[vpp-dev] acl ipv6 rule creation with VAPI. #acl #ipv6 #vapi

Hi Experts, I got tired trying several ways to add the IPV6 ACL rules using API. I couldn't successful. The same thing working fine with IPv4 rule. When I tried IPV6 rule, I am getting retval is -58, I am not able to figure out what is this error. Can anyone please help me to understand what

Re: [vpp-dev] ACL-->ABF--> Memif, Seeing arp request for the packets #acl #abf #policy #routing

Neale, This is really I never thought we can create VLAN for memif This saved enormous of amount my time... I am really excited and its working perfectly fine. //Ravi -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#19822):

Re: [vpp-dev] ACL-->ABF--> Memif, Seeing arp request for the packets #acl #abf #policy #routing

: Re: [vpp-dev] ACL-->ABF--> Memif, Seeing arp request for the packets #acl #abf #policy #routing [Edited Message Follows] Hi Neale, Thanks for your time. Yes I got that and I did created a dummy arp to make this work. ip neighbor memif1/0 192.168.1.3 dead.dead.dead set acl-plugin acl perm

Re: [vpp-dev] ACL-->ABF--> Memif, Seeing arp request for the packets #acl #abf #policy #routing

[Edited Message Follows] Hi Neale, Thanks for your time. Yes I got that and I did created a dummy arp to make this work. ip neighbor memif1/0 192.168.1.3 dead.dead.dead set acl-plugin acl permit dst 172.172.0.0/24 abf policy add id 0 acl 0 via 192.168.1.3 memif1/0 abf attach ip4 policy 0 

Re: [vpp-dev] ACL-->ABF--> Memif, Seeing arp request for the packets #acl #abf #policy #routing

Hi Neale, Thanks for your time. Yes I got that and I did created a dummy arp to make this work. ip neighbor memif1/0 192.168.1.3 dead.dead.dead set acl-plugin acl permit dst 172.172.0.0/24 abf policy add id 0 acl 0 via 192.168.1.3 memif1/0 abf attach ip4 policy 0  HundredGigabitEthernet12/0/0

Re: [vpp-dev] ACL-->ABF--> Memif, Seeing arp request for the packets #acl #abf #policy #routing

To: vpp-dev@lists.fd.io Subject: [vpp-dev] ACL-->ABF--> Memif, Seeing arp request for the packets #acl #abf #policy #routing [Edited Message Follows] Hi Experts, We are trying to implement forwarding dst X.X.X.X/X subnet packets on interface Y to the memif1/0 To achieve that we used ACL a

[vpp-dev] ACL-->ABF--> Memif, Seeing arp request for the packets #acl #abf #policy #routing

[Edited Message Follows] Hi Experts, We are trying to implement forwarding dst X.X.X.X/X subnet packets on interface Y to the memif1/0 To achieve that we used ACL and ABF policy rules. When I am trying to send traffic to "X.X.X.X" network I see ARP requests for that subnet on memif1/0. We don't

[vpp-dev] ACL-->ABF--> Memif, Seeing arp request for the packets #acl #abf #policy #routing

Hi Experts, We are trying to implement forwarding dst X.X.X.X/X subnet packets on interface Y to the memif1/0 To achieve that we used ACL and ABF policy rules. When I am trying to send traffic to "X.X.X.X" network I see ARP requests for that subnet on memif1/0. We don't need to send ARP for

Re: [vpp-dev] ACL IPV6 rule addition using the "set acl_plugin acl" command from "vppctl" #vppctl #acl #acl_plugin #ipv6

io/r/c/vpp/+/33142 > > /neale > > From: vpp-dev@lists.fd.io on behalf of Andrew > Yourtchenko via lists.fd.io > Date: Wednesday, 14 July 2021 at 23:53 > To: RaviKiran Veldanda , Jakub Grajciar > > Cc: vpp-dev@lists.fd.io > Subject: Re: [vpp-dev] ACL IPV6 rule additio

Re: [vpp-dev] ACL IPV6 rule addition using the "set acl_plugin acl" command from "vppctl" #vppctl #acl #acl_plugin #ipv6

Evidently a typo. Here you go: https://gerrit.fd.io/r/c/vpp/+/33142 /neale From: vpp-dev@lists.fd.io on behalf of Andrew Yourtchenko via lists.fd.io Date: Wednesday, 14 July 2021 at 23:53 To: RaviKiran Veldanda , Jakub Grajciar Cc: vpp-dev@lists.fd.io Subject: Re: [vpp-dev] ACL IPV6

