as removing the prefetches, you've also removed the per packet call
> to acl_fa_find_session_with_hash(). So IIUC you've removed the per-packet
> session lookup and instead re-use
Hi Govind,
As well as removing the prefetches, you've also removed the per packet call to
acl_fa_find_session_with_hash(). So IIUC you've removed the per-packet session
lookup and instead re-use the lookup of packet 0 each time. That'll make things
quicker but it's not functionally correct.
Hi Govind,
1) According to Jenkins, this patch permits some of the packets that
should be denied, hence JJB voted "-1".
2) If you suspect merely the prefetches are the issue, just commenting
out the body of prefetch_session_entry() in the original code should
turn it into a no-op that doesn't
Hi Andrew,
While profiling the ACL plugin node using perf tool in ARM Neoverse platform,
Bihash related prefetches were shown as bottleneck.
Performance improvement is seen in ARM N1, TX2 and Intel Skylake servers after
removing those prefetches. Testing is done with Ingress ACL/IPv4
Thanks Neale. It works now.
From: Neale Ranns (nranns)
Sent: Saturday, May 2, 2020 8:15 AM
To: Govindarajan Mohandoss ; Andrew Yourtchenko
Cc: John Lo (loj) ; Paul Vinciguerra
; vpp-dev@lists.fd.io; nd ; Lijian
Zhang ; Jieqiang Wang
Subject: Re: [vpp-dev] ACL question
From: Govindarajan
From: Govindarajan Mohandoss
Date: Friday 1 May 2020 at 21:15
To: "Neale Ranns (nranns)" , Andrew Yourtchenko
Cc: "John Lo (loj)" , Paul Vinciguerra
, "vpp-dev@lists.fd.io" , nd
, Lijian Zhang , Jieqiang Wang
, nd
Subject: RE: [vpp-dev] ACL question
Hi N
; Lijian
Zhang ; Jieqiang Wang
Subject: Re: [vpp-dev] ACL question
Or in the latest version you can create ACLs on the CLI:
set acl-plugin acl ?
set acl-plugin interface ?
/neale
From: mailto:vpp-dev@lists.fd.io>> on behalf of Andrew
Yourtchenko mailto:ayour...@gmail.com>>
Dat
Thanks Neale.
From: Neale Ranns (nranns)
Sent: Wednesday, April 29, 2020 4:24 AM
To: Andrew Yourtchenko ; Govindarajan Mohandoss
Cc: John Lo (loj) ; Paul Vinciguerra
; vpp-dev@lists.fd.io; nd ; Lijian
Zhang ; Jieqiang Wang
Subject: Re: [vpp-dev] ACL question
Or in the latest version you
ndarajan Mohandoss
Cc: John Lo (loj) ; Paul Vinciguerra
; vpp-dev@lists.fd.io; nd ; Lijian
Zhang ; Jieqiang Wang
Subject: Re: [vpp-dev] ACL question
Hi Govind,
1) make an api trace and inspect the message there - whether it contains the
entries you are expecting.
1a) If it does, then you can t
sts.fd.io" , nd
, Lijian Zhang , Jieqiang Wang
Subject: Re: [vpp-dev] ACL question
Hi Govind,
1) make an api trace and inspect the message there - whether it contains the
entries you are expecting.
1a) If it does, then you can trivially recreate the same message using the
python api just by
Lo (loj)
> Sent: Tuesday, April 28, 2020 10:38 PM
> To: Govindarajan Mohandoss ; Paul Vinciguerra
>
> Cc: Andrew Yourtchenko ; vpp-dev@lists.fd.io; nd
> ; Lijian Zhang ; Jieqiang Wang
> ; nd
> Subject: RE: [vpp-dev] ACL question
>
> Try “make test TEST=acl_plugin”.
Zhang ; Jieqiang Wang
; nd
Subject: RE: [vpp-dev] ACL question
Try “make test TEST=acl_plugin”. -John
From: vpp-dev@lists.fd.io<mailto:vpp-dev@lists.fd.io>
mailto:vpp-dev@lists.fd.io>> On Behalf Of Govindarajan
Mohandoss
Sent: Tuesday, April 28, 2020 11:22 PM
To: Paul Vinciguerra
Thanks John.
