Kaneko-San,

My replies inline below... hope they help you.


> On 7 Feb 2018, at 12:43, kaneko <kaneko.hito...@lab.ntt.co.jp> wrote:
> 
> Hello, my name is Hitoshi Kaneko.
> 
> I belong to NTT Laboratories.
> 
> I am evaluating VPP and have some questions.
> 
>  
> 
> (1)Question 1
> 
> I have wanted to evaluate Access Control List of VPP.
> 
> About this feature, I have used the acl_add_replace and 
> acl_interface_set_acl_list commands and I have seen packets stop, i.e.,
> I have input the commands below.
> 
> "acl_add_replace ipv4 deny src 192.168.10.15/32"
> 
> "acl_interface_set_acl_list sw_if_index 1 input 0 output"
> 
> But, at the same time, all the packets, i.e., those whose source IP addresses are 
> not 192.168.10.15/32, have also stopped.
> 
> Please teach me how to stop only the packets whose source IP addresses are 
> 192.168.10.15/32.
> 

There is an implicit “deny all” after acl evaluation. So this configuration 
drops all traffic. You need to add “permit any any” to the end of the acl to 
permit the packets which did not match yet.

> (Of course, all the packets have passed through the VPP if that ACL rule has 
> been deleted.)
> 
> 
> 
> (2)Question 2
> 
> Ultimately, I want only the packets whose source IP addresses are 
> 192.168.10.15/32 to pass through the VPP, for example, below.
> 
> "acl_add_replace ipv4 deny"
> 
> "acl_add_replace ipv4 permit src 192.168.10.15/32"
> 
> "acl_interface_set_acl_list sw_if_index 1 input 0 1 output"
> 
> 
> 
> 
> But, when I have input the commands below,
> 
> "acl_add_replace ipv4 permit src 192.168.10.15/32"
> 
> "acl_interface_set_acl_list sw_if_index 1 input 0  output"
> 
> all the packets have stopped, like the events of question 1.
> 
You can use the “show acl-plugin acl” and “show acl-plugin interface” debug CLI to 
verify that the ACLs are correct and are applied to the correct interfaces, as 
well as the packet tracer (“trace add dpdk-input 50” and “show trace”) to 
verify what is happening with the packets.

I am assuming sw_if_index 1 is the interface which is connected to 
192.168.10.15, since the acl is applied ingress.

—a


> 
> Regards,
> 
> Hitoshi Kaneko
> 
>  
> 
> E-mail: kaneko.hito...@lab.ntt.co.jp
> 
> Phone: +81 422 59 4946
> 
> _______________________________________________
> vpp-dev mailing list
> vpp-dev@lists.fd.io
> https://lists.fd.io/mailman/listinfo/vpp-dev
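The following is an added illustration, not code from the thread or from the VPP project. It is a toy model of first-match ACL evaluation with an implicit final deny, accepting only the two command forms quoted above (a comma-separated rule list in acl_add_replace is assumed, as in the acl-plugin debug CLI; ACLs without an explicit index are numbered sequentially, and the ACLs in an interface list are assumed to be evaluated in the order given, first match wins). It reproduces question 1 as posted (everything dropped), question 1 with a trailing "permit" (only the host dropped), question 2 as first posted with "deny" as ACL 0 ahead of the "permit" ACL (everything dropped, since the deny-all matches first), and question 2 with only the "permit src" ACL applied, relying on the implicit deny. In this model that last configuration does let the host through, so if the real system still drops everything, the difference lies in what is actually installed or which interface the host's packets enter on, which is exactly what the "show acl-plugin" and "trace" commands in the reply would reveal.

```python
"""Toy model of VPP-style ACL evaluation: first matching rule wins, and a
packet that matches no rule in any applied ACL is dropped (implicit deny).
Illustrative re-implementation only; it is not the VPP acl-plugin parser."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


class AclState:
    def __init__(self):
        self.acls = []        # ACL index -> list of (action, src_network)
        self.interfaces = {}  # sw_if_index -> {"input": [acl...], "output": [acl...]}

    def run(self, cmd):
        parts = cmd.split()
        if parts[0] == "acl_add_replace":
            return self._acl_add_replace(parts[1:])
        if parts[0] == "acl_interface_set_acl_list":
            return self._set_acl_list(parts[1:])
        raise ValueError(f"unsupported command in this toy model: {cmd}")

    def _acl_add_replace(self, toks):
        # Rules are comma-separated; each is "[ipv4] <permit|deny> [src <prefix>]".
        # Assumption: every call creates a new ACL with the next free index.
        rules = []
        for rule_text in " ".join(toks).split(","):
            t = rule_text.split()
            if t[0] == "ipv4":
                t = t[1:]
            action = t[0]
            if action not in ("permit", "deny"):
                raise ValueError(f"unknown action {action!r}")
            src = ipaddress.ip_network(t[2]) if len(t) > 2 and t[1] == "src" else ANY
            rules.append((action, src))
        self.acls.append(rules)
        return len(self.acls) - 1

    def _set_acl_list(self, toks):
        # toks example: ["sw_if_index", "1", "input", "0", "1", "output"]
        if toks[0] != "sw_if_index":
            raise ValueError("expected sw_if_index")
        sw_if = int(toks[1])
        lists = {"input": [], "output": []}
        current = None
        for tok in toks[2:]:
            if tok in lists:
                current = tok
            elif current is None:
                raise ValueError("ACL index before direction keyword")
            else:
                lists[current].append(int(tok))
        self.interfaces[sw_if] = lists
        return lists

    def classify(self, sw_if, direction, src_ip):
        """Return (action, reason) for a packet with the given source address."""
        src = ipaddress.ip_address(src_ip)
        for acl_index in self.interfaces[sw_if][direction]:
            for rule_no, (action, net) in enumerate(self.acls[acl_index]):
                if src in net:
                    return action, f"acl {acl_index} rule {rule_no}"
        return "deny", "implicit deny: no rule matched"


# Constructed test traffic: the host named in the thread and an unrelated host.
PROBES = ("192.168.10.15", "192.168.10.20")


def _verdicts(state):
    return {ip: state.classify(1, "input", ip)[0] for ip in PROBES}


def question1():
    s = AclState()
    s.run("acl_add_replace ipv4 deny src 192.168.10.15/32")
    s.run("acl_interface_set_acl_list sw_if_index 1 input 0 output")
    return _verdicts(s)  # both denied: the implicit deny catches everything else


def question1_fixed():
    s = AclState()
    s.run("acl_add_replace ipv4 deny src 192.168.10.15/32, permit")
    s.run("acl_interface_set_acl_list sw_if_index 1 input 0 output")
    return _verdicts(s)  # only 192.168.10.15 denied


def question2_as_posted():
    s = AclState()
    s.run("acl_add_replace ipv4 deny")
    s.run("acl_add_replace ipv4 permit src 192.168.10.15/32")
    s.run("acl_interface_set_acl_list sw_if_index 1 input 0 1 output")
    return _verdicts(s)  # both denied: the deny-all ACL is evaluated first


def question2_fixed():
    s = AclState()
    s.run("acl_add_replace ipv4 permit src 192.168.10.15/32")
    s.run("acl_interface_set_acl_list sw_if_index 1 input 0 output")
    return _verdicts(s)  # only 192.168.10.15 permitted, implicit deny for the rest


if __name__ == "__main__":
    for name, fn in [("Q1 as posted", question1), ("Q1 with trailing permit", question1_fixed),
                     ("Q2 as posted", question2_as_posted), ("Q2 permit only", question2_fixed)]:
        print(f"{name}: {fn()}")
```

The `classify` reason string is the toy equivalent of what "show trace" gives on the real system: it tells you which ACL and rule (or the implicit deny) decided the packet's fate, which is the first thing to check when an ACL appears to drop more than intended.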