Re: [vpp-dev] Bind / Unbind of ACL

2017-06-19 Thread Marco Varlese
From: Andrew Yourtchenko [mailto:ayour...@gmail.com] > > > Sent: Friday, June 16, 2017 17:51 > > > To: Luke, Chris <chris_l...@cable.comcast.com> > > > Cc: Marco Varlese <marco.varl...@suse.com>; vpp-dev@lists.fd.io > > > Subject: Re: [vpp-dev] Bind / Unb

Re: [vpp-dev] Bind / Unbind of ACL

2017-06-17 Thread Luke, Chris
+1 > -Original Message- > From: Andrew Yourtchenko [mailto:ayour...@gmail.com] > Sent: Saturday, June 17, 2017 5:28 > To: Luke, Chris <chris_l...@cable.comcast.com> > Cc: Marco Varlese <marco.varl...@suse.com>; vpp-dev@lists.fd.io > Subject: Re:

Re: [vpp-dev] Bind / Unbind of ACL

2017-06-17 Thread Andrew Yourtchenko
> Chris >> > >> >>> >> >>> --a >> >>> >> >>> >> >>> >> >>>> >> >>>> >> >>>> Cheers, >> >>>> Marco >> >>>> >> >>

Re: [vpp-dev] Bind / Unbind of ACL

2017-06-16 Thread Luke, Chris
ris <chris_l...@cable.comcast.com> > Cc: Marco Varlese <marco.varl...@suse.com>; vpp-dev@lists.fd.io > Subject: Re: [vpp-dev] Bind / Unbind of ACL > > Ok! So what do you think if then we were to also disallow applying the ACL > that doesn't exist yet ? > > It feels like it

Re: [vpp-dev] Bind / Unbind of ACL

2017-06-16 Thread Andrew Yourtchenko
t;>>> Assuming the only change is to effectively have >>>>>> "unbind_acl_from_everywhere; delete_acl" instead of >>>>>> "delete_acl", maybe it would be best to tackle that post-17.07 >>>>>> with a separate API message acl_

Re: [vpp-dev] Bind / Unbind of ACL

2017-06-16 Thread Luke, Chris
reflected sessions table does provide already plenty of it :) > > > > > > > > > > --a > > > > > > > > > > On 6/9/17, Luke, Chris <chris_l...@comcast.com> wrote: > > > > > > > > > > > > > > > >

Re: [vpp-dev] Bind / Unbind of ACL

2017-06-16 Thread Marco Varlese
flag on the interface (or globally), > > > > > set > > > > > when > > > > > applying the ACL, that indicates the desired behavior when the ACL is > > > > > empty > > > > > or non-existent? At the moment to me it seems logical that

Re: [vpp-dev] Bind / Unbind of ACL

2017-06-16 Thread Andrew Yourtchenko
>> > > set >> > > when >> > > applying the ACL, that indicates the desired behavior when the ACL is >> > > empty >> > > or non-existent? At the moment to me it seems logical that this is >> > > the >> > > same >> >

Re: [vpp-dev] Bind / Unbind of ACL

2017-06-16 Thread Marco Varlese
gical that this is the > > > same > > > behavior as when matching falls off the end of the ACL. > > > > > > Chris. > > > > > > > > > > > -Original Message- > > > > From: vpp-dev-boun...@lists.fd.io [mailto:vpp-

Re: [vpp-dev] Bind / Unbind of ACL

2017-06-15 Thread Andrew Yourtchenko
falls off the end of the ACL. > >> > >> Chris. > >> > >>> -Original Message- > >>> From: vpp-dev-boun...@lists.fd.io > [mailto:vpp-dev-boun...@lists.fd.io] > >>> On > >>> Behalf Of Andre

Re: [vpp-dev] Bind / Unbind of ACL

2017-06-15 Thread Luke, Chris
.@lists.fd.io [mailto:vpp-dev-boun...@lists.fd.io] >>> On >>> Behalf Of Andrew Yourtchenko >>> Sent: Friday, June 9, 2017 7:53 >>> To: Marco Varlese <marco.varl...@suse.com> >>> Cc: vpp-dev@lists.fd.io >>> Subject

Re: [vpp-dev] Bind / Unbind of ACL

2017-06-15 Thread Andrew Yourtchenko
>>> From: vpp-dev-boun...@lists.fd.io [mailto:vpp-dev-boun...@lists.fd.io] >>> On >>> Behalf Of Andrew Yourtchenko >>> Sent: Friday, June 9, 2017 7:53 >>> To: Marco Varlese <marco.varl...@suse.com> >>> Cc: vpp-dev@lists.fd.io >

Re: [vpp-dev] Bind / Unbind of ACL

2017-06-09 Thread Marco Varlese
On Fri, 2017-06-09 at 14:27 +0200, Andrew Yourtchenko wrote: > Hi Marco, > > On 6/9/17, Marco Varlese wrote: > > > > Hi Andrew, > > > > On Fri, 2017-06-09 at 13:53 +0200, Andrew Yourtchenko wrote: > > > > > > Hi Marco, > > > > > > Yes, this works as expected,

Re: [vpp-dev] Bind / Unbind of ACL

2017-06-09 Thread Andrew Yourtchenko
ehalf Of Andrew Yourtchenko >> Sent: Friday, June 9, 2017 7:53 >> To: Marco Varlese <marco.varl...@suse.com> >> Cc: vpp-dev@lists.fd.io >> Subject: Re: [vpp-dev] Bind / Unbind of ACL >> >> Hi Marco, >> >> Yes, this works as expected, assuming afte

Re: [vpp-dev] Bind / Unbind of ACL

2017-06-09 Thread Luke, Chris
. > -Original Message- > From: vpp-dev-boun...@lists.fd.io [mailto:vpp-dev-boun...@lists.fd.io] On > Behalf Of Andrew Yourtchenko > Sent: Friday, June 9, 2017 7:53 > To: Marco Varlese <marco.varl...@suse.com> > Cc: vpp-dev@lists.fd.io > Subject: Re: [vpp-dev] B

Re: [vpp-dev] Bind / Unbind of ACL

2017-06-09 Thread Marco Varlese
Hi Andrew, On Fri, 2017-06-09 at 13:53 +0200, Andrew Yourtchenko wrote: > Hi Marco, > > Yes, this works as expected, assuming after deletion *all* the traffic > is denied, rather than just the SSH traffic. > > If you apply to an interface the ACL# that does not exist, that is the > same as

Re: [vpp-dev] Bind / Unbind of ACL

2017-06-09 Thread Andrew Yourtchenko
Hi Marco, Yes, this works as expected, assuming after deletion *all* the traffic is denied, rather than just the SSH traffic. If you apply to an interface the ACL# that does not exist, that is the same as if there was an ACL with just the "deny all" semantics, to avoid the perception that a

[vpp-dev] Bind / Unbind of ACL

2017-06-09 Thread Marco Varlese
Hi, I am trying the ACL functionality and I found a "strange" behaviour. The steps I follow to use an ACL are: * I create an ACL to deny SSH traffic between VMs (via the 'acl_add_replace' function) * Set that ACL to the interfaces involved (via the 'acl_interface_set_acl_list' function) After