From: John Lo (loj)
Sent: Tuesday, April 28, 2020 10:38 PM
To: Govindarajan Mohandoss ; Paul Vinciguerra
Cc: Andrew Yourtchenko ; vpp-dev@lists.fd.io; nd
; Lijian Zhang ; Jieqiang Wang
; nd
Subject: RE: [vpp-dev] ACL question
Try “make test TEST=acl_plugin”. -John
From
Try “make test TEST=acl_plugin”. -John
From: vpp-dev@lists.fd.io On Behalf Of Govindarajan
Mohandoss
Sent: Tuesday, April 28, 2020 11:22 PM
To: Paul Vinciguerra
Cc: Andrew Yourtchenko ; vpp-dev@lists.fd.io; nd
; Lijian Zhang ; Jieqiang Wang
; nd
Subject: Re: [vpp-dev] ACL question
Hi
: Re: [vpp-dev] ACL question
See: src/plugins/acl/test/test_acl_plugin.py
On Tue, Apr 28, 2020 at 7:19 PM Govindarajan Mohandoss
mailto:govindarajan.mohand...@arm.com>> wrote:
Sure Andrew. Is there a unit test case for ACL plugin ?
From: Andrew Yourtchenko mailto:ayour...@gmail.com&
Thanks Paul !
From: Paul Vinciguerra
Sent: Tuesday, April 28, 2020 9:22 PM
To: Govindarajan Mohandoss
Cc: Andrew Yourtchenko ; vpp-dev@lists.fd.io; nd
; Lijian Zhang ; Jieqiang Wang
Subject: Re: [vpp-dev] ACL question
See: src/plugins/acl/test/test_acl_plugin.py
On Tue, Apr 28, 2020 at 7
, April 28, 2020 4:57 PM
> *To:* Govindarajan Mohandoss
> *Cc:* vpp-dev@lists.fd.io; nd ; Lijian Zhang <
> lijian.zh...@arm.com>; Jieqiang Wang
> *Subject:* Re: [vpp-dev] ACL question
>
>
>
> 1-3: no.
>
> 4: please make a “make test” test case illustrating the problem and share
192.81.1.1/32 dst 192.82.1.1/32 proto 17 sport
> 100 dport 53
> 53: ipv4 permit src 0.0.0.0/0 dst 0.0.0.0/0 proto 0 sport 0-65535
> dport 0-65535
> applied inbound on sw_if_index: 1
> used in lookup context index: 0
> “
>
> Thanks
> Govind
>
> > ----
> To: Andrew Yourtchenko
> Cc: vpp-dev@lists.fd.io
> Subject: Re: [vpp-dev] ACL question
>
> Thank you very much Andrew !! I will do some benchmarks and get back to
> you to understand it better.
>
> Thanks
> Govind
>
> > -Original Message-
for the bihash memory usage have been tested with half a
> million sessions - so you can extrapolate from those with some ballpark
> (though bihash memory usage is not linear wrt the entries, and also there is
> some extra memory churn due to bucket reallocations when the size
> increa
ark (though bihash memory usage is not linear wrt
the entries, and also there is some extra memory churn due to bucket
reallocations when the size increases).
—a
>
>
> Thanks
>
> Govind
>
>
>
> From: vpp-dev@lists.fd.io On Behalf Of Govindarajan
> Mohandoss via Lists.F
is needed compared to SL mode ?
Thanks
Govind
From: vpp-dev@lists.fd.io On Behalf Of Govindarajan
Mohandoss via Lists.Fd.Io
Sent: Thursday, March 26, 2020 12:37 PM
To: Andrew Yourtchenko
Cc: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] ACL question
Hi Andrew,
Thanks for the document.
Can you
; nd
Subject: Re: [vpp-dev] ACL question
As an acl plugin author I can say both stateful and stateless ACLs are used for
different consumers.
Various matching implementations in vpp are used in different use cases... and
there is not a single silver bullet magic answer, because the trade
As an acl plugin author I can say both stateful and stateless ACLs are used for
different consumers.
Various matching implementations in vpp are used in different use cases... and
there is not a single silver bullet magic answer, because the trade offs are
different.
