Hi Mahmood,

Only TCP and UDP are reflected.
The unit tests in test/test_acl_plugin_conns.py illustrate the usage of reflect with UDP. For the "stateful firewall" mental model in the head, imagine VPP as a router, having potentially a small independent 2-interface firewall on every interface.

--a

> On 9 May 2017, at 10:47, mahmood gholipour <mahmood.gholip...@gmail.com> wrote:
>
> Hi Andrew,
>
> First of all thanks for your answer.
>
> In a common stateful scenario, a state table of all the connections initiated from the internal LAN is maintained. For example it would only allow a TCP request from the outside world if it is a response to an outgoing request.
>
> So, I tested this on the ICMP protocol. I defined an input ACL with permit+reflect action and set it as input ACL for interface A. Then, I defined a deny ACL and set it as output ACL for interface A. I expected the ping reply to egress interface A and the output ACL not to drop this packet, but it happened. In fact, the permit+reflect action acts the same as the permit action. Is this true? If not, please provide me a config example that shows this difference between permit and permit+reflect action.
>
> Best Regards
>
>> On Mon, May 8, 2017 at 9:01 PM, Andrew 👽 Yourtchenko <ayour...@gmail.com> wrote:
>> Hi,
>>
>> Reflect is not evaluated across multiple interfaces, both ACLs must be on the same interface. Mentally you can imagine it like a tiny firewall attached inline with the VPP interface.
>>
>> You can look at the test/test_acl_plugin*.py files which are the unit tests for more specifics on how it is configured and tested.
>>
>> --a
>>
>>> On 8 May 2017, at 13:59, mahmood gholipour <mahmood.gholip...@gmail.com> wrote:
>>>
>>> Hi,
>>>
>>> I tested stateful ACL by writing an ACL rule with action of permit+reflect and it didn't work. Is this feature completed in 17.04 and is expected to work properly?
>>> I define one deny ACL rule and set it as inbound ACL for interface B and also define a permit+reflect ACL rule and set it as inbound ACL for interface A. I expected an SSH session to be established successfully. In this scenario interface A is the ingress interface and interface B is the egress interface. But packets are dropped by the inbound ACL on interface B.
>>>
>>> Best Regards,
>>>
>>> --
>>> Mahmood Gholipour
>>> M.Sc Candidate,
>>> School of Electrical and Computer Engineering,
>>> College of Engineering,
>>> University of Tehran
>>>
>>> _______________________________________________
>>> vpp-dev mailing list
>>> vpp-dev@lists.fd.io
>>> https://lists.fd.io/mailman/listinfo/vpp-dev
>
> --
>
> Mahmood Gholipour
> M.Sc Candidate,
> School of Electrical and Computer Engineering,
> College of Engineering,
> University of Tehran
>
> <acl.png>
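A constructed model, added here and not part of the thread or of the VPP acl-plugin code, of the per-interface reflect behaviour Andrew describes: every interface keeps its own session table, only TCP and UDP create reflected sessions, and a session learned on interface A is never consulted on interface B. The interface names, ACL contents and addresses are assumptions chosen to replay the two scenarios in Mahmood's mails.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "proto src sport dst dport")
Rule = namedtuple("Rule", "proto action")  # proto None = any; action: permit | deny | permit+reflect
REFLECTED = {"tcp", "udp"}                  # per the thread, only TCP and UDP are reflected

def reverse(pkt):
    """The 5-tuple of the reply direction."""
    return Pkt(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

class Interface:
    """One interface with its own input ACL, output ACL and private session table (toy model)."""
    def __init__(self, name, input_acl=(), output_acl=()):
        self.name = name
        self.acls = {"input": list(input_acl), "output": list(output_acl)}
        self.sessions = set()  # reflected 5-tuples; never consulted by any other interface

    def check(self, direction, pkt):
        """True if the packet is allowed in this direction on this interface."""
        if not self.acls[direction]:      # no ACL applied in this direction: pass
            return True
        if pkt in self.sessions:          # matches a session learned by permit+reflect
            return True
        for rule in self.acls[direction]:
            if rule.proto in (None, pkt.proto):
                if rule.action == "permit+reflect" and pkt.proto in REFLECTED:
                    self.sessions.update({pkt, reverse(pkt)})
                return rule.action != "deny"
        return False                      # implicit deny when no rule matches

def same_interface(proto):
    """Second mail: permit+reflect input ACL and deny output ACL, both on A."""
    a = Interface("A", input_acl=[Rule(None, "permit+reflect")], output_acl=[Rule(None, "deny")])
    req = Pkt(proto, "10.0.0.2", 40000, "192.0.2.1", 53)   # constructed addresses
    return a.check("input", req), a.check("output", reverse(req))

def across_interfaces():
    """First mail: permit+reflect input ACL on A, deny input ACL on B; the reply enters on B."""
    a = Interface("A", input_acl=[Rule(None, "permit+reflect")])
    b = Interface("B", input_acl=[Rule(None, "deny")])
    syn = Pkt("tcp", "10.0.0.2", 40000, "192.0.2.1", 22)   # constructed SSH connection
    return a.check("input", syn), b.check("output", syn), b.check("input", reverse(syn))

if __name__ == "__main__":
    print("icmp on A:", same_interface("icmp"))  # (True, False): reply dropped, ICMP not reflected
    print("udp on A:", same_interface("udp"))    # (True, True): reply matches the reflected session
    print("tcp A->B:", across_interfaces())      # (True, True, False): B has no session for it
```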