Hello Andrew,

I am doing a simple test by sending TCP flows from the TRex traffic generator.
Traffic source is 16.0.0.1-16.0.0.100 and destination is 48.0.0.1-48.0.0.100.
I am sending TCP traffic with CPS=50 from 100 clients to 100 servers via the TRex 
HTTP profile.

I have a reflective ACL to permit the flow for the above src and dst.
I expect the packet to hit acl index 3 rule 0 and get permitted.
However, I see the following match in the packet trace which doesn't seem like 
it is hitting acl index 3 and rule 0 but hitting some other acl index (acl -1 
and lc_index -1).
What is the behavior here? Please provide some context here.

03:47:03:874624: acl-plugin-in-ip4-fa

acl-plugin: lc_index: -1, sw_if_index 1, next index 1, action: 3, match: acl -1 
rule 13309 trace_bits 80010303

pkt info 0000000000000000 0000000000000000 0000000000000000 4300003043000010 
0001010600502d14 0310ffff00000000

lc_index 0 l3 ip4 16.0.0.67 -> 48.0.0.67 l4 lsb_of_sw_if_index 1 proto 6 
l4_is_input 1 l4_slow_path 0 l4_flags 0x01 port 11540 -> 80 tcp flags (valid) 
10 rsvd 0

DBGvpp# show acl-plugin acl

acl-index 0 count 2 tag {99998-sra-inbound-sasefwpro-nags-explicit-deny-99998}

0: ipv4 deny src 0.0.0.0/0 dst 0.0.0.0/0 proto 0 sport 0 dport 0

1: ipv6 deny src ::/0 dst ::/0 proto 0 sport 0 dport 0

applied inbound on sw_if_index: 1

applied outbound on sw_if_index:

used in lookup context index: 1

acl-index 1 count 6 tag {99999-sra-inbound-sasefwpro-sase-default-fw-profile}

0: ipv4 permit+reflect src 0.0.0.0/0 dst 0.0.0.0/0 proto 6 sport 0-65535 dport 
0-65535

1: ipv6 permit+reflect src ::/0 dst ::/0 proto 6 sport 0-65535 dport 0-65535

2: ipv4 permit+reflect src 0.0.0.0/0 dst 0.0.0.0/0 proto 17 sport 0-65535 dport 
0-65535

3: ipv6 permit+reflect src ::/0 dst ::/0 proto 17 sport 0-65535 dport 0-65535

4: ipv4 permit+reflect src 0.0.0.0/0 dst 0.0.0.0/0 proto 1 sport 0-65535 dport 
0-65535

5: ipv4 permit+reflect src 0.0.0.0/0 dst 0.0.0.0/0 proto 1 sport 0-65535 dport 
0-65535

applied inbound on sw_if_index: 1

applied outbound on sw_if_index:

used in lookup context index: 1

acl-index 2 count 6 tag {99999-sra-outbound-sasefwpro-sase-default-fw-profile}

0: ipv4 deny src 0.0.0.0/0 dst 0.0.0.0/0 proto 6 sport 0-65535 dport 0-65535

1: ipv6 deny src ::/0 dst ::/0 proto 6 sport 0-65535 dport 0-65535

2: ipv4 deny src 0.0.0.0/0 dst 0.0.0.0/0 proto 17 sport 0-65535 dport 0-65535

3: ipv6 deny src ::/0 dst ::/0 proto 17 sport 0-65535 dport 0-65535

4: ipv4 deny src 0.0.0.0/0 dst 0.0.0.0/0 proto 1 sport 0-65535 dport 0-65535

5: ipv4 deny src 0.0.0.0/0 dst 0.0.0.0/0 proto 1 sport 0-65535 dport 0-65535

applied inbound on sw_if_index:

applied outbound on sw_if_index: 1

used in lookup context index: 0

acl-index 3 count 1 tag {100-allow-48}

0: ipv4 permit+reflect src 16.0.0.0/16 dst 48.0.0.0/16 proto 0 sport 0 dport 0

applied inbound on sw_if_index: 1

used in lookup context index: 1

DBGvpp#

DBGvpp# show acl-plugin tables

Stats counters enabled for interface ACLs: 0

Mask-type entries:

0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 
0000000000000000 0800ffffffffffff refcount 4

1: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 
000000ff00000000 0e00ffffffffffff refcount 24

2: 0000000000000000 0000000000000000 0000000000000000 0000ffff0000ffff 
0000000000000000 0800ffffffffffff refcount 2

Mask-ready ACL representations

acl-index 0 bitmask-ready layout

applied lc_index list: 1

0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 
0000000000000000 0000000000000000 base mask index 0 acl 0 rule 0 action 0

1: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 
0000000000000000 0800000000000000 base mask index 0 acl 0 rule 1 action 0

acl-index 1 bitmask-ready layout

applied lc_index list: 1

0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 
0000000600000000 0200000100000000 base mask index 1 acl 1 rule 0 action 2

1: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 
0000000600000000 0a00000100000000 base mask index 1 acl 1 rule 1 action 2

2: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 
0000001100000000 0200000100000000 base mask index 1 acl 1 rule 2 action 2

3: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 
0000001100000000 0a00000100000000 base mask index 1 acl 1 rule 3 action 2

4: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 
0000000100000000 0200000100000000 base mask index 1 acl 1 rule 4 action 2

5: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 
0000000100000000 0200000100000000 base mask index 1 acl 1 rule 5 action 2

acl-index 2 bitmask-ready layout

applied lc_index list: 0

0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 
0000000600000000 0200000100000000 base mask index 1 acl 2 rule 0 action 0

1: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 
0000000600000000 0a00000100000000 base mask index 1 acl 2 rule 1 action 0

2: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 
0000001100000000 0200000100000000 base mask index 1 acl 2 rule 2 action 0

3: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 
0000001100000000 0a00000100000000 base mask index 1 acl 2 rule 3 action 0

4: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 
0000000100000000 0200000100000000 base mask index 1 acl 2 rule 4 action 0

5: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 
0000000100000000 0200000100000000 base mask index 1 acl 2 rule 5 action 0

acl-index 3 bitmask-ready layout

applied lc_index list: 1

0: 0000000000000000 0000000000000000 0000000000000000 0000003000000010 
0000000000000000 0000000200000000 base mask index 2 acl 3 rule 0 action 2

Applied lookup entries for lookup contexts

lc_index 0:

applied acls: 2

applied mask info entries:

0: mask type index 1 first rule index 0 num_entries 6 max_collisions 2

lookup applied entries:

0: acl 2 rule 0 action 0 bitmask-ready rule 0 mask type index: 1 
colliding_rules: 1 collision_head_ae_idx 0 hitcount 0 acl_pos: 0

0: acl 2 ace 0 acl pos 0 pae index: 0

1: acl 2 rule 1 action 0 bitmask-ready rule 1 mask type index: 1 
colliding_rules: 1 collision_head_ae_idx 1 hitcount 0 acl_pos: 0

0: acl 2 ace 1 acl pos 0 pae index: 1

2: acl 2 rule 2 action 0 bitmask-ready rule 2 mask type index: 1 
colliding_rules: 1 collision_head_ae_idx 2 hitcount 0 acl_pos: 0

0: acl 2 ace 2 acl pos 0 pae index: 2

3: acl 2 rule 3 action 0 bitmask-ready rule 3 mask type index: 1 
colliding_rules: 1 collision_head_ae_idx 3 hitcount 0 acl_pos: 0

0: acl 2 ace 3 acl pos 0 pae index: 3

4: acl 2 rule 4 action 0 bitmask-ready rule 4 mask type index: 1 
colliding_rules: 2 collision_head_ae_idx 4 hitcount 0 acl_pos: 0

