From: Govindarajan Mohandoss <govindarajan.mohand...@arm.com>
Date: Friday 1 May 2020 at 21:15
To: "Neale Ranns (nranns)" <nra...@cisco.com>, Andrew Yourtchenko <ayour...@gmail.com>
Cc: "John Lo (loj)" <l...@cisco.com>, Paul Vinciguerra <pvi...@vinciconsulting.com>, "vpp-dev@lists.fd.io" <vpp-dev@lists.fd.io>, nd <n...@arm.com>, Lijian Zhang <lijian.zh...@arm.com>, Jieqiang Wang <jieqiang.w...@arm.com>, nd <n...@arm.com>
Subject: RE: [vpp-dev] ACL question

Hi Neale,

I tried to use the CLI for ACL in master. But the following command is not associating the ACL to the ingress interface. The show command is not listing anything and "show run time" doesn't show the ACL node. Am I missing any config?

vpp# set acl-plugin acl permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17 sport 100 dport 1
ACL index:0
vpp# show acl-plugin acl
acl-index 0 count 1 tag {cli}
          0: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17 sport 100 dport 1
vpp# set acl-plugin ?
  set acl-plugin acl          set acl-plugin acl <permit|deny> src <PREFIX> dst <PREFIX> proto X sport X-Y dport X-Y [tag FOO] {use comma separated list for multiple rules}
  set acl-plugin interface    set acl-plugin interface <interface> <input|output> <acl INDEX> [del]
  set acl-plugin              set acl-plugin session timeout {{udp idle}|tcp {idle|transient}} <seconds>
vpp# set acl-plugin interface TenGigabitEthernet7/0/0 input 0

[Neale, inline:] you have to specify which ACL you want to bind to the interface:
  set acl-plugin interface TenGigabitEthernet7/0/0 input 0 acl 0
/neale

vpp# show acl-plugin interface   <<< No output.

Thanks
Govind

From: Neale Ranns (nranns) <nra...@cisco.com>
Sent: Wednesday, April 29, 2020 4:24 AM
To: Andrew Yourtchenko <ayour...@gmail.com>; Govindarajan Mohandoss <govindarajan.mohand...@arm.com>
Cc: John Lo (loj) <l...@cisco.com>; Paul Vinciguerra <pvi...@vinciconsulting.com>; vpp-dev@lists.fd.io; nd <n...@arm.com>; Lijian Zhang <lijian.zh...@arm.com>; Jieqiang Wang <jieqiang.w...@arm.com>
Subject: Re: [vpp-dev] ACL question

Or in the latest version you can create ACLs on the CLI:
  set acl-plugin acl ?
  set acl-plugin interface ?

/neale

From: <vpp-dev@lists.fd.io> on behalf of Andrew Yourtchenko <ayour...@gmail.com>
Date: Wednesday 29 April 2020 at 10:59
To: Govindarajan Mohandoss <govindarajan.mohand...@arm.com>
Cc: "John Lo (loj)" <l...@cisco.com>, Paul Vinciguerra <pvi...@vinciconsulting.com>, "vpp-dev@lists.fd.io" <vpp-dev@lists.fd.io>, nd <n...@arm.com>, Lijian Zhang <lijian.zh...@arm.com>, Jieqiang Wang <jieqiang.w...@arm.com>
Subject: Re: [vpp-dev] ACL question

Hi Govind,

1) make an api trace and inspect the message there - whether it contains the entries you are expecting.
1a) If it does, then you can trivially recreate the same message using the python api just by hacking an existing testcase.
1b) if it doesn't - run the vat itself under gdb and trace how the api message is built before it's sent.

I suspect what you are seeing is some issue between the command line that you are putting in and the api message being formed.

Also, it may give more clues if you do the above side by side on x86 and arm and compare the behaviors.

--a

On 29 Apr 2020, at 06:27, Govindarajan Mohandoss <govindarajan.mohand...@arm.com> wrote:

Hi Andrew,

I have to work on the make test test case. Before that, I would like to confirm whether this is a problem (or) misconfiguration.

I added 50 rules using acl_add_replace in VAT CLI. In the ACL dump (show acl-plugin acl 0), only 48 rules are present. 2 rules are missing and a default rule of "permit all" is also getting added. I have put the ACL config and ACL dump info in the attached file.

Thanks
Govind

From: John Lo (loj) <l...@cisco.com>
Sent: Tuesday, April 28, 2020 10:38 PM
To: Govindarajan Mohandoss <govindarajan.mohand...@arm.com>; Paul Vinciguerra <pvi...@vinciconsulting.com>
Cc: Andrew 👽 Yourtchenko <ayour...@gmail.com>; vpp-dev@lists.fd.io; nd <n...@arm.com>; Lijian Zhang <lijian.zh...@arm.com>; Jieqiang Wang <jieqiang.w...@arm.com>; nd <n...@arm.com>
Subject: RE: [vpp-dev] ACL question

Try "make test TEST=acl_plugin".

-John

From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of Govindarajan Mohandoss
Sent: Tuesday, April 28, 2020 11:22 PM
To: Paul Vinciguerra <pvi...@vinciconsulting.com>
Cc: Andrew 👽 Yourtchenko <ayour...@gmail.com>; vpp-dev@lists.fd.io; nd <n...@arm.com>; Lijian Zhang <lijian.zh...@arm.com>; Jieqiang Wang <jieqiang.w...@arm.com>; nd <n...@arm.com>
Subject: Re: [vpp-dev] ACL question

Hi Paul,

How can I selectively run only the test_acl_plugin.py instead of running make test?

Thanks
Govind

From: Paul Vinciguerra <pvi...@vinciconsulting.com>
Sent: Tuesday, April 28, 2020 9:22 PM
To: Govindarajan Mohandoss <govindarajan.mohand...@arm.com>
Cc: Andrew 👽 Yourtchenko <ayour...@gmail.com>; vpp-dev@lists.fd.io; nd <n...@arm.com>; Lijian Zhang <lijian.zh...@arm.com>; Jieqiang Wang <jieqiang.w...@arm.com>
Subject: Re: [vpp-dev] ACL question

See: src/plugins/acl/test/test_acl_plugin.py

On Tue, Apr 28, 2020 at 7:19 PM Govindarajan Mohandoss <govindarajan.mohand...@arm.com> wrote:

Sure Andrew. Is there a unit test case for ACL plugin?

From: Andrew 👽 Yourtchenko <ayour...@gmail.com>
Sent: Tuesday, April 28, 2020 4:57 PM
To: Govindarajan Mohandoss <govindarajan.mohand...@arm.com>
Cc: vpp-dev@lists.fd.io; nd <n...@arm.com>; Lijian Zhang <lijian.zh...@arm.com>; Jieqiang Wang <jieqiang.w...@arm.com>
Subject: Re: [vpp-dev] ACL question

1-3: no.

4: please make a "make test" test case illustrating the problem and share it.

--a

On 28 Apr 2020, at 22:37, Govindarajan Mohandoss <govindarajan.mohand...@arm.com> wrote:

Hi Andrew,

I am working on ACL plugin SF+SL optimization on ARM servers. I am finding that prefetches in the ACL node are becoming a bottleneck. I see performance improvements in both SL & SF mode when SF mode bihash table related prefetching is disabled. I need some help with the right ACL config to verify my patch.

I did the testing with Ingress ACL -- 1 Rule and 50 Rules (Rule: <SIP, DIP, UDP, SPORT, DPORT> - DPORT is incremented). The traffic matches all the 50 rules.

When I tried to add 100 rules on the same rule set in SF mode:

"acl_add_replace -1 ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17 sport 100 dport 1, ... , ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17 sport 100 dport 100"

I see only 48 rules in show tables and the 48th rule is added as "permit" all and not "permit + reflect". Does it mean <0 – 47> rules will be SF and the rest will be in SL mode?

"
vpp# show acl-plugin acl
acl-index 0 count 49 tag {}
          0: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17 sport 100 dport 1
          ....
          47: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 proto 17 sport 100 dport 48
          48: ipv4 permit src 0.0.0.0/0 dst 0.0.0.0/0 proto 0 sport 0-65535 dport 0-65535
  applied inbound on sw_if_index: 1
  used in lookup context index: 0
"

1. Is there a limit of 48 on the number of rules that can be added into the Rule table (acl-index 0) in SF mode?
2. Whether 48 rules in a ruleset is good enough to verify my optimization patch (Traffic flow will match all the 48 rules)?
3. Can I associate more than 1 ACL rule set to an ingress interface (like "vat# acl_interface_set_acl_list TenGigabitEthernet1/0/0 input 0 1 2")? Each Rule set 0, 1, 2 will have different ACL rules. Do I need to test this case also to study the performance gain?
4. In SL mode, when I tried to add 100 rules, only 53 rules are seen in show table. The 53rd rule is added as permit all (Should I read it as permit all?). Is there a limit on the number of rules in SL mode?

"
vpp# show acl-plugin acl
acl-index 0 count 54 tag {}
          0: ipv4 permit src 192.81.1.1/32 dst 192.82.1.1/32 proto 17 sport 100 dport 1
          ....
          52: ipv4 permit src 192.81.1.1/32 dst 192.82.1.1/32 proto 17 sport 100 dport 53
          53: ipv4 permit src 0.0.0.0/0 dst 0.0.0.0/0 proto 0 sport 0-65535 dport 0-65535
  applied inbound on sw_if_index: 1
  used in lookup context index: 0
"

Thanks
Govind

> -----Original Message-----
> From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of Govindarajan Mohandoss via Lists.Fd.Io
> Sent: Friday, March 27, 2020 11:32 AM
> To: Andrew 👽 Yourtchenko <ayour...@gmail.com>
> Cc: vpp-dev@lists.fd.io
> Subject: Re: [vpp-dev] ACL question
>
> Thank you very much Andrew !! I will do some benchmarks and get back to you to understand it better.
>
> Thanks
> Govind
>
> > -----Original Message-----
> > From: Andrew 👽 Yourtchenko <ayour...@gmail.com>
> > Sent: Friday, March 27, 2020 7:52 AM
> > To: Govindarajan Mohandoss <govindarajan.mohand...@arm.com>
> > Cc: vpp-dev@lists.fd.io; nd <n...@arm.com>
> > Subject: Re: [vpp-dev] ACL question
> >
> > > On 27 Mar 2020, at 00:47, Govindarajan Mohandoss <govindarajan.mohand...@arm.com> wrote:
> > >
> > > Hi Andrew,
> > >
> > > I just found out that ACL action differentiates SF or SL. The following command enables SF and provides better performance.
> > >
> > > "acl_add_replace -1 ipv4 permit+reflect dst 192.82.1.1/32"
> > >
> > > Few more questions:
> > > =================
> > >
> > > Choosing between VPP Classifiers and ACL Plugin:
> > >
> > > https://lists.fd.io/g/vpp-dev/message/5716?p=,,,20,0,0,0::relevance,,ACL,20,2,60,10641995
> > >
> > > You mentioned that VPP classifiers are faster than ACL plugin. For <L2, L3, L4> field based classification, which one provides better data plane perf?
> >
> > It depends. If you wanna simultaneously match on all three, there is currently no mechanism to generically do so.
> >
> > But then every time I looked at the use cases claiming to require that, turned out it was a bad idea to represent the data this way - because of combinatorial explosion. Even ACLs themselves suffer from this issue - N sources times M destinations times K services equal N*M*K rules, which quickly skyrockets.
> >
> > > Does classifier support ranges?
> >
> > Classifier supports chained masked lookups. You might emulate ranges there.
> >
> > That said, I had seen ranges used only in a tiny percentage of the cases. So they are a corner case imho.
> >
> > > Which one is better if the rate of ACL rule add/del is high / low?
> >
> > Classifier single table is your best bet probably. ACL plugin deliberately does not have an API to add/del a single rule - you always download the entire ACL.
> >
> > > Whether ACL rule priority is supported in both the schemes?
> >
> > First match for Acl and multi table classify case. Single table is just a hash lookup because the entries don't overlap by definition
> >
> > > Whether ACL Plugin SF mode will perform better than classifier?
> >
> > I did not benchmark them. It's somewhat different use cases.
> >
> > > Whether classifier also has SF mode?
> >
> > Nope.
> >
> > > ACL Plugin:
> > >
> > > SF mode – How much extra memory is needed compared to SL mode?
> >
> > Depending on the number of active sessions... each session creates two bihash table entries, and consumes an entry in the session pool. The default values in the code for the bihash memory usage have been tested with half a million sessions - so you can extrapolate from those with some ballpark (though bihash memory usage is not linear wrt the entries, and also there is some extra memory churn due to bucket reallocations when the size increases).
> >
> > —a
> >
> > > Thanks
> > >
> > > Govind
> > >
> > > From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of Govindarajan Mohandoss via Lists.Fd.Io
> > > Sent: Thursday, March 26, 2020 12:37 PM
> > > To: Andrew 👽 Yourtchenko <ayour...@gmail.com>
> > > Cc: vpp-dev@lists.fd.io
> > > Subject: Re: [vpp-dev] ACL question
> > >
> > > Hi Andrew,
> > >
> > > Thanks for the document.
> > >
> > > Can you please share the documents related to ACL plugin CLI config for both stateful & stateless modes?
> > >
> > > I tried the following commands for input ACL in VAT CLI. Not sure whether this is SL / SF?
> > >
> > > "
> > > vat# acl_add_replace -1 ipv4 permit dst 192.82.1.1/32
> > > vl_api_acl_add_replace_reply_t_handler:70: ACL index: 0
> > > vat# acl_interface_set_acl_list TenGigabitEthernet13/0/0 input 0
> > > vat# acl_interface_list_dump TenGigabitEthernet13/0/0
> > > vl_api_acl_interface_list_details_t_handler:115: sw_if_index: 3, count: 1, n_input: 1
> > > input 0
> > >
> > > vat# help acl_add_replace
> > > usage: acl_add_replace <acl-idx> [<ipv4|ipv6>] <permit|permit+reflect|deny|action N> [src IP/plen] [dst IP/plen] [sport X-Y] [dport X-Y] [proto P] [tcpflags FL MASK], ... , ...
> > > "
> > >
> > > Thanks
> > >
> > > Govind
> > >
> > > From: Andrew 👽 Yourtchenko <ayour...@gmail.com>
> > > Sent: Thursday, March 26, 2020 4:49 AM
> > > To: Govindarajan Mohandoss <govindarajan.mohand...@arm.com>
> > > Cc: vpp-dev@lists.fd.io; Lijian Zhang <lijian.zh...@arm.com>; Jieqiang Wang <jieqiang.w...@arm.com>; nd <n...@arm.com>
> > > Subject: Re: [vpp-dev] ACL question
> > >
> > > As an acl plugin author I can say both stateful and stateless ACLs are used for different consumers.
> > >
> > > Various matching implementations in vpp are used in different use cases... and there is not a single silver bullet magic answer, because the trade offs are different.
> > >
> > > https://nonsns.github.io/paper/rossi19ton.pdf
> > >
> > > Is a reasonable read on the subject - also because it relates to VPP and the real project that we did a while ago.
> > >
> > > --a
> > >
> > >> On 25 Mar 2020, at 17:26, Govindarajan Mohandoss <govindarajan.mohand...@arm.com> wrote:
> > >>
> > >> Hello ACL Maintainer,
> > >>
> > >> We want to measure and optimize the ACL performance for ARM servers. As per the foll. link, there are 4 different implementations of ACLs in VPP.
> > >>
> > >> https://fd.io/docs/vpp/master/usecases/acls.html
> > >>
> > >> We would like to start with the most commonly used ACL implementation in VPP which can cover L2, L3 and L4 fields. As per the link above and CSIT reports (link below), it looks like ACL plugin is the right match.
> > >>
> > >> Can you please confirm? ACL plugin has 2 variants – Stateful & Stateless. Which is common and widely used in VPP?
> > >>
> > >> https://docs.fd.io/csit/master/report/detailed_test_results/vpp_performance_results/index.html
> > >>
> > >> Thanks
> > >>
> > >> Govind

<acl_command_and_dump.txt>
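The truncation Govind reports (100 rules downloaded, 48 installed, and a trailing permit-all appended) is the kind of silent ACL failure that should be checked mechanically after every download rather than noticed by eye. The Python below is an added example, not code from the thread or from VPP: it builds the comma-separated rule list in the acl_add_replace syntax quoted above, parses a "show acl-plugin acl" dump in the format quoted above (the sample dump is constructed to mirror the one in the thread), and reports a count mismatch, per-rule differences and an unexpected permit-all catch-all.

```python
import re

# Matches one rule line of "show acl-plugin acl" as quoted in the thread:
#   "<idx>: ipv4 <action> src <pfx> dst <pfx> proto <p> sport <a[-b]> dport <a[-b]>"
RULE_RE = re.compile(
    r"^\s*(?P<idx>\d+):\s+(?P<af>ipv4|ipv6)\s+(?P<action>permit\+reflect|permit|deny)"
    r"\s+src\s+(?P<src>\S+)\s+dst\s+(?P<dst>\S+)\s+proto\s+(?P<proto>\d+)"
    r"\s+sport\s+(?P<sport>\S+)\s+dport\s+(?P<dport>\S+)\s*$"
)

def build_rules(n, action="permit+reflect", src="192.81.1.1/32",
                dst="192.82.1.1/32", proto=17, sport=100):
    """Rule list for 'acl_add_replace -1 <rules>': same 5-tuple, dport 1..n."""
    return ", ".join(f"ipv4 {action} src {src} dst {dst} proto {proto} "
                     f"sport {sport} dport {d}" for d in range(1, n + 1))

def parse_dump(text):
    """Return the rule lines of a show acl-plugin acl dump as dicts, in order."""
    return [m.groupdict() for m in map(RULE_RE.match, text.splitlines()) if m]

def render(rule):
    """Render a parsed rule back into acl_add_replace syntax for comparison."""
    return (f"{rule['af']} {rule['action']} src {rule['src']} dst {rule['dst']} "
            f"proto {rule['proto']} sport {rule['sport']} dport {rule['dport']}")

def is_permit_all(rule):
    """True for the any/any/any-port catch-all that appeared at the end of the dump."""
    return (rule["action"].startswith("permit") and rule["src"] == "0.0.0.0/0"
            and rule["dst"] == "0.0.0.0/0" and rule["proto"] == "0"
            and rule["sport"] == "0-65535" and rule["dport"] == "0-65535")

def audit(sent_rules, dump_text):
    """Compare what was sent with what the dump shows; return a list of findings."""
    expected = [r.strip() for r in sent_rules.split(",")]
    installed = parse_dump(dump_text)
    findings = []
    if len(installed) != len(expected):
        findings.append(f"rule count mismatch: sent {len(expected)}, installed {len(installed)}")
    for i, rule in enumerate(installed):
        if i >= len(expected) or render(rule) != expected[i]:
            findings.append(f"rule {rule['idx']} differs from what was sent: {render(rule)}")
        if is_permit_all(rule):
            findings.append(f"rule {rule['idx']} is an unexpected permit-all catch-all")
    return findings

# Constructed sample dump mirroring the thread: 48 of 100 rules plus a permit-all at index 48.
SAMPLE_DUMP = "acl-index 0 count 49 tag {}\n" + "\n".join(
    f"          {i}: ipv4 permit+reflect src 192.81.1.1/32 dst 192.82.1.1/32 "
    f"proto 17 sport 100 dport {i + 1}" for i in range(48)
) + "\n          48: ipv4 permit src 0.0.0.0/0 dst 0.0.0.0/0 proto 0 sport 0-65535 dport 0-65535\n"

if __name__ == "__main__":
    for finding in audit(build_rules(100), SAMPLE_DUMP):
        print(finding)
```

Feeding the real dump (for example the attached acl_command_and_dump.txt) into audit() in place of SAMPLE_DUMP gives the same three classes of finding for the case described in the thread.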
View/Reply Online (#16221): https://lists.fd.io/g/vpp-dev/message/16221