Re: [vpp-dev] ACL IPV6 rule addition using the "set acl_plugin acl" command from "vppctl" #vppctl #acl #acl_plugin #ipv6

Ravi, appears that the commit 2f8cd914514fe54f91974c6d465d4769dfac8de8 has hardcoded the IP address family in the CLI handler to IPv4: 0490db79b src/plugins/acl/acl.c(Neale Ranns2020-03-24 15:09:41 + 2873) else if (unformat (line_input, "src %U/%d", bf883bb086

[vpp-dev] ACL IPV6 rule addition using the "set acl_plugin acl" command from "vppctl" #vppctl #acl #acl_plugin #ipv6

Hi Experts, We were trying to create some ACL rules for IPv6 addresses, *"set acl-plugin acl permit src 2001:5b0::1150::0/64 " in vppctl. * "set acl-plugin acl permit ipv6 src 2001:5b0::1150::0/64 " in vppctl. giving ACL index but when I check "show acl_plugin acl" its not giving any

[vpp-dev] ACL- IN and OUT interface

[Edited Message Follows] Hello Team, Is there option to specify IN and OUT interface(sw_index) in ACL along with ACE? pseudo rule - drop src x.x.x.x dst y.y.y.y when in-interface is x1 and out interface is x2 -> like iptables Regards, Sachin -=-=-=-=-=-=-=-=-=-=-=- Links: You receive

[vpp-dev] ACL- IN and OUT interface

Hello Team, Is there option to specify IN and OUT interface(sw_index) in ACL along with ACE? pseudo rule - drop src x.x.x.x dst y.y.y.y when in-interface is x1 and out interface is x2 Regards, Sachin -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online

Re: [vpp-dev] ACL panics in `hash_acl_set_heap`

Hi Mahdi, This patch should apply, ACL plugin had not seen much changes recently, but then you are not running a 20.05 anymore :-) I would strongly suggest to evaluate on what limitations prevent you from following the master branch as close as possible and address them. This may seem

Re: [vpp-dev] ACL panics in `hash_acl_set_heap`

Hi Andrew, Thanks for you response. That makes sense. I will monitor my box memory usage. Unfortunately I'm using VPP 20.05. So I will try to forwardport( we have it? :D) this patch to it. -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#17433):

Re: [vpp-dev] ACL panics in `hash_acl_set_heap`

ACL plugin historically uses its own heaps for hash lookup data. It should be just 64M by default. It’s been like that since day1, so you might need to look at your memory usage on that box overall... I am not sure if custom heaps use the huge pages or not - maybe you need to have less huge

[vpp-dev] ACL panics in `hash_acl_set_heap`

Hi VPP folks, Setting ACL from VAPI, we have a panic `ACL plugin failed to allocate lookup heap of %U bytes` in `hash_acl_set_heap` function. It doesn't happen always. Time to time and randomly this problem occurs. My system has 8G of RAM. VPP is running with the default `startup.conf`. I've

Re: [vpp-dev] ACL plugin optimization

; Jieqiang > Wang ; Honnappa Nagarahalli > ; nd > Subject: Re: [vpp-dev] ACL plugin optimization > > Hi Govind, > > 1) According to Jenkins, this patch permits some of the packets that should > be denied, hence JJB voted "-1". > > 2) If you suspect merely th

Re: [vpp-dev] ACL plugin optimization

> ; nd > Subject: Re: [vpp-dev] ACL plugin optimization > > > Hi Govind, > > As well as removing the prefetches, you've also removed the per packet call > to acl_fa_find_session_with_hash(). So IIUC you've removed the per-packet > session lookup and instead re-use

Re: [vpp-dev] ACL plugin optimization

Hi Govind, As well as removing the prefetches, you've also removed the per packet call to acl_fa_find_session_with_hash(). So IIUC you've removed the per-packet session lookup and instead re-use the lookup of packet 0 each time. that'll make things quicker but it's not functionally correct.

Re: [vpp-dev] ACL plugin optimization

Hi Govind, 1) According to Jenkins, this patch permits some of the packets that should be denied, hence JJB voted "-1". 2) If you suspect merely the prefetches are the issue, just commenting out the body of prefetch_session_entry() in the original code should turn it into a no-op that doesn't

[vpp-dev] ACL plugin optimization

Hi Andrew, While profiling the ACL plugin node using perf tool in ARM Neoverse platform, Bihash related prefetches were shown as bottleneck. Performance improvement is seen in ARM N1, TX2 and Intel Skylake servers after removing those prefetches. Testing is done with Ingress ACL/IPv4

