[vpp-dev] acl ipv6 rule creation with VAPI. #acl #ipv6 #vapi

2021-09-02 Thread RaviKiran Veldanda
Hi Experts, I got tired trying several ways to add the IPv6 ACL rules using the API. I couldn't succeed. The same thing is working fine with an IPv4 rule. When I tried an IPv6 rule, I am getting retval -58, and I am not able to figure out what this error is. Can anyone please help me to understand what

Re: [vpp-dev] ACL-->ABF--> Memif, Seeing arp request for the packets #acl #abf #policy #routing

2021-07-17 Thread RaviKiran Veldanda
Neale, This is really I never thought we can create VLAN for memif. This saved an enormous amount of my time... I am really excited and it's working perfectly fine. //Ravi

Re: [vpp-dev] ACL-->ABF--> Memif, Seeing arp request for the packets #acl #abf #policy #routing

2021-07-17 Thread Neale Ranns
: Re: [vpp-dev] ACL-->ABF--> Memif, Seeing arp request for the packets #acl #abf #policy #routing [Edited Message Follows] Hi Neale, Thanks for your time. Yes I got that and I did create a dummy arp to make this work. ip neighbor memif1/0 192.168.1.3 dead.dead.dead set acl-plugin acl perm

Re: [vpp-dev] ACL-->ABF--> Memif, Seeing arp request for the packets #acl #abf #policy #routing

2021-07-16 Thread RaviKiran Veldanda
[Edited Message Follows] Hi Neale, Thanks for your time. Yes I got that and I did create a dummy arp to make this work. ip neighbor memif1/0 192.168.1.3 dead.dead.dead set acl-plugin acl permit dst 172.172.0.0/24 abf policy add id 0 acl 0 via 192.168.1.3 memif1/0 abf attach ip4 policy 0

Re: [vpp-dev] ACL-->ABF--> Memif, Seeing arp request for the packets #acl #abf #policy #routing

2021-07-16 Thread RaviKiran Veldanda
Hi Neale, Thanks for your time. Yes I got that and I did create a dummy arp to make this work. ip neighbor memif1/0 192.168.1.3 dead.dead.dead set acl-plugin acl permit dst 172.172.0.0/24 abf policy add id 0 acl 0 via 192.168.1.3 memif1/0 abf attach ip4 policy 0 HundredGigabitEthernet12/0/0

Re: [vpp-dev] ACL-->ABF--> Memif, Seeing arp request for the packets #acl #abf #policy #routing

2021-07-16 Thread Neale Ranns
To: vpp-dev@lists.fd.io Subject: [vpp-dev] ACL-->ABF--> Memif, Seeing arp request for the packets #acl #abf #policy #routing [Edited Message Follows] Hi Experts, We are trying to implement forwarding dst X.X.X.X/X subnet packets on interface Y to the memif1/0. To achieve that we used ACL a

[vpp-dev] ACL-->ABF--> Memif, Seeing arp request for the packets #acl #abf #policy #routing

2021-07-16 Thread RaviKiran Veldanda
[Edited Message Follows] Hi Experts, We are trying to implement forwarding dst X.X.X.X/X subnet packets on interface Y to the memif1/0. To achieve that we used ACL and ABF policy rules. When I am trying to send traffic to "X.X.X.X" network I see ARP requests for that subnet on memif1/0. We don't

[vpp-dev] ACL-->ABF--> Memif, Seeing arp request for the packets #acl #abf #policy #routing

2021-07-16 Thread RaviKiran Veldanda
Hi Experts, We are trying to implement forwarding dst X.X.X.X/X subnet packets on interface Y to the memif1/0. To achieve that we used ACL and ABF policy rules. When I am trying to send traffic to "X.X.X.X" network I see ARP requests for that subnet on memif1/0. We don't need to send ARP for

Re: [vpp-dev] ACL IPV6 rule addition using the "set acl_plugin acl" command from "vppctl" #vppctl #acl #acl_plugin #ipv6

2021-07-15 Thread Andrew Yourtchenko
io/r/c/vpp/+/33142 > > /neale > > From: vpp-dev@lists.fd.io on behalf of Andrew > Yourtchenko via lists.fd.io > Date: Wednesday, 14 July 2021 at 23:53 > To: RaviKiran Veldanda , Jakub Grajciar > > Cc: vpp-dev@lists.fd.io > Subject: Re: [vpp-dev] ACL IPV6 rule additio

Re: [vpp-dev] ACL IPV6 rule addition using the "set acl_plugin acl" command from "vppctl" #vppctl #acl #acl_plugin #ipv6

2021-07-15 Thread Neale Ranns
Evidently a typo. Here you go: https://gerrit.fd.io/r/c/vpp/+/33142 /neale From: vpp-dev@lists.fd.io on behalf of Andrew Yourtchenko via lists.fd.io Date: Wednesday, 14 July 2021 at 23:53 To: RaviKiran Veldanda , Jakub Grajciar Cc: vpp-dev@lists.fd.io Subject: Re: [vpp-dev] ACL IPV6

Re: [vpp-dev] ACL IPV6 rule addition using the "set acl_plugin acl" command from "vppctl" #vppctl #acl #acl_plugin #ipv6

