Dear Andrew, It's hardcoded as it was simple and fast solution for our default scenario implementation. As you correctly mentioned in previous email one of the bug fixes was the restriction. Also another one is preventing reply packets pass through even if those packets are matched with an acl rule. In another word these reply packets are not belong to any echo request in reverse direction.
Thanks, Sincerely ________________________________ From: Andrew π½ Yourtchenko <ayour...@gmail.com> Sent: Tuesday, September 18, 2018 4:06 PM To: Rubina Bianchi Cc: vpp-dev@lists.fd.io Subject: Re: [vpp-dev] Odd problem in adding new session on vpp when its session table is full Dear Rubina, On 9/18/18, Rubina Bianchi <r_bian...@outlook.com> wrote: > Dear Andrew, > > Our changes is provided to you by creating a patch which is attached to this > email. > I didn't commit it to gerrit due to our specific scenario (permit+reflect on > all inputs, permit+reflect or deny on all outputs). Why do you hardcode it as opposed to making it part of configuration ? permit+reflect in one direction and deny except established sessions is a fairly standard config. > In addition to ICMP timeout handling, our code fixes some ICMP bugs. Do you mean the "strict" enforcement of the one-request-one-response policy for ICMP that this code does ? --a > Although, I think code is clear for you, I can explain it in details if you > ask. > > Thanks, > Sincerely > ________________________________ > From: Andrew π½ Yourtchenko <ayour...@gmail.com> > Sent: Tuesday, September 18, 2018 11:27 AM > To: Rubina Bianchi > Cc: vpp-dev@lists.fd.io > Subject: Re: [vpp-dev] Odd problem in adding new session on vpp when its > session table is full > > > > > Hi Rubina, > > On 18 Sep 2018, at 11:14, Rubina Bianchi > <r_bian...@outlook.com<mailto:r_bian...@outlook.com>> wrote: > > Hi Dear Andrew > > 1) I just attached my init.conf to this email. As you guessed session table > size is 1000000. This problem is occurred on vpp stable/1807. > > Ah, cool, that helps, thanks! > > > 2) Yes, there is 6 timeout list. We added a list for handling icmp > timeouts. > > That is not the stable/1807, then βΊοΈ would you mind submitting the change to > gerrit so we could take a look at it and ideally incorporate into the master > ? > > βa > > > ________________________________ > From: Andrew π½ Yourtchenko <ayour...@gmail.com<mailto:ayour...@gmail.com>> > Sent: Monday, September 17, 2018 8:03 PM > To: Rubina Bianchi > Cc: vpp-dev@lists.fd.io<mailto:vpp-dev@lists.fd.io> > Subject: Re: [vpp-dev] Odd problem in adding new session on vpp when its > session table is full > > Dear Rubina, > > looking at the outputs, there are a few anomalies that hopefully you > can clarify: > > 1) the max session count is 1000000. The latest master has the default > limit of 500000, and I do not see any startup config parameters > changing that. Which version are you testing with/building off ? > > 2) there are 6 fa_conn_list_head elements in each worker for your > outputs. That number was initially 3, and in the early spring when I > introduced the purgatory list and the reserved unused list this number > has increased to 5. The vectors are initialized at a start with a > constant, so I am wondering why your outputs have a different number. > > Would be able to comment on these observations ? > > Thank you! > > --a > > On 9/17/18, Rubina Bianchi > <r_bian...@outlook.com<mailto:r_bian...@outlook.com>> wrote: >> * Dear VPP >> >> I ran a test on VPP configured with permit+reflect ACl rules with t-rex. >> In >> this test, I put two interfaces on one bridge-domain and had an ACL on >> all >> of its input and output interfaces. The ACL had just one rule which was >> allowing any traffic. I ran my test until VPP's session table was full. I >> run t-rex whith following command: >> >> "./t-rex-64 -f cap2/sfr.yaml -m 10 -d 10000" >> >> >> After a couple of days, I took another test on VPP. I tried to establish >> a >> ssh session between two clients via my VPP. But session could not be >> established. When I checked VPP trace, All of my ssh packets where >> dropped >> due to following error: >> >> "acl-plugin-in-ip4-l2: too many sessions to add new" >> >> when I checked VPP's session table, I realized that it was full. No >> session >> where deleted since my previous test and no session where going to be >> added >> to session table.I also checked my /var/log/hawk.log file and saw >> following >> error: >> >> "acl_fa_node_fn:516: BUG: session LSB16(sw_if_index) and 5-tuple >> collision!" >> >> I could not fix this problem so I restarted my VPP service. After that, >> I could not reproduce this state again. Does anyone have any idea on >> what my problem on VPP was? >> >> I attached my hawk.log, vpp trace, "vppctl sh acl-plugin sessions" output >> and startup.conf file to this email. >> >> >> >> >> > <init.conf> >
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#10621): https://lists.fd.io/g/vpp-dev/message/10621 Mute This Topic: https://lists.fd.io/mt/25722080/21656 Group Owner: vpp-dev+ow...@lists.fd.io Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
