Thanks for testing! The l4 "port" values without the l4 protocol value set do not make sense and thus are ignored (since they mean totally different things for TCP and ICMP). So your rule becomes "permit+reflect any any", which is what you observe in your test.
See function make_mask_and_match_from_rule in the acl plug-in. You are welcome to submit a patch that makes the validation stricter to prevent others from making the same mistake.

--a

> On 11 Aug 2021, at 08:18, jankinca...@gmail.com wrote:
>
> acl_add_replace permit+reflect dport 21
> acl_add_replace deny
> acl_interface_set_acl_list enp10s0 input 9 output 8 9
>
> ssh can be accessed, but I don't understand.
>
> VPP version: v21.06
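To make the failure mode above concrete, here is an added example (not VPP code and not part of this thread) that models both behaviours on the VAT-style rule strings quoted in the question: a lenient pass that drops sport/dport when no proto is given, so the rule collapses to "any any" exactly as described in the reply, and the stricter validation the reply invites a patch for. The token syntax (action followed by src/dst/proto/sport/dport key-value pairs) and the convention that proto 0 or an absent proto means "any protocol" are assumptions made for this example.

```python
# Added example, not VPP's acl plug-in code. Assumed rule syntax:
#   <permit|deny|permit+reflect> [src X] [dst Y] [proto N] [sport P[-P]] [dport P[-P]]
# Assumption: proto 0 or no proto means "any protocol".
import re

ACTIONS = ("permit", "deny", "permit+reflect")
PORT_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")  # "21" or "1024-65535"


def parse_acl_rule(rule):
    """Tokenise one rule into a dict; raise ValueError on malformed input."""
    tokens = rule.split()
    if not tokens or tokens[0] not in ACTIONS:
        raise ValueError("rule must start with permit, deny or permit+reflect")
    r = {"action": tokens[0], "src": None, "dst": None,
         "proto": None, "sport": None, "dport": None}
    i = 1
    while i < len(tokens):
        key = tokens[i]
        if key == "action" or key not in r or i + 1 >= len(tokens):
            raise ValueError(f"unexpected or valueless token {key!r}")
        val = tokens[i + 1]
        if key == "proto":
            r["proto"] = int(val)
            if not 0 <= r["proto"] <= 255:
                raise ValueError("proto must be in 0..255")
        elif key in ("sport", "dport"):
            m = PORT_RE.match(val)
            lo, hi = (int(m.group(1)), int(m.group(2) or m.group(1))) if m else (-1, -1)
            if not 0 <= lo <= hi <= 65535:
                raise ValueError(f"bad port or port range {val!r}")
            r[key] = (lo, hi)
        else:
            r[key] = val  # src/dst prefix, kept verbatim
        i += 2
    return r


def lenient_effective_rule(rule):
    """Model the behaviour described in the reply: port fields are only
    meaningful together with a concrete L4 proto, so without one they are
    dropped and the rule silently widens to 'any any'."""
    r = parse_acl_rule(rule)
    parts = [r["action"],
             f"src {r['src']}" if r["src"] else "any",
             f"dst {r['dst']}" if r["dst"] else "any"]
    if r["proto"]:  # 0 / None: any protocol, ports ignored
        parts.append(f"proto {r['proto']}")
        for k in ("sport", "dport"):
            if r[k] is not None:
                parts.append(f"{k} {r[k][0]}-{r[k][1]}")
    return " ".join(parts)


def validate_acl_rule(rule):
    """Stricter check: return (ok, reason). sport/dport require a concrete
    proto, because they are ports for TCP/UDP but type/code for ICMP."""
    try:
        r = parse_acl_rule(rule)
    except ValueError as e:
        return False, str(e)
    has_ports = r["sport"] is not None or r["dport"] is not None
    if has_ports and not r["proto"]:
        return False, "sport/dport set but no proto: would silently become 'any any'"
    return True, "ok"


if __name__ == "__main__":
    for rule in ("permit+reflect dport 21", "permit+reflect proto 6 dport 21", "deny"):
        print(f"{rule!r:40} -> {lenient_effective_rule(rule)!r:45} strict={validate_acl_rule(rule)}")
```

Run against the first rule from the question, the lenient model returns "permit+reflect any any", which is why SSH (or anything else) still got through; the strict check rejects the same rule with a reason, and accepts it once "proto 6" is added.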