
[Nokia-7215] Dataplane IPv6 ACL rule cannot match packet correctly #20255

lizhijianrd commented Sep 13, 2024

Description

On the latest 202311 marvell-armhf image, a dataplane ACL rule cannot match packets correctly. Please check the details in the repro steps.

Steps to reproduce the issue:

On a Nokia-7215 Mx DUT with the latest 202311 image installed:

  1. [On DUT] Create the file acl_table_types.json with the content below:
{
    "ACL_TABLE_TYPE": {
        "BMCDATAV6": {
            "MATCHES": ["SRC_IPV6", "DST_IPV6", "ETHER_TYPE", "IP_TYPE", "IP_PROTOCOL", "IN_PORTS", "L4_SRC_PORT", "L4_DST_PORT", "L4_SRC_PORT_RANGE", "L4_DST_PORT_RANGE", "ICMPV6_TYPE", "ICMPV6_CODE", "TCP_FLAGS"],
            "ACTIONS": ["PACKET_ACTION", "COUNTER"],
            "BIND_POINTS": ["PORT"]
        }
    }
}
  2. [On DUT] Issue the command below to add the custom ACL table type to the running config:
admin@sonic:~$ sudo sonic-cfggen -j acl_table_types.json -w
  3. [On DUT] Issue the command below to set up the ACL table:
admin@sonic:~$ sudo config acl add table NORTHBOUND_V6 BMCDATAV6 -p Ethernet0,Ethernet1,Ethernet2 -s ingress
  4. [On DUT] Confirm the ACL table is active:
admin@sonic:~$ show acl table NORTHBOUND_V6
Name           Type       Binding    Description    Stage    Status
-------------  ---------  ---------  -------------  -------  --------
NORTHBOUND_V6  BMCDATAV6  Ethernet0  NORTHBOUND_V6  ingress  Active
                          Ethernet1
                          Ethernet2
  5. [On DUT] Create the file acl.json with the contents below:
{
    "acl": {
        "acl-sets": {
            "acl-set": {
                "NORTHBOUND_V6": {
                    "acl-entries": {
                        "acl-entry": {
                            "4000_AD_HOC_TCP_SYN": {
                                "actions": {
                                    "config": {
                                        "forwarding-action": "DROP"
                                    }
                                },
                                "config": {
                                    "sequence-id": 4000
                                },
                                "ip": {
                                    "config": {
                                        "protocol": "6"
                                    }
                                },
                                "l2": {
                                    "config": {
                                        "ethertype": 34525
                                    }
                                },
                                "transport": {
                                    "config": {
                                        "tcp-flags": [
                                            "TCP_SYN"
                                        ]
                                    }
                                }
                            },
                            "4001_AD_HOC_ALLOW_ICMPV6_ECHO": {
                                "actions": {
                                    "config": {
                                        "forwarding-action": "ACCEPT"
                                    }
                                },
                                "config": {
                                    "sequence-id": 4001
                                },
                                "icmp": {
                                    "config": {
                                        "code": 0,
                                        "type": 129
                                    }
                                },
                                "ip": {
                                    "config": {
                                        "destination-ip-address": "fc03::1/128",
                                        "protocol": "58"
                                    }
                                },
                                "l2": {
                                    "config": {
                                        "ethertype": 34525
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}
  6. [On DUT] Issue the command below to apply the ACL rules:
admin@sonic:~$ acl-loader update full acl.json
  7. [On DUT] Confirm the ACL rules are active:
admin@sonic:~$ show acl rule NORTHBOUND_V6
Table          Rule       Priority    Action    Match                  Status
-------------  ---------  ----------  --------  ---------------------  --------
NORTHBOUND_V6  RULE_4000  6000        DROP      ETHER_TYPE: 34525      Active
                                                IP_PROTOCOL: 6
                                                TCP_FLAGS: 0x02/0x02
NORTHBOUND_V6  RULE_4001  5999        FORWARD   DST_IPV6: fc03::1/128  Active
                                                ETHER_TYPE: 34525
                                                ICMPV6_CODE: 0
                                                ICMPV6_TYPE: 129
                                                IP_PROTOCOL: 58
  8. [On DUT] Clear the interface counters before sending packets in step 11:
admin@sonic:~$ portstat -c
Cleared counters
  9. [On PTF Container] Install the ptf Python package:
root@fef264db69e9:~# pip3 install ptf
Collecting ptf
  Downloading https://files.pythonhosted.org/packages/96/dd/c405056362da86494af91aed03cde223612699ccfd0216a0464776f9163a/ptf-0.10.0-py3-none-any.whl (59kB)
    100% |████████████████████████████████| 61kB 874kB/s
Installing collected packages: ptf
Successfully installed ptf-0.10.0
  10. [On PTF Container] Open a Python interactive shell and issue the commands below to send 100 ICMPv6 ECHO REPLY packets:
root@fef264db69e9:~# python3
Python 3.7.3 (default, Mar 23 2024, 16:12:05)
[GCC 8.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from ptf import testutils
WARNING:root:ROCEv2 support not found in Scapy
WARNING:root:ERSPAN support not found in Scapy
WARNING:root:GENEVE support not found in Scapy
Using packet manipulation module: ptf.packet_scapy
>>> pkt = testutils.simple_icmpv6_packet(ipv6_dst='fc03::1', icmp_type=129)
>>> sendp(pkt, iface='eth0', count=100)
....................................................................................................
Sent 100 packets.
>>>

Describe the results you received:

[On DUT] Check the ACL counters before and after sending the ICMPv6 packets with aclshow -a. We can see the counter of RULE_4000 increased by 100, but the counter of RULE_4001 doesn't increase. That's incorrect behavior.

admin@sonic:~$ aclshow -a
RULE NAME    TABLE NAME       PRIO    PACKETS COUNT    BYTES COUNT
-----------  -------------  ------  ---------------  -------------
RULE_4000    NORTHBOUND_V6    6000               15           1542
RULE_4001    NORTHBOUND_V6    5999                0              0
admin@sonic:~$ aclshow -a
RULE NAME    TABLE NAME       PRIO    PACKETS COUNT    BYTES COUNT
-----------  -------------  ------  ---------------  -------------
RULE_4000    NORTHBOUND_V6    6000              115          11942
RULE_4001    NORTHBOUND_V6    5999                0              0

Describe the results you expected:

ACL counter of RULE_4001 should increase by 100.

I can see the correct behavior on an old 202311 image:

admin@sonic:~$ aclshow -a
RULE NAME    TABLE NAME       PRIO    PACKETS COUNT    BYTES COUNT
-----------  -------------  ------  ---------------  -------------
RULE_4000    NORTHBOUND_V6    6000                0              0
RULE_4001    NORTHBOUND_V6    5999                0              0
admin@sonic:~$ aclshow -a
RULE NAME    TABLE NAME       PRIO    PACKETS COUNT    BYTES COUNT
-----------  -------------  ------  ---------------  -------------
RULE_4000    NORTHBOUND_V6    6000                0              0
RULE_4001    NORTHBOUND_V6    5999              100          10400

Output of show version:

(paste your output here)

Output of show techsupport:

(paste your output here or download and attach the file here)

Additional information you deem important (e.g. issue happens only occasionally):

@johnchiucc commented:

After analysis, I suggest using the qualifier NEXT_HEADER instead of IP_PROTOCOL for IPv6 rules, then doing a config load to apply it. One example is at the bottom.

Analysis
A similar workaround in the Marvell SAI was removed to avoid a redundant part (it duplicated the sonic-swss workaround) and to improve the ACL arrangement. The change passes the community test cases, but this combination of the IP_PROTOCOL qualifier and a custom IPv6 table type was not expected. Thus it exposes this SONiC qualifier-setting difference between IPv4 and IPv6.

    // TODO: For backwards compatibility, users can substitute IP_PROTOCOL for NEXT_HEADER.
    // This should be removed in a future release.
    if ((m_pTable->type.getName() == TABLE_TYPE_MIRRORV6 || m_pTable->type.getName() == TABLE_TYPE_L3V6)
            && attr_name == MATCH_IP_PROTOCOL)
    {
        SWSS_LOG_WARN("Support for IP protocol on IPv6 tables will be removed in a future release, please switch to using NEXT_HEADER instead!");
        attr_name = MATCH_NEXT_HEADER;
    }

Working scenario
With the ACL configuration aligned to the config schema, using NEXT_HEADER, and applied with config load:

root@str-marvell-acs-1:/home/admin# cat acl_table_types.json
{
   "ACL_TABLE_TYPE": {
       "BMCDATAV6": {
           "MATCHES": ["SRC_IPV6", "DST_IPV6", "ETHER_TYPE", "IP_TYPE", "IN_PORTS", "L4_SRC_PORT", "L4_DST_PORT", "L4_SRC_PORT_RANGE", "L4_DST_PORT_RANGE", "ICMPV6_TYPE", "ICMPV6_CODE", "TCP_FLAGS", "NEXT_HEADER"],
           "ACTIONS": ["PACKET_ACTION", "COUNTER"],
           "BIND_POINTS": ["PORT"]
       }
   }
}
root@str-marvell-acs-1:/home/admin#
root@str-marvell-acs-1:/home/admin# cat acl_test.json
{
   "ACL_RULE": {
       "NORTHBOUND_V6|4000_AD_HOC_TCP_SYN": {
           "NEXT_HEADER": "6",
           "ETHER_TYPE": "34525",
           "PRIORITY": "6000",
           "TCP_FLAGS": "0x02/0x02",
           "PACKET_ACTION": "DROP"
       },
       "NORTHBOUND_V6|4001_AD_HOC_ALLOW_ICMPV6_ECHO": {
           "PACKET_ACTION": "FORWARD",
           "PRIORITY": "5999",
           "DST_IPV6": "fc03::1/128",
           "NEXT_HEADER": "58",
           "ETHER_TYPE": "34525",
           "ICMPV6_CODE": "0",
           "ICMPV6_TYPE": "129"
       }
   }
}

root@str-marvell-acs-1:/home/admin# sonic-cfggen -j acl_table_types.json -w
root@str-marvell-acs-1:/home/admin# config acl add table NORTHBOUND_V6 BMCDATAV6 -p Ethernet0,Ethernet1,Ethernet2 -s ingress
root@str-marvell-acs-1:/home/admin# config load acl_test.json -y
Running command: /usr/local/bin/sonic-cfggen -j acl_test.json --write-to-db

[two screenshots attached to the comment, not reproduced here]
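As an added example (not code from this issue, from SONiC, or from either commenter), the check below works on config_db-style ACL_TABLE_TYPE / ACL_TABLE / ACL_RULE data like the comment's working scenario. It flags IPv6 rules that still carry IP_PROTOCOL on a custom table type, the combination that aclorch's compatibility branch above does not rewrite to NEXT_HEADER for the reporter's BMCDATAV6 table, and produces the NEXT_HEADER form of both the rules and the table type before config load. The sample config is constructed from the rules in this issue; the ACL_TABLE `type` field is the standard config_db key.

```python
import copy

IPV6_ETHERTYPE = "34525"  # 0x86DD, the ETHER_TYPE value used in this issue
IPV6_ONLY_MATCHES = {"SRC_IPV6", "DST_IPV6", "ICMPV6_TYPE", "ICMPV6_CODE", "NEXT_HEADER"}
BUILTIN_V6_TYPES = {"MIRRORV6", "L3V6"}  # the only types aclorch rewrites IP_PROTOCOL for
# Constructed sample in config_db form, using the table type and rules from the issue.
SAMPLE_CFG = {
    "ACL_TABLE_TYPE": {"BMCDATAV6": {
        "MATCHES": ["DST_IPV6", "ETHER_TYPE", "IP_PROTOCOL", "ICMPV6_TYPE", "ICMPV6_CODE", "TCP_FLAGS"],
        "ACTIONS": ["PACKET_ACTION", "COUNTER"], "BIND_POINTS": ["PORT"]}},
    "ACL_TABLE": {"NORTHBOUND_V6": {"type": "BMCDATAV6", "stage": "ingress"}},
    "ACL_RULE": {
        "NORTHBOUND_V6|RULE_4000": {"PRIORITY": "6000", "ETHER_TYPE": IPV6_ETHERTYPE, "IP_PROTOCOL": "6",
                                    "TCP_FLAGS": "0x02/0x02", "PACKET_ACTION": "DROP"},
        "NORTHBOUND_V6|RULE_4001": {"PRIORITY": "5999", "ETHER_TYPE": IPV6_ETHERTYPE, "IP_PROTOCOL": "58",
                                    "DST_IPV6": "fc03::1/128", "ICMPV6_TYPE": "129", "ICMPV6_CODE": "0",
                                    "PACKET_ACTION": "FORWARD"}}}

def table_type_of(cfg, rule_key):
    """Resolve a 'TABLE|RULE' key to the table's type via ACL_TABLE."""
    return cfg.get("ACL_TABLE", {}).get(rule_key.split("|", 1)[0], {}).get("type")

def is_ipv6_rule(cfg, rule_key, rule):
    """IPv6 if the rule matches ETHER_TYPE 0x86DD or an IPv6-only field, or its table type does."""
    if rule.get("ETHER_TYPE") == IPV6_ETHERTYPE or IPV6_ONLY_MATCHES & set(rule):
        return True
    spec = cfg.get("ACL_TABLE_TYPE", {}).get(table_type_of(cfg, rule_key), {})
    return bool(IPV6_ONLY_MATCHES & set(spec.get("MATCHES", [])))

def find_mismatched_rules(cfg):
    """IP_PROTOCOL rules on IPv6 tables of a custom type: aclorch does not rewrite these."""
    return sorted(key for key, rule in cfg.get("ACL_RULE", {}).items()
                  if "IP_PROTOCOL" in rule and table_type_of(cfg, key) not in BUILTIN_V6_TYPES
                  and is_ipv6_rule(cfg, key, rule))

def migrate_to_next_header(cfg):
    """Copy of cfg with flagged rules, and their custom table types, switched to NEXT_HEADER."""
    out = copy.deepcopy(cfg)
    flagged = find_mismatched_rules(cfg)
    for key in flagged:
        out["ACL_RULE"][key]["NEXT_HEADER"] = out["ACL_RULE"][key].pop("IP_PROTOCOL")
    for ttype in {table_type_of(out, k) for k in flagged} & set(out.get("ACL_TABLE_TYPE", {})):
        spec = out["ACL_TABLE_TYPE"][ttype]
        # keep IP_PROTOCOL in MATCHES only while some rule of this table type still needs it
        still_used = any("IP_PROTOCOL" in r and table_type_of(out, k) == ttype
                         for k, r in out["ACL_RULE"].items())
        spec["MATCHES"] = [m for m in spec["MATCHES"] if m != "IP_PROTOCOL" or still_used]
        if "NEXT_HEADER" not in spec["MATCHES"]:
            spec["MATCHES"].append("NEXT_HEADER")
    return out
```

Running `find_mismatched_rules` against the exported config before `config load` gives an early warning that counters like RULE_4001's would stay at zero, instead of discovering it from aclshow after traffic.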
