From: Shyam Shrivastav
Date: Sat, 18 Mar 2017 21:58:51 +0530
To: dev@dpdk.org
Cc: Shyam Shrivastav
Subject: Re: [dpdk-dev] ip_pipeline firewall port range filtering

I took older versions dpdk-stable-16.07.2 & dpdk-16.04 (almost one year old), went through code changes in relevant libraries librte_table (acl part only) and librte_acl, looks like no changes to acl compilation and matching part since then.
Has anyone got specific port filtering working with ACLs?
Looks like I have to go through ACL compilation/classify code which looks quite difficult :(

On Fri, Mar 17, 2017 at 12:31 PM, Shyam Shrivastav <shrivastav.shyam@gmail.com> wrote:

> Hi
>
> I am trying to just allow tcp dest port 80 packets using ip_pipeline
> firewall, configured as under
> ------------------------------------------------------------
> pipeline> p 1 firewall add priority 1 ipv4 0.0.0.0 0 0.0.0.0 0 0 65535 80 80 6 0xF port 0
> pipeline> p 1 firewall ls
> Prio = 1 (SA = 0.0.0.0/0, DA = 0.0.0.0/0, SP = 0-65535, DP = 80-80, Proto = 6 / 0xf) => Port = 0 (entry ptr = 0x7fddf9f0ff08)
> Default rule: DROP
> ------------------------------------------------------------
>
> but it is not working and all tcp packets are getting dropped. If I
> configure dest port range to be wildcard (0-65535) then tcp packets are
> allowed
>
> ------------------------------------------------------------
> pipeline> p 1 firewall add priority 1 ipv4 0.0.0.0 0 0.0.0.0 0 0 65535 0 65535 6 0xF port 0
> Prio = 1 (SA = 0.0.0.0/0, DA = 0.0.0.0/0, SP = 0-65535, DP = 0-65535, Proto = 6 / 0xf) => Port = 0 (entry ptr = 0x7fddf9f0ff08)
> pipeline> p 1 firewall ls
> Prio = 1 (SA = 0.0.0.0/0, DA = 0.0.0.0/0, SP = 0-65535, DP = 0-65535, Proto = 6 / 0xf) => Port = 0 (entry ptr = 0x7fddf9f0ff08)
> Default rule: DROP
> ------------------------------------------------------------
>
> Anyone here got specific port filtering work with ip_pipeline firewall?
> I am debugging this, meanwhile any help/guidance would be greatly
> appreciated.
>
> Thanks and rgds
>
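Added example, not part of the original message and not DPDK code: a reference matcher for the rule as `firewall ls` prints it, useful for checking what the pipeline should return for a given packet. The struct, function names and sample packets are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Fields as printed by `firewall ls`; struct and names are hypothetical. */
struct fw_rule {
    uint32_t sa, da;                     /* host byte order */
    uint8_t sa_depth, da_depth;          /* prefix lengths */
    uint16_t sp_lo, sp_hi, dp_lo, dp_hi; /* inclusive ranges */
    uint8_t proto, proto_mask;
    int out_port;
};

static uint32_t prefix_mask(uint8_t depth) {
    return depth ? 0xFFFFFFFFu << (32 - depth) : 0; /* /0 matches everything */
}
static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const uint8_t *p) { return (uint32_t)be16(p) << 16 | be16(p + 2); }

/* pkt points at the IPv4 header. Returns out_port on match, -1 for default DROP. */
int fw_match(const struct fw_rule *r, const uint8_t *pkt, size_t len) {
    if (len < 20 || pkt[0] >> 4 != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;
    if (ihl < 20 || len < ihl + 4) return -1;
    /* Ports are big-endian on the wire: decode before the range compare.
       A raw load on a little-endian host reads port 80 as 0x5000 (20480). */
    uint16_t sp = be16(pkt + ihl), dp = be16(pkt + ihl + 2);
    if ((pkt[9] & r->proto_mask) != (r->proto & r->proto_mask)) return -1;
    if ((be32(pkt + 12) ^ r->sa) & prefix_mask(r->sa_depth)) return -1;
    if ((be32(pkt + 16) ^ r->da) & prefix_mask(r->da_depth)) return -1;
    if (sp < r->sp_lo || sp > r->sp_hi || dp < r->dp_lo || dp > r->dp_hi) return -1;
    return r->out_port;
}

/* Constructed sample input: minimal 20-byte IPv4 header plus L4 ports. */
size_t make_pkt(uint8_t buf[24], uint8_t proto, uint16_t sport, uint16_t dport) {
    static const uint8_t ip[20] = {0x45, 0, 0, 24, 0, 0, 0, 0, 64, 0, 0, 0,
                                   10, 0, 0, 1, 10, 0, 0, 2};
    memcpy(buf, ip, sizeof ip);
    buf[9] = proto;
    buf[20] = (uint8_t)(sport >> 8); buf[21] = (uint8_t)sport;
    buf[22] = (uint8_t)(dport >> 8); buf[23] = (uint8_t)dport;
    return 24;
}

/* Rule from the post: any SA/DA, SP 0-65535, DP 80-80, proto 6/0xF, port 0. */
const struct fw_rule rule_dp80 = {0, 0, 0, 0, 0, 65535, 80, 80, 6, 0x0F, 0};
```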