2021-07-14 Thread Andrew Yourtchenko
Ravi, appears that the commit 2f8cd914514fe54f91974c6d465d4769dfac8de8 has hardcoded the IP address family in the CLI handler to IPv4: 0490db79b src/plugins/acl/acl.c(Neale Ranns2020-03-24 15:09:41 + 2873) else if (unformat (line_input, "src %U/%d", bf883bb086

[vpp-dev] ACL IPV6 rule addition using the "set acl_plugin acl" command from "vppctl" #vppctl #acl #acl_plugin #ipv6

2021-07-14 Thread RaviKiran Veldanda
Hi Experts, We were trying to create some ACL rules for IPv6 addresses, * "set acl-plugin acl permit src 2001:5b0::1150::0/64 " in vppctl. * "set acl-plugin acl permit ipv6 src 2001:5b0::1150::0/64 " in vppctl. giving ACL index but when I check "show acl_plugin acl" it's not giving any

[vpp-dev] ACL- IN and OUT interface

2020-09-25 Thread sachinpp777
[Edited Message Follows] Hello Team, Is there an option to specify IN and OUT interface(sw_index) in ACL along with ACE? pseudo rule - drop src x.x.x.x dst y.y.y.y when in-interface is x1 and out interface is x2 -> like iptables Regards, Sachin

[vpp-dev] ACL- IN and OUT interface

2020-09-25 Thread sachinpp777
Hello Team, Is there an option to specify IN and OUT interface(sw_index) in ACL along with ACE? pseudo rule - drop src x.x.x.x dst y.y.y.y when in-interface is x1 and out interface is x2 Regards, Sachin

Re: [vpp-dev] ACL panics in `hash_acl_set_heap`

2020-09-17 Thread Andrew Yourtchenko
Hi Mahdi, This patch should apply, ACL plugin had not seen much changes recently, but then you are not running a 20.05 anymore :-) I would strongly suggest to evaluate on what limitations prevent you from following the master branch as close as possible and address them. This may seem

Re: [vpp-dev] ACL panics in `hash_acl_set_heap`

2020-09-16 Thread Mahdi Varasteh
Hi Andrew, Thanks for your response. That makes sense. I will monitor my box memory usage. Unfortunately I'm using VPP 20.05. So I will try to forwardport( we have it? :D) this patch to it.

Re: [vpp-dev] ACL panics in `hash_acl_set_heap`

2020-09-16 Thread Andrew Yourtchenko
ACL plugin historically uses its own heaps for hash lookup data. It should be just 64M by default. It’s been like that since day1, so you might need to look at your memory usage on that box overall... I am not sure if custom heaps use the huge pages or not - maybe you need to have less huge

[vpp-dev] ACL panics in `hash_acl_set_heap`

2020-09-16 Thread Mahdi Varasteh
Hi VPP folks, Setting ACL from VAPI, we have a panic `ACL plugin failed to allocate lookup heap of %U bytes` in `hash_acl_set_heap` function. It doesn't happen always. Time to time and randomly this problem occurs. My system has 8G of RAM. VPP is running with the default `startup.conf`. I've

Re: [vpp-dev] ACL plugin optimization

2020-05-29 Thread Govindarajan Mohandoss
; Jieqiang > Wang ; Honnappa Nagarahalli > ; nd > Subject: Re: [vpp-dev] ACL plugin optimization > > Hi Govind, > > 1) According to Jenkins, this patch permits some of the packets that should > be denied, hence JJB voted "-1". > > 2) If you suspect merely th

Re: [vpp-dev] ACL plugin optimization

2020-05-29 Thread Govindarajan Mohandoss
> ; nd > Subject: Re: [vpp-dev] ACL plugin optimization > > > Hi Govind, > > As well as removing the prefetches, you've also removed the per packet call > to acl_fa_find_session_with_hash(). So IIUC you've removed the per-packet > session lookup and instead re-use

Re: [vpp-dev] ACL plugin optimization

2020-05-28 Thread Neale Ranns via lists.fd.io
Hi Govind, As well as removing the prefetches, you've also removed the per packet call to acl_fa_find_session_with_hash(). So IIUC you've removed the per-packet session lookup and instead re-use the lookup of packet 0 each time. that'll make things quicker but it's not functionally correct.

Re: [vpp-dev] ACL plugin optimization

2020-05-27 Thread Andrew Yourtchenko
Hi Govind, 1) According to Jenkins, this patch permits some of the packets that should be denied, hence JJB voted "-1". 2) If you suspect merely the prefetches are the issue, just commenting out the body of prefetch_session_entry() in the original code should turn it into a no-op that doesn't

[vpp-dev] ACL plugin optimization

2020-05-27 Thread Govindarajan Mohandoss
Hi Andrew, While profiling the ACL plugin node using perf tool in ARM Neoverse platform, Bihash related prefetches were shown as bottleneck. Performance improvement is seen in ARM N1, TX2 and Intel Skylake servers after removing those prefetches. Testing is done with Ingress ACL/IPv4

