ACL
Access Control Lists (ACL) enable you to apply policies to traffic flows by setting matching criteria (for example, a 5-tuple) and actions (for example, pass/drop). An ACL can be used to restrict traffic forwarding, limit traffic rate, maintain statistics and trigger network address translation. ACL rules can be added or removed at any time and can apply to ingress and/or egress traffic at the port level.
To offload Linux ACL configuration to netdevs, which represent Marvell switch ports, use the TC flower filter tool.
Before configuring match rules on switch ports, you must create the queuing disciplines (qdiscs) to which the flower classifier is attached. Add an `ingress` qdisc or a `clsact` qdisc to the port using the following `tc` command:

```
tc qdisc add dev DEV-NAME {ingress|clsact}
```

Where `DEV-NAME` is the switchdev interface name, e.g. `sw1p1`.
To create an `ingress` qdisc:

```
tc qdisc add dev sw1p1 ingress
```

To create a `clsact` qdisc:

```
tc qdisc add dev sw1p10 clsact
```
NOTE: The `ingress` qdisc supports adding rules on ingress only. The `clsact` qdisc supports adding rules on both ingress and egress.
To list the existing qdiscs:

```
tc qdisc show
```

Example output of the show command:

```
qdisc ingress ffff: dev sw1p1 parent ffff:fff1 -------------
qdisc clsact ffff: dev sw1p10 parent ffff:fff1
```
The rest of the examples in this section use the `clsact` qdisc and generic commands for ACL rule configuration.

ACL rule configuration uses the following format:

```
tc [ OPTIONS ] filter [ add|show|delete ] dev DEV [ ingress|egress|root ] [ handle filter-id ] [ protocol PROTO ] [ { prio|pref } PRIORITY ] flower [ flower specific parameters ]
```
Where:

- `ingress` is used with the clsact qdisc for ingress rules.
- `egress` is used with the clsact qdisc for egress rules.
- `root` is used with the ingress qdisc.
For more information on flower specific parameters, see the tc-flower man page.
NOTE: The driver does not support all parameters. See Supported Actions, Keys and Rules for the full list of supported actions and keys.
Once the qdisc is created, you can add flower rules, which are bound to a specific qdisc/switchdev interface.

Rules can be defined in software, in hardware, or both:

- To define a rule in software only, add the `skip_hw` parameter.
- To define a rule in hardware only, add the `skip_sw` parameter.
- To define a rule in both software and hardware, omit these parameters.
For example, to create a flower rule which drops IP packets with source address 192.168.1.1, use the following command:

```
tc filter add dev sw1p1 ingress protocol ip pref 10 flower skip_sw src_ip 192.168.1.1 action drop
```

This adds a rule with priority (`pref`) 10, matching and dropping every IP packet with the source address 192.168.1.1.
NOTE: The `skip_sw` parameter instructs tc to skip inserting the rule into the kernel's datapath. If this keyword is omitted, the rule is inserted in both the kernel and the hardware. To add the rule to the kernel only, e.g. to filter CPU traffic, use the `skip_hw` key instead.
tc rules (filters) are ordered by priority (`pref`). If the priority is omitted, tc generates one automatically based on the flower rule/actions provided by the user. When a rule has the same priority as existing rules but a different match/action, it is added after all rules with this priority. The rule with the lowest `pref` number (highest priority) is evaluated first.
To create a flower rule which drops egress IP packets with source address 192.168.1.2, enter the following command:

```
tc filter add dev sw1p1 egress protocol ip pref 10 flower skip_sw src_ip 192.168.1.2 action drop
```
Similar commands can be used to pass the packet or trap it to the CPU. For example:

To add a pass rule with a different source IP address:

```
tc filter add dev sw1p1 ingress protocol ip pref 20 flower skip_sw src_ip 192.168.1.2 action pass
```

To add a trap-to-CPU rule:

```
tc filter add dev sw1p1 ingress protocol ip pref 30 flower skip_sw src_ip 192.168.1.3 action trap
```
NOTE: The `trap` action is supported only for ingress rules.
To show the filter rules of a qdisc:

```
tc filter show dev sw1p1 ingress
```

To observe statistics related to packets, bytes transmitted, or last time used, which are maintained on a per-rule basis, add the `-s` flag:

```
tc -s filter show dev sw1p1 ingress
```
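As an added example (not part of this page or the Prestera driver), the following Python audit parses `tc -s filter show` output into tc's evaluation order (lowest `pref` first) and reports rules that show `not_in_hw`, i.e. rules that were inserted only into the kernel datapath (as with `skip_hw`) and therefore do not filter traffic switched in hardware, as well as offloaded rules whose hardware counters are not of the `delayed` type Prestera supports. The embedded dump is constructed, modelled on tc's output layout for the pref 10 drop and pref 30 trap rules above.

```python
# Added example (not from the Marvell wiki): audit `tc -s filter show dev DEV ingress` output.
import re
# Constructed dump in tc's layout: the pref 10 drop rule (skip_sw, offloaded) and the pref 30
# trap rule from above, here added with skip_hw so it exists in the kernel datapath only.
SAMPLE_DUMP = """\
filter protocol ip pref 10 flower chain 0 handle 0x1
  in_hw in_hw_count 1
        action order 1: gact action drop
        Sent hardware 12800 bytes 100 pkt
        used_hw_stats delayed
filter protocol ip pref 30 flower chain 0 handle 0x1
  not_in_hw
        action order 1: gact action trap
        Sent hardware 0 bytes 0 pkt
"""
HANDLE_RE = re.compile(r"^filter protocol (\S+) pref (\d+) flower chain \d+ handle (0x[0-9a-f]+)")

def parse_filters(dump):
    """One dict per rule, sorted as tc evaluates them: lowest pref number first."""
    rules, cur = [], None
    for line in dump.splitlines():
        m, t = HANDLE_RE.match(line), line.split()
        if m:  # a rule starts at its handle line; the indented lines below belong to it
            cur = {"protocol": m[1], "pref": int(m[2]), "handle": m[3],
                   "in_hw": False, "action": None, "hw_pkts": 0, "hw_stats": None}
            rules.append(cur)
        elif cur is None or not t:
            continue
        elif t[0] in ("in_hw", "not_in_hw"):
            cur["in_hw"] = t[0] == "in_hw"
        elif t[:2] == ["action", "order"]:   # "action order 1: gact action drop"
            cur["action"] = t[-1]
        elif t[:2] == ["Sent", "hardware"]:  # "Sent hardware <bytes> bytes <pkts> pkt"
            cur["hw_pkts"] = int(t[4])
        elif t[0] == "used_hw_stats":
            cur["hw_stats"] = t[1]
    return sorted(rules, key=lambda r: r["pref"])  # stable: equal prefs keep insertion order

def audit(rules):
    """Operator findings: a not_in_hw rule never sees switched traffic (kernel path only);
    an offloaded Prestera rule should report delayed hardware counters."""
    out = []
    for r in rules:
        tag = f"pref {r['pref']} handle {r['handle']} {r['action']} ({r['hw_pkts']} hw pkts)"
        if not r["in_hw"]:
            out.append(f"{tag}: not_in_hw, filters kernel (CPU-path) traffic only")
        elif r["hw_stats"] != "delayed":
            out.append(f"{tag}: hw_stats {r['hw_stats']} (expected delayed)")
    return out
```

Feed it the real output of `tc -s filter show dev sw1p1 ingress` (and `egress`) to confirm that every rule meant to protect the port actually landed in hardware.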
See Supported Actions, Keys and Rules for the full list of supported rules. The following examples show how to use tc with other supported ACL keys (tc flower matches):

```
tc filter add dev sw1p1 ingress pref 25 protocol 0x8FF flower skip_sw action pass
tc filter add dev sw1p1 ingress prio 24 flower skip_sw src_mac 00:11:22:33:44:88 action drop
tc filter add dev sw1p1 ingress protocol ip flower skip_sw ip_proto tcp action drop
tc filter add dev sw1p1 ingress preference 43 protocol ip flower skip_sw ip_proto tcp src_port 39 action trap
tc filter add dev sw1p1 ingress protocol all flower skip_sw action drop
tc filter add dev sw1p1 ingress protocol ipv6 flower skip_sw src_ip 1::2 action drop
```
NOTE: Some tc command keys have aliases for some attributes. For example, the `pref` key can also be written as `prio`.
For a chain template with matches on IPv6 addresses, filter rules without an explicitly provided `protocol` are added for non-IPv6 traffic only. If you need to filter IPv6 traffic too, you have to explicitly add corresponding rules for it:

```
tc qdisc add dev sw1p1 clsact
# This rule applies to non-IPv6 traffic only, since the default template is used,
# which includes matches on IPv6 addresses
tc filter add dev sw1p1 ingress flower skip_sw src_mac 00:01:02:03:04:05 action drop
# This rule applies to IPv6 traffic only
tc filter add dev sw1p1 ingress protocol ipv6 flower skip_sw src_mac 00:01:02:03:04:05 action drop
```
If a chain template is explicitly provided and it does not contain matches on IPv6 addresses, then filters in that chain apply to all traffic, including IPv6:

```
tc qdisc add dev sw1p1 clsact
tc chain add dev sw1p1 ingress chain 0 flower src_mac 00:00:00:00:00:00
# This rule applies to all traffic, including IPv6, since an explicit template without matches on IPv6 addresses is used
tc filter add dev sw1p1 ingress flower skip_sw src_mac 00:01:02:03:04:05 action drop
```
A tc flower rule (ACL rule) is deleted based on the delete criteria provided by the user.

For example, to delete all rules with a given priority, use the following command:

```
tc filter del dev sw1p1 root prio 1
```

If there are multiple rules in the qdisc with the same priority, a specific rule can be deleted by its handle.

For example, to delete the rule with priority 1 and handle 0x2:

```
tc filter del dev sw1p1 root prio 1 handle 0x2 flower
```

NOTE: Use the `tc filter show dev sw1p1 root` command to determine which handle to use.

To delete all rules from a specific qdisc, use the following command:

```
tc filter del dev sw1p1 root
```

If an ACL is no longer going to be used on the switchdev interface, use the following command to destroy the qdisc together with all rules attached to it:

```
tc qdisc del dev sw1p1 parent ffff:
```
According to the tc-actions man page, a TC rule action supports hardware counters of type `immediate` or `delayed` (see the man page for more details). Prestera drivers support only `delayed` hardware counters.

Delayed hardware counters mean that in a dump the user gets hardware statistics that might be out of date for some time, possibly a couple of seconds. This is the case when the driver polls statistics updates periodically, or when it gets an asynchronous statistics update from the device.

In addition, hardware counters can be `disabled` during tc rule creation to save hardware counter resources. If the user does not explicitly provide a hardware statistics type, a `delayed` hardware counter is allocated and used by the rule.

Create an ACL rule with `delayed` hardware statistics:

```
tc filter add dev sw1p1 {ingress|egress} proto ip flower src_ip 1.1.1.0/2 action drop hw_stats delayed
```

If no hardware counter is available for the rule, the command fails with an `EINVAL` error, although it may still be possible to create the same rule with `disabled` statistics:

```
tc filter add dev sw1p1 {ingress|egress} proto ip flower src_ip 1.1.1.0/2 action drop hw_stats disabled
```
Supported Actions, Keys and Rules

Supported actions:

- `drop`
- `shot` (same as `drop`)
- `pass`
- `ok` (same as `pass`)
- `trap` (only for ingress rules)
- `goto` (only for ingress rules)
- `police`
- `nh`
- `nat`

Supported keys:

- `indev DEV-NAME` (useful when using qdisc blocks)
- `protocol PROTO` (`tc filter` option, not `flower` filter type)
- `dst_mac MASKED-LLADDR`
- `src_mac MASKED-LLADDR`
- `ip_proto [ tcp | udp ]` (`protocol [ ip | ipv6 ]`)
- `dst_ip PREFIX` (`protocol [ ip | ipv6 ]`) [1]
- `src_ip PREFIX` (`protocol [ ip | ipv6 ]`)
- `dst_port { NUMBER | MIN_VALUE-MAX_VALUE }` (`ip_proto [ tcp | udp ]`) [2]
- `src_port { NUMBER | MIN_VALUE-MAX_VALUE }` (`ip_proto [ tcp | udp ]`) [2]
- `vlan_id`
- `vlan_ethtype { ipv4 | HEX }`
- `type MASKED_TYPE` (`ip_proto icmp`)
- `code MASKED_CODE` (`ip_proto icmp`)

[1] Match on destination IPv6 address (`egress proto ipv6 flower dst_ip`) is not supported on AC5x.

[2] Port ranges are not supported for ingress IPv6 traffic (`ingress proto ipv6`).
Due to an iproute2 tc issue, `vlan_ethtype` cannot be combined with ICMP type/code matches. Use `protocol ip` to configure ICMP type/code matches.