Re: [vpp-dev] ACL question

Thanks Neale. It works now. From: Neale Ranns (nranns) Sent: Saturday, May 2, 2020 8:15 AM To: Govindarajan Mohandoss ; Andrew Yourtchenko Cc: John Lo (loj) ; Paul Vinciguerra ; vpp-dev@lists.fd.io; nd ; Lijian Zhang ; Jieqiang Wang Subject: Re: [vpp-dev] ACL question From: Govindarajan

Re: [vpp-dev] ACL question

From: Govindarajan Mohandoss Date: Friday 1 May 2020 at 21:15 To: "Neale Ranns (nranns)" , Andrew Yourtchenko Cc: "John Lo (loj)" , Paul Vinciguerra , "vpp-dev@lists.fd.io" , nd , Lijian Zhang , Jieqiang Wang , nd Subject: RE: [vpp-dev] ACL question Hi N

Re: [vpp-dev] ACL question

; Lijian Zhang ; Jieqiang Wang Subject: Re: [vpp-dev] ACL question Or in the latest version you can create ACLs on the CLI: set acl-plugin acl ? set acl-plugin interface ? /neale From: mailto:vpp-dev@lists.fd.io>> on behalf of Andrew Yourtchenko mailto:ayour...@gmail.com>> Dat

Re: [vpp-dev] ACL question

Thanks Neale. From: Neale Ranns (nranns) Sent: Wednesday, April 29, 2020 4:24 AM To: Andrew Yourtchenko ; Govindarajan Mohandoss Cc: John Lo (loj) ; Paul Vinciguerra ; vpp-dev@lists.fd.io; nd ; Lijian Zhang ; Jieqiang Wang Subject: Re: [vpp-dev] ACL question Or in the latest version you

Re: [vpp-dev] ACL question

ndarajan Mohandoss Cc: John Lo (loj) ; Paul Vinciguerra ; vpp-dev@lists.fd.io; nd ; Lijian Zhang ; Jieqiang Wang Subject: Re: [vpp-dev] ACL question Hi Govind, 1) make an api trace and inspect the message there - whether it contains the entries you are expecting. 1a) If it does, then you can t

Re: [vpp-dev] ACL question

sts.fd.io" , nd , Lijian Zhang , Jieqiang Wang Subject: Re: [vpp-dev] ACL question Hi Govind, 1) make an api trace and inspect the message there - whether it contains the entries you are expecting. 1a) If it does, then you can trivially recreate the same message using the python api just by

Re: [vpp-dev] ACL question

Lo (loj) > Sent: Tuesday, April 28, 2020 10:38 PM > To: Govindarajan Mohandoss ; Paul Vinciguerra > > Cc: Andrew  Yourtchenko ; vpp-dev@lists.fd.io; nd > ; Lijian Zhang ; Jieqiang Wang > ; nd > Subject: RE: [vpp-dev] ACL question > > Try “make test TEST=acl_plugin”.

Re: [vpp-dev] ACL question

Zhang ; Jieqiang Wang ; nd Subject: RE: [vpp-dev] ACL question Try “make test TEST=acl_plugin”. -John From: vpp-dev@lists.fd.io<mailto:vpp-dev@lists.fd.io> mailto:vpp-dev@lists.fd.io>> On Behalf Of Govindarajan Mohandoss Sent: Tuesday, April 28, 2020 11:22 PM To: Paul Vinciguerra

Re: [vpp-dev] ACL question

Thanks John. From: John Lo (loj) Sent: Tuesday, April 28, 2020 10:38 PM To: Govindarajan Mohandoss ; Paul Vinciguerra Cc: Andrew  Yourtchenko ; vpp-dev@lists.fd.io; nd ; Lijian Zhang ; Jieqiang Wang ; nd Subject: RE: [vpp-dev] ACL question Try “make test TEST=acl_plugin”. -John From

Re: [vpp-dev] ACL question

Try “make test TEST=acl_plugin”. -John From: vpp-dev@lists.fd.io On Behalf Of Govindarajan Mohandoss Sent: Tuesday, April 28, 2020 11:22 PM To: Paul Vinciguerra Cc: Andrew  Yourtchenko ; vpp-dev@lists.fd.io; nd ; Lijian Zhang ; Jieqiang Wang ; nd Subject: Re: [vpp-dev] ACL question Hi

Re: [vpp-dev] ACL question

: Re: [vpp-dev] ACL question See: src/plugins/acl/test/test_acl_plugin.py On Tue, Apr 28, 2020 at 7:19 PM Govindarajan Mohandoss mailto:govindarajan.mohand...@arm.com>> wrote: Sure Andrew. Is there a unit test case for ACL plugin ? From: Andrew  Yourtchenko mailto:ayour...@gmail.com&

