Hello Andrew, I am doing a simple test by sending TCP flows from Trex traffic generator. Traffic source is 16.0.0.1-16.0.0.100 and destination is 48.0.0.1-48.0.0.100. I am sending TCP traffic with CPS=50 from 100 clients to 100 servers via Trex http profile.
I have a reflective ACL to permit the flow for the above src and dst. I expect the packet to hit acl index 3 rule 0 and get permitted. However, I see the following match in the packet trace which doesn't seem like it is hitting acl index 3 and rule 0 but hitting some other acl index (acl -1 and lc_index -1). What is the behavior here? Please provide some context here.. 03:47:03:874624: acl-plugin-in-ip4-fa acl-plugin: lc_index: -1, sw_if_index 1, next index 1, action: 3, match: acl -1 rule 13309 trace_bits 80010303 pkt info 0000000000000000 0000000000000000 0000000000000000 4300003043000010 0001010600502d14 0310ffff00000000 lc_index 0 l3 ip4 16.0.0.67 -> 48.0.0.67 l4 lsb_of_sw_if_index 1 proto 6 l4_is_input 1 l4_slow_path 0 l4_flags 0x01 port 11540 -> 80 tcp flags (valid) 10 rsvd 0 DBGvpp# show acl-plugin acl acl-index 0 count 2 tag {99998-sra-inbound-sasefwpro-nags-explicit-deny-99998} 0: ipv4 deny src 0.0.0.0/0 dst 0.0.0.0/0 proto 0 sport 0 dport 0 1: ipv6 deny src ::/0 dst ::/0 proto 0 sport 0 dport 0 applied inbound on sw_if_index: 1 applied outbound on sw_if_index: used in lookup context index: 1 acl-index 1 count 6 tag {99999-sra-inbound-sasefwpro-sase-default-fw-profile} 0: ipv4 permit+reflect src 0.0.0.0/0 dst 0.0.0.0/0 proto 6 sport 0-65535 dport 0-65535 1: ipv6 permit+reflect src ::/0 dst ::/0 proto 6 sport 0-65535 dport 0-65535 2: ipv4 permit+reflect src 0.0.0.0/0 dst 0.0.0.0/0 proto 17 sport 0-65535 dport 0-65535 3: ipv6 permit+reflect src ::/0 dst ::/0 proto 17 sport 0-65535 dport 0-65535 4: ipv4 permit+reflect src 0.0.0.0/0 dst 0.0.0.0/0 proto 1 sport 0-65535 dport 0-65535 5: ipv4 permit+reflect src 0.0.0.0/0 dst 0.0.0.0/0 proto 1 sport 0-65535 dport 0-65535 applied inbound on sw_if_index: 1 applied outbound on sw_if_index: used in lookup context index: 1 acl-index 2 count 6 tag {99999-sra-outbound-sasefwpro-sase-default-fw-profile} 0: ipv4 deny src 0.0.0.0/0 dst 0.0.0.0/0 proto 6 sport 0-65535 dport 0-65535 1: ipv6 deny src ::/0 dst ::/0 proto 6 sport 0-65535 dport 0-65535 2: ipv4 deny src 0.0.0.0/0 dst 0.0.0.0/0 proto 17 sport 0-65535 dport 0-65535 3: ipv6 deny src ::/0 dst ::/0 proto 17 sport 0-65535 dport 0-65535 4: ipv4 deny src 0.0.0.0/0 dst 0.0.0.0/0 proto 1 sport 0-65535 dport 0-65535 5: ipv4 deny src 0.0.0.0/0 dst 0.0.0.0/0 proto 1 sport 0-65535 dport 0-65535 applied inbound on sw_if_index: applied outbound on sw_if_index: 1 used in lookup context index: 0 acl-index 3 count 1 tag {100-allow-48} 0: ipv4 permit+reflect src 16.0.0.0/16 dst 48.0.0.0/16 proto 0 sport 0 dport 0 applied inbound on sw_if_index: 1 used in lookup context index: 1 DBGvpp# DBGvpp# show acl-plugin tables Stats counters enabled for interface ACLs: 0 Mask-type entries: 0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0800ffffffffffff