From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga09.intel.com (mga09.intel.com [134.134.136.24]) by dpdk.org (Postfix) with ESMTP id A9F2C5947 for ; Wed, 20 May 2015 16:28:34 +0200 (CEST) Received: from orsmga001.jf.intel.com ([10.7.209.18]) by orsmga102.jf.intel.com with ESMTP; 20 May 2015 07:28:33 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.13,464,1427785200"; d="scan'208";a="697796145" Received: from irsmsx101.ger.corp.intel.com ([163.33.3.153]) by orsmga001.jf.intel.com with ESMTP; 20 May 2015 07:28:09 -0700 Received: from irsmsx105.ger.corp.intel.com ([169.254.7.73]) by IRSMSX101.ger.corp.intel.com ([169.254.1.217]) with mapi id 14.03.0224.002; Wed, 20 May 2015 15:28:07 +0100 From: "Ananyev, Konstantin" To: Zi Hu , "dev@dpdk.org" Thread-Topic: [dpdk-dev] DPDK ACL bug? pkt matches the wrong ACL rule. Thread-Index: AdCTCQqz8MgmwDZ5T9uZEEjE55zbog== Date: Wed, 20 May 2015 14:28:06 +0000 Message-ID: <2601191342CEEE43887BDE71AB977258214306FB@irsmsx105.ger.corp.intel.com> Accept-Language: en-IE, en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [163.33.239.182] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Subject: Re: [dpdk-dev] DPDK ACL bug? pkt matches the wrong ACL rule. X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: patches and discussions about DPDK List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 20 May 2015 14:28:35 -0000 Hi Zi, > From: dev [mailto:dev-bounces@dpdk.org] On Behalf Of Zi Hu > Sent: Friday, May 15, 2015 1:27 AM > To: dev@dpdk.org > Subject: [dpdk-dev] DPDK ACL bug? pkt matches the wrong ACL rule. >=20 > Hi, there, >=20 > I recently noticed that sometimes packets are matched with the wrong ACL > rules when using the DPDK ACL library. >=20 > I tested it with the "testacl" under dpdk/build/app: > Here are my rule file and trace file: > cat test_data/rule1 > @192.168.0.0/24 192.168.0.0/24 400 : 500 0 : 52 6/0xff > @192.168.0.0/24 192.168.0.0/24 400 : 500 54 : 65280 6/0xff > @192.168.0.0/24 192.168.0.0/24 400 : 500 0 : 65535 6/0xff >=20 > cat test_data/trace1 > 0xc0a80005 0xc0a80009 450 53 0x06 >=20 > I run the test by: > sudo ./testacl -n 2 -c 4 -- --rulesf=3D./test_data/rule1 > --tracef=3D./test_data/trace1 >=20 > Result: > ..... > acl context @0x7f5b43effac0 > socket_id=3D-1 > alg=3D2 > max_rules=3D65536 > rule_size=3D96 > num_rules=3D3 > num_categories=3D3 > num_tries=3D1 > ipv4_5tuple: 1, category: 0, result: 1 > search_ip5tuples_once(1, 256, sse) returns 1 > search_ip5tuples @lcore 2: 1 iterations, 1 pkts, 1 categories, 21812 > cycles, 21812.000000 cycles/pkt >=20 >=20 > The result shows that the packet matches the second rule, which is wrong= . > The dest port of the pkt is 53, so it should match the third rule. > How possible could it match the second rule? Anyone see similar situatio= n > before? >=20 > Another interesting I found is that if we make the dest port range to be > 54 : 65279 in the second rule (only change 65280 to 65279, all other stuf= f > remains the same): >=20 > cat test_data/rule1 > @192.168.0.0/24 192.168.0.0/24 400 : 500 0 : 52 6/0xff > @192.168.0.0/24 192.168.0.0/24 400 : 500 54 : 65279 6/0xff > @192.168.0.0/24 192.168.0.0/24 400 : 500 0 : 65535 6/0xff >=20 > Then run the test again, the packet matches the third rule as expected. >=20 >=20 > This seems really weird to me. Anyone has an explanation for that? >=20 > thanks > -Zi I think I found the culprit. Problem is that acl_merge_trie() sometimes is too aggressive in trying to = conserve some space at build time. So didn't duplicate a node, even when it should. Could you try a patch below? Thanks Konstantin Signed-off-by: Konstantin Ananyev --- lib/librte_acl/acl_bld.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/lib/librte_acl/acl_bld.c b/lib/librte_acl/acl_bld.c index a406737..92a85df 100644 --- a/lib/librte_acl/acl_bld.c +++ b/lib/librte_acl/acl_bld.c @@ -1044,9 +1044,7 @@ acl_merge_trie(struct acl_build_context *context, * a subtree of the merging tree (node B side). Otherwise, * just use node A. */ - if (level > 0 && - node_a->subtree_id !=3D - (subtree_id | RTE_ACL_SUBTREE_NODE)) { + if (level > 0) { node_c =3D acl_dup_node(context, node_a); node_c->subtree_id =3D subtree_id | RTE_ACL_SUBTREE_NODE; } --=20 1.8.5.3