Hi Cipher,

Reply below inline 

> On 4 Sep 2019, at 12:36, Cipher Chen <cipher.chen2...@gmail.com> wrote:
> 
> Thanks Andrew, I've successfully done acl_plugin test.
> 
> BTW, just reply here for latecomers, do "V=2 EXTENDED_TESTS=1 
> TEST=acl_plugin* make test" to do more test and print verbosely.

Yeah the connection tracking test takes time and needs some more love to be 
generally usable so it’s in the extended tests.

> 
> Since I'm testing stateful ACL by watching behavior of 
> test_acl_plugin_conns.py, along with the explanation from Stateful ACL,
> 
> this test case was below, to test client 172.16.0.1 (call it A here) 
> accessing client 172.16.1.1 (call it B here):
> 
> set acl-plugin session timeout udp idle 200
> set acl-plugin session timeout tcp idle 10
> set acl-plugin session timeout tcp transient 1
> 
> acl_add_replace ipv4 permit+reflect src 172.16.0.1/32 dst 172.16.1.1/32 proto 6 dport 80, ipv4 deny any # index 2
> acl_add_replace ipv4 deny any # index 0
> 
> acl_interface_set_acl_list vxlan_tunnel10 input 2 output 0
> 
I assume this is the interface of the “side” to which the 172.16.0.1 is 
connected ?

> acl_interface_set_acl_list vxlan_tunnel11 input
> 
You don’t need this, in principle. It should just clear all ACLs from the 
interface - but if there were none, no need to clear.

> 
> The cases behave like this:
> #1: A ping B, unreachable
> #2: A access B tcp port 22, unreachable
> #3: A access B tcp port 80, reachable

> 
> Q1: #1/#2 work well, but why does #3 still work? Even after A has finished the existing 
> connection and established a new TCP dport 80 connection to B, the connection can still 
> be established. Is this a bug or a feature of 'permit+reflect'?

This is how you configured it. You specify that any connection to port 80 has 
to be permitted and will create the connection entries on that interface that 
are checked before the acl. Again, packet tracer will help to see what is going 
on.

> Q2: How does ACL define 'stateful ACL' or 'connection', since a newly established 
> connection won't be treated as a related connection in Netfilter?

https://docs.fd.io/vpp/19.08/acl_multicore.html

I need to update it to reflect some of the last fixes but it should help to 
understand the general logic.

> Q3: What's 'transient'?

The above doc talks about that :)

—a

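Andrew's answer to Q1 comes down to the order of evaluation: the per-interface session table is consulted before the ACL, a permit+reflect rule creates a session for the traffic it permits, and that session is what lets the reverse direction pass an output ACL that otherwise denies everything; a new forward connection is authorised by the rule itself, not by any old session. The Python model below is added here as an illustration and is not code from the thread or from VPP's acl_plugin. It replays Cipher's configuration (input ACL index 2, output ACL index 0, the three session timeouts) and reproduces cases #1 to #3 plus the Q1 and Q3 behaviour. The session key, the rule that a TCP session without a reply is "transient", and the use of the UDP idle timeout for non-TCP traffic are simplifying assumptions of the model; the acl_multicore document linked above describes the real logic.

```python
"""Toy model of stateful ("permit+reflect") ACL evaluation on one interface.

Constructed for illustration only; this is not VPP acl_plugin code. It models
a session table consulted before the ACL, sessions created by permit+reflect
rules, and idle/transient timeouts, using assumptions noted in the comments.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

TCP, UDP, ICMP = 6, 17, 1


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0


@dataclass
class Rule:
    action: str                  # "permit", "permit+reflect" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[int] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport))


@dataclass
class Session:
    proto: int
    last_seen: float
    reply_seen: bool = False     # set once reverse-direction traffic was seen


class ReflectAcl:
    """One interface: an input ACL, an output ACL and a single session table."""

    def __init__(self, input_acl: List[Rule], output_acl: List[Rule],
                 tcp_idle: float, tcp_transient: float, udp_idle: float):
        self.acls = {"input": input_acl, "output": output_acl}
        self.tcp_idle, self.tcp_transient, self.udp_idle = tcp_idle, tcp_transient, udp_idle
        self.sessions: Dict[Tuple, Session] = {}

    @staticmethod
    def _key(p: Packet) -> Tuple:
        return (p.src, p.dst, p.proto, p.sport, p.dport)

    @staticmethod
    def _reverse_key(p: Packet) -> Tuple:
        return (p.dst, p.src, p.proto, p.dport, p.sport)

    def _timeout(self, s: Session) -> float:
        # Assumption: a TCP session that has not yet seen a reply is "transient"
        # and gets the short timeout; non-TCP sessions use the UDP idle timeout.
        if s.proto == TCP:
            return self.tcp_idle if s.reply_seen else self.tcp_transient
        return self.udp_idle

    def _expire(self, now: float) -> None:
        self.sessions = {k: s for k, s in self.sessions.items()
                         if now - s.last_seen < self._timeout(s)}

    def process(self, direction: str, p: Packet, now: float) -> str:
        """Classify one packet seen in 'input' or 'output' at time now (seconds)."""
        self._expire(now)
        fwd, rev = self._key(p), self._reverse_key(p)
        # 1. Session table first, in both directions, before any ACL rule.
        if fwd in self.sessions:
            self.sessions[fwd].last_seen = now
            return "permit:session"
        if rev in self.sessions:
            s = self.sessions[rev]
            s.last_seen, s.reply_seen = now, True
            return "permit:session-reply"
        # 2. First matching rule wins; no match at all is a deny.
        for rule in self.acls[direction]:
            if rule.matches(p):
                if rule.action == "permit+reflect":
                    self.sessions[fwd] = Session(p.proto, now)
                    return "permit:new-session"
                return rule.action
        return "deny:no-match"


def cipher_scenario() -> Dict[str, str]:
    """Replays the thread's setup: input ACL index 2, output ACL index 0."""
    acl2 = [Rule("permit+reflect", "172.16.0.1/32", "172.16.1.1/32", TCP, 80), Rule("deny")]
    acl0 = [Rule("deny")]
    ifc = ReflectAcl(acl2, acl0, tcp_idle=10, tcp_transient=1, udp_idle=200)
    A, B = "172.16.0.1", "172.16.1.1"          # constructed hosts from the thread
    r = {}
    r["ping"] = ifc.process("input", Packet(A, B, ICMP), 0.0)                 # case #1
    r["ssh"] = ifc.process("input", Packet(A, B, TCP, 40000, 22), 0.0)        # case #2
    r["http_syn"] = ifc.process("input", Packet(A, B, TCP, 40000, 80), 0.0)   # case #3
    r["http_reply"] = ifc.process("output", Packet(B, A, TCP, 80, 40000), 0.5)
    r["unsolicited"] = ifc.process("output", Packet(B, A, TCP, 80, 40001), 0.5)
    r["established_reply"] = ifc.process("output", Packet(B, A, TCP, 80, 40000), 5.0)
    # Q1: long after the first session idled out, a new port-80 connection is
    # still permitted, because the ACL rule (not the session) authorises it.
    r["http_again"] = ifc.process("input", Packet(A, B, TCP, 40002, 80), 60.0)
    # Q3: that half-open session only gets the 1 s transient timeout, so a
    # reply arriving 2 s later finds no session and hits the output deny.
    r["late_reply"] = ifc.process("output", Packet(B, A, TCP, 80, 40002), 62.0)
    return r


if __name__ == "__main__":
    for name, verdict in cipher_scenario().items():
        print(f"{name:18s} {verdict}")
```

Running the script prints one verdict per step: ping and ssh are denied by the input ACL, the first HTTP SYN creates a session, the server's reply is permitted on output by that session rather than by the output ACL, an unrelated port-80 reply is dropped, a fresh HTTP connection at t=60 is again permitted by the rule, and the reply to that half-open connection at t=62 is denied because the transient timeout has already removed the session.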
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#13900): https://lists.fd.io/g/vpp-dev/message/13900
Mute This Topic: https://lists.fd.io/mt/33127037/21656
Mute #vpp: https://lists.fd.io/mk?hashtag=vpp&subid=1480452
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub  [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-