Re: [vpp-dev] ACL question

2020-05-03 Thread Govindarajan Mohandoss
Thanks Neale. It works now. From: Neale Ranns (nranns) Sent: Saturday, May 2, 2020 8:15 AM To: Govindarajan Mohandoss ; Andrew Yourtchenko Cc: John Lo (loj) ; Paul Vinciguerra ; vpp-dev@lists.fd.io; nd ; Lijian Zhang ; Jieqiang Wang Subject: Re: [vpp-dev] ACL question From: Govindarajan

Re: [vpp-dev] ACL question

2020-05-02 Thread Neale Ranns via lists.fd.io
From: Govindarajan Mohandoss Date: Friday 1 May 2020 at 21:15 To: "Neale Ranns (nranns)" , Andrew Yourtchenko Cc: "John Lo (loj)" , Paul Vinciguerra , "vpp-dev@lists.fd.io" , nd , Lijian Zhang , Jieqiang Wang , nd Subject: RE: [vpp-dev] ACL question Hi N

Re: [vpp-dev] ACL question

2020-05-01 Thread Govindarajan Mohandoss
; Lijian Zhang ; Jieqiang Wang Subject: Re: [vpp-dev] ACL question Or in the latest version you can create ACLs on the CLI: set acl-plugin acl ? set acl-plugin interface ? /neale From: vpp-dev@lists.fd.io on behalf of Andrew Yourtchenko <ayour...@gmail.com> Dat

Re: [vpp-dev] ACL question

2020-04-29 Thread Govindarajan Mohandoss
Thanks Neale. From: Neale Ranns (nranns) Sent: Wednesday, April 29, 2020 4:24 AM To: Andrew Yourtchenko ; Govindarajan Mohandoss Cc: John Lo (loj) ; Paul Vinciguerra ; vpp-dev@lists.fd.io; nd ; Lijian Zhang ; Jieqiang Wang Subject: Re: [vpp-dev] ACL question Or in the latest version you

Re: [vpp-dev] ACL question

2020-04-29 Thread Govindarajan Mohandoss
ndarajan Mohandoss Cc: John Lo (loj) ; Paul Vinciguerra ; vpp-dev@lists.fd.io; nd ; Lijian Zhang ; Jieqiang Wang Subject: Re: [vpp-dev] ACL question Hi Govind, 1) make an api trace and inspect the message there - whether it contains the entries you are expecting. 1a) If it does, then you can t

Re: [vpp-dev] ACL question

2020-04-29 Thread Neale Ranns via lists.fd.io
sts.fd.io" , nd , Lijian Zhang , Jieqiang Wang Subject: Re: [vpp-dev] ACL question Hi Govind, 1) make an api trace and inspect the message there - whether it contains the entries you are expecting. 1a) If it does, then you can trivially recreate the same message using the python api just by

Re: [vpp-dev] ACL question

2020-04-29 Thread Andrew Yourtchenko
Lo (loj) > Sent: Tuesday, April 28, 2020 10:38 PM > To: Govindarajan Mohandoss ; Paul Vinciguerra > > Cc: Andrew  Yourtchenko ; vpp-dev@lists.fd.io; nd > ; Lijian Zhang ; Jieqiang Wang > ; nd > Subject: RE: [vpp-dev] ACL question > > Try “make test TEST=acl_plugin”.

Re: [vpp-dev] ACL question

2020-04-28 Thread Govindarajan Mohandoss
Zhang ; Jieqiang Wang ; nd Subject: RE: [vpp-dev] ACL question Try “make test TEST=acl_plugin”. -John From: vpp-dev@lists.fd.io On Behalf Of Govindarajan Mohandoss Sent: Tuesday, April 28, 2020 11:22 PM To: Paul Vinciguerra

Re: [vpp-dev] ACL question

2020-04-28 Thread Govindarajan Mohandoss
Thanks John. From: John Lo (loj) Sent: Tuesday, April 28, 2020 10:38 PM To: Govindarajan Mohandoss ; Paul Vinciguerra Cc: Andrew  Yourtchenko ; vpp-dev@lists.fd.io; nd ; Lijian Zhang ; Jieqiang Wang ; nd Subject: RE: [vpp-dev] ACL question Try “make test TEST=acl_plugin”. -John From

Re: [vpp-dev] ACL question

2020-04-28 Thread John Lo (loj) via lists.fd.io
Try “make test TEST=acl_plugin”. -John From: vpp-dev@lists.fd.io On Behalf Of Govindarajan Mohandoss Sent: Tuesday, April 28, 2020 11:22 PM To: Paul Vinciguerra Cc: Andrew  Yourtchenko ; vpp-dev@lists.fd.io; nd ; Lijian Zhang ; Jieqiang Wang ; nd Subject: Re: [vpp-dev] ACL question Hi

Re: [vpp-dev] ACL question

2020-04-28 Thread Govindarajan Mohandoss
: Re: [vpp-dev] ACL question See: src/plugins/acl/test/test_acl_plugin.py On Tue, Apr 28, 2020 at 7:19 PM Govindarajan Mohandoss <govindarajan.mohand...@arm.com> wrote: Sure Andrew. Is there a unit test case for ACL plugin ? From: Andrew Yourtchenko <ayour...@gmail.com

