[dpdk-dev,v2] pipeline_firewall: Fix for port range filtering
Checks
Commit Message
Firewall ACL definition need to use same input index for source and
destination ports as these are 16 bits and would fit in one ACL
field of 32 bits. This is required as per librte_acl API. Without this
UDP/TCP source and destination ports filtering (and for that
matter ICMP type/code filtering) does not work.
Signed-off-by: Shyam Kumar Shrivastav <shrivastav.shyam@gmail.com>
---
examples/ip_pipeline/pipeline/pipeline_firewall_be.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
Comments
> -----Original Message-----
> From: Shyam Kumar Shrivastav [mailto:shrivastav.shyam@gmail.com]
> Sent: Wednesday, March 22, 2017 1:36 AM
> To: Dumitrescu, Cristian <cristian.dumitrescu@intel.com>
> Cc: dev@dpdk.org; Shyam Kumar Shrivastav <shrivastav.shyam@gmail.com>
> Subject: [PATCH v2] pipeline_firewall: Fix for port range filtering
>
> Firewall ACL definition need to use same input index for source and
> destination ports as these are 16 bits and would fit in one ACL
> field of 32 bits. This is required as per librte_acl API. Without this
> UDP/TCP source and destination ports filtering (and for that
> matter ICMP type/code filtering) does not work.
>
> Signed-off-by: Shyam Kumar Shrivastav <shrivastav.shyam@gmail.com>
> ---
Reviewed-by: Jasvinder.Singh@intel.com
Acked-by: Cristian.Dumitrescu@intel.com
Thanks, Shyam, for debugging this!
> Firewall ACL definition need to use same input index for source and
> > destination ports as these are 16 bits and would fit in one ACL
> > field of 32 bits. This is required as per librte_acl API. Without this
> > UDP/TCP source and destination ports filtering (and for that
> > matter ICMP type/code filtering) does not work.
> >
> > Signed-off-by: Shyam Kumar Shrivastav <shrivastav.shyam@gmail.com>
> > ---
>
> Reviewed-by: Jasvinder.Singh@intel.com
> Acked-by: Cristian.Dumitrescu@intel.com
>
> Thanks, Shyam, for debugging this!
>
Tested-by: Shyam Kumar Shrivastav <shrivastav.shyam@gmail.com>
> > Firewall ACL definition need to use same input index for source and
> > destination ports as these are 16 bits and would fit in one ACL
> > field of 32 bits. This is required as per librte_acl API. Without this
> > UDP/TCP source and destination ports filtering (and for that
> > matter ICMP type/code filtering) does not work.
> >
> > Signed-off-by: Shyam Kumar Shrivastav <shrivastav.shyam@gmail.com>
> > ---
>
> Reviewed-by: Jasvinder.Singh@intel.com
> Acked-by: Cristian.Dumitrescu@intel.com
>
> Thanks, Shyam, for debugging this!
Applied, thanks
@@ -161,7 +161,7 @@ struct firewall_table_entry {
.type = RTE_ACL_FIELD_TYPE_RANGE,
.size = sizeof(uint16_t),
.field_index = 4,
- .input_index = 4,
+ .input_index = 3,
.offset = sizeof(struct ether_hdr) +
sizeof(struct ipv4_hdr) +
offsetof(struct tcp_hdr, dst_port),
@@ -221,7 +221,7 @@ struct firewall_table_entry {
.type = RTE_ACL_FIELD_TYPE_RANGE,
.size = sizeof(uint16_t),
.field_index = 4,
- .input_index = 4,
+ .input_index = 3,
.offset = sizeof(struct ether_hdr) +
SIZEOF_VLAN_HDR +
sizeof(struct ipv4_hdr) +
@@ -282,7 +282,7 @@ struct firewall_table_entry {
.type = RTE_ACL_FIELD_TYPE_RANGE,
.size = sizeof(uint16_t),
.field_index = 4,
- .input_index = 4,
+ .input_index = 3,
.offset = sizeof(struct ether_hdr) +
SIZEOF_QINQ_HEADER +
sizeof(struct ipv4_hdr) +