Hi vpp-dev,

I'm testing the security group functions on VPP 19.08 and have some questions. I have two VMs: A (172.16.0.1/24, using vxlan_tunnel10 / bridge 10) and B (172.16.1.1/24, using vxlan_tunnel11 / bridge 11). The gateway of each network is X.254, configured on the VPP bridges (10 and 11). Right now A and B can reach each other.
I tried to configure an acl as follows:

    vat# acl_dump 4
    vl_api_acl_details_t_handler:223: acl_index: 4, count: 3
    tag {}
    ipv4 action 0 src 0.0.0.0/0 dst 0.0.0.0/0 proto 1 sport 0-65535 dport 0-65535 tcpflags 0 mask 0,
    ipv4 action 1 src 0.0.0.0/0 dst 0.0.0.0/0 proto 6 sport 0-65535 dport 0-65535 tcpflags 0 mask 0
    vat#
    vat# acl_interface_set_acl_list sw_if_index 1 input 4

This acl is expected to 1. deny icmp packets, and 2. allow tcp packets, but after it is applied to interface vxlan_tunnel10, ALL packets are denied. After a lot of research I found https://lists.fd.io/g/vpp-dev/topic/10642768#8144 , which says VPP has an implicit "deny all" at the end, so I added one more rule, "permit all":

    vat# acl_dump 4
    vl_api_acl_details_t_handler:223: acl_index: 4, count: 3
    tag {}
    ipv4 action 0 src 0.0.0.0/0 dst 0.0.0.0/0 proto 1 sport 0-65535 dport 0-65535 tcpflags 0 mask 0,
    ipv4 action 1 src 0.0.0.0/0 dst 0.0.0.0/0 proto 6 sport 0-65535 dport 0-65535 tcpflags 0 mask 0,
    ipv4 action 1 src 0.0.0.0/0 dst 0.0.0.0/0 proto 0 sport 0-65535 dport 0-65535 tcpflags 0 mask 0
    vat#

And now ALL packets are permitted. So these are my questions:

Q1: Why are tcp packets still dropped even with an explicit "allow ipv4 tcp packets" rule?
Q2: Why are all packets permitted after appending the "permit all"?
Q3: Since the VPP docs are so poor, are there any official docs that refer to this "implicit deny all" and similar behaviour (since so few non-official docs can be found)?

Thanks.
Cipher Chen
View/Reply Online (#13887): https://lists.fd.io/g/vpp-dev/message/13887
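As an added example (not part of the post above and not VPP's own code), here is a small Python model of the semantics the post is probing: rules are checked in order, the first matching rule decides, and a packet that matches no rule falls through to the implicit "deny all" the linked thread mentions. The rule fields mirror the acl_dump output (action, src, dst, proto, sport, dport); the first-match evaluation order, the reuse of the port fields as ICMP type/code, and the sample traffic are assumptions of this example, not facts taken from the post.

```python
"""Added example: a first-match ACL evaluator with an implicit final deny.

This is a model written for illustration, not VPP's implementation and not
code from the post.  It assumes first-match semantics and an implicit deny
when no rule matches; rule fields mirror the acl_dump output in the post.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

DENY, PERMIT = 0, 1   # acl rule "action" values as shown in the dump: 0 = deny, 1 = permit
ANY_PROTO = 0         # proto 0 (the appended "permit all" rule): any IP protocol
ICMP, TCP, UDP = 1, 6, 17


@dataclass(frozen=True)
class Rule:
    action: int
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: int = ANY_PROTO
    sport: Tuple[int, int] = (0, 65535)
    dport: Tuple[int, int] = (0, 65535)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    # For TCP/UDP these are the L4 ports.  For ICMP this model (an assumption
    # of the example) reuses them as type/code, matched against sport/dport.
    sport: int = 0
    dport: int = 0


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every field of the rule must match; wildcard fields match anything."""
    if ip_address(pkt.src) not in ip_network(rule.src, strict=False):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst, strict=False):
        return False
    if rule.proto != ANY_PROTO and rule.proto != pkt.proto:
        return False
    return (rule.sport[0] <= pkt.sport <= rule.sport[1]
            and rule.dport[0] <= pkt.dport <= rule.dport[1])


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[int, Optional[int]]:
    """First match wins.  Returns (action, index of the matching rule);
    (DENY, None) is the implicit deny-all reached when nothing matched."""
    for idx, rule in enumerate(acl):
        if rule_matches(rule, pkt):
            return rule.action, idx
    return DENY, None


# Constructed sample traffic between the two VMs named in the post.
ECHO_REQ = Packet("172.16.0.1", "172.16.1.1", ICMP, sport=8, dport=0)   # type 8 / code 0
SSH      = Packet("172.16.0.1", "172.16.1.1", TCP, sport=40000, dport=22)
DNS      = Packet("172.16.0.1", "172.16.1.1", UDP, sport=5353, dport=53)

# The post's first list: deny ICMP, permit TCP, nothing else.
ACL_TWO_RULES = [Rule(DENY, proto=ICMP), Rule(PERMIT, proto=TCP)]
# The post's second list: the same plus a trailing "permit all".
ACL_WITH_CATCH_ALL = ACL_TWO_RULES + [Rule(PERMIT)]


def verdicts(acl: List[Rule]) -> Dict[str, Tuple[str, Optional[int]]]:
    """Map each sample flow to ('permit'|'deny', index of the deciding rule or None)."""
    flows = {"icmp-echo": ECHO_REQ, "tcp-ssh": SSH, "udp-dns": DNS}
    out = {}
    for name, pkt in flows.items():
        action, idx = evaluate(acl, pkt)
        out[name] = ("permit" if action == PERMIT else "deny", idx)
    return out


if __name__ == "__main__":
    for label, acl in (("two rules", ACL_TWO_RULES), ("with permit-all", ACL_WITH_CATCH_ALL)):
        print(label, verdicts(acl))
```

Under this model the two-rule list permits TCP, denies ICMP by rule 0, and drops only traffic that matches neither rule (here UDP) via the implicit deny; appending "permit all" changes only the fall-through case, and ICMP stays denied because rule 0 is consulted first. If a real device drops TCP with the first list and permits ICMP with the second, the difference is in whether rules 0 and 1 actually match the traffic as written, which is the thing to verify before attributing the behaviour to the implicit deny alone.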