refcount 4 1: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 000000ff00000000 0e00ffffffffffff refcount 24 2: 0000000000000000 0000000000000000 0000000000000000 0000ffff0000ffff 0000000000000000 0800ffffffffffff refcount 2 Mask-ready ACL representations acl-index 0 bitmask-ready layout applied lc_index list: 1 0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 base mask index 0 acl 0 rule 0 action 0 1: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0800000000000000 base mask index 0 acl 0 rule 1 action 0 acl-index 1 bitmask-ready layout applied lc_index list: 1 0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000600000000 0200000100000000 base mask index 1 acl 1 rule 0 action 2 1: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000600000000 0a00000100000000 base mask index 1 acl 1 rule 1 action 2 2: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000001100000000 0200000100000000 base mask index 1 acl 1 rule 2 action 2 3: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000001100000000 0a00000100000000 base mask index 1 acl 1 rule 3 action 2 4: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000100000000 0200000100000000 base mask index 1 acl 1 rule 4 action 2 5: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000100000000 0200000100000000 base mask index 1 acl 1 rule 5 action 2 acl-index 2 bitmask-ready layout applied lc_index list: 0 0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000600000000 0200000100000000 base mask index 1 acl 2 rule 0 action 0 1: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000600000000 0a00000100000000 base mask index 1 acl 2 rule 1 action 0 2: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000001100000000 0200000100000000 base mask index 1 acl 2 rule 2 action 0 3: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000001100000000 0a00000100000000 base mask index 1 acl 2 rule 3 action 0 4: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000100000000 0200000100000000 base mask index 1 acl 2 rule 4 action 0 5: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000100000000 0200000100000000 base mask index 1 acl 2 rule 5 action 0 acl-index 3 bitmask-ready layout applied lc_index list: 1 0: 0000000000000000 0000000000000000 0000000000000000 0000003000000010 0000000000000000 0000000200000000 base mask index 2 acl 3 rule 0 action 2 Applied lookup entries for lookup contexts lc_index 0: applied acls: 2 applied mask info entries: 0: mask type index 1 first rule index 0 num_entries 6 max_collisions 2 lookup applied entries: 0: acl 2 rule 0 action 0 bitmask-ready rule 0 mask type index: 1 colliding_rules: 1 collision_head_ae_idx 0 hitcount 0 acl_pos: 0 0: acl 2 ace 0 acl pos 0 pae index: 0 1: acl 2 rule 1 action 0 bitmask-ready rule 1 mask type index: 1 colliding_rules: 1 collision_head_ae_idx 1 hitcount 0 acl_pos: 0 0: acl 2 ace 1 acl pos 0 pae index: 1 2: acl 2 rule 2 action 0 bitmask-ready rule 2 mask type index: 1 colliding_rules: 1 collision_head_ae_idx 2 hitcount 0 acl_pos: 0 