Re: [vpp-dev] ACL question

Thanks Paul ! From: Paul Vinciguerra Sent: Tuesday, April 28, 2020 9:22 PM To: Govindarajan Mohandoss Cc: Andrew  Yourtchenko ; vpp-dev@lists.fd.io; nd ; Lijian Zhang ; Jieqiang Wang Subject: Re: [vpp-dev] ACL question See: src/plugins/acl/test/test_acl_plugin.py On Tue, Apr 28, 2020 at 7

Re: [vpp-dev] ACL question

, April 28, 2020 4:57 PM > *To:* Govindarajan Mohandoss > *Cc:* vpp-dev@lists.fd.io; nd ; Lijian Zhang < > lijian.zh...@arm.com>; Jieqiang Wang > *Subject:* Re: [vpp-dev] ACL question > > > > 1-3: no. > > 4: please make a “make test” test case illustrating the problem and share

Re: [vpp-dev] ACL question

192.81.1.1/32 dst 192.82.1.1/32 proto 17 sport > 100 dport 53 > 53: ipv4 permit src 0.0.0.0/0 dst 0.0.0.0/0 proto 0 sport 0-65535 > dport 0-65535 > applied inbound on sw_if_index: 1 > used in lookup context index: 0 > “ > > Thanks > Govind > > > ----

Re: [vpp-dev] ACL question

> To: Andrew  Yourtchenko > Cc: vpp-dev@lists.fd.io > Subject: Re: [vpp-dev] ACL question > > Thank you very much Andrew !! I will do some benchmarks and get back to > you to understand it better. > > Thanks > Govind > > > -Original Message-

Re: [vpp-dev] ACL question

for the bihash memory usage have been tested with half a > million sessions - so you can extrapolate from those with some ballpark > (though bihash memory usage is not linear wrt the entries, and also there is > some extra memory churn due to bucket reallocations when the size > increa

Re: [vpp-dev] ACL question

ark (though bihash memory usage is not linear wrt the entries, and also there is some extra memory churn due to bucket reallocations when the size increases). —a > > > Thanks > > Govind > > > > From: vpp-dev@lists.fd.io On Behalf Of Govindarajan > Mohandoss via Lists.F

Re: [vpp-dev] ACL question

is needed compared to SL mode ? Thanks Govind From: vpp-dev@lists.fd.io On Behalf Of Govindarajan Mohandoss via Lists.Fd.Io Sent: Thursday, March 26, 2020 12:37 PM To: Andrew  Yourtchenko Cc: vpp-dev@lists.fd.io Subject: Re: [vpp-dev] ACL question Hi Andrew, Thanks for the document. Can you

Re: [vpp-dev] ACL question

; nd Subject: Re: [vpp-dev] ACL question As an acl plugin author I can say both stateful and stateless ACLs are used for different consumers. Various matching implementations in vpp are used in different use cases... and there is not a single silver bullet magic answer, because the trade

Re: [vpp-dev] ACL question

As an acl plugin author I can say both stateful and stateless ACLs are used for different consumers. Various matching implementations in vpp are used in different use cases... and there is not a single silver bullet magic answer, because the trade offs are different.

[vpp-dev] ACL question

Hello ACL Maintainer, We want to measure and optimize the ACL performance for ARM servers. As per the foll. link, there are 4 different implementation of ACLs in VPP. https://fd.io/docs/vpp/master/usecases/acls.html We would like to start with most commonly used ACL implementation in

Re: [vpp-dev] ACL drops while pinging another interface

hernet0/0/2 >> Link speed: unknown >> Ethernet address fa:16:3c:05:66:7c >> VirtualEthernet0/0/3 6 up VirtualEthernet0/0/3 >> Link speed: unknown >> Ethernet address fa:16:3c:f0:21:0a >> VirtualEthernet0/0/4 7 up Virtu

Re: [vpp-dev] ACL drops while pinging another interface

Gbps > Ethernet address 02:fe:27:ea:09:82 > flags: admin-up > > It looks like there doesn’t even exist an acl for VirtualEthernet0/0/3? Is > that why it is dropped? > > Eyle > > From: Andrew  Yourtchenko > Date: Thursday, 5

Re: [vpp-dev] ACL drops while pinging another interface

address 02:fe:99:32:82:4f > flags: admin-up promiscuous > rdma1 2 up rdma1 > Link speed: 40 Gbps > Ethernet address 02:fe:27:ea:09:82 > flags: admin-up > > It looks like there doesn’t even exist an acl for VirtualEthernet0/0/3? Is >