Re: [vpp-dev] ACL question

2020-04-28 Thread Govindarajan Mohandoss
Thanks Paul ! From: Paul Vinciguerra Sent: Tuesday, April 28, 2020 9:22 PM To: Govindarajan Mohandoss Cc: Andrew  Yourtchenko ; vpp-dev@lists.fd.io; nd ; Lijian Zhang ; Jieqiang Wang Subject: Re: [vpp-dev] ACL question See: src/plugins/acl/test/test_acl_plugin.py On Tue, Apr 28, 2020 at 7

Re: [vpp-dev] ACL question

2020-04-28 Thread Paul Vinciguerra
, April 28, 2020 4:57 PM > *To:* Govindarajan Mohandoss > *Cc:* vpp-dev@lists.fd.io; nd ; Lijian Zhang < > lijian.zh...@arm.com>; Jieqiang Wang > *Subject:* Re: [vpp-dev] ACL question > > > > 1-3: no. > > 4: please make a “make test” test case illustrating the problem and share

Re: [vpp-dev] ACL question

2020-04-28 Thread Andrew Yourtchenko
192.81.1.1/32 dst 192.82.1.1/32 proto 17 sport > 100 dport 53 > 53: ipv4 permit src 0.0.0.0/0 dst 0.0.0.0/0 proto 0 sport 0-65535 > dport 0-65535 > applied inbound on sw_if_index: 1 > used in lookup context index: 0 > “ > > Thanks > Govind > > > ----

Re: [vpp-dev] ACL question

2020-04-28 Thread Govindarajan Mohandoss
> To: Andrew  Yourtchenko > Cc: vpp-dev@lists.fd.io > Subject: Re: [vpp-dev] ACL question > > Thank you very much Andrew !! I will do some benchmarks and get back to > you to understand it better. > > Thanks > Govind > > > -Original Message-

Re: [vpp-dev] ACL question

2020-03-27 Thread Govindarajan Mohandoss
for the bihash memory usage have been tested with half a > million sessions - so you can extrapolate from those with some ballpark > (though bihash memory usage is not linear wrt the entries, and also there is > some extra memory churn due to bucket reallocations when the size > increa

Re: [vpp-dev] ACL question

2020-03-27 Thread Andrew Yourtchenko
ark (though bihash memory usage is not linear wrt the entries, and also there is some extra memory churn due to bucket reallocations when the size increases). —a > > > Thanks > > Govind > > > > From: vpp-dev@lists.fd.io On Behalf Of Govindarajan > Mohandoss via Lists.F

Re: [vpp-dev] ACL question

2020-03-26 Thread Govindarajan Mohandoss
is needed compared to SL mode ? Thanks Govind From: vpp-dev@lists.fd.io On Behalf Of Govindarajan Mohandoss via Lists.Fd.Io Sent: Thursday, March 26, 2020 12:37 PM To: Andrew  Yourtchenko Cc: vpp-dev@lists.fd.io Subject: Re: [vpp-dev] ACL question Hi Andrew, Thanks for the document. Can you

Re: [vpp-dev] ACL question

2020-03-26 Thread Govindarajan Mohandoss
; nd Subject: Re: [vpp-dev] ACL question As an acl plugin author I can say both stateful and stateless ACLs are used for different consumers. Various matching implementations in vpp are used in different use cases... and there is not a single silver bullet magic answer, because the trade

Re: [vpp-dev] ACL question

2020-03-26 Thread Andrew Yourtchenko
As an acl plugin author I can say both stateful and stateless ACLs are used for different consumers. Various matching implementations in vpp are used in different use cases... and there is not a single silver bullet magic answer, because the trade offs are different.

[vpp-dev] ACL question

2020-03-25 Thread Govindarajan Mohandoss
Hello ACL Maintainer, We want to measure and optimize the ACL performance for ARM servers. As per the foll. link, there are 4 different implementations of ACLs in VPP. https://fd.io/docs/vpp/master/usecases/acls.html We would like to start with most commonly used ACL implementation in

Re: [vpp-dev] ACL drops while pinging another interface

2019-09-06 Thread Andrew Yourtchenko
hernet0/0/2 >> Link speed: unknown >> Ethernet address fa:16:3c:05:66:7c >> VirtualEthernet0/0/3 6 up VirtualEthernet0/0/3 >> Link speed: unknown >> Ethernet address fa:16:3c:f0:21:0a >> VirtualEthernet0/0/4 7 up Virtu

Re: [vpp-dev] ACL drops while pinging another interface

2019-09-06 Thread Eyle Brinkhuis
Gbps > Ethernet address 02:fe:27:ea:09:82 > flags: admin-up > > It looks like there doesn’t even exist an acl for VirtualEthernet0/0/3? Is > that why it is dropped? > > Eyle > > From: Andrew  Yourtchenko > Date: Thursday, 5

Re: [vpp-dev] ACL drops while pinging another interface

2019-09-06 Thread Andrew Yourtchenko
address 02:fe:99:32:82:4f > flags: admin-up promiscuous > rdma1 2 up rdma1 > Link speed: 40 Gbps > Ethernet address 02:fe:27:ea:09:82 > flags: admin-up > > It looks like there doesn’t even exist an acl for VirtualEthernet0/0/3? Is >

