On Fri, 2017-06-09 at 14:27 +0200, Andrew 👽 Yourtchenko wrote: > Hi Marco, > > On 6/9/17, Marco Varlese <marco.varl...@suse.com> wrote: > > > > Hi Andrew, > > > > On Fri, 2017-06-09 at 13:53 +0200, Andrew 👽 Yourtchenko wrote: > > > > > > Hi Marco, > > > > > > Yes, this works as expected, assuming after deletion *all* the traffic > > > is denied, rather than just the SSH traffic. > > > > > > If you apply to an interface the ACL# that does not exist, that is the > > > same as if there was an ACL with just the "deny all" semantics, to > > > avoid the perception that a given policy is enforced when it isn't - > > > so I erred on the side of caution. > > > > > > The way to remove the ACL: you would ensure the ACL is not applied to > > > the interface(s) first, then remove the ACL (or replace it with a > > > different policy in-place). > > Ok, which function would allow me to unset the ACL from an interface? > > I see on the documentation that 'acl_interface_add_del' is marked as "not > > recommended" hence I wonder whether it will soon be marked as deprecated > > and > > eventually removed. > > I encourage the users to use the acl_interface_set_acl_list mostly > because it has a clearer (IMHO) semantics - removing all the ACLs > means simply setting the empty list for in+out... > > As for the deprecation - I think it will be a while, if at all. And of > course if the users say "no, we find it useful and we need it", then > it won't be deprecated at all :-) > > > > > > > > > > > > > > Alternatively, you can just replace the existing ACL in-place with > > > "permit any" for IPv4 and IPv6 - this way you explicitly state that > > > there is a policy to permit all the traffic. > > > > > > I've been bitten myself and seen several times in my career when an > > > applied but non-existent ACL caused problems later on, in the worst > > > possible moment. The current behaviour IMHO makes the config > > > discrepancy clear - what do you think ? > > In the past, when I had to work on ACL implementation, I approached the > > solution > > differently: an ACL (whether deny or permit) which is referenced (e.g. > > applied > > to one or multiple interfaces) if deleted would see a cascading effect > > (please, > > allow me the expression) of that deletion onto any interface which was > > referencing it. > > > > The "problem" I see - with the current approach - is that once an ACL is > > deleted > > it's much harder to understand / debug why a given flow is either permitted > > or > > not (depending on the action of the ACL). If you have hundreds or thousands > > of > > ACL/rules then things get complicated very quickly. > > Instead, by applying the "cascading" effect hence freeing the interfaces > > from > > the previous behaviour, things would have a 1:1 mapping between what you see > > in > > configuration (acl_dump) with the flows you see on the network. > > True, this is also a valid approach, feel free to submit a gerrit > doing this. :-) > Well, I can obviously code it but I won't code something which was discarded at design time or won't ever be accepted. If you feel it is a better approach then the current one then I will spend time on it...
> I will also add you to a draft of my work-in-progress quicker lookup > so you can see how it all interacts (and indeed will be happy to hear > your feedback on that one too!) > > I think the definition of policy and its application from the control > plane standpoint in this day should be automated - so then the > control plane would have to do this housekeeping already anyway > internally, thus unapplying the ACL is just (in my understanding) just > a single call. But I can see the benefits of the automatic cleanup > too, so I am happy with either way. (especially since this does not > break the things for the clients that do the unapply already). > > --a > > > > > > > > > > > > > > --a > > Cheers, > > Marco > > > > > > > > > > > On 6/9/17, Marco Varlese <marco.varl...@suse.com> wrote: > > > > > > > > > > > > Hi, > > > > > > > > I am trying the ACL functionality and I found a "strange" behaviour. > > > > > > > > The steps I follow to use an ACL are: > > > > * I create an ACL to deny SSH traffic between VMs (via the > > > > 'acl_add_replace' > > > > function) > > > > * Set that ACL to the interfaces involved (via the > > > > 'acl_interface_set_acl_list' > > > > function) > > > > > > > > After performing the above steps the traffic was correctly being > > > > blocked. > > > > > > > > However, when I decided to enable the SSH traffic again, I simply > > > > deleted > > > > the > > > > ACL (via the 'acl_del' function) with the consequence though that the > > > > traffic > > > > was still being denied. > > > > > > > > Is this behaviour correct? > > > > If so what would be the right way to unset hence disable a given ACL > > > > from an > > > > interface (or multiple)? > > > > > > > > > > > > Thanks, > > > > Marco > > > > > > > > _______________________________________________ > > > > vpp-dev mailing list > > > > vpp-dev@lists.fd.io > > > > https://lists.fd.io/mailman/listinfo/vpp-dev > > > > > > _______________________________________________ vpp-dev mailing list vpp-dev@lists.fd.io https://lists.fd.io/mailman/listinfo/vpp-dev
