Sure Andrew. Is there a unit test case for ACL plugin ?

From: Andrew 👽 Yourtchenko <ayour...@gmail.com>
Sent: Tuesday, April 28, 2020 4:57 PM
To: Govindarajan Mohandoss <govindarajan.mohand...@arm.com>
Cc: vpp-dev@lists.fd.io; nd <n...@arm.com>; Lijian Zhang 
<lijian.zh...@arm.com>; Jieqiang Wang <jieqiang.w...@arm.com>
Subject: Re: [vpp-dev] ACL question

1-3: no.
4: please make a “make test” test case illustrating the problem and share it.
--a


On 28 Apr 2020, at 22:37, Govindarajan Mohandoss <govindarajan.mohand...@arm.com> wrote:


Hi Andrew,

  I am working on ACL plugin SF+SL optimization on ARM servers.

  I am finding that prefetches in the ACL node are becoming a bottleneck. I see 
performance improvements in both SL & SF mode when SF mode bihash table 
related prefetching is disabled.

  I need some help with right ACL config to verify my patch.



 I did the testing with Ingress ACL -- 1 Rule and 50 Rules (Rule: <SIP, DIP, 
UDP, SPORT, DPORT> - DPORT is incremented). The Traffic match all the 50 rules.



  When I tried to add 100 rules on the same rule set in SF mode:

  "acl_add_replace -1 ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 
proto 17 sport 100 dport 1,

   ... ,

   ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17 sport 100 
dport 100",



   I see only 48 rules in show tables and 48th rule is added as “permit” all 
and not “permit + reflect”. Does it mean <0 – 47> rules will be SF and the rest 
will be in SL mode ?



"

vpp# show acl-plugin acl
acl-index 0 count 49 tag {}
       0: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17 sport 100 dport 1
       ....
      47: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17 sport 100 dport 48
      48: ipv4 permit src 0.0.0.0/0 dst 0.0.0.0/0 proto 0 sport 0-65535 dport 0-65535
  applied inbound on sw_if_index: 1
  used in lookup context index: 0

"



  1.  Is there a limit of 48 on number of rules that can be added into the Rule 
table (acl-index 0) in SF mode ?
  2.  Whether 48 rules in a ruleset is good enough to verify my optimization 
patch (Traffic flow will match all the 48 rules) ?
  3.  Can I associate more than 1 ACL rule set to an ingress interface (like 
“vat# acl_interface_set_acl_list TenGigabitEthernet1/0/0 input 0 1 2”) ? Each 
Rule set 0, 1, 2 will have different ACL rules. Do I need to test this case 
also to study the performance gain ?
  4.  In SL mode, When I tried to add 100 rules, only 53 rules are seen in show 
table. 53rd rule is added as permit all (Should I read it as permit all ?). Is 
there a limit on number of rules in SL mode ?

“

vpp# show acl-plugin acl
acl-index 0 count 54 tag {}
          0: ipv4 permit src 192.81.1.1/32 dst 192.82.1.1/32 proto 17 sport 100 dport 1
          ….
         52: ipv4 permit src 192.81.1.1/32 dst 192.82.1.1/32 proto 17 sport 100 dport 53
         53: ipv4 permit src 0.0.0.0/0 dst 0.0.0.0/0 proto 0 sport 0-65535 dport 0-65535
  applied inbound on sw_if_index: 1
  used in lookup context index: 0

“



Thanks

Govind



> -----Original Message-----

> From: vpp-dev@lists.fd.io<mailto:vpp-dev@lists.fd.io> 
> <vpp-dev@lists.fd.io<mailto:vpp-dev@lists.fd.io>> On Behalf Of Govindarajan

> Mohandoss via Lists.Fd.Io

> Sent: Friday, March 27, 2020 11:32 AM

> To: Andrew 👽 Yourtchenko <ayour...@gmail.com>

> Cc: vpp-dev@lists.fd.io<mailto:vpp-dev@lists.fd.io>

> Subject: Re: [vpp-dev] ACL question

>

> Thank you very much Andrew !! I will do some benchmarks and get back to

> you to understand it better.

>

> Thanks

> Govind

>

> > -----Original Message-----

> > From: Andrew 👽 Yourtchenko <ayour...@gmail.com>

> > Sent: Friday, March 27, 2020 7:52 AM

> > To: Govindarajan Mohandoss 
> > <govindarajan.mohand...@arm.com<mailto:govindarajan.mohand...@arm.com>>

> > Cc: vpp-dev@lists.fd.io<mailto:vpp-dev@lists.fd.io>; nd 
> > <n...@arm.com<mailto:n...@arm.com>>

> > Subject: Re: [vpp-dev] ACL question

> >

> > > On 27 Mar 2020, at 00:47, Govindarajan Mohandoss

> > <govindarajan.mohand...@arm.com<mailto:govindarajan.mohand...@arm.com>> 
> > wrote:

> > >

> > >

> > >

> > > Hi Andrew,

> > >

> > >    I just found out that ACL action differentiates SF or SL.

> > > Following

> > command enables SF and provides better performance.

> > >

> > >    “acl_add_replace -1 ipv4 permit+reflect dst 192.82.1.1/32”

> > >

> > >

> > >

> > >    Few more questions:

> > >

> > >    =================

> > >

> > >    Choosing between VPP Classifiers and ACL Plugin:

> > >

> > >

> > > https://lists.fd.io/g/vpp-dev/message/5716?p=,,,20,0,0,0::relevance,,ACL,20,2,60,10641995

> > >

> > > You mentioned that VPP classifiers are faster than ACL plugin.

> > > For <L2, L3, L4> field based classification, which one provides

> > > better data

> > plane perf ?

> >

> >

> > It depends. If you wanna simultaneously match on all three, there is

> > currently no mechanism to generically do so.

> >

> > But then every time I looked at the use cases claiming to require

> > that, turned out it was a bad idea to represent the data this way -

> > because of combinatorial explosion. Even ACLs themselves suffer from

> > this issue - N sources times M destinations times K services equal

> > N*M*K rules, which quickly skyrockets.

> >

> > > Does classifier support ranges ?

> >

> >

> > Classifier supports chained masked lookups. You might emulate ranges

> there.

> >

> > That said, I had seen ranges used only in a tiny percentage of the

> > cases. So they are a corner case imho.

> >

> >

> > > Which one is better if the rate of ACL rule add/del is high / low?

> >

> >

> > Classifier single table is your best bet probably. ACL plugin

> > deliberately does not have an API to add/del a single rule - you

> > always download the entire ACL.

> >

> > > Whether ACL rule priority is supported in both the schemes ?

> >

> >

> > First match for Acl and multi table classify case. Single table is

> > just a hash lookup because the entries don’t overlap by definition

> >

> > > Whether ACL Plugin SF mode will perform better than classifier ?

> >

> >

> > I did not benchmark them. It's somewhat different use cases.

> >

> > > Whether classifier also has SF mode ?

> >

> >

> > Nope.

> >

> > >

> > >

> > >    ACL Plugin:

> > >

> > > SF mode – How much of extra memory is needed compared to SL mode ?

> >

> >

> > Depending on the number of active sessions... each session creates two

> > bihash table entries, and consumes an entry in the session pool. The

> > default values in the code for the bihash memory usage have been

> > tested with half a million sessions - so you can extrapolate from

> > those with some ballpark (though bihash memory usage is not linear wrt

> > the entries, and also there is some extra memory churn due to bucket

> > reallocations when the size increases).

> >

> > —a

> >

> > >

> > >

> > > Thanks

> > >

> > > Govind

> > >

> > >

> > >

> > > From: vpp-dev@lists.fd.io<mailto:vpp-dev@lists.fd.io> 
> > > <vpp-dev@lists.fd.io<mailto:vpp-dev@lists.fd.io>> On Behalf Of

> > > Govindarajan Mohandoss via Lists.Fd.Io

> > > Sent: Thursday, March 26, 2020 12:37 PM

> > > To: Andrew 👽 Yourtchenko <ayour...@gmail.com>

> > > Cc: vpp-dev@lists.fd.io<mailto:vpp-dev@lists.fd.io>

> > > Subject: Re: [vpp-dev] ACL question

> > >

> > >

> > >

> > > Hi Andrew,

> > >

> > >   Thanks for the document.

> > >

> > >   Can you please share the documents related to ACL plugin CLI

> > > config for

> > both stateful & stateless modes ?

> > >

> > >

> > >

> > >    I tried the following commands for input ACL in VAT CLI. Not sure

> > whether this is SL / SF ?

> > >

> > > “

> > >

> > > vat# acl_add_replace -1 ipv4 permit dst 192.82.1.1/32

> > >

> > > vl_api_acl_add_replace_reply_t_handler:70: ACL index: 0

> > >

> > > vat# acl_interface_set_acl_list TenGigabitEthernet13/0/0 input 0

> > >

> > > vat# acl_interface_list_dump TenGigabitEthernet13/0/0

> > >

> > > vl_api_acl_interface_list_details_t_handler:115: sw_if_index: 3,

> > > count: 1, n_input: 1

> > >

> > >    input 0

> > >

> > >

> > >

> > > vat# help acl_add_replace

> > >

> > > usage: acl_add_replace <acl-idx> [<ipv4|ipv6>]

> > <permit|permit+reflect|deny|action N> [src IP/plen] [dst IP/plen]

> > [sport X-Y] [dport X-Y] [proto P] [tcpflags FL MASK], ... , ...

> > >

> > > “

> > >

> > >

> > >

> > > Thanks

> > >

> > > Govind

> > >

> > >

> > >

> > > From: Andrew 👽 Yourtchenko <ayour...@gmail.com>

> > > Sent: Thursday, March 26, 2020 4:49 AM

> > > To: Govindarajan Mohandoss 
> > > <govindarajan.mohand...@arm.com<mailto:govindarajan.mohand...@arm.com>>

> > > Cc: vpp-dev@lists.fd.io<mailto:vpp-dev@lists.fd.io>; Lijian Zhang 
> > > <lijian.zh...@arm.com<mailto:lijian.zh...@arm.com>>;

> > > Jieqiang Wang <jieqiang.w...@arm.com<mailto:jieqiang.w...@arm.com>>; nd 
> > > <n...@arm.com<mailto:n...@arm.com>>

> > > Subject: Re: [vpp-dev] ACL question

> > >

> > >

> > >

> > > As an acl plugin author I can say both stateful and stateless ACLs

> > > are used

> > for different consumers.

> > >

> > >

> > >

> > > Various matching implementations in vpp are used in different use

> cases...

> > and there is not a single silver bullet magic answer, because the

> > trade offs are different.

> > >

> > >

> > >

> > >  https://nonsns.github.io/paper/rossi19ton.pdf

> > >

> > >

> > >

> > > Is a reasonable read on the subject - also because it relates to VPP

> > > and the

> > real project that we did a while ago.

> > >

> > >

> > >

> > > --a

> > >

> > >

> > >>

> > >> On 25 Mar 2020, at 17:26, Govindarajan Mohandoss

> > <govindarajan.mohand...@arm.com<mailto:govindarajan.mohand...@arm.com>> 
> > wrote:

> > >>

> > >>

> > >>

> > >> Hello ACL Maintainer,

> > >>

> > >>   We want to measure and optimize the ACL performance for ARM

> > servers.  As per the foll. link, there are 4 different implementation

> > of ACLs in VPP.

> > >>

> > >>   https://fd.io/docs/vpp/master/usecases/acls.html

> > >>

> > >>   We would like to start with most commonly used ACL implementation

> > >> in

> > VPP which can cover L2, L3 and L4 fields. As per the link above and

> > CSIT reports (link below), it looks like ACL plugin is the right match.

> > >>

> > >>   Can you please confirm ? ACL plugin has 2 variants – Stateful &

> Stateless.

> > Which is common and widely used in VPP ?

> > >>

> > >>

> > >> https://docs.fd.io/csit/master/report/detailed_test_results/vpp_performance_results/index.html

> > >>

> > >>

> > >>

> > >> Thanks

> > >>

> > >> Govind

> > >>

View/Reply Online (#16188): https://lists.fd.io/g/vpp-dev/message/16188
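
Added example, not part of the thread and not VPP code: a Python check that parses "show acl-plugin acl" output in the format quoted in the message above, compares the loaded rules with the intended set, and flags a trailing permit-any rule such as the one reported at index 48. The sample output is constructed with one rule per line, and the function names are hypothetical.

```python
import re

# One rule line / the header line as printed by "show acl-plugin acl" in the thread.
RULE_RE = re.compile(
    r"^\s*(\d+):\s+(ipv[46])\s+(\S+)\s+src\s+(\S+)\s+dst\s+(\S+)"
    r"\s+proto\s+(\d+)\s+sport\s+(\S+)\s+dport\s+(\S+)\s*$")
HEADER_RE = re.compile(r"^acl-index\s+(\d+)\s+count\s+(\d+)")

def intended_rules(n):
    """Rules the operator meant to load: dport 1..n, all permit+reflect."""
    return [("ipv4", "permit+reflect", "192.81.1.1/32", "192.82.1.1/32",
             "17", "100", str(d)) for d in range(1, n + 1)]

def parse_show_acl(text):
    """Return (count from the header, list of rule tuples without the index)."""
    count, rules = None, []
    for line in text.splitlines():
        header, rule = HEADER_RE.match(line), RULE_RE.match(line)
        if header:
            count = int(header.group(2))
        elif rule:
            rules.append(rule.groups()[1:])
    return count, rules

def audit(text, n_intended):
    """Compare what VPP reports against what was meant to be loaded."""
    count, loaded = parse_show_acl(text)
    want = intended_rules(n_intended)
    findings = []
    if count != len(loaded):
        findings.append(f"header count {count} != {len(loaded)} rules parsed")
    missing = [r for r in want if r not in loaded]
    if missing:
        findings.append(f"{len(missing)} intended rules missing, first is dport {missing[0][6]}")
    for r in loaded:
        if r not in want and r[1].startswith("permit") and r[2:4] == ("0.0.0.0/0",) * 2:
            findings.append(f"unintended permit-any rule with action '{r[1]}'")
    return findings

# Constructed sample (one rule per line) mirroring the stateful case in the thread.
SAMPLE = "acl-index 0 count 49 tag {}\n" + "".join(
    f"{i:8}: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 "
    f"proto 17 sport 100 dport {i + 1}\n" for i in range(48)) + (
    "      48: ipv4 permit src 0.0.0.0/0 dst 0.0.0.0/0 proto 0 "
    "sport 0-65535 dport 0-65535\n"
    "  applied inbound on sw_if_index: 1\n  used in lookup context index: 0\n")

if __name__ == "__main__":
    for finding in audit(SAMPLE, 100):
        print(finding)
```

Running the same audit after every ACL load catches a rule set that differs from the one submitted before any benchmark or policy decision relies on it.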