Re: [vpp-dev] ACL drops while pinging another interface

2019-09-06 Thread Eyle Brinkhuis
From: vpp-dev@lists.fd.io on behalf of Andrew Yourtchenko <ayour...@gmail.com> Date: Thursday, September 5, 2019 at 7:20 AM To: Eyle Brinkhuis <eyle.brinkh...@surfnet.nl> Cc: "vpp-dev@lists.fd.io" <vp

Re: [vpp-dev] ACL drops while pinging another interface

2019-09-05 Thread Andrew Yourtchenko
> From: on behalf of Andrew Yourtchenko > > Date: Thursday, September 5, 2019 at 7:20 AM > To: Eyle Brinkhuis > Cc: "vpp-dev@lists.fd.io" > Subject: Re: [vpp-dev] ACL drops while pinging another interface > > Thanks for the traces ! > > MACIP acl us

Re: [vpp-dev] ACL drops while pinging another interface

2019-09-05 Thread Naveen Joy via Lists.Fd.Io
table 12, offset -1 00:53:47:316361: error-drop rx:VirtualEthernet0/0/3 -Naveen From: on behalf of Andrew Yourtchenko Date: Thursday, September 5, 2019 at 7:20 AM To: Eyle Brinkhuis Cc: "vpp-dev@lists.fd.io" Subject: Re: [vpp-dev] ACL drops while pinging another interface Thank

Re: [vpp-dev] ACL drops while pinging another interface

2019-09-05 Thread Andrew Yourtchenko
Thanks for the traces ! MACIP acl uses the classifier-based “ip-acl”; so it sounds like it is not programmed with the source Mac of your packets. “Show acl-plugin macip” will help to see what the acl plugin sees, and if it looks legit, then you can check the classifier tables applied as input

[vpp-dev] ACL based security group of VPP

2019-09-04 Thread cipher.chen2012
Hi vpp-dev, I'm testing security group functions on VPP19.08, and got some questions here. I have two vms: A(172.16.0.1/24, using vxlan_tunnel10 / bridge 10) and B(172.16.1.1/24, using vxlan_tunnel11 / bridge 11). Both these two networks' gateway is X.254, configured on VPP bridges (10 and

Re: [vpp-dev] ACL not working #vpp

2019-09-04 Thread Cipher Chen
Thanks Andrew, I've successfully done acl_plugin test. BTW, just reply here for latecomers, do "V=2 EXTENDED_TESTS=1 TEST=acl_plugin* make test" to do more test and print verbosely. Since I'm testing stateful ACL by watching behavior of test_acl_plugin_conns.py, along with explanation from

Re: [vpp-dev] ACL not working #vpp

2019-09-03 Thread Andrew Yourtchenko
The VPP packet tracer might tell a bit more what is going on. https://wiki.fd.io/view/VPP/Command-line_Interface_(CLI)_Guide#packet_tracer Also you can do “TEST=acl_plugin* make test” and examine the logs of successful testcase runs and compare with what you have. --a > On 3 Sep 2019, at

Re: [vpp-dev] ACL not working #vpp

2019-09-03 Thread Cipher Chen
More info about acl plugin vpp# show acl-plugin acl acl-index 4 count 2 tag {} 0: ipv4 deny src 0.0.0.0/0 dst 0.0.0.0/0 proto 1 sport 0-65535 dport 0-65535 1: ipv4 permit src 0.0.0.0/0 dst 0.0.0.0/0 proto 6 sport 0-65535 dport 0-65535 applied inbound on sw_if_index: 1 applied outbound on

[vpp-dev] ACL not working #vpp

2019-09-03 Thread cipher . chen2012
Hi vpp-dev, I'm testing security group functions on VPP19.08, and got some questions here. I have two vms: A(172.16.0.1/24, using vxlan_tunnel10 / bridge 10) and B(172.16.1.1/24, using vxlan_tunnel11 / bridge 11). Both these two networks' gateway is X.254, configured on VPP bridges (10 and

Re: [vpp-dev] ACL and Policier

2019-02-28 Thread Andrew Yourtchenko
Hi! No, it isn’t... --a > On 28 Feb 2019, at 02:33, mahdy.varas...@gmail.com wrote: > > Hi > > I wondered if we can use ACLs instead of classifier tables in Policies. How > is it possible? ( if it is possible)

[vpp-dev] ACL and Policier

2019-02-27 Thread mahdy . varasteh
Hi I wondered if we can use ACLs instead of classifier tables in Policies. How is it possible? ( if it is possible)

[vpp-dev] acl-plugin gerrit 9689: should I change the (default) behavior to reclassify existing sessions not permitted by updated policy ?

