Hi Dear VPP,

When I was trying to test the fragmentation feature in VPP, I encountered a problem. First, I added an ACL as below:

acl_add_replace deny proto 1 sport 2-2 dport 3-3, permit+reflect

and then I saw that ICMP ping packets were passing through the VPP, matching the second rule. At the next step I ran ping with "-s 5000". Then the initial fragment was matched with the second rule and the non-initial fragments were matched with the first rule, and subsequently they were dropped (due to the 3-tuple search for non-initial fragments in acl). To prevent this problem this commit would be helpful: https://gerrit.fd.io/r/#/c/15582/

In this commit, acl-rule-search will try to find a permit rule matched with non-initial fragments; otherwise, those packets will be dropped. Although the solution is not a complete one and it has the problem of passing non-initial fragments unexpectedly, it will meet the requirement of passing fragmented packets. Also, we can try to fix another problem due to RFC 1858 <https://tools.ietf.org/html/rfc1858> in the future.
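The behaviour described in the message, as an added model that is not VPP's code: a first-match ACL where a non-initial fragment carries no L4 header and so can only be matched on the 3-tuple, compared with the permit-only search the referenced change proposes. The port ranges stand for ICMP type and code, as VPP's ACL rules use them for proto 1; addresses are omitted because both rules in the message match any address.

```python
# Constructed model of first-match ACL evaluation over IP fragments (not VPP code).
from dataclasses import dataclass
from typing import List, Optional, Tuple

ICMP = 1

@dataclass
class Rule:
    action: str                     # "deny" or "permit"
    proto: Optional[int]            # None matches any protocol
    sport: Optional[Tuple[int, int]]  # inclusive range; ICMP type for proto 1
    dport: Optional[Tuple[int, int]]  # inclusive range; ICMP code for proto 1

@dataclass
class Packet:
    proto: int
    sport: Optional[int]            # None on non-initial fragments: no L4 header
    dport: Optional[int]
    non_initial_fragment: bool = False

def in_range(value: int, rng: Optional[Tuple[int, int]]) -> bool:
    return rng is None or rng[0] <= value <= rng[1]

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if pkt.non_initial_fragment:
        # Only the 3-tuple is available, so any port range is treated as matching.
        return True
    return in_range(pkt.sport, rule.sport) and in_range(pkt.dport, rule.dport)

def evaluate(acl: List[Rule], pkt: Packet, permit_search: bool) -> str:
    """First-match evaluation. With permit_search=True a non-initial fragment is
    compared against permit rules only (the idea of the referenced change) and is
    dropped if none of them matches on the 3-tuple."""
    for rule in acl:
        if permit_search and pkt.non_initial_fragment and rule.action != "permit":
            continue
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"  # implicit default when nothing matches

# ACL from the message: deny ICMP type 2 / code 3, then permit everything.
ACL = [Rule("deny", ICMP, (2, 2), (3, 3)), Rule("permit", None, None, None)]
# Constructed ping traffic: the initial fragment carries echo request type 8, code 0.
INITIAL = Packet(ICMP, 8, 0)
NON_INITIAL = Packet(ICMP, None, None, non_initial_fragment=True)
```

Running both modes on the same ACL shows the drop the message reports and also the trade-off it mentions: with permit-only search, every non-initial ICMP fragment is accepted, including those of a flow the first rule would have denied.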
View/Reply Online (#11014): https://lists.fd.io/g/vpp-dev/message/11014