Hi Rene, the ACL plugin does something along those lines: by using a "permit+reflect" action on an ACL that allows the packet from the initiating side, even if the packet is denied by an opposite-direction ACL on that interface, it will hit the session entry and will go through.

The state tracking is deliberately very simple since it doesn't pretend to be a full-fledged "firewall", but it could be enough. There is no ALG of any kind, so there are no "related" sessions.

--a

> On 31 Jan 2022, at 16:19, René Weiss <rmwe...@nullmodem.ch> wrote:
>
> Hi,
>
> I have another question for my evaluation of VPP as replacement/addition to
> my current Linux router:
>
> Let's say I have the two VLANs "vlan-a" and "vlan-b" and I want that devices
> in "vlan-a" can initiate a connection to devices in "vlan-b" but not the
> other way around.
>
> On Linux I currently solve this with iptables/nftables rules that only
> forward "related" and "established" packages from "vlan-b" to "vlan-a".
>
> Can I do the same thing with VPP (with the config files / without coding) and
> if so, which module/plugin would I have to look at?
>
> Thanks
> René
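A VPP CLI sketch of the arrangement described in the reply above (permit+reflect on the initiating direction, deny on the opposite direction of the same interface), added here as an illustration and not taken from the thread or from the VPP project's documentation. The sub-interface name, the prefixes and the exact `set acl-plugin` / `show acl-plugin` syntax are assumptions to check against the CLI help on your build.

```vpp
comment { Added example, not from the thread: one-way initiation vlan-a -> vlan-b with the ACL plugin.
          Interface name and prefixes are placeholders; confirm syntax with "set acl-plugin acl ?" }

comment { ACL 0: packets arriving from vlan-a may initiate; permit+reflect records a session }
set acl-plugin acl permit+reflect src 192.0.2.0/24 dst 198.51.100.0/24

comment { ACL 1: deny everything, used on the opposite direction of the same interface }
set acl-plugin acl deny src 0.0.0.0/0 dst 0.0.0.0/0

comment { Apply on the vlan-a sub-interface: input = initiate and reflect, output = deny by default.
          Return packets from vlan-b toward vlan-a match the session created by ACL 0 and pass
          even though ACL 1 would otherwise drop them. There is no ALG, so a separate flow
          such as an FTP data connection gets no session and is dropped by ACL 1 }
set acl-plugin interface GigabitEthernet0/8/0.10 input acl 0
set acl-plugin interface GigabitEthernet0/8/0.10 output acl 1

comment { Verify the ACLs, their interface bindings and the reflected sessions }
show acl-plugin acl
show acl-plugin interface
show acl-plugin sessions
```

Because the default at the end of an applied ACL list is deny, anything from vlan-b that does not match an existing session is dropped; check `show acl-plugin sessions` while a connection from vlan-a is open to see the entry that lets the return traffic through.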