Hi Andrew,

On Fri, 2017-06-09 at 13:53 +0200, Andrew 👽  Yourtchenko wrote:
> Hi Marco,
> 
> Yes, this works as expected, assuming after deletion *all* the traffic
> is denied, rather than just the SSH traffic.
> 
> If you apply to an interface the ACL# that does not exist, that is the
> same as if there was an ACL with just the "deny all" semantics, to
> avoid the perception that a given policy is enforced when it isn't -
> so I erred on the side of caution.
> 
> The way to remove the ACL: you would ensure the ACL is not applied to
> the interface(s) first, then remove the ACL (or replace it with a
> different policy in-place).
Ok, which function would allow me to unset the ACL from an interface?
I see in the documentation that 'acl_interface_add_del' is marked as "not
recommended", so I wonder whether it will soon be marked as deprecated and
eventually removed.

> 
> Alternatively, you can just replace the existing ACL in-place with
> "permit any" for IPv4 and IPv6 - this way you explicitly state that
> there is a policy to permit all the traffic.
> 
> I've been bitten myself and seen several times in my career when an
> applied but non-existent ACL caused problems later on, in the worst
> possible moment. The current behaviour IMHO makes the config
> discrepancy clear - what do you think ?
In the past, when I had to work on an ACL implementation, I approached the solution
differently: an ACL (whether deny or permit) which is referenced (e.g. applied
to one or multiple interfaces) would, if deleted, see a cascading effect (please
allow me the expression) of that deletion onto any interface which was
referencing it.

The "problem" I see - with the current approach - is that once an ACL is deleted
it's much harder to understand / debug why a given flow is either permitted or
not (depending on the action of the ACL). If you have hundreds or thousands of
ACL/rules then things get complicated very quickly.
Instead, by applying the "cascading" effect, hence freeing the interfaces from
the previous behaviour, there would be a 1:1 mapping between what you see in the
configuration (acl_dump) and the flows you see on the network.

> 
> --a
Cheers,
Marco

> 
> On 6/9/17, Marco Varlese <marco.varl...@suse.com> wrote:
> > 
> > Hi,
> > 
> > I am trying the ACL functionality and I found a "strange" behaviour.
> > 
> > The steps I follow to use an ACL are:
> > * I create an ACL to deny SSH traffic between VMs (via the 'acl_add_replace'
> > function)
> > * Set that ACL to the interfaces involved (via the
> > 'acl_interface_set_acl_list'
> > function)
> > 
> > After performing the above steps the traffic was correctly being blocked.
> > 
> > However, when I decided to enable the SSH traffic again, I simply deleted
> > the
> > ACL (via the 'acl_del' function) with the consequence though that the
> > traffic
> > was still being denied.
> > 
> > Is this behaviour correct?
> > If so what would be the right way to unset hence disable a given ACL from an
> > interface (or multiple)?
> > 
> > 
> > Thanks,
> > Marco
> > 
> > _______________________________________________
> > vpp-dev mailing list
> > vpp-dev@lists.fd.io
> > https://lists.fd.io/mailman/listinfo/vpp-dev
> 
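The two deletion semantics argued over above (Andrew's "an applied but non-existent ACL index behaves as deny-all" versus Marco's "deleting an ACL detaches it from every interface"), replayed in a small model. This is an added illustration, not the VPP ACL plugin's code: the method names mirror the API calls mentioned in the thread for readability only, their signatures are simplified, and the "no ACL applied means not policed, applied ACLs with no matching rule means deny" behaviour is an assumption of the model, not something verified against VPP.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

PERMIT, DENY = "permit", "deny"


@dataclass(frozen=True)
class Rule:
    action: str                  # PERMIT or DENY
    proto: Optional[int] = None  # IP protocol (6 = TCP); None matches any
    dport: Optional[int] = None  # destination port; None matches any

    def matches(self, proto: int, dport: int) -> bool:
        return self.proto in (None, proto) and self.dport in (None, dport)


DENY_ALL = [Rule(DENY)]  # what a dangling (deleted but still applied) ACL index evaluates as


class AclModel:
    """Toy ACL store: acl_index -> rules, sw_if_index -> ordered list of acl indices.

    dangling="fail_closed": a deleted-but-still-applied ACL acts as deny-all
                            (the behaviour Andrew describes).
    dangling="cascade":     deleting an ACL also detaches it from every interface
                            (the behaviour Marco proposes).
    """

    def __init__(self, dangling: str = "fail_closed") -> None:
        assert dangling in ("fail_closed", "cascade")
        self.dangling = dangling
        self.acls: Dict[int, List[Rule]] = {}
        self.iface_acls: Dict[int, List[int]] = {}
        self._next_index = 0

    def acl_add_replace(self, rules: List[Rule], acl_index: Optional[int] = None) -> int:
        if acl_index is None:  # allocate a fresh index
            acl_index, self._next_index = self._next_index, self._next_index + 1
        self.acls[acl_index] = list(rules)  # replaces in place if the index exists
        return acl_index

    def acl_interface_set_acl_list(self, sw_if_index: int, acl_indices: List[int]) -> None:
        # An empty list means "no policy on this interface".
        self.iface_acls[sw_if_index] = list(acl_indices)

    def acl_del(self, acl_index: int) -> None:
        del self.acls[acl_index]
        if self.dangling == "cascade":
            for sw, lst in self.iface_acls.items():
                self.iface_acls[sw] = [i for i in lst if i != acl_index]

    def acl_dump(self) -> Dict[int, List[Rule]]:
        return {k: list(v) for k, v in self.acls.items()}

    def check(self, sw_if_index: int, proto: int, dport: int) -> str:
        """Verdict for one flow on an interface (model assumptions, see lead-in)."""
        applied = self.iface_acls.get(sw_if_index, [])
        if not applied:
            return PERMIT  # not policed at all
        for idx in applied:
            rules = self.acls.get(idx, DENY_ALL)  # dangling index -> deny-all
            for rule in rules:
                if rule.matches(proto, dport):
                    return rule.action
        return DENY  # policed, but nothing matched


def walkthrough(dangling: str = "fail_closed") -> Dict[str, str]:
    """Replay the steps from the thread for SSH (TCP/22) and HTTP (TCP/80) on sw_if_index 1."""
    block_ssh = [Rule(DENY, proto=6, dport=22), Rule(PERMIT)]
    out: Dict[str, str] = {}

    # What Marco did: apply, then delete the ACL while it is still applied.
    m = AclModel(dangling)
    idx = m.acl_add_replace(block_ssh)
    m.acl_interface_set_acl_list(1, [idx])
    out["applied_ssh"], out["applied_http"] = m.check(1, 6, 22), m.check(1, 6, 80)
    m.acl_del(idx)
    out["deleted_ssh"], out["deleted_http"] = m.check(1, 6, 22), m.check(1, 6, 80)

    # Order Andrew recommends: detach from the interface first, then delete.
    m = AclModel(dangling)
    idx = m.acl_add_replace(block_ssh)
    m.acl_interface_set_acl_list(1, [idx])
    m.acl_interface_set_acl_list(1, [])
    m.acl_del(idx)
    out["detached_ssh"], out["detached_http"] = m.check(1, 6, 22), m.check(1, 6, 80)

    # Alternative Andrew mentions: replace the ACL in place with an explicit permit-any.
    m = AclModel(dangling)
    idx = m.acl_add_replace(block_ssh)
    m.acl_interface_set_acl_list(1, [idx])
    m.acl_add_replace([Rule(PERMIT)], acl_index=idx)
    out["replaced_ssh"], out["replaced_http"] = m.check(1, 6, 22), m.check(1, 6, 80)
    out["replaced_policy_visible"] = str(idx in m.acl_dump())
    return out
```

Under `fail_closed`, the "delete while still applied" step is the surprise Marco reported: both SSH and HTTP come back as deny, because the dangling index evaluates as deny-all. Detaching before deleting, or replacing in place with permit-any, both restore traffic; the in-place replacement has the advantage Andrew points to, namely that `acl_dump` still shows an explicit policy rather than nothing. Under `cascade` the naive delete also restores traffic, which is the 1:1 configuration-to-behaviour mapping Marco argues for, at the cost of an interface silently losing its policy.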