2018-03-07 Thread Andrew Yourtchenko
Hi all, for those of you using in some fashion the acl-plugin code, wanted to get your eyes on this in-the-works patch: https://gerrit.fd.io/r/#/c/9689/ as well as get your opinion on the following: (1) should I KEEP the default as it is now (which is to retain the sessions which are already

Re: [vpp-dev] ACL Plugin: check for null session

2017-12-19 Thread khers
Dear Andrew Unfortunately I can't reproduce this case. It's really a rare situation. Regards On Tue, Dec 12, 2017 at 5:43 PM, khers wrote: > Dear Andrew > > This is a good explanation of how session add and delete works, > I think this is not a benign operation, I could

Re: [vpp-dev] ACL Plugin: check for null session

2017-12-12 Thread khers
Dear Andrew This is a good explanation of how session add and delete works, I think this is not a benign operation, I could produce the rare scenario you explained. I will send backtrace and other details tomorrow. On Tue, Dec 12, 2017 at 2:46 PM, Andrew Yourtchenko wrote: >

Re: [vpp-dev] ACL Plugin: check for null session

2017-12-12 Thread Andrew Yourtchenko
Dear Khers, I think you are right. Normally the entry in the session hash table is deleted before any operations with the per-worker pool, so we should not end up on that line. Also, the deletion itself usually happens as a result of the idle timeout - meaning, no packets hit the session for a

Re: [vpp-dev] ACL Plugin: check for null session

2017-12-11 Thread khers
Dear Andrew I'm working on d594711a5d79859a7d0bde83a516f7ab52051d9b commit on stable/1710 branch. sorry for less info. I can't reproduce last issue I have reported, forgot the commit I was working on. Regards, Khers On Mon, Dec 11, 2017 at 12:24 PM, Andrew Yourtchenko

[vpp-dev] ACL Plugin: check for null session

2017-12-11 Thread khers
Dear VPP folks, The get_session_ptr function may return null pointer, while we do not check this situation in code, for example fa_node.c line 1029, if the sess equals null, we get segmentation fault in next usage of sess. Please share your thoughts about this. Regards, Khers

Re: [vpp-dev] ACL Plugin: tagged interface

2017-11-29 Thread Andrew Yourtchenko
Khers, Thanks! Just after I sent you the reply Dave had pointed out coverity was unhappy with some of the code, including that particular line. So I got rid of memcpy altogether and while at it fixed the values for both this place and the other one I told you about - in change 9611. --a > On

Re: [vpp-dev] ACL Plugin: tagged interface

2017-11-28 Thread khers
Dear Andrew Thanks for your attention, Yes of course I pushed to gerrit with id 9615. Regards, Khers On Tue, Nov 28, 2017 at 8:37 PM, Andrew Yourtchenko wrote: > Dear Khers, > > I believe you are right. That might not be all though... “dot1q”/“dot1ad” > mask value constant

Re: [vpp-dev] ACL Plugin: tagged interface

2017-11-28 Thread Andrew Yourtchenko
Dear Khers, I believe you are right. That might not be all though... “dot1q”/“dot1ad” mask value constant does not appear to make sense to me now. They should be “XX XX” to mask out the bits and also should be set accordingly to the proper values during the addition of the sessions. (I suppose

Re: [vpp-dev] ACL

2017-11-19 Thread Yuliang Li
I tried some ACL config, but it does not work as I expected. I send traffic into interface 1, and vpp should send the traffic out through interface 2. For ACL, I first add this ACL. acl_add_replace ipv4 src 10.0.0.0/8 deny Then, I send traffic after adding each of the following 4 configs.

[vpp-dev] ACL API Change

2017-11-13 Thread Jon Loeliger
Folks, So, yeah, I was just blind-sided by an API change in the ACL code. Not to name names, or anything but it was commit 36ea2d6d3a67a60534a7c2b58551688858a1ce7f One armed NAT (VPP-1035) Use a single physical interface in order to accomplish NAT44/NAT64. That patch also

Re: [vpp-dev] ACL

2017-11-13 Thread Yuliang Li
It works! Thanks. Another question: if I want to use ACL plugin in non-debug build (say, build-release), can I use vat? Or I need to use the python code? On Mon, Nov 13, 2017 at 12:06 PM, Andrew Yourtchenko wrote: > “Make build” in the VPP directory will get you a debug

Re: [vpp-dev] ACL

2017-11-13 Thread Andrew Yourtchenko
“Make build” in the VPP directory will get you a debug build. The $1 and such is just standard shell scripting, in case I need to pass some parameters to vat. I don’t think I had ever needed them... --a > On 13 Nov 2017, at 17:40, Yuliang Li wrote: > > Maybe this is a

Re: [vpp-dev] ACL

2017-11-13 Thread Yuliang Li
Maybe this is a stupid question.. Does vat have to work with debug builds? And how to do the debug builds? What are the $1~$5 in your script? Thanks, Yuliang On Mon, Nov 13, 2017 at 3:03 AM, Andrew Yourtchenko wrote: > When just running vat from within the source tree, it

Re: [vpp-dev] ACL

2017-11-13 Thread Andrew Yourtchenko
When just running vat from within the source tree, it needs to know the path for the plugins, for debug builds I usually have the following small shell script which takes care of this without requiring me thinking every time (of course needs to be launched from the vpp top directory since it

Re: [vpp-dev] ACL

2017-11-12 Thread Yuliang Li
Thanks for the quick reply. I still fail to use the vat to configure ACL. After make build-release, I use sudo build-root/build-vpp-native/vpp/vpp_api_test, but it tells me: 'acl_plugin_get_version': function not found Other ACL commands have the same problem. I also tried make build-vat, but it

