Hi,
okay, so I think what happens is that on the IP OUTACL path the
classifier table needs to look different, but I am not sure there is
an easy way to deal with this within the "friendly" version of the
debug CLI...
Take a look at test/test_classifier.py, class
TestClassifierIPOut(TestClassifier), you can use this diff as a start
to play with it:
--- a/test/test_classifier.py
+++ b/test/test_classifier.py
@@ -716,9 +716,13 @@ class TestClassifierIPOut(TestClassifier):
key = 'ip_out'
self.create_classify_table(
key, self.build_ip_mask(src_ip='ffffffff'), data_offset=0)
+ # try the debug CLI
+ # self.logger.info(self.vapi.ppcli("classify session
acl-hit-next deny table-index %s match l3 ip4 src %s" %
(self.acl_tbl_idx.get(key), self.pg1.remote_ip4)))
+ # use the API
self.create_classify_session(
self.acl_tbl_idx.get(key),
self.build_ip_match(src_ip=self.pg1.remote_ip4))
+ self.logger.info(self.vapi.ppcli("show classify tables index
%s verbose" % (self.acl_tbl_idx.get(key))))
self.output_acl_set_interface(self.pg0, self.acl_tbl_idx.get(key))
self.acl_active_table = key
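Review bot: the "show classify tables index %s verbose" call added after create_classify_session() only logs the table, so this test still cannot fail on a wrong session key; capture the ppcli output and assert that the expected "k:" value for self.pg1.remote_ip4 is present. The commented-out "classify session ... match l3 ip4 src" line under "# try the debug CLI" is a manual toggle rather than a test; if the CLI path is worth covering, move it into its own test method instead of leaving it as a comment next to the API call.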
And to run the test do
"TEST=test_classifier.TestClassifierIPOut.test_acl_ip_out make
test-debug"
This is what the classifier table looks like from a successful run:
11:12:10,733 show classify tables index 0 verbose
TableIdx Sessions NextTbl NextNode
0 1 -1 0
Heap: total: 2.06M, used: 1.33K, free: 2.06M, trimmable: 2.06M
no traced allocations
nbuckets 2, skip 0 match 1 flag 1 offset 0
mask 000000000000000000000000ffffffff
linear-search buckets 0
[1]: heap offset 1200, elts 2, normal
0: [1200]: next_index -1 advance 0 opaque 0 action 0 metadata 0
k: 000000000000000000000000ac100202
hits 0, last_heard 0.00
1 active elements
1 free lists
0 linear-search buckets
If I put the CLI command in place, this is what the table looks like:
11:11:12,088 show classify tables index 0 verbose
TableIdx Sessions NextTbl NextNode
0 1 -1 0
Heap: total: 2.06M, used: 1.33K, free: 2.06M, trimmable: 2.06M
no traced allocations
nbuckets 2, skip 0 match 1 flag 1 offset 0
mask 000000000000000000000000ffffffff
linear-search buckets 0
[0]: heap offset 1200, elts 2, normal
0: [1200]: next_index 0 advance 0 opaque -1 action 0 metadata 0
k: 00000000000000000000000000000000
hits 0, last_heard 0.00
1 active elements
1 free lists
0 linear-search buckets
Note how it is different from a simple testcase of configuring it via
CLI via the following two commands:
classify table mask l3 ip4 src
classify session acl-hit-next deny table-index 0 match l3 ip4 src 172.16.2.2
1) table has skip=0, current-data-flag=1, current-data-offset=0
2) mask is aligned differently
3) user-friendly debug cli for the mask does not add the entry in an
expected way with this table setup
let's try the following debug CLI:
DBGvpp# show classify table index 0 verbose
TableIdx Sessions NextTbl NextNode
0 0 -1 -1
Heap: total: 2.06M, used: 1.09K, free: 2.06M, trimmable: 2.06M
no traced allocations
nbuckets 2, skip 0 match 1 flag 1 offset 0
mask 00000000000000000000ffffffff0000
linear-search buckets 0
0 active elements
0 free lists
0 linear-search buckets
DBGvpp#
better, but the mask is wrong now...
classify table mask hex 000000000000000000000000ffffffff
current-data-flag 1 current-data-offset 0 skip 0
DBGvpp# show classify table index 0 verbose
TableIdx Sessions NextTbl NextNode
0 0 -1 -1
Heap: total: 2.06M, used: 1.09K, free: 2.06M, trimmable: 2.06M
no traced allocations
nbuckets 2, skip 0 match 1 flag 1 offset 0
mask 000000000000000000000000ffffffff
linear-search buckets 0
0 active elements
0 free lists
0 linear-search buckets
DBGvpp#
now let's add the entry, as I said we will need to use the "hex" mask:
DBGvpp# classify session acl-hit-next deny table-index 0 match hex
00000000000000000000000011223344
DBGvpp# show classify table index 0 verbose
TableIdx Sessions NextTbl NextNode
0 1 -1 -1
Heap: total: 2.06M, used: 1.33K, free: 2.06M, trimmable: 2.06M
no traced allocations
nbuckets 2, skip 0 match 1 flag 1 offset 0
mask 000000000000000000000000ffffffff
linear-search buckets 0
[0]: heap offset 1200, elts 2, normal
0: [1200]: next_index 0 advance 0 opaque -1 action 0 metadata 0
k: 00000000000000000000000011223344
hits 0, last_heard 0.00
1 active elements
1 free lists
0 linear-search buckets
So this looks like this approach should make it work for your case.
Given that the classifier tables are kind of "dumb", I am tempted to
call this a limitation of friendliness of the current debug CLI... we
do not really have the semantics in the table itself to tell which
"layer" it starts from, and on the ip-output-acl path there is no L2
info added yet to the packet, so this creates this confusion...
What do you think ?
--a
On 4/4/19, 薛欣颖 <[email protected]> wrote:
> Hi ,
>
> The classify table info is shown below, Thank you very much for your reply.
>
> VPP1810# show classify tables verbose
> TableIdx Sessions NextTbl NextNode
> 0 1 -1 -1
> Heap: total: 2.06M, used: 13405245765845824, free: 2.06M, trimmable:
> 2.06M
> no traced allocations
>
> nbuckets 2, skip 1 match 1 flag 0 offset 0
> mask 00000000000000000000ffffffff0000
> linear-search buckets 0
>
> [1]: heap offset 696, elts 2, normal
> 0: [696]: next_index 0 advance 0 opaque -1 action 0 metadata 0
> k: 000000000000000000000a0000020000
> hits 0, last_heard 0.00
>
> 1 active elements
> 1 free lists
> 0 linear-search buckets
>
> Thanks,
> Xue
>
>
>
>
> From: Andrew Yourtchenko
> Date: 2019-04-04 17:17
> To: 薛欣颖
> CC: vpp-dev
> Subject: Re: [vpp-dev] question about output ACL
> hi Xue,
>
> could you send the output of "show classify tables index 0 verbose"
> after you set that table as outacl ?
>
> Thanks!
>
> --a
>
> On 4/4/19, xyxue <[email protected]> wrote:
>>
>> Hi guys,
>>
>> I am trying to test ACL function, input ACL is OK, but output ACL is not
>> effective
>>
>> my configuration as below, is there anything wrong in my configuration?
>> Thanks for your response
>>
>> VPP1810# show version
>> vpp v18.10-7~g6ff8790-dirty built by root on localhost.localdomain at Mon
>> Apr 1 15:06:48 EDT 2019
>>
>> VPP1810# classify table mask l3 ip4 src
>> VPP1810# classify session acl-hit-next deny table-index 0 match l3 ip4
>> src
>> 10.0.0.2
>> VPP1810# set interface output acl intfc host-eth8 ip4-table 0
>>
>>
>> Packet 1
>>
>> 00:04:29:245976: af-packet-input
>> af_packet: hw_if_index 5 next-index 4
>> tpacket2_hdr:
>> status 0x1 len 124 snaplen 124 mac 66 net 80
>> sec 0x5ca3021e nsec 0x1d5674aa vlan 0 vlan_tpid 0
>> 00:04:29:245984: ethernet-input
>> IP4: 00:10:94:00:00:02 -> ff:ff:ff:ff:ff:ff
>> 00:04:29:245989: ip4-input
>> unknown 253: 10.0.0.2 -> 10.1.1.2
>> tos 0x00, ttl 255, length 110, checksum 0xa585
>> fragment id 0x0009
>> 00:04:29:245994: ip4-lookup
>> fib 0 dpo-idx 2 flow hash: 0x00000000
>> unknown 253: 10.0.0.2 -> 10.1.1.2
>>
>>
>>
>> tos 0x00, ttl 255, length 110, checksum 0xa585
>> fragment id 0x0009
>> 00:04:29:245999: ip4-rewrite
>> tx_sw_if_index 3 dpo-idx 2 : ipv4 via 10.1.1.2 host-eth8: mtu:0
>> 000c295a9070000c298abc980800 flow hash: 0x00000000
>> 00000000:
>> 000c295a9070000c298abc9808004500006e00090000fefda6850a0000020a01
>> 00000020: 01020000000000000000000000000000000000000000000000000000
>> 00:04:29:246003: ip4-outacl
>> OUTACL: sw_if_index 3, next_index 1, table 0, offset -1
>> 00:04:29:246061: host-eth8-output
>> host-eth8
>> IP4: 00:0c:29:8a:bc:98 -> 00:0c:29:5a:90:70
>> unknown 253: 10.0.0.2 -> 10.1.1.2
>> tos 0x00, ttl 254, length 110, checksum 0xa685
>> fragment id 0x0009
>>
>> Thanks,
>> Xue
>>
>>
>>
>
>
>
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#12703): https://lists.fd.io/g/vpp-dev/message/12703
Mute This Topic: https://lists.fd.io/mt/30894420/21656
Group Owner: [email protected]
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
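
Added example, not part of the original thread or of VPP's code: a small Python helper that reproduces the mask and key alignment seen in the table dumps above, for a table whose lookup data starts at the Ethernet header (skip 1) versus one that starts at the IPv4 header (current-data-flag 1, offset 0, skip 0), and builds the two "hex" CLI lines in the form used in the reply. The function names are hypothetical and an untagged 14-byte Ethernet header is assumed.

```python
import ipaddress

VECTOR = 16        # classifier masks and keys are handled in 16-byte vectors
ETH_HLEN = 14      # untagged Ethernet header (assumption: no VLAN tag)
IP4_SRC_OFF = 12   # offset of the source address inside the IPv4 header


def ip4_src_layout(src_ip, starts_at_l2):
    """Return (skip, match, mask_hex, key_hex) for an exact IPv4 source match.

    starts_at_l2=True:  lookup data begins at the Ethernet header.
    starts_at_l2=False: lookup data begins at the IPv4 header, as with
                        current-data-flag 1 / current-data-offset 0.
    """
    off = IP4_SRC_OFF + (ETH_HLEN if starts_at_l2 else 0)
    addr = ipaddress.IPv4Address(src_ip).packed
    total = -(-(off + len(addr)) // VECTOR) * VECTOR  # round up to whole vectors
    mask, key = bytearray(total), bytearray(total)
    mask[off:off + 4] = b"\xff" * 4
    key[off:off + 4] = addr
    # Leading all-zero mask vectors are skipped; the rest must be matched.
    skip = 0
    while not any(mask[skip * VECTOR:(skip + 1) * VECTOR]):
        skip += 1
    match = total // VECTOR - skip
    start = skip * VECTOR
    return skip, match, mask[start:].hex(), key[start:].hex()


def outacl_hex_commands(src_ip, table_index=0):
    """Build the two "hex" debug CLI lines in the form used in the message."""
    skip, _, mask_hex, key_hex = ip4_src_layout(src_ip, starts_at_l2=False)
    return [
        "classify table mask hex %s current-data-flag 1 "
        "current-data-offset 0 skip %d" % (mask_hex, skip),
        "classify session acl-hit-next deny table-index %d match hex %s"
        % (table_index, key_hex),
    ]


if __name__ == "__main__":
    print(ip4_src_layout("10.0.0.2", starts_at_l2=True))     # input-style table
    print(ip4_src_layout("172.16.2.2", starts_at_l2=False))  # ip_out test table
    print("\n".join(outacl_hex_commands("10.0.0.2")))
```

The first layout matches the mask and key in the "skip 1 match 1 flag 0" dump from the original question, and the second matches the dump from the successful test run.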