Hello ACL Maintainer,
We want to measure and optimize the ACL performance for ARM servers. As per
the foll. link, there are 4 different implementations of ACLs in VPP.
https://fd.io/docs/vpp/master/usecases/acls.html
We would like to start with most commonly used ACL implementation in
hernet0/0/2
>> Link speed: unknown
>> Ethernet address fa:16:3c:05:66:7c
>> VirtualEthernet0/0/3 6 up VirtualEthernet0/0/3
>> Link speed: unknown
>> Ethernet address fa:16:3c:f0:21:0a
>> VirtualEthernet0/0/4 7 up Virtu
Gbps
> Ethernet address 02:fe:27:ea:09:82
> flags: admin-up
>
> It looks like there doesn’t even exist an acl for VirtualEthernet0/0/3? Is
> that why it is dropped?
>
> Eyle
>
> From: Andrew Yourtchenko
> Date: Thursday, 5
address 02:fe:99:32:82:4f
> flags: admin-up promiscuous
> rdma1 2 up rdma1
> Link speed: 40 Gbps
> Ethernet address 02:fe:27:ea:09:82
> flags: admin-up
>
> It looks like there doesn’t even exist an acl for VirtualEthernet0/0/3? Is
>
From: mailto:vpp-dev@lists.fd.io>> on behalf of Andrew
Yourtchenko mailto:ayour...@gmail.com>>
Date: Thursday, September 5, 2019 at 7:20 AM
To: Eyle Brinkhuis mailto:eyle.brinkh...@surfnet.nl>>
Cc: "vpp-dev@lists.fd.io<mailto:vpp-dev@lists.fd.io>"
mailto:vp
> From: on behalf of Andrew Yourtchenko
>
> Date: Thursday, September 5, 2019 at 7:20 AM
> To: Eyle Brinkhuis
> Cc: "vpp-dev@lists.fd.io"
> Subject: Re: [vpp-dev] ACL drops while pinging another interface
>
> Thanks for the traces !
>
> MACIP acl us
table 12, offset -1
00:53:47:316361: error-drop
rx:VirtualEthernet0/0/3
-Naveen
From: on behalf of Andrew Yourtchenko
Date: Thursday, September 5, 2019 at 7:20 AM
To: Eyle Brinkhuis
Cc: "vpp-dev@lists.fd.io"
Subject: Re: [vpp-dev] ACL drops while pinging another interface
Thank
Thanks for the traces !
MACIP acl uses the classifier-based “ip-acl”; so it sounds like it is not
programmed with the source Mac of your packets.
“Show acl-plugin macip” will help to see what the acl plugin sees, and if it
looks legit, then you can check the classifier tables applied as input
Hi vpp-dev,
I'm testing security group functions on VPP19.08, and got some questions here.
I have two vms: A(172.16.0.1/24, using vxlan_tunnel10 / bridge 10) and
B(172.16.1.1/24, using vxlan_tunnel11 / bridge 11). Both these two networks'
gateway is X.254, configured on VPP bridges (10 and
Thanks Andrew, I've successfully done acl_plugin test.
BTW, just replying here for latecomers: do "V=2 EXTENDED_TESTS=1 TEST=acl_plugin*
make test" to run more tests and print verbosely.
Since I'm testing stateful ACL by watching behavior of
test_acl_plugin_conns.py, along with explanation from
The VPP packet tracer might tell a bit more what is going on.
https://wiki.fd.io/view/VPP/Command-line_Interface_(CLI)_Guide#packet_tracer
Also you can do “TEST=acl_plugin* make test” and examine the logs of successful
testcase runs and compare with what you have.
--a
> On 3 Sep 2019, at
More info about acl plugin
vpp# show acl-plugin acl
acl-index 4 count 2 tag {}
0: ipv4 deny src 0.0.0.0/0 dst 0.0.0.0/0 proto 1 sport 0-65535 dport 0-65535
1: ipv4 permit src 0.0.0.0/0 dst 0.0.0.0/0 proto 6 sport 0-65535 dport 0-65535
applied inbound on sw_if_index: 1
applied outbound on
Hi!
No, it isn’t...
