Hi Marco,

On 6/9/17, Marco Varlese <marco.varl...@suse.com> wrote:
> Hi Andrew,
>
> On Fri, 2017-06-09 at 13:53 +0200, Andrew 👽 Yourtchenko wrote:
>> Hi Marco,
>>
>> Yes, this works as expected, assuming after deletion *all* the traffic
>> is denied, rather than just the SSH traffic.
>>
>> If you apply to an interface the ACL# that does not exist, that is the
>> same as if there was an ACL with just the "deny all" semantics, to
>> avoid the perception that a given policy is enforced when it isn't -
>> so I erred on the side of caution.
>>
>> The way to remove the ACL: you would ensure the ACL is not applied to
>> the interface(s) first, then remove the ACL (or replace it with a
>> different policy in-place).
> Ok, which function would allow me to unset the ACL from an interface?
> I see on the documentation that 'acl_interface_add_del' is marked as "not
> recommended" hence I wonder whether it will soon be marked as deprecated
> and eventually removed.
I encourage the users to use the acl_interface_set_acl_list mostly because
it has a clearer (IMHO) semantics - removing all the ACLs means simply
setting the empty list for in+out...

As for the deprecation - I think it will be a while, if at all. And of
course if the users say "no, we find it useful and we need it", then it
won't be deprecated at all :-)

>
>> Alternatively, you can just replace the existing ACL in-place with
>> "permit any" for IPv4 and IPv6 - this way you explicitly state that
>> there is a policy to permit all the traffic.
>>
>> I've been bitten myself and seen several times in my career when an
>> applied but non-existent ACL caused problems later on, in the worst
>> possible moment. The current behaviour IMHO makes the config
>> discrepancy clear - what do you think ?
> In the past, when I had to work on ACL implementation, I approached the
> solution differently: an ACL (whether deny or permit) which is referenced
> (e.g. applied to one or multiple interfaces) if deleted would see a
> cascading effect (please, allow me the expression) of that deletion onto
> any interface which was referencing it.
>
> The "problem" I see - with the current approach - is that once an ACL is
> deleted it's much harder to understand / debug why a given flow is either
> permitted or not (depending on the action of the ACL). If you have
> hundreds or thousands of ACL/rules then things get complicated very
> quickly.
> Instead, by applying the "cascading" effect hence freeing the interfaces
> from the previous behaviour, things would have a 1:1 mapping between what
> you see in configuration (acl_dump) with the flows you see on the network.

True, this is also a valid approach, feel free to submit a gerrit doing
this. :-)

I will also add you to a draft of my work-in-progress quicker lookup so you
can see how it all interacts (and indeed will be happy to hear your
feedback on that one too!)
I think the definition of policy and its application from the control
plane standpoint in this day should be automated - so then the control
plane would have to do this housekeeping already anyway internally, thus
unapplying the ACL is (in my understanding) just a single call.

But I can see the benefits of the automatic cleanup too, so I am happy
with either way. (especially since this does not break the things for the
clients that do the unapply already).

--a

>
>> --a
> Cheers,
> Marco
>
>> On 6/9/17, Marco Varlese <marco.varl...@suse.com> wrote:
>> >
>> > Hi,
>> >
>> > I am trying the ACL functionality and I found a "strange" behaviour.
>> >
>> > The steps I follow to use an ACL are:
>> > * I create an ACL to deny SSH traffic between VMs (via the
>> >   'acl_add_replace' function)
>> > * Set that ACL to the interfaces involved (via the
>> >   'acl_interface_set_acl_list' function)
>> >
>> > After performing the above steps the traffic was correctly being
>> > blocked.
>> >
>> > However, when I decided to enable the SSH traffic again, I simply
>> > deleted the ACL (via the 'acl_del' function) with the consequence
>> > though that the traffic was still being denied.
>> >
>> > Is this behaviour correct?
>> > If so what would be the right way to unset hence disable a given ACL
>> > from an interface (or multiple)?
>> >
>> >
>> > Thanks,
>> > Marco
>> >
>> > _______________________________________________
>> > vpp-dev mailing list
>> > vpp-dev@lists.fd.io
>> > https://lists.fd.io/mailman/listinfo/vpp-dev
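The two deletion semantics argued over in this thread, as an added example that is not part of the thread or of the VPP code base. The model below does not talk to VPP; it only reproduces the behaviour Andrew describes (an ACL that is still applied after acl_del behaves as "deny all") and contrasts it with the cascading unapply Marco proposes, replaying Marco's deny-SSH scenario and both of Andrew's remedies (empty list via acl_interface_set_acl_list, or in-place replace with permit-any). Rule matching by protocol and destination port, the implicit deny at the end of an applied list, "no ACL applied means the plugin is not in the path", the interface name "vm1" and the sample traffic are all constructed assumptions here, not VPP's actual implementation. The dangling_references check is the kind of audit Marco's debugging concern calls for: it lists interfaces referencing ACLs that no longer exist.

```python
"""Toy model of the ACL-deletion semantics discussed on vpp-dev.

Added example, not VPP code. Matching rules, the implicit deny and
"nothing applied == permit" are simplifying assumptions of this model.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PERMIT, DENY = "permit", "deny"
TCP = 6


@dataclass(frozen=True)
class Rule:
    action: str                      # PERMIT or DENY
    proto: Optional[int] = None      # None matches any IP protocol
    dst_port: Optional[int] = None   # None matches any destination port

    def matches(self, proto: int, dst_port: int) -> bool:
        return ((self.proto is None or self.proto == proto)
                and (self.dst_port is None or self.dst_port == dst_port))


@dataclass
class AclPlugin:
    # False mirrors the current behaviour described in the thread;
    # True models Marco's proposal of unapplying a deleted ACL everywhere.
    cascade_on_delete: bool = False
    acls: Dict[int, List[Rule]] = field(default_factory=dict)
    applied: Dict[str, List[int]] = field(default_factory=dict)  # interface -> ACL indices
    next_index: int = 0

    def acl_add_replace(self, rules: List[Rule], acl_index: Optional[int] = None) -> int:
        """Create a new ACL (acl_index=None) or replace an existing one in place."""
        if acl_index is None:
            acl_index, self.next_index = self.next_index, self.next_index + 1
        self.acls[acl_index] = list(rules)
        return acl_index

    def acl_interface_set_acl_list(self, ifname: str, acl_indices: List[int]) -> None:
        """Replace the whole list applied to an interface; [] unapplies everything."""
        self.applied[ifname] = list(acl_indices)

    def acl_del(self, acl_index: int) -> None:
        del self.acls[acl_index]
        if self.cascade_on_delete:
            for ifname, lst in self.applied.items():
                self.applied[ifname] = [i for i in lst if i != acl_index]

    def evaluate(self, ifname: str, proto: int, dst_port: int) -> str:
        """Verdict for one packet arriving on ifname."""
        lst = self.applied.get(ifname, [])
        if not lst:
            return PERMIT  # assumption: nothing applied, plugin not in the path
        for idx in lst:
            rules = self.acls.get(idx)
            if rules is None:
                return DENY  # applied but non-existent ACL == "deny all"
            for rule in rules:
                if rule.matches(proto, dst_port):
                    return rule.action
        return DENY  # assumption: implicit deny when no rule matched

    def dangling_references(self) -> List[Tuple[str, int]]:
        """Config audit: interfaces referencing ACLs that no longer exist."""
        return [(ifname, idx) for ifname, lst in self.applied.items()
                for idx in lst if idx not in self.acls]


def deny_ssh_setup(cascade: bool) -> Tuple[AclPlugin, int]:
    """Marco's first two steps: a deny-SSH ACL applied to a VM interface."""
    plugin = AclPlugin(cascade_on_delete=cascade)
    acl = plugin.acl_add_replace([Rule(DENY, TCP, 22), Rule(PERMIT)])
    plugin.acl_interface_set_acl_list("vm1", [acl])
    return plugin, acl


def verdicts(plugin: AclPlugin) -> Tuple[str, str]:
    """(SSH verdict, HTTPS verdict) on vm1 for constructed sample traffic."""
    return plugin.evaluate("vm1", TCP, 22), plugin.evaluate("vm1", TCP, 443)


def delete_while_applied(cascade: bool) -> Tuple[Tuple[str, str], int]:
    """Marco's third step, acl_del on a still-applied ACL, under either policy."""
    plugin, acl = deny_ssh_setup(cascade)
    plugin.acl_del(acl)
    return verdicts(plugin), len(plugin.dangling_references())


def unapply_then_delete() -> Tuple[str, str]:
    """Andrew's first remedy: empty list on the interface, then acl_del."""
    plugin, acl = deny_ssh_setup(cascade=False)
    plugin.acl_interface_set_acl_list("vm1", [])
    plugin.acl_del(acl)
    return verdicts(plugin)


def replace_with_permit_any() -> Tuple[str, str]:
    """Andrew's second remedy: keep the ACL applied, replace it with permit-any."""
    plugin, acl = deny_ssh_setup(cascade=False)
    plugin.acl_add_replace([Rule(PERMIT)], acl_index=acl)
    return verdicts(plugin)


if __name__ == "__main__":
    print("current behaviour after acl_del:", delete_while_applied(False))
    print("cascading delete:", delete_while_applied(True))
    print("unapply then delete:", unapply_then_delete())
    print("replace with permit-any:", replace_with_permit_any())
```

Run stand-alone, the model shows the surprise Marco hit: with the current semantics, deleting the applied ACL turns both SSH and HTTPS into "deny" and leaves one dangling reference behind, while either remedy (or the cascading delete) restores "permit" for both and leaves no dangling reference.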