On Wed, Feb 18, 2026 at 2:03 PM PRANAB DAS via lists.fd.io <pkdas.boston= [email protected]> wrote:
> Hi,
>
> I want host traffic to be always seen by the VPP IP stack for
> ACL/NAT/IPsec.
> But in L2 (tap) mode, linux-cp-x-ip4 bypasses VPP IP stack/FIB.
>

Hi,

linux-cp-xc-ip4 should not do anything to bypass ACL, NAT, or IPsec if they are configured as output features on the VPP interface. If there are feature nodes enabled on interface-output, they should be traversed. It should just bypass the FIB lookup.

> Is there a way (config) linux-cp-x-ip4 to forward the host packet to VPP
> ip4-lookup?
>

Not currently. You would have to modify the code in your build to do that.

> For instance there could be a SPD/SA on the VPP egress ethernet interface
> which is an internal interface for pipelining/service-chaining.
>

As noted, output features should work correctly. If some output feature is not working, I could try to make a guess at the cause if you provide a packet trace and more information about your topology and how you have VPP configured.

> Should I create the lcp interface in l3 (tun) mode? I am afraid that
> in L3 mode, some of the Linux control plane functionality will not be
> available.
>

The mode that you create the pair with depends on what type of VPP interface you are pairing with. If it's an interface type that passes ethernet frames (e.g. hardware/DPDK, GRE in TEB mode, vhost-user, memif in L2 mode), you should create the pair in tap mode. If it's a tunnel L3 interface (e.g. IP-IP, GRE in L3 mode), you should create the pair in tun mode. It's unlikely to work if you try to create a pair in tun mode with a VPP ethernet interface.

-Matt