Re: [vpp-dev] ACL drops while pinging another interface

From: mailto:vpp-dev@lists.fd.io>> on behalf of Andrew Yourtchenko mailto:ayour...@gmail.com>> Date: Thursday, September 5, 2019 at 7:20 AM To: Eyle Brinkhuis mailto:eyle.brinkh...@surfnet.nl>> Cc: "vpp-dev@lists.fd.io<mailto:vpp-dev@lists.fd.io>" mailto:vp

Re: [vpp-dev] ACL drops while pinging another interface

> From: on behalf of Andrew Yourtchenko > > Date: Thursday, September 5, 2019 at 7:20 AM > To: Eyle Brinkhuis > Cc: "vpp-dev@lists.fd.io" > Subject: Re: [vpp-dev] ACL drops while pinging another interface > > Thanks for the traces ! > > MACIP acl us

Re: [vpp-dev] ACL drops while pinging another interface

table 12, offset -1 00:53:47:316361: error-drop rx:VirtualEthernet0/0/3 -Naveen From: on behalf of Andrew Yourtchenko Date: Thursday, September 5, 2019 at 7:20 AM To: Eyle Brinkhuis Cc: "vpp-dev@lists.fd.io" Subject: Re: [vpp-dev] ACL drops while pinging another interface Thank

Re: [vpp-dev] ACL drops while pinging another interface

Thanks for the traces ! MACIP acl uses the classifier-bases “ip-acl”; so it sounds like it is not programmed with the source Mac of your packets. “Show acl-plugin macip” will help to see what the acl plugin sees, and if it looks legit, then you can check the classifier tables applied as input

[vpp-dev] ACL based security group of VPP

Hi vpp-dev, I'm testing security group functions on VPP19.08, and got some questions here. I have two vms: A(172.16.0.1/24, using vxlan_tunnel10 / bridge 10) and B(172.16.1.1/24, using vxlan_tunnel11 / bridge 11). Both these two networks' gateway is X.254, configured on VPP bridges (10 and

Re: [vpp-dev] ACL not working #vpp

Thanks Andrew, I've successfully done acl_plugin test. BTW, just reply here for latecomers, do "V=2 EXTENDED_TESTS=1 TEST=acl_plugin* make test" to do more test and print verbosely. Since I'm testing stateful ACL by watching behavior of test_acl_plugin_conns.py, along with explaination from

Re: [vpp-dev] ACL not working #vpp

The VPP packet tracer might tell a bit more what is going on. https://wiki.fd.io/view/VPP/Command-line_Interface_(CLI)_Guide#packet_tracer Also you can do “TEST=acl_plugin* make test” and examine the logs of successful testcase runs and compare with what you have. --a > On 3 Sep 2019, at

Re: [vpp-dev] ACL not working #vpp

More info about acl plugin vpp# show acl-plugin acl acl-index 4 count 2 tag {} 0: ipv4 deny src 0.0.0.0/0 dst 0.0.0.0/0 proto 1 sport 0-65535 dport 0-65535 1: ipv4 permit src 0.0.0.0/0 dst 0.0.0.0/0 proto 6 sport 0-65535 dport 0-65535 applied inbound on sw_if_index: 1 applied outbound on

[vpp-dev] ACL not working #vpp

Hi vpp-dev, I'm testing security group functions on VPP19.08, and got some questions here. I have two vms: A(172.16.0.1/24, using vxlan_tunnel10 / bridge 10) and B(172.16.1.1/24, using vxlan_tunnel11 / bridge 11). Both these two networks' gateway is X.254, configured on VPP bridges (10 and

Re: [vpp-dev] ACL and Policier

Hi! No, it isn’t... --a > On 28 Feb 2019, at 02:33, mahdy.varas...@gmail.com wrote: > > Hi > > I wondered if we can use ACLs instead of classifier tables in Policies. How > is it possible? ( if it is possible) > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. >

[vpp-dev] ACL and Policier

Hi I wondered if we can use ACLs instead of classifier tables in Policies. How is it possible? ( if it is possible) -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#12382): https://lists.fd.io/g/vpp-dev/message/12382 Mute This Topic:

[vpp-dev] acl-plugin gerrit 9689: should I change the (default) behavior to reclassify existing sessions not permitted by updated policy ?