Re: [vpp-dev] ACL

2017-11-12 Thread Andrew Yourtchenko
Hi Yuliang, You can look at the test/test_acl_plugin_*.py files for the examples of interactions with plugin from python code. Alternatively, you can use VPP API test tool (vat) which is built together with VPP and then issue the API calls directly from there. Shout if you have any questions,

[vpp-dev] ACL

2017-11-12 Thread Yuliang Li
Hi, I want to use the ACL plugin https://wiki.fd.io/view/VPP/SecurityGroups. It seems it can only be configured via API. I only used vppctl before. Can anyone please tell how to use the API to configure? Or are there other ways to configure? Thanks, -- Yuliang Li PhD student Department of

Re: [vpp-dev] ACL Build/Test Issues

2017-11-11 Thread Klement Sekera -X (ksekera - PANTHEON TECHNOLOGIES at Cisco)
Quoting Jon Loeliger (2017-11-10 23:11:36) >First, this is draconian for no really good reason.  Second, it should be >fixed.  Third, I would do that except I am stupid and need a clue where >or how to fix this situation so the tests are less draconian.  (Can we >get a "less than

Re: [vpp-dev] ACL Build/Test Issues

2017-11-10 Thread Jon Loeliger
Chris, On Fri, Nov 10, 2017 at 8:27 PM, Luke, Chris wrote: > If you’re wondering where the tests are: > > > > $ ls test/*acl* > > test/test_acl_plugin_conns.py test/test_acl_plugin_macip.py > > test/test_acl_plugin_l2l3.py test/test_acl_plugin.py > Ah, excellent! >

Re: [vpp-dev] ACL Build/Test Issues

2017-11-10 Thread Luke, Chris
Cc: vpp-dev <vpp-dev@lists.fd.io> Subject: Re: [vpp-dev] ACL Build/Test Issues On Fri, Nov 10, 2017 at 5:54 PM, Andrew Yourtchenko <ayour...@gmail.com> wrote: Hi Jon, On 10 Nov 2017, at 23:11, Jon Loeliger <j...@netgate.com<mailto:j...@netg

Re: [vpp-dev] ACL Build/Test Issues

2017-11-10 Thread Jon Loeliger
On Fri, Nov 10, 2017 at 5:54 PM, Andrew Yourtchenko wrote: > Hi Jon, > > On 10 Nov 2017, at 23:11, Jon Loeliger wrote: > > Folks, > > Every error from the ACL implementation is -1. Generically bad. > Without regard for what might be more useful to an

Re: [vpp-dev] ACL Build/Test Issues

2017-11-10 Thread Andrew Yourtchenko
Hi Jon, > On 10 Nov 2017, at 23:11, Jon Loeliger wrote: > > Folks, > > Every error from the ACL implementation is -1. Generically bad. > Without regard for what might be more useful to an upper-layer UI. When we discussed with the openstack folks the way they are treating

[vpp-dev] ACL Build/Test Issues

2017-11-10 Thread Jon Loeliger
Folks, Every error from the ACL implementation is -1. Generically bad. Without regard for what might be more useful to an upper-layer UI. So I submitted a patch to help this situation some. https://gerrit.fd.io/r/#/c/9383/ I have built and tested it locally, but it fails the Verify Tests

Re: [vpp-dev] acl priority

2017-09-06 Thread Andrew Yourtchenko
Hi, If you talk about the acl plugin then the ACLs are evaluated in the order of them applied and same about the ACEs within an acl - to change the order you can apply a differently sorted list or call acl_add_replace with new contents of the ACL. If you talk about the built in ACLs using classifier

[vpp-dev] acl priority

2017-09-06 Thread yug...@telincn.com
Hi all, Does vpp acl support adjust priority? I have configured ten acl rules, if I want to move the tenth acl to be the first acl, is there an easy way to do this? Regards, Ewan yug...@telincn.com

Re: [vpp-dev] ACL Match in fa_node.c

2017-08-29 Thread Andrew Yourtchenko
gust 27, 2017 6:30 AM > To: Wang, Yipeng1 <yipeng1.w...@intel.com> > Cc: vpp-dev@lists.fd.io; zhang...@yunshan.net.cn > Subject: Re: [vpp-dev] ACL Match in fa_node.c > > Hi Yipeng, > > It's already there - just have a look through hash_* files in the ACL plug

Re: [vpp-dev] ACL Match in fa_node.c

2017-08-27 Thread Andrew Yourtchenko
> > From: "Andrew  Yourtchenko"; > > Date: Tue, May 23, 2017 07:56 PM > > To: "张攀"; > > Cc: "vpp-dev"; > > Subject: Re: [vpp-dev] ACL Match in fa_node.c > > > > > > Hi! > > > > On 5/23/17, 张攀

Re: [vpp-dev] acl-plugin now uses its own memory heap (master & stable/1707)

2017-08-08 Thread Andrew Yourtchenko
Hi Burt, Makes sense. Quickly looking at the code it shouldn't be affecting, but that file should be indeed with everything else. So I rebuilt it from 48_8 one in the master, and the gerrit is here: https://gerrit.fd.io/r/#/c/7937/ Hopefully Damjan can review and +2 it. --a On 8/8/17, Burt

