[P4-dev] ACL to P4 Conversion

Scott Collins (scotcoll) scotcoll at cisco.com
Wed Jun 10 17:11:37 EDT 2015


Yes, thank you LJ, those ideas will get me started.
-Scott

From: LJ Wobker <ljw at barefootnetworks.com>
Date: Wednesday, June 10, 2015 at 5:06 PM
To: scotcoll Collins <scotcoll at cisco.com>, "p4-dev at p4.org" <p4-dev at p4.org>
Subject: RE: [P4-dev] ACL to P4 Conversion

Scott-

Good question here.  There are a number of ways to express this in traditional forwarding models, but I think the key issue here is that P4 really just represents/describes the final forwarding tables, not necessarily what their logical outcome is.

One possibility is to just have the control plane invert all of the ACL rules, and then program them into the device.

a. In this case, the compiler would likely need to know something about the target in order to optimize how it’s done.  For instance, some “not” rules might be trivial to implement as a small set of exact match rules, while others might be more efficiently implemented as a set of ternary rules.
There are (somewhat) well known algorithms for negating rules in a TCAM or other ternary device, but you have to be careful as they can sometimes expand to very large rulesets.

You could define a set of tables with different actions, that correspond to what you want the behavior of the ACL to be.

You could define multiple stages of tables, where some handle the positive “match” cases and others handle the “match not” cases.  Again depending on the target’s capabilities you may want to choose one over the other.

Does that help at all?  ;-)

--lj
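The multi-stage layout LJ sketches (positive-match tables that only set a hit flag, then a table over the flags that encodes the class-map logic), as an added Python model of the control-plane side that is not part of the thread. It assumes IOS wildcard masks are contiguous, models each ternary table as a list of ACEs, and treats access-list 198, which the post does not show, as empty.

```python
import ipaddress
PORT_NAMES = {"telnet": 23, "login": 513}  # IOS port keywords used in the posted ACLs

def _port(tok):  # consume an optional 'eq N' / 'range A B'; default is any port
    if tok and tok[0] == "eq":
        v = tok[1]; del tok[:2]; v = int(PORT_NAMES.get(v, v)); return (v, v)
    if tok and tok[0] == "range":
        lo, hi = int(tok[1]), int(tok[2]); del tok[:3]; return (lo, hi)
    return (0, 65535)

def _addr(tok):  # consume 'any' | 'host A' | 'A WILDCARD' and return an ip_network
    t = tok.pop(0)
    if t == "any": return ipaddress.ip_network("0.0.0.0/0")
    if t == "host": return ipaddress.ip_network(tok.pop(0) + "/32")
    wild = int(ipaddress.ip_address(tok.pop(0)))  # 0.0.0.255 -> /24, 0.0.0.127 -> /25
    return ipaddress.ip_network(f"{t}/{32 - wild.bit_length()}", strict=False)

def parse_ace(line):  # 'access-list NAME permit PROTO SRC [port] DST [port]'
    tok = line.split()
    name, proto, rest = tok[1], tok[3], tok[4:]
    src, sport = _addr(rest), _port(rest)
    dst, dport = _addr(rest), _port(rest)
    return name, (proto, src, sport, dst, dport)

def matches(rule, pkt):  # one ACE (ternary addresses, port ranges) against a 5-tuple
    proto, src, sport, dst, dport = rule
    return (proto == pkt["proto"] and ipaddress.ip_address(pkt["src"]) in src
            and ipaddress.ip_address(pkt["dst"]) in dst
            and sport[0] <= pkt["sport"] <= sport[1] and dport[0] <= pkt["dport"] <= dport[1])

def load_acls(lines):  # control plane: group ACEs by access-list name
    acls = {}
    for name, rule in map(parse_ace, lines):
        acls.setdefault(name, []).append(rule)
    return acls

# Stage 1: one ternary table per access-list; its only action is to set a 1-bit hit flag.
def stage1(acls, pkt):
    return tuple(int(any(matches(r, pkt) for r in acls.get(n, [])))
                 for n in ("187", "xxx", "198"))
# Stage 2: exact match on the flag vector. The control plane enumerates the 8 combinations
# and installs only those the class-maps accept: hit_187 AND NOT hit_xxx AND NOT hit_198.
STAGE2 = {(a, b, c): "ce_af2_include" for a in (0, 1) for b in (0, 1) for c in (0, 1)
          if a and not b and not c}
def classify(acls, pkt):
    return STAGE2.get(stage1(acls, pkt), "miss")
# Constructed subset of the access-lists in the original post (ACL 198 is not shown there).
ACLS = load_acls(["access-list xxx permit tcp any any eq 8014",
                  "access-list xxx permit tcp any host 165.72.11.108",
                  "access-list 187 permit tcp any any eq telnet",
                  "access-list 187 permit tcp 23.252.100.0 0.0.0.127 eq 8080 any"])
```

No rule is ever negated: the "match not" lives entirely in the tiny stage-2 table, which is why this form avoids the ruleset blow-up LJ warns about for TCAM negation.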

From: P4-dev [mailto:p4-dev-bounces at p4.org] On Behalf Of Scott Collins (scotcoll)
Sent: Wednesday, June 10, 2015 1:55 PM
To: p4-dev at p4.org
Subject: [P4-dev] ACL to P4 Conversion

Hi all,

This is an ACL configuration that uses a not operation to specify exclusions. How could this be represented in P4?

Thanks,
Scott


!
class-map match-all ce_af2_customer
match access-group 187
match not access-group xxx
!
class-map match-all ce_af2_include
match class-map ce_af2_customer
match not access-group 198
!
!
class-map match-any ce_af2_output
match class-map ce_af2_include
!
access-list xxx permit tcp any any eq 8014
access-list xxx permit tcp any eq 8014 any
access-list xxx permit tcp any host 165.72.11.108
access-list xxx permit tcp any host 7.252.68.73
access-list xxx permit tcp host 7.252.68.73 any
!
!
access-list 187 permit tcp any eq telnet any
access-list 187 permit tcp any any eq telnet
access-list 187 permit tcp any eq 2598 any
access-list 187 permit tcp any any eq 2598
access-list 187 permit tcp any any eq 8911
access-list 187 permit udp any eq 8911 any
access-list 187 permit udp any any eq 8911
access-list 187 permit tcp any eq 3306 any
access-list 187 permit tcp any any eq 3306
access-list 187 permit tcp any eq 1186 any
access-list 187 permit tcp any any eq 1186
access-list 187 permit tcp any range 1525 1527 any
access-list 187 permit tcp any any range 1525 1527
access-list 187 permit tcp any eq 1529 any
access-list 187 permit tcp any any eq 1529
access-list 187 permit tcp any eq 5432 any
access-list 187 permit tcp any any eq 5432
access-list 187 permit tcp any eq 9100 any
access-list 187 permit tcp any any eq 9100
access-list 187 permit tcp any any eq 135
access-list 187 permit tcp any eq 135 any
access-list 187 permit tcp any any range 989 990
access-list 187 permit tcp any range 989 990 any
access-list 187 permit tcp any any eq 683
access-list 187 permit tcp any eq 683 any
access-list 187 permit tcp any any eq 2162
access-list 187 permit tcp any eq 2162 any
access-list 187 permit tcp any any range 137 139
access-list 187 permit tcp any range 137 139 any
access-list 187 permit tcp any any eq 575
access-list 187 permit tcp any eq 575 any
access-list 187 permit tcp any eq 5631 any
access-list 187 permit tcp any any eq 5631
access-list 187 permit tcp any eq login any
access-list 187 permit tcp any any eq login
access-list 187 permit tcp any range 6000 6063 any
access-list 187 permit tcp any any range 6000 6063
access-list 187 permit tcp any eq 8004 any
access-list 187 permit tcp any any eq 8004
access-list 187 permit tcp any eq 8888 any
access-list 187 permit tcp 199.40.254.0 0.0.0.255 eq 80 any
access-list 187 permit tcp any 199.40.254.0 0.0.0.255 eq 80
access-list 187 permit tcp 23.252.16.0 0.0.0.255 eq 8080 any
access-list 187 permit tcp any 23.252.16.0 0.0.0.255 eq 8080
access-list 187 permit tcp 10.250.66.0 0.0.0.255 eq 8080 any
access-list 187 permit tcp any 10.250.66.0 0.0.0.255 eq 8080
access-list 187 permit tcp 10.250.66.0 0.0.0.255 eq 80 any
access-list 187 permit tcp any 10.250.66.0 0.0.0.255 eq 80
access-list 187 permit tcp 199.40.254.0 0.0.0.255 eq 3128 any
access-list 187 permit tcp any 199.40.254.0 0.0.0.255 eq 3128
access-list 187 permit tcp 23.252.16.0 0.0.0.255 eq 3128 any
access-list 187 permit tcp any 23.252.16.0 0.0.0.255 eq 3128
access-list 187 permit tcp 10.250.66.0 0.0.0.255 eq 3128 any
access-list 187 permit tcp any 10.250.66.0 0.0.0.255 eq 3128
access-list 187 permit tcp 23.253.31.0 0.0.0.255 eq 8080 any
access-list 187 permit tcp any 23.253.31.0 0.0.0.255 eq 8080
access-list 187 permit tcp 23.253.31.0 0.0.0.255 eq 80 any
access-list 187 permit tcp any 23.253.31.0 0.0.0.255 eq 80
access-list 187 permit tcp 199.40.22.0 0.0.0.255 eq 8080 any
access-list 187 permit tcp any 199.40.22.0 0.0.0.255 eq 8080
access-list 187 permit tcp host 199.40.26.88 eq 8080 any
access-list 187 permit tcp any host 199.40.26.88 eq 8080
access-list 187 permit tcp host 199.40.26.88 eq 80 any
access-list 187 permit tcp any host 199.40.26.88 eq 80
access-list 187 permit tcp host 199.40.253.79 eq 8080 any
access-list 187 permit tcp any host 199.40.253.79 eq 8080
access-list 187 permit tcp host 199.40.253.79 eq 80 any
access-list 187 permit tcp any host 199.40.253.79 eq 80
access-list 187 permit tcp host 10.250.46.187 eq 3128 any
access-list 187 permit tcp any host 10.250.46.187 eq 3128
access-list 187 permit tcp host 10.250.46.187 eq 8080 any
access-list 187 permit tcp any host 10.250.46.187 eq 8080
access-list 187 permit tcp host 10.250.46.187 eq 80 any
access-list 187 permit tcp any host 10.250.46.187 eq 80
access-list 187 permit tcp 199.40.22.0 0.0.0.255 eq 3128 any
access-list 187 permit tcp any 199.40.22.0 0.0.0.255 eq 3128
access-list 187 permit tcp 199.40.22.0 0.0.0.255 eq 80 any
access-list 187 permit tcp any 199.40.22.0 0.0.0.255 eq 80
access-list 187 permit tcp 23.253.31.0 0.0.0.255 eq 3128 any
access-list 187 permit tcp any 23.253.31.0 0.0.0.255 eq 3128
access-list 187 permit tcp 23.252.18.0 0.0.0.255 eq 3128 any
access-list 187 permit tcp any 23.252.18.0 0.0.0.255 eq 3128
access-list 187 permit tcp 23.252.18.0 0.0.0.255 eq 8080 any
access-list 187 permit tcp any 23.252.18.0 0.0.0.255 eq 8080
access-list 187 permit tcp 23.252.18.0 0.0.0.255 eq 80 any
access-list 187 permit tcp any 23.252.18.0 0.0.0.255 eq 80
access-list 187 permit tcp 165.72.25.0 0.0.0.255 eq 8080 any
access-list 187 permit tcp any 165.72.25.0 0.0.0.255 eq 8080
access-list 187 permit tcp 199.40.175.0 0.0.0.255 eq 8080 any
access-list 187 permit tcp any 199.40.175.0 0.0.0.255 eq 8080
access-list 187 permit tcp 199.40.175.0 0.0.0.255 eq 80 any
access-list 187 permit tcp any 199.40.175.0 0.0.0.255 eq 80
access-list 187 permit tcp 23.156.24.0 0.0.0.255 eq 8080 any
access-list 187 permit tcp any 23.156.24.0 0.0.0.255 eq 8080
access-list 187 permit tcp 23.156.24.0 0.0.0.255 eq 80 any
access-list 187 permit tcp any 23.156.24.0 0.0.0.255 eq 80
access-list 187 permit tcp 199.40.144.0 0.0.0.255 eq 80 any
access-list 187 permit tcp any 199.40.144.0 0.0.0.255 eq 80
access-list 187 permit tcp 165.72.192.0 0.0.0.255 eq 80 any
access-list 187 permit tcp any 165.72.192.0 0.0.0.255 eq 80
access-list 187 permit tcp 10.22.23.0 0.0.0.255 eq 8080 any
access-list 187 permit tcp any 10.22.23.0 0.0.0.255 eq 8080
access-list 187 permit tcp 10.22.23.0 0.0.0.255 eq 80 any
access-list 187 permit tcp any 10.22.23.0 0.0.0.255 eq 80
access-list 187 permit tcp 10.22.23.0 0.0.0.255 eq 3128 any
access-list 187 permit tcp any 10.22.23.0 0.0.0.255 eq 3128
access-list 187 permit tcp 23.252.100.0 0.0.0.127 eq 8080 any
access-list 187 permit tcp any 23.252.100.0 0.0.0.127 eq 8080
access-list 187 permit tcp 23.252.100.0 0.0.0.127 eq 80 any
access-list 187 permit tcp any 23.252.100.0 0.0.0.127 eq 80
access-list 187 permit tcp 23.252.100.0 0.0.0.127 eq 3128 any
access-list 187 permit tcp any 23.252.100.0 0.0.0.127 eq 3128
access-list 187 permit tcp 199.40.20.0 0.0.0.255 eq 80 any
access-list 187 permit tcp any 199.40.20.0 0.0.0.255 eq 80
access-list 187 permit tcp 165.72.12.0 0.0.0.255 eq 80 any
access-list 187 permit tcp any 165.72.12.0 0.0.0.255 eq 80
access-list 187 permit tcp 23.253.32.0 0.0.0.255 eq 80 any
access-list 187 permit tcp any 23.253.32.0 0.0.0.255 eq 80
access-list 187 permit tcp 199.40.23.0 0.0.0.255 eq 80 any
access-list 187 permit tcp any 199.40.23.0 0.0.0.255 eq 80
access-list 187 permit tcp 199.40.30.0 0.0.0.255 eq 80 any
access-list 187 permit tcp any 199.40.30.0 0.0.0.255 eq 80
access-list 187 permit tcp 23.252.17.0 0.0.0.255 eq 80 any
access-list 187 permit tcp any 23.252.17.0 0.0.0.255 eq 80
access-list 187 permit tcp 10.250.62.0 0.0.0.255 eq 80 any
access-list 187 permit tcp any 10.250.62.0 0.0.0.255 eq 80
access-list 187 permit tcp 194.102.25.0 0.0.0.255 eq 80 any
access-list 187 permit tcp any 194.102.25.0 0.0.0.255 eq 80
!
!
