Hi Hyong,

When you use the acl plugin to apply an acl to an interface, it has the implicit “deny everything” in the end of processing.

If you want to only drop a selected port, you need to add an explicit “permit” at the end. If you didn’t do it, I would expect the results as you describe them.

You can take a look at logs created as part of “TEST=acl* make test”, as well as the test code in src/plugins/acl/test/* to have an idea of how the ACLs are being used, as well as various troubleshooting commands.

--a

> On 18 Jan 2021, at 18:28, hyong...@gmail.com wrote:
>
> Hi all,
>
> I'm using the python api to create an ACL rule and apply it to the egress side
> of an interface. The VPP version = 20.09-release, and the ACL plugin version
> is 1.4.
>
> The rule is to block all the packets addressed to a host's address at port
> 5555. When the rule is added to the interface, it blocks the said traffic,
> and when the rule is deleted from the interface, the traffic is allowed.
>
> Then I update (or replace) the rule so that it blocks packets addressed to
> port 6666. I use 'acl_add_replace()' with 'acl_index' set to the 'acl_index'
> received when creating the rule in the first place. I also check that
> 'acl_index' is the same as before.
>
> However, when I add the updated rule to the same interface, the traffic to
> port 5555 is still getting blocked, and when I remove the updated rule, the
> traffic to port 5555 is allowed. Seeing this, I didn't even try to generate
> the traffic to 6666 at this point.
>
> Given I'm new only to VPP but also to ACL, I feel I must be missing
> something. Any help would be greatly appreciated.
>
> Thanks,
> --Hyong
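Added example, not part of the thread and not VPP code: a small Python model of first-match ACL evaluation with the implicit trailing deny described in the reply, run against the two single-rule ACLs from the question and against a version with an explicit permit at the end. The Rule type, the helper names and the extra sample port 80 are assumptions made for illustration; this does not call the acl plugin API.

```python
# Model of first-match ACL evaluation with an implicit "deny everything" at the end.
# Rule, evaluate() and verdicts() are hypothetical names, not the VPP acl plugin API.
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    permit: bool
    dst_port: Optional[int] = None  # None matches any destination port


def evaluate(rules, dst_port):
    """Return True if a packet to dst_port is permitted by the applied ACL."""
    for rule in rules:
        if rule.dst_port is None or rule.dst_port == dst_port:
            return rule.permit  # the first matching rule decides
    return False  # nothing matched: implicit deny at the end of processing


def verdicts(rules, ports=(5555, 6666, 80)):
    """Map each sample destination port to its permit/deny verdict."""
    return {port: evaluate(rules, port) for port in ports}


# Constructed rule sets mirroring the thread.
DENY_5555 = [Rule(permit=False, dst_port=5555)]   # original ACL
DENY_6666 = [Rule(permit=False, dst_port=6666)]   # ACL after the replace
DENY_6666_THEN_PERMIT = [                         # with the explicit permit
    Rule(permit=False, dst_port=6666),
    Rule(permit=True),
]

if __name__ == "__main__":
    for name, acl in [
        ("deny 5555 only", DENY_5555),
        ("deny 6666 only", DENY_6666),
        ("deny 6666, then permit any", DENY_6666_THEN_PERMIT),
    ]:
        print(f"{name:28} {verdicts(acl)}")
```

Both single-rule ACLs deny port 5555, which matches the behaviour reported in the question; only the variant ending in a permit rule lets traffic to 5555 through while still dropping 6666.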