--a
> On 28 Feb 2019, at 02:33, mahdy.varas...@gmail.com wrote:
>
> Hi
>
> I wondered if we can use ACLs instead of classifier tables in Policies. How
> is it possible? ( if it is possible)
Hi
I wondered if we can use ACLs instead of classifier tables in Policies. How is
it possible? ( if it is possible)
Hi all,
for those of you using in some fashion the acl-plugin code, wanted to
get your eyes on this in-the-works patch:
https://gerrit.fd.io/r/#/c/9689/
as well as get your opinion on the following:
(1) should I KEEP the default as it is now (which is to retain the
sessions which are already
Dear Andrew
Unfortunately I can't reproduce this case. It's really a rare situation.
Regards
On Tue, Dec 12, 2017 at 5:43 PM, khers wrote:
> Dear Andrew
>
> This is a good explanation of how session add and delete works,
> I think this is not a benign operation, I could
Dear Andrew
This is a good explanation of how session add and delete works,
I think this is not a benign operation, I could produce the rare scenario you
explained. I will send backtrace and other details tomorrow.
On Tue, Dec 12, 2017 at 2:46 PM, Andrew Yourtchenko
wrote:
>
Dear Khers,
I think you are right. Normally the entry in the session hash table is
deleted before any operations with the per-worker pool, so we should
not end up on that line. Also, the deletion itself usually happens as
a result of the idle timeout - meaning, no packets hit the session for
a
Dear Andrew
I'm working on d594711a5d79859a7d0bde83a516f7ab52051d9b commit on
stable/1710 branch. Sorry for less info.
I can't reproduce the last issue I have reported, forgot the commit I was
working on.
Regards,
Khers
On Mon, Dec 11, 2017 at 12:24 PM, Andrew Yourtchenko
Dear VPP folks,
The get_session_ptr function may return a null pointer, while we do not check
this situation in code, for example fa_node.c line 1029, if the sess equals
null, we get a segmentation fault in the next usage of sess.
Please share your thoughts about this.
Regards,
Khers
Khers,
Thanks! Just after I sent you the reply Dave had pointed out coverity was
unhappy with some of the code, including that particular line. So I got rid of
memcpy altogether and while at it fixed the values for both this place and the
other one I told you about - in change 9611.
--a
> On
Dear Andrew
Thanks for your attention, Yes of course I pushed to gerrit with id 9615.
Regards,
Khers
On Tue, Nov 28, 2017 at 8:37 PM, Andrew Yourtchenko
wrote:
> Dear Khers,
>
> I believe you are right. That might not be all though... “dot1q”/“dot1ad”
> mask value constant
Dear Khers,
I believe you are right. That might not be all though... “dot1q”/“dot1ad” mask
value constant does not appear to make sense to me now.
They should be “XX XX” to mask out the bits and also should be set accordingly
to the proper values during the addition of the sessions. (I suppose
I tried some ACL config, but it does not work as I expected.
I send traffic into interface 1, and vpp should send the traffic out
through interface 2.
For ACL, I first add this ACL.
acl_add_replace ipv4 src 10.0.0.0/8 deny
Then, I send traffic after adding each of the following 4 configs.
Folks,
So, yeah, I was just blind-sided by an API change in the ACL code.
Not to name names, or anything but it was
commit 36ea2d6d3a67a60534a7c2b58551688858a1ce7f
One armed NAT (VPP-1035)
Use a single physical interface in order to accomplish NAT44/NAT64.
That patch also
It works! Thanks.
Another question: if I want to use ACL plugin in non-debug build (say,
build-release), can I use vat? Or do I need to use the python code?
On Mon, Nov 13, 2017 at 12:06 PM, Andrew Yourtchenko
wrote:
> “Make build” in the VPP directory will get you a debug
“Make build” in the VPP directory will get you a debug build. The $1 and such
is just standard shell scripting, in case I need to pass some parameters to
vat. I don’t think I had ever needed them...
--a
> On 13 Nov 2017, at 17:40, Yuliang Li wrote:
>
> Maybe this is a
Maybe this is a stupid question.. Does vat have to work with debug builds?
And how to do the debug builds? What are the $1~$5 in your script?
