[vpp-dev] ACL + classifier table does not work on subinterface as expected

Fri, 12 May 2017 11:19:46 -0700 

Hi all,

I have defined a classify table with no session and its acl-miss-next is
drop and assigned it to all interfaces including subinterface. I also
defined another classify table with a session that permit packets with
specific src and dst address according to my intended subinterface. I also
assigned this classify table to all my interfaces including my
subinterface. So, I expect that this subinterface permit packets with
specific src and dst to pass. But it does not happen and I see that they
drop because of the acl set on the parent interface of my subinterface. Why
does this happen? I actually expect that packets match with the second
classify table and its session.
Here is the trace of packet:

Packet 1

06:26:50:769490: dpdk-input
  GigabitEthernet3/0/0 rx queue 0
  buffer 0xa416: current data 0, length 102, free-list 0, totlen-nifb 0,
trace 0x0
  PKT MBUF: port 0, nb_segs 1, pkt_len 102
    buf_len 2176, data_len 102, ol_flags 0x0, data_off 128, phys_addr
0x5c08c480
    packet_type 0x10
    Packet Types
      RTE_PTYPE_L3_IPV4 (0x0010) IPv4 packet without extension headers
  IP4: 00:50:56:92:75:7f -> 00:50:56:92:78:10 802.1q vlan 1
  ICMP: 30.30.30.127 -> 40.40.40.126
    tos 0x00, ttl 64, length 84, checksum 0xa068
    fragment id 0x0cfe, flags DONT_FRAGMENT
  ICMP echo_request checksum 0xb2dc
06:26:50:769510: ethernet-input
  IP4: 00:50:56:92:75:7f -> 00:50:56:92:78:10 802.1q vlan 1
06:26:50:769519: ip4-input
  ICMP: 30.30.30.127 -> 40.40.40.126
    tos 0x00, ttl 64, length 84, checksum 0xa068
    fragment id 0x0cfe, flags DONT_FRAGMENT
  ICMP echo_request checksum 0xb2dc
06:26:50:769522: ip4-inacl
  INACL: sw_if_index 9, next_index 0, table 1, offset -1
06:26:50:769526: error-drop
  ip4-input: *input ACL table-miss drops*

Should I use classify table with l2 option for traffic filtering on
subinterface?
I have defined both of my classify tables with l3 option.
This seems like that the parent interface drop the packet. So, the other
table and session that is intended to match the packets entering the
subinterface never get the packets.

_______________________________________________
vpp-dev mailing list
vpp-dev@lists.fd.io
https://lists.fd.io/mailman/listinfo/vpp-dev

Reply via email to