[P4-dev] ACL to P4 Conversion

LJ Wobker ljw at barefootnetworks.com
Wed Jun 10 17:59:17 EDT 2015


Mihai-

In this particular example, the “not” is a negation of the classifier rule,
rather than a negation of the action.  So here you’d have to logically
combine these two rules and use that as the classifier… and then select the
action.

--lj

*From:* P4-dev [mailto:p4-dev-bounces at p4.org] *On Behalf Of *Mihai Budiu
*Sent:* Wednesday, June 10, 2015 2:56 PM
*To:* Scott Collins (scotcoll)
*Cc:* p4-dev at p4.org
*Subject:* Re: [P4-dev] ACL to P4 Conversion



You can choose any action to execute when an entry in a table matches:
i.e., drop, or no_op.

For entries that do not match, the default action is executed; there you can
again choose drop or no_op.

The table contents are populated dynamically, from the control plane.



Mihai



On Wed, Jun 10, 2015 at 1:54 PM, Scott Collins (scotcoll) <
scotcoll at cisco.com> wrote:

Hi all,



This is an ACL configuration that uses a not operation to specify
exclusions. How could this be represented in P4?



Thanks,

Scott





!

class-map match-all ce_af2_customer

match access-group 187

match not access-group xxx

!

class-map match-all ce_af2_include

match class-map ce_af2_customer

match not access-group 198

!

!

class-map match-any ce_af2_output

match class-map ce_af2_include

!

access-list xxx permit tcp any any eq 8014

access-list xxx permit tcp any eq 8014 any

access-list xxx permit tcp any host 165.72.11.108

access-list xxx permit tcp any host 7.252.68.73

access-list xxx permit tcp host 7.252.68.73 any

!

!

access-list 187 permit tcp any eq telnet any

access-list 187 permit tcp any any eq telnet

access-list 187 permit tcp any eq 2598 any

access-list 187 permit tcp any any eq 2598

access-list 187 permit tcp any any eq 8911

access-list 187 permit udp any eq 8911 any

access-list 187 permit udp any any eq 8911

access-list 187 permit tcp any eq 3306 any

access-list 187 permit tcp any any eq 3306

access-list 187 permit tcp any eq 1186 any

access-list 187 permit tcp any any eq 1186

access-list 187 permit tcp any range 1525 1527 any

access-list 187 permit tcp any any range 1525 1527

access-list 187 permit tcp any eq 1529 any

access-list 187 permit tcp any any eq 1529

access-list 187 permit tcp any eq 5432 any

access-list 187 permit tcp any any eq 5432

access-list 187 permit tcp any eq 9100 any

access-list 187 permit tcp any any eq 9100

access-list 187 permit tcp any any eq 135

access-list 187 permit tcp any eq 135 any

access-list 187 permit tcp any any range 989 990

access-list 187 permit tcp any range 989 990 any

access-list 187 permit tcp any any eq 683

access-list 187 permit tcp any eq 683 any

access-list 187 permit tcp any any eq 2162

access-list 187 permit tcp any eq 2162 any

access-list 187 permit tcp any any range 137 139

access-list 187 permit tcp any range 137 139 any

access-list 187 permit tcp any any eq 575

access-list 187 permit tcp any eq 575 any

access-list 187 permit tcp any eq 5631 any

access-list 187 permit tcp any any eq 5631

access-list 187 permit tcp any eq login any

access-list 187 permit tcp any any eq login

access-list 187 permit tcp any range 6000 6063 any

access-list 187 permit tcp any any range 6000 6063

access-list 187 permit tcp any eq 8004 any

access-list 187 permit tcp any any eq 8004

access-list 187 permit tcp any eq 8888 any

access-list 187 permit tcp 199.40.254.0 0.0.0.255 eq 80 any

access-list 187 permit tcp any 199.40.254.0 0.0.0.255 eq 80

access-list 187 permit tcp 23.252.16.0 0.0.0.255 eq 8080 any

access-list 187 permit tcp any 23.252.16.0 0.0.0.255 eq 8080

access-list 187 permit tcp 10.250.66.0 0.0.0.255 eq 8080 any

access-list 187 permit tcp any 10.250.66.0 0.0.0.255 eq 8080

access-list 187 permit tcp 10.250.66.0 0.0.0.255 eq 80 any

access-list 187 permit tcp any 10.250.66.0 0.0.0.255 eq 80

access-list 187 permit tcp 199.40.254.0 0.0.0.255 eq 3128 any

access-list 187 permit tcp any 199.40.254.0 0.0.0.255 eq 3128

access-list 187 permit tcp 23.252.16.0 0.0.0.255 eq 3128 any

access-list 187 permit tcp any 23.252.16.0 0.0.0.255 eq 3128

access-list 187 permit tcp 10.250.66.0 0.0.0.255 eq 3128 any

access-list 187 permit tcp any 10.250.66.0 0.0.0.255 eq 3128

access-list 187 permit tcp 23.253.31.0 0.0.0.255 eq 8080 any

access-list 187 permit tcp any 23.253.31.0 0.0.0.255 eq 8080

access-list 187 permit tcp 23.253.31.0 0.0.0.255 eq 80 any

access-list 187 permit tcp any 23.253.31.0 0.0.0.255 eq 80

access-list 187 permit tcp 199.40.22.0 0.0.0.255 eq 8080 any

access-list 187 permit tcp any 199.40.22.0 0.0.0.255 eq 8080

access-list 187 permit tcp host 199.40.26.88 eq 8080 any

access-list 187 permit tcp any host 199.40.26.88 eq 8080

access-list 187 permit tcp host 199.40.26.88 eq 80 any

access-list 187 permit tcp any host 199.40.26.88 eq 80

access-list 187 permit tcp host 199.40.253.79 eq 8080 any

access-list 187 permit tcp any host 199.40.253.79 eq 8080

access-list 187 permit tcp host 199.40.253.79 eq 80 any

access-list 187 permit tcp any host 199.40.253.79 eq 80

access-list 187 permit tcp host 10.250.46.187 eq 3128 any

access-list 187 permit tcp any host 10.250.46.187 eq 3128

access-list 187 permit tcp host 10.250.46.187 eq 8080 any

access-list 187 permit tcp any host 10.250.46.187 eq 8080

access-list 187 permit tcp host 10.250.46.187 eq 80 any

access-list 187 permit tcp any host 10.250.46.187 eq 80

access-list 187 permit tcp 199.40.22.0 0.0.0.255 eq 3128 any

access-list 187 permit tcp any 199.40.22.0 0.0.0.255 eq 3128

access-list 187 permit tcp 199.40.22.0 0.0.0.255 eq 80 any

access-list 187 permit tcp any 199.40.22.0 0.0.0.255 eq 80

access-list 187 permit tcp 23.253.31.0 0.0.0.255 eq 3128 any

access-list 187 permit tcp any 23.253.31.0 0.0.0.255 eq 3128

access-list 187 permit tcp 23.252.18.0 0.0.0.255 eq 3128 any

access-list 187 permit tcp any 23.252.18.0 0.0.0.255 eq 3128

access-list 187 permit tcp 23.252.18.0 0.0.0.255 eq 8080 any

access-list 187 permit tcp any 23.252.18.0 0.0.0.255 eq 8080

access-list 187 permit tcp 23.252.18.0 0.0.0.255 eq 80 any

access-list 187 permit tcp any 23.252.18.0 0.0.0.255 eq 80

access-list 187 permit tcp 165.72.25.0 0.0.0.255 eq 8080 any

access-list 187 permit tcp any 165.72.25.0 0.0.0.255 eq 8080

access-list 187 permit tcp 199.40.175.0 0.0.0.255 eq 8080 any

access-list 187 permit tcp any 199.40.175.0 0.0.0.255 eq 8080

access-list 187 permit tcp 199.40.175.0 0.0.0.255 eq 80 any

access-list 187 permit tcp any 199.40.175.0 0.0.0.255 eq 80

access-list 187 permit tcp 23.156.24.0 0.0.0.255 eq 8080 any

access-list 187 permit tcp any 23.156.24.0 0.0.0.255 eq 8080

access-list 187 permit tcp 23.156.24.0 0.0.0.255 eq 80 any

access-list 187 permit tcp any 23.156.24.0 0.0.0.255 eq 80

access-list 187 permit tcp 199.40.144.0 0.0.0.255 eq 80 any

access-list 187 permit tcp any 199.40.144.0 0.0.0.255 eq 80

access-list 187 permit tcp 165.72.192.0 0.0.0.255 eq 80 any

access-list 187 permit tcp any 165.72.192.0 0.0.0.255 eq 80

access-list 187 permit tcp 10.22.23.0 0.0.0.255 eq 8080 any

access-list 187 permit tcp any 10.22.23.0 0.0.0.255 eq 8080

access-list 187 permit tcp 10.22.23.0 0.0.0.255 eq 80 any

access-list 187 permit tcp any 10.22.23.0 0.0.0.255 eq 80

access-list 187 permit tcp 10.22.23.0 0.0.0.255 eq 3128 any

access-list 187 permit tcp any 10.22.23.0 0.0.0.255 eq 3128

access-list 187 permit tcp 23.252.100.0 0.0.0.127 eq 8080 any

access-list 187 permit tcp any 23.252.100.0 0.0.0.127 eq 8080

access-list 187 permit tcp 23.252.100.0 0.0.0.127 eq 80 any

access-list 187 permit tcp any 23.252.100.0 0.0.0.127 eq 80

access-list 187 permit tcp 23.252.100.0 0.0.0.127 eq 3128 any

access-list 187 permit tcp any 23.252.100.0 0.0.0.127 eq 3128

access-list 187 permit tcp 199.40.20.0 0.0.0.255 eq 80 any

access-list 187 permit tcp any 199.40.20.0 0.0.0.255 eq 80

access-list 187 permit tcp 165.72.12.0 0.0.0.255 eq 80 any

access-list 187 permit tcp any 165.72.12.0 0.0.0.255 eq 80

access-list 187 permit tcp 23.253.32.0 0.0.0.255 eq 80 any

access-list 187 permit tcp any 23.253.32.0 0.0.0.255 eq 80

access-list 187 permit tcp 199.40.23.0 0.0.0.255 eq 80 any

access-list 187 permit tcp any 199.40.23.0 0.0.0.255 eq 80

access-list 187 permit tcp 199.40.30.0 0.0.0.255 eq 80 any

access-list 187 permit tcp any 199.40.30.0 0.0.0.255 eq 80

access-list 187 permit tcp 23.252.17.0 0.0.0.255 eq 80 any

access-list 187 permit tcp any 23.252.17.0 0.0.0.255 eq 80

access-list 187 permit tcp 10.250.62.0 0.0.0.255 eq 80 any

access-list 187 permit tcp any 10.250.62.0 0.0.0.255 eq 80

access-list 187 permit tcp 194.102.25.0 0.0.0.255 eq 80 any

access-list 187 permit tcp any 194.102.25.0 0.0.0.255 eq 80

!

!
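
One way to carry out the combination described at the top of the thread, as an added example that is not code from any of the posters: the negated list is flattened into a single first-match table by installing its entries ahead of the positive list with no_op, and the result is checked against a direct reading of the class-map. The rules are a constructed subset of access-lists xxx and 187; access-group 198 is not shown in the post and is left out; the action name set_class_af2, the helper names and the default destination address are assumptions.

```python
# Constructed subset of the ACLs posted in the thread. Each rule is a dict of
# field -> (lo, hi) range; an absent field is a wildcard ("any").
TCP = (6, 6)

def ip(a):
    """Dotted quad -> int, so a host is just a one-value range."""
    b = [int(x) for x in a.split(".")]
    return (b[0] << 24) | (b[1] << 16) | (b[2] << 8) | b[3]

def host(a):
    return (ip(a), ip(a))

ACL_XXX = [  # the negated list: "match not access-group xxx"
    {"proto": TCP, "dport": (8014, 8014)},
    {"proto": TCP, "sport": (8014, 8014)},
    {"proto": TCP, "dst": host("7.252.68.73")},
]
ACL_187 = [  # the positive list: "match access-group 187"
    {"proto": TCP, "dport": (3306, 3306)},
    {"proto": TCP, "sport": (1525, 1527)},
]

def rule_matches(rule, pkt):
    return all(lo <= pkt[f] <= hi for f, (lo, hi) in rule.items())

def flatten(include, exclude):
    """One first-match table: exclusions first with no_op, then inclusions."""
    return [(r, "no_op") for r in exclude] + [(r, "set_class_af2") for r in include]

def lookup(table, pkt, default="no_op"):
    for rule, action in table:      # list order models entry priority
        if rule_matches(rule, pkt):
            return action
    return default                  # miss -> default action

def reference(pkt):
    """Direct reading of the class-map: in 187 AND NOT in xxx."""
    hit = any(rule_matches(r, pkt) for r in ACL_187)
    excluded = any(rule_matches(r, pkt) for r in ACL_XXX)
    return "set_class_af2" if hit and not excluded else "no_op"

def pkt(sport, dport, dst="10.0.0.1", proto=6):   # dst default is constructed
    return {"proto": proto, "sport": sport, "dport": dport, "dst": ip(dst)}

TABLE = flatten(ACL_187, ACL_XXX)   # what the control plane would install
```

The equivalence holds only while every exclusion entry outranks every inclusion entry, so the install order (or entry priority) is part of the policy.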