Thanks,
Yuliang
On Mon, Nov 13, 2017 at 3:03 AM, Andrew Yourtchenko
wrote:
> When just running vat from within the source tree, it
When just running vat from within the source tree, it needs to know the path
for the plugins, for debug builds I usually have the following small shell
script which takes care of this without requiring me thinking every time (of
course needs to be launched from the vpp top directory since it
Thanks for the quick reply.
I still fail to use the vat to configure ACL. After make build-release, I
use sudo build-root/build-vpp-native/vpp/vpp_api_test, but it tells me:
'acl_plugin_get_version': function not found
Other ACL commands have the same problem.
I also tried make build-vat, but it
Hi Yuliang,
You can look at the test/test_acl_plugin_*.py files for the examples
of interactions with plugin from python code.
Alternatively, you can use VPP API test tool (vat) which is built
together with VPP and then issue the API calls directly from there.
Shout if you have any questions,
Hi,
I want to use the ACL plugin https://wiki.fd.io/view/VPP/SecurityGroups. It
seems it can only be configured via API. I only used vppctl before. Can
anyone please tell how to use the API to configure? Or are there other ways
to configure?
Thanks,
--
Yuliang Li
PhD student
Department of
Quoting Jon Loeliger (2017-11-10 23:11:36)
>First, this is draconian for no really good reason. Second, it should be
>fixed. Third, I would do that except I am stupid and need a clue where
>or how to fix this situation so the tests are less draconian. (Can we
>get a "less than
Chris,
On Fri, Nov 10, 2017 at 8:27 PM, Luke, Chris wrote:
> If you’re wondering where the tests are:
>
>
>
> $ ls test/*acl*
>
> test/test_acl_plugin_conns.py test/test_acl_plugin_macip.py
>
> test/test_acl_plugin_l2l3.py test/test_acl_plugin.py
>
Ah, excellent!
>
Cc: vpp-dev <vpp-dev@lists.fd.io>
Subject: Re: [vpp-dev] ACL Build/Test Issues
On Fri, Nov 10, 2017 at 5:54 PM, Andrew Yourtchenko
<ayour...@gmail.com<mailto:ayour...@gmail.com>> wrote:
Hi Jon,
On 10 Nov 2017, at 23:11, Jon Loeliger
<j...@netgate.com<mailto:j...@netg
On Fri, Nov 10, 2017 at 5:54 PM, Andrew Yourtchenko
wrote:
> Hi Jon,
>
> On 10 Nov 2017, at 23:11, Jon Loeliger wrote:
>
> Folks,
>
> Every error from the ACL implementation is -1. Generically bad.
> Without regard for what might be more useful to an
Hi Jon,
> On 10 Nov 2017, at 23:11, Jon Loeliger wrote:
>
> Folks,
>
> Every error from the ACL implementation is -1. Generically bad.
> Without regard for what might be more useful to an upper-layer UI.
When we discussed with the openstack folks the way they are treating
Folks,
Every error from the ACL implementation is -1. Generically bad.
Without regard for what might be more useful to an upper-layer UI.
So I submitted a patch to help this situation some.
https://gerrit.fd.io/r/#/c/9383/
I have built and tested it locally, but it fails the Verify Tests
Hi,
If you talk about acl plugin then the ACLs are evaluated in the order of
them applied and same about the ACEs within an acl - to change the order you
can apply a differently sorted list or call acl_add_replace with new contents
of the ACL.
If you talk about the built-in ACLs using classifier
Hi all,
Does vpp acl support adjusting priority?
I have configured ten acl rules, if I want to move the tenth acl to be the
first acl, is there an easy way to do this?
Regards,
Ewan
yug...@telincn.com
gust 27, 2017 6:30 AM
> To: Wang, Yipeng1 <yipeng1.w...@intel.com>
> Cc: vpp-dev@lists.fd.io; zhang...@yunshan.net.cn
> Subject: Re: [vpp-dev] ACL Match in fa_node.c
>
> Hi Yipeng,
>
> It's already there - just have a look through hash_* files in the ACL plug
> > From: "Andrew Yourtchenko";
> > Date: Tue, May 23, 2017 07:56 PM
> > To: "张攀";
> > Cc: "vpp-dev";
> > Subject: Re: [vpp-dev] ACL Match in fa_node.c
> >
> >
> > Hi!