[vpp-dev] acl-plugin now uses its own memory heap (master & stable/1707)

2017-08-08 Thread Andrew Yourtchenko
Hi all, Just a heads-up: I am currently working on a few issues in acl-plugin that the system testing as part of the open stack setup has uncovered, one of them was a memory corruption in the new hash-table based matching code. Those are always a pain to debug also because they of course can trip

Re: [vpp-dev] ACL commands

2017-07-08 Thread Andrew Yourtchenko
There are two different mechanisms in VPP which you can use: 1) classifier-based ACLs https://wiki.fd.io/view/VPP/Introduction_To_N-tuple_Classifiers It is faster than acl plugin, and allows only stateless operation which is essentially bitmask-based. 2) acl plugin

[vpp-dev] ACL commands

2017-07-07 Thread Yuliang Li
Hi, Does anyone know how to configure ACL in vpp? Is there any document? Thanks, -- Yuliang Li PhD student Department of Computer Science Yale University

Re: [vpp-dev] ACL Match in fa_node.c

2017-05-25 Thread zhang...@yunshan.net.cn
hands-on experiences, looking forward to collaborating with you :p Best Regards, Pan zhang...@yunshan.net.cn From: Andrew  Yourtchenko Date: 2017-05-24 02:48 To: 张攀 CC: vpp-dev Subject: Re: [vpp-dev] ACL Match in fa_node.c Hi Pan! On 5/23/17, 张攀 <zhang...@yunshan.net.cn> wrote: >

Re: [vpp-dev] ACL Match in fa_node.c

2017-05-23 Thread 张攀
Hi Andrew! -- Original -- From: "Andrew  Yourtchenko"<ayour...@gmail.com>; Date: Tue, May 23, 2017 07:56 PM To: "张攀"<zhang...@yunshan.net.cn>; Cc: "vpp-dev"<vpp-dev@lists.fd.io>; Subject: Re: [vpp-de

[vpp-dev] ACL Match in fa_node.c

2017-05-23 Thread 张攀
Hi guys, I looked into the source code of vpp/src/plugin/acl/fa_node.c, in function full_acl_match_5tuple(), it seems that every ingress packet is matching against each ACL rule stored in acl_main->acls in a for-loop manner. This seems not fairly effective. Besides, I notice that in

Re: [vpp-dev] ACL API Questions

2017-05-17 Thread Andrew  Yourtchenko
Hi Jon, On 5/17/17, Jon Loeliger wrote: > On Wed, May 17, 2017 at 4:35 PM, Andrew  Yourtchenko > wrote: > >> Jon, >> >> No, you are not missing anything, there is a ping missing there indeed... >> :-) >> > > Hi Andrew, > > OK, *phew*. Not this time then.

Re: [vpp-dev] ACL API Questions

2017-05-17 Thread Jon Loeliger
On Wed, May 17, 2017 at 4:35 PM, Andrew  Yourtchenko wrote: > Jon, > > No, you are not missing anything, there is a ping missing there indeed... > :-) > Hi Andrew, OK, *phew*. Not this time then. Good to know! > At the time I could not figure out how to get the

Re: [vpp-dev] ACL API Questions

2017-05-17 Thread Andrew  Yourtchenko
Jon, No, you are not missing anything, there is a ping missing there indeed... :-) At the time I could not figure out how to get the CONTROL_PING to be sent from within the VAT, and since the main use case was programmatic-API driven (I had used VAT primarily during the initial debugging/sanity

[vpp-dev] ACL API Questions

2017-05-17 Thread Jon Loeliger
Folks, I have two questions about the ACL plugin's API. First, when there are no ACLs configured and an ACL_DUMP is requested, there is no way for the API to reply except to not send a message and let the "wait for message" time-out and indicate failure. The same problem exists if one requests

Re: [vpp-dev] ACL + classifier table does not work on subinterface as expected

2017-05-12 Thread John Lo (loj)
ACL in the IP4 forwarding path of which interface. Regards, John From: vpp-dev-boun...@lists.fd.io [mailto:vpp-dev-boun...@lists.fd.io] On Behalf Of Mina Jafari Sent: Friday, May 12, 2017 2:19 PM To: vpp-dev@lists.fd.io Subject: [vpp-dev] ACL + classifier table does not work on subinterface

Re: [vpp-dev] acl packet trace interpretation help

2017-05-03 Thread Andrew  Yourtchenko
Hi Juraj, Sorry for the delay. Minus 1 for the acl# means no acl had matched, so this should be default deny, however the odd output from the dump means it needs a closer look. Please send me the saved binary API trace from the moment of startup to the observation of the problem + the packet

Re: [vpp-dev] ACL match tunnel interface

2017-05-02 Thread John Lo (loj)
: Monday, May 01, 2017 10:04 PM To: vpp-dev@lists.fd.io Subject: [vpp-dev] ACL match tunnel interface Hi guys, There are some questions about acl in tunnel interface: I can only match the tunnel rather than the desired inner flow; What should I do to match the inner flow? Thanks, xyxue