Hi all, for those of you using in some fashion the acl-plugin code, wanted to get your eyes on this in-the-works patch: https://gerrit.fd.io/r/#/c/9689/ as well as get your opinion on the following: (1) should I KEEP the default as it is now (which is to retain the sessions which are already

Re: [vpp-dev] ACL Plugin: check for null session

Dear Andrew Unfortunately I can't reproduce this case. It's really a rare situation. Regards On Tue, Dec 12, 2017 at 5:43 PM, khers wrote: > Dear Andrew > > This is a good explanation of how session add and delete works, > I think this not a benign operation, I could

Re: [vpp-dev] ACL Plugin: check for null session

Dear Andrew This is a good explanation of how session add and delete works, I think this not a benign operation, I could produce the rare scenario you explained. I will send backtrace and other details tomorrow. On Tue, Dec 12, 2017 at 2:46 PM, Andrew  Yourtchenko wrote: >

Re: [vpp-dev] ACL Plugin: check for null session

Dear Khers, I think you are right. Normally the entry in the session hash table is deleted before any operations with the per-worker pool, so we should not end up on that line. Also, the deletion itself usually happens as a result of the idle timeout - meaning, no packets hit the session for a

Re: [vpp-dev] ACL Plugin: check for null session

Dear Andrew I'm working on d594711a5d79859a7d0bde83a516f7ab52051d9b commit on stable/1710 branch. sorry for less info. I can't reproduce last issue I have reported, forgot the commit I were working on. Regards, Khers On Mon, Dec 11, 2017 at 12:24 PM, Andrew Yourtchenko

[vpp-dev] ACL Plugin: check for null session

Dear VPP folks, The get_session_ptr function may return null pointer, while we do not check this situation in code, for example fa_node.c line 1029, if the sess equals null, we get segmentation fault in next usage of sess. Please share your thought about this. Regards, Khers

Re: [vpp-dev] ACL Plugin: tagged interface

Khers, Thanks! Just after I sent you the reply Dave had pointed out coverity was unhappy with some of the code, including that particular line. So I got rid of memcpy altogether and while at it fixed the values for both this place and the other one I told you about - in change 9611. --a > On

Re: [vpp-dev] ACL Plugin: tagged interface

Dear Andrew Thanks for your attention, Yes of course I pushed to gerrit with id 9615. Regards, Khers On Tue, Nov 28, 2017 at 8:37 PM, Andrew Yourtchenko wrote: > Dear Khers, > > I believe you are right. That might not be all though... “dot1q”/“dot1ad” > mask value constant

Re: [vpp-dev] ACL Plugin: tagged interface

Dear Khers, I believe you are right. That might not be all though... “dot1q”/“dot1ad” mask value constant does not appear to make sense to me now. They should be “XX XX” to mask out the bits and also should be set accordingly to the proper values during the addition of the sessions. (I suppose

Re: [vpp-dev] ACL

I tried some ACL config, but it does not work as I expected. I send traffic into interface 1, and vpp should send the traffic out through interface 2. For ACL, I first add this ACL. acl_add_replace ipv4 src 10.0.0.0/8 deny Then, I send traffic after adding each of the following 4 configs.

[vpp-dev] ACL API Change

Folks, So, yeah, I was just blind-sided by an API change in the ACL code. Not to name names, or anything by it was commit 36ea2d6d3a67a60534a7c2b58551688858a1ce7f One armed NAT (VPP-1035) Use a single physical interface in order to accomplish NAT44/NAT64. That patch also

Re: [vpp-dev] ACL

It works! Thanks. Another question: if I want to use ACL plugin in non-debug build (say, build-release), is can I use vat? Or I need to use the python code? On Mon, Nov 13, 2017 at 12:06 PM, Andrew Yourtchenko wrote: > “Make build” in the VPP directory will get you a debug

Re: [vpp-dev] ACL

“Make build” in the VPP directory will get you a debug build. The $1 and such is just standard shell scripting, in case I need to pass some parameters to vat. I don’t think I had ever needed them... --a > On 13 Nov 2017, at 17:40, Yuliang Li wrote: > > Maybe this is a

Re: [vpp-dev] ACL

Maybe this is a stupid question.. Does vat have to work with debug builds? And how to do the debug builds? What are the $1~$5 in your script? Thanks, Yuliang On Mon, Nov 13, 2017 at 3:03 AM, Andrew Yourtchenko wrote: > When just running vat from within the source tree, it

Re: [vpp-dev] ACL

When just running vat from within the source tree, it needs to know the path for the plugins, for debug builds I usually have the following small shell script which takes care of this without requiring me thinking every time (of course needs to be launched from the vpp top directory since it

Re: [vpp-dev] ACL

Thanks for the quick reply. I still fail to use the vat to configure ACL. After make build-release, I use sudo build-root/build-vpp-native/vpp/vpp_api_test, but it tell me: 'acl_plugin_get_version': function not found Other ACL commands have the same problem. I also tried make build-vat, but it

