Hi,
I'm working with a combination of the ABF+ACL plugins, but I have a problem with
the ACL permit rule. The ACL action "permit" is ignored and ABF drops packets.
Please, can someone confirm this is the correct behavior? Thanks
Regards
Petr B.
vpp# show version
vpp v22.06-rc0~378-g6120441f9
### note:
vlan 2501@enp3s0(pop1) + loop0(bvi) = bridge domain 192.168.95.100/24
ping from 192.168.95.17 => 10.0.0.100
1. add rules:
set acl-plugin acl permit dst 10.0.0.100/32
abf policy add id 0 acl 0 via 192.168.95.100 loop0
abf attach ip4 policy 0 loop0
2. show
vpp# show acl-plugin acl
acl-index 0 count 1 tag {cli}
0: ipv4 permit src 0.0.0.0/0 dst 10.0.0.100/32 proto 0 sport 0-65535 dport 0-65535
used in lookup context index: 0
vpp# show abf policy
abf:[0]: policy:0 acl:0
path-list:[64] locks:1 flags:shared,no-uRPF, uRPF-list: None
path:[88] pl-index:64 ip4 weight=1 pref=0 attached-nexthop: oper-flags:resolved,
192.168.95.100 loop0
[@0]: arp-ipv4: via 192.168.95.100 loop0
vpp# show abf attach loop0
ipv4:
abf-interface-attach: policy:0 priority:0
[@1]: arp-ipv4: via 192.168.95.100 loop0
3. show trace
Packet 4
00:06:31:315032: dpdk-input
enp3s0 rx queue 0
buffer 0x91ad3: current data 0, length 68, buffer-pool 0, ref-count 1, trace handle 0x3000003
ext-hdr-valid
PKT MBUF: port 1, nb_segs 1, pkt_len 68
buf_len 2176, data_len 68, ol_flags 0x182, data_off 128, phys_addr 0x5dc6b540
packet_type 0x11 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
rss 0x52c93baa fdir.hi 0x0 fdir.lo 0x52c93baa
Packet Offload Flags
PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
PKT_RX_IP_CKSUM_NONE (0x0090) no IP cksum of RX pkt.
PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid
PKT_RX_L4_CKSUM_NONE (0x0108) no L4 cksum of RX pkt.
PKT_RX_RSS_HASH (0x0002) RX packet with RSS hash result
Packet Types
RTE_PTYPE_L2_ETHER (0x0001) Ethernet packet
RTE_PTYPE_L3_IPV4 (0x0010) IPv4 packet without extension headers
IP4: 74:4d:28:8d:0d:22 -> 1a:24:b6:07:ca:16 802.1q vlan 2501
ICMP: 192.168.95.17 -> 10.0.0.100
tos 0x00, ttl 255, length 50, checksum 0xa899 dscp CS0 ecn NON_ECN
fragment id 0xe913
ICMP echo_request checksum 0x4637 id 39169
00:06:31:315041: ethernet-input
frame: flags 0x3, hw-if-index 2, sw-if-index 2
IP4: 74:4d:28:8d:0d:22 -> 1a:24:b6:07:ca:16 802.1q vlan 2501
00:06:31:315047: l2-input
l2-input: sw_if_index 4 dst 1a:24:b6:07:ca:16 src 74:4d:28:8d:0d:22
[l2-input-vtr l2-learn l2-fwd l2-flood l2-flood ]
00:06:31:315049: l2-input-vtr
l2-input-vtr: sw_if_index 4 dst 1a:24:b6:07:ca:16 src 74:4d:28:8d:0d:22
data 08 00 45 00 00 32 e9 13 00 00 ff 01
00:06:31:315049: l2-learn
l2-learn: sw_if_index 4 dst 1a:24:b6:07:ca:16 src 74:4d:28:8d:0d:22
bd_index 1
00:06:31:315051: l2-fwd
l2-fwd: sw_if_index 4 dst 1a:24:b6:07:ca:16 src 74:4d:28:8d:0d:22
bd_index 1 result [0x70000000b, 11] static age-not bvi
00:06:31:315052: ip4-input
ICMP: 192.168.95.17 -> 10.0.0.100
tos 0x00, ttl 255, length 50, checksum 0xa899 dscp CS0 ecn NON_ECN
fragment id 0xe913
ICMP echo_request checksum 0x4637 id 39169
00:06:31:315054: abf-input-ip4
next 1 index 28
00:06:31:315056: ip4-arp
ICMP: 192.168.95.17 -> 10.0.0.100
tos 0x00, ttl 255, length 50, checksum 0xa899 dscp CS0 ecn NON_ECN
fragment id 0xe913
ICMP echo_request checksum 0x4637 id 39169
00:06:31:315064: ip4-drop
ICMP: 192.168.95.17 -> 10.0.0.100
tos 0x00, ttl 255, length 50, checksum 0xa899 dscp CS0 ecn NON_ECN
fragment id 0xe913
ICMP echo_request checksum 0x4637 id 39169
00:06:31:315066: error-drop
rx:loop0
00:06:31:315068: drop
ip4-arp: ARP requests sent
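
The trace in the message above, reduced to its graph-node path and the reason recorded at the drop node. This is an added example, not part of the original message; the `summarize` helper is hypothetical and `TRACE` is an abridged copy of the posted trace.

```python
import re

# Abridged copy of the "show trace" output from the post (most detail lines trimmed).
TRACE = """\
Packet 4
00:06:31:315032: dpdk-input
enp3s0 rx queue 0
00:06:31:315041: ethernet-input
00:06:31:315047: l2-input
00:06:31:315052: ip4-input
ICMP: 192.168.95.17 -> 10.0.0.100
00:06:31:315054: abf-input-ip4
next 1 index 28
00:06:31:315056: ip4-arp
00:06:31:315064: ip4-drop
00:06:31:315066: error-drop
rx:loop0
00:06:31:315068: drop
ip4-arp: ARP requests sent
"""

PACKET_RE = re.compile(r"^Packet (\d+)$")
# Node header lines look like "hh:mm:ss:usec: node-name".
NODE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{6}: (\S+)$")

def summarize(trace_text):
    """Return one dict per packet: id, ordered node path, drop reason (or None)."""
    packets, cur, node = [], None, None
    for raw in trace_text.splitlines():
        line = raw.strip()
        m = PACKET_RE.match(line)
        if m:
            cur = {"packet": int(m.group(1)), "path": [], "drop_reason": None}
            packets.append(cur)
            node = None
            continue
        if cur is None or not line:
            continue  # skip blank lines and anything before the first packet
        m = NODE_RE.match(line)
        if m:
            node = m.group(1)
            cur["path"].append(node)
        elif node == "drop" and cur["drop_reason"] is None:
            cur["drop_reason"] = line  # first detail line under the drop node
    return packets

if __name__ == "__main__":
    for p in summarize(TRACE):
        print(p["packet"], " -> ".join(p["path"]), "|", p["drop_reason"])
```

For the posted packet, the path goes from `abf-input-ip4` to `ip4-arp` and then to the drop nodes, and the reason recorded at `drop` is `ip4-arp: ARP requests sent`.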