Hi Andrew,
Here are a couple of test scenarios where I observed vpp crash while
experimenting with ABF configuration.
I will find time to translate them to make test cases soon.
Meanwhile here are the steps to reproduce the issues.
Issue 1: ABF and ACL attached to the same interface

- In the vpp VAT shell, configure a bunch of ACL rules in a group

    vat# acl_add_replace ipv4 permit src 30.30.30.1/32 dst 40.40.40.1/32 sport 1000 dport 1000, ipv4 permit+reflect src 10.10.10.0/24, ipv4 permit+reflect src 20.20.20.0/24
    vl_api_acl_add_replace_reply_t_handler:109: ACL index: 0

- Attach the ACL Group created above to the lan interface

    vat# acl_interface_set_acl_list sw_if_index 1 input 0

- Following will be the state in vpp

    DBGvpp# show version
    vpp v19.08.1-282~ga6a98b546 built by root on 525c154d7fe6 at Tue Aug 4 21:10:49 UTC 2020
    DBGvpp#
    DBGvpp# show hardware-interfaces brief
    Name      Idx   Link  Hardware
    lan        1     up   lan
      Link speed: 10 Gbps
    local0     0    down  local0
      Link speed: unknown
    loop0      3     up   loop0
      Link speed: unknown
    loop1      5     up   loop1
      Link speed: unknown
    tap0       4     up   tap0
      Link speed: unknown
    wan        2     up   wan
      Link speed: 1 Gbps
    DBGvpp# show acl-plugin acl
    acl-index 0 count 3 tag {}
      0: ipv4 permit src 30.30.30.1/32 dst 40.40.40.1/32 proto 0 sport 1000 dport 1000
      1: ipv4 permit+reflect src 10.10.10.0/24 dst 0.0.0.0/0 proto 0 sport 0-65535 dport 0-65535
      2: ipv4 permit+reflect src 20.20.20.0/24 dst 0.0.0.0/0 proto 0 sport 0-65535 dport 0-65535
      applied inbound on sw_if_index: 1
      used in lookup context index: 0
    DBGvpp# show acl-plugin interface
    sw_if_index 0:
    sw_if_index 1:
      input acl(s): 0
    DBGvpp#

- Create another ACL for ABF configuration

    vat# acl_add_replace ipv4 permit src 11.11.11.0/24 proto 17
    vl_api_acl_add_replace_reply_t_handler:109: ACL index: 1

    DBGvpp# show acl-plugin acl
    acl-index 0 count 3 tag {}
      0: ipv4 permit src 30.30.30.1/32 dst 40.40.40.1/32 proto 0 sport 1000 dport 1000
      1: ipv4 permit+reflect src 10.10.10.0/24 dst 0.0.0.0/0 proto 0 sport 0-65535 dport 0-65535
      2: ipv4 permit+reflect src 20.20.20.0/24 dst 0.0.0.0/0 proto 0 sport 0-65535 dport 0-65535
      applied inbound on sw_if_index: 1
      used in lookup context index: 0
    acl-index 1 count 1 tag {}
      0: ipv4 permit src 11.11.11.0/24 dst 0.0.0.0/0 proto 17 sport 0-65535 dport 0-65535
    DBGvpp#

- Configure ABF Policy referring to the above created ACL

    DBGvpp# abf policy add id 100 acl 1 via 10.39.27.227 wan
    DBGvpp# show abf policy
    abf:[0]: policy:100 acl:1
     path-list:[47] locks:1 flags:shared,no-uRPF, uRPF-list: None
      path:[47] pl-index:47 ip4 weight=1 pref=0 attached-nexthop: oper-flags:resolved,
        10.39.27.227 wan
      [@0]: ipv4 via 10.39.27.227 wan: mtu:9000 b496915808e1b49691591f610800
    DBGvpp# show abf attach lan
    DBGvpp#

- Attach the ABF Policy to the same interface that ACL Group 0 was attached to.
  This will result in a vpp crash.

    DBGvpp# abf attach ip4 policy 100 priority 100 lan

Issue 2: Delete ABF Policy that doesn’t have forwarding Path

- Create another ACL for ABF configuration

    vat# acl_add_replace ipv4 permit src 11.11.11.0/24 proto 17
    vl_api_acl_add_replace_reply_t_handler:109: ACL index: 0

    DBGvpp# show acl-plugin acl
    acl-index 0 count 1 tag {}
      0: ipv4 permit src 11.11.11.0/24 dst 0.0.0.0/0 proto 17 sport 0-65535 dport 0-65535

- Configure ABF Policy referring to the above created ACL with no
  forwarding path

    DBGvpp# abf policy add id 100 acl 0
    DBGvpp# show abf policy
    abf:[0]: policy:100 acl:0
     path-list:[47] locks:1 flags:shared,no-uRPF, uRPF-list: None