Re: [vpp-dev] ACL

Hi Yuliang, You can look at the test/test_acl_plugin_*.py files for the examples of interactions with plugin from python code. Alternatively, you can use VPP API test tool (vat) which is built together with VPP and then issue the API calls directly from there. Shout if you have any questions,

[vpp-dev] ACL

Hi, I want to use the ACL plugin https://wiki.fd.io/view/VPP/SecurityGroups. It seems it can only be configured via API. I only used vppctl before. Can anyone please tell how to use the API to configure? Or is there other ways to configre? Thanks, -- Yuliang Li PhD student Department of

Re: [vpp-dev] ACL Build/Test Issues

Quoting Jon Loeliger (2017-11-10 23:11:36) >First, this is draconian for no really good reason.  Second, it should be >fixed.  Third, I would do that except I am stupid and need a clue where >or how to fix this situation so the tests are less draconian.  (Can we >get a "less than

Re: [vpp-dev] ACL Build/Test Issues

Chris, On Fri, Nov 10, 2017 at 8:27 PM, Luke, Chris wrote: > If you’re wondering where the tests are: > > > > $ ls test/*acl* > > test/test_acl_plugin_conns.py test/test_acl_plugin_macip.py > > test/test_acl_plugin_l2l3.py test/test_acl_plugin.py > Ah, excellent! >

Re: [vpp-dev] ACL Build/Test Issues

gt; Cc: vpp-dev <vpp-dev@lists.fd.io> Subject: Re: [vpp-dev] ACL Build/Test Issues On Fri, Nov 10, 2017 at 5:54 PM, Andrew Yourtchenko <ayour...@gmail.com<mailto:ayour...@gmail.com>> wrote: Hi Jon, On 10 Nov 2017, at 23:11, Jon Loeliger <j...@netgate.com<mailto:j...@netg

Re: [vpp-dev] ACL Build/Test Issues

On Fri, Nov 10, 2017 at 5:54 PM, Andrew Yourtchenko wrote: > Hi Jon, > > On 10 Nov 2017, at 23:11, Jon Loeliger wrote: > > Folks, > > Every error from the ACL implementation is -1. Generically bad. > Without regard for what might be more useful to an

Re: [vpp-dev] ACL Build/Test Issues

Hi Jon, > On 10 Nov 2017, at 23:11, Jon Loeliger wrote: > > Folks, > > Every error from the ACL implementation is -1. Generically bad. > Without regard for what might be more useful to an upper-layer UI. When we discussed with the openstack folks the way they are treating

[vpp-dev] ACL Build/Test Issues

Folks, Every error from the ACL implementation is -1. Generically bad. Without regard for what might be more useful to an upper-layer UI. So I submitted a patch to help this situation some. https://gerrit.fd.io/r/#/c/9383/ I have built and tested it locally, but it fails the Verify Tests

Re: [vpp-dev] acl priority

Hi, If we you talk about acl plugin then the ACLs are evaluated in the order of them applied and same about the ACEs within an acl - to change the order you can apply a differently sorted list or call acl_add_replace with new contents of the ACL. If you talk the built in ACLs using classifier

[vpp-dev] acl priority

Hi all, Does vpp acl sourpport ajust priority? I have configured ten acl rules, if i want to move the tenth acl to be the first acl, is there a easy way to do this? Regards, Ewan yug...@telincn.com ___ vpp-dev mailing list vpp-dev@lists.fd.io

Re: [vpp-dev] ACL Match in fa_node.c

gust 27, 2017 6:30 AM > To: Wang, Yipeng1 <yipeng1.w...@intel.com> > Cc: vpp-dev@lists.fd.io; zhang...@yunshan.net.cn > Subject: Re: [vpp-dev] ACL Match in fa_node.c > > Hi Yipeng, > > It's already there - just have a look through hash_* files in the ACL plug

Re: [vpp-dev] ACL Match in fa_node.c

> > From: "Andrew  Yourtchenko"; > > Date: Tue, May 23, 2017 07:56 PM > > To: "张攀"; > > Cc: "vpp-dev"; > > Subject: Re: [vpp-dev] ACL Match in fa_node.c > > > > > > Hi! > > > > On 5/23/17, 张攀

Re: [vpp-dev] acl-plugin now uses its own memory heap (master & stable/1707)

Hi Burt, Makes sense. Quickly looking at the code it shouldn't be affecting, but that file should be indeed with everything else. So I rebuilt it from 48_8 one in the master, and the gerrit is here: https://gerrit.fd.io/r/#/c/7937/ Hopefully Damjan can review and +2 it. --a On 8/8/17, Burt

