.. _aclwithvpp:

Access Control Lists with VPP
=============================

This section is an overview of the options available to implement ACLs in
FD.io VPP. As there are a number of ways to address ACL-like functionality,
it is worth a separate survey of these options with some commentary on
features and performance.

All performance numbers and examples in this document are reused from
the `FD.io CSIT v19.04 performance report <https://docs.fd.io/csit/rls1904/report/>`__.
All information and performance numbers are accurate for the
`FD.io VPP 19.04 <https://git.fd.io/vpp/tag/?h=v19.04>`__ release. The
*performance* and *operational data* sections below correlate directly with
those sections of the FD.io CSIT performance report.

Summary
-------

+---------------------+-------------------------+-----------------------------------+
| Option              | Relative Performance    | Features & Notes                  |
+=====================+=========================+===================================+
| :ref:`aclplugin`    | Lowest                  | Match on restricted L2-L4 fields, |
|                     |                         | stateful & stateless              |
+---------------------+-------------------------+-----------------------------------+
| :ref:`vppcop`       | Highest (software only) | Match on Layer 3 IPs, stateless   |
+---------------------+-------------------------+-----------------------------------+
| :ref:`vppflow`      | Highest (accelerated)   | Match on restricted L2-L4 fields, |
|                     |                         | stateless, limited number of      |
|                     |                         | flows                             |
+---------------------+-------------------------+-----------------------------------+
| :ref:`classifiers`  | TBD (not measured)      | Match on any field in the first   |
|                     |                         | 80 bytes                          |
+---------------------+-------------------------+-----------------------------------+

FD.io VPP ACL Options
---------------------

.. _aclplugin:

The FD.io VPP ACL Plugin
~~~~~~~~~~~~~~~~~~~~~~~~

The plugin was originally developed as part of the FD.io VPP and OpenStack
integration. ACLs are applied per interface and direction, so the plugin needs
to be enabled on each interface that should be filtered.

Supports stateful and stateless ACLs on …
""""""""""""""""""""""""""""""""""""""""""

- MACs
- IPs
- UDP ports
- TCP ports & flags
- ICMP messages

Directional
"""""""""""

* Input ACLs

  * Run on ingress, before IP lookup (the ``acl-plugin-in-ip4-fa`` node in the
    operational data below).

* Output ACLs

  * Run on egress, before interface output (the ``acl-plugin-out-ip4-fa`` node
    in the operational data below).

Actions
"""""""

- Permit (sl)
- Drop (sl)
- Permit+Reflect (sf)

Stateful (sf)
"""""""""""""

- Actions: permit+reflect
- Most heavily optimized, as this is the most common use case.
- Faster, because stateful ACLs use a flow cache: the ACL rule walk is taken
  only once, up front for the first packet of a flow; the flow (and its return
  direction) is then recorded as a session, and later packets of the flow only
  take a session look-up.
- Uses more memory and is less deterministic, as the flow cache makes it
  more susceptible to the effects of the memory hierarchy and locality.
  Sessions are held in a bounded table and idle ones are expired by the
  ``acl-plugin-fa-cleaner-process`` seen in the operational data below.

Stateless (sl)
""""""""""""""

- Actions: permit, drop
- Less optimized, less common use case.
- Slower, as there is no flow cache: every packet incurs the same amount
  of ACL processing.
- Uses less memory and is more deterministic (compared to stateful).

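The difference between the two modes is easiest to see in code. The following is an added, constructed model of the behaviour described above; it is not the VPP ACL plugin's code, and the names (``Acl``, ``Rule``, ``Packet``, the 5-tuple session key) are this example's own. It runs the same constructed traffic through a stateless ACL (plain permit) and a stateful one (permit+reflect) and counts how often the rule list has to be walked:

```python
"""Model of stateful (permit+reflect) versus stateless ACL evaluation.

Added example, not VPP code. A stateless ACL walks its rule list for every
packet. A stateful ACL walks the rules once for a new flow; on permit+reflect
it records the flow and its reverse direction as sessions, and later packets
of either direction are answered from the session table without a rule walk.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

PERMIT, DENY, PERMIT_REFLECT = "permit", "deny", "permit+reflect"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "udp" or "tcp" (TCP flag tracking is left out)
    sport: int
    dport: int


@dataclass
class Rule:
    action: str
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None          # None matches any protocol
    sport: tuple = (0, 65535)            # inclusive port ranges
    dport: tuple = (0, 65535)

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and self.sport[0] <= p.sport <= self.sport[1]
                and self.dport[0] <= p.dport <= self.dport[1])


@dataclass
class Acl:
    rules: list
    sessions: set = field(default_factory=set)   # the flow cache (stateful only)
    rule_evaluations: int = 0                    # how often the rule list was walked

    def _walk_rules(self, p: Packet) -> str:
        self.rule_evaluations += 1
        for r in self.rules:
            if r.matches(p):
                return r.action
        return DENY                               # implicit deny at the end of the ACL

    def apply(self, p: Packet) -> bool:
        """Return True if the packet is permitted."""
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        if key in self.sessions:                  # flow-cache hit: no rule walk
            return True
        action = self._walk_rules(p)
        if action == PERMIT_REFLECT:
            # Record both directions so the reply is admitted without needing
            # a rule of its own; this is what "reflect" adds over "permit".
            self.sessions.add(key)
            self.sessions.add((p.proto, p.dst, p.dport, p.src, p.sport))
        return action in (PERMIT, PERMIT_REFLECT)


def demo() -> dict:
    # Constructed traffic: an inside host queries an outside DNS server,
    # the server replies, and the server also sends an unrelated packet.
    outbound = Packet("10.10.10.5", "20.20.20.9", "udp", 40000, 53)
    reply = Packet("20.20.20.9", "10.10.10.5", "udp", 53, 40000)
    unsolicited = Packet("20.20.20.9", "10.10.10.5", "udp", 53, 40001)

    stateless = Acl([Rule(PERMIT, src="10.10.10.0/24")])
    stateful = Acl([Rule(PERMIT_REFLECT, src="10.10.10.0/24")])

    results = {}
    for name, acl in (("stateless", stateless), ("stateful", stateful)):
        results[name] = {
            "outbound": acl.apply(outbound),
            "reply": acl.apply(reply),
            "reply_again": acl.apply(reply),
            "unsolicited": acl.apply(unsolicited),
            "rule_walks": acl.rule_evaluations,
        }
    return results


if __name__ == "__main__":
    for mode, r in demo().items():
        print(mode, r)
```

With the stateless ACL the reply is dropped (its source is not in 10.10.10.0/24) and all four packets walk the rules; with permit+reflect the reply and the repeated reply are admitted from the session table and only two rule walks happen, which is the flow-cache effect behind the lower per-packet clocks of the stateful case. The unsolicited packet is still walked and still hits the implicit deny in both modes. What the model leaves out is where the memory goes in the real plugin: sessions occupy a bounded table and are aged out by the cleaner process, so a stateful ACL's behaviour also depends on session count and timeouts.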
Operational Data
----------------

Input/Stateless
~~~~~~~~~~~~~~~

Test Case: 10ge2p1x520-ethip4udp-ip4base-iacl1sl-10kflows-ndrpdr
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

.. code-block:: console

    DUT1:
    Thread 0 vpp_main (lcore 1)
    Time 3.8, average vectors/node 0.00, last 128 main loops 0.00 per node 0.00
      vector rates in 0.0000e0, out 0.0000e0, drop 0.0000e0, punt 0.0000e0
    Name                           State            Calls         Vectors  Suspends      Clocks  Vectors/Call
    acl-plugin-fa-cleaner-process  any wait             0               0        14      1.29e3          0.00
    acl-plugin-fa-worker-cleaner-pinterrupt wa          7               0         0      9.18e2          0.00
    api-rx-from-ring               active               0               0        52      8.96e4          0.00
    dpdk-process                   any wait             0               0         1      1.35e4          0.00
    fib-walk                       any wait             0               0         2      2.69e3          0.00
    ip6-icmp-neighbor-discovery-ev any wait             0               0         4      1.32e3          0.00
    lisp-retry-service             any wait             0               0         2      2.90e3          0.00
    unix-epoll-input               polling           7037               0         0      1.25e6          0.00
    vpe-oam-process                any wait             0               0         2      2.28e3          0.00

    Thread 1 vpp_wk_0 (lcore 2)
    Time 3.8, average vectors/node 249.02, last 128 main loops 32.00 per node 273.07
      vector rates in 6.1118e6, out 6.1118e6, drop 0.0000e0, punt 0.0000e0
    Name                           State            Calls         Vectors  Suspends      Clocks  Vectors/Call
    TenGigabitEtherneta/0/0-output active           47106        11721472         0      9.47e0        248.83
    TenGigabitEtherneta/0/0-tx     active           47106        11721472         0      4.22e1        248.83
    TenGigabitEtherneta/0/1-output active           47106        11721472         0      1.02e1        248.83
    TenGigabitEtherneta/0/1-tx     active           47106        11721472         0      4.18e1        248.83
    acl-plugin-fa-worker-cleaner-pinterrupt wa          7               0         0      1.39e3          0.00
    acl-plugin-in-ip4-fa           active           94107        23442944         0      1.75e2        249.11
    dpdk-input                     polling          47106        23442944         0      4.64e1        497.66
    ethernet-input                 active           94212        23442944         0      1.55e1        248.83
    ip4-input-no-checksum          active           94107        23442944         0      3.23e1        249.11
    ip4-lookup                     active           94107        23442944         0      2.91e1        249.11
    ip4-rewrite                    active           94107        23442944         0      2.48e1        249.11
    unix-epoll-input               polling             46               0         0      1.54e3          0.00

Input/Stateful
~~~~~~~~~~~~~~

Test Case: 64b-1t1c-ethip4udp-ip4base-iacl1sf-10kflows-ndrpdr
"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

.. code-block:: console

    DUT1:
    Thread 0 vpp_main (lcore 1)
    Time 3.9, average vectors/node 0.00, last 128 main loops 0.00 per node 0.00
      vector rates in 0.0000e0, out 0.0000e0, drop 0.0000e0, punt 0.0000e0
    Name                           State            Calls         Vectors  Suspends      Clocks  Vectors/Call
    acl-plugin-fa-cleaner-process  any wait             0               0        16      1.40e3          0.00
    acl-plugin-fa-worker-cleaner-pinterrupt wa          8               0         0      8.97e2          0.00
    api-rx-from-ring               active               0               0        52      7.12e4          0.00
    dpdk-process                   any wait             0               0         1      1.69e4          0.00
    fib-walk                       any wait             0               0         2      2.55e3          0.00
    ip4-reassembly-expire-walk     any wait             0               0         1      1.27e4          0.00
    ip6-icmp-neighbor-discovery-ev any wait             0               0         4      1.09e3          0.00
    ip6-reassembly-expire-walk     any wait             0               0         1      2.57e3          0.00
    lisp-retry-service             any wait             0               0         2      1.18e4          0.00
    statseg-collector-process      time wait            0               0         1      6.38e3          0.00
    unix-epoll-input               polling           6320               0         0      1.41e6          0.00
    vpe-oam-process                any wait             0               0         2      7.53e3          0.00

    Thread 1 vpp_wk_0 (lcore 2)
    Time 3.9, average vectors/node 252.74, last 128 main loops 32.00 per node 273.07
      vector rates in 7.5833e6, out 7.5833e6, drop 0.0000e0, punt 0.0000e0
    Name                           State            Calls         Vectors  Suspends      Clocks  Vectors/Call
    TenGigabitEtherneta/0/0-output active           58325        14738944         0      9.41e0        252.70
    TenGigabitEtherneta/0/0-tx     active           58325        14738944         0      4.32e1        252.70
    TenGigabitEtherneta/0/1-output active           58323        14738944         0      1.02e1        252.71
    TenGigabitEtherneta/0/1-tx     active           58323        14738944         0      4.31e1        252.71
    acl-plugin-fa-worker-cleaner-pinterrupt wa          8               0         0      1.62e3          0.00
    acl-plugin-in-ip4-fa           active          116628        29477888         0      1.01e2        252.75
    dpdk-input                     polling          58325        29477888         0      4.63e1        505.41
    ethernet-input                 active          116648        29477888         0      1.53e1        252.71
    ip4-input-no-checksum          active          116628        29477888         0      3.21e1        252.75
    ip4-lookup                     active          116628        29477888         0      2.90e1        252.75
    ip4-rewrite                    active          116628        29477888         0      2.48e1        252.75
    unix-epoll-input               polling             57               0         0      2.39e3          0.00

Output/Stateless
~~~~~~~~~~~~~~~~

Test Case: 64b-1t1c-ethip4udp-ip4base-oacl10sl-10kflows-ndrpdr
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

.. code-block:: console

    DUT1:
    Thread 0 vpp_main (lcore 1)
    Time 3.8, average vectors/node 0.00, last 128 main loops 0.00 per node 0.00
      vector rates in 0.0000e0, out 0.0000e0, drop 0.0000e0, punt 0.0000e0
    Name                           State            Calls         Vectors  Suspends      Clocks  Vectors/Call
    acl-plugin-fa-cleaner-process  any wait             0               0        14      1.43e3          0.00
    acl-plugin-fa-worker-cleaner-pinterrupt wa          7               0         0      9.23e2          0.00
    api-rx-from-ring               active               0               0        52      8.01e4          0.00
    dpdk-process                   any wait             0               0         1      1.59e6          0.00
    fib-walk                       any wait             0               0         2      6.81e3          0.00
    ip6-icmp-neighbor-discovery-ev any wait             0               0         4      2.81e3          0.00
    lisp-retry-service             any wait             0               0         2      3.64e3          0.00
    unix-epoll-input               polling           4842               0         0      1.81e6          0.00
    vpe-oam-process                any wait             0               0         1      2.24e4          0.00

    Thread 1 vpp_wk_0 (lcore 2)
    Time 3.8, average vectors/node 249.29, last 128 main loops 36.00 per node 271.06
      vector rates in 5.9196e6, out 5.9196e6, drop 0.0000e0, punt 0.0000e0
    Name                           State            Calls         Vectors  Suspends      Clocks  Vectors/Call
    TenGigabitEtherneta/0/0-output active           45595        11363584         0      9.22e0        249.23
    TenGigabitEtherneta/0/0-tx     active           45595        11363584         0      4.25e1        249.23
    TenGigabitEtherneta/0/1-output active           45594        11363584         0      9.75e0        249.23
    TenGigabitEtherneta/0/1-tx     active           45594        11363584         0      4.21e1        249.23
    acl-plugin-fa-worker-cleaner-pinterrupt wa          7               0         0      1.28e3          0.00
    acl-plugin-out-ip4-fa          active           91155        22727168         0      1.78e2        249.32
    dpdk-input                     polling          45595        22727168         0      4.64e1        498.46
    ethernet-input                 active           91189        22727168         0      1.56e1        249.23
    interface-output               active           91155        22727168         0      1.13e1        249.32
    ip4-input-no-checksum          active           91155        22727168         0      1.95e1        249.32
    ip4-lookup                     active           91155        22727168         0      2.88e1        249.32
    ip4-rewrite                    active           91155        22727168         0      3.53e1        249.32
    unix-epoll-input               polling             44               0         0      1.53e3          0.00

Output/Stateful
~~~~~~~~~~~~~~~

Test Case: 64b-1t1c-ethip4udp-ip4base-oacl10sf-10kflows-ndrpdr
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

.. code-block:: console

    DUT1:
    Thread 0 vpp_main (lcore 1)
    Time 3.8, average vectors/node 0.00, last 128 main loops 0.00 per node 0.00
      vector rates in 0.0000e0, out 0.0000e0, drop 0.0000e0, punt 0.0000e0
    Name                           State            Calls         Vectors  Suspends      Clocks  Vectors/Call
    acl-plugin-fa-cleaner-process  any wait             0               0        16      1.47e3          0.00
    acl-plugin-fa-worker-cleaner-pinterrupt wa          8               0         0      8.51e2          0.00
    api-rx-from-ring               active               0               0        50      7.24e4          0.00
    dpdk-process                   any wait             0               0         2      1.93e4          0.00
    fib-walk                       any wait             0               0         2      2.02e3          0.00
    ip4-reassembly-expire-walk     any wait             0               0         1      3.96e3          0.00
    ip6-icmp-neighbor-discovery-ev any wait             0               0         4      9.84e2          0.00
    ip6-reassembly-expire-walk     any wait             0               0         1      3.76e3          0.00
    lisp-retry-service             any wait             0               0         2      1.49e4          0.00
    statseg-collector-process      time wait            0               0         1      4.98e3          0.00
    unix-epoll-input               polling           5653               0         0      1.55e6          0.00
    vpe-oam-process                any wait             0               0         2      1.90e3          0.00

    Thread 1 vpp_wk_0 (lcore 2)
    Time 3.8, average vectors/node 250.85, last 128 main loops 36.00 per node 271.06
      vector rates in 7.2686e6, out 7.2686e6, drop 0.0000e0, punt 0.0000e0
    Name                           State            Calls         Vectors  Suspends      Clocks  Vectors/Call
    TenGigabitEtherneta/0/0-output active           55639        13930752         0      9.33e0        250.38
    TenGigabitEtherneta/0/0-tx     active           55639        13930752         0      4.27e1        250.38
    TenGigabitEtherneta/0/1-output active           55636        13930758         0      9.81e0        250.39
    TenGigabitEtherneta/0/1-tx     active           55636        13930758         0      4.33e1        250.39
    acl-plugin-fa-worker-cleaner-pinterrupt wa          8               0         0      1.62e3          0.00
    acl-plugin-out-ip4-fa          active          110988        27861510         0      1.04e2        251.03
    dpdk-input                     polling          55639        27861510         0      4.62e1        500.76
    ethernet-input                 active          111275        27861510         0      1.55e1        250.38
    interface-output               active          110988        27861510         0      1.21e1        251.03
    ip4-input-no-checksum          active          110988        27861510         0      1.95e1        251.03
    ip4-lookup                     active          110988        27861510         0      2.89e1        251.03
    ip4-rewrite                    active          110988        27861510         0      3.55e1        251.03
    unix-epoll-input               polling             54               0         0      2.43e3          0.00

Performance
-----------

+---------------------------------------+-------+-------------------+
| Test Case                             | Mpps  | Cycles per packet |
+=======================================+=======+===================+
| ethip4-ip4base                        | 18.26 | 136               |
+---------------------------------------+-------+-------------------+
| ethip4udp-ip4base-iacl1sl-10kflows    | 9.134 | 273               |
+---------------------------------------+-------+-------------------+
| ethip4udp-ip4base-iacl1sf-10kflows    | 11.06 | 226               |
+---------------------------------------+-------+-------------------+

Relative to the ethip4-ip4base baseline, the stateless input ACL adds about
137 cycles per packet and the stateful one about 90, consistent with the
per-packet clocks of the acl-plugin-in-ip4-fa node in the operational data
above (1.75e2 versus 1.01e2).

Input ACLs (SKX)
~~~~~~~~~~~~~~~~

.. figure:: /_images/ip4-2n-iacl.png

Output ACLs (HSW)
~~~~~~~~~~~~~~~~~

.. figure:: /_images/ip4-3n-oacl.png

Configuration
-------------

Stateful
~~~~~~~~

A route for the far-side prefix, one ACL (index 0) whose rules for the two
/24s use permit+reflect, and that ACL applied as the input ACL of both
interfaces:

.. code-block:: console

    $ sudo vppctl ip_add_del_route 20.20.20.0/24 via 1.1.1.2 sw_if_index 1 resolve-attempts 10 count 1
    $ sudo vppctl acl_add_replace ipv4 permit src 30.30.30.1/32 dst 40.40.40.1/32 sport 1000 dport 1000, ipv4 permit+reflect src 10.10.10.0/24, ipv4 permit+reflect src 20.20.20.0/24
    $ sudo vppctl acl_interface_set_acl_list sw_if_index 2 input 0
    $ sudo vppctl acl_interface_set_acl_list sw_if_index 1 input 0

Stateless
~~~~~~~~~

The same setup with plain permit rules, so no sessions are created:

.. code-block:: console

    $ sudo vppctl ip_add_del_route 20.20.20.0/24 via 1.1.1.2 sw_if_index 1 resolve-attempts 10 count 1
    $ sudo vppctl acl_add_replace ipv4 permit src 30.30.30.1/32 dst 40.40.40.1/32 sport 1000 dport 1000, ipv4 permit src 10.10.10.0/24, ipv4 permit src 20.20.20.0/24
    $ sudo vppctl acl_interface_set_acl_list sw_if_index 2 input 0
    $ sudo vppctl acl_interface_set_acl_list sw_if_index 1 input 0

Links
~~~~~

- `FD.io Security Groups overview <https://wiki.fd.io/view/VPP/SecurityGroups>`__
- `Reflexive Access Control Lists <https://packetlife.net/blog/2008/nov/25/reflexive-access-lists/>`__
- `Andrew Yourt's Blog on ACLs <http://stdio.be/blog/2017-12-09-Debugging-VPP-MACIP-ACLs/>`__

.. _vppcop:

FD.io VPP COP
-------------

IPv4/IPv6 white-lists using the FD.io VPP FIB, with support for multiple
nested white-lists.

Design Notes
~~~~~~~~~~~~

- The cop graph nodes (input & white-list) reuse the FD.io VPP FIB 2.0
  implementation. Essentially, a successful lookup in the white-list FIB
  indicates that a packet has been white-listed and may be forwarded.
- cop-input: determines whether the frame is IPv4 or IPv6, and forwards it to
  the ipN-cop-whitelist graph node.
- ipN-cop-whitelist: uses the ip4_fib_[mtrie,lookup] functions to confirm that
  the packet's source IP address matches an entry in the white-list FIB.
- Match: the packet is sent either to the next white-list or to the IP layer.
- No match: the packet is sent to error-drop.

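The decision described in the design notes, as an added model that is not the VPP cop code: the white-list is a set of prefixes consulted by longest-prefix match on the packet's source address, and ``cop_forward`` returns the name of the graph node the packet goes to next. The chaining of several white-lists (each one must match before the packet reaches the IP layer) follows the description above; the node names are those in the operational data, and the class and function names are this example's own.

```python
"""Model of the COP source-address white-list lookup (added example, not VPP code).

A packet's source address is looked up in a white-list FIB by longest-prefix
match; a hit forwards the packet to the next white-list or the IP layer, a
miss sends it to error-drop.
"""
from ipaddress import ip_address, ip_network
from typing import Optional


class WhitelistFib:
    """A FIB holding only white-list prefixes, bucketed by prefix length so that
    lookup is a longest-prefix match (the most specific covering prefix wins)."""

    def __init__(self, prefixes):
        self.by_len = {}
        for p in prefixes:
            net = ip_network(p)
            self.by_len.setdefault(net.prefixlen, set()).add(net)

    def lookup(self, addr: str) -> Optional["ip_network"]:
        a = ip_address(addr)
        for plen in sorted(self.by_len, reverse=True):   # most specific first
            for net in self.by_len[plen]:
                if a in net:
                    return net
        return None


def cop_forward(src_addr: str, whitelists) -> str:
    """Run a source address through a chain of white-list FIBs.

    Mirrors the graph: "error-drop" on the first miss, "ip4-lookup" (the
    regular IP layer) once every white-list in the chain has matched.
    """
    for fib in whitelists:
        if fib.lookup(src_addr) is None:
            return "error-drop"
    return "ip4-lookup"


def demo() -> dict:
    # Constructed white-list using the prefix from the configuration section.
    wl = WhitelistFib(["20.20.20.0/24"])
    return {
        "listed_src": cop_forward("20.20.20.17", [wl]),
        "unlisted_src": cop_forward("10.10.10.17", [wl]),
        "two_lists_both_hit": cop_forward("20.20.20.17", [wl, WhitelistFib(["20.20.0.0/16"])]),
        "two_lists_one_miss": cop_forward("20.20.20.17", [wl, WhitelistFib(["30.0.0.0/8"])]),
        # A default route in a white-list FIB admits every source: the check a
        # practitioner should make before enabling COP on an interface.
        "default_route_permits_all": cop_forward("192.0.2.1", [WhitelistFib(["0.0.0.0/0"])]),
    }


if __name__ == "__main__":
    for case, next_node in demo().items():
        print(case, "->", next_node)
```

The last case is the one to keep in mind when reviewing a white-list: because the decision is "any covering entry permits", a broad prefix such as 0.0.0.0/0 turns the white-list into a no-op, and nested lists only narrow the result, never widen it.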
Operational Data
~~~~~~~~~~~~~~~~

Note the vector counts of ip4-lookup and ip4-rewrite (41396224), double those
of cop-input (20698112): the trace covers both traffic directions and only one
of them is white-listed. That direction enters through cop-input, ip4-input and
ip4-cop-whitelist; the reverse direction enters through ethernet-input and
ip4-input-no-checksum; both then share ip4-lookup and ip4-rewrite. The
white-list lookup itself happens inside ip4-cop-whitelist (3.24e1 clocks per
packet here), not as a second pass through ip4-lookup.

.. code-block:: console

    DUT1:
    Thread 0 vpp_main (lcore 1)
    Time 3.9, average vectors/node 0.00, last 128 main loops 0.00 per node 0.00
      vector rates in 0.0000e0, out 0.0000e0, drop 0.0000e0, punt 0.0000e0
    Name                           State            Calls         Vectors  Suspends      Clocks  Vectors/Call
    api-rx-from-ring               active               0               0        53      4.20e4          0.00
    dpdk-process                   any wait             0               0         1      1.75e4          0.00
    fib-walk                       any wait             0               0         2      1.59e3          0.00
    ip4-reassembly-expire-walk     any wait             0               0         1      2.20e3          0.00
    ip6-icmp-neighbor-discovery-ev any wait             0               0         4      1.14e3          0.00
    ip6-reassembly-expire-walk     any wait             0               0         1      1.50e3          0.00
    lisp-retry-service             any wait             0               0         2      2.19e3          0.00
    statseg-collector-process      time wait            0               0         1      2.48e3          0.00
    unix-epoll-input               polling           2800               0         0      3.15e6          0.00
    vpe-oam-process                any wait             0               0         2      7.00e2          0.00

    Thread 1 vpp_wk_0 (lcore 2)
    Time 3.9, average vectors/node 220.84, last 128 main loops 20.87 per node 190.86
      vector rates in 1.0724e7, out 1.0724e7, drop 0.0000e0, punt 0.0000e0
    Name                           State            Calls         Vectors  Suspends      Clocks  Vectors/Call
    TenGigabitEtherneta/0/0-output active           94960        20698112         0      1.03e1        217.97
    TenGigabitEtherneta/0/0-tx     active           94960        20698112         0      3.97e1        217.97
    TenGigabitEtherneta/0/1-output active           92238        20698112         0      9.92e0        224.39
    TenGigabitEtherneta/0/1-tx     active           92238        20698112         0      4.26e1        224.39
    cop-input                      active           94960        20698112         0      1.98e1        217.97
    dpdk-input                     polling          95154        41396224         0      4.58e1        435.04
    ethernet-input                 active           92238        20698112         0      1.59e1        224.39
    ip4-cop-whitelist              active           94960        20698112         0      3.24e1        217.97
    ip4-input                      active           94960        20698112         0      3.13e1        217.97
    ip4-input-no-checksum          active           92238        20698112         0      2.23e1        224.39
    ip4-lookup                     active          187198        41396224         0      3.08e1        221.14
    ip4-rewrite                    active          187198        41396224         0      2.47e1        221.14
    unix-epoll-input               polling             93               0         0      1.35e3          0.00

Performance
~~~~~~~~~~~

+-------------------------------+-------+-------------------+
| Test Case                     | Mpps  | Cycles per packet |
+===============================+=======+===================+
| ethip4-ip4base                | 18.81 | 132               |
+-------------------------------+-------+-------------------+
| ethip4-ip4base-copwhtlistbase | 15.12 | 165               |
+-------------------------------+-------+-------------------+

Relative to the ethip4-ip4base baseline, the white-list costs about 33 cycles
per packet.

.. figure:: /_images/ip4-acl-features-ndr.png

Configuration
~~~~~~~~~~~~~

Note: a new VRF (table 1) is created to hold the white-list; the white-listed
prefix 20.20.20.0/24 is added to it as a local route, and the table is then
bound to interface 1 (sw_if_index 1) as its IPv4 white-list before COP is
enabled on that interface. Sources not covered by an entry in table 1 are
dropped on that interface, so the white-list should be complete before
cop_interface_enable_disable is issued.

.. code-block:: console

    $ sudo vppctl ip_add_del_route 10.10.10.0/24 via 1.1.1.1 sw_if_index 2 resolve-attempts 10 count 1
    $ sudo vppctl ip_table_add_del table 1
    $ sudo vppctl ip_add_del_route 20.20.20.0/24 vrf 1 resolve-attempts 10 count 1 local
    $ sudo vppctl cop_whitelist_enable_disable sw_if_index 1 ip4 fib-id 1
    $ sudo vppctl cop_interface_enable_disable sw_if_index 1

Links
~~~~~

- `FIB 2.0: Hierarchical, Protocol Independent. <https://wiki.fd.io/images/7/71/FIB_2.0_-_Hierarchical,_Protocol_Independent..pdf>`__

.. _vppflow:

FD.io VPP Flow
--------------

FD.io VPP Flow adds the ability for FD.io VPP to match flows and take an
associated action. This information is then used to program hardware
accelerations such as those available on network cards, e.g. Intel® Ethernet
Flow Director technology on the Intel® Ethernet Controller X710/XXV710/XL710.

Supports
~~~~~~~~

Actions
"""""""

- Count: keep a hit counter for packets matching the flow.
- Mark: associate a matched flow with arbitrary data, such as a VXLAN tunnel,
  for a lookup in the redirect graph node.
- Buffer Advance: advance the buffer to an encapsulated Ethernet or IP header.
- Redirect to node: when a packet from flow xyz is seen, the next node in
  FD.io VPP is the indicated graph node.
- Redirect to queue: when a packet from flow xyz is seen, redirect it to RX
  queue n.
- Drop: when a packet from flow xyz is seen, drop the packet (the next node is
  error-drop).

Design Notes
~~~~~~~~~~~~

- Currently the only place in FD.io VPP where this is used is to accelerate
  VXLAN by bypassing the Ethernet and IP layers.
- Flow uses the DPDK rte_flow API under the hood for those network interfaces
  programmed through DPDK.
- Redirect to node: remember that if you bypass part of the graph, you also
  bypass every check the skipped graph nodes perform, e.g. time-to-live and
  checksum validation. Whatever a redirected flow skips has to be either
  trusted or re-checked by the node it lands in.

Operational Data
~~~~~~~~~~~~~~~~

FD.io CSIT numbers for VXLAN do not use FD.io VPP Flow support.

Performance
~~~~~~~~~~~

FD.io CSIT numbers for VXLAN do not use FD.io VPP Flow support.

Configuration
~~~~~~~~~~~~~

- `Flow API <https://git.fd.io/vpp/tree/src/vnet/flow/flow.h>`__

.. _classifiers:

FD.io VPP Classifiers
---------------------

The most flexible form of ACLs in FD.io VPP: the user can match on any bytes
within the first 80 bytes of the packet header. A classify table carries a
byte mask; each session in the table carries the bytes to match under that
mask, the next node to send hits to, and an opaque index handed to that node.

Configuration
~~~~~~~~~~~~~

Match on an IPv6 destination address: a table masking the IPv6 destination,
one session for 2001:db8:1::2, and the table applied to L2 input on an
interface:

.. code-block:: console

    $ sudo vppctl classify table mask l3 ip6 dst buckets 64
    $ sudo vppctl classify session hit-next 0 table-index 0 match l3 ip6 dst 2001:db8:1::2 opaque-index 42
    $ sudo vppctl set interface l2 input classify intfc host-s0_s1 ip6-table 0

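How a classify table of the kind configured above decides a hit, as an added, constructed model (not the VPP vnet/classify code): the table holds a byte mask, sessions are keyed by the packet bytes after masking, and a lookup is an exact match on that key. The frame builder, the offsets for an untagged Ethernet/IPv6 frame and the 80-byte window are assumptions of this example; the session (destination 2001:db8:1::2, opaque index 42) mirrors the CLI above.

```python
"""Model of an n-tuple classifier table: a byte mask over the start of the packet
and sessions keyed by the masked bytes (added example, not VPP code)."""
import struct
from ipaddress import IPv6Address
from typing import Optional

MATCH_WINDOW = 80                 # bytes of the packet the classifier may look at

# Assumed layout: untagged Ethernet frame carrying IPv6. The destination
# address occupies bytes 24..39 of the IPv6 header.
ETH_HDR_LEN = 14
IP6_DST_OFF = ETH_HDR_LEN + 24


class ClassifyTable:
    def __init__(self, mask: bytes):
        if len(mask) > MATCH_WINDOW:
            raise ValueError("mask must lie within the first %d bytes" % MATCH_WINDOW)
        self.mask = mask
        self.sessions = {}        # masked key -> opaque index

    def _key(self, data: bytes) -> bytes:
        # Bytes outside the mask are zeroed, so they cannot influence the lookup;
        # short packets are padded with zeros rather than rejected.
        window = data[:len(self.mask)].ljust(len(self.mask), b"\x00")
        return bytes(b & m for b, m in zip(window, self.mask))

    def add_session(self, match: bytes, opaque_index: int) -> None:
        """Store a session; the match bytes are masked the same way as packets."""
        self.sessions[self._key(match)] = opaque_index

    def classify(self, packet: bytes) -> Optional[int]:
        """Return the session's opaque index on a hit, None on a table miss."""
        return self.sessions.get(self._key(packet))


def ip6_dst_mask() -> bytes:
    """Equivalent of 'classify table mask l3 ip6 dst': all-ones over the IPv6
    destination address, zero everywhere else."""
    return b"\x00" * IP6_DST_OFF + b"\xff" * 16


def build_ip6_frame(src: str, dst: str, payload: bytes = b"") -> bytes:
    """Construct a minimal Ethernet/IPv6 frame (constructed test input)."""
    eth = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + b"\x86\xdd"
    # version 6, traffic class/flow label 0; next header 59 (no next header); hop limit 64
    ip6 = struct.pack("!IHBB", 0x60000000, len(payload), 59, 64)
    ip6 += IPv6Address(src).packed + IPv6Address(dst).packed
    return eth + ip6 + payload


def demo() -> dict:
    table = ClassifyTable(ip6_dst_mask())
    # Same session as the CLI above: match dst 2001:db8:1::2, opaque-index 42.
    table.add_session(build_ip6_frame("::", "2001:db8:1::2"), 42)

    hit = build_ip6_frame("2001:db8:1::1", "2001:db8:1::2")
    miss = build_ip6_frame("2001:db8:1::1", "2001:db8:1::3")
    # Same destination from a different source still hits: the source bytes
    # are outside the mask.
    other_src = build_ip6_frame("2001:db8:ffff::9", "2001:db8:1::2", b"payload")
    return {
        "hit": table.classify(hit),
        "miss": table.classify(miss),
        "other_src": table.classify(other_src),
    }


if __name__ == "__main__":
    print(demo())
```

The third lookup is the property to keep in mind when writing a mask: whatever the mask leaves at zero has no influence on the decision, so a mask that is too narrow silently admits traffic that differs only in unmasked fields. In VPP the mask and match are handled in 16-byte vector units (the table's skip and match vector counts), which is why masks are padded out to 16-byte boundaries there.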
Links
~~~~~

- `Overview of classifiers <https://wiki.fd.io/view/VPP/SecurityGroups#Existing_functionality>`__
- `FD.io VPP Classifiers Overview <https://wiki.fd.io/view/VPP/Introduction_To_N-tuple_Classifiers>`__
- `FD.io VPP Classifiers CLI <https://docs.fd.io/vpp/19.04/clicmd_src_vnet_classify.html>`__
- `Sample Code from Andrew Yourt <http://stdio.be/vpp/t/aytest-bridge-tap-py.txt>`__