Skip to Content.

rare-dev - Re: [rare-dev] PBR flow label access-list

Subject: Rare project developers

List archive


Re: [rare-dev] PBR flow label access-list


Chronological Thread 
    < Chronological >      < Thread >
  • From: mc36 <>
  • To: Maria Del Carmen Misa Moreira <>
  • Cc: "" <>
  • Subject: Re: [rare-dev] PBR flow label access-list
  • Date: Wed, 8 Dec 2021 17:57:16 +0100
after rereading, i should append a sentence and correcting the equation....
so please ignore the previous mail... :)

On 12/8/21 17:51, mc36 wrote:
hi,

fist of all sorry for my cryptic phrasing in the original mail...

hopefully i'll do better this time... :)

exactly... so this is what hardware can do at the moment very efficiently...
but as the mask and the required-bits can be anything, you can express
basically
really random stuff like 0x120012 & 0xff00ff or so...

the only thing need to be kept in mind is the originally linked code
snippet does some black magic to align the cisco ios behaviour...
that is, you can easily express ... flow 128-255 and it'll be translated
by "return mat.rangeMin + " " + (max - mat.rangeMax + mat.rangeMin);"
to 128 & (1048575-255+127=0xFFF7F)... that is, it'll care only about
all the bits except the 0x80, because that one will be masked out...
>
now we only need to reverse the equalation if we want to express
120012&ff00ff:
so the 120012 wont change as it'll be sent as is to the asic, but to have the
mask we have to solve for x in x=1048575-0xff00ff+0x120012...
(please note that i've just written in the fields:))

so finally you'll config your ace like ... flow 1179666-solvedX...
this was a bad example as flowlabel's max is fffff...



and finally, i bet you for now you caught this pokemon, but if still
have questions, surely we can have a vc...

and yeahh, you're very welcome to do any hacks on the code! :)

regards,
cs

On 12/8/21 17:24, Maria Del Carmen Misa Moreira wrote:
Hi Csaba,

I'm very interesting in this 'random match' bits so I will be more than happy to work with you. Also, maybe this random bit approach could be useful to another features. I look at the function that you mention here on github 'numat2str' and the bitmask operation 0x80 & 0xfffe0 but it's not clear to me how to reverse the operation.

0x80 = 1000 0000 -> most significant bit
0xfffe0 = 1111 1111 1111 1110 0000 -> 15th most signicant bits

but what about the rest of the bits in the middle?

I was thinking on this feature and maybe it can be added something like that:

access-list ipv6_flowlabel_10
sequence 10 permit all any all any all flow 10 from 7 to 12
exit

Note the 'from 7 to 12' which can means 'match bits from 7 to 12 of the
20-bits'.

If you want we can have a brief talk on zoom where you can explain this in a more detailed way and tell me if I can help you in the development of this feature in freeRtr, you can count with me.

Cheers,
Carmen Misa


On 01/12/2021 16:59 mc36 <> wrote:

hi,
so as far as i understand the asic internals, it's just using a generic
prefix and mask approach
so you could be able to mask out arbitrary bits and match against only the
needed ones...
however, with the current freerouter exporter, it will be a bit hard to
implement such
matches as it tries to convert the access list's range construct to bitmask
operation,
and assumes that you're matching on bit boundaries like 128-255, which then
translated
to 0x80 & 0xfffe0 for the hardware... i'm not saying that it's impossible to
achieve,
but you'll have to do the reverse what freerouter does for it to happen:
https://github.com/mc36/freeRouter/blob/68b609eb2d5bb4d8b9c4304ccb39b562374a4235/src/net/freertr/serv/servP4lang.java#L4507
regards,
cs



On 12/1/21 12:15, Carmen Misa Moreira wrote:
Hi all,

I'm glad to hear that I'm not the only pokemon nerd here on the team [actually
> 40 level in Pokemon Go] :)

Regarding the possibility of using masks I was thinking about the possibility
of matching just some bits in the middle of the 20-bits available, for
example, xxxxx 01234 xxxxx
xxxxx or something like that. @Csaba do you have an idea about how flexible
could it be?

Best regards,

Carmen Misa


On 30.11.21 15:43, mc36 wrote:
hi,
it was a bit bigger one but a good pokemon to catch... :)
https://github.com/mc36/freeRouter/commit/f491e34217fed441a94cfa38dbefbb5c87313390
now some testing then it should be out by at tomorrow morning...
if your switch have internet access then issue "flash upgrade"...
if not, then you'll have to manually upgrade rtr.jar from
freertr.net/rtr.jar...
regards,
cs




On 11/30/21 14:07, mc36 wrote:
hi,
so exporting the masks was easy-peasy:
https://github.com/mc36/freeRouter/commit/b77d1d537da0500b93c7efb2a4a6df1d0b5440b9
now the more entries will follow...
regards,
cs