[vpp-dev] acl-plugin now uses its own memory heap (master & stable/1707)

Hi all, Just a heads-up: I am currently working on a few issues in acl-plugin that the system testing as part of the open stack setup has uncovered, one of them was a memory corruption in the new hash-table based matching code. Those are always a pain to debug also because they of course can trip

Re: [vpp-dev] ACL commands

There are two different mechanisms in VPP which you can use: 1) classifier-based ACLs https://wiki.fd.io/view/VPP/Introduction_To_N-tuple_Classifiers It is faster than acl plugin, and allows only stateless operation which is essentially bitmask-based. 2) acl plugin

[vpp-dev] ACL commands

Hi, Does anyone knows how to configure ACL in vpp? Is there any document? Thanks, -- Yuliang Li PhD student Department of Computer Science Yale University ___ vpp-dev mailing list vpp-dev@lists.fd.io https://lists.fd.io/mailman/listinfo/vpp-dev

Re: [vpp-dev] ACL Match in fa_node.c

hand-on experiences, looking forwared to collaborating with you :p Best Regards, Pan zhang...@yunshan.net.cn From: Andrew  Yourtchenko Date: 2017-05-24 02:48 To: 张攀 CC: vpp-dev Subject: Re: [vpp-dev] ACL Match in fa_node.c Hi Pan! On 5/23/17, 张攀 <zhang...@yunshan.net.cn> wrote: >

Re: [vpp-dev] ACL Match in fa_node.c

Hi Andrew! -- Original -- From: "Andrew  Yourtchenko"<ayour...@gmail.com>; Date: Tue, May 23, 2017 07:56 PM To: "张攀"<zhang...@yunshan.net.cn>; Cc: "vpp-dev"<vpp-dev@lists.fd.io>; Subject: Re: [vpp-de

[vpp-dev] ACL Match in fa_node.c

Hi guys, I looked into the source code of vpp/src/plugin/acl/fa_node.c, in function full_acl_match_5tuple(), it seems that every ingress packet is matching against each ACL rule stored in acl_main->acls in a for-loop manner. This seems not fairly effective. Besides, I notice that in

Re: [vpp-dev] ACL API Questions

Hi Jon, On 5/17/17, Jon Loeliger wrote: > On Wed, May 17, 2017 at 4:35 PM, Andrew  Yourtchenko > wrote: > >> Jon, >> >> No, you are not missing anything, there is a ping missing there indeed... >> :-) >> > > Hi Andrew, > > OK, *phew*. Not this time then.

Re: [vpp-dev] ACL API Questions

On Wed, May 17, 2017 at 4:35 PM, Andrew  Yourtchenko wrote: > Jon, > > No, you are not missing anything, there is a ping missing there indeed... > :-) > Hi Andrew, OK, *phew*. Not this time then. Good to know! > At the time I could not figure out how to get the

Re: [vpp-dev] ACL API Questions

Jon, No, you are not missing anything, there is a ping missing there indeed... :-) At the time I could not figure out how to get the CONTROL_PING to be sent from within the VAT, and since the main use case was programmatic-API driven (I had used VAT primarily during the initial debugging/sanity

[vpp-dev] ACL API Questions

Folks, I have two questions about the ACL plugin's API. First, when there are no ACLs configured and an ACL_DUMP is requested, there is no way for the API to reply except to not send a message and let the "wait for message" time-out and indicate failure. The same problem exists if one requests

Re: [vpp-dev] ACL + classifier table does not work on subinterface as expected

ACL in the IP4 forwarding path of which interface. Regards, John From: vpp-dev-boun...@lists.fd.io [mailto:vpp-dev-boun...@lists.fd.io] On Behalf Of Mina Jafari Sent: Friday, May 12, 2017 2:19 PM To: vpp-dev@lists.fd.io Subject: [vpp-dev] ACL + classifier table does not work on subinterface

Re: [vpp-dev] acl packet trace interpretation help

Hi juraj, Sorry for the delay. Minus 1 means for the acl# means no acl had matched, so this should be default deny, however the odd output from the dump means it needs a closer look. Please me the saved binary API trace from the moment of startup to the observation of the problem + the packet

Re: [vpp-dev] ACL match tunnel interface

: Monday, May 01, 2017 10:04 PM To: vpp-dev@lists.fd.io Subject: [vpp-dev] ACL match tunnel interface Hi guys， There are some questions about acl in tunnel interface: I can only match the tunnel rather than the desired inner flow; What should I do to match the inner flow? Thanks, xyxue

  1   2   >