From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <shrivastav.shyam@gmail.com>
Received: from mail-qt0-f169.google.com (mail-qt0-f169.google.com
 [209.85.216.169]) by dpdk.org (Postfix) with ESMTP id 976F569D8;
 Fri, 17 Mar 2017 06:52:55 +0100 (CET)
Received: by mail-qt0-f169.google.com with SMTP id x35so55109126qtc.2;
 Thu, 16 Mar 2017 22:52:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=mime-version:from:date:message-id:subject:to:cc;
 bh=Lb1F622F974+a9O4BLjIZsdOBuVI9/G+gFhZ5b36wMY=;
 b=BkEA9Iv+kpWovRt5W6TWkM6EeQE0Nw/GtfUJdFdyjfcW4RFXkt0ED47EoISRyoJIJQ
 3wpQhY8EiNjniijKDJgGUOcoYJVPZ9QE0b2vPAnmqFwkmsS1ikxFBpRMo6+EzKS8uyru
 1I9dYunBA1gGOXQFNlCZXBIDVuscgQlIInI9tvinwIk0Fe95rhVSUaz+vP9tph8VuR+Z
 L1Ah9k4wyPzbtR1Xzr7BXcSqMKEWPp74sFtI1fvwdDmZE7Lb+h0T9Ou3vho9eW4D1WXb
 KDrJOm1L7P0agar6Cab1reEM/vnNxs43eeQ96Y2SlAMUe4Qx4fjczh3Lhrc1qYNUueou
 OMHA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc;
 bh=Lb1F622F974+a9O4BLjIZsdOBuVI9/G+gFhZ5b36wMY=;
 b=f2JbkJ4auJWbqf6h3+TEL/mYv83DExPP+CQ2JI3BBQFqSi+d91AslWT5ORAymZ3+N0
 0E+Y7mzLnTSLne3BtMfiIr45bStDOS3sjf3GGAEsyHDFycs43L04ESaXH5bY8eUBSVzP
 ZpXayLUqkV/uQOYwreU8NktI6xpDuH8cBciH7xi9cEQUQqlPeKIJDrEp42Lt4sW8fa6l
 9KMxvkebpDXHMJuxRFbhEGkN+1ax+xgFzqdKSme6PGieM69L6q2H1l7VhIWRe2X714WD
 cquqk+0MqcM6HoARNfdg96pr0TKpGWW+4xvyeoXdQKJkjRfu7Iu5t+tEZp03Ky7QGekF
 Fa5Q==
X-Gm-Message-State: AFeK/H1sMkQzRHeJsv6QdcTRgxTbYdeJhgZf6aMEGpSXR7LRMEbMUMt6QlD4VDz47M8E1ZnuiJnYuetvE6ddSQ==
X-Received: by 10.200.41.42 with SMTP id y39mr11637668qty.37.1489729975005;
 Thu, 16 Mar 2017 22:52:55 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.12.156.15 with HTTP; Thu, 16 Mar 2017 22:52:54 -0700 (PDT)
From: Shyam Shrivastav <shrivastav.shyam@gmail.com>
Date: Fri, 17 Mar 2017 11:22:54 +0530
Message-ID: <CAGSp03kNzs_oiaQ4faqEyMAh=iWZx+9U+Bfzg6jUyS9YRO_koA@mail.gmail.com>
To: dev@dpdk.org, users@dpdk.org
Cc: Shyam Shrivastav <shrivastav.shyam@gmail.com>
Content-Type: text/plain; charset=UTF-8
X-Content-Filtered-By: Mailman/MimeDel 2.1.15
Subject: [dpdk-dev] ip_pipeline firewall : fragmented ipv4 packets handling
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <http://dpdk.org/ml/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://dpdk.org/ml/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <http://dpdk.org/ml/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Mar 2017 05:52:55 -0000

Again sending this issue as no response on original post. As per my
understanding if we are supporting ACL on tcp/usp port ranges then ipv4
packets must be reassembled before  checking against ACL, then fragmented
if required during forwarding. So there are three cases

1) My understanding is wrong then please correct me.
2) We correct this in examples wherever we are supporting access control on
udp/tcp ports.
3) We document this clearly.


-------------------------------------------------
Below is my original post

-------------------------------------------------
Hi All

Filtering based on TCP/UDP fields like src/dest port range works correctly
only on non-fragmented packets , that means reassembly must be done before
packets hit firewall rules table. Also  packets must be fragmented before
transmission if larger than port mtu. This is unsupported currently, any
plans for this in near future?

Regards