Learning VPP: ABF


Overview

ABF stands for ACL Based Forwarding. ABF is a subset of PBR (Policy Based Routing). ABF is different from normal IP routing in that the lookup by IP destination address is replaced by a match using ACL rules.

Testing

Run VAT.

./build-root/build-vpp_debug-native/vpp/bin/vpp
./vpp/build-root/build-vpp_debug-native/vpp/bin/vpp_api_test

Create ACL rules.

vat# acl_add_replace ipv4 permit dst 8.8.8.8/32
acl_dump
vl_api_acl_add_replace_reply_t_handler:108: ACL index: 0
vat# vl_api_acl_details_t_handler:222: acl_index: 0, count: 1
   tag {}
   ipv4 action 1 src 0.0.0.0/0 dst 8.8.8.8/32 proto 0 sport 0-65535 dport 0-65535 tcpflags 0 mask 0

Create a policy.

DBGvpp# abf policy add id 0 acl 0 via 10.100.0.4 loop2
DBGvpp# show abf policy                                                                                    
abf:[0]: policy:0 acl:0
     path-list:[43] locks:1 flags:shared,no-uRPF, uRPF-list: None
      path:[45] pl-index:43 ip4 weight=1 pref=0 attached-nexthop:  oper-flags:resolved,
        10.100.0.4 loop2
      [@0]: arp-ipv4: via 10.100.0.4 loop2

Bind to an interface.

DBGvpp# abf attach ip4 policy 0 GigabitEthernet0/8/0         
DBGvpp# show abf attach GigabitEthernet0/8/0
ipv4:
 abf-interface-attach: policy:0 priority:0
  [@1]: arp-ipv4: via 10.100.0.4 loop2

Trace without ABF

00:02:27:818282: dpdk-input
  GigabitEthernet0/8/0 rx queue 0
  buffer 0xd886: current data 0, length 98, free-list 0, clone-count 0, totlen-nifb 0, trace 0x1
                 ext-hdr-valid 
                 l4-cksum-computed l4-cksum-correct 
  PKT MBUF: port 1, nb_segs 1, pkt_len 98
    buf_len 2176, data_len 98, ol_flags 0x0, data_off 128, phys_addr 0x8b162200
    packet_type 0x0 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
    rss 0x0 fdir.hi 0x0 fdir.lo 0x0
  IP4: 08:00:27:54:67:a2 -> 08:00:27:88:33:fd
  ICMP: 20.20.20.2 -> 8.8.8.8
    tos 0x00, ttl 64, length 84, checksum 0x85e9
    fragment id 0x7c9a, flags DONT_FRAGMENT
  ICMP echo_request checksum 0x8a71
00:02:27:818326: ethernet-input
  frame: flags 0x3, hw-if-index 2, sw-if-index 2
  IP4: 08:00:27:54:67:a2 -> 08:00:27:88:33:fd
00:02:27:818337: ip4-input-no-checksum
  ICMP: 20.20.20.2 -> 8.8.8.8
    tos 0x00, ttl 64, length 84, checksum 0x85e9
    fragment id 0x7c9a, flags DONT_FRAGMENT
  ICMP echo_request checksum 0x8a71
00:02:27:818350: ip4-lookup
  fib 0 dpo-idx 11 flow hash: 0x00000000
  ICMP: 20.20.20.2 -> 8.8.8.8
    tos 0x00, ttl 64, length 84, checksum 0x85e9
    fragment id 0x7c9a, flags DONT_FRAGMENT
  ICMP echo_request checksum 0x8a71
00:02:27:818357: ip4-rewrite
  tx_sw_if_index 1 dpo-idx 11 : ipv4 via 192.168.0.1 GigabitEthernet0/3/0: mtu:9000 98ded060c14f0800275a18a50800 flow hash: 0x00000000
  00000000: 98ded060c14f0800275a18a50800450000547c9a40003f0186e9141414020808
  00000020: 080808008a7106b2069c0292205e00000000707d0e00000000001011
00:02:27:818362: nat44-ed-in2out-output
  NAT44_IN2OUT_ED_FAST_PATH: sw_if_index 2, next index 3, session -1
00:02:27:818369: nat44-ed-in2out-output-slowpath
  NAT44_IN2OUT_ED_SLOW_PATH: sw_if_index 2, next index 0, session 5
00:02:27:818376: GigabitEthernet0/3/0-output
  GigabitEthernet0/3/0
  IP4: 08:00:27:5a:18:a5 -> 98:de:d0:60:c1:4f
  ICMP: 192.168.0.106 -> 8.8.8.8
    tos 0x00, ttl 63, length 84, checksum 0xedec
    fragment id 0x7c9a, flags DONT_FRAGMENT
  ICMP echo_request checksum 0x51a6
00:02:27:818381: GigabitEthernet0/3/0-tx
  GigabitEthernet0/3/0 tx queue 0
  buffer 0xd886: current data 0, length 98, free-list 0, clone-count 0, totlen-nifb 0, trace 0x1
                 ext-hdr-valid 
                 l4-cksum-computed l4-cksum-correct l2-hdr-offset 0 l3-hdr-offset 14 
  PKT MBUF: port 1, nb_segs 1, pkt_len 98
    buf_len 2176, data_len 98, ol_flags 0x0, data_off 128, phys_addr 0x8b162200
    packet_type 0x0 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
    rss 0x0 fdir.hi 0x0 fdir.lo 0x0
  IP4: 08:00:27:5a:18:a5 -> 98:de:d0:60:c1:4f
  ICMP: 192.168.0.106 -> 8.8.8.8
    tos 0x00, ttl 63, length 84, checksum 0xedec
    fragment id 0x7c9a, flags DONT_FRAGMENT
  ICMP echo_request checksum 0x51a6

Trace with ABF

The trace below shows that the traffic traverses the abf-input-ip4 node. As a result, it is encapsulated in VXLAN and forwarded through a tunnel.

00:03:30:398890: dpdk-input
  GigabitEthernet0/8/0 rx queue 0
  buffer 0xcec6: current data 0, length 98, free-list 0, clone-count 0, totlen-nifb 0, trace 0x3
                 ext-hdr-valid 
                 l4-cksum-computed l4-cksum-correct 
  PKT MBUF: port 1, nb_segs 1, pkt_len 98
    buf_len 2176, data_len 98, ol_flags 0x0, data_off 128, phys_addr 0x8d73b200
    packet_type 0x0 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
    rss 0x0 fdir.hi 0x0 fdir.lo 0x0
  IP4: 08:00:27:54:67:a2 -> 08:00:27:88:33:fd
  ICMP: 20.20.20.2 -> 8.8.8.8
    tos 0x00, ttl 64, length 84, checksum 0xce6e
    fragment id 0x3415, flags DONT_FRAGMENT
  ICMP echo_request checksum 0x1312
00:03:30:398931: ethernet-input
  frame: flags 0x3, hw-if-index 2, sw-if-index 2
  IP4: 08:00:27:54:67:a2 -> 08:00:27:88:33:fd
00:03:30:399080: ip4-input-no-checksum
  ICMP: 20.20.20.2 -> 8.8.8.8
    tos 0x00, ttl 64, length 84, checksum 0xce6e
    fragment id 0x3415, flags DONT_FRAGMENT
  ICMP echo_request checksum 0x1312
00:03:30:399382: abf-input-ip4
   next 1 index 12
00:03:30:399535: ip4-rewrite
  tx_sw_if_index 3 dpo-idx 12 : ipv4 via 10.100.0.4 loop2: mtu:1360 020027fd0004020027fd00050800 flow hash: 0x00000000
  00000000: 020027fd0004020027fd0005080045000054341540003f01cf6e141414020808
  00000020: 08080800131206b200096c8b205e0000000091760100000000001011
00:03:30:399713: loop2-output
  loop2
  IP4: 02:00:27:fd:00:05 -> 02:00:27:fd:00:04
  ICMP: 20.20.20.2 -> 8.8.8.8
    tos 0x00, ttl 63, length 84, checksum 0xcf6e
    fragment id 0x3415, flags DONT_FRAGMENT
  ICMP echo_request checksum 0x1312
00:03:30:400172: l2-input
  l2-input: sw_if_index 3 dst 02:00:27:fd:00:04 src 02:00:27:fd:00:05
00:03:30:400389: l2-fwd
  l2-fwd:   sw_if_index 3 dst 02:00:27:fd:00:04 src 02:00:27:fd:00:05 bd_index 1 result [0xffffffffffffffff, -1] static age-not bvi filter learn-event learn-move 
00:03:30:400617: l2-flood
  l2-flood: sw_if_index 3 dst 02:00:27:fd:00:04 src 02:00:27:fd:00:05 bd_index 1
00:03:30:400894: l2-output
  l2-output: sw_if_index 4 dst 02:00:27:fd:00:04 src 02:00:27:fd:00:05 data 08 00 45 00 00 54 34 15 40 00 3f 01
00:03:30:401147: ipsec-gre0-output
  ipsec-gre0
  00000000: 020027fd0004020027fd0005080045000054341540003f01cf6e141414020808
  00000020: 08080800131206b200096c8b205e000000009176010000000000101112131415
  00000040: 161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435
  00000060: 36370000000000000000000000000000000000000000000000000000
00:03:30:401413: ipsec-gre0-tx
  GRE: tunnel 0 len 122 src 10.101.0.5 dst 10.101.0.4 sa-id 1
00:03:30:401757: esp4-encrypt
  esp: spi 5 seq 469 crypto aes-cbc-128 integrity sha-256-128
00:03:30:402114: ip4-lookup
  fib 0 dpo-idx 16 flow hash: 0x00000000
  IPSEC_ESP: 10.101.0.5 -> 10.101.0.4
    tos 0x00, ttl 254, length 172, checksum 0xa74d
    fragment id 0x0000
00:03:30:402450: ip4-rewrite
  tx_sw_if_index 5 dpo-idx 16 : ipv4 via 10.101.0.4 loop3: mtu:9000 020027fe0004020027fe00050800 flow hash: 0x00000000
  00000000: 020027fe0004020027fe00050800450000ac00000000fd32a84d0a6500050a65
  00000020: 000400000005000001d6c6fd0b0258faf7c67f3d2a5c88dd30723e7a
00:03:30:402820: loop3-output
  loop3
  IP4: 02:00:27:fe:00:05 -> 02:00:27:fe:00:04
  IPSEC_ESP: 10.101.0.5 -> 10.101.0.4
    tos 0x00, ttl 253, length 172, checksum 0xa84d
    fragment id 0x0000
00:03:30:403637: l2-input
  l2-input: sw_if_index 5 dst 02:00:27:fe:00:04 src 02:00:27:fe:00:05
00:03:30:404046: l2-fwd
  l2-fwd:   sw_if_index 5 dst 02:00:27:fe:00:04 src 02:00:27:fe:00:05 bd_index 2 result [0xffffffffffffffff, -1] static age-not bvi filter learn-event learn-move 
00:03:30:404494: l2-flood
  l2-flood: sw_if_index 5 dst 02:00:27:fe:00:04 src 02:00:27:fe:00:05 bd_index 2
00:03:30:404950: l2-output
  l2-output: sw_if_index 6 dst 02:00:27:fe:00:04 src 02:00:27:fe:00:05 data 08 00 45 00 00 ac 00 00 00 00 fd 32
00:03:30:405421: vxlan4-encap
  VXLAN encap to vxlan_tunnel0 vni 3
00:03:30:405921: ip4-rewrite
  tx_sw_if_index 1 dpo-idx 17 : ipv4 via 192.168.0.104 GigabitEthernet0/3/0: mtu:9000 08002768d11e0800275a18a50800 flow hash: 0x00000001
  00000000: 08002768d11e0800275a18a50800450000de00000000fd113aecc0a8006ac0a8
  00000020: 006812b512b500ca00000800000000000300020027fe0004020027fe
00:03:30:406389: nat44-ed-in2out-output
  NAT44_IN2OUT_ED_FAST_PATH: sw_if_index 5, next index 3, session -1
00:03:30:406922: nat44-ed-in2out-output-slowpath
  NAT44_IN2OUT_ED_SLOW_PATH: sw_if_index 5, next index 0, session -1
00:03:30:408014: GigabitEthernet0/3/0-output
  GigabitEthernet0/3/0
  IP4: 08:00:27:5a:18:a5 -> 08:00:27:68:d1:1e
  UDP: 192.168.0.106 -> 192.168.0.104
    tos 0x00, ttl 253, length 222, checksum 0x3aec
    fragment id 0x0000
  UDP: 4789 -> 4789
    length 202, checksum 0x0000
00:03:30:408548: GigabitEthernet0/3/0-tx
  GigabitEthernet0/3/0 tx queue 0
  buffer 0x16c54: current data -50, length 236, free-list 0, clone-count 0, totlen-nifb 0, trace 0x3
  PKT MBUF: port 65535, nb_segs 1, pkt_len 236
    buf_len 2176, data_len 236, ol_flags 0x0, data_off 78, phys_addr 0x8d1b1580
    packet_type 0x0 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
    rss 0x0 fdir.hi 0x0 fdir.lo 0x0
  IP4: 08:00:27:5a:18:a5 -> 08:00:27:68:d1:1e
  UDP: 192.168.0.106 -> 192.168.0.104
    tos 0x00, ttl 253, length 222, checksum 0x3aec
    fragment id 0x0000
  UDP: 4789 -> 4789
    length 202, checksum 0x0000
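
An added example, not part of the original post: a small Python parser for VPP packet traces like the two above. It reports which node made the forwarding decision (abf-input-ip4 or ip4-lookup), the next hop in the first ip4-rewrite, and whether esp4-encrypt was visited before egress, which makes it easy to spot ACL-matched traffic that fell back to the normal FIB path and left unencrypted. The function names are assumptions for this illustration, and the sample traces are abridged from the ones on this page.

```python
import re

# Node header in a VPP packet trace: "HH:MM:SS:usec: node-name"
NODE_RE = re.compile(r"^(\d\d:\d\d:\d\d:\d{6}): (\S+)\s*$")
# Next hop and interface inside an ip4-rewrite detail line
VIA_RE = re.compile(r"ipv4 via (\S+) ([^\s:]+):")

def parse_trace(text):
    """Split one traced packet into [(node, [detail lines])], in visit order."""
    nodes = []
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if m:
            nodes.append((m.group(2), []))
        elif nodes and line.strip():
            nodes[-1][1].append(line.strip())
    return nodes

def summarize(text):
    """Report how the packet was steered and whether it was encrypted."""
    nodes = parse_trace(text)
    names = [n for n, _ in nodes]
    # The node right after ip4-input* makes the forwarding decision.
    i = next(k for k, n in enumerate(names) if n.startswith("ip4-input"))
    decision = names[i + 1]
    # The first ip4-rewrite carries the next hop chosen for the inner packet.
    rewrite = next(d for n, d in nodes[i:] if n == "ip4-rewrite")
    via = VIA_RE.search(rewrite[0])
    return {"decision": decision, "abf": decision == "abf-input-ip4",
            "next_hop": via.group(1), "out_if": via.group(2),
            "encrypted": "esp4-encrypt" in names, "egress": names[-1]}

# Sample input: abridged from the two traces on this page (node headers
# plus the first ip4-rewrite detail line); not a complete capture.
WITHOUT_ABF = """\
00:02:27:818337: ip4-input-no-checksum
00:02:27:818350: ip4-lookup
00:02:27:818357: ip4-rewrite
  tx_sw_if_index 1 dpo-idx 11 : ipv4 via 192.168.0.1 GigabitEthernet0/3/0: mtu:9000
00:02:27:818381: GigabitEthernet0/3/0-tx
"""
WITH_ABF = """\
00:03:30:399080: ip4-input-no-checksum
00:03:30:399382: abf-input-ip4
00:03:30:399535: ip4-rewrite
  tx_sw_if_index 3 dpo-idx 12 : ipv4 via 10.100.0.4 loop2: mtu:1360
00:03:30:401757: esp4-encrypt
00:03:30:405421: vxlan4-encap
00:03:30:408548: GigabitEthernet0/3/0-tx
"""
```

Calling summarize() on a full trace pasted from the VPP CLI works the same way, since only the node header lines and the first ip4-rewrite detail line are inspected.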
