[P4-dev] ACL to P4 Conversion

LJ Wobker ljw at barefootnetworks.com
Wed Jun 10 17:06:32 EDT 2015


Scott-

Good question here.  There are a number of ways to express this in
traditional forwarding models, but I think the key issue here is that P4
really just represents/describes the final forwarding tables, not
necessarily what their logical outcome is.

One possibility is to just have the control plane invert all of the ACL
rules, and then program them into the device.

a. In this case, the compiler would likely need to know something
about the target in order to optimize how it’s done.  For instance, some
“not” rules might be trivial to implement as a small set of exact match
rules, while others might be more efficiently implemented as a set of
ternary rules.

There are (somewhat) well known algorithms for negating rules in a TCAM or
other ternary device, but you have to be careful as they can sometimes
expand to very large rulesets.

You could define a set of tables with different actions, that correspond to
what you want the behavior of the ACL to be.

You could define multiple stages of tables, where some handle the positive
“match” cases and others handle the “match not” cases.  Again depending on
the target’s capabilities you may want to choose one over the other.

Does that help at all?  ;-)

--lj

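LJ's last option (separate stages for the "match" and "match not" groups) worked out for Scott's class-maps, as an added P4_16 example that is not part of the thread. It assumes a v1model program whose headers_t carries hdr.ipv4 with protocol/srcAddr/dstAddr fields and whose parser has already copied the TCP or UDP ports into meta.l4_sport / meta.l4_dport; the control name, flag names and class ids are my own.

```p4
// Added example (not from the thread): LJ's "separate stages" option in
// P4_16 / v1model. Each access-list is its own ternary table that only sets
// a hit flag; the class-map AND / "match not" logic is evaluated in apply(),
// so no rule is ever negated inside the TCAM.
// Assumed: hdr.ipv4 has protocol/srcAddr/dstAddr, and the parser has copied
// the TCP or UDP ports into meta.l4_sport / meta.l4_dport.
struct acl_meta_t {
    bit<16> l4_sport;
    bit<16> l4_dport;
    bit<1>  hit_187;   // matched access-group 187
    bit<1>  hit_xxx;   // matched access-group xxx (a "match not" group)
    bit<1>  hit_198;   // matched access-group 198 (a "match not" group)
    bit<8>  class_id;  // result consumed by later QoS/forwarding stages
}
const bit<8> CLASS_NONE   = 0;   // hypothetical class ids, not on the page
const bit<8> CLASS_CE_AF2 = 1;

control AclClassify(inout headers_t hdr, inout acl_meta_t meta) {
    action set_187() { meta.hit_187 = 1; }
    action set_xxx() { meta.hit_xxx = 1; }
    action set_198() { meta.hit_198 = 1; }
    // The control plane installs each list's permit lines unchanged, e.g.
    // "permit tcp any any eq 8014" -> protocol=6, dport 8014..8014, rest
    // wildcard; "range 1525 1527" maps straight onto the range match kind.
    table acl_187 {
        key = { hdr.ipv4.protocol : ternary; hdr.ipv4.srcAddr : ternary; hdr.ipv4.dstAddr : ternary;
                meta.l4_sport : range; meta.l4_dport : range; }
        actions = { set_187; NoAction; }
        default_action = NoAction();
    }
    table acl_xxx {
        key = { hdr.ipv4.protocol : ternary; hdr.ipv4.srcAddr : ternary; hdr.ipv4.dstAddr : ternary;
                meta.l4_sport : range; meta.l4_dport : range; }
        actions = { set_xxx; NoAction; }
        default_action = NoAction();
    }
    table acl_198 {
        key = { hdr.ipv4.protocol : ternary; hdr.ipv4.srcAddr : ternary; hdr.ipv4.dstAddr : ternary;
                meta.l4_sport : range; meta.l4_dport : range; }
        actions = { set_198; NoAction; }
        default_action = NoAction();
    }
    apply {
        meta.hit_187 = 0; meta.hit_xxx = 0; meta.hit_198 = 0;
        // Never key on fields of an invalid header; non-IPv4 gets no class.
        if (hdr.ipv4.isValid()) { acl_187.apply(); acl_xxx.apply(); acl_198.apply(); }
        // ce_af2_customer = 187 AND NOT xxx; ce_af2_include = customer AND NOT 198
        meta.class_id = (meta.hit_187 == 1 && meta.hit_xxx == 0 && meta.hit_198 == 0)
                        ? CLASS_CE_AF2 : CLASS_NONE;
    }
}
```

Each additional `match not access-group` costs one more flag and one more table, never a negated rule set, which is the trade-off against the rule-inversion approach LJ describes first.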
*From:* P4-dev [mailto:p4-dev-bounces at p4.org] *On Behalf Of *Scott Collins
(scotcoll)
*Sent:* Wednesday, June 10, 2015 1:55 PM
*To:* p4-dev at p4.org
*Subject:* [P4-dev] ACL to P4 Conversion



Hi all,

This is an ACL configuration that uses a not operation to specify
exclusions. How could this be represented in P4?

Thanks,

Scott


!
class-map match-all ce_af2_customer
match access-group 187
match not access-group xxx
!
class-map match-all ce_af2_include
match class-map ce_af2_customer
match not access-group 198
!
!
class-map match-any ce_af2_output
match class-map ce_af2_include
!
access-list xxx permit tcp any any eq 8014
access-list xxx permit tcp any eq 8014 any
access-list xxx permit tcp any host 165.72.11.108
access-list xxx permit tcp any host 7.252.68.73
access-list xxx permit tcp host 7.252.68.73 any
!
!
access-list 187 permit tcp any eq telnet any
access-list 187 permit tcp any any eq telnet
access-list 187 permit tcp any eq 2598 any
access-list 187 permit tcp any any eq 2598
access-list 187 permit tcp any any eq 8911
access-list 187 permit udp any eq 8911 any
access-list 187 permit udp any any eq 8911
access-list 187 permit tcp any eq 3306 any
access-list 187 permit tcp any any eq 3306
access-list 187 permit tcp any eq 1186 any
access-list 187 permit tcp any any eq 1186
access-list 187 permit tcp any range 1525 1527 any
access-list 187 permit tcp any any range 1525 1527
access-list 187 permit tcp any eq 1529 any
access-list 187 permit tcp any any eq 1529
access-list 187 permit tcp any eq 5432 any
access-list 187 permit tcp any any eq 5432
access-list 187 permit tcp any eq 9100 any
access-list 187 permit tcp any any eq 9100
access-list 187 permit tcp any any eq 135
access-list 187 permit tcp any eq 135 any
access-list 187 permit tcp any any range 989 990
access-list 187 permit tcp any range 989 990 any
access-list 187 permit tcp any any eq 683
access-list 187 permit tcp any eq 683 any
access-list 187 permit tcp any any eq 2162
access-list 187 permit tcp any eq 2162 any
access-list 187 permit tcp any any range 137 139
access-list 187 permit tcp any range 137 139 any
access-list 187 permit tcp any any eq 575
access-list 187 permit tcp any eq 575 any
access-list 187 permit tcp any eq 5631 any
access-list 187 permit tcp any any eq 5631
access-list 187 permit tcp any eq login any
access-list 187 permit tcp any any eq login
access-list 187 permit tcp any range 6000 6063 any
access-list 187 permit tcp any any range 6000 6063
access-list 187 permit tcp any eq 8004 any
access-list 187 permit tcp any any eq 8004
access-list 187 permit tcp any eq 8888 any
access-list 187 permit tcp 199.40.254.0 0.0.0.255 eq 80 any
access-list 187 permit tcp any 199.40.254.0 0.0.0.255 eq 80
access-list 187 permit tcp 23.252.16.0 0.0.0.255 eq 8080 any
access-list 187 permit tcp any 23.252.16.0 0.0.0.255 eq 8080
access-list 187 permit tcp 10.250.66.0 0.0.0.255 eq 8080 any
access-list 187 permit tcp any 10.250.66.0 0.0.0.255 eq 8080
access-list 187 permit tcp 10.250.66.0 0.0.0.255 eq 80 any
access-list 187 permit tcp any 10.250.66.0 0.0.0.255 eq 80
access-list 187 permit tcp 199.40.254.0 0.0.0.255 eq 3128 any
access-list 187 permit tcp any 199.40.254.0 0.0.0.255 eq 3128
access-list 187 permit tcp 23.252.16.0 0.0.0.255 eq 3128 any
access-list 187 permit tcp any 23.252.16.0 0.0.0.255 eq 3128
access-list 187 permit tcp 10.250.66.0 0.0.0.255 eq 3128 any
access-list 187 permit tcp any 10.250.66.0 0.0.0.255 eq 3128
access-list 187 permit tcp 23.253.31.0 0.0.0.255 eq 8080 any
access-list 187 permit tcp any 23.253.31.0 0.0.0.255 eq 8080
access-list 187 permit tcp 23.253.31.0 0.0.0.255 eq 80 any
access-list 187 permit tcp any 23.253.31.0 0.0.0.255 eq 80
access-list 187 permit tcp 199.40.22.0 0.0.0.255 eq 8080 any
access-list 187 permit tcp any 199.40.22.0 0.0.0.255 eq 8080
access-list 187 permit tcp host 199.40.26.88 eq 8080 any
access-list 187 permit tcp any host 199.40.26.88 eq 8080
access-list 187 permit tcp host 199.40.26.88 eq 80 any
access-list 187 permit tcp any host 199.40.26.88 eq 80
access-list 187 permit tcp host 199.40.253.79 eq 8080 any
access-list 187 permit tcp any host 199.40.253.79 eq 8080
access-list 187 permit tcp host 199.40.253.79 eq 80 any
access-list 187 permit tcp any host 199.40.253.79 eq 80
access-list 187 permit tcp host 10.250.46.187 eq 3128 any
access-list 187 permit tcp any host 10.250.46.187 eq 3128
access-list 187 permit tcp host 10.250.46.187 eq 8080 any
access-list 187 permit tcp any host 10.250.46.187 eq 8080
access-list 187 permit tcp host 10.250.46.187 eq 80 any
access-list 187 permit tcp any host 10.250.46.187 eq 80
access-list 187 permit tcp 199.40.22.0 0.0.0.255 eq 3128 any
access-list 187 permit tcp any 199.40.22.0 0.0.0.255 eq 3128
access-list 187 permit tcp 199.40.22.0 0.0.0.255 eq 80 any
access-list 187 permit tcp any 199.40.22.0 0.0.0.255 eq 80
access-list 187 permit tcp 23.253.31.0 0.0.0.255 eq 3128 any
access-list 187 permit tcp any 23.253.31.0 0.0.0.255 eq 3128
access-list 187 permit tcp 23.252.18.0 0.0.0.255 eq 3128 any
access-list 187 permit tcp any 23.252.18.0 0.0.0.255 eq 3128
access-list 187 permit tcp 23.252.18.0 0.0.0.255 eq 8080 any
access-list 187 permit tcp any 23.252.18.0 0.0.0.255 eq 8080
access-list 187 permit tcp 23.252.18.0 0.0.0.255 eq 80 any
access-list 187 permit tcp any 23.252.18.0 0.0.0.255 eq 80
access-list 187 permit tcp 165.72.25.0 0.0.0.255 eq 8080 any
access-list 187 permit tcp any 165.72.25.0 0.0.0.255 eq 8080
access-list 187 permit tcp 199.40.175.0 0.0.0.255 eq 8080 any
access-list 187 permit tcp any 199.40.175.0 0.0.0.255 eq 8080
access-list 187 permit tcp 199.40.175.0 0.0.0.255 eq 80 any
access-list 187 permit tcp any 199.40.175.0 0.0.0.255 eq 80
access-list 187 permit tcp 23.156.24.0 0.0.0.255 eq 8080 any
access-list 187 permit tcp any 23.156.24.0 0.0.0.255 eq 8080
access-list 187 permit tcp 23.156.24.0 0.0.0.255 eq 80 any
access-list 187 permit tcp any 23.156.24.0 0.0.0.255 eq 80
access-list 187 permit tcp 199.40.144.0 0.0.0.255 eq 80 any
access-list 187 permit tcp any 199.40.144.0 0.0.0.255 eq 80
access-list 187 permit tcp 165.72.192.0 0.0.0.255 eq 80 any
access-list 187 permit tcp any 165.72.192.0 0.0.0.255 eq 80
access-list 187 permit tcp 10.22.23.0 0.0.0.255 eq 8080 any
access-list 187 permit tcp any 10.22.23.0 0.0.0.255 eq 8080
access-list 187 permit tcp 10.22.23.0 0.0.0.255 eq 80 any
access-list 187 permit tcp any 10.22.23.0 0.0.0.255 eq 80
access-list 187 permit tcp 10.22.23.0 0.0.0.255 eq 3128 any
access-list 187 permit tcp any 10.22.23.0 0.0.0.255 eq 3128
access-list 187 permit tcp 23.252.100.0 0.0.0.127 eq 8080 any
access-list 187 permit tcp any 23.252.100.0 0.0.0.127 eq 8080
access-list 187 permit tcp 23.252.100.0 0.0.0.127 eq 80 any
access-list 187 permit tcp any 23.252.100.0 0.0.0.127 eq 80
access-list 187 permit tcp 23.252.100.0 0.0.0.127 eq 3128 any
access-list 187 permit tcp any 23.252.100.0 0.0.0.127 eq 3128
access-list 187 permit tcp 199.40.20.0 0.0.0.255 eq 80 any
access-list 187 permit tcp any 199.40.20.0 0.0.0.255 eq 80
access-list 187 permit tcp 165.72.12.0 0.0.0.255 eq 80 any
access-list 187 permit tcp any 165.72.12.0 0.0.0.255 eq 80
access-list 187 permit tcp 23.253.32.0 0.0.0.255 eq 80 any
access-list 187 permit tcp any 23.253.32.0 0.0.0.255 eq 80
access-list 187 permit tcp 199.40.23.0 0.0.0.255 eq 80 any
access-list 187 permit tcp any 199.40.23.0 0.0.0.255 eq 80
access-list 187 permit tcp 199.40.30.0 0.0.0.255 eq 80 any
access-list 187 permit tcp any 199.40.30.0 0.0.0.255 eq 80
access-list 187 permit tcp 23.252.17.0 0.0.0.255 eq 80 any
access-list 187 permit tcp any 23.252.17.0 0.0.0.255 eq 80
access-list 187 permit tcp 10.250.62.0 0.0.0.255 eq 80 any
access-list 187 permit tcp any 10.250.62.0 0.0.0.255 eq 80
access-list 187 permit tcp 194.102.25.0 0.0.0.255 eq 80 any
access-list 187 permit tcp any 194.102.25.0 0.0.0.255 eq 80
!
!