Was there any resolution provided for this issue?
I noticed https://jira.fd.io/browse/VPP-1795
does show any fix or activity. Please comment.
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#17327):
Thank you Andrew for taking the time and responding to my questions.
Much appreciated.
On Tue, Sep 15, 2020 at 2:01 AM Andrew Yourtchenko
wrote:
> Hi Venkat,
>
> Before doing ACL checks, acl-plugin checks the established sessions on
> the given interface.
>
> If an already e
Hello Andrew,
I am doing a simple test by sending TCP flows from Trex traffic generator.
Traffic source is 16.0.0.1-16.0.0.100 and destination is 48.0.0.1-48.0.0.100.
I am sending TCP traffic with CPS=50 from 100 clients to 100 servers via Trex
http profile.
I have a reflective ACL to permit
Just curious to know if the fix is verified and merged?
Haven't seen any feedback or confirmation from Berna.
-=-=-=-=-=-=-=-=-=-=-=-
View/Reply Online (#17257): https://lists.fd.io/g/vpp-dev/message/17257
I just verified applying the patch mentioned above to 19.08 VPP version which
is what we are using.
The patch doesn't address the issue. I don't see traffic going to ABF feature
if we have Out NAT enabled on the same interface.
Appreciate any help in this regard.
thanks
Venkat
But you could probably work around it by having the ACLs on the inner
interface.
[VENKAT]: We currently are following that approach. Setting ACLs on the LAN
interface. But it comes with its own problems.
- First, the WAN interface is wide open to the internet without any FW
rules
for the original Source/Dest
IP pair prior to SNAT.
Return traffic coming into the WAN interface comes with WAN IP (public IP),
gets dropped because of Deny all input ACL and the purpose of stateful ACL
is lost.
How is this scenario typically addressed?
thanks
Venkat
On Thu, Sep 17, 2020 at 3:19 PM
packet.
thanks again for the response
regards
Venkat
On Tue, Sep 22, 2020 at 11:48 AM Matthew Smith wrote:
>
> On Tue, Sep 22, 2020 at 12:21 PM Andrew Yourtchenko
> wrote:
>
>> I suggest making a unit test that captures this behavior and fails, then
>> we can look
instead of waiting for the sessions to reclaim and reclassify.
thanks
Venkat
On Thu, Sep 17, 2020 at 10:39 AM Andrew Yourtchenko
wrote:
>
>
> On 17 Sep 2020, at 19:29, Venkat wrote:
>
>
> Andrew,
>
> I have a few follow up questions on the stated behavior.
>
up again based on the current state of ACLs rule? I
would assume, it's the latter case, otherwise, modified ACL would never hit
if traffic continues to flow.
On Thu, Sep 17, 2020 at 10:39 AM Andrew Yourtchenko
wrote:
>
>
> On 17 Sep 2020, at 19:29, Venkat wrote:
>
>
stateful ACL hit
would result in the creation of such a session and subsequent packets would
by-pass ACL rules and continue to be served by special-case "-1".
thanks
Venkat
On Tue, Sep 15, 2020 at 2:01 AM Andrew Yourtchenko
wrote:
> Hi Venkat,
>
> Before doing ACL
in the range of ~300 secs. I haven't quantified the
behavior with TCP NAT sessions yet.
Are you aware of this issue if persist in VPP 19.08 version?
thanks
Venkat
-=-=-=-=-=-=-=-=-=-=-=-
View/Reply Online (#17461): https://lists.fd.io/g/vpp
and non-abf
ACL on the same interface. I agree, in any case, it should not result in a
crash.
thanks
Venkat
On Fri, Aug 7, 2020 at 9:59 AM Balaji Venkatraman via lists.fd.io wrote:
> Hi Venkat,
>
>
>
> Underlying the ABF is another ACL. When we attach an ABF to the inter
s.
DBGvpp# show version
vpp v19.08.1-282~ga6a98b546 built by root on 525c154d7fe6 at Tue Aug 4
21:10:49 UTC 2020
DBGvpp#
thanks
Venkat
On Fri, Aug 7, 2020 at 10:27 AM Andrew Yourtchenko
wrote:
> A contribution to “make test” that covers this scenario would be very much
> appreciated.
012500 ,
p=0x7fffb5774000, f=0x0, last_time_stamp=0)
at /w/workspace/vpp-merge-2005-ubuntu1804/src/vlib/main.c:1569
On Tue, Aug 11, 2020 at 9:46 AM Venkat via lists.fd.io wrote:
> Andres/Neale,
>
> I confirm to see the same behavior when using ligato etcd proto models
> which I believe
for Neale to comment on the backtrace provided and hopefully get
a fix from him soon.
thanks
Venkat
On Wed, Aug 12, 2020 at 1:47 AM Andrew Yourtchenko
wrote:
> Hi Venkat,
>
> Cool, thanks a lot!
>
> So the first issue is acl-related,
> you can try out the https://gerrit.fd.
between 1908 vs 2001 or
2005 VPP stable branches for ABF plugin code making a case to upgrade vpp?
Please advise.
thanks
Venkat
On Fri, Aug 7, 2020 at 4:25 PM Andrew Yourtchenko
wrote:
> Sure. Neither me nor Neale have k8s or ligato.
>
> If you invest some effort into building a small “
with a fix for the issue 1
works.
thanks
Venkat
On Wed, Aug 12, 2020 at 10:05 AM Neale Ranns (nranns)
wrote:
> Hi Venkat,
>
> No fix from me soon, I'm on leave. In the meantime, don't add policies
> with no forwarding paths ;)
>
> /neale
>
>
-list:[47] locks:1 flags:shared,no-uRPF, uRPF-list: None
-
Delete ABF Policy and this results in a VPP crash
DBGvpp# abf policy del id 100 acl 0
On Fri, Aug 7, 2020 at 5:36 PM Andrew Yourtchenko
wrote:
>
>
>
> On 8 Aug 2020, at 01:40, Venkat wrote:
>
>
as they
provide independent functions, especially when they are matching against
different criteria.
+1. Those two are orthogonal functions. ABF uses the acl as a service infra
to select which traffic it deals with - but that’s it.
+1 [ VENKAT] I expected the same behavior but it doesn't look like
Perhaps someone from MLNX can confirm, but this is what we received from
them...but we haven’t had a chance to verify yet.
Since DPDK 17.11 Mellanox PMD moved to work on top of upstream user space
libraries (rdma-core) instead of the Mellanox proprietary ones.
So the