From: "Ananyev, Konstantin" <konstantin.ananyev@intel.com>
To: Zi Hu <huzilucky@gmail.com>, "dev@dpdk.org" <dev@dpdk.org>
Subject: Re: [dpdk-dev] DPDK ACL bug? pkt matches the wrong ACL rule.
Date: Fri, 15 May 2015 10:10:34 +0000 [thread overview]
Message-ID: <2601191342CEEE43887BDE71AB9772582142F2A7@irsmsx105.ger.corp.intel.com> (raw)
In-Reply-To: <CAOV85Hy2uZ07vBjV3HjB7fhAOv7G=vSCOXJizrJYGRf+E5u46w@mail.gmail.com>
Hi Zi,
> -----Original Message-----
> From: dev [mailto:dev-bounces@dpdk.org] On Behalf Of Zi Hu
> Sent: Friday, May 15, 2015 1:27 AM
> To: dev@dpdk.org
> Subject: [dpdk-dev] DPDK ACL bug? pkt matches the wrong ACL rule.
>
> Hi, there,
>
> I recently noticed that sometimes packets are matched with the wrong ACL
> rules when using the DPDK ACL library.
>
> I tested it with the "testacl" under dpdk/build/app:
> Here are my rule file and trace file:
> cat test_data/rule1
> @192.168.0.0/24 192.168.0.0/24 400 : 500 0 : 52 6/0xff
> @192.168.0.0/24 192.168.0.0/24 400 : 500 54 : 65280 6/0xff
> @192.168.0.0/24 192.168.0.0/24 400 : 500 0 : 65535 6/0xff
>
> cat test_data/trace1
> 0xc0a80005 0xc0a80009 450 53 0x06
>
> I run the test by:
> sudo ./testacl -n 2 -c 4 -- --rulesf=./test_data/rule1
> --tracef=./test_data/trace1
>
> Result:
> .....
> acl context <TESTACL>@0x7f5b43effac0
> socket_id=-1
> alg=2
> max_rules=65536
> rule_size=96
> num_rules=3
> num_categories=3
> num_tries=1
> ipv4_5tuple: 1, category: 0, result: 1
> search_ip5tuples_once(1, 256, sse) returns 1
> search_ip5tuples @lcore 2: 1 iterations, 1 pkts, 1 categories, 21812
> cycles, 21812.000000 cycles/pkt
>
>
> The result shows that the packet matches the second rule, which is wrong.
> The dest port of the pkt is 53, so it should match the third rule.
> How possible could it match the second rule? Anyone see similar situation
> before?
>
> Another interesting I found is that if we make the dest port range to be
> 54 : 65279 in the second rule (only change 65280 to 65279, all other stuff
> remains the same):
>
> cat test_data/rule1
> @192.168.0.0/24 192.168.0.0/24 400 : 500 0 : 52 6/0xff
> @192.168.0.0/24 192.168.0.0/24 400 : 500 54 : 65279 6/0xff
> @192.168.0.0/24 192.168.0.0/24 400 : 500 0 : 65535 6/0xff
>
> Then run the test again, the packet matches the third rule as expected.
>
>
> This seems really weird to me. Anyone has an explanation for that?
Indeed, that looks like a bug.
Will have a look.
Konstantin
>
> thanks
> -Zi
next prev parent reply other threads:[~2015-05-15 10:10 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-05-15 0:27 Zi Hu
2015-05-15 10:10 ` Ananyev, Konstantin [this message]
2015-05-20 14:28 Ananyev, Konstantin
2015-05-20 17:17 ` Zi Hu
[not found] ` <2601191342CEEE43887BDE71AB97725821430903@irsmsx105.ger.corp.intel.com>
2015-05-21 9:41 ` Ananyev, Konstantin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2601191342CEEE43887BDE71AB9772582142F2A7@irsmsx105.ger.corp.intel.com \
--to=konstantin.ananyev@intel.com \
--cc=dev@dpdk.org \
--cc=huzilucky@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).