Thanks Andrew, I've successfully run the acl_plugin test. BTW, just replying here for latecomers: run "V=2 EXTENDED_TESTS=1 TEST=acl_plugin* make test" to run more tests and print verbosely.
Since I'm testing stateful ACL by watching the behavior of test_acl_plugin_conns.py, along with the explanation from "Statefull ACL" ( https://lists.fd.io/g/vpp-dev/topic/10641774#4928 ), my test case was the following, to test client 172.16.0.1 (call it A here) accessing client 172.16.1.1 (call it B here):

    set acl-plugin session timeout udp idle 200
    set acl-plugin session timeout tcp idle 10
    set acl-plugin session timeout tcp transient 1
    acl_add_replace ipv4 permit+reflect src 172.16.0.1/32 dst 172.16.1.1/32 proto 6 dport 80, ipv4 deny any   # index 2
    acl_add_replace ipv4 deny any   # index 0
    acl_interface_set_acl_list vxlan_tunnel10 input 2 output 0
    acl_interface_set_acl_list vxlan_tunnel11 input

The cases behave like this:

    #1: A pings B, unreachable
    #2: A accesses B tcp port 22, unreachable
    #3: A accesses B tcp port 80, reachable

Q1: #1/#2 work well, but why does #3 still work: even when A has finished the existing connection and establishes a new tcp dport 80 connection to B, the connection can still be established. Is this a bug or a feature of 'permit+reflect'?

Q2: How does ACL define 'stateful ACL' or 'connection', since a newly established connection won't be treated as a related connection in Netfilter?

Q3: What is 'transient'?
View/Reply Online (#13893): https://lists.fd.io/g/vpp-dev/message/13893