Skip to Content.

rare-dev - Re: [rare-dev] PBR flow label access-list

Subject: Rare project developers

List archive


Re: [rare-dev] PBR flow label access-list


Chronological Thread 
    < Chronological >      < Thread >
  • From: Carmen Misa Moreira <>
  • To: <>
  • Subject: Re: [rare-dev] PBR flow label access-list
  • Date: Tue, 30 Nov 2021 13:36:27 +0100
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 188.184.36.16) smtp.rcpttodomain=lists.geant.org smtp.mailfrom=cern.ch; dmarc=bestguesspass action=none header.from=cern.ch; dkim=none (message not signed); arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=kWBRx0StIgELXjMAiAXJx9sdCc7TiqRqUnhdnO/EJuw=; b=i57lIKOW0XN2YQtL2Plo1WUdxGH5xgG7AYPRwJBEUiWq0aJXsOa3xOv/X4i27PDL+nkXd4ieIumnUWyKcNBjwfgF7bMnOhP9DSKfU5Zdz67wQkvCktqwepLsWgNl8o+kZaQJcJvSKs/IDMGS4Qp1FDqSN1ed2RxHkmSMLuDellEzGVWwqL6b7wuI4UzXKw/pwXPoQdfka9u/+OeoQqo1Wg/bALU/xRuqYhDdjKjjYWTJ5LCyNhAfPJzI+zjhXhBtOR1ZDUYY91MbAVzXrYtUcAdBxjDrRSKnx7AL/ZWIc2b0q+QdTLzacgrfRNe4P6k67CXNaqDIFtQDh57oLkqOlA==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=XnhsDuoKnQLQKYRCs1q0kJF8S/JypDS1K+uEYQ5T7VzHMZmXoNM5ywx8I+CRlB/YpDiN+iBqMCCo1Aw9gNs9kT/ZD5M+ywIfNbhuIg0ZpRxLC8b54pncWgv3p4nYwMQ6VrTNQ3Vy9AOspp3+per1HeF4Ub8usYSDCIVuMzzYnsnv4F6ltQbR8sXGHbrdle6nG8ALZq7CVrPvGcvKbmX5HIlxEQeimmdotu7QwvTEWPzlLUGdDkqzItEHYyGo0ideNam7KyzF/Edv+lVyIrfY591gH7P7olX/vwU6suVia2vsVtaYt3u45aCTLt1ujDUauG5WBjd8x3uhrerkbyyi+Q==
Hi Csaba,

Thanks, that was one of my first thoughts :)

Also, I noted that the PBR is executed on the first PBR declared, for example:

ipv6 pbr inet sequence 10 ipv6_flowlabel_10 inet nexthop fc01:10::2

ipv6 pbr inet sequence 20 ipv6_flowlabel_20 inet nexthop fc01:10::2

ipv6 pbr inet sequence 30 ipv6_flowlabel_30 inet nexthop fc01:10::2

Will works for the first one, it will route to fc01:10::2 all the traffic label with fl=10 but not for fl=20 and 30

BUT

If I change the order in the declaration, for example to this one:

ipv6 pbr inet sequence 10 ipv6_flowlabel_20 inet nexthop fc01:10::2

ipv6 pbr inet sequence 20 ipv6_flowlabel_10 inet nexthop fc01:10::2

ipv6 pbr inet sequence 30 ipv6_flowlabel_30 inet nexthop fc01:10::2

It will route to fc01:10::2 all the traffic label with fl=20 but not for fl=10 and 30

There is some priority in the declaration? Or maybe it can be only one PBR declaration per link?

Thanks for your time!

Best regards,

Carmen Misa


On 30.11.21 13:15, mc36 wrote:
hi,
at the moment of writing, the p4 dataplanes can only match against a single flow label...
adding ranges could be done but as far as i know should be avoided, at least on tofino....
but on the other hand, the p4 code currently matches against masks on flowlabel, but
as i've seen in freerouter it does not yet takes advantage of this when exporting.... :)
regards,
cs


On 11/30/21 13:07, Carmen Misa Moreira wrote:
Hi all,

I see something weird in my access-list declarations...

If I declare the access-list like this (just with a single value) it works:

access-list ipv6_flowlabel_10
 sequence 10 permit all any all any all flow 10
 exit

But if I declare it with a range of values, it doesn't work:

access-list ipv6_flowlabel_10
 sequence 10 permit all any all any all flow 10-20
 exit

There is one example on the FreeRtr self-test but is using access-group-in: http://sources.nop.hu/cfg/crypt-acl72.tst

I was wondering if there is a limitation to match just a single flow label value in the access-list.

Best regards,

Carmen Misa


Archive powered by MHonArc 2.6.19.

Top of Page