On 11/30/21 13:56, mc36 wrote:
hi,
so it's an issue how freerouter exports the acls...
at the moment, only the first rule is exported...
the dataplanes have no limitation at all, they could
accommodate arbitrary combinations...
when this was done, i was thinking on how it could be done
with a single match-action table, and allowing any mix of permit/deny...
then soon i figured out that if we would want to keep the single table
approach then only one can work.. keeping permit/deny or allowing more
entries to be exported... here is a sample showing the issue with both:

access-list acl1
deny all any all any all flow 11-111
permit all any all any all flow 0-1111

access-list acl2
permit all any all any all flow 22

so if it would be exported sequentially, then packets with flow 22
would match on the first acl, and as the action is already taken,
the asic would not examine the table further... so for this to work
correctly, two tables would be needed... but from this example, it's
easy to any number of acls that needs more and more tables to work...

but imho, keeping these in mind, it would be much nicer if freerouter
at least tries to export not just the first entry, and drop a warning
when it encounters an invalid combination.... afterall it's not a big
deal so imho i'll jump into this soon...

regards,
cs

ps: the same could be observed with asr9k and policy-maps:



RP/0/RP0/CPU0:a7a(config)#show configuration
Tue Nov 30 12:48:51.042 UTC
Building configuration...
!! IOS XR Configuration 7.3.2
ipv4 access-list a1
10 deny icmp any any
20 permit ipv4 any any
!
!
class-map match-any cm1
match access-group ipv4 a1
end-class-map
!
!
policy-map pm1
class cm1
police rate 100000 bps
!
!
class class-default
!
end-policy-map
!
interface GigabitEthernet0/0/0/1
service-policy output pm1
!
end

RP/0/RP0/CPU0:a7a(config)#commit
Tue Nov 30 12:48:54.422 UTC

% Failed to commit one or more configuration items during a pseudo-atomic
operation. All changes made have been reverted. Please issue 'show
configuration failed [inheritance]'
from this session to view the errors
RP/0/RP0/CPU0:a7a(config)#show configuration failed
Tue Nov 30 12:48:57.524 UTC
!! SEMANTIC ERRORS: This configuration was rejected by
!! the system due to semantic errors. The individual
!! errors with each failed configuration command can be
!! found below.


interface GigabitEthernet0/0/0/1
service-policy output pm1
!!% 'sunstone-km' detected the 'warning' condition 'Deny ace not supported in
access-list'
!
end

RP/0/RP0/CPU0:a7a(config)#








On 11/30/21 13:36, Carmen Misa Moreira wrote:
Hi Csaba,

Thanks, that was one of my first thoughts :)

Also, I noted that the PBR is executed on the first PBR declared, for example:

ipv6 pbr inet sequence 10 ipv6_flowlabel_10 inet nexthop fc01:10::2

ipv6 pbr inet sequence 20 ipv6_flowlabel_20 inet nexthop fc01:10::2

ipv6 pbr inet sequence 30 ipv6_flowlabel_30 inet nexthop fc01:10::2

Will works for the first one, it will route to fc01:10::2 all the traffic
label with fl=10 but not for fl=20 and 30

BUT

If I change the order in the declaration, for example to this one:

ipv6 pbr inet sequence 10 ipv6_flowlabel_20 inet nexthop fc01:10::2

ipv6 pbr inet sequence 20 ipv6_flowlabel_10 inet nexthop fc01:10::2

ipv6 pbr inet sequence 30 ipv6_flowlabel_30 inet nexthop fc01:10::2

It will route to fc01:10::2 all the traffic label with fl=20 but not for
fl=10 and 30

There is some priority in the declaration? Or maybe it can be only one PBR
declaration per link?

Thanks for your time!

Best regards,

Carmen Misa


On 30.11.21 13:15, mc36 wrote:
hi,
at the moment of writing, the p4 dataplanes can only match against a single
flow label...
adding ranges could be done but as far as i know should be avoided, at least
on tofino....
but on the other hand, the p4 code currently matches against masks on
flowlabel, but
as i've seen in freerouter it does not yet takes advantage of this when
exporting.... :)
regards,
cs


On 11/30/21 13:07, Carmen Misa Moreira wrote:
Hi all,

I see something weird in my access-list declarations...

If I declare the access-list like this (just with a single value) it works:

access-list ipv6_flowlabel_10
sequence 10 permit all any all any all flow 10
exit

But if I declare it with a range of values, it doesn't work:

access-list ipv6_flowlabel_10
sequence 10 permit all any all any all flow 10-20
exit

There is one example on the FreeRtr self-test but is using access-group-in:
http://sources.nop.hu/cfg/crypt-acl72.tst

I was wondering if there is a limitation to match just a single flow label
value in the access-list.

Best regards,

Carmen Misa


Archive powered by MHonArc 2.6.19.

Top of Page