0: acl 2 ace 4 acl pos 0 pae index: 4

1: acl 2 ace 5 acl pos 0 pae index: 5

5: acl 2 rule 5 action 0 bitmask-ready rule 5 mask type index: 1 
colliding_rules: 0 collision_head_ae_idx 4 hitcount 0 acl_pos: 0

lc_index 1:

applied acls: 3, 0, 1

applied mask info entries:

0: mask type index 2 first rule index 0 num_entries 1 max_collisions 1

1: mask type index 0 first rule index 1 num_entries 2 max_collisions 1

2: mask type index 1 first rule index 3 num_entries 6 max_collisions 2

lookup applied entries:

0: acl 3 rule 0 action 2 bitmask-ready rule 0 mask type index: 2 
colliding_rules: 1 collision_head_ae_idx 0 hitcount 150001 acl_pos: 0

0: acl 3 ace 0 acl pos 0 pae index: 0

1: acl 0 rule 0 action 0 bitmask-ready rule 0 mask type index: 0 
colliding_rules: 1 collision_head_ae_idx 1 hitcount 0 acl_pos: 1

0: acl 0 ace 0 acl pos 1 pae index: 1

2: acl 0 rule 1 action 0 bitmask-ready rule 1 mask type index: 0 
colliding_rules: 1 collision_head_ae_idx 2 hitcount 0 acl_pos: 1

0: acl 0 ace 1 acl pos 1 pae index: 2

3: acl 1 rule 0 action 2 bitmask-ready rule 0 mask type index: 1 
colliding_rules: 1 collision_head_ae_idx 3 hitcount 0 acl_pos: 2

0: acl 1 ace 0 acl pos 2 pae index: 3

4: acl 1 rule 1 action 2 bitmask-ready rule 1 mask type index: 1 
colliding_rules: 1 collision_head_ae_idx 4 hitcount 0 acl_pos: 2

0: acl 1 ace 1 acl pos 2 pae index: 4

5: acl 1 rule 2 action 2 bitmask-ready rule 2 mask type index: 1 
colliding_rules: 1 collision_head_ae_idx 5 hitcount 0 acl_pos: 2

0: acl 1 ace 2 acl pos 2 pae index: 5

6: acl 1 rule 3 action 2 bitmask-ready rule 3 mask type index: 1 
colliding_rules: 1 collision_head_ae_idx 6 hitcount 0 acl_pos: 2

0: acl 1 ace 3 acl pos 2 pae index: 6

7: acl 1 rule 4 action 2 bitmask-ready rule 4 mask type index: 1 
colliding_rules: 2 collision_head_ae_idx 7 hitcount 0 acl_pos: 2

0: acl 1 ace 4 acl pos 2 pae index: 7

1: acl 1 ace 5 acl pos 2 pae index: 8

8: acl 1 rule 5 action 2 bitmask-ready rule 5 mask type index: 1 
colliding_rules: 0 collision_head_ae_idx 7 hitcount 0 acl_pos: 2

ACL lookup hash table:

Hash table ACL plugin rule lookup bihash

13 active elements 13 active buckets

1 free lists

0 linear search buckets

arena: base 7f7377ff0000, next 80d00

used 527616 b (0 Mbytes) of 67108864 b (64 Mbytes)

DBGvpp# show acl-plugin sessions

Sessions total: add 150002 - del 150002 = 0

Sessions active: add 150002 - deact 150002 = 0

Sessions being purged: deact 150002 - del 150002 = 0

now: 38259162493998 clocks per second: 2500000000

Per-thread data:

Thread #0:

connection add/del stats:

sw_if_index 0: add 0 - del 0 = 0; epoch chg: 0

sw_if_index 1: add 150002 - del 150002 = 0; epoch chg: 0

sw_if_index 2: add 0 - del 0 = 0; epoch chg: 0

sw_if_index 3: add 0 - del 0 = 0; epoch chg: 0

sw_if_index 4: add 0 - del 0 = 0; epoch chg: 0

sw_if_index 5: add 0 - del 0 = 0; epoch chg: 0

sw_if_index 6: add 0 - del 0 = 0; epoch chg: 0

sw_if_index 7: add 0 - del 0 = 0; epoch chg: 0

sw_if_index 8: add 0 - del 0 = 0; epoch chg: 0

sw_if_index 9: add 0 - del 0 = 0; epoch chg: 0

connection timeout type lists:

fa_conn_list_head[0]: -1

fa_conn_list_head[1]: -1

fa_conn_list_head[2]: -1

fa_conn_list_head[3]: -1

fa_conn_list_head[4]: -1

Next expiry time: 0

Requeue until time: 0

Current time wait interval: 0

Count of deleted sessions: 150002

Delete already deleted: 0

Session timers restarted: 150750

Swipe until this time: 0

sw_if_index serviced bitmap: 2

pending clear intfc bitmap :

clear in progress: 0

interrupt is pending: 0

interrupt is needed: 0

interrupt is unwanted: 0

interrupt generation: 14572

received session change requests: 0

sent session change requests: 0

Conn cleaner thread counters:

33: delete_by_sw_index events

30: delete_by_sw_index handled ok

0: unknown events received

0: session idle timers restarted

14567: event wait with timeout called

5: event wait w/o timeout called

14571: total event cycles

Interrupt generation: 14572

Sessions per interval: min 1 max 100 increment: 100 ms current: 500 ms

Reclassify sessions: 0

IPv6 Session lookup hash table:

Hash table ACL plugin FA IPv6 session bihash

[empty, uninitialized]

IPv4 Session lookup hash table:

Hash table ACL plugin FA IPv4 session bihash

0 active elements 0 active buckets

5 free lists

[len 1] 51199 free elts

[len 2] 4504 free elts

[len 4] 373 free elts

[len 8] 9 free elts

[len 16] 1 free elts

0 linear search buckets

arena: base 7f5abb720000, next 7b84c0

used 8094912 b (7 Mbytes) of 1073741824 b (1024 Mbytes)

DBGvpp# show nat44 addresses

NAT44 pool addresses:

172.24.114.39

tenant VRF independent

0 busy udp ports

15001 busy tcp ports

0 busy icmp ports

NAT44 twice-nat pool addresses:

10.40.1.254

tenant VRF independent

0 busy udp ports

0 busy tcp ports

0 busy icmp ports

DBGvpp#

Packet 50

03:47:03:874592: dpdk-input

lan-ens6 rx queue 0

buffer 0x8b222: current data 0, length 54, buffer-pool 0, ref-count 1, 
totlen-nifb 0, trace handle 0x31

ext-hdr-valid

l4-cksum-computed l4-cksum-correct

PKT MBUF: port 0, nb_segs 1, pkt_len 54

buf_len 2176, data_len 54, ol_flags 0x0, data_off 128, phys_addr 0x6fec8900

packet_type 0x110 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0

rss 0x3aa73aa7 fdir.hi 0x0 fdir.lo 0x3aa73aa7

Packet Types

RTE_PTYPE_L3_IPV4 (0x0010) IPv4 packet without extension headers

RTE_PTYPE_L4_TCP (0x0100) TCP packet

IP4: 02:85:36:20:e4:87 -> 02:2e:53:e6:4f:e1

TCP: 16.0.0.67 -> 48.0.0.67

tos 0x00, ttl 128, length 40, checksum 0x80f9

fragment id 0x7951

TCP: 11540 -> 80

seq. 0x181a45db ack 0x181af226

flags 0x10 ACK, tcp header: 20 bytes

window 32768, checksum 0x59b4

03:47:03:874606: ethernet-input

frame: flags 0x3, hw-if-index 1, sw-if-index 1

IP4: 02:85:36:20:e4:87 -> 02:2e:53:e6:4f:e1

03:47:03:874620: ip4-input-no-checksum

TCP: 16.0.0.67 -> 48.0.0.67

tos 0x00, ttl 128, length 40, checksum 0x80f9

fragment id 0x7951

TCP: 11540 -> 80

seq. 0x181a45db ack 0x181af226

flags 0x10 ACK, tcp header: 20 bytes

window 32768, checksum 0x59b4

03:47:03:874624: acl-plugin-in-ip4-fa

acl-plugin: lc_index: -1, sw_if_index 1, next index 1, action: 3, match: acl -1 
rule 13309 trace_bits 80010303