0: acl 2 ace 2 acl pos 0 pae index: 2 3: acl 2 rule 3 action 0 bitmask-ready rule 3 mask type index: 1 colliding_rules: 1 collision_head_ae_idx 3 hitcount 0 acl_pos: 0 0: acl 2 ace 3 acl pos 0 pae index: 3 4: acl 2 rule 4 action 0 bitmask-ready rule 4 mask type index: 1 colliding_rules: 2 collision_head_ae_idx 4 hitcount 0 acl_pos: 0 0: acl 2 ace 4 acl pos 0 pae index: 4 1: acl 2 ace 5 acl pos 0 pae index: 5 5: acl 2 rule 5 action 0 bitmask-ready rule 5 mask type index: 1 colliding_rules: 0 collision_head_ae_idx 4 hitcount 0 acl_pos: 0 lc_index 1: applied acls: 3, 0, 1 applied mask info entries: 0: mask type index 2 first rule index 0 num_entries 1 max_collisions 1 1: mask type index 0 first rule index 1 num_entries 2 max_collisions 1 2: mask type index 1 first rule index 3 num_entries 6 max_collisions 2 lookup applied entries: 0: acl 3 rule 0 action 2 bitmask-ready rule 0 mask type index: 2 colliding_rules: 1 collision_head_ae_idx 0 hitcount 150001 acl_pos: 0 0: acl 3 ace 0 acl pos 0 pae index: 0 1: acl 0 rule 0 action 0 bitmask-ready rule 0 mask type index: 0 colliding_rules: 1 collision_head_ae_idx 1 hitcount 0 acl_pos: 1 0: acl 0 ace 0 acl pos 1 pae index: 1 2: acl 0 rule 1 action 0 bitmask-ready rule 1 mask type index: 0 colliding_rules: 1 collision_head_ae_idx 2 hitcount 0 acl_pos: 1 0: acl 0 ace 1 acl pos 1 pae index: 2 3: acl 1 rule 0 action 2 bitmask-ready rule 0 mask type index: 1 colliding_rules: 1 collision_head_ae_idx 3 hitcount 0 acl_pos: 2 0: acl 1 ace 0 acl pos 2 pae index: 3 4: acl 1 rule 1 action 2 bitmask-ready rule 1 mask type index: 1 colliding_rules: 1 collision_head_ae_idx 4 hitcount 0 acl_pos: 2 0: acl 1 ace 1 acl pos 2 pae index: 4 5: acl 1 rule 2 action 2 bitmask-ready rule 2 mask type index: 1 colliding_rules: 1 collision_head_ae_idx 5 hitcount 0 acl_pos: 2 0: acl 1 ace 2 acl pos 2 pae index: 5 6: acl 1 rule 3 action 2 bitmask-ready rule 3 mask type index: 1 colliding_rules: 1 collision_head_ae_idx 6 hitcount 0 acl_pos: 2 0: acl 1 ace 3 acl pos 2 pae index: 6 7: acl 1 rule 4 action 2 bitmask-ready rule 4 mask type index: 1 colliding_rules: 2 collision_head_ae_idx 7 hitcount 0 acl_pos: 2 0: acl 1 ace 4 acl pos 2 pae index: 7 1: acl 1 ace 5 acl pos 2 pae index: 8 8: acl 1 rule 5 action 2 bitmask-ready rule 5 mask type index: 1 colliding_rules: 0 collision_head_ae_idx 7 hitcount 0 acl_pos: 2 ACL lookup hash table: Hash table ACL plugin rule lookup bihash 13 active elements 13 active buckets 1 free lists 0 linear search buckets arena: base 7f7377ff0000, next 80d00 used 527616 b (0 Mbytes) of 67108864 b (64 Mbytes) DBGvpp# show acl-plugin sessions Sessions total: add 150002 - del 150002 = 0 Sessions active: add 150002 - deact 150002 = 0 Sessions being purged: deact 150002 - del 150002 = 0 now: 38259162493998 clocks per second: 2500000000 Per-thread data: Thread #0: connection add/del stats: sw_if_index 0: add 0 - del 0 = 0; epoch chg: 0 sw_if_index 1: add 150002 - del 150002 = 0; epoch chg: 0 sw_if_index 2: add 0 - del 0 = 0; epoch chg: 0 sw_if_index 