Dear Emma, the behavior you are observing is expected. Since we do not do in-flight reassembly, in order to make the ACL work for the fragment we have to do first-match on a relaxed rule derived from L4 rule that would have matched that packet.
I think just issuing "set acl-plugin l4-match-nonfirst-fragment 0" at the debug CLI will get the behavior you are looking for, without any extra code changes. Please give it a shot and let me know.

--a

On 10/29/18, emma sdi <s3m2e1.6s...@gmail.com> wrote:
> Hi Dear VPP
> When I was trying to test fragmentation feature in VPP, I encountered a problem.
> Firstly, I added an acl as below:
>
> acl_add_replace deny proto 1 sport 2-2 dport 3-3, permit+reflect
>
> and then I saw that ICMP ping packets were passing through the VPP matching with second rule.
> At the next step I ran ping with "-s 5000". Then initial fragment was matched with second rule and non-initial fragments were matched with first rule and subsequently they were dropped (due to 3-tuple search for non-initial fragments in acl).
>
> To prevent this problem this commit would be helpful:
> https://gerrit.fd.io/r/#/c/15582/
> In this commit, acl-rule-search will try to find a permit rule matched with non-initial fragments, otherwise, those packets will be dropped.
> Although the solution is not a complete one and it has the problem of passing non-initial fragments unexpectedly, it will meet the requirement of passing fragmented packets. Also we can try to fix another problem due to rfc1858 <https://tools.ietf.org/html/rfc1858> in the future.
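As an added illustration of the fragment-matching behaviour discussed in this thread (example code written for this page, not VPP's own acl-plugin code): a small Python model of first-match ACL lookup with the l4-match-nonfirst-fragment knob, run against the thread's ACL. It assumes that a non-initial fragment carries no L4 header (its ports read as 0), that with the knob at 1 a protocol match alone decides a non-initial fragment (the "relaxed rule" of the reply), and that ICMP type/code occupy the port slots of the 5-tuple.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Rule:
    is_permit: bool
    proto: int = 0                        # 0 = any protocol ("proto" omitted)
    sport: Tuple[int, int] = (0, 65535)   # inclusive source port range
    dport: Tuple[int, int] = (0, 65535)   # inclusive destination port range

@dataclass
class Packet:
    proto: int
    is_nonfirst_fragment: bool = False
    sport: Optional[int] = None           # None: no L4 header in this fragment
    dport: Optional[int] = None

def in_range(value: int, rng: Tuple[int, int]) -> bool:
    return rng[0] <= value <= rng[1]

def acl_match(rules, pkt, l4_match_nonfirst_fragment=True):
    """First-match lookup; returns (rule_index, is_permit); (None, False) = implicit deny."""
    sport = 0 if pkt.sport is None else pkt.sport   # assumption: unknown ports read as 0
    dport = 0 if pkt.dport is None else pkt.dport
    for i, r in enumerate(rules):
        if r.proto:
            if r.proto != pkt.proto:
                continue
            if pkt.is_nonfirst_fragment and l4_match_nonfirst_fragment:
                return i, r.is_permit     # relaxed match: protocol only, ports ignored
            if not (in_range(sport, r.sport) and in_range(dport, r.dport)):
                continue
        return i, r.is_permit
    return None, False

# The ACL from the thread ("reflect" is not modelled; the rule is just a permit).
ACL = [Rule(is_permit=False, proto=1, sport=(2, 2), dport=(3, 3)), Rule(is_permit=True)]

# Constructed packets: first fragment of an echo request (assumed: ICMP type/code
# sit in the port slots of the 5-tuple) and a non-initial fragment of the same ping.
PING_FIRST = Packet(proto=1, sport=8, dport=0)
PING_NONFIRST = Packet(proto=1, is_nonfirst_fragment=True)

if __name__ == "__main__":
    for knob in (True, False):
        verdicts = [acl_match(ACL, p, knob) for p in (PING_FIRST, PING_NONFIRST)]
        print("l4-match-nonfirst-fragment", int(knob), verdicts)
```

With the knob at 1 the non-initial ping fragment hits the deny rule through the relaxed protocol-only match; with it at 0 it falls through to the permit rule. The trade-off the quoted message already points at is that with the knob at 0 a non-initial fragment of a packet whose first fragment was denied on ports can now be permitted, so the setting trades strict fragment handling for passing fragmented flows.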
View/Reply Online (#11015): https://lists.fd.io/g/vpp-dev/message/11015