Hi,
We are trying to use input ACL with NAT, but found that they don't work together.
Version: 17.10
Topology: lan -> bd -> loop0(inside) -> nat44 -> wan(outside)

Enable inacl on loop0 using: ...
vppctl classify session hit-next 4294967295 table-index 0 match l3 ip4 dst 192.168.20.22 action set-ip4-fib-id 210
vppctl set interface input acl intfc loop0 ip4-table 0
vpp#  show interface features loop0
Driver feature paths configured on loop0...
....
ip4-unicast:
  nat44-in2out
  ip4-inacl
....

But we cannot see in the trace that the packet goes into the ip4-inacl feature, as shown below.


Packet 1

11:28:26:100657: af-packet-input
  af_packet: hw_if_index 1 next-index 4
    tpacket2_hdr:
      status 0x20000001 len 98 snaplen 98 mac 66 net 80
      sec 0x5a3859b3 nsec 0x89d3c8d vlan 0 vlan_tpid 0
11:28:26:100692: ethernet-input
  IP4: 52:99:aa:f0:c2:13 -> de:ad:00:00:00:00
11:28:26:100734: l2-input
  l2-input: sw_if_index 1 dst de:ad:00:00:00:00 src 52:99:aa:f0:c2:13
11:28:26:100755: l2-learn
  l2-learn: sw_if_index 1 dst de:ad:00:00:00:00 src 52:99:aa:f0:c2:13 bd_index 1
11:28:26:100784: l2-fwd
  l2-fwd:   sw_if_index 1 dst de:ad:00:00:00:00 src 52:99:aa:f0:c2:13 bd_index 1
11:28:26:100793: ip4-input
  ICMP: 192.168.1.2 -> 192.168.20.22
    tos 0x00, ttl 64, length 84, checksum 0x17dc
    fragment id 0x8c64, flags DONT_FRAGMENT
  ICMP echo_request checksum 0x8c1d
11:28:26:100817: nat44-in2out
  NAT44_IN2OUT_FAST_PATH: sw_if_index 5, next index 3, session -1
11:28:26:100829: nat44-in2out-slowpath
  NAT44_IN2OUT_SLOW_PATH: sw_if_index 5, next index 0, session 5
11:28:26:100897: ip4-lookup
  fib 0 dpo-idx 15 flow hash: 0x00000000
  ICMP: 192.168.20.20 -> 192.168.20.22
    tos 0x00, ttl 64, length 84, checksum 0x04ca
    fragment id 0x8c64, flags DONT_FRAGMENT
  ICMP echo_request checksum 0x3892
11:28:26:100921: ip4-rewrite
  tx_sw_if_index 3 dpo-idx 15 : ipv4 via 192.168.20.22 host-wan1: 4e258981d94102fea6c9441f0800 flow hash: 0x00000000
  00000000: 4e258981d94102fea6c9441f0800450000548c6440003f0105cac0a81414c0a8
  00000020: 141608003892a0b10001b359385a0000000072340200000000001011
11:28:26:100929: host-wan1-output
  host-wan1
  IP4: 02:fe:a6:c9:44:1f -> 4e:25:89:81:d9:41
  ICMP: 192.168.20.20 -> 192.168.20.22
    tos 0x00, ttl 63, length 84, checksum 0x05ca
    fragment id 0x8c64, flags DONT_FRAGMENT
  ICMP echo_request checksum 0x3892
============================================================================
If we disable the nat44-in2out feature on loop0, we can see the trace go into
ip4-inacl, as below:

Packet 1

12:05:51:764284: af-packet-input
  af_packet: hw_if_index 1 next-index 4
    tpacket2_hdr:
      status 0x20000001 len 98 snaplen 98 mac 66 net 80
      sec 0x5a386277 nsec 0x1d5ad53b vlan 0 vlan_tpid 0
12:05:51:764324: ethernet-input
  IP4: 52:99:aa:f0:c2:13 -> de:ad:00:00:00:00
12:05:51:764364: l2-input
  l2-input: sw_if_index 1 dst de:ad:00:00:00:00 src 52:99:aa:f0:c2:13
12:05:51:764391: l2-learn
  l2-learn: sw_if_index 1 dst de:ad:00:00:00:00 src 52:99:aa:f0:c2:13 bd_index 1
12:05:51:764424: l2-fwd
  l2-fwd:   sw_if_index 1 dst de:ad:00:00:00:00 src 52:99:aa:f0:c2:13 bd_index 1
12:05:51:764457: ip4-input
  ICMP: 192.168.1.2 -> 192.168.20.22
    tos 0x00, ttl 64, length 84, checksum 0x77f2
    fragment id 0x2c4e, flags DONT_FRAGMENT
  ICMP echo_request checksum 0x8246
12:05:51:764498: ip4-inacl
  INACL: sw_if_index 5, next_index 1, table 0, offset 192
12:05:51:764513: ip4-lookup
  fib 3 dpo-idx 12 flow hash: 0x00000000
  ICMP: 192.168.1.2 -> 192.168.20.22
    tos 0x00, ttl 64, length 84, checksum 0x77f2
    fragment id 0x2c4e, flags DONT_FRAGMENT
  ICMP echo_request checksum 0x8246
12:05:51:764541: ip4-arp
    ICMP: 192.168.1.2 -> 192.168.20.22
      tos 0x00, ttl 64, length 84, checksum 0x77f2
      fragment id 0x2c4e, flags DONT_FRAGMENT
    ICMP echo_request checksum 0x8246
12:05:51:764559: host-wan1-output
  host-wan1
  ARP: 02:fe:a6:c9:44:1f -> ff:ff:ff:ff:ff:ff
  request, type ethernet/IP4, address size 6/4
  02:fe:a6:c9:44:1f/192.168.20.20 -> 00:00:00:00:00:00/192.168.20.20
12:05:51:764584: error-drop
  ip4-arp: ARP requests sent

So the question is: how do we do the classify on an inside (L3) interface during
NAT?

BR,
xliao
_______________________________________________
vpp-dev mailing list
vpp-dev@lists.fd.io
https://lists.fd.io/mailman/listinfo/vpp-dev
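Added example, not from the mail above or from the VPP project: a small Python script that parses "show trace" output in the format quoted in the mail and reports, per packet, whether ip4-inacl ran ahead of ip4-lookup (the only position in which a set-ip4-fib-id action can still affect the lookup) and which FIB index ip4-lookup actually used. The sample trace is constructed from the two traces in the mail, cut down to the lines the check needs.

```python
import re

# Constructed sample in the format of the two "show trace" outputs in the mail,
# reduced to the node lines plus the ip4-lookup detail line of each packet.
SAMPLE_TRACE = """\
Packet 1

11:28:26:100793: ip4-input
11:28:26:100817: nat44-in2out
11:28:26:100829: nat44-in2out-slowpath
11:28:26:100897: ip4-lookup
  fib 0 dpo-idx 15 flow hash: 0x00000000

Packet 2

12:05:51:764457: ip4-input
12:05:51:764498: ip4-inacl
12:05:51:764513: ip4-lookup
  fib 3 dpo-idx 12 flow hash: 0x00000000
"""

PACKET_RE = re.compile(r"^Packet (\d+)")
NODE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d+: (\S+)")  # "HH:MM:SS:usec: node-name"
FIB_RE = re.compile(r"^\s+fib (\d+) dpo-idx")            # ip4-lookup detail line

def parse_trace(text: str) -> dict[int, dict]:
    """Map packet number -> {'path': [graph nodes visited], 'fib': FIB index used by ip4-lookup}."""
    packets: dict[int, dict] = {}
    cur = None
    for line in text.splitlines():
        if m := PACKET_RE.match(line):
            cur = packets.setdefault(int(m.group(1)), {"path": [], "fib": None})
        elif cur is None:
            continue                      # text before the first "Packet N" header
        elif m := NODE_RE.match(line):
            cur["path"].append(m.group(1))
        elif (m := FIB_RE.match(line)) and cur["path"][-1:] == ["ip4-lookup"]:
            cur["fib"] = int(m.group(1))  # only trust the fib line directly under ip4-lookup
    return packets

def inacl_before_lookup(path: list[str]) -> bool:
    """True only if ip4-inacl ran ahead of ip4-lookup, early enough for set-ip4-fib-id to matter."""
    return ("ip4-inacl" in path and "ip4-lookup" in path
            and path.index("ip4-inacl") < path.index("ip4-lookup"))

def check(text: str) -> dict[int, dict]:
    """Per packet: was the input ACL hit before the lookup, and which FIB index was used."""
    return {n: {"inacl": inacl_before_lookup(p["path"]), "fib": p["fib"]}
            for n, p in parse_trace(text).items()}
```

Running `check()` over a real `vppctl show trace` capture gives a quick way to confirm, per packet, whether the classifier actually ran before the FIB lookup rather than inferring it from the feature list alone.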