Hi,
I am trying the ACL functionality and I found a "strange" behaviour.
The steps I follow to use an ACL are:
* I create an ACL to deny SSH traffic between VMs (via the 'acl_add_replace'
function)
* Set that ACL to the interfaces involved (via the 'acl_interface_set_acl_list'
function)
After pe
Hi Marco,
Yes, this works as expected, assuming after deletion *all* the traffic
is denied, rather than just the SSH traffic.
If you apply to an interface the ACL# that does not exist, that is the
same as if there was an ACL with just the "deny all" semantics, to
avoid the perception that a given
Hi Andrew,
On Fri, 2017-06-09 at 13:53 +0200, Andrew 👽 Yourtchenko wrote:
> Hi Marco,
>
> Yes, this works as expected, assuming after deletion *all* the traffic
> is denied, rather than just the SSH traffic.
>
> If you apply to an interface the ACL# that does not exist, that is the
> same as if
Hi Marco,
On 6/9/17, Marco Varlese wrote:
> Hi Andrew,
>
> On Fri, 2017-06-09 at 13:53 +0200, Andrew 👽 Yourtchenko wrote:
>> Hi Marco,
>>
>> Yes, this works as expected, assuming after deletion *all* the traffic
>> is denied, rather than just the SSH traffic.
>>
>> If you apply to an interface t
.
> -Original Message-
> From: vpp-dev-boun...@lists.fd.io [mailto:vpp-dev-boun...@lists.fd.io] On
> Behalf Of Andrew ?? Yourtchenko
> Sent: Friday, June 9, 2017 7:53
> To: Marco Varlese
> Cc: vpp-dev@lists.fd.io
> Subject: Re: [vpp-dev] Bind / Unbind of ACL
>
> Hi
;> Sent: Friday, June 9, 2017 7:53
>> To: Marco Varlese
>> Cc: vpp-dev@lists.fd.io
>> Subject: Re: [vpp-dev] Bind / Unbind of ACL
>>
>> Hi Marco,
>>
>> Yes, this works as expected, assuming after deletion *all* the traffic is
>> denied, rather than
On Fri, 2017-06-09 at 14:27 +0200, Andrew 👽 Yourtchenko wrote:
> Hi Marco,
>
> On 6/9/17, Marco Varlese wrote:
> >
> > Hi Andrew,
> >
> > On Fri, 2017-06-09 at 13:53 +0200, Andrew 👽  Yourtchenko wrote:
> > >
> > > Hi Marco,
> > >
> > > Yes, this works as expected, assuming after deletion *al
o [mailto:vpp-dev-boun...@lists.fd.io]
>>> On
>>> Behalf Of Andrew ?? Yourtchenko
>>> Sent: Friday, June 9, 2017 7:53
>>> To: Marco Varlese
>>> Cc: vpp-dev@lists.fd.io
>>> Subject: Re: [vpp-dev] Bind / Unbind of ACL
>>>
>>> Hi Marc
ogical that this is the
>> same
>> behavior as when matching falls off the end of the ACL.
>>
>> Chris.
>>
>>> -Original Message-
>>> From: vpp-dev-boun...@lists.fd.io [mailto:vpp-dev-boun...@lists.fd.io]
>>> On
>>
when the ACL
> is
> >> empty
> >> or non-existent? At the moment to me it seems logical that this is
> the
> >> same
> >> behavior as when matching falls off the end of the ACL.
> >>
> >> Chris.
> >>
>
me
> > > behavior as when matching falls off the end of the ACL.
> > >
> > > Chris.
> > >
> > > >
> > > > -Original Message-
> > > > From: vpp-dev-boun...@lists.fd.io [mailto:vpp-dev-boun...@lists.fd.io]
> > > >
that indicates the desired behavior when the ACL is
>> > > empty
>> > > or non-existent? At the moment to me it seems logical that this is
>> > > the
>> > > same
>> > > behavior as when matching falls off the end of the ACL.
>> > &
ty of it :)
> > > >
> > > > --a
> > > >
> > > > On 6/9/17, Luke, Chris wrote:
> > > > >
> > > > >
> > > > > Would it make sense to have a flag on the interface (or globally),
> > > > > set
> &g
d be best to tackle that post-17.07
> > > > > with a separate API message acl_del_and_unbind or similar ?
> > > > >
> > > > > I feel a beet wary of adding more hidden state (even though the
> > > > > reflected sessions table does provide alre
>>>>> "unbind_acl_from_everywhere; delete_acl" instead of
>>>>>> "delete_acl", maybe it would be best to tackle that post-17.07
>>>>>> with a separate API message acl_del_and_unbind or similar ?
>>>>>>
>&g
hris
> Cc: Marco Varlese ; vpp-dev@lists.fd.io
> Subject: Re: [vpp-dev] Bind / Unbind of ACL
>
> Ok! So what do you think if then we were to also disallow applying the ACL
> that doesn't exist yet ?
>
> It feels like it would be a matching symmetric behavior "from the o
metry.
>
> Chris.
>
>> -Original Message-
>> From: Andrew Yourtchenko [mailto:ayour...@gmail.com]
>> Sent: Friday, June 16, 2017 17:51
>> To: Luke, Chris
>> Cc: Marco Varlese ; vpp-dev@lists.fd.io
>> Subject: Re: [vpp-dev] Bind / Unbind of ACL
>>
&g
+1
> -Original Message-
> From: Andrew 👽 Yourtchenko [mailto:ayour...@gmail.com]
> Sent: Saturday, June 17, 2017 5:28
> To: Luke, Chris
> Cc: Marco Varlese ; vpp-dev@lists.fd.io
> Subject: Re: [vpp-dev] Bind / Unbind of ACL
>
> Perfect, thanks a lot!
>
>
nko [mailto:ayour...@gmail.com]
> > > Sent: Friday, June 16, 2017 17:51
> > > To: Luke, Chris
> > > Cc: Marco Varlese ; vpp-dev@lists.fd.io
> > > Subject: Re: [vpp-dev] Bind / Unbind of ACL
> > >
> > > Ok! So what do you think if then we
19 matches
Mail list logo
