Re: [vpp-dev] Forwarding Specific Packet with LCP Plugin
Hi Burcu,

Yes, you are able to use VPP host stack implementation with LD_PRELOAD. Please refer to https://wiki.fd.io/view/VPP/HostStack/LDP/sshd .

Best regards,
Filip Varga

On Tue, 14 Feb 2023 at 14:50, Matthew Smith via lists.fd.io wrote:
>
> You set the next hop address to the same as the local interface address:
>
> On Tue, Feb 14, 2023 at 7:42 AM Burcu YUKSEL <burcu.yuk...@ulakhaberlesme.com.tr> wrote:
>
> [...]
>> set int ip address memif0/0 10.10.1.1/24
> [...]
>> abf policy add id 0 acl 0 via 10.10.1.1 memif0/0
>
> If you want packets matching the ACL to be sent to 10.10.1.4 as in your
> original diagram, the abf policy should be via 10.10.1.4, not 10.10.1.1.
>
> -Matt

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#22592): https://lists.fd.io/g/vpp-dev/message/22592
Mute This Topic: https://lists.fd.io/mt/96850285/21656
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/leave/1480452/21656/631435203/xyzzy [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [vpp-dev] Forwarding Specific Packet with LCP Plugin
You set the next hop address to the same as the local interface address:

On Tue, Feb 14, 2023 at 7:42 AM Burcu YUKSEL <burcu.yuk...@ulakhaberlesme.com.tr> wrote:

[...]
> set int ip address memif0/0 10.10.1.1/24
[...]
> abf policy add id 0 acl 0 via 10.10.1.1 memif0/0

If you want packets matching the ACL to be sent to 10.10.1.4 as in your original diagram, the abf policy should be via 10.10.1.4, not 10.10.1.1.

-Matt

View/Reply Online (#22591): https://lists.fd.io/g/vpp-dev/message/22591

Re: [vpp-dev] Forwarding Specific Packet with LCP Plugin
Hi Matthew,

According to the information that you gave us, we run the configuration below:

VPP version: 23.02-rc0~219-g6903da2

set int ip address TwentyFiveGigabitEthernetd8/0/0 10.20.10.22/24
set interface state TwentyFiveGigabitEthernetd8/0/0 up
create interface memif id 0 master
set int ip address memif0/0 10.10.1.1/24
set int state memif0/0 up
create interface memif id 1 master
set acl-plugin acl permit src 0.0.0.0/0 dst 10.20.10.22/32 proto 0-255 sport 0-65535 dport 0-65535
abf policy add id 0 acl 0 via 10.10.1.1 memif0/0
abf attach ip4 policy 0 TwentyFiveGigabitEthernetd8/0/0

Even though we added the memif0/0 interface as the next hop, the output of the "show abf attach" command shows dpo-drop ip4.

DBGvpp# show abf attach TwentyFiveGigabitEthernetd8/0/0
ipv4:
  abf-interface-attach: policy:0 priority:0
    [@1]: dpo-drop ip4

As you can see in the trace log below, after abf-input-ip4, the packet enters ip4-drop, but we expect to see the memif-input node instead of ip4-drop. Is there anything missing in the above configuration?

DBGvpp# sh trace
00:00:56:390399: dpdk-input
  TwentyFiveGigabitEthernetd8/0/0 rx queue 0
  buffer 0x1fffe55: current data 0, length 1242, buffer-pool 1, ref-count 1, trace handle 0x0
    ext-hdr-valid
  PKT MBUF: port 1, nb_segs 1, pkt_len 1242
    buf_len 2176, data_len 1242, ol_flags 0x400180, data_off 128, phys_addr 0x7fff95c0
    packet_type 0x291 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
    rss 0x0 fdir.hi 0x0 fdir.lo 0x0
    Packet Offload Flags
      PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
      PKT_RX_IP_CKSUM_NONE (0x0090) no IP cksum of RX pkt.
      PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid
      PKT_RX_L4_CKSUM_NONE (0x0108) no L4 cksum of RX pkt.
      PKT_RX_OUTER_L4_CKSUM_GOOD (0x4000) External L4 header checksum OK
    Packet Types
      RTE_PTYPE_L2_ETHER (0x0001) Ethernet packet
      RTE_PTYPE_L3_IPV4_EXT_UNKNOWN (0x0090) IPv4 packet with or without extension headers
      RTE_PTYPE_L4_UDP (0x0200) UDP packet
  IP4: 3c:fd:fe:9c:6a:80 -> 40:a6:b7:82:1e:50
  UDP: 10.20.10.19 -> 10.20.10.22
    tos 0x00, ttl 64, length 1228, checksum 0x4a7e dscp CS0 ecn NON_ECN
    fragment id 0xc352, flags DONT_FRAGMENT
  UDP: 41669 -> 8891
    length 1208, checksum 0x5813
00:00:56:390408: ethernet-input
  frame: flags 0x3, hw-if-index 2, sw-if-index 2
  IP4: 3c:fd:fe:9c:6a:80 -> 40:a6:b7:82:1e:50
00:00:56:390414: ip4-input-no-checksum
  UDP: 10.20.10.19 -> 10.20.10.22
    tos 0x00, ttl 64, length 1228, checksum 0x4a7e dscp CS0 ecn NON_ECN
    fragment id 0xc352, flags DONT_FRAGMENT
  UDP: 41669 -> 8891
    length 1208, checksum 0x5813
00:00:56:390417: abf-input-ip4
  next 1 index 0
00:00:56:390420: ip4-drop
  UDP: 10.20.10.19 -> 10.20.10.22
    tos 0x00, ttl 64, length 1228, checksum 0x4a7e dscp CS0 ecn NON_ECN
    fragment id 0xc352, flags DONT_FRAGMENT
  UDP: 41669 -> 8891
    length 1208, checksum 0x5813
00:00:56:390423: error-drop
  rx:TwentyFiveGigabitEthernetd8/0/0
00:00:56:390425: drop
  dpdk-input: no error

Best Regards,
Burcu

View/Reply Online (#22590): https://lists.fd.io/g/vpp-dev/message/22590

Re: [vpp-dev] Forwarding Specific Packet with LCP Plugin
Hi Burcu,

You can probably use ABF (https://wiki.fd.io/view/VPP/ABF) to do this.

When you have linux-cp enabled and an interface is added to a linux-cp interface pair, the normal behavior is that packets received on that interface which are destined to the interface IP address will be punted to the host over the linux-cp tap. This occurs after the FIB lookup that occurs at the end of the ip4-unicast feature arc. ABF policies are evaluated earlier on the feature arc and can match packets and forward them elsewhere before they are punted to linux-cp.

You can create an ACL that has rules like this:

1. ipv4 deny src 0.0.0.0/0 dst 10.20.10.22/32 proto 6 sport 0 dport 22 - this deny rule will cause the tcp/22 packets to be excluded from ABF processing, so they will follow the normal path into linux-cp
2. ipv4 permit src 0.0.0.0/0 dst 10.20.10.22/32 proto 0 sport 0-65535 dport 0-65535 - this will match all the other packets which would normally be punted to linux-cp and cause them to be forwarded using ABF policy instead

Then you can add an ABF policy referencing the ACL you created which sends packets 'via 10.10.1.4 memif0' and attach that policy to the hardware interface.

The patch that enables the use of deny rules to exclude packets from ABF processing was added after the stable/2210 branch was created. So the above will only work on a build from VPP's master branch.

-Matt

On Thu, Feb 9, 2023 at 4:13 AM Burcu YUKSEL <burcu.yuk...@ulakhaberlesme.com.tr> wrote:

> Hello Everyone,
>
> We want to transfer the SSH packets coming from Device A to Linux Stack,
> other packets to Application B full duplex. We transferred packets
> using the LCP plugin. However, in this case we have transferred all the packets
> to Linux stack. Is there a way to forward only TCP packets with port 22 to
> Linux with LCP?
>
> VPP:
>
> lcp create TwentyFiveGigabitEthernetd8/0/0 host-if vpp-host
> set interface state TwentyFiveGigabitEthernetd8/0/0 up
> set interface ip address TwentyFiveGigabitEthernetd8/0/0 10.20.10.22/24
> ip route add 0.0.0.0/0 via 10.20.10.22 TwentyFiveGigabitEthernetd8/0/0
>
> Linux Server:
>
> sudo ip link set vpp-host up
> sudo ip addr add 10.20.10.22/24 dev vpp-host
> sudo route add default gw 10.20.10.1
>
> Best Regards,
> Burcu

View/Reply Online (#22575): https://lists.fd.io/g/vpp-dev/message/22575

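An added example, not part of the thread and not VPP code: a small Python model of the two-rule ACL from the reply above and of the next-hop mistake pointed out in the 14 Feb reply. It assumes first-match rule evaluation and that protocol 0 means any protocol; `Rule`, `classify` and `check_next_hop` are hypothetical names, and the on-link test is an extra sanity check of this example.

```python
import ipaddress
from dataclasses import dataclass

ANY_PROTO = 0  # model assumption: protocol 0 stands for "any protocol"

@dataclass(frozen=True)
class Rule:  # hypothetical model of one ACL rule, not a VPP structure
    action: str    # "permit" or "deny"
    dst: str       # destination prefix
    proto: int     # IP protocol number, or ANY_PROTO
    dports: tuple  # inclusive (low, high) destination port range

    def matches(self, dst_ip, proto, dport):
        return (ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.proto in (ANY_PROTO, proto)
                and self.dports[0] <= dport <= self.dports[1])

def classify(rules, dst_ip, proto, dport):
    """First matching rule wins (assumed). permit: ABF forwards the packet.
    deny or no match: normal path, i.e. FIB lookup and punt to linux-cp."""
    for rule in rules:
        if rule.matches(dst_ip, proto, dport):
            return "abf" if rule.action == "permit" else "normal"
    return "normal"

def check_next_hop(next_hop, if_prefix):
    """List problems with an ABF path 'via <next_hop> <interface>'."""
    iface = ipaddress.ip_interface(if_prefix)
    hop = ipaddress.ip_address(next_hop)
    problems = []
    if hop == iface.ip:  # the mistake identified in the thread
        problems.append("next hop is the interface's own address")
    if hop not in iface.network:  # extra sanity check added for this example
        problems.append("next hop is not on the interface subnet")
    return problems

# The two rules from the reply above, in the order given there.
RULES = [
    Rule("deny", "10.20.10.22/32", 6, (22, 22)),
    Rule("permit", "10.20.10.22/32", ANY_PROTO, (0, 65535)),
]

if __name__ == "__main__":
    # Constructed sample packets: (description, dst, proto, dport)
    for name, dst, proto, dport in [
        ("ssh to interface address", "10.20.10.22", 6, 22),
        ("udp flow from the trace", "10.20.10.22", 17, 8891),
        ("transit packet", "10.20.10.50", 17, 8891),
    ]:
        print(f"{name:26} -> {classify(RULES, dst, proto, dport)}")
    # Swapping the rules sends SSH to ABF as well: order matters.
    print("reversed, ssh ->", classify(RULES[::-1], "10.20.10.22", 6, 22))
    print(check_next_hop("10.10.1.1", "10.10.1.1/24"))  # config from the thread
    print(check_next_hop("10.10.1.4", "10.10.1.1/24"))  # suggested fix
```

With the permit rule placed first, the tcp/22 packets match it before the deny rule is reached, so management traffic would be steered away from linux-cp along with everything else.
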
Re: [vpp-dev] Forwarding Specific Packet with LCP Plugin
Hi,

Linux CP forwards all (unicast, multicast, ARP) through the TAP tunnel to the Linux kernel. It's not possible to add a classifier that selectively forwards some but not all traffic.

Matthew mentioned in a thread about NAT (which kind of wants to do the same thing, perform NAT on some of the inbound ports using session matching, but forward the rest to Linux), which has some interesting observations which help explain the current behavior: https://lists.fd.io/g/vpp-dev/topic/96783537#22553

regards,
Pim

On Thu, Feb 9, 2023 at 11:05 AM Burcu YUKSEL <burcu.yuk...@ulakhaberlesme.com.tr> wrote:

> Hello Everyone,
>
> We want to transfer the SSH packets coming from Device A to Linux Stack,
> other packets to Application B full duplex. We transferred packets
> using the LCP plugin. However, in this case we have transferred all the packets
> to Linux stack. Is there a way to forward only TCP packets with port 22 to
> Linux with LCP?
>
> VPP:
>
> lcp create TwentyFiveGigabitEthernetd8/0/0 host-if vpp-host
> set interface state TwentyFiveGigabitEthernetd8/0/0 up
> set interface ip address TwentyFiveGigabitEthernetd8/0/0 10.20.10.22/24
> ip route add 0.0.0.0/0 via 10.20.10.22 TwentyFiveGigabitEthernetd8/0/0
>
> Linux Server:
>
> sudo ip link set vpp-host up
> sudo ip addr add 10.20.10.22/24 dev vpp-host
> sudo route add default gw 10.20.10.1
>
> Best Regards,
> Burcu

--
Pim van Pelt
PBVP1-RIPE - http://www.ipng.nl/

View/Reply Online (#22573): https://lists.fd.io/g/vpp-dev/message/22573

[vpp-dev] Forwarding Specific Packet with LCP Plugin
Hello Everyone,

We want to transfer the SSH packets coming from Device A to Linux Stack, other packets to Application B full duplex. We transferred packets using the LCP plugin. However, in this case we have transferred all the packets to Linux stack. Is there a way to forward only TCP packets with port 22 to Linux with LCP?

VPP:

lcp create TwentyFiveGigabitEthernetd8/0/0 host-if vpp-host
set interface state TwentyFiveGigabitEthernetd8/0/0 up
set interface ip address TwentyFiveGigabitEthernetd8/0/0 10.20.10.22/24
ip route add 0.0.0.0/0 via 10.20.10.22 TwentyFiveGigabitEthernetd8/0/0

Linux Server:

sudo ip link set vpp-host up
sudo ip addr add 10.20.10.22/24 dev vpp-host
sudo route add default gw 10.20.10.1

Best Regards,
Burcu

View/Reply Online (#22572): https://lists.fd.io/g/vpp-dev/message/22572