3: add 0 - del 0 = 0; epoch chg: 0 sw_if_index 4: add 0 - del 0 = 0; epoch chg: 0 sw_if_index 5: add 0 - del 0 = 0; epoch chg: 0 sw_if_index 6: add 0 - del 0 = 0; epoch chg: 0 sw_if_index 7: add 0 - del 0 = 0; epoch chg: 0 sw_if_index 8: add 0 - del 0 = 0; epoch chg: 0 sw_if_index 9: add 0 - del 0 = 0; epoch chg: 0 connection timeout type lists: fa_conn_list_head[0]: -1 fa_conn_list_head[1]: -1 fa_conn_list_head[2]: -1 fa_conn_list_head[3]: -1 fa_conn_list_head[4]: -1 Next expiry time: 0 Requeue until time: 0 Current time wait interval: 0 Count of deleted sessions: 150002 Delete already deleted: 0 Session timers restarted: 150750 Swipe until this time: 0 sw_if_index serviced bitmap: 2 pending clear intfc bitmap : clear in progress: 0 interrupt is pending: 0 interrupt is needed: 0 interrupt is unwanted: 0 interrupt generation: 14572 received session change requests: 0 sent session change requests: 0 Conn cleaner thread counters: 33: delete_by_sw_index events 30: delete_by_sw_index handled ok 0: unknown events received 0: session idle timers restarted 14567: event wait with timeout called 5: event wait w/o timeout called 14571: total event cycles Interrupt generation: 14572 Sessions per interval: min 1 max 100 increment: 100 ms current: 500 ms Reclassify sessions: 0 IPv6 Session lookup hash table: Hash table ACL plugin FA IPv6 session bihash [empty, uninitialized] IPv4 Session lookup hash table: Hash table ACL plugin FA IPv4 session bihash 0 active elements 0 active buckets 5 free lists [len 1] 51199 free elts [len 2] 4504 free elts [len 4] 373 free elts [len 8] 9 free elts [len 16] 1 free elts 0 linear search buckets arena: base 7f5abb720000, next 7b84c0 used 8094912 b (7 Mbytes) of 1073741824 b (1024 Mbytes) DBGvpp# show nat44 addresses NAT44 pool addresses: 172.24.114.39 tenant VRF independent 0 busy udp ports 15001 busy tcp ports 0 busy icmp ports NAT44 twice-nat pool addresses: 10.40.1.254 tenant VRF independent 0 busy udp ports 0 busy tcp ports 0 busy icmp ports DBGvpp# Packet 50 03:47:03:874592: dpdk-input lan-ens6 rx queue 0 buffer 0x8b222: current data 0, length 54, buffer-pool 0, ref-count 1, totlen-nifb 0, trace handle 0x31 ext-hdr-valid l4-cksum-computed l4-cksum-correct PKT MBUF: port 0, nb_segs 1, pkt_len 54 buf_len 2176, data_len 54, ol_flags 0x0, data_off 128, phys_addr 0x6fec8900 packet_type 0x110 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0 rss 0x3aa73aa7 fdir.hi 0x0 fdir.lo 0x3aa73aa7 Packet Types RTE_PTYPE_L3_IPV4 (0x0010) IPv4 packet without extension headers RTE_PTYPE_L4_TCP (0x0100) TCP packet IP4: 02:85:36:20:e4:87 -> 02:2e:53:e6:4f:e1 TCP: 16.0.0.67 -> 48.0.0.67 tos 0x00, ttl 128, length 40, checksum 0x80f9 fragment id 0x7951 TCP: 11540 -> 80 seq. 0x181a45db ack 0x181af226 flags 0x10 ACK, tcp header: 20 bytes window 32768, checksum 0x59b4 03:47:03:874606: ethernet-input frame: flags 0x3, hw-if-index 1, sw-if-index 1 IP4: 02:85:36:20:e4:87 -> 02:2e:53:e6:4f:e1 03:47:03:874620: ip4-input-no-checksum TCP: 16.0.0.67 -> 48.0.0.67 tos 0x00, ttl 