pkt info 0000000000000000 0000000000000000 0000000000000000 4300003043000010 
0001010600502d14 0310ffff00000000

lc_index 0 l3 ip4 16.0.0.67 -> 48.0.0.67 l4 lsb_of_sw_if_index 1 proto 6 
l4_is_input 1 l4_slow_path 0 l4_flags 0x01 port 11540 -> 80 tcp flags (valid) 
10 rsvd 0

03:47:03:874634: ip4-lookup

fib 0 dpo-idx 53 flow hash: 0x00000000

TCP: 16.0.0.67 -> 48.0.0.67

tos 0x00, ttl 128, length 40, checksum 0x80f9

fragment id 0x7951

TCP: 11540 -> 80

seq. 0x181a45db ack 0x181af226

flags 0x10 ACK, tcp header: 20 bytes

window 32768, checksum 0x59b4

03:47:03:874639: ip4-load-balance

fib 0 dpo-idx 14 flow hash: 0x00000000

TCP: 16.0.0.67 -> 48.0.0.67

tos 0x00, ttl 128, length 40, checksum 0x80f9

fragment id 0x7951

TCP: 11540 -> 80

seq. 0x181a45db ack 0x181af226

flags 0x10 ACK, tcp header: 20 bytes

window 32768, checksum 0x59b4

03:47:03:874655: ip4-rewrite

tx_sw_if_index 2 dpo-idx 14 : ipv4 via 172.24.115.166 wan-ens7: mtu:9000 
02fcbaad303302c6e54357a50800 flow hash: 0x00000000

00000000: 02fcbaad303302c6e54357a5080045000028795100007f0681f9100000433000

00000020: 00432d140050181a45db181af2265010800059b400002a2a2a2a2a2a

03:47:03:874660: nat44-ed-in2out-output

NAT44_IN2OUT_ED_FAST_PATH: sw_if_index 1, next index 0, session 34066

03:47:03:874681: wan-ens7-output

wan-ens7 l4-cksum-computed l4-cksum-correct natted l2_hdr_offset_valid 
l3_hdr_offset_valid

IP4: 02:c6:e5:43:57:a5 -> 02:fc:ba:ad:30:33

TCP: 172.24.114.39 -> 48.0.0.67

tos 0x00, ttl 127, length 40, checksum 0x73fc

fragment id 0x7951

TCP: 8447 -> 80

seq. 0x181a45db ack 0x181af226

flags 0x10 ACK, tcp header: 20 bytes

window 32768, checksum 0x57cc

03:47:03:874685: wan-ens7-tx

wan-ens7 tx queue 0

buffer 0x8b222: current data 0, length 54, buffer-pool 0, ref-count 1, 
totlen-nifb 0, trace handle 0x31

ext-hdr-valid

l4-cksum-computed l4-cksum-correct natted l2-hdr-offset 0 l3-hdr-offset 14

PKT MBUF: port 0, nb_segs 1, pkt_len 54

buf_len 2176, data_len 54, ol_flags 0x0, data_off 128, phys_addr 0x6fec8900

packet_type 0x110 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0

rss 0x3aa73aa7 fdir.hi 0x0 fdir.lo 0x3aa73aa7

Packet Types

RTE_PTYPE_L3_IPV4 (0x0010) IPv4 packet without extension headers

RTE_PTYPE_L4_TCP (0x0100) TCP packet

IP4: 02:c6:e5:43:57:a5 -> 02:fc:ba:ad:30:33

TCP: 172.24.114.39 -> 48.0.0.67

tos 0x00, ttl 127, length 40, checksum 0x73fc

fragment id 0x7951

TCP: 8447 -> 80

seq. 0x181a45db ack 0x181af226

flags 0x10 ACK, tcp header: 20 bytes

window 32768, checksum 0x57cc