Hey VPP Fans,

I've detected a slight anomaly in the handling of MACIP ACLs, and
would like some help tracking down the right solution.

I start by making a MACIP ACL. vppctl shows:

vpp# show acl-plugin macip acl
MACIP acl_index: 0, count: 1 (true len 1) tag {bob} is free pool slot: 0
  ip4_table_index 3, ip6_table_index 3, l2_table_index 3
    rule 0: ipv4 action 1 ip 0.0.0.0/0 mac 00:00:00:00:00:00 mask 00:00:00:00:00:00

I then attach that to an interface, and vppctl still shows:

vpp# show acl-plugin macip acl
MACIP acl_index: 0, count: 1 (true len 1) tag {bob} is free pool slot: 0
  ip4_table_index 3, ip6_table_index 3, l2_table_index 3
    rule 0: ipv4 action 1 ip 0.0.0.0/0 mac 00:00:00:00:00:00 mask 00:00:00:00:00:00

Then, I change the MACIP rule from permit to deny using the
API call macip_acl_add_replace to adjust it in-place.  Now vppctl shows:

vpp# show acl-plugin macip acl
MACIP acl_index: 0, count: 1 (true len 1) tag {bob} is free pool slot: 0
  ip4_table_index 0, ip6_table_index 0, l2_table_index 0
    rule 0: ipv4 action 0 ip 0.0.0.0/0 mac 00:00:00:00:00:00 mask 00:00:00:00:00:00

Notice that the ip4_table_index has changed from 3 in the first two 'show'
command outputs, while it is now 0 in the 3rd 'show' output.

My guess is it should be a consistent value throughout, and I think it
should be table 3, but I'm not certain yet.

When I then go to remove the MACIP from the interface, I am told error -65,
which is "No such table."

So.

Should it have copied the ip4_table_index 3 to the replaced MACIP as it
stands after the macip_add_replace API call?

Or should the original MACIP ACL have inherited the table number 0 from the
interface when it was first bound there?

Given that the complaint (upon deletion) is about table 0 being invalid (as
it should because that table is "permanently present", right?), I suspect
that it should have copied the 3 to the new (after replacement) MACIP.

I'll go digging some more, but thought I'd just throw this out there in case
anyone knows better or more than I.

Thanks,
jdl
_______________________________________________
vpp-dev mailing list
vpp-dev@lists.fd.io
https://lists.fd.io/mailman/listinfo/vpp-dev
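
Added example, not part of the original message and not VPP project code: a small regression check that parses two captures of "show acl-plugin macip acl" and reports any table index that changed for the same acl_index. The sample captures are constructed from the output quoted in the message; the function names are hypothetical.

```python
import re

# Constructed samples, taken from the 'show acl-plugin macip acl' output quoted above.
BEFORE = """MACIP acl_index: 0, count: 1 (true len 1) tag {bob} is free pool slot: 0
  ip4_table_index 3, ip6_table_index 3, l2_table_index 3
    rule 0: ipv4 action 1 ip 0.0.0.0/0 mac 00:00:00:00:00:00 mask 00:00:00:00:00:00
"""
AFTER = """MACIP acl_index: 0, count: 1 (true len 1) tag {bob} is free pool slot: 0
  ip4_table_index 0, ip6_table_index 0, l2_table_index 0
    rule 0: ipv4 action 0 ip 0.0.0.0/0 mac 00:00:00:00:00:00 mask 00:00:00:00:00:00
"""

HEADER = re.compile(r"MACIP acl_index:\s*(\d+)")
TABLE = re.compile(r"(ip4|ip6|l2)_table_index\s+(\d+)")


def parse_macip_tables(text):
    """Map acl_index -> {'ip4': n, 'ip6': n, 'l2': n} from the show output."""
    acls, current = {}, None
    for line in text.splitlines():
        header = HEADER.search(line)
        if header:
            current = int(header.group(1))
            acls[current] = {}
            continue
        if current is not None:
            # Table indices appear on the line(s) following the ACL header.
            for kind, idx in TABLE.findall(line):
                acls[current][kind] = int(idx)
    return acls


def table_drift(before, after):
    """Return [(acl_index, kind, old, new)] for every table index that changed."""
    old, new = parse_macip_tables(before), parse_macip_tables(after)
    drift = []
    for acl in sorted(old.keys() & new.keys()):
        for kind in ("ip4", "ip6", "l2"):
            a, b = old[acl].get(kind), new[acl].get(kind)
            if a != b:
                drift.append((acl, kind, a, b))
    return drift


if __name__ == "__main__":
    for acl, kind, a, b in table_drift(BEFORE, AFTER):
        print(f"acl {acl}: {kind}_table_index {a} -> {b}")
```
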