128, length 40, checksum 0x80f9 fragment id 0x7951 TCP: 11540 -> 80 seq. 0x181a45db ack 0x181af226 flags 0x10 ACK, tcp header: 20 bytes window 32768, checksum 0x59b4 03:47:03:874624: acl-plugin-in-ip4-fa acl-plugin: lc_index: -1, sw_if_index 1, next index 1, action: 3, match: acl -1 rule 13309 trace_bits 80010303 pkt info 0000000000000000 0000000000000000 0000000000000000 4300003043000010 0001010600502d14 0310ffff00000000 lc_index 0 l3 ip4 16.0.0.67 -> 48.0.0.67 l4 lsb_of_sw_if_index 1 proto 6 l4_is_input 1 l4_slow_path 0 l4_flags 0x01 port 11540 -> 80 tcp flags (valid) 10 rsvd 0 03:47:03:874634: ip4-lookup fib 0 dpo-idx 53 flow hash: 0x00000000 TCP: 16.0.0.67 -> 48.0.0.67 tos 0x00, ttl 128, length 40, checksum 0x80f9 fragment id 0x7951 TCP: 11540 -> 80 seq. 0x181a45db ack 0x181af226 flags 0x10 ACK, tcp header: 20 bytes window 32768, checksum 0x59b4 03:47:03:874639: ip4-load-balance fib 0 dpo-idx 14 flow hash: 0x00000000 TCP: 16.0.0.67 -> 48.0.0.67 tos 0x00, ttl 128, length 40, checksum 0x80f9 fragment id 0x7951 TCP: 11540 -> 80 seq. 0x181a45db ack 0x181af226 flags 0x10 ACK, tcp header: 20 bytes window 32768, checksum 0x59b4 03:47:03:874655: ip4-rewrite tx_sw_if_index 2 dpo-idx 14 : ipv4 via 172.24.115.166 wan-ens7: mtu:9000 02fcbaad303302c6e54357a50800 flow hash: 0x00000000 00000000: 02fcbaad303302c6e54357a5080045000028795100007f0681f9100000433000 00000020: 00432d140050181a45db181af2265010800059b400002a2a2a2a2a2a 03:47:03:874660: nat44-ed-in2out-output NAT44_IN2OUT_ED_FAST_PATH: sw_if_index 1, next index 0, session 34066 03:47:03:874681: wan-ens7-output wan-ens7 l4-cksum-computed l4-cksum-correct natted l2_hdr_offset_valid l3_hdr_offset_valid IP4: 02:c6:e5:43:57:a5 -> 02:fc:ba:ad:30:33 TCP: 172.24.114.39 -> 48.0.0.67 tos 0x00, ttl 127, length 40, checksum 0x73fc fragment id 0x7951 TCP: 8447 -> 80 seq. 0x181a45db ack 0x181af226 flags 0x10 ACK, tcp header: 20 bytes window 32768, checksum 0x57cc 03:47:03:874685: wan-ens7-tx wan-ens7 tx queue 0 buffer 0x8b222: current data 0, length 54, buffer-pool 0, ref-count 1, totlen-nifb 0, trace handle 0x31 ext-hdr-valid l4-cksum-computed l4-cksum-correct natted l2-hdr-offset 0 l3-hdr-offset 14 PKT MBUF: port 0, nb_segs 1, pkt_len 54 buf_len 2176, data_len 54, ol_flags 0x0, data_off 128, phys_addr 0x6fec8900 packet_type 0x110 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0 rss 0x3aa73aa7 fdir.hi 0x0 fdir.lo 0x3aa73aa7 Packet Types RTE_PTYPE_L3_IPV4 (0x0010) IPv4 packet without extension headers RTE_PTYPE_L4_TCP (0x0100) TCP packet IP4: 02:c6:e5:43:57:a5 -> 02:fc:ba:ad:30:33 TCP: 172.24.114.39 -> 48.0.0.67 tos 0x00, ttl 127, length 40, checksum 0x73fc fragment id 0x7951 TCP: 8447 -> 80 seq. 0x181a45db ack 0x181af226 flags 0x10 ACK, tcp header: 20 bytes window 32768, checksum 0x57cc
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#17391): https://lists.fd.io/g/vpp-dev/message/17391 Mute This Topic: https://lists.fd.io/mt/76852206/21656 Group Owner: vpp-dev+ow...@lists.fd.io Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-