Re: [vpp-dev] ACL IPV6 rule addition using the "set acl_plugin acl" command from "vppctl" #vppctl #acl #acl_plugin #ipv6

Thu, 15 Jul 2021 01:28:59 -0700 

Oh cool, thanks, Neale! :-)

this makes much more sense! I was staring at the code yesterday late in the 
evening and questioning what was I missing… :)

--a

> On 15 Jul 2021, at 10:20, Neale Ranns <ne...@graphiant.com> wrote:
> 
> 
>  
> Evidently a typo. Here you go:
>   https://gerrit.fd.io/r/c/vpp/+/33142
>  
> /neale
>  
> From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> on behalf of Andrew 
> Yourtchenko via lists.fd.io <ayourtch=gmail....@lists.fd.io>
> Date: Wednesday, 14 July 2021 at 23:53
> To: RaviKiran Veldanda <ravi.jup...@gmail.com>, Jakub Grajciar 
> <jgraj...@cisco.com>
> Cc: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io>
> Subject: Re: [vpp-dev] ACL IPV6 rule addition using the "set acl_plugin acl" 
> command from "vppctl" #vppctl #acl #acl_plugin #ipv6
> 
> Ravi,
> 
> appears that the commit 2f8cd914514fe54f91974c6d465d4769dfac8de8 has
> hardcoded the IP address family in the CLI handler to IPv4:
> 
> 0490db79b src/plugins/acl/acl.c        (Neale Ranns        2020-03-24
> 15:09:41 +0000 2873)       else if (unformat (line_input, "src %U/%d",
> bf883bb086 src/plugins/acl/acl.c        (Neale Ranns        2020-04-23
> 16:01:20 +0000 2874)                      unformat_ip46_address, &src,
> IP46_TYPE_ANY,
> bf883bb086 src/plugins/acl/acl.c        (Neale Ranns        2020-04-23
> 16:01:20 +0000 2875)                      &src_prefix_length))
> 40490db79b src/plugins/acl/acl.c        (Neale Ranns        2020-03-24
> 15:09:41 +0000 2876)     {
> 40490db79b src/plugins/acl/acl.c        (Neale Ranns        2020-03-24
> 15:09:41 +0000 2877)       vec_validate_acl_rules (rules, rule_idx);
> 2f8cd91451 src/plugins/acl/acl.c        (Jakub Grajciar     2020-03-27
> 06:55:06 +0100 2878)       ip_address_encode (&src, IP46_TYPE_ANY,
> 2f8cd91451 src/plugins/acl/acl.c        (Jakub Grajciar     2020-03-27
> 06:55:06 +0100 2879)
> &rules[rule_idx].src_prefix.address);
> 2f8cd91451 src/plugins/acl/acl.c        (Jakub Grajciar     2020-03-27
> 06:55:06 +0100 2880)       rules[rule_idx].src_prefix.address.af =
> ADDRESS_IP4;
> 2f8cd91451 src/plugins/acl/acl.c        (Jakub Grajciar     2020-03-27
> 06:55:06 +0100 2881)       rules[rule_idx].src_prefix.len =
> src_prefix_length;
> 40490db79b src/plugins/acl/acl.c        (Neale Ranns        2020-03-24
> 15:09:41 +0000 2882)     }
> 40490db79b src/plugins/acl/acl.c        (Neale Ranns        2020-03-24
> 15:09:41 +0000 2883)       else if (unformat (line_input, "dst %U/%d",
> bf883bb086 src/plugins/acl/acl.c        (Neale Ranns        2020-04-23
> 16:01:20 +0000 2884)                      unformat_ip46_address, &dst,
> IP46_TYPE_ANY,
> 
> 
> I am including the commit author for the clarification on how that
> code is supposed to work for the IPv6 case.
> 
> Workaround is to use the "binary-api" command which will use vat code
> which will work for you:
> 
> vpp# binary-api acl_add_replace -1 permit src 2001:db8::1/128
> vl_api_acl_add_replace_reply_t_handler:72: ACL index: 0
> vpp# show acl acl
> acl-index 0 count 1 tag {}
>           0: ipv6 permit src 2001:db8::1/128 dst ::/0 proto 0 sport
> 0-65535 dport 0-65535
> vpp#
> 
> --a
> 
> 
> On 7/14/21, RaviKiran Veldanda <ravi.jup...@gmail.com> wrote:
> > Hi Experts,
> > We were trying to create some ACL rules for IPv6 addresses,
> > *"set acl-plugin acl permit src 2001:5b0:ffff:1150::0/64 " in vppctl.
> > * "set acl-plugin acl permit ipv6 src 2001:5b0:ffff:1150::0/64 " in vppctl.
> > giving ACL index but when I check "show acl_plugin acl" its not giving any
> > information.
> >
> > vpp# set acl-plugin acl ipv6 permit src 2001:5b0:ffff:1150::0/64
> > ACL index:1
> > vpp# show acl-plugin acl
> > acl-index 0 count 1 tag {cli}
> > 0: ipv4 permit src 172.25.169.0/24 dst 0.0.0.0/0 proto 0 sport 0-65535 dport
> > 0-65535
> > acl-index 1 count 0 tag {cli}
> > vpp#
> > We are using VPP 20.05 stable version. We couldn't able to set the ACL for
> > IPv6.
> > We are not seeing any error message on the logs.
> > We could able to set ACL for IPv4 without any issue.
> > We tried same thing from vpp_api_test, still we couldn't able to set IPv6
> > rule.
> > Can you please provide some pointer for creating "acl rule for IPV6."
> > Thanks for your help.
> >
> > //Ravi
> >

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#19780): https://lists.fd.io/g/vpp-dev/message/19780
Mute This Topic: https://lists.fd.io/mt/84212274/21656
Mute #acl_plugin:https://lists.fd.io/g/vpp-dev/mutehashtag/acl_plugin
Mute #ipv6:https://lists.fd.io/g/vpp-dev/mutehashtag/ipv6
Mute #vppctl:https://lists.fd.io/g/vpp-dev/mutehashtag/vppctl
Mute #acl:https://lists.fd.io/g/vpp-dev/mutehashtag/acl
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to