- Delete ABF Policy and this results in a VPP crash

    DBGvpp# abf policy del id 100 acl 0

On Fri, Aug 7, 2020 at 5:36 PM Andrew 👽 Yourtchenko <[email protected]>
wrote:
>
>
>
> On 8 Aug 2020, at 01:40, Venkat <[email protected]> wrote:
>
>
> Thank you Andrew for the response. Will invest time to put together the
> test cases. Could you please point me to sample test scripts for vpp for
> reference?
>
>
> You can look in the “test” subdirectories of the ABF and acl plug-ins for
> the inspiration, hopefully should be a simple tweak to combine the two...
>
> Or shall I compile a list of test cases I am executing using vpp dbg shell
> CLI commands?
>
> Also, do you think there are significant changes between 1908 vs 2001 or
> 2005 VPP stable branches for ABF plugin code making a case to upgrade vpp?
>
>
> ACLs didn’t change for quite a while - not sure about the ABF...
>
> You can do git log --oneline | egrep "acl|abf" on master branch to see what
> changes were there...
>
> --a
>
> Please advise.
>
> thanks
> Venkat
>
>
> On Fri, Aug 7, 2020 at 4:25 PM Andrew 👽 Yourtchenko <[email protected]>
> wrote:
>
>> Sure. Neither me nor Neale have k8s or ligato.
>>
>> If you invest some effort into building a small “make test” script(s)
>> that show the issues then:
>> 1) it will be possible for at least one of us to take a look at them
>> 2) they won’t resurface again.
>>
>> Does this make sense?
>>
>> Also, probably ligato folks have some testing as well - have you
>> discussed with them what kind of scenarios they tested ?
>>
>> --a
>>
>> On 7 Aug 2020, at 21:35, Venkat <[email protected]> wrote:
>>
>>
>> Just to give more context on my test environment... I am using contiv
>> vpp Kubernetes environment and configuring ABFs via etcdctl.
>>
>> eg.
>>
>> / # etcdctl --endpoints=10.43.255.42:12379 put /vnf-agent/eos-branch-1/config/vpp/abfs/v2/abf/4 '{"index":4,"acl_name":"023-sjcfw-icmp-deny","attached_interfaces":[{"input_interface":"lan","priority":5}],"forwarding_paths":[{"interface_name":"sjc-blr-tunnel"}]}'
>>
>>
>> Just wondering if the ABF feature is mature enough in vpp. I am facing a good
>> number of issues as I try to experiment with various scenarios.
>> I am seeing issues when NAT is enabled on the interface, then ABF is not
>> exercised.
>> I am not sure how to setup deny rules on the interface, if we cannot have
>> ABF and ACL co-exist on the interface.
>> Observing crashes in VPP while performing some of these tests.
>>
>> DBGvpp# show version
>>
>> vpp v19.08.1-282~ga6a98b546 built by root on 525c154d7fe6 at Tue Aug 4
>> 21:10:49 UTC 2020
>>
>> DBGvpp#
>>
>> thanks
>> Venkat
>>
>> On Fri, Aug 7, 2020 at 10:27 AM Andrew 👽 Yourtchenko <[email protected]>
>> wrote:
>>
>>> A contribution to “make test” that covers this scenario would be very
>>> much appreciated...
>>>
>>> --a
>>>
>>> On 7 Aug 2020, at 19:07, Venkat <[email protected]> wrote:
>>>
>>>
>>> Thank you for the response Balaji.
>>> I have noticed VPP crashes when I configure an ABF on the interface that
>>> already has a non-abf ACL attached to the interface.
>>> And when I don't have non-abf ACL, then I am able to install ABF rule.
>>> Hence was wondering if it's a misconfiguration to have both ABF and non-abf
>>> ACL on the same interface. I agree, in any case, it should not result in a
>>> crash.
>>>
>>> thanks
>>> Venkat
>>>
>>>
>>> On Fri, Aug 7, 2020 at 9:59 AM Balaji Venkatraman via lists.fd.io
>>> <[email protected]> wrote:
>>>
>>>> Hi Venkat,
>>>>
>>>>
>>>>
>>>> Underlying the ABF is another ACL. When we attach an ABF to the
>>>> interface, the ACL it inherits gets applied to the interface. Not sure if
>>>> another ACL independent of the above can be attached to the same interface.
>>>> But, in any case, it should not crash 😊
>>>>
>>>> Thanks!
>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> Regards,
>>>>
>>>> Balaji.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> *From: *<[email protected]> on behalf of "[email protected]" <
>>>> [email protected]>
>>>> *Date: *Friday, August 7, 2020 at 9:36 AM
>>>> *To: *"[email protected]" <[email protected]>
>>>> *Subject: *[vpp-dev] ABF and ACL co-existence on an Interface
>>>>
>>>>
>>>>
>>>> Hello,
>>>> Experimenting with ABF in VPP. Had a question regarding the co-existence of
>>>> ABF and ACL on an interface.
>>>> Seems like we can either attach ABF or ACL to an interface and not
>>>> both.
>>>> Is this the behavior or am I missing anything?
>>>> When I try to install ABF rule on an interface that already has ACL
>>>> attached, I see vpp resulting in a crash.
>>>> Please confirm.
>>>> thanks
>>>> Venkat
>>>>
>>>>
>>>
>>>
View/Reply Online (#17183): https://lists.fd.io/g/vpp-dev/message/17183