On Fri, 2017-06-09 at 14:27 +0200, Andrew 👽  Yourtchenko wrote:
> Hi Marco,
> 
> On 6/9/17, Marco Varlese <marco.varl...@suse.com> wrote:
> > 
> > Hi Andrew,
> > 
> > On Fri, 2017-06-09 at 13:53 +0200, Andrew 👽  Yourtchenko wrote:
> > > 
> > > Hi Marco,
> > > 
> > > Yes, this works as expected, assuming after deletion *all* the traffic
> > > is denied, rather than just the SSH traffic.
> > > 
> > > If you apply to an interface the ACL# that does not exist, that is the
> > > same as if there was an ACL with just the "deny all" semantics, to
> > > avoid the perception that a given policy is enforced when it isn't -
> > > so I erred on the side of caution.
> > > 
> > > The way to remove the ACL: you would ensure the ACL is not applied to
> > > the interface(s) first, then remove the ACL (or replace it with a
> > > different policy in-place).
> > Ok, which function would allow me to unset the ACL from an interface?
> > I see in the documentation that 'acl_interface_add_del' is marked as "not
> > recommended", hence I wonder whether it will soon be marked as deprecated
> > and eventually removed.
> 
> I encourage the users to use the acl_interface_set_acl_list mostly
> because it has a clearer (IMHO) semantics - removing all the ACLs
> means simply setting the empty list for in+out...
> 
> As for the deprecation - I think it will be a while, if at all. And of
> course if the users say "no, we find it useful and we need it", then
> it won't be deprecated at all :-)
> 
> > 
> > 
> > > 
> > > 
> > > Alternatively, you can just replace the existing ACL in-place with
> > > "permit any" for IPv4 and IPv6 - this way you explicitly state that
> > > there is a policy to permit all the traffic.
> > > 
> > > I've been bitten myself and seen several times in my career when an
> > > applied but non-existent ACL caused problems later on, in the worst
> > > possible moment. The current behaviour IMHO makes the config
> > > discrepancy clear - what do you think ?
> > In the past, when I had to work on an ACL implementation, I approached the
> > solution differently: an ACL (whether deny or permit) which is referenced
> > (e.g. applied to one or multiple interfaces), if deleted, would see a
> > cascading effect (please allow me the expression) of that deletion onto any
> > interface which was referencing it.
> > 
> > The "problem" I see - with the current approach - is that once an ACL is
> > deleted it's much harder to understand / debug why a given flow is either
> > permitted or not (depending on the action of the ACL). If you have hundreds
> > or thousands of ACLs/rules then things get complicated very quickly.
> > Instead, by applying the "cascading" effect, hence freeing the interfaces
> > from the previous behaviour, things would have a 1:1 mapping between what
> > you see in the configuration (acl_dump) and the flows you see on the network.
> 
> True, this is also a valid approach, feel free to submit a gerrit
> doing this. :-)
> 
Well, I can obviously code it, but I won't code something which was discarded at
design time or won't ever be accepted.
If you feel it is a better approach than the current one, then I will spend time
on it...

> I will also add you to a draft of my work-in-progress quicker lookup
> so you can see how it all interacts (and indeed will be happy to hear
> your feedback on that one too!)
> 
> I think the definition of a policy and its application from the control
> plane standpoint in this day should be automated - so then the
> control plane would have to do this housekeeping already anyway
> internally, thus unapplying the ACL is (in my understanding) just
> a single call. But I can see the benefits of the automatic cleanup
> too, so I am happy with either way (especially since this does not
> break things for the clients that do the unapply already).
> 
> --a
> 
> > 
> > 
> > > 
> > > 
> > > --a
> > Cheers,
> > Marco
> > 
> > > 
> > > 
> > > On 6/9/17, Marco Varlese <marco.varl...@suse.com> wrote:
> > > > 
> > > > 
> > > > Hi,
> > > > 
> > > > I am trying the ACL functionality and I found a "strange" behaviour.
> > > > 
> > > > The steps I follow to use an ACL are:
> > > > * I create an ACL to deny SSH traffic between VMs (via the
> > > >   'acl_add_replace' function)
> > > > * Set that ACL to the interfaces involved (via the
> > > >   'acl_interface_set_acl_list' function)
> > > > 
> > > > After performing the above steps the traffic was correctly being
> > > > blocked.
> > > > 
> > > > However, when I decided to enable the SSH traffic again, I simply deleted
> > > > the ACL (via the 'acl_del' function), with the consequence though that the
> > > > traffic was still being denied.
> > > > 
> > > > Is this behaviour correct?
> > > > If so, what would be the right way to unset, hence disable, a given ACL
> > > > from an interface (or multiple)?
> > > > 
> > > > 
> > > > Thanks,
> > > > Marco
> > > > 
> > > > _______________________________________________
> > > > vpp-dev mailing list
> > > > vpp-dev@lists.fd.io
> > > > https://lists.fd.io/mailman/listinfo/vpp-dev
> > > 
> > 
> 
_______________________________________________
vpp-dev mailing list
vpp-dev@lists.fd.io
https://lists.fd.io/mailman/listinfo/vpp-dev
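To make the semantics discussed in this thread concrete, here is an added toy model of the plugin state (written for this page; it is not VPP or vpp_papi code): ACL indices referenced from per-interface in/out lists, a dangling index treated as "deny all", and the three ways of stopping the filtering compared: a bare acl_del, unapplying via an empty acl_interface_set_acl_list followed by acl_del, and in-place replacement with permit-any. The implicit deny when an applied ACL matches nothing is an assumption of the model, as are the method signatures.

```python
from dataclasses import dataclass, field
@dataclass
class Rule:
    permit: bool
    dport: int = None  # None matches any destination port

@dataclass
class AclModel:
    """Toy model of the plugin state described in the thread, not VPP code."""
    acls: dict = field(default_factory=dict)     # acl_index -> [Rule, ...]
    applied: dict = field(default_factory=dict)  # sw_if_index -> (in indices, out indices)
    next_index: int = 0

    def acl_add_replace(self, rules, acl_index=None):
        if acl_index is None:  # new ACL; otherwise replace the rules in place
            acl_index, self.next_index = self.next_index, self.next_index + 1
        self.acls[acl_index] = list(rules)
        return acl_index

    def acl_interface_set_acl_list(self, sw_if_index, inbound, outbound):
        # replaces the whole in+out list; two empty lists unapply every ACL
        self.applied[sw_if_index] = (list(inbound), list(outbound))

    def acl_del(self, acl_index):
        del self.acls[acl_index]  # interfaces keep referencing the dangling index
    def permitted(self, sw_if_index, dport, inbound=True):
        in_list, out_list = self.applied.get(sw_if_index, ([], []))
        acl_list = in_list if inbound else out_list
        if not acl_list:
            return True  # no ACL applied at all: traffic is not filtered
        for idx in acl_list:
            rules = self.acls.get(idx)
            if rules is None:
                return False  # applied-but-deleted ACL behaves as "deny all"
            for r in rules:
                if r.dport is None or r.dport == dport:
                    return r.permit
        return False  # ACLs applied but no rule matched: implicit deny (assumed)

def after_cleanup(mode):
    """(ssh_permitted, http_permitted) on sw_if_index 1 after 'disabling' the ACL."""
    m = AclModel()
    acl = m.acl_add_replace([Rule(permit=False, dport=22), Rule(permit=True)])
    m.acl_interface_set_acl_list(1, inbound=[acl], outbound=[acl])
    if mode == "unapply_then_delete":  # the order recommended in the thread
        m.acl_interface_set_acl_list(1, inbound=[], outbound=[])
        m.acl_del(acl)
    elif mode == "replace_with_permit_any":  # the in-place alternative
        m.acl_add_replace([Rule(permit=True)], acl_index=acl)
    else:  # "delete_only": what the original post did
        m.acl_del(acl)
    return m.permitted(1, 22), m.permitted(1, 80)
```

Only the bare delete leaves both SSH and unrelated traffic denied, which is the symptom reported at the start of the thread.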
