Hi Dave,

You cannot do operations in the ACL plugin at an ACE level. By design. For a few 
reasons:

1) requiring to supply the entire ACL decreases the amount of transient state, 
reasoning about the state of the system becomes easier - it is a “declarative” 
model, which is easier to reason about.

2) because with any scenarios involving the even moderately accelerated 
lookups, the amount of shuffling in the underlying data structures was way too 
big. And the end user was always asking “what happened? I just added/deleted 
one entry!”. So this API makes it explicit. Also, the ace-level operations 
require either some sort of “commit” message later or are subject to time-based 
heuristics.

3) use case. The ACL plugin from the get-go aimed to deal with relatively 
slow-changing rulesets, thus it uses this approach within the API to underline 
the intent.

There is an experimental patch in gerrit https://gerrit.fd.io/r/c/vpp/+/28083 
which allows reusing the “lazy” connection tracking infra from the ACL plugin and 
supplying your own policy lookup engine. Warning: since it is experimental, there 
is an indirect function call per lookup, which won’t get you much performance. 
But it’s something that may be interesting for prototyping / experiments.

More inline:


> On 14 Jul 2022, at 15:07, Dave Houser <davehous...@gmail.com> wrote:
> 
> I would like to create a new ACE (Access Control Entry) in an already created 
> ACL (Access Control List) with the acl_plugin.so, mainly trying to use the 
> acl_add_replace struct.
> 
> It appears I can only add a new ACL with 1 to many entries; I can also 
> replace a whole ACL by its index, and lastly delete an ACL. However, there 
> does not seem to be a way to add an ACE to an existing ACL. 
> 
Yes, you re-send the ACL as you expect it to be. The VPP may or may not do an 
incremental edit under the hood - but that is not being exposed nor promised.

> I looked at src/plugins/acl/acl.api lines 105-144
> 
> ```
> define acl_add_replace
> {
>   u32 client_index;
>   u32 context;
>   u32 acl_index; /* ~0 to add, existing ACL# to replace */
>   string tag[64]; /* What gets in here gets out in the corresponding tag field when dumping the ACLs. */
>   u32 count;
>   vl_api_acl_rule_t r[count];
>   option vat_help = "<acl-idx> <permit|permit+reflect|deny|action N> [src IP/plen] [dst IP/plen] [sport X-Y] [dport X-Y] [proto P] [tcpflags FL MASK], ... , ...";
> };
> ```
>  
> Most of those values in the struct make sense (especially since there is a 
> comment above describing each parameter), except for `vl_api_acl_rule_t r[count]`. I 
> don't know what this does and there does not appear to be any comment on what 
> its purpose is. Not sure it's related. Maybe I should be using a different

This is the array of the rules of the ACL, defined as “acl_rule” within 
acl_types.api.
In general, when you see “vl_api_FOO_t”, search the .api files for “FOO” for 
clues.

> struct? So the problem is when I try to target an ACL with `acl_index`, there 
> is no way I can find to tell acl_add_replace "Add an entry to the existing 
> acl index, don't remove or replace ACEs", therefore the call will cause vpp 
> to replace the whole ACL with whatever is in the new rule list.

Yep, as I said, intentionally, per the reasons above.

>  
> Either way, how can I add a new ACE to an existing ACL without affecting 
> other values in the ACL? 
> Also, while we are talking about ACEs, how can I replace a specific ACE in 
> an ACL without affecting the other ACEs in the ACL (target a specific ACE 
> entry to remove or replace)? 

You perform any of the needed edits and supply the new ACL to replace via 
acl_add_replace.

—a
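A small illustration of the read-modify-replace pattern described in this reply (an added example, not code from the thread or from VPP itself): each ACE-level edit is made client-side on the rule list obtained from acl_dump and sent back as one acl_add_replace for the same acl_index, with count matching the full rule array. The rule fields are a subset of acl_rule from acl_types.api; the dumped ACL is constructed here, and the transport (e.g. vpp_papi) is assumed and left out.

```python
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional

ADD_NEW_ACL = 0xFFFFFFFF  # "~0 to add" in acl.api; any other value replaces that ACL


@dataclass(frozen=True)
class AclRule:
    """Subset of acl_rule from acl_types.api (field names as in the .api file)."""
    is_permit: int                    # 0 = deny, 1 = permit, 2 = permit+reflect
    src_prefix: str
    dst_prefix: str
    proto: int = 0                    # 0 = any protocol
    dstport_or_icmpcode_first: int = 0
    dstport_or_icmpcode_last: int = 65535


def build_add_replace(acl_index: int, tag: str, rules: List[AclRule]) -> Dict:
    """Shape one acl_add_replace request; count always equals len(r)."""
    if len(tag.encode()) > 64:        # string tag[64] is a fixed-size field
        raise ValueError("tag does not fit the 64-byte tag field")
    return {"acl_index": acl_index, "tag": tag,
            "count": len(rules), "r": [asdict(r) for r in rules]}


def _rules_of(dumped: Dict) -> List[AclRule]:
    return [AclRule(**r) for r in dumped["r"]]


def insert_ace(dumped: Dict, rule: AclRule, position: Optional[int] = None) -> Dict:
    """Add one ACE (first match wins, so position matters) and return the whole ACL."""
    rules = _rules_of(dumped)
    rules.insert(len(rules) if position is None else position, rule)
    return build_add_replace(dumped["acl_index"], dumped["tag"], rules)


def replace_ace(dumped: Dict, position: int, rule: AclRule) -> Dict:
    """Swap the ACE at `position`; every other ACE is re-sent unchanged."""
    rules = _rules_of(dumped)
    rules[position] = rule            # IndexError if that ACE does not exist
    return build_add_replace(dumped["acl_index"], dumped["tag"], rules)


def delete_ace(dumped: Dict, position: int) -> Dict:
    """Drop one ACE; the remaining ACEs form the replacement ACL."""
    rules = _rules_of(dumped)
    del rules[position]
    return build_add_replace(dumped["acl_index"], dumped["tag"], rules)


# Constructed stand-in for what acl_dump would return for ACL 3 (acl_details).
EXAMPLE_DUMP = build_add_replace(3, "mgmt", [
    AclRule(1, "10.0.0.0/8", "192.0.2.10/32", 6, 22, 22),  # permit SSH from inside
    AclRule(0, "0.0.0.0/0", "0.0.0.0/0"),                  # deny everything else
])
```

Whatever the client does locally, the only thing VPP sees is the complete ACL for acl_index 3, so a dump immediately before each edit is the source of truth for the rule list being rewritten.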