> >
> > On 5/23/17, 张攀
Hi Burt,
Makes sense. Quickly looking at the code it shouldn't be affecting,
but that file should be indeed with everything else.
So I rebuilt it from 48_8 one in the master, and the gerrit is here:
https://gerrit.fd.io/r/#/c/7937/
Hopefully Damjan can review and +2 it.
--a
On 8/8/17, Burt
Hi all,
Just a heads-up: I am currently working on a few issues in acl-plugin
that the system testing as part of the open stack setup has uncovered,
one of them was a memory corruption in the new hash-table based
matching code. Those are always a pain to debug also because they of
course can trip
There are two different mechanisms in VPP which you can use:
1) classifier-based ACLs
https://wiki.fd.io/view/VPP/Introduction_To_N-tuple_Classifiers
It is faster than acl plugin, and allows only stateless operation which is
essentially bitmask-based.
2) acl plugin
Hi,
Does anyone know how to configure ACL in vpp? Is there any document?
Thanks,
--
Yuliang Li
PhD student
Department of Computer Science
Yale University
hand-on experiences,
looking forward to collaborating with you :p
Best Regards,
Pan
zhang...@yunshan.net.cn
From: Andrew Yourtchenko
Date: 2017-05-24 02:48
To: 张攀
CC: vpp-dev
Subject: Re: [vpp-dev] ACL Match in fa_node.c
Hi Pan!
On 5/23/17, 张攀 <zhang...@yunshan.net.cn> wrote:
>
Hi Andrew!
-- Original --
From: "Andrew Yourtchenko"<ayour...@gmail.com>;
Date: Tue, May 23, 2017 07:56 PM
To: "张攀"<zhang...@yunshan.net.cn>;
Cc: "vpp-dev"<vpp-dev@lists.fd.io>;
Subject: Re: [vpp-de
Hi guys,
I looked into the source code of vpp/src/plugin/acl/fa_node.c,
in function full_acl_match_5tuple(), it seems that every ingress packet is
matching against each ACL rule stored in acl_main->acls in a for-loop manner.
This seems not fairly effective.
Besides, I notice that in
Hi Jon,
On 5/17/17, Jon Loeliger wrote:
> On Wed, May 17, 2017 at 4:35 PM, Andrew Yourtchenko
> wrote:
>
>> Jon,
>>
>> No, you are not missing anything, there is a ping missing there indeed...
>> :-)
>>
>
> Hi Andrew,
>
> OK, *phew*. Not this time then.
On Wed, May 17, 2017 at 4:35 PM, Andrew Yourtchenko
wrote:
> Jon,
>
> No, you are not missing anything, there is a ping missing there indeed...
> :-)
>
Hi Andrew,
OK, *phew*. Not this time then. Good to know!
> At the time I could not figure out how to get the
Jon,
No, you are not missing anything, there is a ping missing there indeed... :-)
At the time I could not figure out how to get the CONTROL_PING to be
sent from within the VAT, and since the main use case was
programmatic-API driven (I had used VAT primarily during the initial
debugging/sanity
Folks,
I have two questions about the ACL plugin's API.
First, when there are no ACLs configured and an ACL_DUMP is requested,
there is no way for the API to reply except to not send a message and let
the "wait for message" time-out and indicate failure. The same problem
exists if one requests
ACL in the IP4
forwarding path of which interface.
Regards,
John
From: vpp-dev-boun...@lists.fd.io [mailto:vpp-dev-boun...@lists.fd.io] On
Behalf Of Mina Jafari
Sent: Friday, May 12, 2017 2:19 PM
To: vpp-dev@lists.fd.io
Subject: [vpp-dev] ACL + classifier table does not work on subinterface
Hi juraj,
Sorry for the delay.
Minus 1 for the acl# means no acl had matched, so this should be default
deny, however the odd output from the dump means it needs a closer look.
Please send me the saved binary API trace from the moment of startup to the
observation of the problem + the packet
: Monday, May 01, 2017 10:04 PM
To: vpp-dev@lists.fd.io
Subject: [vpp-dev] ACL match tunnel interface
Hi guys,
There are some questions about acl in tunnel interface:
I can only match the tunnel rather than the desired inner flow;
What should I do to match the inner flow?
Thanks,
xyxue