Re: [vpp-dev] NAT44 and rate limiting
I used John's exact setup. I added policer to loop5 and lan0

configure policer name policy2 type 1r2c cir 500 cb 5000 rate kbps conform-action transmit exceed-action drop
classify table mask l3 ip4 src
classify session policer-hit-next policy2 table-index 0 match l3 ip4 src 10.8.200.2
set policer classify interface loop5 ip4-table 0
set policer classify interface lan0 ip4-table 20

sh int loop5 features
loop5
ip4-unicast:
  nat44-in2out
  ip4-policer-classify

sh int lan0 features
lan0
ip4-unicast:
  ip4-not-enabled
  ip4-policer-classify

"sh classify tables verbose" shows table has been added.
"show classify policer type ip4" shows table has been added to loop5 and lan0.

As you can see below it's
ethernet-input
l2-input
l2-learn
l2-fwd
ip4-input
nat44-in2out
ip4-lookup

ip4-policer-classify is not present after nat44-in2out.

Packet 1

1:23:06:454709: dpdk-input
  lan0 rx queue 0
  buffer 0xb3cf: current data 0, length 60, free-list 0, clone-count 0, totlen-nifb 0, trace 0x2
                 ext-hdr-valid
                 l4-cksum-computed l4-cksum-correct
  PKT MBUF: port 3, nb_segs 1, pkt_len 60
    buf_len 2176, data_len 60, ol_flags 0x180, data_off 128, phys_addr 0xe96cf440
    packet_type 0x111 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
    rss 0x0 fdir.hi 0x0 fdir.lo 0x0
    Packet Offload Flags
      PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
      PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid
    Packet Types
      RTE_PTYPE_L2_ETHER (0x0001) Ethernet packet
      RTE_PTYPE_L3_IPV4 (0x0010) IPv4 packet without extension headers
      RTE_PTYPE_L4_TCP (0x0100) TCP packet
  IP4: ac:2e:33:1f:cc:3e -> ee:af:33:00:00:11
  TCP: 10.155.6.109 -> 10.8.200.1
    tos 0x00, ttl 128, length 40, checksum 0x3811
    fragment id 0xdfad, flags DONT_FRAGMENT
  TCP: 49727 -> 5201
    seq. 0x34aa7da4 ack 0x4578b6ae
    flags 0x10 ACK, tcp header: 20 bytes
    window 53248, checksum 0x77bc
01:23:06:454710: ethernet-input
  frame: flags 0x3, hw-if-index 4, sw-if-index 4
  IP4: ac:2e:33:1f:cc:3e -> ee:af:33:00:00:11
01:23:06:454711: l2-input
  l2-input: sw_if_index 4 dst ee:af:33:00:00:11 src ac:2e:33:1f:cc:3e
01:23:06:454712: l2-learn
  l2-learn: sw_if_index 4 dst ee:af:33:00:00:11 src ac:2e:33:1f:cc:3e bd_index 1
01:23:06:454712: l2-fwd
  l2-fwd: sw_if_index 4 dst ee:af:33:00:00:11 src ac:2e:33:1f:cc:3e bd_index 1 result [0x70007, 7] static age-not bvi
01:23:06:454713: ip4-input
  TCP: 10.155.6.109 -> 10.8.200.1
    tos 0x00, ttl 128, length 40, checksum 0x3811
    fragment id 0xdfad, flags DONT_FRAGMENT
  TCP: 49727 -> 5201
    seq. 0x34aa7da4 ack 0x4578b6ae
    flags 0x10 ACK, tcp header: 20 bytes
    window 53248, checksum 0x77bc
01:23:06:454713: nat44-in2out
  NAT44_IN2OUT_FAST_PATH: sw_if_index 7, next index 0, session 22
01:23:06:454714: ip4-lookup
  fib 0 dpo-idx 1 flow hash: 0x
  TCP: 10.8.200.2 -> 10.8.200.1
    tos 0x00, ttl 128, length 40, checksum 0x770e
    fragment id 0xdfad, flags DONT_FRAGMENT
  TCP: 26849 -> 5201
    seq. 0x34aa7da4 ack 0x4578b6ae
    flags 0x10 ACK, tcp header: 20 bytes
    window 53248, checksum 0x1018
01:23:06:454715: ip4-rewrite
  tx_sw_if_index 6 dpo-idx 1 : ipv4 via 10.8.200.1 wan0: mtu:9000 a0369f9be2e2083571eb70550800 flow hash: 0x
  : a0369f9be2e2083571eb705508004528dfad40007f06780e0a08c8020a08
  0020: c80168e1145134aa7da44578b6ae5010d0001018
01:23:06:454716: wan0-output
  wan0
  IP4: a2:12:53:ac:bf:3b -> 2b:dd:3e:22:ae:2e
  TCP: 10.8.200.2 -> 10.8.200.1
    tos 0x00, ttl 127, length 40, checksum 0x780e
    fragment id 0xdfad, flags DONT_FRAGMENT
  TCP: 26849 -> 5201
    seq. 0x34aa7da4 ack 0x4578b6ae
    flags 0x10 ACK, tcp header: 20 bytes
    window 53248, checksum 0x1018
01:23:06:454716: wan0-tx
  wan0 tx queue 1
  buffer 0xb3cf: current data 0, length 60, free-list 0, clone-count 0, totlen-nifb 0, trace 0x2
                 ext-hdr-valid
                 l4-cksum-computed l4-cksum-correct natted l2-hdr-offset 0 l3-hdr-offset 14
  PKT MBUF: port 3, nb_segs 1, pkt_len 60
    buf_len 2176, data_len 60, ol_flags 0x180, data_off 128, phys_addr 0xe96cf440
    packet_type 0x111 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
    rss 0x0 fdir.hi 0x0 fdir.lo 0x0
    Packet Offload Flags
      PKT_RX_IP_CKSUM_GOOD (0x0080) IP cksum of RX pkt. is valid
      PKT_RX_L4_CKSUM_GOOD (0x0100) L4 cksum of RX pkt. is valid
    Packet Types
      RTE_PTYPE_L2_ETHER (0x0001) Ethernet packet
      RTE_PTYPE_L3_IPV4 (0x0010) IPv4 packet without extension headers
      RTE_PTYPE_L4_TCP (0x0100) TCP packet
  IP4: a2:12:53:ac:bf:3b -> 2b:dd:3e:22:ae:2e
  TCP: 10.8.200.2 -> 10.8.200.1
    tos 0x00, ttl 127, length 40, checksum 0x780e
    fragment id 0xdfad, flags DONT_FRAGMENT
  TCP: 26849 -> 5201
    seq. 0x34aa7da4 ack 0x4578b6ae
    flags 0x10 ACK, tcp header: 20 bytes
    window 53248, checksum 0x1018

Cheers

On Thu, Apr 18, 2019 at 9:12 PM carlito nueno via Lists.Fd.Io wrote:
>
> John,
>
> from
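
The check made by eye in the message above (is ip4-policer-classify in the packet's node path, and on which side of nat44-in2out) can be scripted against saved trace output. This is an added example, not part of the thread; the sample trace is constructed, and its packet 2 is hypothetical.

```python
import re

PACKET_RE = re.compile(r"^Packet (\d+)\s*$")
# A node entry starts at column 0: "HH:MM:SS:usec: node-name"; detail lines are indented.
NODE_RE = re.compile(r"^\d{1,2}:\d{2}:\d{2}:\d{6}: (\S+)\s*$")

def node_paths(trace: str) -> dict:
    """Map each packet number to the ordered list of graph nodes it visited."""
    paths, current = {}, None
    for line in trace.splitlines():
        if (m := PACKET_RE.match(line)):
            current = paths.setdefault(int(m.group(1)), [])
        elif current is not None and (m := NODE_RE.match(line)):
            current.append(m.group(1))
    return paths

def feature_position(path: list, feature: str, anchor: str) -> str:
    """Report whether `feature` ran, and on which side of `anchor`."""
    if feature not in path:
        return "missing"
    if anchor not in path:
        return "present"
    return "before" if path.index(feature) < path.index(anchor) else "after"

# Constructed sample: packet 1 abridges the thread's trace; packet 2 is hypothetical.
SAMPLE = """\
Packet 1
01:23:06:454709: dpdk-input
  lan0 rx queue 0
01:23:06:454710: ethernet-input
01:23:06:454711: l2-input
01:23:06:454712: l2-learn
01:23:06:454712: l2-fwd
01:23:06:454713: ip4-input
01:23:06:454713: nat44-in2out
01:23:06:454714: ip4-lookup
01:23:06:454715: ip4-rewrite
01:23:06:454716: wan0-output
01:23:06:454716: wan0-tx
Packet 2
01:23:07:000001: ip4-input
01:23:07:000002: nat44-in2out
01:23:07:000003: ip4-policer-classify
01:23:07:000004: ip4-lookup
"""

def report(trace: str = SAMPLE) -> dict:
    return {n: feature_position(p, "ip4-policer-classify", "nat44-in2out")
            for n, p in node_paths(trace).items()}
```
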
Re: [vpp-dev] NAT44 and rate limiting
John,

from your packet trace:

00:01:47:426336: ip4-input-no-checksum
  TCP: 10.8.200.1 -> 10.8.200.2
    tos 0x00, ttl 64, length 52, checksum 0x96b0
    fragment id 0x, flags DONT_FRAGMENT
  TCP: 80 -> 18995
    seq. 0x732f1a24 ack 0x702b5a27
    flags 0x12 SYN ACK, tcp header: 32 bytes
    window 29200, checksum 0xb6b3
00:01:47:426337: nat44-out2in
  NAT44_OUT2IN: sw_if_index 6, next index 1, session index 1

You can't use src 10.8.200.2 because packets entering wan0 are out to in, hence nat44_out2in, will have src of 10.8.200.1.
Packets before nat44_out2in will have dst of 10.8.200.2. Hence your policer session will not work.

from your packet trace:

00:01:47:426338: loop5-output
  loop5
  IP4: de:ad:00:00:00:05 -> c0:56:27:90:3f:fc
  TCP: 10.8.200.1 -> 10.155.6.109
    tos 0x00, ttl 63, length 52, checksum 0x58b3
    fragment id 0x, flags DONT_FRAGMENT
  TCP: 80 -> 50051

Again, l2 src 08:25:a1:cb:40:55 won't work because packets after NAT are leaving out of loop5 with src de:ad:00:00:00:05.

My hunch is this might work:

classify session policer-hit-next policy1 table-index 1 match l2 src de:ad:00:00:00:05
set policer classify interface loop5 l2-table 1

Hope this helps.

On Tue, Apr 16, 2019 at 8:28 PM John Pearson wrote:
>
> Hi all,
>
> I am using NAT44 and am trying to limit upload and download bandwidth
> separately on wan0.
>
> setup:
> file server <--> [wan0] VPP [loop5] <--> client
>
> Info:
> file server
> ip address: 10.8.200.1
> mac: a0:36:9f:9b:e2:e2
>
> wan0
> ip addr: 10.8.200.2
> gateway: 10.8.200.1
> mac: 08:25:a1:cb:40:55
>
> loop5
> ip addr: 10.155.6.1
> mac: de:ad:00:00:00:05
>
> client
> ip addr: 10.155.6.109
> mac: c0:56:27:90:3f:fc
>
> vpp.conf
>
> set int state wan0 up
> set int ip address wan0 10.8.200.2/24
> ip route add 0.0.0.0/0 via 10.8.200.1
>
> set int state lan0 up
>
> create loopback interface instance 5
> set int l2 bridge loop5 5 bvi
> set int ip address loop5 10.155.6.1/24
> set int state loop5 up
> set int l2 bridge lan0 5
>
> nat44 add interface address wan0
> set interface nat44 in loop5 out wan0
>
> Packet trace of 2 packets: https://pastebin.com/PZLMpG1i
>
> What I tried:
>
> configure policer name policy1 type 1r2c cir 500 cb 5000 rate kbps
> conform-action transmit exceed-action drop
> classify table mask l3 ip4 src
> classify session policer-hit-next policy1 table-index 0 match l3 ip4 src
> 10.8.200.2
> set policer classify interface wan0 ip4-table 0
>
> -
>
> configure policer name policy1 type 1r2c cir 500 cb 5000 rate kbps
> conform-action transmit exceed-action drop
> classify table mask l2 src
> classify session policer-hit-next policy1 table-index 1 match l2 src
> 08:25:a1:cb:40:55
> set policer classify interface wan0 l2-table 0
>
> Please let me know where I am making a mistake.
>
> Thanks!

View/Reply Online (#12820): https://lists.fd.io/g/vpp-dev/message/12820
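
The address mismatch described in the reply above, as an added example that is not part of the thread: a simplified mask-and-compare model of a classify session, applied to the IPv4 headers the traces show on arrival, before NAT rewrites them. Assumptions: offsets are relative to the IPv4 header, the headers are constructed from the addresses in the traces, and the dst-masked session is this example's own illustration.

```python
import ipaddress
import struct

SRC_OFF, DST_OFF = 12, 16  # byte offsets of src/dst inside an IPv4 header

def ip4_header(src: str, dst: str) -> bytes:
    """Minimal 20-byte IPv4 header; only the address fields matter here."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def session(field_off: int, addr: str):
    """Return (mask, key) for a table that masks one 4-byte address field."""
    mask, key = bytearray(20), bytearray(20)
    mask[field_off:field_off + 4] = b"\xff" * 4
    key[field_off:field_off + 4] = ipaddress.IPv4Address(addr).packed
    return bytes(mask), bytes(key)

def hits(header: bytes, mask: bytes, key: bytes) -> bool:
    """The session hits only if every masked header byte equals the key byte."""
    return all((h & m) == (k & m) for h, m, k in zip(header, mask, key))

# Constructed headers: what each interface receives before NAT touches the packet.
WAN0_IN = ip4_header("10.8.200.1", "10.8.200.2")     # file server -> NAT address
LOOP5_IN = ip4_header("10.155.6.109", "10.8.200.1")  # client -> file server

def evaluate() -> dict:
    src_nat = session(SRC_OFF, "10.8.200.2")       # the session tried in the thread
    dst_nat = session(DST_OFF, "10.8.200.2")       # assumption: dst-masked variant
    src_client = session(SRC_OFF, "10.155.6.109")  # assumption: pre-NAT client address
    return {
        "wan0 src 10.8.200.2": hits(WAN0_IN, *src_nat),
        "wan0 dst 10.8.200.2": hits(WAN0_IN, *dst_nat),
        "loop5 src 10.8.200.2": hits(LOOP5_IN, *src_nat),
        "loop5 src 10.155.6.109": hits(LOOP5_IN, *src_client),
    }

if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:24} {'hit' if hit else 'miss'}")
```
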
[vpp-dev] NAT44 and rate limiting
Hi all,

I am using NAT44 and am trying to limit upload and download bandwidth separately on wan0.

setup:
file server <--> [wan0] VPP [loop5] <--> client

Info:
file server
ip address: 10.8.200.1
mac: a0:36:9f:9b:e2:e2

wan0
ip addr: 10.8.200.2
gateway: 10.8.200.1
mac: 08:25:a1:cb:40:55

loop5
ip addr: 10.155.6.1
mac: de:ad:00:00:00:05

client
ip addr: 10.155.6.109
mac: c0:56:27:90:3f:fc

vpp.conf

set int state wan0 up
set int ip address wan0 10.8.200.2/24
ip route add 0.0.0.0/0 via 10.8.200.1

set int state lan0 up

create loopback interface instance 5
set int l2 bridge loop5 5 bvi
set int ip address loop5 10.155.6.1/24
set int state loop5 up
set int l2 bridge lan0 5

nat44 add interface address wan0
set interface nat44 in loop5 out wan0

Packet trace of 2 packets: https://pastebin.com/PZLMpG1i

What I tried:

configure policer name policy1 type 1r2c cir 500 cb 5000 rate kbps conform-action transmit exceed-action drop
classify table mask l3 ip4 src
classify session policer-hit-next policy1 table-index 0 match l3 ip4 src 10.8.200.2
set policer classify interface wan0 ip4-table 0

-

configure policer name policy1 type 1r2c cir 500 cb 5000 rate kbps conform-action transmit exceed-action drop
classify table mask l2 src
classify session policer-hit-next policy1 table-index 1 match l2 src 08:25:a1:cb:40:55
set policer classify interface wan0 l2-table 0

Please let me know where I am making a mistake.

Thanks!

View/Reply Online (#12802): https://lists.fd.io/g/vpp-dev/message/12802