Hi Florin I have 2 dpdk ifaces in the bridge domain instrumented with loop BVI having 30.22.0.201. I want all packets coming from one dpdk with any combination of src and dst ip first to come to VCL app being modified somehow inside the app and then go out via another dpdk. For that I do
session rule add appns default proto tcp 0.0.0.0/0 443 0.0.0.0/0 443 action 3 where 3 is idx of VCL app running either as native VCL or via LD_PRELOAD Since this session rule feature is not very well documented, I'm just experimenting. My assumptions: 1. that 3 is actually a VCL app index as reported by sh app. Some people say (also GPT) that it's type of action instead and in 25.10 just 2 of them exist : #define SESSION_RULES_TABLE_ACTION_DROP (MMA_TABLE_INVALID_INDEX - 1) #define SESSION_RULES_TABLE_ACTION_ALLOW (MMA_TABLE_INVALID_INDEX - 2) the above is session_rule_table.h: 62 2. proto tcp 0.0.0.0/0 443 0.0.0.0/0 443 is just 5-tuple filter meaning that tcp packets with any src ip and port and dst ip and port is to be transported to app 3 and nothing like NAT happens. 3. what is not clear for me - on which ip my VCL app needs to bind in vppcom_session_bind( please confirm what is valid On Fri, Nov 21, 2025 at 5:40 AM Florin Coras via lists.fd.io <fcoras.lists= [email protected]> wrote: > Hi Kirill, > > That is probably accurate, although I’ve never tried it. The rules table > does apply to listeners but the listener lookup logic (see > app_listener_lookup) will just use the action_index to find an app > listener. So if there is an app listener with that index, bind will report > port is in use. > > Could you provide a bit more details about your usecase? > > Regards, > Florin > > On Nov 20, 2025, at 4:35 AM, Kirill Shileev via lists.fd.io <kshileev= > [email protected]> wrote: > > Hi folks > > I'm trying to do something like that: > vppctl ses rule add appns default proto tcp 0.0.0.0/0 443 {ssl}/32 443 > action 3 > > then bind some VCL app to port 443, this fails. > > According to GPT: > > The bind fails because: > > > *Port 443 is reserved by a VPP session rule → VCL apps cannot bind to > ports controlled by rules.* > Fix: > > vppctl session rule del lcl 0.0.0.0/0 443 rmt 30.22.0.201/32 443 > > please confirm that this is indeed impossible! And if GPT's wrong, please > point me in the right direction with some good example? > > > -- > Best wishes, Kirill > > > > > > > > -- Best wishes, Kirill
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#26541): https://lists.fd.io/g/vpp-dev/message/26541 Mute This Topic: https://lists.fd.io/mt/116389781/21656 Group Owner: [email protected] Unsubscribe: https://lists.fd.io/g/vpp-dev/leave/14379924/21656/631435203/xyzzy [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
